Auditing: A Practical Approach with Data Analytics 1119401747, 9781119401742

The explosion of data analytics in the auditing profession demands a different kind of auditor. Auditing: A Practical Ap

3,457 448 6MB

English Pages 736 [733] Year 2019

Report DMCA / Copyright

DOWNLOAD FILE

Polecaj historie

Auditing: A Practical Approach with Data Analytics
 1119401747, 9781119401742

Table of contents :
Cover......Page 1
Title Page......Page 7
Copyright......Page 8
Index......Page 9

Citation preview

Auditing and Assurance Standards PCAOB (Public Company Accounting Oversight Board, pcaobus.org) Standard AS 1015 AS 1101 AS 1105 AS 1201 AS 1205 AS 1210 AS 1215 AS 1220 AS 1301 AS 2101 AS 2105 AS 2110 AS 2201

Title

Due Professional Care in the Performance of Work Audit Risk Audit Evidence Supervision of the Audit Engagement Part of the Audit Performed by Other Independent Auditors Using the Work of a Specialist Audit Documentation Engagement Quality Review Communications with Audit Committees Audit Planning Consideration of Materiality in Planning and Performing an Audit Identifying and Assessing Risks of Material Misstatement An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements AS 2301 The Auditor’s Responses to the Risks of Material Misstatement AS 2305 Substantive Analytical Procedures AS 2310 The Confirmation Process AS 2315 Audit Sampling AS 2401 Consideration of Fraud in a Financial Statement Audit AS 2405 Illegal Acts by Clients AS 2410 Related Parties AS 2415 Consideration of an Entity’s Ability to Continue as a Going Concern AS 2501 Auditing Accounting Estimates AS 2502 Auditing Fair Value Measurements and Disclosures AS 2505 Inquiry of a Client’s Lawyer Concerning Litigation, Claims, and Assessments AS 2605 Consideration of the Internal Audit Function AS 2610 Initial Audits—Communication Between Predecessor and Successor Auditors AS 2801 Subsequent Events AS 2805 Management Representations AS 2810 Evaluating Audit Results AS 2820 Evaluating Consistency of Financial Statements AS 2905 Subsequent Discovery of Facts Existing at the Date of the Auditor’s Report AS 3101 The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion AS 3105 Departures from Unqualified Opinions and Other Reporting Circumstances Ethics and Independence Rules: 3501 Definition of Terms Employed in Section 3, Part 5 of the Rules 3502 Responsibility to Not Knowingly or Recklessly Contribute to Violations 3520 Auditor Independence 3521 Contingent Fees 3522 Tax Transactions 3523 Tax Services for Persons in Financial Reporting Oversight Roles 3524 Audit Committee Pre-approval of Certain Tax Services 3525 Audit Committee Pre-approval of Non-audit Services Related to Internal Control over Financial Reporting 3526 Communication with Audit Committees Concerning Independence

Text Chapter Chapter 3 Chapter 3 Chapters 5, 7, 13 Chapter 14 Chapters 5, 15 Chapters 5, 12 Chapters 5, 8, 14 Chapter 14 Chapters 3, 4, 14 Chapter 3 Chapter 3 Chapters 3, 4, 5, 6, 8 Chapters 1, 6, 8, 15 Chapters 3, 9 Chapter 9 Chapters 5, 11 Chapter 10 Chapters 3, 14 Chapter 4 Chapter 4 Chapters 14, 15 Chapter 9 Chapter 9 Chapter 14 Chapter 5 Chapter 3 Chapter 14 Chapter 14 Chapters 9, 14 Chapter 15 Chapter 15 Chapters 1, 15 Chapter 15 Chapter 2 Chapter 2 Chapter 2 Chapter 2 Chapter 2 Chapter 2 Chapter 2 Chapter 2 Chapter 2

Auditing Standards Board (AICPA, American Institute of Certified Public Accountants, aicpa.org) Standard

Title

Text Chapter

AICPA AICPA AICPA AU-C 200

Audit Guide: Audit Sampling Code of Professional Conduct Guide to Audit Data Analytics Overall Objectives of the Independent Auditor and Conduct of an Audit in Accordance with Generally Accepted Auditing Standards Terms of Engagement Quality Control for an Engagement Conducted in Accordance with Generally Accepted Auditing Standards Audit Documentation Consideration of Fraud in a Financial Statement Audit Consideration of Laws and Regulations in an Audit of Financial Statements The Auditor’s Communication with Those Charged with Governance Communicating Internal Control Related Matters Identified in an Audit Planning an Audit Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement Materiality in Planning and Performing an Audit Performing Audit Procedures in Response to Assessed Risks and Evaluating Audit Evidence Obtained Evaluation of Misstatements Identified During the Audit Audit Evidence Audit Evidence—Specific Considerations for Selected Items External Confirmations Opening Balances—Initial Audit Engagements, Including Reaudit Engagements Analytical Procedures Audit Sampling Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related Disclosures Related Parties Subsequent Events and Subsequently Discovered Facts The Auditor’s Consideration of an Entity’s Ability to Continue as a Going Concern Written Representations Special Considerations—Audits of Group Financial Statements (Including the Work of Component Auditors) Using the Work of Internal Auditors Using the Work of an Auditor’s Specialist Forming an Opinion and Reporting on Financial Statements Modifications to the Opinion in the Independent Auditor’s Reports Emphasis-of-Matter Paragraphs and Other-Matter Paragraphs in the Independent Auditor’s Report Consistency of Financial Statements An Audit of Internal Control That Is Integrated with an Audit of Financial Statements A Firm’s System of Quality Control

Chapter 10 Chapter 2 Chapter 7 Chapters 1, 3

AU-C 210 AU-C 220 AU-C 230 AU-C 240 AU-C 250 AU-C 260 AU-C 265 AU-C 300 AU-C 315 AU-C 320 AU-C 330 AU-C 450 AU-C 500 AU-C 501 AU-C 505 AU-C 510 AU-C 520 AU-C 530 AU-C 540 AU-C 550 AU-C 560 AU-C 570 AU-C 580 AU-C 600 AU-C 610 AU-C 620 AU-C 700 AU-C 705 AU-C 706 AU-C 708 AU-C 940 QC 10

Chapter 3 Chapter 14 Chapters 5, 7, 8, 14 Chapters 3, 9, 14 Chapters 4, 14 Chapters 4, 14 Chapters 6, 8 Chapter 3 Chapters 3, 4, 5, 6, 7, 8, 9 Chapter 3 Chapters 3, 9 Chapters 9, 14 Chapters 5, 7, 13 Chapters 13, 14 Chapters 5, 11 Chapter 9 Chapters 9, 14 Chapter 10 Chapter 9 Chapter 4 Chapters 14, 15 Chapters 14, 15 Chapter 14 Chapters 5, 15 Chapter 5 Chapters 5, 12 Chapters 1, 15 Chapter 15 Chapter 15 Chapter 15 Chapter 15 Chapter 3

WileyPLUS gives you the freedom and flexibility to tailor curated content and easily manage your course to keep students engaged and on track.

When course materials are presented in an organized way, students are more likely to stay focused, develop mastery, and participate in class. WileyPLUS gives students a clear path through the course material. Starting with Wiley’s quality curated content, you can customize your course by setting the pacing of content and even integrating videos, files, or links to relevant material. The easy-to-use, intuitive interface saves you time getting started, managing day-to-day class activities, and helping individual students stay on track.

Customized Content

Interactive eTextbook

Drag-and-Drop Customization

Using the content editor, you can add videos, documents, pages, or relevant links to keep students motivated.

Students can easily search content, highlight and take notes, access instructor’s notes and highlights, and read offline.

Quick reordering of chapters lets you match content to your needs.

Linear Design and Organization

Calendar

Instructor App

The drag-and-drop calendar syncs with other features in WileyPLUS— like assignments, syllabus, and grades—so that one change on the calendar shows up in all places.

You can modify due dates, monitor assignment submissions, change grades, and communicate with your students all from your phone.

Chapters include eTextbook content, videos, and practice questions.

Wileyplus.com/instructors

Auditing A Practical Approach with Data Analytics

First Edition

Raymond N. Johns on PhD, CPA Portland State University Portland, Oregon

Laura D . Wiley PhD, CPA Louisiana State University Baton Rouge, Louisiana

Adapted from Robyn Moroney, Fiona Campbell, and Jane Hamilton, Auditing: A Practical Approach, Third Edition (Wiley, 2016)

Director AND VICE PRESIDENT Michael McDonald SENIOR Acquisitions Editor Emily Marcoux Instructional Design Lead Ed Brislin SENIOR PRODUCT DESIGNER Matt Origoni Marketing Manager Jenny Geiler Editorial Supervisor Terry Ann Tatro EDITORIAL Assistant Kirsten Loose Senior Content Manager Dorothy Sinclair Senior Production Editor Valerie Vargas SENIOR DESIGNER Wendy Lai Cover Image © nikkytok/Shutterstock This book was set in Source Sans Pro by Aptara®, Inc. and printed and bound by Quad Graphics/ Versailles. The cover was printed by Quad Graphics/Versailles. Founded in 1807, John Wiley & Sons, Inc. has been a valued source of knowledge and understanding for more than 200 years, helping people around the world meet their needs and fulfill their aspirations. Our company is built on a foundation of principles that include responsibility to the communities we serve and where we live and work. In 2008, we launched a Corporate Citizenship Initiative, a global effort to address the environmental, social, economic, and ethical challenges we face in our business. Among the issues we are addressing are carbon impact, paper specifications and procurement, ethical conduct ­within our business and among our vendors, and community and charitable support. For more information, please visit our website: www.wiley.com/go/citizenship. Copyright © 2019 John Wiley & Sons, Inc. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc. 222 Rosewood Drive, Danvers, MA 01923, website www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030-5774, (201)748-6011, fax (201)748-6008, website http://www.wiley.com/go/permissions. ISBN-13: 978-1-119-40181-0 The inside back cover will contain printing identification and country of origin if omitted from this page. In addition, if the ISBN on the back cover differs from the ISBN on this page, the one on the back cover is correct. Printed in America. 10

9

8

7

6

5

4

3

2

1

Brief Contents 1 Introduction and Overview of Audit and Assurance   1-1 2 Professionalism and Professional Responsibilities   2-1 3 Risk Assessment Part I: Audit Risk and Audit Strategy   3-1 4 Risk Assessment Part II: Understanding the Client   4-1 5 Audit Evidence   5-1 6 Gaining an Understanding of the Client’s System of Internal Control  6-1 7 Audit Data Analytics   7-1 8 Risk Response: Performing Tests of Controls   8-1 9 Risk Response: Performing Substantive Procedures   9-1 10 Risk Response: Evaluating Audit Data Analytics and Audit Sampling for Substantive Tests   10-1 11 Auditing the Revenue Process   11-1 12 Auditing the Purchasing and Payroll Processes   12-1 13 Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts)   13-1 14 Completing the Audit   14-1 15 Reporting on the Audit   15-1 Appe nd ix A  

Cloud 9 Inc. Audit  A-1

GLOSS ARY    G-1 I n d e x   I -1

v

From the Authors Auditing is about earning the public trust. Auditors serve that public trust by being independent of the companies they audit—in mental attitude and in fact. You will find that auditing is about developing an inquisitive mind and mastering decision-making; you must master an audit logic (the audit risk model) and develop audit strategies. To help you develop both skills, we have taken a very practical approach in this text, as follows:

Auditing is about developing an inquisitive mind and mastering decision-making. To help you develop both skills, we have taken a very practical approach in this text, as well as incorporated audit data analytics (ADA) to help you embrace an increasing variety of fascinating technologies being used by auditors.

•  Provided a variety of audit reasoning examples, which demonstrate the practical application of auditing skills and concepts through brief real-world scenarios, in each chapter. •  Included an audit decision-making example at the end of each chapter. Each example illustrates a process of identifying the issue, gathering information and evidence, analyzing and evaluating information and evidence, and drawing conclusions. •  Added professional environment examples that illustrate issues that auditors deal with on a day-to-day basis. •  Written the text in a conversational writing style that you should enjoy.

In addition, you must also embrace an increasing variety of fascinating technologies being used by auditors. To help you do this, we have: •  Included a separate chapter on audit data analytics, including an overview of the most popular audit data analytics (ADA) software applications currently used. •  Integrated the use of audit data analytics into many chapters. •  Offered IDEA-based cases available in WileyPLUS. The accounting and auditing skills you build in this course will serve you for the rest of your life as you develop an independence of thought and action. Your journey of developing a questioning mindset, developing an investigative intuitiveness, and learning how to recognize accounting issues that do not pass the “smell test” will open many opportunities. If you keep asking questions, continue to explore the application of new technologies, and stay true to the importance of integrity and independent thought and actions that will earn the public trust, you should have a rich and rewarding career. We are excited and honored to lead you on this “auditing” journey. We hope you dive into the material and explore the resources provided in this text and WileyPLUS. Above all else, we wish you great success! Raymond N. Johnson, PhD, CPA Laura D. Wiley, PhD, CPA

vi

©Aaron Hogan, Eye Wander Photo

©The National Association of State Boards of Accountancy

About the Authors

Raymond N. Johnson

Laura D. Wiley

Raymond N. Johnson, PhD, CPA, has taught auditing concepts and practices, financial statement analysis, and a case course focused on developing students’ critical thinking skills at Portland State University for 35 years. He was the first recipient of Harry C. Visse Excellence in Teaching Fellowship and is currently a professor emeritus from Portland State University. He has also taught auditing and accounting at Bond University, The University of Queensland, the Australian National University, and Southampton University. Dr.  Johnson is Chair of the International Accounting Education Standards Board’s Consultative Advisory Group. Previously, he served on the NASBA board of directors for seven years, and he previously chaired NASBA’s Education Committee and the NASBA Ethics Committee. He also served on an AACSB Task Force that was responsible for the most recent update to AACSB Accounting Accreditation rules. Dr. Johnson served a three-year term on the AICPA Professional Ethics Executive Committee which sets ethical standards for CPAs in the United States. He is a former member of NASBA’s Standard Setting Advisory Committee and served for seven years on the NASBA/AICPA International Qualifications Appraisal Board. Previously, Dr. Johnson served on the Oregon Board of Accountancy for seven years and was Chair of the Board for two years. Dr. Johnson is a past president of the Oregon Society of CPAs. He has previously served as staff to the U.S. Auditing Standards Board, and he has written numerous academic and professional articles.

Laura Wiley, PhD, CPA, is the Assistant Department Chair and senior instructor in the Department of Accounting at the E. J. Ourso College of Business, Louisiana State University (LSU). She came to LSU in 1996 and teaches financial accounting and auditing courses. She also leads a studyabroad excursion in the Master of Accountancy program, taking students on educational business trips to Central and South American countries. Dr. Wiley is active in the Society of Louisiana CPAs (LCPA) and has served as the chair of the Accounting Education Issues committee since 2014. She received the LCPA’s Distinguished Achievement in Education award in 2015 and the Outstanding Teacher Award from the E. J. Ourso College of Business in 1999 and 2014. Dr. Wiley has consulted with large and small companies on accounting-related matters and conducted onsite training sessions for company employees. Over her career, she has also been a presenter at numerous CPE events and published in the Journal of Accounting Education. Prior to coming to LSU, she was an auditor with PricewaterhouseCoopers in Atlanta, Georgia. She earned her bachelor’s degree in accounting from The University of Alabama, her master’s degree in accounting from LSU, and her doctorate in human resource education and workforce development from LSU. Her research interests are accounting education and financial literacy. She is an active licensed CPA in the state of Louisiana.

vii

Unique Pedagogical Framework Auditing provides key learning aids to help students master the content and prepare them for a successful career in accounting.

c07AuditDataAnalytics.indd Page 1 06/03/19 3:36 PM F-0590

/208/WB02435/9781119401810/ch07/text_s

ChApter 7

Each chapter begins with a flowchart detailing exactly what section of the audit process students are about to learn. The chart helps students see the big picture of the audit process.

Audit Data Analytics Special thanks to Dr. Adrian Gepp of Bond University, Queensland, Australia, for his invaluable assistance in co-authoring this chapter.

The Audit Process Overview of Audit and Assurance (Chapter 1) Professionalism and Professional Responsibilities (Chapter 2) Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4) Gaining an Understanding of the Client

Identify Significant Accounts and Transactions

Set Planning Materiality

Gaining an Understanding of the System of Internal Control (Chapter 6)

Make Preliminary Risk Assessments

Performing Tests of Controls (Chapter 8)

Audit Data Analytics (Chapter 7)

Audit Evidence (Chapter 5)

Develop Responses to Risk and an Audit Strategy

Performing Substantive Procedures (Chapter 9) Audit Sampling for Substantive Tests (Chapter 10)

Auditing the Purchasing and Payroll Processes (Chapter 12)

Auditing the Revenue Process (Chapter 11)

Auditing the Balance Sheet and Related Income Accounts (Chapter 13)

c03RiskAssessmentPartI.indd Page 3-2 24/01/19 9:35 PM F-0590

Completing and Reporting on the Audit (Chapters 14 and 15) Drawing Audit Conclusions

Procedures Performed Near the End of the Audit c05AuditEvidence.indd Page 2 04/03/19 8:37 PM F-0590

3-2

CH A PT E R 3

/208/WB02435/9781119401810/ch03/text_s

Risk Assessment Part I

LearningLearning Objectives

Reporting

/208/WB02435/9781119401810/ch05/text_s

Objectives have been carefully crafted to reflect the Bloom’s Taxonomy framework, LO 5 Explain how auditors determine their audit strategy and how audit strategy affects audit decisions. well asofreinforce the practical auditing skills LO 2 Identifyas the diff erent phases an audit. LO 6 Explain the fraud risk assessment process and analyze fraud risk. LO 3 Explain and apply the concept of materiality. that students will develop. LO 4 Explain professional skepticism and apply the LO 1 Evaluate client acceptance and continuance decisions.

5-2

Chapt e r 5

audit evidence

Learning Objectives

7-1

LO 1 Define management assertions about classes of transactions, account balances, and presentation and disclosure. LO 2 Discuss the characteristics of audit evidence.

LO 4 evaluate when it is appropriate for auditors to use the work of others.

audit risk model.

Auditing and Assurance Standards

LO 5 Document the details of evidence gathered in working papers.

LO 3 apply the procedures for gathering audit evidence, including the use of audit data analytics.

P C AO B

AUDIT ING STA NDA R D S B OA R D

AS 1015 Due Professional Care in the Performance of Work

AU-C 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards

AS 1101 Audit Risk AS 1301 Communications with Audit Committees

Auditing and Assurance Standards

AS 2101 Audit Planning

Au d i t i n g StA n dA rd S B OArd Auditing and Assurance Standards Au-C 230 audit Documentation that are disAu-C 315 Understanding the entity and Its environment AS 1205 part of the audit performed by Other cussed are listed at the beginning each chapter and assessing the risks of of Material Misstatement Independent auditors 500 audit evidence AS 1210 for Using the Work of a Specialist quick reference. AAu-C complete overview of all Au-C 505 external Confirmations AS 1215 audit Documentation Au-Cthe 600 Special Considerations—audits of Group isrisksavailable at front of the text. AS 2110 standards Identifying and assessing of Material Financial Statements (Including the Work of Component

AS 2105 Consideration of Materiality in Planning and Performing an Audit

PCAOB

AS 1105 audit evidence

Misstatementc03RiskAssessmentPartI.indd Page 3-40

24/01/19 9:35 PMauditors) F-0590

Au-C 610 Using the Work of Internal auditors

AS 2605 Consideration of the Internal audit Function

Au-C 620 Using the Work of an auditor’s Specialist

C HAPT E R 3

Risk Assessment Part I

c05AuditEvidence.indd Cloud 9 - Continuing Case Page 5-6 Cloud 9 - Continuing Case

AS 2301 The Auditor’s Responses to the Risks of Material Misstatement AS 2401 Consideration of Fraud in a Financial Statement Audit

/208/WB02435/9781119401810/ch03/text_s

AS 2310 the Confirmation process

3-40

AS 2110 Identifying and Assessing Risk of Material Misstatement

AS 2610 Initial Audits—Communication Between Predecessor and Successor Auditors

AU-C 240 Consideration of Fraud in a Financial Statement Audit AU-C 300 Planning an Audit AU-C 315 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement AU-C 320 Materiality in Planning and Performing an Audit AU-C 330 Performing Audit Procedures in Response to Assessed Risks and Evaluating Audit Evidence Obtained QC10 A Firm’s System of Quality Control

Cloud 9 - Continuing Case Sharon and Josh have already discussed some specific client accep-

1/15/19 9:44 PM f-1241

explains they also must consider the overall integrity of the client (that is, management of Cloud 9). This means they need to perform W&S Partners has just won the January 31, 2023, audit for W&S Partners use the following percentages as starting handle and themselves. At the next planning meeting for the Cloud 9 audit, Pickering and document procedures that are likely to provide information Cloud 9. The audit teamSuzie assigned to this client is: the accounts receivable points forinventory the various bases: Second, Sharon is worried about how they will gather evidence regarding a presents the results of the analytical procedures performed so far about the client’s integrity. Josh is a little skeptical. “Do you mean Base Threshold (%) subsidiary of Cloud 9 located in Vietnam. W&S Partners does not and a working draft of the audit program. The audit manager, that we should ask them if they are honest?” Sharon suggests it is • Partner, Jo Wadley C H APT E R an 5 office AuditinEvidence before have Vietnam, so they mustIncome determine the tax most effec- 5.0 Sharon Gallagher, and the audit senior, Josh Thomas, are5-6 also inprobably more useful to ask others, and the key people to ask are • Audit Manager, Sharon Gallagher Total revenue 0.5 tive and efficient way to gather evidence regarding the subsidiary. volved in the planning, with special responsibility for the internal the existing auditors. Josh is still skeptical. “The existing auditors • Audit Senior, Josh Thomas Gross profites 2.0 used in operations has been appropriately In the planning meeting, considers thethat following control assessment. • the An team auditor verifi equipment marked are Ellis & Associates. Are they going to help us take one of their 0.5 questions: The meeting’s agenda is to• discuss theManager, availableMark sources of evIT Audit Batten clients from them?” Sharon says the client must give permission down ifTotal it isassets impaired (risk of overstatement). Equity 1.0 idence at Cloud 9 and specify these in the detailed audit program. first, and, if that is given, the existing auditor will usually state •  What evidence is available? • Experienced staff, Suzie Pickering The team members also must ensure they have enough evidence whether or not there were any issues that the new auditor should These starting points can be increased or decreased by taking •  What criteria will the team use to choose among alternative • First-year , Ian Harper of the to conduct the audit. Two specific issues staff worry members be aware of before accepting the work. This type of communicainto account qualitative client factors, which could be: Cloud 9 - sources Continuing Case of evidence? team. First, there are three very large asset balances on Cloud 9’s tion is covered by AS 2610 (AU-C 210 for private company clients) Asvaluation a part of the risk Josh assessment phase for• the neware audit, • The naturethe of the client’s business and industry (for example, What the the implications of using work of specialists trial balance that have particular issues. suggests Ian and Suzie have talked in general terms about the • No accounts receivables were omitted when calculating the audit team needs to gain an of Cloud 9’salready structure rapidly changing, either through growth or downsizing, or and other auditors? that a specialist will be required for the derivatives, butunderstanding they can errors that could occur in Cloud 9’s accounts receivable. For total—completeness. and its business environment, determine materiality, and assess an unstable environment). other clerical errors the risk of material misstatement.example, This will basic assist mathematical the team in de-mistakes• and Accounts(orreceivables in the total do exist at yearWhether the client is a public •company subsidiaryincluded of) could affthe ectnature, the customer’s total in either direction. Suzie emveloping an audit strategy and designing extent, and end—existence. subjectthis to regulations. phasizes that Cloud 9’s management asserts error did not timing of audit procedures. • fraud. Accounts receivables belong to Cloud 9 and have not been • The knowledge of or high risk of exist when they prepared the fi nancial statements—i.e., they One task during the planning phase is to consider the consold or factored—rights and obligations. assert that accounts valued correctly. Auditors cept of materiality as it applies to the client. Auditorsreceivable will de- areTypically, income before tax is used; however, it cannot be used must gather about each assertion for each transaction • Bad debts have been provided for—valuation and allocation. sign procedures to identify and correct errorsevidence or irregularities if reporting a loss for the year or if profi tability is not consistent. In Chapters 3 and 4, we considered audit riskinand assessment. Those chapters focused class, account, and statements note the risk financial statements. Now that that would have a material effect on the financial When calculating PM based on interim gures,the it may nec- are not included in the earlier • Salesfifrom nextbeperiod on the the decision-making importance of risk identification helpbetter, ensure auditor’sthe desired level of risk is the auditors to plan Ian understands idea he the can identify assertions and affect of the users of this thetofinancial essary to annualize the results. This allows period—cutoff. Ian is a bit confused about this because cutrelate to audit the potential errors in accounts receivable that statements. Materiality is used inthat determining procedures the audit properly based on an approximate off is anprojected assertionyear-end for transactions, not assets. Suzie agrees they discussed earlier: and sample selections, and evaluating differences from client balance. Then, at year-end, the figure isitadjusted, if necessary, to is a special sort of assertion that relates to transactions or records to audit results. Materiality •is No the mathematical maximum amount of or other reflectclerical the actual results. events, but also gives evidence about balance sheet accounts mistakes errors exist that misstatement, individually or in aggregate, canthe betotal accepted (e.g., an overstatement of revenue is also an overstatement couldthat affect receivables in either direction—valuaRequired in the financial statements. In selecting figure to be of receivables). tion the andbase allocation. Answer the following questions based on the information preused to calculate materiality, the auditors should consider the sented for Cloud 9 in the appendix to this text and in the current key drivers of the business. They should ask, “What are the end chapter and previous chapters. users (that is, stockholders, banks, etc.) of the accounts going The last category of assertions focuses on presentation and disclosure in the financial to be looking at?” For example, will stockholders be interested a. Using the 31, 2022, trialprobably balance (in the appendix to of the assertions in this category statements andOctober the notes. You’ve noticed that most in profit figures that can be used to pay dividends and increase this listed text), calculate planning materiality and include theThat justi-makes sense considering the note are also in one or both of the other categories. share price? fication and for the basis that youin have for yourstatements calculation. are inherently tied with a client’s disclosures presentation theused financial W&S Partners’ audit methodology dictates that one planb. Discuss how planningbalances. materiality would begather used toevidence detertransactions andthe year-end Auditors that disclosed items represent ning materiality (PM) amount is to be used for the financial mine materiality. events andperformance transactions that occurred and pertain to the entity, (10) occurrence and rights statements as a whole. The basis selected for determining materiality is the one determined to be the key driver of the business.

and obligations, that allamount itemsisthat should increased have been c. If the planningand materiality subsequently or disclosed are included in the fidecreased later in which the audit, that impact the audit? nancial statements, is how (11) would completeness. Auditors ensure items included in the financial statements are appropriately presented and disclosures are clearly expressed, which is

and is part of professional ethics. Sharon also gives Josh the task of researching Cloud 9’s press coverage, with special focus on anything that may indicate poor management integrity. Sharon emphasizes they must perform and document procedures to determine whether W&S Partners is competent to perform the engagement and has the capabilities, time, and resources to do so. For example, they must make sure they have audit team members who understand the clothing and footwear business. They also must have enough staff to complete the audit on time. In addition, Sharon and Josh must perform and document procedures to show that W&S Partners can comply with all parts of the code of professional conduct, not just those that focus on independence threats and safeguards. Finally, they can draft the engagement letter to cover the contractual relationship between W&S Partners and Cloud 9.

A Cloud 9 Continuing Case exercise applies concepts introduced in each chapter, concludes each chapter, and is available as an assessment question.

/208/WB02435/9781119401810/ch05/text_s tance issues, such as independence threats and safeguards. Sharon

Chapter Preview—Audit Process in Focus

viii

AU-C 210 Terms of Engagement

controls continue to be strong, she will also perform substantive procedures on the existence of inventory at an interim date.

  UN I Q UE P E DAG OG I C A L FRA MEWORK   ix

Illustration 3.12 provides a diagram of the process used when developing the audit strategy for an account or assertion. Notice that the left side of the diagram provides an overview of the reliance on controls approach described in this section.

c05AuditEvidence.indd Page 5-27 1/15/19 9:44 PM f-1241

ILLUSTRATION c06GainingAnUnderstandingOfTheClientsSystemOfInternalControl.indd Page 4 04/03/19 3.12 5:48 PM F-0590

Identify inherent risks at the account or assertion level

Process used when developing an audit strategy at the account or assertion level

Determine whether an6-4 internal control(s) C h apt e r 6 canGaining an Understanding of the Client’s System of Internal Control mitigate the risk factor

/208/WB02435/9781119401810/ch05/text_s

Detailed illustrations help students visualize complex processes and important concepts. /208/WB02435/9781119401810/ch06/text_s

Documentation—Audit Working Papers

5-27

alternative for environmentally conscientious customers. NME operates from three locations and produces a wide range of household products that it sells to supermarkets and specialty stores. the most front commonly of every audit file is a copy of the client’s trial balance that supports the fiYES NO The COSO framework has global acceptance and At is the recognized framenancial statements. TheIttrial balance is then referenced into the appropriate lead and supportwork for understanding and evaluating a system of internal control. has three dimensions, schedules in the audit file whereofaudit work is documented for each account in the trial as shown in Illustration 6.1. First, the COSO ing framework discusses the objectives internal balance. At Bell & Bowerman, LLP, the trial balance is referenced using the letter “A”; cash control. Second, the COSO framework discusses important components of internal control. Does the control(s) andobjectives cash equivalents in variousfit banks referenced into the C Lead; accounts receivable are NOF-0590 Third, the COSO framework discusses how these and components into are an orgac03RiskAssessmentPartI.indd Page 3-15 24/01/19 9:35 PM /208/WB02435/9781119401810/ch03/text_s exist? referenced into the E Lead; inventory accounts are referenced into the F Lead; property, plant nizational structure. and equipment are referenced into the K Lead; and so on. The first working paper example is the cash and cash equivalents lead schedule Objectives iLLuStrAtiOn 6.1 (see Illustration 5.8). The purpose of this lead is to summarize all general ledger accounts YES The relationship among the that are combined into the cash and cash equivalents account on the financial statements. Professional Skepticism and Audit Risk 3-15 three dimensions of internal The lead schedule also has adjusting journal entries, if any, that are proposed by the auditor. control: objectives, components, In the top-left corner of the lead schedule are the client name, period-end, and currency and organizational structure unit (in this example, balances are rounded to the nearest thousand dollars). In the top Test the Control environment control(s) center of the lead schedule is section identification (C). In the top-right corner, details of Auditors have a responsibility to plan and perform an audit with professional skepticism. the working paper preparer and reviewers are documented. Next, details of the cash and Risk assessment Professional skepticism is an attitude adopted by auditors when conducting all phases of the cash equivalents balance are listed. For each item listed in the lead schedule, the following audit. It means that auditors remain independentIncrease of the extent entity,ofitsdetailed management, and its staff are noted: Control activities Is the control(s) professional skepticism an when completing the audit work.NO In a practical sense, professional skepticism means ausubstantive procedures effective? Does it work? attitude that a• questionperformed at year-end ditors maintain a questioning mind and thoroughly investigate all evidence presented by the Information andincludes communication General ledger account number, per the client records. ing mind, being alert to condiclient (AS 1015.07). For example, AU-C 200.A22 states auditors should be skeptical if any of General ledger account name, per the client records. tionsMonitoring that may activities indicate• possible the following arise during the audit: misstatement due to fraud or • Preadjusted balance, any adjustments, and the audit-adjusted current-year balance per YES error, and a critical assessment of • Audit evidence recently gathered that is contradictory to other evidence previously gathered. the client’s trial balance (TB).

Organizational structure

ce

Entity Division Operating unit Function

Co m

pl ia n

s

po

rti ng

er at io n

Re

Op

Professional Skepticism

Components

Substantive Approach

Reliance on Controls Approach

the COSO Framework

audit evidence

• New information that brings into question the reliability of clientObjectives documents or responses of Internal Control • The prior-year balance, per the prior-year audit file (PY). to auditor inquiries. The COSO framework depicted in Illustration 6.1 identifies three objectives of internal control that allow organizations to focus on the differing purposes of internal control. These three • Situations that indicate the need for additional audit procedures objectives beyond what are:is required ILLUSTRATION 5.8 Working paper example: Cash lead schedule by generally accepted auditing standards. • Operations objectives. These pertain to the Client: effectiveness and efficiency of the entity’s opNew Millennium Ecoproducts Bell & Bowerman, LLP Does maintaining professional skepticism mean auditors should assume clientincluding manage-operational and financial erations, performance goals, and safeguarding assetsC–LEAD Period-end: 12/31/2022 Reference: C-Lead Currency unit: $000 ment is being dishonest? The answer is no. Auditors should not assume management against loss. is dishonest, but at the same time, auditors should not assume management is always honest or These pertain to internal and external financial and nonfinancial • Reporting objectives. correct. Using professional skepticism means that even if auditors believe management andencompass reliability, timeliness, Lead schedule: reporting and may transparency, or other terms as set those charged with governance are being honest, they should gather reliable evidence to sup- recognized standard setters, or the entity’s policies. forth by regulators, PreAdjusted port management’s responses to auditor inquiries and to support amounts and disclosures adjusted current-year • Compliance objectives. These pertain to adherence to laws and regulations to which the in the financial statements. all phases of the audit, auditors should keep these /208/WB02435/9781119401810/ch03/text_s c03RiskAssessmentPartI.indd Page 3-28 24/01/19 9:35 PMThroughout F-0590 Account balance balance entity is subject. Account name no. 12/31/2022 Adjustments 12/31/2022 questions in mind when gathering audit evidence: Is this information reliable? Do we need to perform more audit procedures? When auditors exercise professional skepticism during the 10100 Control—Integrated Cash in Bank: Wells Fargo $ 11,000 $0 $ 11,000 TB (COSO, Internal Framework, 2013) risk assessment phase, it helps to ensure they are using appropriate assumptions when develCash in Bank: U.S. Bank 134 0 134 TB 10200 oping their audit strategy that will be used in the risk response phase.These In thethree reporting phase,of internal control help the objectives auditor understand why the controls are auditors use Assessment professional skepticism when evaluating the evidence gathered and forming an important and the problems they are designed 10300 to prevent. understanding the 3-28 CHAPTE R 3 Risk Part I CashWithout in Bank: Barclays 126in0 126 TB opinion that the financial statements are presented fairly. tention of management in implementing internal controls, harder to understand 56 how 10400 CashitinisBank: Citigroup 0 56 TB controls prevent, or detect and correct, financial statement misstatements. Management • Ongoing losses. 10500 Short-Term Deposits 5,796 0 5,796 TB and those charged with governance are concerned about adequately controlling the entity’s • Rapid growth. Total Cash andregulations. Cash $17,112 $0 $17,112 operations, its financial reporting, and its compliance with laws and The exterPoor cash flowsProfessional combined withSkepticism high earnings. Audit Reasoning• Example nal auditor, on the other hand, is primarily concerned withEquivalents the reporting objectives and the objectives related to safeguarding ofKey assets. to audit tick marks (TM): • Pressure to meet market expectations and operations profit targets. Perform less extensive • Conditions detailed substantivethat may provide evidence of possible fraud. procedures at interim

Many illustrations, such as working papers and confirmations, present documents that students will encounter in a real-world audit.

Prepared by: Reviewed by: Reviewed by:

Prior-year balance 12/31/2021

KM 1/21/2023 SO 1/22/2023 MM 1/24/2023

Variance

% Variance

Ref

$ 10,500

PY

$500

5%

C01

134

PY

0

0%

C02

126

PY

0

0%

C03

50

PY

6

12%

C04

5,600

PY

196

4%

C05

Audit Reasoning Examples apply chapter concepts in brief real-world scenarios that students might encounter in a professional environment. They also provide real-world company examples of chapter concepts. $16,410

$702

4%

TB Agrees to client’s trial balance. An auditor was auditing• aPlanning recreational vehicle dealership. The auditor had obtained some to list on a(RV) stock exchange. PY Agrees to prior-year audit file. initial financial information from the client showing unaudited results for the end of the third Components of Internal Control • Planning to raise debt or renegotiate a loan. quarter. Sales were up and profit margins were up, making it the best year so far for the client. Background: No significant changes in banks or bank accounts from the prior period. Note: Analytical review on movements in the cash flows has The client being about to enter into ainventory signifi cant newshowed contract. The second dimension depicted in on Illustration 6.1 identifies Interim records showed •that inventory was also up, and the client’s records over of the COSO framework been performed the cash flow schedule — seefive A1.1. 300 RVs on hand at the •end the third quarter. Theofaudit senior wenttied tointegrated talk to the components audit manof internal control: A of signifi cant proportion remuneration to earnings (that is, bonuses or stock options). Comments: Cash and cash equivalents: In line with budget and change consistent with level of activity for the period (see also our review of the ager about the good news and the client’s performance. The audit manager asked the senior a key statement of cash flows referenced in A1.1). Short-term deposits: Although the balance is very consistent with previous period, inclusion of • Control environment. question. “You did the inventory observation last year. How many RVs did the client have then?” short-term deposits within cash and cash equivalents is acceptable (refer to C5). “I think it was about 210,” the senior replied. Then the audit manager asked, “How was the lot • Riskfull assessment. last year?” The senior replied that it was “almost overflowing” the year before. The manager then • Control activities. said, “Let’s look at this more skeptically. I don’t think they have storage capacity for another 90 I Audit Reasoning Example Fraud at Toshiba: Part RVs even though sales are up. There could be an error in the inventory records. This information makes me believe that the existence of inventory is a very high inherent risk.” You may be familiar with Toshiba Corporation, a publicly traded Japanese company headquartered in Tokyo that makes consumer electronics, household electronics, office equipment, and more. In July 2015, the CEO of Toshiba announced he was resigning amid an accounting scandal in which profits had been overstated for the past seven years by approximately $1.9 billion (224.8 billion yen). What incentives and pressures were involved that led to the fraud? The technology industry is extremely competitive and Toshiba’s upper management set aggressive profit targets. home electronics and appliances division was showing losses and the memory chip division Audit risk is the risk that The an auditor expresses an inappropriate audit opinion when financial was feeling pressure because of decreasing demand from Chinese electronics companies.6 As an statements are materially misstated (AU-C 200 Overall Objectives of the Independent Auditor example, in September 2012, the head of the digital products and service division was told by the and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards and CEO to improve a 24.8 billion yen loss into a 12 billion yen profit in just three days!7 Think about AS 1101 Audit Risk). Thishow means audit reportwould stateslearn the about financial statements aretopresented the the external auditor the incentives given lower-level management. How fairly, in all material respects, in actuality the fiabout nancial might when an internal auditor learn thesestatements incentives?contain a material

Audit Risk

c05AuditEvidence.indd Page 5-20 1/15/19 9:44 PM f-1241

error or fraud. While it is impossible to eliminate audit risk, auditors aim to reduce it to an

Opportunities to Perpetrate a Fraud

5-20

After identifying one or more incentives or pressures to commit a fraud, auditors assess whether a client’s employees have an opportunity to perpetrate a fraud. Auditors utilize their knowledge of how other frauds have been perpetrated to assess whether the same opportunities exist at the client. While the examples below of opportunities to commit a fraud suggest a fraud may have been committed, their existence does not mean a fraud has definitely occurred. Auditors must use professional judgment to assess each opportunity in the context of other risk indicators and consider available evidence thoroughly. Examples of opportunities that increase the risk that a fraud may have been perpetrated include:

Professional Environment boxes provide in-depth discussions of how concepts in a chapter are applied in the business world. transactions close to year-end.

/208/WB02435/9781119401810/ch03/text_s

• Significant adjusting entries and reversals after year-end. • Significant related-party transactions (discussed further in Chapter 4). • Poor corporate governance mechanisms. 3-32

CHAPT E R 3

• Poor of internal control (discussed further in Chapters 6 and 8). Risk Assessment Part system I • A high turnover of staff with accounting or internal control responsibilities.

Audit Decision-Making Example 6

E. Pfanner and M. Fujikawa, M. “Toshiba Slashes Earnings for be Past Seven Years,”locations The Walldue Street • Fraud risk may high in some to Journal, the opportuSeptember 7, 2015. https://www.wsj.com/articles/toshiba-slashes-earnings-for-past-7-years-1441589473 nity offered by weak internal controls. You have been assigned to the7 audit of inventory for a private K. Nagata. “Pressure to show a profit led to Toshiba’s accounting scandal,” The Japan Times, September 18, • The auditor needs to determine how internal controls afft-ect company that owns and operates a chain of retail jewelers. The 2015. http://www.japantimes.co.jp/news/2015/09/18/business/corporate-business/pressure-to-show-a-profi audit strategy, and whether the auditor wants one audit stratcompany’s sales revenue has grown by 300% in the last two years, led-to-toshibas-accounting-scandal/#.WNJjNmQrLjA egy for part of the inventory and another audit strategy for primarily by acquisitions. Seventy-eight percent of the value of the another part of the inventory. company’s inventory is in wedding rings, diamonds, gold necklaces, and high-end watches. Because the company has grown Analysis and Evaluation of Alternatives through acquisition, the company has not yet brought two acquired companies (representing 35% of sales) under the company’s Analysis of risk: inventory system. As a result, the company is currently operating • Inherent risk factors include valuable inventory that is subwith three different inventory-control systems. The core inventory ject to theft and misappropriation. system being used by retail stores represents 65% of sales. Sixty • Internal controls are not uniform. Based on prior year’s evipercent of inventory was tested in the prior year and controls over dence and a preliminary understanding of the system in the the existence of inventory were effective. current year, strong internal controls appear to operate over The CFO’s top priority is to put all retail operations under this only 60% of the inventory. one inventory-control system by the end of the fiscal year (January 31). He is particularly concerned about lower than expected • It may be more efficient to physically inspect inventory as of gross margins at some of the acquired stores, and he expects that one date and use one audit strategy for all inventory testing. better inventory control will improve this situation. In addition, • Fraud risk is considered to be high at locations where invengold prices have risen 15% in the last 12 months, and the company tory controls are not strong. is making sure it is not selling “conflict diamonds” illegally traded to fund conflict in war-torn areas of Africa. Your responsibility is Conclusions Regarding Audit Strategy for the Existence to develop an audit strategy for testing the existence of inventory.

Background Information

Identify the Audit Issue The focus of attention in this instance is to develop an audit strategy for testing the existence of inventory. The auditor may develop a different audit strategy for testing the valuation of that inventory.

Gather Information and Evidence Important information includes: • A significant portion of the inventory is high in value, small in size, and susceptible to theft. • A good system of internal controls may not be operating effectively and uniformly. • The weak gross margins in some stores may be evidence of inventory shrinkage or theft.

of Inventory

• Inherent risk is set at the maximum because inventory is high in value and susceptible to theft and misappropriation. • Control risk is set at high, as 40% of inventory may not have sufficient internal controls. • Fraud risk is considered high due to the opportunity offered by weak internal controls. • This results in setting detection risk at low. • Low detection risk impacts the nature, timing, and extent of substantive testing. For example, the auditor will plan testing of the physical existence of inventory at year-end, select a larger number of locations to visit, and vary the extent of inventory testing at each location depending on internal controls over the counting of inventory at each location.

CPAexcel CPAexcel questions and other resources are available in WileyPLUS.

Audit Evidence

Professional Environment Working with IT Auditors

• Accounts that rely on estimates and judgment (discussed further in Chapter 9).

A high volume of c03RiskAssessmentPartI.indd Page 3-32 24/01/19• 9:35 PM F-0590

CH A PT E R 5

/208/WB02435/9781119401810/ch05/text_s

Specialist IT auditors are often used in audits of clients with complex information technology (IT) environments because the effective audit of the IT systems contributes to overall audit quality. Large audit firms usually have such specialists within the firm, but smaller audit firms could engage external IT consultants for this part of the financial statement audit. In general, reliance on an IT specialist is appropriate when the financial statement auditor complies with the conditions of AU-C 620. If the IT expert and the financial statement auditor do not work well together, audit quality can be impaired. For this reason, researchers have investigated the factors that affect the way that financial statement auditors work with specialist IT auditors. Brazel12 reviewed this research evidence and drew the following conclusions. First, responses from financial statement auditors in the United States who were surveyed about their experiences with IT auditors indicated that they believe IT auditors’ competence levels vary in practice. Financial statement auditors also said that IT auditors appear to be overconfident in their abilities in some settings, and questioned the value provided by IT auditors to the financial statement audit. Second, Brazel suggests the research shows that both financial statement auditors’ IT ability and experience and the IT auditor’s competence affect how these two professions interact on an audit engagement. This indicates that audit firms need to ensure that staff training and scheduling produce appropriate combinations of financial statement auditors and IT auditors on an engagement.

Finally, Brazel argues that the research findings demonstrated that auditors need to consider the implications of finding a balance between greater software-assisted audit techniques training for financial statement auditors and greater use of IT specialists for overall audit efficiency and effectiveness. The role of IT audit specialists could grow to become even more than a support function for auditors. Some researchers suggest that in e-businesses, the external financial statement auditor’s authority will be challenged by IT audit specialists because of technological change and its impact on auditing.13 In e-businesses, economic transactions are captured, measured, and reported on a real-time basis without either internal human intervention or paper documentation.14 Auditing is likely to become more real-time and continuous to reflect the pattern of the transactions. If traditional auditors are unwilling or unable to adapt to the new environment, their role could be taken over by IT specialists. Other developments such as reporting using XBRL (eXtensible Business Reporting Language) provide challenges for auditors as they have to adapt their techniques and approaches to audit financial information that is disaggregated and tagged. Users can extract and analyze XBRL data directly without re-entry and the tag provides additional information about the calculation and source of the data. This means auditors have to recognize that their clients are reporting financial data with different levels of information and users might have greater expectations of the data. Learn more about XBRL at www.xbrl.org.

Cloud 9 - Continuing Case Josh will take responsibility for obtaining a specialist’s opinion on the derivatives. He knows that W&S Partners has other staff (who are not part of the audit team) who can provide additional expertise. However, because he believes the accounts are so material to the audit and derivatives have become such a big issue in audits in recent years, he deems an external specialist’s opinion is also required. He

has some experience of using a derivatives specialist on prior audits, and he also plans to ask Jo Wadley (the partner) to recommend a suitable specialist. Josh plans to investigate any possible connections between the specialist and Cloud 9 that could adversely impact the specialist’s objectivity before engaging him for this audit.

Work of Internal Auditors Each chapter concludes Using withthean Audit Decision-Making Example that takes students through specific steps of the audit process while offering solutions to issues presented throughout the example. internal auditors employees of the client who perform assurance and consulting activities designed to evaluate and improve the effectiveness of the entity’s governance, risk management, and internal control processes

The role of the internal audit function was introduced in Chapter 1. Internal auditors are employees of the client who perform assurance and consulting activities designed to evaluate and improve the effectiveness of the entity’s governance, risk management, and internal control processes. Not every client will have an internal audit function. For example, small and medium-sized companies, especially private companies, may not have the resources to staff an internal audit function. But if the client does have an internal audit function, what role, if any, do the internal auditors play in the financial statement audit? According to AU-C 610 12

J. F. Brazel. “How do financial statement auditors and IT auditors work together?” The CPA Journal, November, 2008, pages 38–41. A. Kotb, C. Roberts, & S. Sian. “E-business Audit: Advisory Jurisdiction or Occupational Invasion?” Critical Perspectives on Accounting 23, no. 6 (2012), pages 468–82. 14 Kotb et al., 2012. 13

Engaging Students with WileyPLUS Auditing is completely integrated with WileyPLUS, featuring a suite of teaching and learning resources developed under the close review of the authors. Driven by the same basic beliefs as the text, WileyPLUS allows students to practice their understanding of concepts and access the content and resources needed to master the material. Features of the WileyPLUS course include the following:

Student Practice Each chapter includes practice questions for each learning objective that students can review to assess their understanding of chapter topics.

Tableau Homework Assignments Tableau visualizations accompanied by questions are available with most chapters. Tableau visualizations allow students to interpret visualizations and think critically about data.

IDEA Cases Select chapters include IDEA cases that allow students to use IDEA software to analyze data. An IDEA casebook and accompanying data sets, provided by Audimation Data Analytic Software and Services, is also available.

Real-World Videos  loomberg videos accompany each chapter, B providing students with relevant examples of auditing practices in the professional world.

x

   ENGAGING STUDENTS WITH WILEYPLUS  xi

Relevant Accounting Articles Up-to-date accounting articles are posted to the Wiley accounting update site, www.wileyaccountingupdates.com. Many of these news updates direct students to news-related videos and articles that address auditing-related topics.

Adaptive Practice Adaptive practice is a tool students can use to understand the essentials of auditing. Students can answer a multiple-choice question and, based on their response, the adaptive practice software will recommend another question to help students assess their understanding of a topic. Detailed reports also help students identify where they need to focus their studies. There are hundreds of adaptive questions for students to answer in the Auditing course.

Preparing for the CPA Exam For each chapter in the WileyPLUS course, students can access CPAexcel videos, CPA Exam Practice Questions in the PrometricTM Testing Interface, and Task-Based Simulations (TBSs), which are the primary form of assessment used by the American Institute of Certified Public Accountants (AICPA). These resources: 1. Reinforce understanding of course topics. 2. Demonstrate relevance to show students how the auditing content they are learning will be assessed on the CPA exam. 3.  Build student confidence with early exposure to CPA exam questions.

CPA Exam Practice Questions in the Prometric™ Testing Interface Wiley partners with CPAexcel to provide pre-created CPA exam practice questions for each chapter that recreate the environment students will encounter on the CPA exam.

Task-Based Simulation in the Prometric™ Testing Interface CPA simulations recreate the simulation environment students will see on the CPA exam. Similar to the CPAexcel multiple-choice homework questions, instructors can assign a simulation as a gradable assignment.

CPA Exam Video Lessons Each chapter includes CPA exam text discussions and videos that provide students with insight into auditing topics commonly addressed on the CPA exams.

CPA Exam Assignment Each chapter includes one pre-created CPA exam assignment that allows instructors to assign multiple-choice questions adapted from prior CPA exams. Student performance is tied to the WileyPLUS gradebook. xii

Student Assessment Each chapter of Auditing in WileyPLUS has over 300 assessment questions that can help keep your students engaged and on track.

End-of-Chapter Assessment Questions and Problems Each Auditing text chapter concludes with over 40 gradable assessment questions and problems you can use to gauge students’ understanding and ability to apply auditing concepts, as follows: •  Multiple-Choice Questions—Available to quickly and effectively test students’ understanding of the chapter material. •  Short Answer Questions—Open-ended questions that require students to begin thinking critically about the auditing process. •  Analysis Problems—Designed after scenarios students might encounter as auditors in the business world, analysis problems assess how well students understand specific topics in a chapter.

Cases Because no two audits are alike, Auditing uses a practical, case-based approach to help students develop professional judgment, think critically about the auditing process, and develop the decision-making skills necessary to perform a real-world audit. The best way for a student to learn auditing is to actually do auditing. To help provide real-world application, we have developed the following cases: •  Audit Decision Cases—Three cases run through most of the text chapters and provide a broad review of the audit process (King Companies, Inc., Mobile Security, Inc., and Brookwood Pines Hospital). In addition, chapter-specific cases help you assess students’ understanding of topics that are the focus of a particular chapter. •  Cloud 9 Continuing Case—Requires students to apply chapter concepts to the ongoing Cloud 9 case that is highlighted in the chapter. To help you more easily identify what questions you want to assign, questions are tagged with learning objectives, professional AICPA and AACSB outcome standards, Bloom’s Taxonomy, level-of-difficulty, and a recommended time of completion. You can track student performance in the WileyPLUS gradebook.

Test Bank Each chapter of the test bank has between 130–175 questions that you can assign to students in an exam or as graded practice. Question types include true/false, multiple-choice, fill-inthe blank, and short answer questions. To help you more easily identify what questions you want to assign, questions are tagged with learning objectives, professional AICPA and AACSB outcome standards, Bloom’s Taxonomy, level-of-difficulty, and a recommended time of completion. You can track student performance in the WileyPLUS gradebook.

xiii

Acknowledgments Auditing has benefited tremendously from the input of students who have used this text’s material in class, manuscript reviewers, and those who have supported the writing. We are very appreciative of all the suggestions and comments received. The thoughts, ideas, and recommendations of reviewers, editorial staff, and ancillary authors is deeply appreciated. Anne Albrecht Texas Christian University

Walied Keshk California State University—Fullerton

Dwayne Powell Arkansas State University

Matthew Anderson Michigan State University

Katherine Kinkela Iona College

Matthew Reidenbach Pace University—New York

Marie Blouin Ithaca College

Milton Krivokuca California State University—Dominguez Hills

Gary Schneider California State University—Monterey Bay

A. Faye Borthick Georgia State University

Ellen L. Landgraf Loyola University—Chicago

Dan Schrag Baldwin Wallace University

Billy Brewster Texas State University

Betsy Lin Montclair State University

Edward B. Seibert Wesley College

Jeffrey R. Cohen Boston College

Cathy Liu University of Houston—Downtown

Jamie L. Seitz University of Southern Indiana

Laurence DeGaetano Montclair State University

Joe Looney Hofstra University

Suzanne Seymoure Saint Leo University, University Campus

Kristina Demek University of Central Florida

Roger Martin University of Virginia

Philip Slater Forsyth Technical Community College

Lisa Derouin Wisconsin Lutheran College

Linda McCann Metropolitan State University

Vicki Stewart Texas A&M University—Commerce

Raymond Elson Valdosta State University

Karen McDougal Pennsylvania State University—Brandywine

Paula Thomas Middle Tennessee State University

Reza Espahbodi Washburn University of Topeka

Linda McKeag University of Dubuque

Andrea Tietjen Caldwell College

Magdy Farag California Polytechnic University—Pomona

Mary Mindak DePaul University

Patricia Timm Northwood University—Michigan

Dale Flesher University of Mississippi

Paula Mooney Savannah State University

Madeline Trimble Illinois State University

Scott Fulkerson University of California—Santa Barbara

Grace Mubako California Stata University—Sacramento

Richard Turpen University of North Carolina—Asheville

Lori Fuller West Chester University

Christine Noel Metropolitan State University of Denver

Lisa Victoravich University of Denver

Abo-El-Yazeed Habib Minnesota State University—Manka

Connie O’Brien Minnesota State University—Mankato

Jim Vogt University of Colorado—Denver

James Hansen Weber State University

Aimee Pernsteiner University of Wisconsin—Eau Claire

Rick Warne University of Cincinnati

Julia Higgs Florida Atlantic University

Rossen Petkov Lehman College

Amanda Warren University of Tennessee—Knoxville

Karen Hooks Florida Atlantic University

Lincoln Pinto Concordia University Chicago

Barrett Wheeler Tulane University

Carol Jessup University of Illinois—Springfield

Marshall Pitman University of Texas—San Antonio

Fengyun Wu Manhattan College

Bill Joyce Bemidji State University

xiv

  Acknowledgments   xv

Ancillary Authors, Contributors, Proofreaders, and Accuracy Checkers

Eric Johnson University of Wyoming

Margaret B. Shackell-Dowell Ithaca College

Joe Johnston Illinois State University

Philip J. Slater Forsyth Technical Community College

Sanaz Aghazadeh Louisiana State University

Brett Kawada San Diego State University

Vicki Stewart Texas A & M University—Commerce

LuAnn Bean Florida Institute of Technology

Jason MacGregor Baylor University

Jaclyn Strauss Purdue Global

Joe Brazel North Carolina State University

Linda McKeag University of Dubuque

Floran Syler Azusa Pacific University

Rich Brody The University of New Mexico

Anita Morgan Indiana University

Andrea Tietjen Caldwell College

Emily Cokeley Rochester Institute of Technology

Byron Pike Minnesota State University—Mankato

Jim Vogt San Diego State University

Sheila Coomes Kansas State University

Sridhar Ramamoorti University of Dayton—Ohio

Rick Warne University of Cincinnati

Kel-Ann Eyler Georgia College and State University

Matthew Sargent University of Texas—Arlington

Gail E. Wright

Paul Franklin Purdue Global

Edward Seibert Wesley College

Amber Gray Adrian College

Tim Seidel Brigham Young University

Frederick Harmon University of Bridgeport

Jamie Seitz University of Southern Indiana

We also want to thank several individuals for their help in moving this text from concept to publication. This work would not have come to fruition without the extensive support and guidance of Emily Marcoux, Michael McDonald, Joel Hollenbeck, Ed Brislin, Matt Origoni, Valerie Vargas, Sandra Rigby, Kirsten Loose, Terry Ann Tatro, Nicola Smith, and Jackie Henry at Aptara.

Ally Zimmerman Northern Illinois University

We appreciate suggestions and comments from users— instructors and students alike. Please send us your thoughts and ideas about the text. Raymond Johnson Laura Wiley Baton Rouge, Louisiana Portland, Oregon

Table of Contents 1 Introduction and Overview of Audit and Assurance 

1-1

Assurance, Attestation, and Audit Services  1-3 Different Assurance Services  1-6 Financial Statement Audits  1-6 Compliance Audits  1-7 Operational (Performance) Audits  1-7 Internal Audits  1-8 Demand for Audit and Assurance Services  1-8 Financial Statement Users  1-9 Sources of Demand for Audit and Assurance Services  1-10 Preparers and Auditors  1-11 Preparer Responsibility  1-11 Auditor Responsibility  1-11 Assurance Providers  1-12 The Role of Regulators and Regulations  1-13 Securities and Exchange Commission (SEC)  1-13 Public Company Accounting Oversight Board (PCAOB)  1-13 American Institute of Certified Public Accountants  (AICPA) 1-15 Financial Accounting Standards Board (FASB)  1-17 Committee on Sponsoring Organizations of the Treadway   Commission (COSO)  1-18 National Association of State Boards of Accountancy   (NASBA) and State Boards of Accountancy  1-18 Audit Report on Financial Statements  1-19 Reasonable Assurance and the Financial Statements  1-19 Materiality and the Financial Statements  1-20 The Auditorʼs Report on Financial Statements  1-20 Audit Report on Internal Controls over   Financial Reporting  1-25 Reasonable Assurance and Internal Controls  1-25 The Auditor’s Report on Internal Control over Financial  Reporting 1-26 The Audit Expectation Gap  1-28

2 Professionalism and Professional Responsibilities 

2-1

Professionalism and Accounting  2-3 The Structure of the AICPA Code of Professional   Conduct  2-5 Conceptual Framework for Members   in Public Practice  2-7 Integrity and Objectivity  2-11 xvi

Independence  2-12 Key Individuals and Independence Requirements  2-13 Employment or Association with an Attest Client  2-17 Nonattest Services  2-18 SEC and PCAOB Independence Rules  2-20 General Standards  2-23 Other Rules of Conduct for Members in   Public Practice  2-24 Accounting Principles Rule  2-25 Fees and Other Types of Remuneration  2-25 Confidential Information  2-26 Auditor Liability Under Common Law  2-26 Liability to Clients  2-27 Contract Law  2-27 Tort Law  2-28 Cases Illustrating Liability to Clients  2-28 Liability to Third Parties  2-29 Burden of Proof and Common Law Defenses  2-32 Auditor Liability Under Statutory Law  2-33 The Securities Act of 1933  2-34 The Securities Act of 1934  2-35 The Foreign Corrupt Practices Act of 1977  2-36 The Private Securities Litigation Reform Acts of 1995 and  1998 2-36 The Sarbanes-Oxley Act of 2002  2-37 Criminal Liability  2-39

3 Risk Assessment Part I: Audit Risk and Audit Strategy 

3-1

Client Acceptance and Continuance Decisions  3-3 Phases of an Audit  3-8 Risk Assessment Phase  3-9 Risk Response Phase  3-9 Concluding and Reporting on an Audit  3-10 Materiality  3-10 Qualitative and Quantitative Materiality  3-11 Setting Materiality  3-11 Professional Skepticism and Audit Risk  3-14 Professional Skepticism  3-15 Audit Risk  3-15 The Audit Risk Model and Its Components  3-17 Audit Strategy  3-21 Reliance on Controls Approach  3-22 Substantive Approach  3-24 Fraud Risk  3-25 Incentives and Pressures to Commit a Fraud  3-27

  Table Opportunities to Perpetrate a Fraud  3-28 Attitudes and Rationalization to Justify a Fraud  3-29 Fraud Risk Assessment Process  3-30

4 Risk Assessment Part II:

Understanding the Client 

4-1

Understanding the Client  4-3 Gain an Understanding of the Entity  4-3 Gain an Understanding of the Industry and Business  Environment 4-8 Compliance with Laws and Regulations  4-10 Client Approaches to Measuring Performance  4-12 Profitability  4-12 Liquidity, Solvency, and Cash Flow  4-13 Analytical Procedures  4-14 Comparisons  4-14 Trend Analysis  4-15 Common-Size Analysis  4-15 Ratio Analysis  4-16 Audit Data Analytics  4-20 Factors to Consider When Conducting   Analytical Procedures  4-20 Related Parties  4-22 Corporate Governance  4-23 Internal Control and Information Technology  4-26 Closing Procedures  4-27

5 Audit Evidence 

5-1

Management Assertions  5-3 Characteristics of Audit Evidence  5-7 Sufficient Audit Evidence  5-7 Appropriate Audit Evidence  5-8 Audit Risk and Sufficient Appropriate Audit Evidence  5-9 Procedures for Gathering Audit Evidence  5-10 Inspection of Documents and Assets  5-11 Observation  5-12 Inquiry  5-12 Confirmation  5-13 Recalculation  5-15 Reperformance  5-16 Analytical Procedures  5-16 Scanning  5-16 Audit Data Analytics (ADA)  5-16 Using the Work of Others  5-18 Using the Work of a Specialist  5-18 Using the Work of Internal Auditors  5-20 Using the Work of Another Auditor  5-23 Documentation—Audit Working Papers  5-24 Permanent File  5-25 Current File  5-26

of Contents   xvii

6 Gaining an Understanding of

the Client’s System of Internal Control  6-1

Internal Control Defined  6-3 The COSO Framework  6-4 Inherent Limitations  6-6 Entity-Level Internal Controls  6-7 The Control Environment  6-7 Risk Assessment  6-10 Control Activities  6-11 Information and Communication  6-14 Monitoring Activities  6-16 Internal Control in Small Entities  6-17 Transaction-Level Internal Controls  6-19 Example Transaction Flows—Sales Process  6-19 Example Transaction Flows—Cash Receipts  6-21 Information Technology (IT) Controls  6-23 Benefits and Risks of IT Systems  6-23 IT General Controls  6-24 IT Application Controls  6-25 IT-Dependent Manual Controls  6-27 Documenting Internal Controls  6-29 Identifying Strengths and Weaknesses in a   System of Internal Controls  6-31 Management Letters  6-33

7 Audit Data Analytics 

7-1

Steps in Performing Audit Data Analytics  7-3 Step 1: Plan the Audit Data Analytics  7-5 Step 2: Access and Prepare the Data for Audit Data  Analytics 7-6 Step 3: Consider the Relevance and Reliability of the   Data Used  7-6 Step 4: Perform the Audit Data Analytics  7-7 Step 5: Evaluate the Results and Draw Conclusions  7-8 Audit Documentation  7-9 Steps Associated with Accessing and Preparing Data for   Audit Data Analytics  7-11 Is the Data Complete?  7-11 Does the Data Need to Be Cleaned?  7-11 Key Questions to Be Addressed in Evaluating the Relevance   and Reliability of Data Used in Audit Data Analytics  7-12 Using Audit Data Analytics as a Risk Assessment   Procedure  7-13 Understanding the Risk Analysis Decision Tree  7-14 What Do We Mean by Notable Items?  7-15 Tools for Searching for Notable Items  7-15 What to Do When ADA Identifies a Large Number of Items   for Further Consideration  7-16

xviii  Table of Contents  

Applying Audit Data Analytics as a Risk Assessment   Procedure  7-17 Cluster Analysis  7-18 Matching Information in Key Data Fields  7-25 Regression Analysis  7-30 Visualization  7-34 Using Audit Data Analytics as a Substantive Test  7-37 Applying Audit Data Analytics as a Substantive Test  7-38 Validating Sales Revenue and Accounts Receivable with   Subsequent Cash Receipts  7-38

8 Risk Response: Performing Tests of Controls 

8-1

Steps in Assessing Control Risk  8-3 Understand Entity-Level Controls  8-3 Understand the Flow of Transactions  8-3 Identify What Can Go Wrong (WCGW)  8-4 Identify Relevant Controls to Test  8-5 Determine Preliminary Audit Strategy  8-5 Perform Tests of Controls  8-5 Evaluate Evidence and Assess Control Risk  8-5 Reporting Findings  8-5 Types of Controls  8-7 Preventive and Detective Controls  8-7 Manual and Automated Controls  8-10 Procedures for Testing Controls  8-13 Inquiry  8-13 Observation  8-14 Inspection of Physical Evidence  8-14 Reperformance  8-14 Software-Based Audit Techniques  8-14 Selecting and Designing Tests of Controls  8-15 Which Controls Should Be Selected for Testing?  8-16 The Extent of Tests of Controls  8-17 Timing of Tests of Controls  8-21 Benchmarking  8-22 Selecting and Designing Tests of Controls—A Summary  8-23 Results of the Auditor’s Testing  8-26 Documenting Conclusions  8-29

9 Risk Response: Performing Substantive Procedures 

9-1

Audit Risk and Substantive Procedures  9-3 Risk Response at the Financial Statement Level  9-5 Nature of Substantive Procedures  9-7 Initial Procedures  9-8 Substantive Analytical Procedures  9-9 Tests of Details  9-13 ADA and Substantive Procedures  9-13

Timing of Substantive Procedures  9-14 Extent of Substantive Procedures  9-16 Auditing Accounting Estimates  9-19 Nature of Accounting Estimates  9-19 Risk Assessment Procedures for   Accounting Estimates  9-21 Risk Response Procedures for Accounting Estimates  9-22 Example of Auditing Accounting Estimates  9-24 Documenting Results of Substantive Procedures  9-26

10 Risk Response: Evaluating Audit

Data Analytics and Audit Sampling for Substantive Tests  10-1

Using Audit Data Analytics versus Audit Sampling  10-3 When to Use Audit Data Analytics  10-3 When to Use Audit Sampling  10-3 Audit Sampling Defined  10-5 Sampling Risk and Nonsampling Risk  10-6 Statistical and Nonstatistical Sampling  10-8 Sampling Methods  10-9 Random Selection  10-9 Systematic Selection  10-10 Haphazard Selection  10-11 Professional Judgment in Selecting and Evaluating   Sample Items  10-11 Factors That Influence the Sample Size—Substantive   Testing  10-11 A Basic Framework for Audit Sampling  10-14 Step 1: Determine the Objectives of the Substantive  Test 10-14 Step 2: Determine the Substantive Audit Procedures to  Perform 10-14 Step 3: Determine Whether to Audit a Sample   or the Entire Population  10-15 Step 4: Define the Population and Sampling Unit  10-16 Applying Probability-Proportionate-to-Size Sampling   for Substantive Testing  10-16 Step 5: Choose the Audit Sampling Technique  10-17 Step 6: Determine Sample Size Using Professional  Judgment 10-18 Step 7: Select a Representative Sample  10-21 Step 8: Apply Audit Procedures  10-22 Step 9: Evaluate Sample Results  10-22 Applying Nonstatistical Sampling for Substantive   Testing  10-28 Step 5: Choose the Audit Sampling Technique  10-28 Step 6: Determine Sample Size Using   Professional Judgment  10-29 Step 7: Select a Representative Sample  10-29 Step 8: Apply Audit Procedures  10-30 Step 9: Evaluate Sample Results  10-30 Step 10: Document Conclusions  10-32

  Table of Contents   xix

Appendix 10A: Applying Classical Variables   Sampling for Substantive Testing  10-33 Step 5: Apply Classical Variables Sampling  10-33 Step 6: Determine the Sample Size  10-34 Step 7: Select a Random Sample  10-37 Step 8: Apply Audit Procedures  10-37 Step 9: Evaluate the Sample Results  10-38 Step 10: Document Results  10-39

11 Auditing the Revenue Process 

11-1

Nature of the Revenue Process  11-3 Understanding the Entity and Its Environment  11-4 Understanding the Client’s Revenue Process  11-4 Analytical Procedures  11-6 Other Considerations Regarding the Entity   and Its Environment  11-8 Inherent Risks in the Revenue Process  11-9 Control Activities for Credit Sales  11-12 Example Transaction Flows—Sales Process  11-13 Identify What Can Go Wrong (WCGW) and Identify   Key Controls—Credit Sales and Accounts  Receivable 11-16 Control Activities for Cash Receipts  11-18 Example Transaction Flows—Cash Receipts  11-19 Identify WCGW and Identify Key Controls—Cash  Receipts 11-21 Control Activities for Sales Adjustments   and Revenue Process Disclosures  11-23 Granting Sales Returns and Allowances  11-23 Determining Uncollectible Accounts  11-24 Other Controls in the Revenue Process  11-24 Tests of Controls in the Revenue Process and   Audit Strategy  11-25 Tests of Controls in the Revenue Process  11-25 Fraud Risk Assessment  11-26 Audit Data Analytics as a Risk Assessment Procedure  11-27 The Risk of Material Misstatement and Audit Strategy  11-27 Substantive Tests for the Revenue Process  11-28 Initial Procedures  11-30 Substantive Analytical Procedures  11-31 Audit Data Analytics as a Substantive Test  11-31 Tests of Details of Transactions  11-32 Tests of Details of Balances  11-33 Tests of Details of Presentation and Disclosure  11-38

12 Auditing the Purchasing and Payroll Processes 

12-1

Nature of Purchase Transactions and Balances  12-3 Understanding the Entity and Its Environment  12-4 Understanding the Client’s Purchasing Process  12-4 Analytical Procedures  12-7

Other Considerations Regarding the Entity   and Its Environment  12-7 Inherent Risks in the Purchasing Process  12-8 Control Activities for Purchases  12-11 Example Transaction Flows—Credit Purchases  12-12 Identify What Can Go Wrong (WCGW) and Identify Key   Controls—Purchases and Accounts Payable  12-15 Control Activities for Cash Disbursements  12-18 Example Transaction Flows—Cash Disbursements  12-18 Identify What Can Go Wrong (WCGW) and   Identify Key Controls—Cash Disbursements  12-19 Evaluated Receipt Settlement (ERS)  12-21 Initiating an ERS Transaction  12-21 Receiving Goods  12-22 Recording Payables  12-22 Electronic Payment  12-22 Internal Controls in an ERS System  12-23 Control Activities for Purchase Adjustments and   Purchasing Process Disclosures  12-24 Purchase Returns and Allowances  12-24 Other Controls in the Purchasing Process  12-25 Tests of Controls in the Purchasing Process and   Audit Strategy  12-26 Tests of Controls in the Purchasing Process  12-26 Fraud Risk Assessment  12-27 Audit Data Analytics as a Risk Assessment Procedure  12-27 The Risk of Material Misstatement and Audit  Strategy 12-28 Substantive Procedures for the Purchasing   Process  12-28 Initial Procedures  12-30 Substantive Analytical Procedures  12-30 Audit Data Analytics as a Substantive Test  12-31 Tests of Details of Transactions  12-31 Tests of Details of Balances  12-32 Tests of Details of Presentation and Disclosure  12-33 Appendix 12A: Auditing Payroll  12-34 Explain the Nature of Payroll Transactions and   Balances  12-34 Understanding the Entity and Its Environment  12-35 Understanding the Client’s Payroll Process  12-35 Analytical Procedures  12-36 Other Considerations Regarding the Entity and Its  Environment 12-36 Inherent Risks Related to Payroll  12-37 Control Activities for Payroll  12-38 Example Transaction Flows—Payroll  12-38 Identify What Can Go Wrong (WCGW) and Identify Key  Controls—Payroll 12-40 Tests of Controls in the Payroll Process and Audit   Strategy  12-42 Tests of Controls for Payroll  12-43 Fraud Risk Assessment  12-43 Audit Data Analytics Used in Fraud Risk Assessment  12-44

xx  Table of Contents

The Risk of Material Misstatement and Audit  Strategy  12-44 Substantive Tests for the Payroll Process  12-45 Initial Procedures  12-46 Substantive Analytical Procedures  12-47 Audit Data Analytics as a Substantive Test  12-47 Tests of Details of Transactions  12-47 Tests of Details of Balances  12-48 Tests of Disclosures  12-48

13 Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts)  13-1

Auditing Cash and Cash Equivalents  13-3 Understanding the Flow of Transactions  13-3 Understanding the Entity and Its Environment  13-3 Understanding the Results of Analytical Procedures  13-4 Assessing Inherent Risk  13-4 Assessing Control Risk and Fraud Risk  13-4 Determining an Audit Strategy  13-4 Substantive Tests of Cash Balances  13-5 Auditing Inventory on the Balance Sheet  13-11 Understanding the Flow of Transactions  13-12 Understanding the Entity and Its Environment  13-12 Understanding the Results of Analytical  Procedures 13-13 Assessing Inherent Risk  13-14 Assessing Control Risk and Fraud Risk  13-15 Determining an Audit Strategy  13-18 Substantive Tests of Inventory  13-19 Auditing Property, Plant, and Equipment  13-28 Understanding the Flow of Transactions  13-28 Understanding the Entity and Its Environment  13-29 Understanding the Results of Analytical Procedures  13-30 Assessing Inherent Risk  13-31 Assessing Control Risk and Fraud Risk  13-31 Determining an Audit Strategy  13-32 Substantive Tests for Property, Plant, and Equipment  13-32 Auditing Financing Activities  13-37 Understanding the Flow of Transactions  13-38 Understanding the Entity and Its Environment  13-38 Understanding the Results of Analytical  Procedures 13-39 Assessing Inherent Risk  13-39 Assessing Control Risk and Fraud Risk  13-40 Determining an Audit Strategy  13-41 Substantive Tests of Long-Term Debt  13-41 Substantive Tests of Stockholders’ Equity  13-44

14 Completing the Audit 

14-1

Audit Procedures for Loss Contingencies  14-3 Subsequent Events  14-7 Engagement Wrap-Up  14-10 Final Analytical Procedures  14-11 Final Evaluation of Audit Findings  14-11 Completion of Working Paper Review  14-16 Engagement Quality Review  14-17 Completion of Documentation  14-17 Going Concern  14-18 Management Representation and Communication   with Those Charged with Governance  14-21 Management Representation Letter  14-21 Communication with Those Charged with Governance  14-24

15 Reporting on the Audit 

15-1

Standard Unmodified/Unqualified Audit Report  15-3 Additional Paragraph for the Standard Unmodified   Report  15-7 Going Concern Paragraph  15-7 Consistency of Financial Statements  15-8 Emphasis Added at Discretion of the Auditor  15-10 Opinion Based in Part on the Report of Another   Auditor  15-12 Modifying the Audit Opinion  15-14 Departure from Applicable Financial Reporting  Framework 15-15 Scope Limitation  15-17 Subsequently Discovered Facts  15-22 Subsequently Discovered Facts That Become Known   Before the Report Release Date  15-22 Subsequently Discovered Facts That Become Known After   the Report Release Date  15-24 Reports on the Audit of icfr  15-26 Standard Unqualified Opinion on ICFR  15-26 Modified Opinion on ICFR  15-27 Compilation and Review Engagements  15-30 Compilation of Financial Statements  15-30 Review of Financial Statements  15-32 Appendix A   Cloud 9 Inc. Audit  A-1

Cloud 9 Inc. Company Background  A-1 Personnel  A-2 Financial Information  A-2 Transcript of Meeting with David Collier  A-4

Glossary  G-1 Index   I-1

Chapter 1 Introduction and Overview of Audit and Assurance The Audit Process Overview of Audit and Assurance (Chapter 1)

Professionalism and Professional Responsibilities (Chapter 2) Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4) Identify Significant Accounts and Transactions Make Preliminary Risk Assessments

Set Planning Materiality

Gaining an Understanding of the System of Internal Control (Chapter 6)

Audit Evidence (Chapter 5)

Develop Responses to Risk and an Audit Strategy

Performing Tests of Controls (Chapter 8)

Performing Substantive Procedures (Chapter 9) Audit Sampling for Substantive Tests (Chapter 10)

Auditing the Revenue Process (Chapter 11)

Auditing the Purchasing and Payroll Processes (Chapter 12)

Audit Data Analytics (Chapter 7)

Gaining an Understanding of the Client

Auditing the Balance Sheet and Related Income Accounts (Chapter 13)

Completing and Reporting on the Audit (Chapters 14 and 15) Procedures Performed Near the End of the Audit

Drawing Audit Conclusions

Reporting

1-1

1-2  Ch a pte r 1   Introduction and Overview of Audit and Assurance

Learning Objectives LO 1  Differentiate among assurance, attestation, and audit services. LO 2  Describe the different types of assurance services. LO 3 Explain the demand for audit and assurance services. LO 4  Discuss the different roles of the financial statement preparer and the auditor.

LO 6 Explain the concepts of reasonable assurance, materiality, and the nature of an unqualified/ unmodified report on the audit of financial statements. LO 7 Explain the concept of reasonable assurance and the nature of an unqualified report on internal controls over financial reporting. LO 8  Discuss the audit expectation gap.

LO 5  Identify the roles of different regulators and organizations that affect the audit profession.

Auditing and Assurance Standards PCAOB

Auditing Standards Board

Framework for Audits of Public Companies

Framework for Audits of Private Companies

AS 2201 An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements

AU-C 200  Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Generally Accepted Auditing Standards

AS 3101 The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion

AU-C 700  Forming an Opinion and Reporting on Financial Statements

Cloud 9 - Continuing Case This text is designed to provide you with the opportunity to learn about auditing by using a practical, problem-based approach. Each chapter begins with some information about an example audit client—Cloud 9 Inc. (Cloud 9). The chapter then provides the underlying concepts and background information needed to deal with this client’s situation and the problems facing its auditor. As you work through the chapters, you will gradually build your knowledge of auditing by studying how the contents of each chapter are applied to Cloud 9. The end-of-chapter exercises and problems also provide you with the opportunity to study other aspects of Cloud 9’s audit, in addition to applying the knowledge gained in the chapter to other practical examples. Cloud 9 Inc., a listed company (publicly traded) in the United States (U.S.), is looking to expand. McLellan’s Shoes was seen as a potential target. In 1985, Ron McLellan started McLellan’s Shoes in Seattle, Washington, manufacturing and retailing customized basketball shoes. Ron borrowed from the bank to start the company, using his

house as security, and over the years he worked very hard to establish a profitable niche in the highly competitive sport shoe market. Ron repaid the bank in 1999, and he vows to never borrow again. As the business grew, Ron’s wife and three adult children started to work with him, with responsibility for administration, marketing and sales, production, and distribution. By the early 2000s, Ron’s business employed 20 people full-time, most of whom work in production. There are also several casual employees and part-time staff in the retail outlet in Seattle, particularly during busy periods. In February 2020, Ron received a call from Chip Masters, the senior vice president of Cloud 9. Chip expressed an interest in buying McLellan’s Shoes. Ron wants to retire, and his children are starting to fight among themselves about who is going to take over their father’s business. Ron is looking for an exit strategy, but he does not want Chip to know that. He asks if Chip is ready to talk about the price. Chip says he is, but first he needs to see the audited financial statements for McLellan’s Shoes.

 Assurance, Attestation, and Audit Services  1-3

Ron asks for some time. He tells Chip that he first needs to talk to his family and will then get back to him. When Ron puts the phone down, he immediately calls his friend from the golf club, Ernie Black, who is a CPA. For years, Ernie has been suggesting to Ron that his business affairs need attention. Ron is good at making deals

and working hard, but he has never bothered with sophisticated financial arrangements. He is still running his business as a sole proprietor (not a corporation), and his wife does all the tax returns. Ron is in a panic—he wants to sell McLellan’s Shoes, but what is he going to do about Chip’s request for audited financial statements?

Chapter Preview: Audit Process in Focus The purpose of this chapter is to provide an overview of assurance, attestation, and audit services. While the focus of this text is the audit of financial statements, in this chapter we define assurance and attest engagements and differentiate among the types of assurance engagements. The assurance engagements explained in this chapter include financial statement audits, compliance audits, operational (performance) audits, and internal audits. We also discuss why there is a demand for audit and assurance services and then discuss the separate roles of the financial statement preparer and the auditors. Regulatory bodies and other organizations that impact the audit profession are introduced in this chapter. Also, the audit reports issued by auditors at the completion of the audit are discussed with the goal of explaining what is communicated in the auditor’s report. We discuss the audit expectation gap in the last section of this chapter.

Cloud 9 - Continuing Case Chip Masters has asked Ron McLellan for audited financial statements of McLellan’s Shoes. Ron has never had an audit and is not sure what it involves. He has heard about tax audits, safety audits, efficiency audits, as well as financial statement audits. Are they

all the same thing? Ernie explains to Ron that there are several services that people call “audits” that are different from financial statement audits. However, all these services, including financial statement audits, can be defined as assurance services.

Assurance, Attestation, and Audit Services Lea rning Objective 1 Differentiate among assurance, attestation, and audit services. The terms assurance, attestation, and auditing are sometimes used interchangeably, but they actually represent different types of services. They are similar in that they all represent a common process of an independent accounting firm taking information prepared by someone else and comparing that information to an established set of criteria. At the end of the service, the independent accounting firm provides a written report about the results of the service performed. This process is important because it adds credibility, or integrity, to the information, which makes it more useful for decision making. An everyday example of this process would be needing a physical exam from a medical doctor before joining a sports team. The doctor would be the independent professional. The doctor would conduct the physical exam and compare your results to standards considered acceptable for someone of your age and height. At the completion of the physical exam, the doctor would provide you with written documentation stating that you were in good physical condition to play on the sports team. The service provided by the doctor improves the “integrity” of your claim that you are in good condition to participate on the team. The relationship of assurance, attestation, and auditing services is shown in Illustration 1.1 and resembles overlapping umbrellas. We will refer to Illustration 1.1 as we discuss the three services in more detail.

1-4  Ch a pte r 1   Introduction and Overview of Audit and Assurance illustration 1.1   Relationship of assurance, attestation, and auditing services

Assurance Services

Risk advisory services Examination of financial forecast

audit services  services by an independent CPA that provide financial statement users with (1) an opinion on whether the financial statements are presented fairly, in all material respects, in accordance with an applicable financial reporting framework and, in some cases, (2) an opinion on the effectiveness of ICFR, which enhance the degree of confidence that intended users can place in the financial statements

attestation services  services performed when an independent practitioner, or CPA, is engaged to issue a report on subject matter that is the responsibility of another party

Attestation Services Review of historical financial statements Audit Services Historical Internal financial controls statements

Website security

Data integrity Agreed-upon procedures

Audit services are the most specific and narrow of the three services; therefore, it is the smallest umbrella in Illustration 1.1. Two primary types of audit services are an audit of financial statements and an audit of internal controls over financial reporting (ICFR). The purpose of an audit of financial statements is to provide financial statement users with an opinion by the auditor on whether the financial statements are presented fairly in accordance with an applicable financial reporting framework. The purpose of an audit of ICFR is to provide financial statement users with an opinion by the auditor on the design and operating effectiveness of ICFR. These audit services enhance the degree of confidence that intended users can place in the financial statements (AU-C 200.04). Some key concepts in these descriptions require further explanation. The financial statements refer to historical financial statements of either a public or private company. The auditor refers to an independent certified public accountant, or CPA, who is qualified to perform the auditing service. The only professional who can sign an audit report on historical financial statements and internal controls for a public or private company is a CPA. The applicable financial reporting framework refers to the set of standards used in preparing the historical financial statements, such as generally accepted accounting principles (GAAP) in the United States, International Financial Reporting Standards (IFRS), or governmental accounting standards for governmental entities. The intended users refer to any group that will be using the financial statements to make decisions, such as investors and creditors. Companies produce financial information that goes beyond historical financial statements. Examples include financial forecasts and detailed schedules for specific accounts. When CPAs are hired to report on the integrity of this type of financial information, it is called an attestation service. Attestation services are performed when an independent practitioner, or CPA, is engaged to issue a report on subject matter that is the responsibility of another party. As depicted in Illustration 1.1, audit services fall under the umbrella of attestation services, but so do other services that involve a CPA reporting on other financial information. Note the use of the term practitioner in the definition of attestation services. The term practitioner is used rather than auditor because attestation services encompass more than just the audit of historical financial statements and internal controls. Another example of an attestation service is a review of historical financial statements. Small private companies often do not want or need a service as extensive as an audit of the financial statements in which the auditor has to express an opinion on the fair presentation of the financial statements. In a review engagement, the practitioner expresses limited assurance that no material modifications need to be made to the financial statements. So a review of historical financial statements is a less extensive and, therefore, less expensive service that

 Assurance, Attestation, and Audit Services  1-5

can be very useful for smaller private companies. A more detailed discussion of a review is presented in Chapter 15. The largest umbrella in Illustration 1.1 represents assurance services. Assurance services are independent professional services that improve the quality of information, or its context, for decision makers. Some key concepts are included in this definition. The term independent is common to audit, attestation, and assurance services. Independent implies that the service is performed by someone who was not involved with the creation of the information and who is objective in the evaluation of the information. (Chapter 2 covers the concept of independence in more depth.) The term quality refers to the relevance and reliability of the information. The term information refers to subject matter that can be financial or nonfinancial, historical or prospective, standalone data or entire systems of data, internal or external to a company. Essentially, the concept of assurance services encompasses any service that a professional provides that involves improving the quality of information that was prepared by someone else. Both attestation and audit services fall under the broad term of assurance services, and therefore are depicted under the assurance umbrella in Illustration 1.1. While the audit of a company’s historical financial statements and internal controls is the focus of this text, there are other types of audit and assurance services that warrant some discussion. The next section provides a description of these different types of services.

assurance services  independent professional services that improve the quality of information, or its context, for decision makers

Professional Environment  Becoming a CPA Certified public accountants (CPA) are the only licensed accounting professionals in the United States. CPA licenses are not issued at the national level but at the state level. To become a licensed CPA, an individual must earn the three Es – Education, Exam, and Experience.1 The first step is meeting the education requirements set by a state board of accountancy, which vary from state to state. All states require a bachelor’s degree and completion of 150 hours of total college credit to be a licensed CPA. Within the 150 hours, some states require completion of courses in specific subject areas in accounting, business, or ethics. (See the discussion in this chapter on National Association of State Boards of Accountancy (NASBA) and State Boards of Accountancy.) The second step is passing the Uniform CPA Examination, or CPA exam. The CPA exam is accepted for CPA licensure by all states, which is why it is called the “uniform” CPA exam. The CPA exam consists of four sections: Auditing and Attestation (AUD), Business Environment and Concepts (BEC), Financial Accounting and Reporting (FAR), and Regulation (REG). The testing time for

each section is four hours for a total test time of 16 hours. Each part of the exam consists of multiple-choice items and task-based simulations, and the BEC section also contains written communication items. Exam candidates can take one part of the exam at a time and have 18 months to pass all four parts once the first part has been successfully passed. The final step is work experience. Work experience requirements also vary by state. In general, states require one to two years of work experience under the supervision of a licensed CPA. The work experience can be earned either before, during, or after sitting for the CPA exam, but some restrictions may apply for when the experience can be earned. A state board of accountancy will only issue a license to practice after all three Es have been earned. The purpose of the entire licensure process is to ensure that individuals possess the level of knowledge and the skills necessary to perform the duties of a CPA and to protect the public interest.

Before You Go On 1.1  Who are intended users of assurance services? 1.2  What does “independent” mean in the context of assurance services? 1.3  What is an example of an “applicable financial reporting framework”?

1 American Institute of Certified Public Accountants, The Uniform CPA Examination: Purpose and Structure (2018), www.aicpa.org/becomeacpa/cpaexam/examoverview.

1-6  Ch a pte r 1   Introduction and Overview of Audit and Assurance

Different Assurance Services Lea rning O bjective 2 Describe the different types of assurance services. In this section, we provide an overview of the most common types of assurance services that a practitioner can provide. We will discuss financial statement audits, compliance audits, operational (performance) audits, and internal audits.

Financial Statement Audits As stated earlier, the purpose of an audit of financial statements is to provide financial statement users with an opinion by the audit firm on whether the financial statements are presently fairly in accordance with an applicable financial reporting framework, which enhances the degree of confidence that intended users can place in the financial statements (AU-C 200.04). Within a U.S. context, the applicable financial reporting framework is typically GAAP. Public companies, or issuers, in the United States are required by the federal government to have an annual financial statement audit. Private companies, or non-issuers, are not required by the U.S. government to have an annual financial statement audit, but often other interested users request that a private company provide audited financial statements. A good example would be a lender (bank or other financial institution) requesting audited financial statements when considering whether to lend money to the private company. Audited financial statements add a degree of confidence that helps the lender make an informed lending decision.

Cloud 9 - Continuing Case Ron is not running a corporation. He operates his customized basketball shoe business as a sole proprietor. He is aware that big corporations have to be audited. However, because his business is not a publicly traded company, Ron does not believe that he has to have an audit. Ernie agrees that Ron does not have to

integrated audit  an audit that combines the financial statement audit with an audit of the effectiveness of ICFR

follow the same rules, but he also tells him that there are auditing standards in place that apply to a company like his. This means that although all the attention is usually on corporations, sole proprietors can, and may be required to, have their financial statements audited, too.

Certain public companies in the United States are also required to have an audit of ICFR. The objective in an audit of ICFR is to express an opinion on the effectiveness of the company’s system of internal controls over financial reporting (AS 2201.03). The reason for requiring an audit of internal controls is because effective internal control provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes (AS 2201.02). Therefore, public companies are required to have two audits every year, one on the financial statements and one on the effectiveness of the company’s internal controls. For efficiency purposes, these two audits are performed at the same time. This is referred to as an integrated audit. The objectives of the audits are not identical, however, and the auditor must plan and perform the work to achieve the objectives of each audit (AS 2201.06). Private companies are not required by the government to have an audit of ICFR. As mentioned above, other interested users, such as a lender, may require a private company to have an audit of ICFR along with an audit of the financial statements as a condition for being approved for a loan.

Limitations of an Audit A financial statement audit is conducted to enhance the reliability and credibility of the information included in the financial statements. It is not a guarantee that the financial

  Different Assurance Services  1-7

statements are free from error or fraud. The limitations of an audit are caused by (1) the nature of financial reporting, (2) the nature of audit procedures, and (3) the need for the audit to be conducted within a reasonable period of time at a reasonable cost (AU-C 200.A49). The nature of financial reporting refers to the use of judgment when preparing financial statements due to the subjectivity required when arriving at accounting estimates. Judgment is also required when selecting and applying accounting methods. For example, depreciating a piece of equipment is an estimate that requires judgment in selecting a depreciation method and determining a useful life and salvage value. The nature of audit procedures refers to the reliance on evidence provided by the client and its management. For example, what if client management withholds or hides important documents from the auditors? If auditors are unaware of this situation, they may arrive at an inappropriate conclusion based on incomplete facts. Evidence may be withheld or modified by perpetrators of fraud. It can be difficult for an auditor to determine whether a fraud has occurred because documents altered by those committing the fraud generally hide evidence. Also, auditors often use sampling techniques when testing some transactions and account balances. If a sample is not representative of all items available for testing, an auditor may arrive at an incorrect conclusion. The nature of audit procedures also refers to the concept of materiality. The Financial Accounting Standards Board (FASB) defines materiality as follows: Information is material if omitting it or misstating it could influence decisions that users make on the basis of the financial information of a specific reporting entity. (SFAC No. 8, para QC11)

materiality  the ability of information to influence decisions that users make on the basis of the financial information of a specific reporting entity

In other words, an error or misstatement in the financial statements is considered material if it impacts, or changes, the decision-making process of those individuals or groups who are using the financial statements. Therefore, when planning an audit, auditors select audit procedures that are designed to discover material misstatements. Because of time and cost constraints, it would be impractical for an audit to focus on finding all misstatements. The timeliness and cost of a financial statement audit refer to the pressures auditors face to complete their audit within a certain time frame at a reasonable cost. While it is important that auditors do not omit procedures in an effort to meet time and cost constraints, they may be under some pressure to do so. This pressure will come from clients wanting to issue their financial statements by a certain date, from clients refusing to pay additional fees for additional audit effort, and from within the accounting firm where there are pressures to complete all audits on a timely basis to avoid incurring costs that may not be recovered. By taking the time to plan the audit properly, auditors can ensure that adequate time is spent where the risks of a material error or fraud are greatest.

Compliance Audits A compliance audit involves gathering evidence to determine whether the person or entity under review has followed the rules, policies, procedures, laws, and regulations with which they must conform. One of the best examples of a compliance audit is an income tax audit. The Internal Revenue Service (IRS) may conduct an audit of an individual or a company to determine if tax laws have been followed and the correct amount of tax paid.

compliance audit  an audit to determine whether the entity has conformed with regulations, rules, or processes

Operational (Performance) Audits Operational (performance) audits are concerned with the economy, efficiency, and effectiveness of an organization’s activities. Economy refers to the cost of inputs, including wages and materials. Efficiency refers to the relationship between inputs and outputs, or the use of the minimum amount of inputs to achieve a given output. Finally, effectiveness refers to the achievement of certain goals or the production of a certain level of outputs. From an organization’s perspective, it is important to perform well across all three dimensions and not

operational (performance) audit  an assessment of the economy, efficiency and effectiveness of an organization’s operations

1-8  Ch a pte r 1   Introduction and Overview of Audit and Assurance

allow one to dominate. For example, if buying cheap inputs results in an inefficient production process, efficiency is sacrificed to achieve economic goals. Operational audits are generally conducted by an organization’s internal auditors (discussed in the next section), or they may be outsourced to an external accounting firm.

Internal Audits internal audit  a function within an entity which generally evaluates and improves risk management, internal control procedures and elements of the governance process those charged with governance  persons with responsibility for overseeing the strategic direction of the entity and the obligations related to the accountability of the entity

Internal audits are conducted to provide assurance about various aspects of an organization’s activities. The internal audit function is typically conducted by employees of the organization being audited, but can be outsourced to an external accounting firm. The function of an internal audit is determined by those charged with governance and management within the organization. While the functions of internal audits vary widely from one organization to another, they are often concerned with evaluating and improving risk management, internal control procedures, and elements of the governance process. The internal ­auditors often conduct operational audits, compliance audits, internal control assessments, and ­reviews. Many internal auditors are members of the Institute of Internal Auditors (IIA). The IIA is an international organization with more than 120,000 members that provides guidance and standards to aid internal auditors in their work. When conducting the financial statement audit, the external auditor may rely on the work done by internal auditors when evaluating the evidence needed to form an opinion on the financial statements or on ICFR. A more detailed discussion of how internal auditors may assist with the audit is provided in Chapter 5.

Cloud 9 - Continuing Case Ron is not concerned about internal audits—his business is too small for a separate internal audit function. He is also not worried about compliance and operational audits. His priority at the

­ oment is to close the deal with Chip Masters, and he still does m not know what he will do about the financial statement audit.

Before You Go On 2.1  What is the objective of a financial statement audit? 2.2  Explain the inherent limitations of a financial statement audit. 2.3  What are the three elements of an operational audit? 2.4  What are the most common functions of the internal auditors?

Demand for Audit and Assurance Services Lea rning O bjective 3 Explain the demand for audit and assurance services. In this section, we provide an overview of the primary financial statement users followed by a description of why these users may demand an audit of the financial statements.

  Demand for Audit and Assurance Services  1-9

Cloud 9 - Continuing Case Ron believes that his business has good, reliable financial records. Ron’s wife helps him keep tight control of the cash and other assets, and together they prepare some simple reports on a regular basis. Ron believes he knows exactly what is happening in the business and monitors the business’s cash flow and profit very closely. However, he has not prepared financial statements that

comply with U.S. GAAP. Is this a problem? Ernie explains to Ron that many businesses must apply the accounting standards, even if they are not corporations. It all depends on whether there are individuals or groups who are using the financial statements for decision-making purposes. Ron is a bit worried now—how does he know if he has these users?

Financial Statement Users Financial statement users include current and potential investors, suppliers, customers, lenders, employees, governments, and the general public. Each of these groups will read the financial statements for a slightly different reason as described below.

Investors Investors generally read financial statements to determine whether they should invest in the company. They are interested in the return on their investment and are concerned that the entity will remain a going concern (continue operating) into the foreseeable future. Investors may also be interested in the capacity of the company to pay a dividend. Prospective investors read financial statements to determine whether they should buy shares in the entity.

Suppliers Suppliers may read financial statements to determine whether the company can pay for goods or services supplied. They are also interested in whether the company is likely to remain a going concern (is likely to continue to be a customer of the supplier) and continue to pay its debts when they come due.

Customers In many business-to-business transactions, customers may read financial statements to determine whether a company they rely on is likely to remain a going concern and meet their needs.

Lenders Lenders may read financial statements to determine whether an entity is sufficiently creditworthy to qualify for a loan and whether it can pay the interest and principal as they come due.

Employees Employees may read financial statements to determine whether the entity can pay their wages or salaries and other benefits (for example, pensions). They may also be interested in assessing the future stability and profitability of the entity, as these affect job security.

Governments Governments may read financial statements to determine whether the company is complying with regulations, to evaluate if the company is paying a fair amount of taxes given its reported earnings, and to gain a better understanding of the company’s activities. A company in receipt of government grants often must provide a copy of its audited financial statements when applying for a grant and when reporting on how grant funds have been spent.

1-10  C h a pte r 1   Introduction and Overview of Audit and Assurance

The General Public The general public may read financial statements to determine whether they should associate with the company (for example, as a future employee, customer, or supplier), and to gain a better understanding of the company, what it does, and its plans for the future.

Sources of Demand for Audit and Assurance Services Financial statement users and their needs are many and varied. There are a number of reasons why some or all of these users would demand an audit of financial statements. These include remoteness, complexity, competing incentives, and reliability. Each of these concepts is explained below.

Remoteness Most financial statement users do not have access to the company under review. This makes it difficult to determine whether the information contained in the financial statements is a fair presentation of the entity and its activities for the relevant period.

Complexity Financial statements are complex, the amounts are often affected by significant estimates, and the disclosures often require significant knowledge and experience to evaluate. Most financial statement users do not have the accounting and legal knowledge to assess the reasonableness of complex accounting and disclosure choices being made by the company.

Competing Incentives Company managers have an incentive to disclose the information contained in the financial statements in a way that presents their performance in the best possible light. Users may find it difficult or impossible to identify when management is presenting biased information.

Reliability Financial statement users are concerned with the reliability of the information contained in the financial statements. Since they use that information to make decisions that have real consequences, it is very important that users can rely on the information contained in the financial statements. An independent third-party review of the financial statements by a team of auditors, who have the knowledge and expertise to assess the fairness of the information being presented by the preparers, helps users address all these issues. Auditors have access to company records, so they are not remote. Auditors are trained accountants and have detailed knowledge about the complex technical accounting and disclosure issues required to evaluate the choices made by the financial statement preparers. Independent auditors, whose work is regularly reviewed by regulators, have little incentive to aid the company in presenting its results in the best possible light. Auditors are concerned with verifying the information contained in the financial statements is reliable and free from any material misstatements. The audit service plays a vital role in maintaining the stability of the U.S. capital markets. Investors in public companies consider audited information reliable, which facilitates the trading of stocks and other financial instruments.

Cloud 9 - Continuing Case Ron tells Ernie that he has no remote users, such as shareholders or lenders, and his business is not very complex. He is the owner and the manager of McLellan’s Shoes and therefore has no competing incentives. For all these reasons, he has never felt the

need to purchase an audit to assure users of the reliability of his business’s financial information. Ernie agrees but points out that there is now a user who is very interested in the reliability of the financial information: Chip Masters.

 Preparers and Auditors  1-11

Before You Go On 3.1  Who are the main users of company financial statements? 3.2  Why might financial statement users demand an audit? 3.3  Explain why auditors, or CPAs, are the appropriate professionals to conduct an audit.

Preparers and Auditors Lea rning Objective 4 Discuss the different roles of the financial statement preparer and the auditor. In this section, we explain and contrast the different responsibilities of financial statement preparers and auditors. We provide details of the role that each group plays in ensuring the financial statements are an accurate representation of the company. Following this discussion is an overview of the different firms that provide assurance services.

Preparer Responsibility As you know from your financial accounting courses, the financial statements include the balance sheet (statement of financial position), income statement (statement of comprehensive income), statement of cash flows, statement of changes in equity, and accompanying notes. It is the responsibility of management, with oversight from those charged with governance (generally the board of directors), to prepare the financial statements. Specifically, management is responsible for the following: 1. Ensuring the information included in the financial statements is presented fairly and complies with the applicable financial reporting framework, which in the United States is most often GAAP. 2. Designing, implementing, and maintaining internal control relevant to the preparation and fair presentation of the financial statements. 3. Providing the auditors with access to all records, documentation, and personnel relevant to the preparation and fair presentation of the financial statements, and any additional information the auditors may consider relevant to complete the audit. The preparation of financial statements requires the use of knowledge and judgment on the part of management. Management is responsible for making estimates for some financial statement items (e.g., allowance for doubtful accounts or a goodwill impairment) and selecting appropriate accounting policies within the applicable financial reporting framework, usually GAAP (AU-C 200.A2–A3).

Auditor Responsibility The auditor’s responsibility is to provide an opinion on whether the financial statements are presented fairly in accordance with the applicable financial reporting framework. It is important to emphasize the auditor is not responsible for preparing the financial statements. Preparation of financial statements is management’s responsibility. Auditors are responsible for the following: 1.  Conducting the audit in accordance with the appropriate auditing standards. Auditing standards provide minimum requirements and guidance for the performance of an audit. Later in this chapter, we discuss the auditing standards that apply to financial statement audits.

1-12  C h a pte r 1   Introduction and Overview of Audit and Assurance professional skepticism  an attitude that includes a questioning mind, being alert to conditions that may indicate possible misstatement due to fraud or error, and a critical assessment of audit evidence

2. Planning and performing the audit with professional skepticism. Professional skepticism is an attitude adopted by auditors when conducting an audit. It means auditors remain independent of the entity, its management, and its staff when completing the audit work. In a practical sense, it means auditors maintain a questioning mind and thoroughly investigate all evidence presented by their client. Auditors must seek independent evidence to corroborate, or confirm, information provided by their client. Auditors must be suspicious when evidence contradicts documents held by their client or inquiries made of client personnel, including management and those charged with governance.

professional judgment  the application of relevant training, knowledge, and experience in making informed decisions about the courses of action that are appropriate in the circumstances of the audit engagement

3. Planning and performing the audit with professional judgment. Professional judgment relates to the application of relevant training, knowledge, and experience that auditors use while making informed audit decisions in conducting an audit. Auditors must use their judgment throughout the entire audit. For example, auditors must use judgment when determining if an information source is reliable. They must also use judgment when deciding if enough audit evidence has been gathered to support the audit opinion. The concepts of professional skepticism and professional judgment will be addressed throughout this text as we learn about the process used by auditors to arrive at their opinion. It is important to note that the auditor’s opinion on the financial statements is not meant to be a predictor of the future success of the company. Also, the opinion is not a reflection of how effectively management is performing its role of running the company. The auditor’s opinion is simply a report on whether the financial statements are fairly presented in accordance with the applicable financial reporting framework (AU-C 200.A1).

Assurance Providers Assurance services are provided by accounting and other consulting firms. The largest accounting firms in the United States are known collectively as the “Big 4” firms: Deloitte, Ernst & Young (EY), KPMG, and PricewaterhouseCoopers (PwC). These four firms operate internationally through a network of affiliate companies, and dominate the assurance market throughout the world. The next tier of accounting firms is known as the mid-tier. The firms that comprise the mid-tier have a significant presence nationally and most have international affiliations. The mid-tier firms in the United States include, among others, Grant Thornton, BDO USA, RSM, CBIZ/Mayer Hoffman McCann, and Crowe. These firms service medium-sized and smaller clients. The next tier of accounting firms are regional and local accounting firms. Regional firms have a significant presence across multiple states in a geographical region. For example, a regional firm might have offices located in the southeastern states of Georgia, Florida, Alabama, and Mississippi. The regional offices could be as large as some of the national firms, with just as many partners and professional staff. Like the national firms, the regional firms service medium-sized and smaller clients. Local accounting firms service clients in their local areas and range in size from a single-partner firm to several-partner firms. Local firms primarily service small-company clients and individuals. Many of these accounting firms provide non-assurance (or non-audit) services as well as assurance services. Independence is not required to provide non-assurance services. These non-assurance services include management consulting, business valuation, mergers and acquisitions, tax, and accounting. In Chapter 2, we will discuss rules regarding what types of non-assurance services, if any, can be provided to audit clients. Accounting firms are not the only providers of assurance services. A number of consulting firms provide assurance services in areas such as website security and environmental sustainability reporting. Consulting firms employ staff with a variety of expertise including, for example, engineers, accountants, IT professionals, scientists, and economists.

Cloud 9 - Continuing Case Ernie stresses to Ron that any financial statements prepared for McLellan’s Shoes are Ron’s responsibility, even if they are audited. The auditor must be skeptical about the claims made by

Ron in the financial statements. These claims include, for example, that the assets shown on the balance sheet exist and are valued correctly, and that the balance sheet contains a complete list

 The Role of Regulators and Regulations  1-13

of the business’s liabilities. In other words, the auditor is not just going to believe whatever Ron tells him or her. Auditors must gather evidence about the financial statements before they can give an audit opinion. Ernie also explains to Ron that because his business is relatively small, he has a choice between large and small audit firms. Very large companies must choose a Big 4 auditor because often the other auditors are too small to do the

work and still maintain their independence. If a small audit firm audits a large company, it is open to the criticism that it will not be sufficiently skeptical because it does not want to lose the fees from that client. A large audit firm has many other clients, so the fees from any one client are a relatively small part of its revenue. Ron likes the idea that the smaller audit firms are generally less expensive.

Before You Go On 4.1  Describe management’s responsibilities in terms of the financial statement audit. 4.2  What is professional skepticism? 4.3 What are non-audit services? Provide several examples of non-audit services provided by accounting firms.

The Role of Regulators and Regulations Lea rning Objective 5 Identify the roles of different regulators and organizations that affect the audit profession. In this section, we discuss the regulators and other organizations that impact the audit process and the profession.

Securities and Exchange Commission (SEC) The SEC is a federal government agency whose mission is to protect investors, maintain fair and efficient markets, and facilitate capital formation (www.sec.gov). A primary task of the SEC is to enforce and interpret securities laws. Some of the key laws that impact the audit profession are the Securities Act of 1933, the Securities Exchange Act of 1934, and the Sarbanes-Oxley (SOX) Act of 2002. The Securities Act of 1933 regulates the disclosure of financial information in a company’s initial public offering of stock and requires that the financial information be audited. The Securities Exchange Act of 1934 regulates the ongoing trading of securities after the initial public offering and requires the annual audit of a public company’s financial statements. The SOX Act of 2002 was passed to help restore investor confidence after a series of corporate accounting scandals were revealed in the late 1990s and early 2000s. The SOX Act enhanced financial disclosures for public companies and placed more emphasis on corporate responsibility. It also created the Public Company Accounting Oversight Board, or PCAOB, which oversees the audits of public companies.

Public Company Accounting Oversight Board (PCAOB) The PCAOB is a non-profit corporation established through the SOX legislation in 2002. Its mission is to oversee the audits of public companies to protect the interests of investors

1-14  C h a pte r 1   Introduction and Overview of Audit and Assurance

(www.pcaobus.org). Prior to the creation of the PCAOB, the audit profession was self-regulated. This means that audit professionals, through their own professional organization, created the auditing standards to be followed in the conduct of an audit. The audit profession also created a system of peer review for inspecting audit work to ensure auditors were following the standards, and would take enforcement action for auditors who did not perform audits according to the standards. The audit profession is still self-regulated with respect to the audits of private companies, but when the PCAOB was created, it took over the regulation and standard setting for the audits of public companies. Standards issued by the PCAOB are called Auditing Standards (AS), which provide minimum requirements and guidance for auditing services. When the PCAOB was created, it adopted the audit profession’s standards in 2003 as its interim standards, providing a starting point for the audits of public companies. Since then the PCAOB has issued its own standards that supersede, or replace, some of the interim standards. In 2015, the PCAOB reorganized its auditing standards using a topical structure and a single, integrated numbering system. The current topical organization of the PCAOB standards is listed in Illustration 1.2. Throughout the text, you will be learning some of the specific PCAOB auditing standards in the different topical categories. The beginning of each chapter will list which PCAOB standards will be discussed in that particular chapter. You will also see references to the PCAOB standards within each chapter. The reference will begin with “AS” followed by the standard number, a decimal, and then a paragraph number, such as “AS 2201.06.” ILLUSTRATION 1.2   PCAOB Auditing Standards topical organization

General Auditing Standards (1000) 1000

General Principles and Responsibilities

1100

General Concepts

1200

General Activities

1300

Auditor Communications

Audit Procedures (2000) 2100

Audit Planning and Risk Assessment

2200

Auditing Internal Control Over Financial Reporting

2300

Audit Procedures in Response to Risks – Nature, Timing, and Extent

2400

Audit Procedures for Specific Aspects of the Audit

2500

Audit Procedures for Certain Accounts or Disclosures

2600

Special Topics

2700

Auditor’s Responsibilities Regarding Supplemental and Other Information

2800

Concluding Audit Procedures

2900

Post-Audit Matters

Auditor Reporting (3000) 3100

Reporting on Audits of Financial Statements

3300

Other Reporting Topics

Matters Relating to Filings Under Federal Securities Laws (4000) Other Matters Associated with Audits (6000) Source: www.pcaobus.org/standards/auditing.

Accounting firms that want to audit public companies must register with the PCAOB. Registration involves paying fees to the board, complying with the PCAOB’s Auditing Standards, and having their audit work inspected by the board. The PCAOB has disciplinary authority over registered firms and can impose punishment on accounting firms that do not adhere to standards. Punishments can include revoking a firm’s registration, imposing monetary fines, and banning an individual within a firm from auditing public companies.

 The Role of Regulators and Regulations  1-15

American Institute of Certified Public Accountants (AICPA) The AICPA is a private professional membership organization of CPAs representing the accounting profession. There are over 400,000 members in 145 countries (www.aicpa.org). Some key activities of the AICPA include representing the profession before rule-making bodies, acting as an advocate for the profession before legislative bodies, providing educational materials to its members, and setting ethical standards for the profession. The AICPA is also responsible for creating and grading the Uniform CPA Exam. The AICPA accomplishes many of its activities through its system of committees. One of the standing committees is the Auditing Standards Board, or ASB. Prior to the creation of the PCAOB, the ASB was responsible for issuing auditing standards used for the audits of public and private companies. Since 2003, the task of the ASB has been to issue audit standards for the audits of private companies and not-for-profit organizations only. Audit standards issued by the ASB are called Statements on Auditing Standards (SAS). In an effort to improve the clarity of auditing standards, the ASB approved new clarity standards that were effective for audit periods ending after December 15, 2012. The new clarity standards include a more comprehensive set of principles underlying an audit conducted in accordance with generally accepted auditing standards (GAAS), which are presented in Illustration 1.3. These principles explicitly address the concepts of materiality and professional skepticism. The principles describe the responsibilities of management, and those charged with governance of an entity, for the financial statements. The auditor responsibilities also address the important concepts of compliance with ethical requirements (including independence requirements) and the fact that an auditor must use professional judgment. Take a few minutes to read the principles in Illustration 1.3.

Purpose of an Audit The purpose of an audit is to provide financial statement users with an opinion by the auditor on whether the financial statements are presented fairly, in all material respects, in accordance with the applicable financial reporting framework. An auditor’s opinion enhances the degree of confidence that intended users can place in the financial statements. Premise Upon Which an Audit Is Conducted An audit in accordance with generally accepted auditing standards is conducted on the premise that management, and where appropriate, those charged with governance, have responsibility: a. for the preparation and fair presentation of the financial statements in accordance with the applicable financial reporting framework; this includes the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatements, whether due to fraud or error. b.  to provide the auditor with: i.  all information, such as records, documentation, and other matters that are relevant to the preparation and fair presentation of the financial statements; ii.  any additional information that the auditor may request from management, and where appropriate, those charged with governance; and iii. unrestricted access to those within the entity from whom the auditor determines it necessary to obtain audit evidence. Responsibilities of the Auditor Auditors are responsible for having appropriate competence and capabilities to perform the audit; complying with relevant ethical requirements; and maintaining professional skepticism and exercising professional judgment, throughout the planning and performance of the audit. Performing the Audit To express an opinion, the auditor obtains reasonable assurance about whether the financial statements as a whole are free of material misstatement, whether due to fraud or error.

illustration 1.3   Principles underlying an audit conducted in accordance with generally accepted auditing standards (GAAS)

1-16  C h a pte r 1   Introduction and Overview of Audit and Assurance illustration 1.3  

(continued)

To obtain reasonable assurance, which is a high, but not absolute, level of assurance, the auditor: • plans the work and properly supervises any assistants. • determines and applies appropriate materiality level or levels throughout the audit • identifies and assesses risks of material misstatement, whether due to fraud or error, based on an understanding of the entity and its environment, including the entity’s internal control. • o  btains sufficient appropriate audit evidence about whether material misstatements exist, through designing and implementing appropriate responses to the assessed risks. The auditor is unable to obtain absolute assurance that the financial statements are free of material misstatement because of inherent limitations, which arise from: • the nature of financial reporting; • the nature of audit procedures; and • t he need for the audit to be conducted within a reasonable period of time and so as to achieve a balance between benefit and cost. Reporting the Results of an Audit Based on an evaluation of the audit evidence obtained, the auditor expresses, in the form of a written report, an opinion in accordance with the auditor’s findings, or states that an opinion cannot be expressed. The opinion states whether the financial statements are presented fairly, in all material respects, in accordance with applicable financial reporting framework. Source: AU-C Preface.

The SASs are interpretations of the principles underlying an audit conducted in accordance with GAAS. The SASs explain the nature and extent of an auditor’s responsibility and offer guidance to an auditor in performing the audit of a private company. Compliance with the SASs is mandatory for AICPA members, who must justify any departures from the standards. The SASs are numbered in the order in which they are issued by the ASB. Then the standards are organized by topical content using the AU numbering system. (Note that the “AU” stands for auditing standards, but these are not to be confused with the Auditing Standards (AS) from the PCAOB.) The AU-C topical order (the “C” denotes the clarified standards) is listed in Illustration 1.4. Throughout the text, we will be learning some of the specific ASB auditing standards in the different topical categories. The beginning of each chapter will list which ASB standards will be discussed in that respective chapter. You will also see references to the ASB standards within the text. The reference will begin with “AU-C” followed by the standard number, a decimal, and then a paragraph number, such as “AU-C 200.05.” The ASB also issues Statements on Standards for Attestation Engagements (SSAE) and Statements on Quality Control Standards (SQCS) for AICPA member firms. Another standing committee of the AICPA is the Accounting and Review Services Committee. This committee is tasked with issuing Statements on Standards for Accounting and Review Services (SSARS). The SSARS provide guidance for services provided on historical financial statements that are less extensive than an audit. An example that we discussed earlier is a review of historical ILLUSTRATION 1.4   Auditing Standards Board AU-C topical content

AU-C Section

General Topic

AU-C 200–299

General Principles and Responsibilities

AU-C 300–499

Risk Assessment and Response to Assessed Risks

AU-C 500–599

Audit Evidence

AU-C 600–699

Using the Work of Others

AU-C 700–799

Audit Conclusions and Reporting

AU-C 800–899

Special Considerations

AU-C 900–999

Special Considerations in the United States

Source: AICPA.

 The Role of Regulators and Regulations  1-17

financial statements. A more detailed discussion of accounting and review services is provided in Chapter 15. To help summarize the audit standard-setting environment in the United States, Illustration 1.5 provides a diagram of the current audit standard setting-structure for the audits of public and private companies.

ILLUSTRATION 1.5   Auditing standard setting in the United States

Audit standard setting

Statements on Auditing Standards (SAS)

Private company (non-issuer)

Public company (issuer)

AICPA’S Auditing Standards Board (ASB)

Public Company Accounting Oversight Board (PCAOB)

Statements on Standards for Attestation Engagements (SSAE)

Statements on Quality Control Standards (SQCS)

Interpretive publications from the ASB to provide guidance to CPAs and auditors

Auditing Standards (AS)

Staff audit practice alerts from the PCAOB to provide guidance to CPAs and auditors

Professional Environment  International Auditing and Assurance Standards Board (IAASB) In 1977, 63 accountancy bodies (including the AICPA) representing 51 countries signed an agreement creating the International Federation of Accountants (IFAC). The mission of IFAC is to serve the public interest and strengthen the accountancy profession by supporting the development and implementation of high-quality international standards.2 Toward this end, IFAC has established, as a standing subcommittee, the International Auditing and Assurance Standards Board (IAASB) with the responsibility and authority to issue International Standards on Auditing (ISA). The mission of the IAASB is to establish high-quality auditing, assurance, quality control, and related services standards and to improve the uniformity of practice by professional accountants throughout the world, thereby strengthening public

confidence in the global auditing profession and serving the public interest.3 Today, auditing has become a global profession. Many countries adopt IAASB standards as their own. Other countries have auditing standards that closely resemble the IAASB standards (for example, the SAS in the United States). Where differences exist between the international standards and local standards, the local member body, such as the AICPA’s ASB, is expected to give prompt consideration to such differences with a view to achieving harmonization. In recent years, the U.S. ASB and the IAASB have worked jointly in creating auditing standards that have global acceptance. Most of the auditing principles and practices discussed in this text are consistent with IAASB standards.

Financial Accounting Standards Board (FASB) The FASB is a privately funded organization whose mission is to establish financial accounting and reporting standards for nongovernmental entities with the goal of providing information

2

International Federation of Accountants website (accessed June 5, 2018), www.ifac.org.

3

International Auditing and Assurance Standards Board website (accessed June 5, 2018), www.iaasb.org.

1-18  C h a pte r 1   Introduction and Overview of Audit and Assurance

that is useful for decision making (www.fasb.org). You are probably familiar with the FASB from your financial accounting courses. The FASB maintains the Accounting Standards Codification (ASC), which represents the authoritative standards of financial reporting recognized by the SEC, the PCAOB, and the AICPA. We commonly refer to the authoritative standards as GAAP. There are seven full-time members of the FASB who have diverse backgrounds in accounting, finance, business, and research. Members of the FASB work closely with the AICPA, SEC, and the PCAOB when researching and drafting financial accounting and reporting standards.

Committee on Sponsoring Organizations of the Treadway Commission (COSO) COSO is an independent private-sector group that focuses on providing guidance to management and expertise in the areas of internal control, enterprise risk management, and fraud deterrence (www.coso.org). COSO was organized in 1985 and is sponsored by the following organizations: the American Accounting Association (AAA), the AICPA, Financial Executives International (FEI), the Institute of Internal Auditors (IIA), and the National Association of Accountants, which is now the Institute of Management Accountants (IMA). The first chairman of the commission was James C. Treadway, Jr., a former commissioner of the SEC. The group is often referred to as the “Treadway Commission.” In 1992, COSO issued a landmark report titled Internal Control—Integrated Framework. This report provided a comprehensive definition of internal controls and a framework that companies could use to design their own internal control systems. In 2013, the framework went through a comprehensive update and was reissued. This updated framework will be covered in depth in Chapter 6.

National Association of State Boards of Accountancy (NASBA) and State Boards of Accountancy CPAs are professionals who are licensed by state governments. Each state legislature has established a state board of accountancy to license and regulate CPAs to protect the public interest. Some of the functions of a state board of accountancy include: •  Issuing CPA licenses to individuals who meet all the requirements. •  Adopting and enforcing rules of professional conduct for CPAs. •  Adopting and enforcing rules regarding continuing professional education requirements. •  Investigating complaints, conducting hearings, and taking appropriate disciplinary actions, such as suspension or revocation of the CPA license. NASBA is a professional organization whose mission is to enhance the effectiveness and advance the common interests of its members, which are the state boards of accountancy (www.nasba.org). There are actually 55 jurisdictions with boards of accountancy. They include the 50 states, the District of Columbia, the Commonwealth of the Northern Mariana Islands, Guam, Puerto Rico, and the Virgin Islands. NASBA acts as a collective voice for the boards of accountancy and works to promote the interests of the state boards with legislative and regulatory bodies. NASBA also provides education and development opportunities for its members, provides technology support, and promotes ethical behavior in the profession. One of the services NASBA provides to state boards is that it serves as the application center for individuals applying to sit for the CPA exam. When you are ready to apply to take the CPA exam, you may be asked to apply through NASBA’s website.

 Audit Report on Financial Statements  1-19

Cloud 9 - Continuing Case Ernie explains that, in general, the regulators and regulations that apply to publicly traded corporations are not relevant to McLellan’s Shoes. However, any auditor Ron engages would apply the auditing and accounting standards that are relevant to an audit

engagement when auditing a small business. Since McLellan’s Shoes is a private company, the auditors would follow the auditing standards of the ASB when conducting the audit.

Before You Go On 5.1  What is the SEC and what is its role? 5.2 Which organization sets the standards for the audits of public companies? For the audits of private companies? 5.3  What are the main functions of a state board of accountancy?

Audit Report on Financial Statements Lea rning Objective 6 Explain the concepts of reasonable assurance, materiality, and the nature of an unqualified/unmodified report on the audit of financial statements. In this section, we introduce you to the independent auditor’s report, which is the “end product” of the financial statement audit. The independent auditor’s report is used to communicate the audit firm’s opinion about a company’s financial statements to interested users. We will revisit the independent auditor’s report in more depth in Chapter 15, but it is helpful to understand this report from the perspective of a financial statement reader as you begin to learn the audit process.

Reasonable Assurance and the Financial Statements We have explained how the responsibility of the auditor is to provide an opinion on whether the financial statements are presented fairly in accordance with the applicable financial reporting framework. An opinion is defined as a judgment about matters that are subjective. The preparation of financial statements is considered somewhat subjective because management must make some estimates and choose between different accounting methods. Therefore, the auditor is only required to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error. Reasonable assurance is a high, but not absolute, level of assurance (AU-C 200.06). In other words, the auditor does not “guarantee” or “certify” that the financial statements are 100% accurate because that is considered absolute assurance, which is not possible with content that is subjective. In addition, an audit could not be completed in a reasonable amount of time if auditors had to provide absolute assurance. For some accounts and transactions, auditors use sampling techniques when gathering audit evidence and therefore do not examine 100% of a company’s transactions for the period under audit. So, how do auditors know when they have gathered enough evidence? Ultimately, that is a matter of professional judgment. Since judgment is

reasonable assurance  a high, but not absolute, level of assurance

1-20  C h a pte r 1   Introduction and Overview of Audit and Assurance

audit risk  the risk that an auditor expresses an inappropriate audit opinion when the financial statements are materially misstated

involved, there will always be a risk the auditors will give the wrong opinion. This is called audit risk. Audit risk is affected by client characteristics as well as actions of the auditor. For example, when a client implements a new accounting standard, audit risk increases because there is increased risk for error when implementing a new process. The internal control system of the client also impacts audit risk. If the client has strong internal controls, it is more likely the internal controls will prevent, or detect and correct, material misstatements, which decreases audit risk. Auditors impact audit risk by the decisions made in how to conduct the audit. For example, using a larger sample size versus a smaller sample size, in general, will decrease audit risk. The concept of audit risk is covered in depth in Chapter 3. We will devote considerable attention throughout the text to the concept of audit risk and determining how auditors make important professional judgments about collecting sufficient, appropriate evidence to achieve reasonable assurance and support the audit opinion.

Materiality and the Financial Statements Although financial statements contain approximations, they must reflect a reasonable degree of precision. However, accounting is not precise, or accurate, the way we might think of Newtonian physics as being precise. If a potential misstatement of the financial statements is significant enough to influence or make a difference in the judgment or consequential activities of a financial statement user, it is considered material. Materiality is a relative concept, and it differs from company to company and from year to year for a given company. For example, a $25,000 misstatement of revenues may be material to a company with $200,000 of net income, while a $25,000 misstatement for a company with $5,000,000 in net income may be immaterial. In addition, qualitative characteristics influence materiality. For example, an error in the financial statements may be a small percentage of an account balance. This small error, however, may be considered material because it could cause an entity to breach a loan covenant, which could result in a misclassification of current and noncurrent debt. Auditors design an audit to provide reasonable assurance that the financial statements are free of material misstatement. However, auditors do not design an audit to look for immaterial misstatements because they would not influence a financial statement user. A deeper discussion of how auditors make materiality decisions can be found in Chapter 3.

Professional Environment  Materiality In the audit of a very large company, the amount of misstatement that would be considered immaterial might be quite large. Consider the audit of The Boeing Company for the year ended December 31, 2017, when Boeing had total revenues of $93.392 billion, earnings before income taxes of $10.047 billion, net income of $8.197 billion, and total assets of $92.333 billion at December 31, 2017. Boeing rounds its financial statement amounts to the nearest $1 million. For the year ended December 31, 2017, Boeing had a return on assets of 8.99%.

As an investor, would you consider a return on assets of 8.99% or 9.00% to be substantially the same? It would take approximately a $10 million misstatement to change return on assets by only 1/100 of 1% for Boeing for the year ended December 31, 2017. Alternatively, as an investor, would you consider a return on assets of 8.99% or 8.89% to be substantially the same? It would take approximately a $100 million misstatement to change return on assets by only 1/10 of 1% for Boeing for the year ended December 31, 2017.

The Auditorʼs Report on Financial Statements When the audit firm has determined that it has gathered sufficient, appropriate evidence to form an opinion, then it is ready to issue the audit report. Auditing standards require a standard format of the audit report be used for all audits. In other words, all accounting firms use the same standard format and standard wording for reporting their audit opinions. Using a standard format makes it easier for financial statement users to navigate the audit report. There is a standard

 Audit Report on Financial Statements  1-21

report for the audit of public company financial statements and a standard report for the audit of private company financial statements. The actual process of auditing the financial statements of public and private companies is similar, but there are also some differences, which will be discussed throughout the text. One of the key differences is the format of the audit reports. Illustration 1.6 provides an example of an unmodified audit report on the financial statements of McLellan’s Shoes, a private company. If auditors have determined the financial statements are presented fairly in accordance with the applicable financial reporting framework, they issue the standard unmodified report. Take a moment to read over the report. You will see some of the key concepts we have already discussed in this chapter. Sections of the report are numbered so we can further explain each component. Explanations of each numbered component follow Illustration 1.6.

[1] Independent Auditor’s Report [2] To the owners of McLellan’s Shoes: [3] Report on the Financial Statements We have audited the accompanying financial statements of McLellan’s Shoes, which comprise the balance sheets as of December 31, 2022 and 2021, and the related statements of income, changes in equity, and cash flows for the years then ended, and the related notes to the financial statements. [4] Management’s Responsibility for the Financial Statements Management is responsible for the preparation and fair presentation of these financial statements in accordance with accounting principles generally accepted in the United States of America; this includes the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error. [5] Auditor’s Responsibility Our responsibility is to express an opinion on these financial statements based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the United States of America. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement. An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. The procedures selected depend on the auditor’s judgment, including the assessment of the risks of material misstatement of the financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity’s preparation and fair presentation of the financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control. Accordingly, we express no such opinion. An audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of significant accounting estimates made by management, as well as evaluating the overall presentation of the financial statements. We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our audit opinion. [6] Opinion In our opinion, the financial statements referred to above present fairly, in all material respects, the financial position of McLellan’s Shoes as of December 31, 2022 and 2021, and the results of its operations and its cash flows for the years then ended in accordance with accounting principles generally accepted in the United States of America. [7] Bell & Bowerman, LLP Seattle, Washington [8] February 15, 2023 Source: AU-C 700.A63 Exhibit—Illustration 1.

illustration 1.6   Example of an unmodified audit report on the financial statements of McLellan’s Shoes, a private company

1-22  C h a pte r 1   Introduction and Overview of Audit and Assurance

1. Title—The term independent is in the title of the report to emphasize the auditors are external to the company, unbiased, and therefore can provide an objective opinion. 2. Address—The report is addressed to the owners or shareholders of the company and to the board of directors, if applicable. 3. Introductory paragraph—This paragraph explains that an audit was conducted and identifies the financial statements and the date of the financial statements. 4. Management’s responsibility paragraph—This paragraph explains that management is responsible for the preparation and fair presentation of the financial statements and for the design, implementation, and maintenance of ICFR. 5. Auditor’s responsibility paragraphs—These paragraphs explain the auditors are responsible for expressing an opinion on the financial statements, for following auditing standards, for assessing the risk of material misstatement, and for obtaining reasonable assurance about the fair presentation of the financial statements. The appropriate auditing standards would be those issued by the ASB since the company is a private company. In a private company audit, auditors state they do not evaluate internal control for the purpose of expressing an opinion on internal control. The audit firm concludes with a statement that it believes it has obtained sufficient and appropriate evidence to provide a basis for its audit opinion. 6. Opinion paragraph—This paragraph clearly states the auditor’s opinion that the financial statements are fairly presented, in all material respects, in accordance with the applicable financial reporting framework, which in this example is GAAP. 7.  Signature—The firm name and location are used as the signature. 8. Date—The date represents the end of fieldwork, which is the conclusion of gathering and evaluating evidence, and drawing all conclusions for the audit. Illustration 1.7 provides an example of an unqualified audit report on the financial statements of The Boeing Company, a public company. If auditors have determined the financial statements are presented fairly in accordance with the applicable financial reporting framework, they issue the standard unqualified report. The PCAOB standards use the term unqualified report. The term unqualified is equivalent to the term unmodified used for the private company audit report. The terms are sometimes used interchangeably. Take a moment to look over the report in Illustration 1.7 and note some of the similarities and differences with the private company audit report. Again, you will see some of the key concepts discussed in this chapter. Sections of the report are numbered so we can further explain each component. Explanations of each numbered component follow Illustration 1.7. illustration 1.7   Example of an unqualified audit report on the financial statements of The Boeing Company, a public company

[1] REPORT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM [2] To the shareholders and the Board of Directors of The Boeing Company Opinion on the Financial Statements [3] We have audited the accompanying consolidated statements of financial position of The Boeing Company and subsidiaries (the “Company”) as of December 31, 2017 and 2016, the related consolidated statements of operations, comprehensive income, equity, and cash flows, for each of the three years in the period ended December 31, 2017, and the related notes (collectively referred to as the “financial statements”). In our opinion, the financial statements present fairly, in all material respects, the financial position of the Company as of December 31, 2017 and 2016, and the results of its operations and its cash flows for each of the three years in the period ended December 31, 2017, in conformity with accounting principles generally accepted in the United States of America. [4] We have also audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States) (PCAOB), the Company’s internal control over financial reporting as of December 31, 2017, based on criteria established in Internal Control – Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission and our report dated February 12, 2018, expressed an unqualified opinion on the Company’s internal control over financial reporting.

 Audit Report on Financial Statements  1-23 Basis for Opinion [5] These financial statements are the responsibility of the Company’s management. Our responsibility is to express an opinion on the Company’s financial statements based on our audits. We are a public accounting firm registered with the PCAOB and are required to be independent with respect to the Company in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB. [6] We conducted our audits in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether due to error or fraud. Our audits included performing procedures to assess the risks of material misstatement of the financial statements, whether due to error or fraud, and performing procedures that respond to those risks. Such procedures included examining, on a test basis, evidence regarding the amounts and disclosures in the financial statements. Our audits also included evaluating the accounting principles used and significant estimates made by management, as well as evaluating the overall presentation of the financial statements. We believe that our audits provide a reasonable basis for our opinion. [7] /s/ Deloitte & Touche LLP Chicago, Illinois [8] February 12, 2018 [9] We have served as the Company’s auditor since at least 1934; however, an earlier year cannot be reliably determined.

1. Title—The term independent is also in the title of this report to emphasize the auditors are external to the company, unbiased, and therefore can provide an objective opinion. In addition, the term registered is included to emphasize the firm is registered with the PCAOB. 2. Address—The report is addressed to the shareholders and board of directors of the company. 3. Opinion paragraph—The first sentence explains that an audit was conducted and identifies the financial statements and the dates of the financial statements. The second sentence states the auditor’s opinion. Note the opinion sentence is virtually identical to the opinion paragraph for the private company audit report. 4. Paragraph referencing the audit of internal control—This paragraph is unique to the public company audit report. Public companies are required to have an audit of ICFR and auditors issue a separate opinion for that audit, which is discussed in the next section. 5. Basis for opinion paragraph—This paragraph states the differing responsibilities of management and auditors. It is similar to the responsibility paragraphs of the report for private company audits, but the private company report goes into more detail regarding the responsibilities of management and auditors. One key difference is that this paragraph references registration with the PCAOB and independence requirements of the SEC and other federal securities laws. 6. Scope paragraph—This paragraph explains, in brief terms, the process of conducting an audit. It mentions the concept of reasonable assurance about whether the financial statements are free of material misstatement. It includes an explicit statement that PCAOB auditing standards were followed since it is a public company. The scope paragraph also includes a brief discussion of the professional judgments made during the audit. Finally, it concludes with a statement that the audit firm believes that its audit provides a reasonable basis for its opinion. 7. Signature—The firm name and location is used as the signature. 8. Date—The date represents the end of fieldwork, which is the conclusion of gathering and evaluating evidence, and drawing all conclusions for the audit. 9. Auditor tenure—The final component of the report is a sentence that states the year in which the firm began serving consecutively as the company’s auditor. After reviewing the standard audit reports, you may be wondering what happens if auditors conclude the financial statements are not presented fairly in accordance with the

1-24  C h a pte r 1   Introduction and Overview of Audit and Assurance

applicable financial reporting framework? Or what happens if auditors cannot gather enough evidence to form an opinion? When situations such as these occur, auditors may have to modify their opinion. Auditing standards have established three types of modified audit opinions: a qualified opinion, an adverse opinion, and a disclaimer of opinion. Illustration 1.8 provides a brief summary of situations that could cause auditors to issue a modified opinion. It is important to note that only material situations would cause auditors to modify the opinion. The discovery of immaterial errors would not prevent the issuance of an unmodified/unqualified opinion. The different types of modified reports will be covered in depth in Chapter 15, so consider Illustration 1.8 a basic introduction to the modified reports.

ILLUSTRATION 1.8   Situations that cause a modified opinion

Situation

Type of Modified Opinion

Material departure(s) from the applicable financial reporting framework and the client refuses to make corrections

•  Qualified – financial statements are presented fairly, except for the uncorrected departure(s)

Material limitation on the auditor’s ability to gather sufficient appropriate evidence, referred to as a scope limitation

•  Qualified – financial statements are presented fairly, except for the auditor’s inability to gather evidence for a material item

•  Adverse – financial statements are not presented fairly and should not be relied upon (pervasively material departures)

•  Disclaimer of opinion – auditor was not able to gather sufficient appropriate evidence and cannot express an opinion on the financial statements (pervasively material scope limitations) Auditor is not independent

•  Disclaimer of opinion – auditor is not independent and cannot express an opinion

Professional Environment  PCAOB Releases New Audit Report Prior to 2017, the standard unqualified auditor’s report had remained substantially unchanged since the 1940s. Over the years, there had been much debate about the relevance of continuing to use the same standard report, particularly in the modern information age in which investors and other users demand better and faster information. Since 2011, the PCAOB has encouraged open discussion, comments, and feedback on various proposals for making the auditor’s report more relevant to the public. Finally, on June 1, 2017, the PCAOB adopted a new auditor reporting standard, AS 3101 The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion. The standard was approved by the SEC on October 23, 2017. The standard includes two significant changes to the existing auditor’s report. The first significant change is the communication of critical audit matters, or CAM, in the audit report. A CAM is any audit matter that was communicated to or required to be communicated to the audit committee. The rationale is that if a matter is being communicated to the audit committee, it must be important and should be made available to users of the financial statements. The standard states that a CAM “relates to accounts or disclosures that

are material to the financial statements and involves especially challenging, subjective, or complex auditor judgement” (AS 3101.11). For each CAM that is included in the auditor’s report, the auditor must identify the CAM, describe why the auditor considered the item a CAM and how it was addressed during the audit, and refer to the relevant accounts or disclosures that relate to the CAM. The second significant change is the inclusion of auditor tenure in the auditor’s report. After the signature of the firm at the conclusion of the report, there is a statement that says, “We have served as the Company’s auditor since [year]” (AS 3101 Appendix B). The firm includes the year in which it began serving consecutively as the company’s auditor. The PCAOB recognizes that including CAM in the auditor’s report is a significant change. Therefore, the requirement to include CAM will go into effect for fiscal years ending on or after June 30, 2019. The other changes to the auditor’s report, including the disclosure of auditor tenure, went into effect for fiscal years ending on or after December 15, 2017.4 The audit report for The Boeing Company in Illustration 1.7 reflects the new audit report and includes the statement about auditor tenure.

4 PCAOB Release No. 2017-001, The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion.

 Audit Report on Internal Controls over Financial Reporting   1-25

Before You Go On 6.1  Why do auditors provide reasonable assurance and not absolute assurance? 6.2 Explain the concept of materiality. How does the concept of materiality relate to reasonable assurance? 6.3  What are the meanings of the terms unqualified and unmodified in the context of an audit of financial statements?

Audit Report on Internal Controls over Financial Reporting Lea rning Objective 7 Explain the concept of reasonable assurance and the nature of an unqualified report on internal controls over financial reporting. Next, we will discuss the audit report for the audit of ICFR. Recall from earlier in the chapter that only certain public companies are required to have an audit on the effectiveness of ICFR. The SEC classifies public companies into three categories based on worldwide market value (in U.S. dollars) of outstanding voting and non-voting common equity: 1.  Large accelerated filer: $700 million or more. 2.  Accelerated filer: $75 million or more but less than $700 million. 3.  Non-accelerated filer: less than $75 million. Public companies categorized as non-accelerated filers are not required to have an audit of ICFR. Therefore, when we discuss the audit of ICFR for public companies, we are referring to public companies categorized as accelerated filers and large accelerated filers.

Reasonable Assurance and Internal Controls Section 404 of the SOX legislation requires that management accept responsibility for the design and maintenance of internal controls. It also requires that management issue a report each year asserting whether internal controls over financial reporting were effective. Further, management’s claims about the effectiveness of ICFR must be audited by the independent external auditor. The reason for requiring an audit of internal controls is because effective ICFR provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes (AS 2201.02). Here again we see the phrase reasonable assurance. If internal controls are effective, then it is more likely that the financial statements will be free of material misstatements and errors. Even though internal controls may be considered effective, it does not mean they will prevent all misstatements or errors from affecting the financial statements. There is still some risk that a material error could occur on the financial statements. Even an effective system of internal controls over financial reporting will only provide reasonable assurance, not absolute assurance, that financial statements are free from material misstatement. PCAOB Auditing Standard 2201 An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements states that auditors must conduct an integrated audit for public companies. This means auditors must plan and perform their work to achieve the objectives of both the financial statement audit and the audit of the effectiveness of ICFR simultaneously. For efficiency purposes, auditors will select audit procedures that allow them to gather evidence that is useful to both of the audits. Auditors are only

1-26  C h a pte r 1   Introduction and Overview of Audit and Assurance

required to obtain reasonable assurance about whether the company maintained effective ICFR for the period under audit. Auditors cannot provide absolute assurance about the effectiveness of internal controls for the same reasons they cannot provide absolute assurance on the fair presentation of the financial statements. The design and implementation of controls is somewhat subjective and there is not enough time for auditors to test the effectiveness of all of the entity’s internal controls. Using professional judgment, auditors select the most critical internal controls over financial reporting and test the effectiveness of those controls. This will be discussed further in Chapters 6 and 8.

The Auditor’s Report on Internal Control over Financial Reporting When auditors have determined they have gathered sufficient, appropriate evidence to form an opinion on the effectiveness of ICFR, then they are ready to issue the audit report. Similar to the financial statement audit report, AS 2201 requires a standard format of the audit report be used for all audits of effectiveness of ICFR. Illustration 1.9 provides an example of an audit report on the effectiveness of ICFR for a public company. If auditors have determined the company has maintained effective ICFR for the period under audit, then they issue the standard unqualified report. Take a moment to read over the report and you will see some similarities to the financial statement audit report for a public company. illustration 1.9   Example of an unqualified audit report on the effectiveness of ICFR for The Boeing Company, a public company

[1] REPORT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM [2] To the Shareholders and Board of Directors of The Boeing Company [3] Opinion on Internal Control over Financial Reporting We have audited the internal control over financial reporting of The Boeing Company and subsidiaries (the “Company”) as of December 31, 2017, based on criteria established in Internal Control – Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). In our opinion, the Company maintained, in all material respects, effective internal control over financial reporting as of December 31, 2017, based on criteria established in Internal Control – Integrated Framework (2013) issued by COSO. [4] We have also audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States) (PCAOB), the consolidated financial statements as of and for the year ended December 31, 2017, of the Company and our report dated February 12, 2018, expressed an unqualified opinion on those financial statements. [5] Basis for Opinion The Company’s management is responsible for maintaining effective internal control over financial reporting and for its assessment of the effectiveness of internal control over financial reporting, included in the accompanying Management’s Report on Internal Control Over Financial Reporting. Our responsibility is to express an opinion on the Company’s internal control over financial reporting based on our audit. We are a public accounting firm registered with the PCAOB and are required to be independent with respect to the Company in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB. [6] We conducted our audit in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects. Our audit included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, testing and evaluating the design and operating effectiveness of internal control based on the assessed risk, and performing such other procedures as we considered necessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion. [7] Definition and Limitations of Internal Control over Financial Reporting A company’s internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial

 Audit Report on Internal Controls over Financial Reporting   1-27 statements for external purposes in accordance with generally accepted accounting principles. A company’s internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements. Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate. [8] /s/Deloitte & Touche LLP Chicago, Illinois [9] February 12, 2018

The key components of the unqualified report in Illustration 1.9 are as follows: 1. Title—The term independent is also in the title of this report to emphasize the auditors are external to the company, unbiased, and therefore can provide an objective opinion. In addition, the term registered is required to indicate that the firm is registered with the PCAOB. 2. Address—The report is addressed to the shareholders and board of directors of the ­company. 3. Opinion paragraph—The first sentence explains that an audit of ICFR was conducted and references the COSO Internal Control—Integrated Framework as the criteria used as the basis for determining if ICFR are effective. The second sentence states the auditor’s opinion. 4. Paragraph referencing the financial statement audit—This paragraph is a reference to the financial statement audit report and states the type of opinion that was given on the financial statements. 5. Basis for opinion paragraph—This paragraph states the different responsibilities of management and auditors. Like the audit report on the financial statements, this paragraph references registration with the PCAOB and independence requirements of the SEC and other federal securities laws. 6. Scope paragraph—This paragraph explains that auditors conducted their audit in accordance with the standards of the PCAOB. In brief terms, it explains the process of conducting an audit of the effectiveness of ICFR. It mentions that auditors are only required to obtain reasonable assurance about whether the company maintained, in all material respects, effective ICFR. It concludes with a statement that the audit firm believes its audit provides a reasonable basis for its opinion. 7. Definition and inherent limitations paragraph—This paragraph provides a definition of ICFR that is taken directly from AS 2201. This is helpful for users of the financial statements in case they are not familiar with the concept of internal controls. Also note the use of reasonable assurance in the definition to clarify that an internal control system does not eliminate all risk associated with the preparation of financial statements. The final sentence cautions not to use the current-year opinion to assume that future internal controls will be effective. Circumstances may change in the future that could render controls ineffective if the controls are not modified appropriately. 8. Signature—The audit firm’s name and location are used as the signature.

1-28  C h a pte r 1   Introduction and Overview of Audit and Assurance

9. Date—The date represents the end of fieldwork, which is the conclusion of gathering and evaluating evidence for the audit. Since the audits are integrated, the date on both the financial statement audit report and the audit report on the effectiveness of ICFR will be the same. material weakness  a deficiency, or combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis

What happens if auditors conclude the company did not maintain effective ICFR over the period under audit? That would mean the auditors discovered a material weakness in the client’s ICFR. The PCAOB defines a material weakness as follows: A deficiency, or combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis. (AS 2201.A7) If one or more material weaknesses are discovered during the audit, then auditors issue an adverse opinion on the effectiveness of ICFR that explicitly states the company did not maintain effective ICFR during the period under audit. AS 2201 dictates how auditors would modify the audit report to express an adverse opinion. If auditors encounter a material limitation in the scope of their work, they may consider disclaiming an opinion. We will cover these modifications in greater detail in Chapter 15.

Before You Go On 7.1 Explain the concept of reasonable assurance as it applies to a system of internal controls and to the audit of the effectiveness of internal controls. 7.2 What is management’s responsibility for internal controls as stated in the audit report on the effectiveness of internal controls? 7.3 What date is used on the audit report on the effectiveness of internal controls, and what does the date represent?

The Audit Expectation Gap LEA RNING OBJE CTIVE 8 Discuss the audit expectation gap. The overall audit expectation gap occurs when there is a difference between the expectations of auditors and financial statement users. The gap occurs when user beliefs do not align with an auditor’s professional responsibilities. In particular, the gap is caused by unrealistic user expectations such as: •  The auditor is providing absolute assurance. •  The auditor is guaranteeing the future viability of the entity. •  An unmodified audit opinion is an indicator of complete accuracy of the financial statements. •  The auditor will definitely find any and all fraud. •  The auditor has checked all transactions. The reality is that: •  An auditor provides reasonable assurance. •  The audit does not guarantee the future viability of the entity. •  An unmodified opinion indicates the auditor believes there are no material misstatements in the financial statements.

 The Audit Expectation Gap  1-29

•  The auditor will assess the risk of fraud and conduct tests to try to uncover any fraud, but there is no guarantee the auditor will find all material fraud, should one have occurred. •  The auditor tests a sample of transactions. The overall audit expectation gap is graphically represented in Illustration 1.10. In this figure, note the performance gap, which is the difference between auditor performance and auditing standards and regulations. There is also an expectation gap, which is the difference between a financial statement user’s expectations and auditing standards and regulations. illustration 1.10   Audit expectation and performance gaps

Auditor Performance

Auditing Standards and Performance Gap Regulations

•  Auditor failure to follow firm policy, standards, and regulations

Financial Statement Expectation Gap User’s Expectations

Auditor performance impacted by: •  Auditing standards •  Ethical standards •  Regulations •  Legislation •  F irm policy and procedures

Financial statement user’s expectations impacted by: •  Audit firm reputation •  Audit firm independence •  Reader’s knowledge of auditing •  Economic conditions

The performance gap can be reduced by: •  Auditors performing their duties appropriately, complying with auditing standards, and meeting the minimum standards of performance that should be expected of all auditors. •  Inspections of audits to ensure that auditing standards have been correctly applied. •  Assurance providers reporting accurately the level of assurance being provided. The audit expectation gap can be reduced by: •  Auditing standards being reviewed and updated on a regular basis to enhance the work being done by auditors. •  Education of financial statement users as to the responsibilities of preparers and auditors of financial statements. As described in this chapter, financial statement users rely on audited financial statements to make a variety of decisions. Financial statement users demand access to reliable information to help ensure the stability of financial markets. The audit profession is dedicated to providing reliable assurance services in the interest of protecting the public trust.

Cloud 9 - Continuing Case Ron believes that Chip Masters would know what an audit can provide, and what it cannot, because Chip is an experienced vice president of a large international company. He deals with auditors on a regular basis. Ron thanks Ernie for his time. Ernie has helped him to understand that preparing more detailed financial statements and

engaging an auditor to perform a financial statement audit would not be as bad as he first thought. Ron now understands why Ernie thinks audits are valuable, and not just another business expense. If Chip Masters thinks that Ron’s financial statements are more credible with an audit, then it is likely he will be prepared to pay a higher price for Ron’s business.

Before You Go On 8.1 Define the audit expectation gap. Define the audit performance gap. 8.2 What has caused the audit expectation gap? 8.3 What can be done to reduce the audit expectation gap? What can be done to reduce the audit performance gap?

1-30  C h a pte r 1   Introduction and Overview of Audit and Assurance

Learning Objectives Review 1  Differentiate among assurance, attestation, and audit-

ing services. An assurance engagement involves an assurance provider arriving at an opinion about some information being provided by their client to a third party. Attestation and auditing services are types of assurance services. A financial statement audit involves an audit firm obtaining evidence to support an opinion about the fair presentation of the financial statements, in all material respects, in accordance with an applicable financial reporting framework. 2  Describe the different types of assurance services. Assurance services include financial statement audits, audits of effectiveness over internal control of financial reporting, compliance audits, operational/performance audits, and internal audits. 3  Explain the demand for audit and assurance services. Financial statement users include investors (shareholders), suppliers, customers, lenders, employees, governments, and the general public. These groups of users demand audited financial statements due to their remoteness from the entity, accounting complexity, competing incentives between them and the entity’s managers, and their need for reliable information on which to base decisions. 4  Discuss the different roles of the financial statement

preparer and the auditor. It is the responsibility of the company’s management to prepare the financial statements in accordance with the applicable financial reporting framework. Management is also responsible for the design, implementation, and maintenance of internal control over financial reporting and for providing the auditors with access to all documentation needed to complete the audit. It is the responsibility of the auditor to form an opinion on the fair presentation of the financial statements. In doing so the auditor must utilize professional skepticism and professional judgment in the planning and performance of the audit and must adhere to the appropriate auditing standards. 5  Identify the roles of different regulators and organizations that affect the audit profession. Regulators and organizations that impact the audit profession include the Securities and Exchange Commission (SEC), the Public Company

Accounting Oversight Board (PCAOB), the American Institute of Certified Public Accountants (AICPA), the Financial Accounting Standards Board (FASB), the Committee on Sponsoring Organizations of the Treadway Commission (COSO), and the National Association of State Boards of Accountancy (NASBA). Auditors must follow the PCAOB’s Auditing Standards (AS) when auditing public companies and follow the Auditing Standards Board’s Statements on Auditing Standards (SAS) when auditing private companies. 6  Explain the concepts of reasonable assurance, materiality, and the nature of an unqualified/unmodified report on the audit of financial statements. Auditors are only required to provide reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to error or fraud. In a private company audit, if auditors determine the financial statements are presented fairly in accordance with the applicable financial reporting framework, then auditors issue the standard unmodified audit report. In a public company audit, if auditors determine the financial statements are presented fairly in accordance with the applicable financial reporting framework, then they issue the standard unqualified audit report. 7  Explain the concept of reasonable assurance and the nature of an unqualified report on internal controls over financial reporting. An effective system of ICFR provides reasonable assurance the financial statements will be free of material misstatements. Only public companies are required to have an audit of the effectiveness of ICFR. In the audit of the effectiveness of ICFR, auditors provide reasonable assurance regarding whether or not there is a material weakness in ICFR for the period under audit. If auditors have determined the company has maintained effective ICFR, then they issue the standard unqualified audit report on ICFR. 8  Discuss the audit expectation gap. The difference between what assurance providers provide and what financial statement users expect consists of two components: (1) the expectation gap, which is the difference between a financial statement user’s expectations and professional standards and regulations, and (2) a performance gap, which occurs when assurance providers do not follow professional standards. The total gap occurs when user beliefs do not align with what an auditor has actually done.

Key Terms Review Assurance services Attestation services Audit risk Audit services Compliance audit

Integrated audit Internal audit Materiality Material weakness Operational (performance) audit

Professional judgment Professional skepticism Reasonable assurance Those charged with governance

  Multiple-Choice Questions  1-31

CPAexcel CPAexcel questions and other resources are available in WileyPLUS.

Multiple-Choice Questions 1. (LO 1)  Which of the following is not a characteristic of an assurance service? a.  T he engagement is conducted by an independent professional. b.  The service lends credibility to information. c.  The subject matter is limited to financial information. d.  T  he service is useful for decision makers. 2. (LO 2)  An assurance service that determines whether the entity has conformed with regulations, rules or processes is a (an): a.  compliance audit. b.  financial statement audit. c.  internal audit. d.  o  perational audit. 3. (LO 2)  Operational (performance) audits are useful because they: a.  include a comprehensive audit. b.  are concerned with the economy, efficiency, and effectiveness of an organization’s activities. c.  i nvolve gathering evidence to determine whether the entity under review has followed the rules, policies, procedures, laws, or regulations with which they must conform. d.  ensure companies pay appropriate taxes. 4. (LO 2)  The function of internal audit is determined by:

7. (LO 5)  Which of the following organizations issues auditing standards for the audits of public companies?  CAOB. a.  P b.  SEC. c.  ASB. d.  COSO. 8. (LO 5)  The role of COSO is to: a.  establish financial accounting and reporting standards. b.  establish auditing standards for private companies. c.  prepare and grade the CPA exam. d.  provide guidance in the area of internal control and risk management. 9. (LO 6)  Auditors can only provide reasonable assurance that the financial statements are presented fairly because: a.  sampling techniques are used to gather evidence. b.  some items in the financial statements are subjective. c.  an audit must be completed in a reasonable amount of time. d.  All of these answer choices are correct. 10. (LO 6)  What is the appropriate date for an audit report? a.  The date the auditors were hired. b.  The date of the balance sheet.

a.  the external auditor.

c.  The conclusion of the gathering of evidence for the audit.

b.  the IIA.

d.  The date required by regulators.

c.  those charged with governance and management. d.  the government. 5. (LO 3)  All of the following are reasons why users would demand an audit of financial statements except: a.  complexity. b.  remoteness. c.  cost. d.  r eliability. 6. (LO 4)  Management is responsible for which of the following? a.  Preparing financial statements in accordance with the appropriate auditing standards. b.  Designing, implementing, and maintaining internal control relevant to the preparation of the financial statements. c.  Using professional skepticism in the preparation of the financial statements. d.  Issuing an opinion on whether the financial statements are presented fairly in accordance with the appropriate financial reporting framework.

11. (LO 7)  Auditors of publicly traded companies are required to perform a(an) ________ for their clients. a.  compliance audit b.  integrated audit c.  internal audit d.  operational audit 12. (LO 8)  The audit expectation gap occurs when: a.  auditors perform their duties appropriately and satisfy users’ demands. b.  user beliefs do not align with what professional standards and regulations expect of auditors. c.  inspections of audits ensure that auditing standards have been applied correctly and the standards are at the level that satisfy users’ demands. d.  the public is well educated about auditing.

1-32  C h a pte r 1   Introduction and Overview of Audit and Assurance

Review Questions R1.1  (LO 1)  What does assurance mean in the financial reporting context? Who are the three parties relevant to an assurance engagement? R1.2  (LO 1)  An assurance engagement involves evaluation or measurement of subject matter against criteria. What criteria are used in a financial statement audit? R1.3  (LO 2)  Discuss some limitations of a financial statement audit. R1.4  (LO 2)  Who would request an operational (performance) audit? Why? R1.5  (LO 3)  Why would investors in a company demand an audit of financial statements? R1.6  (LO 4)  Compare and contrast the responsibilities of preparers and auditors regarding a financial statement audit.

R1.7  (LO 5)  Describe the relationship between the SEC and the PCAOB. R1.8  (LO 5)  Compare and contrast the functions of a state board of accountancy and of NASBA. R1.9  (LO 5)  Briefly describe the principles underlying an audit conducted in accordance with GAAS that are issued by the ASB. R1.10  (LO 6)  Discuss the similarities and differences in the auditor’s reports for a public company client and a private company client. R1.11  (LO 7)  List and briefly describe the components of the auditor’s report on internal controls over financial reporting for a public company. R1.12  (LO 8)  Debate the audit expectation gap. Why do you think professional auditing standard do not give users what they want? Why do you think auditors sometimes do not meet professional standards?

Analysis Problems AP1.1  (LO 1, 2)  Basic   Research   Types of assurance engagements  A friend knows that you are studying auditing and asks you what the difference is between internal and external auditing.

Required Using what you learned in this chapter and from information from the AICPA website (www.aicpa.org) and the IIA website (www.theiia.org), compare and contrast the duties and characteristics of internal and external auditors. AP1.2  (LO 3)  Challenging   Demand for assurance  In 2002, the audit firm Arthur Andersen collapsed following charges brought against it in the United States relating to the failure of its client, Enron. Some other clients announced they would be dismissing Arthur Andersen as their auditor even before it was clear that Arthur Andersen would not survive.

Required Using the discussion in this chapter on the demand for audits, explain some reasons why these clients took this action. AP1.3  (LO 3, 4)  Moderate   Big 4 versus non-Big 4 assurance providers  Most audit firms maintain a website that explains the services offered by the firm and provides resources to their clients and other interested parties. The services offered by most firms include both audit and non-audit services.

Required Find the websites for a Big 4 audit firm and a mid-tier audit firm. Compare them on the following: a. The range of services provided. b. Geographic coverage (i.e., where their offices are located). c. Staff numbers and special skills offered. d. Industries in which they claim specialization. e. Publications and other materials provided to their clients or the general public. f. Marketing message. AP1.4  (LO 3, 4)  Challenging   Big 4 versus non-Big 4 assurance providers  Economic changes can affect how clients select their assurance providers.

Required a. In times of economic recession, would you expect the demand for audits to increase or decrease? b. Would you expect clients to shift from large (Big 4) auditors to mid-tier auditors, or from mid-tier auditors to Big 4 auditors in times of economic recession? Why or why not?

 Analysis Problems  1-33 AP1.5  (LO 5)  Basic   Research   Requirements to become a CPA  Each state has the power to determine the education and experience requirements to be a licensed CPA in that state. The power is delegated to the state board of accountancy in each state.

Required Visit the state board of accountancy website for the state in which you are attending college. What are the education and experience requirements? If you intend to begin your career in another state, also research the education and experience requirements for that state. What are the similarities and differences between the two states? AP1.6  (LO 5)  Basic   Research   Accounting firm registration  Since the creation of the PCAOB in 2003, accounting firms that wish to audit public companies must be registered with the PCAOB. Visit the PCAOB’s website (www.pcaobus.org) and browse the information.

Required Explain what is required for an accounting firm to be registered with the PCAOB. AP1.7  (LO 6, 7)  Basic   Audit reports  Auditor’s reports for The Boeing Company are provided in Illustrations 1.7 and 1.9 in this chapter. Both reports are signed by Deloitte & Touche LLP. Deloitte & Touche also audits Starbucks Corporation. Visit the Starbucks investor relations website to access the most recent annual report and 10-K. Find the auditor’s reports on the financial statements and the effectiveness of ICFR.

Required a. Compare the audit reports of The Boeing Company and Starbucks. What type of opinion did Starbucks receive on its financial statements and on the effectiveness of ICFR? b. What are the advantages of having a standard report format for all clients? AP1.8  (LO 4, 6, 8)  Moderate   Being an auditor  You have recently graduated from your university and started work with an accounting firm. You meet an old school friend, Kim, for dinner—you haven’t seen each other for several years. Kim is surprised that you are now working as an auditor because your childhood dream was to be a ballet dancer. Unfortunately, your knees were damaged in a fall and you can no longer dance. The conversation turns to your work and Kim wants to know how you do your job. Kim cannot understand why an audit is not a guarantee the company will succeed. Kim also thinks that company managers will lie to you to protect themselves, and as an auditor you would have to assume that you cannot believe anything a company manager says to you.

Required Compose a letter to Kim explaining the concept of reasonable assurance, and how reasonable assurance is determined. Explain why an auditor cannot offer absolute assurance. Describe the concept of professional skepticism and how it is not the same as assuming that managers are always trying to deceive auditors. Explain to Kim why her perceptions are a perfect example of the expectations gap. AP1.9  (LO 2, 4, 6, 7, 8)  Challenging   Limitations of an audit  You are an intern at a Big 4 accounting firm and have just finished your internship training. You feel a little overwhelmed with all of the information from the training session, and you are wondering if you are qualified to perform work that is of high-enough quality to meet the firm’s and the profession’s standards. What if you miss something or forget to do something? What if it takes you too long to complete your tasks? What if you spend time on something that is trivial and miss something that is important? You decide to review your notes from the training session and from your undergraduate audit course.

Required a. Discuss the limitations of an audit. b. Refer to the audit reports in Illustrations 1.6, 1.7, and 1.9. What are some key terms and phrases included in the reports that address these limitations? AP1.10  (LO 6)  Challenging   Research   Audit reports  On an international level, other countries have also discussed and implemented expanding the audit report to include more detail from auditors about critical audit matters (CAM). The United Kingdom (UK) has already moved to using an expanded

1-34  C h a pte r 1   Introduction and Overview of Audit and Assurance audit report. An example of the new audit report format can be found in the annual report of GlaxoSmithKline plc (GSK). Visit GSK’s investor website and download the most recent annual report. Find the auditor’s report in the Financial Statements section of the annual report.

Required a. Who are the auditors for GSK? b. What are some differences in the U.K. auditor’s report model compared with the current U.S. auditor’s report model for public companies? c. Which report model do you prefer and why? Would your answer change based on the type of user you are (lender, customer, investor)? Would your answer change if you were the preparer or auditor of the financial statements?

Cloud 9 - Continuing Case Ron McLellan established his business, McLellan’s Shoes, in 1985. Since then, he has run his business as a sole proprietor. Ron keeps records and his wife helps him prepare basic accounting records. As McLellan’s Shoes has no outside owners, Ron has never seen the need to have his accounts audited. When Chip Masters from Cloud 9 Inc. expressed an interest in buying McLellan’s Shoes in 2020, Ron was asked to provide audited financial statements. Ron discussed his concerns about having an audit with his friend Ernie Black. Ernie is concerned that Ron may forget their conversations and has asked you to prepare a summary of the issues listed below for Ron.

Required a. What are the main differences between a financial statement audit, a compliance audit, and an operational audit? b. What is the difference between reasonable assurance and absolute assurance? c. Why would Chip ask that Ron have the financial statements for McLellan’s Shoes audited rather than reviewed? d. What factors should Ron consider when selecting an accounting firm to complete the McLellan’s Shoes audit?

Chapter 2 Professionalism and Professional Responsibilities The Audit Process Overview of Audit and Assurance (Chapter 1) Professionalism and Professional Responsibilities (Chapter 2) Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4) Identify Significant Accounts and Transactions Make Preliminary Risk Assessments

Set Planning Materiality

Gaining an Understanding of the System of Internal Control (Chapter 6)

Audit Evidence (Chapter 5)

Develop Responses to Risk and an Audit Strategy

Performing Tests of Controls (Chapter 8)

Performing Substantive Procedures (Chapter 9) Audit Sampling for Substantive Tests (Chapter 10)

Auditing the Revenue Process (Chapter 11)

Auditing the Purchasing and Payroll Processes (Chapter 12)

Audit Data Analytics (Chapter 7)

Gaining an Understanding of the Client

Auditing the Balance Sheet and Related Income Accounts (Chapter 13)

Completing and Reporting on the Audit (Chapters 14 and 15) Procedures Performed Near the End of the Audit

Drawing Audit Conclusions

Reporting

2-1

2-2  Ch a pte r 2  Professionalism and Professional Responsibilities

Learning Objectives LO1  Explain what it means to be a professional and how these traits apply to auditors.

LO6  Evaluate the ethical behavior needed to comply with rules of conduct on general standards.

LO2  Explain the structure of the AICPA Code of Professional Conduct.

LO7  Evaluate the ethical behavior needed to comply with other rules of conduct for members in public practice.

LO3  Apply the conceptual framework approach to ethical decision making for members in public practice. LO4  Evaluate the ethical behavior needed to comply with rules of conduct on integrity and objectivity. LO5  Evaluate the ethical behavior needed to comply with rules of conduct on independence.

LO8  Evaluate an auditor’s legal liability under common law. LO9  Evaluate an auditor’s legal liability under statutory law.

Auditing and Assurance Standards pcaob Eth ics And Inde pendenc e R ules

AICPA Ethica l Sta ndards

3501  Definitions of Terms Employed in Section 3, Part 5 of the Rules

AICPA  Code of Professional Conduct

3502 Responsibility to Not Knowingly or Recklessly Contribute to Violations 3520 Auditor Independence 3521  Contingent Fees 3522 Tax Transactions 3523 Tax Services for Persons in Financial Reporting Oversight Roles 3524 Audit Committee Pre-approval of Certain Tax Services 3525 Audit Committee Pre-approval of Non-audit Services Related to Internal Control over Financial Reporting 3526  Communication with Audit Committees Concerning Independence

Cloud 9 - Continuing Case Ron McLellan came to an arrangement with Chip Masters and sold McLellan’s Shoes to Cloud 9 Inc. (Cloud 9) in 2021. As part of the sale agreement, Ron McLellan was appointed to the Cloud 9 board of directors.

The accounting firm W&S Partners is bidding for the January 31, 2023, audit of Cloud  9. The partner responsible for writing the proposal, Jo Wadley, asks Sharon Gallagher and Josh Thomas to assist. Sharon will be the audit manager if the proposal

 Professionalism and Accounting  2-3

is successful. Her task is to help write the proposal documents and win the job for the firm. However, even more importantly, she must make sure that there are no surprises for the audit team once they win the audit. Sharon knows how crucial this is. She still has nightmares about an audit she worked on when she was a new graduate at another audit firm. The client in that case threatened to dismiss the auditor when the auditor wanted him to recognize an impairment loss on some assets. The client was the firm’s largest account, and the partner was under a lot of pressure to keep the client.

Josh is an audit senior. He has not been involved in the proposal process before and needs the experience so he can be promoted to audit manager. Sharon and Josh do not know anything about Cloud 9 except that it manufactures and retails customized basketball and other sports shoes, and it is a publicly listed U.S. company. Sharon stresses to Josh that they want to know that the client is not going to be difficult to deal with and that W&S Partners can do a good job on the audit. Josh asks how they can know that now, before they start the audit.

Chapter Preview: Audit Process in Focus The purpose of this chapter is to provide an overview of professionalism and the professional responsibilities of a certified public accountant and auditor. We begin this chapter with a discussion of what it means to be a professional. The term professional is often used in a number of contexts. This introductory section discusses the various uses of the term and focuses on the relevance of the term for certified public accountants (CPAs) and auditors. A code of professional ethics is a critical part of any profession’s commitment to serve the public interest. A significant portion of this chapter focuses on the Code of Professional Conduct of the American Institute of Certified Public Accountants (AICPA). This section begins with a discussion of the organization of the AICPA Code of Professional Conduct, followed by a discussion of how to use the Code’s conceptual framework for ethical decision making. It then explores the Code’s rules related to (1) integrity and objectivity, (2) independence, (3) general standards, and (4) other rules of conduct for members in public practice. Since you are studying to be an accountant or a CPA, you should develop the ability to evaluate various situations and to appropriately apply the rules of conduct as circumstances dictate. An overview of the auditor’s legal responsibilities and liability is discussed next. An auditor’s legal responsibilities fall into two broad categories. The first is an auditor’s responsibilities under common law. Common law is a general law, such as law related to contracts, and it is derived from principles based on justice, reason, and common sense rather than absolute, fixed, or inflexible rules. The principles of common law are determined by the social needs of the community or the state. Second, the chapter discusses the auditor’s responsibilities under securities law. Securities laws have been written to address the auditor’s responsibilities related to the new issue of a security, or related to the trading of securities on various exchanges. All auditors should understand their legal obligations to clients and the third-party investors who rely on their reports.

Professionalism and Accounting LEAR NING OBJECTI VE 1 Explain what it means to be a professional and how these traits apply to auditors. Is public accounting a recognized profession? If so, what does it mean to be part of a recognized profession? What rights come with being part of a recognized profession? Further, what responsibilities come with being part of a recognized profession? Is being a professional about expertise and about quality of work in a chosen occupation, or is it something more? These are important questions, and the answers are often misunderstood by many. These issues were covered well by Robert K. Mautz in a 1988 editorial in Accounting Horizons,1 and his views are summarized below. 1 Robert K. Mautz, “Public Accounting: What Kind of Professionalism?” Accounting Horizons 2, no. 3/4 (1998), pp. 121–125.

2-4  Ch a pte r 2  Professionalism and Professional Responsibilities

One way that professionals are commonly defined is by level of expertise. Professional athletes are often referred to as “pros” because of their skill and level of expertise. The same term may be used related to virtually any occupation as a way of recognizing an individual’s high level of skill. In the competitive world, the high level of skill is usually well rewarded, and the public often measures success of competitors in monetary terms. Robert Mautz refers to this definition of a professional as an expert competitor (EC professional). In the context of an EC professional, the profession is usually defined by the line of work or occupation (e.g., football, basketball, coaching, or consulting). Another way to define a professional, or a profession, relates to a profession’s responsibility and concern for the public interest. Such professions include medicine, architecture, and public accounting. Robert Mautz refers to this definition of a professional by its concern for the public interest (CPI professional). CPI professions are often recognized by a specialized body of knowledge, a formal education process, standards governing admission to the profession, a code of ethics, recognized status indicated by a license, a public interest in the work that practitioners perform, and the recognition by practitioners of an obligation to society. The cornerstone of the public accounting profession is recognized in the public interest in the work done by CPAs. State governments (through state boards of accountancy) grant a CPA license to individuals who complete the required education, pass a professional examination (the CPA exam), and complete an experience requirement. Upon obtaining a CPA license, a CPA has the unique right to sign an audit or attest report, and to sign tax returns as a tax preparer (a right that is also granted to licensed tax preparers). Upon becoming licensed as a CPA, individuals also agree to accept the responsibility to follow professional standards (e.g., accounting and auditing standards) and a code of professional conduct (usually written into state rules or law). CPAs also have an obligation to keep their education current by taking continuing professional education. This chapter will cover the AICPA Code of Professional Conduct that is recognized by many state boards of accountancy. Chapter 1 summarized the demand for auditing and the need for auditors to be independent of management when serving the public interest by reporting on financial statements. The accounting profession has also seen firsthand the consequences of not fully meeting the demand from the public of providing reasonable assurance that financial statements are free of material misstatement. During the late 1990s and the first few years of the twenty-first century, auditors failed to find many material misstatements on a timely basis, and many times management had to restate earnings due to material misstatements. The public was not satisfied with the quality of audits of public companies. The result was the Sarbanes-Oxley Act of 2002 (SOX) and the creation of the PCAOB to provide oversight of the auditors of public companies. However, the events that led to additional regulation of the accounting profession need some perspective. When there were significant restatements of earnings, about 8% of all public companies had to restate their earnings. Eight percent was sufficient to shake the confidence of the securities markets in reported financial statements. For all that the accounting profession did right, the view was that the profession needed to do better. That said, it is important to understand that many CPAs who work as chief financial officers put fair presentation of the financial statements, and their obligation to society, ahead of their obligation to their employers. Further, many CPAs in public practice think about their responsibility to the public first and their responsibility to their clients second; they expect their own well-being will work out if they take these other responsibilities seriously.

Professional Environment The Ethics of WorldCom: Misplaced Motives, Weaknesses, and Heroism

In July 2002, WorldCom announced that it had understated expenses by over $3.8 billion (the number eventually was adjusted to over $11 billion) and the company filed for bankruptcy. This was one of the largest accounting frauds in U.S. history and the size of the accounting fraud and bankruptcy at WorldCom shook investor confidence already weakened by the prior restatement of financial statements by companies like Enron, Waste Management, and

Sunbeam. The misstatement at WorldCom propelled Congress to pass SOX. WorldCom was led by CEO Bernie Ebbers, who was focused on delivering growth through acquisitions. The acquisition strategy reached new heights when WorldCom acquired MCI Communications in 1998. Continued growth through merger demanded increasing stock prices. In 2000,

 The Structure of the AICPA Code of Professional Conduct  2-5 the company’s stock experienced a decline and, in an effort to bolster stock prices, Scott Sullivan, WorldCom CFO, asked accountants in the corporate headquarters to begin a scheme of booking quarter-end journal entries that resulted in capitalizing costs that should have been expensed. After being fired in 2002, Scott Sullivan was indicted by the Justice Department. He subsequently pleaded guilty to fraud and acknowledged that he willingly deceived investors. He also testified against CEO Bernie Ebbers and stated that Ebbers was fully aware of the accounting fraud. Scott Sullivan was sentenced to 5 years in prison and Bernie Ebbers was sentenced to, and is serving, 25 years in prison. Some of the accountants at WorldCom who participated in the fraud included Buford Yates, Jr., Betty Vinson, and Troy Normand. Mr. Normand was a CPA who worked at WorldCom from 1997 to 2002. While he questioned CFO Scott Sullivan about the journal entries that he was asked to write, during testimony Mr. Normand was asked if he ever conducted any analysis to determine whether the accounting was accurate. He answered that he did not perform any such analysis and that he never obtained any accounting justification for the entries he was asked to make. In short, Troy Norman, Betty Vinson, and Buford Yates, Jr., did not find a way to stand up to Scott Sullivan and investigate the proper accounting treatment. Rather, they subordinated their judgment to the judgment of others (mainly Scott Sullivan). However, there were those at WorldCom who did not subordinate their professional judgment. The public learned about WorldCom’s financial fraud through the hard work of several “auditing heroes” led by Cynthia Cooper, then aged 38 and WorldCom’s vice president for internal auditing, who took her public interest responsibilities seriously. What did Cynthia Cooper and her staff of internal auditors do to uncover the financial fraud? The internal audit team:

•  Followed up on an email from a local newspaper article about a former employee in WorldCom’s Texas office who had been fired after he raised questions about a minor accounting matter involving capital expenditures. •  Recognized that $2 billion in capital expenditures had not been authorized as part of the capital budget process. •  Did not settle for glib answers from the director of financial planning who described the $2 billion in capital expenditures as “prepaid capacity” but could not explain the nature of “prepaid capacity.” •  Uncovered over $500 million in capitalized computer costs that were not supported by vendor’s invoices. •  Demonstrated their independence by continuing to investigate the capitalization of line costs (fees paid to lease portions of other companies’ telephone networks) even when instructed by CFO Scott Sullivan to delay this particular internal audit until the third quarter. The issue came to a head when Cynthia Cooper and her audit team brought evidence of the improper capitalization of expense to the chairman of WorldCom’s audit committee. The audit committee instructed the internal auditors to work with WorldCom’s new external auditor, KPMG. Within a week, the internal and external auditors compiled evidence of financial fraud for the audit committee and the external auditors concluded that the accounting treatment was not in accordance with generally accepted accounting principles. CFO Scott Sullivan was given the opportunity to make his case to the audit committee, but the committee members were not persuaded. The next day, the audit committee and the board of directors made public the $3.8 billion restatement of earnings due to the fact that costs had been capitalized that should have been expensed. The audit committee and board of directors also fired Scott Sullivan.

Before You Go On 1.1  Do EC professionals exist in public accounting firms? Explain. 1.2  Explain the concept of the CPI professional and how it applies to auditors. 1.3  Would you call a plumber an EC professional or a CPI professional? Explain your reasoning.

The Structure of the AICPA Code of Professional Conduct LEAR NING OBJECTI VE 2 Explain the structure of the AICPA Code of Professional Conduct. Professional ethics represent a commitment by a profession to abide by ethical principles and rules of conduct. A commitment to ethical behavior is a key element that separates recognized professions from other occupations. A code of ethics usually represents standards of behavior that are both idealistic and practical in purposes. Although codes of ethics may be designed

2-6  Ch a pte r 2  Professionalism and Professional Responsibilities

in part to encourage ideal behavior, they must also be both practical and enforceable. To be meaningful they must strike a balance of being above the law but below the ideal. The adherence of professionals to a code of ethics significantly affects the reputation of the profession and the confidence in which it is held. The AICPA Code of Professional Conduct (the Code) provides guidance to all members of the AICPA with respect to performance of their professional responsibilities. The AICPA is an organization (discussed in Chapter 1) that represents the accounting profession, and membership is voluntary. However, CPAs must be licensed by state boards of accountancy. The state boards of accountancy and the AICPA work together on many professional issues. Further, many state boards of accountancy have incorporated the AICPA Code of Professional Conduct in state rules so that it applies to all CPAs in the state. The Code consists of principles, rules, interpretations, and other guidance for AICPA members. Each of these components is described below. principles  express the basic tenets of ethical conduct and provide the framework for the rules that govern the performance of the member’s professional responsibilities rules of conduct  establish minimum standards of acceptable conduct in the performance of professional services interpretations  provide additional guidance regarding the scope and applicability of the rules of conduct

ILLUSTRATION 2.1   Structure of the AICPA Code of Professional Conduct

•  Principles express the basic tenets of ethical conduct and provide the framework for the rules that govern the performance of a member’s professional responsibilities. The principles are not enforceable. •  Rules of conduct establish minimum standards of acceptable conduct in the performance of professional services. The AICPA bylaws require that members adhere to the rules of the code. The rules of conduct are enforceable and members must be prepared to justify departures from the rules of conduct. •  Interpretations provide additional guidance regarding the scope and applicability of the rules of conduct. A member who departs from the interpretations shall have the burden of justifying such departure in any disciplinary hearing. The AICPA Code of Professional Conduct can be found online at the AICPA website (www.aicpa.org). The Code is searchable using key words. There are also a series of hyperlinks within the Code that make it easy to find related topics. The Code can also be downloaded in PDF format. The Code is organized in four major sections as presented in Illustration 2.1: (1) a preface applicable to all AICPA members; (2) Part 1, which includes ethical rules for members

Preface: Applicable to All Members   .100  Overview of the Code of Professional Conduct   .200  Structure and Application of the Code of Professional Conduct   .300  Principles of the Code of Professional Conduct   .400  Definitions   .500  Nonauthoritative Guidance   .600  New, Revised and Pending Interpretations and Other Guidance   .700  Deleted Interpretations and Other Guidance Part 1: Members in Public Practice 1.000  Introduction and Conceptual Framework for Members in Public Practice 1.100  Integrity and Objectivity 1.200  Independence 1.300  General Standards 1.310  Compliance with Standards 1.320  Accounting Principles 1.400  Act Discreditable 1.500  Fee and Other Types of Remuneration 1.600  Advertising and Other Forms of Solicitation 1.700  Confidential Information 1.800  Form of Organization and Name

  Conceptual Framework for Members in Public Practice   2-7 Part 2: Members in Business 2.000  Introduction and Conceptual Framework for Members in Business 2.100  Integrity and Objectivity 2.310  Compliance with Standards 2.320  Accounting Principles 2.400  Act Discreditable Part 3: Other Members 3.000  Introduction 3.400  Act Discreditable

in public practice (usually CPAs in CPA firms); (3) Part 2, which includes ethical rules for members in business (such as a CFO, a controller, or an accountant working in industry or government); and (4) Part 3, which includes ethical rules for other members (e.g., non-CPA members of the AICPA). If an individual has a good understanding of this structure, it is easier to search and determine appropriate solutions to ethical dilemmas. The remainder of the discussion of the Code will focus on explaining the Conceptual Framework for Members in Public Practice as well as some key rules that are relevant to members in public practice.

Before You Go On 2.1  What is the purpose of the AICPA ethical principles? Explain their enforceability. 2.2  What is the purpose of the AICPA ethical rules? Explain their enforceability. 2.3  What is the purpose of the AICPA ethical interpretations? Explain their enforceability.

Conceptual Framework for Members in Public Practice lear ning objecti ve 3 Apply the conceptual framework approach to ethical decision making for members in public practice. The rules in the AICPA Code of Professional Conduct and related interpretations seek to address many situations for members in public practice. However, the rules and interpretations cannot address every possible relationship or circumstance that might arise. Thus, in the absence of a rule or an interpretation, a CPA should use the conceptual framework to evaluate what to do. The Code and the conceptual framework relate to all work performed by CPAs in public practice, audit engagements, tax engagements, accounting services performed for clients, or consulting engagements. Ultimately, a CPA should evaluate whether a relationship or circumstance would lead a reasonable and informed third party, who is aware of the relevant information, to conclude there is a threat to the CPA’s compliance with the rules and the threat is not capable of being reduced to an acceptable level.

ILLUSTRATION 2.1   (continued)

2-8  Ch a pte r 2  Professionalism and Professional Responsibilities

In situations where there is not a specific rule or interpretation that relates to a relationship or circumstance, the CPA should follow the steps outlined in Illustration 2.2. The following discussion explains each of these steps. ILLUSTRATION 2.2   Conceptual framework flowchart

Step 1

Identify Threats

Threats Identified

Step 2

Evaluate Significance of Threats

Threats Significant

Step 3

Identify and Apply Safeguards

Step 4

Evaluate the Effectiveness of Safeguards No Threats Identified

Threats Not Significant

Are Threats at an Acceptable Level?

NO

STOP

Decline or Terminate Engagement

YES

Proceed with Engagement

Step 5

Document Threats and Safeguards Applied

Step 1: Identify threats. CPAs interact with clients in a number of circumstances. CPAs need to be alert to a possible relationship or situation that might cause a threat to their compliance with ethical rules. Following is a discussion of seven common threats that CPAs in public practice should be alert to, irrespective of the services the CPA is engaged to perform: adverse interest threat  the threat that a CPA will not act with objectivity because the CPA’s interests are opposed to the client’s interests advocacy threat  the threat that a CPA will promote a client’s interests or position to the point that his or her objectivity or independence is compromised

•  Adverse interest threat. An adverse interest threat is the threat that a CPA will not act with objectivity because the CPA’s interests are opposed to the client’s interests. For example, an adverse interest threat exists if a client has expressed an intention to begin litigation against the CPA regarding the quality of tax work previously performed. •  A  dvocacy threat. An advocacy threat is the threat that a CPA will promote a client’s interests or position to the point that his or her objectivity or independence is compromised. For example, an advocacy threat exists if the CPA provides expert witness services to a client in litigation or dispute with a customer regarding a licensing arrangement. Once the CPA is advocating for a client, the CPA is no longer objective. An advocacy threat would also exist if a firm acts as an investment adviser to an officer or director of a client.

familiarity threat  the threat that, due to a long or close relationship with a client, a CPA will become too sympathetic to the client’s interests or too accepting of the client’s work or product

•  Familiarity threat. A familiarity threat is the threat that, due to a long or close relationship with a client, a CPA will become too sympathetic to the client’s interests or too accepting of the client’s work or product. For example, a familiarity threat would exist if a CPA’s immediate family member were employed by the client in a key position (such as the CFO). A familiarity threat would also exist if a former partner or professional employee of an audit firm joined the client as its CFO and had knowledge of the firms’ policies and practices for the audit engagement.

management participation threat  the threat that a CPA will take on the role of client management or otherwise assume management responsibilities

•  Management participation threat. A management participation threat is the threat that a CPA will take on the role of client management or otherwise assume management responsibilities. For example, a CPA may have a small business client, and the owner asks the CPA’s firm to do various bookkeeping services for the client. Providing bookkeeping services may cause the CPA to make various management decisions, which

  Conceptual Framework for Members in Public Practice   2-9

is a threat to the firm’s objectivity and independence. This may also put an accounting firm in a position of auditing its own work. •  Self-interest threat. A self-interest threat is the threat that a CPA could benefit, financially or otherwise, from an interest in, or relationship with, a client or persons associated with the client. For example, a self-interest threat exists when a CPA has a financial interest in the client, or a CPA’s spouse enters into employment negotiations for a key position with a client. A self-interest threat also exists if a firm has an excessive reliance on the revenues from a single client.

self-interest threat  the threat that a CPA could benefit, financially or otherwise, from an interest in, or a relationship with, a client or persons associated with the client

•  Self-review threat. A self-review threat is the threat that a CPA will not appropriately evaluate the results of a previous judgment made by, or service performed by, an individual in the CPA’s firm, and that the CPA will rely on that work in forming a judgment as part of an engagement. For example, a self-review threat exists if a CPA performs bookkeeping services for a private company client and that work needs to be evaluated by the same firm in the course of an attest engagement. (Attest engagements are explained in Chapter 1.)

self-review threat  the threat that a CPA will not appropriately evaluate the results of a previous judgment made by, or service performed by, an individual in the member’s firm, and that the CPA will rely on that work in forming a judgment as part of an engagement

•  U  ndue influence threat. An undue influence threat is the threat that a CPA will subordinate his or her judgment to an individual associated with a client or any relevant third party due to that individual’s reputation or expertise, aggressive or dominant personality, or attempts to coerce or exercise excessive influence over the CPA. For example, an undue influence threat exists if a client threatens to dismiss a firm from the current engagement, or if the client indicates that it will not award additional engagements, if the firm continues to disagree with the client on an accounting or tax matter. Step 2: Evaluate the significance of threats. If a CPA has identified a threat resulting from a relationship or circumstance, he or she should evaluate the significance of the threat. CPAs should evaluate identified threats both individually and in aggregate. The standard a CPA should use to determine if the threat is at an acceptable level is whether a reasonable and informed third party, who is aware of the relationship or circumstance, would conclude that a CPA is in compliance with the rules of the Code. If a CPA concludes the threat is not at an acceptable level, the CPA should proceed to Step 3, identify and apply safeguards.

undue influence threat  the threat that a CPA will subordinate his or her judgment to an individual associated with a client or any relevant third party due to that individual’s reputation or expertise, aggressive or dominant personality, or attempts to coerce or exercise excessive influence over the CPA

Cloud 9 - Continuing Case Familiarity is usually a greater issue for existing clients than for new clients, such as Cloud 9 for W&S Partners. However, there could be personal familiarity issues in any audit engagement. Josh is worried about asking the partners and management of the firm to declare their relationships with the management of Cloud 9.

He thinks they might regard that question as impertinent. Sharon tells Josh that she knows that the partners and managers at W&S Partners are very committed to ethical behavior. If they were not to ask this question as part of the process of accepting the new client, Sharon and Josh would be disciplined for poor performance.

Step 3: Identify and apply safeguards. There are three basic types of safeguards. The first is safeguards created by the profession (e.g., the safeguards suggested in the rules of the Code), legislation, or regulation. A CPA should be familiar with both the Code and regulatory rules that might apply. Safeguards are often suggested in these rules to guide a CPA. Second are safeguards implemented by a client. For example, a board of directors might take steps to remove a familiarity threat by reassigning a key person. However, it is not possible for an accounting firm to rely solely on safeguards implemented by the client to eliminate or reduce significant threats to an acceptable level. Finally, an accounting firm can implement safeguards within the firm. In a large accounting firm, safeguards might involve rotating someone off the engagement, or conducting an independent review of the work by another CPA. In a small accounting firm, appropriate safeguards might include the involvement of another firm. Step 4: Evaluate the effectiveness of safeguards. If a CPA concludes that threats are at an acceptable level after applying the identified safeguards, then the CPA may proceed with the professional service. However, if there are no safeguards that would eliminate the threat or reduce it to an acceptable level, or the CPA is unable to implement effective safeguards, the CPA should decline or terminate the engagement.

2-10  C h a pte r 2  Professionalism and Professional Responsibilities

Step 5: Document threats and safeguards applied. When safeguards are applied to reduce a threat to an acceptable level, best practice calls for the CPA to document the identified threats, the safeguards applied, and the CPA’s evaluation of the effectiveness of the safeguards. Consider the following example. An accounting firm is attempting to grow its audit practice and make inroads in several industries where it wants to increase its concentration of practice. In the process, it obtains a new audit client by submitting a bid for the audit below the expected cost to the firm to perform the audit. In the long run, the firm hopes to gain other clients at increased fees, and over time increase the fee for work with the new audit client. In Step 1, the CPA understands there is a self-interest threat to exercising due professional care when performing the audit. The firm understands there may be an incentive to cut corners when doing audit work in order to make a profit in performing the engagement. In Step 2, the CPA determines the threat is significant and the firm should put a safeguard in place to ensure the firm uses due professional care and follows auditing standards when performing the engagement. In Step 3, the CPA discusses the low bid with the audit team during audit planning, sets an expectation of following professional standards, and confirms that the team’s budget for the engagement will not be influenced by the low fee. In addition, the firm decides to have the work reviewed by a second audit partner to ensure compliance with firm policy and professional standards. (Note: a sole practitioner might engage another auditor to review the sole practitioner’s work.) In Step 4, the CPA determines that setting an appropriate tone at the top regarding compliance with professional standards, and the second partner review, is sufficient to mitigate the self-interest threat, and the CPA accepts the engagement. Finally, in Step 5, the CPA writes a memo to the audit engagement file explaining the threat identified, safeguards applied, and the CPA’s reasoning that the safeguards are sufficient to counter balance the self-interest threat.

Ethics Reasoning Example  A Familiarity Threat Maria is a partner in a medium-sized CPA practice, and she and her firm are bidding on a consulting engagement with Western Construction Company. Before Maria and her firm are able to make the proposal to Western Construction, Maria’s husband, Robert, comes home to share good news. Robert has just been offered his dream job as CFO of Western Construction. Maria is happy for her husband, but now she must consider the ethics of bidding on the consulting engagement. Upon searching the AICPA Code of Professional Conduct, Maria does not find a specific rule or ethics interpretation that addresses this circumstance so she applies the conceptual framework. Maria approaches her partners with the problem and the following proposed solution. Maria identifies that if her husband accepts the job, a familiarity threat is present as Maria could be viewed as too sympathetic to Western Construction’s interests. She suggests the CPA firm should disclose the conflict of interest to Western Construction and the firm replace Maria on the consulting engagement during the interview process. She would remain off the consulting engagement if her husband accepts the job. This allows the CPA firm to maintain an appropriate level of integrity and objectivity. Source: Based on the AICPA Conceptual Framework Toolkit for Members in Public Practice (2015).

The next sections address the ethical rules for members in public practice (see Illustration 2.3).

ILLUSTRATION 2.3   Ethical rules for members in public practice

Rules for Members in Public Practice

Integrity and Objectivity

Independence

General Standards

Other Rules for Members in Public Practice

  Integrity and Objectivity  2-11

Before You Go On 3.1  Explain each of the seven threats to compliance with the AICPA Code of Professional Conduct. 3.2 What is the basis for determining that a threat is at an acceptable level after the application of safeguards? 3.3 Assume that you have been the tax manager on the tax engagement of XYZ Company. Your spouse has just been offered the job of chief financial officer for XYZ Company. Is there a threat to ethical behavior? What would be an appropriate safeguard, if any, that might be applied if your spouse accepts the position with XYZ Company?

Integrity and Objectivity LEAR NING OBJECTI VE 4 Evaluate the ethical behavior needed to comply with rules of conduct on integrity and objectivity. The integrity and objectivity rule, AICPA codification section 1.100.001, reads as follows: In the performance of any professional service, a member shall maintain objectivity and integrity, shall be free of conflicts of interest, and shall not knowingly misrepresent facts or subordinate his or her judgment to others. The rule on integrity and objectivity applies to all services performed by CPAs (e.g., tax, audit, bookkeeping, or consulting services). The following discussion addresses two common issues that arise related to integrity and objectivity: conflicts of interest and subordination of judgment. A conflict of interest occurs when a CPA or accounting firm provides a professional service related to a particular matter involving two or more clients whose interests, with respect to that matter, are in conflict. In a tax matter this may occur when a CPA represents two clients (e.g., husband and wife) at the same time, who are in a legal dispute (e.g., a divorce) with each other. A larger firm may still provide tax services to the husband and to the wife, and safeguard this conflict of interest by using separate engagement teams who are provided clear policies and procedures on maintaining confidentiality. In a small firm, it is normal practice for a firm to resign providing tax services to one of the two parties in a divorce to remain free of any conflict of interest. Additional details about conflicts of interest are discussed in the AICPA Code of Professional Conduct, section 1.110. The integrity and objectivity rule also prohibits a CPA from subordinating his or her judgment when performing professional services for a client. Self-interest, familiarity, and undue influence threats to a CPA’s compliance with the integrity and objectivity rule may exist when a CPA and his or her supervisor, or another person within the accounting firm, have a difference of opinion related to the application of accounting principles, auditing standards, or other relevant professional standards. The subordination of judgment threat is at an acceptable level if the CPA concludes the position taken by the firm does not result in a material misrepresentation of fact or a violation of applicable standards, laws, or regulations. If the CPA concludes the difference of opinion may result in a material misrepresentation of fact or a violation of professional standards, then the CPA should discuss his or her concerns with the supervisor. If the difference of opinion is not resolved after discussing the concerns with the supervisor, the CPA should discuss his or her concerns with the appropriate higher level(s) of management within the CPA’s firm. Most accounting firms have specific policies for resolving these differences to ensure the firm does not violate professional standards and to protect a CPA from subordination of judgment to a supervisor.

integrity and objectivity  in the performance of any professional service, a member shall maintain objectivity and integrity, shall be free of conflicts of interest, and shall not knowingly misrepresent facts or subordinate his or her judgment to others

2-12  C h a pte r 2  Professionalism and Professional Responsibilities

Ethics Reasoning Example  Potential Subordination of Judgment James, a senior on the audit of Woodland Industries (a private company), has been discussing the adequacy of the allowance for doubtful accounts with the CFO. The CFO thought the allowance was adequate, and James thought there was evidence to support raising the allowance by $300,000. Eventually, the audit partner and the owner of Woodland Industries discussed each questionable account, and the partner and owner agreed to an adjustment of $175,000. After the meeting, the audit partner talked to James, and told James he did not want James to change any of his documentation. The audit partner told James, “I don’t want you to subordinate your judgment to mine. You document your reasoning, and I will document why I reached a different conclusion on a matter of professional judgment. That is the way we do things in our audit firm.”

Before You Go On 4.1  Define integrity and objectivity. Illustrate with an example. 4.2 Develop an example of a conflict of interest and explain a safeguard that would provide reasonable assurance that the conflict of interest does not result in a violation of the integrity and objectivity rule.

Independence LEAR NIN G OBJECTI VE 5 Evaluate the ethical behavior needed to comply with rules of conduct on independence.

independence  a member in public practice shall be independent in the performance of professional services as required by standards promulgated by bodies designated by Council

Independence is the cornerstone of the auditing profession. It is so important that every auditor’s report is entitled “Independent Auditor’s Report.” Financial statement users need to know that auditors are unbiased and independent of the entities they audit. The independence rule, AICPA codification section 1.200.001, reads as follows: A member in public practice shall be independent in the performance of professional services as required by standards promulgated by bodies designated by Council. A CPA must be independent of the client when performing attest services. Attest services include: •  Performing audits. •  Performing reviews under Statements on Standards for Accounting and Review Services (SSARS). •  Performing examinations, reviews, and agreed-upon procedures under Statements on Standards for Attestation Engagements (SSAE).

independent in fact  acting with integrity and objectivity, being honest, and not subordinating the public trust to personal gain and advantages

CPAs performing tax services or consulting services do not need to be independent of their client. Also, CPAs who compile financial statements for a client with no assurance provided do not need to be independent. However, they need to disclose that they are not independent in the compilation report. Compilation and review services are discussed further in Chapter 15. CPAs frequently think about independence in two ways, independence in fact and independence in appearance. These facets of independence are depicted in Illustration 2.4. Being independent in fact can be defined as acting with integrity and objectivity. Independence in fact is about being honest, about not subordinating the public trust to personal gain and

 Independence 2-13

advantages, and about being unbiased and impartial when performing attest services. Independence in fact is difficult for others to observe, but it is nevertheless the cornerstone upon which attest services provide value. Independent In Appearance

Independent in Fact

State of Mind

Apparent Conflict of Interest

Avoid Threats to Independence

Unbiased and Impartial; Not Subordinating the Public Trust

Follow the Rules (Minimum)

Follow Conceptual Framework

Being independent in appearance addresses a number of potential conflicts of interest that can be observed or factually determined by others. For example, an auditor (or immediate family member) having an ownership interest in an attest client, participating in a joint venture with an attest client, having litigation threatened by an attest client, or having a loan from an attest client are examples of the types of activities that impair the appearance of independence for an accounting firm. Having a financial interest in the outcome of an attest engagement may also influence independence in fact. The appearance of independence is observable and subject to enforcement under the rules of conduct. Section 1.200 of the AICPA Code of Professional Conduct specifies a number of circumstances that can impair the appearance of independence to guide CPAs in observable aspects of ethical conduct. The common factor of the issues raised in Code section 1.200 is that they are targeted to situations where CPAs appear to have a conflict of interest, such as having loans from clients or providing certain consulting services to clients. In some situations, the Code identifies safeguards that can preserve auditor independence. In other situations, the threat to independence is so significant that no safeguards are appropriate, and the relationship or circumstance is prohibited. Numerous examples are included in the following discussion. CPAs must then use common sense and be aware of apparent threats to a CPA’s independence, such as an adverse interest threat, an advocacy threat, a familiarity threat, a management participation threat, a self-interest threat, a self-review threat, or an undue influence threat. A CPA should evaluate these threats from the point of view of an independent third party, and take steps to preserve the CPA’s independence. In some cases, no safeguard may preserve independence, and the existence of the threat may require resigning from the attest engagement.

ILLUSTRATION 2.4  

Independent in fact versus independent in appearance

independent in appearance  avoiding potential conflicts of interest that can be observed by others

Cloud 9 - Continuing Case Sharon tells Josh about her experience at another accounting firm in which the client tried to pressure the audit partner into dropping a request to write down the asset values. It was an example of an undue influence threat to the auditor’s independence. Although it is difficult to stop a client from asking for a favor, the accounting

firm needs to have safeguards to prevent a simple request turning into unreasonable pressure on the audit team to meet that request. Sharon and Josh agree they need to consider the specific independence threats and safeguards for the audit of Cloud 9. The accounting firm must be independent, as well as be seen to be independent.

The following discussion explains the AICPA rule on independence and addresses some common threats to independence, such as investments in attest clients, loans to or from an attest client, taking on management responsibilities, family relationships, and performing nonattest services for an attest client.

Key Individuals and Independence Requirements Today, accounting firms have many professionals all over the globe, along with their family members, who have no influence over attest engagements of the firm. Accounting firms have also seen an increase in the number of dual-career families who potentially have independence problems when an accounting professional’s spouse works for an attest client, or receives compensation

2-14  C h a pte r 2  Professionalism and Professional Responsibilities

covered member  a person in a position to potentially influence attest decisions or the outcome of an attest engagement

ILLUSTRATION 2.5  

Definition of a covered member and activities that impair independence

through stock options or other stock ownership arrangements from an employer who is also an attest client. As a result, a CPA must think both about how his or her own activities could cause a threat to independence, as well as how the activities of his or her spouse or other family members threaten independence. The growth of non-audit services also raises questions about the ability of accounting firms to remain independent while providing services that may result in professional fees that are larger than those provided by performing an independent audit. The independence rules follow an engagement-based approach and define a level of accounting professional, a covered member, who is a person in a position to potentially influence attest decisions or the outcome of an attest engagement. While every professional in an accounting firm does not need to be independent of every attest client, the independence rules are particularly strict for accounting professionals who are defined as covered members. Illustration 2.5 summarizes the definition of a covered member and activities that impair the independence of a covered member (and his or her accounting firm) and would be prohibited under the independence rules (as they cannot be safeguarded). With respect to investments in an attest client, a covered member cannot have a direct investment in the attest client, irrespective of the materiality (or immateriality) of the investment. Therefore, a covered member cannot own one share of an attest client. Covered Members

Prohibited Activities

•  A  ny member of the engagement team

•  Cannot have a direct, or a material indirect, investment in the attest client

 artners and managers with consultation, •  P oversight, or review responsibilities related to the engagement •  D  irect supervisors of the engagement partner, including all successive senior levels •  A  ccounting firm professionals who perform (or expect to perform) more than 10 hours of nonattest services for the client •  P  artners who are in the same office as the lead partner on the engagement •  T  he firm, its benefit plans, and entities controlled by covered members

•  Cannot have a joint, closely held investment with an attest client that is material to the covered member •  Cannot have loans to or from the attest client (there are some very limited exceptions) •  Cannot be a trustee of a trust or executor of an estate who invests directly in an attest client (the AICPA and SEC permit an exception for a trustee who lacks authority to make investment decisions)

•  T  hose who evaluate partners’ performance and compensations, including members of compensation committees  ccounting firm professionals who consult •  A with the attest team regarding technical or industry-related issues specific to the engagement; this is intended to include individuals who are authorized to give advice to the attest team and there is no hours test •  I ndividuals who participate in quality-control activities for the firm

A question often comes up about owning shares in a mutual fund (where the covered member does not control the investment decisions), and the mutual fund owns shares of the attest client. This is considered an indirect investment in the attest client. A covered member can own a mutual fund where the mutual fund owns shares in the attest client, as long as the investment in the mutual fund is not material to the covered member. If the investment in the mutual fund is material to the covered member, and the mutual fund owns any shares in an attest client, independence is impaired. Covered members must also take care not to engage in joint investments with attest clients. For example, an attest partner and an attest client should not jointly own a business, or real property, together. In addition, a covered member cannot have a loan to or from an attest client. While there are some very limited exceptions (e.g., having a home mortgage from a bank who is an attest client), covered members must be very careful about making loans to, or accepting loans from, an attest client. A covered member also cannot be a trustee of a trust, or executor of an estate, that invests in an attest client. Being a trustee of a trust, or an executor of an estate,

 Independence 2-15

involves holding a key management position over the trust or estate. A covered member should not be in a management position to exercise authority over a direct investment in an attest client. Finally, the accounting firm as an entity is prohibited from the same activities as a covered member of the firm. Covered members must also be aware of potential conflicts of interest that may be raised by the activities of immediate family members and close relatives. Illustration 2.6 summarizes the definition of both immediate family members and close relatives, and activities of an immediate family member or close relative that impair the independence of the covered member (and his or her accounting firm) and would be prohibited under the independence rules. An immediate family member is one where the relationship is considered to be so close that any relationship between an immediate family member and an attest client is equivalent to the relationship between a covered member and the attest client. An immediate family member would be prohibited from making any investment, making or having a loan, or serving as a trustee of a trust or an executor of an estate that invests in an attest client. Further, as noted above, an immediate family member cannot work for an attest client in a key position. A key position would include a position where an immediate family member could exercise influence over the financial statements, such as CEO, CFO, member of the board of directors, or treasurer. In addition, a key person would be someone who prepares, or supervises others who prepare, (1) the financial statements or (2) material accounting records, or is involved in accounting decision making. Also, if a close relative held a key position with an attest client it would impair the independence of the covered member. Finally, if a close relative had a direct investment in an attest client that is material to the close relative, or had significant influence over an attest client, the covered member’s independence would be impaired.

Covered Members’ Immediate Family

Prohibited Activities

•  Spouse

•  Exactly the same as for a covered member.

•  Spousal equivalent

•  Cannot be employed in a “key position” with an attest client. A key position would be a position where the individual would:

•  Dependents

•  Exercise influence over the financial statements, such as CEO, CFO, member of the board of directors, or treasurer. •  Prepare, or supervise others who prepare, (1) the financial statements or (2) material accounting records. •  Be involved in accounting decision making.

Covered Members’ Close Relatives

Prohibited Activities

•  Parents

•  May not hold a key position with an attest client.

•  Nondependent children or stepchildren •  Brothers and sisters or stepbrothers and stepsisters

•  May not hold a material financial interest in an audit client, or have significant influence over an attest client (ASC 323–10).

An important issue for many spouses is their ability to participate in stock compensation plans. Today, it is common for many employees to be compensated with equity securities in addition to cash. If an accounting firm professional is not a covered member (e.g., a tax professional who does no work for the attest client), the spouse can work for the attest client and can participate in an employee benefit plan that includes employee stock ownership plans or employee stock option plans as long as the benefits are offered equitably to all similar employees. The same benefits are also extended to a limited group of covered members, nonattest partners and managers, and other partners in the office of the lead engagement partner that may have an immediate family member who works for an attest client as long as the immediate family member is not in a key position. Finally, an accounting firm does need to consider when the activities of professional ­employees, who are not covered members for a particular audit client, might impair the

immediate family member  a covered member’s spouse, spouse equivalent, or dependent close relative  a covered member’s parents, nondependent children, brothers and sisters, or stepbrothers or stepsisters

key position  a position with an attest client where an individual can exercise influence over the financial statements

ILLUSTRATION 2.6  

Definitions of an immediate family member and close relatives and activities that impair independence

2-16  C h a pte r 2  Professionalism and Professional Responsibilities

i­ ndependence of the firm. As a general rule, professional employees in an accounting firm who are not covered members, and their immediate family members, cannot: •  Have a direct investment of more than 5% in an attest client. •  Hold a key position with an attest client. •  Be a trustee, director or officer of an attest client, or of the client’s pension or profit-sharing trust.

Ethics Reasoning Example  Investments of an Immediate Family Member

Janice is an audit manager in a large public accounting firm with 35 offices on the East Coast. Janice has been dating Keith, a CFO of a company that is not a client of Janice’s firm. Keith has a significant investment portfolio of his own. After dating for about 4 months, Janice and Keith decide to get married. However, Janice tells Keith it is important for him to take a careful review of his investment portfolio. The policy in Janice’s firm is that she cannot have a direct investment, of any size, in any audit client of the firm. Further, she cannot have a material indirect investment in the audit client. This is so the firm is independent of its clients and can assign any staff member to any audit client. Given their relationship, Keith cannot have any investment that would be prohibited for Janice. As a result, Keith has to sell several investments and invest them in other ways.

Since independence is critical to the performance of attest services, the AICPA has published a number of interpretations of the independence rule. Illustration 2.7 summarizes these interpretations. Two key issues are discussed further next: employment or association with an attest client and nonattest services. ILLUSTRATION 2.7   Interpretations of the independence rule

AICPA Code of Professional Conduct Section

Interpretation

1.210

Conceptual Framework Approach

1.220

Accounting Firms

1.224

Affiliates, Including Governmental Units

1.228

Engagement Contractual Terms

1.230

Fees and Other Types of Remuneration

1.240

Financial Interests

1.250

Participation in Employee Benefit Plants

1.255

Depository, Brokerage, and Other Accounts

1.257

Insurance Products

1.260

Loans

1.265

Business Relationships

1.270

Family Relationship with Attest Clients

1.275

Honorary Director or Trustee of a Not-for-Profit Organization

1.277

Former Employment or Association with an Attest Client

1.279

Considering or Subsequent Employment or Association with an Attest Client

1.280

Memberships

1.285

Gifts and Entertainment

1.290

Actual or Threatened Litigation

1.295

Nonattest Services

1.297

Independence Standards for Engagements Performed in Accordance with Statements on Standards for Attestation Engagements

 Independence 2-17

Cloud 9 - Continuing Case Josh and Sharon know that they will have to put together an audit team where each member is independent with respect to Cloud 9. Jo Wadley, the partner, will discuss this matter with other partners in the office, and with other offices, to ensure that there will be no independence problems. Sharon and Josh both discuss their own independence with Jo, to confirm that there are no independence problems associated with either their investments or relationship with Cloud 9, or the investments or relationships associated with immediate family members or close relatives. Further, W&S Partners has every member

of the professional staff complete an independence questionnaire that covers direct stock ownership and spouse employment, and which serves as a basis for quality control related to independence. Jo advises them to discuss independence with all potential members of the audit team. Jo wants Sharon and Josh to make sure that every member of the audit team knows his or her responsibility to be independent, and to advise the firm of any investments in Cloud 9 or of immediate family members or close relatives who may work for Cloud 9.

Before You Go On 5.1 Explain what is meant by “independence in fact.” Explain what is meant by “independence in appearance.” Give an example of each. 5.2 An audit manager in another office from the audit client has quality control responsibilities in the same region as the audit engagement. Is the audit manager a covered member? Explain. 5.3 An audit staff person has been with the firm for only 6 months. Her spouse works for an audit client in an accounting position and makes material accounting decisions in the corporate accounting office. Are there safeguards that can be implemented to preserve the audit firm’s independence? Explain. 5.4 A partner works on the audit engagement of XYZ Company. After her husband died from a heart attack, she has had dinner a couple of times with a major shareholder in XYZ Company. The shareholder is not part of management. What are the implications if the personal relationship becomes serious between the partner and the shareholder?

Employment or Association with an Attest Client When a partner or professional employee of an accounting firm leaves the firm and is subsequently employed by the firm’s attest client, independence can be impaired inasmuch as the partner or professional employee may have continuing relationships, such as the payout of a pension plan, with the accounting firm. Furthermore, if a professional employee goes to work for an attest client, that employee may be familiar with the audit plan and/or staff working on the engagement, and there is a familiarity and undue influence risk that the former employee could influence the engagement. These are important risks that may impair an accounting firm’s independence. The rules are different for public company audit clients than for private company audit clients. With respect to public company clients, Section 206 of SOX states that the CEO, controller, CFO, chief accounting officer, or person in an equivalent position cannot have been employed by the company’s audit firm during the one-year period preceding the period under audit. With respect to private company clients, a firm’s independence will be considered impaired with respect to a client if a partner or professional employee leaves the accounting firm and is subsequently employed by the client in a key position, unless a series of safeguards discussed in Code section 1.279.02 are met. The general purpose of these safeguards is to ensure that the amounts due to the former partner or professional employee (e.g., retirement benefits) are not material to the firm, and the partner or professional employee is not in a position to influence the firm’s operations or does not participate or appear to participate in the firm’s business. The firm should also consider whether the former partner or professional employee has sufficient knowledge of the firm’s attest engagement such that the firm should consider whether to modify engagement procedures. If the former partner or professional ­employee

2-18  C h a pte r 2  Professionalism and Professional Responsibilities

joins the attest client in a key position within one year of disassociating from the firm, and has significant interaction with the engagement team, an appropriate professional in the firm should review the subsequent attest engagement to determine whether the engagement team members maintained the appropriate level of skepticism when evaluating the former partner’s or professional employee’s representations and work. A partner or professional employee merely seeking employment with an attest client may also impair independence. When a member of the attest engagement team or an individual in a position to influence the attest engagement intends to seek or discuss potential employment or association with an attest client, or is in receipt of a specific offer of employment from an attest client, independence will be impaired with respect to the client unless the person: a. Promptly reports such consideration or offer to an appropriate person in the firm. b. Removes himself or herself from the engagement until the employment offer is rejected or employment is no longer being sought. The purpose of this rule is to avoid situations where a CPA’s integrity or objectivity might be compromised. If a professional is seeking a job from an attest client, it is important to avoid a situation where the person might be tempted to take an aggressive stance in favor of the client on a matter of professional judgment while seeking the favor of a client by way of a job offer. Further, when any covered member becomes aware that a member of the attest engagement team or an individual in a position to influence the attest engagement is considering employment or association with a client, the covered member should notify an appropriate person in the accounting firm. Finally, the appropriate person in the accounting firm should consider what additional safeguards, such as additional review of any work performed by the individual considering employment with the attest client, may be necessary to provide reasonable assurance that any work performed for the client by that person was performed with objectivity and integrity.

Nonattest Services A major issue that continues to face the auditing profession is whether the performance of nonattest services (such as accounting services or internal control design and implementation) impairs an auditor’s integrity and objectivity. Critics wonder whether an auditor can be objective with respect to audit issues when fees from nonattest services exceed fees from attest services. When an auditor considers the rules related to nonattest services and independence, the auditor needs to understand that a different set of rules apply to auditors of public companies than auditors of private companies. Both the SEC and SOX set out the independence guidelines for public company audits that will be discussed in SEC and PCAOB Independence Rules. The AICPA and state boards of accountancy have rules appropriate to audits of private companies. The AICPA and many state boards of accountancy allow activities for private companies that are not allowed for public companies because many private companies (e.g., owner-managed business and small not-for-profit organizations that require audits) do not have the resources to internalize services that are often performed within public companies, such as bookkeeping, preparing financial statements, or payroll services. The demand for these services from smaller entities often causes a management participation threat. The following discussion outlines the appropriate rules for nonattest services as they relate to private company audits. AICPA independence rules (1.295) allow a member of a firm to perform nonattest services for private company attest clients under certain conditions. In each case, the CPA must evaluate the effect of nonattest services on independence. In general, a CPA should not perform management functions or make management decisions for the attest client. However, the CPA may provide advice, research materials, and make recommendations to assist the client’s management in performing its functions and making its decisions. In addition, the client must agree to perform the following functions in connection with the CPA’s engagement to perform nonattest services (safeguards implemented by the client): •  Make all management decisions and perform all management functions. •  Designate a competent employee, preferably within senior management, to oversee the services.

 Independence 2-19

•  Evaluate the adequacy and results of the services performed. •  Accept responsibility for the results of the services. •  Establish and maintain internal controls, including monitoring ongoing activities. If management cannot perform these functions (establish these safeguards), the firm’s independence is impaired. Interpretation 1.295 also indicates that before performing nonattest services, the CPA should establish, and document in writing, an understanding with the client regarding (1) the objectives of the engagement, (2) the services to be performed, (3) the client’s acceptance of its responsibilities, (4) the CPA’s responsibilities, and (5) any limitations of the engagement. It is preferable that this understanding be documented in an engagement letter (explained further in Chapter 3). In addition, the CPA should be satisfied that the client is in a position to have an informed judgment on the results of the nonattest services and the client’s management understands its responsibilities. The purpose of the AICPA rule is to allow CPAs to assist many small business clients who may not have a CPA within the entity. These entities often need outside professional expertise that the accounting firm can provide. Nevertheless, a number of general activities would be considered to impair a CPA firm’s independence when auditing non-public companies. These are summarized in Illustration 2.8, which also provides examples of how the performance of these general activities would impair an accounting firm’s independence, or how the client could take appropriate responsibilities to allow the accounting firm to assist the client without impairing the accounting firm’s independence with regard to the audit. Interpretation 1.295 provides additional specific examples of activities that would or would not impair independence. For example, CPAs can perform various accounting and bookkeeping services for an attest client. However, independence would be impaired if an accounting firm determined or changed journal entries, account codings or classification for transactions, or other accounting records without obtaining client approval; and authorized or approved transactions, prepared source documents, or made changes to source documents without client approval. Independence would not be impaired if the CPA recorded transactions for which management had determined or approved the appropriate account classification, or posted coded transactions to a client’s general ledger; prepared financial statements based on information in the trial balance; posted client-approved entries to a client’s trial balance; or proposed standard, adjusting, or correcting journal entries or other changes affecting the financial statements to the client, provided the client reviewed the entries and the CPA was satisfied management understood the nature of the proposed entries and the impact of the entries on the financial statements. You can read the actual Interpretation 1.295 for additional discussions related to payroll and other disbursements; appraisal, valuation and actuarial services; benefit plan administration; business risk consulting; corporate finance consulting; executive or employee recruiting; forensic accounting; information system design, implementation, or integration; internal audit; investment advisory or management services; and tax services.

Ethics Reasoning Example  Nonattest Services Fred Holland is a CPA in rural Wisconsin. Fred has a tax practice; he does payroll work for several businesses in the area and performs compilation and review services for some of his business clients. Fred has been careful with respect to performing payroll services as he wants to be independent of his clients. While independence is not required for compilations, Fred knows it is required for reviews and at times Fred has been requested to increase the level of assurance from a compilation to a review. As a result, whenever Fred performs payroll services for a client, he implements the following safeguards: (1) he requires the client to maintain all original time records for employees, (2) he does not sign checks on any client accounts, and (3) while Fred’s payroll system prepares checks and payroll tax returns, all of these documents are reviewed and signed by the client. Fred does not undertake a payroll engagement unless he believes the client has sufficient competence to review Fred’s work.

2-20  C h a pte r 2  Professionalism and Professional Responsibilities illustration 2.8   Independence and nonattest services for non-public clients

Examples Where Independence Is Impaired

General Activities That Will Impair Independence

Examples Where Independence Is Not Impaired

A CPA accepts responsibility to authorize payment of client funds, or accepts responsibility to sign or cosign client checks, even if only in emergency situations.

Authorizing, executing, or consummating a transaction, or otherwise exercising authority on behalf of a client or having the authority to do so

When assisting a small business client with payroll using payroll time records provided and approved by the client, the CPA can generate unsigned checks or process the client’s payroll.

Preparing source documents or originating data, in electronic or other form, evidencing the occurrence or a transaction (for example, purchase orders, payroll time records, and customer orders)

In an accounting service engagement for a non-public client, a CPA may record transactions for which management has determined or approved the appropriate account classification, or post coded transactions to a client’s general ledger and prepare financial statements based on information in the trial balance.

In a consulting engagement, a CPA acts as a promoter, underwriter, broker-dealer, or guarantor of client securities, or distributor of private placement memoranda or offering documents. In an accounting service engagement for a non-public client, a CPA determines or changes journal entries, account codings or classification for transactions, or other accounting records without obtaining client approval. A CPA prepares source documents, originates data, or makes changes to source documents without client approval. When performing payroll services, benefit plan administration, or other financial advisory services, a CPA has custody of client assets or maintains custody of client securities. In an IT engagement, a CPA supervises client personnel in the daily operation of a client’s information system. In an investment advisory engagement with an attest client, a CPA makes investment decisions on behalf of client management or otherwise has discretionary authority over a client’s investments.

In a consulting engagement, a CPA may assist in identifying or introducing the client to possible sources of capital that meet the client’s specifications or criteria.

Having custody of client assets

Another accounting firm has custody of assets and performs payroll services, benefit plan administration, or other financial advisory services.

Supervising client employees in the performance of their normal recurring activities

In an IT engagement, a CPA may design, install, or integrate a client’s information system, provided the client makes all management decisions.

Determining which recommendations In an investment advisory engagement with an attest client, a CPA can recommend the of the CPA should be implemented

allocation of funds that a client should invest in various asset classes, depending upon the client’s desired rate of return and risk tolerance.

In an attest engagement, a CPA presents business proposals to the board on the behalf of management.

Reporting to the board of directors on behalf of management

In an attest engagement, provide recommendations for improving the system for monitoring business risks.

In an investment advisory engagement, a CPA executes a transaction to buy or sell a client’s investment or has custody of client assets, such as taking temporary possession of securities purchased by a client.

Serving as a client’s stock transfer or escrow agent, registrar, general counsel, or its equivalent

In an investment advisory engagement, a CPA may review the manner in which a client’s portfolio is being managed by investment account managers, including determining whether the managers are (1) following the guidelines of the client’s investment policy statement; (2) meeting the client’s investment objectives; and (3) conforming to the client’s stated investment styles.

SEC and PCAOB Independence Rules audit committee  a committee of the board of directors responsible for oversight of internal controls, financial reporting and disclosure in the financial statements, regulatory compliance, and the company’s independent auditors

Illustration 2.9 provides the full listing of the PCAOB’s Ethics and Independence Rules. In a number of ways, the SEC and PCAOB rules related to auditor independence for public companies are stricter than the AICPA rules that apply to non-public entity audits. SOX mandates that a committee of the board of directors, called the audit committee, be directly responsible for oversight of the company’s independent auditors. (Chapter 4 provides further discussion on the role of an audit committee.) The SEC’s general standard of auditor independence is that an audit firm’s independence is impaired if a reasonable investor with knowledge of all the facts and circumstances would conclude that the firm

 Independence 2-21

PCAOB Ethics Rule Number

PCAOB Ethics Rule Title

3501

Definitions of Terms Employed in Section 3, Part 5 of the Rules

3502

Responsibility Not to Knowingly or Recklessly Contribute to Violations

3520

Auditor Independence

3521

Contingent Fees

3522

Tax Transactions

3523

Tax Services for Persons in Financial Reporting Oversight Roles

3524

Audit Committee Pre-approval of Certain Tax Services

3525

Audit Committee Pre-approval of Non-audit Services Related to Internal Control Over Financial Reporting

3526

Communication with Audit Committees Concerning Independence

Source: https://pcaobus.org/Standards/EI/Pages/default.aspx.

is not capable of exercising objective and impartial judgment on all issues encompassed within the audit engagement. The SEC developed some general rules for an audit committee to consider when evaluating an audit firm’s independence. A public company’s audit committee should consider whether a relationship with the accounting firm or service provided by the accounting firm: •  Creates a mutual or conflicting interest between the company and the accounting firm. •  Places the accounting firm in a position of auditing its own work. •  Places the accounting firm in a position of acting as management or an employee of the company. •  Places the accounting firm in a position of being an advocate for the company. To encourage the independence of audit partners, Section 203 of SOX mandates rotation of the lead audit partner and the audit partner having responsibility for reviewing the audit every five years. Additionally, SEC rules prohibit the audit firm from providing the following nonattest services to an audit client: •  Bookkeeping. •  Financial information system design and implementation. •  Appraisal or valuation series, fairness opinions, or contribution-in-kind reports. •  Actuarial services. •  Internal audit outsourcing services. •  Management functions or human resources functions. •  Broker-dealers, investment advisor, or investment banking services. •  Legal services and expert services unrelated to the audit. SEC rules also prohibit certain relationships between audit firms and the public companies they audit. The prohibited relationships include: •  Employment relationships. A one-year “cooling-off period” is required before a company can hire certain individuals formerly employed by its auditor in a financial reporting oversight role for the company. For example, an audit manager on a public company audit cannot go to work directly for a public company as its CFO or controller unless there has been at least a one-year period from the time the audit manager last worked on the audit to the time he or she is hired by that client. SEC rules ask the public company’s audit committee to consider whether the hiring of personnel who are or were formerly employed by the audit firm might affect the audit firm’s independence.

ILLUSTRATION 2.9  

PCAOB ethics and independence rules

2-22  C h a pte r 2  Professionalism and Professional Responsibilities

•  Contingent fee. Accounting firms are prohibited from performing work for public companies where the accounting firm is paid on either a contingent fee or a commission basis. The AICPA rules for auditors of non-public entities are also clear that when a firm is compensated on a commission or contingent fee basis, independence is violated. If the compensation for an accounting firm is tied to the outcome of the engagement, the firm becomes an advocate for the client with these compensation arrangements, violating a general principle of independence. •  Direct or material indirect business relationships. Accounting firms may not have any direct or material indirect business relationships with the company, its officers, directors, or significant shareholders. For example, an accounting firm may not enter into a joint venture with a public company audit client. It would be inappropriate for an auditor of a software company to enter into a business relationship with the same software company to develop accounting software to market to the public. •  Certain financial relationships. Certain financial relationships between the company and the independent auditor are prohibited. These include creditor–debtor relationships, banking relationships, broker–dealer relationships, futures commission merchant account relationships, insurance product relationships, and joint interests in investment companies. As a matter of strengthening corporate governance, the SEC rules require accounting firms to disclose to their client’s audit committee, in writing, all relationships between the accounting firm and the company that may reasonably be thought to bear on the accounting firm’s independence. SEC rules also require the auditor to confirm and discuss its independence with the client’s audit committee. As part of its responsibilities, the client’s audit committee should consider discussing the following issues with the auditor in regards to the firm’s independence disclosure: •  The processes the accounting firm uses to ensure complete disclosure of all relationships with the company and its affiliates. •  The relationships the accounting firm may have with officers, board members and significant shareholders. •  The relationships not included in the communication because they were deemed immaterial.

Professional Environment  Non-Audit Fees Prior to the passage of SOX, many accounting firms received significant fees from offering consulting services to audit clients. In some cases, the size of the consulting fee was larger than the audit fee, creating a potential conflict of interest for the audit firm. This was true for both Waste Management and Enron. The fact was also not lost on chief financial officers, who would use the size of the consulting engagement as leverage to get the auditor to go along with accounting decisions that were not black and white. Ultimately, the delivery of non-audit services to audit clients led to

a public concern about audit independence. As noted above, the SEC stepped in and now prohibits the delivery of many non-audit services to audit clients. As a result, it is common for large audit clients to use more than one accounting firm for various services. It is likely that a global audit client might use one firm for audit services, another firm for tax services, another firm for internal control consulting, and yet another firm to assist in merger and acquisition services.

Cloud 9 - Continuing Case Josh and Sharon do not know of any current work being done for Cloud 9 by W&S Partners, or any other relationships between members of the audit team and the client’s staff. However, they will check with all other departments, particularly the consulting department, and other offices of W&S Partners. They will also ask any new members of the audit team to disclose their interests and relationships with the client before they join the team.

Subsequently, the partner, Jo Wadley, advises Sharon and Josh that she has reached out to other offices and discussed the proposal with the other partners in her office. The firm is not working for Cloud 9 on any other matter. Jo, Sharon, and Josh want to make sure that there are no potential independence issues when their proposal is discussed with Cloud 9’s audit committee.

  General Standards  2-23

Before You Go On 5.5 The audit manager on an audit engagement of a large private company has been asked by the company to consider becoming the company’s CFO. What are the independence implications of this situation? What are the appropriate safeguards to preserve the firm’s independence? 5.6 An audit firm serves only private companies. It also provides tax services and investment advisory services to its clients. Can a partner in the firm advise an audit client on the allocation of funds in the client’s investment portfolio, based on the client’s desired rate of return and risk tolerances? Explain your reasoning. 5.7 Explain the general rules that an audit committee of a public company should consider when evaluating the potential services that it might request of its audit firm.

General Standards lear ning objecti ve 6 Evaluate the ethical behavior needed to comply with rules of conduct on general standards. The general standards of the AICPA Code of Professional Conduct apply to all CPAs in public practice. For example, the independence standards apply only to accounting firms that perform attest engagements, and the professionals in those firms who are in a position to influence the outcome of an attest engagement (e.g., covered members, their immediate family members, and close relatives). The general standards apply to any CPA performing any professional service for a client (e.g., tax services, consulting services, or nonattest services). Further, the same standards are found in the section of the Code related to members in business. The general standards (1.300.001) read as follows: A member shall comply with the following standards and with any interpretations thereof by bodies designated by Council: a.  Professional Competence. Undertake only those professional services that the member or the member’s firm can reasonably expect to be completed with professional competence. b.  Due Professional Care. Exercise due professional care in the performance of professional services. c.  Planning and Supervision. Adequately plan and supervise the performance of professional services. d.  Sufficient Relevant Data. Obtain sufficient relevant data to afford a reasonable basis for conclusions or recommendations in relation to any professional services performed. The standard on professional competence is clear that a CPA, or an accounting firm, should only undertake professional services that he or she reasonably expects to complete with professional competence. While a CPA does not assume infallibility of knowledge or judgment, a normal part of providing professional services involves performing additional research or consulting with others to gain sufficient competence. If a CPA is unable to gain sufficient competence, a CPA should suggest, in fairness to the client and the public, the engagement of a competent person to perform the needed professional service. For example, a tax practitioner might be approached by a tax client that needs an audit or a review of the company’s financial statements for the bank. If the tax practitioner does not have experience

professional competence  undertaking only those professional services that a CPA or a CPA’s firm can reasonably expect to complete with professional competence due professional care  exercising due professional care expected of other CPAs in the performance of professional services planning and supervision  adequately plan and supervise the performance of professional services sufficient relevant data  obtain sufficient relevant data to afford a reasonable basis for conclusion or recommendation in relation to any professional services performed

2-24  C h a pte r 2  Professionalism and Professional Responsibilities

performing audits or reviews, the practitioner should refer the engagement to another CPA with the appropriate qualifications. Alternatively, if the tax practitioner chooses to accept the engagement, he or she should take appropriate continuing professional education (CPE) courses, and consider consulting the experienced colleagues to ensure that the engagement is performed in accordance with professional standards. The due care standard expects CPAs to exercise the professional care that would be expected of other CPAs performing the same work. In particular, CPAs should follow all professional standards that relate to providing services. For example, in a tax engagement, this would include following tax practice standards. All engagements should be adequately planned and supervised. Further, in the performance of nonattest services, CPAs should obtain sufficient, relevant data to afford a reasonable basis for a conclusion or recommendation. Note that this is different than the expectation in an audit. In performing an audit, a CPA should obtain sufficient appropriate evidence, which is a higher standard. The standard of sufficient appropriate evidence is discussed further in Chapter 5. Adherence to these requirements contributes to the quality of performance of professional engagements for the benefit of clients, the public, and the overall reputation of the profession.

Ethics Reasoning Example  Professional Competence Dana Moore is a CPA in Georgia. Dana has a modestly sized tax practice, and she performs a number of audits of local school districts as well as of a few cities and counties. Dana is also on the board of directors of several charities where she interacts with some of the business people in the area. One day, a local technology entrepreneur in the area walks into her office and says, “I have worked with you on the board of directors of a local charity, and I like the perspectives you bring to the board. My company is growing and needs an audit. I know you do audits, and I am wondering if you would give me a bid on doing my company’s audit.” Dana was not expecting this, but she knows what her response should be. “I appreciate your interest in my work and my services. However, not all audits are the same. I understand the accounting and auditing issues with local governments and school districts, but I am not well-versed in the accounting, internal control, and auditing issues for technology companies. This is beyond the scope of my expertise, and I only want to consider an engagement that I can expect to complete with professional competence and due care. However, through the State Society of CPAs, I know some other auditors who might have the skills you need. Let me give you their names.”

Before You Go On 6.1 Identify two types of engagements that would be covered by the general standards in the AICPA Code of Professional Conduct. 6.2 If a CPA does not have the professional competence to complete an investment advisory engagement, what steps should the firm take to ensure that the engagement is completed with professional competence? 6.3 When evaluating whether an engagement was completed with due professional care, how might a state board of accountancy judge the due care that was used in completing an engagement?

Other Rules of Conduct for Members in Public Practice LEAR NIN G OBJECTI VE 7 Evaluate the ethical behavior needed to comply with other rules of conduct for members in public practice.

  Other Rules of Conduct for Members in Public Practice  2-25

It is not possible in the scope of this chapter to discuss all of the rules of conduct for CPAs in public practice. The following discussion addresses three additional rules of conduct that you should understand: Rule 1.320 on Accounting Principles, Rule 1.500 on Fees and Other Types of Remuneration, and Rule 1.700 on Confidential Information.

Accounting Principles Rule It is imperative that CPAs, who are experts in accounting principles, follow accounting principles in the performance of their duties. This is made clear in Rule 1.320. Further, a similar rule exists for members in business, Rule 2.320. Rule 1.320 on accounting principles reads as follows: A member shall not (1) express an opinion or state affirmatively that the financial statements or other financial data of any entity are presented in conformity with generally accepted accounting principles or (2) state that he or she is not aware of any material modifications that should be made to such statements or data in order for them to be in conformity with generally accepted accounting principles, if such statements or data contain any departure from an accounting principle promulgated by bodies designated by Council to establish such principles that has a material effect on the statements or data taken as a whole. If, however, the statements or data contain such a departure and the member can demonstrate that due to unusual circumstances the financial statements or data would otherwise have been misleading, the member can comply with the rule by describing the departure, its approximate effects, if practicable, and the reasons why compliance with the principle would result in a misleading statement. The bodies that are designated by the AICPA Council to promulgate accounting principles are (1) the Financial Accounting Standards Board (FASB), (2) the Federal Accounting Standards Advisory Board (FASAB), (3) the Governmental Accounting Standards Board (GASB), and (4) the International Accounting Standards Board (IASB). Financial statements prepared using other accounting principles would be considered financial reporting frameworks other than generally accepted accounting principles (GAAP). For example, CPAs often prepare financial statements for small businesses on a cash basis of accounting or a federal income tax basis of accounting. In these situations, the client’s financial statements, and the CPA’s report thereon, should not purport that the financial statements are in accordance with GAAP, and the financial statements and the CPA’s report should clarify the financial reporting framework used. Finally, there is a strong presumption that adherence to GAAP would, in nearly all circumstances, result in financial statements that are not misleading. The question of what constitutes unusual circumstances, referred to in the rule above, is a matter of professional judgment. In considering that judgment, a CPA must consider whether a reasonable person reading the financial statements would consider the adherence to the promulgated accounting principle to be misleading. In practice, these circumstances are extremely rare.

Fees and Other Types of Remuneration The rule on fees and other types of remuneration address two circumstances that are particularly important: Rule 1.510 on Contingent Fees and Rule 1.520 on Commissions and Referral Fees. In general, entering into a contingent fee arrangement or accepting a commission or a referral fee associated with an attest client impairs independence due to the advocacy threat associated with these types of fees. For example, if a CPA accepted a contingent fee associated with helping an attest client sell the business, the CPA would become an advocate for the client, and independence would be impaired. Further, it is particularly important that commission arrangements be disclosed to the client. For example, a CPA might be paid a commission by a software company for recommending its accounting software to a nonattest client. It is important for the client considering the accounting software to know that the

2-26  C h a pte r 2  Professionalism and Professional Responsibilities

CPA is being paid a commission if the business purchases the software, so that the client fully evaluates the product and incentives involved. It is appropriate for CPAs to perform engagements on a contingent fee basis, or to accept a commission or a referral fee, with respect to nonattest clients. However, these fee arrangements are prohibited for attest clients as they impair independence.

Confidential Information In general, a CPA in public practice shall not disclose confidential client information without the specific consent of the client. However, there are some well-known exceptions to this rule. First, the rule on confidential client information should not be construed as relieving a CPA of his or her professional obligation to comply with accounting principles. Therefore, a client cannot claim that information should not be disclosed in financial statements due to client confidentiality if the information is required by GAAP. Second, the rule on confidential client information allows a CPA to comply with a validly issued and enforceable subpoena or summons, or allows a CPA to comply with applicable laws and government regulations. For example, in certain circumstances an auditor might have to report confidential information to regulators such as the SEC if the information is not reported by management or those charged with governance of the entity. Third, the confidential client information rule does not prohibit a review of a CPA’s professional practice under the AICPA, state society, or state board of accountancy authorization. This exception allows for peer review of a CPA’s practice and allows the peer reviewer to become knowledgeable of confidential client information. However, there is an obligation on the part of the peer reviewer to respect the confidential client information rule. Finally, the confidential client information rule does not preclude a CPA from initiating a complaint with, or responding to any inquiry made by, the professional ethics division of the AICPA, a duly constituted investigative or disciplinary body of a state CPA society, or a state board of accountancy.

Before You Go On 7.1 Do the rules of conduct on accounting principles prevent a CPA from preparing financial statements for a client on a cash basis of accounting, which is not GAAP? Explain your reasoning. 7.2 Explain why accepting an engagement on a contingent fee arrangement impairs independence. 7.3 After work, can a member of an audit team discuss confidential information about a client’s business with his or her spouse, who works for the client’s competitor? Has the member violated the AICPA Code of Professional Conduct? Explain your reasoning.

Auditor Liability Under Common Law learnin g OBJECTI VE 8 Evaluate an auditor’s legal liability under common law. The previous sections have focused on an auditor’s ethical responsibilities to society (responsibilities to the client and to the public that relies on financial statements). The legal system plays an important role in supporting the quality of work performed by auditors. It provides an important framework for accountability regarding the behavior of CPAs in society.

 Auditor Liability Under Common Law  2-27

Auditors need to understand the legal impacts affecting the environment in which they work. Specifically, they need to know who can sue them, the allegations typically made in lawsuits against auditors, and defenses the auditor can use in court. Exposure to legal liability is also an incentive for auditors to conduct high-quality audits. The following discussion is broken into two sections: (1) the auditor’s liability under common law, which may vary from state to state, and (2) the federal statutes regarding an auditor’s responsibility to financial statement users. Common law is frequently referred to as unwritten law. It is based on judicial precedent rather than legislative rule. Common law is derived from principles based on justice, reason, and common sense rather than absolute, fixed, or inflexible rules. The principles of common law are determined by the social needs of the community. Therefore, common law changes in response to society’s needs. In a specific case, the accountant’s liability is determined by a state or federal court that attempts to apply case law precedents that it feels are controlling. Because there are 51 such independent jurisdictions in the United States (50 states and the District of Columbia), different decisions may result with respect to relatively similar factual circumstances. In a common law case, the judge has the flexibility to consider social, economic, and political factors as well as prior case law doctrines (precedents). Under common law, a CPA’s legal liability extends principally to two classes of parties: clients and third parties. Illustration 2.10 outlines the discussion of an auditor’s liability under common law. An audit firm may be liable to clients either under contract law or under tort law, as discussed below. An audit firm is also concerned about its exposure to liability to clients. This liability will vary from state to state depending on state laws and legal precedent. The discussion of third-party liability will address whether an audit firm is liable to primary beneficiaries of the audit, to a foreseen class of third-party users of financial statements, or to foreseeable users of financial statements.

ILLUSTRATION 2.10  

Common Law

Liability to Clients

Contract Law

Tort Law

common law  law based on justice, reason, and common sense, rather than on absolute rules

Auditor liability under common law Liability to Third Parties

Primary Beneficiaries

Foreseen Class of Third Parties

Foreseeable Third Parties

Liability to Clients A CPA is in a direct contractual relationship with clients. In agreeing to perform services for clients, the CPA assumes the role of an independent contractor. The specific service(s) to be rendered should preferably be set forth in an engagement letter, as described in Chapter 3. The term privity of contract refers to the contractual relationship that exists between two or more contracting parties. In the typical auditing engagement, it is assumed that the audit is to be made in accordance with professional standards (i.e., generally accepted auditing standards) unless the contract contains specific wording to the contrary. A CPA may be held liable to a client under either contract law or tort law. Each of these is explained below.

privity of contract  a contractual relationship that exists between two or more contracting parties

Contract Law An auditor may be liable to a client for breach of contract when the audit firm: •  Issues a standard audit report when he or she has not made an audit in accordance with generally accepted auditing standards (GAAS). •  Does not deliver the audit report by the agreed-upon date. •  Violates the client’s confidential relationship.

breach of contract  a binding agreement is not honored by one or more parties to a contract

2-28  C h a pte r 2  Professionalism and Professional Responsibilities

A CPA’s liability for breach of contract extends to subrogees. A subrogee is a party who has acquired the rights of another by substitution. For example, the bonding of the client’s employees is considered an important part of a company’s system of internal control. When an embezzlement occurs, the bonding company reimburses the insured (the client) for its losses. Then, under the right of subrogation to the insured’s contractual claim, the bonding company can bring suit against the CPA for failing to discover the fraud. When a breach of contract occurs, the client usually seeks one or more of the following remedies: (1) specific performance of the contract by the defendant (the CPA), (2) direct monetary damages for losses incurred due to the breach, or (3) incidental and consequential damages that are an indirect result of nonperformance.

Tort Law tort  a wrongful act that injures another person’s property, body, or reputation ordinary negligence  failure to exercise the degree of care a reasonable person would exercise under the same circumstances gross negligence  failure to use even slight care in the circumstances fraud  intentional deception, such as misrepresentation, concealment, or nondisclosure of a material fact, that results in injury to another

A CPA may also be liable to a client under tort law. A tort is a wrongful act that injures another person’s property, body, or reputation. A tort action may be based on any one of the following causes: •  Ordinary negligence. Failure to exercise the degree of care a person of ordinary prudence (a reasonable person) would exercise under the same circumstances •  Gross negligence. Failure to use even slight care in the circumstances •  Fraud. Intentional deception, such as misrepresentation, concealment, or nondisclosure of a material fact, that results in injury to another. In some cases a distinction has been made between fraud and constructive fraud. Constructive fraud may be inferred from gross negligence or reckless disregard for the truth. Under tort law, the injured party normally seeks monetary damages. The auditor’s documentation is vital in refuting charges for breach of contract and breach of duty in a tort action.

Cases Illustrating Liability to Clients Two cases pertaining to liability to clients are considered below. The first case involves negligence, and the second relates to breach of contract.

1136 Tenants’ Corp. v. Max Rothenberg & Co. (1971) In this case the plaintiff was a corporation owning a cooperative apartment house that sued Max Rothenberg, an accounting firm, for damages resulting from the failure of the CPA to discover the embezzlement of over $110,000 by the plaintiff’s managing agent, Riker. Riker had orally engaged Rothenberg at an annual fee of $600. The plaintiff maintained that Rothenberg had been engaged to perform all necessary accounting and auditing services. The CPA claimed he was only engaged to prepare financial statements without assurance as well as related tax returns. As evidence of their respective contentions, the plaintiff booked the accountant’s fee as auditing expenses, and the CPA defendant marked each page of the financial statements as “unaudited.” In addition, the CPA’s letter of transmittal to the financial statements stated that (1) the statements were prepared from the books and records of the corporation and (2) no independent verifications were undertaken thereon. The trial court found that the defendant was engaged to perform an audit because Rothenberg admitted that he had performed some limited auditing procedures such as examining bank statements, invoices, and bills. In fact, the CPA’s own worksheets included one entitled “Missing Invoices,” which showed over $40,000 of disbursements that did not have supporting documentation. The CPA did not inform the plaintiff of these invoices, and no effort was made to find them. The trial court also found that the CPA was negligent in the performance of the service and awarded damages totaling $237,000. The appellate court affirmed, saying:

 Auditor Liability Under Common Law  2-29

•  Regardless of whether the CPA was conducting an audit or drafting financial statements, there was a duty to inform the client of known wrongdoing or other suspicious actions by the client’s employees. •  The defendant’s worksheets indicate that the defendant did perform some audit procedures. The 1136 Tenants’ case has frequently been used to demonstrate the importance of having a written contract (engagement letter) for each professional engagement. A written contract is important, but it was not the only issue in this case. The critical issue was the CPA’s failure to inform the client of employee wrongdoing, regardless of the type of service rendered.

Fund of Funds, Ltd. v. Arthur Andersen & Co. (1982) In this case, the plaintiff sued the auditors for breach of contract because the auditors failed to disclose fraud to the client when the auditors’ engagement letter contained a specific representation that any fraud would be revealed. The fraud, totalling over $120 million, resulted from overcharges on a contract between the plaintiff and King Resources, both audited by Andersen. Andersen admitted discovery of the violation of the contract in auditing King, but declined to disclose the fraud to Fund of Funds because the AICPA’s Rule on Confidential Client Information prohibits disclosure of confidential information. The court ruled for the plaintiff on the grounds that the defendants failed to comply with the terms of their engagement letter, a breach of contract.

Liability to Third Parties The common law liability of the auditor to third parties is important in any discussion of the auditor’s legal liability. A third party may be defined as an individual who is not in privity with the parties to a contract. From a legal standpoint, there are two classes of third parties: (1) a primary beneficiary and (2) other beneficiaries. A primary beneficiary is anyone identified to the auditor by name prior to the audit who is to be the primary recipient of the auditor’s report. For example, if at the time the engagement letter is signed, the client informs the auditor that the report is to be used to obtain a loan at the Second National Bank, the bank becomes a primary beneficiary. In contrast, other beneficiaries are unnamed third parties, such as creditors and potential investors. An auditor is liable to all third parties for gross negligence and fraud under tort law. In contrast, the auditor’s liability for ordinary negligence has traditionally been different between the two classes of third parties. The following discussion explains the importance of how the case law has defined an auditor’s liability to third parties for the auditor’s negligence.

Ultramares Corp. v. Touche (1931) This decision extended the concept of privity of contract to the primary beneficiary of the auditor’s work. In this landmark case, the defendant auditors, Touche, failed to discover fictitious transactions that overstated assets and stockholders’ equity by $700,000 in the audit of Fred Stern & Co. Subsequent to the audit, Ultramares loaned Stern large sums of money that Stern was unable to repay because the company was actually insolvent. Ultramares sued the accounting firm for negligence and fraud. The court found the auditors guilty of negligence but ruled that accountants should not be liable to any third party for negligence except to a primary beneficiary. Judge Cardozo said: If liability for negligence exists, a thoughtless slip or blunder, the failure to detect a theft or forgery beneath the cover of deceptive entries may expose accountants to a liability in indeterminate amounts, for an indeterminate time, to an indeterminate class. The hazards of a business conducted on these terms are so extreme as to enkindle doubt whether a flaw may not exist in the implication of a duty that exposes to these consequences. The court also ruled that the finding on negligence does not emancipate accountants from the consequences of fraud. It concluded that gross negligence may constitute fraud. Ultramares Corp. v. Touche upheld the privity of contract doctrine under which third parties cannot sue

third party  an individual or collective group who is not in privity with the parties to a contract primary beneficiary  anyone identified to the auditor by name prior to the audit who is a recipient of the auditor’s report other beneficiaries  unnamed third parties, such as creditors, stockholders, and potential investors, who use the auditor’s report

2-30  C h a pte r 2  Professionalism and Professional Responsibilities

auditors for ordinary negligence. However, Judge Cardozo’s decision extended to primary beneficiaries the rights of one in privity of contract. Therefore, Ultramares as a primary beneficiary could sue and recover for losses suffered because of the auditor’s ordinary negligence.

Rusch Factors v. Levin (1968) The Ultramares decision remained virtually unchallenged for 37 years, and it still is followed today in many jurisdictions. However, since 1968, several court decisions have served to extend the auditor’s liability for ordinary negligence beyond the privity of contract doctrine. The following environmental factors contributed to this development: •  The concept of liability evolved significantly to include consumer protection from the wrongdoing of both manufacturers (product liability) and professionals (service liability). •  Businesses and accounting firms grew in size, making them better able to shoulder the new threshold of responsibility. •  The number of individuals and groups relying on audited financial statements grew steadily. In Rusch Factors v. Levin, the plaintiff had asked the defendant accountant to audit the financial statements of a corporation seeking a loan. The certified statements indicated that the potential borrower was solvent when, in fact, it was insolvent. Rusch Factors sued the auditor for damages resulting from its reliance on negligent and fraudulent misrepresentations in the financial statements. The defendant accountant asked for dismissal on the basis of lack of privity of contract. The court ruled in favor of the plaintiff. While the decision could have been decided on the basis of the primary beneficiary rule set forth in Ultramares, the court instead said: The accountant should be liable in negligence for careless financial misrepresentation relied upon by actually foreseen and limited classes of persons. In this case, the defendant knew that his certification was to be used for potential financiers of the … corporation (emphasis added). This decision extended the auditor’s liability from known specific primary beneficiaries, to an actually foreseen limited class of third parties known to be relying on the financial statements.

Restatement (Second) of Torts § 552 (1977) foreseen class  a limited class of third parties known to be relying on the financial statements

The shift away from Ultramares occurred in the form of judicial acceptance of the specifically foreseen class concept. Subsection (2) of the Restatement (second) of Torts § 552 extends the auditor’s liability to “a limited group of persons for whose benefit the CPA intends to supply the information.” Thus, if the client informs the CPA that the audit report is to be used to obtain a bank loan, all banks are foreseen parties, but trade creditors and potential stockholders would not be part of the foreseen class. However, a CPA would not be liable if the audit report were used by a bank to invest capital in the client’s business in exchange for common stock instead of granting a loan. The foreseen class concept does not extend to all present and future investors, stockholders, or creditors. Court decisions have not required that the injured party be specifically identified, but the class of persons to which the party belonged had to be limited and known at the time the auditor provided the information.

Rosenblum v. Alder (1983) foreseeable parties  individuals or entities who the auditor either knew, or should have known, would rely on the audit report

The Rosenblum case extended an auditor’s liability to foreseeable parties, individuals, or entities whom the auditor either knew or should have known would rely on the audit report in making business and investment decisions, and it extended the auditor’s duty of due care to any foreseeable party who suffers a pecuniary loss from relying on the auditor’s representation. Foreseeable parties include all creditors, stockholders, and present and future investors. The courts use foreseeability extensively in cases involving physical injury. For example, foreseeability is almost universally used in product liability cases when the manufacturer’s negligence causes the physical injury. This concept was first applied in an audit negligence case in the early 1980s.

 Auditor Liability Under Common Law  2-31

In reaching its decision in Rosenblum, the New Jersey Supreme Court cited the following public policy factors that appear, in part, aimed at countering Judge Cardozo’s arguments in upholding the privity doctrine in Ultramares: (1) insurance is available to accountants to cover these risks, (2) the CPA has a moral responsibility to anyone relying on his or her opinion, and (3) more rigid standards will cause accountants to do better work. The foreseeability standard was subsequently embraced by similar rulings in Wisconsin, California, and Mississippi.

Credit Alliance Corp v. Arthur Andersen & Co. (1985) In 1985, the New York Court of Appeals expressly rejected the foreseeability standard in Credit Alliance Corp. v. Arthur Andersen & Co. Instead, the court reverted to a “near privity rule,” establishing three criteria for determining whether a plaintiff can bring a claim against an auditor for ordinary negligence: (1) the plaintiff did in fact rely on the auditor’s report, (2) the auditor knew that the plaintiff intended to rely on the report, and (3) the auditor, through some actions on his or her own part, evidenced understanding of the plaintiff’s intended reliance.

Bily v. Arthur Young & Co. (1992) In 1992, in yet another landmark case known as Bily v. Arthur Young & Co., the California Supreme Court ended the foreseeability standard in that state. After perhaps the most thorough analysis by any court of the purpose and effects of audits and audit reports, and following a thorough review of approaches taken by other courts as well as the basic principles of tort liability announced in the California court’s own prior cases, it stated: We conclude that an auditor owes no general duty of care regarding the conduct of an audit to persons other than the client. An auditor may, however, be held liable for negligent misrepresentations in an audit report to those persons who act in reliance upon those misrepresentations in a transaction which the auditor intended to influence, in accordance with the rule of section 552 of the Restatement Second of Torts. . . . Finally, an auditor may also be held liable to reasonably foreseeable third persons for intentional fraud in the preparation and dissemination of an audit report. A summary of the auditor’s liability under common law is presented in Illustration 2.11.

ILLUSTRATION 2.11   Liability to third parties under common law

Rosenblum decision extends liability to foreseeable third parties

Bily decision returns California to Restatement (Second) of Torts for negligent misrepresentation

Relative exposure

Rusch Factors decision Forseen extends class liability to concept foreseen adopted in class Restatement of third (Second) parties of Torts

Ultramares decision extends liability to Liability primary excluded beneficiaries by privity of contract doctrine Pre-1931

1931

Some states adopt privity legislation restricting liability to users acknowledged by the auditor

Credit Alliance decision restricts liability to users acknowledged by the auditor

1968

1977

1983

1985

1992

1993

2-32  C h a pte r 2  Professionalism and Professional Responsibilities

Although the extent of the auditor’s exposure to liability to third parties for ordinary negligence has been subject to the court decisions in various jurisdictions, it now appears that all but three states (Mississippi, New Jersey, and Wisconsin) either embrace the Restatement (Second) of Torts, or the stricter Credit Alliance or privity legislation rules.

Burden of Proof and Common Law Defenses In general, the plaintiff must prove the following when suing an auditor: •  The auditor owed a duty of care to the plaintiff. •  The auditor breached the duty by failing to act with due care (negligence). •  The auditor’s negligence was the proximate cause of the plaintiff’s damage. •  The plaintiff had actual damages. A key issue is whether the auditor owed a duty of care to the plaintiff. As noted in the previous discussion, most states extend the auditor’s duty of care to foreseen third parties under the Restatement (Second) of Torts standard. The auditor’s defenses generally include: •  The auditor was not negligent and performed an audit in accordance with professional standards. •  No duty of care was owed to the plaintiff. •  The plaintiff had no loss. •  The loss was caused by other events. •  The plaintiff’s negligence (contributory negligence) contributed to the auditor’s failure to perform. •  The claim was invalid because the statute of limitations had expired. due care defense  the auditor’s documentation should provide evidence that the audit was performed in accordance with auditing standards generally accepted in the United States

The auditor must generally use the due care defense in breach of contract suits involving negligence. Under a due care defense, the auditor’s documentation should provide evidence that the audit was performed in accordance with auditing standards generally accepted in the United States. The due care defense is also a primary defense against tort actions, along with contributory negligence. In a contributory negligence defense, the plaintiff must have contributed to his or her own injury (loss) by his or her own negligence. Therefore, the law considers the plaintiff to be as responsible as the defendant for the injury. In such a case, there is no basis for recovery because the negligence of one party nullifies the negligence of the other party. For example, the plaintiff may have withheld vital information from the CPA during the audit, contributing to the audit firm’s failure to follow professional standards. If a plaintiff wants to prove the auditor was guilty of gross negligence or fraud, it is a much higher burden of proof. In this instance, the plaintiff must prove: •  A false representation was made by the auditor. •  The auditor knew the representation was false. •  The auditor intended to induce the plaintiff to rely on the false representation. •  The plaintiff relied on the misrepresentation. •  The plaintiff suffered damages. This is a high burden of proof and an audit firm with good quality controls would not let this situation happen. If the plaintiff can make the case that an audit firm was guilty of gross negligence or fraud, the plaintiff may be entitled to both compensatory damages and punitive damages.

Legal Reasoning Example  Duty of Care Grace Chermak is the audit partner on the audit of Price Construction LLC, a private company that manufacturers small tools. Both Grace and Price are located in a state that follows

 Auditor Liability Under Statutory Law  2-33 the restatement of torts laws. When planning the audit Grace knew the financial statements were primarily intended to be used by Last National Bank in evaluating debt covenants. After completing the audit and unbeknown to Grace, the financial statements are given to two other users: (1) another bank, and (2) a purchaser of 50% of Price Construction that was unforeseen at the time of the audit. To whom does Grace owe a duty of care under the restatement of torts law? Under restatement of torts Grace owes a duty of care to a specific class of foreseen third parties, which would include the two banks that used the financial statements. Grace does not owe the same duty of care to the purchaser of the 50% ownership interest in Price Construction. Had Grace known the financial statements would have been used in buying and selling the business, Grace might have planned the audit differently.

Before You Go On 8.1 Explain each of the two primary situations in which a CPA may be liable to his or her client. 8.2 Distinguish between foreseen and foreseeable third parties. Give an example of each. 8.3 Explain the significance of the Ultramares, Rusch Factors, Rosenblum, Credit Alliance, and Bily cases on the auditor’s liability to third parties for negligence. 8.4 What is the plaintiff’s burden of proof under common law? 8.5 Explain the due care defense as it applies to an audit.

Auditor Liability Under Statutory Law LEAR NING OBJECTI VE 9 Evaluate an auditor’s legal liability under statutory law. Statutory law is established by state and federal legislative bodies and specifically addresses auditor’s liability under certain circumstances. The following discussion addresses a number of statutory laws that address an auditor’s responsibility and liability to third-party users of financial statements. Some of these statutes also address management’s responsibility for preparing financial statements that are free of material misstatement. The discussion also addresses key cases that have set precedence under these statutes. Finally, the section concludes with a discussion of the auditor’s exposure to criminal liability under these statutes. Illustration 2.12 outlines the auditor’s liability under statutory law. The key elements of statutory law that are discussed in this section include the SEC Act of 1933, the SEC Act of 1934, the Foreign Corrupt Practices Act of 1977, the Private Securities Litigation Reform

ILLUSTRATION 2.12   Auditor liability under statutory law

Statutory Law

SEC Act of 1933

SEC Act of 1934

Foreign Corrupt Practices Act of 1977

Private Securities Litigation Reform Acts of 1995 and 1998

statutory law  law established by state and federal legislative bodies that specifically addresses the auditor’s liability under certain circumstances

Sarbanes– Oxley Act of 2002

Criminal Liability

2-34  C h a pte r 2  Professionalism and Professional Responsibilities

Acts of 1995 and 1998, the Sarbanes-Oxley Act of 2002, and the auditor’s exposure to criminal liability under statutory law.

The Securities Act of 1933 The 1933 Act is known as the Truth in Securities Act. It is designed to regulate the offering of a new security to the public through the mails or in interstate commerce. Suits against auditors under this Act are usually based on Section 11, Civil Liabilities on Account of False Registration Statement, which allows “any person” purchasing or otherwise acquiring the securities to sue when the financial statements are materially misstated. The Act makes the auditor liable for losses to third parties resulting from ordinary negligence, as well as from fraud and gross negligence, to the effective date of the registration statement. The principal effects of this Act on the parties involved in a suit may be summarized as follows. The plaintiff (e.g., investors): •  May be any person acquiring securities described in the registration statement, whether or not he or she is a client of the auditor. •  Must base the claim on an alleged material false or misleading financial statement contained in the registration statement. •  Does not have to prove reliance on the false or misleading statement or that the loss suffered was the proximate result of the statement if purchase was made before the issuance of an income statement covering a period of at least 12 months following the effective date of the registration statement. •  Does not have to prove that the auditors were negligent or fraudulent in certifying the financial statements involved. The defendant (e.g., the auditor) must prove one of the following:

due diligence defense  an audit firm must show that it made a reasonable investigation, that the firm followed auditing standards, and accordingly had reasonable grounds to believe, and did believe, that the statements certified were true at the date of the statements and as of the time the registration statement became effective

•  The audit firm made a reasonable investigation, that the firm followed auditing standards, and accordingly, had reasonable grounds to believe, and did believe, that the statements certified were true at the date of the statements and as of the time the registration statement became effective (a due diligence defense). •  The plaintiff’s loss resulted in whole or in part from causes other than the false or misleading statements. Therefore, there is a significant burden of proof that rests upon the auditor to show that the audit firm used due diligence in conducting the audit.

Escott v. BarChris Construction Corp (1968) BarChris was a company that was in constant need of cash. Purchasers of bonds filed suit under Section 11 when the company filed for bankruptcy, alleging that the registration statement pertaining to the sale of the bonds contained material false statements and material omissions. One of the defendants was Peat, Marwick, Mitchell & Co. (now KPMG), which pleaded the due diligence defense. The case revolved around the effectiveness of the audit firm’s subsequent events review (discussed in Chapter 14), called an S-1 review by the SEC. The purpose of the review was to determine whether, subsequent to the certified balance sheet, any material changes had occurred that needed to be disclosed to prevent the balance sheet from being misleading. The court concluded that Peat Marwick’s written audit program for the subsequent events review was in conformity with generally accepted auditing standards. However, it also found that the work done by the auditor who was performing his first S-1 review was unsatisfactory. The court concluded that the auditor did not meet the standards of the profession because he did not take some of the steps prescribed in the audit firm’s written program, the auditor did not spend an adequate amount of time on a task of this magnitude, and, most important of all, the auditor was too easily satisfied with glib answers given by the client.

 Auditor Liability Under Statutory Law  2-35

This case is important in that the court determined that following auditing standards generally accepted in the United States would meet the due diligence defense. The courts also determined that the subsequent events review by Peat Marwick did not meet professional standards, or the firm’s own standards.

The Securities Act of 1934 Congress passed this Act to regulate the public trading of securities in the secondary market (in contrast to the new issue of securities in the primary market covered by the 1933 Act). The 1934 Act requires companies included under the Act to (1) file a registration statement when the securities are publicly traded on a national exchange or over the counter for the first time and (2) keep the registration statement current through the filing of annual reports, quarterly reports, and other information with the SEC. Certain financial information, including the financial statements, must be audited by independent public accountants. The principal liability provisions of the 1934 Act are set forth in Sections 18 and 10. Under Section 18(a), the plaintiff: •  May be any person buying or selling the securities. •  Must prove the existence of a material false or misleading statement. •  Must prove reliance on such statement and damage resulting from such reliance. The defendant (the auditor) in a Section 18 suit must prove that he or she: •  Acted in good faith. •  Had no knowledge of the false or misleading statement. This means that the minimum basis for liability is gross negligence, not ordinary negligence. Accordingly, the auditor’s position under Section 18 is the same as under the common law doctrine of Ultramares, in which the auditor may also be held liable to third parties for gross negligence. Under Section 10(b) and the SEC-promulgated Rule 10b-5, it is unlawful for any person, directly or indirectly, to: •  Employ any device, scheme, or artifice to defraud. •  Make any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in the light of the circumstances under which they were made, not misleading. •  Engage in any act, practice, or course of business that operates, or would operate, as a fraud or deceit on any person in connection with the purchase or sale of any security. Section 10(b) and Rule 10b-5 are often referred to as the antifraud provisions of the 1934 Act. These antifraud provisions were made clear by the Ernst and Ernst v. Hochfelder decision, as discussed below. The securities acts apply to different situations. The 1933 Act applies to the initial distribution of securities (capital stock and bonds) to the public by the issuing corporation (primary market), whereas the 1934 Act applies to trading of securities in national security markets (secondary market). Differences between Section 11 of the 1933 Act and Sections 10 and 18 of the 1934 Act exist as to (1) the plaintiff, (2) proof of reliance on the false or misleading financial statements, and (3) the auditor’s liability for ordinary negligence, as summarized in Illustration 2.13. Item

1933 Act

1934 Act

Plaintiff

Any person acquiring the security

Either the buyer or seller of the security

Plaintiff must prove reliance

No

Yes

Defendant liability for ordinary negligence

Yes

No

ILLUSTRATION 2.13   Summary of differences in key sections of the 1933 and 1934 Acts

2-36  C h a pte r 2  Professionalism and Professional Responsibilities

Ernst & Ernst v. Hochfelder (1976) Lawsuits against auditors under the 1934 Act are usually based on Section 10(b) and Rule 10b-5. The plaintiffs (Hochfelder) were investors in an escrow account allegedly kept by the president (Lester K. Nay) of First Securities Co., a small brokerage firm, audited by Ernst & Ernst (now Ernst & Young). The escrow account, in which a high rate of return was promised, was a ruse perpetrated by Mr. Nay. To prevent detection, all investors were instructed to make their checks payable to Nay and to mail them directly to him at First Securities. Within the brokerage house, Nay imposed a “mail rule” that such mail was to be opened only by himself. The escrow account was not recorded on First Securities’ books. Plaintiffs sued Ernst for damages under Rule 10b-5 for aiding and abetting the embezzlement. They based their claim entirely on the premise that the auditors were negligent in their audit because they had not challenged or investigated the “mail rule.” Following conflicting lower court decisions, the U.S. Supreme Court ruled in favor of Ernst & Ernst, saying: When a statute speaks so specifically in terms of manipulation and deception, and of implementing devices and contrivances—the commonly understood terminology of intentional wrongdoing—and when its history reflects no more expansive intent, we are quite unwilling to extend the scope of the statute to negligent conduct. Based on this decision, an auditor is no longer liable to third parties under Section 10(b) and Rule 10b-5 of the 1934 Act for ordinary negligence. That is, the auditor has no liability in the absence of any intent to deceive or defraud (legally called scienter). Therefore, a plaintiff filing a lawsuit against an auditor under Rule 10(b)-5 of the 1934 Act must prove: •  The financial statements contain a material, factual misrepresentation or omission. •  The plaintiff relied on the financial statements. •  Damages were suffered as a result of the reliance on the financial statements. scienter  the auditor either had actual knowledge of the falsity of the representation, or had a reckless disregard for the truth or falsity of the representation

•  Scienter, that the auditor either had actual knowledge of the falsity of the representation, or had a reckless disregard for the truth or falsity of the representation.

The Foreign Corrupt Practices Act of 1977 The Foreign Corrupt Practices Act (FCPA), passed by Congress in 1977, makes bribing foreign officials illegal. The FCPA also addresses records retention required under the Securities Exchange Act of 1934. Through the FCPA, Congress increased the bookkeeping and accounting records requirement of those corporations bound by the 1934 Act. The major change was that the FCPA requires companies to maintain reasonable records and to have an adequate system of internal control. For records to be reasonable, they must be both complete and accurate. The FCPA applies to the work of auditors when an integrated audit reports on internal control over financial reporting. If the auditor concludes that internal control over financial reporting is effective, and it is proved otherwise, the auditor may be liable under the FCPA.

The Private Securities Litigation Reform Acts of 1995 and 1998 As a result of the Hochfelder decision, many lawsuits against auditors moved to state court under common law actions, and audit firms experienced an increase in both frivolous and abusive lawsuits. In response to this environment, Congress passed the Private Securities Litigation Reform Act of 1995 (Reform Act) to reduce frivolous litigation risk for auditors, publicly traded companies, and those parties affiliated with security issuers, such as officers, directors, and other professional advisors (e.g., underwriters and lawyers). The Reform Act substantially revised the Securities Act of 1933 and the Securities Exchange Act of 1934.

 Auditor Liability Under Statutory Law  2-37

The Reform Act instituted a system of proportionate liability whereby defendants who are not found to have “knowingly committed a violation” of securities laws are liable based on the defendant’s percentage of responsibility. This is intended to reduce the coercive pressure for innocent parties to settle meritless claims out of court rather than risk exposing themselves to liability for a grossly disproportionate share of the damages in a case. Defendants who “knowingly committed a violation” continue to be jointly and severally liable for all damages that may be assessed. For example, assume that a company has gone bankrupt, investors successfully claim the audited financial statements were materially misstated, and a jury determines that the auditor was 35% responsible for damages incurred by investors and the company was 65% responsible for the damages. Under proportionate liability, the auditor would be responsible for 35% of the damages. However, under joint and several liability, investors can recover damages from any of the defendants. If the company is bankrupt and unable to pay any damages, the auditor could potentially be responsible for 100% of the damages. If a defendant does not knowingly commit a violation of the securities acts, the Reform Act also places a cap on the proportionate share of damages that can be collected from other defendants. If another defendant’s share cannot be collected from that defendant, or from jointly and severally liable defendants, each proportionately liable defendant is then liable for a proportionate share of the uncollectible amount, only up to an amount equal to an additional 50% of such defendant’s initial share. The Reform Act imposed new reporting requirements on auditors who detect or otherwise become aware of illegal acts by issuers of securities. If an auditor concludes that an illegal act has a direct and material effect on the financial statements, and senior management has not taken appropriate action, and the failure warrants a departure from a standard report or a resignation from the engagement, the auditor should report these conclusions directly to the board of directors. The board should then notify the SEC within one day. If the board does not file a timely report with the SEC, the auditor should make a report to the SEC. The Reform Act explicitly states that the auditor will not be held liable in a private action for any finding, conclusions, or statements made in such reports. Three years later, Congress passed the Securities Litigation Uniform Standards Act of 1998. This was passed to prevent plaintiffs from evading federal courts by taking abusive lawsuits to state courts. Large class action lawsuits alleging securities fraud against auditors must now be filed in federal court. Only smaller class action lawsuits of fewer than 50 people can be filed in state court.

The Sarbanes-Oxley Act of 2002 The Sarbanes-Oxley Act of 2002 (SOX) had a number of provisions that influenced the auditing environment. SOX made it illegal for auditors to provide certain nonattest services to clients, and it changed the regulation of the auditing profession. It also significantly changed the audit environment by imposing increased penalties for management of public companies who engage in fraudulent financial reporting, as discussed below.

Changes for Auditors As discussed previously in SEC and PCAOB Independence Rules, SOX makes it “unlawful” to perform audit services for a public company and also perform the following nonattest services for audit clients: •  Bookkeeping or other services related to the accounting records or financial statements of the audit client. •  Financial information systems design and implementation. •  Appraisal or valuation services, fairness opinions, or contribution-in-kind reports. •  Actuarial services. •  Internal audit outsourcing services. •  Management functions or human resources. •  Broker or dealer, investment adviser, or investment banking services.

proportionate liability  defendants who are not found to have “knowingly committed a violation” of the securities law are liable based on the defendant’s percentage of responsibility

2-38  C h a pte r 2  Professionalism and Professional Responsibilities

•  Legal services and expert services unrelated to the audit. •  Any other service that the PCAOB determines, by regulation, is impermissible. Further, Section 203 of SOX mandates rotation of the lead audit partner and the audit partner having responsibility for reviewing the audit every five years. SOX also changed the regulatory environment. The Act gave the PCAOB authority to establish auditing standards, quality control standards, and independence standards for auditors of public companies. Prior to SOX, the auditing profession was responsible for these functions through the self-regulatory functions of the American Institute of CPAs.

Changes for Management of Public Companies SOX strengthened penalties imposed on management of public companies who were responsible for false and misleading financial statements. Following is an overview of key provisions of the Act that affect management of public companies. Section 302 requires a public company’s CEO and CFO to prepare a statement to accompany the audit report to certify the “appropriateness of the financial statements and disclosures contained in the periodic report, and that those financial statements and disclosures fairly present, in all material respects, the operations and financial condition of the issuer.” It also creates a liability for the CEO and CFO who knowingly and intentionally make false certifications. Section 303 makes it unlawful for any officer or director of an issuer to take any action to fraudulently influence, coerce, manipulate, or mislead any auditor engaged in the performance of an audit for the purpose of rendering the financial statements materially misleading. Section 305 requires the CEO and CFO of a company that restates financial statements due to “material noncompliance” with financial reporting requirements to “reimburse the company for any bonus or other incentive-based or equity-based compensation received” during the 12 months following the issuance or filing of the noncompliant document and “any profits realized from the sale of securities of the issuer” during that period. Furthermore, this section of the Act authorizes the federal courts to “grant any equitable relief that may be appropriate or necessary for the benefit of investors” for any action brought by the SEC for violation of the securities laws. A provision within SOX is the Corporate and Criminal Fraud Accountability Act of 2002. Illustration 2.14 summarizes the key provisions of this act. ILLUSTRATION 2.14   Key provisions of the Corporate and Criminal Fraud Accountability Act of 2002

Title VIII of the Corporate and Criminal Fraud Accountability Act of 2002

Title IX of the Corporate and Criminal Fraud Accountability Act of 2002

•  Makes it a felony to “knowingly” destroy or create documents to “impede, obstruct or influence” any existing or contemplated federal investigation.

•  The maximum penalty for mail and wire fraud under the 1933 and 1934 Acts was increased from 5 to 10 years.

•  Requires auditors to maintain “all audit or review work papers” for five years. •  Extends the statute of limitations on securities fraud claims to the earlier of five years from the fraud or two years after the fraud was discovered. •  Extends “whistleblower protection” to employees of public companies and their auditors, which would prohibit the employer from taking certain actions against employees who lawfully disclose private employer information to, among others, parties in a judicial proceeding involving a fraud claim. Whistleblowers are also granted a remedy of special damages and attorney’s fees. •  Creates a new crime for securities fraud that has penalties of fines and up to 10 years imprisonment.

•  Financial statements filed with the SEC must be certified by the CEO and CFO. The certification must state that the financial statements and disclosures fully comply with provisions of the Securities Exchange Acts and that they fairly present, in all material respects, the operations and financial condition of the issuer. Maximum penalties for willful and knowing violations of this section are a fine of not more than $500,000 and/or imprisonment of up to five years. •  The SEC was given authority to seek a court freeze of extraordinary payments to directors, offices, partners, controlling persons, and agents of employees and to prohibit anyone convicted of securities fraud from being an officer or director of any publicly traded company. •  Makes it a criminal offense to tamper with a record or otherwise impede any official proceeding and asks the U.S. Sentencing Commission to review sentencing guidelines for securities and accounting fraud.

 Auditor Liability Under Statutory Law  2-39

Criminal Liability The only entities that can bring charges for criminal causes of action are governments (federal and state). Auditors can be subject to criminal liability under both the 1933 and 1934 Securities Acts. Criminal liability subjects auditors to penalties of fines or imprisonment or both. Criminal penalties are provided under Sections 17 and 24 of the Securities Act of 1933. For example, Section 24 provides for penalties on conviction of no more than $10,000 in fines or imprisonment of not more than 10 years, or both, for willfully making an untrue statement or omitting a material fact in a registration statement. Further, Section 32(a) of the Securities Act of 1934 establishes criminal liability for “willfully” and “knowingly” making false or misleading statements in reports filed under the Act. This section also provides for criminal penalties for violating the antifraud provisions of Section 10(b) consisting of fines of not more than $100,000 or imprisonment for not more than five years, or both. Further, state boards of accountancy will usually revoke CPA licenses for findings of criminal violations. In addition, SOX prohibits the destruction of documents and increases the prison penalty for such actions to 20 years. SOX also increases penalties under criminal statutes of the 1933 and 1934 Securities Act from 5 years to 10 years. Following is a summary of several key cases related to criminal liability for auditors.

United States v. Simon (1969) This was a criminal case brought under Section 24 of the 1933 Securities Act. The case involved the adequacy of disclosure about loans made by Continental Vending to its affiliated company, Valley Commercial Corporation, which subsequently lent the money to the president of Continental (Roth). The loans to Roth were secured primarily by the pledging of Continental common stock owned by Roth. Valley, in turn, pledged this stock as collateral against the loans from Continental. The government charged that the disclosure was false and misleading. The defendants (two partners and an audit senior) argued that the disclosure was in conformity with GAAP and that such compliance was a conclusive defense against criminal charges of misrepresentation. The trial judge rejected this argument and instructed the jury that the “critical test” was whether the balance sheet fairly presented financial position without reference to generally accepted accounting principles. The jury concluded that the balance sheet did not present fairly, and the three defendants were convicted of the criminal charges. The U.S. Court of Appeals refused to reverse the decision and held that We do not think the jury was . . . required to accept the accountants’ evaluation whether a given fact was material to overall fair presentation, at least not when the accountant’s testimony was not based on specific rules and prohibitions to which they could point, but only on the need for the auditor to make an honest judgment and their conclusion that nothing in the financial statements themselves negated the conclusion that an honest judgment had been made. Such evidence may be highly persuasive, but it is not conclusive, and so the trial judge correctly charged. The defendants were found guilty. They were fined $17,000 and their licenses to practice as CPAs were revoked because of the criminal conviction. The defendants did not receive jail time.

United States v. Natelli (1975) This was a landmark case because the auditors were convicted and sentenced to time in prison. Anthony Natelli, a Peat, Marwick, Mitchell & Company (now KPMG) partner, and audit supervisor Joseph Scansaroli were involved in the audit of National Student Marketing Corporation. The financial statements for fiscal year ended August 31, 1968, were misstated because the company reported as actual sales amounts that were really only commitments. A material amount of the commitments were known to be uncollectible and were written off in the next fiscal year, but were still shown as income in the financial statements used in the

criminal liability  subjects auditors to penalties of fines or imprisonment or both; the only entities that can bring charges for criminal causes of action are federal or state governments

2-40  C h a pte r 2  Professionalism and Professional Responsibilities

September 30, 1969, proxy statement. The two auditors were convicted of willingly and knowingly making false and misleading statements in the proxy statements under the Securities Act of 1934. Both received fines in addition to prison sentences. Scansaroli’s conviction was later reversed.

United States v. Weiner (1978) This case was associated with the audit of Equity Funding Corporation of America. Equity Funding sold insurance. To maintain the value of the company’s stock, management directed that fraudulent sales of insurance policies, and related receivables, be recorded in the company’s records. Eventually the fraud evolved to a reissuance scheme in which fraudulent insurance policies were resold to other insurers. The scheme required a massive amount of fictitious document creation and recordkeeping to maintain appearances. The auditors were found guilty because the fraud was so extensive that they should have known about it. One public accounting firm partner and two managers received criminal convictions and over $40 million of civil penalties were paid.

ESM Government Securities v. Alexander Grant & Co. (1987) The ESM case involved a fraud perpetrated by ESM management that was voluntarily revealed to the Alexander Grant (now Grant Thornton) audit partner responsible for the engagement. The audit partner, Joe Gomez, chose to remain silent about the fraud with the expectation that management would be able to reverse the problems if given time. In addition, the fraud had been going on for years, and Gomez did not want to admit and report to his firm that he had missed finding the fraud in prior audits. Because of his silence, which helped the fraud to continue, Gomez was charged with knowingly filing false and misleading audit reports. In addition, he was charged with having received secret payments from ESM officers totaling $125,000. Gomes was sentenced to 12 years in prison.

HealthSouth (2003) HealthSouth made its name as a provider of outpatient surgery, diagnostic, imaging, and rehabilitation health-care services. In 2003, the company and CEO Richard M. Scrushy were charged with accounting fraud and overstating earnings. The fraud dealt with intentional manipulation of corporate accounts to increase earnings so that the company would meet analyst’s expectations. Scrushy was accused of managing the company in such a way that it influenced employees to participate in the fraud. He placed extreme emphasis on meeting earnings expectations. The entire senior management team was relatively young and inexperienced, enabling Scrushy to manage the team through fear. HealthSouth’s CFO, William T. Owens, admitted to accounting fraud and instructing subordinates to make phony accounting entries. He turned himself in to authorities in 2003 and testified against Scrushy. Scrushy was eventually acquitted of criminal wrongdoing in 2005. Nevertheless, he settled with the SEC in 2007 for $77.5 million plus $3.5 million in civil penalties. In 2009, Scrushy was sued for fraud by HealthSouth investors, and he was ordered to repay his company $2.8 billion.

Cloud 9 - Continuing Case Sharon, Josh, and Ian Harper (a first-year audit staff) are having lunch and talking about Cloud 9, a potential audit client. Ian asks, “Cloud 9 is a public company and has operations in a number of states, as well as internationally. I remember from my auditing class that an auditor’s legal liability may differ from state to state, and that federal laws, which are different, may take precedence over state laws. In this litigious environment, how does the firm plan to adequately protect itself with this apparent patchwork of

different laws?” Sharon turns to Josh, asking him what he thinks about this question. Josh answers that one defense that is virtually universal is the due diligence defense. W&S Partners has invested significant time and effort in developing a strong system of quality control. If the firm’s working papers show that the auditors have used due diligence in carrying out their audit, the firm should be able to fend off legal liability. Sharon agrees with Josh. “It is very important that we follow professional standards at all times.”

  Learning Objectives Review  2-41

Before You Go On 9.1 What transactions are covered by the Securities Act of 1933? Develop examples of transactions that are, and are not, covered by this Act. 9.2 What is the burden of proof for the plaintiff and the defendant auditor under the Securities Act of 1933? Explain in the context of the BarChris case. 9.3 Explain the conditions of auditor liability under Rule 10(b)-5 of the 1934 Securities Exchange Act. What were the findings under this section as they related to the Hochfelder case? 9.4 What is proportionate liability under the Private Securities Reform Act of 1995? What finding is important for a defendant to obtain the benefits of proportionate liability? 9.5 Explain how SOX significantly changed the audit environment for auditors. 9.6 Explain how criminal liability is different from civil liability. Illustrate your discussion with the results of actual cases.

Learning Objectives Review 1  Explain what it means to be a professional and how

these traits apply to auditors. The term professional is often used loosely in various contexts. Robert Mautz talked articulately about the difference between the expert competitor (EC) professional and the concern for the public interest (CPI) professional. Auditors fall into the category of CPI professionals. CPI professions are often recognized by a specialized body of knowledge, a formal education process, standards governing admission to the profession, a code of ethics, recognized status indicated by a license, a public interest in the work that practitioners perform, and the recognition by practitioners of an obligation to society. Auditors are granted an exclusive license to perform audits in exchange for their responsibility to the public to provide reasonable assurance that financial statements are free of material misstatements. 2  Explain the structure of the AICPA Code of Profes-

sional Conduct. The AICPA Code of Professional Conduct applies to all AICPA members as well as to all CPAs in many states. The Code consists of principles, rules, and interpretations. Rules of conduct are enforceable and a CPA must be prepared to justify departures from the rules. Further, members whose conduct departs from interpretations have the burden of justifying the departure in a disciplinary hearing. The Code is also structured into four parts: a preface applicable to all members; Part I, which includes ethical rules for members in public practice; Part II, which includes ethical rules for members in business; and Part III, which includes ethical rules for other members (e.g., non-CPA members of the AICPA). 3  Apply the conceptual framework approach to ethical

decision making for members in public practice. The conceptual framework is designed to assist CPAs in situations that are not addressed in the rules or interpretations of the AICPA

Code of Professional Conduct. Illustration 2.2 depicts the five steps a CPA should apply when considering evaluating an ethical situation: (1) identify threats to compliance with rules, (2) evaluate the significance of the threat, (3) identify and apply safeguards, (4) evaluate the effectiveness of the safeguards, and (5) document the threats and safeguards applied. A CPA should judge his or her ethical conduct from the perspective of a reasonable and informed third party. 4  Evaluate the ethical behavior needed to comply with

rules of conduct on integrity and objectivity. The ethical rule on integrity and objectivity requires a CPA to (1) be free of conflicts of interest, (2) not knowingly misrepresent facts, and (3) not subordinate his or her judgment to others. 5  Evaluate the ethical behavior needed to comply with rules of conduct on independence. A CPA should be both independent in fact (act with integrity and objectivity) and independent in appearance in the eyes of reasonable and informed third parties. It is important for CPAs to understand how independence rules apply to covered members, immediate family members, close relatives, and other professionals in an audit firm. CPAs also need to understand what is prohibited or allowed in terms of investments in an attest client, loans to or from an attest client, employment relationship with an attest client, or the performance of nonattest services for an attest client. 6  Evaluate the ethical behavior needed to comply with rules of conduct on general standards. The general standards apply to any CPA performing any professional engagement for a client. At a minimum a CPA must have the appropriate professional competence to complete the engagement, use due professional care, adequately plan and supervise the engagement, and obtain sufficient relevant data to support conclusions or recommendations.

2-42  C h a pte r 2  Professionalism and Professional Responsibilities

7  Evaluate the ethical behavior needed to comply with

other rules of conduct for members in public practice. It is not possible to cover all the remaining rules of conduct for members in public practice. Illustration 2.1 provides a general outline of the rules of conduct for members in public practice. In particular, you should understand a CPA’s responsibility for complying with accounting principles and the types of engagements and the situations in which it is appropriate for a CPA to accept a commission, a referral fee, or a contingent fee. A CPA must also take care not to disclose confidential client information without the specific consent of the client, and a CPA must be cognizant of specific situations where confidential client information may be disclosed. 8  Evaluate an auditor’s legal liability under common law Auditors are liable to clients for their negligent actions that result in either breach of contract or tort actions. Auditor liability to third parties under common law varies from state to state. Three important doctrines that address common law to third parties are (1) the primary beneficiaries doctrine, (2) the restatement of torts doctrine, and (3) the foreseeable third parties doctrine. These doctrines explain when an auditor would be liable to third parties for ordinary negligence. Illustration 2.11 identifies important cases discussed in the chapter that address liability to third parties under common law. The auditor’s primary defense under common law is the due care defense, where the auditor’s working papers and documentation show that an audit was performed in accordance with auditing standards generally accepted in the United States. 9  Evaluate an auditor’s legal liability under statutory law.

summarized in Illustration 2.13. Under the 1933 Securities Act, auditors are liable for their negligence to persons who purchased or otherwise acquired a new issue of securities covered by a registration statement that included a material misstatement of fact in the financial statements. Under the 1934 Act, the auditor must be found to intend to deceive or defraud or be guilty of gross negligence to be found liable. Today, investors who suffer damages due to material misstatements in financial statements often find it easier to sue auditors under common law than under the 1934 Securities Act. The two most important reforms under the Private Securities Litigation Reform Act of 1995 include instituting a system of proportionate liability and a cap on damages into the federal securities laws. In addition, the law imposed new reporting requirements on auditors who detect or otherwise become aware of illegal acts that have a material effect on the financial statements by issuers of securities. The law also instituted a number of other reforms, making it difficult to bring frivolous lawsuits against auditors. SOX significantly changed the audit environment for both auditors and management. This section of the chapter discusses both nonattest services that are now unlawful for auditors to perform for audit clients, and the PCAOB’s responsibility for setting auditing standards, quality control standards, and independence standards for auditors of public companies. In addition, the section describes the legal liability of management, particularly the CEO and CFO. Knowing and willful violation of SOX can result in fines and imprisonment. Finally, improved systems of internal control are designed to improve the audit environment. The federal government can bring criminal charges against auditors under the 1933 and 1934 Securities Act for willfully and knowingly making false or misleading statements in reports filed under the Acts. Criminal penalties include fines and imprisonment. Also, state boards of accountancy have the ability and will usually revoke CPA licenses for criminal violations.

The auditor’s liability to financial statement users under the Securities Acts of 1933 and 1934 are significantly different, as

Key Terms Review Adverse interest threat Advocacy threat Audit committee Breach of contract Close relative Common law Covered member Criminal liability Due care defense Due diligence defense Due professional care Familiarity threat Foreseeable parties Foreseen class

Fraud Gross negligence Immediate family member Independence Independent in appearance Independent in fact Integrity and objectivity Interpretations Key position Management participation threat Ordinary negligence Other beneficiaries Planning and supervision Primary beneficiary

Principles Privity of contract Professional competence Proportionate liability Rules of conduct Scienter Self-interest threat Self-review threat Statutory law Sufficient relevant data Third party Tort Undue influence threat

 Audit Decision-Making Example  2-43

Audit Decision-Making Example Background Information Lisa Cole is a tax partner in the mid-sized CPA firm of Cole and Bayless LLP. Cole and Bayless LLP has been doing significant tax work and advising the owners of Aiwa Hardware on business restructuring over the last two years. Lisa’s husband, Perry, is one of six investors and owners of Aiwa Hardware. As a result, a conflict of interest was identified and disclosed to the owners of Aiwa Hardware. Lisa has not been allowed to have any connection to, or influence on, the tax or business restructuring engagements for Aiwa Hardware, and a second partner reviewed these engagements to ensure the firm acted with integrity and objectivity. Aiwa Hardware owes Cole and Bayless LLP $200,000 in fees for the tax and restructuring work. On December 1, 2021, after significant discussions between Fifth State Bank and the owners of Aiwa Hardware, the bank will require audited financial statements from Aiwa Hardware for the year ended December 31, 2022. Aiwa Hardware has not been audited before and the only financial information used by the bank have been tax returns. After discussions on December 3, 2021, involving Aiwa Hardware’s owners and the accounting firm’s managing partner Rick Bayless, the following conclusions are reached: (a) Perry Cole will sell his share to the other five investors and owners of Aiwa Hardware for cash as of December 15, 2021, and will discontinue any participation in the business as of that date and (b) Rick Bayless will accept an offer from the remaining owners of Aiwa Hardware to give Cole and Bayless, LLP a secured, interest-bearing note dated December 15, 2021, in settlement of the outstanding account receivable to the CPA firm with repayment terms over 3 years. On May 1, 2022, Rick Bayless and Lee Aiwa sign an engagement letter for Cole and Bayless LLP to do the audit of Aiwa Hardware for the year ended December 31, 2022.

Identify the Ethics Issue(s) Identify any threats to ethical behavior on the part of Cole and Bayless LLP. Also address the significance of the threats and any safeguards that can be put in place to reduce the threat to an acceptable level.

Gather Information and Evidence Ethical threats include: •  A familiarity threat presents a conflict of interest and a threat to acting with integrity and objectivity (ET 1.110.010.04)— exists because Lisa Cole is a partner in the CPA firm and her husband is an owner in Aiwa Hardware through December 15, 2021. •  A self-interest threat presents a conflict of interest and a threat to acting with integrity and objectivity (ET 1.110.010.04)—

exists because Lisa Cole is a partner in the CPA firm and her husband is an owner in Aiwa Hardware through December 15, 2021. •  A self-interest threat presents a conflict of interest and a threat to acting with integrity and objectivity (ET 1.110.010.04)— exists because Cole and Bayless LLP has a direct investment in Aiwa Hardware in the form of a secured debt instrument as of December 15, 2021. •  A self-interest threat presents a conflict of interest and a threat to independence (ET 1.120.010.16)—exists because Cole and Bayless LLP has direct investment in Aiwa Hardware in the form of a secured debt instrument, as of December 15, 2021.

Analysis and Evaluation of Alternatives •  Cole and Bayless LLP does not need to be independent to do tax work or consulting work (advising on business restructuring). It does need to be independent to do any attest work, including auditing the financial statements of Aiwa Hardware. •  The fact that Lisa Cole’s conflict of interest is disclosed to the client; she is not allowed to perform any work, or influence the work for Aiwa Hardware; and a second partner reviews the work for Aiwa Hardware is sufficient to ensure the integrity and objectivity of the firm with respect to performing tax and consulting services for Aiwa Hardware (ET 1.110.010). •  Lisa’s husband sells his ownership interest in Aiwa Hardware and discontinues any participation in the Aiwa Hardware business prior to the period under audit beginning January 1, 2022. This eliminates the familiarity and self-interest threats associated with his ownership interest for periods beginning after January 1, 2022. •  A self-interest threat presents a conflict of interest, and a threat to independence exists because Cole and Bayless LLP has a direct investment in Aiwa Hardware in the form of a secured debt instrument. No safeguard (ET 1.210.010.02) can be put in place to safeguard this threat and Cole and Bayless LLP is not independent with respect to performing any attest work for Aiwa Hardware, including an audit. The independence of Cole and Bayless LLP is impaired. The fact that the relationship is known by Aiwa Hardware does not eliminate the threat to independence.

Ethical Conclusions Cole and Bayless can continue to perform tax and consulting engagements for Aiwa Hardware. However, the firm cannot perform any attest engagements because the firm is not independent. There is no safeguard to the self-interest threat created by the direct investment in Aiwa Hardware.

CPAexcel CPAexcel questions and other resources are available in WileyPLUS.

2-44  C h a pte r 2  Professionalism and Professional Responsibilities

Multiple-Choice Questions 1.  (LO 1)  A key aspect of the “concern for the public interest” definition of a professional is: a.  the level of professional expertise of the professional. b.  t he fact that there are situations where professionals must put the interest of society ahead of the interest of their clients or their own well-being. c.  t he incorporation of this definition into the Sarbanes-Oxley Act of 2002. d.  the unique ability of CPAs to sign attest reports. 2.  (LO 2)  Which of the following statements is true about interpretations of the AICPA Code of Professional Conduct? a.  Interpretations are not enforceable by the AICPA in a disciplinary matter. b.  I nterpretations are strictly enforceable by the AICPA in a disciplinary matter. c.  I nterpretations are strictly enforceable by the AICPA and all state boards of accountancy in a disciplinary matter. d.  An AICPA member who departs from an interpretation has the burden of justifying a departure in any disciplinary hearing. 3.  (LO 3)  In the conceptual framework to the AICPA Code of Professional Conduct, a self-interest threat is: a.  the threat that a CPA could benefit, financially or otherwise, from an interest in, or a relationship with, a client or persons associated with the client. b.  t he threat that a CPA will not act with objectivity because the CPA’s interests are opposed to the client’s interests c.  t he threat that a CPA will take on the role of client management or otherwise assume management responsibilities.

6.  (LO 5)  A CPA who is a “covered person” purchased stock in a client corporation and placed it in a trust as an educational fund for the CPA’s minor child. The trust securities were not material to the CPA but were material to the child’s personal net worth. Would the independence of the CPA be considered impaired with respect to the client? a.  Yes, because the stock would be considered an indirect financial interest that is material to the CPA’s child. b.  No, because the CPA would not be considered to have a direct financial interest in the client. c.  Y  es, because the stock would be considered a direct financial interest and, consequently, materiality is not a factor. d.  No, because the CPA would not be considered to have a material indirect financial interest in the client. 7.  (LO 5)  Under the AICPA ethics rules on independence, which of the following individuals would not be a covered member? a.  A consulting manager in another office who provides 100 hours of non-audit services to the audit client. b.  A partner in the same office as the lead partner who provides no services to the audit client. c.  A  partner in another office who evaluates partner performance and compensation, but provides no services to the audit client. d.  A tax partner in another office who provides 9 hours of tax services to the audit client. 8.  (LO 5)  Which of the following best describes the independence requirements for a close relative of a covered member? a.  A close relative cannot have an immaterial, direct investment in an audit client. b.  A close relative cannot have a loan from an audit client.

d.  the threat that a CPA will promote a client’s interests or position to the point that the CPA’s objectivity or independence is compromised.

c.  A close relative cannot hold a key position with an audit client.

4.  (LO 4)  A CPA would violate the AICPA rule on integrity and objectivity if:

9.  (LO 6)  The essence of the due care standard is that the auditor should not be guilty of:

d.  A close relative cannot have an immaterial, indirect investment in an audit client.

a.  a CPA in industry knowingly misrepresented the earnings of the company he worked for.

a.  bias.

b.  a CPA in public practice represented both the buyer and seller in helping the parties negotiate the sale (purchase) of a business.

c.  fraud.

c.  a CPA who was an audit staff member subordinated his or her judgment to that of the audit partner. d.  All of the answers are violations of the AICPA rule on ­integrity and objectivity. 5.  (LO 5)  According to the profession’s ethical standards, an auditor would be considered independent in which of the following instances? a.  A professional employee, who does not work on the audit, has a spouse who is a marketing manager for an audit client. b.  The auditor is also an attorney who advises the client as its general counsel. c.  An employee of the auditor donates service as treasurer of a charitable organization that is a client. d.  The client owes the auditor fees for two consecutive annual audits.

b.  errors in judgment. d.  negligence. 10.  (LO 7)  Without the consent of the client, a CPA should not disclose confidential client information contained in working papers to a: a.  voluntary quality control review board. b.  CPA firm that is a likely successor auditor. c.  f ederal court that has issued a valid subpoena. d.  disciplinary body created under state statute. 11.  (LO 8)  If a stockholder sues a CPA for common law fraud based on false statements contained in the financial statements audited by the CPA, which of the following is the CPA’s best defense? a.  The CPA did not financially benefit from the alleged fraud. b.  There was contributory negligence of the client. c.  T  he stockholder lacks privity to sue. d.  The auditor followed GAAS.

 Review Questions  2-45 12.  (LO 8)  Starr Corp. approved a plan of merger with Silo Corp. One of the determining factors in approving the merger was the strong financial statements of Silo, which were audited by Cox & Co., CPAs. Starr had engaged Cox to audit Silo’s financial statements. While performing the audit, Cox failed to discover material fraud, which subsequently caused Starr to suffer substantial losses. For Cox to be liable under common law under the Ultramares decision, Starr, at a minimum, must prove that Cox: a.  was a party to the fraud. b.  acted recklessly or with a lack of reasonable grounds for belief. c.  failed to exercise due care. d.  w  as grossly negligent. 13.  (LO 9)  When a plaintiff is suing the auditor for damages under Rule 10(b)-5 of the 1934 Securities Act, which of the following is not part of the plaintiff’s burden of proof?

c.  The plaintiff relied on the financial statements. d.  Damages were suffered as a result of reliance on the financial statements. 14.  (LO 9)  One of the elements necessary to recover damages if there has been a material misstatement in a registration statement filed pursuant to the Securities Act of 1933 is that: a.  t here was a material false or misleading statement in the financial statements. b.  the plaintiff knew the auditor. c.  issuer and plaintiff were in privity of contract with each other. d.  issuer failed to exercise due care in connection with the sale of the securities.

a.  The financial statements contained a material, factual misrepresentation or omission. b.  The auditor was negligent.

Review Questions R2.1  (LO 1)  Explain the “public interest” in the work performed by auditors. R2.2  (LO 1)  There are a series of characteristics associated with CPI professionals. Explain how they apply to architecture and to public accounting. R2.3  (LO 2)  Explain the differences between Parts 1, 2, and 3 of the AICPA Code of Professional Conduct. R2.4  (LO 2, 3)  Assume that a CPA has an opportunity to bid on a new audit client. The accounting firm is being considered because the CPA’s best friend from college is the CFO of the potential client. Apply the conceptual framework for members in public practice to this situation. Explain any threats involved and whether any safeguards can be applied to reduce the threat to an acceptable level. R2.5  (LO 2, 3)  Assume that a CPA has just received a new audit client. The client will be the firm’s largest audit client, and the firm will have to hire one new staff member to staff the engagement. The fees will represent 25% of the firm revenues. Apply the conceptual framework for members in public practice to this situation. R2.6  (LO 4)  Explain the rule on integrity and objectivity. Give examples of conflicts of interest, knowingly misrepresenting facts, or subordinating judgment. R2.7  (LO 5)  Is it appropriate for an audit firm to ask questions of an employee about his or her investments or the investments of his or her spouse? Why or why not? R2.8  (LO 3, 5)  What independence problems are created when an audit manager is approached by a private company audit client, which he or she audits, to become the company’s CFO? Are there appropriate safeguards that can be put in place to protect the audit firm’s independence?

R2.9  (LO 5)  List three situations in which the SEC and PCAOB independence rules are stricter than the AICPA rules. Give an example of each. R2.10  (LO 6)  The AICPA rule on general standards identifies four aspects of professional behavior. Identify each of the four aspects and develop an example illustrating the violation of each aspect. R2.11  (LO 7)  Henry Owens, CPA works in a local accounting firm. He is the tax manager on a major client in the office. The firm prepares compiled financial statements for the client on a quarterly basis. The client was impacted by the BP oil spill off the Gulf coast, and the client would like to engage Henry to help the business prepare a claim for damages from BP. The client would like to pay Henry on a contingent fee basis where Henry and his firm would receive 15% of any amounts recovered in a settlement with BP. Henry would receive no fee unless amounts are recovered. Can Henry accept this engagement? Why or why not? R2.12  (LO 8)  What does a third-party user of financial statements have to prove under common law in a suit against an auditor for the auditor’s negligence? Illustrate each item with an example. R2.13  (LO 8)  John Rodrigeuz purchased newly issued bonds of Fly By Night Airlines in the primary market. Subsequently Fly By Night went bankrupt. What statutory law applies to this transaction? What does John have to prove in a lawsuit against Fly By Night’s auditors? R2.14  (LO 9)  Mary Chen purchased shares of Fly By Night Airlines in the secondary market. Subsequently Fly By Night went bankrupt. What statutory law applies to this transaction? What does Mary have to prove in a lawsuit against Fly By Night’s auditors?

2-46  C h a pte r 2  Professionalism and Professional Responsibilities

Analysis Problems AP2.1  (LO 2, 3)  Basic   Framework for ethical decision making  Assume that you are the audit partner on an engagement for a client that has had a string of operating losses. You know the CFO, who is a former audit manager of your firm. The company still has a positive net worth, but you are worried that the company might have to close down within the next year or so. When you tell the CFO that the company should make full disclosure in the notes concerning substantial doubt about the company’s ability to continue as a going concern, your colleague says, “Hogwash! There’s no substantial doubt. The probability of our having to close down is remote. We’ll make no such disclosure. To do so would only make our customers and creditors nervous, possibly making such a disclosure a self-fulfilling prophecy. Our competitors are as bad off as we are, and their auditors aren’t making them send out a distress signal.” You agree that the determination of “substantial doubt” is a judgment call.

Required Apply the five-step Conceptual Framework for Members in Public Practice to this dilemma. AP2.2  (LO 5)  Moderate   Independence  The attribute of independence has been traditionally associated with the CPA’s function of auditing and expressing opinions on financial statements.

Required a. What is meant by “independence” as applied to the CPA’s function of auditing and expressing opinions on financial statements? Discuss. b. The Wallydrug Company is indebted to a CPA for unpaid fees and has offered to issue to the CPA unsecured interest-bearing notes. Would acceptance of these notes have any bearing on the CPA’s independence with respect to Wallydrug Company? Discuss. c. The Rocky Hill Corporation was formed on October 1, 2021, and its fiscal year will end on September 30, 2022. You audited the corporation’s opening balance sheet and rendered an unqualified opinion on it. A month after rendering your report, you are offered the position of secretary of the board of directors because of the need for a complete set of officers and for convenience in signing various documents. You will have no financial interest in the company through stock ownership or otherwise, will receive no salary, will not keep the books, and will not have any influence on its financial matters other than occasional advice on income tax matters and similar advice normally given a client by a CPA. 1. Assume that you accept the offer but plan to resign the position prior to conducting your annual audit, with the intention of again assuming the office after rendering an opinion on the statements. Can you render an independent opinion on the financial statements? Discuss. 2. Assume that you accept the offer on a temporary basis until the corporation has gotten under way and can find a replacement for secretary of the board of directors. In any event, you would permanently resign the position before conducting your annual audit. Can you render an independent opinion on the financial statements? Discuss. AP2.3  (LO 5)  Challenging   Public Company   Research   Independence  Jones and Jones, CPA, has a manufacturing client, Widgit Technologies, Inc. (WTI), that is a small, owner-managed business with annual revenues of approximately $8 million. WTI employs a bookkeeper but is not large enough to employ a CPA in-house. WTI regularly asks Margaret Jones, the partner on the engagement, for advice on accounting issues, and Jones and Jones drafts the financial statements for the company. The client reviews the financial statements before they are printed by Jones and Jones with an audit opinion attached. During the current year, WTI asked Jones and Jones to assist the company by rendering a business valuation service. WTI is asking Jones and Jones to (1) estimate the value of WTI and (2) consult with WTI in the form of making recommendations on steps that WTI can take that will grow the value of the business.

Required a. Since Jones and Jones is preparing the financial statements for WTI, is Jones and Jones independent with respect to WTI? What conditions, if any, must Jones and Jones meet in order to be independent with respect to WTI? b. Would Jones and Jones be independent if WTI were a public company subject to SEC rules and regulations? Explain your reasoning.

 Analysis Problems  2-47 c. Can Jones and Jones take on the business valuation services and consulting engagement and remain independent with respect to WTI? Explain your reasoning. d. Can Jones and Jones take on the business valuation services and consulting engagement if WTI were a public company subject to SEC rules and regulations? Explain your reasoning. AP2.4  (LO 4, 5, 6, 7)  Moderate   Research   Rules of conduct  In the practice of public accounting, an auditor who is a member of the AICPA is expected to comply with the rules of the AICPA Code of Professional Conduct. Listed below are circumstances that raise a question about an auditor’s ethical conduct.   1. The auditor has a bank loan with a bank that is an audit client.   2. An unqualified opinion is expressed when the financial statements of a county are prepared in conformity with principles established by the Governmental Accounting Standards Board.   3. An auditor retains the client’s records as a means of enforcing payment of an overdue audit fee.   4. The auditor makes retirement payments to individuals who formerly were members of his firm.   5. An auditor sells her shares of stock in a client company in April prior to beginning work on the audit for the year ending December 31.   6. An auditor accepts an engagement knowing that he does not have the expertise to do the audit.   7. The auditor quotes a client an audit fee but also states that the actual fee will be contingent on the amount of work done.   8. The auditor’s firm states in a newspaper advertisement that it has had fewer lawsuits than its principal competitors.   9. The auditor resigns her position as treasurer of the client on May 1, prior to beginning the audit for the year ending December 31. 10. The auditor discloses confidential information about a client to a successor auditor. 11. The auditor accepts an audit engagement when he has a conflict of interest. 12. An auditor prepares a small brochure containing testimonials from existing clients that he mails to prospective clients. 13. An auditor complies with the technical standards of the Accounting and Review Services Committee in reviewing the financial statements of a non-public entity. 14. An auditor audits the financial statements of a local bank and also serves on the bank’s committee that approves loans. 15. An auditor pays a commission to an attorney to obtain a client.

Required a. Identify the rule of the AICPA Code of Professional Conduct that applies to each circumstance (available at the AICPA website, www.aicpa.org). b. Indicate for each circumstance whether the effect on the rule is (1) a violation, (2) not a violation, or (3) indeterminate. Give the reason(s) for your answer. AP2.5  (LO 4, 5, 6, 7)  Moderate   Research   Ethical issues  Gilbert and Bradley formed a corporation called Financial Services, Inc., each taking 50% of the authorized common stock. Gilbert is a CPA and a member of the American Institute of CPAs. Bradley is a CPCU (Chartered Property Casualty Underwriter). The corporation performs auditing and tax services under Gilbert’s direction and insurance services under Bradley’s supervision. The opening of the corporation’s office was announced by a three-inch, two-column ad in the local newspaper. One of the corporation’s first audit clients was the Grandtime Company. Grandtime had total assets of $600,000 and total liabilities of $270,000. In the course of the audit, Gilbert found that Grandtime’s building with a book value of $240,000 was pledged as security for a 10-year term note in the amount of $200,000. The client’s statements did not mention that the building was pledged as a security for the note. However, as the failure to disclose the lien did not affect either the value of the assets or the amount of the liabilities and the audit was satisfactory in all other respects, Gilbert rendered an unqualified opinion on Grandtime’s financial statements. About two months after the date of the opinion, Gilbert learned that an insurance company was planning a loan to Grandtime of $150,000 in the form of a first-mortgage note on the building. Realizing that the insurance company was unaware of the existing lien on the building, Gilbert had Bradley notify the insurance company of the fact that Grandtime’s building was pledged as security for the term note. Shortly after the events described above, Gilbert was charged with a violation of professional ethics.

2-48  C h a pte r 2  Professionalism and Professional Responsibilities

Required Identify and discuss the ethical implication of those acts by Gilbert that were in violation of the AICPA Code of Professional Conduct (available at the AICPA website, www.aicpa.org). AP2.6  (LO 4, 5, 6, 7)  Challenging   Research   Ethical issues  The following situations involve Herb Standard, staff accountant with the regional accounting firm of Cash & Green: 1. The bookkeeper of Ethical Manufacturing Company resigned two months ago and has not yet been replaced. As a result, Ethical’s transactions have not been recorded and the books are not up to date. To comply with terms of a loan agreement, Ethical needs to prepare interim financial statements but cannot do so until the books are posted. Ethical looks to Cash & Green, its independent auditors, for help and wants to borrow Herb Standard to perform the work. Ethical wants Herb because he did its audit last year. 2. Herb Standard discovered that his client, Ethical Manufacturing Company, materially understated net income on last year’s tax return. Herb informs his supervisor about this and the client is asked to prepare an amended return. The client is unwilling to take corrective measures. Herb informs the Internal Revenue Service. 3. While observing the year-end inventory of Ethical Manufacturing Company, the plant manager offers Herb Standard a fishing rod, which Ethical manufactures, in appreciation for a job well done. 4. Herb Standard’s acquaintance, Joe Lender, is chief loan officer at Local Bank, an audit client of Cash & Green. Herb approaches Joe for an unsecured loan from Local Bank and Joe approves the loan. 5. Herb Standard is a member of a local investment club composed of college fraternity brothers. The club invests in listed stocks and is fairly active in trading. Last week the club purchased the stock of Leverage Corp., a client of another Cash & Green office. Herb has no contact with the members of this office.

Required For each situation, (a) identify the ethical issues that are involved and (b) discuss whether there has or has not been any violation of ethical conduct. Support your answers by reference to the rules of the AICPA Code of Professional Conduct, available at the AICPA website (www.aicpa.org). AP2.7  (LO 8)  Moderate   Common law  Tyler Corp. is insolvent. It has defaulted on the payment of its debts and does not have assets sufficient to satisfy its unsecured creditors. Slade, a supplier of raw materials, is Tyler’s largest unsecured creditor and is suing Tyler’s auditors, Field & Co., CPAs. Slade had extended $2 million of credit to Tyler based on the strength of Tyler’s audited financial statements. Slade’s complaint alleges that the auditors were either (1) negligent in failing to discover and disclose fictitious accounts receivable created by management or (2) committed fraud in connection with Tyler. Field believes that Tyler’s financial statements were prepared in accordance with GAAP and, therefore, its opinion was proper. Slade has established that: •  The accounts receivable were overstated by $10 million. •  Total assets were reported as $24 million, of which accounts receivable were $16 million. •  The auditors did not follow their own audit program, which required that confirmation requests be sent to an audit sample representing 80% of the total dollar amount of outstanding receivables. Confirmation requests were sent to only 45%. •  The responses that were received represented only 20% of the total dollar amount of outstanding receivables. This was the poorest response in the history of the firm, the next lowest being 60%. The manager in charge of the engagement concluded that further inquiry was necessary. This recommendation was rejected by the partner in charge.  ield had determined that a $300,000 account receivable from Dion Corp. was nonexistent. Tyler’s •  F explanation was that Dion had reneged on a purchase contract before any products had been shipped. At Field’s request, Tyler made a reversing entry to eliminate this overstatement. However, Field accepted Tyler’s explanation as to this and several similar discrepancies without further inquiry. Slade asserts that Field is liable as a result of both negligence and fraud in conducting the audit.

Required Discuss Slade’s assertions and the defenses that might be raised by Field, setting forth reasons for any conclusions stated. AP2.8  (LO 8)  Challenging   Common law  Astor Inc. purchased the assets of Bell Corp. A condition of the purchase agreement required Bell to retain a CPA to audit Bell’s financial statements. The purpose of the audit was to determine whether the unaudited financial statements furnished to Astor fairly presented Bell’s financial position. Bell retained Winston & Co., CPAs, to perform the audit.

 Analysis Problems  2-49 While performing the audit, Winston discovered that Bell’s bookkeeper had embezzled $500. Winston had some evidence of other embezzlements by the bookkeeper. However, Winston decided that the $500 was immaterial and that the other suspected embezzlements did not require further investigation. Winston did not discuss the matter with Bell’s management. Unknown to Winston, the bookkeeper had, in fact, embezzled large sums of cash from Bell. In addition, the accounts receivable were significantly overstated. Winston did not detect the overstatement because of Winston’s inadvertent failure to follow its audit program. Despite the foregoing, Winston issued an unqualified opinion on Bell’s financial statements and furnished a copy of the audited financial statements to Astor. Unknown to Winston, Astor required financing to purchase Bell’s assets and furnished a copy of Bell’s audited financial statements to City Bank to obtain approval of the loan. Based on Bell’s audited financial statements, City loaned Astor $600,000. Astor paid Bell $750,000 to purchase Bell’s assets. Within six months, Astor began experiencing financial difficulties resulting from the undiscovered embezzlements and overstated accounts receivable. Astor later defaulted on the City loan. City has commenced a lawsuit against Winston based on the following causes of action: •  Constructive fraud. •  Negligence.

Required In separate paragraphs, discuss whether City is likely to prevail on the causes of action it has raised, setting forth reasons for each conclusion. AP2.9  (LO 9)  Moderate   Public Company   Statutory law—1933 Act  Dandy Container Corporation engaged the accounting firm of Adams and Adams to audit financial statements to be used in connection with a public offering of securities. The audit was completed, and an unqualified opinion was expressed on the financial statements that were submitted to the Securities and Exchange Commission along with the registration statement. Two hundred thousand shares of Dandy Container common stock were offered to the public at $11 a share. Eight months later, the stock fell to $2 a share when it was disclosed that several large loans to two “paper” corporations owned by one of the directors were worthless. The loans were secured by the stock of the borrowing corporation that was owned by the director. These facts were not disclosed in the financial statements. The director involved and the two corporations are insolvent. 1. The Securities Act of 1933 applies to the above-described public offering of securities in interstate commerce. 2. The accounting firm has potential liability to any person who acquired the stock in reliance on the registration statement. 3. The accountants could avoid liability if they could show they were neither negligent nor fraudulent. 4. The accountants could avoid or reduce the damages asserted against them if they could establish that the drop in price was due in whole or in part to other causes. 5. The Dandy investors would have to institute suit within one year after discovery of the alleged untrue statements or omissions. 6. The SEC would defend any action brought against the accountants in that the SEC examined and approved the registration statement. 7. Although Adams and Adams knew of the loans, and related collateral, and concluded that they did not need to be disclosed, they can still sustain the claim that they are only proportionally liable for any damages suffered by shareholders because the financial statements are management’s responsibility.

Required Indicate whether each of the above statements is true or false under statutory law. Give the reason(s) for your answer. AP2.10  (LO 8, 9)  Challenging   Public Company   Statutory law; common law Part I: The common stock of Wilson, Inc. is owned by 10,000 stockholders who live in several states. Wilson’s financial statements as of December 31, 2021, were audited by Doe & Co., CPAs, who rendered an unqualified opinion on the financial statements. In reliance on Wilson’s financial statements, which showed net income for 2021 of $1.5 million, Peters, on April 10, 2022, purchased 10,000 shares of Wilson stock for $200,000. The purchase was from a shareholder who lived in another state. Wilson’s financial statements contained material misstatements. Because Doe did not carefully follow GAAS, it did not discover that the statements failed to reflect unrecorded expenses that reduced Wilson’s actual net income to $800,000. After disclosure of the corrected financial statements, Peters sold his shares for $100,000, which was the highest price he could obtain. Peters has brought an action against Doe under federal securities law and state common law.

2-50  C h a pte r 2  Professionalism and Professional Responsibilities

Required Answer the following, setting forth reasons for any conclusions stated: a. Will Peters prevail on his federal securities law claims? b. Will Peters prevail on his state common law claims? Part II: Able Corporation decided to make a public offering of bonds to raise needed capital. On June 30, 2022, it publicly sold $2.5 million of 12% debentures in accordance with the registration requirements of the Securities Act of 1933. The financial statements filed with the registration statement contained the unqualified opinion of Baker & Co., CPAs. The statements overstated Able’s net income and net worth. Through negligence Baker did not detect the overstatements. As a result, the bonds, which originally sold for $1,000 per bond, have dropped in value to $700. Ira is an investor who purchased $10,000 of the bonds. He promptly brought an action against Baker under the Securities Act of 1933.

Required Setting forth reasons for any conclusions, determine if Will should prevail on his claim under the Securities Act of 1933. AP2.11  (LO 8, 9)  Challenging   Public Company   Statutory law; common law  To expand its operations, Dark Corp. raised $4 million by making a private interstate offering of $2 million in common stock and negotiating a $2 million loan from Safe Bank. The common stock was properly offered pursuant to the Securities Act of 1933. In connection with this financing, Dark engaged Crea & Co., CPAs, to audit Dark’s financial statements. Crea knew that the sole purpose for the audit was so that Dark would have audited financial statements to provide to Safe and the purchasers of the common stock. Although Crea conducted the audit in conformity with its audit program, Crea failed to detect material acts of embezzlement committed by Dark’s president. Crea did not detect the embezzlement because of its inadvertent failure to exercise due care in designing its audit program for this engagement. After completing the audit, Crea rendered an unqualified opinion on Dark’s financial statements. The purchasers of the common stock relied on the financial statements in deciding to purchase the shares. In addition, Safe Bank approved the loan to Dark based on the audited financial statements. Within 60 days after the sale of the common stock and the making of the loan by Safe, Dark was involuntarily petitioned into bankruptcy. Because of the president’s embezzlement, Dark became insolvent and defaulted on its loan to Safe. Its common stock became virtually worthless. •  A  ctions have been commenced against Crea by the purchasers of the common stock who have asserted that Crea is liable for damages under Section 10(b) and Rule 10b-5 of the Securities Exchange Act of 1934. •  Safe Bank filed suit against Crea & Co. under common law based on Crea’s negligence.

Required In separate paragraphs, discuss the merits of the actions commenced against Crea, indicating the likely outcomes and the reasons therefore. AP 2.12  (LO 2, 3, 4, 5)  Challenging   Research   Independence  Johnson and Wiley, CPAs acquires Fritz and Rufner, CPAs as of January 1, 2022. Johnson and Wiley have audited the financial statements of Matthews Grocery for the last 5 years. Fritz and Rufner provided nonattest services to Matthews Grocery that would have been prohibited for Johnson and Wiley. Fritz and Rufner resigned performing the nonattest services for Matthews Grocery as of December 1, 2021. Matthews Grocery has a calendar year end of December 31. Do any independence problems exist for Johnson and Wiley for the audits of Matthews Grocery as of December 31, 2021 and 2022? If so, can safeguards be applied to preserve Johnson and Wiley’s independence? Explain your answer and cite any professional standards that apply.

Ethical Decision Case King Companies, Inc. Question C2.1 is based on the following case. King Companies, Inc. (KCI) is a private company that owns five auto parts stores in urban Los Angeles, California. King Companies has gone from two auto parts stores to five stores in the last three years,

 Ethical Decision Case  2-51 and it plans continued growth. Eric and Patricia King own the majority of the shares in KCI. Eric is the chairman of the board of directors of KCI and CEO, and Patricia is a director as well as the CFO. Shares not owned by Eric and Patricia are owned by friends and family who helped the Kings get started. Eric started the company with one store after working in an auto parts store. To date, he has funded growth from an inheritance and investments from a few friends. Their accounting firm, Thornson & Danforth LLP, has done tax returns for the company, as well as for the King family, for the last 10 years. Thornson & Danforth is a CPA firm with 55 professionals, which performs audit and tax services for a number of clients. James Danforth, a tax partner in the CPA firm, is a long-time friend of Eric and owns 5% of KCI. In October 2021, Eric opens a conversation with James about upcoming expansion and the plan to open three to five more stores. Eric has learned this will mean taking on significant debt to fund the growth. Every lender that Eric has talked with has been impressed with the growth to date with equity, but the lenders will require an annual audit. Eric asks James if his firm can perform the annual audit. James explains his concerns about the independence of Thornson & Danforth. Because the expansion is still in the early planning stages, Eric agrees to purchase James’ 5% stake in KCI in November 2021. James expects that the first audited financial statements that KCI will need will be for the year ended December 31, 2022. C2.1  (LO 3, 5)  Challenging   Research   Application of the conceptual framework  Thornson & Danforth plans to continue to prepare tax returns for KCI and the King family. The firm also plans to perform the audit for the year ended December 31, 2022. a.  Identify any ethics issues that exist. b.  Gather appropriate information for each ethical issue. c.  Analyze the relevant information for each ethical issue and evaluate the alternatives. d.  Draw a conclusion about each ethical issue and explain your reasoning. Cite appropriate references from the AICPA Code of Professional Conduct (available at the AICPA website, www.aicpa.org).

Cloud 9 - Continuing Case Sharon Gallagher, Josh Thomas, and Jo Wadley work for the audit firm W&S Partners. Sharon is an audit manager, Josh is an audit senior, and Jo is an audit partner. They meet to discuss the results of a survey of other offices of W&S Partners, as well as their own office. The survey was directed toward determining if W&S Partners had any independence problems with respect to a new prospective client, Cloud 9 Inc. Based on the survey, they learn the following: •  J o Wadley and David Collier (Cloud 9’s CFO) both serve on the board of directors of the local chapter of Special Olympics. •  A  tax senior in another office has a sister that consults with Cloud 9 on shoe design. Cloud 9 is her largest client.

•  Fifteen employees of W&S Partners, ranging from partners to entry-level staff, own shares in retailers that sell Cloud 9 shoes. •  A survey shows that 23% of professional staff working for W&S Partners have purchased Cloud 9 shoes in the past.

Required Evaluate each of the items above and their impact on the independence of W&S Partners with respect to Cloud 9. If relevant, list any additional actions you might take before making your independence recommendation to Jo Wadley.

Chapter 3 Risk Assessment Part I Audit Risk and Audit Strategy

The Audit Process Overview of Audit and Assurance (Chapter 1) Professionalism and Professional Responsibilities (Chapter 2) Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4) Identify Significant Accounts and Transactions Make Preliminary Risk Assessments

Set Planning Materiality

Gaining an Understanding of the System of Internal Control (Chapter 6)

Audit Evidence (Chapter 5)

Develop Responses to Risk and an Audit Strategy

Performing Tests of Controls (Chapter 8)

Performing Substantive Procedures (Chapter 9) Audit Sampling for Substantive Tests (Chapter 10)

Auditing the Revenue Process (Chapter 11)

Auditing the Purchasing and Payroll Processes (Chapter 12)

Audit Data Analytics (Chapter 7)

Gaining an Understanding of the Client

Auditing the Balance Sheet and Related Income Accounts (Chapter 13)

Completing and Reporting on the Audit (Chapters 14 and 15) Procedures Performed Near the End of the Audit

Drawing Audit Conclusions

Reporting

3-1

3-2  Ch apt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy

Learning Objectives LO 1 Evaluate client acceptance and continuance decisions.

LO 5 Explain how auditors determine their audit strategy and how audit strategy affects audit decisions.

LO 2  Identify the different phases of an audit.

LO 6 Explain the fraud risk assessment process and analyze fraud risk.

LO 3 Explain and apply the concept of materiality. LO 4 Explain professional skepticism and apply the audit risk model.

Auditing and Assurance Standards PCAOB

Auditing Standards Board

AS 1015  Due Professional Care in the Performance of Work

AU-C 200  Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards

AS 1101  Audit Risk AS 1301  Communications with Audit Committees AS 2101  Audit Planning AS 2105  Consideration of Materiality in Planning and Performing an Audit AS 2110  Identifying and Assessing Risks of Material Misstatement AS 2301 The Auditor’s Responses to the Risks of Material Misstatement AS 2401  Consideration of Fraud in a Financial Statement Audit AS 2610  Initial Audits—Communication Between Predecessor and Successor Auditors

AU-C 210 Terms of Engagement AU-C 240  Consideration of Fraud in a Financial Statement Audit AU-C 300 Planning an Audit AU-C 315  Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement AU-C 320  Materiality in Planning and Performing an Audit AU-C 330 Performing Audit Procedures in Response to Assessed Risks and Evaluating Audit Evidence Obtained QC 10  A Firm’s System of Quality Control

Cloud 9 - Continuing Case Sharon and Josh have already discussed some specific client acceptance issues, such as independence threats and safeguards. Sharon explains they also must consider the overall integrity of the client (that is, management of Cloud 9). This means they need to perform and document procedures that are likely to provide information about the client’s integrity. Josh is a little skeptical. “Do you mean that we should ask them if they are honest?” Sharon suggests it is probably more useful to ask others, and the key people to ask are the existing auditors. Josh is still skeptical. “The existing auditors are Ellis & Associates. Are they going to help us take one of their clients from them?” Sharon says the client must give permission first, and, if that is given, the existing auditor will usually state whether or not there were any issues that the new auditor should be aware of before accepting the work. This type of communication is covered by AS 2610 (AU-C 210 for private company clients)

and is part of professional ethics. Sharon also gives Josh the task of researching Cloud 9’s press coverage, with special focus on anything that may indicate poor management integrity. Sharon emphasizes they must perform and document procedures to determine whether W&S Partners is competent to perform the engagement and has the capabilities, time, and resources to do so. For example, they must make sure they have audit team members who understand the clothing and footwear business. They also must have enough staff to complete the audit on time. In addition, Sharon and Josh must perform and document procedures to show that W&S Partners can comply with all parts of the code of professional conduct, not just those that focus on independence threats and safeguards. Finally, they can draft the engagement letter to cover the contractual relationship between W&S Partners and Cloud 9.

  Client Acceptance and Continuance Decisions  3-3

Chapter Preview: Audit Process in Focus This chapter marks the beginning of our overview of how an audit is conducted. First, we consider the factors that impact an auditor’s client acceptance/continuation decision. The first step for any audit is the decision to accept a company as a new audit client or to continue as the auditor of an existing client. Risk assessment is an important topic that we will cover in this and the next chapter. This chapter begins with a discussion of the different phases (or stages) of the audit: (1) the risk assessment phase, (2) the risk response phase (where the detailed work is conducted), and (3) the reporting phase (where the audit opinion is formed). In the risk assessment phase, auditors adopt a broad view of the client as a whole and the industry in which it operates. In this context, auditors obtain a more detailed understanding of the client in the early stages of each audit; that knowledge drives the audit planning decisions about the nature, extent, and timing of audit evidence to collect. Auditors cannot economically audit everything; therefore, the concepts of materiality, professional skepticism, and audit risk guide auditors in deciding which areas of the financial statements are most important to examine. Ultimately, auditors will develop a detailed audit strategy for the execution of the audit. This chapter concludes with a discussion of the assessment of fraud risk, which is part of the risk assessment phase of the audit. We will cover the remainder of the risk assessment procedures in Chapter 4.

Client Acceptance and Continuance Decisions Lea rning Objective 1 Evaluate client acceptance and continuance decisions. The first stage of any audit is the client acceptance or continuance decision. While the decision to take on a new client is more detailed than the decision to continue with an existing client, they have much in common. QC 10 A Firm’s System of Quality Control provides guidance on the procedures used when making the client acceptance or continuance decision. Illustration 3.1 summarizes factors that influence client acceptance and retention decisions and these factors are discussed below.

illustration 3.1   Factors that influence client acceptance and retention

Positive Factors Influencing Client Acceptance and Retention Decisions Management shows integrity in business and accounting decisions.

Factors That Influence Client Acceptance and Retention Integrity of management

Management places a premium on representational faithfulness of accounting information. The firm has expertise to perform services requested by the client or has access to specialists that can meet client needs. No independence problems exist, or independence problems can be resolved prior to client acceptance.

Negative Factors Influencing Client Acceptance and Retention Decisions Concerns exist about the integrity of management in business and accounting decisions. Management is preoccupied with meeting specific accounting numbers.

Competence issues

Independence issues

The firm does not have expertise needed to provide the full scope of services requested by the client, or does not have affiliation with specialists to meet client needs. Independence and conflict of interest issues exist that cannot be resolved prior to client acceptance. (continued)

3-4  Ch apt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy illustration 3.1   (continued)

Positive Factors Influencing Client Acceptance and Retention Decisions

Factors That Influence Client Acceptance and Retention Special circumstance and unusual risks

There are minimal regulatory reporting requirements. The client is financially stable and profitable, with no significant concerns about debt covenants.

Negative Factors Influencing Client Acceptance and Retention Decisions There are significant regulatory reporting requirements with close monitoring by regulators. The client is experiencing profitability issues, weak cash flows, and is close to violation of debt covenants.

No scope limitations exist.

The client voices significant concerns about the scope of audit work.

The entity has a strong accounting system with good internal controls.

The entity has a weak accounting system with few internal controls.

You may be wondering why the decision to take on a new client or continue with an existing client is such a big deal. More clients mean more revenue for the accounting firm, so why not accept all client engagement opportunities? The answer is because being associated with a “bad client” can damage the firm’s reputation, which causes the public to lose trust in the firm. A good example of this situation is the accounting firm Arthur Andersen LLP (“Andersen”), formerly one of the largest firms in the world. In the 1990s and early 2000s, several of Andersen’s clients were investigated by the Securities and Exchange Commission (SEC) for accounting fraud, the most well-known being Enron and WorldCom. Andersen was convicted of a felony (obstruction of justice) in the Enron case, but that was reversed by the Supreme Court in 2005.1 With the felony conviction overturned, Andersen could resume operations and audit public company clients. That has not happened. Why? The damage to the Andersen reputation was so severe that companies do not want to be associated with the Andersen name. One of the key factors that influences the client acceptance decision is the assessment of the integrity of the client’s management. When assessing management integrity, the auditor will consider the following factors: •  The reputation of the client, its management, directors, and key stakeholders. •  Client’s reasons for switching audit firms, if the company was previously audited. •  Management’s attitude to risk exposure. •  Management’s attitude to the implementation and maintenance of adequate internal controls. •  The appropriateness of management’s interpretation of accounting rules. •  Management’s willingness to allow the auditors full access to client personnel, records, and information required to form their opinion. How do auditors gather information on these factors? Information is gathered primarily through communication with individuals internal and external to the prospective client. Some of the key communications are as follows: •  Communication with the previous auditor, if the company was previously audited. (AU-C 210 Terms of Engagement and AS 2610 Initial Audits—Communications Between Predecessor and Successor Auditors require that the auditor obtain permission from the prospective client before communicating with the predecessor, or previous, auditor. If that permission is not granted, the auditor should consider the implications of that refusal when deciding whether to accept the engagement (AU-C 210.11). Illustration 3.2 lists the types of inquiries the auditor should make of the predecessor auditor.) •  Communication with client personnel. •  Communication with third parties such as client bankers and lawyers. 1

Arthur Andersen LLP vs. United States (04-368) 544 U.S. 696 (2005).

  Client Acceptance and Continuance Decisions  3-5

•  Communication with the client’s industry peers. •  Review of newspaper and magazine articles about the client, or articles in industry trade journals.

Inquiries of the predecessor auditor may be oral or written and should include: 1. Information that might bear on the integrity of management. 2. Disagreements with management about accounting policies, auditing procedures, or other significant matters. 3. Communications to those charged with governance regarding fraud and noncompliance with laws or regulations by the entity. 4. Communications to management and those charged with governance regarding significant deficiencies and material weaknesses in internal control. 5. The predecessor auditor’s understanding about the reasons for the change of auditors. Source: AU-C 210.A31 and AS 2610.09.

Before accepting a new client, consideration must be given to any threats to compliance with the fundamental principles of professional ethics, such as integrity, objectivity, independence, professional competence, and due care, as discussed in Chapter 2. Threats to the fundamental principles of professional ethics will occur if the prospective client is dishonest, involved in illegal activities, or aggressive in its interpretations of accounting rules. An accounting firm should not accept a new client if the firm is concerned about any of these issues. Potential threats to compliance with the fundamental principles of professional ethics for existing clients should be considered regularly as part of continuation decisions. To ensure professional competence and due care, a firm must be certain it has the staff available for the time required to complete the audit. The firm must ensure its audit staff has the knowledge and competence required to conduct the audit. The firm must have access to independent specialists, if required. The use of specialists will be discussed in Chapter 5. To ensure that it is independent of prospective and continuing clients, the accounting firm must review the threats to independence, described in Chapter 2, and make certain that safeguards are put in place to limit or remove those threats. If an independence threat appears insurmountable, a firm should decline an offer to be the auditor of a prospective client or resign from the audit of an existing client. An example of such a threat is fee dependence, where the fees from a client would form a significant proportion of the firm’s total fees. This can occur if a prospective client is much larger than a firm’s current clients or if an existing client has grown significantly. The firm should also consider any special circumstances or unusual risks that could be unique to a prospective or continuing client. For example, is the client financially stable, or is it experiencing profitability issues? Another issue is the regulatory environment for the client. Auditors should be aware of any issues being raised by regulators or whether the client may be close to violating regulatory requirements. These and other special circumstances should be carefully considered by the firm.

Audit Reasoning Example  Acceptance of New Client A software company is looking for a new auditor. The company has grown through an acquisition and needs an auditor that can handle its additional requirements. The new auditor sees no independence issues. Discussions with the predecessor auditor, the audit committee, and management indicate a good tone at the top and provide a consistent story about the company and its reasons for changing auditors. The new firm, with national and international offices and many clients in the software industry, sees this as a client with good potential for the firm.

illustration 3.2   Communication with the predecessor auditor

3-6  Ch apt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy

Audit Reasoning Example  Refusal of New Client A firm has been asked to submit a bid on a new engagement. An individual with experience in the investment industry is starting a new hedge-fund company. The company is looking for an auditor so that audited financial statements can be provided to potential investors. While the firm has 15 offices in the United States, the firm has very limited experience auditing investment companies or hedge funds. A background check on the CEO indicates he had allegations of improper business dealings and possible fraud with a company he ran five years before. The firm chooses not to bid on the audit because of concerns about possible management integrity issues, as well as concerns about its own expertise.

engagement letter  sets out the terms of the audit engagement, to avoid any misunderstandings between the auditor and the client

illustration 3.3   Example of an audit engagement letter for a private company client

The final stage in the client acceptance or continuance decision process involves the preparation of an engagement letter. AU-C 210 Terms of Engagement and AS 1301 Communications with Audit Committees provide guidance on the preparation of engagement letters. An engagement letter is prepared by an auditor and acknowledged by a client before the audit begins. It is a contract between an auditor and the client. According to auditing standards, it is not necessary to send a new engagement letter each year for a continuing client unless the terms of the engagement change. In practice, most audit firms have clients sign a new engagement letter each year to avoid any misunderstandings. The purpose of an engagement letter is to set out the terms of the audit engagement to avoid any misunderstandings between the auditor and the client. The engagement letter includes an explanation of the scope of the audit, the timing of the completion of various aspects of the audit, an overview of the client’s responsibility for the preparation of the financial statements, the requirement that the auditor have access to all information required to perform the audit, and independence considerations and fees. An example of an engagement letter for a private company client is provided in the appendix to AU-C 210 and is reproduced in Illustration 3.3. (Appendix C of AS 1301 details matters that should be included in the engagement letter for a public company client.)

To the appropriate representative of those charged with governance of ABC Company: [The objective and scope of the audit] You have requested that we audit the financial statements of ABC Company, which comprise the balance sheet as of December 31, 2022, and the related statements of income, changes in stockholders’ equity, and cash flows for the year then ended, and the related notes to the financial statements. We are pleased to confirm our acceptance and our understanding of this audit engagement by means of this letter. Our audit will be conducted with the objective of our expressing an opinion on the financial statements. [The responsibilities of the auditor] We will conduct our audit in accordance with auditing standards generally accepted in the United States of America (GAAS). Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement. An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. The procedures selected depend on the auditor’s judgment, including the assessment of the risks of material misstatement of the financial statements, whether due to fraud or error. An audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of significant accounting estimates made by management, as well as evaluating the overall presentation of the financial statements. Because of the inherent limitations of an audit, together with the inherent limitations of internal control, an unavoidable risk that some material misstatements may not be detected exists, even though the audit is properly planned and performed in accordance with GAAS.

  Client Acceptance and Continuance Decisions  3-7 In making our risk assessments, we consider internal control relevant to the entity’s preparation and fair presentation of the financial statements in order to design audit procedures that are appropriate in the circumstances but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control. However, we will communicate to you in writing concerning any significant deficiencies or material weaknesses in internal control relevant to the audit of the financial statements that we have identified during the audit. [The responsibilities of management and identification of the applicable financial reporting framework] Our audit will be conducted on the basis that [management and, when appropriate, those charged with governance] acknowledge and understand that they have responsibility a. for the preparation and fair presentation of the financial statements in accordance with accounting principles generally accepted in the United States of America; b.  for the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error; and c.  to provide us with

i. access to all information of which [management] is aware that is relevant to the preparation and fair presentation of the financial statements such as records, documentation, and other matters;



ii. additional information that we may request from [management] for the purpose of the audit; and



iii. unrestricted access to persons within the entity from whom we determine it necessary to obtain audit evidence.

As part of our audit process, we will request from [management and, when appropriate, those charged with governance], written confirmation concerning representations made to us in connection with the audit. [Other relevant information] [Insert other information, such as fee arrangements, billings, and other specific terms, as appropriate.] [Reporting] [Insert appropriate reference to the expected form and content of the auditor’s report. Example follows:] We will issue a written report upon completion of our audit of ABC Company’s financial statements. Our report will be addressed to the board of directors of ABC Company. We cannot provide assurance that an unmodified opinion will be expressed. Circumstances may arise in which it is necessary for us to modify our opinion, add an emphasis-of-matter or other-matter paragraph(s), or withdraw from the engagement. We also will issue a written report on [Insert appropriate reference to other auditor’s reports expected to be issued.] upon completion of our audit. Please sign and return the attached copy of this letter to indicate your acknowledgment of, and agreement with, the arrangements for our audit of the financial statements including our respective responsibilities. XYZ Partners Acknowledged and agreed on behalf of ABC Company by ___________________________ [Signed] [Name and Title] [Date] Source: AU-C 210.A42.

illustration 3.3  

(continued)

3-8  Ch apt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy

Cloud 9 - Continuing Case “Great news!” announces Sharon at the weekly team meeting. “We just received word that the audit engagement letter for Cloud 9 has been signed. We are now officially the auditors and the risk assessment phase starts now!” Later, at the first planning meeting, Sharon and Josh focus on assigning the tasks for gaining an understanding of Cloud 9. Ian Harper, a first-year staff, is not happy. He grumbles to another member of the team, Suzie Pickering, as he leaves the room. “This is such a waste of time. Why did we sign an engagement letter if we don’t understand the client? Why don’t we just get on with the audit? What else is there to know?” “Oh boy, are you missing the point!” Suzie says. “If you don’t understand where the risks are greatest, where are you going to start ‘getting on with it’?”

“The same place you always start,” replies Ian. Ian thinks that all audits are pretty much the same and that W&S Partners must have an audit plan they can use for the Cloud 9 audit. Suzie explains that if they tailor the plan to the client, the audit is far more likely to be efficient and effective. That is, they will get the job done without wasting time and ensure that quality evidence is gathered for the accounts that are most at risk of being misstated. If they can do this, W&S Partners will not only issue the right audit report, but they will make a profit from the audit as well. In other words, if the plan is good, performing the audit properly will be easier. Suzie realizes it will be a big job explaining this to Ian and invites him for a coffee in the staff room so they can talk. Suzie is an experienced staff and has worked with other clothing and footwear clients.

Before You Go On 1.1 What will an auditor consider in assessing the integrity of a client’s management, board, and other personnel? 1.2  How does an auditor gather information about management integrity? 1.3 What are the key components of an engagement letter?

Phases of an Audit Lea rning O bjective 2 Identify the different phases of an audit.

risk assessment phase  gaining an understanding of the client, identifying risk factors, developing an audit strategy, and setting planning materiality risk response phase  performing tests of controls and detailed substantive testing of transactions and accounts, concentrating effort where the risk of material misstatement is greatest reporting phase  evaluation of the results of the detailed testing in light of the auditor’s understanding of the client and forming an opinion on the fair presentation of the client’s financial statements

Before we begin the discussion of the different phases of an audit, it is important to emphasize that each audit is unique. For example, risks associated with the audit of a grocery store will not be the same as the risks associated with an audit of a jewelry store, even though both are retailers. Risks associated with the oil and gas industry will be different from risks associated with the computer technology industry because of different laws and regulations that apply to each industry. Auditors must tailor their audit to be specific to each client, but broadly speaking, once the client acceptance or continuance decision has been made, there are three general phases of every audit, as shown in Illustration 3.4: 1. The risk assessment phase involves gaining an understanding of the client, identifying factors that may impact the risk of a material misstatement occurring in the financial statements, performing a risk and materiality assessment, and developing an audit strategy. 2. The risk response phase of the audit involves the performance of detailed tests of controls and detailed testing of transactions and account balances, called substantive testing. 3. The reporting phase involves an evaluation of the results of the detailed testing in light of the auditor’s understanding of the client and forming an opinion on the fair presentation of the client’s financial statements. An overview of each phase of the audit follows.

 Phases of an Audit  3-9 illustration 3.4   Overview of the audit

Risk Assessment Phase

Understanding the Client

Risk Identification and Strategy

Risk Response Phase

Risk and Materiality Assessment

Tests of Controls

Reporting Phase

Substantive Testing

Conclusion and Forming an Opinion

Risk Assessment Phase AU-C 300 Planning an Audit and AS 2101 Audit Planning require auditors to plan the audit by assessing risk to reduce audit risk to an acceptably low level. Audit risk is the risk that an auditor expresses an inappropriate audit opinion when the financial statements are materially misstated (AU-C 200.14). An auditor will perform various risk assessment procedures to ensure that appropriate attention is paid to the accounts and transactions most at risk of being materially misstated. For example, the inventory account at The Boeing Company has a higher risk of material misstatement than the prepaid expenses account. Why is that? First, think about the difference in the dollar amount of the two accounts. Inventory will most likely be the largest current asset and prepaid expenses will be one of the smallest. Also, the number and complexity of transactions in the inventory account will be much higher than the number of transactions in the prepaid expenses account. Therefore, auditors should plan to devote more audit time to the inventory account than to the prepaid expenses account. This Boeing example illustrates that the risk assessment phase of the audit provides the opportunity to optimize efficiency and effectiveness when conducting an audit. Efficiency refers to the amount of time spent gathering audit evidence. Effectiveness refers to minimizing audit risk. You should also understand that the risk assessment process is an iterative process. Auditors make preliminary risk assessments while planning the audit. Those risk assessments are later confirmed, or refuted, when auditors perform tests of internal controls, or tests of account balances, transactions, or disclosures. On occasion, auditors might obtain information in the risk response phase that causes them to revise their preliminary conclusions drawn during the risk assessment phase. Auditors must be open to evaluating evidence obtained at any phase of the audit and to considering its implications for risk assessments made earlier in the audit. Illustration 3.5 provides a graphical depiction of the risk assessment phase of the audit and some key concepts that are applied during risk assessment and the other phases of the audit. The key concepts of materiality, professional skepticism, and audit risk are discussed in this chapter. The section “Audit Strategy” in this chapter discusses how, once the elements of risk assessment have been considered, auditors can develop their audit strategy. The section “Fraud Risk” closes this chapter. The remaining elements of risk assessment will be discussed in Chapter 4.

Risk Response Phase The risk response phase of the audit involves detailed testing of internal controls, transactions, account balances, and disclosures the auditors have determined to be at high risk of material misstatement. Auditors determine whether they plan to rely on the client’s system of internal controls. If so, they will test the effectiveness of internal controls, which is discussed in the section “Audit Strategy” and further in Chapter 8. Auditors will also make decisions about the extent and timing of detailed testing of account balances and transactions, which is discussed in “Audit Strategy” and further in Chapters 9 through 13. This detailed testing provides the evidence needed by auditors to determine if the financial statements are fairly presented.

audit risk  the risk that an auditor expresses an inappropriate audit opinion when the financial statements are materially misstated

3-10  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy illustration 3.5   Risk assessment

Materiality

Professional Skepticism

Understand the entity and the industry Fraud risk

Closing procedures

Audit Risk

Compliance with laws and regulations Client performance measurement

Risk Assessment

Understand internal controls and IT

Analytical procedures

Corporate governance

Related parties

Audit Strategy

Concluding and Reporting on an Audit The final phase of the audit involves drawing conclusions based upon the evidence gathered and arriving at an opinion regarding the fair presentation of the financial statements. The auditor’s opinion is expressed in the audit report (see Chapter 15). At this stage of the audit, auditors draw on their understanding of the client, their detailed knowledge of the risks faced by the client, and the conclusions drawn when testing the client’s controls, transactions, and account balances.

Before You Go On 2.1 What are the three main phases of the audit? 2.2  Briefly discuss why auditors must treat every audit as unique. 2.3 Explain how the risk assessment phase helps to improve the efficiency and effectiveness of the audit.

Materiality Lea rning O bjective 3 Explain and apply the concept of materiality. materiality  the ability of information to influence decisions that users make on the basis of the financial information of a specific reporting entity

The concept of materiality is used to guide audit testing and assess the validity of information contained in the financial statements and the notes. Information is considered material if it impacts the decision-making process of users of the financial statements. PCAOB AS 2105 includes the definition stated by the U.S. Supreme Court that “information is material if

 Materiality 3-11

there is a substantial likelihood that the . . . fact would have been viewed by a reasonable investor as having significantly altered the total mix of information made available (para 2).” This includes information that is misstated and information that is omitted but should be disclosed. Materiality is a key auditing concept that is first assessed during the risk assessment phase of every audit. This overall or planning materiality guides audit planning and testing for the financial statements as a whole. Before explaining how auditors arrive at their planning materiality assessment, it is important to differentiate between the qualitative and quantitative considerations of materiality.

Qualitative and Quantitative Materiality Information can be considered material because of its nature and/or its magnitude. An item that is considered material due to its nature is referred to as being qualitatively material. An item that is considered material due to its magnitude is referred to as being quantitatively material. While these concepts are not mutually exclusive, we explain them separately to help you differentiate between the two.

Qualitative Materiality Factors Information is considered qualitatively material if it affects a user’s decision-making process for a reason other than its magnitude. For example, a fraud, by its nature, is considered significant no matter how small it may be. Fraud that is small today could grow to a massive fraud in the future. Throughout the audit, auditors use their understanding of the client to be alert to qualitative factors that reflect on the client’s financial position, results of operations, and/or cash flows. When reading the notes to the financial statements, an auditor will assess accounting disclosure accuracy and compliance with any regulations and legislation and ensure any legal matters that should be disclosed are disclosed correctly. If any of these disclosures are inaccurate or omitted in error, the auditor will consider the potential impact on users. If the auditor believes an inaccurate disclosure or omission will affect a user’s decision-making process, it is considered qualitatively material, and the auditor will request that the client correct the disclosure or include any omitted information. Examples include a change in an accounting method, a change in operations that affects the level of risk faced by the client, or the client being in danger of breaching a debt covenant. AU-C 320 and AS 2105 refer to other items that may be considered material due to their nature rather than their size.

qualitative materiality  information or misstatements that impact a user’s decision-making process for a reason other than its magnitude

Quantitative Materiality Factors Information is considered quantitatively material if it exceeds the magnitude of an auditor’s planning materiality assessment. Auditors use their professional judgment to arrive at an appropriate planning materiality amount for each client. Planning materiality is typically a percentage of an appropriate benchmark from the financial statements. AU-C 320 provides guidance for determining an appropriate benchmark. An auditor will select a benchmark, as discussed next, and then decide on the percentage to use, depending upon the client’s circumstances.

Setting Materiality When determining planning materiality, auditors will use professional judgment and are mindful of the primary users of the financial statements. For publicly traded companies, the primary users are the stockholders. For private companies, the primary users are generally the owners and/or major lenders. Accounting firms may vary in the method they use to set planning materiality in the risk assessment phase, but common practice is to calculate a percentage of an appropriate benchmark. In selecting an appropriate benchmark, auditors can choose an item from the balance sheet or the income statement. Balance-sheet benchmarks

quantitative materiality ­ information or misstatements that exceed the magnitude of an auditor’s preliminary materiality assessment, which is a percentage of an appropriate benchmark

3-12  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy

are generally total assets or equity. Income-statement benchmarks are typically profit before tax or total revenue. Auditors select an appropriate benchmark using their professional judgment based on their knowledge of the client, the client’s industry, and the needs of financial statement users for their decision making. For example, if a client is listed on the securities exchange, profit before tax is an appropriate benchmark because it drives dividends and return-on-investment decisions. However, if a client is a not-for-profit organization, either total assets or total revenue are more generally used as a benchmark. Auditing standards mention benchmarks the auditor can use, but the standards do not recommend any specific percentages that should be applied to these benchmarks. Therefore, auditors rely heavily on their professional judgment to determine an appropriate percentage of the selected benchmark. The discussion in the following Professional Environment box provides more detail of percentages that firms use when determining planning materiality. The auditing standards do require auditors to reevaluate their overall level of materiality throughout the audit. If new information comes to light that would cause the auditors to establish a different level of planning materiality, then they should examine the information and make adjustments to materiality as needed.

Professional Environment  Materiality Practices of the Major Public Accounting Firms Since auditing standards provide no guidance to auditors about what percentage to apply to benchmarks for determining planning materiality, what are public accounting firms doing? And more importantly, is there consistency among the major public accounting firms regarding the determination of planning materiality? These are important research questions that were studied by Eilifsen and Messier (2015) in their article titled “Materiality Guidance of the Major Public Accounting Firms.”2 For their study, Eilifsen and Messier asked the eight largest U.S. public accounting firms to provide them with a copy of the firm’s materiality guidance. The eight firms, in alphabetical order, were BDO USA, Crowe Horwath (now Crowe), Deloitte & Touche, EY, Grant Thornton, KPMG, McGladrey (now RSM), and PwC. An analysis of the eight firms’ materiality guidance revealed that for public company audits, seven of the eight firms use “income before income taxes” as the primary benchmark for determining planning materiality. One of the firms uses “income after income taxes” as the primary benchmark. For private company audits, in addition to income before income taxes, other acceptable benchmarks are total assets and total revenues. Firms will use other benchmarks if appropriate for unusual circumstances. For example, if the company is experiencing a loss or very poor operating results, another measure such as total equity may be a more reliable benchmark for determining planning materiality.

Once a benchmark has been selected, what percentage should be used for determining planning materiality? Six of the eight firms “expect, suggest, or require the use of 5% of income before taxes, while one firm allows 5–10%.”3 As an example, assume you are the auditor for The Boeing Company. At December 31, 2017, Boeing had income (earnings) before income tax of $10.047 billion. To determine planning materiality, you would multiply 5% by $10.047 billion, which results in planning materiality of $502,350,000. In addition, you would also consider any qualitative factors in making your final assessment of planning materiality. For the benchmarks of total assets and total revenues, seven of the eight firms used ranges of 0.25% to 2%. Using The Boeing Company example, at December 31, 2017, Boeing had total revenues of $93.392 billion. If you use 1% of total revenues, then planning materiality would be $933,920,000. This results in a higher planning materiality than using 5% of income before income tax. Ultimately, the auditors must use their professional judgment to decide on the planning materiality amount. Overall, the research by Eilifsen and Messier indicate there is significant agreement among the large firms regarding both the benchmarks used and the percentages applied to the benchmarks for determining planning materiality.

Using the Boeing example from the Professional Environment box discussion above, assume that planning materiality is $502 million. Does this mean auditors will only look for errors or misstatements that are $502 million or larger? If an account balance is less than $502 million, will auditors not perform any audit procedures on that account? The answer to both of these questions is no. Auditors plan the audit to detect material misstatements, but they must also consider the effects of smaller misstatements that may be immaterial on their own but, when added with other immaterial misstatements, may be material to the financial statements as a whole. In addition, what about misstatements that may not be detected during the audit? Auditors need to consider some margin of error for misstatements that may not be 2 A. Eilifsen and W. F. Messier, Jr., “Materiality Guidance of the Major Public Accounting Firms,”Auditing: A Journal of Practice & Theory 34, no. 2 (2015), pp. 3–26. 3

Ibid.

 Materiality 3-13

detected due to the sampling procedures used in an audit. Therefore, after determining planning materiality, auditors must determine performance materiality at the account or disclosure level. Performance materiality is an amount set by the auditor that is less than planning materiality and is used to make decisions about the extent of audit procedures for a particular class of transaction, account balance, or disclosure. Performance materiality at the individual account level should be less than the planning materiality. For example, if the planning materiality for Boeing is $502 million, auditors may decide that one-third that amount, $167 million, is an appropriate performance materiality at the account level. Auditors would then plan and perform their audit procedures using the performance materiality amount of $167 million to determine if individual accounts or transactions were materially misstated. If any account balances are less than the performance materiality amount, auditors may decide not to perform detailed audit procedures on the account because the entire account balance is considered immaterial. For example, in Note 9 of the December 31, 2017, Boeing financial statements, the “other investments” account has a balance of $30 million. Since $30 million is well below the performance materiality of $167 million, auditors would spend minimal time performing detailed audit testing on that account. As we have discussed, auditors also consider qualitative factors when deciding if an account is material. For example, in Note 5 of the December 31, 2017, Boeing financial statements, the “valuation allowance” account for accounts receivable has a balance of $62 million. At first glance this account balance may seem immaterial. However, the related account, accounts receivable, is a material amount ($10.516 billion) so the valuation allowance will be audited in conjunction with accounts receivable. In addition, since the valuation allowance is an estimate, there is risk that management may be biased when determining the amount of the allowance. Management might be overly optimistic about collection of receivables and underestimate the allowance, which would lead to overstated net accounts receivable. Therefore, because of these qualitative factors, auditors will perform detailed audit testing on the valuation allowance even though the balance is less than performance materiality. The use of performance materiality should reduce the probability that the sum of immaterial and/or undetected misstatements in the financial statements is greater than materiality for the financial statements as a whole. The auditing standards do not provide any guidelines for the determination of performance materiality. As stated in AU-C 320 Materiality in Planning and Performing an Audit: The determination of performance materiality is not a simple mechanical calculation and involves the exercise of professional judgment. It is affected by the auditor’s understanding of the entity, updated during the performance of the risk assessment procedures, and the nature and extent of misstatements identified in previous audits and, thereby, the auditor’s expectations regarding misstatements in the current period. (para. A14) Overall, the determination of both planning and performance materiality is a subjective process that will vary across firms and across clients, and it may change during the performance of an audit. The materiality level is a starting point for auditors to do the following: 1.  Determine the type and extent of risk assessment procedures to be performed. 2. Identify and assess the risk of material misstatements occurring at the financial statement level and the account balance level. 3.  Begin development of an audit strategy. This discussion of materiality can be concluded with an example of how the concept of materiality impacts the planning of the audit. If auditors determine a higher planning materiality level (higher dollar amount) is appropriate, then they will plan to gather less extensive audit evidence. A lower materiality level (lower dollar amount) will translate to auditors performing more extensive audit procedures to ensure that material misstatements will be detected. In other words, holding everything else constant, as the auditor’s evaluation of materiality decreases, the auditor is looking to obtain a more precise conclusion about the financial statements. The increased precision of the audit will cause the auditor to perform more extensive audit procedures.

performance materiality  amount or amounts set by the auditors at less than the materiality level for particular classes of transactions, account balances, or disclosures

3-14  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy

Audit Reasoning Example  Materiality Consider the following information (amounts in millions): Revenues Total assets Pretax income

2022

2021

2020

$1,810.0

$1,941.0

$1,916.0

1,600.0

1,721.0

1,774.0

1.5

45.2

31.9

In 2020 and 2021, the auditor used 5% of pretax income as a base for planning materiality. However, in 2022 pretax income was abnormally low while revenues and total assets had not shown the same level of change. Because pretax income was less than eight-tenths of 1% of revenue (the company basically broke even for the year), the auditor decided to use ½ of 1% of the lesser of total revenues or total assets as the base for determining planning materiality. Both revenues and assets showed more stability than pretax income in 2022.

Cloud 9 - Continuing Case Throughout their conversation, Suzie and Ian have been discussing “material” misstatements in financial statements. Ian asks, “Isn’t materiality just a number? Companies of about the same size would have the same materiality level, right?” Suzie explains that they will use a percentage of a benchmark, such as income before taxes or total revenue, as a starting place for determining materiality. Then, they will consider increasing or decreasing that amount based on qualitative factors specific to the Cloud 9 audit. For example, since Cloud 9 is a public company subject to regulation and more public scrutiny, the audit team may decide to

decrease materiality, which means the team will perform more extensive audit procedures. “Knowledge of the client’s industry is important for determining materiality,” continues Suzie. “We must be familiar with the client’s operations and the industry to understand what is important, or material, to the users of the client’s financial statements.” Ian is worried about getting the materiality level right. “What if we set it too low or too high?” Suzie explains that all parts of the audit plan, including the materiality decisions, will be reviewed throughout the audit and revised, if necessary.

Before You Go On 3.1 What is qualitative materiality? 3.2  What is quantitative materiality? 3.3 What is performance materiality?

Professional Skepticism and Audit Risk Lea rning O bjective 4 Explain professional skepticism and apply the audit risk model. As depicted in Illustration 3.5, two more key concepts that apply to all phases of the audit are professional skepticism and audit risk. These concepts were first introduced in Chapter 1 and will be explained in more detail next.

 Professional Skepticism and Audit Risk  3-15

Professional Skepticism Auditors have a responsibility to plan and perform an audit with professional skepticism. Professional skepticism is an attitude adopted by auditors when conducting all phases of the audit. It means that auditors remain independent of the entity, its management, and its staff when completing the audit work. In a practical sense, professional skepticism means auditors maintain a questioning mind and thoroughly investigate all evidence presented by the client (AS 1015.07). For example, AU-C 200.A22 states auditors should be skeptical if any of the following arise during the audit: •  Audit evidence recently gathered that is contradictory to other evidence previously gathered. •  New information that brings into question the reliability of client documents or responses to auditor inquiries. •  Conditions that may provide evidence of possible fraud. •  Situations that indicate the need for additional audit procedures beyond what is required by generally accepted auditing standards. Does maintaining professional skepticism mean auditors should assume client management is being dishonest? The answer is no. Auditors should not assume management is dishonest, but at the same time, auditors should not assume management is always honest or correct. Using professional skepticism means that even if auditors believe management and those charged with governance are being honest, they should gather reliable evidence to support management’s responses to auditor inquiries and to support amounts and disclosures in the financial statements. Throughout all phases of the audit, auditors should keep these questions in mind when gathering audit evidence: Is this information reliable? Do we need to perform more audit procedures? When auditors exercise professional skepticism during the risk assessment phase, it helps to ensure they are using appropriate assumptions when developing their audit strategy that will be used in the risk response phase. In the reporting phase, auditors use professional skepticism when evaluating the evidence gathered and forming an opinion that the financial statements are presented fairly.

Audit Reasoning Example  Professional Skepticism An auditor was auditing a recreational vehicle (RV) dealership. The auditor had obtained some initial financial information from the client showing unaudited results for the end of the third quarter. Sales were up and profit margins were up, making it the best year so far for the client. Interim records showed that inventory was also up, and the client’s inventory records showed over 300 RVs on hand at the end of the third quarter. The audit senior went to talk to the audit manager about the good news and the client’s performance. The audit manager asked the senior a key question. “You did the inventory observation last year. How many RVs did the client have then?” “I think it was about 210,” the senior replied. Then the audit manager asked, “How full was the lot last year?” The senior replied that it was “almost overflowing” the year before. The manager then said, “Let’s look at this more skeptically. I don’t think they have storage capacity for another 90 RVs even though sales are up. There could be an error in the inventory records. This information makes me believe that the existence of inventory is a very high inherent risk.”

Audit Risk Audit risk is the risk that an auditor expresses an inappropriate audit opinion when financial statements are materially misstated (AU-C 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards and AS 1101 Audit Risk). This means the audit report states the financial statements are presented fairly, in all material respects, when in actuality the financial statements contain a material error or fraud. While it is impossible to eliminate audit risk, auditors aim to reduce it to an

professional skepticism  an attitude that includes a questioning mind, being alert to conditions that may indicate possible misstatement due to fraud or error, and a critical assessment of audit evidence

3-16  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy

inherent risk  the susceptibility of an assertion to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls assertions  statements or representations, explicit or implied, made by management regarding the recognition, measurement, presentation, and disclosure of items included in the financial statements ILLUSTRATION 3.6   Examples of inherent risk traits for accounts or assertions

significant risk  an identified and assessed risk of material misstatement that, in the auditor’s judgment, requires special audit consideration

acceptably low level. During the risk assessment phase, auditors will perform audit procedures to identify transactions and accounts where the risk of material misstatement is highest. The first stage in audit risk assessment involves the identification of accounts and related assertions most at risk of material misstatement, referred to as inherent risk. An assertion is a statement or representation, explicit or implied, made by management regarding the recognition, measurement, presentation, and disclosure of items included in the financial statements and notes. Assertions help guide the procedures conducted by auditors and are discussed in more depth in Chapter 5. Inherent risk assessment is affected by factors both internal and external to the client. For example, if a client sells valuable goods (e.g., jewelry), there is a risk of overstatement of inventory as goods may be stolen but remain recorded in the client’s books. Therefore, there is a risk that management’s assertion, or claim, that recorded inventory exists is not valid. In this example, the auditor may spend more time testing the existence assertion of recorded inventory than in the case of a client that sells lower-valued goods (e.g., office supplies). Illustration 3.6 provides examples of traits that would indicate higher or lower inherent risk for accounts or assertions. Higher Inherent Risk Traits

Lower Inherent Risk Traits

Transactions or account balances derived from significant estimates

Transactions or account balances easily confirmed with reliable sources

Technological developments in the client’s industry Technological developments a minimal factor increase the risk of obsolescence of certain assets in the valuation of the client’s assets Client location at risk of natural disasters such as hurricanes and flooding

Client location has minimal risk of being affected by a natural disaster

Client’s industry experiencing a period of decline

Client’s industry is thriving

Client has insufficient working capital and is at risk of violating loan contracts

Client has sufficient working capital and is not at risk of violating loan contracts

When identifying accounts and related assertions at risk of material misstatement, some risks are classified as being more significant than others. A significant risk is an identified and assessed risk of material misstatement that, in the auditor’s judgment, requires special audit consideration (AU-C 315 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement and AS 2110 Identifying and Assessing Risks of Material Misstatement). When classifying risks as being significant, consideration is given to whether the risk involves: •  Fraud. •  Significant economic or accounting developments. •  Complex transactions. •  Significant related-party transactions (discussed further in Chapter 4). •  Significant subjectivity in measurement of financial information. •  Significant transactions outside the client’s normal course of business.

control risk  the risk that a client’s system of internal controls will not prevent or detect a material misstatement on a timely basis

The second stage in audit risk assessment involves gaining an understanding of the client’s system of internal controls. Auditors assess control risk, which is the risk that a client’s internal controls will not prevent or detect a material misstatement on a timely basis. Auditors are interested in whether the client has controls in place that are designed to minimize the risk of material misstatement for each account and related assertion identified as being high risk by the auditors. In the above example, if a client sells jewelry, auditors will assess whether the client has controls in place, such as a security system, to reduce the risk that inventory may be stolen. Finally, the assessed level of inherent and control risk for each assertion will guide audi­ tors in developing their audit strategy to gather appropriate audit evidence. This final assessment will depend upon the assessed risks of the account and related assertion and the deemed effectiveness of the client’s system of internal controls.

 Professional Skepticism and Audit Risk  3-17

Cloud 9 - Continuing Case Ian is still struggling with the idea of risk. He knows that audit risk is the risk that the auditor issues the wrong audit report, or gives an inappropriate audit opinion, and that audit risk is related to the client’s circumstances. But how does that actually work in practice? What does an auditor do differently for each audit? “Let’s break this down,” Suzie advises. “Auditors face the risk of stating that in their opinion the financial statements are not materially misstated, when in fact they are. So, how does a material misstatement get into the published financial statements?” Ian works through the logic. “First, the error has to be created, either by accident or on purpose. Second, the client’s internal control system must fail to either prevent the error getting into the accounts or detect the error once it is in the system. And, finally, the auditor has to fail to find the error during the audit.” “Correct!” says Suzie. “Now, before we go on, I want to break down the idea of ‘financial statements,’ too. The financial statements are the balance sheet (statement of financial position), income statement (statement of comprehensive income), cash flow statement (statement of cash flows), statement of changes in equity, and all the notes. So when we talk of the risk of misstatements, we are referring to the risk of misstatement in every line item in each of these statements. If we focus on just one line in a balance sheet—say, accounts receivable—what are the possible misstatements that could occur?”

Ian tries to work through the logic again. “The amount could be either understated or overstated. I suppose there are lots of errors that could occur. Obviously, basic math mistakes and other clerical errors could affect the total in either direction. In addition, accounts receivable would be understated if management omitted some customer receivables when they calculated the total. I think the deliberate ‘mistakes’ are more likely to overstate accounts receivable because that makes the balance sheet look better, and probably means profit is overstated, too. Accounts receivable would be overstated if some of the receivables management claimed in the total did not exist at year-end, did not belong to Cloud 9, were overvalued because bad debts were not written off, or sales from the next period were included in the earlier period.” “Very good,” says Suzie. “It is the same for every line item. Every time management prepares a financial statement, they assert that all these errors did not occur—that all the individual items in the financial statements are not materially misstated. The auditor has to break down the financial statement audit into accounts and assertions and consider the risk of misstatement for each assertion for each account or transaction class. The auditor deals with the risk of material misstatement of the entire set of financial statements by gathering evidence at the assertion level for each account. Then, all the evidence is put together so the auditor can form an opinion on the overall financial statements.”

The Audit Risk Model and Its Components Inherent risk and control risk are the client’s risks and exist separately from the audit of the financial statements. In other words, the auditors have no control over a client’s inherent and control risks. Inherent risk is driven by industry, economic, and client factors that are out of the control of the auditor. Control risk is impacted by the client’s design and implementation of internal controls, which are also out of the control of the auditor. When these two risks are combined, we refer to it as risk of material misstatement. The risk of material misstatement (RMM) is the risk that the financial statements are materially misstated prior to the audit (AU-C 200.14). Risk of material misstatement exists at the financial statement level and at the assertion level. At the financial statement level, the risk of material misstatement refers to risks that affect the financials as a whole. For example, if a client purchases a new computer system and does not adequately train staff in its use, there is a risk of errors when recording transactions used to prepare the financial statements. In this scenario, all accounts are at risk of material misstatement. At the assertion level, the risk of material misstatement refers to risks that affect classes of transactions, account balances, and disclosures. For example, if a client sells goods overseas, there is a risk that transactions may not be recorded correctly using appropriate exchange rates at the date of each transaction. In this scenario, revenue and accounts receivable are at risk of material misstatement. RMM considers (1) the inherent risk that an assertion is misstated and (2) the effectiveness of the internal controls in preventing, or detecting and correcting, misstatements on a timely basis. Therefore, auditors must identify client characteristics that place its financial statements at risk of material misstatement (inherent risk) and determine whether controls designed to limit such a risk exist and are effective (control risk). Once RMM has been assessed, auditors can plan the audit procedures to be performed in response to the assessed RMM. This leads us to the final component of audit risk, which is detection risk. Detection risk is the risk that the auditor’s procedures will not be effective in detecting a material misstatement should there be one. Detection risk is the only component of audit risk that can be controlled by the auditor, which we will discuss in more depth next. But note that it is

risk of material misstatement (RMM)  the risk that the financial statements are materially misstated prior to the audit; a combination of inherent risk and control risk

detection risk  the risk that the auditor’s testing procedures will not be effective in detecting a material misstatement

3-18  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy

impossible to reduce any of these risks to zero. Risk will always exist in an audit, whether it is from economic or industry factors (inherent risk), a failure of an internal control (control risk), or a failure of an audit procedure (detection risk). Audit risk can be presented in a model that indicates the relationship between its components (AU-C 200.A36). The model states that audit risk is a function ( f ) of risk of material misstatement (which consists of inherent risk and control risk) and detection risk, as illustrated below.

AR = f(RMM * DR) AR = f(IR * CR * DR) where: AR = Audit risk RMM = Risk of material misstatement IR = Inherent risk CR = Control risk DR = Detection risk

Auditors plan and perform their audit to keep audit risk at an acceptably low level (AU-C 200). If inherent and control risks are high for an assertion, the auditor will set detection risk as low, to maintain a low audit risk. Illustration 3.7 provides an example of a high risk assertion at the account level. After reviewing the example, you’ll see there is an inverse relationship between the risk of material misstatement (inherent and control risks combined) and detection risk (as set by the auditor). A low detection risk means the auditors increase the amount of detailed audit procedures used to test the year-end account balances and transactions from throughout the year. ILLUSTRATION 3.7   High risk assertion with qualitative analysis

Audit risk =

Low

Risk of material misstatement Inherent risk

Control risk

High

High

Detection risk

Low

Audit Reasoning Example  High Risk Assertion A client sells high-end fashion clothing and has inadequate security. Inherent risk is high for the existence assertion of inventory as clothing may be stolen. Control risk is high since there is inadequate security, which increases the risk of theft. The auditor cannot rely on the client’s security system to reduce the risk of material misstatement associated with the existence of inventory. The auditor will set a low detection risk and spend more time performing audit procedures to determine that recorded inventory actually exists.

Audit Reasoning Example  High Risk Assertion A client is an importer with inexperienced clerical staff. Inherent risk is high for the accuracy assertion of recorded purchases as they involve foreign currency translation. Control risk is high as clerical staff are inexperienced and not accustomed to recording complex foreign currency transactions. The auditor will set a low detection risk and spend more time performing audit procedures to determine that purchases are recorded at appropriate amounts.

 Professional Skepticism and Audit Risk  3-19

The audit risk model can also be used for quantitative analysis in which all risks are stated as a percentage ranging from 1% to 100%. Suppose auditors want to keep audit risk low at 1%, which means a 1% risk they will issue an inappropriate opinion. If inherent risk and control risk are both high, say 100% inherent risk and 80% control risk, then what will detection risk be? Refer to Illustration 3.8 for the mathematical analysis. Solving for detection risk, the answer would be a 1.25% risk that the auditors’ procedures will not be effective in detecting a material misstatement. Another way to state it is the auditors are 98.75% confident that their audit procedures will detect a material misstatement if present. A 1.25% detection risk is a low detection risk, which implies auditors will perform extensive detailed testing of related account balances and use larger sample sizes.

Audit risk

Risk of material misstatement

Detection risk

=

Inherent risk

×

Control risk

×

.01

=

1.00

×

.80

×

?

.01

=

1.00

×

.80

×

.0125

ILLUSTRATION 3.8   High risk assertion with quantitative analysis

In contrast, if inherent risk and control risk are low, the auditor can set detection risk as high. Review Illustration 3.9 for an example of this situation. Remember, there is an inverse relationship between the risk of material misstatement (inherent and control risks combined) and detection risk (as set by the auditor). By setting detection risk as high, auditors reduce the level of reliance placed on their detailed testing of the account balance or transactions. Auditors are not eliminating the detailed testing of account balances and transactions; rather, they are acknowledging that the account, transaction class, or assertion is low risk. If risk of material misstatement is low, then extensive detailed testing is not required.

Audit risk =

Low

Risk of material misstatement Inherent risk

Control risk

Low

Low

ILLUSTRATION 3.9  

Detection risk

High

Audit Reasoning Example  Low Risk Assertion A client sells concrete pipe and has a high-voltage fence surrounding the pipe inventory. Inherent risk is low for the existence assertion of inventory as concrete pipe is very heavy and difficult to move. It is unlikely that recorded pipe does not exist. After testing that the security system is working and has been operational throughout the year, the auditor can set control risk low. In this case, the auditor will need to spend less time performing detailed audit procedures to determine that recorded pipe actually exists.

Audit Reasoning Example  Low Risk Assertion A client has implemented a strong system of internal controls over purchases of raw materials (e.g., grain). Inherent risk is low for the accuracy assertion of recorded purchases as the pricing of raw materials is not complex. After testing that programmed controls and related manual

Low risk assertion with qualitative analysis

3-20  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy follow-up are working properly, the auditor will verify that access to the program is limited to authorized personnel and that the program has not been tampered with. When the auditor is satisfied the program is working well and the client’s controls are effective, the auditor can set control risk as low. In this case, the auditor will spend less time performing detailed audit procedures on raw materials to determine that the recorded amount is accurate.

Using the quantitative analysis, suppose auditors assess inherent risk and control risk as low: 30% and 5%, respectively. Refer to Illustration 3.10 for the mathematical analysis. Solving for detection risk, the answer would be a 67% risk that the auditors’ procedures will not be effective in detecting a material misstatement. This is a stark contrast to the detection risk of 1.25% in Illustration 3.8. But remember, as inherent risk and/or control risk decrease, detection risk will increase, reflecting that less extensive substantive testing will be conducted by auditors because the client’s internal controls are effective for the related account balance and assertion.

ILLUSTRATION 3.10   Low risk assertion with quantitative analysis

Audit risk

Risk of material misstatement

Detection risk

=

Inherent risk

×

Control risk

×

.01

=

.30

×

.05

×

?

.01

=

.30

×

.05

×

.667

The quantitative analysis highlights the role of detection risk in changing how auditors respond to their client’s risk of material misstatement. As stated earlier, inherent risk and control risk are the client’s risks, and the auditor has no control over them. Auditors can only assess the level of inherent and control risks. Auditors can control detection risk by planning to perform more or less detailed audit procedures. The components of the model can be rearranged to solve for detection risk as follows:

DR = AR ÷ RMM where: DR = Detection risk AR = Audit risk RMM = Risk of material misstatement

The examples provided in this section are extremes. The reality will often fall somewhere in between, where inherent risk is high, but the client has an effective system of internal controls in place to mitigate that risk. For example, a client sells high-end fashion clothing and has effective security and controls, so the risk of material misstatement for the existence assertion of inventory is low. Alternatively, if inherent risk is low, the client may not consider it worthwhile investing in sophisticated control procedures (that is, any benefit is perceived to exceed the cost). For example, a client sells concrete pipe and has minimal security controls because the pipe would be very difficult to steal. In both cases, auditors will perform less extensive audit procedures when testing the existence of inventory.

  Audit Strategy  3-21

Cloud 9 - Continuing Case Cloud 9 sells athletic shoes and apparel. The shoes are likely to “go out of fashion” reasonably quickly, making obsolescence a big issue. These factors affect the inherent risk of inventory valuation. There is also a risk of errors occurring in transactions with suppliers and customers, which will affect inventory balances. How high

is the control risk? Much to Suzie’s delight, Ian suggests they will be able to make better assessments of both inherent and control risk for all assertions once they have a better understanding of the client and its system of internal control.

Before You Go On 4.1 Why is an attitude of professional skepticism important for auditors? 4.2  What is significant risk? 4.3 What are the components of the audit risk model? 4.4 What is the relationship between risk of material misstatement and detection risk?

Audit Strategy Lea rning Objective 5 Explain how auditors determine their audit strategy and how audit strategy affects audit decisions. The results of the auditor’s determination of materiality and audit risk lead to the development of an overall audit strategy. The audit strategy provides the basis for developing an audit plan that details the nature, extent, and timing of audit procedures to be performed. The nature of an audit procedure refers to what type of procedure will be used, such as tests of controls or substantive procedures. The auditor also needs to determine that the evidence collected is both reliable and relevant to the assertion being tested. The extent of an audit procedure refers to how much testing will be done, for example, how large of a sample size to use. Detection risk influences decisions about sample size. For example, when detection risk is low, auditors will use larger sample sizes than when detection risk is high. The timing of an audit procedure refers to when it will be performed. The determination of when procedures will be performed is dependent on the effectiveness of the client’s controls and will be further discussed below. The process of developing an audit strategy helps auditors allocate audit resources efficiently and make decisions such as which audit staff will be assigned to the audit, a time budget for the completion of the audit, and a schedule for when certain audit procedures will be performed. Illustration 3.11 illustrates a general timeline of when audit activities occur for the audit of a client that uses a calendar year-end. Most of the audit planning and risk assessment occur during the second and third quarters of the client’s accounting year. The period referred to as “interim” is typically during the latter part of the third quarter and into the fourth quarter. The “year-end” period is just before the client’s balance sheet date and the 4- to 6-week period after the client’s year-end. The period is referred to as “year-end” because the client’s accounting year has substantially finished and the account balances reflect the totals for the year under audit. In the audit of private companies, many times the auditor will not begin

audit strategy  the determination of the amount of time spent testing the client’s internal controls and conducting detailed testing of transactions and account balances nature of an audit procedure  the determination of what type of audit procedure to use, such as tests of controls or substantive procedures tests of controls (controls testing)  audit procedures designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level substantive procedures (substantive testing or tests of details)  audit procedures designed to detect material misstatements at the assertion level extent of an audit procedure  the determination of the quantity of audit procedures to be performed timing of an audit procedure  the determination of when an audit procedure is to be performed

3-22  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy

“year-end” procedures until several weeks after year-end when the client has completed all year-end closing procedures. This timeline will be a helpful resource for you as we discuss audit strategy and activities occurring during the different phases of the audit. The remainder of this section discusses two broad audit strategies that auditors can follow. These strategies are detailed in depth in AU-C 330 Performing Audit Procedures in Response to Assessed Risks and Evaluating Audit Evidence Obtained and AS 2301 The Auditor’s Responses to the Risks of Material Misstatement. ILLUSTRATION 3.11   Timeline of audit activities

Risk Assessment Phase

Risk assessment and audit planning

1/1/2022

6/30

Risk Response Phase

Interim testing

9/30

Reporting Phase

Year-end substantive testing

Issue audit report

11/30 1/31 12/31/2022 2/15

3/31/2023

Period covered by the 2022 financial statements

Reliance on Controls Approach An audit strategy is developed at the account or assertion level, such as for accounts receivable, inventory, and other line items on the financial statements. The first step is to identify inherent risks at the account or assertion level during the risk assessment phase when auditors are gaining an understanding of the client and the environment in which it operates, which is discussed in depth in Chapter 4. If inherent risk is determined to be high for an account or assertion, the next step is to determine if an internal control is in place to mitigate the risk of a material misstatement. If an internal control is in place, auditors will determine if the control is operating effectively—that is, does it work? Auditors will usually perform tests of controls during interim testing. If results from the tests of controls show the internal control is effective at preventing and/or detecting material misstatements, auditors will conclude that control risk is low and overall risk of material misstatement (RMM) is low. Recall that RMM is a function of both inherent risk and control risk. Therefore, an effective internal control can mitigate the high inherent risk for an account or assertion. If RMM is low, the audit strategy will be to rely more on the client’s internal controls and less on the auditor’s substantive procedures. The nature, extent, and timing of substantive procedures would be adjusted since the client’s internal control is strong. For example, auditors may perform substantive procedures for balance sheet accounts one or two months prior to year-end, rather than at year-end, and may decide to use smaller sample sizes since RMM is low. Performing substantive procedures one or two months prior to year-end for lower-risk accounts, rather than waiting to perform the procedures at year-end, helps auditors use their time efficiently. The year-end time period can be more focused on performing substantive procedures for higher-risk accounts and assertions. Note that auditors can never completely rely on a client’s system of internal controls and will always conduct some substantive procedures to gather evidence regarding the account balances in the financial statements.

  Audit Strategy  3-23

Audit Reasoning Example  Existence of Inventory Jennifer is auditing a private company that manufactures batteries for cell phones. The company has good perpetual inventory records and inventory controls. In the prior year audit, tests of controls confirmed the company had excellent internal controls over inventory. In planning this year, based on inquiries with various client personnel, the system has not changed. Therefore, Jennifer is planning to test controls at an interim date, and if this year’s tests of controls confirm that controls continue to be strong, she will also perform substantive procedures on the existence of inventory at an interim date.

Illustration 3.12 provides a diagram of the process used when developing the audit strategy for an account or assertion. Notice that the left side of the diagram provides an overview of the reliance on controls approach described in this section.

ILLUSTRATION 3.12   Process used when developing an audit strategy at the account or assertion level

Identify inherent risks at the account or assertion level

Determine whether an internal control(s) can mitigate the risk factor

Does the control(s) exist?

NO

NO

Substantive Approach

Reliance on Controls Approach

YES

YES

Test the control(s)

Is the control(s) effective? Does it work?

YES

Perform less extensive detailed substantive procedures at interim

NO

Increase extent of detailed substantive procedures performed at year-end

3-24  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy

Substantive Approach Referring to Illustration 3.12, the substantive approach is detailed on the right side of the diagram. The process for a substantive approach begins in the same way as a reliance on controls approach. Auditors identify inherent risks at the account or assertion level during the risk assessment phase. If inherent risk is determined to be high for an account or assertion, the next step is to determine if an internal control is in place to mitigate the risk of a material misstatement. If there is no internal control in place, auditors assess RMM as high since both inherent and control risk are high. If there is an internal control in place, auditors may decide to test the effectiveness of the internal control. The test of controls may reveal that the internal control is not operating effectively. This situation would also cause auditors to assess RMM as high. If RMM is high, the audit strategy will be to perform extensive detailed substantive procedures and place little or no reliance on the client’s internal controls. The nature, extent, and timing of substantive procedures would be adjusted since the client’s internal control is weak or nonexistent. For example, auditors will perform their substantive procedures at year-end so the entire account balance can be tested rather than testing at interim when the account balance is not yet reflecting the entire year’s activity. Auditors will also use larger sample sizes and perform more extensive substantive procedures since RMM is high and detection risk is low. Illustration 3.12 illustrates the extreme of each approach, but auditors can also use a blended approach. For example, if inherent risk is assessed as moderate or low, auditors may decide to perform some tests of controls or not perform any tests of controls. The decision regarding control testing would then impact the nature, extent, and timing of the substantive procedures. Control risk and the testing of controls are discussed further in Chapters 6 and 8. Essentially, the process of determining an audit strategy for an account or assertion is heavily influenced by materiality, professional skepticism, and the risk of material misstatement.

Audit Reasoning Example  Valuation of Inventory Jennifer is auditing a private company that manufactures batteries for cell phones. While the company has good perpetual inventory records and inventory controls, Jennifer is concerned about reported problems with lithium-ion battery fires. It is not clear that the industry has solved these problems. The company has already noted a slowing in sales of one battery model. As a result, Jennifer is concerned about the lower-of-cost-or-net-realizable-value (LCNRV) issues that may arise by year-end. Will the company have problems selling the inventory of batteries on hand at year-end? Because of the volatile market of lithium-ion batteries, Jennifer plans to audit the valuation of inventory at net realizable value after year-end using a primarily substantive approach.

Cloud 9 - Continuing Case Suzie explains that Cloud 9’s audit could be planned and conducted in different ways, depending on the audit strategy adopted. In fact, the overall audit strategy sets the scope, timing, and direction of the audit, and guides the development of the detailed audit plan. “What audit strategy would be suitable for Cloud 9? Start by thinking about the scope of the audit,” she prompts. “The scope is about the different types of work we have to do—some audits have extra requirements.” “I suppose we should find out if Cloud 9 has any special requirements. The fact that it is a public company means we must follow the PCAOB auditing standards and conduct an audit of both the financial statements and the effectiveness of internal controls,” Ian suggests. “That is a good start,” says Suzie. “What else?”

“Well, I can think of several other things, such as whether any other auditors will be involved, whether there are any foreign currency translation issues, any industry-specific regulations (although I don’t think this is as big an issue for clothing and footwear as it would be for banks, for example), whether there are any service organizations involved such as payroll services, and whether software-aided audit technology is going to be used.” “Very good,” says Suzie. “That will do for now. What about timing issues? Are there any special things we should take into account for Cloud 9?” “What is the date the audit has to be finished?” asks Ian. “Good question,” says Suzie. “We will have a deadline, so we obviously have to work toward it.”

  Fraud Risk  3-25

“Also,” says Ian, “when are our staff available, and when are Cloud 9’s key people available to talk to us?” “Yes,” says Suzie. “This is all basic. But if we don’t ask these really important questions, we will find ourselves unable to meet the deadline and perhaps under pressure to cut corners. We also have to think about timing of requests to third parties for information. Now, can you think of anything regarding the direction of the audit?” “I understand about the extra requirements and working out the timing. But I don’t really know what you mean by direction,” Ian says, confused. “We have already discussed it to some extent,” Suzie explains. “Remember when we spoke about the risk for Cloud 9 created by obsolescence of inventory, and errors occurring with transactions with customers and suppliers? ‘Direction’ is about where we think there should be extra attention because of higher risk, and how we give that extra attention. We could, for example, make sure we have suitable experts available, if required, to value the inventory. This is also where we bring in our work on

materiality, both setting materiality for planning purposes, and identifying the material account balances. In our plan, we need to allocate additional time to areas where there may be higher risk of material misstatement. And, one of our biggest tasks will be considering the evidence about the design and operating effectiveness of internal controls at Cloud 9, which we haven’t yet considered in detail.” “I see,” says Ian. “If we assess the internal controls as being strong, then we plan to do more testing of controls (to confirm our assessment), and less testing of the underlying substance of transactions and account balances. We have to put this in our plan now. But what if our first thoughts about controls are wrong? Will our plan be wrong?” “That happens,” replies Suzie. “That is why our initial plan is constantly changing as we gather more information about the client. Particularly, as in this case, for a new client that we don’t have a lot of detailed information on yet. However, we already know what accounts are important to Cloud 9—the client’s previous years’ financial statements and interim results show us that.”

Before You Go On 5.1 What is the purpose of developing an overall audit strategy? 5.2  Describe the audit strategy when the auditor adopts a predominantly substantive approach. 5.3 Why would the auditors adopt a reliance on controls approach?

Fraud Risk Lea rning Objective 6 Explain the fraud risk assessment process and analyze fraud risk. During the risk assessment phase of the audit, auditors assess the risk of material misstatement due to error or fraud. Error refers to an unintentional misstatement in amounts or disclosures in the financial statements. Fraud, however, is an intentional act involving the use of deception that results in the misstatement of financial statements that are being audited (AU-C 240.11 and AS 2401.05). As you can imagine, fraud can be difficult to uncover because the perpetrator(s) will go to great lengths to conceal the deception. Therefore, auditors should adopt an attitude of professional skepticism to ensure any indicator of a potential fraud is properly investigated. This means auditors must remain independent of the client, maintain a questioning attitude, and search thoroughly for corroborating evidence to validate information provided by the client. Auditors must not assume that past experience with the client’s management and staff is indicative of the current risk of fraud. Auditors should be alert for red flags4 that indicate a fraud may have occurred. Examples of red flags include: •  Substantial discrepancy between financial growth and growth in related nonfinancial measures. •  A high turnover of key employees. 4

J. D. Wilson and J. J. Root, Internal Auditing Manual, 2nd ed. (Warren, Gorham & Lamont, 1989).

error  an unintentional misstatement in amounts or disclosures in the financial statements fraud  an intentional act through the use of deception that results in a misstatement in financial statements that are the subject of an audit

3-26  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy

•  Key employees with accounting or internal control responsibilities refusing to take leave. •  Overly dominant management. •  Poor compensation practices. •  Inadequate training programs. •  A complex business structure. fraudulent financial reporting  intentional misstatements, including omissions of amounts and disclosures in financial statements, to deceive financial statement users misappropriation of assets  intentional theft of a company’s assets by employees

•  No (or ineffective) internal auditing staff. •  A high turnover of auditors. •  Unusual transactions such as large adjusting entries at the end of a period. •  Weak internal controls. There are two kinds of fraud. Fraudulent financial reporting is intentionally misstating items or omitting important facts from the financial statements. Misappropriation of assets involves some form of theft. Illustration 3.13 provides examples of financial reporting and misappropriation of assets frauds.

illustration 3.13   Examples of frauds

Fraudulent Financial Reporting

Misappropriation of Assets

•  Improper asset valuations

•  Using a company credit card for personal use

•  Unrecorded liabilities

•  Employees remaining on the payroll after ceasing employment

•  Timing differences such as bringing forward the recognition of revenues and delaying the recognition of expenses

•  Unauthorized discounts or refunds to customers

•  Recording fictitious sales

•  Using a company car for unauthorized personal use

•  Capitalizing items that should be expensed •  Inappropriate application of accounting principles

fraud risk factors  conditions that indicate an incentive or pressure to commit fraud, provide an opportunity to commit fraud, or indicate rationalizations to justify fraudulent actions

•  Theft of inventory by employees or others •  Writing checks to fictitious vendors

The responsibility for preventing and detecting fraud rests with client management and those charged with governance. Prevention refers to the use of controls and procedures aimed at avoiding a fraud. Detection refers to the use of controls and procedures aimed at uncovering a fraud should one occur. It is the responsibility of auditors to assess the risk of fraud and the effectiveness of the client’s attempts to prevent and detect fraud via its internal control system. When assessing the risk of fraud, auditors consider the fraud risk factors that may be present, such as incentives and pressures to commit a fraud, opportunities to perpetrate a fraud, and attitudes and rationalizations used to justify committing fraud (AU-C 240.A75). Illustration 3.14 illustrates the fraud risk factors, which are explained in more depth in the following sections.

ILLUSTRATION 3.14  

Fraud risk factors

Opportunity

Fraud Pressure

Rationalization

  Fraud Risk  3-27

Professional Environment  Importance of Professional Skepticism The PCAOB periodically issues Staff Audit Practice Alerts (“Alerts”). These Alerts “highlight new, emerging, or otherwise noteworthy circumstances that may affect how auditors conduct audits under the existing requirements of PCAOB standards and relevant laws.”5 The Alerts are not rules of the board but are meant to provide guidance in the application of the standards. Alert No. 10, Maintaining and Applying Professional Skepticism in Audits, was issued on December 4, 2012. The purpose of Alert No. 10 is to remind auditors of the requirement to appropriately apply professional skepticism throughout the audit, but especially in situations that involve significant management judgment and in the consideration of fraud. During inspections of the work of registered accounting firms, PCAOB inspectors found many instances of auditors failing to appropriately apply professional skepticism in certain aspects of the audit. Alert No. 10 identifies some impediments to the application of professional skepticism of which auditors should be aware. One impediment is unconscious human bias toward client preferences. For example, auditors may feel pressure to maintain good client relationships to ensure future audit engagements. This could cause auditors to rationalize or evaluate information in a manner that is consistent with what the client wants rather than what would be in the best interests of external users of the financial statements. Other examples of human bias include an overconfidence in management, a desire to keep audit costs low, and/ or a desire to sell other services to the client. Another impediment to the application of professional skepticism is the workload of the auditors. Audit firms typically experience a “busy season” in which the audits of many of the firm’s clients happen simultaneously. Audit team partners and managers may experience heavy workloads and try to meet multiple deadlines simultaneously. They may feel pressure to complete work too quickly, which could lead to gathering less evidence than is necessary, or to gathering evidence that is the easiest to obtain rather than gathering evidence that is the most reliable and relevant. What can auditors do to improve the application of professional skepticism throughout the audit process? PCAOB standards

require that registered audit firms establish a system of quality control to provide reasonable assurance that audit personnel are complying with professional standards. Some elements of a firm’s quality control system that can help ensure the appropriate application of professional skepticism include: •  Firm culture—Communication from firm leadership should emphasize the application of professional skepticism. •  Performance appraisal, promotion, and compensation processes—Firm personnel should be rewarded for adhering to professional standards in performing the audit rather than rewarded for getting work done faster or selling more services to existing clients. •  Professional competence and assigning personnel to engagement teams—Personnel assigned to audit engagements should possess the appropriate technical training and experience required for the client circumstances. •  Documentation—All areas of the audit should be properly documented. This is especially relevant for areas that require significant judgment. •  Monitoring—If a firm identifies a deficiency in which there was a failure to appropriately apply professional skepticism in performing the audit, the firm should take corrective action and modify its procedures as needed. It is the responsibility of the engagement partner to supervise the audit team members by being actively involved in planning, directing, and reviewing the work of the other team members. The partner and senior audit team members can help less experienced team members to apply professional skepticism. More senior team members may also be better equipped to challenge the financial reporting position of senior management when necessary. Ultimately, it is the responsibility of each individual auditor on the engagement team to appropriately apply professional skepticism throughout the audit to better serve the interests of external users.

Incentives and Pressures to Commit a Fraud In assessing the risk of fraud, auditors consider incentives and pressures faced by client personnel to commit a fraud. While the examples provided below indicate that client personnel may be inclined to commit a fraud, they in no way indicate that a fraud has definitely occurred. When auditors become aware of any of these risk factors, in isolation or combination, they plan their audit to obtain evidence in relation to each risk factor. Examples of incentives and pressures that increase the risk of fraud include: •  The client operating in a highly competitive industry. •  A significant decline in demand for the client’s products or services. •  Falling profits. •  A threat of takeover. •  A threat of bankruptcy. 5 PCAOB Staff Audit Practice Alert No. 10, Maintaining and Applying Professional Skepticism in Audits (December 4, 2012), www.pcaobus.org/standards/pages/guidance.

3-28  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy

•  Ongoing losses. •  Rapid growth. •  Poor cash flows combined with high earnings. •  Pressure to meet market expectations and profit targets. •  Planning to list on a stock exchange. •  Planning to raise debt or renegotiate a loan. •  The client being about to enter into a significant new contract. •  A significant proportion of remuneration tied to earnings (that is, bonuses or stock options).

Audit Reasoning Example  Fraud at Toshiba: Part I You may be familiar with Toshiba Corporation, a publicly traded Japanese company headquartered in Tokyo that makes consumer electronics, household electronics, office equipment, and more. In July 2015, the CEO of Toshiba announced he was resigning amid an accounting scandal in which profits had been overstated for the past seven years by approximately $1.9 billion (224.8 billion yen). What incentives and pressures were involved that led to the fraud? The technology industry is extremely competitive and Toshiba’s upper management set aggressive profit targets. The home electronics and appliances division was showing losses and the memory chip division was feeling pressure because of decreasing demand from Chinese electronics companies.6 As an example, in September 2012, the head of the digital products and service division was told by the CEO to improve a 24.8 billion yen loss into a 12 billion yen profit in just three days!7 Think about how the external auditor would learn about the incentives given to lower-level management. How might an internal auditor learn about these incentives?

Opportunities to Perpetrate a Fraud After identifying one or more incentives or pressures to commit a fraud, auditors assess whether a client’s employees have an opportunity to perpetrate a fraud. Auditors utilize their knowledge of how other frauds have been perpetrated to assess whether the same opportunities exist at the client. While the examples below of opportunities to commit a fraud suggest a fraud may have been committed, their existence does not mean a fraud has definitely occurred. Auditors must use professional judgment to assess each opportunity in the context of other risk indicators and consider available evidence thoroughly. Examples of opportunities that increase the risk that a fraud may have been perpetrated include: •  Accounts that rely on estimates and judgment (discussed further in Chapter 9). •  A high volume of transactions close to year-end. •  Significant adjusting entries and reversals after year-end. •  Significant related-party transactions (discussed further in Chapter 4). •  Poor corporate governance mechanisms. •  Poor system of internal control (discussed further in Chapters 6 and 8). •  A high turnover of staff with accounting or internal control responsibilities. •  A nonexistent or ineffective whistleblower system.

6 E. Pfanner and M. Fujikawa, “Toshiba Slashes Earnings for Past Seven Years,” The Wall Street Journal (September 7, 2015), https://www.wsj.com/articles/toshiba-slashes-earnings-for-past-7-years-1441589473. 7 K. Nagata, “Pressure to Show a Profit Led to Toshiba’s Accounting Scandal,” The Japan Times (September 18, 2015), http://www.japantimes.co.jp/news/2015/09/18/business/corporate-business/pressure-to-show-a-profitled-to-toshibas-accounting-scandal/#.WNJjNmQrLjA.

  Fraud Risk  3-29

•  Reliance on complex transactions. •  Transactions out of character for a business (for example, invoicing sales before delivery of the goods to customers).

Audit Reasoning Example  Fraud at Toshiba: Part II Returning to the Toshiba fraud, what opportunities existed at Toshiba for such a massive fraud to occur? Overall, there was a lack of internal controls in upper management and an unethical corporate culture led by upper management. Controls that did exist were overridden by upper management’s pressure to show profits. Compounding the problem was the Japanese culture of obedience, which disallows subordinates refusing orders from upper management. One of the areas that was heavily manipulated was estimates involving long-term projects. Estimation techniques relied heavily on internal data, and internal controls over the estimation process were easily overridden by upper management.8 It is easier to see these risk factors with hindsight. However, if you were working on the Toshiba audit, could you find the warning signs and adjust the audit appropriately?

Attitudes and Rationalization to Justify a Fraud Together with the identification of incentives, pressures, and opportunities to perpetrate a fraud, auditors assess the attitudes and rationalization of client management and staff to fraud. Attitude refers to ethical beliefs about right and wrong, while rationalization refers to an ability to justify an act. While the examples below indicate that a fraud may occur in companies where these characteristics are identified, they do not mean a fraud has occurred. Examples of attitudes and rationalizations used to justify a fraud include: •  Management and employees who do not place a high priority on the entity’s value or ethical standards. •  Management attempts to justify marginal or inappropriate accounting, on the basis of materiality, on a recurring basis. •  An excessive focus on maximization of profits and/or stock price. •  A poor attitude regarding compliance with accounting regulations. •  Rationalization that other companies make the same inappropriate accounting choices.

Audit Reasoning Example  Fraud at Toshiba: Part III In the Toshiba fraud, upper management’s rationalization for fraudulent financial reporting was to maintain the company’s stock price by maximizing profits. One thing history tells us is that fraud never successfully maintains the stock price nor maximizes profits. As a result of the Toshiba fraud, the stock price dropped about 70% from May 2015 to February 2016. Nine members of senior management resigned in the wake of the fraud, including the CEO at the time the scandal was made public, and two former CEOs who were still with the company but in different roles.9 Toshiba is also being sued by multiple groups, including a Japanese bank seeking 1 billion yen ($8.7 million) in damages on behalf of its pension fund clients, 45 overseas institutional investors seeking 16.7 billion yen in damages, and 15 different groups and individuals in Japan seeking a total of 15.3 billion yen.10

8 “Toshiba Accounting Scandal,” Summary for a meeting of the International Ethics Standards Board for Accountants (IESBA), Agenda item F-2 (September 2015), https://www.ethicsboard.org/system/files/meetings/ files/Agenda_Item_F-2_-_Toshiba_Accounting_Scandal_0.pdf. 9

Ibid.

10

T. Uranaka and M. Yamazaki, “Trust Banks Plan to Sue Toshiba over 2015 Accounting Scandal,” Reuters (January 30, 2017), http://www.reuters.com/article/us-toshiba-accounting-idUSKBN15E03A.

3-30  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy In future chapters on internal control, we will discuss the importance of “tone at the top” and the control environment. While a goal of management is to maximize profits, auditors must be alert to a management that is willing to give tacit approval of fraud in order to keep the share price high.

Fraud Risk Assessment Process Perpetrators of fraud will go to great lengths to hide their activities from auditors. That is why auditors must maintain an attitude of professional skepticism and a questioning mindset, and investigate any indicators of potential fraud. The primary procedures auditors use in the fraud risk assessment process are brainstorming among the audit team members and inquiry of management and others internal or external to the client. Auditors are required to discuss among the audit team members the susceptibility of the client’s financial statements to a material fraud. This discussion usually takes place in a “brainstorming session” in which members of the audit team are encouraged to share thoughts and ideas about how a fraud might be conducted and concealed (AU-C 240.15 and AS 2110.52). The discussion includes topics related to gaining an understanding of the entity and its environment as these topics are also related to risk of fraud. For example, discussions about changes in the client’s industry or changes in the client’s internal controls lead to ideas about why management would have an incentive or opportunity to commit fraud. The brainstorming session also serves as an opportunity for more senior members of the audit team to share important information about the client with new members of the audit team. The audit team members should be encouraged to share information about fraud risk at any time during the performance of the audit. Auditors inquire of management and other client personnel about any knowledge of fraud that has occurred. They inquire about specific internal controls that management has in place to prevent and detect fraud, and how often these controls are monitored and modified as needed. The client’s audit committee of the board of directors (discussed further in Chapter 4) should also be involved in the assessment of fraud risk. Auditors should directly inquire of the audit committee members regarding their role in fraud prevention and detection. If the client has an internal audit function, auditors also make inquiries about fraud risk assessment of the internal auditors. Auditors may also consider inquiry of external parties, such as vendors and customers, if necessary. Auditors must extensively document their fraud risk assessment. The documentation should provide details of the brainstorming session, including when it took place and the audit team members who participated. The significant risks identified by auditors and the planned audit response to those risks are also documented.

Cloud 9 - Continuing Case Suzie explains fraud risk is always present, even though actual fraud is reasonably rare, and auditors must explicitly consider it as part of their risk assessment. Being aware of the incentives, pressures, opportunities, and attitudes within the client relating to fraud helps the auditor make the assessment. Ian admits he has a little trouble understanding the difference between incentives and attitudes. He thinks he understands the concept of opportunity.

Suzie explains that incentives relate to the factor that pushes (or pulls) a person to commit a fraud. Examples include a need for money to pay debts or gamble. Attitudes, or rationalization, relate to the thinking about the act of fraud. For example, the person believes it is acceptable to steal from a mean boss; that is, the theft is justified by the boss’s “meanness.”

Before You Go On 6.1 What are the responsibilities of the client and the auditor when it comes to fraud? 6.2  Explain four incentives and pressures that increase the risk of fraud. 6.3 Explain four opportunities that increase the risk of fraud.

Key Terms Review  3-31

Learning Objectives Review 1  Evaluate client acceptance and continuance decisions. Factors to consider include the integrity of the client, such as its reputation and its attitude to risk, accounting policies, and internal controls (see Illustration 3.1). An auditor will gain an understanding of the client via communication with the client’s prior auditor (in the case of a client acceptance decision), staff, management, and other relevant parties. The final stage in the client acceptance or continuance decision process involves the preparation of an engagement letter, which sets out the terms of the audit engagement, to avoid any misunderstandings between the auditor and the client. 2  Identify the different phases of an audit. The phases of an audit include risk assessment, risk response, and reporting. During the risk assessment phase, an auditor will gain an understanding of the client, identify risks, set the planning materiality, and develop an audit strategy. During the risk response phase, an auditor will execute the detailed testing of controls, account balances, and transactions. The final phase of every audit involves reviewing all of the evidence gathered throughout the audit and arriving at a conclusion regarding the fair presentation of the client’s financial statements. The auditor will then prepare an audit report that reflects the auditor’s opinion based upon the audit findings. 3  Explain and apply the concept of materiality. Information is considered to be material if it impacts the decisionmaking process of users of the financial statements. Planning materiality guides audit planning and testing for the financial statements as a whole. Performance materiality is an amount less than planning materiality that is determined at the account balance, class of transactions, or disclosure level. Auditors consider both quantitative and qualitative factors when determining materiality. 4  Explain professional skepticism and apply the audit risk model.

Auditors are required to maintain professional skepticism, or a questioning attitude, during the planning and performance of an audit. Audit risk is the risk that an auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. The three components of audit risk are inherent risk, control risk, and detection risk. The risk of material misstatement consists of inherent risk and control risk. Both professional skepticism and audit risk are key concepts used by the auditor when developing an audit strategy. 5  Explain how auditors determine their audit strategy

and how audit strategy affects audit decisions. The assessed level of the risk of material misstatement (RMM) for an account or assertion drives the development of the audit strategy and the nature, extent, and timing of audit procedures to be performed. If RMM is low, the auditors may rely on a controls approach. Under this approach, the auditors will extensively test internal controls to determine if they are effective, and spend less time performing substantive procedures. If RMM is high, the auditors may pursue a substantive approach. Under this approach, the auditors will spend little or no time testing internal controls and will focus their efforts on performing substantive procedures on the year-end account balance and assertions. 6  Explain the fraud risk assessment process and analyze fraud risk. Error is an unintentional misstatement in an amount or disclosure in the financial statements. Fraud is an intentional act using deception that results in the misstatement of the financial statements that are being audited. The two kinds of fraud are financial reporting fraud and misappropriation of assets. When assessing the risk of fraud, the auditors should consider the fraud risk factors that may be present, such as incentives and pressures to commit a fraud, opportunities to perpetrate a fraud, and attitudes and rationalizations used to justify committing a fraud. The primary procedures that auditors use in the fraud risk assessment process are brainstorming among the audit team members and inquiry of management and others internal or external of the client.

Key Terms Review Assertions Audit risk Audit strategy Control risk Detection risk Engagement letter Error Extent of an audit procedure Fraud

Fraud risk factors Fraudulent financial reporting Inherent risk Materiality Misappropriation of assets Nature of an audit procedure Performance materiality Professional skepticism Qualitative materiality

Quantitative materiality Reporting phase Risk assessment phase Risk of material misstatement Risk response phase Significant risk Substantive procedures Tests of controls Timing of an audit procedure

3-32  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy

Audit Decision-Making Example Background Information You have been assigned to the audit of inventory for a private company that owns and operates a chain of retail jewelers. The company’s sales revenue has grown by 300% in the last two years, primarily by acquisitions. Seventy-eight percent of the value of the company’s inventory is in wedding rings, diamonds, gold necklaces, and high-end watches. Because the company has grown through acquisition, the company has not yet brought two acquired companies (representing 35% of sales) under the company’s inventory system. As a result, the company is currently operating with three different inventory-control systems. The core inventory system being used by retail stores represents 65% of sales. Sixty percent of inventory was tested in the prior year and controls over the existence of inventory were effective. The CFO’s top priority is to put all retail operations under this one inventory-control system by the end of the fiscal year (January 31). He is particularly concerned about lower than expected gross margins at some of the acquired stores, and he expects that better inventory control will improve this situation. In addition, gold prices have risen 15% in the last 12 months, and the company is making sure it is not selling “conflict diamonds” illegally traded to fund conflict in war-torn areas of ­Africa. Your responsibility is to develop an audit strategy for testing the existence of inventory.

Identify the Audit Issue The focus of attention in this instance is to develop an audit strategy for testing the existence of inventory. The auditor may develop a different audit strategy for testing the valuation of that inventory.

Gather Information and Evidence Important information includes: •  A significant portion of the inventory is high in value, small in size, and susceptible to theft. •  A good system of internal controls may not be operating effectively and uniformly. •  The weak gross margins in some stores may be evidence of inventory shrinkage or theft.

•  Fraud risk may be high in some locations due to the opportunity offered by weak internal controls. •  The auditor needs to determine how internal controls affect audit strategy, and whether the auditor wants one audit strategy for part of the inventory and another audit strategy for another part of the inventory.

Analysis and Evaluation of Alternatives Analysis of risk: •  Inherent risk factors include valuable inventory that is subject to theft and misappropriation. •  Internal controls are not uniform. Based on prior year’s evidence and a preliminary understanding of the system in the current year, strong internal controls appear to operate over only 60% of the inventory. •  It may be more efficient to physically inspect inventory as of one date and use one audit strategy for all inventory testing. •  Fraud risk is considered to be high at locations where inventory controls are not strong.

Conclusions Regarding Audit Strategy for the Existence of Inventory •  Inherent risk is set at the maximum because inventory is high in value and susceptible to theft and misappropriation. •  Control risk is set at high, as 40% of inventory may not have sufficient internal controls. •  Fraud risk is considered high due to the opportunity offered by weak internal controls. •  This results in setting detection risk at low. •  Low detection risk impacts the nature, timing, and extent of substantive testing. For example, the auditor will plan testing of the physical existence of inventory at year-end, select a larger number of locations to visit, and vary the extent of inventory testing at each location depending on internal controls over the counting of inventory at each location.

CPAexcel CPAexcel questions and other resources are available in WileyPLUS.

Multiple-Choice Questions 1.  (LO 1)  If a prospective new audit client does not allow the ­auditor to contact its existing auditor:

c.  the existing auditor should contact the new auditor to tell them all about the client.

a.  the auditor should contact the existing auditor anyway ­because it is their duty.

d.  t he auditor should respect the prospective client’s right to privacy.

b.  t he auditor should consider that a negative factor on the ­integrity of client management.

Review Questions  3-33 2.  (LO 2)  The risk assessment phase of an audit does not include: a.  gaining an understanding of the client. b.  audit execution and reporting. c.  identification of factors that may affect the risk of a material misstatement in the financial statements. d.  d  evelopment of an audit strategy and a risk and materiality assessment. 3.  (LO 3)  Which of the following is an example of a qualitative materiality factor? a.  The client is experiencing a slowdown in sales and is struggling to pay vendors on time. b.  Inventory represents 40% of current assets. c.  The client installed a new security system to protect the building. d.  T  otal salaries expense is greater than 5% of income before taxes. 4.  (LO 4)  An attitude of professional skepticism means: a.  the auditor can rely on past experience to determine current risk of fraud. b.  any indicator of fraud is properly investigated. c.  the auditor can rely on management assertions. d.  the auditor is independent of the client. 5.  (LO 4)  An auditor will identify accounts and related assertions at risk of material misstatement: a.  after testing internal controls. b.  after writing the audit report. c.  to plan the audit to focus on those accounts. d.  to eliminate audit risk. 6.  (LO 4)  Which component of audit risk can the auditor control? a.  Inherent risk. b.  Control risk.

c.  Financial risk.

d.  Detection risk. 7.  (LO 5)  Obtaining positive results from testing controls means that: a.  the auditor can completely rely on a client’s system of internal controls. b.  no substantive testing is required. c.  the auditor can plan to reduce the reliance on detailed ­substantive testing of transactions and account balances. d.  materiality will be set at a low dollar amount. 8.  (LO 5)  The audit strategy known as the predominantly “substantive approach”: a.  is appropriate when internal controls are very strong. b.  means the auditor will spend minimum effort testing the client’s system of internal controls. c.  requires the auditor to conduct extensive control testing. d.  means the auditor will conduct some interim testing and minimal year-end account-balance testing. 9.  (LO 5)  The audit strategy known as “reliance on controls approach”: a.  is appropriate when internal controls are minimal. b.  means the auditor will spend minimum effort testing the client’s system of internal controls. c.  requires the auditor to conduct extensive control testing. d.  means the auditor will conduct extensive year-end accountbalance testing. 10.  (LO 6)  An example of an incentive or pressure that increases the risk of fraud is: a.  the client operates in a highly competitive industry. b.  the client has a history of reporting losses. c.  a significant percentage of management pay is tied to earnings. d.  All of these answer choices are correct.

Review Questions R3.1  (LO 1)  Why are there procedures governing the client acceptance or continuance decision? Explain why auditors do not accept every client. R3.2  (LO 1)  What is the purpose of the engagement letter? Are all engagement letters the same? R3.3  (LO 2)  Explain the relationship between the risk assessment, risk response, and reporting phases of an audit. R3.4  (LO 2)  Are all audits the same? Why might an audit change from year to year? R3.5  (LO 3)  How does the auditor’s assessment of planning materiality affect audit planning? What does an auditor consider when making the preliminary assessment of planning materiality? R3.6  (LO 3)  The quantitative materiality of an item is assessed relative to a particular benchmark. What are some of the choices for this benchmark, and what factors guide the auditor in this choice?

R3.7  (LO 3)  Explain the relationship between planning materiality and performance materiality. R3.8  (LO 3)  Explain how setting a lower materiality level affects the number of items that are material and affects the decisions about the nature, extent, and timing of the audit procedures. R3.9  (LO 4)  Consider this statement, “Auditors should only use professional skepticism when considering fraud risk.” Do you agree or disagree with this statement? Support your position. R3.10  (LO 4)  Explain the approach adopted by auditors of identifying accounts and related assertions at risk of material misstatement. How does this approach help reduce audit risk to an acceptably low level? R3.11  (LO 4)  Consider the following statement: “When inherent and control risk are assessed as high, the risk of material misstatement is assessed as high, and an auditor will set detection risk as low to reduce audit risk to an acceptably low level.” Explain what it means to set detection risk as low. What does this mean for the operation of the audit?

3-34  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy R3.12  (LO 5)  If auditors adopt a predominantly substantive approach to the audit, do they have to consider and test the client’s internal controls? Explain. R3.13  (LO 5)  If auditors adopt a reliance on controls approach, do they have to perform any substantive procedures? Explain. R3.14  (LO 5)  A client has physical controls over inventory, including a locked warehouse with access restricted to authorized personnel. Testing of these physical controls over inventory shows that they

are very effective. Can the auditor conclude that the valuation assertion for inventory is not at risk? Explain. R3.15  (LO 6)  In the context of fraud, explain the differences between (1) incentives and pressures, (2) opportunity, and (3) attitudes and rationalization. Why is it important for an auditor to consider client systems relevant to all three concepts? R3.16  (LO 6)  In the context of fraud risk assessment, what is the purpose of the brainstorming session?

Analysis Problems AP3.1  (LO 1)  Basic   Client continuance  Star Software is a client of Jones & Parker, LLP. Star has experienced increased competition in its industry that has resulted in decreased profits over the last three years. In an effort to stay financially sound, Star is considering employee layoffs to decrease expenses. Star is planning significant layoffs in the accounting and finance department and within the internal audit function. Star management feels that internal controls are well established and fewer employees are needed to monitor the internal control system. Also, since the accounting function is heavily dependent on IT, fewer employees are needed to keep track of the company’s accounting data.

Required What issues should Jones & Parker consider when deciding whether to continue the client relationship with Star Software? If Star were your client, would you continue to be the auditor? Explain. AP3.2  (LO 1)  Moderate   Research   Client acceptance decision  The audit committee of the board of directors of WaterFun Corporation asked DDD LLP to audit WaterFun’s financial statements for the 2022 fiscal year. DDD requested permission to communicate with the predecessor auditor and was granted permission by WaterFun’s management to do so.

Required a.  What inquiries should DDD make of the predecessor auditor? b.  Assuming that DDD is satisfied with the results of the communication with the predecessor auditor, the next step is to draft an engagement letter that will be presented to the audit committee of WaterFun. Discuss the key items that should be included in an engagement letter. (Research AU-C 210.A23 to provide a full response. ASB standards can be accessed at the AICPA website, www.aicpa.org). c.  What if WaterFun’s management does not grant permission for DDD to communicate with the predecessor auditor? What action would DDD take next? AP3.3  (LO 1)  Challenging   Public Company   Client acceptance decision  Godwin, Key & Associates is a small, but rapidly growing, accounting firm. Its success is largely due to the growth of several clients that have been with the firm for more than five years. One of these clients, Carolina Company Inc., is preparing to transition from a private company to a publicly traded company and must comply with additional reporting regulations. Carolina Company’s rapid growth has meant that it is financially stretched, and its accounting systems are struggling to keep up with the growth in business. The client continuance decision is about to be made for the next fiscal year. The managing partner of Godwin, Key & Associates, Rebecca Sawyer, has recognized that the firm needs to make some changes to deal with the issues created by the changing circumstances of its major client and the firm’s overall growth. She is particularly concerned that the firm could be legally liable if Carolina Company’s financial situation worsens and it fails.

Required Evaluate the factors that Rebecca should consider when making the client continuance decision for Carolina Company Inc. for the next fiscal year. AP3.4  (LO 3)  Basic   Materiality assessment  Mark Jackson is the manager on the audit team for a new client, Central Companies (CC). CC is a home appliance and lighting retailer specializing in high-end kitchen equipment and specialty light fixtures. The client engaged Mark’s accounting firm in

Analysis Problems  3-35 August 2022 in preparation for the December 31, 2022, audit. From January 2022 onward, CC has consistently paid its inventory suppliers late, well past the suppliers’ agreed-upon credit terms. Some suppliers are even demanding cash on delivery from CC and no longer extending credit. Mark is also aware from his review of correspondence between CC and its bank that the company has been experiencing cash flow problems since 2021.

Required Discuss how this information impacts Mark’s assessment of planning materiality for CC. AP3.5  (LO 3, 4)  Moderate   Audit risk components and materiality  Carl’s Computers imports computer hardware and accessories from China, Japan, and South Korea. It has branches in every U.S. capital city, and the main administration office and central warehouse are in Chicago, Illinois. There is a branch manager in each store plus a number (depending on the size of the store) of full-time staff. There are also several part-time staff who work on weekends since the stores are open both Saturday and Sunday. Either the branch manager or a senior member of the full-time staff is on duty at all times to supervise the part-time staff. Both part-time and full-time staff members are required to attend periodic company training sessions covering product knowledge and inventory- and cash-handling requirements. The inventory is held after its arrival from overseas at the central warehouse and distributed to each branch on receipt of an inventory transfer request authorized by the branch manager. The value of inventory items ranges from a few cents to several thousand dollars. Competition is fierce in the computer hardware industry. New products are continuously coming onto the market, and large furniture and office supply discount retailers are heavy users of advertising and other promotions to win customers from specialists like Carl’s Computers. Carl’s Computers’ management has faced difficulty keeping costs of supply down and has started to use new suppliers for some computer accessories such as printers and ink.

Required a.  Evaluate the inherent risks for inventory for Carl’s Computers. How would these risks affect the accounts? b.  Identify strengths and weaknesses in the inventory control system. c.  Comment on materiality for inventory at Carl’s Computers. Is inventory likely to be a material balance? Would all items of inventory be audited in the same way? Explain how the auditor would deal with these issues. AP3.6  (LO 4)  Basic   Audit risk and revenue  Ajax Finance Inc. (Ajax) provides small and ­medium-sized personal, car, and business loans to clients. It has been operating for more than 10 years and has always been run by Bill Short. Bill has been the public face of the finance company, appearing in most of its television and radio advertisements, and developing a reputation as a friend of the “little person” who has been mistreated by the large finance companies and banks. Ajax’s major revenue stream is generated by obtaining large amounts on the wholesale money market and lending in small amounts to retail customers. Margins are tight, and the business is run as a “no frills” service. Offices are modestly furnished, and the mobile lenders drive small, basic cars when visiting clients. Ajax prides itself on full disclosure to its clients, and all fees and services are explained in writing to clients before loans are finalized. However, although full disclosure is made, clients who do not read the documents closely can be surprised by the high exit charges when they wish to make early repayments or transfer their business elsewhere. Ajax’s mobile lenders are paid on a commission basis. They earn more when they write more loans. For example, they are encouraged to sell credit cards to any person seeking a personal loan. Ajax receives a commission payment from the credit-card companies when it sells a new card, and Ajax also receives a small percentage of the interest charges paid by clients on the credit card.

Required Analyze the inherent and control risks for Ajax’s revenue. What type of misstatements would be most likely for revenue? AP3.7  (LO 4)  Basic   Control risk  All Tunes Satellite Radio (ATS) provides a subscription service to satellite radio channels. Customers can pay for a subscription on monthly basis, or pay for a year in advance and receive a 15% discount. Approximately 53% of customers pay in advance. When ATS receives payment in advance, a deferred revenue account (Unearned Revenue) is credited. At the end of each month as the satellite radio service is provided to customers, ATS makes an adjusting entry to recognize subscription revenue. If controls over the recording of deferred revenue or the subsequent adjusting entry are not functioning properly, then revenue transactions will not be properly classified.

3-36  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy

Required Analyze how the balance sheet and income statement may be at risk of material misstatement if controls over the proper allocation of revenue are not functioning properly. AP3.8  (LO 5)  Moderate   Audit strategy  All Tunes Satellite Radio (ATS) provides a subscription service to satellite radio channels. Customers can pay for a subscription on a monthly basis, or pay for a year in advance and receive a 15% discount. Approximately 53% of customers pay in advance. When ATS receives payment in advance, a deferred revenue account (Unearned Revenue) is credited. At the end of each month as the satellite radio service is provided to customers, ATS makes an adjusting entry to recognize subscription revenue. The audit team is planning a reliance on controls strategy to obtain evidence of revenue recognition for ATS. The team will be testing internal controls over the recognition of subscription revenue during interim.

Required a.  Explain the type of audit strategy planned by the audit team for gathering evidence about revenue recognition. b.  Suppose during the interim testing of internal controls the team discovers a significant number of instances in which subscription revenue received in advance is recognized immediately as revenue. Analyze how the audit strategy will be impacted. AP3.9  (LO 4, 5)  Challenging   Determining an audit strategy  Avery Island Dairy is a boutique cheese maker based on Avery Island, Louisiana. Over the years, the business has grown by supplying local retailers and through exports. In addition, there is a “farm-gate” shop and café located next to the main processing plant on Avery Island serving tourists who also visit the other specialist food and wine businesses in the region. Quality control over the cheese-manufacturing process and storage of raw materials and finished products at Avery Island Dairy is extremely high. All members of the business are committed to high product quality because any poor food-handling practices that could result in a drop in cheese quality or contamination of the products would ruin the business very quickly. The export arm has become the largest revenue earner for the business and is managed by the younger of the two brothers who have run Avery Island Dairy since it was established. Jim Guidry has a natural flair for sales and marketing but is not very good at completing the associated detailed paperwork. Some of the export deals have been poorly documented, and Jim often agrees to different prices for different clients without consulting his older brother, Bob, or informing the sales department. Consequently, there are often disputes about invoices, and Jim makes frequent adjustments to customer accounts using credit notes when clients complain about their statements. Jim sometimes falls behind in responding to customer complaints because he is very busy juggling the demands of making export sales and running his other business, Café Consulting, which provides contract staff for the café business at Avery Island Dairy.

Required a.  Identify the factors that would affect the preliminary assessment of inherent risk and control risk at Avery Island Dairy. b.  Analyze how these factors would influence your choice between the predominantly substantive approach and the reliance on controls approach for sales, inventory, and receivables. AP3.10  (LO 4, 6)  Moderate   Public Company   Financial reporting fraud risk  Vaughan Enterprises Inc. has grown from its beginnings in the steel fabrication business to become a multinational manufacturer and supplier of all types of packaging, including metal, plastic, and paper-based products. It has also diversified into a range of other businesses, including household appliances in Europe, ­Australia, and Asia. The growth in the size of the business occurred gradually under the leadership of the last two CEOs, both of whom were promoted from within the business. At the beginning of last year, the incumbent CEO died of a heart attack and the board took the opportunity to appoint a new CEO from outside the company. Despite the company’s growth, returns to shareholders have been stagnant during the last decade. The new CEO has a reputation of turning around struggling businesses by making tough decisions. The new CEO has a five-year contract with generous bonuses for improvements in various performance indicators, including sales/assets, profit from continuing operations/net assets, and stock price. During the first year, the new CEO disposed of several components of the business that were not profitable. Very large losses on the discontinued operations were recorded, and most noncurrent assets throughout the business were written down to recognize impairment losses. These actions resulted in a

Analysis Problems  3-37 large overall loss for the first year, although a profit from continuing operations was recorded. During the second year, recorded sales in the household appliances business in Europe increased dramatically, and, combined with various cost-saving measures, the company made a large profit. The auditors have been made aware through various conversations with middle management that there is now an extreme focus on maximizing profits through boosting sales and cutting costs. The attitude toward compliance with accounting regulations has changed, with more emphasis on pleasing the CEO rather than taking care to avoid breaching either internal policies or external regulations. The message is that the company has considerable ground to make up to catch up with other companies in both methods and results. Meanwhile, the share price over the first year-and-a-half of the CEO’s tenure has increased 65%, and the board has happily approved payment of the CEO’s bonuses and granted the CEO additional stock options in recognition of the change in the company’s results.

Required a.  Analyze the incentives, pressures, and opportunities to commit financial reporting fraud, and attitudes and rationalizations to justify a fraud in the above case. b.  What fraudulent financial reporting would you suspect could have occurred at Vaughan? c.  Explain why professional skepticism would be critical in assessing the risk of fraud. AP3.11  (LO 6)  Moderate   Public Company   Fraud risk  Pelican Oil is a publicly traded oil and gas company specializing in global exploration and offshore drilling. Even though Pelican has been operating for almost 30 years, it is still considered a “newcomer” in the industry. The key leaders in the industry are large conglomerates that have been operating for over 100 years. Over the last 18 months, the global supply of oil has exceeded the demand, resulting in a significant drop in oil prices. A drop in oil prices means decreased revenue for oil and gas companies of all sizes. For smaller companies in the industry like Pelican, significant drops in oil prices are harder to withstand. (The larger conglomerates are so well diversified that they have an easier time withstanding fluctuations in the oil market.) In response to the drop in oil prices and decreased demand, Pelican has temporarily suspended drilling operations and laid off employees in the field and in the corporate office. You are preparing for the upcoming audit of Pelican. Looking at the interim financial statements for the current year, you calculate an 18% decrease in revenue compared to the same interim period from the previous year. You have been reading in the global financial news that the drop in oil prices has led to increased fraud in the industry, with much of the fraud being committed by senior managers. The audit team is meeting tomorrow to have a brainstorming session about fraud risk for Pelican Oil.

Required To prepare for the brainstorming meeting, research online the types of fraud that occur in the oil and gas industry. Assess the risk of fraud for Pelican Oil by discussing the fraud risk factors that may be present. AP3.12  (LO 6)  Challenging   Fraud   Research   The auditor and the Ponzi scheme  Bernard Madoff was convicted in 2009 of running a Ponzi scheme, the biggest in U.S. history. A Ponzi scheme is essen­tially the process of taking money from new investors on a regular basis and using the cash to pay promised returns to existing investors. The high and steady returns received by existing investors are the attraction for new investors, but they are not real returns from investments. As long as new investors keep contributing and existing investors do not seek redemptions (the return of their money), the scheme continues. However, eventually, as in the Madoff situation, circumstances change, the scheme is discovered, and the remaining investors find that their capital has disappeared. At age 71, Madoff was sentenced to prison for 150 years and will die in jail. Madoff’s auditor, David G. Friehling was accused of creating false and fraudulent audited financial statements for Madoff’s firm, Bernard L. Madoff Investment Securities LLC. Prosecutors alleged that these fraudulent reports covered the period from the early 1990s to the end of 2008.11

Required a.  Research the case against David Friehling. Write a report explaining his role in the Madoff Ponzi scheme and the outcome of the legal action against him. b.  Explain how Friehling’s actions violated U.S. auditing standards and professional ethics.

11

D. Searcey and A. Efrati, “Sins and Admission: Getting into Top Prisons,” The Wall Street Journal: Europe (July 17–19, 2009), p. 29; C. Bray and Efrati, “Madoff Ex-Auditor Set to Waive Indictment,” The Wall Street Journal: Europe (July 17–19, 2009), p. 29.

3-38  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy

Audit Decision Cases King Companies, Inc. Questions C3.1 and C3.2 are based on the following case. King Companies, Inc. (KCI) is a private company that owns five auto parts stores in urban Los Angeles, California. KCI has gone from two auto parts stores to five stores in the last three years, and it plans continued growth. Eric and Patricia King own the majority of the shares in KCI. Eric is the chairman of the board of directors of KCI and CEO, and Patricia is a director as well as the CFO. Shares not owned by Eric and Patricia are owned by friends and family who helped the Kings get started. Eric started the company with one store after working in an auto parts store. To date, he has funded growth from an inheritance and investments from a few friends. Eric and Patricia are thinking about expanding by opening three to five additional stores in the next few years. In October 2021, Eric approached your accounting firm, Thornson & Danforth LLP, to conduct an annual audit of KCI for the year ended December 31, 2022. KCI has not been audited before, but this year the audit has been requested by the company’s bank because of anticipated bank loans and by a new private equity investor that has just acquired a 20% share of KCI. KCI employs 20 full-time staff. These workers are employed in store management, sales, parts delivery, and accounting. About 40% of KCI’s business is retail walk-in business, and the other 60% is regular customers where KCI delivers parts to their locations and bills these customers on account. During peak periods, KCI also uses part-time workers. Eric is focused on growing revenues. Patricia trusts the company’s workers to work hard for the company and she feels they should be rewarded well. The accounting staff, in particular, is very loyal to the company. Eric tells you that accounting staff enjoy their jobs so much they have never taken any annual vacations, and hardly any workers ever take sick leave. There are two people currently employed as accounting staff, the most senior of whom is Jonathan Jung. Jonathan heads the accounting department and reports directly to Patricia. He is in his late fifties and hopes to retire in two or three years and move away from Los Angeles. Jonathan keeps a close watch on accounting and does many activities himself, including opening mail, cash receipts and vendor payments, depositing funds received, performing reconciliations, posting journals, and performing the payroll function. His second employee, Abby Owens, is a recent college graduate who just passed the CPA exam. Abby is responsible for the payroll functions and posting all journal entries into the accounting system. Jonathan and Abby often help each other out in busy periods. C3.1  (LO 3, 4)  Challenging   Materiality and audit risk  Analysis and evaluation: What qualitative factors in the background information would you consider when determining planning materiality for the 2022 audit of KCI? Evaluate how each factor affects your assessed audit risk and your initial assessment of the planning materiality. C3.2  (LO 6)  Challenging   Assessing fraud risk a.  Gather information: Identify and explain any significant fraud risk factors for KCI. b.  Analysis: For each fraud risk factor you identify, analyze how the risk will affect your approach to the audit of KCI.

Mobile Security, Inc. Questions C3.3 and C3.4 are based on the following case. Mobile Security, Inc. (MSI) has been an audit client of Leo & Lee LLP for the past 12 years. MSI is a small, publicly traded aviation company based in Cleveland, Ohio, where it manufactures high-tech unmanned aerial vehicles (UAV), also known as drones, and other surveillance and security equipment. MSI’s products are primarily used by the military and scientific research institutions, but there is growing demand for UAVs for commercial and recreational use. MSI must go through an extensive bidding process for large government contracts. Because of the sensitive nature of government contracts and military product designs, both the facilities and records of MSI must be highly secured. In October 2022, MSI installed a new cloud-based inventory costing system to replace a system that had been developed in-house. The old system could no longer keep up with the complex and detailed manufacturing costing process that provides information to support competitive bidding. MSI’s IT department, together with the consultants from the software company, implemented the

Audit Decision Cases  3-39 new inventory costing system which went live on December 1, 2022. Key operational staff and the internal audit team from MSI were significantly engaged in the selection, testing, training, and implementation stages. MSI’s fiscal year-end is June 30. The following table shows financial information for the first two quarters of the fiscal year-end June 30, 2023 (amounts in millions). Note that the financial data listed are for the three-month quarter ended (i.e., the second quarter does not include the first quarter data). Item Total assets Total revenues Pretax income

1st Quarter

2nd Quarter

$96.0 33.0 3.2

$92.0 31.0 2.8

The pretax income for the first two quarters is reasonable with a net profit margin falling between 8–10% of sales. Based on prior years, pretax income for the third quarter usually holds steady relative to the second quarter, but pretax income for the fourth quarter typically decreases by 20% over the third quarter as governments reach the end of their spending budgets. C3.3  (LO 4)  Challenging   Public Company   Assessing inherent risk  Gather information: Considering both industry and entity factors, what are the major inherent risks in the MSI audit? C3.4  (LO 3)  Challenging   Public Company   Assessing planning materiality  Analysis and evaluation: Discuss the factors to consider when determining planning materiality for MSI. Calculate an amount for planning materiality for the audit of fiscal year-end June 30, 2023.

Brookwood Pines Hospital Question C3.5 is based on the following case. Goodfellow & Perkins gained a new client, Brookwood Pines Hospital (BPH), a private, not-for-profit hospital. The fiscal year-end for Brookwood Pines is June 30. You are performing the audit for the 2023 fiscal year end, and the audit is currently in the risk assessment phase. The healthcare industry can be very complicated, especially in the area of billing for services provided. BPH contracts with private physician groups who use the hospital facilities, equipment, and nursing staff to treat patients. The physicians in the private group are not employees of the hospital; they are simply using the hospital facilities to treat patients. For example, a group of urologists have their own practice, separate from the hospital, where they treat patients. If one of the patients needs a surgical procedure that must be done at a hospital, then the attending urologist will approve the paperwork required to admit the patient to BPH. BPH offers inducements to the urologists so they will refer patients to BPH rather than a competing hospital. One of the inducements BPH offers is free office space in the hospital for the doctors to use when they are treating patients in the hospital. After the doctor and hospital services are provided to the patient, the patient and/or the patient’s insurance company is billed. The doctor will bill for the services he or she provided, and the hospital will bill for the use of hospital facilities and staff. Doctors and hospitals bill using a coding system that is standardized across the healthcare industry and consists of three main code sets: ICD, CPT, and HCPCS. Using a coding system is more efficient and data-friendly compared to writing a narrative about the procedures performed. However, the coding system is very complex, with thousands of different codes for medical procedures and diagnoses. To complicate matters even more, for patients who are covered by government-sponsored Medicare or Medicaid, doctors and hospitals must adhere to complicated government regulations surrounding billings to Medicare and Medicaid. As healthcare costs continue to rise each year, BPH administrators struggle to maintain consistent profitability. They look for ways to keep costs low and also to collect from patients and insurance companies as quickly as possible. In addition, BPH must have a strong risk management team to handle unique situations that may occur in hospitals, such as malpractice lawsuits and periodic inspections by the state department of health and hospitals. Negative publicity for BPH could lead to decreased revenues if physicians decide to contract with a competing hospital.

Required a.  Gather information: Research online to learn more about common types of health care fraud. Identify and explain any significant fraud risk factors for BPH. b.  Analysis: Which financial statement accounts would you identify as being at significant risk for material misstatement?

3-40  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy

Cloud 9 - Continuing Case W&S Partners has just won the January 31, 2023, audit for Cloud 9. The audit team assigned to this client is:

W&S Partners use the following percentages as starting points for the various benchmarks: Threshold (%) Benchmark Income before tax 5.0 0.5 Total revenue Gross profit 2.0 Total assets 0.5 Equity 1.0

•  Partner, Jo Wadley •  Audit manager, Sharon Gallagher •  Audit senior, Josh Thomas •  IT audit manager, Mark Batten •  Experienced staff, Suzie Pickering •  First-year staff, Ian Harper As a part of the risk assessment phase for the new audit, the audit team needs to gain an understanding of Cloud 9’s structure and its business environment, determine materiality, and assess the risk of material misstatement. This will assist the team in developing an audit strategy and designing the nature, extent, and timing of audit procedures. One task during the planning phase is to consider the concept of materiality as it applies to the client. Auditors will design procedures to identify and correct errors or irregularities that would have a material effect on the financial statements and affect the decision-making of the users of the financial statements. Materiality is used in determining audit procedures and sample selections, and evaluating differences from client records to audit results. Materiality is the maximum amount of misstatement, individually or in aggregate, that can be accepted in the financial statements. In selecting the benchmark to be used to calculate materiality, the auditors should consider the key drivers of the business. They should ask, “What are the end users (that is, stockholders, banks, etc.) of the accounts going to be looking at?” For example, will stockholders be interested in profit figures that can be used to pay dividends and increase share price? W&S Partners’ audit methodology dictates that one planning materiality (PM) amount is to be used for the financial statements as a whole. The benchmark selected for determining materiality is the one determined to be the key driver of the business.

These starting points can be increased or decreased by taking into account qualitative client factors, which could be: •  The nature of the client’s business and industry (for example, rapidly changing, either through growth or downsizing, or an unstable environment). •  Whether the client is a public company (or subsidiary of) subject to regulations. •  The knowledge of or high risk of fraud. Typically, income before tax is used; however, it cannot be used if reporting a loss for the year or if profitability is not consistent. When calculating PM based on interim figures, it may be necessary to annualize the results. This allows the auditors to plan the audit properly based on an approximate projected year-end balance. Then, at year-end, the figure is adjusted, if necessary, to reflect the actual results.

Required Answer the following questions based on the information presented for Cloud 9 in the appendix to this text and in the current chapter and previous chapters. a. Using the October 31, 2022, trial balance (in the appendix to this text), calculate planning materiality and include the justification for the benchmark that you have used for your calculation. b. Discuss how the planning materiality would be used to determine performance materiality. c. If the planning materiality amount is subsequently increased or decreased later in the audit, how would that impact the audit?

Chapter 4 Risk Assessment Part II Understanding the Client

The Audit Process Overview of Audit and Assurance (Chapter 1) Professionalism and Professional Responsibilities (Chapter 2) Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4) Identify Significant Accounts and Transactions Make Preliminary Risk Assessments

Set Planning Materiality

Gaining an Understanding of the System of Internal Control (Chapter 6)

Audit Evidence (Chapter 5)

Develop Responses to Risk and an Audit Strategy

Performing Tests of Controls (Chapter 8)

Performing Substantive Procedures (Chapter 9) Audit Sampling for Substantive Tests (Chapter 10)

Auditing the Revenue Process (Chapter 11)

Auditing the Purchasing and Payroll Processes (Chapter 12)

Audit Data Analytics (Chapter 7)

Gaining an Understanding of the Client

Auditing the Balance Sheet and Related Income Accounts (Chapter 13)

Completing and Reporting on the Audit (Chapters 14 and 15) Procedures Performed Near the End of the Audit

Drawing Audit Conclusions

Reporting

4-1

4-2  Ch a pte r 4  Risk Assessment Part II: Understanding the Client

Learning Objectives LO 1 Apply procedures to gain an understanding of the client. LO 2 Explain how clients measure performance and how it impacts the auditor’s risk assessment. LO 3  Demonstrate how auditors use analytical procedures when assessing risk, including the use of audit data analytics.

LO 5  Describe common corporate governance structures and how they impact the auditor’s risk assessment. LO 6 Explain how a client’s internal control and information technology (IT) can affect risk. LO 7  Discuss how client closing procedures can affect risk and a client’s reported results.

LO 4  Define related party transactions and explain how they affect the auditor’s risk assessment.

Auditing and Assurance Standards PCAOB

Auditing Standards Boa rd

AS 1301  Communications with Audit Committees

AU-C 250  Consideration of Laws and Regulations in an Audit of Financial Statements

AS 2110  Identifying and Assessing Risks of Material Misstatement AS 2405  Illegal Acts by Clients

AU-C 260 The Auditor’s Communication with Those Charged with Governance AU-C 315  Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

AS 2410 Related Parties

AU-C 550 Related Parties

Cloud 9 - Continuing Case Ian knows there are many possible problems in an audit that would cause the auditor to issue the wrong type of audit report, but he is struggling to understand why the audit team will spend time gaining an understanding of a client. How does this help? Why aren’t audits all the same? Suzie explains to Ian that issuing the wrong type of audit report is a risk the auditor always faces, but the risk varies across audits. The variation in the risk is partly related to how well the audit team performs its tasks, which is dependent on the team members’

levels of skill, effort, supervision, and so on. But the variation in risk is also related to the particular characteristics of the client and its environment. Some clients are more likely than others to have errors or deficiencies in their accounting and financial reporting systems, operations, or underlying data. Even within one client’s business, some areas are more likely to have problems than others. Suzie asks Ian to think about what sort of problems Cloud 9’s draft financial statements are most likely to have, and why.

Chapter Preview: Audit Process in Focus In Chapter 3, we began our discussion of risk assessment by considering the audit as a whole and the development of a unique audit strategy for each client. This chapter focuses on the remainder of the risk assessment process. Remember, the purpose of risk assessment procedures is to assess the risk that a material misstatement, caused by error or fraud, could occur in the client’s financial statements. The risk assessment procedures we discuss in this chapter include gaining an understanding of the client, its industry, related party transactions, corporate governance, internal controls, the information technology environment, significant accounts and transactions, and closing procedures. Two sections of this chapter deal with performance measurement and analytical procedures. By understanding how a client assesses its own performance, auditors gain insight into which accounts may be at risk of material misstatement. Recall from Chapter 3 that the risk of material misstatement is a combination of inherent risk and control risk. Many of the factors discussed in this chapter impact the auditor’s assessment of inherent risk. Chapter 6 will discuss controls a client might put in place to reduce control risk and the overall risk of material misstatement.

  Understanding the Client  4-3

Understanding the Client Lea rning Objective 1 Apply procedures to gain an understanding of the client. We will continue the discussion of risk assessment procedures that was started in Chapter 3. Illustration 4.1 presents the graphical depiction of risk assessment that was introduced in Chapter 3 (Illustration 3.5). The concepts of materiality, professional skepticism, and audit risk were discussed in Chapter 3, along with fraud risk assessment. The remaining risk assessment procedures from Illustration 4.1 will be discussed in this chapter, starting with “Understand the entity and the industry,” then proceeding clockwise. illustration 4.1   Risk assessment Materiality

Professional Skepticism

Understand the entity and the industry Fraud risk

Closing procedures

Audit Risk

Compliance with laws and regulations Client performance measurement

Risk Assessment

Understand internal controls and IT

Analytical procedures

Corporate governance

Related parties

Audit Strategy

Gain an Understanding of the Entity It is important for auditors to understand a client’s business because often inherent risk is related to underlying business risks. For example, what are some business risks of a fast-food restaurant? Some that come to mind are high employee turnover, strong competition, and quickly changing customer preferences. Would a high-end restaurant face the same business risks as a fast-food restaurant? Since they are both in the food-service industry, there may be some similarities, but there will also be different risks because they have different business models, profit margins, and volumes of transactions. For example, a high-end restaurant would be more at risk when the economy is suffering from a recession. Consumers may cut back on spending, especially on luxury items such as an expensive meal at a high-end restaurant. Auditors must approach each client as unique when gaining an understanding of the entity, even if some clients are in the same industry. AU-C 315 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement and AS 2110 Identifying and Assessing Risks of Material Misstatement provide guidance on the steps to take when gaining an understanding of a client. How do

4-4  Ch a pte r 4  Risk Assessment Part II: Understanding the Client

entity-level risk  client risk that affects multiple financial statement accounts, assertions, and transaction classes transaction-level risk  client risk that affects only one transaction class, account, or assertion

auditors develop a knowledgeable perspective about the entity and its risks when the auditors are external and independent of the client? They use specific procedures such as interviewing client personnel and others outside the entity, performing analytical procedures (covered in depth later in this chapter), observing client operations, and inspecting documents. For example, when auditors read the minutes of board of directors’ meetings, they are inspecting a document (the minutes). By reading the minutes, auditors can gain an understanding of key issues and strategic initiatives being discussed by the board. When gaining an understanding of the client, auditors consider issues at both the entity and industry levels. For new clients, this process is very detailed and time consuming. For a continuing client, this process is less onerous and involves updating the knowledge gained on previous audits. By gaining an understanding of the client, the auditor is in a stronger position to assess entity-level risks and the financial statement accounts that require closer examination. Entity-level risks often affect multiple accounts and assertions. For example, if management is close to breaching a debt covenant that requires maintaining a certain current ratio, management may have an incentive to either overstate current assets or understate current liabilities. This could be accomplished in a number of ways that could affect one or more current asset or current liability accounts. Alternatively, transaction-level risk affects only one transaction class, such as revenue and accounts receivable. Understanding the entity may illuminate both entity-level risks and transaction-level risks. Illustration  4.2 summarizes factors that can increase or decrease inherent risk in the client’s financial statements. Each factor in Illustration 4.2 is numbered, and the following paragraphs provide more discussion of each of these factors auditors consider when gaining an understanding of the client. (1) Major customers are identified so the auditor may consider whether those customers have a good reputation, are on good terms with the client (that is, likely to remain a customer in the future), and are likely to pay the client on a timely basis. Dissatisfied customers may withhold payment, which affects the allowance for doubtful accounts and the client’s cash flow, or decide not to purchase from the client in the future, which can affect the client’s operations. If a client has only one or a few customers, this risk is increased if losing a major customer would cause the client to significantly curtail operations. The auditor also considers the terms of any long-term contracts between the client and the client’s customers. (2) Major suppliers are identified to determine whether they are reputable and supply quality goods on a timely basis. Consideration is given to whether significant levels of goods are returned to suppliers as faulty, the terms of any contracts with suppliers, and the terms of payment to suppliers. Auditors assess whether the client pays its suppliers on a timely basis. If the client is having trouble paying its suppliers, it may have trouble sourcing goods as suppliers may refuse transactions with a company that does not pay on time. Significant cash flow issues may be an indicator of going concern problems. Auditors identify whether the client is an (3) importer or exporter of goods. If the client trades internationally, auditors consider the stability of the country (or countries) the client trades with, the stability of the foreign currency (or currencies) the client trades in, tariffs or other barriers to trade, the effectiveness of any risk management policies the client uses to limit exposure to currency fluctuations (such as hedging policies), and the appropriateness of accounting for realized and unrealized gains and losses. Auditors consider the client’s capacity to adapt to (4) changes in technology and other trends. If the client is not well-positioned to adjust to such changes, it risks falling behind competitors and losing market share, which in the longer term can affect the client’s operations. If the client operates in an industry subject to frequent change, it risks significant losses if it does not keep abreast of such changes and “move with the times.” For example, if a client sells laser printers, auditors need to assess whether the client is up to date with changes in technology and customer demands for environmentally friendly printers. The financial statement consequences could include losses for obsolete inventory and accruals for loss contingencies associated with possible environmental cleanup. The nature of any (5) warranties provided to customers is assessed by the auditors. If the client provides warranties on products sold, auditors need to assess the likelihood that goods will be returned and the risk the client has underprovided for that rate of return (adequacy of the warranty liability). Auditors pay particular attention to goods being returned for the same problems, indicating there may be a systemic fault. For example, if the client sells quality pens and the auditors notice that a number of pens are being returned because the mechanism to twist the pen open is faulty, auditors will assess the likelihood

  Understanding the Client  4-5 illustration 4.2   Entity factors that influence inherent risk

Lower Inherent Risk Assessments Satisfied customers who pay on time and are likely to remain a customer in the future

Factors That Influence Inherent Risk Higher Inherent Risk Assessments (1) Major customers

Client has many customers

Dissatisfied customers who may withhold payment or decide to not purchase from the client in the future Client has only one or very few customers

Reputable suppliers that supply goods on a timely basis

(2) Major suppliers

Few goods are returned to supplier as faulty

Suppliers may not supply goods on a timely basis Significant amounts of goods are returned to the suppliers because they are faulty

Client pays suppliers on a timely basis

Client does not pay suppliers on a timely basis Trades with countries that are stable

(3) Importer or exporter

Trades with countries that are not stable

Trades in stable foreign currencies

Trades in unstable foreign currencies

Minimal tariffs or barriers to trade

Complex tariffs and other barriers to trade

Client maintains effective risk management policies regarding foreign trade

Client does not maintain effective risk management policies regarding foreign trade

Client well-positioned to adjust to changes in technology Client does not offer warranties on its products

(4) Changes in technology (5) Warranties

If client does offer warranties, product quality is high and the likelihood that goods will be returned is low Few discounts are given by the client to its customers

(6) Discounts

(7) Client reputation

Client has few locations and primary operations are centralized

(8) Operations

No international operations

Client does not have a good reputation with customers, employees, and/or the wider community in which it operates Client has larger number of locations and operations are decentralized Multiple locations operated internationally

(9) Selection and application of accounting principles

Recent implementation of new accounting standard Change in the application of an accounting standard

Personnel involved in the selection and application of accounting standards are competent and experienced Determination of account balance is objective and supported by transactions with third parties

Client offers discounts to its customers, possibly because it does not have much bargaining power Client misses opportunities to take advantage of supplier discounts

Client has good reputation with customers, suppliers, employees, and the wider community in which it operates

No change in the application of accounting standards

Client offers warranties on its products History of poor product quality and goods being returned for the same problem

Client takes advantage of discounts offered by suppliers

No recent implementation of new standards

Client falls behind with changes in technology and has not “kept up with the times”

Personnel involved in the selection and application of accounting standards lack competence and experience

(10) Significant accounts and classes of transactions

Determination of account balance involves considerable subjectivity

Transactions are routine and relatively homogeneous

Transactions are complex and unique

Account has low volume of transactions

Account has high volume of transactions

Less complex payroll system and benefit structures

(11) Relations with employees

Defined-contribution pension plans

More complex payroll system and benefit structures Defined-benefit pension plans

Less reliance on debt for financing

(12) Sources of financing

Heavy reliance on debt as a source of financing

Pays interest payments on time

Struggles to pay interest payments on time

Less risk of violating terms of debt covenants

Higher risk for violating terms of debt covenants which could indicate going concern issues

Simple capital structure Pays dividends from operating cash flow

(13) Ownership structure

Complex capital structure Struggles to pay dividends from operating cash flow

4-6  Ch a pte r 4  Risk Assessment Part II: Understanding the Client

that other pens will be returned for the same reason, the steps being taken by the client to rectify the problem, and whether the warranty liability is adequate in light of this issue. The financial statement impact would involve the adequacy of a warranty reserve and the adequacy of reserve for lower-of-cost-or-net-realizable-value issues with inventory. Auditors review the terms of (6) discounts given by the client to its customers and received by the client from its suppliers. An assessment is made of the client’s bargaining power with its customers and suppliers to determine whether discounting policies are putting profit margins at risk, which may place the future viability of the client at risk. Auditors consider the (7) client’s reputation with its customers, suppliers, employees, shareholders, and the wider community. A company with a poor reputation places future profits at risk and increases the risk of going concern issues. It is also not in the best interest of the auditor to be associated with a client that has a poor reputation, as we discussed in Chapter 3. Auditors gain an understanding of client (8) operations. Auditors note where the client operates, the number of locations in which it operates, and dispersion of these locations. The more spread out the client’s operations are, the harder it is for the client to effectively control and coordinate its operations, which increases the risk of errors in the financial statements. Auditors visit locations where inherent risk is greatest to assess the processes and procedures at each site. If the client has operations interstate or overseas, auditors may plan a visit to those sites by audit staff from affiliated offices at those locations where risk is greatest. For example, an auditor is more likely to visit client operations if the client opens a new, large site or if the business is located in a country where there is a high rate of inflation or where there is a high risk of theft. Auditors must gain an understanding of the client’s procedures for the (9) selection and application of accounting principles. They need to know who oversees the financial reporting process on a daily basis, an individual or a group, and consider the qualifications of those involved. Client personnel with more experience generally are more competent at applying complex accounting principles. Other considerations include whether the client has implemented a new accounting standard or changed how an accounting standard is applied. Financial reporting is already a complex process, but when implementing a new standard or making changes with a current standard, inherent risk increases because of the possibility of applying the accounting standard incorrectly. (10) Significant accounts and classes of transactions are identified during the risk assessment phase. Recall from Chapter 3 that a significant risk could be an account, transaction, or activity that has an increased risk of causing a material misstatement on the financial statements. For example, the inventory account would be a significant account for a large retail client for several reasons. It is probably the largest current asset for the client, it has a large volume of transactions, and some of the transactions may involve complex contractual arrangements with suppliers. Auditors devote more audit time to the inventory account since it poses a higher inherent risk. Another example would be a client’s process of determining if goodwill has been impaired. Since there is subjectivity involved in the measurement of this financial statement item, auditors may plan audit procedures to ensure adequate time is spent testing the client’s goodwill impairment procedures. Keep in mind, an account or class of transactions that is significant for one client may not be significant for other clients, even if they are in the same industry. For example, not every client is going to have a goodwill account. Auditors determine significant accounts and classes of transactions on a client-by-client basis. An understanding is gained of the client’s (11) relations with its employees. Auditors consider how a client pays its employees, the mix of wages and bonuses, and the attitude of employees to their employer. The more complex a payroll system, the more likely it is that errors can occur. Auditors might also expect more complex control systems when payroll transactions are complex. When employees are unhappy, there is greater risk of industrial action, such as strikes, which disrupt client operations. Auditors assess a client’s debt and equity sources, the reliability of future (12) sources of financing, the structure of debt, and the reliance on debt versus equity financing. Auditors determine whether the client is meeting interest payments on debt and repaying debt when it is due. If a client has a covenant with a lender, auditors need to understand the terms of that covenant and the nature of the restrictions it places on the client. Debt covenants vary. A company may, for example, agree to limit further borrowings, to freeze a line of credit for a period of time, or to maintain a certain debt-to-equity ratio. If the client does not meet the

  Understanding the Client  4-7

conditions of a debt covenant, the lender may recall the debt, placing the client’s liquidity position at risk, and increasing the risk the client may not continue as a going concern. Auditors learn about the client’s (13) ownership structure, such as the amount of debt financing relative to equity, the use of different forms of shares, and the differing rights of shareholder groups. The client’s dividend policy and its ability to meet dividend payments out of operating cash flow are also of interest when evaluating whether an entity is a going concern. Also, complex ownership arrangements and differing rights of shareholder groups will require more complex disclosures by the client.

Audit Reasoning Example  Samsung Fire Fiasco Most likely you are familiar with Samsung and own at least one Samsung product, such as a TV, kitchen appliance, or laptop. Samsung has consistently been the top seller of smartphones worldwide, and in 2017 Samsung had 21% of the global smartphone market share.1 In the third and fourth quarters of 2016, Samsung experienced a public relations nightmare when some customers had problems with their Galaxy Note 7 smartphones catching fire. An investigation determined that the battery in the phone had the potential to catch fire when overheated. Samsung recalled all of the nearly three million Galaxy Note 7 devices that had been sold and permanently ended production of the device.2 Suppose you are on the audit team for the December 31, 2016, financial statement audit for Samsung. How does the Galaxy Note 7 situation impact the inherent risk factors listed in Illustration 4.2? Here are some examples: •  Customers may decide not to purchase Samsung mobile devices in the future, which impacts revenues and profits. •  Samsung may consider switching battery suppliers, which could affect costs and product quality. •  Samsung must honor the warranty on the phone and issue refunds and/or replacement products to customers, which impacts profits. •  Samsung’s reputation was tarnished by the negative publicity, and the situation sparked multiple lawsuits that will drag on for years and cost Samsung millions of dollars. During the audit, you and the other audit team members would plan to give additional audit attention to accounts and note disclosures directly impacted by the Galaxy Note 7 situation, such as warranty-related accounts, inventory (lower-of-cost-or-net-realizable value), sales returns, and contingent liability accruals.

Another important component of understanding the entity includes gaining an understanding of the client’s system of internal controls as it relates to the audit. This includes learning about the design of the client’s internal controls and the different components of the client’s internal control system. Strong internal controls both reduce the likelihood of material misstatement and change the nature of audit tests. A thorough discussion of gaining an understanding of the client’s system of internal controls is covered in Chapter 6.

Cloud 9 - Continuing Case Ian is starting to think about Cloud 9 more closely. He can remember something being said about Cloud 9 importing the shoes from a production plant in Vietnam and then wholesaling them to major department stores. “OK,” says Suzie. “Let’s just take that one aspect of the operations and think about the issues that could arise.”

Ian realizes the department stores would be customers of Cloud 9 (although they should check that the stores actually purchase the shoes rather than hold them on consignment). If there were a mistake or a dispute with one of the stores, or if the store were in financial difficulty, the collectibility of accounts receivable would be in doubt, so assets could be overstated. If the store disputed a sale,

1 Chandan, “Smartphone Manufacturers in the World 2017,” https://www.techzac.com/top-10-smartphonemanufacturers-in-the-world/ (accessed August 30, 2017). 2

S. Pham, “Samsung Blames Batteries for Galaxy Note 7 Fires” (January 23, 2017), http://money.cnn.com/2017.

4-8  Ch a pte r 4  Risk Assessment Part II: Understanding the Client

or a sales return was not recorded correctly, sales (and profit) could be overstated. Is Cloud 9 liable for warranty expenses if the shoes are faulty? The auditors would need to read the terms of the contract to determine if a warranty liability should be recorded on the balance sheet. What about the balance of inventory? Do the shoes belong to Cloud 9 when they are being shipped from Vietnam, or only after they arrive at the warehouse? Is Cloud 9 exposed to foreign currency exchange risk and how is this accounted for?

Suzie points out that the answer to each of these questions could be different for Cloud 9 than for other clients because of its different circumstances. Auditors need to gain an understanding of these circumstances so they can assess the risk that accounts receivable, sales, sales returns, inventory, and liabilities are misstated. Once they understand all the risks, they are in a position to decide how they will audit Cloud 9.

Gain an Understanding of the Industry and Business Environment At the industry level, auditors are interested in the client’s position within its industry, the level of competition in that industry, and the client’s size relative to its competitors. Auditors evaluate the client’s reputation among its peers and the level of government support for companies operating in that industry. Another consideration is the level of demand for the products sold or services supplied by companies in that industry and the factors that affect that demand. For example, an ice cream manufacturer is affected by the weather, which causes revenue to be seasonal. This would be important for auditors to know because during the slow season, revenue may be at higher inherent risk if the client is trying to maintain a certain profit target. A summary of some key industry and business environment factors that can influence inherent risk is provided in Illustration 4.3. Each factor in Illustration 4.3 is numbered, and the following paragraphs provide more discussion of these industry and business environment factors that auditors consider when gaining an understanding of the client. illustration 4.3   Industry and business environment factors that influence inherent risk

Lower Inherent Risk Assessments

Industry Factors That Influence Inherent Risk

Less competitive industry, which puts less stress on the client’s ability to generate a profit

(1) Level of competition

Good reputation relative to others in the industry

(2) Reputation

Customers and suppliers may be attracted to conduct business with the client versus a competitor A new industry with considerable government support and incentives

Higher Inherent Risk Assessments Very competitive industry, which puts more stress on the client’s ability to generate a profit Poor reputation relative to others in the industry Customers and suppliers may shift business to a competitor

(3) Legal, political, and regulatory environment

A new industry with little or no government support

New or established industry with intense international competition with considerable government support and incentives

New or established industry with intense international competition with little or no government support

Industry with minimal government regulation and no special taxes or unique financial reporting requirements

Heavily regulated industry with special taxes and unique regulations and financial reporting requirements

Demand is not seasonal, which provides steady revenue flow

(4) Demand

Seasonal demand for products, which leads to sporadic revenue flow

Industry minimally affected by trends/customer preferences

Industry subject to changing trends/ customer preferences

Industry has low risk of technological obsolescence

Industry subject to technological obsolescence

Economy as a whole experiences an upturn, which leads to easily sustainable profit levels

(5) Economy

Economy as a whole experiences a downturn, which leads to pressure to maintain expected profit levels

  Understanding the Client  4-9

Auditors compare the client with its close competitors nationally and internationally. When auditors have a number of clients that operate in the same industry, and the audit firm has significant experience auditing clients in that industry, this stage of the audit is more straightforward than if the client operates in an industry the auditors are not already familiar with. The audit team assesses the (1) level of competition in the client’s industry. The more competitive the client’s industry, the more pressure is placed on the client’s profits, which will assist auditors when developing expectations regarding the client’s profitability. In an economic downturn, the weakest companies in highly competitive industries face financial hardship and possible going concern problems. A key issue for an auditor is the client’s position among its competitors and its ability to withstand downturns in the economy. Auditors also consider the client’s (2) reputation relative to other companies in the same industry. If the client has a poor reputation, customers and suppliers may shift their business to a competing firm, threatening the client’s profits. In such circumstances, a client’s management may resort to aggressive accounting choices to improve profits (or reduce losses). The audit team can assess the client’s reputation by reading articles and industry publications. Auditors consider the (3) legal, political, and regulatory environment for the client’s industry. This issue is important if the industry faces significant competition internationally or the industry is new and requires time to become established. Support is sometimes provided to industries that produce items in line with government policy, such as manufacturers of water tanks, solar heating, and reduced-flow taps in the context of environmental policies. Regulations can affect a client’s ability to continue operating or affect continued profitability, for example, through different taxes and charges imposed on companies operating in the industry. Some industries have unique accounting and financial reporting requirements, such as the oil and gas industry. The audit team must be alert to how changes in the regulatory environment might affect the client’s profitability and operations. The auditors should understand the level of (4) demand for the goods sold or services provided by companies in the client’s industry. If a client’s products or services are seasonal, this will affect revenue flow. As mentioned, if a client is an ice-cream producer, sales would be expected to increase in the summer; however, if the weather is unseasonal, profits may suffer. If a client sells swimsuits, sales will fall in a cool summer. If a client sells ski equipment, sales will fall if the winter brings little snow. If a client operates in an industry subject to changing trends, such as fashion, the client risks inventory obsolescence if it does not keep up and move quickly with changing styles. When a product or process is subject to technological change, there is the risk a client will quickly be left behind by its competitors. If products become obsolete, it will affect the lower-of-cost-or-net realizable value accounting for inventory, and it might affect the collectibility of receivables related to inventory sold to customers that has not yet been sold to end consumers. Finally, when gaining an understanding of a client, auditors assess how factors in the (5) economy affect the client. Economic upturns and downturns, changes in interest rates, and currency fluctuations affect most companies. The audit team is concerned with the client’s susceptibility to these changes and its ability to withstand economic pressures. The auditors also determine if negative consequences have been appropriately reported in the financial statements.

Audit Reasoning Example  Economic Upturns and Downturns During an economic upturn, companies are under pressure to perform as well as or better than competitors, and shareholders expect consistent improvements in profits. When conducting the audit in this environment, more focus is given to the risk of overstatement of revenues and understatement of expenses. What about an economic downturn? When the economy as a whole is poor and the entire industry is down, does management face the same pressures? During an economic downturn, management may decide to “take a bath,” meaning that companies may purposefully understate profits. When the economy is poor, there is a tendency to maximize write-offs because a fall in profits can easily be explained to shareholders when most companies in the industry are also experiencing a decline in earnings. In other words, management decides, “If it’s already a bad year, let’s make it a really bad year.” A benefit of “taking a bath” is it provides a low base from which to demonstrate an improvement in results in the following year. When conducting the audit during times when the economy is in recession and clients may be tempted to “take a bath,” how would auditors modify their audit approach? More focus is given to the risk of understatement of revenues and overstatement of expenses.

4-10  C h a pte r 4  Risk Assessment Part II: Understanding the Client

Compliance with Laws and Regulations illegal acts  violations of laws or governmental regulations

direct and material effect  a situation in which noncompliance with laws and regulations impacts amounts and disclosures already included in the financial statements indirect effect  a situation in which noncompliance with laws and regulations does not have a direct impact on amounts and disclosures in the financial statements, but could require the creation of a contingent liability or an additional disclosure

Auditors should also obtain a general understanding of laws and regulations that apply to the client’s industry and operations. For example, manufacturing clients must adhere to regulations imposed by the Environmental Protection Agency (EPA) and the Occupational Safety & Health Administration (OSHA). If a client commits an illegal act by not complying with applicable regulations, the client may be fined or may be subject to future litigation. It is the responsibility of company management and those charged with governance to ensure that policies and internal controls are in place to assist in the prevention and timely detection of noncompliance with laws and regulations. What is the auditor’s responsibility regarding illegal acts committed by the client? Remember, the objective of the audit is to determine if the financial statements are presented fairly in accordance with the appropriate financial reporting framework. An auditor is not expected to be an expert in non-accounting laws and regulations such as environmental regulations and health and safety laws, but an illegal act by the client could impact the financial statements through fines and litigation. AU-C 250 Consideration of Laws and Regulations in an Audit of Financial Statements and AS 2405 Illegal Acts by Clients address the auditors’ responsibility as it relates to the client’s compliance with laws and regulations. For illegal acts that have a direct and material effect on the financial statements, the auditors have the same responsibility for detecting those acts as they do for detecting material misstatements caused by error or fraud. Many of the laws and regulations that would have a direct and material effect on the financial statements are already familiar to the auditors. For example, auditors regularly investigate the compliance with tax law and fair presentation of income tax expense in the income statement, as well as compliance with pension laws and pension disclosures in the financial statements. For illegal acts that have a material but indirect effect on the financial statements, the auditor’s responsibility is limited to performing specified audit procedures that may identify noncompliance. Some examples of laws and regulations that could fall into this category are environmental and safety regulations, or food and drug administration regulations. If information comes to the auditors’ attention that provides evidence concerning the occurrence of possible illegal acts, the auditors should use professional skepticism and perform further audit procedures to specifically determine if an illegal act has occurred, and whether a contingent liability that is material to the financial statements should be recorded or disclosed. It is important to note that an audit conducted according to standards provides no assurance that all illegal acts that have an indirect effect on the financial statements will be detected or any contingent liabilities that may result will be disclosed (AS 2405.07 and AU-C 250.A3). If auditors discover or suspect that an illegal act has occurred, they should gain an understanding of the nature of the act, gather information to determine the possible effects on the financial statements, and document all of their work. The audit team should discuss the situation with management at a level above those involved with the suspected noncompliance and, if appropriate, also discuss the situation with those charged with governance. Auditors should consider the implications of noncompliance on other areas of the audit, such as audit risk, materiality, and reliability of management representations. For example, if an illegal act occurred, auditors should re-evaluate the internal controls that should have prevented or detected the illegal act. If the controls are determined to be weak, auditors may need to adjust the audit strategy to perform more substantive testing rather than relying on the internal controls. It is important to remember the entire risk assessment process is an iterative process, and auditors may come across evidence that contradicts prior risk assessments. In these situations, auditors should revise their risk assessments and decisions about the nature, timing, and extent of audit procedures in light of the new evidence. If management or those charged with governance do not respond appropriately to an identified situation of noncompliance, the auditors should consult with their own legal counsel and consider withdrawing from the audit. Reporting illegal acts to external parties is generally not part of the auditor’s responsibility because of the auditor’s ethical obligation of client confidentiality, as discussed in Chapter 2.

  Understanding the Client  4-11

Audit Reasoning Example  Illegal Act, Direct and Material Effect Henry is an audit associate assigned to the audit of Quick Fix Burgers, a regional fast-food chain. To gain an understanding of the client’s payroll system, Henry obtained a listing of all employees and then queried the client’s system to provide a listing of all checks made payable to employees for the last month of the second quarter. Quick Fix pays its employees twice a month; therefore, each employee should receive two paychecks each month. While scanning the report, Henry noticed that some of the frontline employees, such as cashiers and cooks, had three or four checks for the month. He selected one of the employees who had received four checks and looked more closely at the supporting detail. Two of the checks were payment for 10 hours worked during the first and second half of the month, and these checks had state and federal income taxes withheld along with Social Security and Medicare. The other two checks were for a single amount, which was about the same amount as the net pay on the payroll checks, but with no withholdings or other payroll deductions, and were paid on the same date as the payroll checks. Why might there be these additional checks to employees? Were they reimbursements for expenses incurred by the employee? Or could Quick Fix Burgers be trying to avoid payroll taxes, such as the employer share of Social Security and Medicare, by calling these additional payments “employee reimbursements”? Failure on the part of employers to remit the appropriate amount of payroll taxes is an illegal act that can lead to significant fines and penalties. If Quick Fix is under-reporting an employee’s hours and the related payroll taxes, then both expenses (wages expense and payroll tax expense) and liabilities (wages payable and payroll taxes payable) will be understated and have a material and direct effect on the financial statements.

Audit Reasoning Example  Illegal Act, Material but Indirect Effect Henry is an audit associate assigned to the audit of Quick Fix Burgers, a regional fast-food chain. A month ago, Quick Fix received some bad publicity because two customers, who had eaten at two different Quick Fix restaurants, posted on social media they had become seriously ill after eating at Quick Fix. One of the customers was admitted to a hospital and posted that doctors suspected it was a case of E. coli that could be caused by unsanitary food handling. Henry had a meeting with Quick Fix’s controller and asked about the social media posts. The controller said, “All of our restaurants are inspected by the state health department, and we have always received excellent scores. We have not been contacted by the health department regarding those posts on social media.” When Henry gets back to his desk he thinks, what if the health department does contact Quick Fix regarding the incidents? What if Quick Fix did violate some health regulations? Does failure to comply with health regulations impact the financial statements directly? No, it does not. But could there be a material indirect effect on the financial statements? Yes. Customers who became sick could pursue legal action against Quick Fix, which could lead to a contingent liability and related expense, not to mention bad publicity. Henry documents this information in his risk assessment notes and will follow up on the situation during interim and year-end audit work.

Cloud 9 - Continuing Case Suzie explains to Ian that the partner, Jo Wadley, has asked her to join the team for this audit because she has experience in the clothing and footwear industry. Jo wants to make sure the team’s industry knowledge is very strong. Several other members of the team also have experience in auditing clients in the retail industry, including Jo and manager Sharon Gallagher. In addition, Josh is highly regarded at W&S Partners for his knowledge of receivables and cash-receipts systems.

Suzie has the task of leading the team writing the report on the industry-specific economic trends and conditions. The report must include an assessment of the competitive environment, including any effects of technological changes and relevant legislation. So that Ian can appreciate how understanding the client is an important part of the risk assessment phase, Suzie asks him to help write the report on the product, customer, and supplier elements. Then, together, they will assess the specific risks arising from the entire report, including risks at the economy level, for the Cloud 9 audit.

4-12  C h a pte r 4  Risk Assessment Part II: Understanding the Client

Before You Go On 1.1  What is the purpose of gaining an understanding of a client? 1.2 Explain how changing trends in an industry affect the inherent risk for an audit client, for example, in the energy industry. Illustrate with a few tangible examples. 1.3 Give an example of an illegal act that could have a material but indirect effect on the financial statements.

Client Approaches to Measuring Performance Lea rning O bjective 2 Explain how clients measure performance and how it impacts the auditor’s risk assessment.

key performance indicators (KPIs)  measurements, agreed to beforehand, that can be quantified and reflect the success factors of an organization

Part of the process used when gaining an understanding of a client involves learning how a ­client measures its own performance. The key performance indicators (KPIs) used by a client to monitor and assess its own performance and the performance of its senior staff provide auditors with insights into the accounts their client focuses on when compiling its financial statements and which accounts are potentially at risk of material misstatement. Some KPIs are common to many clients, such as return on assets and return on stockholders’ equity. Other KPIs will vary from industry to industry and client to client. For example, a client in the airline industry is concerned about revenue per passenger mile, a client in the retail industry is concerned about inventory turnover, and a client in the finance industry is concerned about its risk-weighted assets and interest margins. It is very important for auditors to understand which KPIs a client is most concerned about in that year so the audit can be planned around relevant accounts. It is inappropriate to assume all clients use the same KPIs. It is also inappropriate to assume a client will use the same KPIs every year. Just as businesses change their focus, KPIs change to help businesses achieve new goals.

Profitability profitability  the ability of a company to earn a profit

price–earnings (PE) ratio  measures how much a stockholder is willing to pay per dollar of earnings earnings per share (EPS) ratio  measures the earnings return on each common share issued

It is common for companies to use profitability measures to assess their performance and that of their senior staff. Companies often track their revenue and expenses over time and assess the variability from budgets, goals, or expectations. A company will compare its revenues and expenses with close competitors and assess its ability to compete, as well as whether results are matching expectations based on known factors such as seasonality or economic downturns. This also provides auditors with valuable insights into the expectations of management. A company’s management will track revenues from month to month to identify and explain trends. Management of a large company will compare revenues earned across divisions to highlight good and poor performance. Comparisons among divisions, or against budget, may be used to assess how well managers of those divisions are controlling costs. Changes from one year to the next may reflect an increased cost of doing business or highlight that it may be time to source cheaper suppliers or focus on production or product changes. Companies are concerned about their stockholders (owners). The price–earnings (PE) ratio (market price per share divided by earnings per share) shows how much a stockholder is willing to pay per dollar of earnings. For example, a PE of 10 means investors (and potential investors) are willing to pay 10 times current earnings for a company’s shares. This gives value to the future earning capacity of the enterprise. The earnings per share (EPS) ratio (profits available to common shareholders divided by weighted average common stock shares issued)

  Client Approaches to Measuring Performance  4-13

reflects the earnings return on each common share issued. When a client’s PE or EPS ratios are in decline, auditors may be concerned that management is under pressure to manipulate earnings. The cash earnings per share (CEPS) ratio (operating cash flow divided by outstanding shares) shows the cash flow capacity of a company for each common share issued. CEPS may be a more reliable indicator of a company’s financial health because it excludes noncash components such as depreciation and amortization, as well as noncash mark-to-market earnings. Retailers and manufacturers are generally concerned about their inventory turnover (cost of sales divided by average inventory), often at a department level. An assessment of this ratio is made within the context of the industry in which a company operates. For example, a company that sells perishable goods such as ice cream requires a much higher turnover than a company that sells nonperishable goods such as furniture. If a client’s inventory turnover slows significantly, auditors may be concerned that inventory is overvalued.

cash earnings per share (CEPS) ratio  shows cash flow capacity of a company for each common share issued

Liquidity, Solvency, and Cash Flow Liquidity is the ability of a company to meet its needs for cash in the short term, and solvency is the ability to meet its long-term financial obligations. It is vital for a company to have access to cash to pay its debts when they fall due. If it cannot meet these obligations, a company may be forced into liquidation. Companies require cash to pay their employees’ wages, utility bills, supplier bills, interest payments on borrowed funds, dividends to stockholders, and so on. In the longer term, companies need cash to repay long-term debt and undertake capital investment. Because cash is so vital, cash flow is closely monitored by the company and by external users, such as analysts and stockholders. To gain an understanding of a client’s cash flow, auditors analyze the cash flow statement. Recall from your previous accounting courses that the cash flow statement summarizes all cash activities into three categories: operating activities, investing activities, and financing activities. The cash flow provided, or used, by operating activities indicates a company’s ability to generate cash. For analysis purposes, the cash flow from operations amount can be adjusted for any one-time influences on cash flow from operations to determine sustainable cash flow from operations. For example, if the client made a large, onetime litigation payment, that amount could be added back to the cash flow from operations amount to provide a more realistic view of cash flow generated from normal and recurring operating activities. Companies often agree to debt covenants with lenders when taking on loans. That is, they promise to maintain specified profitability, liquidity, or other financial ratios, or to seek the lender’s permission before taking on new borrowings or acquiring other companies. These covenants are written into the borrowing contracts and restrict a company’s activities. If a company breaches a debt covenant, it may need to renegotiate or repay the loan. By understanding how their client measures and assesses its own performance and any restrictions implied by debt covenants, auditors gain a deeper understanding of the accounts potentially at risk of material misstatement. For example, if a client is close to violating the terms of a debt covenant, management may have incentive to misstate reported amounts in ways to show compliance with covenants.

liquidity  the ability of a company to pay its current debts when they fall due solvency  the ability of a company to meet its long-term financial obligations

sustainable cash flow from operations  cash flow from operations adjusted for one-time influences

Cloud 9 - Continuing Case In her discussions with the partner, Jo Wadley, Suzie learns the senior people in the Cloud 9 accounting/finance department are entitled to receive stock options if revenue targets are met. Cloud 9’s share price (which determines the value of the stock options) reflects market expectations about future profits. Cloud 9 has taken on additional debt this year, and costs are rising because of issues associated with its drive to increase

market share. These results increase interest expense and decrease profitability, potentially reducing the value of the stock options. Suzie decides to allocate time in the audit plan to consider whether these pressures could impact any of the senior staff’s incentives and increase inherent risk and possibly fraud risk.

4-14  C h a pte r 4  Risk Assessment Part II: Understanding the Client

Before You Go On 2.1  What is a PE ratio? Why is it important to auditors? 2.2 Explain how internal performance reports may be used by auditors to assess the risk of material misstatement. 2.3 What is a debt covenant? Develop an example of why a debt covenant is important to assessing the risk of material misstatement.

Analytical Procedures Lea rning O bjective 3 Demonstrate how auditors use analytical procedures when assessing risk, including the use of audit data analytics.

analytical procedures  evaluations of financial information through analysis of plausible relationships among financial and nonfinancial data

As auditors gain an understanding of their client, the industry in which it operates, and how the client measures its own performance, they can develop their own expectations regarding the client’s financial statement items. For example, if auditors are aware their client has borrowed a significant amount of money in the previous financial year, a reduction in the client’s debt-to-equity ratio would be unusual and would warrant further investigation. This is an example of auditors using analytical procedures to assess risk. AU-C 315 and AS 2110 define analytical procedures as evaluations of financial information through analysis of plausible relationships among financial and nonfinancial data. Analytical procedures involve the identification of fluctuations in accounts that are inconsistent with the auditors’ expectations based upon their understanding of the client. It is essential that auditors have clear expectations about their client’s results for the reporting period before conducting analytical procedures, so that unexpected fluctuations can be correctly identified and investigated. Analytical procedures are conducted throughout an audit. During the risk assessment phase, analytical procedures are used to aid in the risk identification process. During the risk response phase, analytical procedures are an efficient method of testing account balances that are derived from estimates. At the conclusion of the audit, analytical procedures are used to assess whether the financial statements reflect the auditors’ knowledge of their client and the client’s industry. In this chapter we concentrate on the application of analytical procedures during the risk assessment phase. The use of analytical procedures when conducting substantive procedures and during the conclusion of the audit is discussed in Chapters 9 to 14. Analytical procedures are conducted during the risk assessment phase of the audit to: •  Highlight unusual fluctuations in accounts. •  Aid in the identification of risk. •  Enhance the understanding of a client and its industry. •  Identify the accounts at risk of material misstatement. •  Minimize audit risk by concentrating audit effort where the risk of material misstatement is greatest. AU-C 315 and AS 2110 require auditors to perform analytical procedures as part of their risk identification process, even if the data is preliminary or aggregated at a high level. Analytical procedures include simple comparisons, trend analysis, common-size analysis, and ratio analysis. Let’s discuss each of these forms of analysis and factors to consider when conducting analytical procedures.

Comparisons Comparisons are often made between account balances for the current year and the previous year(s), the current year and the budget, or the current year and industry data. When comparing

 Analytical Procedures  4-15

account balances from one year to the next, significant changes can be tracked and investigated further by the auditors. Auditors will assess these changes in light of their expectations based upon their understanding of the client and any changes experienced over the previous year. For example, if the client had opened a new retail outlet, total sales would be expected to have increased by a predictable amount since the previous year. When comparing account balances with budgeted amounts, auditors are concerned with uncovering variations between actual results and those expected by the client. Significant unexpected variations should be discussed with client personnel and the results of such inquiry should be corroborated by other evidence. Comparisons of one year to the next involve only limited data. As a result, auditors keep results of analytical procedures for continuing clients so they have running data over a number of years to spot changing trends more easily.

Trend Analysis Trend analysis (or horizontal analysis) is a comparison of account balances over time. It is conducted by selecting a base year and then restating all accounts in subsequent years as a percentage of that base. It allows auditors to gain an appreciation of how various accounts have changed through time. When conducting a trend analysis, it is important for auditors to consider significant changes in economy-wide factors, such as a recession, which may affect their interpretation of the trend. Illustration 4.4 provides an example of a trend analysis. 2020 (in $ millions)

2021 % Change Compared to 2020

2022 % Change Compared to 2020

2023 % Change Compared to 2020

Sales

250

(20)

(10)

20

Cost of sales

110

(10)

0

10

Interest expense

10

(30)

30

0

Wages expense

70

(20)

30

6

Rent expense

40

0

0

0

Cash

400

20

10

25

Inventory

350

30

20

10

Trade receivables

300

(10)

5

15

trend analysis  a comparison of account balances over time

ILLUSTRATION 4.4  

Trend analysis

Income statement items

Balance sheet items

Various accounts can be selected for inclusion in a trend analysis. Accounts that vary from one year to the next are generally the focus. In the trend analysis depicted in Illustration 4.4, 2020 was selected as the base year. The following years appear as a percentage increase or decrease of the 2020 amount. For example, sales in 2021 were 20% lower than sales in 2020; in 2022 sales were only 10% lower than the 2020 figure, and in 2023 sales grew to 20% higher than the 2020 amount. A trend analysis allows auditors to assess movements in the accounts over time and determine whether the underlying trends match their understanding of the client and its operations over the period under review.

Common-Size Analysis Common-size analysis (or vertical analysis) is a comparison of account balances to a single line item. In the balance sheet, the line item used is generally total assets. In the income statement, the line item used is generally sales or revenue. A common-size analysis allows auditors to gain a deeper appreciation of how much each account contributes to the totals presented in the financial statements. By preparing common-size accounts for several years, auditors can trace the relative contribution of various accounts through time. Illustration 4.5 provides an example of a common-size analysis.

common-size analysis  a comparison of account balances to a single line item

4-16  C h a pte r 4  Risk Assessment Part II: Understanding the Client ILLUSTRATION 4.5  

2020 %

2021 %

2022 %

2023 %

100

100

100

100

44

50

48

40

Interest expense

4

4

6

3

Wages expense

28

28

22

25

Rent expense

16

20

18

13

5

4

4

3

Inventory

20

27

23

23

Trade receivables

18

25

22

18

Payables

15

15

17

16

100

100

100

100

Common-size analysis Income statement items Sales Cost of sales

Balance sheet items Cash

Total assets

The common-size analysis depicted in Illustration 4.5 shows that cost of sales grew and then decreased as a proportion of sales. This may reflect a change in prices charged by suppliers, prices charged to customers, and/or quantity of goods on hand. In the balance sheet, inventory levels rose and then dropped, which may indicate a build-up of inventory on hand when sales dropped in 2021.

Ratio Analysis Auditors perform ratio analysis to assess the relationship between various financial statement account balances. Auditors will calculate profitability, liquidity, and solvency ratios.

Profitability Ratios Profitability ratios reflect a company’s ability to generate earnings and ultimately the cash flow required to pay debts, meet other obligations, and fund future expansion. Common profitability ratios, shown in Illustration 4.6, include the gross profit margin, profit margin, return on assets, and return on stockholders’ equity. ILLUSTRATION 4.6   Common profitability ratios

Ratio Gross profit margin Profit margin Return on assets (ROA) Return on stockholders’ equity (ROE)

gross profit margin  measures whether a seller of goods has sufficient markup on goods sold to pay other expenses profit margin  measures profitability after taking into account all operating expenses

Formula Gross profit Net sales Net income Net sales Net income Average total assets Net income Average equity

The gross profit and profit margins indicate the proportion of sales turned into profits. The gross profit margin indicates whether a seller of goods has a sufficient markup on goods sold to pay for other expenses. A markup is the difference between the selling price of goods and the cost of goods sold. A decline in this ratio indicates a client may be paying more for its inventory or charging less to its customers. If the gross profit margin continues to decline, the client may have a loss if it is not able to cover its operating expenses. The profit margin indicates the profitability of a company after taking into account all operating expenses. By looking at the trend in the profit margin over time, auditors can

 Analytical Procedures  4-17

identify variability in the profit-earning capacity of their client. If the profit margin is steadily falling, this may affect the future viability of the client. A profit margin that varies widely from year to year indicates volatility and uncertainty, which makes it difficult to assess the fair presentation of the current reported earnings without further investigation. The return on assets (ROA) ratio indicates the ability of a company to generate income from its average investment in total assets. The return on stockholders’ equity (ROE) ­ratio indicates the ability of a company to generate income from the funds invested by its common stockholders. If a company is unable to generate a sufficient return on funds invested, there may be insufficient funds available to pay dividends and invest in future growth. Auditors calculate these ratios to assess trends in profitability. If the ROA and ROE, and resulting cash flow, are falling, it will affect the ability of their client to pay dividends and interest, and repay loans, all of which depend on the client’s ability to generate cash. Auditors compare the current year and previous years to identify trends in their client’s profitability. Comparisons are also made with budgeted results and with competitors. When comparing actual results with the budget, auditors assess how profitable the client is compared to management’s expectations as outlined in the budget. Auditors discuss any significant variance with management. When comparing their client with competitors, auditors assess their client’s profitability relative to companies of a similar size operating in the same industry. Any significant trends that appear unusual when compared to previous years, budget, or competitors are investigated further by the audit team as a possible indication of a risk of a material misstatement.

return on assets (ROA) ratio  measures ability to generate income from average investment in total assets return on stockholders’ equity (ROE) ratio  measures ability to generate income from funds invested by common stockholders

Liquidity and Activity Ratios Liquidity ratios reflect a company’s ability to meet its short-term debt obligations, and activity ratios measure a company’s ability to convert its assets to cash. If a company is unable to pay its debts when they fall due, key employees may leave, suppliers may refuse to supply goods, and lenders may demand the repayment of loans. Auditors are concerned with their client’s liquidity situation to alert them to any potential going concern issues. Some important short-term liquidity ratios, shown in Illustration 4.7, include the current ratio, the acid-test (quick) ratio, free cash flow, and the ability of cash flow from operations to cover current debt and dividends. The turnover ratios are activity ratios and serve as indicators of managerial efficiency and client activity. Ratio Current ratio Acid-test (quick) ratio Sustainable free cash flow Ability of cash flow from operations to cover current debt and dividends Inventory turnover in days Receivables turnover in days Payables turnover in days Gross operating cycle Net operating cycle

ILLUSTRATION 4.7   Common liquidity and activity ratios

Formula Current assets Current liabilities

Cash + Short-term investments + Receivables (net) Current liabilities

Sustainable cash flow from operations – Capital expenditures Sustainable cash flow from operations

Current portion of financing debt + Dividends 365 days ÷

( (

365 days ÷ 365 days ÷

(

Cost of sales Average Inventory

)

Net credit sales Average net receivables Cost of sales

) )

Average accounts payable

Receivables turnover in days + Inventory turnover in days Gross operating cycle – Payables turnover in days

The current ratio indicates how well current assets cover current liabilities. A ratio that is greater than 1.0 indicates a company should be able to meet its short-term commitments when they fall due. In reality, this will depend upon the ability of a company to convert its inventory and receivables into cash on a timely basis. The acid-test (quick) ratio indicates

current ratio  measures ability to meet short-term obligations as they come due acid-test (quick) ratio  measures ability to meet shortterm obligations with liquid assets such as cash, short-term investments, and receivables

4-18  C h a pte r 4  Risk Assessment Part II: Understanding the Client

sustainable free cash flow  measures cash flow remaining after covering cash outflows for operations and capital expenditures ability of cash flow from operations to cover current debt and dividends  measures ability to cover current debt maturities and dividends with operating cash flow inventory turnover in days  measures how many days, on average, it takes a company to sell its inventory

receivables turnover in days  measures how many days, on average, it takes a company to collect its receivables

payables turnover in days  measures how many days, on average, it takes a company to pay its suppliers

gross operating cycle  measures how many days, on average, it takes to purchase inventory, sell it, and collect the receivable net operating cycle  measures how many days, on average, it takes a company to purchase and sell inventory, collect the receivable, and pay back creditors

how well liquid assets cover current liabilities. Liquid assets include cash, short-term investments, and receivables. Acceptable current and acid-test ratio benchmarks vary from one industry to another. Auditors compare the trend in both ratios over time to assess whether their client’s liquidity situation is improving or deteriorating. Auditors also compare their client’s ratios with the industry average to assess their client’s liquidity relative to close competitors. If a client’s liquidity situation is deteriorating or is poor when compared to the industry average, auditors may be concerned about the future viability of the company. Sustainable free cash flow measures the cash flow remaining after covering cash outflows for operations and capital expenditures. Larger numbers indicate a company has the capacity to finance operations and capital expenditures with operating cash flow, and it has the ability to take advantage of opportunities that may arise unexpectedly. For example, a large free cash flow balance could indicate the client could acquire another company if the opportunity was available. The ability of cash flow from operations to cover current debt and dividends estimates the company’s ability to cover current debt maturities and dividends with operating cash flow. A larger number indicates an increased ability to cover current debt maturities and dividends with operating cash flow. Inventory turnover in days measures how many days, on average, it takes a company to sell its inventory. In general, the lower the number of days the better, because companies prefer to sell their inventory quickly, and generate a profit, rather than have it sit on a shelf or in a warehouse. This ratio will vary widely from one industry to another. For example, the inventory turnover in days for a supermarket would be much lower than for a luxury boat manufacturer. Auditors look at the trend in this ratio to determine whether inventory is being sold more quickly or more slowly from year to year. They also compare the inventory turnover in days for their client to the industry average to determine whether their client is competitive with its rivals. If a client operates in a high-technology industry or the fashion industry, where customer preferences change quickly, an increase in the inventory turnover in days may indicate the client is not keeping up with change and products are not being sold as quickly. When a client’s inventory turnover in days increases by more than expected, auditors will spend more time testing the valuation of inventory. Inventory may need to be written down in response to slowing demand. In this situation, auditors will also investigate whether sales revenue has fallen in line with the slowing movement of inventory. Receivables turnover in days measures how many days, on average, it takes a company to collect cash from its customers. In general, a lower number of days is better. The sooner a company can collect cash from customers, the sooner that cash can be used to purchase more inventory, pay down debt, or finance new capital assets. The receivables turnover in days should be compared to the client’s credit terms that it offers customers. For example, if the credit terms are 3/10, net/30, auditors would expect the receivables turnover in days to be about 30 days or maybe less. If the ratio is 41 days, it may indicate the client is making sales to customers who are unable to pay for their goods on a timely basis or the client is not following up with customers who are late in paying. In this example, auditors will spend more time considering the adequacy of the allowance for doubtful accounts. Payables turnover in days measures how many days, on average, it takes a company to pay its suppliers. A lower number of days means a company is paying off its short-term debt at a faster rate. The payables turnover in days should be compared with the average time frame the client’s vendors allow for payment. For example, suppose most of the client’s vendors allow 30 days for the client to remit payment of an invoice. If the client’s ratio is 58 days, it may indicate the client is struggling to make vendor payments and is consistently late. This could lead to late fees and possibly vendors not wanting to sell to the client any more. It may also indicate that controls over accounts payable are weak. In this example, auditors will spend more time considering controls over the accounts payable process to ensure all liabilities that occurred are properly recorded in accounts payable. Gross operating cycle is an estimate of the number of days it takes for a company to purchase inventory, sell it, and collect the receivable. A smaller amount of days represents faster turnover of a company’s merchandise, which is desirable to maintain strong cash flow. Net operating cycle is the gross operating cycle minus the payables turnover in days. The net operating cycle reflects that a company may use credit to finance inventory purchases. It is an estimate of how long the company is waiting to sell inventory, collect on receivables, and then

 Analytical Procedures  4-19

pay back creditors. A smaller number of days indicates a faster turnover of merchandise. It is important to remember that different industries have different capital needs and product life cycles; therefore, determining whether a company has a long or short operating cycle should be made within the industry context.

Solvency Ratios Solvency ratios are used to assess the long-term viability of a company. Liquidity ratios take a short-term view of a company whereas solvency ratios have a long-term perspective. Common solvency ratios are the debt-to-equity ratio and times-interest-earned ratio, as shown in Illustration 4.8. Ratio

Formula

Debt to equity Times interest earned

Total liabilities Total equity Income before income taxes and interest expense Interest expense

The debt-to-equity ratio indicates the relative proportion of total assets being funded by debt relative to equity. A high debt-to-equity ratio increases the risk that a client will not be able to meet principal and interest payments to lenders when due. Companies with long-term debt are more likely to have debt covenants with a lender, which may restrict the company’s activities. Auditors consider the trend in the client’s debt-to-equity ratio over time and gain an understanding of the make-up of total liabilities (e.g., what percentage of debt is current versus long-term). An increasing ratio may indicate a client will not be able to repay its loans when they fall due and increases the risk a client will breach a debt covenant. Auditors also compare a client’s debt-to-equity ratio with similar companies in the same industry, as this ratio tends to vary across industries. The times-interest-earned ratio measures the ability of earnings to cover interest payments. A low ratio indicates a client may have difficulty meeting its interest payments to lenders. Auditors consider how this ratio has changed over time. A downward trend is a concern as it indicates lenders may charge the client a higher rate of interest on future borrowings. At the extreme, lenders may demand the repayment of debt if the client does not make interest payments on time.

Audit Reasoning Example  Ratio Analysis Sadie is conducting ratio analysis during the risk assessment phase for the audit of Bayou Sports Shop. She has calculated the following ratios for Bayou and compared them to the industry ­average: Ratio Receivables turnover in days Inventory turnover in days Current ratio Debt-to-equity ratio

ILLUSTRATION 4.8   Common solvency ratios

Bayou Sports Shop 27 days 58 days 1.88 1.21

Industry Average 26 days 61 days 2.0 .50

When compared to the industry averages, what areas appear to be risky for Bayou? ­Bayou is consistent with the industry in terms of collecting receivables, turning over inventory, and maintaining liquidity. In terms of solvency, Bayou’s debt-to-equity ratio is more than double the industry average. Compared to others in the industry, Bayou has more debt, which means more cash is being used to pay interest on the debt. Bayou has increased risk of not being able to pay interest payments on time if the economy takes a downturn and sales decline. Sadie documents a follow-up procedure to inspect loan documents to see if there are any debt covenants that require Bayou to maintain certain ratios. If the debt-to-equity ratio continues to increase, Bayou could be in violation of a debt covenant and be required to pay back borrowed funds immediately.

debt-to-equity ratio  measures the relative proportion of equity and debt used to finance total assets

times-interest-earned ratio  measures ability of earnings to cover interest payments

4-20  C h a pte r 4  Risk Assessment Part II: Understanding the Client

Audit Data Analytics audit data analytics (ADA)  using software to discover and analyze patterns, identify anomalies, and extract other useful infor­­­ mation in data underlying the subject matter of an audit through analysis, modeling, and visualization for the purpose of planning or performing an audit

More sophisticated analytical procedures are used by some auditors. Audit data analytics (ADA) is the use of software to conduct detailed analysis of client data, such as information contained in the client’s ledgers and journals. These applications can be used to conduct the analysis outlined above, as well as to search for unusual transactions, including those that occur at odd times, are for unusual amounts, or within unusual accounts. An in-depth discussion of ADA is provided in Chapter 7, and ADA is also addressed in other chapters throughout the text. Here is a brief discussion of using ADA to conduct cluster analysis, time-series analysis, and regression analysis. Cluster analysis involves sorting client data into various dimensions or measures. For example, client data can be sorted across dimensions such as location, cost center, or manager. It can then be measured as inventory purchased, inventory sold, inventory on hand, sales, or rent expense across those dimensions. Once measured data are sorted by dimensions, they can be analyzed to determine whether the relationships between the various data are consistent with the auditors’ understanding of their client. Journal entry summaries provide condensed overviews of transactions. Summaries can be prepared using a range of criteria by month, by division, or by manager. Time-series analysis can be used to analyze data that occur regularly within the client, for example, sales and purchases. This form of analysis uses data from the past to predict the future. For example, sales made in the past can be used to predict sales in the period under audit. Significant fluctuations in expected sales trends are then investigated by the audit team. When assessing variations, auditors incorporate their understanding of changes that have occurred in the current year that may explain the variations observed. For example, the client may have closed some retail outlets, which would explain a sharp decline in sales. When conducting a time-series analysis, auditors look at the long-term trend, seasonal variation (for example, sales of ice cream are likely to be higher in summer), and unexpected variations. Regression analysis can be used to investigate the relationships among different groups of data or variables. This analysis considers the relationship between a dependent variable, such as sales, and various independent variables, such as selling costs, purchases, and advertising expense. Regression analysis provides a statistical measure of the associations among data. It establishes whether movements in the independent variables result in a change in the dependent variable. Significant differences between what the regression model predicts and the client’s reported balances are investigated as they indicate a potential misstatement, such as an overstatement of sales relative to associated expenses.

Factors to Consider When Conducting Analytical Procedures There are several factors to consider when conducting analytical procedures. The first is the reliability of client data. If auditors believe there is a significant risk the client’s records are unreliable due to, for example, poor internal controls, then auditors are less likely to rely on analytical procedures. Another issue is the ability to make comparisons over time. If the client has changed accounting methods, this will reduce the comparability of the underlying data. In this case, auditors will need to restate prior years’ financial statement data using the current accounting methods before making any comparisons. Finally, if past results are unaudited, they are considered less reliable for comparison purposes. During the risk assessment phase, auditors may only have access to their client’s half-year results. They will need to annualize revenue and expense items before making comparisons with the prior year. If a client earns revenues evenly throughout the year, it is appropriate to double the half-year revenues. If a client earns more revenues in some months relative to

 Analytical Procedures  4-21

others (for example, an ice-cream seller earns more in warmer months), trends must be considered when annualizing half-year results. When comparing actual financial results to budgeted results, auditors must consider the reliability of the budget. This can be assessed by comparing budgets to actual results for prior years. If the client continually overestimates earnings, for example, auditors take this into account when comparing actual and budgeted results for the current period. Auditors must be careful when benchmarking a client with industry data. If the client is significantly smaller or larger than most companies in its industry, comparison may not be valid. If competitors do not use the same accounting methods, the comparison is problematic. If the client has very different results and ratios from the industry average, there may be a problem with the industry data rather than with the client data. In conducting analytical procedures, the following information sources are generally considered to be reliable: •  Information generated by an accounting system that has effective internal controls. •  Information generated by an independent reputable external source. •  Audited information. •  Information generated using consistent accounting methods. •  Information from a source internal to the client that has proven to be accurate in the past (for example, preparation of budgets). Auditors document the results of the analytical procedures, including the accounts identified as being at risk of material misstatement. These results are used to further refine the audit strategy and develop the audit plan.

Cloud 9 - Continuing Case Ian volunteers to start the analysis of Cloud 9’s interim results and previous period’s financial data. He previously attended a training session on the W&S Partners’ software that he will use to produce reports showing unusual relationships and fluctuations. Suzie is grateful for the help but cautions Ian, “You do realize that judging what is ‘unusual’ is a little more complex than getting a software application to identify a change above a certain percentage? You need considerable industry experience and client knowledge to

make sense of the information. For example, no change in a figure can be more suspicious than a large change, depending on the circumstances.” “Yes, I realize that, and I know that I don’t have the experience to complete the analysis, but I am hoping to learn from you by seeing what you do with the data and reports that I hadn’t even considered doing,” he says.

Before You Go On 3.1 Why are liquidity ratios calculated? Develop an example of how a liquidity ratio might help the auditor in risk assessment. 3.2 What is a trend analysis and why might an auditor use this form of analysis for risk assessment? 3.3 Explain the factors that the auditor should consider when performing analytical procedures in the risk assessment process.

4-22  C h a pte r 4  Risk Assessment Part II: Understanding the Client

Related Parties Lea rning O bjective 4 Define related party transactions and explain how they affect the auditor’s risk assessment.

related party  an affiliate, principal owner, manager, or other party that is not independent of the entity

Another risk assessment procedure is the search for related party relationships and transactions. What is a related party? According to FASB ASC Topic 850, Related Party Disclosures, related parties of a company include the following: •  Affiliates of the entity. •  Investments in other entities accounted for by the equity method. •  Trusts for employee benefit plans, such as pensions, that are managed by or under the trusteeship of management. •  Principal owners of the entity and their immediate family members. •  Management of the entity and their immediate family members. •  Other parties that can significantly influence management or operating policies of the entity. Financial reporting frameworks, such as GAAP, require disclosure of related party relationships, transactions, and accounts so financial statement users can understand their potential effects on the financial statements. Companies can have transactions with related parties frequently in the normal course of business, but because they are related parties, there is a risk that some of the transactions may not be accounted for according to their true substance. In other words, transactions with related parties may not be the same as “arm’s-length” transactions between independent and unrelated buyers and sellers or borrowers and lenders. For example, a company may loan money to an affiliated company, but have no scheduled terms for how or when the money will be paid back. Should this be accounted for as a loan? Is that the true substance of the transaction? If related party transactions are not accounted for properly, then one or more material misstatements could occur in the financial statements. AU-C 550 Related Parties and AS 2410 Related Parties provide audit guidance associated with related party transactions and disclosures. During the risk assessment phase, the objective of the auditors is to gain an understanding of a client’s related party relationships and transactions. The audit team should gain an understanding of the client’s procedures for identifying related parties, authorizing transactions with related parties, and disclosing the relationships and transactions in the financial statements. The client should have internal controls in place to ensure related parties are identified and disclosed. Discussion among audit team members should include an emphasis on maintaining professional skepticism and considering how related parties may be involved in fraud. The existence of related parties is a fraud risk factor because fraud may be more easily committed among related parties (see the section “Opportunities to Perpetrate a Fraud” in Chapter 3). For example, transactions between the client and a known business partner of a key manager could be arranged for the purpose of misappropriating (stealing) assets. Another example would be a major stockholder paying back a loan at period end, but the client lending the same amount of money back to the stockholder shortly after period end. This is a scheme referred to as “period-end window dressing.” Auditors use specific procedures to confirm related parties that have been identified by management and to identify additional related parties that management’s processes may not have identified. Some common procedures used by auditors to identify related parties are listed in Illustration 4.9. Note these procedures are used during risk assessment and throughout the remaining phases of the audit. Auditors should always be mindful of potential related parties because client circumstances could change and new relationships could be created at any time during the client’s year. Auditors should document all identified related parties and the nature of the relationships. If any of the related party relationships or transactions are identified as posing a significant risk of material misstatement, auditors will plan to gather more evidence or adjust audit procedures, as needed, during the risk response phase of the audit.

  Corporate Governance  4-23

Procedures to identify related parties: •  Obtain a listing of related parties from management.

illustration 4.9   Procedures used by auditors to identify related parties

•  Read minutes of the board of directors’ meetings. •  Review client filings with the SEC, if applicable. •  Read contracts or other agreements related to significant unusual transactions. •  Review life insurance policies purchased by the client. •  Review conflict-of-interest statements from management. •  Review shareholder registers to identify the principal shareholders. •  Review correspondence from the client’s advisors, such as attorneys or consultants. •  Obtain a listing of the trustees of pension plans and other trusts for the benefit of employees.

Audit Reasoning Example  Related Parties Juan is assigned to the audit of MED Inc., a new client that manufactures medical supplies made from fabrics, such as bandages, blankets, and head caps, for newborn babies. Throughout the year, MED Inc. hires temporary workers as needed to meet demand when customers place large or unexpected orders. MED Inc. uses the services of three personnel agencies to find temporary workers and pays finder’s fees to the personnel agencies. While reviewing the amounts paid to the three personnel agencies, Juan notices that one agency is being paid considerably more than the other two. Juan meets with the controller, Amanda, to gain a better understanding of the transactions with the personnel agencies. Amanda says, “The primary agency we use is Any Time Workers. The agency opened last year, and it’s actually owned by the wife of our VP of Operations. She has done a great job keeping us supplied with workers so we can keep up with demand.” Back at his desk, Juan documents his conversation with Amanda and notes this is a related party situation. What potential risks are created by this situation? First, there is a disclosure risk. The audit team must ensure that MED Inc. is disclosing the related party and the transactions. Second, the existence of related party transactions is a fraud risk factor. Could the payments to MED Inc. be a misappropriation of assets? Is MED Inc. paying Any Time Workers above-market prices for its services, or paying for services it has not actually received? Could inflated payments represent additional compensation for the VP of Operations, via his wife’s company, to avoid payroll tax expenses associated with making bonus payments? This type of thought process is an example of Juan using professional skepticism. He will keep these risks in mind when planning the audit procedures related to the transactions with the personnel agencies.

Before You Go On 4.1  What is a related party? Provide at least two examples. 4.2  Why is an auditor interested in identifying related parties during the risk assessment phase of an audit? 4.3  Are procedures to identify related parties only performed during risk assessment? Explain.

Corporate Governance Lea rning Objective 5 Describe common corporate governance structures and how they impact the auditor’s risk assessment. Corporate governance refers to the people, systems, and processes within companies used to ensure that companies are well-managed and that, among other things, risks are identified

corporate governance  refers to the people, systems, and processes within companies used to ensure that companies are well-managed and that risks are identified and controlled by management and entity personnel

4-24  C h a pte r 4  Risk Assessment Part II: Understanding the Client board of directors  a group that represents the shareholders and is responsible for ensuring the company is being run to benefit the shareholders executive directors  employees of the company who also hold a position on the board of directors non-executive directors  board members who are not employees of the company; their involvement on the board is limited to preparing for and attending board meetings and relevant board committee meetings

and controlled by management and entity personnel. In publicly traded companies, the group responsible for overseeing management is the board of directors. The board of directors represents the shareholders and is responsible for ensuring the company is being run to benefit the shareholders. The board of directors will hold meetings at least once a quarter, but will meet more often as needed. A board is comprised of a mixture of executive and non-executive directors. Executive directors are also part of the company’s management team, and they are fulltime employees of the company, such as the Chief Executive Officer (CEO) and the Chief Financial Officer (CFO). Non-executive directors are not part of the company’s management team, and their involvement is limited to preparing for and participating in board meetings and relevant board committee meetings. The audit partner will meet with members of the board when necessary throughout the audit. Illustration 4.10 depicts the composition of the board of directors and serves as a reference for the remaining discussion of corporate governance. Board of Directors

ILLUSTRATION 4.10  

Composition of a board of directors

Executive directors

Non-executive directors

Audit committee Direct communication Auditors

audit committee  a committee of the board of directors responsible for oversight of internal controls, financial reporting and disclosure in the financial statements, regulatory compliance, and the company’s independent auditors those charged with governance  persons with responsibility for overseeing the strategic direction of the entity and the obligations related to the accountability of the entity

During risk assessment, auditors gain an understanding of a client’s corporate governance structure. It is important that the board of directors has a mixture of executive and non-executive members. The executive members have a deeper understanding of the company and its workings, which is why auditors meet with executive directors, such as the CFO, throughout the audit. The non-executive members may be better representatives of shareholders as they are not company employees and can be more impartial in their strategic decision-making. Ideally, non-executive directors should be somewhat independent of the company and be objective and knowledgeable about the industry and financial reporting. The presence of non-executive board members helps to reduce the risk of material misstatement because they provide oversight of top-level management decisions, such as the amount of dividends declared, plans for significant asset purchases, purchases and sales of major investments, and major agreements with other companies. The auditor reads minutes of board meetings to learn about these key decisions regarding the strategic direction of the company. Boards of larger entities will also have a series of committees made up of various, but not all, members of the board. It is the role of these committees to efficiently deal with specific important issues. The main board committee the auditors interact with is the audit committee. The audit committee is responsible for overseeing the accounting and financial reporting processes of the company and the audit of the financial statements. While ultimate responsibility for the financial reporting process rests with the full board, an audit committee can improve the efficiency of achieving this goal. Some private companies may not have an audit committee or even a board of directors. In that case, auditors should communicate with those charged with governance. Those charged with governance are individuals with the responsibility for overseeing the strategic direction of the entity and the obligations related to the accountability of the entity, including the financial reporting process. Those charged with governance may include management personnel, such as executive members of a governance board or an owner-manager (AU-C 260.06). For public companies, SOX has specific requirements for the composition and duties of the audit committee. These specific requirements are listed in Illustration 4.11. AS 1301 Communication with Audit Committees requires that auditors establish an understanding with the audit committee regarding the terms of the audit engagement and then document that understanding in the engagement letter. Auditors should meet with the audit committee before the engagement starts to discuss the auditor’s responsibilities, significant accounting policies, and other issues. If the audit committee has concerns over a certain area of the entity, the audit committee members can request that auditors perform specific procedures such as conducting special investigations or visiting specific locations of the client company. These requested activities would be in addition

  Corporate Governance  4-25

to the audit teams’ planned procedures, and not restrict the scope of the auditor’s planned procedures. PCAOB and ASB standards also require that auditors communicate important details about the audit to the audit committee during or towards the conclusion of the audit. These required communications will be discussed in Chapter 14. SOX requirements and duties for audit committees of public companies: •  Audit committee members must be independent members of the board of directors, not executive directors or otherwise affiliated with the issuer. •  Audit committee members cannot accept consulting or advisory fees from the issuer, beyond the normal director compensation.

ILLUSTRATION 4.11   Sarbanes-Oxley Act of 2002, Section 301: Public company audit committees and Section 407: Disclosure of audit committee financial expert

•  At least one audit committee member must be a “financial expert” as evidenced through education or work experience. •  The audit committee is responsible for the appointment, compensation, and oversight of the auditors. •  Auditors report directly to the audit committee, and the audit committee is responsible for resolving any disagreements between management and auditors over financial reporting. •  The audit committee establishes procedures for receiving complaints regarding accounting or internal control matters of the company, including receipt of anonymous complaints from employees. •  The audit committee has authority to engage legal counsel if necessary.

Professional Environment  Recruiting for an Audit Committee The passing of the Sarbanes-Oxley Act of 2002 significantly changed the landscape of corporate governance. In particular, the audit committee has taken on more responsibility in areas such as whistle-blowing, auditor oversight, and internal controls over financial reporting. The increased duties of the audit committee are making it more challenging for companies to find qualified candidates to serve on audit committees. In December 2015, the chairwoman of the Securities and Exchange Commission, Mary Jo White, was speaking to the American Institute of CPAs in Washington, D.C. She stated, “Just meeting the technical requirements of financial literacy may not be enough to fully understand the financial reporting requirements or to challenge senior management on major, complex decisions. I have growing concerns about the amount of work required of some audit committees.”3

As the requirements for the audit committee position have increased, the supply of qualified individuals has decreased. With increased workloads for audit committee members, potential candidates are reluctant to serve on multiple boards as they have done in the past. Some companies are enlisting the help of search firms to find qualified candidates and are trying to be more creative with potential recruits. The typical “go-to” candidate for an audit committee member would be a retired CFO or retired auditor. However, there are plenty of other qualified candidates, but it may take more effort to find them. In fact, finding candidates that are not the typical audit committee candidate could have a positive effect by bringing more diversity to the audit committee. Committee members with more diverse backgrounds could bring different perspectives to the group and could be willing to ask different questions.

Cloud 9 - Continuing Case The partner, Jo Wadley, and manager, Sharon Gallagher, are working on the task of assessing the quality of corporate governance at Cloud 9. Typically, the most senior people on the audit team talk to the client’s senior people. However, the work done by Suzie, Ian, and others on the audit team will also inform the

assessment of Cloud 9’s corporate governance quality because lower-level workers often have some interesting stories to relate about how things really work at a company. Suzie will be thinking about these issues when she visits the client’s premises next week.

Before You Go On 5.1  What is the purpose of a board of directors? 5.2  What is the difference between executive directors and non-executive directors? 5.3  According to SOX, what are some duties of the audit committee of the board of directors?

3

R. Teitelbaum and K. Johnson, “Boards Face Recruiting Challenges,” Wall Street Journal (December 14, 2015), www.wsj.com.

4-26  C h a pte r 4  Risk Assessment Part II: Understanding the Client

Internal Control and Information Technology Lea rning O bjective 6 Explain how a client’s internal control and information technology (IT) can affect risk.

information technology (IT)  the use of computers to process, record, and store financial reporting data and other information

According to AU-C 315, auditors must gain an understanding of the client’s system of internal controls. The concept of control risk was discussed in Chapter 3. Recall that if strong internal controls exist at the account or assertion level, then auditors may adopt a reliance on controls approach and perform less extensive substantive testing. However, if the internal controls are weak at the account or assertion level, then auditors will rely less on internal controls and adopt a substantive approach. An in-depth discussion of the specific procedures used by auditors to gain an understanding of a client’s system of internal controls is covered in Chapter 6. Auditors also consider the particular risks faced by the client associated with information technology (IT). IT is a part of most companies’ accounting processes, which include transaction initiation, recording, processing, correction as needed; transfer to the general ledger; and compilation of the financial statements. AU-C 315 and AS 2110 require that auditors gain an understanding of the client’s IT system, the associated risks, and related controls. Risks associated with IT include unauthorized access to computers, software, and data; errors in applications; lack of backup; and loss of data. Unauthorized access to data can occur when there is insufficient security or poor password protection procedures. Unauthorized access can result in data being lost or distorted. Unauthorized access to application software can result in either fraud or misstatements in the financial statements. Access can be limited in a number of ways, including security protocols (such as locked doors) and frequent changes of passwords. Errors in programming can occur if applications are not tested thoroughly. It is important that new applications and changes to applications are tested extensively before being put into operation. Errors can also occur if mistakes are made when writing an application or if applications are deliberately changed to include errors. Deliberate changes may be made by staff or outsiders who gain unauthorized access to a client’s IT system. For example, unhappy staff may purposefully change an application, causing errors to embarrass their boss or to perpetrate fraud. Therefore, it is important that access be limited to authorized staff. Errors can also occur if application changes are not processed on a timely basis. Applications may need to be changed due to changes in sales prices, updating of discounts being offered to customers, and so on. It is important that these changes be made by authorized personnel on a timely basis to avoid errors and that there are appropriate controls over such changes. New applications can be purchased “off the shelf” from a software provider or developed internally by a client’s staff. When a client purchases a general-purpose application off the shelf, there is a risk it will require modification to suit the client’s operations, which can lead to errors. An advantage of purchasing general-purpose applications from reputable companies is they will have been tested before being made available for sale. In contrast, when a client’s staff develops an application, the application is more likely to have the features required, but there is a risk of errors if the application is written by inexperienced staff or it is not adequately tested before being put into operation. When a client installs a new IT system, there are a number of risks, such as the risk the system may not be appropriate for the client and its reporting requirements. After installation, there is the risk that data may be lost or corrupted when transferring information from an existing system to the new system, or the risk that the new system does not process data appropriately. There is the risk that client staff are not adequately trained to use the new system effectively. It is important that a client has appropriate procedures for selecting new IT systems, changing from an existing system to a new system, training staff in using the new system, and ensuring that a new system includes embedded controls to minimize the risk of material misstatement. An in-depth discussion of IT controls is presented in Chapter 6. At the risk assessment phase, and as part of assessing control risk, it is important for auditors to identify significant risks, as well as any controls that mitigate those risks.

  Closing Procedures  4-27

Cloud 9 - Continuing Case Suzie explains to Ian that her experience in the clothing and footwear industry has taught her to be very inquisitive about the systems used to manage orders. She has seen a few clothing businesses fail because they could not get their goods to retail outlets in time. Fashion is such a fickle market that even being a few weeks late means stores run out of inventory, and when inventory does arrive, stores have to discount it to sell it. After this occurs a

couple of times, retailers turn to more reliable suppliers, even if the designs aren’t as imaginative. Suzie has heard that Cloud 9 is very reliant on inventory management software developed internally. Because it is not a widely used package, she does not know anything about it and is concerned about its ability to provide reliable data. Suzie and Ian decide to allocate extra time to assessing the reliability of this software.

Before You Go On 6.1 What are some of the risks associated with the use of IT? Explain the risks and develop an example of how they might be controlled. 6.2 What are two common sources of new application software? What risks are present when an entity introduces a new application and how might those risks be controlled?

Closing Procedures Lea rning Objective 7 Discuss how client closing procedures can affect risk and a client’s reported results. Auditors also consider the adequacy of the client’s closing procedures. If the client’s closing procedures are weak, there is increased risk that revenues and expenses will not be recorded in the proper period, which can lead to material misstatements on both the income statement and balance sheet of two consecutive periods. Revenue and expense items must include all transactions that occurred during the accounting period and exclude transactions that relate to other periods. Asset and liability balances must include all relevant items, accruals must be complete, and contingent liabilities must accurately and completely reflect potential future obligations. Auditors are concerned that transactions and events have been recorded in the correct accounting period. The client should have controls in place to ensure the closing procedures are performed correctly. A common risk is that management may override controls when preparing adjusting and allocating entries, especially if management is under pressure to meet certain earnings targets. Oversight of this process is the responsibility of those charged with governance. It is the responsibility of auditors to assess the internal controls over the closing procedures. Auditors must determine the risk associated with the client’s closing procedures. In addition to the annual financial statements, clients prepare monthly, quarterly, and/or semiannual financial statements for internal and/or external purposes. Auditors can review these statements to assess the accuracy of the client’s closing procedures. If there are significant issues, where closing procedures are inadequate and transactions are not always recorded in the appropriate reporting period, auditors will plan to spend more time conducting detailed testing of transactions and balances around year-end. There are a number of ways auditors can assess the adequacy of their client’s closing procedures. Clients that prepare financial statements monthly are more likely to have

closing procedures  processes used by a client when finalizing the accounts for an accounting period

4-28  C h a pte r 4  Risk Assessment Part II: Understanding the Client

well-established closing procedures than clients that prepare financial statements only annually. Auditors verify the accuracy of accrual and deferral calculations around year-end and look at earnings trends to assess whether the reported income is in line with similar prior-year periods (months or quarters). For example, revenues are generally higher for an ice-cream seller in warmer months, and wages are generally higher during months when extra staff are hired to help with the increased activity. If auditors believe the client is under pressure to report strong results, there is risk that revenues earned after year-end may be included in the current year’s income and expenses incurred before year-end may be excluded. Alternatively, if auditors believe their client is under pressure to smooth its income and not report any unexpected increases, there is risk that revenues earned just before year-end will be excluded from current income and expenses incurred after year-end will be included. In both cases, auditors will perform procedures to confirm that transactions are recorded in the appropriate ­accounting period.

Audit Reasoning Example  Period-End Closing Entries at WorldCom A summary of the WorldCom scandal was provided in Chapter 2. The WorldCom case is an excellent example of the importance of gaining an understanding of the pressures faced by the client, the corporate governance structure, and the client’s closing procedures. WorldCom was under significant pressure to increase its stock price, which translated to incentive for management to commit fraud. Scott Sullivan, the CFO, saw an opportunity to perpetrate fraud through quarter-end journal entries. As the CFO, Scott used his authority to instruct his accounting staff to make entries that resulted in capitalizing costs on the balance sheet that should have been expensed on the income statement. There was no accounting justification for the entries. Who was supposed to have oversight of the closing process? Since WorldCom was a public company, the audit committee should have had oversight of the closing process because closing entries impact the financial statements as a whole. During the years the fraud was occurring, were the members of the audit committee fulfilling their duties? Were they asking for verification and explanation of the period-end entries? If they were, what type of information and documentation was Scott providing them? Was the audit committee being skeptical or overly trusting of Scott? These same questions can be directed at Arthur Andersen, WorldCom’s external auditor. Were the auditors fulfilling their duties by gaining an understanding of the client’s processes for period-end closing entries? Were the auditors using professional skepticism when interviewing Scott and other accounting staff? Most likely, the answer is “no.”

Cloud 9 - Continuing Case The partner, Jo Wadley, has learned of pressure on Cloud 9’s management to increase revenue by 3% this year. Jo is also aware of cost increases associated with a new store and sponsorship deals. Jo believes this places additional pressure on

Cloud 9’s management to meet targets resulting in additional risks for closing procedures and has instructed Josh to allocate additional time to auditing closing procedures on the Cloud 9 audit.

Before You Go On 7.1  Explain how an auditor can assess the risk associated with the client’s closing procedures. 7.2 What is the particular risk when an auditor believes that the economy has taken a downturn and the client has an incentive to overstate poor results to improve the picture for future periods?

  Key Terms Review  4-29

Learning Objectives Review 1  Apply procedures to gain an understanding of the client. An auditor will need to gain an understanding of the client to aid in the risk assessment process. This process involves consideration of issues at the entity level, the industry level, and the broader economic level. At the entity level, an auditor will identify the client’s major customers, suppliers, and stakeholders (that is, banks, shareholders, and employees), significant accounts and classes of transactions, who the client’s competitors are, the capacity of the client to adapt to changes in technology, and compliance with applicable laws and regulations. At the industry level, an auditor is interested in the client’s position within its industry. At the economic level, an auditor will assess how well-positioned the client is to cope with current and changing government policies, regulations, laws, and economic conditions.

unrelated buyers and sellers or borrowers and lenders. In addition, related party transactions are considered a fraud risk factor because fraud may be more easily committed between related parties. Auditors perform procedures to confirm related parties that have been identified by management and to identify additional related parties that management’s processes may not have identified. If any of the related party relationships or transactions are identified as posing a significant risk for material misstatement, the auditors will plan to gather more evidence or adjust audit procedures, as needed, during the risk response phase of the audit. 5  Describe common corporate governance structures

and how they impact the auditor’s risk assessment.

The different ways that clients measure their own performance was reviewed in this chapter to highlight that, by understanding how a client measures its own performance, the auditors can plan their audit to take into consideration areas where their client may be under pressure to achieve certain outcomes. This helps the auditors identify accounts and classes of transactions likely to be misstated.

Corporate governance refers to the people, systems, and processes within companies used to ensure that companies are well-managed and that, among other things, risks are identified and controlled by management and entity personnel. In publicly traded companies, the group responsible for overseeing management is the board of directors. The board of directors is composed of executive and non-­ executive members. The audit committee, composed of non-executive members of the board, is responsible for overseeing the accounting and financial reporting processes of the company and the audit of the financial statements. The audit committee is tasked with hiring the auditors, and the auditors must communicate with the audit committee as needed and as required by standards and regulations.

3  Demonstrate how auditors use analytical proce-

6  Explain how a client’s internal control and informa-

2  Explain how clients measure performance and how it

impacts the auditor’s risk assessment.

dures when assessing risk, including the use of audit data analytics.

Analytical procedures are conducted at the risk assessment phase of the audit to identify unusual fluctuations, help identify risks when gaining an understanding of a client, identify the accounts at risk of material misstatement, and reduce audit risk by concentrating audit effort where the risk of material misstatement is greatest. Many processes can be used when conducting analytical procedures. The processes discussed in this chapter include comparisons, trend analysis, common-size analysis, and ratio analysis. 4  Define related party transactions and explain how

they affect the auditor’s risk assessment.

A related party is an affiliate, principal owner, manager, or other party that is not independent of the client. Financial reporting frameworks, such as GAAP, require that companies disclose related party relationships and transactions. Transactions with related parties may not be at the same “arm’s length” as transactions between independent and

tion technology (IT) can affect risk.

Auditors must gain an understanding of a client’s internal controls to assess control risk and develop an audit strategy. They must also identify risks associated with information technology, such as unauthorized access to software applications or data, errors in programming, and inadequate testing of new or changed systems. During the risk assessment phase of the audit, the auditors will assess the likelihood that the client’s financial statements are misstated due to limitations of its IT system. 7  Discuss how client closing procedures can affect risk

and a client’s reported results.

There are a number of risks associated with a client’s closing procedures. Closing procedures are the processes used by a client at monthend, quarter-end, or year-end to ensure that appropriate adjusting entries are made and transactions are recorded in the appropriate accounting period. From an audit perspective, the auditor should determine the risk that a material misstatement may occur during the client’s closing procedures.

Key Terms Review Ability of cash flow from operations to cover   current debt and dividends Acid-test (quick) ratio Analytical procedures

Audit committee Audit data analytics (ADA) Board of directors Cash earnings per share (CEPS) ratio

Closing procedures Common-size analysis Corporate governance Current ratio

4-30  C h a pte r 4  Risk Assessment Part II: Understanding the Client Debt-to-equity ratio Direct and material effect Earnings per share (EPS) ratio Entity-level risk Executive directors Gross operating cycle Gross profit margin Illegal acts Indirect effect Information technology (IT)

Inventory turnover in days Key performance indicators (KPIs) Liquidity Net operating cycle Non-executive directors Payables turnover in days Price–earnings (PE) ratio Profitability Profit margin Receivables turnover in days

Related party Return on assets (ROA) ratio Return on stockholders’ equity (ROE) ratio Solvency Sustainable cash flow from operations Sustainable free cash flow Those charged with governance Times-interest-earned ratio Transaction-level risk Trend analysis

Audit Decision-Making Example Background Information Your client, Baldwin Industries, manufactures personal computers, tablets, and cell phones. Baldwin Industries has positioned itself to be very price competitive and, as a result, sales have grown by 50% over the last two years. At the beginning of the current fiscal year, the board of directors approved a new compensation structure for all high-level and executive-level employees, such that bonuses are based on the company’s sales growth and profit margins. In the fourth quarter of the current fiscal year, Baldwin Current Year Unaudited Current ratio Quick ratio Debt to equity Sales to total assets % Profit before tax to sales Return on assets Return on equity Accounts receivable turnover in days Inventory turnover in days Gross operating cycle Accounts payable turnover in days Net operating cycle

released a new cell-phone product about four months ahead of schedule to be the first to market with new technologies, despite having three months of inventory on hand of the current model. The results of analytical procedures performed in planning the audit are below. Given this information, explain the inherent risk factors and risks of material misstatement that are present in the audit. Be specific about the potential misstatements that may be present and connect the risk factors to the potential misstatements identified.

Prior Year Audited

4.82 3.37 .21 1.34 12.3% 16.5% 19.8% 86.4 180.0 266.4 22.0 244.5

5.50 3.09 .16 1.16 5.7% 6.7% 7.0% 74.8 169.4 244.2 27.6 216.6

Second Prior Year Audited 5.56 2.96 .15 1.12 6.3% 7.31% 7.9% 76.2 166.3 242.5 29.1 213.4

Prior Year Industry Median 5.61 2.94 .21 1.10 7.3% 8.0% 9.9% 69.9 152.4 222.3 33.6 188.7

Second Prior Year Industry Median 5.64 2.89 .19 1.08 9.1% 9.8% 11.9% 75.3 160.6 235.9 30.8 205.1

Identify the Audit Issue

f.  Inventory turnover in days is increasing.

Identify specific inherent risks or risks of material misstatement in the audit of Baldwin Industries. Show the logic between the risk factors and the risks of material misstatement identified.

g.  Accounts payable turnover in days is decreasing.

Gather Information and Evidence Specific risk factors identified include: a. Compensation has changed for high-level and executivelevel employees to reward increases in sales and profit margin. b. Baldwin has recorded significant sales growth over the last two years (50%). c. Baldwin released a new product with new technology when it had significant levels of the existing product on hand. d.  The industry is very price-competitive. e.  Accounts receivable turnover in days is increasing.

h. In the current year, Baldwin has recorded significant ­increases in sales, profit margins, return on assets, and return on equity. i.  Profit margins are stronger than the industry medians.

Analysis and Evaluation of Alternatives Following is an analysis of the risk factors identified above: a. Changes in compensation may increase the risk that managers might push the limit on accounting issues or engage in fraudulent financial reporting to secure better compensation. b. The sales growth experienced over the last two years combined with the slower collection period (e) may indicate revenue-recognition problems.

  Multiple-Choice Questions  4-31 c., d. Releasing the new product to the market in a price-­ competitive industry (d) with significant quantities on hand of the old product increases the risk that the older product may not be sold at a price that will recover the cost of inventory on hand. This might require write-downs of the value of inventory on hand. e. The slower collection period may indicate an increased risk of collectibility of receivables. f. Slower inventory turnover in days may indicate inventory obsolescence or lower-of-cost-or-net-realizable-value problems with older models without new technology features. g. Decreasing accounts payable turnover in days may indicate potential for unrecorded liabilities and unrecorded expenses. h. Sales growth may be the result of premature revenue recognition (see b above). Improved profit margin could be the result of potential unrecorded liabilities. i. Strong profit margins may be the result of unrecorded ­expenses and liabilities.

Conclusions Regarding Inherent Risk and Risk of Material Misstatement The following risks are considered significant (before considering any internal controls that may mitigate these risks): •  Revenue recognition problems may exist based on the increase in sales to total assets, the increase in accounts receivable turnover in days, and the incentive for managers to increase compensation based on sales. •  Inventory may have a lower-of-cost-or-net-realizable-value problem because Baldwin released new technology while it still had significant inventories of the older technology and because of the increase in inventory turnover in days. •  There may be a completeness problem with both liabilities and expenses as evidenced by the decrease in accounts payable turnover in days and the increase in the company’s profit margins. •  There may be problems with the adequacy of the allowance for doubtful accounts based on the increase in accounts receivable turnover in days.

CPAexcel CPAexcel questions and other resources are available in WileyPLUS.

Multiple-Choice Questions 1.  (LO 1)  When gaining an understanding of the client, the auditor will consider: a.  related party identification. b.  the appropriateness of the client’s system of internal controls to mitigate identified business risks. c.  controls over the technology used to process and store data electronically. d.  All of these answer choices are correct. 2.  (LO 1)  When gaining an understanding of the client, the auditor will identify the geographic location of the client because: a.  more centralized clients are harder to control. b.  the auditor will only visit one location to assess processes and procedures. c.  the auditor may plan to use staff from affiliated offices to visit overseas locations. d.  more decentralized clients are easier to control. 3.  (LO 1)  When gaining an understanding of the client’s sources of financing, the auditor: a.  is not interested in debt covenants because most debt contracts are the same. b.  ignores the relative reliance on debt versus equity funding because that is a management decision, not an audit issue. c.  determines if the client is meeting principal and interest payments when they are due.

d.  determines if the client is writing off uncollectible accounts receivable. 4.  (LO 1)  When gaining an understanding of the client at the industry level, the auditor will: a.  consider the level of demand for the goods provided by companies in the industry. b.  determine if the client has centralized or decentralized operations. c.  assess the amount of faulty goods the client returns to suppliers. d.  determine if the client has a simple or complex capital structure. 5.  (LO 2)  Companies use profitability measures to assess performance and to: a.  assess their ability to compete. b.  maintain consistency in operations each month. c.  measure their ability to pay short term debts on time. d.  measure their ability to pay long term debts on time. 6.  (LO 3)  Common uses of analytical procedures include all of the following except: a.  risk identification during the risk assessment stage. b.  testing account balances derived from estimates during the risk response stage. c.  overall assessment of financial statements at the final review stage of the audit. d.  test of internal controls.

4-32  C h a pte r 4  Risk Assessment Part II: Understanding the Client 7.  (LO 3)  Analytical procedures: a.  cannot be performed on interim data. b.  a re not affected by different accounting methods between the client and other members of the industry. c.  must take into account seasonal variation in the client’s business. d.  are only useful if the client’s variation from budget is low. 8.  (LO 4)  Which of the following statements is false regarding related parties? a.  Management should have controls in place for identifying related parties. b.  R  elated party transactions do not have to be disclosed if they are conducted at “arm’s length.” c.  A subsidiary company is considered a related party. d.  The presence of related parties is considered a fraud risk ­factor. 9.  (LO 5)  An audit committee of a publicly traded company should be composed of: a.  executive and non-executive members of the board of directors.

b.  the CFO and two other board members who are also shareholders. c.  the audit partner, the CFO, and a shareholder. d.  m  embers of the board of directors who are independent directors. 10.  (LO 6)  Risks of material misstatement that are associated with a client’s IT system include all of the following except: a.  failure to accrue for a contingent liability. b.  a terminated employee who is still able to log on to the client’s IT system. c.  the installation of new software that still needs modifications to operate as needed. d.  no schedule for backing up data. 11.  (LO 7)  Client closing procedures: a.  are routine transactions that do not impact audit risk. b.  are the responsibility of those charged with governance who must ensure that transactions are recorded in the correct accounting period. c.  affect expense accounts only. d.  affect balance sheet accounts only.

Review Questions R4.1  (LO 1)  Explain the importance of the risk assessment phase of a financial statement audit.

of these explanations is the most likely cause of the change in the ratio?

R4.2  (LO 1)  List and briefly explain the key factors the auditor would consider during risk assessment.

R4.7  (LO 3)  What is a time-series analysis? How could it be useful to an auditor?

R4.3  (LO 1)  When gaining an understanding of a client, an auditor will be interested in an entity’s relationships with both its suppliers and customers. What aspects of these relationships will the auditor be interested in and how would they affect the assessment of audit risk?

R4.8  (LO 4)  Why is it important to maintain professional skepticism when gaining an understanding of related party transactions?

R4.4  (LO 2)  What is the difference between liquidity and solvency? Why does this difference matter to an auditor?

R4.10  (LO 5)  Why is it important that an audit committee not have any executive directors as members?

R4.5  (LO 3)  Explain, using examples, how you could use analytical procedures in assessing the risk of material misstatement of sales revenue.

R4.11  (LO 6)  Why does an auditor need to understand a client’s IT system? Explain how IT affects the financial statements.

R4.6  (LO 3)  What are some possible explanations of a change in the gross profit margin? How could the auditor investigate which

R4.9  (LO 5)  Do only publicly traded companies have good corporate governance? Explain.

R4.12  (LO 7)  Create an example of a client closing procedure. Using your example, analyze the accounts that would be affected if the closing procedure is performed inadequately.

Analysis Problems AP4.1  (LO 1)  Basic   Risk assessment  Michael has drafted an audit plan for a new client. The client is Countrywide Capers, a party supplies rental business. Countrywide Capers earns 80% of its revenue from renting marquees, tables and chairs, lights, and other party equipment and 20% from sales of disposable tableware, utensils, napkins, and tablecloths. Michael’s plan shows that audit time is divided to reflect this revenue pattern (that is, 80% of the audit time is spent on the rental business and 20% of the time is spent on the retail business). Michael believes that the significance of the revenue activities should be the only driver of the audit plan because the client has no related parties and has a simple, effective corporate governance structure.

Required What questions would you have for Michael before accepting his audit plan?

 Analysis Problems  4-33 AP4.2  (LO 1)  Moderate   Understanding the client and its risks—risk assessment  Ivy Brown is preparing a report for the engagement partner of an existing client, Scooter Inc., an importer of scooters and other low-powered motorcycles. Ivy has been investigating certain aspects of Scooter’s business given the change in economic conditions over the past 12 months. She has found that Scooter’s business, which experienced rapid growth over its first five years in operation, has slowed significantly during the last year. Initially, sales of scooters were boosted by good economic conditions and solid employment growth, coupled with rising gas prices. Consumers needed transportation to get to work and the high gas prices made the relatively cheap running costs of scooters seem very attractive. In addition, the low purchase price of a small motorcycle or scooter, at between $3,000 and $8,000, meant that almost anyone who had a job could obtain a loan to buy one. However, Ivy has found that the sales of small motorcycles and scooters have slowed significantly, and all importers of these products, not just Scooter, are being adversely affected. The onset of an economic recession has restricted employment growth and those people who still have jobs are less certain of continued employment. In addition, the slowdown in the world economy has made gas prices fall, further reducing demand for this type of economical transportation. Ivy has also discovered that, due to the global financial crisis, the finance company used by Scooter’s customers to finance the purchase of scooters and motorcycles has announced that it will not be continuing to provide loans for any type of vehicle with a purchase price of less than $10,000.

Required a.  Identify industry and business environment issues that potentially impact the audit of Scooter Inc. b.  Evaluate how industry and business environment issues can impact risk assessment by identifying specific financial statement risks and related accounts that would require closer examination. AP4.3  (LO 1)  Moderate   Research   Noncompliance with laws and regulations   As part of your intern training at a large public accounting firm, you have been asked to conduct research about audit procedures related to client noncompliance with laws and regulations. You will report the findings of your research to the other interns in your training class.

Required Access the Clarified Statements on Auditing Standards at the AICPA website (www.aicpa.org). Navigate to AU-C 250 and answer the following questions: a.  What might be indicators that a client has committed an illegal act? b.  What are some specific procedures the auditor can use to obtain an understanding of an identified or suspected illegal act? c.  In what situations might an auditor have a duty to notify external parties about a client’s noncompliance with laws and regulations? AP4.4  (LO 1, 3)  Basic   Understanding the client  The audit team is preparing to audit a new client in the fashion industry. The client imports garments from manufacturers in several Asian countries and retails them in a chain of shops located throughout the United States. You have access to the following information for the client: a.  Prior period financial statements. b.  Anticipated results for the current year. c.  Industry averages.

Required Discuss how you would use the information to understand your new client. AP4.5  (LO 2, 3)  Moderate   Planning analytical procedures using profitability ratios   Li Chen has calculated profitability ratios using data extracted from his client’s pre-audit trial balance. He also has the values for the same ratios for the preceding two years (using audited figures). The data for the gross profit and profit margins are:

Gross profit margin Profit margin

2022

2021

2020

45%

35% 15%

40% 20%

9%

Li is a little confused because the profit margin shows declining profitability but the gross profit margin has improved in the current year and is higher in 2022 than in the previous two years.

4-34  C h a pte r 4  Risk Assessment Part II: Understanding the Client

Required a.  Create a list of possible explanations for the pattern observed in the gross profit and profit margins. b. Which of your explanations suggest additional audit work should be planned? For each, discuss the accounts and/or transactions that would need special attention in the audit. AP4.6  (LO 2, 3)  Challenging   Analytical procedures for liquidity and solvency issues   Bright Spark Fashion has retail outlets in six large regional cities in the eastern United States. The shops are run by local managers, but purchasing decisions for all stores are handled by Ray Bright, the owner of the business. Fashion is an extremely competitive business. Bright Spark Fashion sells only for cash and generates sales through a reputation of low prices for quality goods. The winter clothing moves quite slowly, but summer fashion sells very well, providing a disproportionate amount of the business’s sales and profits. Ray is constantly monitoring cash flow and negotiating with suppliers about payment terms and with banks about interest rates and extensions of credit. Jenna Kowalski has the tasks of assessing the liquidity and solvency of Bright Spark Fashion and identifying the audit risks arising from this aspect of the business. She discovers a major long-term debt is due to be retired two months after the close of the fiscal year, but Ray is having difficulty obtaining approval from his current bank for a renewal of the debt for a further two-year term. In addition, interest rates have risen since the last fixed rate was agreed to two years ago, adding an additional 2% to the likely rate for the new debt (if it is approved). The seasonality of the business means that inventory levels fluctuate considerably. At the end of the year (January 31), Ray has placed prepaid orders for the summer fashion and the goods have started arriving in the stores by March.

Required a. What liquidity and solvency issues does Bright Spark Fashion face? Evaluate the likely impact of each issue on liquidity and solvency ratios. b.  Advise Jenna Kowalski about the audit risks for Bright Spark Fashion and propose how she could take these into account in the audit plan. AP4.7  (LO 4)  Moderate   Research   Understanding related party transactions  During the risk assessment phase for a new client, you have been assigned the task of identifying related parties. You need to refresh your memory regarding why identifying related parties is necessary in the audit.

Required Access the Clarified Statements on Auditing Standards at the AICPA website (www.aicpa.org). Navigate to AU-C 550 and answer the following questions: a. What is an “arm’s-length transaction” as defined by the standard? b. Identify examples of how related party relationships and transactions may give rise to higher risks of material misstatement than transactions with unrelated parties. AP4.8  (LO 1, 5)  Moderate   Public Company   Research   Understanding the client and its governance  Ajax Inc. is a public company and a new client of Hawthorne Partners, a medium-sized audit firm. Jeffrey Rush is the engagement partner on the audit and has asked the members of the audit team to begin the process of gaining an understanding of the client, in accordance with AS 2110. One audit manager leads the group investigating the industry and economic factors, and another helps Jeffrey consider issues at the entity level. Jeffrey will hold discussions with members of the audit committee and will discuss a wide range of issues. He has a meeting arranged for next week with the four members of the audit committee, including the chair of the committee, Stella South, who, like the other members of the audit committee, is an independent director.

Required a.  Access AS 2110 at the PCAOB website (www.pcaobus.org). Make a list of the main factors that will be considered by each audit manager’s group. b. Based on the information, can you conclude that Ajax Inc. complies with Section 301 of the Sarbanes-Oxley Act regarding its audit committee? Explain. AP4.9  (LO 6)  Moderate   IT risk assessment  Genesis Physical Therapy has been providing outpatient physical therapy services for 30 years. The owners, Jesse and Janice, have been slow to implement updated technology for the accounting system because it is costly. However, at the beginning of the current year, they decided to install a new patient revenue system. It is an off-the-shelf product that is marketed to the healthcare industry. The auditor asked one of Genesis’ accounting staff for feedback about the new system. The staff member provided the following comments: • “A frequent error has been occurring in which we invoice people who were past patients because they happened to have the same last name as one of our current patients.”

 Analysis Problems  4-35 • “We had a power outage a couple of weeks ago, and we had to re-enter all patient services that had been provided for that week because they had not been saved.” • “When we first starting using the system, we had a significant number of complaints from patients because they were being billed for more than their insurance would allow. We discovered a month later there was an error in the billing calculation formula in the system. We fixed the error and it has been functioning properly.”

Required Evaluate the audit risks associated with the new patient revenue system. AP4.10  (LO 6)  Challenging   Assessing the risks associated with information technology  Shane Woodrow is getting to know his new client Clarrie Potters, a large discount electrical retailer. Shane discovers that toward the end of last year, Clarrie Potters installed a new IT system for inventory control. The system was not operating prior to the end of the last financial year so its testing was not included in the previous audit. The new system was custom-built for Clarrie Potters by a Chicago-based software company by modifying another system it had designed for a furniture manufacturer and retailer.

Required Evaluate the audit risks associated with the installation of the new inventory IT system at Clarrie Potters. AP4.11  (LO 1, 7)  Challenging   Public Company   Impact of closing procedures on performance  Dunks Holdings Inc. (Dunks) is an importer of hardware goods and distributes the goods to hardware retailers around the country. The growth in the do-it-yourself (DIY) market that has accompanied the boom in house prices in most capital cities over the past five years has provided consistent sales growth for both hardware retailers and wholesalers like Dunks. However, the recession, which began last year, has cast doubt on the ability of this sector to keep growing. Some analysts believe the DIY market will not be affected by the recession because in tough economic times home owners increase their “nesting’’ behavior. They spend even more on improving their homes and retreat from outside activities such as vacations, the theater, and restaurants. This view is disputed by other analysts who believe that job losses and general pessimism in the economy will impact adversely on all company profits, including Dunks. Dunks’s share price has fallen over the last year as doubt about its ability to grow its profits in the current year spreads. The CEO and other senior management have large bonuses linked to both share prices and company profitability and there is a mood within the company that achieving sales and profit targets this year is vital to avoid job losses at the company. You have been brought into the audit team for Dunks this year and given the responsibility for auditing Dunks’ closing procedures. Dunks has a monthly reporting system for internal management, but you notice the reports are being issued later in each month this year than they were last year.

Required a.  Evaluate why and how the circumstances described above could affect your risk assessment. b. How would you audit Dunks’ closing procedures? Which potential errors would be of most interest? Explain. AP4.12  (LO 1, 7)  Challenging   Public Company   Research   Annual reports—disclosures  Publicly traded companies are required to make certain disclosures in their annual reports about the compensation paid to their top executives. One reason for this is to help interested stakeholders assess the performance of executives. It also helps boards of directors and companies set appropriate compensation levels based on what other companies in the same industry and/or of the same size are paying their executives. These disclosures are audited.

Required Obtain the annual proxy statements of 10 publicly traded U.S. companies in the same industry. (Hint: Go to www.sec.gov, click on Fast Answers in the Education tab, and then search for an explanation on the required disclosure of executive compensation as a fast way to find the information on the SEC’s website.) Summarize the information on executive compensation and describe the data using graphs and/or tables. Write a report addressing the following questions (justify your responses by referring to the data where appropriate). •  How are the executives paid (cash, bonuses)? •  Which companies’ executives are paid the most and what is the range of pay? • Which companies’ executives’ pay is most linked to the company’s profit and/or stock price performance? (Explain any assumptions you have to make.) • Overall, what do you conclude about how company executives are paid and how clearly the compensation data is reported?

4-36  C h a pte r 4  Risk Assessment Part II: Understanding the Client

Audit Decision Cases King Companies, Inc. Question C4.1 is based on the following case. King Companies, Inc. (KCI) is a private company that owns five auto parts stores in urban Los Angeles, California. KCI has expanded from two auto parts stores to five stores in the last three years, and it plans continued growth. Eric and Patricia King own the majority of the shares in KCI. Eric is the chairman of the board of directors and CEO of KCI, and Patricia is a director as well as the CFO. Shares not owned by Eric and Patricia are owned by friends and family who helped the Kings get started (Eric started the company with one store after working in an auto parts store). To date, Eric has funded growth from an inheritance and investments from a few friends. Eric and Patricia are thinking about expanding by opening three to five additional stores in the next few years. In October 2021, Eric approached your accounting firm, Thornson & Danforth, LLP, to conduct an annual audit of KCI for the year ended December 31, 2022. KCI has not been audited before, but this year the audit has been requested by the company’s bank because of anticipated bank loans and by a new private equity investor that has just acquired a 20% share of KCI. KCI employs 20 full-time staff. These workers are employed in store management, sales, parts delivery, and accounting. About 40% of KCI’s business is retail walk-in business, and the other 60% is regular customers where KCI delivers parts to their locations and bills these customers on account. During peak periods, KCI also uses part-time workers. Eric is focused on growing revenues. Patricia trusts the company’s workers to work hard for the company and she feels they should be rewarded well. The accounting staff, in particular, is very loyal to the company. Eric tells you that the accounting staff enjoys their jobs so much they have never taken any annual vacations, and hardly any workers ever take sick leave. There are two people currently employed as accounting staff, the most senior of whom is Jonathan Jung. Jonathan heads the accounting department and reports directly to Patricia. He is in his late fifties and hopes to retire in two or three years and move away from Los Angeles. Jonathan keeps a close watch on accounting and does many activities himself, including opening mail, cash receipts and vendor payments, depositing funds received, performing reconciliations, posting journals, and performing the payroll function. The second employee, Abby Owens, is a recent college graduate who just passed the CPA exam. Abby is responsible for the payroll functions and posting all journal entries into the accounting system. Jonathan and Abby often help each other out in busy periods. C4.1  (LO 1, 3)  Challenging   Gaining an understanding of a new client  Gather information: You have access to the following information for KCI: 1. Prior period financial statements. 2. Budgets for the current year. 3. Industry comparisons. Plan, in detail, the types of analytical procedures the audit team will use to gain an understanding of KCI.

Mobile Security, Inc. Question C4.2 is based on the following case. Mobile Security, Inc. (MSI) has been an audit client of Leo & Lee, LLP for the past 12 years. MSI is a small, publicly traded aviation company based in Cleveland, Ohio, where it manufactures high-tech unmanned aerial vehicles (UAV), also known as drones, and other surveillance and security equipment. MSI’s products are primarily used by the military and scientific research institutions, but there is growing demand for UAVs for commercial and recreational use. MSI must go through an extensive bidding process for large government contracts. Because of the sensitive nature of government contracts and military product designs, both the facilities and records of MSI must be highly secured. The MSI board of directors consists of 12 members. The CEO and CFO are board members, and the remaining 10 board members are not employees of MSI. One of the board members, who is part of the audit committee, is stepping down next month, so MSI is looking to fill that spot. C4.2  (LO 5)  Moderate   Public Company   Research   Audit committees a. Gather information: As MSI is looking for someone to fill the vacant board position, what requirements must be followed? What characteristics or qualities would be ideal for the board member to have?

 Audit Decision Cases  4-37 b. Gather information: Go to www.pcaobus.org and access AS 1301 Communication with Audit Committees. Discuss specific items the auditors must communicate with the audit committee before the audit begins. (Note: Do not discuss the auditor’s requirements for communicating the results of the audit.)

Brookwood Pines Hospital Question C4.3 is based on the following case. Goodfellow & Perkins LLP is a successful mid-tier accounting firm with a large range of clients across Texas. During 2022, Goodfellow & Perkins gained a new client, Brookwood Pines Hospital (BPH), a private, not-for-profit hospital. The fiscal year-end for BPH is June 30. Goodfellow & Perkins is performing the audit for the fiscal year-end June 30, 2023. BPH provides medically necessary care to patients, regardless of their ability to pay. Both uninsured and underinsured patients are offered discounts of up to 100% of charges based on their income as a percentage of the federal poverty-level guidelines. BPH does not pursue collection of these accounts; therefore, they are not reported in patient service revenue and accounts receivable. The cost of providing the charity care is included in operating expenses. BPH’s investments consist of mutual funds, common equities, corporate and U.S. government debt issues, state and municipal government debt issues, and trusts. A majority of the investments are the result of charitable contributions to the hospital by generous donors. Earnings from the investments are used to cover the costs of the charity care. BPH is also eligible for certain government grants to help cover the costs of the charity care. Selected financial statements and other financial information are provided below. Since BPH operates as a non-for-profit, it reports assets, liabilities, and net assets. (Note: Net assets takes the place of equity since there are no owners.) Brookwood Pines Hospital Statement of Financial Position (in thousands) June 30, 2023

June 30, 2022

$   43,077 22,725 119,380 9,208 2,364 10,740 25,792

$   36,361 49,338 99,962 5,099 1,953 10,056 23,193

233,286

225,962

Long-term investments Property and equipment, net Prepaid pension cost Insurance recoverable, less current portion Other assets, net   Total assets

915,088 576,432 19,760 11,619 31,535 $1,787,720

807,321 538,981 7,248 10,723 28,463 $1,618,698

Liabilities and net assets Accounts payable Accrued salaries and benefits Grants payable, current portion Accrued expenses and other current liabilities Due to third-party payors Current accrued liabilities under self-insurance programs Current maturities of long-term debt Short-term debt Long-term debt subject to short-term refinancing agreements

$   38,431 52,361 6,459 19,209 72,494 15,709 5,040 14,550 0

$   39,547 50,754 8,459 27,380 67,687 14,965 4,928 0 53,132

  Total current liabilities

224,253

266,852

Long-term debt, net, less current maturities Accrued liabilities under self-insurance program, less current portion Grants payable, less current portion Other liabilities

220,796 82,618 13,245 42,669

179,530 82,559 16,489 48,336

  Total liabilities

583,581

593,766 (continued)

Assets Cash and cash equivalents Short-term investments Patient accounts receivable, net Current portion of pledges and grants receivable, net Current portion of insurance recoverable Inventory Other current assets   Total current assets

4-38  C h a pte r 4  Risk Assessment Part II: Understanding the Client

Net assets:   Without donor restrictions   With donor restrictions    Total net assets     Total liabilities and net assets

June 30, 2023

June 30, 2022

1,138,140 65,999 1,204,139 $1,787,720

962,652 62,280 1,024,932 $1,618,698

Brookwood Pines Hospital Statement of Operations Year Ended June 30 (in thousands) Revenue Net patient service revenue Estimated uncollectible accounts Net patient service revenue after estimated   uncollectible accounts Rental and other revenue Net assets released from donor restrictions and   federal and state grants   Total revenue Expenses Salaries and employee benefits Supplies Purchased services Depreciation and amortization Insurance Rent and utilities Repairs and maintenance Interest Texas hospital assessment Other   Total expenses

2023

2022

$791,572 (33,675)

$706,073 (25,810)

757,897 42,727

680,263 41,975

4,541

4,407

805,165

726,645

$377,895 146,172 89,774 47,858 17,430 15,218 14,722 7,351 17,227 21,324

$344,360 126,633 79,391 45,630 18,132 13,935 14,563 8,874 14,081 21,151 754,971

686,750

50,194

39,895

109,212 6,254

25,951 (6,202)

   Operating income Nonoperating gains (losses) Investment return Change in fair value of certain investments Contribution of DeLaune unrestricted net   assets Grants provided Other   Total nonoperating gains, net    Excess of revenues over expenses

0 (3,362) 1,630

64,995 (4,458) (489)

113,734

79,797

$163,928

$119,692

Selected information from the cash flow statement is as follows (in thousands): Item

2023

2022

Net cash provided by operating activities

$63,648

$67,903

Net cash used in investing activities

(60,394)

(75,300)

3,463

3,706

Net cash provided by financing activities

C4.3 (LO 1, 3)  Challenging   Analytical procedures  Analysis: Using BPH’s financial data, perform analytical procedures to gain an understanding of BPH. Conduct a trend analysis, common-size analysis, and ratio analysis. Based on your analysis, document in a memo your understanding of the client, potential problem areas (accounts at risk of material misstatement), and any other special concerns. (Note: Some ratios provided in the text may need to be modified for a not-for-profit organization. If necessary, use the internet for additional research about financial ratios used in the hospital industry.)

 Audit Decision Cases  4-39

Cloud 9 - Continuing Case Part 1: Gain an Understanding of the Client W&S Partners began the planning phase of the Cloud 9 audit. As part of the risk assessment phase for the new audit, the audit team needs to gain an understanding of Cloud 9’s structure and its business environment, determine materiality, and assess inherent risk. This will assist the team in developing an audit strategy and designing the nature, extent, and timing of audit procedures.

considered probable given Cloud 9’s operations. Use the factors listed in Illustrations 4.2 and 4.3 as a guide for your research.

Part 2:  Analytical Procedures Required

Required

Answer the following questions based on the information presented for Cloud 9 in the appendix to this text and the current and earlier chapters. You should also consider your answers to the case study questions in earlier chapters.

Answer the following questions based on the additional information about Cloud 9 presented in the appendix to this text and the current and earlier chapters. You should also consider your answer to the case study questions in earlier chapters where relevant. Your task is to research the retail and wholesale footwear industries and report back to the audit team. Your report will form part of the overall understanding of Cloud 9’s structure and its environment. You should concentrate your research on providing findings from those areas that have a financial reporting impact and are

b. Which specific areas do you believe should receive special emphasis during your audit? Consider your discussion of the analytical procedures results as well as your preliminary estimate of materiality. Prepare a memorandum to Suzie Pickering outlining potential problem areas (that is, where possible material misstatements in the financial statements exist) and any other special concerns.

a. Using analytical procedures and the information provided in the appendix, perform an analysis of Cloud 9’s financial position and its business risks. Discuss the ratios indicating a significant or an unexpected fluctuation.

Chapter 5 Audit Evidence The Audit Process Overview of Audit and Assurance (Chapter 1) Professionalism and Professional Responsibilities (Chapter 2) Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4) Identify Significant Accounts and Transactions Make Preliminary Risk Assessments

Set Planning Materiality

Gaining an Understanding of the System of Internal Control (Chapter 6)

Audit Evidence (Chapter 5)

Develop Responses to Risk and an Audit Strategy

Performing Tests of Controls (Chapter 8)

Performing Substantive Procedures (Chapter 9) Audit Sampling for Substantive Tests (Chapter 10)

Auditing the Revenue Process (Chapter 11)

Auditing the Purchasing and Payroll Processes (Chapter 12)

Audit Data Analytics (Chapter 7)

Gaining an Understanding of the Client

Auditing the Balance Sheet and Related Income Accounts (Chapter 13)

Completing and Reporting on the Audit (Chapters 14 and 15) Procedures Performed Near the End of the Audit

Drawing Audit Conclusions

Reporting

5-1

5-2  Ch a pte r 5  Audit Evidence

Learning Objectives LO 1  Define management assertions about classes of transactions, account balances, and presentation and disclosure. LO 2  Discuss the characteristics of audit evidence.

LO 4 Evaluate when it is appropriate for auditors to use the work of others. LO 5  Document the details of evidence gathered in working papers.

LO 3 Apply the procedures for gathering audit evidence, including the use of audit data analytics.

Auditing and Assurance Standards PCAOB

Auditing Standards Board

AS 1105 Audit Evidence

AU-C 230 Audit Documentation

AS 1205 Part of the Audit Performed by Other Independent Auditors

AU-C 315  Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

AS 1210  Using the Work of a Specialist

AU-C 500 Audit Evidence

AS 1215 Audit Documentation

AU-C 505 External Confirmations

AS 2110  Identifying and Assessing Risks of Material Misstatement

AU-C 600  Special Considerations—Audits of Group Financial Statements (Including the Work of Component Auditors)

AS 2310 The Confirmation Process

AU-C 610  Using the Work of Internal Auditors

AS 2605  Consideration of the Internal Audit Function

AU-C 620  Using the Work of an Auditor’s Specialist

Cloud 9 - Continuing Case At the next planning meeting for the Cloud 9 audit, Suzie Pickering presents the results of the analytical procedures performed so far and a working draft of the audit program. The audit manager, Sharon Gallagher, and the audit senior, Josh Thomas, are also involved in the planning, with special responsibility for the internal control assessment. The meeting’s agenda is to discuss the available sources of evidence at Cloud 9 and specify these in the detailed audit program. The team members also must ensure they have enough evidence to conduct the audit. Two specific issues worry members of the team. First, there are three very large asset balances on Cloud 9’s trial balance that have particular valuation issues. Josh suggests that a specialist will be required for the derivatives, but they can

handle the accounts receivable and inventory themselves. Second, Sharon is worried about how they will gather evidence regarding a subsidiary of Cloud 9 located in Vietnam. W&S Partners does not have an office in Vietnam, so they must determine the most effective and efficient way to gather evidence regarding the subsidiary. In the planning meeting, the team considers the following questions: •  What evidence is available? •  What criteria will the team use to choose among alternative sources of evidence? •  What are the implications of using the work of specialists and other auditors?

Chapter Preview—Audit Process in Focus In Chapters 3 and 4, we considered audit risk and risk assessment. Those chapters focused on the importance of risk identification to help ensure the auditor’s desired level of risk is

  Management Assertions  5-3

achieved. This chapter begins the discussion of obtaining audit evidence in response to identified risks. Once auditors have identified the key risk factors for their client, they will plan “what” to test, “how” to test it, and “who” should test it. In this chapter, we explain “what” the auditors are testing by defining and describing management assertions. Then, we discuss characteristics of audit evidence, including traits that make some types of evidence more appropriate than others. Next, we discuss the “how” of gathering audit evidence. What specific procedures do auditors perform to gather evidence? You have already been introduced to the broad categories of risk assessment procedures, tests of controls, and substantive tests. This chapter will describe specific actions auditors perform to gather evidence at the risk assessment and risk response phases of the audit. In most audits, the audit team will perform all of the evidence gathering procedures, but “who” else may perform evidence-gathering procedures for the audit? We discuss situations in which auditors may use the work of others, such as specialists in a field other than accounting or auditing, the client’s internal auditors, or auditors from another accounting firm. Finally, auditors document the details of their risk assessment, tests of controls, and substantive tests in their working papers. An auditor’s working papers provide proof of audit work completed, procedures used, and evidence gathered. Each accounting firm has its own working paper format and preferences. This chapter provides some examples of a typical audit file and the types of working papers it may contain.

Management Assertions Lea rning Objective 1 Define management assertions about classes of transactions, account balances, and presentation and disclosure. It is the responsibility of management and those charged with governance to ensure the financial statements are fairly presented. When preparing the financial statements, management makes assertions about each account and related disclosures in the notes. An assertion is a statement or representation, explicit or implied, made by management regarding the recognition, measurement, presentation, and disclosure of items included in the financial statements and notes. For example, when reporting inventory, management is claiming, or asserting, that the items exist, are owned by the entity, represent a complete list of the inventory owned, and are valued appropriately. When reporting sales, management is asserting that the amount represents sales of the entity that occurred during the accounting period. Management also asserts that sales are recorded at the correct amount, represent a complete list of all sales, and are classified correctly. During the risk assessment phase, auditors use management assertions as a guide when determining the different types of potential material misstatements that could occur, or what can go wrong in the financial statements. Assertions also guide auditors in the collection of evidence, as the evidence used to evaluate many assertions is unique to that assertion. For example, evidence the auditor will use to evaluate the completeness of revenues is different from the evidence used to evaluate the occurrence of revenues. AU-C 315 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement provides a summary of the assertions used by auditors. The assertions are divided into the three categories of classes of transactions and events, account balances at the period-end, and presentation and disclosure. The assertions are summarized in Illustration 5.1. Each assertion in Illustration 5.1 is numbered and the following paragraphs provide more discussion of each one.

assertion  statement or representation, explicit or implicit, made by management regarding the recognition, measurement, presentation, and disclosure of items included in the financial statements and notes

5-4  Ch a pte r 5  Audit Evidence illustration 5.1   Assertions by category

Assertions About Classes of Transactions and Events for the Period Under Audit (1) Occurrence

Transactions and events that have been recorded have occurred and pertain to the entity.

(2) Completeness

All transactions and events that should have been recorded have been recorded.

(3) Accuracy

Amounts and other data relating to recorded transactions and events have been recorded appropriately.

(4) Cutoff

Transactions and events have been recorded in the correct accounting period.

(5) Classification

Transactions and events have been recorded in the proper accounts.

Assertions About Account Balances at the Period-End (6) Existence

Assets, liabilities, and equity interests exist.

(7) Rights and obligations

The entity holds or controls the rights to assets, and liabilities are the obligations of the entity.

(8) Completeness

All assets, liabilities, and equity interests that should have been recorded have been recorded.

(9) Valuation and allocation

Assets, liabilities, and equity interests are included in the financial statements at appropriate amounts, and any resulting valuation or allocation adjustments are appropriately recorded.

Assertions About Presentation and Disclosure (10) Occurrence and rights and obligations

Disclosed events, transactions, and other matters have occurred and pertain to the entity.

(11) Completeness

All disclosures that should have been included in the financial statements have been included.

(12) Classification and understandability

Financial information is appropriately presented and described, and disclosures are clearly expressed.

(13) Accuracy and valuation

Financial and other information are disclosed fairly and in appropriate amounts.

Source: AU-C 315.A128.

Let’s discuss these assertions in more detail, beginning with the assertions about classes of transactions and events for the period under audit, and what can go wrong with each assertion. When considering (1) occurrence, auditors gather evidence to verify that a recorded transaction or event, such as revenue or an expense item, actually took place and relates to the entity. This assertion is particularly important when auditors believe there is a risk of overstatement and that some transactions are recorded but did not actually occur. For example, a client may record revenues prematurely in error, or management might record fictitious sales to overstate revenues and profit. When considering (2) completeness, auditors gather evidence that all transactions have been recorded and the financial statements are not understated or overstated because transactions have been omitted. This assertion is particularly important when auditors believe there is a risk of understatement and that some transactions or events that should have been recorded have not been recorded. For example, a client may have incurred an expense but not recorded it because the vendor’s invoice had not been received, or because management intended to understate expenses and overstate profit. When considering (3) accuracy, auditors gather evidence that transactions and events have been recorded at appropriate amounts. This assertion is important when auditors believe there is a risk the reported amounts are not accurate. For example, a client might inadvertently use the wrong price on an invoice or may have complex foreign exchange calculations where errors can easily occur. When considering (4) cutoff, auditors search for evidence that transactions have been recorded in the correct accounting period. This assertion is particularly important for transactions close to year-end. For example, a client may record a sale before year-end that actually occurred after year-end, or a client may record an expense after year-end that was actually incurred before year-end. Unintentional cutoff mistakes may happen when internal controls

  Management Assertions  5-5

are poor. Alternatively, a client may be motivated to record an expense or revenue in the wrong period to manipulate net income for the period. When considering (5) classification, auditors gather evidence that transactions and events have been recorded in the proper accounts. For example, a client may have recorded a routine maintenance expense in a fixed asset account when it should be recorded in an expense account. Auditors should be alert to misstatements that result in capitalizing an amount that should be expensed.

Audit Reasoning Example  Wells Fargo Scandal Wells Fargo is an international banking giant headquartered in San Francisco. In 2016, news broke that Wells Fargo employees had participated in various fraud schemes to increase revenue. One of the schemes was charging auto loan customers for vehicle insurance without their knowledge. Which assertion about classes of transactions is violated with this scheme? Did these revenues actually occur? Wells Fargo was collecting actual payments from actual customers, so this wasn’t a case of fictitious customers. But charging customers without their consent is fraudulent and violates the occurrence assertion. Why did Wells Fargo employees participate in this scheme? The company had very aggressive internal sales goals with compensation tied to sales performance. Wells Fargo management encouraged cross-selling to existing customers as a way to boost revenues, and employees felt pressure to meet the lofty sales goals. In July 2017, Wells Fargo announced “it would issue $80 million in refunds or account adjustments to more than 570,000 auto loan customers who were charged for vehicle insurance without their knowledge.”1 Consideration of the occurrence assertion for revenues is a relevant assertion for all audits. Historically, many accounting frauds have involved overstatement of revenues either through creation of fictitious revenue, improper period-end cutoff, and/or improper application of revenue recognition rules. Auditors spend considerable time gathering evidence to support management’s assertion that recorded revenue occurred and relates to the entity.

The next category of assertions focuses on account balances at the end of the period, which is typically fiscal year-end. When considering (6) existence, auditors search for evidence to verify that asset, liability, and equity items on the balance sheet actually exist. This assertion is important when auditors believe there is a risk of overstatement. For example, a client may miscount inventory, resulting in an overcount and overstatement, or a client may attempt to overstate inventory or accounts receivable to improve financial ratios for the period. When considering (7) rights and obligations, auditors gather evidence to verify recorded assets are owned by the entity and recorded liabilities represent commitments of the entity. This assertion is particularly important when auditors believe there is a risk that recorded assets or liabilities are not owned by the entity. This assertion is different from existence, as the assets and liabilities may exist but not be owned by the entity. An example of inventory that physically exists but does not satisfy the rights and obligations assertion is inventory held on consignment in the client’s warehouse (and therefore not owned by the entity), which is incorrectly recorded as an asset. When considering (8) completeness, auditors search for assets, liabilities, and equity items to ensure they have been recorded. This assertion is particularly important when auditors believe there is a risk of understatement and the client has omitted some items from the balance sheet. For example, a client may fail to record various accrued liabilities due to an error or an attempt to improve reported financial ratios for the period. When considering (9) valuation and allocation, auditors search for evidence that assets, liabilities, and equity items have been recorded at appropriate amounts and allocated to the correct general ledger accounts. With respect to assets, auditors need to be aware of both valuation at historical cost and any fair value tests that may be relevant. This assertion is particularly important when auditors believe there is a risk of over- or undervaluation. For example: •  An auditor verifies that inventory has been appropriately recorded at the lower of cost or net realizable value (risk of overstatement). •  An auditor tests for the adequacy of the allowance for doubtful accounts (risk of understatement or overstatement depending on the client’s motivation). 1

K. McCoy, “Wells Fargo’s Legal Challenges Accumulate,” USA Today (August 9, 2017), p. 2B.

5-6  Ch a pte r 5  Audit Evidence

•  An auditor verifies that equipment used in operations has been appropriately marked down if it is impaired (risk of overstatement).

Cloud 9 - Continuing Case Ian and Suzie have already talked in general terms about the errors that could occur in Cloud 9’s accounts receivable. For example, basic mathematical mistakes and other clerical errors could affect the customer’s total in either direction. Suzie emphasizes that Cloud 9’s management asserts this error did not exist when they prepared the financial statements—i.e., they assert that accounts receivable are valued correctly. Auditors must gather evidence about each assertion for each transaction class, account, and note in the financial statements. Now that Ian understands this idea better, he can identify the assertions that relate to the potential errors in accounts receivable that they discussed earlier: •  No mathematical mistakes or other clerical errors exist that could affect the total receivables in either direction—valuation and allocation.

•  No accounts receivables were omitted when calculating the total—completeness. •  Accounts receivables included in the total do exist at yearend—existence. •  Accounts receivables belong to Cloud 9 and have not been sold or factored—rights and obligations. •  Bad debts have been provided for—valuation and allocation. •  Sales from the next period are not included in the earlier ­period—cutoff. Ian is a bit confused about this because cutoff is an assertion for transactions, not account balances. Suzie agrees it is a special sort of assertion that relates to transactions or events, but also gives evidence about balance sheet accounts (e.g., an overstatement of revenue is also an overstatement of receivables).

The last category of assertions focuses on presentation and disclosure in the financial statements and the notes. You’ve probably noticed that most of the assertions in this category are also listed in one or both of the other categories. That makes sense considering the note disclosures and presentation in the financial statements are inherently tied with a client’s transactions and year-end balances. Auditors gather evidence that disclosed items represent events and transactions that occurred and pertain to the entity, (10) occurrence and rights and obligations, and that all items that should have been disclosed are included in the financial statements, which is (11) completeness. Auditors ensure items included in the financial statements are appropriately presented and disclosures are clearly expressed, which is (12) classification and understandability, and financial and other information is disclosed fairly and in appropriate amounts, which is (13) accuracy and valuation. The PCAOB standards also address management assertions but in a more condensed manner than the ASB standards. AS 1105 Audit Evidence lists just five assertions and does not use the three categories of assertions like the ASB standard. The five assertions defined in AS 1105.11 are: •  Existence or occurrence—Assets or liabilities of the company exist at a given date, and recorded transactions have occurred during a given period. •  Completeness—All transactions and accounts that should be presented in the financial statements are so included. •  Valuation or allocation—Asset, liability, equity, revenue, and expense components have been included in the financial statements at appropriate amounts. •  Rights and obligations—The company holds or controls rights to the assets, and liabilities are obligations of the company at a given date. •  Presentation and disclosure—The components of the financial statements are properly classified, described, and disclosed.

relevant assertion  an assertion that has a reasonable possibility of containing a material misstatement or misstatements that would cause the financial statements to be materially misstated and, therefore, has a meaningful impact on whether the account is fairly stated

You can see there are similarities with the assertions listed in both sets of standards. The ASB standard simply provides a more detailed description of the assertions, especially in the category of presentation and disclosure. Recall from Chapter 4 that one of the risk assessment procedures is to identify significant accounts and classes of transactions. Once these are identified, auditors assess the risk of material misstatement at the relevant assertion level for these significant classes of transactions and account balances. Relevant assertions are assertions that have a reasonable possibility of containing a material misstatement that would cause the financial statements to be materially misstated and, therefore, have a meaningful impact on whether the account is fairly stated (AU-C 315.A131). All assertions may not be relevant for a particular account balance

  Characteristics of Audit Evidence  5-7

or transaction. For example, the valuation of cash is typically not an issue, but the existence of cash is always relevant because there is risk that a client may overstate its cash balance due to the misappropriation of cash. Once the relevant assertions are identified for significant accounts and classes of transactions, auditors can proceed with planning their audit procedures to gather evidence in support of management assertions. The specific procedures auditors will use to gather evidence are detailed in the audit program. The audit program is part of the audit documentation that lists the details of the audit procedures to be used when testing controls and when conducting detailed substantive procedures. Audit procedures will be further discussed in this chapter in the section “Procedures for Gathering Audit Evidence.” Audit documentation is discussed in the section “Documentation—Audit Working Papers.”

audit program  a listing of details of the audit procedures to be used when testing controls, conducting detailed substantive audit procedures, and completing the audit

Before You Go On 1.1 When auditing accounts receivable, what will an auditor search for when testing for rights and obligations? 1.2 What does the accuracy assertion mean? Develop an example in the context of purchases of inventory. 1.3 What is the auditor trying to ensure when considering the cutoff assertion? Develop an example in the context of payroll transactions.

Characteristics of Audit Evidence Lea rning Objective 2 Discuss the characteristics of audit evidence. Audit evidence is the information auditors use when arriving at their opinion on the fair presentation of the client’s financial statements (AU-C 500 Audit Evidence and AS 1105 Audit Evidence). It is the responsibility of management and those charged with governance to ensure the financial statements are prepared in accordance with the appropriate financial reporting framework (usually GAAP). They are also responsible for ensuring that accurate accounting records are maintained and any potential misstatements are prevented, or detected and corrected. It is the responsibility of auditors to gather sufficient appropriate evidence to arrive at their opinion. Before considering the different procedures auditors will use for gathering evidence, we start with a discussion of what is meant by the phrase sufficient appropriate evidence.

audit evidence  information gathered by the auditor that is used when forming an opinion on the fair presentation of a client’s financial statements

Sufficient Audit Evidence Sufficient refers to the quantity of audit evidence gathered. Essentially, auditors determine at what point they have gathered enough evidence to support their opinion on the financial statements. AU-C 500.A4 and AS 1105.05 state the quantity of evidence needed is affected by the risk of material misstatement in a relevant assertion for an account balance or class of transactions. In other words, as risk increases, the amount of evidence the auditor should gather also increases. For example, the existence assertion for the accounts receivable balance is typically a relevant assertion because of the risk of overstatement of receivables due to premature revenue recognition, which inflates revenues and receivables. In contrast, the risk of understatement of accounts receivable, which is the completeness assertion, is typically low because a client would most likely record all credit sales and related accounts receivable. In this scenario, auditors will gather more evidence in support of the existence assertion since it presents the higher risk of material misstatement. Auditors should also be alert that, for some private companies needing audits, the incentive might be to understate pretax profits in order to minimize income tax expense.

sufficient  refers to the quantity of audit evidence gathered

5-8  Ch a pte r 5  Audit Evidence

Appropriate Audit Evidence appropriate  refers to the quality of audit evidence gathered

relevance  refers to the logical connection with the assertion being tested

reliability  refers to the source, form, or nature of the audit evidence

Appropriate refers to the quality of audit evidence gathered. The concepts of quantity and quality are interrelated as the quality of evidence gathered will affect the quantity required. Typically, the higher the quality of the evidence, the less quantity that may be required. What contributes to the quality of audit evidence? AU-C 500.A5 and AS 1105.06 state the quality of audit evidence is determined by its relevance and reliability in providing support for the conclusions on which the auditor’s opinion is based. Relevance of audit evidence refers to its relationship to the assertion being tested. In other words, does the evidence gathered really support the assertion being tested? For example, if auditors are testing for the completeness of the accounts payable balance, they are trying to determine if all accounts payable owed have been properly recorded. Suppose auditors inspect a sample of accounts payable balances from the ledger and verify they are true payables owed by the client. Have the auditors gathered evidence about completeness? No, they have not. They have gathered evidence in support of the existence assertion: that payables that have been recorded actually do exist. To gather relevant evidence for the completeness assertion, auditors must use a different procedure. Auditors could examine a client’s unpaid invoices file and determine if payables have been properly created for any unpaid invoices. This procedure would provide relevant, or appropriate, evidence in support of the completeness assertion. Reliability of audit evidence refers to the source of the evidence and form or nature of the evidence. In general, here are some guidelines regarding the reliability of audit evidence provided in AU-C 500.A32 and AS 1105.08: •  Evidence gathered from a knowledgeable source independent of the client is more reliable than evidence gathered solely from internal client sources. •  The reliability of evidence generated internally from the client is increased when the client’s internal controls over the information are effective. •  Evidence obtained directly by the auditor is more reliable than evidence obtained indirectly by the auditor. •  Evidence provided by original documents is more reliable than evidence obtained from copies, scans, or faxes. However, this could be mitigated if internal control over the duplication of documents is effective. •  Evidence that has been documented (paper or electronic form) is more reliable than strictly oral evidence obtained by having a discussion with an individual. Some examples of these reliability guidelines are provided in Illustration 5.2.

ILLUSTRATION 5.2    

Examples of reliability of   audit evidence

Nature/Source of   Evidence

Example

Independent source

Auditors communicate directly with a client’s bank regarding the existence of the client’s cash account balances at year-end. The bank confirms the cash balances directly with the auditor. This is more reliable than relying solely on the client’s internal records related to its cash account balances.

Effective internal controls

If auditors determine that controls over the client’s accounting information system are effective, then information generated from the client’s accounting information system is deemed more reliable than if controls were weak.

Direct knowledge by auditor

Auditors visit a client’s warehouse to observe, in person, the physical count of the client’s inventory to support the existence assertion of inventory. This is more reliable than auditors reading a summary report of the physical count or interviewing client personnel about the physical count.

Original documents

Auditors review the original title to verify the client’s rights to a piece of equipment. Inspecting the original title is more reliable than inspecting a copy because a copy can be altered and/or forged.

Documented

Auditors read the minutes from a board of directors’ meeting. This documented evidence, either written or in electronic form, is more reliable than interviewing one of the board members about the topics covered in the meeting.

  Characteristics of Audit Evidence  5-9

Cloud 9 - Continuing Case Whenever Suzie’s draft audit program shows the team relying on internally generated evidence, it also includes requirements to obtain additional evidence. This is because the evidence obtained from the client is less persuasive than evidence gathered directly

by an auditor or externally generated evidence that has passed through the client’s hands. Therefore, the audit program includes plans to obtain evidence from tests of controls for each assertion, to support the conclusion that internal controls are strong.

Audit Risk and Sufficient Appropriate Audit Evidence In Chapter 3, we discussed the audit risk model. Let’s discuss how the audit risk model impacts the gathering of audit evidence. Audit risk affects the quantity and quality of evidence gathered by an auditor during the risk response phase. When there is a significant risk of material misstatement with an assertion and the client’s system of internal controls is not considered to be effective at reducing that risk, detection risk is set as low. (See Illustration 5.3.) How would this scenario impact the quality and quantity of evidence to be gathered? When detection risk is low, auditors want to decrease the risk that their audit procedures will not detect a material misstatement. Therefore, auditors would plan for substantive procedures that result in higher quality evidence and possibly gather an increased quantity of evidence for that assertion.

Risk of material misstatement Audit risk =

Low

Inherent risk

Control risk

High

High

Detection risk

Level of sufficient appropriate evidence

Low

Increased

ILLUSTRATION 5.3    

High risk assertion

When the risk of material misstatement with an assertion is inherently low and the client’s system of internal controls is considered effective at reducing risk, then detection risk is set as high. First, the auditor will obtain evidence through risk assessment procedures to support the low inherent risk assessment, and perform tests of controls to support the low control risk assessments. Second, since detection risk is high, that means auditors are willing to accept a higher risk that their audit procedures may not detect a material misstatement. Therefore, auditors would plan for substantive procedures that may result in lower quality evidence and possibly a decreased quantity of evidence for that assertion. This scenario is demonstrated in Illustration 5.4.

Risk of material misstatement Audit risk =

Low

Inherent risk

Control risk

Low

Low

Detection risk

Level of sufficient appropriate evidence

High

Decreased

The risk patterns illustrated in Illustrations 5.3 and 5.4 are extremes. The risk of material misstatement associated with most assertions falls somewhere in between. Ultimately, the amount of evidence gathered when conducting substantive procedures is a matter for professional judgment and will vary from assertion to assertion and client to client. Nevertheless,

ILLUSTRATION 5.4    

Low risk assertion

5-10  C h a pte r 5  Audit Evidence

there is a direct relationship between the risk of material misstatement (inherent and control risk) and the extent of sufficient appropriate evidence gathered when testing transactions and balances.

Cloud 9 - Continuing Case Ian thinks he finally understands. To limit the risk of an inappropriate audit opinion for Cloud 9, the audit team will assess inherent risk and control risk at the assertion level for account balances and transactions. They make the inherent and control risk assessments after gaining an understanding of the client because these risks are influenced by the client’s circumstances. If inherent and control risk are assessed as high, the audit team will set detection risk as low. This means the audit team will

need to gather more, better-quality evidence through substantive testing than if inherent and control risk are assessed as low. In addition, planning materiality is set by considering what would be influential to users of the financial statements. The lower the detection risk and materiality level, the more sufficient appropriate evidence that needs to be gathered. Suzie thinks the time spent having coffee with Ian has been well worth it!

Before You Go On 2.1  What are two characteristics of appropriate audit evidence? Develop an example of each. 2.2 What is a disadvantage of using evidence that is generated internally by the client? Explain with an example. 2.3 Describe the relationship between the risk of material misstatement and sufficient appropriate audit evidence. Develop an example in the context of auditing the occurrence of revenues.

Procedures for Gathering Audit Evidence Lea rning O bjective 3 Apply the procedures for gathering audit evidence, including the use of audit data analytics.

accounting records  client’s records of the initial accounting entry and supporting documents

Auditors spend a considerable amount of total audit time on the process of obtaining and evaluating audit evidence in support of management assertions. The primary source of the evidence is the client’s accounting records. The accounting records consist of the records of initial accounting entry and supporting documents such as checks, invoices, contracts, general and subsidiary ledgers, and client-prepared spreadsheets and cost allocations. Auditors also gather evidence from other sources independent of the client to corroborate, or confirm, amounts recorded in the client’s accounting records. Audit evidence consists of any information that supports and corroborates management’s assertions and any information that contradicts the assertions. In some situations, the absence of information may also constitute audit evidence (AU-C 500.A1). For example, suppose a client recorded the purchase of a new piece of equipment, which increased total assets. Auditors would observe the tangible asset and inspect the vendor’s invoice for the purchase in support of the existence assertion, and make inquiries about how the equipment was financed. If there is no invoice to corroborate the purchase of a new piece of equipment, then perhaps the client did not actually buy the equipment. The equipment could be a short-term rental and therefore should not be recorded as an asset. The absence of an invoice would serve as audit evidence that contradicts management’s assertion.

 Procedures for Gathering Audit Evidence  5-11

Let’s now discuss “how” auditors gather audit evidence. Audit procedures are the methods used by auditors in gathering evidence and they are classified into three general categories: 1.  Risk assessment procedures (discussed in Chapters 3 and 4)—Methods used to gain an understanding of a client and its industry for the purpose of identifying risk of material misstatement. 2.  Tests of controls (discussed in Chapters 3 and 8)—Methods used to determine the operating effectiveness of the client’s controls in preventing, or detecting and correcting, material misstatements at the assertion level. 3.  Substantive procedures (discussed in Chapters 3 and 9–14)—Methods designed to detect material misstatements at the assertion level. Two categories of substantive procedures are tests of details (of account balances, transactions, and disclosures) and substantive analytical procedures. We introduced these categories in Chapters 3 and 4 in the discussion of risk assessment, audit risk, and audit strategy. We now detail the specific procedures auditors perform to gather sufficient appropriate evidence. The specific procedures described in the rest of this section are used as risk assessment procedures, tests of controls, or substantive procedures as determined by the auditors.

Inspection of Documents and Assets Inspection involves the examination of documents and physical assets. Let’s first discuss the inspection of documents. The documents could be internally or externally generated and in paper or electronic form. Inspection of documents can be used as a risk assessment procedure, test of controls, or a substantive procedure. For example, as a risk assessment procedure, auditors inspect the board of directors’ meeting minutes to become familiar with the objectives and strategies of the client. As a test of controls, auditors inspect purchase orders for proper authorization by a manager before a purchase is made. As a substantive procedure, auditors inspect vendor invoices in support of management’s assertion of the valuation of inventory. When used as a substantive procedure to test management’s assertions of occurrence and completeness, the inspection procedure can be further explained by the direction of the testing. First, auditors want to determine if transactions recorded in sales revenue actually occurred. They start by selecting transactions from the sales journal or ledger and then examining the underlying source documents, such as a shipping document and an invoice to the customer as shown in Illustration 5.5. This procedure is called vouching. Auditors are essentially working backward from the recording of the event back to the supporting documentation. Vouching provides evidence that recorded transactions actually occurred.

Source document

Direction of Testing

Assertion

Vouching

Existence or occurrence

Journal

Tracing

inspection  an evidence-­ gathering procedure that involves examining documents and physical assets

vouching  a type of inspection in which auditors select transactions from a journal or ledger and work backward to examine the underlying source documents. Vouching provides evidence for the occurrence or existence assertion ILLUSTRATION 5.5     Vouching versus tracing

Ledger

Completeness

What if auditors are gathering evidence in support of the completeness assertion for sales? They want to determine if all sales that occurred have been completely recorded. This time, auditors will start with the underlying source documents and work forward to follow the transaction through to recording in the journal and ledger (see Illustration 5.5). This process is called tracing. In the sales example, auditors would start with a sales order, then follow the

tracing  a type of inspection in which auditors select source documents and work forward to follow the transaction through to recording in the journal and ledger; tracing provides evidence for the completeness assertion

5-12  C h a pte r 5  Audit Evidence

transaction forward to a shipping document, to an invoice to a customer, and then to related journal entries and posting to the ledger. Inspection is also used to gather evidence for assertions related to physical assets. For example, auditors inspect an actual piece of machinery in a client’s factory to support the existence assertion. If the machinery is not being used, perhaps it is obsolete or in need of repairs. This evidence is used to determine if assets should be written down below cost, which relates to the valuation and allocation assertion.

Cloud 9 - Continuing Case Suzie will head the team gathering evidence about inventory. There are some issues with Cloud 9’s inventory control, including difficulties in delivering merchandise from the warehouse to the store in a timely manner. Suzie is also concerned about the thefts at Cloud 9’s retail store. Although Cloud 9’s management has been very open in disclosing the thefts, Suzie is concerned about what this means for the effectiveness of inventory control. She plans to inspect inventory and gather evidence of its existence and quality (because obsolescence is another major concern). Sharon will also assign a team to inspect the furniture and equipment, and the leasehold improvements, as there have been some major additions this year because of the new store opening. Ian is a little concerned about being asked to inspect assets. “I don’t understand how inspection can sometimes relate to the existence assertion and other times relate to the completeness

a­ ssertion. How do I know when the evidence relates to one assertion and not the other?” he asks Suzie. Suzie tries to explain that it depends on the process. If you start with the accounting records and then gather evidence to support the records, you are gathering evidence about existence. For example, the furniture and equipment ledger account has a record stating that Cloud  9 owns a copy machine. The record contains information about brand, size, and other details. Can you agree the records to the physical item? That is, can you find the copy machine in the office? If so, you have evidence that it exists. (You would also do separate tests for its valuation and rights and obligations.) However, if you see a copy machine in the office, your question is then whether the item is in the accounting records. That is, are the accounting records complete? In this case, you start with the physical item and trace it through to the records. If the copy machine is entered in the ledger, you have evidence about the completeness of the accounting records.

Observation observation  an evidence-­ gathering procedure that involves watching a process or procedure being carried out by client personnel or another party

Observation is an audit procedure that involves watching a process or procedure being carried out by client personnel or another party. It is used most often as a risk assessment procedure or a test of controls. For example, auditors observe the opening of the mail to determine whether the appropriate control procedures over the handling of cash receipts are being followed with appropriate segregation of duties. Keep in mind that observation only provides evidence of a process at the time auditors observe it happening, and people tend to alter behaviors when being watched. Auditors must determine whether there is evidence that the procedures observed have been applied consistently throughout the period under audit.

Inquiry inquiry  an evidence-gathering procedure that involves asking questions verbally or in written form to gain an understanding of various matters throughout the audit

Inquiry involves asking questions verbally or in written form of knowledgeable individuals internal or external to the client. Inquiry is used when gaining an understanding of the client and to corroborate other evidence gathered throughout the audit. For example, during risk assessment, auditors will inquire of client management regarding various topics such as related parties, corporate governance, and major customers. The results of inquiries of client personnel and third parties are documented by the auditor. If the evidence is particularly important, auditors may document the information more formally and ask the other party (or parties) to the discussion to sign their agreement that the auditors have recorded the discussion accurately. As a test of controls or substantive procedure, inquiry of client personnel, on its own, typically does not provide reliable evidence to reduce audit risk to a low-enough level for a relevant assertion (AS 1105.17). Additional evidence needs to be gathered to corroborate the client’s statements. For example, auditors ask the CFO about any new or updated lease agreements. The CFO tells the auditors the company signed a lease agreement for a new manufacturing facility. The auditors will document the response but will also follow up by ­inspecting the actual signed lease agreement. This is an example of auditors using professional skepticism by verifying statements made by the client.

 Procedures for Gathering Audit Evidence  5-13

Audit Reasoning Example  Evidence for Relevant Assertion Your client is Jane’s Apparel, a national chain of women’s clothing stores. There are 500 Jane’s stores located in malls across the United States. Inventory is a key account for Jane’s, and the existence assertion for inventory is always a relevant assertion. As part of your risk assessment procedures, you meet with the national inventory manager, Carla, to inquire about internal controls over inventory and other issues about inventory for the current-year audit. Carla says, “As you know, one of our biggest problems is employee theft of our merchandise. We just recently decided to hire an outside company to perform our annual physical inventory count rather than having our own employees perform the count. Although it will be an additional cost for us, we think the benefits of an independent inventory count will be worth it. It will deter employee theft and hopefully detect instances of theft that are occurring.” After your meeting, you document Carla’s responses to your inquiries. You are excited about the news of an independent company performing the inventory count and discuss it with another member of your audit team, John. You say to John, “Since an independent company is performing the count, I guess that means we do not have to observe the physical inventory count anymore. We can use the report from the independent company, right?” John thinks for a moment, then says, “I agree that it is an improvement in internal controls to have an independent company physically count the inventory. But remember, we have documented that the existence of inventory is a relevant assertion. Therefore, we must gather an increased level of sufficient, appropriate evidence to support our conclusion. Can we rely solely on inquiry of the client? Can we rely on the report from the independent company that is counting the inventory? I recommend that we still observe the physical inventory counting, even though it is being performed by an independent company. As we have done before, we will select a sample of stores from across the country and have auditors from our firm present while the inventory is being counted.” You agree with John that having your auditors observe the physical inventory count provides more relevant and reliable evidence to support the existence assertion for inventory.

Confirmation AU-C 505 External Confirmations and AS 2310 The Confirmation Process provide guidance on the use of external confirmations. External confirmation is an audit procedure in which the auditor corresponds directly with a third party, either in paper or electronic form. The third party is asked to respond directly to the auditor, not to the client, on the matter(s) included in the confirmation. Evidence obtained from external confirmations is considered reliable because it is obtained from an independent source outside of the client. However, auditors must maintain control over the confirmations at all times. Specifically, auditors determine the following for the confirmations:

external confirmation  an audit procedure in which the auditor corresponds directly with a third party, either in paper or electronic form, and the third party responds directly to the auditor on the matter(s) included in the confirmation

1.  What information should be confirmed or requested? 2.  Who is the appropriate confirming third party? 3.  How should the confirmation request be designed? 4.  How will the third party respond directly to the auditor? 5.  When should the confirmation request be sent? 6. If applicable, how should auditors follow up on requests when the third party has not responded? External confirmations can be sent to any third parties the auditors deem necessary, but the most common confirmations are with the client’s bank and customers. A bank confirmation is a request for information about the amount of cash held in the bank, details of any loans with the bank (e.g., interest rates and terms), and details of any pledges of assets made to guarantee loans. This information is used to confirm that the cash listed on the client’s balance sheet actually exists, is recorded at the appropriate amount (valuation and ­allocation assertion), is in the client’s name (rights and obligations assertion), and that all loans with the bank are included in the liability section of the balance sheet (completeness assertion). The bank confirmation also requests details of interest rates paid on the client’s cash balances, if applicable, and interest rates charged on bank overdrafts and loans. This information

bank confirmation  correspondence sent directly by the auditors to their client’s bank requesting information such as cash held in the bank and details of any loans with the bank and interest rates charged

5-14  C h a pte r 5  Audit Evidence

receivable confirmation  correspondence sent directly by the auditors to their client’s customers requesting information about amounts owed to the client by the customer

positive confirmation  correspondence sent directly by an auditor to a third party, who is asked to respond to the auditor on the matter(s) included in the letter in all circumstances (that is, whether they agree or disagree with the information included in the auditor’s letter) negative confirmation  correspondence sent directly by an auditor to a third party, who is asked to respond to the auditor on the matter(s) included in the letter only if the party disagrees with the information provided

is used when auditing interest income and interest expense items (accuracy assertion). We will cover the bank confirmation in depth in Chapter 13. Receivable confirmations can be sent to customers to verify amounts owed to the client. Auditors select the customers to whom they will send confirmations. Criteria used when selecting the customer balances to confirm include materiality (large trade receivables), age (overdue accounts), and location (if customers are dispersed, a selection from various locations). The primary assertion being tested when using receivable confirmations is existence. The confirmations provide audit evidence that the customers exist. They also provide some evidence on ownership (rights and obligations assertion), as customers confirm that they owe money to the client. Customers are only asked to confirm they owe the amount outstanding at year-end (or at an interim date). They do not confirm their intention to pay the amount due. Therefore, confirmations provide very little evidence regarding the valuation and allocation assertion. There are two types of external confirmations: positive and negative. ­Positive confirmations ask recipients to reply in all circumstances. If a response cannot be obtained, auditors must perform follow-up procedures. Negative confirmations ask recipients to reply only if they disagree with the information provided. If a recipient does not respond to a negative confirmation, it is assumed they agree with the information provided. But could there be other reasons why there is no response? What if the customer never ­received the confirmation, perhaps because of an address error? What if it is sitting on someone’s desk and has not been opened? Because of these “unknowns,” this form of request is of limited benefit when the assertion being tested is existence. According to AU-C 505.15 and AS 2310.20, auditors should not use negative confirmations as the sole audit procedure unless all of the following conditions are present: 1.  Auditors have assessed the risk of material misstatement for accounts receivable as low. 2.  Auditors have gathered sufficient appropriate evidence that internal controls are effective. 3.  The population of accounts receivable balances consists of a large number of small account balances. 4.  Auditors expect a low exception rate. 5.  Auditors are not aware of any circumstances that would cause the recipients to disregard the confirmation request. In practice, negative confirmations are not commonly used. Positive confirmations provide superior evidence because auditors must follow up on any nonresponses by verifying the appropriate recipient and sending a follow-up request or by completing alternative procedures. When auditors send a positive receivable confirmation, they ordinarily include the amount recorded in their client’s records for each customer to confirm. There is risk that a customer may sign and return the confirmation to the auditor without checking the balance outstanding. As the primary assertion being tested when using this audit procedure is existence, rather than valuation and allocation, this issue is not of great concern. Auditors will rely on other procedures to provide evidence on the valuation and allocation of the receivable balance. If auditors were to send a confirmation to customers requesting they provide the balance outstanding, there is risk that customers will not respond as locating the amount owed takes some effort to find, which would reduce the overall response rate and the amount of evidence available for the existence assertion. We will revisit the accounts receivable confirmation process in Chapter 11.

Professional Environment  Updating Audit Confirmation Standards How has technology influenced audit practice and standards? According to Daniel Goelzer, a former member of the Public Company Accounting Oversight Board (PCAOB), it has impacted practice more than the standards. In 2009, Goelzer believed that changes to the U.S. standard on audit confirmations

(at the time AU Section 3302) were necessary to bring it into the twenty-first century.3 Goelzer suggested that technological innovations such as the internet and email have changed confirmation practice since AU Section 330 was written in the early 1990s.4

2 Public Company Accounting Oversight Board (PCAOB), AU Section 330 The Confirmation Process, www. pcaobus.org. 3 D. L. Goelzer, “Statement on Consideration of Concept Release on Possible Revisions to the Standard on Audit Confirmations” (April 14, 2009), www.pcaobus.org; WebCPA 2009, PCAOB Mulls Revising Audit Confirmation Standards (April 14, 2009), www.webcpa.com. 4 Goelzer, 2009.

 Procedures for Gathering Audit Evidence  5-15 In the United States, the practice of audit confirmations is essentially mandatory, unlike the situation that typically prevails in the rest of the world where confirmations are an optional procedure—a tool available for auditors to select as part of a package of audit procedures.5 The U.S. requirement to use confirmations dates back to a famous fraud case, McKesson Robbins, in the 1930s.6 In that case, around $19 million of a total of $87 million in assets were entirely fictitious and the fraud would probably have been discovered if audit confirmations had been used appropriately.7 More recent scandals, such as the Madoff, Satyam, and Parmalat cases, have meant that the confirmation process is back in the spotlight.8 The PCAOB believes that a new confirmation standard should take into account today’s sophisticated security and encryption tools for email and online transactions. Specifically, some confirming parties have indicated that instead of responding to confirmation requests, they prefer to allow the auditors to have electronic access to the company’s accounts so the auditor may directly check the confirming party’s records.9 Former PCAOB member Steven Harris believed “the standard should address the use and reliability of confirmations received electronically. It should address the authenticity and accuracy of direct access to online account information.”10 In addition, auditors are continu­ ally faced with disclaimers—clauses inserted into a client’s customer’s reply to a confirmation request disclaiming responsibility for any inaccuracy in the information provided. In a litigious ­society like the United States, these disclaimers are routinely used to avoid legal liability for statements made. However, the auditor is then faced with a decision; that is, how much weight should be placed on a statement that is accompanied by a disclaimer? The

PCAOB included this issue in its request for public comment on the new standard. The comment period for the proposed rule closed in September 2010. The PCAOB received 27 comment letters, 19 of which were from accounting firms and associations of accountants. There was general acknowledgment from the respondents that the existing standard needs to be revised. However, there were two primary recommendations from the respondents. One recommendation is that the standard should be modified to be based more on principles and risk rather than being a hard rule that auditors must use confirmations. With a model based on principles and risk, auditors can rely more on their professional judgment when determining if confirmations are appropriate for a given client. The second recommendation is that additional research should be conducted to determine how additional confirmation requirements will affect the confirming parties. Currently, the PCAOB has not issued any updated standard on the confirmation process.11 The clarified standards of the Auditing Standards Board include an updated standard on external confirmations that became effective for audit periods ending after December 31, 2012. Paragraph A15 of AU-C 505 addresses the issue of validating the source of replies received in electronic format, such as email. It may be possible for the auditor to establish a secure environment for electronic responses, for example, by the use of encryption, electronic digital signatures, and procedures, to verify website authenticity. However, if this is not possible and the auditor has doubts about the reliability of any form of evidence obtained through the confirmation procedure, AU-C 505 requires the auditor to consider alternative procedures, for example, telephone contact with the respondent (AU-C 505.A14).

Cloud 9 - Continuing Case Suzie explains to Ian that they use external confirmations to gather sufficient appropriate evidence about the existence of Cloud 9’s customers. However, the confirmations will not be appropriate for valuation purposes, as a reply from a customer to confirm the debt exists does not mean the customer is going to pay the debt when it is due. The audit team will use other procedures to provide evidence about the valuation assertion for accounts receivable.

Suzie also suggests that bank confirmations will be useful on the Cloud 9 audit for the rights and obligations, existence, and valuation assertions for bank accounts. The audit team will also ask the banks to supply any information they have about any other bank accounts or loans, which is useful for gathering evidence about the completeness assertion for these accounts. Suzie incorporates her ideas on confirmations into the draft audit program.

Recalculation Recalculation is the audit procedure of checking the mathematical accuracy of documents or records. Recalculation can be performed manually or electronically with the aid of software. Some recalculations are simple, such as footing (adding/subtracting figures) a column in a clientprepared spreadsheet. Other recalculations are more complex, such as foreign currency translation, payroll taxes, interest on loans outstanding, and depreciation. When ­conducting 5

Ibid. Ibid. 7 S. B. Harris, “Statement on Proposed Auditing Standard on Confirmation” (July 13, 2010), www.pcaobus.org. 8 WebCPA, 2009. 9 Harris, 2010. 10 WebCPA, 2009. 11 Public Company Accounting Oversight Board (PCAOB), “Transcript Excerpt and Slides: Standing Advisory Group Meeting,” Docket 28 (October 14, 2010), www.pcaobus.org. 6

recalculation  an audit procedure that involves checking the mathematical accuracy of documents or records

5-16  C h a pte r 5  Audit Evidence

complex recalculations, auditors agree the amounts included in the calculations to externally prepared documents, when available, and check that the formulas are used appropriately and are free of errors.

Reperformance reperformance  an audit procedure that involves the independent execution of procedures or controls that were originally performed by client personnel

Reperformance involves the independent execution of procedures or controls that were originally performed by client personnel. In other words, the auditors will “re-do” a procedure that was performed by the client to determine if the auditors get the same result. Reperformance is commonly used as a test of controls. For example, a client’s control procedure over cash disbursements states that checks are prepared only after all source documents have been independently approved in a voucher packet. Auditors can reperform this procedure by looking at approved voucher packets awaiting check processing. Auditors reperform the act of agreeing all of the source documents and verify that an approval signature is on the packet. Another example is reperforming a bank reconciliation the client has prepared. Client personnel prepare bank reconciliations for all bank accounts each month as an internal control procedure. Auditors will reperform the bank reconciliation to gather evidence that the procedure was performed correctly.

Analytical Procedures analytical procedures  evaluations of financial information through analysis of plausible relationships among both financial and nonfinancial data

Recall from Chapter 4 that analytical procedures are evaluations of financial information through analysis of plausible relationships among both financial and nonfinancial data. Some examples of analytical procedures include data comparisons, ratio analysis, and trend analysis. During risk assessment, analytical procedures are required and are used to identify accounts at risk of material misstatement, which aids in planning the audit. They can also be used as a substantive procedure to gather sufficient appropriate evidence, but auditing standards do not require the use of analytical procedures during the risk response phase. When properly designed and executed, analytical procedures may provide an efficient alternative to other audit procedures and, in some cases, may provide the most effective test of the appropriateness of account balances. For example, when auditing management’s estimate of the allowance for doubtful accounts or the accrual for warranty costs, auditors compare the current-year estimates with prior-year estimates, taking into consideration any increases or decreases in sales. Based on the results, auditors may decide that no further substantive testing is needed. In other situations, analytical procedures may provide the only method of gathering evidence. For example, if the client does not maintain an effective costing system, auditors could estimate manufacturing overhead in finished inventory by relating actual overhead for the year to actual direct labor. The use of analytical procedures as a substantive procedure is covered in more depth in Chapter 9.

Scanning scanning  a type of analytical procedure in which auditors use their professional judgment to review accounting data to identify unusual or significant items to examine further

Scanning is a type of analytical procedure in which auditors use their professional judgment to review accounting data to identify unusual or significant items that may be an indication of a material misstatement. Scanning includes the identification of unusual individual items within an account balance or other accounting records such as journals, reconciliations, and detailed transaction reports. Examples of unusual items include a large dollar amount for a transaction, such as a very large cash receipt that might be evidence of a loan, or a nonstandard journal entry. Once an unusual item is identified, auditors may decide to further examine the item using other audit procedures, such as inspection or recalculation.

Audit Data Analytics (ADA) As clients have incorporated more technology into their processes, so have auditors. Auditors use software to assist with gathering evidence. Software usage ranges from simple techniques, such as electronic spreadsheets and software for a paperless audit, to more sophisticated procedures, such as cluster analysis.

 Procedures for Gathering Audit Evidence  5-17

Auditors use software to perform procedures such as calculations (for example, the summing of a report) and logic tests (for example, sorting or comparing current-year amounts with prior years), and to select key items and representative samples for testing. Audit data analytics (ADA) is using software to discover and analyze patterns, identify anomalies, and extract other useful information from client data. Auditors then use “visualization” techniques to draw conclusions and communicate the information. Visualization refers to the use of graphics to explain and communicate findings. Typical visualization techniques include graphs, charts, trend lines, scatter diagrams, and dashboards. For example, traditional audit techniques would compare aggregate figures, such as current-year sales compared to prior-year sales, or quarterly sales totals in the current year to quarterly sales totals from the prior year. ADA software can provide a deeper examination of sales activity by summarizing every sales transaction for the year into a graph that shows a trend line with time on the x-axis and dollars of sales on the y-axis. This deeper analysis shows more detailed trends with highs and lows of sales activity. Knowing more about their clients helps auditors plan a more effective audit. Using ADA software makes the audit (1) more comprehensive because each item in a client’s file can be examined and subjected to a variety of tests and (2) more efficient because the software can handle large volumes of data, thereby reducing time-consuming clerical tasks. Using software also allows auditors to concentrate on designing the test criteria and evaluating and interpreting the results, rather than on performing the detailed audit procedures. ADA can be used during risk assessment and risk response. The main considerations in deciding whether to use ADA are the completeness of the client’s records and the reliability of the client’s data. As with any audit procedure, the nature and ­extent of the procedures performed with ADA will largely depend on the evaluation of the effectiveness of the client’s information technology controls. The use of ADA will be covered in more depth in Chapters 7 and 11–13.

audit data analytics (ADA)  using software to discover and analyze patterns, identify anomalies, and extract other useful information in data underlying the subject matter of an audit through analysis, modeling, and visualization for the purpose of planning or performing an audit visualization  using graphics to explain and communicate findings

Cloud 9 - Continuing Case Suzie and Ian have already begun gathering evidence by performing the analytical procedures on Cloud 9’s interim results and prior-period statements. Further evidence gathering at the risk assessment phase will be performed by members of the team when they begin their assessment of the internal controls system by inspecting the relevant documents. They will gather evidence from observing personnel performing their duties and making inquiries of members of Cloud 9’s staff and management. In addition, the partner, Jo Wadley, held discussions with the previous auditors (Ellis & Associates) before accepting the client. The record of these discussions, plus others that Jo held with Cloud 9 management, is already in the evidence files. Ian has some questions about the evidence: in particular, why the audit team is bothering to gather verbal evidence,

through ­inquiry, which has low persuasiveness. Suzie explains that all forms of evidence have their limitations. Observation is useful to see how staff perform their tasks (as opposed to what the manuals say they should be doing), but people often “behave” better when they are being watched. Documents can be lost or altered, or misinterpreted, and not everything is written down. Electronic evidence is hard to audit if the system does not have a “hack-proof” audit trail. Signatures on documents do not mean the signor actually read the document properly, and people can pre- or post-date documents. Auditors must use professional judgment and skepticism to determine the appropriateness and sufficiency of evidence by considering it as a whole and be prepared to follow up on any problems or discrepancies they observe until any doubts are satisfactorily resolved.

Before You Go On 3.1 Explain the procedures of vouching and tracing. Illustrate with an example in the context of the revenue process. 3.2  What is a bank confirmation? Why is it an important confirmation? 3.3 How is a positive confirmation different from a negative confirmation? 3.4 Explain the audit procedure of reperformance. Illustrate with an example in the context of revenue transactions.

5-18  C h a pte r 5  Audit Evidence

Using the Work of Others Lea rning O bjective 4 Evaluate when it is appropriate for auditors to use the work of others. We have covered a significant amount of information regarding the planning and design of an audit. As you have probably concluded, an audit requires many hours of work by a team of auditors. The size of an audit team will vary depending on the size and complexity of the client. The composition of a general audit team is depicted in Illustration 5.6. You can think of the composition of an audit team like a triangle, with more team members at the base of the triangle and fewer at the top. The senior and associates perform the detailed testing under the supervision of the manager. The partner holds ultimate responsibility for audit decisions, supervision of the team members, and the issuance of the final audit report. Throughout the engagement, as audit procedures are completed and documented, they are reviewed by an audit team member with seniority over the team member who did the work. Chapter 14 will provide more information about the review of audit documentation. ILLUSTRATION 5.6     General structure of an   audit team

Partner

10 or more years’ experience

Manager

Senior/In-charge

Staff/Associates

6–10 years’ experience 2–5 years’ experience 0–3 years’ experience

In Illustration 5.6, the approximate years of experience for each level of team member are also shown in the diagram. When assigning the audit team, an accounting firm will make sure it assigns individuals with appropriate audit experience. An appropriate response to an identified risk may be assigning an individual with the right experience. For example, when fraud risk is high, the accounting firm may assign an individual with more audit experience in a particular industry to audit an assertion than when fraud risk is low. In some situations, the audit team will rely on the work of others during the risk assessment and/or risk response phase of the audit. Some examples include relying on an industry or technical specialist, the client’s internal auditors, and/or other auditors. These situations will be discussed in the following sections.

Using the Work of a Specialist specialist  an individual or organization with expertise in a field other than accounting or auditing whose work in that field is used by the auditors to assist in obtaining sufficient appropriate evidence

Some audits may require the use of a specialist when gaining an understanding of a client, testing internal controls, and/or performing substantive tests. A specialist is an individual or an organization with expertise in a field other than accounting or auditing whose work in that field is used by the auditors to assist in obtaining sufficient appropriate audit evidence. The specialist may be an employee of the accounting firm or may be contracted by the accounting firm as needed. Some examples of when a specialist may be used include estimating oil and mineral reserves for inventory reporting and performing actuarial calculations for the determination of employee benefit plan liabilities. Specialists may also be used to evaluate the quality of inventory, such as taking samples of grain from a grain elevator to determine if the grain has any bacteria or other attributes that could affect its quality.

  Using the Work of Others  5-19

AU-C 620 Using the Work of an Auditor’s Specialist and AS 1210 Using the Work of a ­ pecialist provide guidelines for auditors when using the work of a specialist. The first step S is for auditors to determine whether a specialist is required. The need to engage the services of a specialist depends on the knowledge of the audit team, the significance and complexity of the item, the risk of material misstatement of the account or assertion, and the availability of appropriate alternative corroborating evidence. If the audit team has experience with the item being audited and can draw on their knowledge from previous audits of that client or similar companies in the same industry, there is less need to use a specialist. If auditors decide they do not have the expertise necessary to test and evaluate the accuracy of reported information, they can seek assistance in the form of a specialist’s opinion to corroborate other evidence obtained. For example, a licensed appraiser may be engaged to provide an opinion on the value of a client’s property, a geologist may be engaged to evaluate the quantity and quality of mineral deposits, a vintner may be engaged to assess the quality and value of wine stocks, or an actuary may be engaged to develop an estimate of a pension liability. Once it has been determined that a specialist is required, the next step is for the auditors to determine the scope of the work to be carried out and agreed to by the specialist. The agreement can be in the form of a formal engagement letter with the specialist or recorded in the audit planning documents when using a specialist from the accounting firm. Auditors determine the nature, timing, and extent of work to be completed by the specialist. It is important that auditors are involved in setting the scope of the work required because the judgment of the specialist forms part of the audit evidence upon which auditors form their audit opinion. Written instructions to the specialist can cover the (1) issues the specialist is to report upon, such as the market price of properties owned by the client; (2) the details to be included in the report, such as computations used in arriving at their conclusion; (3) the sources of data to be used, such as market interest rates or market prices of shares; (4) clarification of the way the auditors intend to use the information included in the specialist’s report; and (5) notice that the specialist’s report and the data used in compiling the report must remain confidential. Before contacting a specialist, auditors should assess the competence, capability, and objectivity of the specialist. Competence refers to the expertise of the specialist. What are the qualifications of the specialist? Does he or she maintain a license or certification in a relevant field? How many years of experience does the specialist have in the relevant field? Capability refers to the ability of the specialist to perform the required work. For example, does the specialist have the time and resources needed to complete the work? Is the specialist located in the area or will significant travel be required? Objectivity refers to the possible effects that bias, conflicts of interest, or the influence of others may have on the professional judgment of the specialist (AU-C 620.A15). Auditors should inquire of the client and of the specialist as to whether any interests or relationships exist between the client and the specialist that would impair the specialist’s objectivity. For example, does the specialist have any financial interests or outside business relationships with the client? The specialist is not required to be completely independent of the client. If some type of relationship does exist between the client and the specialist, auditors may decide to perform some additional procedures with respect to the specialist’s work to determine that the findings are reasonable. Once the specialist’s work is complete, auditors will assess the specialist’s report. The report should detail each stage of the process used in arriving at the overall conclusion in the report, including information about the data sources or estimation models used, or calculations conducted. Auditors assess the consistency of any assumptions made with those made in prior years and with other known information and with conclusions drawn with corroborating evidence gathered by the audit team. The responsibility for arriving at an overall conclusion regarding fair presentation of a client’s financial statements rests with the auditors. When auditors decide to use a specialist, that responsibility is not reduced in any way. It is the responsibility of auditors to assess the quality of the evidence provided by a specialist and determine whether it is reliable and objective. Auditors do this by following the process outlined above. They will determine the need for a specialist, the scope of the specialist’s work, and the competence and objectivity of the specialist. Finally, auditors will assess the quality of the specialist’s report and the reliability of the information included in it.

5-20  C h a pte r 5  Audit Evidence

Professional Environment  Working with IT Auditors Specialist IT auditors are often used in audits of clients with complex information technology (IT) environments because the effective audit of the IT systems contributes to overall audit quality. Large audit firms usually have such specialists within the firm, but smaller audit firms could engage external IT consultants for this part of the financial statement audit. In general, reliance on an IT specialist is appropriate when the financial statement auditor complies with the conditions of AU-C 620. If the IT expert and the financial statement auditor do not work well together, audit quality can be impaired. For this reason, researchers have investigated the factors that affect the way that financial statement auditors work with specialist IT auditors. Brazel12 reviewed this research evidence and drew the following conclusions. First, responses from financial statement auditors in the United States who were surveyed about their experiences with IT auditors indicated that they believe IT auditors’ competence levels vary in practice. Financial statement auditors also said that IT auditors appear to be overconfident in their abilities in some settings, and questioned the value provided by IT auditors to the financial statement audit. Second, Brazel suggests the research shows that both financial statement auditors’ IT ability and experience and the IT auditor’s competence affect how these two professions interact on an audit engagement. This indicates that audit firms need to ensure that staff training and scheduling produce appropriate combi­ nations of financial statement auditors and IT auditors on an ­engagement.

Finally, Brazel argues that the research findings demon­ strated that auditors need to consider the implications of finding a balance between greater software-assisted audit techniques training for financial statement auditors and greater use of IT specialists for overall audit efficiency and effectiveness. The role of IT audit specialists could grow to become even more than a support function for auditors. Some researchers suggest that in e-businesses, the external financial statement auditor’s authority will be challenged by IT audit specialists because of technological change and its impact on auditing.13 In e-businesses, economic transactions are captured, measured, and reported on a real-time basis without either internal human intervention or paper documentation.14 Auditing is likely to become more real-time and continuous to reflect the pattern of the transactions. If traditional auditors are unwilling or unable to adapt to the new environment, their role could be taken over by IT specialists. Other developments such as reporting using XBRL (eXtensible Business Reporting Language) provide challenges for auditors as they have to adapt their techniques and approaches to audit financial information that is disaggregated and tagged. Users can extract and analyze XBRL data directly without re-entry and the tag provides additional information about the calculation and source of the data. This means auditors have to recognize that their clients are reporting financial data with different levels of information and users might have greater expectations of the data. Learn more about XBRL at www.xbrl.org.

Cloud 9 - Continuing Case Josh will take responsibility for obtaining a specialist’s opinion on the derivatives. He knows that W&S Partners has other staff (who are not part of the audit team) who can provide additional expertise. However, because he believes the accounts are so material to the audit and derivatives have become such a big issue in audits in recent years, he deems an external specialist’s opinion is also required.

He has some experience with using a derivatives specialist on prior audits, and he also plans to ask Jo Wadley (the partner) to recommend a suitable specialist. Josh plans to investigate any possible connections between the specialist and Cloud 9 that could adversely impact the specialist’s objectivity before engaging him for this audit.

Using the Work of Internal Auditors internal auditors  employees of the client who perform assurance and consulting activities designed to evaluate and improve the effectiveness of the entity’s governance, risk management, and internal control processes

The role of the internal audit function was introduced in Chapter 1. Internal auditors are employees of the client who perform assurance and consulting activities designed to evaluate and improve the effectiveness of the entity’s governance, risk management, and internal control processes. Not every client will have an internal audit function. For example, small and medium-sized companies, especially private companies, may not have the resources to staff an internal audit function. But if the client does have an internal audit function, what role, if any, do the internal auditors play in the financial statement audit? According to AU-C 610 12

J. F. Brazel, “How Do Financial Statement Auditors and IT Auditors Work Together?” The CPA Journal (November 2008), pp. 38–41. 13 A. Kotb, C. Roberts, and S. Sian, “E-business Audit: Advisory Jurisdiction or Occupational Invasion?” Critical Perspectives on Accounting 23, no. 6 (2012), pp. 468–482. 14 Kotb et al., 2012.

  Using the Work of Others  5-21

Using the Work of Internal Auditors and AS 2605 Consideration of the Internal Audit Function, auditors may (1) use the work of internal auditors in gathering audit evidence and (2) use internal auditors to provide direct assistance under the direction, supervision, and review of the external auditors. If external auditors intend to use the work of internal auditors, they must first assess the objectivity, competence, and processes of the internal audit function. The concepts of objectivity and competence discussed above in the context of a specialist also apply when considering internal auditors. Since internal auditors are employees of the client, they are not independent. However, a well-designed internal audit function can operate free of bias and avoid conflicts of interest. Illustration 5.7 lists factors for auditors to consider when assessing the objectivity and competence of the internal audit function. Auditors should also consider the processes of the internal audit function. Essentially, auditors want to determine if the internal auditors follow a systematic and disciplined approach to their work and have quality control procedures in place. Ideally, the internal audit function should plan, supervise, document, and review its activities in a way that is distinct from other monitoring activities within the entity.

Factors that impact objectivity: •  Internal auditors report directly to the board of directors, audit committee, or owner-manager. •  There is no assignment of managerial or operational duties that are outside of the internal audit function. •  Policies prohibit internal auditors from auditing areas where relatives are employed or areas where the internal auditor was previously assigned before moving to the internal audit function. •  Internal auditors are members of a professional body that obligates compliance with professional standards regarding objectivity. Factors that impact competence: •  Evidence of technical training and proficiency shown by education, years of experience, and professional certification in a relevant field. •  Internal auditors hold membership in relevant professional bodies that require compliance with professional standards and continuing professional education. •  Staffing is appropriate to the size of the entity. •  There are established policies for hiring, training, and assigning internal auditors. •  Quality-of-work documentation and reports exist.

If auditors determine that the internal auditors are objective, competent, and follow appropriate procedures, then the next step is to determine how the internal auditors’ work may affect the nature, timing, and extent of the audit. Procedures planned or already performed by the internal audit function may be the same as, or very similar to, audit procedures the external auditor would design and perform, particularly in the area of evaluation of the performance of internal controls. Therefore, work already performed or planned to be performed by the internal auditors can affect the auditors’ risk assessment procedures, testing of controls, and/or substantive procedures performed. Here are some examples: •  The internal auditors have developed a flowchart for a new sales and receivables software application. The external auditors obtain a copy and review the flowchart to gain an understanding of the new application. If the auditors are satisfied with the quality of the flowchart, they will not need to prepare their own flowchart, which improves the efficiency of the audit. •  The internal auditors have tested relevant controls over the completeness assertion for accounts payable. The results of the internal auditors’ procedures provide evidence that controls are operating effectively. If satisfied that the controls are operating effectively, auditors may reduce the extent of their testing of these controls.

ILLUSTRATION 5.7    

Factors that impact objectivity and competence of internal   auditors

5-22  C h a pte r 5  Audit Evidence

•  As part of their own work, the internal auditors confirm a sample of accounts receivable balances to ensure a new sales and receivables software application is functioning ­properly. Auditors may use this work as evidence obtained and then reduce the number of additional receivable balances that would be confirmed. When determining the extent to which the internal auditors’ work will affect the auditors’ procedures, auditors consider the materiality of the account balance or transaction; the risk of material misstatement of the assertions related to the account balance, transaction, or disclosure; and the amount of subjectivity involved in evaluating the evidence gathered (AU 2605.20). As these factors increase, the need for auditors to perform their own tests of the related assertions also increases. Remember, external auditors have sole responsibility for expressing an opinion on the fair presentation of the financial statements. That responsibility is not decreased by the use of work performed by internal auditors. External auditors may also obtain direct assistance from internal auditors to carry out audit procedures the external auditors would normally do themselves. In this scenario, internal auditors would be under the direction, supervision, and review of the external auditors. When determining the nature of work to be assigned to internal auditors, external auditors should follow the same guidelines as mentioned in the previous paragraph. As the factors of materiality, risk of material misstatement, and subjectivity increase, the need for external auditors to perform the procedures will increase. An example might be the valuation assertion for assets that require significant accounting estimates. Areas involving less materiality, lower risk of material misstatement, and less subjectivity are more appropriate to assign to internal auditors. An example might be the existence assertion for prepaid expenses. External auditors should obtain written acknowledgment from management, or those charged with governance, regarding the use of internal auditors for direct assistance with the audit. This written acknowledgment can be included within the audit engagement letter or prepared as a separate document. Audit evidence obtained from the internal auditors and the work performed by internal auditors providing direct assistance are included in the external auditors’ documentation as evidence of work completed. Also included is the evaluation of the objectivity, competence, and procedures of the internal auditors. Audit documentation is discussed further in this chapter in the section “Documentation—Audit Working Papers.”

Audit Reasoning Example  Consideration of Internal Audit Function One of your clients is Mary Lee’s Cookie Company. Mary Lee’s produces various types of cookies and sells them at grocery stores and convenience stores across the United States. Mary Lee’s is a family-run, private company, and it has experienced significant growth over the last six years. The founder and chair of the board of directors, Mary Lee Nguyen, has a goal of taking the company public one day, so she wants to start preparing the company to be run more like a public company. Therefore, she has decided to create an internal audit function. Two months after the conclusion of the prior-year audit, Mary Lee hired Kathy Bourgeois to lead the internal audit function. Kathy has three years of internal audit experience working at a public company, and she is a certified internal auditor (CIA). To add to her department, Kathy has hired a recent college graduate who has taken courses in internal auditing, and she also has a current college student who is interning part-time. Kathy and her team will report directly to Mary Lee and the board of directors. One of Kathy’s first tasks has been to document Mary Lee’s transaction processes and internal controls. Can your audit team use the work of Kathy’s team regarding the transaction flows and internal controls documentation? Are Kathy and her team objective and competent? You consider objectivity. Kathy is a CIA and therefore must comply with professional standards to maintain her certification. The internal audit function reports to the board of directors, not to a member of management. No one in the internal audit function is assigned managerial duties. Therefore, based on these factors, the internal audit function seems to be objective. Now you consider competence. Kathy is a CIA, but she only has three years of work experience. The rest of her department, a recent college graduate and an intern, is not experienced. The internal audit department has only been functioning for a few months. Based on

  Using the Work of Others  5-23 these factors, you do not consider the internal audit function highly competent at this time. Therefore, for the current-year audit, you do not plan to use any of the work of Mary Lee’s internal auditors. However, over time, the internal audit function may develop more competence and you may consider using the work of the internal auditors or obtaining direct assistance from them.

Using the Work of Another Auditor Sometimes auditors must rely on work performed by a separate accounting firm. For example, when auditing a consolidated company, the auditors may rely on another accounting firm to audit a subsidiary that is located in a foreign country. AU-C 600 Special Considerations—Audits of Group Financial Statements (Including the Work of Component Auditors) provides guidance when using the work of another audit firm. Group financial statements include the financial information of more than one entity, or component, such as consolidated financial statements prepared by a parent company. A component is an entity or business activity that is required by the applicable financial reporting framework to prepare financial information that will be included in group financial statements. An audit of group financial statements is referred to as a group audit. The group engagement team will establish the overall group audit strategy and communicate with the component auditors. The component auditors are from a different audit firm and gather evidence on a component that will be used as audit evidence for the group audit. The group engagement partner is the partner responsible for the performance of the group audit engagement and for the auditor’s report on the group financial statements. When making a client acceptance or continuance decision, auditors will consider their capacity to undertake the audit and the proportion of the financial statements for which they will rely on component auditors. The group engagement partner’s firm should audit the majority of a client’s financial statements and be knowledgeable about the components of the financial statements they do not audit themselves. For example, when accepting a new client that has a 50% interest in a joint venture in another country that is audited by another audit firm, the group engagement partner must be knowledgeable about the business of the joint venture so that he or she can evaluate the risks associated with the joint venture and how the joint venture is reported in the financial statements of the potential audit client. Without such knowledge, the firm should not accept the new client. When assigning work to a component auditor, the group engagement partner will consider the capacity of the other auditor to undertake the work. The group engagement partner will also consider the reputation of the component auditor and ensure that it is a member of a reputable professional body. It is the responsibility of the group engagement partner to ensure the work completed by a component auditor meets the group engagement partner’s requirements and standards. AU-C 600 sets out the responsibilities of the group engagement partner when using the work of a component auditor. The group engagement partner is responsible for the direction, supervision, and performance of the group audit engagement. The two auditors may discuss the detailed procedures to be used, and the group engagement partner then reviews the main conclusions drawn in the documentation of the component auditor. The extent of review of the component auditor’s work depends on a number of factors. The group engagement partner will spend more time when the component is material and/or at risk of material misstatement. The group engagement partner will spend less time if the component auditor has a good reputation and/or has done audit work for the group engagement partner in the past, and if the financial statements being audited by the component auditor are at low risk of material misstatement. The group engagement partner uses the evidence provided by a component auditor when drawing a final conclusion on the fair presentation of the group financial statements. Chapter 15 will discuss what modifications may be required to the independent auditor’s report when component auditors are used. The corresponding PCAOB standard for using the work of another auditor is AS 1205 Part of the Work Performed by Other Independent Auditors. The guidance in the PCAOB standard

group financial statements  financial statements that include the financial information of more than one entity, or component component  an entity or business activity whose financial information is required by an applicable financial reporting framework to be included in group financial statements group audit  an audit of group financial statements group engagement team  partners and staff who establish the overall group audit strategy, communicate with component auditors, perform work on the consolidation process, and evaluate audit evidence to form an opinion on the group financial statements component auditor  an audit firm that performs work on the financial information of a component that will be used as audit evidence for the group audit group engagement partner  the partner who is responsible for the group audit engagement and its performance and for the auditor’s report on the group financial statements that is issued on behalf of the firm

5-24  C h a pte r 5  Audit Evidence

is essentially the same as the ASB standard for private companies. The key difference is the PCAOB standard uses different terminology. The term “principal auditor” is used instead of “group engagement team” and “group engagement partner.” The term “other auditors” is used instead of “component auditors.”

Cloud 9 - Continuing Case Sharon knows that Cloud 9 has production operations in Vietnam. The previous auditors, Ellis & Associates, used an accounting firm based in Vietnam to gather evidence regarding the inventory and property, plant, and equipment at the Vietnamese production facilities. If they want to use the same

Vietnamese accounting firm, Sharon will need to assess the reputation of the other firm and the firm’s capacity to take on the engagement. Sharon decides to set up a meeting with the partner (Jo) to further discuss how to proceed with gathering evidence related to the Vietnamese operations.

Before You Go On 4.1  What factors may influence an auditor’s decision on the need to use a specialist? Illustrate with an example. 4.2  Why might an external auditor want to use the work of the internal audit function? Illustrate with an example. 4.3  Who is the group engagement partner? Why is this position important? 4.4  What are some of the factors that a group engagement partner will consider when assigning work to a component auditor?

Documentation—Audit Working Papers Lea rning O bjective 5 Document the details of evidence gathered in working papers.

working papers  paper or electronic documentation of the audit created by the audit team as evidence of the work completed

In this chapter, we have discussed the characteristics of audit evidence, the procedures for gathering audit evidence, and situations when others may be used to gather audit evidence to support management assertions. Next, we cover procedures for documenting all of the audit evidence that has been gathered. AU-C 230 Audit Documentation and AS 1215 Audit Documentation require auditors to document each stage of the audit in their working  papers to provide a record of work completed and evidence gathered in forming their audit opinion. Determining what and how much to document is a matter of professional judgment, but the documentation must be sufficient to enable an experienced auditor, having no connection with the audit, to understand the procedures performed and the conclusions reached. Auditors document each stage of the audit and the procedures used. During the risk assessment phase, auditors document their understanding of the client, the risks identified, analytical procedures used to aid in risk identification, their materiality assessment, the understanding of the client’s system of internal controls, the understanding of the client’s information technology, related parties identified, and a preliminary audit strategy. During the

  Documentation—Audit Working Papers  5-25

risk response phase, auditors develop an audit program, and document details of tests undertaken, copies of significant documents referenced, correspondence with the client’s lawyers and bankers, confirmations received from customers, and inquiries of management. Documentation will vary from client to client. It will depend upon the audit procedures used, the risks identified, the extent of judgment used, the persuasiveness of the evidence gathered, the nature and extent of exceptions noted, and the audit methodology utilized (AU-C 230). An audit working paper generally includes: •  Client name. •  Period under audit. •  Title describing the contents of the working paper. •  File reference indicating where the working paper fits in the audit file. •  Initials identifying the preparer of the working paper together with the date the working paper was prepared. •  Initials identifying the reviewer(s) of the working paper together with the date(s) the working paper was reviewed. •  Cross-referencing between working papers indicating where further work and evidence is summarized elsewhere. Working papers for each client consist of two main files called the permanent file and the current file.

Permanent File The permanent file includes client information and documentation that applies to multiple audits. In the first year of a continuing audit, auditors gather information that will be relevant to future audits. The information included in the permanent file is checked and updated at the start of each annual audit. The permanent file usually contains the client’s head-office address, other locations, and contact details (telephone, fax, and email). Information about key personnel and an organizational chart are included in the permanent file. A client’s organizational chart includes details of key roles within the organization and the names of the people in those roles. The file may also include the details of the client’s bank(s) and lawyer(s). The permanent file includes copies of long-term contracts and agreements. These documents will be used to calculate interest payable on outstanding long-term loans, or enable the assessment of any lease obligations. Debt covenants will be included in the permanent file. Auditors can check the details of these agreements to assess the client’s compliance with covenants. If a client has long-term commitments with customers and suppliers, auditors will include the relevant documentation in the permanent file. Key long-term investments will be detailed, including the details of the broker used for these transactions. The permanent file includes details of the client’s board of directors and its subcommittees, such as the audit committee. The file includes the minutes of significant meetings held by the client, such as its board of directors’ meetings. It may include details of bonus and stock option plans for the client’s senior staff. The permanent file details a client’s primary accounting policies and methodologies. Prior financial statements and audit reports are included in the permanent file. Details of prior analytical procedures are included and added to so auditors can observe changing trends. Flowcharts and narratives detailing a client’s system of internal controls are included in the permanent file and amended as needed during the risk assessment phase of each audit. Reports sent to the client during previous audits will be included in the permanent file. For example, letters to management that detail weaknesses in internal controls identified by the auditors in previous years are included and referred to by the auditors. When planning future audits, auditors read these reports and discuss their contents with the client’s management.

permanent file  contains client information that is relevant for more than one audit

5-26  C h a pte r 5  Audit Evidence

Cloud 9 - Continuing Case Cloud 9’s permanent file contains the basic information about the company (that is, its headquarters’ address, key senior staff and their employment contracts) plus a copy of the engagement letter appointing W&S Partners and stating the scope of the audit.

Sharon and Suzie have gathered copies of some of the relevant agreements and will add these and more to the permanent file. Josh’s documentation of Cloud 9’s system of internal control will be added to the permanent file once it is completed.

Current File current file  contains client information that is relevant for the duration of one audit

The current file is developed as audit work is performed and includes client information and documentation that apply to the current year’s audit. Contents of the current file vary from client to client depending on the accounts in the client’s financial statements and the client’s activities. The current file includes the details of all testing and evidence gathered in preparation of the audit report. The current file also includes correspondence among the auditors and the client, the client’s bankers, and the client’s lawyers that pertain to the current audit period. Correspondence with other auditors, specialists, and relevant third parties is also included. The engagement letter is included in the current file, along with the management letter detailing any weaknesses uncovered in the client’s system of internal control. Representation letters (discussed in Chapter 14) and confirmation letters are also included in the current file. The current file includes extracts from the minutes of meetings, such as the board of directors’ meetings, that pertain to the current audit. The file includes details of the audit planning process and the audit program. The current file also includes detailed descriptions of evidence gathered, testing conducted, and audit procedures performed. It will detail the analytical procedures, tests of controls, and detailed substantive testing undertaken, as well as the conclusions drawn at the completion of testing. The current file includes testing of any subsequent events (discussed in Chapter 14) and a copy of the final audit opinion.

Examples of Working Papers

lead schedule  summarizes the detail included in a specific account on the financial statements

This section provides two examples of working papers. While each accounting firm has its own way of documenting evidence, most have common elements. To aid your understanding, examples are provided of how a fictitious accounting firm, Bell & Bowerman, LLP, prepares its working papers. Working papers are prepared and stored electronically. Once the audit is concluded, the accounting firm usually retains a paper copy of working papers, as well as an electronic copy of files and working papers. An accounting firm will back up electronic files and archive working papers in a location that is secure. (Chapter 14 provides more details on documentation retention.) Once they are completed, working papers are typically electronically locked so they cannot be modified. Each audit has a unique file name for ease of identification, which usually includes the client’s name and the year-end of the financial statements being audited. Each current file created for an audit is divided into unique sections with each section representing a different element of the audit (e.g., cash, accounts receivable, or inventory). Each section contains (1) a lead schedule that summarizes the detail included in the financial statements for a particular account, and (2) supporting working papers that provide evidence obtained related to that account. Each working paper generally includes details such as the client’s name, the period under audit, a file reference, cross-references to other parts of the audit file, details of the testing conducted, comments/conclusions drawn, and identification of the preparer and reviewers. For illustration, a series of working papers are presented for a fictional client of Bell & Bowerman, LLP, New Millennium Ecoproducts (NME). The working paper examples are for the audit period ending December 31, 2022. NME was created by its founders, brothers Tomas and Charles Delron, avid environmentalists, at the turn of the twenty-first century. The vision for the company is to produce everyday products in a sustainable way, providing an affordable

  Documentation—Audit Working Papers  5-27

alternative for environmentally conscientious customers. NME operates from three locations and produces a wide range of household products that it sells to supermarkets and specialty stores. At the front of every audit file is a copy of the client’s trial balance that supports the financial statements. The trial balance is then referenced into the appropriate lead and supporting schedules in the audit file where audit work is documented for each account in the trial balance. At Bell & Bowerman, LLP, the trial balance is referenced using the letter “A”; cash and cash equivalents in various banks are referenced into the C Lead; accounts receivable are referenced into the E Lead; inventory accounts are referenced into the F Lead; property, plant and equipment are referenced into the K Lead; and so on. The first working paper example is the cash and cash equivalents lead schedule (see Illustration 5.8). The purpose of this lead is to summarize all general ledger accounts that are combined into the cash and cash equivalents account on the financial statements. The lead schedule also has adjusting journal entries, if any, that are proposed by the auditor. In the top-left corner of the lead schedule are the client name, period-end, and currency unit (in this example, balances are rounded to the nearest thousand dollars). In the top center of the lead schedule is section identification (C). In the top-right corner, details of the working paper preparer and reviewers are documented. Next, details of the cash and cash equivalents balance are listed. For each item listed in the lead schedule, the following are noted: •  General ledger account number, per the client records. •  General ledger account name, per the client records. •  Preadjusted balance, any adjustments, and the audit-adjusted current-year balance per the client’s trial balance (TB). •  The prior-year balance, per the prior-year audit file (PY).

illustration 5.8   Working paper example: Cash lead schedule Client: New Millennium Ecoproducts Period-end: 12/31/2022 Currency unit: $000

Bell & Bowerman, LLP C–LEAD

Reference: C-Lead

Prepared by: Reviewed by: Reviewed by:

KM 1/21/2023 SO 1/22/2023 MM 1/24/2023

Lead schedule:

Account no.

Account name

Preadjusted balance 12/31/2022

Adjusted current-year balance 12/31/2022

10100

Cash in Bank: Wells Fargo

$ 11,000

$0

$ 11,000

TB

$ 10,500

10200

Cash in Bank: U.S. Bank

134

0

134

TB

10300

Cash in Bank: Barclays

126

0

126

10400

Cash in Bank: Citigroup

56

0

10500

Short-Term Deposits

5,796

Total Cash and Cash Equivalents

$17,112

Prior-year balance 12/31/2021

Variance

% Variance

Ref

PY

$500

5%

C01

134

PY

0

0%

C02

TB

126

PY

0

0%

C03

56

TB

50

PY

6

12%

C04

0

5,796

TB

5,600

PY

196

4%

C05

$0

$17,112

$702

4%

Adjustments

$16,410

Key to audit tick marks (TM): TB Agrees to client’s trial balance. PY Agrees to prior-year audit file. Background: No significant changes in banks or bank accounts from the prior period. Note: Analytical review on movements in the cash flows has been performed on the cash flow schedule — see A1.1. Comments: Cash and cash equivalents: In line with budget and change consistent with level of activity for the period (see also our review of the statement of cash flows referenced in A1.1). Short-term deposits: Although the balance is very consistent with previous period, inclusion of short-term deposits within cash and cash equivalents is acceptable (refer to C5).

5-28  C h a pte r 5  Audit Evidence

•  Variance and percentage change, the calculated difference between the prior-year and current-year balances. •  The cross-reference to the working paper where supporting documentary evidence is kept for each balance (e.g., C02). The final section of the lead working paper includes any relevant background information about the account and comments based upon completed testing. The second working paper example relates to accounts receivable and would be found in the “E” section of the audit file (see Illustration 5.9). As noted before, in the top left corner are the client name, period-end, and currency unit ($000). In the top center are the working paper reference (E02) and title (confirmations and related alternative procedures). The upper-right corner of the working paper shows who performed and who reviewed the audit procedures. Next, the date of the interim confirmation is noted. In this case, the confirmation was conducted for the accounts receivable balance at two months prior to year-end. The balance in the accounts receivable account on that date is noted ($9,500) and cross-referenced to the accounts receivable subsidiary ledger (SL) and another part of the accounts receivable section of the audit file (E03). Receivable balances for a sample of customers were confirmed as of October, 31, 2022. The date the confirmations were sent is then noted. The first request was sent on November 5, 2022, and a second request was sent on December 10, 2022, to customers that did not reply to the first request. The table contains details of the customers who were sent confirmation requests. (This working

illustration 5.9   Working paper example—Confirmations and related alternative procedures Client: New Millennium Ecoproducts E02– CONFIRMATIONS AND RELATED ALTERNATIVE PROCEDURES

Period-end: 12/31/2022 Currency unit: $000

Confirmation/Interim date

10/31/2022

AR as of confirmation date

$9,500

SL/E03

Bell & Bowerman, LLP

Prepared by:

DM 12/14/2022

Reference: E02

Reviewed by:

SO 12/17/2022

Reviewed by:

MM 12/19/2022

Date 1st request sent

11/5/2022

Date 2nd request sent

12/10/2022

Alternative procedures in case of no response or variance Balance per customer as of confirmation Date date Received [B] TM/Ref

Account or invoice number

Customer name

Balance as of confirmation date [A]

TM/Ref

123456

Greenwash

$2,000

SL

654321

EcoFriend

$545

SL

789789

BigSupa

$6,000

SL

11/19/2022

$6,000

E02.2



987654

Cleanair

$500

SL

11/20/2022

$450

E02.3

$50

11/28/2022

$2,000

E02.1

Variance [A – B]

Subsequent cash receipts [C]

Date or source

Alternative procedures other than subsequent cash receipts Total TM/Ref [D] TM/Ref [C + D] Comments

– $545

– $400

11/18/2022



$145

β

$545 –

$50



11/1/2022



$50 –

Key to audit tick marks (TM): ✓ Agrees to check copy/remittance advice, which indicates invoice was paid subsequent to the confirmation date. β Agrees to shipping reports signed by external carriers, which indicates item was shipped prior to the confirmation date. SL Agrees to subledger—accounts receivable. Comments: • A: OK payment made by customer prior to the confirmation date, but received by the client just after confirmation date. This timing difference does not affect the existence of receivables as of the end of October.

A

  Documentation—Audit Working Papers  5-29

paper shows audit work for only a few customers, just to provide an example.) The table documents: •  The account or invoice number per the accounts receivable subsidiary ledger (SL). •  The customer name per the accounts receivable subsidiary ledger (SL). •  The balance at confirmation date per the accounts receivable subsidiary ledger (SL). •  The date the auditor received a response from the customer. •  The balance outstanding at the confirmation date according to the customer correspondence (filed and cross-referenced E02.1, E02.2, E02.3). •  Any variance between the client records and the customer correspondence, which is calculated and listed by the auditor. •  An explanation of alternative procedures used when a customer has not responded or if the customer’s response varies from the client’s records. The table also includes several tick marks (✓, β) that cross-reference to explanatory comments by the auditor at the bottom of the page. In this case, the tick marks ✓ and β refer to audit procedures performed on customers EcoFriend and Cleanair that are explained at the bottom of the working paper. The following discussion interprets the audit work documented on this working paper. The table shows the following audit work was performed to evaluate the appropriateness of the accounts receivable balances for four customers that were selected for confirmation. •  Customer Greenwash confirmed the balance owed to NME as $2,000. •  No response was received from EcoFriend. The auditor determined that EcoFriend paid $400 on November 18, 2022, and also vouched the remaining balance to underlying shipping documents that shows the goods had been shipped and title had passed to Eco­ Friend prior to the confirmation date. With this evidence, the auditor determined that $545 was the correct receivable balance as of the confirmation date. •  Customer BigSupa confirmed the balance owed to NME as $6,000. •  Customer Cleanair confirmed it owed $450 to NME. The variance of $50 represented a cash receipt on November 1, 2022, that was likely in the mail to NME prior to October 31, 2022. The bottom part of the working paper includes the auditor’s comments related to the last customer, Cleanair. The auditor concluded the timing difference did not affect the existence of a receivable as of the end of October.

Cloud 9 - Continuing Case The first major item in the current file for Cloud 9 is the audit plan with the detailed audit program. The current file also contains documentation for every test performed during the audit. Ian is still struggling with how to correctly complete the papers. He often forgets to complete all the relevant fields and Sharon

and Josh are continually sending papers back to him with requests to clarify some of his comments. However, embedding the working papers in Excel has made life easier, because an error message will be generated if certain key fields are not completed.

Before You Go On 5.1  What is a current file? 5.2  What is a permanent file and how does it relate to a current year’s audit? 5.3  What will an auditor document during the risk assessment phase of the audit?

5-30  C h a pte r 5  Audit Evidence

Learning Objectives Review 1  Define management assertions about classes of

transactions, account balances, and presentation and disclosure. When preparing the financial statements, management will make assertions about each account and related disclosures in the notes. Auditors use these assertions to assess the risk of material misstatement and design audit procedures. The assertions used when considering classes of transactions and events are occurrence, completeness, accuracy, cutoff, and classification. The assertions used when considering account balances at period-end are existence, rights and obligations, completeness, and valuation and allocation. The assertions used when considering presentation and disclosure are occurrence and rights and obligations, completeness, classification and understandability, and accuracy and valuation. The auditors will determine the relevant assertions for significant accounts and transactions to plan the audit procedures used to gather evidence. 2  Discuss the characteristics of audit evidence. Sufficient appropriate evidence is a core concept in auditing. Sufficient relates to the quantity and appropriate relates to the quality of audit evidence gathered. For evidence to be of high quality, it must be both relevant and reliable. The audit risk model impacts the quality and quantity of evidence to be gathered. For high risk assertions, auditors may increase the quantity and quality of evidence gathered. For low risk assertions, auditors may modify the quantity and quality of evidence gathered. Ultimately, the determination of sufficient appropriate evidence is a matter of professional judgment. 3  Apply the procedures for gathering audit evidence,

including the use of audit data analytics. Audit procedures are the specific methods used by auditors to gather evidence to support management assertions. The audit procedures are inspection of documents (including vouching and tracing), observation, inquiry, confirmation, recalculation, reperformance, analytical procedures, scanning, and audit data analytics (ADA). These

procedures can be used during risk assessment, for testing of controls, and as substantive tests of account balances, transactions, and disclosures. 4  Evaluate when it is appropriate for auditors to use

the work of others. In some situations, the audit team will rely on the work of others during the risk assessment and/or risk response phase of the audit. A specialist with expertise in a field other than accounting or auditing may be used by the auditors to assist in obtaining sufficient appropriate audit evidence. If the client has an internal audit function, the auditors may use the work of the internal auditors and/or obtain direct assistance from the internal auditors to carry out audit procedures that the external auditors would normally do themselves. A group auditor may need to use the work of a component auditor when their client operates in a number of locations or has subsidiaries spread around the country or the globe. In all cases when using the work of others, the auditors should first assess the objectivity, competence, and capability of the individuals or firms that will be used. 5  Document the details of evidence gathered in work-

ing papers. Audit evidence is documented in an auditor’s working papers. Audit working papers include the client’s name, the period under audit, a title describing the contents of the working paper, a file reference indicating where the working paper fits in the audit file, the initials identifying the preparer of the working paper together with the date the working paper was prepared, the initials identifying the reviewer(s) of the working paper together with the date(s) the working paper was reviewed, and cross-referencing between working papers indicating where further work and evidence are summarized elsewhere. Working papers are stored in either the permanent file or the current file. The permanent file includes client information and documentation that apply to multiple audits. The current file includes client information and documentation that apply to the current year’s audit.

Key Terms Review Accounting records Analytical procedures Appropriate Assertion Audit data analytics (ADA) Audit evidence Audit program Bank confirmation Component

Component auditor Current file External confirmation Group audit Group engagement partner Group engagement team Group financial statements Inquiry Inspection

Internal auditors Lead schedule Negative confirmation Observation Permanent file Positive confirmation Recalculation Receivable confirmation Relevance

  Audit Decision-Making Example  5-31 Relevant assertion Reliability Reperformance Scanning

Specialist Sufficient Tracing

Visualization Vouching Working papers

Audit Decision-Making Example Background Information You have been assigned to the audit of a new client, Acadian Chemicals (AC), headquartered in southern Louisiana. AC produces a product called carbon black. It is a black powder that is used in making other products, such as toner for printers/copy machines and vehicle tires. The powder is produced in four different grades, from very fine powder to coarser powder. The finished powder is stored in a large silo that has four compartments for the four different grades of powder. The silo is about two stories tall and can store a maximum of 700,000 pounds of powder. The bottom of the silo can be opened to fill 20-pound bags, 50-pound sacks, or entire train cars so the powder can be shipped to customers for further refinement into other products. The 20-pound bags and 50-pound sacks are stored in a large warehouse located on the production premises. You have toured the production facility and have seen the warehouse and the storage silo. There are no windows in the silo to see how much powder is inside, and no lighting inside of the silo. At the top of the silo, there is a lid for each compartment that can be opened, but when you look in, all you see is darkness. At any given time during the year, about 40% of AC’s inventory is stored in the silo, waiting to be packaged and shipped. The production facility operates continuously, 24 hours a day, 7 days a week.

Identify the Audit Issue One of the issues here is determining what assertion is most at risk with the inventory that is stored in the silo. Another issue is determining what audit procedures to use to gather sufficient appropriate evidence regarding the inventory that is in the silo.

Gather Information and Evidence Important information includes: •  A material portion (40%) of the inventory is stored in the silo; therefore, it should be audited. However, there is no way to see how much is actually in the silo. •  Since the production facility operates continuously, there is always powder being loaded into at least one compartment of the silo. It is not possible to stop production for purposes of determining what is in the silo. Even if production could be stopped, it is still not possible to see what or how much is in the silo. •  Fraud risk may be high because AC management could lie about how much is in the silo in an effort to overstate inventory. Management could also put something different in the silo, such as sand, thereby providing false information about the silo’s contents.

•  Risk of theft of the powder is low because it is not a product that is easy to steal or in demand (unlike jewelry or cars). •  The client has a method of determining how much is in the silo. The client uses a “strapping tool” to measure the empty part of the silo. The strapping tool is basically a tape measure on a reel with a weight on the end of the tape measure. From the top of each compartment of the silo, the client lowers, or reels, the tape measure down into each compartment. When the weight on the end of the tape hits the powder, the client stops reeling and looks at the measurement on the tape. Essentially, the client is measuring the empty part of the compartment. Once the measurement is obtained, it is entered into a client-prepared spreadsheet that contains a formula. The total volume of the silo, minus the strapping tool measurement (converted into a volume amount), equals an estimate of volume of powder in the silo.

Analysis and Evaluation of Alternatives Analysis of risk and alternatives: •  Risk of material misstatement is high for the existence assertion of powder stored in the silo. •  Visually observing the amount of inventory in the silo is not possible in this situation. However, you can reperform the client’s procedure of using the strapping tool to measure the empty part of the tank, and then use the client’s spreadsheet formula to determine the volume of powder in the silo. •  You may consider hiring a specialist to assist in the observation of inventory in the silo. The specialist can also inspect the client’s spreadsheet formula to ensure it is mathematically reasonable and consistent with what is used in the industry.

Audit Conclusion Since AC is a new client with a unique inventory situation, your firm will hire a specialist in the carbon black industry to perform procedures on the client’s spreadsheet and measurement process for inventory in the silo. The specialist will summarize his or her findings in a report that will be included in the audit documentation for AC. If the specialist determines that AC’s procedures are reasonable and consistent with the industry, then the specialist probably will not be needed for future audits unless the client’s process for storing the powder changes significantly.

5-32  C h a pte r 5  Audit Evidence

CPAexcel CPAexcel questions and other resources are available in WileyPLUS.

Multiple-Choice Questions 1.  (LO 1)  The three categories of management assertions are: a.  journal entries, ledgers, and trial balances. b.  journal entries, account balances, and financial statements. c.  transactions, ledgers, and account balances. d.  classes of transactions, account balances, and presentation and disclosure. 2.  (LO 1)  The assertion related to recording transactions in the correct accounting period is: a.  accuracy. b.  completeness. c.  cutoff. d.  occurrence. 3. (LO 1)  A detailed listing of the specific audit procedures to be used to gather evidence for an account is called the: a.  permanent file. b.  audit strategy. c.  audit program. d.  accounting records. 4. (LO 2)  The quantity of evidence that an auditor will gather: a.  varies with the assessed risk of material misstatement. b.  is the same for most audits because it has to be appropriate. c.  depends on the size of the audit team. d.  is the same for clients in the same industry. 5. (LO 2)  Which is generally the most reliable form of evidence? a.  Internally generated evidence from the client’s IT system. b.  Internally generated evidence based on discussions with upper management. c.  Externally generated evidence held by the client. d.  Externally generated evidence sent directly to the auditor. 6. (LO 3)  An external confirmation sent to a bank: a.  requests information about the bank balances and loan amounts. b.  requests information about interest rates paid on deposits and charged on loans. c.  is relevant to the audit of interest revenue and expense. d.  All of these answer choices are correct. 7. (LO 3)  When an auditor inspects a tangible asset to support a balance in the client’s records, the auditor is gathering evidence to support the: a.  completeness assertion. b.  existence assertion. c.  valuation and allocation assertion. d.  rights and obligations assertion.

8. (LO 3)  When an auditor inspects loan documentation and ­traces the details to recording in the client’s records, the auditor is gathering evidence to support the: a.  completeness assertion. b.  existence assertion. c.  valuation and allocation assertion. d.  rights and obligations assertion. 9. (LO 3)  Which audit procedure is being used when an auditor checks the calculations in a client-prepared spreadsheet? a.  Analytical procedure. b.  Recalculation. c.  Reperformance. d.  Scanning. 10. (LO 4)  If a specialist is engaged to assist with the audit: a.  it means the auditor does not have the requisite skill and knowledge to assess the item. b.  it means the auditors should not have taken on the audit because they are not qualified. c.  the PCAOB must be contacted and permission obtained before the specialist starts work. d.  the auditor does not have to take responsibility for the fair presentation of the item in the financial statements. 11. (LO 4)  Before the external auditors decide to use the work performed by the internal auditors, the external auditors must first assess: a.  the size of the internal audit function relative to the client. b.  the independence of the internal auditors. c.  the supervision skills of the internal audit function. d.  t he competence and objectivity of the internal audit function. 12. (LO 5)  The working papers for a client contain both a permanent and a current file. The difference between the two files is that: a.  the permanent file is kept by the audit partner in charge and cannot be altered after the first audit engagement is com­ pleted, but the current file can be updated. b.  the copy of the permanent file must be sent to a regulator (PCAOB or State Board of Accountancy) and the current file is not. c.  the permanent file includes documents that relate to the client and are relevant for more than one year’s audit, and the current file includes the details of work completed and evidence gathered that relate to the current year’s audit. d.  the permanent file cannot be altered, but the current file can be altered.

 Analysis Problems  5-33

Review Questions R5.1  (LO 1)  Are financial statements considered statements of fact? Discuss in the context of management assertions.

R5.7  (LO 3)  Differentiate between recalculation and reperformance, and provide an example of each.

R5.2  (LO 2)  Explain why the quality of audit evidence is determined by the choice of audit procedure and the assertion most at risk of material misstatement.

R5.8  (LO 4)  If an auditor does not have sufficient knowledge and skill in an area, the auditor can ask for the assistance of a specialist. Does this create a problem? Explain how an auditor knows if the specialist’s work is reasonable if the auditor is not also a specialist.

R5.3  (LO 2)  Discuss why an auditor must consider the reliability of audit evidence. R5.4  (LO 3)  Explain how inspecting a client’s tangible assets provides evidence about the completeness and existence assertions.

R5.9  (LO 4)  Describe the general composition of an external audit team. Discuss whether a client’s internal auditors can be part of the external audit team.

R5.5  (LO 3)  Differentiate between the “occurrence” and “existence” assertions. How do both differ from “completeness”?

R5.10  (LO 4)  Provide examples of situations in which an auditor would use the work of a component auditor.

R5.6  (LO 3)  List and describe the procedures for gathering audit evidence. At which stage(s) of the audit is each procedure appropriate?

R5.11  (LO 5)  List some key elements that would be included in any working paper document.

Analysis Problems AP5.1  (LO 1)  Basic   Assertions at risk  The inventory of a large grocery store client is material, and it is the largest current asset on the balance sheet. The cost of inventory items ranges from very small amounts (like individual candy at the checkout line) to larger amounts (like prime meat and specialty deli items). Typical risks for a grocery store are theft and spoilage of inventory. During the second quarter, the client caught three employees in a scheme of stealing produce and meats from the store and selling them, at a discount, to friends and family. Based on an investigation by authorities and store management, the scheme had been operating for about two months.

Required Based on the information, evaluate which accounts and assertions are at risk of misstatement. AP5.2  (LO 1)  Basic   Assertions at risk  Davis Do-It-Center (Davis) is a local hardware store with five locations in southern Georgia. The company has been operating for over 70 years. In the last 15 years, the two owners, who are brothers, have been working hard to transition from manual processes to electronic systems. Recently, one of the store managers had to fill in at the checkout register, which uses a scanning system to capture the sales price of each item, and noticed that the scanned sales prices of some items were incorrect. The manager alerted one of the brothers about the issue. Upon further investigation, this brother discovered that the scanning system was pulling sales prices from outdated price lists for three inventory categories: lawn and garden, plumbing, and paint supplies.

Required Based on the information, evaluate which accounts and assertions are at risk of misstatement. AP5.3  (LO 1, 2)  Moderate   Assertions and evidence  Propel Equipment rents heavy equipment, such as cranes, bulldozers, and dump trucks, to industrial contractors. One of Propel’s larger expenses is repairs and maintenance on the rental equipment. The company’s policy is to capitalize repairs that improve the useful life or increase the operating efficiency of the equipment. Routine repair and maintenance costs should be expensed as incurred. Business has been slow for the last two quarters, so Propel is taking advantage of the “down time” to catch up on repair and maintenance items. Propel’s auditors have completed their risk assessment procedures and noted the increased activity with repairs and maintenance. Since business is slow, auditors also noted there is increased risk that management may try to understate expenses to inflate profit.

Required a.  If Propel management incorrectly capitalizes repairs and maintenance expenses, evaluate which accounts and assertions are at risk of misstatement. b.  If auditors determine there is increased risk for understatement of expenses, how does that impact the sufficiency and appropriateness of the audit evidence?

5-34  C h a pte r 5  Audit Evidence AP5.4  (LO 1, 2, 3)  Moderate   Types and persuasiveness of audit evidence  Jenna is working on the audit of a client’s accounts receivable. During the last few weeks, she has conducted interviews with the accounts receivable manager, the chief financial officer, and staff working in the accounts receivable department. She has overseen the external confirmations of accounts receivable, 30% of which required the recipient to respond whether or not the amount stated was correct. Jenna also inspected subsequent cash receipts from the client’s customers. She vouched a sample of accounts receivable balances back to the underlying invoices, cash receipts and sales returns, and traced a sample of these documents to the accounts receivable ledger.

Required a.  List the audit procedures used by Jenna to gather evidence and comment on the reliability of the evidence. b.  Relate each type of evidence to the relevant accounts receivable assertions. AP5.5  (LO 1, 2, 3)  Moderate   Audit evidence  James Thomas is responsible for preparing bank reconciliation statements at Ajax Inc. Ajax has many bank accounts, including separate accounts for each major branch, accounts for payments of salaries and dividends, and accounts kept in foreign currency for overseas divisions. James maintains records including bank statements and weekly bank reconciliations for each account. In addition, there are files containing correspondence with banks about disputed transactions, dishonored checks from Ajax’s customers, and other bank-initiated transactions such as fees and interest.

Required a.  Comment on the appropriateness of the evidence in James’ files for Ajax’s financial statement audit. b.  Explain how an auditor would obtain more appropriate evidence for the relevant assertions for the bank accounts at Ajax. AP5.6  (LO 1, 2, 3)  Basic   Audit evidence  An audit associate is preparing an audit program for the audit of a client’s revenue transactions. To gather evidence in support of the occurrence assertion, the associate included the following audit procedure in the audit program: Select a sample of authorized shipping documents and approved customer orders and trace them to recording in the sales journal.

Required a.  Evaluate the relevance of the procedure in addressing the occurrence assertion. b.  Comment on the reliability of the evidence gathered using the procedure. AP5.7  (LO 1, 2, 3)  Moderate   Audit evidence  An audit associate is preparing an audit program for the audit of a client’s inventory purchases transactions. To gather evidence in support of the cutoff assertion, the associate included the following audit procedure in the audit program: Select a sample of receiving reports in the warehouse for three days before and after year-end and inspect related journal entries in inventory/accounts payable to determine that purchases were recorded in the proper period.

Required a.  Evaluate the relevance of the procedure in addressing the cutoff assertion. b.  Comment on the reliability of the evidence gathered using the procedure. AP5.8  (LO 1, 2, 3)  Basic   Audit evidence  An audit associate is preparing an audit program for the audit of a client’s allowance for doubtful accounts. To gather evidence in support of the valuation assertion, the associate included the following audit procedure in the audit program: Confirm accounts receivable by sending positive confirmations to a sample of customer account balances.

Required a.  Evaluate the relevance of the procedure in addressing the valuation assertion. b.  Comment on the reliability of the evidence gathered using the procedure. AP5.9  (LO 1, 2, 3)  Challenging   Gathering evidence  Max Crowe is an associate auditor who has just started with the team conducting the audit of a new client in the construction industry. Max is shadowing Susan Wong, an experienced auditor. Susan is showing Max how to be a member of an audit team and is trying to teach Max about the benefits of getting to know the client. Susan is also trying to help Max develop experience in picking up subtle signals about the client’s problems and what the client might be trying to hide from the auditor.

 Analysis Problems  5-35 Max is getting a little frustrated with the “shadowing” assignment. He cannot understand why Susan is spending so much time talking to the client’s staff and touring the various construction sites and offices. When Susan is not doing this, she is working on a spreadsheet of the client’s previous financial statements and unaudited interim data. Max wants to know when they are going to do some “real” work and start gathering audit evidence. Susan tells Max that they have already started.

Required a.  Discuss Susan’s comment that they have already started the audit. What evidence have they gathered so far? b.  Explain what work is being done with the spreadsheets of financial data. Give some specific examples for this client. How is this type of work relevant to different phases of the audit? c.  When Susan is touring the client’s premises, she is taking notes of equipment and furniture she sees, especially anything that looks either newly purchased or older and unused. Explain why she is doing this. AP5.10  (LO 4)  Moderate   Using the work of internal auditors  Theobald Inc. has an internal audit department that primarily focuses on audits of the efficiency and effectiveness of its production departments. The other main role of the internal audit department is auditing compliance with various government regulations surrounding correct disposal of waste and storage of raw materials at its five factories. Theobald’s internal audit department is run by Harry Potts, a CPA and a member of the Institute of Internal Auditors. There are three other members of the department, all of whom have experience in performance auditing and, in addition, have completed industry-run training courses in waste management and handling dangerous goods. Harry meets regularly with the chief production manager and sends monthly reports to the CEO and the board of directors. Your initial investigations suggest that Harry is highly regarded within Theobald, and his reports are often discussed at board meetings. In most cases, the board authorizes the actions recommended in Harry’s reports with respect to major changes to production and logistics.

Required Evaluate the extent of reliance the external auditor should place on the work of the internal audit department at Theobald Inc. Explain the likely impact of the internal audit department’s work on the audit plan. AP5.11  (LO 4)  Challenging   Research   Using a specialist  SolarTubeGen is a start-up company in the renewable energy sector. The founder of SolarTubeGen, Fritz Herzberg, has developed cutting-edge technology to convert the energy in the sun’s rays to electricity via a novel system of mirrors designed to focus the sun’s rays onto tubes containing a patented type of gas, which then heats and expands to drive turbines. Ramirez & Walker LLP has won the contract for the first audit of SolarTubeGen on the basis of its expertise in the energy sector. However, the lead partner, Mark Ramirez, recognizes the success of the audit is dependent on the correct assessment of the technology being used at SolarTubeGen. Mark specified in the successful audit bid documents that the audit will use an external specialist to help with valuation of the company’s assets. Fritz Herzberg is very protective of his company’s intellectual property and is resistant to Mark’s first suggested specialist, Manfred Hamburg. Fritz believes that Manfred Hamburg is hostile toward him because they clashed when they both worked for a German company making photovoltaic cells in the 1990s. Fritz has suggested another specialist, Lily Beilherz, with whom he has had good working relations over the last 20 years.

Required a.  Advise Mark Ramirez about the choice of a specialist for the audit of SolarTubeGen. What must he consider when making his choice? Refer to AU-C 620 Using the Work of an Auditor’s Specialist to support your answer. (ASB standards can be accessed at www.aicpa.org/research/ standards.) b.  SolarTubeGen takes over another renewable energy company during the second-year audit. The new subsidiary is based in another country and has previously been audited by a local audit firm. Evaluate how Mark should handle the new audit responsibilities brought about by the client’s ­expansion. AP5.12  (LO 3, 5)  Moderate   Research   Documentation  Jennifer Jones is reading documents prepared by the members of the team working on the audit of receivables for a private company audit client. Jennifer is the senior manager assisting the engagement partner, Ruby Rogers. Jennifer and Ruby have worked together on many audits, and Jennifer knows the types of questions Ruby will ask about the working papers if they are not up to the standard required by AU-C 230. Jennifer is trying to make sure that all documents are up to the required standard before Ruby sees them tomorrow. Jennifer is particularly concerned about the documents relating to the receivable confirmations. This is because the audit assistant who wrote the confirmation results recommended that no further work was required. On review of the results, Jennifer discovered the audit assistant had incorrectly

5-36  C h a pte r 5  Audit Evidence treated “no reply” results as acceptable for a positive confirmation, when they are acceptable only for a negative confirmation. Jennifer had ordered further work be done to follow up on these “no reply” results.

Required a.  What is the minimum standard that audit documentation must meet? b.  Propose how you would treat the corrections made to the audit assistant’s recommendations and the additional work on receivable confirmations in the working papers. Refer to both AU-C 505 External Confirmations and AU-C 230 Audit Documentation in your answer. AP5.13  (LO 4, 5)  Challenging   Fraud   Public Company   Research   Overstating revenue— Satyam Computer Services, Ltd  In April 2011, the SEC charged Satyam Computer Services Ltd., an India based-company, with fraudulently overstating the company’s revenue, income, and cash balances by more than $1 billion over five years. The SEC also sanctioned the company’s auditors for conducting deficient audits that allowed the fraud to go undetected for years. The auditors were five India-based affiliates of PricewaterhouseCoopers (PwC). The SEC stated that “PW India’s failure to properly execute third-party confirmation procedures resulted in the fraud at Satyam going undetected for years.”15

Required a.  Go to www.sec.gov and research the Satyam fraud scandal. Briefly summarize the fraud, such as the time period over which it took place, who was involved, and how it was conducted. b.  Go to www.pcaobus.org and search for PCAOB Release No. 105-2011-002. Summarize the audit deficiencies noted by the PCAOB in the audit of the cash and receivables balances. Also summarize how the auditors violated Auditing Standard No. 3 Audit Documentation. (Note that the Auditing Standards have since been reorganized. The documentation standard is now AS 1215.) What penalties/ punishment was levied on the PwC affiliate firms?

Audit Decision Cases King Companies, Inc. Questions C5.1 and C5.2 are based on the following case. King Companies, Inc. (KCI) is a private company that owns five auto parts stores in urban Los Angeles, California. KCI has gone from two auto parts stores to five stores in the last three years, and it plans continued growth. Eric and Patricia King own the majority of the shares in KCI. Eric is the chairman of the board of directors and CEO of KCI, and Patricia is a director as well as the CFO. Shares not owned by Eric and Patricia are owned by friends and family who helped the Kings get started. Eric started the company with one store after working in an auto parts store. To date, he has funded growth from an inheritance and investments from a few friends. Eric and Patricia are thinking about expanding by opening three to five additional stores in the next few years. KCI employs 20 full-time staff. These workers are employed in store management, sales, parts delivery, and accounting. About 40% of KCI’s business is retail walk-in business, and the other 60% is made up of regular customers for whom KCI delivers parts to their locations and bills these customers on account. During peak periods, KCI also uses part-time workers. As part of gaining an understanding of KCI, you inspect (1) the accounts receivable trial balance that lists amounts owed by each customer and (2) an aging of accounts receivable schedule. One customer, Tire Repair Specialists (TRS), has a large material balance that is more than 90 days past due. You discuss the TRS balance with Jonathan, one of KCI’s accounting staff, and he says there are rumors that TRS is having serious financial difficulty. Jonathan says no adjustment or allowance has been made regarding the TRS account. You just completed a continuing professional education (CPE) course at your firm, Thornson & Danforth, about audit documentation. AU-C 230 has specific requirements about documenting audit work. In particular, paragraph 9 states: “In documenting the nature, timing and extent of audit procedures performed, the auditor should record: a.  the identifying characteristics of the specific items or matters tested; b.  who performed the audit work and the date such work was completed; and c.  who reviewed the audit work performed and the date and extent of such review.” 15

Securities Exchange Commission (SEC), “SEC Charges India-Based Affiliates of PWC for Role in Satyam Accounting Fraud,” Release 2011-82 (April 5, 2011), www.sec.gov.

 Audit Decision Cases  5-37 In addition, paragraph 11 states: “The auditor shall document discussions of significant findings or issues with management, those charged with governance, and others, including the nature of the significant finding or issues discussed, and when and with whom the discussions took place.” C5.1  (LO 1)  Moderate   Assertions at risk  Analysis and evaluation: Based on the information, evaluate which accounts and assertions are at risk of misstatement. C5.2  (LO 5)  Moderate   Documentation  Analysis: Describe how you would apply the mandatory requirements of AU-C 230 when documenting your understanding related to the potential bad debt.

Mobile Security, Inc. Question C5.3 is based on the following case. Mobile Security, Inc. (MSI) has been an audit client of Leo & Lee, LLP for the past 12 years. MSI is a small, publicly traded aviation company based in Cleveland, Ohio, where it manufactures hightech unmanned aerial vehicles (UAV), also known as drones, and other surveillance and security equipment. MSI’s products are primarily used by the military and scientific research institutions, but there is growing demand for UAVs for commercial and recreational use. MSI must go through an extensive bidding process for large government contracts. Because of the sensitive nature of government contracts and military product designs, both the facilities and records of MSI must be highly secured. MSI has a small internal audit department that is led by Lorenzo Mandella, a former audit senior of Leo & Lee who worked on the MSI audit. Lorenzo never took the time to sit for the CPA exam and therefore was not able to advance to manager at Leo & Lee. He was thankful that the opportunity at MSI became available. Lorenzo was hired by MSI five years ago as MSI’s first internal auditor. He was tasked with establishing the internal audit function and hiring more internal audit staff as needed. Over the past five years, he has hired three additional internal audit staff. Two of his staff are CPAs and one is a certified internal auditor (CIA). The two CPAs have 2-3 years of external audit experience from working at a mid-size public accounting firm. The CIA is a recent college graduate whose only work experience was an internal audit internship for a health insurance company. On a day-to-day basis, Lorenzo works closely with the CFO and other accounting personnel as part of internal control monitoring. The CFO will ask Lorenzo’s group to perform audits of accounts if errors are suspected. Lorenzo reports to the audit committee as needed, particularly if there are issues with internal controls that the audit committee should be made aware of. Lorenzo and the rest of his group do not have any managerial duties outside of their internal audit role. C5.3  (LO 4)  Moderate   Public Company   Research   Considering the work of internal 

auditors  Analysis and evaluation: Using AS 2605 as a guide, discuss how Leo & Lee would evaluate the internal audit function of MSI. Based on the information, make a decision regarding the use of MSI’s internal auditors and defend your decision. (PCAOB auditing standards can be accessed at www.pcaobus.org.)

Brookwood Pines Hospital Question C5.4 is based on the following case. Goodfellow & Perkins LLP is a successful mid-tier accounting firm with a large range of clients across Texas. During 2022, Goodfellow & Perkins gained a new client, Brookwood Pines Hospital (BPH), a private, not-for-profit hospital. The fiscal year-end for BPH is June 30. Goodfellow & Perkins is performing the audit for the fiscal year-end June 30, 2023. BPH provides medically necessary care to patients, regardless of their ability to pay. Both uninsured and underinsured patients are offered discounts of up to 100% of charges based on their income as a percentage of the federal poverty level guidelines. BPH does not pursue collection of these accounts; therefore, they are not reported in patient service revenue and accounts receivable. The cost of providing the charity care is included in operating expenses. BPH’s investments consist of mutual funds, common equities, corporate and U.S. government debt issues, state and municipal government debt issues, and trusts. A majority of the investments are the result of charitable contributions to the hospital by generous donors. Earnings from the investments are used to cover the costs of the charity care. BPH is also eligible for certain government grants to help cover the costs of the charity care.

5-38  C h a pte r 5  Audit Evidence The breakdown by payor of BPH’s accounts receivable balance approximates the following:

Medicare

16%



Medicaid

12%



Blue Cross

19%



Other insurance providers

33%



Patients

20%

The historical estimated allowance for uncollectible accounts is approximately 23%. The following table lists selected asset accounts for BPH as of June 30, 2023 and 2022 (amounts in thousands). Account Cash and cash equivalents Short-term investments

June 30, 2023

June 30, 2022

$   43,077

$   36,361

22,725

49,338

119,380

99,962

10,740

10,056

915,088

807,321

57,839

58,140

  Buildings

577,546

556,590

  Equipment and furniture

194,481

169,603

  Construction in progress

89,890

58,290

919,756

842,623

Accumulated depreciation

343,324

303,642

Property and equipment, net

576,432

538,981

Patient accounts receivable, net Inventory Long-term investments Property and equipment:   Land

Total current assets Total assets

233,286

225,962

1,787,720

1,618,698

C5.4  (LO 1, 2, 3)  Challenging   Assertions and audit procedures  Analysis: Select three asset accounts that you consider significant accounts for BPH and explain why they are significant. For each significant account that you identify, determine the two most relevant assertions for that account and select one audit procedure that would provide sufficient appropriate audit evidence related to each of the relevant assertions.

Cloud 9 - Continuing Case W&S Partners will need the assistance of auditors in Vietnam and a derivatives specialist to complete the Cloud 9 audit. The other auditors will be asked to provide evidence about the inventory shipped to the United States from the production plant in Vietnam and about the property, plant, and equipment at the Vietnam plant. Although the inventory is sent FOB shipping point, there have been several occasions when the shipping agent was unable to place the inventory on a ship. In these cases, the inventory was stored in the shipping agent’s warehouse until a vessel became available. Suzie has some concerns about the quality of the warehouses because if the goods are damaged they could become worthless, and the value of goods in transit will be overstated. In addition, Josh has asked Jo Wadley (the partner) for help in choosing a specialist to help with valuation aspects of the audit of derivatives. Jo has provided him with three names of specialists in the field, but she has had no personal experience with any of them. Josh must make a choice and engage the specialist soon to be sure the specialist’s opinion will be received in time to complete the audit.

Answer the following questions based on the information presented for Cloud 9 in the appendix to this text and the current and earlier chapters. You should also consider your answers to the case study questions in earlier chapters.

Required a. Access AS 1205 Part of the Audit Performed by Other Independent Auditors at www.pcaobus.org. Explain the procedures that W&S Partners must complete before engaging other auditors to perform the work on the inventory and property, plant, and equipment in Vietnam. Cite the audit standard in your response. b. Access AS 1210 Using the Work of a Specialist at www.pcaobus. org. Advise Josh on engaging the derivatives specialist. Discuss the qualities the specialist must possess. What must the specialist provide to Josh so that he can be sure he has sufficient appropriate evidence about the derivatives? What steps must Josh perform? Cite the audit standard in your response.

Chapter 6 Gaining an Understanding of the Client’s System of Internal Control The Audit Process Overview of Audit and Assurance (Chapter 1) Professionalism and Professional Responsibilities (Chapter 2) Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4) Identify Significant Accounts and Transactions Make Preliminary Risk Assessments

Set Planning Materiality

Gaining an Understanding of the System of Internal Control (Chapter 6)

Audit Evidence (Chapter 5)

Develop Responses to Risk and an Audit Strategy

Performing Tests of Controls (Chapter 8)

Performing Substantive Procedures (Chapter 9) Audit Sampling for Substantive Tests (Chapter 10)

Auditing the Revenue Process (Chapter 11)

Auditing the Purchasing and Payroll Processes (Chapter 12)

Audit Data Analytics (Chapter 7)

Gaining an Understanding of the Client

Auditing the Balance Sheet and Related Income Accounts (Chapter 13)

Completing and Reporting on the Audit (Chapters 14 and 15) Procedures Performed Near the End of the Audit

Drawing Audit Conclusions

Reporting

6-1

6-2  Ch a pte r 6   Gaining an Understanding of the Client’s System of Internal Control

Learning Objectives LO 1  Define internal control and describe the COSO framework.

LO 5  Discuss the different techniques used to document internal controls.

LO 2 Explain and evaluate internal controls at the entity level.

LO 6 Explain the importance of identifying strengths and weaknesses in a system of internal control.

LO 3 Explain and evaluate internal controls at the transaction level.

LO 7 Explain how to communicate internal control weaknesses to those charged with governance.

LO 4 Explain and evaluate information technology (IT) controls.

Auditing and Assurance Standards PCAOB

Auditing Standards Board

AS 2110  Identifying and Assessing Risks of Material Misstatement

AU-C 265  Communicating Internal Control Related Matters Identified in an Audit

AS 2201 An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements

AU-C 315  Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

Cloud 9 - Continuing Case Sharon Gallagher (audit manager), Josh Thomas (audit senior), Ian Harper, and Suzie Pickering (both audit staff) are meeting to discuss their internal control assessment for Cloud 9. Sharon asks, “What is the purpose of understanding Cloud 9’s system of internal control?” Ian answers, “We need to understand the system in order to issue a report on internal controls over financial reporting.” Sharon responds, “If Cloud 9 were a private company, would we still need to understand the system of internal control?” ­Suzie now jumps into the conversation. “In every audit we need to understand the strengths and weaknesses in an entity’s system of internal control. For Cloud 9, this helps us understand control risk and which internal controls to test. If Cloud 9 were a private ­company, we

would still need to understand the system of internal controls to evaluate control risk and determine audit strategy.” ­Sharon summarizes, “You are right, Suzie. We need to understand internal controls at both the entity level and at the transaction level. This helps us assess risk. We hope to find sound internal control strengths at all levels, so we can test controls and support our opinion on internal controls since it is a public company. However, we should also be alert to any significant deficiencies or material weaknesses in internal controls. Both need to be reported to the board of directors and we need to include a discussion of any material weaknesses in our audit report on internal controls. This process all begins by understanding the internal controls that Cloud 9 has placed in operation.”

Chapter Preview: Audit Process in Focus An integrated audit focuses on internal controls to (1) express an opinion on the effectiveness of internal control over financial reporting (ICFR), and (2) permit the auditor to make judgments about the evidence needed for the financial statement audit. To form an opinion on ICFR, the audit team must obtain an understanding of the entity’s system of ICFR, gather evidence, evaluate the evidence, and verify it against some form of independent reference. The most commonly accepted global framework is the Internal Control—Integrated Framework developed by the Committee of Sponsoring Organizations of the Treadway ­Commission

  Internal Control Defined  6-3

(COSO).1 This framework enables organizations to effectively and efficiently develop systems of internal control. It also provides a common framework for users to understand audits of internal control over financial reporting. When internal controls put in place by management conform to the COSO framework and function effectively, internal control is described as strong. When they do not agree closely to the COSO framework, or they do not operate effectively, the internal control is described as weak. Recall from Chapter 1 that if a public company has one material weakness in ICFR, the company will receive an adverse opinion on ICFR. In audits of private companies, not-for-profit entities, and governments, where the auditor does not have to issue a report on ICFR, the auditor must still understand the system of internal control, evaluate control risk, and assess the impact of internal controls on audit strategy. In this chapter, we begin with a discussion of how the client’s system of internal controls relates to an integrated audit. This involves understanding: •  What is meant by the term internal control. •  The objectives of the internal controls put in place by management. •  The components of internal control (at the entity level and at the transaction level). •  What the auditor should understand about the client’s system of internal control. Next, we focus on information technology (IT) controls and how they work. This chapter concludes with a discussion of identifying strengths and weaknesses in a system of internal control and how weaknesses are communicated to both management and those charged with governance.

Internal Control Defined Lea rning Objective 1 Define internal control and describe the COSO framework. Why is understanding the internal controls of an organization important? It is because when controls are effective, the organization is more likely to achieve its strategic and operating objectives. Internal control is a very broad concept and encompasses all of the elements of an organization—its resources, systems, processes, culture, structure, and tasks. When these elements are taken together, they support the organization’s ability to achieve its objectives. Internal control is defined by COSO as follows: Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the objectives related to operations, reporting and compliance.2 Understanding internal control is important to (1) audit internal controls over financial reporting and (2) make a preliminary assessment of control risk. Control risk is a key component of the overall audit risk assessment and provides evidence that influences the resulting audit strategy developed by the auditor. Both AS 2110 Identifying and Assessing Risks of Material Misstatement and AU-C 315 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement require the auditor to obtain an understanding of an entity’s internal controls. This applies to all audits, including when the auditor of a private company decides that an entirely substantive approach (control risk is assessed at the maximum) is the appropriate response to the risks identified. Understanding an entity’s system of internal control assists the auditor both in identifying the types of misstatements that are likely to occur and the risk of fraud in the financial statement audit. 1

COSO, Internal Control—Integrated Framework (AICPA: Durham, NC, 2013). Ibid.

2

internal control  a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the objectives related to operations, reporting, and compliance

6-4  Ch a pte r 6   Gaining an Understanding of the Client’s System of Internal Control

The COSO Framework

Objectives

Components

m pl ia nc

Control environment Risk assessment Control activities

Entity Division Operating unit Function

Co

tin po r Re

Op er

at io

g

ns

The relationship among the three dimensions of internal control: objectives, components, and organizational structure

e

ILLUSTRATION 6.1  

Organizational structure

The COSO framework has global acceptance and is the most commonly recognized framework for understanding and evaluating a system of internal control. It has three dimensions, as shown in Illustration 6.1. First, the COSO framework discusses the objectives of internal control. Second, the COSO framework discusses important components of internal control. Third, the COSO framework discusses how these objectives and components fit into an organizational structure.

Information and communication Monitoring activities

Objectives of Internal Control The COSO framework depicted in Illustration 6.1 identifies three objectives of internal control that allow organizations to focus on the differing purposes of internal control. These three objectives are: •  Operations objectives. These pertain to the effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss. •  Reporting objectives. These pertain to internal and external financial and nonfinancial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognized standard setters, or the entity’s policies. •  Compliance objectives. These pertain to adherence to laws and regulations to which the entity is subject. (COSO, Internal Control—Integrated Framework, 2013) These three objectives of internal control help the auditor understand why the controls are important and the problems they are designed to prevent. Without understanding the intention of management in implementing internal controls, it is harder to understand how controls prevent, or detect and correct, financial statement misstatements. Management and those charged with governance are concerned about adequately controlling the entity’s ­operations, its financial reporting, and its compliance with laws and regulations. The external auditor, on the other hand, is primarily concerned with the reporting objectives and the ­operations objectives related to safeguarding of assets.

Components of Internal Control The second dimension of the COSO framework depicted in Illustration 6.1 identifies five ­integrated components of internal control: •  Control environment. •  Risk assessment. •  Control activities.

  Internal Control Defined  6-5

•  Information and communication. •  Monitoring activities. Within the five components of internal control, the 2013 COSO framework clearly articulates 17 principles that are essential to evaluating whether the five components of internal control are present and operating effectively. The principles also apply to an entity’s operations, reporting, and compliance internal control objectives. These components and principles are summarized in Illustration 6.2.

Control Environment 1. The organization demonstrates a commitment to integrity and ethical values. 2. The board of directors demonstrates independence from management and exercises ­oversight over the development and performance of internal control. 3.  Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. 4. The organization demonstrates a commitment to attract, develop, and retain competent ­individuals in alignment with objectives. 5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. Risk Assessment 6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. 7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risk as a basis for determining how the risks should be managed. 8. The organization considers the potential for fraud in assessing the risks to the achievement of objectives. 9. The organization identifies and assesses changes that could significantly impact the system of internal control. Control Activities 10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. 11. The organization selects and develops general control activities over technology to support the achievement of objectives. 12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into actions. Information and Communication 13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control. 14. The organization internally communicates information, including objectives and ­responsibilities for internal control, necessary to support the functioning of internal ­control. 15. The organization communicates with external parties regarding matters affecting the functioning of internal control. Monitoring 16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. 17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. (COSO, Internal Control—Integrated Framework, 2013)

illustration 6.2   Seventeen COSO principles of internal control

6-6  Ch a pte r 6   Gaining an Understanding of the Client’s System of Internal Control

Organizational Structure The third dimension of the COSO framework depicted in Illustration 6.1 describes an entity’s organizational structure. While some private companies or not-for-profit organizations may have simple organizational structures, and some multinational organizations have complex organizational structures, the key issue is that some controls are implemented at the entity level, while other controls may be implemented at a division, operating unit, or function level. All three internal control objectives (operations, reporting, and compliance) should be accomplished throughout the organizational structure of the entity. When understanding a client’s system of internal control, the auditor must consider the client’s objectives and the five components of internal control (control environment, risk assessment, control activities, information and communication, and monitoring). Within this context, the auditor must understand the scope of the control implemented by the client and the number of transactions that may be affected by the control implemented by the client. The controls related to financial reporting and to the safeguarding of assets are most relevant to an audit of ICFR as well as to an audit of the financial statements. Other controls related to operations, other types of reporting, and compliance may be relevant when they affect the data or evidence used by the auditor when performing audit procedures.

Inherent Limitations Internal control, no matter how effective, can only provide an entity with reasonable assurance in achieving its financial reporting objectives. For example, people may have effective alarm systems in their homes, but if they are in a hurry and leave the house without activating the alarm system, the control is ineffective. Common inherent limitations in internal control include: •  Ability of management to override internal control. •  Human error that results in a breakdown in internal control. •  Ineffective understanding of the purpose of a control. •  Collusion by two or more individuals to circumvent a control. •  Overriding or disabling a control within a software program. •  Decisions made by management as to the nature and extent of the control it chooses to implement. Another example is a person may receive a daily exception report but not know what to do with it. If potential errors are not investigated and corrected, the programmed control that flags items for review loses its effectiveness.

Before You Go On 1.1  What is the purpose of a system of internal control? 1.2  Why is it important to understand the client’s system of internal control? 1.3  Explain the three objectives of internal control. 1.4  Identify the five components of internal control. 1.5 Explain the relationship between internal control objectives, internal control components, and organizational structure. 1.6  Describe the inherent limitations of internal control.

 Entity-Level Internal Controls  6-7

Entity-Level Internal Controls Lea rning Objective 2 Explain and evaluate internal controls at the entity level. PCAOB AS 2201 describes a top-down approach to understanding internal control over ­financial reporting and selecting which specific internal controls to test. A top-down approach begins by considering what can go wrong in the financial statements. The auditor needs to understand what could go wrong both at the entity and transaction levels, and controls the client may have in place at both levels. Therefore, the auditor focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions. The internal control components listed in Illustrations 6.1 and 6.2, when collectively considered, are often referred to as entity-level controls because each of them exists at an entity (organizational) level rather than at a transactional level. For example, a control ensuring that sales are recorded in the sales ledger is a transaction-level control. A control such as strong tone at the top of the organization emphasizing the importance of internal control is an entity-level control. Gaining an understanding of the entity-level internal control components helps in establishing the appropriate level of professional skepticism; gaining an understanding of the client’s business and financial reporting risks; and making assessments of the risk of material misstatement. Understanding all of these elements determines the nature, timing, and extent of audit procedures. The 17 COSO principles of internal control (see Illustration 6.2) are usually implemented at the entity level. If the entity-­level controls are weak, it is less likely that transaction-level controls will be effective. This section focuses on how the auditor gains an understanding of entity-level controls using the 17 COSO principles as a framework.

entity-level controls  the client’s control environment, risk assessment process, information system, control activities, and monitoring of controls that exist at the organizational level

The Control Environment The control environment sets the tone of an entity and influences the control consciousness of its people. It is the foundation for all other components of internal control and is often thought of as a combination of the culture, structure, and discipline of an organization. It reflects the overall attitude, awareness, and actions of management, the board of directors, any others charged with governance, and owners concerning the importance of controls and the emphasis given to controls in determining the organization’s policies, processes, and organizational structure. The control environment includes the first five principles summarized in Illustration 6.2.

Principle 1. The organization demonstrates a commitment to integrity and ethical values.  Integrity and ethical values are essential elements of the control environ-

ment and affect the design, administration, and monitoring of key processes. Integrity and ethical values are the products of the organization’s ethical and behavioral standards, how the standards are communicated, and how they are monitored and enforced in its business activities. They include management’s actions to remove or reduce incentives, pressures, and opportunities that might prompt personnel to engage in dishonest, illegal, or unethical acts. They also include the communication of the organization’s values and behavioral standards to personnel through policy statements, codes of conduct, and the examples set by management. For example, management may put in place methods for personnel to raise questions about the appropriateness of accounting and financial reporting at progressively higher levels, including a hotline that is monitored by the audit committee or the internal audit group. This, coupled with other procedures, may support an effective control environment. It is also important that management is seen as complying with its own policies.

Principle 2. The board of directors demonstrates independence from management and exercises oversight over the deployment and performance of internal control.  The organization’s control environment is influenced significantly by

its board of directors and others charged with governance of the entity, for example, the audit

control environment  the attitudes, awareness, and actions of management and those charged with governance concerning the entity’s internal control and its importance in the entity

6-8  Ch a pte r 6   Gaining an Understanding of the Client’s System of Internal Control

committee members. The board of directors oversees the entity’s accounting and financial reporting policies and procedures, including its system of internal control. As a result, those charged with governance have an obligation to be concerned with the entity’s system of internal control, internal and independent (external) audit processes, and financial reporting to shareholders and the investing public. In determining the effectiveness of the participation of those charged with governance, in particular the board of directors, auditors consider the board’s independence from management, the experience of its members, the extent of its involvement and scrutiny of management’s day-to-day activities, and its interactions with the internal and/or external auditors. For example, if the board has regular and open communications with its auditors, management may be more willing to inform the board of issues arising in the system of internal control on a timely basis (to avoid “surprises”).

Principle 3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.  Organizational structure reflects management philosophy and

company size. Management’s assignment of authority and responsibility relates to organizational structure. Many ways exist to assign authority and responsibility. Some entities empower employees across the entire organizational hierarchy with decision-making authority. Others limit decision-making authority. The key to successful empowerment and an effective control environment is to: •  Delegate only as much authority as is needed to achieve the organization’s goals. •  Ensure that those making decisions understand that they will be held accountable. •  Hold those who are responsible accountable for their actions. Assignment of authority and responsibility includes how authority and responsibility for operating activities are assigned and how reporting relationships and authorization hierarchies are established. It includes policies related to appropriate business practices, knowledge and experience of key personnel, and resources provided for carrying out duties. It also includes policies and communications directed toward ensuring all employees understand the organization’s objectives, know how their individual roles and actions contribute to those objectives, and recognize how they will be held accountable for their actions and decisions.

Principle 4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.  A key aspect of

setting the tone at the top involves management’s commitment to ensure that workers have the knowledge, skills, and training to make appropriate judgments required by their job responsibilities. A commitment to competence requires two management steps. First, management needs to decide what skills are required to appropriately perform job responsibilities. Second, management must staff those jobs with individuals who have the needed skills. Trade-offs can be made in fulfilling these required steps, such as placing a less experienced person in a demanding job and providing that person with extra supervision. Regardless of how it is accomplished, a strong control environment involves a commitment to job responsibilities with people of sufficient competence. Auditors use professional judgment to determine whether they believe management and employees appear to be competent to carry out their assigned roles and receive adequate supervision where required. For example, do employees have the knowledge and expertise necessary to understand and execute the requirements of generally accepted accounting principles (or another reporting framework that is applicable to the entity)? The PCAOB emphasizes the importance of commitment to competence by stating that, for ICFR to operate effectively, it must function as intended and be implemented by a person with appropriate qualifications. The lack of personnel with appropriate skills may be an internal control deficiency.

Principle 5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.  The discussion related to assigning authority and responsibility in Principle 3 above notes several keys to successful empowerment and an effective control environment, including holding those who are responsible accountable for their actions. When individuals or managers are not held accountable, little attention is given to the accounting system and the completeness and accuracy of

 Entity-Level Internal Controls  6-9

i­ nformation that flows from the accounting system. If a manager is not held accountable for the results of his or her operating unit, there is little incentive to correct errors in accounting for transactions. Although written job descriptions should delineate specific duties and reporting relationships, it is important for the auditor to understand informal structures that may exist and how individuals are held accountable for their actions. The auditor should also be aware of how management assigns authority and responsibility for IT, and how individuals responsible for IT are held accountable, particularly with respect to procedures for authorizing and approving system changes. A lack of accountability over making changes in programmed control procedures creates an environment that is conducive to utilizing IT to cover employee fraud. When gaining an understanding of the control environment, the auditor considers each of the five principles just discussed and their interrelationships. In particular, the auditor needs to understand whether there are any significant deficiencies related to one principle that may have an impact on the effectiveness of other principles or other components of internal control. If the control environment is weak, it decreases the likelihood that other components of internal control will be effective. The assessment of internal controls, as well as the impact of weaknesses in or exceptions to internal controls, is discussed in more detail in Chapter 8.

Cloud 9 - Continuing Case During an interview Josh and Sharon held with David Collier, CFO of Cloud 9, they learned a lot about the tone at the top at Cloud 9. Top-level management and the board of directors adopted a code of conduct that emphasizes the importance of management and other employees acting with integrity. Cloud 9’s board members and senior managers attend training and awareness sessions on the code at least annually. In addition, there has been a rigorous process of embedding the code’s main points throughout the company’s policies and procedures, most of which have been rewritten in the previous two years. Josh intentionally conducts interviews with employees at all levels within Cloud 9. He finds that all employees have

attended training on the code of conduct. Several accounting personnel add that while the company has financial goals to achieve, the emphasis from the top has been getting the ­f inancial numbers right. Accurate financial reporting is a top priority. A copy of the company’s code of conduct and the policies and procedures are included in the audit working papers. Josh also writes a description of the company’s efforts to communicate its approach to management integrity in the report. He assesses the control environment at Cloud 9 as likely to be effective.

Audit Reasoning Example  Tone at the Top Susan Larson, a senior manager, was having lunch with Linh Sun (an audit senior) and Peter Miller (a new audit staff). All three were working on an audit of a pharmaceutical client. Both Linh and Peter were focused on understanding the client’s system of internal control for a new audit client. Susan commented, “I want you to get a good feel for the control environment and the tone at the top about financial reporting by talking to employees at all levels of the organization, particularly in accounting. Wells Fargo has been in the news recently because the tone at the top focused on hitting targets at any cost, and there were significant negative consequences for those who did not meet artificially high expectations. At one end of the spectrum, you have companies like Wells Fargo with a poor tone at the top. At the other end of the spectrum, I had a client that I approached with a misstatement that was significant, but probably had not met our materiality threshold. After the controller understood the underlying cause of the misstatement, and how their control system failed to detect the problem, the controller announced that the company would book the adjustment, even though it decreased unaudited earnings that had previously been announced. When I asked the controller about his reasoning, he stated, ‘We are more concerned about our credibility with investors than one earnings announcement.’ These are the two ends of the spectrum, and our new audit client may be somewhere in between these two examples. I want you to determine where on this control environment spectrum this new client is.”

6-10  C h a pte r 6   Gaining an Understanding of the Client’s System of Internal Control

Risk Assessment risk assessment process  the entity’s process for identifying and responding to risks that an organization will not achieve its objectives

All entities, regardless of their size, structure, nature, or industry, encounter risks at all levels within the organization. Risk is defined as anything that can keep an organization from achieving its objectives (operations, reporting, or compliance). Therefore, an entity’s risk ­assessment process is its process for identifying and responding to risks that an organization will not achieve its objectives. Risks will affect the entity’s ability to survive, compete, grow, and improve the quality of its products, services, and people. It follows that objectives must be set and threats to achieving those objectives must be identified before the risks can be assessed. It is not possible to reduce these risks to zero; however, management (in conjunction with those charged with governance) needs to determine how much risk is acceptable to the organization. Some organizations have a risk committee, which is responsible for ensuring that all of these risks are identified, managed, and reported to the board of directors. An organization’s risk assessment process is different from the auditor’s consideration of risk. The purpose of the entity’s risk assessment process is to identify, analyze, and manage the risks that affect its ability to achieve its operational effectiveness. If a risk is not properly identified, it is likely there will be no control designed to mitigate the risk. In an audit, the purpose is to assess the combined inherent, control, and detection risks to evaluate the likelihood that material misstatements could occur in the financial statements (see discussion in Chapter 3 of the audit risk model). An effective risk assessment process requires management and the board of directors to implement the following four principles.

Principle 6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.  If risk

is defined as anything that can keep an organization from achieving its operations, reporting, or compliance objectives, risk assessment begins with clearly articulating the entity’s objectives. Objectives must be clearly set so that threats to achieving those objectives can be identified, and risks can be assessed. It is important for management (and auditors) to understand the relationship between the entity’s objectives and risks that can affect financial reporting. For example, a company may plan on introducing new technology. However, if it introduces the new technology to the marketplace while it still has a significant inventory of older technology on hand, the introduction of new technology may cause existing inventory to become obsolete or have a lower-of-cost-or-net realizable value problem. The auditor needs to be alert to make sure that the financial consequences of business risks are fairly presented in an entity’s financial statements.

Principle 7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risk as a basis for determining how the risks should be managed.  The identification and analysis of risk involves several steps.

Management should establish a process for (1) identifying risk relevant to the achievement of the entity’s objectives, (2) estimating the significance of the risks, (3) assessing the likelihood of their occurrence, and (4) deciding about actions to address those risks. For example, new legislation or regulation might force changes to operating policies or strategies. Illustration 6.3 provides some examples of external and internal risk factors that an entity might consider.

Principle 8. The organization considers the potential for fraud in assessing the risks to the achievement of objectives.  Fraud risk was discussed in Chapter 3.

In a strong system of internal control, management should be alert to financial reporting frauds, misappropriation of assets, and various types of corruption associated with fraud or other types of misconduct. When assessing fraud risks, management should consider the three elements of the fraud triangle: (1) incentives and pressures to commit fraud, (2) opportunities to perpetrate fraud, and (3) attitudes and rationalization. A good system of internal control should significantly reduce or eliminate the opportunity to perpetrate a fraud. Therefore, management should consciously assess the risk of fraud and put appropriate controls in place to reduce fraud risk to an acceptable level.

Principle 9. The organization identifies and assesses changes that could significantly impact the system of internal control.  Risks can arise or change as a result of

changes to the organization and the environment in which it operates. These include changes in the operating environment, personnel, technology, growth, business structures, and accounting pronouncements. It is important for the auditor to understand the risks identified by the entity,

 Entity-Level Internal Controls  6-11 ILLUSTRATION 6.3  

External Risk Factors •  Technological development can affect the nature and timing of research and development, or lead to changes in procurement.

Examples of risk factors

•  Changing customer needs or expectations can affect product development, production processes, customer service, pricing, or warranties. •  Competition can alter marketing or service activities. •  New legislation and regulation can force changes in operating policies and strategies. •  Natural catastrophes can lead to changes in operations or information systems and highlight the need for contingency planning. •  Economic changes can have an impact on decisions related to financing, capital expenditures, and expansion. Internal Risk Factors •  Ability to adjust existing operations and legacy IT infrastructures to meet performance expectations. •  A disruption in information systems processing can adversely affect the entity’s operations. •  The quality of personnel hired and methods of training and motivation can influence the level of control consciousness within the entity. •  A change in management responsibilities can affect the way certain controls are implemented. •  The nature of the entity’s activities, and employee accessibility to assets can contribute to misappropriation of resources. •  An unassertive or ineffective board or audit committee can provide opportunities for indiscretions.

as this will assist the auditor in considering where (and if) a material misstatement in the financial statements might exist. The overall potential for risks to have a material impact on financial reporting is increased when management appears willing to accept unusually high risks in making business decisions, enters into major commitments without sufficient consideration of the risks, and fails to closely monitor and control the risks associated with commitments.

Cloud 9 - Continuing Case In their interview, Josh and Sharon ask David Collier about Cloud 9’s risk assessment process. They want to know which risks management has identified so that they can consider whether those risks could cause a material misstatement in the accounts. They also want to know about the company’s methods of responding to the identified risks. David Collier tells them that Cloud 9’s management continually monitors its competitors’ activities. It also considers the risk of interruption to supplies because of shipping problems and labor disputes at production plants or transport companies. Other examples of risks that could have a major impact on the accounts are the use of forward exchange contracts to control the risks caused by purchasing in foreign currencies. Cloud 9 management is also very aware of risks associated with the just-in-time inventory system, which has had some problems lately, and has planned some changes to deal with those problems. Management is monitoring the risks of using a soccer player as a spokesperson for the brand, plus the broader risks arising from

sponsorship of the soccer team, because there has been a lot of adverse publicity about soccer players’ behavior over the past year. Such adverse publicity could impact negatively on sales. Cloud 9’s management ensures that the soccer team’s management keeps the company’s management informed of players’ activities, where appropriate. Management has also assessed fraud risks, and it believes that between the company’s code of conduct, tone at the top about its code of conduct, and strong system of internal controls, the incentives for fraud and the opportunity to commit fraud are minimal. Josh concludes from the interview and from Suzie’s review of documents including company plans, board minutes, and significant contracts and agreements that Cloud 9 has a potentially effective system of risk assessment because it actively searches out and considers potential risks to the business, and it has developed action plans to deal with each risk depending on its likely ­occurrence.

Control Activities Control activities are policies and procedures that help ensure management’s directives are carried out and that necessary actions are taken to address risks impacting the achievement of the organization’s objectives. Control activities, whether automated or manual, have various

control activities  policies and procedures that help ensure that management directives are carried out

6-12  C h a pte r 6   Gaining an Understanding of the Client’s System of Internal Control

objectives and are applied at various organizational and functional levels. Effective control activities require management and the board of directors to implement the following three principles.

Principle 10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.  Management, with the oversight of the board of directors, selects and develops control activities to ensure that the entity achieves its objectives. Control activities often use a combination of IT and manual controls. AU-C 315.A99 provides the following examples of control activities: •  Authorization controls. •  Performance reviews. •  Information-processing controls. •  Physical controls. •  Segregation of duties. Each of these categories of control activities is discussed below. Authorization controls. A major purpose of proper authorization procedures is to ensure that every transaction is authorized by management personnel acting within the scope of their authority. Each transaction should be properly authorized and approved in accordance with management’s general or specific authorization. General authorization relates to the general conditions under which transactions are authorized, such as standard price lists for products and credit policies for charge sales. Specific authorization relates to the granting of the authorization on a case-by-case basis. When transactions are individually processed, authorization is usually provided in the form of a signature or stamp on the source document or in the form of electronic authorization that leaves a computerized audit trail. Proper authorization procedures often have a direct effect on control risk for existence and occurrence assertions, and in some cases, the valuation and allocation assertion, such as the authorization of an expenditure or the authorization of a customer’s credit limit. The board of directors may authorize capital expenditures at a designated amount. Expenditures in excess of that amount might indicate existence problems (an invalid transaction) or classification problems (expenses classified as assets). Performance reviews. Examples of performance reviews include management review and analysis of: •  Reports that summarize the detail of account balances such as an aged trial balance of accounts, reports of cash disbursements by department, or reports of sales activity and gross profit by customer or region, salesperson, or product line. •  Actual performance versus budgets, forecasts, or prior-period amounts. •  The relationship of different sets of data such as nonfinancial operating data and financial data (for example, comparison of hotel occupancy statistics with revenue data). Management’s use of reports that drill down and summarize the transactions that make up sales or cash disbursements may provide an independent check on the accuracy of the accounting information. For example, a university department chair might review the details of the payroll that was charged to his or her department on a monthly basis. The quality of this review may provide control over the occurrence, completeness, and accuracy of payroll transactions. Management’s analysis of operating performance may serve another purpose similar to the auditor’s use of analytical procedures in audit planning. That is, management may develop nonfinancial performance measures that correlate highly with financial outcomes, and those measures may allow management to detect accounts that might be misstated. Information-processing controls. Information-processing controls address both IT risks and risks related to financial statement assertions. These controls are particularly relevant to the financial statement audit. Most entities, regardless of size, now use IT for data processing in general and for accounting systems in particular. In such cases, it is useful to further categorize information-processing controls as general controls and application controls. IT general controls are the subject of Principle 11 and are discussed in detail in this chapter in the section “Information Technology (IT) Controls.”

 Entity-Level Internal Controls  6-13

Physical controls. Physical controls are concerned with limiting the following two types of access to assets and important records: (1) direct physical access and (2) indirect access through the preparation or processing of documents such as sales orders and disbursement vouchers that authorize the use or disposition of assets. Physical controls pertain primarily to security devices and measures used for the safekeeping of assets, documents, records, and software programs or files. Security devices include on-site safeguards such as fireproof safes and locked storerooms, and off-site safeguards such as bank deposit vaults and certified public warehouses. Security measures also include limiting access to storage areas to authorized personnel. Such controls reduce the risk of theft or misappropriation of assets. Physical controls also involve the use of mechanical and electronic equipment in executing transactions. For example, cash registers help to ensure that all cash receipt transactions are rung up, and they provide locked-in summaries of daily receipts. Finally, physical control activities include periodic counts of assets and comparison with amounts shown on control records. Examples include petty cash counts and physical inventory counts. Segregation of duties. Illustration 6.4 depicts strong segregation of duties. Authorization of transactions

Maintaining custody of assets

Compare recorded accountability with assets

ILLUSTRATION 6.4  

Appropriate segregation of duties

Maintaining recorded accountability in accounting records

Failure to maintain strong segregation of duties makes it possible for an individual to commit an error or fraud and then be in a position to conceal it in the normal course of his or her duties. For example, an individual who processes cash remittances from customers (has access to the custody of assets) should not also have authority to approve and record credits to customers’ accounts for sales returns and allowances or write-offs (authorize transactions). In such a case, the individual could steal a cash remittance and cover the theft by recording a sales return or allowance or bad-debt write-off. Sound segregation of duties also involves comparing recorded accountability with assets on hand. For example, sound internal control involves independent bank reconciliations comparing bank balances with book balances for each bank account. Perpetual inventory records should also be periodically compared with inventory on hand. Sound segregation of duties limits the opportunity for individuals to perpetrate fraud.

Principle 11. The organization selects and develops general control activities over technology to support the achievement of objectives.  IT general controls

are policies and procedures that relate to many software applications and support the effective functioning of IT application controls. IT general controls function at an entity level to control a wide variety of IT risks. IT general controls maintain the integrity of information and security of data. They commonly include controls over: •  Data center and network operations. •  System software acquisition, change, and maintenance. •  Program changes. •  Access security. •  Application system acquisition, development, and maintenance.

6-14  C h a pte r 6   Gaining an Understanding of the Client’s System of Internal Control

If IT general controls are weak, it is less likely that IT application controls will be effective, which would lead the auditor to assess control risk as high. These controls are discussed in more detail later in this chapter in the section “Information Technology (IT) Controls.”

Principle 12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into actions.  A

good system of internal control needs to be both properly designed and placed in operation. At the entity level, management (with board of director oversight) needs to address both the effectiveness of the design of internal controls and the effectiveness of how internal controls actually operate. Management and the board of directors should oversee the testing of internal controls to determine whether they prevent material misstatements or detect and correct material misstatements on a timely basis. In understanding the client’s control activities at the entity level, consideration is given to factors such as: •  The extent to which performance of control activities relies on IT. •  Whether the necessary policies and procedures exist with respect to each of the entity’s activities, including IT security and system development. •  The extent to which controls included in the organization’s policies are being applied. •  Whether management has clear objectives in terms of budget, profit, and other financial and operating goals, and whether these objectives are clearly written, communicated throughout the entity, and actively monitored. •  Whether planning and reporting systems are in place to identify variances from planned performance and communicate such variances to the appropriate level of management. •  Whether the appropriate level of management investigates variances and takes appropriate and timely corrective actions. •  To what extent duties are divided or segregated among different people to reduce the risk of errors, fraud, or manipulation of results. •  Whether software is used to control access to data and programs and, if so, the extent to which segregation of incompatible duties is achieved by implementing these software controls. •  Whether periodic comparisons are made of amounts recorded in the accounting system with physical assets. •  Whether adequate safeguards are in place to prevent unauthorized access to or destruction of documents, records, and assets. Compared to other types of entity-level controls, the auditor finds control activities the easiest to test because their operation is readily verifiable. For example, the controls surrounding the counting of inventory can be observed, while management’s integrity is not observable or easily verified. This concept is covered in more detail in Chapter 8.

information and communication  the information and communication system relevant to financial reporting objectives, which includes the accounting system, consists of methods and records established to identify, assemble, analyze, classify, record, and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets and liabilities; communication involves a clear understanding of individual roles and responsibilities pertaining to ICFR

Information and Communication The role of information systems is to capture and exchange the information needed to conduct, manage, and control an entity’s operations. The quality of information and communication affects management’s ability to make appropriate decisions in controlling the organization’s activities and to prepare reliable financial reports. Information and communication involve capturing and providing information to management and employees so that they can carry out their responsibilities, including providing an understanding of individual roles and responsibilities as they relate to internal controls over financial reporting. An effective system of information and communication requires management and the board of directors to implement the following three principles.

Principle 13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.  Information is needed at all levels of the entity to run the business, and to assist in the achievement of

 Entity-Level Internal Controls  6-15

financial reporting, operating, and compliance objectives. An array of information is used. Financial information, for instance, is used not only in developing financial reports for external dissemination; it may also be used for operational decisions, such as monitoring performance and allocating resources. Similarly, operating information (for example, airborne particle emissions, personnel data) may be needed to achieve compliance and financial reporting objectives, as well as operating objectives. However, certain operating information (for example, purchases and sales data) is essential for developing financial reports. As such, information developed from internal and external sources, both financial and nonfinancial, is relevant to all three objectives. Information is identified, captured, processed, and reported by information systems. Information systems may be computerized, manual, or a combination thereof. The term “information systems” is frequently used in the context of processing internally generated data relating to transactions (for example, sales) and internal operating activities (for example, production processes). However, information systems as they relate to internal controls are much broader— they also deal with information about external events, activities, and conditions. Auditors are most interested in the information systems that are relevant to the financial reporting objective. AU-C 315.A92 states that the information systems relevant to financial reporting objectives, which includes the accounting system, consist of the procedures and records designed and established to: •  Initiate, authorize, record, process, and report entity transactions (as well as events and conditions) and maintain accountability for the related assets, liabilities, and equity. •  Resolve incorrect processing of transactions (for example, automated suspense files and procedures followed to clear suspense items out on a timely basis). •  Process and account for system overrides or bypasses to controls. •  Transfer information from the transaction-processing system to the general ledger. •  Capture information relevant to financial reporting for events and conditions other than transactions, such as the depreciation and amortization of assets and change in the recoverability of accounts receivable. •  Ensure information required to be disclosed by the applicable financial reporting framework is accumulated, recorded, processed, summarized, and appropriately reported in the financial statements.

Principle 14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.  Communication by an entity of roles and respon-

sibilities related to operations, financial reporting, and compliance objectives involves providing an understanding of individual roles and responsibilities. It is important for senior management to communicate a clear message that internal control responsibilities are to be taken seriously. It is important for employees to believe that their supervisors really want to know about problems, and that the supervisors take necessary actions. Communication of information within the entity often includes clearly stating control objectives, the importance and benefits of effective internal control, roles and responsibility in performing controls, and the expectations to communicate within the entity significant issues related to internal control, including noncompliance with controls or policies. Many public companies also have hotlines for confidential reporting of suspected violations of policies, codes of conduct, or other concerns employees may have about financial reporting.

Principle 15. The organization communicates with external parties regarding matters affecting the functioning of internal control.  There are a number of

ways communication with external parties may improve the system of internal control. For example, it is important for an entity to consider how it receives information from customers regarding incorrect billings, late shipments, or shipments of incorrect items. An entity also should consider how it receives information from vendors regarding late payments or incorrect payments. If this information goes to an independent party within the entity, it will provide feedback on the effectiveness of the entity’s system of internal control. It is also important for a company to consider how it shares information within the entity regarding regulatory examinations or tax audits.

6-16  C h a pte r 6   Gaining an Understanding of the Client’s System of Internal Control

An entity may also want to communicate its code of conduct with vendors, so that vendors understand the entity’s values and ethical culture prior to doing business. Ultimately, public companies need to communicate with stakeholders and the SEC regarding any material weaknesses in ICFR.

Cloud 9 - Continuing Case Josh has significant experience in understanding information systems and, based on the interview with David Collier, which covered the information systems at a high level, Josh can conclude that the entity-level controls in this area are likely to be effective. Josh will gather further information in an interview with Cloud 9’s

financial controller, Carla Johnson. Based on this second interview and a review of the company’s documents, he and Suzie will write a description of their understanding of the processes used in each of the major transaction cycles.

Monitoring Activities After establishing and maintaining internal controls, management must monitor the controls to assess whether they are operating as intended. Over time, systems of internal controls change, and the way controls are applied may evolve. Also, the circumstances for which the system of internal controls was originally designed may change, causing it to be less effective in warning management of risks brought about by new conditions. Accordingly, management needs to determine whether its internal controls continue to be relevant and able to address new risks. Effective processes to monitor controls require management and the board of directors to implement the following two principles.

monitoring  a process that assesses the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions

Principle 16. The organization selects, develops, and performs ongoing and/ or separate evaluations to ascertain whether the components of internal control are present and functioning.  Monitoring is a process of assessing the quality

of internal control performance over time, considering whether controls are operating as intended, and making sure controls are modified as appropriate for changes in conditions. It involves assessing the design and implementation of controls on a regular basis and taking necessary corrective actions. This process is accomplished through ongoing activities and separate evaluations, or a combination of the two. Ongoing monitoring procedures are built into the normal recurring activities of the entity and include regular management and supervisory activities. For example, managers of sales, purchasing, and production at divisional and corporate levels should understand the entity’s operations and question the accuracy of reports that differ significantly from their knowledge of operations. Monitoring activities may include using information obtained from communications with external parties. For example, an entity’s customers ordinarily verify and corroborate their billing data by paying their invoices or by complaining about overcharging or other errors. Much of the information used in monitoring is produced by the entity’s information systems. If management assumes that data used for monitoring is accurate without having a basis for the assumption, errors may exist in the information, potentially leading management to incorrect conclusions about its monitoring activities. One of the most common monitoring activities is the internal audit function. In many organizations, internal auditors (or personnel performing similar functions) contribute to the monitoring of the client’s activities through separate evaluations. They regularly provide information about the functioning of internal controls, focusing considerable attention on the evaluation of the design and implementation of controls. They communicate information about strengths and weaknesses and make recommendations for improving internal control. The importance that a company places on its internal audit function also provides evidence about its overall commitment to internal control. Refer to Chapter 5 for a discussion of how external auditors may use the work of internal auditors.

Principle 17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.  As discussed above, an entity may learn about deficiencies in internal control

from sources such as outside customers or vendors, managers evaluating the accuracy of the

 Entity-Level Internal Controls  6-17

information about the objectives for which they are held accountable, information that may surface through hotlines, and regular ongoing evaluation by management or internal auditors. The monitoring function is most effective when deficiencies are reported to those responsible for taking corrective action on a timely basis. It is also common for any deficiency to be reported to management at least one level above the individuals responsible for taking corrective action. Senior management and the board of directors should get a report of deficiencies noted and corrective actions taken on a regular basis. When the auditor obtains an understanding of the client’s monitoring processes at the entity level, the auditor considers factors such as the following: •  Whether periodic evaluations of internal control are made. •  The extent to which personnel, in carrying out their regular duties, obtain evidence as to whether the system of internal controls continues to function. •  The extent to which communications from external parties corroborate internally generated information, or indicate problems. •  Whether management implements internal control recommendations made by internal and external auditors. •  Management’s approach to correcting known significant deficiencies on a timely basis. •  Management’s approach to dealing with reports and recommendations from regulators. •  The existence of an internal audit function that management uses to assist in its monitoring activities. •  Evaluations or observations made by the external auditors.

Cloud 9 - Continuing Case In the interview with David Collier, Sharon and Josh ask questions about both the control activities and the monitoring of those activities at Cloud 9. Sharon and Josh are particularly interested in the systems used at the company to make sure that information about management’s plans is transmitted throughout the organization and that there are policies and procedures to ensure that the ­appropriate actions are taken and reviewed. In addition to asking David Collier about these matters, ­Suzie reads the policy and procedures manuals. Josh and Suzie then take a tour of the offices and other facilities. For example, Cloud 9 has a tightly structured system of performance reviews. Managers at each level must report financial and operating ­performance

against budgets at regular intervals. Higher-level managers are able to access information about activities within their area of responsibility for monitoring purposes through the information system. Although there have been some issues with theft of goods from the retail store, the losses have been contained following the installation of additional security, including cameras. Josh and Sharon have been particularly impressed with Cloud 9’s thorough approach to appropriate segregation of duties. Josh is able to conclude that, at an entity level, there is sufficient evidence that these controls are potentially effective. He asks Suzie to review the specific controls that affect transaction processes in more detail and document their understanding of these processes.

Internal Control in Small Entities In smaller entities, there are often limitations surrounding the entity’s ability to put effective internal controls in place. This is due to the limited number of employees, which in turn impacts the ability of the organization to segregate duties. Also, it is often not practical for smaller organizations to create an appropriate paper trail of documentation that allows an assessment of internal controls to be made. However, despite the size limitations of these entities, internal controls may still exist. Ordinarily in smaller businesses there is an owner-manager (and primary stakeholder in the business) who is heavily involved in the day-to-day running of the business. This can be both a strength and a weakness. It is a strength (assuming the owner-manager is competent) because he or she is closely involved in the business and day-to-day operations, including the selling of goods and services as well as the daily cash management of the operations. Effective ownermanager performance reviews make it unlikely that material errors that might occur would not be detected by the owner-manager. It is also a weakness because that same owner-manager is in a position to override internal controls.

6-18  C h a pte r 6   Gaining an Understanding of the Client’s System of Internal Control

The risk of management override can be reduced by establishing documented policies and procedures. However, if no such procedures or controls are in place, the risk of management override will need to be reduced from an audit perspective by the performance of additional audit procedures (through an increase in substantive procedures).

Professional Environment  Human Risks Why do controls fail? Once a computer is programmed to do something, it will keep doing exactly what it is programmed to do. Will employees do exactly what they are told to do, every time? A perfect control is no match for the employee who doesn’t know how to operate the control or isn’t careful. In an article explaining the human side of risk,3 Russell Jackson urges internal auditors to take a careful look at the human element of risk by considering how controls are used by employees, and to not just concentrate on evaluating the design of control systems within organizations. External auditors also need to recognize that financial reporting misstatement risk does not simply come from an organization’s processes or controls, but from the people behind the processes and controls who might make mistakes or commit fraud. Human risks are perennial because they are among the most difficult to define, control, and manage.4 A report conducted by Ernst & Young (EY)5 shows that human resource (HR) issues rank among the top five business risks to a company’s results. The EY report contains the results from surveying senior finance, accounting, risk, and HR executives at 150 Fortune 1000 companies. The executives were asked to rank the HR issues that they perceived as having a high impact and likelihood of occurrence within a global organization. The top five HR issues were: 1.  Talent management and succession planning. 2.  Ethics/tone at the top.

3.  Regulatory compliance. 4.  Pay and performance alignment. 5.  Employee training and development. The executives in these 150 companies were also asked about the methods used to monitor these risks. The results show that 41% of executives surveyed admit to reviewing these risks on an ad hoc basis or never.6 These results reinforce the view that HR issues are not managed effectively in many ­organizations. One aspect of HR risk that is closely related to external auditing is the effect of HR policies on promoting and communicating ethical values throughout the organization and ensuring that the appropriate “tone at the top” trickles down through the organization. The EY survey revealed that these issues have become more visible and significant in recent years, possibly as a result of adverse publicity about corporate ethics. However, although ethics is becoming more significant as a HR risk, the executives responding to the survey rated the likelihood of ethical problems arising throughout the organization as low. The survey’s authors suggest HR executives should pay more attention to the alignment between values espoused by company management in public arenas and actual practices by employees at all levels within the organization.7

Before You Go On 2.1  What are the five components of internal control? 2.2  Briefly explain the important aspects of a strong control environment. 2.3 Explain the key elements of the client’s risk assessment process and how they interact with other components of internal control. 2.4 What are the five common categories of control activities? Why is segregation of duties important when understanding internal control? 2.5  Briefly explain the information and communication component of internal control. 2.6 Develop several examples of monitoring activities that an auditor might expect to find in entity-level controls.

3

R. Jackson, “The Human Side of Risk,” Internal Auditor, vol. 64, no. 5 (October 2007), pp. 38–44.

4

Ernst & Young, 2008 Global Human Resources (HR) Risk: From the Danger Zone to the Value Zone, Accelerating Business Improvement by Navigating HR Risk (2008), p. 5, www.ey.com. 5

Ernst & Young, 2008.

6

S. Steffee, “HR Risks Are Largely Ignored,” Internal Auditor, vol. 65, no. 6 (December 2008), pp. 14–15.

7

Ernst & Young, 2008.

 Transaction-Level Internal Controls  6-19

Transaction-Level Internal Controls Lea rning Objective 3 Explain and evaluate internal controls at the transaction level. Now that we have discussed entity-level controls, we will briefly overview transaction-level controls. Transaction-level controls are discussed in more detail in Chapters 8, 11, 12, and 13. As explained previously, entity-level controls are at the entity-wide or whole-­organization level and have the potential to impact all of the processes management puts in place for the entire organization. As its name suggests, transaction-level controls are controls that affect a particular transaction or group of transactions. Transactions in this sense refer to transactions that are ordinarily recorded in the general ledger for the client and span from initiation of the transaction through to the reporting of the transaction in the financial statements. Transaction-level controls are those controls that respond to things that can go wrong with transactions. They need to be sensitive enough to either prevent an error from occurring, or to detect the error, report it, and have it corrected on a timely basis. These controls are referred to as preventive and detective controls and are explained further in Chapter 8. An important process used for developing an audit strategy for various assertions involves the following steps:

transaction-level controls  controls that affect a particular transaction or group of transactions

1. Understand entity-level controls. 2. Understand the flow of transactions. 3. Identify what can go wrong (WCGW) for financial statement assertions. 4. Identify relevant controls to test. 5. Determine a preliminary audit strategy. 6. Perform tests of controls. 7. Evaluate audit evidence, assess control risk, and reevaluate audit strategy (if necessary). 8. Report internal control weaknesses to those charged with governance. Steps 2–5 focus significant attention on understanding internal controls at the transaction level. The auditor often obtains this understanding by performing a walkthrough of a transaction cycle, such as the sales process or a cash receipts process. A walkthrough involves following a transaction from initiating the transaction until it is recorded in the financial records. The auditor will understand the documents used by the client, as well as the entity’s use of information technology. The auditor will often ask questions of the entity’s personnel about their understanding of their responsibilities and controls that they are involved in. Through inquiry and observation, the auditor obtains an understanding of transaction-level controls as well as the adequacy of segregation of duties. The discussion below provides examples of the flow of a transaction from initiating the transaction, to exchanging the title to a good or service, to recording the transaction in the general ledger.

Example Transaction Flows—Sales Process The transaction flow in a typical sales process for a client that sells goods includes processing orders, approving credit, shipping goods, invoicing customers, and recording sales and accounts receivables. The transaction flows for a client that sells services are similar but instead of shipping goods the client sells or performs the services. Common documents and files that are found in the process of selling goods include: •  Customer master file—An electronic file containing the customer shipping and billing ­information and the customer credit limit.

walkthrough  following a transaction from initiating the transaction until it is recorded in the financial records

6-20  C h a pte r 6   Gaining an Understanding of the Client’s System of Internal Control

•  Sales order—A client-prepared prenumbered document that includes customer information, description and quantity of what was ordered, terms of sale, and authorization of the sales order. •  Bill of lading—A shipping document that serves as acknowledgement of receipt of goods for delivery by a freight carrier. •  Packing slip—A client-prepared document with the details of items included in a shipment. •  Sales invoice—A client-prepared document stating the particulars of a sale, including the amount owed, terms, and date of sale. It is used to bill customers, and it provides the basis for recording a sale in the sales journal. •  Sales cycle database—Electronic files that accumulate data on sales, cash receipts, and accounts receivable. •  Monthly statements of receivable balances—A report sent to each customer showing the beginning receivable balance, transactions during the month, and the ending receivable balance. This chapter will discuss sales in the context of a client that sells goods. Examples of risks and controls that can be put in place relating to sales are described in Illustration 6.5. ILLUSTRATION 6.5   Sales process example risks and controls

Transaction

Documents and Files

Risks (WCGW)

Example Control

Key Assertion*

Initiating Credit Sales

Customer master file

Sales may be made to unauthorized customers

Only a limited number of individuals can change the customer master file and all file changes are reviewed by appropriate levels of management

Occurrence, Valuation and allocation

Sales order

Sales may be made to unauthorized customers

The software application matches the customer on the sales order with the customer master file

Occurrence, Accuracy

Sales order

Sales may be made without credit approval

The software application matches amount of sales order with credit authorization on the customer master file

Occurrence, Valuation and allocation

Perpetual inventory

Goods may be released from warehouse for unauthorized orders

The software application matches all goods pulled from inventory (perpetual inventory) to approved sales order

Occurrence

Bill of lading and packing slip

Products are shipped without shipping documents being generated

Application control generates packing slip and delivery documentation when order is processed

Accuracy, ­Completeness

Goods ordered may not be shipped

The software application prints a report of all unfilled sales orders

Completeness

Some shipments may not be billed

The software application prints a ­report of all bills of lading not matched with sales invoices

Completeness

Delivering Goods

Recording Sales

Sales invoice

Invoices are prenumbered and accounted for Sales invoice

Billing may be made for fictitious transactions, or duplicate billing may be made

The software application matches sales invoice information with underlying shipping information

Occurrence

(continued)

 Transaction-Level Internal Controls  6-21 illustration 6.5   (continued)

Transaction

Documents and Files

Risks (WCGW)

Example Control

Key Assertion*

Sales invoice

Sales invoices may be recorded in the incorrect accounting period

The software application matches sales invoice date with accounting period in which goods are shipped

Cutoff

Sales invoice

Sales invoices may be recorded in the incorrect amount

The software application matches sales invoice quantities with shipping information and prices with master price list

Accuracy

Sales invoice Sales cycle database

Invoices may not be journalized or posted to customer accounts

The software application checks runto-run total of beginning receivables, plus sales transactions with the sum of ending receivables.

Accuracy, Completeness

Sales invoice

Sales invoices may be billed to the wrong customer

The software application matches customer number on sales invoice with customer number of sales order and bill of lading

Accuracy

Monthly statements of receivable balances

Customers may be billed incorrect amounts

Mailing of monthly statements with independent follow-up on customer complaints

Completeness, Occurrence, Accuracy, Cutoff

*Most assertions may apply. However, this example has focused on the key assertion(s) for each WCGW.

Example Transaction Flows—Cash Receipts The cash receipts function, which includes the processing of receipts from cash and credit sales, involves the following subfunctions: (1) receiving cash, (2) depositing cash, and (3) recording the receipts. As in the case of credit sales transactions, segregation of duties in performing these subfunctions is an important internal control. Today, many cash receipts ­involve the electronic transfer of funds and cash is received directly by the bank. Alternatively, in some circumstances, cash or checks may be received by the entity that is responsible for both receiving and depositing cash. A major risk in processing cash receipts transactions is the possible theft of cash before or after a record is made of the cash receipt. Thus, control procedures should provide reasonable assurance that documentation establishing accountability is created at the moment cash is received and that cash is subsequently safeguarded. Common documents and files that are found in the cash receipts process include: •  Remittance advice—A document received from the customer showing details of payments made by the customer. •  Prelist of cash receipts—An internally prepared document showing the listing of cash ­received from customers. •  Remittance report from the bank—A document prepared by the bank showing the details of electronic funds transfers received by the bank from customers. •  Bank deposit slip—A receipt from the bank showing the total amount deposited with the bank. •  Sales cycle database—Electronic files accumulating data on sales, cash receipts, and accounts receivables. •  Independent bank reconciliation—Independent person reconciles cash account in the general ledger with the bank statement from the bank. •  Monthly statements of receivable balances—A report sent to each customer showing the beginning receivable balance, transactions during the month, and the ending receivable balance. Examples of what can go wrong and controls that can be put in place relating to cash receipts are shown in Illustration 6.6.

6-22  C h a pte r 6   Gaining an Understanding of the Client’s System of Internal Control ILLUSTRATION 6.6   Cash receipts process example risks and controls

Transaction

Documents and Files

Risks (WCGW)

Example Control

Key Assertion*

Receiving Cash

Prelist of cash receipts

Cash sales may not be recorded

Use of cash registers or point-of-sale devices

Completeness

Prelist of cash receipts

Mail receipts may be lost or misappropriated after receipt

Immediate preparation of prelist of mail receipts; restrictive endorsement of checks immediately upon receipt

Completeness

Prelist of cash receipts Remittance advices

Checks received may not agree with prelist of cash

Independent check of agreement of remittance advices with prelisting of cash received

Completeness, Occurrence, Accuracy

Depositing Cash

Bank deposit slip Prelist of cash receipts Bank remittance report

Cash may not be deposited intact daily

Independent check of agreement of prelisting of cash receipts or bank remittance report with validated deposit slip

Completeness, Accuracy

Recording Cash Receipts

Sales database Prelist of cash receipts Bank ­remittance report

Cash receipts may be recorded in error

Software application agreement of amounts journalized and posted with the prelist of cash receipts or bank remittance report

Completeness, Occurrence, Accuracy, Cutoff

Independent bank ­reconciliation

Errors may be made in journalizing cash receipts

Preparation of periodic independent bank reconciliations

Completeness, Occurrence, Accuracy, Cutoff

Monthly statement to customers

Receipts may be posted to the wrong customer account

Mailing of monthly statements to customers

Completeness, Occurrence, Accuracy, Cutoff, Classification

*Most assertions may apply. However, this example has focused on the key assertion(s) for each WCGW.

Audit Reasoning Example  Transaction-Level Internal Controls Jonathan Briggs (an audit manager) was talking with Marisa Sherwani (an audit senior) about the audit of a private company with retail hardware operations in thirty states. Jonathan states: “I have reviewed the work that you and the team have done to document the revenue process, purchases process, and payroll process. While you have documented the transaction flow from initiating the transaction to the general ledger, now I want you to turn your attention to the period-end financial reporting process. Adjusting journal entries and consolidating entries can have a material impact on the client’s financial statements. Specifically, I want you to pay attention to: •  The locations involved in the month-end reporting process. •  T  he financial inputs used, adjusting and consolidating journal entries developed, reviews performed, and outputs used by the company to produce the monthly and annual financial statements. •  The extent of involvement of IT in each month-end reporting process. •  Who participates from management in this process. •  The types of adjusting and consolidating entries developed at month-end. •  T  he nature and extent of the oversight of the process by management, the board of directors, or the audit committee.”

Before You Go On 3.1  What is the difference between entity-level controls and transaction controls? 3.2  Explain the process of a system walkthrough. 3.3 Explain one risk, and corresponding control to address the risk, for each assertion related to credit sales transactions. 3.4 Explain one risk, and corresponding control to address the risk, for each assertion related to cash receipt transactions.

  Information Technology (IT) Controls  6-23

Information Technology (IT) Controls Lea rning Objective 4 Explain and evaluate information technology (IT) controls.

Benefits and Risks of IT Systems In order to understand internal control in an IT environment, it is important to understand the benefits and risks of IT systems. The major benefits of IT systems over manual systems include the following: •  IT systems can provide greater consistency in processing than manual systems because they uniformly subject all transactions to the same controls. •  More timely software-generated accounting reports may provide management with more effective means of analyzing, supervising, and reviewing the operations of the company. •  IT systems enhance the ability to monitor the entity’s performance and activities. Important risks of IT systems over manual systems include the following: •  The IT system may produce a transaction trail that is available for audit for only a short period of time. •  There is often less documentary evidence of the performance of control procedures in IT systems. •  Files and records in IT systems are usually in machine-sensible form and cannot be read without a computer. •  The decrease of human involvement in IT processing can obscure errors that might be observed in manual systems. •  IT systems may be more vulnerable to physical disaster, unauthorized manipulation, and mechanical malfunction than information in manual systems. •  Various functions may be concentrated in IT systems, with a corresponding reduction in the traditional segregation of duties followed in manual systems. •  Changes in the system are often more difficult to implement and control in IT systems than in manual systems. •  IT systems are vulnerable to unauthorized changes in programs, systems, or data in ­master files. •  Reliance is placed on systems that process inaccurate data, process data inaccurately, or both. •  Unauthorized access to data may result in the destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions, or inaccurate recording of transactions. •  There may be inappropriate or unauthorized manual intervention. Many IT risks are controlled by layering control activities. Illustration 6.7 provides an important overview of IT control activities and describes how controls function in IT systems, regardless of the methods of input, data organization, data processing, or output devices. The following paragraphs describe the control procedures depicted in Illustration 6.7. IT general controls at the entity level control program development, program changes, computer operations, and access to programs and data. They represent a higher level of controls designed to provide reasonable assurance that individual software applications operate consistently and effectively. General controls will be discussed in more detail in the next ­section, “IT General Controls.”

6-24  C h a pte r 6   Gaining an Understanding of the Client’s System of Internal Control ILLUSTRATION 6.7  

Data input

Information technology ­controls

IT application controls during processing of transaction

IT general controls

Output of processed transactions and reports

Exception reports

User controls over assertions

Manual follow-up

Another layer of control is provided by IT application controls, which are designed to prevent or detect potential misstatements in specific transaction processes. For purposes of illustration, consider the processing of a sales order. When a sales order is input, the software application subjects the data to application controls that check, for example, the validity of a customer number or whether a customer has reached its credit limit. IT application controls are designed to provide reasonable assurance that the IT system records, processes, and reports data properly for specific purposes, such as sales, purchases, payroll, or inventory control. IT application controls will be discussed in more detail in the section “IT Application Controls.” The output of processing and IT application controls are usually twofold. First, the software will process and produce transactions and reports. In some systems, the processed transactions or reports will be subject to manual controls such as supervisory review. Second, the system generates exception, or error, reports. Some exception reports may appear on a screen, such as an edit check of the validity of a customer number. Some exception reports may result in printed reports, such as all daily transactions where customers exceeded their credit limit. In either case, people must follow up on the exceptions noted by the software application. The effectiveness of the control depends on the effectiveness of both the programmed application control and the manual follow-up. In some instances, software programs only process and record data, and data input to the system is not subject to IT application controls that might identify potential misstatements. In such cases, other controls must be applied. These are discussed in the section “IT-Dependent Manual Controls.”

IT General Controls IT general controls  controls of program development, program changes, computer operations, and access to programs and data; these entity-level controls are designed to provide reasonable assurance that individual software applications operate consistently and effectively

The purpose of IT general controls is to control program development, program changes, computer operations, and to secure access to programs and data. The following five types of IT general controls are widely recognized: 1.  Data center and network operations controls address the segregation of duties within the IT department and between IT and user departments. A critical component is segregating access to programs from access to data files. Weakness in these controls usually affects all IT applications. 2.  System software acquisition, change, and maintenance controls relate to software programs that are designed to operate and control the hardware and to provide a platform for running application software. The controls focus on both acquiring new operating systems and ensuring the integrity of operating systems over time. If system software is subject to unauthorized changes or poor maintenance, there is an increased risk that IT application controls will not function as designed. 3.  Program change controls are designed to provide assurance that changes to software ­applications are introduced in a controlled and coordinated manner. Unauthorized changes create a significant risk that software applications will not function consistently

  Information Technology (IT) Controls  6-25

over time. Programs should be changed with forethought, and changes should be tested and reviewed by users before they are approved for use with live data. 4.  Access controls are designed to prevent unauthorized use of IT equipment, data files, and software programs. The specific controls include a combination of physical, software (password controls), and procedural safeguards. 5.  Application system acquisition, development, and maintenance controls focus on controlling specific software applications, such as a sales or inventory application. The controls focus on the acquisition of new application software, controlling changes to that software, and ensuring that the software is maintained without unauthorized changes. IT general controls pertain to the IT environment and all IT activities as opposed to a single IT application. Because of the pervasive character of IT general controls, if the auditor is able to obtain evidence that IT general controls function effectively, then the auditor also has important assurance that individual application systems may be properly designed and operate consistently during the period under audit. For example, strong IT general controls involve regular testing and review of individual programs that process sales, cash receipts, payroll, and many other transactions. Alternatively, deficiencies in IT general controls may affect many applications and may prevent the auditor from assessing control risk below the maximum for many applications and transaction processes.

Cloud 9 - Continuing Case Josh finds that he is spending a great deal of time with Will ­Burton, Cloud 9’s IT manager. Josh and Suzie have a number of questions for Will about what software programs are designed within the accounting system to process transactions; whether there have been any changes to those programs during the year; how changes are authorized, reviewed, and tested; who has access to programs and data files; and how access to programs and data is protected. Will walks the audit team through Cloud 9’s principal data center, showing them various physical controls, and printouts and reports that Will receives regarding changes to system access and changes to various programs. ­Suzie inspects documentation regarding program changes, their authorization, and testing. The team is focused on adequacy of segregation of duties; controls over program changes, mainte-

nance and ­updates; access controls, and plans for hardware and software upgrades. At this point, Suzie and Josh are just trying to obtain an understanding of IT general controls at Cloud 9. They know that testing will come later. When they are finished, Josh is satisfied that Cloud 9 has addressed the control issues that he is most concerned about. Overall the system design appears to be operating as planned, based on their questions, observation of Cloud 9 personnel, and preliminary inspection of reports from Cloud 9’s IT system. If tests of controls show that IT general controls are effective, this will make testing applications more efficient, and increase the probability that the audit team can use a reliance on controls approach during the audit. Strong IT general controls are also critical to giving Cloud 9 an unqualified opinion on internal controls over financial reporting.

IT Application Controls The purpose of IT application controls is to use the power of information technology to control transactions in individual transaction cycles. Therefore, IT application controls will differ for each transaction cycle (e.g., sales vs. inventory controls). The following three groups of application controls are widely recognized: •  Input controls. •  Processing controls. •  Output controls. These controls are designed to provide reasonable assurance that the recording, processing, and reporting of data by an IT system are properly performed for specific applications. Thus, the auditor must consider these controls separately for each significant accounting application, such as billing customers or preparing payroll checks. In today’s IT environment, IT application controls execute the function of independent checks by (1) using programmed application controls to identify transactions that contain possible misstatements and (2) having people follow up and correct items noted as an exception. The following discussion explains how programmed controls may be used to identify items that should be reported as exceptions.

IT application controls  controls designed to provide reasonable assurance that the recording, processing, and reporting of data by IT are properly performed for specific applications

6-26  C h a pte r 6   Gaining an Understanding of the Client’s System of Internal Control

Input controls are program controls designed to detect and report errors in data that are input for processing. They are of vital importance in IT systems because most of the errors occur at this point. Input controls are designed to provide reasonable assurance that data received for processing have been properly authorized and converted into machine-sensible form. These controls also include the people who follow up on the rejection, correction, and resubmission of data that were initially incorrect. Controls over the conversion of data into machine-sensible form are intended to ensure that the data are correctly entered and converted data are valid. Examples of input controls are provided in Illustration 6.8. The correction and resubmission of incorrect data are vital to the accuracy of the accounting records. If the processing of a valid sales invoice is stopped because of an error, both accounts receivable and sales will be understated until the error is eliminated and the processing completed. Furthermore, strong controls create a log of potential misstatements, and the data control group is required to periodically review their disposition.

ILLUSTRATION 6.8   Example IT application ­controls

Input Controls

Processing Controls

•  Verification controls. Data input for processing is compared with information contained on master files, or other data independently entered at earlier stages of a transaction. •  Missing data check. This check ensures that all required data fields have been completed and no blanks are present. •  Valid character check. This check verifies that only alphabetical, numerical, or other special characters appear as required in data fields. •  Limit (reasonableness) check. This check determines that only data falling within predetermined limits are entered (e.g., time cards exceeding a designated number of hours per week may be rejected). •  Valid code check. Classification (e.g., expense account number) or transaction codes (e.g., cash receipts entry) are agreed to the master list of codes permitted for the type of transaction to be processed.

•  Control totals. Provision for accumu­ lating control totals is written into the software program to facilitate the balancing of input totals with processing totals for each run. Similarly, run-to-run totals are accumulated to verify processing performed in stages. •  Limit and reasonableness checks. A limit or reasonableness test would compare computed data with an expected limit (e.g., the product of payroll rates times hours worked would be included on an exception report and not processed if it exceeded a predetermined limit). •  Before-and-after report. This report shows a summary of the contents of a master file before and after each update.

Output Controls •  Reconciliation of totals. Output totals that are generated by the software programs are reconciled to input and processing totals by the data control group or user departments. •  Comparison to source ­documents. ­Output data are subject to detailed ­comparison with source documents (e.g., comparing sales invoices to shipping documents). •  Visual scanning. The output is reviewed for completeness and apparent reasonableness. Actual results may be compared with estimated results. •  Run-to-run totals. Ending balances are compared to beginning balances plus known transactions processed.

•  Sequence tests. If transactions are given identification numbers, the transaction file can be tested for sequence (e.g., an exception report would include missing numbers or duplicate numbers in a sequence of sales invoices).

Processing controls are designed to provide reasonable assurance that the IT processing has been performed as intended for the particular application. Thus, these controls should prevent data from being lost, added, duplicated, or altered during processing. Processing controls take many forms, but the most common ones are programmed controls incorporated into the individual application’s software. Examples of processing controls are also provided in Illustration 6.8. Output controls are designed to ensure that the processing results are correct, that exceptions are addressed on a timely basis, and that only authorized personnel receive the output. The accuracy of the processing result includes both updated machine-sensible files and printed output. In addition, a data control group usually controls who can have access to data in a database and maintains control over any centrally produced reports for the distribution of output. This group maintains a high level of control over reported exceptions to ensure that they are addressed and corrected on a timely basis. Finally, this group should exercise special

  Information Technology (IT) Controls  6-27

care over the access to, or distribution of, confidential output. To facilitate control over the disposition of output, systems documentation should include reports of who has access to various aspects of a database or some form of a report distribution sheet.

Cloud 9 - Continuing Case Suzie will document their understanding of the various transaction processes. By performing a system walkthrough in each major accounting system, Suzie will document the flow of transactions and the documents that the client uses in the accounting system. Josh is particularly focused on transaction and account balance assertions, what can go wrong for each assertion, and the controls that the client has implemented to identify and correct potential misstatements. Suzie asks questions about what exception reports are generated by the system, and how items appearing on exception reports are cleared. She learns that some exceptions are noted only on computer terminals, and corrections must be made before transactions are processed further. Once the types of potential material misstatements and the controls that Cloud 9 has put in place to detect and correct any misstatements are understood, the audit team will consider the magnitude and likelihood of the misstatement in the financial statements. This will help narrow the risk assessment and determine what audit procedures should be performed. In addition, the

audit team considers how errors in each financial statement assertion might occur. This analysis will guide the audit planning for additional substantive testing. Sharon and the audit partner can also decide if there are any material weaknesses that should be included in the management letter. Suzie knows that documenting her understanding of the processes is necessary for the team to identify control strengths that can be relied upon to justify reduced substantive testing. Substantive testing will be reduced if tests of those controls confirm that these design strengths are reflected in actual performance of the control system. Josh thinks he will need to discuss his assessment of control strengths and weaknesses with Sharon before finalizing the audit program. He needs her help to determine if some control weaknesses are compensated for by other strengths. They will also identify the most important controls to test. Some controls may actually be redundant; that is, another control exists that performs the same function.

IT-Dependent Manual Controls IT-dependent manual controls are internal controls that are performed by individuals, but rely on IT-generated information. In some cases, accounting information is input into IT systems, but the data is not subject to IT application controls; therefore, the IT processes the data without performing any tests to validate the information. The completeness and accuracy of the system-generated accounting information depends on the effectiveness of the manual control over the output. For example, software might be used to generate sales invoices, a sales journal, and an accounts receivable file. An IT-dependent manual control would require that an independent person compare the output to the input to validate that all sales invoices are recorded (completeness), that sales invoices are recorded only for valid transactions (occurrence), that sales invoices are accurate (accuracy), that sales invoices are billed to the correct customer (classification), and that sales invoices are recorded in the correct time period (cutoff).

Audit Reasoning Example  IT-Dependent Manual Controls Dave Bartlett is the senior on the audit of a manufacturer of automobile engines that has union labor, managers, and executives. The company has four plants that operate two shifts, six days a week. Each plant has approximately the same number of employees. The CFO has been with the company for 10 years, and thoroughly understands the company business process and payroll processes. She reviews weekly payroll summary reports prepared by the centralized accounting function. With the company’s flat organizational structure and smaller size; the CFO’s extensive background with the company; her understanding of seasonal fluctuations, business cycles, and workflows; and her close familiarity with the budget and reporting processes, the CFO quickly identifies any signs of improprieties with payroll and their underlying cause, whether related to a project, overtime, hiring, or layoffs. The CFO investigates as needed to determine whether misstatements have occurred and whether any internal controls have not operated effectively. Based on the results of audit procedures related to the control environment and controls over management override, Dave observes that the CFO demonstrates integrity and commitment to effective internal control over financial reporting.

IT-dependent manual controls  controls that involve manual review of the completeness and accuracy of computer-generated information

6-28  C h a pte r 6   Gaining an Understanding of the Client’s System of Internal Control Dave is in the process of determining whether he can rely on the reviews conducted by the CFO to detect material misstatements related to payroll processing because the CFO’s threshold for investigating significant differences from expectations, and her follow-up, is adequate. As Dave goes through his mental checklist, he realizes that additional evidence and testing are important. The CFO’s reviews are only as strong as the reports produced by the company’s IT system. The CFO’s review can be effective only if the IT controls over the completeness and accuracy of those reports are effective. Therefore, the auditors will need to test the company’s IT general controls, as well as IT application controls over the completeness and accuracy of software application reports.

Professional Environment  Blockchain Blockchain first gained notoriety as the core technology behind Bitcoin. The appeal of blockchain technology is in its use of peerto-peer networks combined with a highly secure environment. Blockchain offers parties, who may or may not know each other, the ability to conduct transactions without requiring a trusted intermediary such as a bank or payment processor. By eliminating the intermediary and harnessing the power of peer-to-peer networks, blockchain technology may provide opportunities to reduce transaction costs and decrease settlement time. However, blockchain technology is still emerging and has not yet been effective on a commercial scale. The major potential of blockchain involves the following characteristics: •  Blockchain involves a distributed shared ledger that is common among participants of a business network. •  Blockchain involves a set of permissions such that each member of the network has access rights so that confidential information is shared only on a need-to-know basis. •  Blockchain is highly secured, because consensus is required from all network members and all validated transactions are permanently recorded. The blockchain technology will not allow an individual person, not even the system administrator, to alter or delete a transaction. What are the implications of the use of blockchain for auditors? This is the subject of a recent report by Deloitte Canada, CPA Canada, the AICPA, and the University of Waterloo, Audit & Assurance Alert—Blockchain Technology and Its Potential Impact on the Audit and Assurance Profession. While verifying the occurrence of a transaction is a key aspect of the financial statement audit, it is just one of many assertions. Will blockchain provide sufficient, appropriate evidence for all assertions? For example,

consider a hypothetical bitcoin transaction involving the sale of a product recorded in a blockchain. The auditor may or may not be able to determine that the product was delivered solely by evaluating the information in the blockchain. The blockchain may or may not provide sufficient, appropriate information for all assertions of interest to the auditor. The auditor should not assume that because data comes out of a blockchain it is reliable. The auditor must still consider information technology general controls (ITGCs) related to the blockchain environment. The auditor should also understand and assess the reliability of the consensus protocol for the specific blockchain, as well as understand the linkage between the blockchain information and the information reported in the financial statements. The report, Audit & Assurance Alert — Blockchain Technol­ ogy and Its Potential Impact on the Audit and Assurance Profession, also identifies risks associated with a recorded blockchain transaction. The transaction may be: •  Unauthorized, fraudulent, or illegal. •  Executed between related parties. •  Linked to a side agreement that is “off chain.” •  Incorrectly classified in the financial statements. While blockchain is an important technology, the auditor still must assess the risk of misstatement in a transaction, assess the strength of internal controls over the transaction, and design appropriate substantive tests as blockchain will not eliminate all risks of material misstatement. Source: Deloitte Canada, CPA Canada, AICPA, and Univers­ity of Waterloo, Audit & Assurance Alert—Blockchain Technology and Its Potential Impact on the Audit and Assurance Profession (Deloitte Development LLC: Toronto, Canada, 2017).

Before You Go On 4.1  Explain the risks and benefits of information technology (IT) compared with manual systems. 4.2 Explain the overall purpose of IT general controls. Provide two examples of IT general controls and the types of situations that can occur if the IT general control is ineffective. 4.3 Explain the overall purpose of IT application controls. Provide two examples of IT application controls that might be found in a revenue process and the types of misstatements that can occur if the IT application control is ineffective. 4.4 Explain the overall purpose of IT-dependent manual controls. Provide two examples of IT-dependent manual controls and identify the assertion that is controlled by the example IT-dependent manual control.

  Documenting Internal Controls  6-29

Documenting Internal Controls Lea rning Objective 5 Discuss the different techniques used to document internal controls. Before the auditor tests specific internal controls, he or she needs to document his or her understanding of the system of internal control. AU-C 315.33 requires auditors to document their understanding of each of the internal control components. The most common forms of documentation include the following. •  Narratives. This is the most common form of documentation, particularly in smaller environments where accounting and internal control activities are simple or where a flow of a particular transaction is relatively simple and straightforward. It involves the auditor describing (in words) each step of the flow of a transaction from start to finish (that is, from initiation to reporting in the financial report). Refer to Illustration 6.9 for an example.

A customer sales order is received by fax or email. The sales staff checks customer details to see that it is on the customer master list. If not, it is referred to the credit department to obtain required customer approvals. Sales staff also checks the customer account balance to see if the customer has exceeded its credit limit. If the customer has exceeded its limit, staff refers the sales order to the credit manager (S. Fitzpatrick) for approval. If approval is denied, staff refers the order back to the sales manager to discuss with the customer and notify customer. If customer has not exceeded its credit limit or the credit manager (S. Fitzpatrick) has provided an approval to exceed the limit, an internal sales order is generated to initiate the shipment of goods.

•  Flowcharts and logic diagrams. This form of documentation is used in larger and more complex environments. It involves the auditor summarizing (in flowcharts or logic diagrams) each step of the flow of a transaction from start to finish (that is, from initiation to reporting in the general ledger). Logic diagrams are more common than flowcharts. Logic diagrams provide a visual perspective of the flow of the transaction and key controls throughout the flow that is often simpler for the reader or reviewer to understand. The key to a good logic diagram is to keep it as simple as possible, with as few words as possible so as not to overload the reader with information. Refer to Illustration 6.10 for an example. •  Combinations of narratives and flowcharts. This form of documenting internal controls is typically a page divided into two sections with the process flowchart on the left-hand side, and the narrative describing each step in the flow on the right-hand side. The flowchart side highlights the key activities from initiation to reporting, while the narrative column contains the details about what happens in the flow of the transaction. Refer to Illustration 6.11 for an example. •  Checklists and preformatted questionnaires. An internal control checklist or questionnaire is another technique used to systematically identify the most common types of internal control procedures that should be present. This is particularly helpful in industries that the auditor may not personally be familiar with, or when less experienced auditors find it difficult to identify which are the critical controls (for example, when documenting entity-level controls). Refer to Illustration 6.12 for an example. Regardless of which of the above approaches is used to document internal controls, the extent of the documentation will increase as the complexity of the client, its systems, and its internal controls increases.

ILLUSTRATION 6.9   Example narrative for documenting credit sales process

6-30  C h a pte r 6   Gaining an Understanding of the Client’s System of Internal Control ILLUSTRATION 6.10   Example logic diagram for credit sales process Sales order for credit sale received

Approved customer?

NO

Refer to credit dept. to obtain required customer approvals

NO

Request approval to exceed credit limit

YES

Balance below approved credit limit?

Request approved?

NO

Reject sale or refer to sales manager for follow-up with customer

YES

Process internal sales order

YES

Stock picking and delivery process

ILLUSTRATION 6.11   Example combination documentation for credit sales process Sales order is received by fax or email.

Sales order for credit sale received

Approved customer?

NO

Refer to credit dept. to obtain required customer approvals

NO

Request approval to exceed credit limit

The sales staff check customer details to see that it is on the customer master file. If not, it is referred to the credit department to obtain required customer approvals.

YES

Balance below approved credit limit?

Request approved?

YES

Process internal sales order

Stock picking and delivery process

YES

NO

Reject sale or refer to sales manager for follow-up with customer

Sales staff check to see if the customer’s balance will be below its credit limit. If the customer’s balance exceeds its credit limit, refer to credit manager (S. Fitzpatrick) for approval. If approval is denied, refer the order back to the sales manager to discuss with the customer.

If the customer has not exceeded its credit limit, or the credit manager has approved a transaction in excess of the credit limit, prepare an internal sales order. Once the sales order is received in the warehouse, the ordered goods are picked from inventory and shipped to the customer.

  Identifying Strengths and Weaknesses in a System of Internal Controls   6-31 ILLUSTRATION 6.12   Example checklist for documenting a credit sales process

Process Step

Performed by

IT/Reliance on Electronic Data? Yes/No

Customer places sales order and order is input into the sale order program. Customer is compared with approved master customer list. Credit and/or credit terms approved. Order filled and prepared for shipment. Shipping/delivery documents prepared. Order shipped, delivered to, or picked up by customer. Sale invoice prepared. Prices (or deviations from standard prices) are approved. Invoices reviewed for accuracy and emailed/delivered to customers. Sales journal produced. Sales journal summarized and posted to general ledger and trade receivables detail. Provide any other details that are necessary to understand the initiation, processing, recording, and reporting of the transactions: Briefly describe the client’s revenue recognition policy, including standard billing and collection terms: Briefly describe the client’s credit terms and credit authorization procedures: Briefly describe the client procedures for sales returns and allowance and for issuance of credit memos:

Cloud 9 - Continuing Case Suzie will prepare a flowchart or narrative to document her understanding of the different transaction processes. This will help her understand the stages at which errors can occur. She will include the entire process from the initiation of the transaction through to recording in the general ledger. Where appropriate, she will link several accounting processes together into one seamless flow of transactions. For example, as a first step she makes a simple diagram of the flow of transactions from initiation of a purchase

order through to the cash payment to the supplier. The process comprises three smaller processes: initiating a purchase order through to receiving the goods as they arrive; receiving the purchase invoice from the supplier through to entering the invoice in the general ledger; and requesting cash payment through to recording the payment to the supplier. In the next step, the flow of transaction diagram will be supplemented with additional details of the IT tests and their disposition.

Before You Go On 5.1  Explain the different techniques used to document internal controls. 5.2  What is the difference between a narrative and a flowchart or logic diagram? 5.3 Explain the benefits of combining a flowchart with a narrative to document internal controls.

Identifying Strengths and Weaknesses in a System of Internal Controls Lea rning Objective 6 Explain the importance of identifying strengths and weaknesses in a system of internal control. An important outcome of understanding the system of internal controls that a client puts in place is the ability to make observations, draw conclusions, and offer recommendations

6-32  C h a pte r 6   Gaining an Understanding of the Client’s System of Internal Control

r­ egarding the strengths and weaknesses observed. When the auditor identifies internal control strengths, the auditor will consider a reliance on controls approach for assertions influenced by these strengths. If the auditor identifies internal control weaknesses, the risk of material misstatements being undetected by management’s processes and controls increases. Further, the areas of weakness are where the auditor typically performs additional substantive testing to quantify the (potential) material misstatement. The link between weaknesses in internal controls and the level of substantive procedures required to address these exceptions is explained further in Chapter 9. Internal control weaknesses are commonly categorized into three groups by both PCAOB auditing standards and ASB auditing standards. These three groups are: deficiency in internal control (control deficiency)  a deficiency in the design or operations of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis material weakness  a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis significant deficiency  a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance

1.  Deficiency in internal control (or control deficiency). A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A deficiency in the design exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in the operation exists when a properly designed control does not operate as designed or the person performing the control does not possess the necessary authority or competence to perform the control effectively. 2. Material weakness. A deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis. It takes only one material weakness for a public company to receive an adverse opinion on ICFR. 3. Significant deficiency. A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. Further, having numerous significant deficiencies could add up to a material weakness. Note that the term “deficiency in internal control” or “control deficiency” is a broad term that encompasses all types of internal control problems. Material weaknesses and significant deficiencies are examples of deficiencies in internal control, but they are classified separately because they are more serious control deficiencies. A material weakness is the most severe type of deficiency in internal control. An easy way to remember that a material weakness is the most severe is to focus on the word “material.” A “material” weakness means increased risk of a “material” misstatement occurring in the financial statements because it was not prevented or detected by the internal control system. As the definition above explains, a significant deficiency is not as severe as a material weakness, but it must still be reported to those charged with governance. If a significant deficiency is not corrected by management in a timely manner, it could develop into a material weakness in the future. PCAOB AS 2201 requires that, in an audit of ICFR, material weaknesses are reported to the public in the auditor’s report on ICFR. The auditor’s report on ICFR was introduced in Chapter 1 and will be revisited in Chapter 15. Both PCAOB AS 2201 and AU-C 265 Communicating Internal Control Related Matters Identified in an Audit require the auditor to provide those charged with governance with timely observations regarding both material weaknesses and significant deficiencies in internal control. It is for these key reasons that the auditor prepares a management letter. For audits of private companies, AU-C 265 states that the auditor should not issue a written communication stating that no significant deficiencies in internal control were identified during the audit. If the auditor has not audited internal controls over financial reporting for a private company client and is only issuing an opinion on the financial statements, the scope of the work required to understand internal control may be sufficient to determine an audit strategy, but not sufficient to determine if no significant deficiencies in internal control exist.

Before You Go On 6.1 Why is it important to identify both the strengths and weaknesses in a system of internal controls? 6.2 How does the auditor’s audit strategy vary depending on whether the auditor finds a strength or weakness in internal controls related to an assertion? 6.3 What obligations does the auditor have regarding communicating strengths or weaknesses in internal controls?

  Management Letters  6-33

Management Letters Lea rning Objective 7 Explain how to communicate internal control weaknesses to those charged with governance. A management letter (sometimes referred to as a letter of recommendations) is a document prepared by the audit team and provided to those charged with governance. The management letter discusses internal control weaknesses and other matters discovered during the course of the audit. The purpose of the management letter is to meet the auditor’s responsibility for communicating internal control matters in writing on a timely basis to those charged with governance and to inform those charged with governance of the auditor’s recommendations for improving its internal controls. The combination of the auditor’s experience in auditing various businesses and the understanding gained in conducting an audit means the auditor is in a unique position to provide insights regarding the system of internal controls designed and monitored by those charged with governance. An example of a management letter to a private company is shown in Illustration 6.13.

March 15, 2023 To the Management and the Board of Directors of New Millennium Ecoproducts: In planning and performing our audit of the financial statements of New Millennium Ecoproducts (the Company) as of and for the year ended December 31, 2022, in accordance with auditing standards generally accepted in the United States of America, we considered the Company’s internal control over financial reporting (internal control) as a basis for designing audit procedures that are appropriate in the circumstances for the purpose of expressing our opinion on the financial statements, but not for the purpose of expressing an opinion on the effectiveness of the Company’s internal control. Accordingly, we do not express an opinion on the effectiveness of the Company’s internal control. Our consideration of internal control was for the limited purpose described in the preceding paragraph and was not designed to identify all deficiencies in internal control that might be material weaknesses or significant deficiencies and therefore, material weaknesses or significant deficiencies may exist that were not identified. However, as discussed below, we identified certain deficiencies in internal control that we consider to be material weaknesses and significant deficiencies. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis. We consider the following deficiency in the Company’s internal control to be a material weakness. During our audit procedures, we observed that there was limited segregation of duties in the accounts payable and cash payments process. We understand that due to the size of the Company’s finance team, lack of segregation of duties will exist. This is largely due to the small number of employees. However, limited segregation of duties increases the risk of loss through error or fraud. We recommend that the directors undertake a periodic review of a selection of cash payments to ensure that there is adequate supervision, and that the degree of reliance upon employees is warranted. Alternatively, a director could be selected to review and approve all payments over a specified limit. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. We consider the following deficiency in the Company’s internal control to be a significant deficiency. During our observation of the inventory count, we noted that two of the items counted as part of our sample did not reconcile to the quantities stated in the system. Upon investigation, this was

management letter  a ­document prepared by the audit team and provided to the client that discusses internal control weaknesses and other matters discovered during the course of the audit

ILLUSTRATION 6.13   Example of a management letter

6-34  C h a pte r 6   Gaining an Understanding of the Client’s System of Internal Control found to be the result of a sale that had been invoiced the previous day that had not yet been dispatched. This was caused by the delivery not being physically separated from the year-end inventory on hand. This resulted in a risk that inventory, sales, and cost of sales could be misstated due to incorrect cutoff of deliveries of goods sold. We encourage New Millennium Ecoproducts to implement a control requiring the physical segregation of deliveries from remaining stock on hand as soon as the sale has been picked and packaged. This communication is intended solely for the information and use of management and the Board of Directors, and it is not intended to be, and should not be, used by other than these specified parties. Will B. Ready Bell & Bowerman, LL o P rtland, Oregon

Significant professional judgment is necessary in deciding whether an identified weakness is significant enough to warrant communicating to management and those charged with governance. When the auditor identifies risks of material misstatement that the entity has not controlled (or has not adequately controlled), or if in the auditor’s judgment there is a material weakness in the entity’s design or implementation of internal control, the auditor is required to communicate these weaknesses as soon as practicable to those charged with governance. Deciding whether an internal control deficiency, and whether the deficiency has been remediated, should be reported to those charged with governance is often a matter of consultation and discussion amongst the audit team. AU-C 265 requires written communication of internal control deficiencies to those charged with governance of the entity. A management letter meets this requirement and avoids any ambiguity or confusion as to what observations, conclusions, and recommendations the audit firm has made. It also provides a simple way for management to document the actions it has taken in response to the issues raised, and to share these actions (and the progress towards the resolution of the issues) with those charged with governance. Discussing internal control deficiencies with management and those charged with governance also provides the auditor with valuable insights into management’s attitude towards the importance of internal controls by being able to evaluate what management has done in response to the recommendations made in the previous year at the start of each audit. Depending on the size of the engagement and the timing of when control weaknesses are identified relative to the final audit visit, teams will sometimes prepare an interim management letter at the end of planning and interim procedures, with a final management letter issued at the completion of the audit.

Cloud 9 - Continuing Case Once Suzie has documented the audit team’s understanding of Cloud 9’s system of internal controls and her preliminary assessment of the system’s strengths and weaknesses, Josh presents the document to Jo Wadley, the engagement partner of the audit. The audit team will gather additional evidence about the system of internal controls during the audit, and at the completion of the audit the senior members of the audit team will make a final assessment of Cloud 9’s internal controls and write a management

letter. Providing a management letter, including recommendations for future changes to the system of internal controls, is an important part of the auditor’s role. The management letter not only discharges the audit team’s responsibilities to the client, but helps the client improve its systems. In turn, this will likely increase the quality of its financial reporting in the future and improve the efficiency and effectiveness of future financial statement audits.

Before You Go On 7.1 Do auditors always communicate internal controls deficiencies to those charged with governance? Explain your answer. 7.2 Can the content ordinarily included in a management letter be delivered verbally to those charged with governance? Explain your answer. 7.3 Why should communications with those charged with governance be done in ­writing?

  Key Terms Review  6-35

Learning Objectives Review 1  Define internal control and describe the COSO frame-

4 Explain and evaluate information technology (IT)

work.

­controls.

Internal control is the process designed, implemented, and maintained by those charged with governance as well as management and other personnel to provide reasonable assurance about the achievement of the entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more of the components of internal control. The COSO framework is three-dimensional. The first dimension is the objectives of internal control, which include operations objectives, reporting objectives, and compliance objectives. The second dimension is the components of internal control, which include the control environment, risk assessment, control activities, information and communication, and monitoring. The final dimension addresses the entity’s organizational structure. 2 Explain and evaluate internal controls at the entity level. There are 17 principles of internal control that guide the auditor’s understanding of internal control at the entity level. These are summarized in Illustration 6.2. It is important that management and those charged with governance of the entity pay attention to ­entity-level controls because if controls are weak at the entity level, it reduces the likelihood that transaction-level controls will be effective. 3  Explain and evaluate internal controls at the transac-

tion level. Transaction-level controls are controls that impact a particular transaction or group of transactions. Transactions in this sense refer to transactions that are ordinarily recorded in the general ledger for the client and span from initiation of the transaction through to the reporting of the transaction in the financial report. Transaction-level controls are those controls that respond to things that can go wrong with transactions. The auditor will often obtain an understanding of transaction-level controls by performing a system walkthrough for each transaction cycle.

Information technology controls are often grouped into three categories: IT general controls, IT application controls, and IT-dependent manual controls. IT general controls are designed to control program development, program changes, computer operations, and access to programs and data. IT application controls are designed to provide reasonable assurance that the recording, processing, and reporting of data by IT are properly performed for specific applications. Finally, IT-dependent manual controls are controls performed by individuals to check the completeness and accuracy of IT-generated information. 5 Discuss the different techniques used to ­ document internal controls. The most common forms of documentation include narratives, flowcharts, logic diagrams, combinations of narratives and flowcharts, and checklists and preformatted questionnaires. 6  Explain the importance of identifying strengths and weaknesses in a system of internal controls. When the auditor identifies internal control strengths, the auditor will be able to consider a lower assessed level of control risk approach for assertions influenced by these strengths. If the auditor identifies internal control weaknesses, the risk of material misstatements being undetected by management’s processes and controls increases, which has a direct effect on audit strategy and audit testing. Further, professional standards require auditors to communicate material weaknesses and significant deficiencies in internal control to those charged with governance of an entity. This is generally done through a management letter. 7  Explain how to communicate internal control weaknesses to those charged with governance. A management letter is a deliverable prepared by the audit team and provided to those charged with governance of an entity. It informs the client of the auditor’s recommendations for improving its system of internal control.

Key Terms Review Control activities Control environment Deficiency in internal control Entity-level controls Information and communication Internal control

IT application controls IT-dependent manual controls IT general controls Management letter Material weakness Monitoring

Risk assessment process Significant deficiency Transaction-level controls Walkthrough

6-36  C h a pte r 6   Gaining an Understanding of the Client’s System of Internal Control

Audit Decision-Making Example Background Information Simmons Optics Company (SOC) is a private company manufacturing medical devices in Florida. Through a network of wholesalers and medical supply warehouses, it sells various instruments used by optometrists. SOC has a number of new products at various stages of development, with various investments in its research and development budget aimed primarily at taking advantage of tax credits. It is also experiencing competition from a new entrant to the industry, Bright Eyes Instruments, Inc., which is taking a significant percentage of the optical instruments market. As a result, SOC’s CEO is pushing supervisors to reduce product development time from 24 months to 10 months, but without any new capital expenditures. He is also focused on increasing sales; he has set aggressive sales budgets and wants weekly sales reports. The board of directors almost always agrees with the CEO’s initiatives and has rubber-stamped this course of action. Six months ago, SOC hired a new CFO. He is a hands-off CFO, is concerned about maximizing sales, and spends significant time networking with customers in the sunshine, at the country club, and at the ocean. During his first six months he realigned the reporting responsibilities of the company so that the credit and collections department reports to the sales manager, rather than to the treasury department. He gave the sales manager increased authority to develop business by negotiating the terms of sales transactions. The sales manager is also responsible for establishing effective internal controls. The sales manager developed and negotiated a new type of agreement, called a Guaranteed Profit Agreement, that relieves Simmons’s distributors of any obligation to pay for goods until they are sold through to the end users (optometrists). Under these agreements, Simmons records the revenue when the goods are shipped to wholesalers and medical supply warehouses. The CFO is not aware of any reversals for unsold goods, but he admits that the information systems are not designed to keep track of goods in Simmons’s distributors’ warehouses. Finally, plans to hire an internal auditor have been put on hold due to budget constraints.

Identify Audit Issues Identify entity-level risk factors in the above scenario and potential implications for audit strategy.

Gather Additional Information and Evidence Important information includes: •  Research and development is primarily aimed at taking advantage of tax credits rather than new revenue potential. •  Simmons is losing market share to a new entrant to the industry, representing a significant external risk. •  The board of directors is not independent.

•  The CFO has a hands-off approach and is not paying significant attention to internal controls. •  The CEO and CFO have put significant emphasis on maximizing sales. •  The combination of realigned responsibilities (moving credit and collections from treasury to sales) and the development of the Guaranteed Profit Agreement will likely increase receivables and inventory on hand at the distributors’ warehouses, and slow cash flow into the business. •  The responsibility for internal controls rests with the sales manager. •  The company has no information system to track when inventory has been sold through to end customers. •  No internal controls appear to be in operation to monitor revenue recognition or collectibility of receivables. •  No significant monitoring controls are in place.

Analysis and Evaluation of Alternatives •  The control environment is weak. The tone at the top, from both the CEO and CFO, is focused on meeting aggressive sales targets, not on accuracy of reported financial statements. In addition, the board of directors is not independent. The CFO is not focused on internal controls or the integrity of financial reporting. •  There are significant external risk factors, including significant competition from a new entrant to the market. There are also significant internal risk factors, including a lack of attention to internal controls and the entity’s information and communication system. Also, changes in business processes may slow down collections and cash flows. •  Due to the weak control environment, there is a risk that control activities may not be effective. •  SOC’s information and communication system is not geared up to appropriately recognize revenue. There is a problem with the occurrence of revenue and the existence of receivables. Revenue should not be recognized until the product is sold through to end customers. •  There are no significant monitoring systems in place. The company has put off hiring an internal auditor.

Audit Conclusion Due to a number of weaknesses in entity-level controls, it is unlikely that transaction-level controls will function effectively. In addition, risk factors point to particularly high risk regarding revenue recognition. The auditor should consider a primarily substantive approach for all assertions, planning the audit for after yearend, with larger sample sizes.

CPAexcel CPAexcel questions and other resources are available in WileyPLUS.

  Multiple-Choice Questions  6-37

Multiple-Choice Questions 1.  (LO 1)  Internal control is defined as: a.  the entity’s system to prevent, or detect and correct, misstatements in the financial statements.

7.  (LO 2)  Which of the following represent a common categorization of control activities? a.  A  uthorization controls, control over human error, informationprocessing controls, physical controls, and segregation of duties.

b.  a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the objectives related to operations, reporting, and compliance.

b.  Authorization controls, control over human error, informationprocessing controls, and segregation of duties.

c.  a process, implemented by management, to ensure the integrity of the entity’s management information system.

c.  Authorization controls, information-processing controls, physical controls, and segregation of duties.

d.  t he entity’s system to ensure that management and those charged with governance of the entity have quality information for decision making. 2.  (LO 1)  It is important for an auditor to understand a public company’s system of internal control in order to: a.  audit internal control over financial reporting. b.  make a preliminary assessment of control risk. c.  develop an audit strategy. d.  All of these answer choices are correct. 3.  (LO 1)  The objectives of internal control include: a.  operations objectives, internal control objectives, and financial reporting objectives. b.  operations objectives, control environment objectives, and ­financial reporting objectives. c.  operations objectives, reporting objectives, and compliance objectives. d.  r isk assessment objectives, compliance objectives, and reporting objectives. 4.  (LO 2)  The control environment: a.  sets the tone of an entity with respect to internal control and influences the control consciousness of its people. b.  is focused on how the entity addresses informationtechnology risks. c.  only applies to public companies.

d.  Authorization controls, performance reviews, informationprocessing controls, physical controls, and segregation of duties. 8.  (LO 2)  In a good system of segregation of duties, which of the following duties should be segregated? a.  A  uthorization of transactions, physical access to assets, and recording transactions. b.  Authorization of transactions, physical access to assets, and management. c.  Physical access to assets, recording of transactions, and ­consideration. d.  Authorization of transactions, recording transactions, and management. 9.  (LO 3)  An auditor normally obtains an understanding of transaction-level controls by: a.  conducting an interview with senior management. b.  performing a system walkthrough. c.  reading the prior year’s management letter. d.  testing the entity’s risk assessment process. 10.  (LO 4)  Which of the following is a good example of an IT application control over the occurrence of revenue transactions? a.  P  hysical access to IT systems is limited only to specific personnel who work in the revenue cycle.

a.  is designed to help an entity think about risk in the same way that an auditor thinks about risk.

b.  The software application compares information on a sales invoice with information from the bill of lading to ensure that sales invoices are only prepared for actual shipments. Any exceptions are not processed and are set aside for manual ­follow-up.

b.  is established only if the entity is subject to unusually high risk.

c.  The software changes to the revenue program must be tested and authorized before they may be used with live data.

c.  is the entity’s process for identifying and responding to business risks and the results of those risks.

d.  Strong segregation of duties exists between IT operations and IT program development.

d.  n  ever allows management of an entity to decide to accept a risk without taking any action.

11.  (LO 4)  If the auditor is able to collect evidence that IT general controls are strong, then the auditor can conclude that:

6.  (LO 2)  The internal control component that addresses how an organization holds an individual accountable for his or her internal control responsibilities in pursuit of objectives is related to:

a.  a pplication controls function properly and put the correct transactions on exception reports.

d.  directly addresses adequacy of segregation of duties. 5.  (LO 2)  An entity’s risk assessment process:

a.  the control environment.

b.  software applications are more likely to operate consistently over time.

b.  risk assessment.

c.  IT transactions are adequately supported by source documents.

c.  control activities. d.  information and communication.

d.  the risk of batch totals failing to detect misstatements is low.

6-38  C h a pte r 6   Gaining an Understanding of the Client’s System of Internal Control 12.  (LO 5)  Documenting internal controls: a.  is always handled through the use of checklists and preformatted questionnaires. b.  is done after internal controls are tested so that the results can be included in the documentation. c.  can be handled with a combination of narratives and flowcharts or logic diagrams. d.  is not done for smaller clients because of the risk of management override. 13.  (LO 6)  When an auditor identifies internal control deficiencies, what levels of internal control deficiencies must be reported to those charged with governance of the entity? a.  Material weaknesses only.

c.  Deficiencies and significant deficiencies in internal control. d.  Significant deficiencies and material weaknesses in internal control. 14.  (LO 7)  A management letter: a.  lists only the material weaknesses discovered during the audit. b.  is written by management to the auditor at the start of the audit. c.  contains recommendations for improving significant deficiencies and material weaknesses in internal control discovered during the course of the audit. d.  is only required for public company audits.

b.  Significant deficiencies only.

Review Questions R6.1  (LO 1)  If an auditor does not intend to rely on internal controls in the audit, does the auditor need to obtain an understanding of internal control? Explain.

R6.8  (LO 3)  Explain eight steps that an auditor follows when understanding internal controls at the transaction level and developing an audit strategy.

R6.2  (LO 1)  What are the three internal control objectives? Illustrate each with an example.

R6.9  (LO 4)  Identify four risks associated with IT systems in accounting. For each of the four risks, identify whether they are miti­ gated by IT general controls or IT application controls. Identify a specific control that mitigates the risk (for each of the four IT risks identified) and explain how it mitigates the risk identified.

R6.3  (LO 2)  Discuss the idea that the control environment is the most important part of a system of internal control. R6.4  (LO 2)  Explain why an auditor would be interested in the functioning of the human resources department within an organization. R6.5  (LO 2)  For a retail entity, give some examples of risks that should be considered in the risk assessment process. Which of these risks would be relevant to a retailer’s financial reporting? Explain. R6.6  (LO 2)  Explain the importance of segregation of incompatible duties. What duties should be segregated within the sales process? Why? R6.7  (LO 2)  Why would an auditor be interested in a client’s monitoring processes?

R6.10  (LO 5)  Four approaches to internal control documentation are discussed in this chapter. List the advantages and disadvantages of each. How would documentation assist the auditor to identify strengths and weaknesses of an entity’s system of internal controls? R6.11  (LO 6)  If an auditor identifies an internal control weakness for an assertion, how does it affect the audit strategy? If the auditor identifies an internal control strength for an assertion, how does it affect the audit strategy? R6.12  (LO 7)  Why do auditors prepare management letters?

Analysis Problems AP6.1  (LO 1)  Basic   Understanding client controls  Parsons & Co, LLC, an audit firm, has audited Cascade Motors, a manufacturer of auto parts, for the last two years. Dereck Miller, a first-year auditor, has noted that the IT auditor has evaluated IT general controls (ITGC) as strong. Dereck notes that because ITGC’s are strong, controls over program changes are strong. Therefore, Dereck concludes they don’t need to do additional work to understand internal controls at Cascade Motors.

Required Evaluate Dereck’s comments about the need to do additional work to understand internal controls. AP6.2  (LO 2)  Basic   Understanding components of internal control  Internal controls can be categorized using the following framework: 1.  Control environment 2.  Risk assessment

 Analysis Problems  6-39 3.  Control activities 3.1.  Authorization 3.2.  Performance reviews 3.3.  Information-processing controls 3.3.1.  IT general controls 3.3.2.  IT application controls 3.3.3.  IT-dependent manual controls 3.4.  Physical controls 3.5.  Segregation of duties 4.  Information and communication 5.  Monitoring Following is a list of controls implemented by Waterfront, Inc.: a.  Management established a code of conduct that includes rules regarding conflicts of interest for purchasing agents. b.  Waterfront’s management established a disclosure committee to review the selection of new ­accounting policies. c.  Any software program revision must be approved by user departments after testing the entire ­program with test data. d.  The managers of each of Waterfront’s manufacturing departments must review expenditures charged to their responsibility center weekly. e.  The CEO, CFO, and controller review the financial consequences of business risks annually to ­ensure that controls are in place to address significant business risks. f.  Human resources focuses on ensuring that accounting personnel have adequate qualifications, ­experience, and training for work performed in billing and accounts receivable. g.  Security software limits access to programs and data files, and keeps a continuous log of programs and files that have been accessed. The log is reviewed by the security manager daily. h.  A software program prints a daily report of all shipments that have not yet been billed to customers. i.  The controller reviews sales and collections bi-monthly. j.  The software application compares the information on the sales invoice with underlying shipping information for the transaction. k.  Customer billing complaints are directed to internal audit for follow-up and resolution. l.  The documentary transaction trail for all credit sales is documented in company policy manuals. m. Waterfront uses a Microsoft Excel program to calculate depreciation expense. An accounting manager tests the calculations on a sample basis and evaluates the overall reasonableness of depreciation expense.

Required a.  Indicate the category of internal control applicable to each procedure using the framework above. b.  Identify the assertion or assertions to which each procedure pertains. AP6.3  (LO 2)  Basic   Understanding segregation of duties in a small business  Big State Computers has premises on the main street of a large regional city. The business is owned by Max and Betty Waldup, who purchased it three years ago. Betty has an extensive background in IT and has a talent for diagnosing and solving problems with computers that are brought in for repair. Max also has an IT background and oversees the sales and administration staff. They employ three people: a computer technician who assists Betty, a part-time salesperson, and a part-time bookkeeper. Sally, the bookkeeper, enters transactions into a simple computerized accounting system. Sally is also responsible for issuing invoices and monthly statements to customers who have service contracts with the business. These customers are generally other businesses who ask Betty to visit their premises for routine and emergency repairs and who purchase software and hardware from the business. Max and Betty have worked diligently over the last three years, but they are having cash flow problems. Their bank manager has requested a meeting to discuss the business’s poor cash balances. The bank manager asks Max and Betty to prepare for the meeting by analyzing their accounts receivable and customer receipts. Max and Betty review the accounts receivable ledger and find that it is not up to date. They also discover that customer statements have not been printed or mailed to customers for four months. They are unable to identify from the cash receipts journal which clients have paid their accounts.

6-40  C h a pte r 6   Gaining an Understanding of the Client’s System of Internal Control

Required a.  Discuss the attitude and control consciousness of Big State Computers’s management. b.  Which duties should be segregated in this business? Recommend an appropriate allocation of duties for the personnel at Big State Computers. AP6.4  (LO 2)  Basic   Public Company   Understanding the control environment  Peterson, CPA, is auditing the financial statements of a publicly held manufacturing company, Amalgamated Products, Inc. In complying with the PCAOB standards, Peterson seeks to obtain an understanding of Amalgamated’s control environment.

Required a.  Identify the control environment factors that can impact the effectiveness of the other components of internal control. b.  What effect may the preliminary audit strategy have on the required level of understanding of the control environment factors? AP6.5  (LO 2)  Moderate   Control environment at a large company  A large international bank is experiencing bad publicity surrounding huge fraud losses in its foreign currency department. ­Accusations are being made in the press that a rogue trader blamed for the losses was operating outside the official bank guidelines, with the tacit approval of senior management in the department because of the large profits made by this trader in previous years. The press claims it was common knowledge in the foreign currency department that strict policies and procedures surrounding the size of trades and the processes for balancing out trades at the end of each day were not to be followed if the trader had verbally informed his supervisor of the trade. The press is also suggesting that the problems are not confined to the foreign currency department.

Required Discuss the control environment at this large international bank assuming the press reports are correct. Which parts appear to be most deficient? AP6.6  (LO 2)  Moderate   Control activities and related assertions  Several categories of control activities are identified in the chapter using the following framework: A.  Authorization B.  Performance reviews C.  Information-processing controls C1.  IT general controls C2.  IT application controls C3.  IT-dependent manual controls D.  Physical controls E.  Segregation of duties Following are specific control procedures prescribed by Trusty Inc., a public company: 1.  The software application must match information from a vendor’s invoices with information from receiving and information from the purchase order before a check is issued. 2.  Two authorized signatures are required on every check for payment of purchases over $100,000. 3.  Each month the credit manager carefully reviews the computer-generated aged trial balance of ­accounts receivable to identify past-due balances and follows up for collection. 4.  A supervisor must approve overtime work. 5.  The software application assigns sequential numbers to sales invoices used in the billing system. 6.  The software application verifies the mathematical accuracy of each voucher and prints an exception report for items with mathematical errors. 7.  Employee payroll records are kept on an electronic file that can only be accessed by certain terminals and are password-protected. 8.  An accounting supervisor reviews journal entries periodically for reasonableness of account classifications. 9.  Two individuals open the mail and prepare a prelisting of checks received. Then the checks received from customers and related remittance advices are separated in the mailroom and subsequently processed by different individuals.

 Analysis Problems  6-41 10.  All vouchers must be stamped “paid” on payment. 11. On a quarterly basis, the controller reviews a software-generated comparison of warranty expenses and actual warranty claims. 12.  Computer programmers are not allowed in the computer room. 13. The software application will not complete the processing of a batch when the accounts receivable control account does not match the total of the subsidiary ledgers.

Required a.  Indicate the category of control activities applicable to each procedure using the framework above. b.  Identify an assertion to which each procedure pertains. AP6.7  (LO 3)  Basic   Expense transaction risk  Sinha Airways owns many of its aircraft. The useful lives and residual values may be influenced by external changes to economic conditions, demand, and new technology. Analytical procedures show that depreciation expense is down by 8% compared to prior years.

Required a.  Evaluate inherent risk for depreciation expense. b.  Discuss what can go wrong. c.  Suggest an internal control that management might put in place to control the appropriate recording of depreciation expense. AP6.8  (LO 3)  Moderate   Research   Public Company   Revenue fraud risk  Omega Airways is a public company and a new client of your audit firm. Its accounting policy for revenue is to credit unearned revenue when cash is received, and subsequently transfer to revenue in the income statement when passengers or freight are transported. Your review of last year’s financial statements reveals that realized revenue from passengers represents 80% of total revenue, and that this year there is little change in realized revenue from passengers but an 11% decrease in unearned revenue from passengers. You have also read articles in the financial press that suggest an increased incidence of fraud due to a global decrease in the number of passenger air miles. At quarter-end, Omega Airway’s controller evaluates the unearned revenue account and related revenue recognition. This adjusting journal entry is later reviewed by the CFO and the company’s disclosure committee.

Required a.  Research PCAOB AS 2201 and summarize the auditor’s responsibility to address the risk of fraud when understanding the entity’s system of internal control. b.  Consider what you know about Omega Airways and explain why the revenue in the income statement is at significant risk of fraudulent financial reporting by management. c.  Evaluate the internal controls Omega has established over unearned revenue and revenue recognition. AP6.9  (LO 3)  Moderate   What can go wrong at the transaction level  Carmel Harrison owns and runs Emerald Spa, a business providing women-only hairdressing, beauty, relaxation massage, and counseling services in a small tourist town. Ninety percent of the clients using the beauty and massage services at Emerald Spa are weekend visitors, but 80% of the hairdressing and counseling clients are ­locals. The masseuse and counselor have appropriate qualifications and licenses, allowing clients to claim the cost of the service(s) with their private health insurer, if an appropriate receipt is provided when the client pays. Emerald Spa has just opened another branch of the business in a town 100 miles away, and there are plans to open a third branch nearby next year. Carmel has been very busy establishing each new branch and relies on staff in each office to run the day-to-day operations, including ordering supplies and depositing cash receipts. In addition, the branch manager organizes the staff and authorizes their time sheets. Carmel makes the payments for rent, power, salaries, and large expenditures, such as furniture purchases.

Required a.  Give examples of transactions that would occur at Emerald Spa. b.  Explain what could go wrong with these transactions if the system of internal control is not effective for each transaction class assertion. AP6.10  (LO 3, 5)  Moderate   Segregation of duties and documentation  Lisa Curtis is documenting the purchasing and cash payments processes at Hardies Wholesaling, Inc. (HWI), a company in Iowa. HWI distributes garden and landscaping items such as pots, furniture, fountains, mirrors, and sculptures.

6-42  C h a pte r 6   Gaining an Understanding of the Client’s System of Internal Control All items are made from materials such as stone, concrete, metal, and wood, and are distributed to retailers throughout the country. Purchases are denominated in U.S. dollars. The purchasing department initiates a purchase order when inventory levels reach reorder points or sales staff notify the department of large customer orders that need to be specially filled. The purchase order is approved and sent to suppliers selected from an approved supplier list. Goods are transported from Southeast Asia by ship and are delivered by truck to the HWI central warehouse in Des Moines. A receiving report is generated by the receiving department and forwarded to the accounts payable department to be matched with the copy of the original purchase order and the supplier’s invoice. When the package of documents is completed, a purchase is entered into the purchases journal that debits an appropriate account and credits accounts payable. When the cash payment is due, the cash payments department reviews the supporting documentation and requests payment of the invoice according to the supplier’s payment terms. The payment is approved and the cash payment is made.

Required a.  Create a flowchart or logic diagram to represent the flow of transactions from initiating a purchase order to cash payment. b.  Which duties in the above process should be segregated? AP6.11  (LO 2, 7)  Challenging   Risk assessment  Recent reports have warned of climate change impacts on the Florida coastline, including a rise in sea levels, more frequent storms, flooding, and coastal erosion. Assume you are a member of senior management at a large property development company in Florida that owns a material amount of undeveloped ocean front property, which the company expects to develop over the next 15 years.

Required Write a report identifying the main risks to your company that you believe should be considered at the next meeting of the risk assessment committee. Include risks to the company’s operations, assets, ­finances, and personnel.

Audit Decision Cases King Companies, Inc. Questions C6.1 and C6.2 are based on the following case. King Companies, Inc (KCI) is a private company that owns five auto parts stores in urban Los Angeles, California. King Companies has gone from two auto parts stores to five stores in the last three years, and it plans continued growth. Eric and Patricia King own the majority of the shares in KCI. Eric is the chairman of the board of directors of KCI and CEO, and Patricia is a director as well as the CFO. Shares not owned by Eric and Patricia are owned by friends and family who helped the Kings get started. Eric started the company with one store after working in an auto parts store. To date, he has funded growth from an inheritance and investments from a few friends. Eric and Patricia are thinking about expanding by opening three to five additional stores in the next few years. In October 2021, Eric approached your accounting firm, Thornson & Danforth, LLP, to conduct an annual audit of KCI for the year ended December 31, 2022. KCI has not been audited before, but this year the audit has been requested by the company’s bank because of anticipated bank loans and by a new private equity investor that has just acquired a 20% share of KCI. KCI employs 20 full-time staff. These workers are employed in store management, sales, parts delivery, and accounting. About 40% of KCI’s business is retail walk-in business, and the other 60% is regular customers where KCI delivers parts to their locations and bills these customers on account. During peak periods, KCI also uses part-time workers. Eric is focused on growing revenues. Patricia trusts the company’s employees to work hard for the company, and she feels they should be rewarded well. The accounting staff, in particular, is very loyal to the company. Eric tells you that accounting staff enjoy their jobs so much they have never taken any annual vacations and hardly any workers ever take sick leave. There are two people currently employed as accounting staff, the most senior of whom is Jonathan Jung. Jonathan heads the accounting department and reports directly to Patricia. He is in his late fifties and hopes to retire in two or three years and move away from Los Angeles. Jonathan keeps a close watch on accounting and does many activities himself including opening mail, cash receipts and vendor

 Audit Decision Cases  6-43 payments, depositing funds received, performing reconciliations, posting journals, and performing the payroll function. His second employee, Abby Owens, is a recent college graduate who just passed the CPA exam. Abby is responsible for the payroll functions and posting all journal entries into the accounting system. Jonathan and Abby often help each other out in busy periods. C6.1  (LO 2, 3)  Challenging   Internal control components a. Gather information: Explain how the internal control components are usually adjusted to meet the needs of small entities. What advantages and disadvantages does this bring? b. Analysis: Assess the control environment at KCI. What changes would you recommend? c. Evaluation: Based on what you know about the accounting system, what recommendations would you offer in terms of control activities? C6.2  (LO 7)  Challenging   Communication with management  Conclusion: Write a management letter to Eric and Patricia King and the board of directors. Address your findings, your recommendations, and how you believe your recommendations would benefit the company.

Mobile Security, Inc. Question C6.3 is based on the following case. Mobile Security, Inc. (MSI) has been an audit client of Leo & Lee, LLP for the past 12 years. MSI is a small, publicly traded aviation company based in Cleveland, Ohio, where it manufactures high-tech unmanned aerial vehicles (UAV), also known as drones, and other surveillance and security equipment. MSI’s products are primarily used by the military and scientific research institutions, but there is growing demand for UAVs for commercial and recreational use. MSI must go through an extensive bidding process for large government contracts. Because of the sensitive nature of government contracts and military product designs, both the facilities and records of MSI must be highly secured. In October 2022, MSI installed a new cloud-based inventory costing system to replace a system that had been developed in-house. The old system could no longer keep up with the complex and detailed manufacturing costing process that provides information to support competitive bidding. MSI’s IT department, together with the consultants from the software company, implemented the new inventory costing system which went live on December 1, 2022. Key operational staff and the internal audit team from MSI were significantly engaged in the selection, testing, training, and implementation stages. The inventory costing system uses various manufacturing costing and unit of production inputs to calculate and produce a database of all product costs and recommended sales prices. It also integrates with the general ledger each time there are product inventory movements such as purchases, sales, waste, and damaged inventory losses. It is now February 2023, and you are beginning the audit planning for the June 30, 2023, annual financial statement audit. You are assigned to assess MSI’s IT controls with particular emphasis on the recent implementation of the new inventory costing system. C6.3  (LO 2, 3, 4)  Challenging   Public Company   Components of internal control  Analysis: Explain how the external auditors would evaluate each of the following components with respect to the new inventory costing system. a. The control environment. b. Management’s risk assessment process. c. IT general controls.

Brookwood Pines Hospital Question C6.4 is based on the following case. Goodfellow & Perkins gained a new client, Brookwood Pines Hospital (BPH), a private, not-for-profit hospital. The fiscal year-end for Brookwood Pines is June 30. You are performing the audit for the 2023 fiscal year end, and the audit is currently in the risk assessment phase. The healthcare industry can be very complicated, especially in the area of billing for services provided. BPH contracts with private physician groups who use the hospital facilities, equipment, and nursing staff to treat patients. The physicians in the private group are not employees of the hospital; they are simply using the hospital facilities to treat patients. For example, a group of urologists have their own practice, separate from the hospital, where they treat patients. If one of these patients needs a surgical procedure that must be done at a hospital, then the attending urologist will approve the paperwork required to admit the patient to BPH. BPH offers inducements to the urologists so they will refer patients to BPH rather than a competing hospital. One of the inducements BPH offers is free office space in the hospital for the doctors to use when they are treating patients in the hospital.

6-44  C h a pte r 6   Gaining an Understanding of the Client’s System of Internal Control After the doctor and hospital services are provided to the patient, the patient and/or the patient’s insurance company is billed. The doctor will bill for the services he or she provided, and the hospital will bill for the use of hospital facilities and staff. Doctors and hospitals bill using a coding system that is standardized across the healthcare industry and consists of three main code sets: ICD, CPT, and HCPCS. Using a coding system is more efficient and data-friendly compared to writing a narrative about the procedures performed. However, the coding system is very complex, with thousands of different codes for medical procedures and diagnoses. To complicate matters even more, for patients who are covered by government-sponsored Medicare or Medicaid, doctors and hospitals must adhere to complicated government regulations surrounding billings to Medicare and Medicaid. As healthcare costs continue to rise each year, BPH administrators struggle to maintain consistent profitability. They look for ways to keep costs low and also to collect outstanding payments from patients and insurance companies as quickly as possible. In addition, BPH must have a strong risk management team to handle unique situations that may occur in hospitals such as malpractice lawsuits and periodic inspections by the state regulators. Negative publicity for BPH could lead to decreased revenues if physicians decide to contract with a competing hospital. C6.4  (LO 2, 3, 4)  Challenging   Risk assessment and transaction-level controls a. Gather information: You have been assigned to evaluate revenue from patients who are covered by government-sponsored Medicare or Medicaid programs. What questions do you want to ask about BPH’s risk assessment controls? b. Analysis: Assume that you are focused on the occurrence of revenue recognized from patients who are covered by government-sponsored Medicare or Medicaid programs. What controls do you expect to be in place regarding this assertion?

Cloud 9 - Continuing Case Sharon Gallagher and Josh Thomas have assessed the internal controls at Cloud 9 as being effective at an entity level. This means that, at a high level, the company demonstrates an environment where potential material misstatements are prevented or detected. Answer the following questions based on the information presented for Cloud 9 in the appendix to this text and the current and earlier chapters. You should also consider your answers to the case-study questions in earlier chapters.

this text). Using this interview transcript and other information presented in the case, you are asked to: a.  Prepare a flowchart, logic diagram, or narrative documenting your understanding of the revenue process for wholesale sales from making sales to recording sales invoices in the general ledger.

Required

b.  Identify any follow-up questions you should ask the client if aspects of the process are not adequately explained. You could address such questions to Carla Johnson or any other employee you deem appropriate.

You have been assigned the task of documenting the process for recording sales, trade receivables, and cash receipt transactions for wholesale customers. In your absence, Josh met with the Cloud 9 controller, Carla Johnson, and received permission to tape the interview, which is provided as a transcript (see the appendix to

d.  Draw an overall conclusion about internal controls related to the recording of wholesale revenue transactions.

c.  For each assertion associated with recording wholesale revenue transactions, identify a control related to that assertion. If no controls are identified, recommend a control for the assertion.

Chapter 7 Audit Data Analytics Special thanks to Dr. Adrian Gepp of Bond University, Queensland, Australia, for his invaluable assistance in co-authoring this chapter.

The Audit Process Overview of Audit and Assurance (Chapter 1) Professionalism and Professional Responsibilities (Chapter 2) Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4) Identify Significant Accounts and Transactions Make Preliminary Risk Assessments

Set Planning Materiality

Gaining an Understanding of the System of Internal Control (Chapter 6)

Audit Evidence (Chapter 5)

Develop Responses to Risk and an Audit Strategy

Performing Tests of Controls (Chapter 8)

Performing Substantive Procedures (Chapter 9) Audit Sampling for Substantive Tests (Chapter 10)

Auditing the Revenue Process (Chapter 11)

Auditing the Purchasing and Payroll Processes (Chapter 12)

Audit Data Analytics (Chapter 7)

Gaining an Understanding of the Client

Auditing the Balance Sheet and Related Income Accounts (Chapter 13)

Completing and Reporting on the Audit (Chapters 14 and 15) Procedures Performed Near the End of the Audit

Drawing Audit Conclusions

Reporting

7-1

7-2  Ch a pte r 7  Audit Data Analytics

Learning Objectives LO 1 Explain the five-step process associated with planning, performing, and evaluating results from audit data analytics. LO 2 Apply steps associated with accessing and preparing data for audit data analytics. LO 3 Explain how audit data analytics is used as a risk assessment procedure.

LO 4 Apply audit data analytics as a risk assessment procedure and evaluate the results. LO 5 Explain how audit data analytics is used as a substantive test. LO 6 Apply audit data analytics as a substantive test and evaluate the results.

Auditing and Assurance Standards PCAOB

Auditing Standards Board

AS 1105 Audit Evidence

AICPA  Guide to Audit Data Analytics AU-C 230 Audit Documentation AU-C 315  Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement AU-C 500 Audit Evidence

Cloud 9 - Continuing Case Sharon Gallagher (audit manager) and Josh Thomas (audit senior) have just returned from an all-day staff training session on audit data analytics (ADA). Josh asks Sharon, “Do you think using audit data analytics would be an effective tool on the Cloud 9 audit? If so, where do you think we might implement audit data analytics?” Sharon responds: “Why don’t we involve the entire audit team in a brainstorming session about the use of audit data analytics. Everyone would benefit from this discussion.” Later that week, Jo Wadley (audit partner), Sharon, Josh, Suzie Pickering (experienced audit staff), and Ian Harper (new audit staff) met to discuss the application of ADA to the audit. They were

joined by Mark Batten, IT audit manager. They began by determining where ADA might be most effectively implemented in the audit. They quickly listed accounts like accounts receivable, inventory, and payables to suppliers. At this point, Jo stepped in and said, “We have to be more thoughtful about how we think about the uses of ADA. For each of these accounts, what are the assertions where we might use data analytics as an audit tool? Once we identify assertions where we think it might be cost-effective, we then need to think about the data that might support our audit of those assertions. Is the client’s data reliable? Does the data need to be cleaned? Let’s start by answering these questions.”

Chapter Preview: Audit Process in Focus audit data analytics (ADA)  the science and art of discovering and analyzing patterns, identifying anomalies, and extracting other useful information in data underlying or related to the subject matter of an audit through analysis, modeling, and visualization for planning and performing the audit

This chapter addresses an emerging and quickly evolving audit topic—audit data analytics. More and more audit clients have significant data in machine-readable form that the auditor can interrogate to look for anomalies, unusual trends, or other information of interest to the auditor. Today, tools at the audit team’s disposal allow the auditor to search a large database for the “needle in the haystack.” The AICPA Guide to Audit Data Analytics defines audit data analytics (ADA) as “the science and art of discovering and analyzing patterns, identifying anomalies, and extracting other useful information in data underlying or related to the subject matter of an audit through analysis, modelling, and visualization for planning and performing the

  Steps in Performing Audit Data Analytics  7-3

audit.”1 Audit data analytics (ADA) is an additional tool available to the auditor that makes the audit more effective given the right circumstances. In some audit applications, ADA may replace a sampling technique, and in some audit applications it may not. This is discussed further in Chapter 10. In this chapter, we begin with an introduction to audit data analytics and a discussion of the five-step process suggested in the AICPA Guide to Audit Data Analytics. Prior to considering how to implement audit data analytics, the auditor uses his or her business acumen, knowledge of the business and industry, and an understanding of the availability of relevant and reliable data to evaluate where audit data analytics might be successful and cost-effective. Next, the chapter explores issues associated with preparing the data for analysis. The auditor needs to consider both the relevance and reliability of the data, just as in any other audit test. In some cases, the auditor may need to take steps to prepare the data for analysis or consider procedures needed to determine whether the data is sufficiently reliable for analysis. The chapter then focuses on two areas in some depth, starting with the use of audit data analytics as a risk assessment procedure. Here, the auditor focuses on identifying and assessing the risk of material misstatement, whether due to error or fraud. Audit data analytics may effectively identify subpopulations with a high risk of material misstatement. In this discussion, we explain how the auditor may use various sorting and clustering techniques, regression analysis, or various matching techniques to identify items with a high likelihood of material misstatement. The chapter also discusses the risks and benefits of using visualization techniques to analyze the risk of material misstatement. Second, the chapter addresses using audit data analytics as a substantive test. In this section of the chapter, we describe how the auditor might use audit data analytics to examine 100% of a population and identify misstatements in the population. This section also illustrates a process of matching key information to identify revenue recognition problems, as well as techniques for identifying duplicate payments to a vendor.

Steps in Performing Audit Data Analytics Lea rning Objective 1 Explain the five-step process associated with planning, performing, and evaluating results from audit data analytics. Auditors have been using software-assisted audit techniques for some time to investigate client databases and perform audit procedures. However, a recent review of big data in accounting and finance revealed that auditing is lagging behind other disciplines in the use of data analytics, perhaps due to a lack of policy guidance and related professional standards.2 In response, the International Auditing and Assurance Standards Board now has a Data Analytics Working Group. In 2017, the AICPA published the AICPA Guide to Audit Data Analytics. The following year, the International Accounting Education Standards Board published an exposure draft addressing updated learning objectives related to information and communication technologies and professional skepticism. These learning objectives emphasize the overlap of skills related to: •  Business acumen. •  Behavioral competence. •  Digital acumen. •  Data interrogation, synthesis, and analysis. •  Communication skills. 1

AICPA, Guide to Audit Data Analytics (AICPA: Durham, NC, 2017). A. Gepp, M.K. Linnenluecke, T.J. O’Neill, and T. Smith, “Big Data Techniques in Auditing Research and Practice: Current Trends and Future Opportunities,” Journal of Accounting Literature (2018), pp. 102–115. 2 

7-4  Ch a pte r 7  Audit Data Analytics

Finally, the Big 4 firms all now have pages on their websites that promote their use of data analytics, demonstrating an emphasis on utilizing ADA. Mid-sized firms are expanding their uses of software-assisted audit techniques to include the regular use of ADA, and many smaller audit firms are using various forms of ADA in current audits. Data analytics is increasingly discussed in businesses, even at the board of directors’ level. As clients continue to adopt data analytics in their business, they expect auditors to do the same. Auditors need to understand ADA to have effective conversations with clients. Further, auditors need to adopt ADA in the world of big data so they avoid information overload and improve the quality of audit decisions. It is imperative for auditors to understand ADA and the insights data analytics can provide. Finally, simply utilizing a small team of data analysts is not recommended when attempting to utilize ADA on a large scale and in new ways. Individuals with data analytics skills need to be fully integrated with the rest of the audit team so new opportunities for risk analysis and substantive testing can be identified and utilized. An understanding of what data analytics techniques can offer audit firms is essential for every member of the audit firm that influences the audit. The use of ADA is providing opportunities to rethink how an audit is performed. In some ways, the audit does not change. The auditor must still audit the same assertions, must still understand the business and industry, and must still understand an entity’s system of internal control. However, ADA allows the auditor to rethink how risk is assessed and how substantive tests might be performed. Audit data analytics can be used at virtually any phase of the audit. ADA can be used as a risk assessment tool, as a test of controls, as a test of details, or to help form a conclusion regarding virtually any audit assertion. In this chapter, ADA is discussed in the contexts of a risk assessment tool and as a substantive test of details. As with all audit procedures, auditors must carefully plan the nature, timing, and extent of ADA to be used for each client. In its Audit Guide for Audit Data Analytics, the AICPA outlines a five-step process, shown in Illustration 7.1, to follow when planning, performing, and evaluating results from ADA. illustration 7.1   Five-step process for planning and performing audit data analytics

Step 1: Plan the ADA

Step 2: Access and prepare the data for the ADA

Step 3: Consider the relevance and reliability of data used

Step 4: Perform the ADA

Step 5: Evaluate the results and conclude whether the purpose and specific objectives of performing the ADA have been achieved

The following discussion addresses each of these steps in detail. The discussion of these five steps will be illustrated in the context of auditing a retailer of consumer electronics and appliances. Assume the client has a very heterogeneous inventory, and preliminary analytical procedures indicate that in aggregate, inventory moves slower than the industry average. The intent of the ADA is to analyze inventory turnover for each item in inventory (e.g., for each SKU number) to determine if there is a problem with the net realizable value of inventory (valuation and allocation assertion) as of the company’s fiscal year-end. Illustration 7.2 indicates the key characteristics of this ADA application.

  Steps in Performing Audit Data Analytics  7-5

Financial Broad Business Concern for Risk of Material Statement ADA Audit Environment Misstatement Account(s) Assertion Objective Retailer of consumer electronics and appliances

•  Inventory moves slower than the industry average. •  Inventory may be overstated. It may need to be written down to its net realizable value because of obsolete or slowmoving items.

•  Inventory •  Cost of Goods Sold

Valuation of inventory at net realizable value

Gather evidence for risk assessment

illustration 7.2  

Overview of applying ADA when auditing a retailer of consumer electronics and appliances

Step 1: Plan the Audit Data Analytics The typical starting point for ADA is good business acumen. An auditor needs to customize an ADA application to an audit client. Analyzing inventory for a retailer of consumer electronics and appliances will be entirely different from analyzing inventory for a construction company. Therefore, the initial planning of where to use ADA may involve significant audit partner and manager time, or it may be combined with a brainstorming session that involves all members of the audit team. In addition, the auditor needs to consider the availability of data to suit the auditor’s purpose. In various medium-sized businesses, city and county governments, and not-for-profit organizations, data may not be subject to a strong system of internal controls. As a result, the data may be inaccurate and not well-suited for the ADA application. Illustration 7.3 outlines some key questions an audit team is likely to consider when planning an ADA application.

Key questions for an audit team to consider when planning an ADA application: • What financial statement items, accounts, or disclosures and related assertions are being audited? • What is the overall purpose of the ADA application and how will it contribute to the balance of the audit? For example, is ADA being used as a risk assessment procedure or as a substantive test? • What is the audit population being analyzed or tested using ADA? The auditor should also consider the relevance of the data to the audit assertion(s) being tested, and the availability and reliability of the data. • What ADA tool is best suited for the audit purpose? Here the auditor selects the techniques, tools, graphics, tables or other analytical techniques to be used.

Initially, an audit staff member thought the audit team should determine inventory turnover by comparing sales revenue for each item in inventory with the underlying cost of each item in inventory. However, after discussing this approach with a colleague, the staff member realized that the revenue includes a markup for gross margin, while the inventory data is at cost. As a result, it would be like comparing apples with oranges. Further, the client uses a perpetual inventory method and does not have cost of sales for each item in inventory. The client does have data on the quantity of each item sold and the quantity and location of each item in inventory. The audit team can calculate inventory turnover in days by comparing quantities sold with quantities on hand. Internal controls over this data have previously been tested as part of tests of controls, and the audit team assessed control risk as low. The auditor is also satisfied with the quality of the company’s IT general controls. In this example, the auditor wants to use ADA to combine the quantities at each location and sort each SKU number by the number of days sales in inventory (comparing quantity sold to quantity on hand). Once ADA has been used to develop an appropriate aging for each item, the auditor will examine the slowest-moving inventory using traditional substantive tests to determine whether a material amount of inventory may need to be written down to its net realizable value.

illustration 7.3   Key issues to consider when planning an ADA application

7-6  Ch a pte r 7  Audit Data Analytics

Step 2: Access and Prepare the Data for Audit Data Analytics Once the auditor has planned the ADA application, the auditor must access the data, make a copy of the client’s data, and prepare the data for analysis. Illustration 7.4 lists some key questions that the auditor should consider when preparing data for analysis. This topic is discussed in detail in this chapter’s section “Steps Associated with Accessing and Preparing Data for Audit Data Analytics.”

illustration 7.4   Key issues to consider when preparing data for ADA

Is the data complete? • Does the data agree with the general ledger and the financial statements? • The auditor should check the numerical continuity of the data. Are there missing numbers (e.g., missing numbers in the sequence of invoices)? Does the data need to be cleaned? • Are there fields with missing data? • Is the data appropriately and consistently formatted?

In our example of the audit of a consumer electronics and appliances retailer, the auditor, in investigating inventory turnover, will want to ensure that ending inventory quantities match ending inventory used to prepare the financial statements. The auditor will also want to test the completeness of the data regarding inventory sold. Finally, the auditor needs to make sure that information about inventory SKU numbers and inventory quantities are in a consistent format, and that there are no fields with missing data.

Step 3: Consider the Relevance and Reliability of the Data Used The question of relevance and reliability of the data should be addressed as part of any audit test. For example, AU-C 500 (.A29 and .A31) suggests that the auditor consider the following items when evaluating the relevance of information. •  A given set of procedures may provide audit evidence that is relevant to certain assertions but not to others. •  Designing substantive procedures includes identifying conditions relevant to the purpose of the test that constitute a misstatement in the relevant assertion. It is particularly important that the data be relevant to the assertion being tested. The data that will help the auditor determine that all transactions are recorded (completeness) is not the same data that will help the auditor determine that recorded transactions are valid (occurrence). Further, the mere fact that the data set agrees to the general ledger does not mean that the data set is complete. Transactions may be missing from both the data set and the general ledger. As discussed in Chapter 5, AU-C 500.A32 provides the following guidance regarding the reliability of the data. •  The reliability of audit evidence is increased when it is obtained from independent sources outside the entity.

  Steps in Performing Audit Data Analytics  7-7

•  The reliability of audit evidence that is generated internally is increased when the related controls imposed by the entity, including those over its preparation and maintenance, are effective. •  Audit evidence obtained directly by the auditor (for example, observation of the application of a control) is more reliable than audit evidence obtained indirectly or by inference (for example, inquiry about the application of a control). •  Audit evidence in documentary form, whether paper, electronic, or other medium, is more reliable than evidence obtained orally (for example, a contemporaneously written record of a meeting is more reliable than a subsequent oral representation of the matters discussed). •  Audit evidence provided by original documents is more reliable than audit evidence provided by photocopies, facsimiles, or documents that have been filmed, digitized, or otherwise transformed into electronic form, the reliability of which may depend on the controls over their preparation and maintenance. In AS 1105 Audit Evidence, the PCAOB provides similar guidance. It is particularly important for the auditor to understand internal controls over the data set. If internal controls are weak, the data set may contain misstatements and inaccuracies, or the data may be incomplete. The auditor may need to consider whether the data set should be subjected to audit procedures to verify the data before using it to draw an audit conclusion. On the other hand, the auditor is likely to feel more comfortable using data that comes from a strong system of internal controls, and the controls provide some validation of the reliability of the data set. In the example involving the audit of an electronics and appliances retailer, where the auditor wants to use ADA to compare quantities on hand to quantities sold for each item in inventory, the auditor will test the internal controls over the inventory system, and how the inventory system interacts with the purchases system and the sales system. The auditor will want to know that the client regularly tests inventory on hand against the perpetual inventory, purchases of inventory with the quantities received, and sales of inventory with shipping records. In situations where the auditor obtains electronic data from outside the entity, the auditor should also consider the reliability of the data. While information that comes from an independent source is normally more reliable than information obtained inside the entity, the auditor still needs to evaluate the quality of electronic information obtained from outside the entity. For example, say your client is an independent grocery chain that purchases liquor from the state. While the liquor inventory is “purchased” from the state, it goes to the warehouse of an independent third party and does not become the grocer’s inventory until it leaves the warehouse and is shipped to a retail grocery outlet. It is important for the auditor to understand the system of control at the independent warehouse company.

Step 4: Perform the Audit Data Analytics At Step 4, the auditor executes the ADA. This is discussed in considerable detail in the sections “Applying Audit Data Analytics as a Risk Assessment Procedure” and “Applying Audit Data Analytics as a Substantive Test.” In the example of a retailer of consumer electronics and appliances, assume the auditor determines that the inventory quantities on hand in the electronic file agree to the quantities used to prepare the financial statements, and the auditor has reliable data about the quantity of each item sold from the revenue system. Next, the auditor uses ADA to screen out items that have been discontinued during the year, so the auditor is analyzing data on inventory for all items in inventory on hand in any location at year-end. The auditor then uses ADA to calculate the inventory turnover in days for each item in inventory [(Inventory Quantity ÷ Inventory Sales) × 365]. The inventory is grouped into deciles, or groups of approximately 10% of the inventory. The results are shown in Illustration 7.5.

7-8  Ch a pte r 7  Audit Data Analytics illustration 7.5  

ADA ranking of inventory by decile groups of how long it should take to sell the existing inventory

Quantity Sold

Quantity on Hand

% of Inventory on Hand

Estimate of How Long It Will Take to Sell Each Decile Group of Existing Inventory

6,954

6,667

10%

349.9

9,023

6,682

10%

270.3

22,523

6,720

10%

108.9

25,047

6,680

10%

97.3

29,953

6,703

10%

81.7

39,602

6,685

10%

61.6

51,500

6,710

10%

47.6

58,201

6,690

10%

42.0

65,318

6,705

10%

37.5

100,385

6,755

10%

24.6

408,506

66,997

100%

Aggregate inventory turnover is 59.9 days.

Step 5: Evaluate the Results and Draw Conclusions Finally, Step 5 involves evaluating the results provided by the ADA. On average, this retailer of consumer electronics and appliances is able to turn over its inventory about every 60 days (59.9), which is fairly standard for the industry. However, inventory turnover in days for this company is very heterogeneous. The fastest 20% of the inventory turns over every 37.5 days or less. On the other hand, the slowest-moving 20% of the inventory takes 270 days or more to sell. This means it takes over nine months to sell 20% of the inventory, and almost all year (349.9 days) to sell 10% of the inventory on hand at year-end. The next step is to look at the underlying cost of the inventory on hand. The analysis performed above only looked at inventory quantities. The analysis will be more meaningful if dollar values are associated with each stratum of inventory. Illustration 7.6 shows the cost associated with each inventory item, the cost of the total inventory, and the cost of goods sold from the unaudited financial statements. illustration 7.6   ADA ranking of inventory by decile groups including the cost of inventory on hand

Estimate of How Long It Will Take to Sell Each Decile Group of Existing Inventory

Quantity Sold

Quantity on Hand

% of Inventory on Hand

6,954

6,667

10%

349.9

9,023

6,682

10%

22,523

6,720

25,047

Cost of Inventory on Hand

% of Inventory Value

Cumulative %

$7,947,064

16.4%

16.4%

270.3

$6,334,536

13.1%

29.5%

10%

108.9

$5,591,040

11.5%

41.0%

6,680

10%

97.3

$4,883,080

10.1%

51.1%

29,953

6,703

10%

81.7

$5,536,678

11.4%

62.5%

39,602

6,685

10%

61.6

$4,973,640

10.3%

72.8%

51,500

6,710

10%

47.6

$4,623,190

9.5%

82.3% (continued)

  Steps in Performing Audit Data Analytics  7-9 ILLUSTRATION 7.6   (continued)

Estimate of How Long It Will Take to Sell Each Decile Group of Existing Inventory

Quantity on Hand

% of Inventory on Hand

58,201

6,690

10%

42.0

65,318

6,705

10%

100,385

6,755

408,506

66,997

Quantity Sold

Cost of Inventory on Hand

% of Inventory Value

Cumulative %

$3,652,740

7.5%

89.8%

37.5

$3,345,795

6.9%

96.7%

10%

24.6

$1,587,425

3.3%

100.0%

100%

59.9

$48,475,188

100%

Cost of goods sold per unaudited financial statements Estimated number of days to sell inventory

$232,541,934 76.1

Analysis of this information shows that the 20% of inventory that takes over 270 days to sell represents almost 30% of the cost of inventory (29.5%). When the auditor calculates the average number of days to sell inventory based on the financial statements (using dollars instead of quantities), it calculates 76.1 days compared to 59.9 days. On one hand, the client’s inventory may just turn over slowly. On the other hand, the client may need to mark down inventory in order to sell it. It is possible that the audit client has a lower-of-cost-or-net-realizable-value problem with inventory. The next step for the auditor will be to compare the cost of items in inventory with the evidence of what that inventory has sold for to determine if there is a net realizable value problem with inventory. Given that almost 30% of the dollar value of inventory is very slow-moving, the auditor needs to investigate this issue further. The auditor also needs to evaluate the client’s past experience selling inventory and the underlying business model. If the client has a history of taking significantly longer to sell high-priced goods but gets a better margin on those items when they do sell, net realizable value may not be a problem. However, if the client has ventured into selling higher-cost and higher-priced items for the first time, and those items are not selling in the client’s market, it is more likely that a write-down of inventory to its net realizable value is necessary. This is where the auditor’s business acumen and experience, both with the audit client and with the client’s industry, becomes so important.

Audit Documentation Recall from Chapter 5 that AU-C 230.08 states that the auditor should prepare audit documentation that is sufficient to enable an experienced auditor, having no previous connection with the audit, to understand (a) the nature, timing, and extent of the audit procedures performed to comply with GAAS and applicable legal and regulatory requirements; (b) the results of the audit procedures performed, and the audit evidence obtained; and (c) significant findings or issues arising during the audit, the conclusions reached thereon, and significant professional judgments made in reaching those conclusions. Paragraph 1.51 of the AICPA Guide to Audit Data Analytics suggests that the documentation of ADA might include the following: •  Objectives of the procedure. •  Risks of material misstatement that the procedure intended to address at the financial statement level or at the assertion level. •  The sources of the underlying data and how it was determined to be sufficient and appropriate (as necessary in the context of the nature and objectives of the ADA being performed). •  The ADA and related tools and techniques used. •  The tables or graphics used, including how they were generated. •  The steps taken to access data, including the system accessed and, when applicable, how the data was extracted and transformed for audit use.

7-10  C h a pte r 7  Audit Data Analytics

•  The evaluation of matters identified as a result of applying the ADA and actions taken regarding those matters. •  The identifying characteristics of the specific items or matter tested. •  The individual who performed the audit work and the date such work was completed. •  The individual who reviewed the audit work performed and the date and extent of such review. The discussion in the AICPA Guide to Audit Data Analytics also states that GAAS do not require, and it may not be practicable, to include in the audit file all the data analyzed or tested using an ADA audit procedure (paragraph 1.50). The illustrations used in this chapter provide partial examples of what might be documented in an audit file. They are not intended to provide complete examples of the documentation that might be created in an audit file.

Professional Environment  Personal Views on the Use of Technology in Audits Melanie McLaren, Executive Director of the Financial Reporting Council (FRC) in the United Kingdom, noted that in 2015 the FRC observed the use of data analytics in only 16 of 109 inspected audits. However, the FRC expects the use of audit data analytics to increase. In these 16 inspected audits, the FRC observed the following use of data analytics: •  Analysis of all transactions in a population, stratifying that population and identifying outliers for further examination. •  Reperformance of calculations relevant to the financial statements. •  Matching transactions as they pass through a processing cycle. •  Assisting in segregation of duties testing. •  Comparing entity data to externally obtained data. •  Manipulating data to assess the impact of different assumptions.

•  Deepened the auditor’s understanding of the entity. •  Facilitated the focus of audit testing on areas of highest risk through stratification of large populations. •  Aided in the exercise of professional skepticism. •  Improved the consistency and central oversight of group audits. •  Enabled the auditor to perform tests on large or complex datasets where a manual approach would not be feasible. •  Improved audit efficiency. •  Assisted in identifying instances of fraud. •  Enhanced communications with audit committees. Source: Melanie McClaren, Developments in Technology and Data Analytics,” Speech delivered at the PCAOB International Institute Panel Discussion (December 8, 2017).

In addition, the FRC noted the following benefits of the use of audit data analytics:

Cloud 9 - Continuing Case After some discussion, the Cloud 9 audit team decided they might use ADA to look at the collectibility of receivables. The intent is to identify specific customers with past due balances. Cloud 9 has a relatively low allowance for doubtful accounts. Is management’s assessment justified? The Cloud 9 audit team also thought that they might look at purchases to do a triple match of items ordered, items received, and items recorded as liabilities. Preliminary analytical procedures show

that accounts payable turnover in days have declined, so a careful look at transactions might help identify potential problems. Mark then brought up a key issue. How good is the client’s data? Is it reliable? Sharon responded that internal controls appeared to be strong at Cloud 9, and the audit team was just beginning to perform tests of controls. The team decided the next step was to look carefully at the data that might be used to perform these audit tests. Then, they would meet again to discuss the application of ADA in the Cloud 9 audit.

Before You Go On 1.1  Explain each of the five steps associated with performing audit data analytics. 1.2 Develop two examples where client data might not be ready to use for audit data analytics. In each instance, suggest a strategy to correct the deficiencies. 1.3 In the inventory turnover example for a retailer of consumer electronics and appliances discussed in the chapter, what is the red flag in the data showing that there might be a net realizable value problem?

  Steps Associated with Accessing and Preparing Data for Audit Data Analytics  7-11

Steps Associated with Accessing and Preparing Data for Audit Data Analytics Lea rning Objective 2 Apply steps associated with accessing and preparing data for audit data analytics. Before using client data for audit data analytics, the auditor needs to address several issues. First, the auditor needs to make a copy of the client’s data for purposes of the auditor’s analysis. The auditor should never perform any functions or procedures that would modify or change the client’s actual data. All analysis should be done on a copy of the client’s data. Next, the auditor needs to determine if the data obtained from the client is complete. The auditor also needs to determine if the data is in a consistent format and whether it needs to be cleaned before it can be used. Finally, the auditor must evaluate the relevance and reliability of the client’s data before it is ready to be used for audit data analytics. These topics are discussed in more detail below.

Is the Data Complete? There are several questions the auditor wants to ask about the underlying completeness of the data set to be used for ADA. First, when appropriate, the auditor should determine if the data set agrees with the general ledger. If the auditor is auditing an accounts receivable file, the auditor will want to make sure the receivable file matches the general ledger as of the date of the test. Sometimes, the accounting department may run the general ledger off a different set of parameters than, for example, individuals in a sales office or another part of the organization that may use a preconfigured report. If the auditor runs an ADA application without first reconciling the data to the general ledger, the auditor may identify anomalies only because the data is incomplete. The analysis of an incomplete data file may be both inefficient and ineffective. Second, the auditor should determine if there are gaps in the sequence of prenumbered documents in the audit file. If the auditor is auditing revenues and identifies gaps in the sequence of prenumbered sales invoices, the auditor may be facing a completeness problem, even if the file reconciles with the general ledger. Alternatively, if the auditor identifies duplicate invoice numbers, this may reveal the possibility of occurrence problems with recorded revenues. Similarly, data may be incomplete if it does not contain key elements of the analysis, such as unique ID numbers for personnel when auditing payroll-related applications, or unique customer numbers when auditing receivables. In another example, when combining data associated with a global entity, the auditor needs to make sure all desired fields are complete across the entire organization. If a geographic division is unable to provide data fields consistent with other geographic areas, it might cause problems in the auditor’s ADA application. Finally, the auditor must consider the purpose of the ADA application. For example, the auditor might be auditing the data given to an actuary for purposes of developing an estimate of pension obligations. In this example, the auditor might be given W-2 wages, but this may be different from pensionable wages. Pensionable wages may include nonmonetary compensation that might not be included in W-2 wages. Therefore, the auditor needs to be knowledgeable about the purpose of the ADA application and be able to assess the completeness of the data received from the client. Incomplete data will make the ADA application inefficient and possibly ineffective.

Does the Data Need to Be Cleaned? Once the auditor has determined that the data is complete and available for all desired fields, the auditor must also make sure that the data is clean and ready for analysis. A common problem with multinational organizations is recording dates in different formats. Some parts of the world record dates as month/day/year, while other parts of the world use a format

7-12  C h a pte r 7  Audit Data Analytics

of day/month/year. The date 10/4/22 in Australia would be the same as 4/10/22 in the United States. Dates must be in a consistent format before the auditor can begin the ADA application. Also, data problems may arise when the auditor compares data over several years. Key identifiers such as customer or employee numbers should not change from year to year. If an existing customer number is taken from an old customer that no longer does business with the company and is assigned to a new customer, it may cause problems with the underlying analysis. It is common for data problems to arise when a company acquires another company. When a new company is acquired, there is frequently a period of transition and integration of accounting and IT systems when different formats are introduced. The acquired subsidiary may not have data fields that are consistent with the parent company, and it may take time to migrate the acquired company onto the parent’s accounting system. Auditors should also be alert to problems that may arise if a subsidiary company outsources part of its accounting system to an external service provider (such as an external payroll service). Finally, the auditor should be alert to similar problems that arise when an entity, of its own volition, transitions from one accounting system to another. These are common problems that may require the auditor to take extra care in ensuring the data is clean and in a consistent format across the entire ADA application.

Key Questions to Be Addressed in Evaluating the Relevance and Reliability of Data Used in Audit Data Analytics The auditor determines the relevance of the data by the audit question or assertion being audited; the data must be relevant to the assertion or audit question. Further, the auditor should be open to evaluating anomalies that may relate to an assertion that the auditor may not be looking for. For example, the auditor may be planning a test of revenue recognition. In the process, the auditor reconciles total revenues to the general ledger and then finds gaps in the numeric sequence of sales invoices. This leads the auditor to discover a problem with the completeness of revenues. The auditor should always evaluate evidence with a questioning mind and an attitude of professional skepticism. When evaluating the reliability of data, the AICPA Guide for Audit Data Analytics suggests the following key questions the auditor should address: •  W  hat is the nature of the data? For example, is it financial or nonfinancial? Is it economic or business sector data? Is it original data or summarized data? •  W  hat is the source of the data? For example, does it come from the client’s accounting system? Is it internal or external data? •  W  hat is the process used to produce the data? For example, is the data subject to the entity’s system of internal control over financial reporting (ICFR)? •  W  hat matters might the auditor consider in determining the nature, timing, and extent of procedures to perform regarding whether the data is sufficiently reliable? For example, will tests of controls confirm that the controls over data reliability are strong? Alternatively, have substantive tests already been performed that may indicate that the data is reliable? •  W  hat procedures regarding data reliability will the auditor consider performing? For example, when auditing revenues, the auditor will often perform a test of missing invoice numbers or breaks in the prenumbered sequence. The auditor might also look for duplicate invoice numbers. The AICPA Guide for Audit Data Analytics also provides some examples of how the auditor might document the answers to these questions. Illustration 7.7 provides an example of this documentation in the context of the ADA inventory application shown in Illustration 7.6.

  Using Audit Data Analytics as a Risk Assessment Procedure  7-13 ILLUSTRATION 7.7   Documenting the reliability of data used in audit data analytics: An inventory illustration

Nature of the data

Data on quantities of inventory on hand and quantities of inventory sold.

Source of the data

The data comes from the company’s inventory system.

Process used to produce the data

Data is produced by the client’s inventory management system, which interacts with the purchases of inventory (purchases process) and sale of inventory (revenue process). The company tests inventory on hand through a process of cycle counts. Quantities of purchases and sales are reviewed by purchasing managers and sales staff.

Matters the auditor might consider in determining the nature, timing, and extent of procedures to perform regarding whether data is sufficiently reliable

The audit team tested internal controls over cycle counts and inventory quantities and found the controls effective. Controls over purchases and sales were also found to be effective.

Procedures regarding data reliability an auditor may consider performing

This is a planned risk assessment procedure. Based on tests of controls, the data is considered reliable for identifying slow-moving items in inventory that may be at risk of being written down to net realizable value. In addition, audit team members will talk with inventory managers about slow-moving inventory as part of inventory observation procedures.

Cloud 9 - Continuing Case Sharon, Josh, and Mark are talking about using data analytics to test the aging of accounts receivable and evaluate net realizable value of receivables. They have determined that they need to know beginning receivables, all sales transactions, and all cash receipts on account for the entire year, as well as any sales adjustment transactions. All of the information should come out of the revenue process for Cloud 9. Sharon’s first question relates to the merger with McClellan’s Shoes in 2021. “I just want to confirm our understanding that McClellan’s operations have been fully integrated with Cloud 9’s operations and we are only running one accounting system.” Josh confirms that that is his understanding. “Thank goodness!” he says. “I would not like to run ADA and have to combine two accounting systems to get the needed data.” However, Mark makes a note to double-check, as tests of controls still need to be performed.

Mark then asks, “Cloud 9 sells on a global scale. When Cloud 9 sells to British Commonwealth and European countries, do they change the format of the dates on sales invoices?” Josh responds that he has asked questions about this; the electronic file is all in one format: day/month/year. However, depending on the customer code, the date may print out on the invoice as month/day/year. From Josh’s understanding, the electronic file has dates in a single format. Mark is pleased that Josh has asked this level of detailed questions in understanding the system. Mark then states, “Let’s get the data from the client and then take a close look at it. Before we proceed with the analysis, we need to make sure the data is clean and in a consistent format.”

Before You Go On 2.1  Develop two examples of how an auditor might obtain an incomplete data set. 2.2 Develop two examples of a data set that needs to be cleaned before it is ready for an ADA application. 2.3  Describe how the auditor evaluates the relevance of a data set for an ADA application. 2.4  List five key questions that help the auditor in evaluating the reliability of a data set for ADA.

Using Audit Data Analytics as a Risk Assessment Procedure Lea rning Objective 3 Explain how audit data analytics is used as a risk assessment procedure. AU-C 315 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement defines risk assessment procedures as “audit procedures performed to obtain

7-14  C h a pte r 7  Audit Data Analytics

an understanding of the entity and its environment, including the entity’s internal control, to identify and assess the risk of material misstatement, whether due to error or fraud, at the financial statement level and relevant assertion levels.” Often when performing ADA as a risk assessment procedure, the auditor will have first obtained an understanding of the entity and its environment because it takes a significant understanding of the entity to identify misstatements and anomalies. It is also likely that the auditor has obtained an understanding of the system of internal control, and perhaps performed tests of controls, to assess the reliability of data used in performing ADA.

Understanding the Risk Analysis Decision Tree ADA is effective not only for identifying general types of misstatements but also for identifying specific transactions or accounts that are likely to be misstated. Consider the thought process outlined in Illustration 7.8. The following discussion will illustrate this thought process in the context of the inventory example presented in Illustration 7.6. illustration 7.8   Risk analysis decision tree

Environment of Professional Skepticism Population

Fits the auditor’s Does not fit the expectation auditor’s expectation

Acceptable variation from the auditor’s expectation

Unacceptable variation from the auditor’s expectation

Remote probability of aggregating to a material misstatement

Reasonable possibility of aggregating to a material misstatement

In this example, the population is inventory on hand, and the auditor is focused on determining if there is a net realizable value problem with inventory. The auditor has obtained data on inventory quantities on hand for each item in inventory, as well as the quantities of inventory sold during the year. Using this data, the auditor has ordered items in inventory from the fastest-moving inventory to the slowest-moving inventory. The auditor must then decide what constitutes a “slow-moving item” that represents a net realizable value problem. In other words, which items in inventory are outside the auditor’s expectation in the context of inventory turnover? The auditor must use his or her business acumen, knowledge of the business, and knowledge of the industry and economy in which the audit client operates. The auditor might know that on average it takes 90 days for a retailer of consumer electronics and appliances to sell inventory, and that some inventory regularly turns more slowly than every 90 days. As a result, the audit team plans to pay particular attention to inventory if there is more than a 120-day supply of inventory on hand. In the context of Illustration 7.8, the auditor might conclude that any inventory items with more than a 120-day supply of inventory on hand initially do not fit the auditor’s expectation. However, the auditor might also know that some items in inventory regularly take more than 120 days to sell. For example, the client may make a business decision to carry items that are high-price and high-margin, but on average turn over only twice a year, or every 180 days. Based on prior evidence and the auditor’s experience, these items do not represent a net realizable problem with these particular products. Therefore, these would be acceptable variations from what the auditor expects. Ultimately, the auditor must determine the items in inventory that represent an unacceptable variation from the client’s experience and the auditor’s expectations (e.g., items where there is a significant risk of net realizable value issues). The auditor pays particular attention to inventory where changes in technology might result in an oversupply of inventory that will

  Using Audit Data Analytics as a Risk Assessment Procedure  7-15

likely need to be marked down. Alternatively, the client may have overestimated the demand for a particular product, and the inventory will need to be marked down significantly in order to sell that inventory on hand. The auditor might choose to look at sales of these items after year-end to evaluate the client’s ability to reduce its inventory of slow-moving items without incurring a loss. At this point, the auditor will engage in traditional audit tests of these highrisk items to determine if it is reasonably possible that a material misstatement exists with respect to the net realizable value of inventory.

What Do We Mean by Notable Items? When the auditor uses ADA, the auditor is looking for anomalies, or balances or transactions that do not meet the auditor’s expectations. The AICPA Guide to Audit Data Analytics (DATA 2.14) defines these balances or transactions of audit interest as notable items. A  “notable item is an item identified from the population being analyzed that has one or more characteristics that, for a relevant assertion, may do the following: a.  Be indicative of a risk of material misstatement: i.  Not previously identified (a new risk) ii.  A higher risk of material misstatement than anticipated by the auditor, or b. Provide information useful in designing or tailoring procedures to address risks of material misstatement.” An issue related to the net realizable value of inventory is that notable items are all items for which the audit client has more than a 120-day supply of inventory on hand. Identifying notable items depends on both the auditor’s understanding of the client’s business and the industry in which the client operates, and the auditor’s understanding of the particular client circumstances. For example, expected inventory turnover for a retailer of electronics and appliances will be different from the expected turnover for a retail grocer. Further, it takes a considerable understanding of the client’s business to identify transactions or balances that may initially appear to be slow-moving inventory but do not represent a risk of a net realizable value problem. Consider another example where the auditor is investigating the collectibility of accounts receivable. An initial look at notable items might include any customer with receivables that are outstanding over 90 days. However, when the auditor uses ADA to take a closer look at these notable items, the auditor may find two groups of customers: (1) a group of customers that take 100–120 days to pay but regularly pays the outstanding receivable in full, and (2) clients that have a deteriorating credit history (e.g., customers were making payments in full in 30 to 60 days early in the client’s fiscal year, but those same customers were not paying receivables in full on a timely basis near the end of the client’s fiscal year). The second group of customers represent customers of greater concern when evaluating the adequacy of the allowance for doubtful accounts. Defining notable items depends on the assertion being audited and the auditor’s understanding of the business and industry.

Tools for Searching for Notable Items There are a number of ways an auditor might search an audit population for notable items. Following are four techniques an auditor might use as a risk assessment procedure to identify notable items that are at a high risk of being materially misstated: 1. Clustering transactions or balances based on a particular characteristic or multiple characteristics. The example regarding inventory turnover clustered each item in inventory based on inventory turnover [(Quantity of inventory on hand ÷ Quantity of inventory sold) × 365]. 2. Matching the characteristics of two populations to see if there are any overlaps. For example, when auditing accounts payable, the auditor might attempt to match addresses of vendors, or bank account numbers of vendors, with the addresses of employees or the bank account numbers of employees. The auditor would not expect a match in these two different populations, but a match might be an indicator of fraudulent transactions.

notable item  an item identified from the population being analyzed that has one or more characteristics that, for a relevant assertion, may do the following: (a) be indicative of a risk of material misstatement, or (b) provide information useful in designing or tailoring procedures to address risks of material misstatement

7-16  C h a pte r 7  Audit Data Analytics

3. Statistical analysis, such as regression analysis, whereby the notable items are identified using statistics (e.g., transactions or balances that are more than three standard deviations from a mean). 4. Visualization, where the auditor plots certain characteristics of a population of account balances or transactions looking for unusual characteristics. Each of these methods will be discussed in more detail later in the chapter.

What to Do When ADA Identifies a Large Number of Items for Further Consideration A challenge for many auditors is what to do when initial investigation identifies a large number of notable items. Does the auditor have to look at each notable item identified? This issue is addressed in the AICPA Guide to Audit Data Analytics, which states, “a large number of notable items may mean, for example, that the number is such that it is not practicable for the auditor to address the items manually. For some audits, notable items could number in the hundreds or thousands for audits of very large organizations.” When this happens, the AICPA Guide to Audit Data Analytics suggests a process similar to that outlined in Illustration 7.6, which involves an iterative process of grouping and filtering. The AICPA Guide to Audit Data Analytics suggests that the auditor first evaluate whether the ADA has been appropriately planned and performed and, if not, refine and reperform the ADA. The Guide (DATA 2.19) suggests that “the auditor might also decide to apply a grouping of filtering process when, for example, a large number of notable items identified have many diverse characteristics. A grouping and filtering process could be used as follows: a. Identify characteristics common to groups of notable items, focusing on their nature, cause and what can go wrong at the relevant assertion level. b. For each group identified in step a, sort the notable items into two groups being comprised of either: i. Items requiring no further response to identify new or higher risks (sometimes called “false positives”); or ii.  Items requiring a further response from the auditor to identify new or higher risks. c. Further analyze the characteristics of the items in b.ii to help identify and sort those notable items into three subgroups: i. Those indicating one or more risks of material misstatement of which the auditor was not previously aware (new risks); ii. Those indicating a higher level of risk of material misstatement than previously identified; or iii. Those that do not indicate new or higher levels of risk of material misstatement.”

false positives  items incorrectly identified as notable items

The following discussion applies this logic of notable items to the investigation of the net realizable value of inventory shown in Illustration 7.6. The auditor determined that an inventory item would be a notable item if there was more than a 120-day supply of inventory on hand at year-end. These notable items represent in excess of 29.5% of inventory on hand at year-end (see Illustration 7.4). Upon further investigation, the auditor notes inventory turnover for the retailer is very heterogeneous. Some of the inventory turns over quickly, and some turns over slowly. The auditor also knows that the client intentionally stocks inventory that is high-margin and slow-moving. Looking at the last three years of history of these items, they seem to take about 9  months to sell, and they regularly sell at a higher-than-average profit margin. These high-margin items represent about 10% of the quantity and 15% of the value of inventory on hand. Based on this history, the auditor believes these items represent a low risk of material misstatement and require no further response or investigation. Items that are incorrectly identified as notable items are called false positives. When these high-margin items are removed from the notable items, the remaining population of notable items represents about 20% of the quantity and 15% of the value of total inventory. The auditor needs to take a careful look at these items. The auditor might

 Applying Audit Data Analytics as a Risk Assessment Procedure  7-17

use additional data analytics to determine what proportion of these items were sold in a period of eight weeks after year-end (10 days before the anticipated report date), whether the items were marked down to speed up the sale of these items, and whether the client had to sell these items at a loss to move them out of inventory. For items that have been sold, the auditor can determine with hindsight if an allowance for net realizable value is material to the financial statements. If inventory has not been sold in the eight weeks after year-end, the auditor needs to use his or her knowledge of the industry to determine if the value of inventory is materially overstated. In determining the need for a proposed audit adjustment, the auditor must also consider any allowance for the lower-of-cost-or-net-realizable-value that the client may already have recorded in preparing the financial statements.

Cloud 9 - Continuing Case Josh and Mark are talking about the results of using ADA as a risk assessment technique. Josh notes that from looking at Cloud 9’s trial balance, Cloud 9 has provided an allowance for doubtful accounts at 1% of gross receivables. Josh and Mark are concerned because they have found that about 6% of total receivables are over 90 days old. Mark asks, ”If Cloud 9 has a good collection history, why is such a large proportion of receivables over 90 days old?” Josh suggests that they look deeper at the customers who are past due. The first thing they see is some very large receivables that are over 90 days old. These customers include one large sporting goods chain, several large shoe chains, and one large national retailer. In fact, these four customers represent about 5% of receivables. When

they look more closely, these customers regularly take 100 to 120 days to pay their invoices, but regularly pay their invoices in that time period. By looking at a year’s worth of both sales and cash receipts, the evidence bears out that these important customers regularly take longer to pay invoices. Once these customers are filtered out, there are some smaller customers who take a long time to pay but pay regularly; however, there are also customers (smaller shoe stores) who seem to be having problems. Some of these were current in their payments early in the year but not late in the year. Upon closer review, Josh believes that, based on the last year’s collection history and looking at each customer, allowance of 1% of receivables is adequate.

Before You Go On 3.1 Assume you are using ADA to conduct a risk assessment regarding the allowance for doubtful accounts for a company that manufactures sunscreen and other skincare products and sells to many retail outlets. How would you apply the risk analysis decision tree to this situation? 3.2 Explain the role of business acumen in applying the risk analysis decision tree. 3.3 Describe a “notable item” and why it is important to audit data analytics. 3.4 Assume that you are auditing the manufacturer of sunscreen and other skincare products and you find a large quantity of customers that have long-outstanding receivables that qualify as notable items. Determine whether the auditor needs to audit each customer that represents a notable item. Why or why not?

Applying Audit Data Analytics as a Risk Assessment Procedure Lea rning Objective 4 Apply audit data analytics as a risk assessment procedure and evaluate the results. Auditors can use a wide variety of data analytics techniques in a risk assessment ADA. In fact, it may not be reasonable for a single auditor to be aware of all possible techniques. Recall that the initial planning stages may involve brainstorming sessions with all members of the audit team. One advantage of such team sessions is pooling together the knowledge about

7-18  C h a pte r 7  Audit Data Analytics

data analytics techniques so the team can discuss which techniques are most appropriate to use. In this section, four particularly useful techniques for risk assessment ADA are discussed, as shown in Illustration 7.9. Different examples are used to illustrate how each technique might be helpful and integrated into the five-step ADA process.

ILLUSTRATION 7.9   Selected data analytics techniques for risk assessment

Data Analytics Techniques for Risk Assessment

Cluster Analysis

Matching Information in Key Data Fields

Regression Analysis

Visualization

Professional Environment  Audit Data Analytics Software A number of ADA software is available for use, such as the following: Microsoft Excel: Microsoft Excel is commonly used by many CPAs as a basic tool for various analyses. The latest version of Excel includes a variety of tools to improve the ability to import data, as well as some new functions and workflow tools. IDEA: IDEA is a powerful and user-friendly tool designed to help accounting and finance professionals, including CPA firms and internal audit groups, extend their auditing capabilities, detect fraud, and meet documentation standards. It easily imports data from almost any source to analyze large data sets, report findings using visualization tools, and automate repeatable processes without programming. See IDEA’s Academic Partnerships at https://www.casewareanalytics. com/idea-academic-partnership. ACL: ACL is another popular audit software, similar to IDEA, that is used by accounting firms and internal audit groups.

Tableau: The focus of Tableau software is visual analytics to help individuals and organizations see and understand their data. Tableau Desktop and Tableau Prep are free for students and faculty; see https://www.tableau.com/academic/students. R: R is one of the most popular software environments for data science. It is open source, which means it is freely available to all users. R provides a vast array of analytics and visualization capabilities that can be used for any purpose, including ADA. One of the reasons for its popularity is that R has ongoing updates from the analytics community and thus is kept up-to-date with cutting-edge advances in analytics. RStudio is a popular user interface to access R that many people find easier to use than R directly. Details and installation instructions for RStudio can be found at https://www.rstudio.com/. Please note that R should be installed (https://www.r-project.org/) before installing RStudio. Python: Python is another very popular programming language for data science, with similar capabilities as R.

Cluster Analysis cluster analysis  the process of discovering groups (termed clusters in data science) of similar items in a set of data; items in the same group are similar, while items in different groups are not as similar

Cluster analysis is the process of discovering groups (termed clusters in data science) of similar items in a set of data; items in the same group are similar, while items in different groups are not as similar. The characteristics of the groups need not be known beforehand; they are determined by the data. For this reason, it is a particularly useful technique when the auditor does not know much about the data set. However, in the audit environment, clustering is often informed by the auditor’s knowledge of the business and industry, knowledge of the client, and an understanding of the accounts, transactions, and assertions being audited. Consequently, the creation of groups should be guided by a combination of the data and the auditor’s expert knowledge. The auditor is generally not advised to outsource clustering work without active communication with the person performing the clustering. There are numerous algorithms available in software packages that perform clustering: k-means and hierarchical clustering are two of many popular clustering techniques.3 3 

Most data science and data analytics texts contain more information about modern clustering techniques. Provost and Fawcett (2013, pp. 163–183) is one such example that is directed at a business audience, not mathematicians and statisticians. F. Provost and T. Fawcett, Data Science for Business (O’Reilly Media: Sebastopol, United States, 2013).

 Applying Audit Data Analytics as a Risk Assessment Procedure  7-19

Clustering can also be performed by graphing data in a way that allows for visual identification of groups. For example, the auditor might use clustering to search for customers who are taking longer than usual to pay, or inventory that is taking abnormally long to sell. Clustering could also be used in the audit of a construction company to look for work in progress with unusually high gross profit margins. Unusual items may be uncovered by clustering because individual items do not belong to a group, or because an entire group is identified as abnormal. In either case, unusual items should be treated as notable items and be investigated further according to the risk analysis decision tree (Illustration 7.8) to determine whether (i) their unusual characteristics are acceptable because they are underpinned by a valid business reason that can be substantiated or (ii) whether there is a risk of a material misstatement. Clustering is illustrated in the context of an audit client that specializes in eco-friendly, solar-dried fruit. Illustration 7.10 identifies key characteristics of this ADA application. The client is involved in the production of dried fruit, the wholesale distribution to retailers, and retail sales through farmers’ markets. The client purchases fruit from the wholesale markets and dries it using patented solar driers. Its patented drier results in a product with a lower moisture content than its competitors, which allows the client to have a 24-month best before date on all products. Although the products can still be sold at a discount (usually more than 50%) after the best before date, commercial customers usually only accept products with at least 6-months until the best before date.

Business Concern for Risk of Environment Material Misstatement A company in growth mode. It is involved in the production, wholesale distribution, and retail of dried fruit.

•  Inventory soared from $3,833,046 in the prior year to $10,180,954 in the current year. •  Inventory may expire or spoil before it can be sold. The value of inventory may need to be adjusted to net realizable value.

Financial Broad Statement ADA Account(s) Assertion Objective •  Inventory •  Cost of Goods Sold

Valuation of inventory at net realizable value

Gather evidence for risk assessment

With the social aim of reducing food waste, the client performs a number of fruit rescues each year. The first way a fruit rescue occurs is when weather conditions damage fruit so it can no longer be sold as fresh fruit. The fruit is, however, often well-suited for drying, and the client is able to purchase damaged crops at a discount. Fruit rescues can also occur when the yield of fresh fruit is too high for all of it to be sold as fresh fruit. In this case, the client offers to buy the excess at a discount from the price for fresh fruit. Fruit rescues benefit the client because the price per pound is substantially lower than in wholesale markets. At historical production levels, the client has substantial spare capacity to dry more fruit should additional attractive fruit rescue opportunities present themselves. The client has a December 31 year-end, and the audit report is expected in March of the following year. At December 31, 2022, the client had $10,180,954 of inventory; a year earlier, it had $3,883,046. Performance materiality for inventory and cost of sales is set at $500,000.

Plan the Audit Data Analytics The client’s inventory value has increased more than 250% in one year. Such a large increase needs to be investigated by the auditor. It is vital for auditors to use their business acumen and knowledge of the business in this investigation. Recall that the company had capacity to perform more fruit rescue, which could result in substantial and sudden increases in inventory. First, the auditor wants to know that the inventory exists. Second, the auditor wants to determine that the

illustration 7.10  

Overview of applying clustering when auditing a company that dries fruit

7-20  C h a pte r 7  Audit Data Analytics

inventory is properly valued and is likely to be sold well before the best before date to avoid heavy discounting. The production process first involves purchasing fresh fruit. Regardless of the method of obtaining the fresh fruit (raw materials), it is always dried in a matter of days to maintain product flavor. The dried fruit is then immediately packaged into bags (ranging from ¼ pound to 3 pounds) and then individually barcoded. These are sold to distributors and retailers. The business model suggests that fresh fruit (raw materials) quickly becomes bags of dried fruit of varying weight (finished goods). Because of the business cycle, no raw materials (fresh fruit) or inventory-in-process (fruit currently being dried) are on hand at year-end. This is consistent with expectations. Assume that, at this stage, the auditor has observed inventory and that inventory observation confirms a substantial increase in finished goods inventory. The auditor has also audited the production process, addressed the issues associated with decreases in weight during the production process, and is satisfied with a value of inventory at cost of $10,180,954. The unique nature of the business means that the client’s inventory levels are likely to be notably different from other food production, distribution, and retail companies. Consequently, comparisons to industry averages are not very beneficial. Instead, the auditor plans to use ADA to investigate the large increase in inventory, specifically focusing on the age of finished goods and turnover of finished goods for each product in inventory. Graphical clustering techniques will be used with both the current and prior years’ data to identify abnormalities that might be notable items. The information from the ADA will be used to help the auditor evaluate the valuation and allocation assertion and determine whether the large increase in inventory is justified or whether inventory should be written down.

Access and Prepare the Data for Audit Data Analytics The client uses a perpetual inventory method and does not have cost of sales for each item in inventory. Consequently, the ADA will compare quantities sold with quantities on hand for each product, while also considering the total cost of each product. Examples of products include ¼-pound bag of Mango, 3-pound bag of Mango, 1-pound bag of Fuji Apples with Skin, and 1-pound bag of Fuji Apples without Skin. Overall, there are 48 different fruit types and 5 different bag weights, which multiply to total 240 different products. The auditor gathers data on the quantity and carrying cost of inventory per product (for 240 products) from year-end accounting used to cost finished goods inventory and cost of goods sold for the years ended 2021 and 2022. The quantity sold per product during the year was obtained from the revenue system. For reliability testing reasons, the auditor also extracted all the records of finished goods produced during 2022. There was no change to the products offered during this time period. Further, all the data was clean and in a consistent format, so the auditors proceeded to document their evaluation of the relevance and reliability of the data used.

Evaluate the Relevance and Reliability of the Data Used The auditor’s evaluation of the relevance and reliability of the data obtained from the client is summarized in Illustration 7.11.

ILLUSTRATION 7.11   Documentation of relevance and reliability of information obtained from the client

Nature of the data

Data categorized by product name was obtained from the client regarding: •  Quantity of finished goods on hand at December 31, 2021 and 2022. •  Cost of finished goods on hand at December 31, 2021 and 2022. •  Quantity sold during the year ending December 31, 2021. •  Quantity sold during the year ending December 31, 2022. •  Sales transactions from January 1 to December 31, 2022. •  Records of finished goods produced from January 1 to December 31, 2022. (continued)

 Applying Audit Data Analytics as a Risk Assessment Procedure  7-21 ILLUSTRATION 7.11   (continued)

Source of the data

All the data comes from the client.

Process used to produce the data

The client’s perpetual inventory system collects finished goods data. The client’s revenue system collects quantity sold data.

Matters the auditor might consider in determining the nature, timing and extent of procedures to perform regarding whether data is sufficiently reliable

As part of tests of internal controls, the audit team assessed control risk as low for both the revenue system and the inventory system, including records of finished goods. The auditor is also satisfied with the quality of the company’s IT general controls. The client conducts cycle counts of approximately 5 to 10% of inventory every 14 days. This control was also tested and found to be effective. Further, the client carefully stores inventory in order of age, so that the oldest inventory is sold first. Any inventory older than 15 months is flagged to sell quickly. Any inventory older than 18 months is sold through retail outlets only. This process has been tested and verified by the auditor.

Procedures regarding data reliability an auditor may consider performing

The audit team determined that the total cost of inventory matched the general ledger, and the inventory quantities on hand matched the data used to prepare the financial statements. The audit team has also already tested and found no issue with the existence assertion for inventory. The data about quantity sold during the year ending December 31, 2022, was reconciled with a sales transaction file provided by the client that in turn matched the general ledger. The following also reconciles: Quantity of finished goods at December 31, 2021

866,444

+ Total quantity of bagged products of finished goods    produced during 2022 – Quantity sold during 2022

5,237,416 (3,538,720)

Quantity of finished goods at December 31, 2022

2,565,140

Perform the Audit Data Analytics The audit team first used ADA to summarize the relevant annual changes shown in Illustration 7.12. The analytical procedures performed in audit planning reveal that in addition to the increase in the cost of finished goods, quantity has also substantially increased. The average cost by weight of the inventory has decreased, which is consistent with additional fruit rescues being performed with favorable fruit pricing. Further, the estimated number of days to sell inventory more than doubles in a year. This indicates that, on average, the additional finished goods from extra fruit rescues may take substantially longer to sell. It also highlights the need for a detailed analysis by individual product.

2021

2022

Annual Increase

$3,883,046

$10,180,954

162%

Quantity of finished goods at year-end

866,444

2,565,140

196%

Weight (pounds) of finished goods at year-end

921,327

2,613,676

184%

$4.21

$3.90

−8%

2,521,694

3,538,720

40%

125.4

264.6

111%

Cost of finished goods at year-end

Average cost per pound Quantity sold during year Estimated number of days to sell   [(Finished goods quantity ÷ Quantity sold) × 365]

ILLUSTRATION 7.12  

Finished goods and quantity sold for 2021 and 2022

7-22  C h a pte r 7  Audit Data Analytics

The initial analysis presented averages over 240 products. Illustration 7.13 presents the results from a more detailed analysis that considers each product separately. Recall that although the products have a 2-year best before date, distributors generally do not purchase inventory that is older than 1.5 years (that is, with less than 6 months remaining of best before). Therefore, for products to be sold through distributors (as well as retail), the estimated number of days to sell is expected to be less than 547.5 days [(18 ÷ 12) × 365]. Consequently, as per the first level of the risk analysis decision tree (Illustration 7.8), any products with estimated days to sell greater than 547.5 have been highlighted in yellow, indicating “Does Not Fit the Auditor’s Expectation.” Any products with values of more than $500,000 have also been flagged if they have days to sell greater than 182.5 (half a year). The shorter expectation is because of the importance of these products in value terms, as they are individually over the performance materiality threshold limit of $500,000. $ 900

Total cost of finished goods on hand ($000)

ILLUSTRATION 7.13   Total cost of finished goods against estimated days to sell for each product and by year (December 31, 2021 and 2022)

700

500

Year 2021 2022

300

100 0 0.0

182.5

730.0 365.0 547.5 Estimated days to sell

912.5

Preliminary analysis shows many interesting facts that are observable in Illustration 7.13. Looking first at the previous year (2021), it is clear that finished goods on hand for most products is below $100,000, but that estimated days to sell can range up to just over one year (365). The majority of the products in 2022 have similar characteristics. However, in 2022 there are also a number of products that have much higher cost of finished goods on hand, as well as some with a notably longer estimated selling time. Further, all the products that are outside of expectations in the yellow highlighted region are from 2022. In 2022, there are 51 products out of 240 (21.2%) that have fallen outside of the auditor’s expectations. Furthermore, some are well outside of expectations with more than 730 (2 years) estimated days to sell, longer than the best before duration. It is now clear that the changes in finished goods are driven by a minority of products, rather than a common increase in all products. In fact, the 51 products only represent a small number of fruits: 30 Apple products, 9 Blueberry products, 8 Apricot products, and 1 Banana, 1 Mango, 1 Tomato, and 1 Cherry product. This is consistent with the client’s statement that it undertook large-scale fruit rescue opportunities for specific fruits in 2022. The 51 products identified as notable items now need to be processed through the next level of the risk analysis decision tree to determine whether each of them is an acceptable or unacceptable variation from expectation. When the results were presented to the client, management commented that many of its products are expected to have substantial increases in sales volume in 2023 because until now supply has not met demand. The auditor noted that

 Applying Audit Data Analytics as a Risk Assessment Procedure  7-23

100% of the inventory on hand at December 31, 2021, was sold during 2022. Evidence was also found in the sales department of orders that could not be filled during the first six months of the year. It can also be seen from Illustration 7.14 that the total production of finished goods in 2022 primarily occurred late in the year, which means that the business is quite seasonal, and a significant amount of the 2022 production would be expected to be sold in 2023. 31% 1,500

Quantity (in thousands)

ILLUSTRATION 7.14  

29%

Production of bagged products (finished goods) in 2022

20% 1,000

11% 500 6% 3% 0

0%

0% 0% 0% 0% 0%

Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Month

Because the audit report was not expected until March 2023, the audit team decides to look at notable items with hindsight, so they extract additional information to determine what sales in the first two months of 2023 indicate about the rates of sale for 2023. Illustration 7.15 is the same as Illustration 7.13 with the exception that the items indicated in dark blue represent items that should sell within 365 days based on sales in the first two months of 2023. These represent 25 of the 51 notable items. ILLUSTRATION 7.15  

Total cost of finished goods on hand ($000)

$ 900

Copy of Illustration 7.13 with highlighted notable items that are selling in January and February of 2023 at a rate that indicates their estimated days to sell is less than 365 days (shown in dark blue)

700

500

Year 2022 2023

300

100 0 0.0

182.5

730.0 365.0 547.5 Estimated days to sell

912.5

7-24  C h a pte r 7  Audit Data Analytics

Of the remaining 26 notable items in the yellow highlighted region, the item with the highest total cost and the other 25 items sum to a total cost of $373,748.90. The notable item with the highest total cost is found to be 3-pound bags of Organic Cherry; its key details are described in Illustration 7.16. The cost per pound has dropped by 20%, which matches the cost motivation for conducting large fruit rescues. In the first two months of 2023 (59 days), 4,238 of these products have been sold. If this rate were to continue, it would take 540 days [(38,750 ÷ 4,238) × 59] to sell the finished goods inventory from December 31, 2022. Although high, this period is marginally within the initial threshold of 18 months (547.5 days) to allow for a product to be sold through distributors as well as retail. ILLUSTRATION 7.16   Finished goods and sales summary for 3-pound bags of Organic Cherry

Jan.–Feb. 2023

2021

2022

$145,555

$892,800

Quantity of finished goods at year-end

5,054

38,750

Cost per pound

$9.60

$7.68

30,500

31,000

4,238

60.5

456.3

539.5

Cost of finished goods at year-end

Quantity sold during the period Estimated number of days to sell

Evaluate the Results and Draw Conclusions The audit team has thoroughly investigated the fact that total finished goods inventory increased more than 196% in 2022, while sales only increased by 40%. The audit team is most concerned about the net realizable value of inventory. Initially, 51 products were notable items because they are estimated to take much longer than 18 months to sell based on past sales levels. However, the client is trying to break new ground and substantially increase its scale. The client has increased inventory, at a lower cost per pound, because it believes that there is unmet demand for its products, which will result in a large increase in 2023 sales. An analysis of sales for the first two months of the year indicate that 25 of these 51 notable items are selling at a pace where they are likely to be sold within one year. The remaining 26 notable items are of concern, but the client is not at risk of writing down the value of this inventory in the next 12 months. Most of these items were produced within the last six months, and the client has between 12 and 16 months to liquidate this inventory. As a result, the audit team determined that there was not a net realizable value issue at this time. However, the auditors discussed with the client their findings and concerns about the 26 products that are at risk of not being sold in sufficient time. In addition, the auditors recommended that items with more than a 365-day supply be classified as long-term inventory. The client agreed to monitor quantities of these 26 products on a monthly basis. Further, the client recognized that it must evaluate quantities of inventory on hand when considering purchases of raw fruit during the 2023 production process. The client also agreed to report certain inventory as long-term inventory. The audit team also raised a separate concern about how the increase in inventory had been funded, and the effect of growing inventory on the client’s cash flow. The audit team discovered that capital had been raised from an existing owner and a new investor, and that the inventory growth was funded primarily with investments from new owners rather than from a drawdown of existing cash reserves.

Audit Reasoning Example  Multiple Transactions Below a Key Threshold Bill Cannon is working on an audit of an advertising agency. The entity’s primary expenditure is purchased advertising (radio, TV, online, billboard, and other physical advertising) for clients. Department managers are able to purchase advertising at their own discretion below a $1,000 threshold. Advertising purchases above $1,000 need a second level of approval. When Bill analyzes advertising expenditures for the agency, he finds the following frequency of purchases in the first nine months.

 Applying Audit Data Analytics as a Risk Assessment Procedure  7-25

Histogram of Invoices 1,500

Frequency

1,000

500

0

0

1,000

2,000 3,000 4,000 Invoice amounts ($000)

5,000

$6,000

While many of the advertising agency’s clients are small and have limited budgets, Bill is surprised to find such a large number of small purchases. Further investigation reveals the following:

Histogram of Invoices Less than $1,000 800

Frequency

600

400

200

0

0

200

400 600 Invoice amounts

800

$1,000

This further analysis shows a normal distribution of expenditures less than $800, and 32% of the expenditures are between $900 and $999. Bill subsequently finds that 95% of the advertising purchases are made by one advertising manager, with one online advertiser. What questions does this raise? Bill is concerned about the risk that the advertising manager may be intentionally circumventing internal controls by breaking up large purchases (greater than $1,000) into smaller purchases. Further, is the advertising manager getting any kickback from the online advertiser? As Bill talks this over with Shannon (the audit manager), Shannon is impressed with the level of professional skepticism that Bill has exhibited. Bill is pleased that audit data analytics allowed him to dig deeper to answer questions with evidence, rather than accepting a representation from the client. At this point, Bill and Shannon decide to bring this to the attention of the CFO of the advertising agency, and let management take the next step in the investigation. With respect to the audit of advertising expenses, Bill and Shannon believe that they cannot rely on the internal controls. After management completes its investigation, Bill and Shannon plan to proceed with a primarily substantive approach, completing their tests of transactions at year-end. In addition, they must look more carefully at other transactions approved by the advertising manager, as fraud risk just went up.

Matching Information in Key Data Fields Matching information in key data fields is a process whereby the auditor uses audit data analytics to search for key characteristics that may exist in several different databases. Often, the auditor uses this process with an expectation that there should be no matches. For example,

matching information in key data fields  the process whereby the auditor uses audit data analytics to search for key characteristics that may exist in several different databases

7-26  C h a pte r 7  Audit Data Analytics

the auditor would not expect an overlap between addresses in a vendor database and a payroll database as shown in Illustration 7.17. However, if segregation of duties is weak, there may be an opportunity for an employee to create a fictitious vendor, and the vendor address may match an employee’s address. Using audit data analytics to search for this type of evidence of fraud may be a useful technique if fraud risk is assessed as high. ILLUSTRATION 7.17   Example of searching for and finding unexpected matches is two data fields

Vendor Database

Vendor Addresses Unexpected Address Matches

Payroll Database

Employee Addresses

The matching process is illustrated in the context of work performed by an internal audit department in a U.S. state government. Illustration 7.18 identifies key characteristics of this ADA application. Once again, the five-step process for ADA will be used in conjunction with the risk analysis decision tree. The state has approximately 10 million citizens, and its government currently employs about 125,000 people across all its divisions. More than 500,000 citizens receive some type of benefit from the state government (e.g., unemployment benefits). The audit period covered by this ADA is the 2021–2022 fiscal year from July 1, 2021, to June, 30, 2022. ILLUSTRATION 7.18  

Overview of matching example performed by a state government internal audit department

Business Environment U.S. state government internal audit department

Concern

Account(s)

To ensure that government employees are not receiving a paycheck and a government benefit; if an employee is receiving both at the same time, this is considered fraud

• Payroll Expenses

Broad ADA Audit Objective Uncover fraud

• Benefit Expenses

Plan the Audit Data Analytics According to the publicly disclosed conditions of the benefit plans offered, it is not possible for any employee of the state government currently receiving wages or salary to be eligible for any benefits. Given the large number of employees and benefit recipients, the internal audit team wants to verify whether anybody is receiving payments from both sources at the same time and thereby possibly defrauding the state government. The audit team plans to use this ADA to investigate the employee and beneficiary populations to see whether this is the case. This involves investigating hundreds of thousands of people receiving multiple payments during the 2021–2022 fiscal year. Analyzing such populations is not feasible by hand but has been made possible by ADA. The state government internal audit team uses IDEA software to assist with its ADA. As this ADA involves matching populations of data (employees and benefit recipients), a key decision is what field(s) to use to perform the matching. Although not always possible, it is ideal to have a common field that is unique for each data point (or person in this case). Both employees and benefit recipients are required to provide their social security number (SSN) in order to receive payments. Furthermore, SSNs are unique by design, so they are an ideal field for matching. The ADA is concerned with both types of payments being made to the same SSN during the 2021–2022 fiscal year. This could be discovered by analyzing the payment data, but the audit team has decided to first check whether there is any overlap with SSNs between all employees and all beneficiaries. If there is overlap, then the payment data will need to be investigated. If there is no overlap, then the larger task of analyzing payments is not required.

 Applying Audit Data Analytics as a Risk Assessment Procedure  7-27

Access and Prepare the Data for Audit Data Analytics First, an employee master file is needed. However, there are 20 different divisions within the state government, and each maintains its own employee file. Furthermore, each division maintains two lists: one for salaried employees and another for employees who receive hourly wages. Thus, there are 40 files that need to be combined. The auditor obtains all 40 and imports them into IDEA. The salary files have slight differences between them, particularly between salaried and hourly employees, but all have Employee Number, SSN, Name, and Address fields in a consistent format. The unique state-governmentissued employee number is used for internal identification purposes, such as for payment transactions. The auditor verifies that the SSN field is mandatory, which correctly means that it cannot be empty. Given that no other information is needed to perform the matches in this ADA, the files are merged into an Employee Master List that comprises SSNs for all employees from the entire state government, both hourly and salaried, using IDEA’s Append Database functionality. A master file of benefit recipients including their SSN is now needed to compare with the Employee Master List. Unlike employee lists, the Welfare division maintains central lists of benefit recipients. However, separate lists are kept for each of the 17 different benefit schemes. The auditor determines that all files have Beneficiary Number, SSN, Name, and Address fields in a consistent format, and once again that the SSN field is mandatory. Thus, using the same approach as for the employee files, the auditor appends the 17 files together to create a Beneficiary Master List that comprises SSNs for all recipients of benefits. The control systems should not allow any employee or beneficiary to exist without an SSN, but it is valuable to check, particularly since it is quick and easy in IDEA. As expected, no missing values were detected. The auditor also verifies access to: •  The Payroll Wages data set and the Payroll Salaries data set, which contain details of the payments, including dates, paid to employees from all 20 divisions. •  The Benefits Paid data set that contains details of all benefit payments (from all schemes) and when they were paid. The auditor noted that none of these data sets contained the SSN, but they did contain the internal identifier Employee Number (EMP_NUM) or Beneficiary Number (BENF_NUM), which can be used to link them to the master lists that contain SSNs. However, this is not necessary if no matches are found in employees and benefit recipients with the following exception: The auditor needs to verify that no payments have been made to employees or benefit recipients that are not in the master files just created. The control systems should prevent this from happening, but once again it is important to check to ensure the reliability of the results of this ADA. As expected, all payroll payments were made to employees in a master list, so the ADA can proceed. Further, all benefit payments were made to individuals on the benefits master file.

Evaluate the Relevance and Reliability of the Data Used The auditor’s evaluation of the relevance and reliability of the data obtained is summarized in Illustration 7.19. ILLUSTRATION 7.19   Evaluation of relevance and reliability of information obtained

Nature of the data

The following data sets were obtained and imported into IDEA: •  Salaried employee list from each of the 20 divisions. •  Hourly employee list from each of the 20 divisions. •  Benefit recipient list for each of the 17 benefit plans from the Welfare division. •  Payroll Wages, Payroll Salaries, and Benefits Paid from the Finance division.

Source of the data

All the data comes from the 20 divisions within the state government.

Process used to produce the data

IDEA was used to perform all data preparation and analysis. (continued)

7-28  C h a pte r 7  Audit Data Analytics ILLUSTRATION 7.19   (continued)

Matters the auditor might consider in determining the nature, timing, and extent of procedures to perform regarding whether data is sufficiently reliable

The IT general controls have previously been tested and found effective for all 20 divisions by the internal audit team.

Procedures regarding data reliability an auditor may consider performing

The internal audit team has: •  Verified that the payment data obtained is the same data used to prepare the financial statements. •  Checked for and found no duplicates in the data sets used in this analysis. •  Checked for and found no people in the data sets with missing SSNs nor payments made to people not on the payroll master file.

Perform the Audit Data Analytics The audit team used IDEA to perform the matching based on SSNs. The resulting data was not empty but contained eight matches as shown in Illustration 7.20. While there was a match in the SSN field, the full SSN number was not printed for privacy reasons. It is noteworthy that employee Adrian Queen has a different name as a beneficiary (Adrian McQueen). This is suspicious and will be discussed later in the ADA. ILLUSTRATION 7.20   Match SSN employee benefit data set—the result of matching employee master list and beneficiaries master list by SSN

EMP_NUM

EMP_FNAME

EMP_LNAME

SSN

BENF_NUM

BENF_FNAME

BENF_LNAME

E0100013

Steve

Roger

XXXXX3122

B02913784

Steve

Roger

E0030230

Vanessa

Rodreges

XXXXX1780

B01284130

Vanessa

Rodreges

E0134995

Adrian

Queen

XXXXX1246

B0226012

Adrian

McQueen

E0039616

Taylor

Blue

XXXXX9622

B0240748

Taylor

Blue

E0013018

Mark

Muller

XXXXX8073

B0193545

Mark

Muller

E0088492

John

Molman

XXXXX9991

B0403283

John

Molman

E0085311

Alana

Hopman

XXXXX5756

B0252775

Alana

Hopman

Given that matches have been found, the next step is to analyze payments to the matching SSNs during the 2021–2022 fiscal year. The result is 119 payments that include only seven people. These 119 payments are notable items as they do not fit the auditor’s expectation that benefits and wages/salary would not be paid to the same SSN. These notable items are now investigated further to determine whether they are acceptable variations consistent with the second level of the risk analysis decision tree. This was done by visual analysis of the dates of the payments; if there is no overlap between benefit payments and wage/salary payments, then it is acceptable. For example, a person might have switched from being initially eligible for benefits to later working for the state government, or vice versa. Illustration 7.21 shows all the payments to Vanessa Rodreges during 2021–2022 and some of the payments to Adrian Queen. Note that all types of payments are made on the 15th or 30th of every month (28th in February), and benefits and wages are also paid on the 15th of each month. Vanessa Rodreges’ payments are acceptable as she receives benefits for a while and then receives wages as an hourly employee. Adrian Queen’s case (Adrian McQueen), on the other hand, is very different. He receives salary every month as an employee while at the same time receiving benefits under a slightly different name. This is clearly an issue that must be investigated. After conducting similar visual analysis for all seven employees, problems are identified with Adrian Queen and Alana Hopman, while the other five have acceptable payment patterns.

 Applying Audit Data Analytics as a Risk Assessment Procedure  7-29 ILLUSTRATION 7.21   Selected rows from the created payments match SSN 2021–2022 data set

EMP_FNAME

EMP_LNAME

Vanessa

WAGE_DATE

SAL_DATE

BENF_DATE

PAY_DATE

SSN

Rodreges

03/15/2022

03/15/2022

XXXXX1780

Vanessa

Rodreges

03/30/2022

03/30/2022

XXXXX1780

Vanessa

Rodreges

04/15/2022

04/15/2022

XXXXX1780

Vanessa

Rodreges

04/30/2022

04/30/2022

XXXXX1780

Vanessa

Rodreges

05/15/2022

05/15/2022

XXXXX1780

Vanessa

Rodreges

05/30/2022

05/30/2022

XXXXX1780

Vanessa

Rodreges

06/15/2022

06/15/2022

XXXXX1780

Vanessa

Rodreges

06/30/2022

06/30/2022

XXXXX1780

07/30/2021

XXXXX1246

08/15/2021

XXXXX1246

08/30/2021

XXXXX1246

… Adrian

Queen (McQueen)

07/30/2021

Adrian

McQueen (Queen)

Adrian

Queen (McQueen)

Adrian

McQueen (Queen)

08/30/2021

08/30/2021

XXXXX1246

Adrian

McQueen (Queen)

09/15/2021

09/15/2021

XXXXX1246

Adrian

Queen (McQueen)

09/30/2021

XXXXX1246

Adrian

McQueen (Queen)

09/30/2021

XXXXX1246

08/15/2021 08/30/2021

09/30/2021 09/30/2021 …

Evaluate the Results and Draw Conclusions By matching SSNs, this Risk Assessment ADA identified eight people who are on both a list of employees and a list of benefit recipients, and 119 notable items were identified as payments during 2021–2022 to these seven SSNs. These items did not fit expectations as the benefit plan criteria and internal controls should make it impossible for an employee to be eligible for benefits. Deeper analysis revealed five people had acceptable payment patterns with no overlap in benefits and wages/salary, and two people had unacceptable payment patterns with overlapping payments. Although the auditors did not use a visualization to conduct the ADA, they developed Illustration 7.22 to summarize the findings for their report to the Chief Auditor of the state.

Payment type:

Benefit

Salary

Wage

Salary and benefit

Steve Roger Vanessa Rodreges Adrian Queen Taylor Blue Mark Muller John Molman Alana Hopman Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr May Jun

ILLUSTRATION 7.22   Visualization of 2021–2022 payments to matching SSNs

7-30  C h a pte r 7  Audit Data Analytics

The two unacceptable cases of Adrian Queen and Alana Hopman were thoroughly investigated at the end of this ADA because false payments can easily amount to material sums of money over time. As shown in the visualization, Adrian Queen starts and ends the fiscal year receiving only salary, but in the middle receives benefits and salary at the same time. The investigation revealed that Adrian works as a salaried employee in the Welfare division and had been approving benefit payments to himself. In an interview, he disclosed that he thought avoiding receiving benefits in the first and last period of the fiscal year reduced his likelihood of getting caught. The name change to Adrian McQueen for receiving benefits was another attempt to conceal his wrongdoing. Alana Hopman, another salaried employee in the Welfare division, discovered Adrian’s wrongdoing in October. She confronted Adrian, who in an attempt to avoid being reported taught Alana how to do it to receive extra money. This explains why, from the end of November, Alana also started to receive both benefits and salary. In addition to following through on Adrian’s and Alana’s cases of wrongdoing, the audit team also concluded that an investigation is needed immediately into the control system failure that allowed these two employees to make changes to the benefit master file and approve benefit payments to themselves. In this case, the matching process utilized by a state internal audit department identified fraud on the part of two state employees.

Regression Analysis regression analysis  a statistical process that involves estimating a prediction equation that expresses an item of interest (commonly known as the y or dependent variable) in terms of other data fields (the x or independent variables)

Regression analysis is a statistical process that involves estimating a prediction equation that expresses an item of interest (commonly known as the y or dependent variable) in terms of other data fields (the x or independent variables). Auditors can use such a prediction equation to inform their expectations and then compare them against actual figures in search of notable items. Consider an auditor analyzing revenue as part of a risk assessment procedure. Revenue might be strongly seasonal, as it is for many retailers, in which case the auditor might expect revenue to follow a time-series regression that is based on the trend and seasonality in historical revenue figures. On the other hand, revenue might be strongly related to the level of internet traffic for a purely online business, in which case the auditor might expect revenue to follow a regression that is based on the numbers of page views or hits. As part of ADA, the following steps should be used for regression analysis: 1. Estimate the prediction equation using data that is not currently being audited (usually historical data). 2. Validate the prediction equation from a business logic point of view based on the auditor’s knowledge of the client, the industry, and the data being analyzed. Make modifications to Step 1 as needed. 3. Validate the prediction equation from a statistics point of view. Make modifications to Step 1 as needed. 4. Use the regression equation to make predictions for the data currently being audited. 5. Compare the predicted values (auditor’s expectation) with the actual values. 6. Any values that are unacceptable variations should be treated as notable items and be investigated further according to the risk analysis decision tree (Illustration 7.8) to determine whether (i) their unusual characteristics are acceptable because they are underpinned by a valid business reason that can be substantiated or (ii) whether there is a risk of a material level of misstatement. Notice how business acumen is a key part of this analytical procedure (in Steps 2 and 6). Estimating a linear (straight-line) regression is the most common approach. There are also a vast number of more complex regression models should a linear regression not be appropriate. All well-known analytics packages can perform linear regression, and more advanced packages are also able to perform other regressions, such as logistic regression and other generalized linear regressions, local regression, time-series regressions, and more. Ultimately,

 Applying Audit Data Analytics as a Risk Assessment Procedure  7-31

the auditor should choose the most appropriate regression model for the problem—a more complex model will provide worse results if it is not the most suitable model. In fact, simple models often perform very well. The simplest regression is where the prediction equation is the average of the data. Even this model can be useful. Insurance premiums for a large, mature company are likely akin to fixed costs that could be predicted well by their average. In this case, the auditor might flag any observations that fall outside of two standard deviations as notable items. About 95% of the data falls within two standard deviations of the mean if the data is approximately normally distributed, and even if it is not, there should still be at least 75% of the data (using Chebyshev’s Theorem). The use of regression analysis as an ADA technique can be illustrated in the context of an analysis of passenger service expenses in the audit of G&J Airlines. Illustration 7.23 identifies key characteristics of this ADA application. Once again, the five-step process for ADA will be used in conjunction with the risk analysis decision tree. Here, regression analysis is used as a general risk assessment tool. The focus is on transactions recorded during the year, and misstatements could arise from any assertion. The audit period covered by this ADA is the year ended December 31, 2022.

ILLUSTRATION 7.23   Overview of airline example

Business Environment

Concern for Risk of Material Misstatement

Regional airline in the United States

Potential for under- or overstatement of passenger expenses based on relationship to number of passengers (using information in the database on number of passengers).

Account(s) Passenger Service Expenses

Financial Statement Assertion Completeness, occurrence, accuracy, cutoff, or classification of passenger service expenses

G&J Airlines is a regional airline in the United States. Over the past five years, the average quarterly revenue was $660 million. Although the airline is not a public company, its financials are audited annually to support debt financing. G&J Airlines has a December 31 year-end, and the audit associated with this application of ADA focuses on the year 2022. In this example, the five-step process for ADA will be used in conjunction with the risk analysis decision tree (Illustration 7.8) to investigate the level of passenger service expenses. Examples of such expenses include costs associated with cleaning aircraft, handling luggage, and passenger check-in. In total, all costs relating to processing and servicing passengers before, during, and after the flight should be coded as passenger service expenses.

Plan the Audit Data Analytics Some financial values have consistent patterns over time, such that deviations from that pattern might be notable items. In this example, quarterly data were made available to the auditor. No expected quarterly patterns for passenger service expenses over time were known to the auditor, so the audit team decided to explore historical data to determine if there were any clearly noticeable patterns. To this end, the audit team produced the time-series plot shown in Illustration 7.24. It appears that there may be some seasonality to the data and a slow increasing trend, but overall there are no clearly noticeable features that could be used from an audit expectations standpoint. Instead of exploring the data, the auditors thought more about their expectations for passenger service expenses. They concluded that they expected there to be a substantial fixed-cost component, as well as a variable-cost component strongly linked to the number of passengers. The audit team proceeded to plan the ADA based on this expectation.

Broad ADA Objective Search for unacceptable variations from expected patterns

7-32  C h a pte r 7  Audit Data Analytics Quarterly cost of passenger services ($000)

ILLUSTRATION 7.24  

Quarterly passenger service expenses of G&J Airlines over time

$25,000 20,000 15,000 10,000 5,000 0 Q1 2014

Q1 2016

Q1 2018

Q1 2020

Q1 Q4 2022

Historical data prior to the financials to be audited (2022) was used to develop a linear regression model that predicts passenger service expenses based on an intercept term (fixed cost) and the number of passengers (variable cost). This model would then be used to predict the passenger service expenses in 2022 based on the passenger numbers. These predictions represent the audit team’s expectation and are compared to the actual figures as per the risk analysis decision tree (Illustration 7.8). Performance materiality for this analysis has been set at $15 million. For this ADA, the audit team used the R data science programming language that is available for free. Other spreadsheet and statistical programs are also able to complete the analysis.

Access and Prepare the Data for Audit Data Analytics G&J Airlines have made quarterly data available even though only the annual financials are being audited. Current and historical data for passenger service expenses and passenger numbers have been provided in a spreadsheet. As the data was clean, the auditors proceeded to document their evaluation of the relevance and reliability of the data.

Evaluate the Relevance and Reliability of the Data Used The auditors’ evaluation of the relevance and reliability of the data obtained from the client is presented in Illustration 7.25.

ILLUSTRATION 7.25   Evaluation of relevance and reliability of information obtained from the client

Nature of the data

Quarterly data from the first quarter of 2014 to the fourth quarter of 2022 was obtained from the client regarding: •  Passenger service expenses. •  Passenger numbers.

Source of the data

All the data comes from the client.

Process used to produce the data

The client’s accounting database for costs contained the expense information, while the database of operational information housed the passenger numbers data.

Matters the auditor might consider in determining the nature, timing, and extent of procedures to perform regarding whether data is sufficiently reliable

The client has a well-defined process of recording the number of passengers on each flight in the database of operational information and then aggregating them for a reporting period. This process has been tested and verified by the auditor. The audit team has also previously tested and found effective the IT general controls and internal controls over the accounting and operational databases.

Procedures regarding data reliability an auditor may consider performing

The audit team verified that the quarterly expense data supplied reconciled with the annual data being audited.

 Applying Audit Data Analytics as a Risk Assessment Procedure  7-33

Perform the Audit Data Analytics Illustration 7.26 is a plot of quarterly passenger service expenses against the corresponding total number of passengers. There appears to be a noticeable linear relationship.

Quarterly cost of passenger services ($000)

Historical

Current year

ILLUSTRATION 7.26  

Passenger service expenses against passenger numbers

$25,000 20,000 15,000 10,000 5,000 0 0

3,000 4,000 1,000 2,000 Quarterly passenger numbers (’000)

The next step after visually observing a linear relationship is to confirm by estimating a linear regression. The regression model must be estimated based only on the historical data to ensure it can be used to make predictions for the current period. The resulting regression equation is: Predicted passenger service expenses = $9,794,630.16 + ($2.48 × Number of passengers) This regression indicates that quarterly passenger service expenses has a fixed-cost component that is almost $10 million and a variable cost component of approximately $2.48 per passenger. It is important to verify that the model makes logical sense to the auditors given their knowledge of the business and the industry. In this case, the model is suitable and consistent with expectations formed in the planning stage (see “Plan the Audit Data Analytics” earlier in this section). Furthermore, both coefficients are highly statistically significant (meaning that they are reliably not zero) as shown by the t-statistics and p-values in Illustration 7.27. The auditors also conducted appropriate tests and did not find any clear violation of linear regression model assumptions.

Intercept Quarterly passenger numbers

Coefficient

t-Statistic

p-Value (twosided)

9,794,630.16

7.15

0.00000005

2.48

5.35

0.000008

The auditors then proceeded to use the model to calculate expectations for 2022. As an example, if there were 3 million passengers in a quarter, then using the regression model the auditor would expect just over $17 million in passenger service expenses: $9,794,630.16 + ($2.48 × 3,000,000) = $17,232,111.45 However, performing an exact comparison between expectations and actual figures results in every quarter being a notable item, because they do not match the auditor’s expectation exactly (even if they are very close). Thus, the concept of acceptable variations from the risk analysis decision tree needs to be introduced. In this case, the audit team calculated a 95% prediction interval for each quarter in 2022. If the actual value fell outside of that interval, then it was deemed an “Unacceptable Variation from Auditor’s Expectation.” Illustration 7.28 shows the results.

ILLUSTRATION 7.27  

Results of linear regression model to predict quarterly passenger service expenses

7-34  C h a pte r 7  Audit Data Analytics Historical

ILLUSTRATION 7.28  

Quarterly cost of passenger services ($000)

Result of regression-based ADA for G&J Airlines

Simple regression line 95% prediction interval

Current year

$25,000 20,000 15,000 10,000 5,000 0 0

3,000 4,000 1,000 2,000 Quarterly passenger numbers (’000)

Evaluate the Results and Draw Conclusions Based on business logic, the audit team developed expectations that the passenger service expenses should be related to passenger numbers. This relationship was validated with data and a linear regression model was estimated and used to form expectations for the four quarters of 2022 currently being audited. This risk assessment ADA identified two quarters (Q2 and Q3) that are unacceptable variations from the auditor’s expectation and that are at risk of being overstated. Furthermore, given these quarterly costs are in excess of the $15 million threshold for performance materiality (as per the third level in the risk analysis decision tree), they need to be investigated further. An investigation into these two quarters revealed the reason for their unusually high values is that some fuel costs had been miscoded as passenger service expenses—approximately $4 million in Q2 and $3.2 million in Q3. Once these figures were correctly coded, all passenger service expenses were well within their 95% prediction interval. The investigation further revealed that all of the miscoding had been performed by Steve Baxly, a new employee. As a result of this ADA, Steve was informed that fuel expenses are not passenger-related and have their own expense code. Steve’s manager has also informed the audit team that they are reviewing the new staff training procedures to make sure this error does not happen again with new employees. Finally, the audit team increased control risk with respect to tests of the classification assertion in the purchases process, decreased detection risk, and increased the scope of substantive testing to look further for potential of classification misstatements.

Visualization visualization  the representation of a data set, or key information, as a chart or other image

Visualization is the representation of a data set, or key information, as a chart or another image. Computers do not need visualizations. Instead, visualizations are produced to reveal information to people. “Visualization is a fundamentally human activity” is how Garrett ­Grolemund and Hadley Wickham put it in their recent data science book.4 Good visualizations have the following characteristics: •  F  acilitate people making visual comparisons between data elements. This can help auditors to identify patterns, deviations from patterns, and outliers in the analysis stage of ADA. •  Are generally understood by a wider audience. Visualizations reduce the message to its core components and use minimal, or no, jargon. This is particularly useful to auditors because they have to present findings to business people with varied backgrounds. This benefit is also applicable to auditors sharing the results of ADA with the rest of the audit team who will not be as familiar with ADA as the auditor who performed it. 4

G. Grolemund and H. Wickham, R for Data Science (O’Reilly, 2017), Chapter 2.

 Applying Audit Data Analytics as a Risk Assessment Procedure  7-35

•  Communicate a lot of information efficiently. There is truth to the saying a picture is worth a thousand words. A popular statistics textbook5 refers to a research finding that managers in meetings reach a consensus 25% faster when shown presentations that include graphics. Managers are extremely busy people, and so auditors will benefit from being able to communicate their findings efficiently. Once again, a similar logic applies to auditors communicating findings within an audit team. •  Are likely to be better remembered. In the book Brain Rules, John Medina6 talks of vision being the top-ranked sense and that the human brain excels at remembering pictures. Having a strong recollection of the findings from ADA is useful to the auditor when combining the large number of findings to make sense of the audit as a whole. It is also useful for clients (and any other stakeholders) to better remember what auditors are trying to tell them. In the context of ADA, a visualization can be used to assist with the analysis, to communicate findings effectively and efficiently, or both. Just as is the case for the benefits, the risks associated with visualizations are related to their association with people. There are risks when visualizations are created in isolation. Visualizations are excellent at summarizing results, but they generally do not provide precise figures or tests of statistical significance that are often needed in ADA. That is, they should be used in combination, not isolation. An excellent visualization of an otherwise poor ADA is not useful. Even a beautiful visual as part of a good ADA is useless if it has no purpose. On the other hand, an excellent visualization that is integrated into a well-defined and well-executed five-step ADA can add tremendous value. There is also a risk that the pretty visualization will be remembered rather than the message it was intended to convey. Auditors need to focus viewers on the substance, not the form, of the visualization. Current software makes it very easy to create complex visualizations, but they are not always appropriate. For example, three-dimensional graphs are rarely needed because they are relatively difficult to interpret. Usually, all the information can be displayed in a standard two-dimensional graph. The lesson is to use the graph that is best suited to the need of the ADA. This requires business acumen and equally applies to simple cases. In the advertising agency example (see Audit Reasoning Example “Multiple Transactions Below a Key Threshold” from earlier in the chapter), a simple histogram was a well-suited visualization. Even then, without the proper business acumen, the ADA could have concluded that there were no notable items based on the first histogram. However, what was needed was a more detailed analysis of smaller amounts, so a second histogram was produced. The most appropriate visualization to use and the best parameters to use for that chosen visualization should be decided on a case-by-case basis. It is also important to acknowledge that there are inherent limitations with visualizations because people can only view three dimensions, but it is easily possible to have a regression or clustering based on four, or more, data fields. Visualizations can also easily be misleading. Illustration 7.29 presents an alarming picture of revenue dropping.

Annual revenue (in $ billions)

Crisis: Major Drop in Revenue

2018 5

2019

2020

2021

2022

G. Keller, Statistics for Management and Economics 11e (Cengage Learning: Stamford, CT, 2017), p. 14. J. Medina, Brain Rules (Updated and Expanded): 12 Principles for Surviving and Thriving at Work, Home, and School, Second Edition (Pear Press: Seattle, WA, 2014). 6

ILLUSTRATION 7.29   Example of a misleading graph

7-36  C h a pte r 7  Audit Data Analytics

However, using identical data, Illustration 7.30 reveals that revenue is in fact extremely stable and that the misleading figure was produced by manipulating the vertical axis and then removing the information that would reveal the manipulation. Auditors need to guard against this by using professional skepticism whenever viewing visualizations produced by others. When producing visualizations, it is important to remember that a good visualization is clear and well-labeled, concise and informative, accurate and not misleading. $50.0

$50

Annual revenue (in $ billions)

Undistorted axis example (left panel) and distorted axis with labels example (right panel)

Very Consistent Revenue Annual revenue (in $ billions)

ILLUSTRATION 7.30  

40 30 20 10 0

2018

2019

2020

2021

2022

Crisis: Major Drop in Revenue

49.8 49.6 49.4 49.2 49.0

2018

2019

2020

2021

2022

Let us consider some of the visualizations already presented in this chapter to see these benefits and risks in practice. The dried fruit case was an example of visualizations being used to enhance analysis and communicate results to the client (Illustrations 7.13, 7.14, and 7.15). As part of the analysis, the auditor used this visualization to help identify common patterns in inventory turnover and outliers from those patterns. Even though the visualization was useful as an analysis tool, the auditor still needed numbers for precise analysis, which were presented in tables in the example. The visualization helped to understand the bigger picture—it helped to see the forest but was not the correct tool for viewing individual trees (individual dried fruit products in this example). Visualizations were also used for dual purposes in the G&J Airlines example (Illustrations 7.26 and 7.28). The results of the regression and the prediction intervals were shown visually for the auditor to easily identify notable items, but it was also used to tell the story to the client. This visualization (Illustration 7.28) effectively presents a lot of information: the historical data, current data being audited, the expectations as per the regression’s predictions, and the prediction intervals that clearly identify any points with unacceptable variations from expectation. None of this needs to be explained in text, as it is evident from the visualization. Another key lesson from this ADA is that not all visualizations are useful. Initially, a timeseries graph was produced, but it was not appropriate for this ADA. When additional business acumen was applied, the more suitable regression analysis was chosen. In contrast to the other examples, no visualizations were used to conduct the analysis matching welfare benefit disbursements with payroll disbursements as part of a state government internal audit. In that example, IDEA software was used to process hundreds of thousands of records looking for matches; that is, to “find the needle in the haystack.” A visualization was still useful as a means of reporting the results to superiors. When viewing the visualization (Illustration 7.22), it is easy to learn the payment patterns of all people with matching SSNs in the employee and beneficiary databases. These patterns would be difficult, and cumbersome, to describe in only text. As an exercise, you might like to try describing the payment patterns shown in Illustration 7.22 and see how difficult it is to convey all the information in that graph. This ADA is an example where a visualization was not useful in the analysis stage, but a wellsuited visualization was an effective and efficient way to communicate the results. Overall, a successful ADA is accomplished by all five steps in the process being done well and with sound reasoning. It is clear that visualizations are a necessity in the ADA tool box. They can help with analysis and communicate results, but they are not the correct tool to solve every ADA challenge. Visualizations are tools to enhance the five-step ADA process, not replace it.

  Using Audit Data Analytics as a Substantive Test  7-37

Before You Go On 4.1  What is clustering? How is clustering used as a risk assessment tool? 4.2  What is the goal of using ADA to find matches in two large populations? 4.3  Explain how the auditor would use regression analysis to identify notable items. 4.4  What should be accomplished with good visualizations?

Using Audit Data Analytics as a Substantive Test Lea rning Objective 5 Explain how audit data analytics is used as a substantive test. A number of substantive tests of details involve matching information in the accounting rec­ords with information on underlying documents. For example, an auditor might perform a vouching procedure whereby the auditor vouches the quantities on a sales invoice to the quantities on underlying shipping documents, the existence of a bill of lading, and the prices compared to the sales order. In another example, if a confirmation of an accounts receivable balance is not returned by the customer, the auditor might validate the receivable by looking at evidence of subsequent cash receipt in the amount of the billing to the customer. Today, these previously paper documents have been transferred to electronic form. It is appropriate for the auditor to compare electronically what was previously compared manually. Further, the auditor should make the same judgments about the relevance and reliability of information when making an electronic comparison as the auditor would consider when making a manual comparison. AU-C 315.A61–.A64 provides a discussion about how the use of information technology results in benefits and risks that may affect the reliability of data. AU-C 500.A27–.A34 provides a general discussion about the relevance and reliability of evidence. When the auditor is performing ADA as a substantive test of details of a population of transactions or balances, the auditor will have evaluated inherent risk and will likely have performed tests of controls to assess control risk. Therefore, the auditor will most likely perform ADA as a substantive test when the auditor has performed tests of controls and concluded that the entity has: •  Strong IT general controls, including strong access controls. •  Strong IT application controls related to the assertion being tested. •  Strong controls over electronic data interchange and the exchange of electronic information about a transaction between the client and its customers or suppliers. If the auditor is performing substantive tests at an interim date, the auditor must perform steps to update the conclusion to the date of the financial statements. This roll-forward process is discussed in more detail in Chapter 9. Finally, if the auditor finds a misstatement when performing substantive tests, the auditor needs to evaluate (1) the materiality of the misstatement found, and (2) whether the misstatement provides evidence of a weakness in internal controls. If the evidence about internal controls does not support a previous conclusion regarding internal controls, the auditor should reassess internal controls at a higher level and reevaluate the implications of a high control risk assessment on detection risk and the auditor’s audit strategy. The following section provides an example illustrating the use of ADA as a substantive test.

7-38  C h a pte r 7  Audit Data Analytics

Before You Go On 5.1 Develop an example of a traditional manual comparison of information in a substantive test where the same process can be done electronically with ADA. 5.2 What conditions are normally present when an auditor plans to use ADA as a substantive test of details? 5.3 What should the auditor consider when ADA performed as a substantive test of details identifies misstatements?

Applying Audit Data Analytics as a Substantive Test Lea rning O bjective 6 Apply audit data analytics as a substantive test and evaluate the results. The use of ADA as a substantive test is illustrated in the context of an analysis of revenues and receivables at an electric power cooperative. Illustration 7.31 identifies key characteristics of this ADA application. Once again, the five-step process for ADA will be used as a substantive test. The focus is on validating revenue transactions recorded during the year and accounts receivable at December 31, 2022. Therefore, the assertions being tested are the occurrence of revenue transactions and the existence of receivables. It is possible that the test could uncover problems with the accuracy of revenues or the valuation of receivables at their gross amount.

ILLUSTRATION 7.31   Overview of electric cooperative example

Business Environment

Concern for Risk of Material Misstatement

Electric power cooperative

Potential for overstatement of revenues and accounts receivable.

Account(s) • Revenue • Accounts Receivable

Financial Statement Assertion

Broad ADA Objective

• Occurrence of revenues and existence of receivables

Substantive test

• Accuracy of revenues and valuation of receivables

Validating Sales Revenue and Accounts Receivable with Subsequent Cash Receipts The following example illustrates the five-step process for ADA to validate both sales revenue and accounts receivable when auditing the revenue process. In this example, the audit client is an electric power cooperative that delivers power to approximately 209,000 members. Most of the members are households in the electric utility district, and it has been difficult for the auditor to obtain confirmations from general consumers of electric power. The auditor plans to use ADA as a substantive test of details to validate both revenues and receivables by matching billings to members with subsequent cash receipts from members. The client has a December 31 year-end, and the audit report is expected in April of the following year. For the year-end December 31, 2022, the client had power sales to members of $237,166,939. Receivables from members at December 31, 2022, amounted to $23,044,787. Performance materiality for revenues and receivables is set at $725,000.

 Applying Audit Data Analytics as a Substantive Test  7-39

Plan the Audit Data Analytics The purpose of the ADA is to validate power revenues from members for the year ended December 31, 2022, and receivables from members as of December 31, 2022. The auditor is auditing the occurrence and accuracy of sales revenues, and the existence and valuation of receivables. Inherent risk for revenue and receivables is determined to be moderate to high because of the volume of transactions going through the account. Control risk is assessed as low based on tests of controls and the following conclusions have been reached. The electric cooperative has: •  A strong control environment. •  Strong IT general controls. •  Strong IT application controls related to the occurrence of revenue, the completeness of cash receipts, and the existence and valuation of receivables. The cooperative reviews the collectibility of power bills monthly to decide about turning off power to members with receivables that are 90 days past due. The CFO reviews old outstanding receivables quarterly and decides whether to turn past due receivables over to a collection agency, evaluates the allowance for doubtful accounts, and determines the amount of receivables that should be written off. The auditor plans to validate the occurrence and accuracy of sales revenue by matching power billings with subsequent cash receipts. The auditor will also validate the existence and valuation of receivables at December 31, 2022, by matching receivables with subsequent cash receipts during January and February 2023.

Access and Prepare the Data for Audit Data Analytics To test the completeness of the data, the auditor summarized the information in Illustration 7.32 from the client’s general ledger.

Balance, December 31, 2021

Accounts Receivable

Allowance for Doubtful Accounts

$  22,342,841

$ 11,985

Power sales to members

237,166,939

Collected from members

(236,369,269)

Provision for bad debts Accounts Receivable written off

   (95,724)

(95,724)

  23,044,787

13,261

Power sales to members

  40,572,853

Balance, February 28, 2023

Summary of Accounts Receivable activity for the 14 months ended February 28, 2023

97,000

Balance, December 31, 2022 Collected from members

ILLUSTRATION 7.32  

(39,965,046) $  23,652,594

$ 13,261

The auditor then obtained a sales transaction file, a cash receipts transaction file, and an accounts receivable file from the client. The accounts receivable files matched the information above that was taken from the general ledger. The sales file also matched the general ledger. The auditor then prepared the information in Illustration 7.33, which reconciled the above information to the cash receipts journal. For the Year Ended December 31, 2022

For the Two Months Ended February 28, 2023

Cash collected from members

$236,369,269

$39,965,046

Cash received from bank loan

 3,000,000

    –

Cash received from sale of assets Cash received per cash reciepts journal

   142,837

   28,771

$239,512,106

$39,993,817

ILLUSTRATION 7.33  

Reconciliation of Cash collected from members to total cash receipts

7-40  C h a pte r 7  Audit Data Analytics

The auditor was able to reconcile the data files received from the client to the client’s general ledger. All the data was clean and in a consistent format, so the auditors proceeded to document their evaluation of the relevance and reliability of the data used.

Evaluate the Relevance and Reliability of the Data Used The auditor’s evaluation of the relevance and reliability of the data obtained from the client is shown in Illustration 7.34. ILLUSTRATION 7.34   Evaluation of relevance and reliability of information obtained from the client

Nature of the data

Data was obtained from the client regarding: •  Accounts receivable at December 31, 2021. •  Accounts receivable at December 31, 2022. •  Accounts receivable at February 28, 2023. •  Power sales for the 14 months ended February 28, 2023. •  Cash receipts for the 14 months ended February 28, 2023.

Source of the data

The data came from the electric cooperative’s financial database.

Process used to produce the data

The client’s accounting information system (database) collects information on revenue and cash receipt transactions, as well as journal entries made. This database is also used to produce accounts receivable balances.

Matters the auditor might consider in determining the nature, timing, and extent of procedures to perform regarding whether data is sufficiently reliable

The audit team tested internal controls related to the cooperative’s control environment. The following controls were also tested and found effective:

Procedures regarding data reliability an auditor may consider performing

The audit team reconciled the following information received from the client with the general ledger:

•  IT general controls. •  I T application controls related to occurrence of revenues, accuracy of revenues, completeness of cash receipts, and the existence and valuation of accounts receivable.

•  Accounts receivable as of December 31, 2021, December 31, 2022, and February 28, 2023. •  T  otal power sales to members for the periods ending December 31, 2022, and February 28, 2023. •  Total cash receipts for the periods ending December 31, 2022, and February 28, 2023. •  S  ales adjustments for the provision for bad debts and the write-off of accounts receivable for the year ended December 31, 2022.

Perform the Audit Data Analytics The audit team used ADA to match billings for power sales to members with subsequent cash receipts. The audit team also used ADA to match receivables at December 31, 2022, to subsequent cash receipts during the two months ended February 28, 2023. Illustration 7.35 summarizes the results of the ADA performed. ILLUSTRATION 7.35   Summary of matching of power billings with subsequent cash receipts for the year ended December 31, 2022, and matching receivables at December 31, 2022, with subsequent cash receipts

Number of Members

Dollars

Percentage

Power billings 1/1/2022–12/31/2022 subject to matching procedures

193,629

$ 237,166,939

100.0%

Cash collection equals billing

188,023

$ 209,167,026

88.2%

1,978

1,805,948

0.8%

482

454,445

0.2%

Cash collection greater than billings subsequently offset by   cash collections less than billings Cash collections greater than billings

(continued)

 Applying Audit Data Analytics as a Substantive Test  7-41 ILLUSTRATION 7.35   (continued)

Number of Members

Dollars

Percentage

Cash collection less than billings subsequently offset by   cash collections greater than billings

1,714

Cash collections less than billings

1,127

 Total cash received from customers

$ 1,643,710

0.7%

965,353

0.4%

$ 214,036,482

90.2%

23,130,457

9.8% 100.0%

193,324 No cash received  Total billings subject to matching procedures

193,324

$ 237,166,939

Ending receivables at 12/31/2022

191,839

23,044,787

Billings for 2022 subsequently written off

305

 Total of no cash received on 2022 billings

85,670 $ 23,130,457

Accounts receivable 12/31/2022 subject to matching procedures

191,839

$ 23,044,787

100.0%

Cash collection equals billing

183,162

22,002,475

95.5%

Cash collection greater than billings subsequently offset by   cash collections less than billings

1,292



143,156

0.6%

Cash collections greater than billings

1,957



174,969

0.8%

  cash collections greater than billings

2,076



256,785

1.1%

Cash collections less than billings

3,287



Cash collection less than billings subsequently offset by

No cash collected  Total cash received from customers

455,876

2.0%

65

11,526

0.1%

191,839

$ 23,044,787

100.0%

Evaluate the Results and Draw Conclusions The audit team is focused on the occurrence and accuracy of sales revenues. The presumption is that when power bills are paid in full by the customer, the transaction is validated by the subsequent payment in full by the customer and no dispute of the amount by the member. The same presumption is made regarding receivables at year-end. If they are paid in full and are not disputed, the receivable at December 31, 2022, exists and is properly valued at its gross amount. With respect to the power billings to members, 88.2% of billings were matched by identical cash receipts. Further, there was significant overlap between the group of members that overpaid and the group of members that underpaid. Detailed analysis showed that 1,978 members overpaid their bills, and the same members subsequently underpaid their bills. Investigation showed that some of these members unintentionally overpaid one month, which reduced the amount due the next month, and the customer then paid the amount due (which was less than the power bill for the month). In some cases, members paid three or four months of expected power bills in advance, and then made no payments for several months. A similar pattern was noted among the 1,714 members that initially underpaid. Often, in the next 30 to 60 days, the customers brought their bills current with an overpayment of what was billed in the current month. To the extent that collections were less than billings and not offset by overpayments, the result was a growth in receivables. An analysis of the collection of accounts receivable at December 31, 2022, shows that 95.5% of receivables were collected in full during the subsequent period. Once again, some members overpaid the receivable they owed, and other members underpaid the receivable owed to the electric cooperative. Further, a detailed analysis shows a significant overlap between the members who overpaid and members who underpaid. However, an analysis of year-end receivables showed 3,287 members whose underpayments were not offset by overpayments. These receivables amounted to $455,876. Upon investigation, some of these members complained about the size of their bill, believing that they had been overbilled. As a result, receivables were growing for these members. Other members did not complain but their receivables were growing as well.

7-42  C h a pte r 7  Audit Data Analytics

The auditor determined that the potential misstatement of revenues and receivables amounted to $467,402 ($455,876 + $11,526) which was less than performance materiality. In the cases where members overpaid or underpaid but brought themselves current in a short period of time thereafter, the auditor determined that there was not a breakdown in internal controls. However, the auditor was concerned about the extent of the CFO review of the allowance for doubtful accounts on a quarterly basis. At year-end, the allowance for doubtful accounts was only $13,261, and the estimate for bad debt was only $97,000. After discussion with the CFO, it was determined that, while net receivables were not materially misstated, the auditor did not believe that internal controls related to the estimate for bad debts and the allowance for doubtful accounts were adequate. The audit team included a discussion of a significant deficiency in internal controls related to these items in a management letter to the board of directors of the electric cooperative.

Before You Go On 6.1 What was the evidence in the electric cooperative case supporting the conclusion that power sales for the year ended December 31, 2022, actually occurred and the billings were accurate in their amount? 6.2 What was the evidence in the electric cooperative case supporting the conclusion that accounts receivable at December 31, 2022, existed and were valued correctly at the amount due from members? 6.3 If ADA shows that an account balance is materially correct, can a weakness in internal controls exist? Explain your reasoning.

Learning Objectives Review 1  Explain the five-step process associated with plan-

3  Explain how audit data analytics is used as a risk as-

ning, performing, and evaluating results from audit data analytics.

sessment procedure.

The five steps involved in planning, performing, and evaluating the results of audit data analytics are (1) plan the ADA, (2) access and prepare the data for the ADA, (3) consider the relevance and reliability of the data used, (4) perform the ADA, and (5) evaluate the results and conclude whether the purpose and specific objectives of performing the ADA have been achieved. 2  Apply steps associated with accessing and preparing

data for audit data analytics. When preparing data for ADA, the auditor should first determine if the data is complete and agrees with the general ledger. The auditor also needs to determine if the data is in a consistent format and needs to be cleaned. Subsequently, the auditor should address the following questions in the audit documentation: (1) What is the nature of the data? (2) What is the source of the data? (3) What is the process used to produce the data? (4) What matters might the auditor consider in determining the nature, timing, and extent of procedures to perform regarding whether the data is sufficiently reliable? (5) What procedures regarding data reliability will the auditor consider performing?

The auditor often uses his or her knowledge of the entity, its business, and its industry combined with ADA to identify account balances, transactions, or disclosures that are at a high risk of material misstatement. Illustration 7.6 explains a process for identifying notable items. This section also explains what an auditor should do when ADA identifies a large number of notable items for further consideration. 4  Apply audit data analytics as a risk assessment pro-

cedure and evaluate the results. This discussion illustrates the application of cluster analysis (a process of matching information in key data fields) and regression analysis. This section discusses the benefits and risks of data visualization. Each method is discussed in a case context that walks through the five-step process for using ADA. 5  Explain how audit data analytics is used as a substan-

tive test. A number of substantive tests of details involve matching information in the accounting records with information on underlying documents.

 Audit Decision-Making Example  7-43 Today, much of the evidence that was previously in the form of paper documents has been transferred to electronic form. It is appropriate for the auditor to compare electronically what was previously compared manually. This discussion explains what the auditor should know about the risk of material misstatement, including the system of internal control when evaluating the relevance and reliability of data used for ADA. Further, if the auditor finds misstatements when performing the ADA, the auditor should evaluate (1) the materiality of the misstatements found and (2) whether the misstatements provide evidence of a weakness in internal controls. If the evidence about internal controls does not support a previous conclusion regarding internal controls, the auditor should reassess control risk at a higher level, and re-evaluate the implications of a high control risk assessment on detection risk and the auditor’s audit strategy.

6  Apply audit data analytics as a substantive test and

evaluate the results. This section illustrates the use of ADA as a substantive test. The five-step process is illustrated in the context of validating revenue by matching electronic information, rather than manually comparing information. The example in this section of the chapter uses ADA to match information about customer billings with information about cash receipts and payment of billings. While this is often done manually, it can also be done electronically. The example also walks through the evaluation of results when not every customer billing can be matched with subsequent cash receipts.

Key Terms Review Audit data analytics (ADA) Cluster analysis False positives

Matching information in key data fields Notable item Regression analysis

Visualization

Audit Decision-Making Example Background Information7

•  The expiration dates of leases, in particular, those expiring in the current year (internal data from a source outside the financial reporting system).

Edwin Iverson has been assigned to the audit of a private company that owns 10 apartment buildings. A member of the audit team built a nonstatistical model to predict the company’s revenues based on the following:

•  Average monthly rental rates in the marketplace in which the company operates (external data). •  Average monthly vacancy rates in that marketplace (external data).

•  The number of units in each of the company’s 10 apartment buildings (internal data from a source outside the financial reporting system). •  The size (square footage) and number of rooms of the units (internal data from a source outside the financial reporting system). Analysis of the data showed the following results:

Actual vs. Expected Monthly Rental Revenue $1,400,000 1,200,000 1,000,000 800,000 600,000 400,000 200,000 Se gus t pt em be Oc r to No ber ve m De ber ce m be r

ly Ju

Expected revenue

Au

ne Ju

M ay

Ap ril

ar ch

ar y

M

br u Fe

Ja

nu

ar y



Actual revenue

7 Background information taken from AICPA, Guide to Audit Data Analytics (AICPA: Durham, NC, 2017), Appendix D.

7-44  C h a pte r 7  Audit Data Analytics

Expected Annual Revenue vs. Actual Annual Revenue by Property $2,000,000 1,500,000 1,000,000 500,000

Ed

W

Lo

ng vi

ew

AV e. es tS ge tre m on et t No Plac e rth St re Pa et rk 52 Ave . Ri nd S ve rb tree en t d Dr iv 49 e th St re 7t e h Av t e Bo nu ar e d St re et



Expected

Actual

Identify Audit Issues

Analysis and Evaluation of Alternatives

The above data shows that revenues might be overstated. Overstatements might be due to occurrence problems, cutoff problems, or accuracy problems. It is also possible that the prediction model could be incorrect. For example, the prediction model might overstate vacancy rates. In particular, the auditor might focus detail testing on the months of July, December, and February. The auditor might also focus attention on the following properties: 52nd Street, 49th Street, 7th Avenue, and Broad Street.

As a result of the urban renewal project, lease contracts showed a higher monthly rental rate than predicted by the model based on vouching rental transactions to new contracts. The shorter vacancy periods were vouched to both signed leases and cash deposits from new tenants. The increased rental revenue was also supported by increased cash inflows.

Gather Additional Information and Evidence Edwin determined that he needed to look at lease contracts signed in the months of July, December, and February at the abovementioned properties. The model predicted that units would stay vacant for 17 days before finding a new tenant. Upon investigation, the actual vacancy times were closer to 7 days at the properties investigated. Further, all four properties were in an area where a major urban renewal project had been completed by the city in the last year.

Audit Conclusion Based on detail testing, the increase in rental revenues was attributed to shorter vacancy periods than predicted by the model and larger rental increases than predicted by the model. Edwin also determined that increased revenues were supported by increased cash flows. Based on the ADA performed and the subsequent vouching of selected transactions, Edwin determined that revenues were presented fairly, in all material respects.

CPAexcel CPAexcel questions and other resources are available in WileyPLUS.

Multiple-Choice Questions 1.  (LO 1)  What step follows planning the ADA?

2.  (LO 1)  A key aspect of preparing the data for ADA is:

a.  Evaluating results and concluding whether the purpose of the ADA has been achieved.

a.  determining the source of the data.

b.  Considering the relevance and reliability of data used.

c.  e valuating the reliability of internally generated evidence.

c.  Accessing and preparing the data for ADA. d.  Performing the ADA.

b.  determining if the data is complete. d.  determining the validity of data obtained from an external source.

Review Questions  7-45 3.  (LO 2)  Which of the following is an example of data that needs to be cleaned before it can be analyzed?

receivable. The auditor is most likely auditing which of the following a­ ssertions?

a.  The data has dates in two different formats (MM/DD/YY and DD/MM/YY).

a.  E  xistence.

b.  The data has information from customers in data files from two different divisions.

c.  Valuation and allocation.

c.  The data comes from a system with poor internal controls. d.  T  he data contains misstatements. 4.  (LO 2)  A key aspect of testing the completeness of a data set is: a.  determining that every customer has a transaction. b.  the data has information from customers in data files from two different divisions. c.  checking the numerical continuity of the data. d.  t he data contains misstatements. 5.  (LO 3)  When performing ADA as a risk assessment procedure, a notable item: a.  is indicative of a risk of material misstatement not previously identified by the auditor. b.  is indicative of a higher risk of material misstatement than anticipated by the auditor. c.  provides information useful in designing procedures to address the risk of material misstatement. d.  A  ll of these answer choices describe notable items. 6.  (LO 3)  A “false positive” is: a.  another term for a notable item. b.  indicative of a higher risk of material misstatement. c.  incorrectly identified as a notable item and requires no further response to identify new or higher risks. d.  a notable item that requires further investigation. 7.  (LO 4)  An auditor is performing a cluster analysis and sorts a client’s customers into groups based on the aging of accounts

b.  Rights and obligations. d.  Completeness. 8.  (LO 4)  An auditor is using regression analysis to investigate battery expense for a computer manufacturer that purchases batteries. Which of the following would be a good choice of independent variable for the regression? a.  R  evenues. b.  Number of employees. c.  Square footage of manufacturing space. d.  Number of computers sold. 9.  (LO 5)  When performing ADA as a substantive test, the auditor: a.  u  ses ADA to match electronic information that otherwise would have been audited manually. b.  uses ADA to identify high-risk transactions and balances and then audits those high-risk items with traditional audit tests. c.  relies solely on the client’s system of internal controls. d.  uses ADA to identify breakdowns in the client’s system of ­internal control. 10.  (LO 6)  An auditor is using ADA as a substantive test to validate accounts receivable because consumers are poor at responding to confirmations. In this case, the auditor validates the receivable by: a.  v ouching the receivable back to sales orders. b.  tracing shipping documents to bills of lading. c.  finding electronic evidence that the receivable is supported by subsequent cash receipt in the same amount. d.  finding electronic evidence of strong internal controls.

Review Questions R7.1  (LO 1)  Identify and briefly describe the five steps of performing ADA and place them in the proper order.

example should be an acceptable variation and the other an unacceptable variation.

R7.2  (LO 1)  Describe three key issues to consider when planning ADA.

R7.7  (LO 4)  Explain how visualizations can be used as part of ADA and why they are important.

R7.3  (LO 2)  Are the quality of internal controls relevant when evaluating the reliability of data to be used in ADA? Explain why or why not, and provide an example.

R7.8  (LO 4)  Describe two risks associated with using visualizations as part of ADA.

R7.4  (LO 2)  How does each of the following influence the reliability of the data: (1) data obtained from external versus internal sources, (2) data obtained directly versus indirectly, (3) data from original documents versus electronic scans, and (4) and data from written information sources versus records of verbal conversations?

R7.9  (LO 4)  Identify two analytical techniques that could be used as part of risk assessment ADA and how they could be useful. R7.10  (LO 5)  Explain why strong IT general controls and strong IT application controls are important when an auditor plans to use ADA as a substantive test of details.

R7.5  (LO 3, 4)  Explain how the risk analysis decision tree can be used in conjunction with the five-step process for ADA. Provide an example.

R7.11  (LO 5, 6)  What should an auditor do if the conclusion from performing ADA as a substantive test does not agree with a previous conclusion regarding internal controls?

R7.6  (LO 3, 4)  Provide two examples of items that “Do Not Fit the Auditor’s Expectation” per the risk analysis decision tree. One

R7.12  (LO 6)  Explain how applying ADA as a substantive test differs from ADA as a risk assessment procedure.

7-46  C h a pte r 7  Audit Data Analytics

Analysis Problems AP7.1  (LO 1)  Basic   Planning an ADA application  You are auditing Quick Technologies, Inc. (QTI). QTI is a manufacturer of various computer technologies and works hard on bringing new technologies to market. QTI has approximately 4,000 customers (some with multiple locations). On average, QTI sells its inventory every 45 days, and it takes approximately 33 days to collect receivables. QTI has also experienced a high degree of competitiveness and technological obsolescence. The company has found that the average product life is between 9 and 15 months.

Required a. Identify a potential application for ADA in the audit of QTI. Explain the account and the assertion(s) tested by the application. b.  What is the population being analyzed and tested using ADA? c.  Is ADA being used as a risk assessment procedure or as a substantive test? d.  Explain the ADA application that is planned and how it will contribute to the evaluation of the assertion being audited. e.  Explain the role of business acumen in the application of ADA. AP7.2  (LO 2)  Basic   Planning an ADA application  Timothy Steele, a recent college graduate and new audit staff member, is having lunch with Michael Watts, an audit senior. Both are working on the audit engagement of a retailer that has operations in North America and Europe. Timothy says to Michael, “I have been doing some reading about audit data analytics, and there is something I don’t understand. While I understand the importance of internal controls to the reliability of the client’s data, I also keep reading that the auditor needs to clean the data before it can be analyzed. I don’t understand what people are talking about with when they talk about ʻcleanʼ data. Is there a difference between ʻcleanʼ and ʻdirtyʼ data? Can you explain this to me with a practical illustration? I just don’t get what the discussion of ʻcleanʼ data is about.”

Required Answer Timothy’s questions. As Timothy asks, explain the concept of “clean” versus “dirty” data with a practical illustration. AP7.3  (LO 2)  Moderate   Preparing data for ADA  Emma Reed, an audit partner at Gung & Ho, CPAs, is auditing a company in the music industry that owns multiple record labels and sells music in North America and Europe. Emma is currently performing ADA as a risk assessment procedure investigating sales. Emma has asked you, a junior auditor at Gung & Ho, to assist her with the second step of the five-step ADA process. The client maintains two separate sales transaction files—one for North America (NAsales.csv) and one for Europe (EUsales.csv).

Required Emma has specifically asked you to create one sales transaction file in a consistent format (data files are available in WileyPLUS). AP7.4  (LO 3)  Moderate   ADA as a risk analysis procedure  McCaffery, CPA, is the auditor of the Raleigh Corporation. Raleigh is a construction company that builds single-family homes and lowrise apartment buildings. Raleigh uses the percentage-of-completion method to recognize revenues on projects. Percentage of completion is based on discussion with project managers and the percentage of expenditures versus budget for each project. McCaffery has decided to use ADA as a risk analysis tool to evaluate revenue recognized on various projects.

Required a.  Identify the assertion being audited. b.  How would an auditor set an expectation regarding percentage-of-completion for each project? c.  What would be an acceptable deviation from the auditor’s expectation? Explain the role of business acumen in evaluating an acceptable deviation from the auditor’s expectation. d.  What would be an unacceptable deviation from the auditor’s expectation? Explain the role of business acumen in evaluating an unacceptable deviation from the auditor’s expectation. AP7.5  (LO 4)  Basic   Visualizing the results of ADA using Tableau  Illustration 7.6 presented the analysis of using clustering as an ADA technique to identify inventory that was at a high risk of not

Analysis Problems  7-47 being properly valued at the inventory’s net realizable value. The information contained in this illustration is presented in an Excel file (Illustration 7.6.xls), available in WileyPLUS.

Required Using Tableau, develop visualizations to present to the client illustrating the potential problems and risks associated with slow-moving inventory. AP7.6  (LO 4)  Challenging   Performing ADA involving matching  A team from More & Less CPAs are auditing SportsLovers, a U.S. sporting goods manufacturer and distributor. The audit team recently had a meeting to discuss how to perform the current ADA, which is designed to investigate the risk of employees stealing by shipping products to their home address. The team has already completed the first three steps of the five-step ADA process. The discussion point in the meeting was how to compare the addresses in the Employee Master File with the addresses in the Shipment List File. The relevant fields in each database are shown below. Database

Field Code

Employee Master File

E_ID

A unique identification number for each employee

6-digit number

E_ADD

Employee’s home address excluding city, state, zip code

Text

E_CITY

City associated with E_ADD

Text

Shipment List File

Field Description

Data Type

E_STATE

State associated with E_ADD

Text

E_ZIP

Zip code associated with E_ADD

5-digit number

E_COUN

Country associated with E_ADD (currently US for all employees but stored in case of future expansion)

Text

SHIP_NO

A unique identification number for each package shipped

8-digit number

INV_NO

The invoice number the shipped package belongs to

8-digit number

SHIP_ADD

Shipping address excluding city, state, zip code

Text

SHIP_CS

City and state (separated by a comma) associated with SHIP_ADD

Text

SHIP_ZIP

Zip code associated with SHIP_ADD

5-digit number

SHIP_ COUNTRY

Country associated with SHIP_ADD (currently US for all employees but stored in case of future expansion)

Text

During the meeting, the following ideas were proposed for a criterion to identify notable items: 1.  E_ADD is the same as SHIP_ADD. 2.  E_ZIP is the same as SHIP_ZIP. 3.  The result of joining E_ADD, E_CITY, E_STATE, and E_ZIP is the same as joining SHIP_ADD, SHIP_CS, and SHIP_ZIP. 4.  E_NUMS is the same as SHIP_NUMS. E_NUMS is created by joining E_ADD and E_ZIP together and then removing all letters so only the numbers remain. In a similar way, SHIP_NUMS is created by joining SHIP_ADD and SHIP_ZIP and retaining only the numbers.

Required a.  Critically analyze the advantages and disadvantages of each of the four suggestions. b.  Recommend a criterion to identify notable items and justify your choice. c.  Evaluate the risk of missing truly notable items given your recommendation in (b). AP7.7  (LO 4)  Challenging   Role of assertions and risk analysis decision tree in ADA  The audit firm you work for is auditing the 2022 financial statements for a national clothing retailer. As part of the audit, ADA is being used to assess risk associated with accrued wages. Regression-based ADA was developed, and the first four steps of the five-step ADA process have already been completed. The regression was developed using monthly data from 2019, 2020, and 2021. The regression model was validated from a statistics and a business logic point of view. The results from the regression analysis are summarized in the following visualization, where the blue dots outside the confidence interval represent November and December 2022. The independent variable is monthly number of employees. The dependent variable is payroll payable at the end of the month.

7-48  C h a pte r 7  Audit Data Analytics Historical

Linear regression line 95% prediction interval

Current year

Monthly payroll payable ($000)

$45,000

35,000

25,000

15,000 4,500

6,000 6,500 5,000 5,500 Monthly number of employees

7,000

Required a.  Evaluate the results of the ADA. In your answer, be sure to state what assertions might be misstated. b.  What tests would you perform next to determine whether any notable items identified have a valid business reason supporting them? AP7.8  (LO 5)  Basic   ADA as a risk assessment procedure versus a substantive test   Timothy Steele, a recent college graduate and new audit staff member, is having lunch with Michael Watts, an audit senior. Both are working on the audit engagement of a retailer that has operations in North America and Europe. Timothy has another question for Michael: “In my reading I have seen a number of examples of audit data analytics. However, I am having a difficult time distinguishing between ADA as a risk assessment procedure and ADA as a substantive test.” Can you explain the difference to me and illustrate with a practical example?”

Required Answer Timothy’s questions. Explain the difference between ADA as a risk assessment procedure and ADA as a substantive test. Illustrate your explanation with practical illustrations. AP7.9  (LO 6)  Challenging   ADA as a substantive test  Assume that you are auditing a real estate company that owns and rents several apartment buildings. In total, the company owns 22 buildings and has over 1,000 apartments that it rents out on annual leases. You are auditing accounts receivables. From past experience, it has been difficult to get renters to confirm receivables at the end of the year. As an alternative, you choose to use ADA to investigate the relationship between accounts receivable and subsequent cash receipts. Using ADA, you get the following results.

Accounts receivable at year-end subject to ADA

$2,634,008

100.0%

Cash collection equals accounts receivable

2,122,858

80.6%

Cash collection greater than accounts receivable

    —

0.0%

Cash collection less than accounts receivable

  418,025

15.9%

  93,125 $2,634,008

3.5% 100.0%

No cash collected on December 31, 2022, accounts receivable

Required a.  What assertion(s) is the auditor investigating? b.  How do you interpret the results presented above? c.  What tests would you perform next to determine whether any notable items identified have a valid business reason supporting them?

Audit Decision Case  7-49 AP7.10  (LO 4, 6)  Moderate   Research   False positive analysis  Read the following article, available online: G. Baader and H. Krcmer, “Reducing False Positives in Fraud Detection: Combining the Red Flag Approach with Process Mining,” International Journal of Accounting Information Systems (December 2018).

Required Prepare a two-page summary of the article outlining the definition of a false positive, the solution proposed, and the performance of that solution on the tested data set.

Audit Decision Case G&J Airlines Questions C7.1 and C7.2 are based on an audit of G&J Airlines, a regional airline described in this chapter in the section “Regression Analysis.” Data files needed to complete this case are available in WileyPLUS. C7.1  (LO 1, 2, 3, 4)  Challenging   Using regression analysis to search for notable items in revenue  Perform the following as part of the 2022 audit of G&J Airlines. The dependent variable is revenue. The independent variable is passenger miles. a.  Plan an ADA as a risk assessment procedure that uses regression to investigate revenue. b.  Prepare the data for your ADA c.  Document the relevance and reliability testing that would need to be performed for this ADA to be effective and efficient. Assume all tests are satisfied. d.  Perform your planned regression analysis using the six steps outlined in the chapter section “Regression Analysis.” e.  Create a visualization to describe the results of the ADA and evaluate the results of the ADA. f.  Recommend procedures that should be taken because of your findings in (e). C7.2  (LO 1, 2, 3, 4)  Challenging   Using regression analysis to search for notable items in an expense  Perform the following as part of the 2022 audit of G&J Airlines. The dependent variable is salaries and wages expenses. You should determine which independent variable(s), if any, are appropriate from the data set provided. a.  Plan an ADA as a risk assessment procedure that uses regression to investigate salaries and wages payable. b.  Prepare the data for your ADA. c.  Document the relevance and reliability testing that would need to be performed for this ADA to be effective and efficient. Assume all tests are satisfied. d.  Perform your planned regression analysis using the six steps outlined in “Regression Analysis.” Looking for Notable Items. e.  Create a visualization to describe the results of the ADA and evaluate the results of the ADA. f.  Recommend procedures that should be taken because of your findings in (e).

Cloud 9 - Continuing Case You have been asked to assist in the planning and development of audit data analytics as a substantive test for Cloud 9. Cloud 9 uses an evaluated receipt settlement system (see Chapter 12) that

involves electronic invoice presentment and payment (EIPP) for 90% of its purchase transactions. The following information is captured electronically within this system.

Database

Field Code

Field Description

Data Type

Data Input By

Vendor Master File

Vendor_ID

A unique identification number for each vendor

6-digit number

Cloud 9

Vendor_ADD

Vendor’s mailing address excluding city, state, post (zip) code

Text

Cloud 9

7-50  C h a pte r 7  Audit Data Analytics

Database

Field Code

Field Description

Data Type

Data Input By

Vendor_CITY

City associated with Vendor_ADD

Text

Cloud 9

Vendor_STATE

State associated with Vendor_ADD

Text

Cloud 9

Vendor_PC

Vendor post (zip) code

Text

Cloud 9

Vendor_COUN

Country associated with Vendor_ADD

Text

Cloud 9

Vendor_Bank Account Number

Routing number and account number for vendor

Numeric data

Cloud 9

Vendor Credit Limit

Amount of credit extended by the vendor

9-digit number

Cloud 9

Vendor_ID

A unique identification number for each vendor

6-digit number

Cloud 9

EIPP_NO

A unique transaction number that follows each transaction from order (serves as purchase order number), through shipment (serves a shipment number), receiving (serves as receiving number), invoicing (serves an ASN number), recording of the liability (serves as voucher number) and payment (number identified on payment).

14-digit number

Cloud 9 and Vendor

PO_DATE

Order date

MM/DD/YYYY

Cloud 9

PO_SHIP_ADD

Shipping address for PO excluding city, state, post (zip) code

Text

Cloud 9

PO_CS

PO_SHIP_ADD

Text

Cloud 9

EIPP DatabaseC

PO_PC

Post (zip) code for PO_SHIP_ADD

Text or number

Cloud 9

PO_COUNTRY

Country associated with PO_SHIP_ADD

Text

Cloud 9

PO_PROD_CODE

Product number

14-digit number

Cloud 9

PO_PROD_QUANT

Inventory quantity ordered by Cloud 9

7-digit number

Cloud 9

PO_PROD_PRICE

Price per unit for each item ordered by Cloud 9

$X,XXX.XX

Cloud 9

PO_ACCT

Account charged based on ordering department

5-digit number

Cloud 9

TOTAL_ORD_PRICE

Total price for the individual purchase order

$XXX,XXX.XX

Cloud 9

ASN_DATE

ASN date

MM/DD/YYYY

Vendor

PROD_NO

Unique inventory number

14-digit number

Vendor

PROD_QUANT

Inventory quantity ordered by Cloud 9

7-digit number

Vendor

PROD_PRICE

Price for each item ordered by Cloud 9

$X,XXX.XX

Vendor

ASN_TOTAL

Sum total of the vendor’s advance shipping notice

$XXX,XXX.XX

Vendor

ASN_TERMS

% discount allowed if paid within XX days from receiving date

PP.P%/XX

Vendor

BILL_ADD

Billing address excluding city, state, post (zip) code

Text

Vendor

BILL_CS

City and state (separated by a comma) associated with BILL_ADD

Text

Vendor

BILL_PC

Post (zip) code associated with BILL_ADD

Text

Vendor

BILL_COUNTRY

Country associated with BILL_ADD

Text

Vendor

BL_DATE

Bill of lading date

MM/DD/YYYY

Vendor

SHIP_ADD

Shipping address excluding city, state, post (zip) code

Text

Vendor

SHIP_CS

City and state (separated by a comma) associated with SHIP_ADD

Text

Vendor

SHIP_PC

Post (zip) code associated with SHIP_ADD

5-digit number

Vendor

SHIP_COUNTRY

Country associated with SHIP_ADD

Text

Vendor

SHIP_PROD_NO

Unique inventory number

14-digit number

Vendor

SHIP_QUANT

Inventory quantity shipped by vendor

7-digit number

Vendor

REC_DATE

Date of receipt of goods

MM/DD/YYYY

Cloud 9

REC_ADD

Shipping address excluding city, state, post (zip) code

Text

Cloud 9

 Audit Decision Case  7-51

Database

Field Code

Field Description

Data Type

Data Input By

REC_CS

City and state (separated by a comma) associated with SHIP_ADD

Text

Cloud 9

REC_PC

Post (zip) code associated with SHIP_ADD

5-digit number

Cloud 9

REC_COUNTRY

Country associated with SHIP_ADD

Text

Cloud 9

REC_PROD_NO

Unique inventory number of item received

14-digit number

Cloud 9

REC_PROD_QUANT

Quantity of inventory item received

7-digit number

Cloud 9

VOUCHER_DATE

Date of recording the liability

MM/DD/YYYY

Cloud 9

VCH_ PROD_NO

Unique inventory number on voucher

14-digit number

Cloud 9

VCH_PROD_QUANT

Inventory quantity on voucher

7-digit number

Cloud 9

VCH_PROD_PRICE

Price for each item on voucher

$X,XXX.XX

Cloud 9

VCH_TOTAL

Sum total of the liability on voucher

$XXX,XXX.XX

Cloud 9

VCH_ACCT

Account charged with liability for purchase

5-digit number

Cloud 9

PAY_DATE

Date of payment

MM/DD/YYYY

Cloud 9

TOTAL_PYMT_AMT

Total amount of payment of invoice

$XXX,XXX.XX

Cloud 9

Required Plan a substantive test of purchase transactions using ADA as a substantive test. When planning the substantive test, identify the following: a.  What is (are) the assertion(s) being tested?

b.  What information are you comparing electronically for each assertion? c.  What electronic evidence would represent a misstatement for each assertion?

Chapter 8 Risk Response Performing Tests of Controls

The Audit Process Overview of Audit and Assurance (Chapter 1) Professionalism and Professional Responsibilities (Chapter 2) Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4) Identify Significant Accounts and Transactions Make Preliminary Risk Assessments

Set Planning Materiality

Gaining an Understanding of the System of Internal Control (Chapter 6)

Audit Evidence (Chapter 5)

Develop Responses to Risk and an Audit Strategy

Performing Tests of Controls (Chapter 8)

Performing Substantive Procedures (Chapter 9) Audit Sampling for Substantive Tests (Chapter 10)

Auditing the Revenue Process (Chapter 11)

Auditing the Purchasing and Payroll Processes (Chapter 12)

Audit Data Analytics (Chapter 7)

Gaining an Understanding of the Client

Auditing the Balance Sheet and Related Income Accounts (Chapter 13)

Completing and Reporting on the Audit (Chapters 14 and 15) Procedures Performed Near the End of the Audit

Drawing Audit Conclusions

Reporting

8-1

8-2  Ch apt e r 8  Risk Response: Performing Tests of Controls

Learning Objectives LO 1  Describe the steps in assessing control risk. LO 2 Explain the different types of controls that an auditor might encounter. LO 3 Explain the types of evidence that can be used to support a test of controls.

LO 4  Determine how to select and design tests of controls. LO 5 Evaluate the results of tests of controls. LO 6  Document the results of tests of controls.

Auditing and Assurance Standards PCAOB

Auditing Standards Board

AS 1215 Audit Documentation

AU-C 230 Audit Documentation

AS 2110  Identifying and Assessing Risks of Material Misstatement

AU-C 265  Communicating Internal Control Related Matters Identified in an Audit

AS 2201 An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements

AU-C 315  Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

Cloud 9 - Continuing Case Based on the procedures used to obtain an understanding of internal controls, Sharon Gallagher, the audit manager, believes Cloud 9 has effective internal controls at the entity level. Sharon has instructed the audit team to turn its attention to controls at the transaction level. Josh, Ian, and Suzie completed documenting the various accounting processes at Cloud 9. Now, for each transaction process, they try to determine the likely sources of potential misstatements by asking “what could go wrong” within a given significant account. Josh has asked Ian to identify the controls that Cloud 9

uses in the payroll cycle to either prevent or detect the types of misstatements they have identified so far. Ian would like to clarify the difference between preventive and detective controls. Josh tells Ian that he is available to consult with him as he identifies key controls and plans tests of controls for Cloud 9’s payroll cycle. He wants him to focus the testing on the key controls. Ian is confused. He thought a reliance on controls approach to an audit required the auditors to test all the controls. How can they justify testing only some controls? Which are the key controls?

Chapter Preview: Audit Process in Focus As we discussed in Chapter 3, assessing audit risk involves assessing the inherent and control risks and then setting detection risk for each significant account and assertion. The assessment of control risk is accomplished by understanding and evaluating the client’s system of internal controls (see Chapters 3 and 6) and by performing tests of controls. When control risk is assessed as low, the auditor has determined controls are in place. The auditor must then test the controls to provide evidence that the controls put in place by the organization are designed and operating effectively to prevent material misstatements from occurring, or to detect their occurrence and to then correct the misstatement in a timely manner. In this chapter, we begin with an overview of the steps involved in assessing control risk. We then discuss the different types of controls that an auditor might find when gaining an understanding of and evaluating the client’s system of internal controls. When the auditor decides to include control testing in the audit strategy, he or she must select those controls

  Steps in Assessing Control Risk  8-3

that will provide the most efficient and effective audit (that is, provide the assurance required that the controls are working). Also, auditors test only those controls they believe are critical to their opinions on both the financial statements and on internal control over financial reporting (ICFR) for public company audits. Auditors select those controls that are extensive and sensitive enough to provide reasonable assurance that the controls operated effectively throughout the period covered by the audit report. Deciding which controls to test will be influenced by whether the control covers the “what can go wrongs” associated with the relevant account assertions, and the level of assurance the auditor wants to gain that the control has been designed and implemented effectively. The auditor must then make decisions about how to test the control. The auditor’s tests of controls depend on the nature of the control and the evidence that may be available to conclude on the operating effectiveness of the control. Many procedures are available to test the controls identified when planning the audit. In this chapter, we include examples of audit decisions about (1) what controls should be selected for testing, (2) the extent of tests of controls (depending on the type of control being tested), and (3) the timing of tests of controls. The chapter will also address how the extent of control testing will influence the auditor’s decision about control risk. Finally, the chapter will discuss the auditor’s response to any exceptions or errors found in their testing of controls, as well as how to document the results of tests of controls.

Steps in Assessing Control Risk Lea rning Objective 1 Describe the steps in assessing control risk. The steps associated with assessing control risk are depicted in Illustration 8.1. Each of these steps is discussed briefly below.

Understand Entity-Level Controls Assessing control risk begins with understanding entity-level controls (see Entity-Level Internal Controls in Chapter 6). Entity-level controls involve all five components of internal controls: the client’s control environment, risk assessment process, control activities, information and communication system, and monitoring of controls. Strong entity-level controls make it more likely that transaction-level controls will operate effectively. Strong entity-level controls are a necessary element of a strong system of internal control. Even if entity-level controls are strong, the auditor must still identify key controls at the transaction level. However, if entitylevel controls are weak, and if the tone at the top is poor, it is unlikely that the auditor will find effective internal controls at the transaction level.

Understand the Flow of Transactions The flow of a transaction and the documents involved will differ from one transaction class to another. For example, the flow of documents that provides evidence of a transaction will differ among sales transactions, purchases transactions, and payroll transactions. Nevertheless, there are common steps in any transaction stream. These common steps are: •  Authorization. Normally a transaction is authorized at the start of a transaction stream. •  Executing the transaction. This involves filling the order so that title of a good passes. In a sales process, normally title passes when goods are shipped or received. In a service

8-4  Ch apt e r 8  Risk Response: Performing Tests of Controls illustration 8.1   Steps in assessing control risk

1. Understand entity-level controls

2. Understand the flow of transactions

3. Identify what can go wrong (WCGW) for financial statement assertions

4. Identify relevant controls to test

5. Determine preliminary audit strategy

6. Perform tests of controls

7. Evaluate the evidence, assess control risk, and reevaluate audit strategy (if necessary)

8. Report internal control weaknesses to those charged with governance

process, the transaction is executed when a service is completed. In a payroll process, the transaction takes place when individuals work. •  Recording the transaction. On an accrual basis, transactions are recorded after title passes (for goods) or services are completed. In the sales process, the transaction is recorded with a sales invoice. In the purchases process, the transaction is normally recorded with an internally prepared voucher. •  Consideration. A transaction is completed when consideration (usually cash or electronic transfer of funds) is received or paid. A sales transaction is completed when cash is received from a customer. A purchase transaction is normally completed when a vendor is paid. It is important for the auditor to understand the flow of transactions and the documentary audit trail for each business process.

what can go wrong (WCGW)  describes where material misstatements due to error or fraud could occur in a flow of transactions or source and preparation of information that affects a relevant financial statement assertion

Identify What Can Go Wrong (WCGW) Once auditors understand the flow of transactions, they will use their knowledge of assertions to understand what can go wrong (WCGW). For example, regarding the occurrence of revenues, the auditor is concerned about potential revenue recognition problems that lead to premature revenue recognition. Auditors use the financial statement assertions to guide them in considering WCGW with each assertion relevant to the various transaction classes, account balances, or disclosures being audited.

  Steps in Assessing Control Risk  8-5

Identify Relevant Controls to Test Once the auditor identifies WCGW, the auditor will look for relevant internal controls that will either prevent misstatements from happening or detect and correct misstatements on a timely basis. Many public companies have built in redundant control systems such that if one control fails, another control might succeed in ensuring accurate financial reporting. In many cases, an audit client might have multiple controls related to an assertion. This presents a challenge for the auditor. It is inefficient to test every control. The auditor only desires to test controls, often referred to as “key” controls, that are important to the auditor’s conclusion about whether the entity’s controls sufficiently address the assessed risk of misstatement for each relevant assertion. Identifying controls to be tested is a subjective task that requires professional judgment.

Determine Preliminary Audit Strategy If the auditor identifies internal control strengths relative to an assertion, the auditor will consider the efficiency of testing the controls, and possibly following a reliance on controls strategy. If the audit firm is performing an integrated audit for a public company, there is an expectation that the auditor will test controls in order to support an opinion on ICFR. If the audit firm is auditing a private company, a not-for-profit organization, or a government, the auditor will decide whether audit efficiencies are obtained by testing internal controls that appear to be strong. In some cases, it may be efficient for the auditor to follow a primarily substantive approach even when internal controls appear to be strong, particularly when auditing smaller audit populations. For example, in the notes payable account, if the only activity in the account is the monthly payment on the principal, it may be more efficient for the auditor to follow a substantive approach because there are so few transactions. The auditor will also follow a primarily substantive audit strategy for assertions that do not appear to have strong internal controls.

Perform Tests of Controls Once the auditor has decided to follow a reliance on controls strategy for an assertion and identified the key controls to test, the auditor performs tests of controls. The auditor will ­design different tests for automated controls versus manual controls. The section “Selecting and Designing Tests of Controls” in this chapter provides numerous examples associated with the selection and design of tests of controls, and how the auditor makes decisions about the nature, timing, and extent of tests of controls.

Evaluate Evidence and Assess Control Risk The section “Results of the Auditor’s Testing” discusses how to evaluate the results of tests of controls. In some cases, the results of tests of controls may indicate that the control is not functioning as designed. In these situations, the auditor should determine whether other controls covering the relevant financial statement assertion exist. The auditor should test these compensating controls to determine if they are operating effectively to mitigate the internal control weakness. If tests of controls indicate that a key control is not functioning as designed, and if other compensating controls do not exist, the auditor should: •  Increase the assessed level of control risk. •  Decrease the level of calculated detection risk. •  Make appropriate changes to the nature, timing, and extent of substantive tests related to the assertion. The auditor must also carefully document the evidence obtained when performing tests of controls and the conclusions reached based on that evidence.

Reporting Findings Recall from Chapter 6 that if an auditor finds a breakdown in the system of internal control, the auditor must classify any breakdown as a deficiency in internal controls, a significant

8-6  Ch apt e r 8  Risk Response: Performing Tests of Controls

deficiency, or a material weakness. If the auditor is auditing a public company in the United States and must report on ICFR, the identification of one or more material weaknesses will result in an adverse opinion on ICFR. If, however, internal control breakdowns are not as severe as a material weakness, and are classified as either a control deficiency or a significant deficiency, the auditor can issue an unqualified opinion on ICFR. Both PCAOB AS 2201 An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements and AU-C 265 Communicating Internal Control Related Matters Identified in an Audit require the auditor to provide those charged with governance with timely observations regarding both material weaknesses and significant deficiencies in internal control. This is normally accomplished when the auditor issues a management letter to those charged with governance of the entity with the auditor’s observations and potential ways to correct the deficiencies.

A Brief History of PCAOB Standards and Inspection Activities   Professional Environment 1 ­Related to Internal Control over Financial Reporting

On March 26, 2014, Jeanette Franzel, a member of the Public Company Accounting Oversight Board, delivered a speech to the Institute of Internal Auditors in which she recounted a brief chronology of the PCAOB standards and inspection activities. Students should note that, while the PCAOB was created by the Sarbanes-Oxley Act of 2002, it took several years to appoint the board and board staff, and go through a due process in creating the first standards for audits of ICFR. Following is Jeanette’s brief chronology. 2004: The Board adopted Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements (AS 2), to govern the newly required audit of internal controls. 2006: On May 1, the Board issued a statement announcing it would focus on how efficiently the firms performed audits according to AS 2. At that time, PCAOB inspections were focused on efficiency including (1) the degree of integration between the audit of ICFR and the financial statements; (2) the auditor’s use of a top-down approach; (3) the proper assessment of and response to identified risks; and (4) using the work of others. Through inspections and other monitoring, the PCAOB determined that, although the audit of internal control over financial reporting produced benefits, those benefits came at a significant cost. 2007: On June 12, the Board adopted Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements (AS 5), to improve implementation of ICFR audits. AS 5 became effective for audits for fiscal years ended on or after Nov. 15, 2007, and emphasizes a top-down, risk-based audit approach that focuses on

the most important audit matters. It also eliminated unnecessary audit procedures and was designed to be scalable to the size and complexity of the business. 2008: The PCAOB’s 2008 inspections of ICFR audits focused on whether auditors were effectively transitioning to AS 5. During inspections fieldwork, inspections teams communicated specific observations to the audit teams and discussed overall observations for each firm with the firm’s leadership. Inspection findings related to ICFR were not reported in individual firm inspection reports, but were summarized in a general report issued by the Board. 2009–2010: The Board continued to monitor the execution of AS 5 and its inspections focused on whether firms had obtained sufficient audit evidence to support audit opinions on the effectiveness of ICFR. Beginning primarily in the 2010 inspections cycle, when inspections staff found deficiencies in the auditor’s testing of the design and/or the operating effectiveness of internal controls, those deficiencies were communicated to the audit firms primarily through comment forms and then reported, as appropriate, in the firms’ inspection reports. 2013: The PCAOB issued Staff Audit Practice Alert No. 11, Considerations for Audits of Internal Control over Financial Reporting, in light of significant ICFR audit practice issues observed by PCAOB inspection staff from 2010–2012. (The results of this Staff Audit Practice Alert are discussed later in this chapter.) Authors’ note: Guidance provided by PCAOB Auditing Standard No. 2 and No. 5 is now covered in PCAOB AS 2201.

Before You Go On 1.1  Explain each of the seven steps associated with assessing control risk. 1.2 Explain each of the four steps commonly involved with a transaction, from start to finish. Provide an example in the context of selling goods to a customer. 1.3  How do auditors identify WCGW in the flow of transactions? 1.4 An auditor might commonly identify multiple controls related to an assertion. What factors should an auditor consider when determining which control(s) should be tested during the audit? 1.5 What steps should an auditor take if the auditor determines that a key control is not operating effectively? 1 J. M. Franzel, “Effective Audits of Internal Control in the Current ‘Perfect Storm’, ” Speech delivered to the Institute of Internal Auditors (March 26, 2014).

  Types of Controls  8-7

Types of Controls Lea rning Objective 2 Explain the different types of controls that an auditor might encounter. There are a number of ways to categorize the specific controls that a client may use. As described previously, there are two levels of internal control: entity-level ­controls and transaction-level controls. This chapter focuses on transaction-level controls. Transaction-level controls relate to two of the five components of entity-level internal controls as set out in the COSO Framework: information and communication and control activities. Transactionlevel controls are implemented by businesses to reduce the risk of misstatement due to error or fraud, and to ensure that business processes are operating effectively. Controls have two main objectives: (1) to prevent or detect misstatements in the financial statements, (2) control operations objectives, and (3) control compliance objectives. The method by which controls are applied to achieve these objectives can be broadly classified as either manual or automated controls. Automated controls are commonly referred to as IT controls and include IT general controls (ITGC), IT application controls, and IT-dependent manual controls, as discussed in Chapter 6. Now let’s look more closely at how both manual and automated controls are used to prevent or detect misstatements.

Preventive and Detective Controls Preventive Controls Preventive controls are those applied to each transaction during normal processing that are intended to stop fraud or errors from occurring. Preventing errors during processing is an important objective of every accounting system. Illustration 8.2 shows examples of preventive controls and some of the WCGWs each control is designed to prevent.

Assertion

WCGW

Preventive Control

Valuation and allocation

Sales occur that may not be collectible.

The software application will not allow a sale to be processed if a customer has exceeded its credit limit.

Occurrence

Fictitious employees are paid.

Employees are not eligible to be paid without an IT application control matching a valid employee ID number to the employee master file and hours worked to an authorized time sheet.

Accuracy

Sales are recorded at an incorrect amount.

Sales invoices are automatically priced using the information in the price master file.

Classification

Transactions are classified and posted to incorrect accounts.

The account coding on each purchase order is checked by the software application to a table of valid account numbers, and then various logic tests are performed by the application.

When designing controls, consideration is given to WCGW with the transaction (the risk of material misstatement) at the assertion level. Preventive controls do not always have physical evidence indicating whether the control was performed, who performed it, or how well it was performed. Many preventive controls result in error messages that require employees to enter valid information before the transaction is processed; however, these controls do not leave a documentary audit trail. In other cases, there may be evidence that the control

preventive controls  controls applied to each transaction that stop fraud or errors from occurring

illustration 8.2   Examples of preventive controls

8-8  Ch apt e r 8  Risk Response: Performing Tests of Controls

was performed, but evidence as to the effectiveness of the control may not be available. For example, the signature of a staff member on a receiving report indicates the signer agreed the goods were physically received into the warehouse, but it does not guarantee that the person carefully reviewed the report, or the person agreed the quantities of each item on the receiving report. The documentation may have been signed based on only a quick glance or without any review at all. Thus, goods may be recorded that do not exist, excess goods may have been received but not recorded, or the goods received may not match the goods ordered and recorded. Having a staff member’s signature, without the ability to reperform the control, does not provide the quality of evidence for the auditor to conclude that the control operated effectively throughout the reporting period. An absence of effective preventive controls increases the risk that errors or fraud may occur and therefore increases the need for controls that are sensitive enough to detect these errors should they occur.

Detective Controls detective controls  controls applied after transactions have been processed to identify whether fraud or errors have occurred, and to rectify the fraud or errors on a timely basis

Most companies design detective controls to ensure that if preventive controls are not effective, errors or fraud are detected and corrected on a timely basis. Detective controls are those applied after transactions have been processed to identify whether fraud or errors have occurred, and to rectify the fraud or errors on a timely basis. Companies put detective controls in place to assist management in ensuring WCGWs do not occur in financial reporting and that the business is functioning as planned through the design and implementation of its business processes. Often detective controls are applied using IT application controls. For example, to generate sales invoices, a software application may electronically match every sales order with an underlying shipping document to ensure a sales transaction that is about to be recorded actually occurred. If the software application is not able to match the sales order with the underlying shipping document, the transaction is not processed and it is reported on an exception report for manual follow-up. It is important to note that the effectiveness of the control depends both on the effectiveness of design of the software and the effectiveness of the manual follow-up. Detective controls vary from client to client to a greater extent than preventive controls. Detective controls can depend on the nature of the client’s business processes and on the competence, preferences, and imagination of the people who perform the controls. Detective controls may be formally established procedures such as the preparation of a monthly reconciliation and the subsequent follow-up of unusual items. Alternatively, an accountant may keep a list of standard month-end journal entries to post monthly to use as the basis for identifying and following up on any exceptions. It is important that detective controls: 1.  Completely and accurately capture all relevant data. 2.  Identify all potentially significant misstatements (e.g., address all relevant assertions). 3.  Are performed on a consistent and regular basis. 4. Include follow-up and correction on a timely basis for any misstatements or issues ­detected. There are many examples of detective controls, including the following: •  IT application controls and manual follow-up. Reports are automatically produced showing transactions that fall outside a set of parameters selected by the client. These exceptions are then reviewed, and appropriate action must be taken on each item. For example, a report may be produced that shows all sales orders written to customers who have exceeded their credit limits. The credit manager then follows up on these sales orders with the salesperson to ensure no further sales are made until the balance is brought below the credit limit. In rare cases, the credit manager might allow the customer to go over its credit limit. •  R  econciliations are prepared, unusual items are then investigated, and issues are resolved or corrections made, if necessary. The performance of reconciliations without following up on reconciling or unusual items is not a control. The control is the follow-up. Typical

  Types of Controls  8-9

reconciliations are performed between the general ledger and some other form of external evidence or a subsidiary ledger. For example, the bank reconciliation reconciles the bank statement to the cash account recorded in the general ledger, and accounting ­personnel make adjustments for transactions identified in the bank statement that have not been recorded (e.g., recording bank service charges). •  Management level reviews consist of actual performance versus budgets, forecasts, prior periods, competitors (if available), or industry averages (if available). Management’s ­actions in analyzing and following up on unexpected variances is a detective control. For example, the financial controller may review the monthly results and compare the number of days’ sales outstanding to previous periods to ensure the allowance for doubtful accounts is reasonable. •  Performance indicators relate different sets of data, operational or financial, to each other. These indicators, together with an analysis of the relationships and the subsequent follow-­­up of anomalies, are also control activities. The auditor needs to understand whether the client uses the information for operational purposes only (to assist in making operating decisions), or whether the client uses it to also follow up on unexpected results in the financial reporting system. If the information is only used for operational purposes, it is unlikely that the auditors will gather a significant amount of audit evidence to assist them in the integrated audit. Performance indicators include, for example, purchase price variances, inventory ordered but not yet manufactured, and percentage of sales returned compared to total sales orders. By investigating unexpected results or unusual trends, the client may identify issues in the underlying procurement or manufacturing processes. Illustration 8.3 shows examples of detective controls and some of the WCGWs each control is designed to address. Assertion

WCGW

Detective Control

Completeness

Shipment of goods is neither billed nor recorded in the sales journal or in the general ledger.

The software application compares all bills of lading with sales invoices. If differences are revealed, a report is generated for review and follow-up by the billing supervisor.

Occurrence

Revenue is recorded for items that have not been shipped and revenue is recognized prematurely.

The software application compares all sales invoices with underlying shipping information on the bills of lading and packing slips with sales invoices. If differences are revealed, a report is generated for review and follow-up by the billing supervisor.

Completeness, Occurrence, Cutoff

Cash is received but not recorded in the general ledger; payments are made but not recorded; cash receipts or cash payments are not real or not recorded on a timely basis.

Bank reconciliation identifies unexpected outstanding items (e.g. unexpected or large deposits in transit, checks, or bank charges processed by the bank but not recorded in the general ledger), which are followed up.

Completeness, Classification

There are unrecorded billings and errors in classifying sales or cash receipts.

Credit balances in accounts receivable are reviewed monthly to determine their causes.

Accuracy

Among other things, errors are found in the number of units, or unit prices are calculated or applied incorrectly.

The sales manager reviews daily shipments, total sales, and sales per unit shipped.

When assessing detective controls it is not necessary for the auditor to reperform all of the steps in, for example, preparing a reconciliation to gain sufficient evidence that the control is operating effectively. It is normally enough to make inquiries of staff and examine evidence that the reconciliation was properly completed and that the appropriate reviews and follow-­ ups were carried out by the client in a timely manner.

illustration 8.3   Examples of detective controls

8-10  C h apte r 8  Risk Response: Performing Tests of Controls

Preventive and Detective Controls Compared Detective controls are often accompanied by physical evidence such as exception reports or monthly reconciliations. This is in direct contrast to preventive controls, which tend to be dependent on IT. Preventive controls are often driven by error messages that are part of the particular software used by the company, and therefore there is no physical evidence of the control. Often, a specialist with IT skills is required to audit ITGCs and IT application controls, depending on how sophisticated the client’s IT system is. Therefore, the auditor is more likely to identify detective controls as “key controls” to test and evaluate. Note, however, that some detective controls are more effective when the underlying data and transactions (and therefore preventive controls) can be relied upon. Therefore, it is important to gain an understanding of the preventive controls in addition to the detective controls to which they relate before developing an audit strategy. For example, the review and follow-up of a monthly management report that compares actual results to budget results would be ineffective if there were no evidence available to show that the budgeted amounts were the approved amounts and the actual amounts were the total of the transactions recorded in the general ledger. In addition, the auditor needs to obtain evidence that the underlying transactions are captured and recorded properly. This is ordinarily done via the identification and testing of the underlying preventive controls. Also, the monthly comparison needs to be at an information level detailed enough to identify material misstatements, and the review and follow-up needs to be performed by supervisory personnel on a timely basis. Detective controls can be applied on a transaction-by-transaction basis, or on reconciliations that test the accumulation of transactions. An auditor might identify IT application controls that screen transactions on a transaction-by-transaction basis. If such controls are important to the audit strategy, the auditor must also identify and test the appropriate manual follow-up of exceptions that are identified by the application control. In computerized environments, detective controls can often be tested effectively and efficiently. This is because preventive and detective controls are accompanied by direct evidence as to the effectiveness of their operation (for example, review and follow-up of exception reports) or the auditor is able to reperform the control to ensure it is operating effectively. This is discussed in more detail in the following section “Manual and Automated Controls.” Reconciliations are ordinarily performed less frequently than preventive controls (e.g., bank reconciliations are performed monthly). In this case, a high degree of assurance the controls operated effectively throughout the period of reliance can be obtained by examining a relatively small amount of evidence.

Cloud 9 - Continuing Case Ian asks Josh about the types of controls that are normally used in a company like Cloud 9. Josh explains that it is useful to start by classifying controls as automated, manual, IT-dependent manual, or IT general controls. However, Ian’s focus should be on considering whether each of these controls prevents an error occurring in the first place, or whether the control is designed to detect an error that has already occurred, so it can be brought to someone’s attention. Josh gives Ian an example of a preventive control at Cloud 9. Based on his conversation with Carla Johnson, the financial controller, he has discovered that the computerized payroll system checks to make sure each employee is on the master payroll file before the transaction is processed further. However, Ian must determine who has access to change the master payroll file. Also, how does the client ensure the completeness and accuracy of the master payroll files?

Josh also gives Ian an example of a detective control at Cloud 9. Carla told Josh about an incident that happened earlier in the year. In February, a large group of employees were given a retroactive pay raise. When this payroll was processed, the software application produced an exception report. It turned out that some of the employees who were eligible for the retroactive payment had left the company and did not work during the affected payroll period. The IT application control checked to make sure that each employee actually worked during the period before processing the payroll for the time period. As a result, Carla had to personally approve payment of the retroactive payroll that was due to employees who did not work during the affected period. The software identified a potential misstatement, and the manual follow-up also did its job.

Manual and Automated Controls As the auditor considers preventive and detective controls, the auditor must also consider the degree to which controls are manual or automated. In this section, we discuss manual

  Types of Controls  8-11

controls and review automated, or IT, controls that were covered in Chapter 6. Illustration 8.4 shows the types of controls and how they are interrelated. The illustration also shows that both manual and automated controls have the potential to be preventive or detective controls.

IT general controls

illustration 8.4  

Detective

Detective

Types of controls

IT Application Controls

Preventive

ITdependent manual controls

Preventive

Manual

Manual Controls Purely manual controls are those that do not rely on the client’s IT environment for their operation. An example is a locked inventory cage for high dollar-value items to which only a few authorized staff have a key to access. However, manual controls may use IT-produced information from third parties. For example, a client may reconcile the amount of inventory held on consignment that was manually counted during its inventory count to the amounts listed in the third party’s IT-generated consignment inventory statement. There are very few, if any, companies that do not use some form of IT to assist in transaction processing, and most controls rely on IT in some way (refer to the section “IT-Dependent Manual Controls” below). In most situations, purely manual controls are preventive controls and, therefore, the considerations for an effective preventive control, listed in the section “Preventive Controls,” are particularly important.

Automated Controls Controls generally rely on the client’s IT applications (or software) in some way, as discussed in the Chapter 6 section “Information Technology Controls.” It is important to identify the extent of reliance a control places on IT to determine the effect of IT on the evaluation of controls. The key consideration for relying on automated aspects of controls is to determine whether or not the client has effective ITGCs.

IT General Controls (ITGCs)  ITGCs support the ongoing functioning of the automated (programmed) aspects of preventive and detective controls and also provide the auditor with a ­basis for relying on electronic audit evidence. The auditor needs to identify, understand, walkthrough, test, and evaluate the ITGCs that have been implemented for software applications the auditor plans to rely on, as is done for any other type of control. Ordinarily, an entity has five types of ITGCs in place (as explained in Chapter 6): 1.  Data center and network operations controls. 2.  System software acquisition, change, and maintenance controls. 3.  Program change controls. 4.  Access controls. 5.  Application system acquisition, development, and maintenance controls.

8-12  C h apte r 8  Risk Response: Performing Tests of Controls

ITGCs are important because they impact the effectiveness both of IT application controls and IT-dependent manual controls, as well as potentially affect the reliability of electronic audit evidence the auditor may wish to rely upon during the audit. For example, if a client relies on an application that records a sale and then automatically records and updates the accounts receivable ledger for that particular customer, the client also relies on its IT program change procedures and security to verify that the program and this specific control is not changed without appropriate approval and testing.

IT Application Controls  IT application controls are the fully automated controls that apply to the processing of individual transactions. They are the controls that are driven by the particular software application being used for different business processes, hence the name “application” controls. They include controls such as edit checks, validations, calculations, and authorizations. Application controls may also be important in enforcing the segregation of incompatible duties, particularly in large organizations. A common test of IT application controls involves the auditor entering test data into the client’s software application while the application is under the auditor’s control. For example, if the client has an authorization control that checks that (1) the customer is an authorized customer, and (2) that the customer has not exceeded its credit limit, the auditor will submit test data involving both valid and invalid customers and test data where one customer is over, and another customer is under, its credit limit. The software application should accept appropriate transactions and reject other transactions that do not meet the control criteria. However, as noted in Chapter 6, the effectiveness of the software application also depends on the effectiveness of manual follow-up of items that the software identifies as exceptions. IT-Dependent Manual Controls  In many situations, the auditor identifies a preventive or detective control that has both manual and automated aspects to it. These are referred to as IT-­dependent manual controls. For these controls, consideration is given to both the manual and the automated aspects. For example, management reviews a monthly variance report and follows up on significant variances. Because management relies on the IT-generated report to identify the variances, the auditor also needs to check that there are controls in place to ensure that the variance report is complete and accurate. When evaluating the completeness and accuracy of IT-produced information, before the auditor can rely on the information he or she needs to identify the source and the controls that ensure the information is complete and accurate. This testing can either be performed directly on the report in question or, alternatively, testing can be performed on the overall application that produces the report and the relevant ITGCs, which then removes the need to test the actual report.

Professional Environment PCAOB Evidence on Tests of Controls In 2012 and again in 2013, the PCAOB released some troubling results of inspections of audits of internal controls over financial reporting. In 2012, the PCAOB issued a report, Observations from 2010 Inspections of Domestically Annually Inspected Firms ­Regarding Deficiencies in Audits of Internal Control over Financial Reporting.2 This report summarized the results of 309 inspections of integrated audit engagements. The report’s findings include the following: •  In 46 of the 309 integrated audit engagements, or 15%, that were inspected in 2010, inspections staff found that the firm, at the time it issued its audit report, had not obtained sufficient audit evidence to support its audit opinion on the

2

effectiveness of internal control due to one or more deficiencies identified by the inspections staff. •  In 39 of those 46 engagements, or 85%, where the firm did not have sufficient evidence to support the internal control opinion, the firm also did not obtain sufficient audit evidence to support the financial statement audit opinion. These engagements represent 13% of the 309 integrated audit engagements that were inspected. •  These deficiencies also revealed weaknesses in some audit firms’ systems of quality control of such significance that, in the Board’s view, required remediation.

PCAOB, Observations from 2010 Inspections of Domestically Annually Inspected Firms Regarding Deficiencies in Auditors of Internal Control over Financial Reporting (Washington, DC, December 10, 2012).

  Procedures for Testing Controls  8-13 •  Obtain sufficient evidence to update the results of testing of controls from an interim date to the company’s year-end (i.e., the roll-forward period).

Subsequently, in 2013, the PCAOB issued Staff Audit Practice Alert No. 11, Considerations of Audits of Internal Control over ­Financial Reporting.3 This report summarized audit practice ­issues observed by the PCAOB inspections staff over the three ­previous years. Significant auditing deficiencies that had been cited ­frequently in PCAOB inspection reports included the following deficiencies in which audit firms did not: •  Identify and sufficiently test controls that were intended to address the risks of material misstatement. •  Sufficiently test the design and operating effectiveness of management review controls that were used to monitor the results of operations.

•  Sufficiently test controls over the system-generated data and reports that support important controls. •  Sufficiently perform procedures regarding the use of the work of others. •  Sufficiently evaluate identified control deficiencies. As you read the remainder of this chapter, it would be helpful to focus on the types of activities that would prevent these types of audit deficiencies.

Before You Go On 2.1  What are the different types of controls? 2.2 Which type of control, preventive or detective, is usually a more effective control type to test? ­Explain your answer. 2.3  What is the difference between an IT application control and an IT general control?

Procedures for Testing Controls Lea rning Objective 3 Explain the types of evidence that can be used to support a test of controls. Tests of controls (or controls testing) are the audit procedures performed to test the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level. Tests of controls include inquiry, observation, inspection of physical evidence, reperformance, and various data analytics techniques. Ordinarily, a combination of these testing procedures provides the evidence that the control operated as intended throughout the period for which the auditor wishes to place reliance on the control. Each of these tests is discussed below.

Inquiry This procedure involves the auditor using questioning skills to determine how the control is completed and whether it appears to have been carried out properly and on a timely basis. For example, the auditor may ask the employee who prepares the bank reconciliation how reconciling items are identified, the reasons for them, and the procedures in place to ensure that the accounting records are corrected on a timely basis. The auditor may also ask management how it ensures the reconciliation is prepared correctly and on a timely basis. In addition, the auditor might ask questions of employees who follow up on exception reports about the types of misstatements that employees find and how exceptions are cleared. Finally, while inquiry is helpful, it does not stand on its own in terms of quality of evidence. Important information obtained through inquiry should be corroborated with other evidence. 3

PCAOB, Staff Audit Practice Alert No. 11, Considerations for Audits of Internal Control over Financial R ­ eporting (Washington, DC, October 24, 2013).

tests of controls or controls testing  audit procedures designed to evaluate the ­operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level

8-14  C h apte r 8  Risk Response: Performing Tests of Controls

Observation This procedure involves the auditor observing the actual control being performed. For example, the auditor may observe the preparation of the bank reconciliation. The limitation with this technique is that employees often perform procedures more diligently when they know they are being observed. Observation is also important to identifying appropriate segregation of duties.

Inspection of Physical Evidence This procedure relies on the auditor testing the physical evidence to verify that a control has been performed properly. For example, the auditor may inspect initials and dates on a bank reconciliation, or trace certain amounts on the bank reconciliation to the accounting records or to other documents (for example, a bank statement) to gain evidence that the procedures were properly performed. Also, auditors may read some or all of the reconciliations for other periods and examine the reconciling items to determine whether the reconciliation routinely detected errors and whether those errors were appropriately dealt with. ITGCs often result in documented evidence of authorization of program changes or testing, and other reports of system access that provide important evidence associated with these controls.

Reperformance This procedure involves the auditor reperforming the control to test its effectiveness. For example, the auditor may test the effectiveness of manual follow-up by reperforming the ­follow-up procedures to see that items put on an exception report were appropriately cleared. In some smaller organizations, the auditor might find manual controls where an independent person checks the accuracy of the software program’s output to its input. If the auditor wants to test this control, the auditor must find evidence that the control was performed on a timely basis and then reperform the control to make sure it was performed correctly.

Software-Based Audit Techniques The auditor might use a variety of software-based techniques to test controls. A common technique involves submitting test data to the client’s software application while the application is under the auditor’s control. Submitting auditor test data to the client’s application will allow the auditor to verify that the application is functioning as designed. When the auditor uses test data to test an IT application control, the auditor needs the following package of evidence to gain assurance that the control functions properly throughout the period: 1.  Test data that shows that the program properly identifies exceptions. 2.  Evidence that IT general controls are strong, to conclude that the program has not been subject to unauthorized changes. 3.  Evidence that manual follow-up procedures are effective and correct items flagged by the IT application control on a timely basis. In addition, in various circumstances the auditor might use a form of ADA to test controls. For example, let’s assume that transactions are both authorized and approved electronically, and the software electronically tracks the individuals authorizing or approving transactions. Subsequently, the auditor might use audit software to identify any transactions for which the individual authorizing the initiation of a transaction and the approval of the transaction for payment were the same. Alternatively, let’s say that the policy in a private company is that all purchases over $500,000 must be approved by the CEO. The audit software can identify all transactions over $500,000 and extract any that do not have the CEO’s approval.

  Selecting and Designing Tests of Controls  8-15

Audit Reasoning Example  How to Test a Control Elena Hauge (an audit senior) is talking with Tonya Tran (a seasoned audit staff member) about testing controls on the audit of Midwest Wholesale Foods. The client produces a daily report listing each sales invoice and gross margins for each sale. Each morning, the sales manager reviews the report and investigates invoices with unusually high or low gross margins. Elena asks Tonya, “How do you want to test this control?” Tonya responds, “Inquiry of the sales manager about what he finds and how he resolves discrepancies might be an option, but it does not, by itself, provide sufficient evidence to conclude that the control is operating effectively. I am also concerned about reviewing the reports and looking for the initials of the sales manager. Based on the initials of the sales manager, we cannot conclude that a thorough review and appropriate follow-up was performed. In addition to the initials, we would also need to reperform the control on a sample basis. If we identify transactions with high and low gross margins, and determine they were handled appropriately, this provides additional corroboration that the control operated effectively.” Elena responds, “It sounds like you have done this before. I like your logic.”

Cloud 9 - Continuing Case On a previous audit, Ian tested IT-dependent manual controls in the payroll cycle for a not-for-profit organization. These were human checks of the IT output, and Ian reperformed the control for a sample of payroll transactions. However, Ian is less sure about how they could test the IT controls in the payroll system because the process at Cloud 9 is fully automated. Josh explains that one possible test is to feed dummy data into the system to see if an employee who is not

on the master file is rejected. Also, they can use software-based techniques to test the client’s applications and produce reports to diagnose the performance of that part of the application. Josh then explains that if they rely on automated controls, they must test the manual follow-up procedures that clear any exceptions that are flagged by the software. The combination of software-based techniques and reperformance of manual follow-up procedures will be needed to test the automated controls.

Before You Go On 3.1  Explain five different techniques for testing controls and provide an example for each. 3.2 When would an auditor most likely perform observation and inquiry procedures on a control? 3.3 Give an example of the package of evidence that is needed to test an IT application control that matches every sales invoice to an underlying bill of lading to ensure that revenue is properly recognized.

Selecting and Designing Tests of Controls Lea rning Objective 4 Determine how to select and design tests of controls. The section “Procedures for Testing Controls” discussed different procedures used to collect evidence that internal controls are operating effectively. The auditor needs to match the appropriate procedure to the control that has been selected for testing. Three additional areas that require

8-16  C h apte r 8  Risk Response: Performing Tests of Controls

a large degree of professional judgment are deciding (1) which controls should be selected for testing, (2) the extent of tests of controls, and (3) the timing of when to perform tests of controls. These areas are explained in the following sections.

Which Controls Should Be Selected for Testing? When performing an integrated audit (to issue an opinion on the financial statements and an opinion on ICFR), the auditor uses a top-down approach to determine which controls to select (AS 2201.21). The auditor begins by understanding the entity and the business, and determines the risk of material fraud or error at the financial statement level. The auditor then focuses on entity-level controls (the control environment, the strength of risk assessment and monitoring controls, and ITGCs). Effective monitoring controls can provide assurance that transaction-level controls are effective and, therefore, monitoring can provide some evidence about the effectiveness of transaction-level controls, thus reducing the testing of those controls. The auditor then works down to transaction-level controls related to significant accounts, disclosures, and related assertions that present a reasonable possibility of material misstatement in the financial statements. The auditor needs to sufficiently perform tests of controls at both the entity and transaction levels to provide reasonable assurance about whether material weaknesses exist as of the date of management’s assessment of ICFR. Auditors do not need to test each and every client control. Rather, auditors identify key controls that might be relevant to financial statement assertions and WCGW. Illustration 8.5 summarizes key factors that influence the auditor’s decision about which controls should be selected for testing. For example, if there is a high risk of material fraud related to an as-­ sertion, the auditor will want to test controls over that assertion. Where there are multiple controls related to one assertion, the auditor will need to determine which control is most likely to ensure that fraud or error does not occur if other controls fail. This would then be the key control that the auditor would test. The auditor also needs to consider whether the effectiveness of one control depends on the effectiveness of other controls. For example, if the auditor wants to rely on IT application controls, the auditor needs to test the application control and the IT general controls (to gain assurance that the software functioned as designed throughout the period), and manual follow-up of exceptions that are noted by the software. ILLUSTRATION 8.5  

Factors commonly considered when identifying controls to test

Factors to consider when identifying controls to test: •  Points at which error or fraud could occur. •  The nature of the control implemented by management. •  The significance of each control in achieving the objectives of the control and whether more than one control achieves a particular objective. •  Factors that affect the risk that the control might not be operating effectively, such as: º Whether there have been changes in the volume or nature of transactions that might adversely affect control design or effectiveness. º  Whether there have been changes in the design of the controls. º  The degree to which the control relies on the effectiveness of other controls (e.g., the control environment or IT general controls). º Whether there have been changes in key personnel who perform the control or monitor its performance. º  Whether the control relies on the performance by an individual or it is automated. º  The complexity of the control.

When looking for controls that are reliable, and have a high likelihood of operating as intended, the auditor considers the following factors: •  The competence (and integrity) of the person who performs the control. •  The quality of the control environment, such as the potential for management to override the control or for the control to be bypassed.

  Selecting and Designing Tests of Controls  8-17

•  Changes in the accounting system that may have occurred. •  Unexplained changes in related account balances. •  The auditor’s prior-period experiences with the engagement. In the audit of a private company (when an auditor is only issuing an opinion on the financial statements), an auditor’s tests of controls are largely dictated by the planned audit strategy. When auditing a private company, it may sometimes be more efficient to forgo tests of controls and test an assertion substantively. For other assertions, performing tests of controls may allow the auditor to change the timing of substantive tests from year-end to an interim date, change the nature of substantive tests, and reduce the extent of substantive testing. Also, the best controls to test are those that address the WCGWs most effectively with the least amount of testing required (efficient ­testing strategy).

The Extent of Tests of Controls When testing controls, the auditor can use either statistically based sampling techniques or nonstatistical techniques to determine the extent of testing. There are a number of factors to consider when deciding on the extent of tests of controls. Illustration 8.6 summarizes the factors that influence sample size for tests of controls. illustration 8.6   Factors that influence the sample size when testing controls

Larger Samples

Factor (Relationship to Sample Size)

Smaller Samples

Tolerable deviation rate of the population to be tested (Inverse)

The larger the rate of deviation from the prescribed control procedure that the auditor can tolerate, the smaller the sample size.

Higher levels of assurance dictate larger sample size.

Desired level of assurance that the tolerable rate of deviation is not exceeded by the actual rate of deviation in the population (Direct)

Lower levels of assurance dictate smaller sample size.

The closer tolerable deviation rate and expected deviation rate are to each other, the larger the sample size.

Expected rate of deviation of the population to be tested (Direct)

The greater the amount of difference between tolerable deviation rate and expected deviation rate, the smaller the sample size.

The larger the population, the larger the sample size.

The number of sampling units in the population, if the population size is very small (Direct)

The smaller the population, the smaller the sample size.

Population size larger than 5,000 (No Effect)

Population size does not affect sample size.

The smaller the rate of deviation from the prescribed control procedure that the auditor can tolerate, the larger the sample size.

Population size does not affect sample size.

First, the tolerable deviation rate is the maximum rate of deviation from a prescribed control that an auditor is willing to accept and still use the planned control risk. The AICPA Audit Guide: Audit Sampling includes the guidelines presented in Illustration 8.7 for quantifying an acceptable range for the tolerable deviation rate. Note the relationship between the tolerable deviation rate and the planned assessed level of control risk. If the auditor plans to assess control risk as low, for example, the tolerable rate should be between 2% and 7%. The auditor will not be able to tolerate many deviations if the planned control risk is low. Planned Control Risk

Range of Tolerable Deviation Rate

Low

2%–7%

Moderate

6%–12%

High

11%–20%

tolerable deviation rate  the maximum rate of deviation from a prescribed control that an auditor is willing to accept and still use the planned assessed level of control risk

ILLUSTRATION 8.7    

AICPA guidelines for   quantifying tolerable   deviation rate

8-18  C h apte r 8  Risk Response: Performing Tests of Controls desired level of assurance  the confidence that the evidence obtained is representative of the underlying population from which the sample was taken

Next, the auditor should consider the desired level of assurance that the tolerable rate of deviation is not exceeded by the actual rate of deviation in the population. This addresses the assurance the auditor wants from the performance of the controls, or confidence that the evidence is representative of the population. There is a direct relationship between assurance and sample size. The more assurance the auditor wants, the more representative a sample should be of the population, and the more testing the auditor needs to do. That is, if the auditor intends to assess control risk at a low level, he or she performs more testing than if he or she is planning to obtain only limited assurance from tests of controls. Therefore, the assurance that the tolerable rate of deviation is not exceeded by the actual rate of deviation is influenced by: •  The degree to which the auditor intends to rely on the control as a basis for limiting substantive tests or for supporting an opinion on ICFR. •  The existence of a combination of controls that may reduce the level of assurance that might be needed from any one of the controls. •  The relative importance of the WCGW issues being considered.

expected rate of deviation in the population  the rate at which the auditor expects controls not to function as planned

The expected rate of deviation in the population is the rate at which the auditor expects controls to not function as planned. This is usually based on prior experience with the entity, evidence obtained through a system walkthrough, and the auditor’s professional judgment. Auditors often perform tests of controls only when the expected deviation rate is very low (e.g., less than 1% or 2%). This may seem counterintuitive, but consider this. If you expect a high rate of deviation in the population for a certain control, then why waste time testing the control only to find out that you are right and the control fails at a high rate? In this situation, it is more efficient for the auditors to take a primarily substantive strategy and focus on auditing transactions and account balances instead of testing controls. Auditors only test controls if the expected deviation rate in the population is very low. The control test will confirm (or deny) that the control is indeed working as expected. If the testing confirms that the control can be relied upon, then the auditors can continue with a reliance on controls strategy. When considering the size of the population, the auditors should determine how often the control is performed. Not all controls are applied to every transaction. Some controls may operate daily, monthly, or quarterly. Illustration 8.8 provides an example of how many tests of each control might be performed depending on the frequency of the control in question, and the assurance that the auditor wants that the tolerable rate of deviation is not exceeded by the actual rate of deviation in the population. The selection of how many instances of a control to test involves significant professional judgment. Illustration 8.8 is only an example, and two different auditors are likely to design two different plans for determining sample size. Also note that this illustration is based on an expectation that internal controls are strong, and

ILLUSTRATION 8.8   Example of an extent of testing table

More Assurance Frequency of the Control

Less Assurance

Reasonable More Than Limited Assurance from Assurance from Tests of Controls Tests of Controls

Limited Assurance from Tests of Controls

Expected number of deviations from the prescribed control

None

None

None

> 5,000 instances

45–50

25–30

10–15

Daily or multiple times a day

45–50

25–30

10–15

8

5

2

Weekly Monthly

3

2

1

Quarterly

2

2

1

Annually

1

1

1

IT application control (effective ITGCs)

2

2

2

IT application control (ineffective ITGCs)

45–50

25–30

25–30

  Selecting and Designing Tests of Controls  8-19

no deviations are expected. The sample size varies depending upon the assurance the auditor wants from tests of controls. In other words, must the auditor issue an opinion on ICFR (for a public company client), and to what degree does the auditor want to reduce substantive testing based on reliance on controls relevant to an assertion? For example, bank reconciliations are a monthly control. If the auditor wants to obtain reasonable assurance that bank reconciliations are functioning as designed, the auditor might select three bank reconciliations for tests of controls from throughout the year. If, however, only a limited level of assurance from the controls testing is required, only one occurrence of the control would be tested from throughout the year. In the latter case, the auditor will do more substantive testing of cash balances. Tests of various manual controls that are accompanied by an initial or signature of someone who performed the control would require (1) testing to see that the person performed the control by leaving their initial and then (2) reperforming the checking routine itself (for example, reperforming that the price, extensions, and totals have been checked). The extent of such tests is a matter of professional judgment but, as seen in Illustration 8.8, very large sample sizes are not necessary. When the client has a strong system of internal control and the auditor expects that no control exceptions or deviations will be observed, a random sample of, say, 45 to 50 items provides evidence that controls operated as intended (that is, the control was effective). The example sample sizes in Illustration 8.8 have been calculated using audit risk tables and a technique called attribute sampling, a sampling technique used to reach a conclusion about a population in terms of a rate (frequency) of occurrence. For instance, a sample of purchase vouchers can be examined for signatures of a manual control that the voucher was checked for occurrence, accuracy, and account classification. Exceptions would be represented by either a missing signature, or by a voucher with a signature but with evidence that the good or service received was recorded in incorrect quantities, the voucher had incorrect amounts, or the voucher had an incorrect account classification. Each sample item provides one of only two possible outcomes: (1) the attribute being tested (a signature, evidence of occurrence, correct prices, and correct account coding) functioned effectively, or (2) it did not operate as intended. For example, let’s say a local government has a manual control where each purchase transaction is reviewed by a second individual before payment is made, and there are approximately 750 to 1,000 transactions a month (more than 5,000 transactions a year). The auditor plans to rely on this control and assess control risk as low. The auditor can take a sample of 45 transactions out of the year to test this control. Note that the auditor expects no deviations, based on the table in Illustration 8.8. If one deviation is found, the auditor cannot assess control risk as low. Depending on the number of deviations found, the auditor may have to assess control risk as moderate or high. Consider another example. The audit client may have an IT application control that compares each purchase with underlying purchase order and receiving information. If there are any discrepancies, the software should reject the transaction. The auditor can use test data and test the programmed control with a sample size of two: one transaction that the software should accept and one transaction that it should reject. If the software fails to properly process either transaction, the control cannot be relied upon. Attribute sampling by itself does not provide a direct estimate of dollar values, such as the dollar amounts of exceptions. That is why attribute sampling is used for tests of controls (rather than for a substantive test of account balances). Nevertheless, the auditor is able to determine with a certain level of confidence (90% or more) that the error rate for control ­exceptions (deviations) is acceptably low. If the audit objective is to obtain evidence directly about a dollar amount being examined, the auditor is performing a substantive test, not a test of controls. When determining whether there is a control exception or not, the auditor should focus on whether the control functioned as designed, or not. If the control did not function as designed, irrespective of whether the control failure resulted in a monetary misstatement, there is a control exception and a deviation from the prescribed control. The small sample sizes noted in Illustration 8.8 are based on the assumption that internal controls are strong, and the auditor does not expect any deviations from the prescribed control procedures. If the auditor expects deviations, the auditor will use larger sample sizes. Regardless of the size of the sample, all control exceptions (deviations), including those

attribute sampling  a sampling technique used to reach a conclusion about a population in terms of a rate (frequency) of occurrence

control exception (deviation)  an observed condition that provides evidence that the control being tested did not operate as intended

8-20  C h apte r 8  Risk Response: Performing Tests of Controls

accompanied by monetary misstatements, are investigated by the auditor. The auditor should be careful not to dismiss an observed control exception as a random or a nonsystematic occurrence. The detection of one control exception should result in the auditor extending the sample size, amending the auditor’s decision to rely on that control, or considering whether another control is available that can be substituted for the control being tested (often referred to as a compensating control).

Cloud 9 - Continuing Case Talking with Josh about the factors that have to be considered when deciding how much control testing to do helps Ian appreciate his task. He realizes that his previous understanding of a reliance on controls strategy was too simple. Gathering evidence about the effectiveness of controls in order to reduce reliance on substantive testing does not mean that the auditor has to test every control in the same way. Ian realizes that if the evidence that would be produced from testing a control is not very persuasive, there is little point in devoting a lot of effort to testing that control. For example, a preventive control that a supervisor authorizes a transaction only produces evidence of the presence or absence of a signature, not evidence of whether the supervisor was performing the task of reviewing the transaction effectively. Is it worth obtaining evidence by reperformance that the supervisor’s signature was appropriately put on a form authorizing a transaction?

Also, Ian is now starting to understand what Josh means by “key control.” Josh wants to know which of the controls identified for each assertion are likely to be the most effective at preventing the WCGWs from occurring or detecting them if they do occur. Josh would like to focus testing on these controls and gather sufficient, appropriate evidence to justify reduced substantive testing and to support an opinion on ICFR. For example, several controls are usually designed to prevent or detect errors and misstatements in inventory and sales. In the wholesale sales area at Cloud 9, these controls include signed delivery receipts, and policies requiring undelivered goods to be returned to the warehouse at night. Other controls include the use of electronic scanners and matching and authorizing documents in the dispatch and invoicing process. Ian must identify a key control for each assertion in the sales cycle and inventory control cycle. At the transaction level, Ian must identify one strong control for each assertion, or a strong control that covers several assertions.

IT Application Controls When the auditor decides to rely on IT application controls, the auditor must use a more complex testing strategy. As noted in Illustration 8.8, the auditor can often test a key decision point in a software application with a sample size of two. For example, if the auditor is testing an IT application control that notes an exception of an employee who is not on the master payroll file, the auditor can test the software with test data. Recognizing that IT application controls operate in a systematic manner, the auditor will submit one transaction where an employee is on the master payroll file and the software should process the transaction, and a second transaction where an employee is not on the master payroll file and the transaction should be rejected. This is sufficient to determine that the IT application control was functioning when it was tested. However, the auditor must also test the operating effectiveness of: 1.  Controls over program changes, and/or access to data files. Here the auditor is testing the ITGCs. The auditor may choose to test controls over any changes to the payroll program to ensure changes are tested and appropriately approved. 2. Manual follow-up procedures that support the application control. The auditor must focus on how the client follows up on exceptions. For example, if an employee is rejected because he or she is not on the master payroll file, what documentary follow-up is generated to determine why the transaction was submitted to begin with? If this combined testing strategy is not feasible, the auditor can still rely on IT application controls by testing them throughout the period of reliance. Using the master payroll file example above, assume the payroll is processed weekly. The auditor may choose to select a sample of employees for weekly payroll processing from throughout the period and compare the employees with the master payroll file, instead of just testing at a single point in time. (Note: This obtains assurance that the software is functioning correctly. The auditor must also test the effectiveness of manual follow-up of any exceptions noted by the software.) When the client relies on controls over program changes and/or access to data files (ITGCs), it is efficient for the auditor to test these controls as they may support reliance on

  Selecting and Designing Tests of Controls  8-21

s­ everal other application controls (e.g., sales, purchases, payroll). For example, the auditor may decide to do a system-wide test of access to data files for controls that apply to more than one software application. Regardless of which testing strategy is selected, the auditor establishes a basis for concluding that the underlying processing of data is complete and accurate. The procedures to test controls over program changes and/or access to data files are similar to those used to test manual controls, and they usually involve inquiry, observation, and examination of physical evidence. When auditing a private company, the auditor does not need to issue an opinion on ICFR. Therefore, the auditor may plan to obtain only a limited level of assurance from tests of controls and obtain additional evidence from substantive testing. For example, the auditor may plan to obtain evidence from a combination of substantive analytical procedures as well as from substantive tests of details. Using more of a substantive strategy will be discussed in depth in Chapter 9.

Cloud 9 - Continuing Case Making sure that testing covers the key controls and provides sufficient, appropriate evidence of the effectiveness of the controls allows the auditor to support an opinion on ICFR and reduce the control risk of the related assertion. Josh and Ian discuss how they can design the control tests to be able to conclude that each control: •  Operated as it was designed. •  Was applied throughout the period of intended reliance. •  Was applied on a timely basis. •  Encompassed all applicable transactions.

•  Was based on reliable information. •  Resulted in timely correction of any errors that were ­identified. Josh explains that if they can satisfy the above objectives in their design and no exceptions are found when they perform their tests, the control will be deemed to be effective. If any exceptions are found, they need to investigate the circumstances. They need to be careful not to dismiss any exception as a random event, or as unlikely to be a symptom of more extensive problems. Further, they may need to perform additional procedures to obtain sufficient assurance to ensure that a material weakness does not exist. This latter action might require additional testing of another compensating control.

Audit Reasoning Example  Extent of Tests of Controls Tonya Tran is planning to test controls over cash disbursements for Midwest Wholesale Foods (MWF). MWF has manual controls over accounts payable, where a payable clerk matches the vendor invoice with the underlying purchase order and receiving report before booking the liability. This control happens on every transaction so there are approximately 500 to 750 instances of the control in a month, and over 7,000 in a year. Tonya would like to assess control risk as low, so she decides to test controls by taking a random sample of 45 purchase transactions during the first 9 months. Tonya finds two transactions where the client cannot produce vendor’s invoices. Tonya also determined that there were no compensating controls. Tonya’s expected error rate was zero; with two errors in 45 transactions, Tonya has determined that control risk should be assessed as high, rather than low, and that substantive tests should be expanded based on the resulting decrease in detection risk. Tonya also determines that this is a material weakness in internal controls that should be reported to those charged with governance of the entity.

Timing of Tests of Controls Illustration 8.9 lays out the timing of a typical audit for a client with a December 31 yearend. Tests of controls will usually be carried out at an interim date, often about three months prior to year-end. It is preferable to test entity-level controls and ITGCs early in the audit process because the results of this testing could impact the nature, timing, and extent of tests of controls or other procedures the auditor plans to perform. For example, if it is found that the ITGCs are not effective and cannot be relied upon, more extensive testing of application controls will need to be performed if the auditor is planning on relying on applications and software-generated audit evidence.

8-22  C h apte r 8  Risk Response: Performing Tests of Controls ILLUSTRATION 8.9   Timing of the audit

Risk assessment and audit planning

1/1/2022

6/30

Interim testing

9/30

Year-end Issue substantive audit testing report

11/30 1/31 12/31/2022 2/15

3/31/2023

Period covered by the 2022 financial statements

The auditor will also want to complete control testing in time to allow for substantive testing at an interim date. For example, if the auditor is able to conclude that internal controls related to the occurrence of sales and the existence of receivables operated effectively during the first nine months of the year, the auditor is likely to perform substantive tests related to the existence of receivables (sending confirmations to customers) at the end of October. When the auditor concludes that control risk is low at an interim date, the auditor also needs to update that conclusion through to the year-end date. When updating a control risk conclusion, the auditor should update the evaluation by identifying changes, if any, in the control environment and in the controls themselves. If changes are identified, consideration is given to the effect of such changes on their evaluation of the controls. This update is often done by inquiry, observation, and testing the control again at year-end. In most cases, a client may not have made significant changes in the control environment or controls between completion of the interim work and year-end. When this is the case and the auditors have noted an effective control environment and strong monitoring controls, they may satisfy themselves by inquiry, observation, and limited reperformance that controls continued to function throughout the remainder of the period without the need for significant additional detailed tests of controls. In summary, when the auditor decides on a reliance on controls strategy, tests of controls are often performed at an interim date (often about three months prior to year-end). If tests of controls demonstrate that internal controls are strong and function effectively at an interim date, the auditor still must test the remaining period to ensure that controls functioned effectively throughout the year.

Benchmarking benchmarking  an audit testing strategy that can be used to allow evidence obtained in prior audit periods to support a conclusion about IT application controls in the current audit period

Benchmarking is an audit testing strategy that can be used to allow evidence obtained in prior audit periods to support a conclusion about IT application controls in the current audit period. It can also assist in reducing or eliminating certain substantive audit procedures in the current and following audit periods. Benchmarking is based on the premise that software will continue to perform any given procedure in exactly the same way until such time as the program (or application) is changed. If the auditor can verify that a given program that executes an application control has not changed since last tested by the auditor, he or she may decide not to repeat direct tests of the application control in a subsequent period. This period might extend, for example, from interim through to year-end, or beyond into future audit periods. The auditor establishes the benchmark at a point in time (for example, at an interim date) by performing a test of the application control using normal tests of controls (e.g., test data). Then, at a later point in time (for example at year-end), the auditor determines that the application has not been changed or modified since he or she performed the benchmark test of the application control. In order to verify that there have been no changes, it may be necessary for the audit team to use a team member with specialist IT assurance skills. Benchmarking is appropriate when: •  A programmed control can be matched to a defined program within an application (for example, the auditor may be able to benchmark the specific program that performs the invoice extension calculation or interest computation).

  Selecting and Designing Tests of Controls  8-23

•  The application is stable (that is, few changes have happened or are expected to happen from period to period). •  A reliable trail of program changes exists (refer to the previous discussion on ITGCs). This record or trail of program changes is used to identify each change that has been made to the application and how these changes might impact the audit approach. It is a matter of professional judgment as to when it is necessary to re-benchmark an application. Factors to consider in making this assessment are the effectiveness of the ITGCs, the nature and timing of other related audit tests, and the consequence of misstatements associated with application controls that are benchmarked. In some cases, the auditor may choose to rely on benchmarked controls from year to year. In other instances, the auditor may choose only to rely on benchmarked controls between interim and year-end. It is worth noting that while the auditor may not directly test the application in the current period, the auditor must still perform tests of ITGCs and tests of manual follow-up procedures.

Selecting and Designing Tests of Controls— A Summary Illustration 8.10 provides some examples of tests of controls. Examples are provided of both entity-level controls and transaction-level controls. For each control, you will find a summary of what can go wrong (WCGW), the control to prevent or detect and correct a misstatement, the frequency of operation of the control, an example test of control (including sample size), the evidence obtained, and what would represent an exception evidencing that the control was not effective. Most of these examples represent the types of controls an auditor might find in a typical public company. The final example for the transaction-level control is more likely to be used by a smaller private company. All tests of controls should be performed at an interim date, and then performed again at year-end to update the conclusion reached at interim and determine that controls functioned effectively throughout the year. As you work through Illustration 8.10, ask yourself, “Would this be a key control?” Cover up some of the columns before reading the full table, and ask yourself, “What would the sample size be? What evidence would show that the control is effective?” Finally, recall from this chapter’s section “The Extent of Tests of Controls” that a control exception exists if (1) the control is not performed, or (2) if the control is performed in an ineffective manner. Also recall that a control exception (or control deviation) exists if the control did not function as designed. If the control results in a monetary error that is inconsequential in magnitude, it is still a deviation from the prescribed control and should be considered a control exception.

ILLUSTRATION 8.10   Selecting and designing tests of controls—Some examples

Entity-Level Controls

What Can Go Wrong

Example Control

Control Environment

Poor ethics in financial reporting.

Management sets a strong tone at the top about the importance of accuracy in financial reporting.

Frequency of Operation of the Control Operates daily as important accounting decisions arise, or monthly as part of accounting decision making during monthend closing procedures.

Example Test of Controls

Evidence Obtained

Make inquiries of management and a variety of others in accounting about the tone at the top regarding accuracy in financial reporting. Also read any memos regarding important accounting decisions.

Primarily inquiry of a variety of personnel to determine if answers are consistent. Also inspection of physical evidence regarding any memos on important accounting decisions.

Exception to Effective Operation of the Control Evidence from lower levels of the organization about weak tone at the top. Also, any evidence of pushing the envelope with aggressive accounting positions.

(continued)

8-24  C h apte r 8  Risk Response: Performing Tests of Controls ILLUSTRATION 8.10   Selecting and designing tests of controls—Some examples (continued)

Example Test of Controls

Evidence Obtained

Exception to Effective Operation of the Control

Quarterly, or between quarters as significant risks arise.

Make inquiries about risks identified between quarters and actions taken. Select two quarters and inspect documentation of formal quarterly risk assessment to determine the effectiveness of the control.

Inspection of physical evidence documenting management’s risk assessment and implementation of any new controls.

Evidence of failure to consider significant risks, or evidence of failure to place internal controls in place to control significant risks.

Internal auditor performs regularly scheduled tests of controls.

Various tests of control are performed on a monthly schedule, on rotating basis throughout the year.

Randomly select tests of controls performed during three months to reperform the test of controls performed by internal auditors.

Reperformance. The auditor will reperform the tests performed by internal auditors and determine if the same conclusion is reached.

In reperforming tests of controls, the auditor reaches a different decision about the effectiveness of internal control based on the internal audit evidence.

All application changes are monitored. All changes must be tested with test data and approved by user departments before the change is put into production with live data.

By reviewing logs of application changes, the auditor identifies, for example, 10 changes affecting the accounting system through the interim date.

Randomly select three application changes, interview the personnel involved in the change, and reperform controls to confirm that changes were appropriately tested and approved.

Inspection of physical evidence including inspection of logs of application changes, inquiry of personnel involved in reviewing and approving changes, and reperformance of controls over changes to determine that applications were changed as intended.

Any evidence that shows that application changes were not appropriately approved, such as lack of approval of user departments.

Entity-Level Controls

What Can Go Wrong

Example Control

Risk Assessment

Management has not properly assessed risk and may not have effective controls for risks faced by the entity.

Management reviews risks quarterly (or as significant risks emerge), and documents controls intended to respond to risks.

Monitoring

Management does not know how effective controls are.

Information Technology General Controls

Software applications (e.g., revenue application) may not operate as designed.

TransactionLevel Controls IT Application Control

Frequency of Operation of the Control

Frequency of Operation of the Control

What Can Go Wrong

Example Control

Unauthorized sales may be made to customers that are significant credit risks.

Each transaction. Authorization of sales. The software application checks to see that the customer is on the master customer file and compares account balance to credit limit on the customer master file.

Example Test of Controls

Evidence Obtained

Test IT general controls to determine that the program is operating effectively. Submit two transactions to test the program itself: one transaction to ensure the program appropriately accepts a transaction, and one to ensure that the program appropriately rejects a transaction.

Software-based audit techniques. Document the results of submitting test data to test the sales program.

Exception to Effective Operation of the Control Evidence that the software application authorized sales that should not have been authorized, or evidence that the program rejected transactions that should have been authorized based on authorization criteria.

(continued)

  Selecting and Designing Tests of Controls  8-25 ILLUSTRATION 8.10   Selecting and designing tests of controls—Some examples (continued)

TransactionLevel Controls

What Can Go Wrong

Example Control

Manual Follow-Up of Exceptions

Software may identify control failures or errors in processing that are not corrected.

Accounting assistant manager receives exception reports and clears items on exception reports, noting resolution of each item.

Segregation of Duties

Fraud risk is increased without segregation of duties.

Segregation of duties between authorization of sales, shipping goods, and recording sales and receivables.

TransactionLevel Controls in a Private Company IT -Dependent Manual Control

What Can Go Wrong

Example Control

Revenue may be recognized in the wrong accounting period.

Accountant matches softwareproduced sales invoices with underlying bill of lading and terms of sale on sales order to validate revenue recognition.

Frequency of Operation of the Control

Exception to Effective Operation of the Control

Example Test of Controls

Evidence Obtained

Daily.

Select one exception report from each of 45 days, and reperform the manual follow-up procedures to determine that any errors are appropriately corrected.

Reperformance. Document results of tests of controls in a memo explaining sample selected, reperformance performed, and results of tests of controls.

Evidence that items noted as exceptions were not appropriately corrected or resolved on a timely basis.

Segregation of duties must be maintained for each transaction.

Observed segregation of duties while on the client’s premises. Also inspect documents showing evidence of appropriate segregation of duties in the sales process.

Observation and inspection of documents. Write a memo explaining results of observation and any inspection of documents showing results of tests of segregation of duties.

Evidence that duties were not adequately segregated, or that collusion or management override resulted in a breakdown of segregation of duties.

Frequency of Operation of the Control Each transaction.

Example Test of Controls

Evidence Obtained

Select a sample of 25 sales transactions and reperform the manual control to validate that revenue recognition controls functioned effectively on each sample item.

Reperformance. Document results of tests of controls in a memo explaining sample selected, reperformance performed, and results of tests of controls.

Exception to Effective Operation of the Control Evidence that a transaction was not reviewed or tested for proper revenue recognition, or evidence that the employee review was incorrectly performed.

Cloud 9 - Continuing Case Josh and Ian are going over a plan for tests of controls that Ian has developed. As Ian reviews his ideas with Josh, he points out that the plan for testing transaction-level controls in the payroll process is contingent on strong entity-level controls. Since the payroll system is automated, the effectiveness of IT general controls will be important. Josh assures Ian that he and Ian have already been testing IT general controls and other entity-level controls, and that he believes that these controls are effective.

Ian then walks Josh through tests of controls for each assertion in the payroll process. Suzie suggests testing IT application controls with test data; however, she notes that testing the application controls directly is not enough. Based on her walkthrough, when payroll is run twice a month, exception reports are generated. With a population size of 24 payroll periods, she suggests a sample size of 4 payroll periods to reperform the manual follow-up procedures. Josh is happy with the plan and feels that Suzie has a much better understanding of how to design tests of controls.

8-26  C h apte r 8  Risk Response: Performing Tests of Controls

Before You Go On 4.1 Name five factors to consider when deciding the extent of tests of controls to be performed. Give an example of how each factor would result in an increased sample size. 4.2 Explain the audit strategy for testing IT application controls. Why is a sample size of two sufficient for testing an IT application control? What other tests allow the auditor to use this smaller sample size? 4.3  Why does the auditor update the interim evaluation of controls at year-end? 4.4 Explain the concept of benchmarking. Why might it be appropriate not to test a key control that is an IT application control every year? 4.5 Assume that you plan to test the following transaction-level control. In order to ensure that revenue recognized on each sales invoice is accurate and in the correct amount, the software application matches the sales invoice quantities with shipping information and prices with the master price list. Discuss the following: (1) what can go wrong, (2) the frequency of operation of the control, (3) the sample size for tests of controls, and (4) the procedure you would use to test the control.

Results of the Auditor’s Testing Lea rning O bjective 5 Evaluate the results of tests of controls. When performing tests of controls, the auditor makes a “yes or no” decision. For each sample item, was the control effective or ineffective? As discussed previously, the auditor uses smaller sample sizes when the auditor expects no deviations from the prescribed control procedures. Nevertheless, the auditor must be alert for evidence that the control might be ineffective, even if only once or twice. A control would be ineffective if it was not performed, or if it failed to function as designed. An IT application control will be ineffective if it fails to put an invalid transaction on an exception report. Manual follow-up procedures are ineffective if they are not acted upon on a timely basis, or if client personnel fail to clear items noted on an exception report. For example, when performing a bank reconciliation, an accountant might determine that interest received for the month has not been recorded and note it as a reconciling item on the bank reconciliation. If, however, an adjusting journal entry is not made to record the interest earned, the bank reconciliation has not resulted in correcting the error noted (failure to record interest earned). The auditor would conclude this is a control exception. Illustration 8.11 illustrates the decision tree or thought process auditors go through when assessing the results of their controls testing. If the results of tests of controls confirm the auditor’s preliminary evaluation of controls, and control risk for the relevant assertion, the planned substantive audit procedures are not modified. If the test results do not confirm the preliminary evaluation of controls, the auditor will consider whether there is a compensating control that might detect and correct a misstatement missed by the original control being tested. If tests of controls demonstrate that a preventive control that screens every transaction is not as effective as originally planned, it is possible that a reconciliation control might detect and correct the same misstatement on a timely basis. For example, the auditor tested a control that compared every sales bill of lading with each sales invoice to ensure that all sales were recorded, but exceptions were noted—the control did not function as planned. However, the auditor later determined that an independent client employee reconciled total shipments with total billings on a daily basis, and this compensating control should have identified any unrecorded transactions. In this case, the auditor might choose to perform tests of controls on the reconciliation control. If the compensating control proves effective, the evidence now supports the auditor’s preliminary evaluation of controls, and control risk and planned substantive audit procedures need no modification.

 Results of the Auditor’s Testing  8-27

Do tests of controls show that controls are effective?

ILLUSTRATION 8.11   Results of testing controls

NO

For internal control exceptions, do compensating controls exist?

NO

YES YES

YES

Do tests of controls show that compensating controls are effective?

Document results and control risk assessment and proceed with planned audit strategy

NO

Document results, the effect on year-end substantive testing, and the effect on ICFR report (if appropriate)

If the auditor extends the testing and another control exception is identified, the auditor should change the decision to rely on that control. If another (compensating) control is not available to be substituted for the control being tested, or it is not considered efficient to continue testing controls, the auditor should modify (and potentially increase) the nature, timing, and extent of the planned substantive procedures. That is, the audit strategy is altered, and detection risk is reduced. In trying to determine whether there is a need for additional detailed tests of controls, the following factors are considered: •  Results of inquiries and observations. If, during inquiries or observations later in the audit process, the auditor identifies that significant changes to processes and controls have occurred, the auditor’s previous tests of controls may no longer provide a basis for relying on those controls. Therefore, the auditor may need to identify and test other controls, perform additional tests of controls, or change the nature or extent of substantive testing performed at year-end. Changes to processes or controls are significant only if they have implications for the continued functioning and effectiveness of controls on which the auditor is relying in the first place. •  Evidence provided by other tests. Tests of account balances (substantive testing) can often provide evidence about the continued functioning of controls. For example, when the auditor evaluates the results of confirmations of accounts receivable, and no exceptions are found, the auditor has circumstantial evidence that controls over the occurrence of credit sales and the existence of receivables continue to function. To the extent that the auditor’s other audit procedures provide evidence of the effectiveness of controls from the date of interim work to the end of the period under audit, additional tests that otherwise might be necessary can be reduced. •  Changes in the overall control environment. An effective entity-level control environment may allow the auditor to limit tests of controls to inquiry and observation during the period between when they tested the controls (interim) and year-end. If the auditor ­becomes aware of adverse changes in the overall control environment of the entity, such as a loss of employees or management who perform key controls and who provide

8-28  C h apte r 8  Risk Response: Performing Tests of Controls

evidence as to the effectiveness of the overall entity control environment, additional tests of controls may be necessary. If the auditor determines that an effective compensating control does not exist, or tests of controls show that the compensating control is not functioning as designed, the auditor revises the overall audit risk assessment for the related account and assertion, and revises the planned audit strategy. For example, if the tests of controls indicate that a detective control related to the occurrence of sales did not function as prescribed and compensating controls are not available or were not effective, the auditor should revise his or her audit risk assessment (increase control risk), reduce or eliminate the intended reliance on the control, and reduce detection risk by designing more extensive substantive audit procedures related to the occurrence of revenues and the existence of accounts receivable. The auditor always needs to investigate any control exceptions that he or she identifies during testing to find out, to the extent practical, the causes, the amounts involved, the financial statement accounts affected, and the potential effect on other audit procedures. The auditor is required to document the resolution of any control exceptions, including the impact on the remaining audit strategy. Recall from Chapter 6 that the auditor must also determine whether an exception ­represents a significant deficiency or a material weakness. As noted in Illustration 8.12, the auditor determines the severity of a control exception based on a combination of the likelihood of the control failing to prevent or detect a misstatement and the magnitude of the potential misstatement to the financial statements. A material weakness and a significant deficiency are defined as follows: •  A material weakness is a deficiency, or combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis. •  A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. Control exceptions that are not severe enough to be classified as a significant deficiency or a material weakness would be categorized simply as a control deficiency. Auditor Action

ILLUSTRATION 8.12   Internal control deficiencies and auditor action

Report on ICFR (public companies only) High

Magnitude

Material

Not material but significant

Neither material nor significant Low

Remote (5% to 10%)

Report to: (public and private companies)

Material weakness

Those charged with Adverse governance of the entity Opinion on ICFR and to management.

Significant deficiency

Those charged with Unqualified governance of the entity Opinion on ICFR and to management.

Control deficiency

Unqualified Opinion on ICFR

Management.

Reasonably possible or probable (more than 5% to 10%)

Likelihood If the auditor is engaged to perform an integrated audit and identifies either a significant deficiency or a control deficiency, the auditor can issue an unqualified opinion on ICFR. However, if the auditor determines that a control deficiency is a material weakness, the auditor will

  Documenting Conclusions  8-29

issue an adverse opinion on the company’s ICFR if the material weakness is not remediated by the fiscal year-end date. Remember, the auditors are performing most of the controls testing during interim. Therefore, if a material weakness is identified, there is time for management to correct the material weakness before year-end. Once corrected, management and the auditors would test the control again to ensure it is operating effectively by year-end. If the auditors are satisfied that enough time has passed to provide sufficient appropriate evidence that the control is now operating effectively, the auditors can then issue an unqualified opinion. Auditors of both public companies and private entities have a responsibility to report internal control issues to those charged with governance of the entity. This is a requirement of both PCAOB AS 2201 and AU-C 265 and is usually done through a management letter as described in Chapter 6. The auditor includes a discussion of both material weaknesses and significant deficiencies in the management letter. It is also important to note that all control deficiencies should be reported to management. If a control deficiency is sufficiently small that it is not reported to those charged with governance, it should still be verbally reported to management at least one level above where the deficiency occurred.

Audit Reasoning Example  Results of Tests of Controls Elena Hauge (an audit senior) and Tonya Tran (a seasoned audit staff member) are continuing their tests of controls on the audit of Midwest Wholesale Foods (MWF). This time, Tonya is testing internal controls over accounts payable when she brings an issue to Elena. “MWF has a manual control where every payable is double-checked. I took a sample of 45 transactions, and now I have two transactions that have been signed off, but MWF cannot produce the vendor invoices. I’m concerned. With two exceptions, we cannot assess control risk as low.” Elena chimes in, “This may be a bigger issue. If the client cannot produce the vendor invoices, there may be an increased risk of fraud. You need to dig deeper on these transactions. Follow through to the cash disbursements. MWF uses electronic funds transfers. We need to make sure the disbursements actually went to the vendor. Dig deeper and get back to me. Ultimately, we may need to communicate this to the board of directors.”

Before You Go On 5.1 What does the auditor do when he or she identifies control exceptions? Develop an example of an internal control exception. 5.2  What is a compensating control? Develop an example of a compensating control. 5.3  Why does the auditor always investigate control exceptions? 5.4  What internal control deficiencies are communicated in an auditor’s report on ICFR? 5.5 What level of internal control deficiencies are reported to management? Explain your reasoning. What level of internal control deficiencies are reported to those charged with governance of the entity? Explain your reasoning.

Documenting Conclusions Lea rning Objective 6 Document the results of tests of controls. Once controls have been tested, the auditors document their work in a working paper. Working paper documentation should include: •  The auditors’ conclusion about control risk. •  The basis for their conclusion (e.g., underlying evidence).

8-30  C h apte r 8  Risk Response: Performing Tests of Controls

In preparing a working paper for tests of controls, the auditor would ordinarily set out the purpose of the tests of the controls identified. This assists in carrying out the testing by reminding the auditor of the overall purpose in testing the controls. If the auditor identifies any exceptions or issues, the auditor should determine if there is an impact on the testing strategy by considering whether the control exception means that the control no longer meets the objective of the test. For example, assume that the control selected for testing is a bank reconciliation and the objective of the test is to verify that a review by the financial controller occurred on a timely basis. When performing the testing, it was noted that while there was evidence of the review (a signature), there was no date, so timeliness could not be verified. Therefore, the auditor is able to conclude that the control operated but the auditor is not able to conclude as to whether it operated on a timely basis. It would need to be determined whether a compensating control should be tested, or whether the timeliness of the review is not critical to the auditor’s ability to rely on the bank reconciliation as audit evidence. The auditor also documents the test performed, the actual controls selected for testing, and the results of the testing. There needs to be enough detail regarding the controls selected to allow another auditor to review the working paper, reperform the steps (if necessary), and reach the same conclusion as the auditor who prepared the working paper. The results are often set out in a table to make it easier to review and identify quickly what (if any) exceptions were identified during the testing. Prior to an overall conclusion being reached for each section of work performed, the test results table also assists the person reviewing the working paper to determine if enough work has been performed and if the right conclusion regarding the controls testing has been reached. The working paper should also include a conclusion specific to whether the test results support the overall purpose of the test. This is the documentation standard required by AU-C 230 Audit Documentation and AS 1215 Audit Documentation. Regardless of how the working papers are prepared and documented, the extent of the auditor’s documentation will increase as the complexity of the client’s operations, systems, and controls increases. Also, the more complex the client’s operations and its internal controls, the more experienced the auditor who performs the work needs to be. Illustration 8.13 is an example of a working paper relating to controls testing. Note that the working paper clearly lays out the purpose of the test of the control, the nature and extent of the work performed at an interim date, the results of the audit tests, and the auditor’s conclusion about control risk.

ILLUSTRATION 8.13   Example test of control working paper

Client: New Millennium Ecoproducts Period-end:   12/31/2022

Bell & Bowerman, LLP C1.1 – Bank Reconciliation Controls Testing

Reference: C1.1

Prepared by:

DM 10/14/2022

Reviewed by:

SO 10/21/2022

Reviewed by:

MM 10/25/2022

Purpose of test: The purpose of this test is to verify that the bank reconciliation control was adequately designed and implemented through the date of interim testing. Work performed: Selected three bank reconciliations from different months, tied the balance as per the bank statement on the bank reconciliation to the bank statement, tied the balance as per the general ledger to the trial balance, and vouched all reconciling items between the bank statement and the trial balance greater than $5,000 to supporting documentation to ensure valid reconciling items and that the reconciliation had been performed correctly. Ensured the reconciliations had been prepared and reviewed on a timely basis, based on dates on the reconciliation, inquiry, and observation of procedures in October 2022. Findings/results of testing: Selected bank reconciliations for the months of February, April, and September 2022. No errors noted in the preparation of the reconciliation. All were dated and reviewed within seven days of month-end. Considered this to be on a timely basis. Conclusion: Based on testing performed, the bank reconciliations appear to have been designed, implemented, and operated effectively for the nine months ended September 30, 2022. Control risk is assessed as low for the following assertions: existence of cash, completeness of cash, and valuation of cash.

  Learning Objectives Review  8-31

After the auditor has completed testing controls, and drawn a conclusion about control risk, the auditor will want to make decisions about the nature, timing, and extent of substantive testing. These topics are discussed in Chapter 9.

Cloud 9 - Continuing Case Josh and the rest of the audit team have finished testing and assessing the controls at Cloud 9. In a few instances, they had to perform additional testing to investigate the deviations or exceptions discovered during initial testing. In these cases, they also tested compensating controls that existed. They sent their completed working papers to Sharon Gallagher, the audit manager, and Jo Wadley, the partner. The more senior members of the audit team must review the results of the controls testing and judge whether there is sufficient appropriate evidence to support the decision to continue to use a reliance on controls approach to the audit, and to assess

that there were no material weaknesses. Sharon Gallagher and Jo Wadley are looking at the tests of controls from the perspective of whether the team has tested the right entity-level controls, as well as key controls for material assertions in the financial statements. Josh has been busy over the past few days answering questions from Sharon and Jo about particular aspects of the controls testing, but it now seems that all issues have been resolved satisfactorily. Although the team has been concentrating on controls testing, the plans for substantive testing are well advanced and attention now turns to this phase of the audit.

Before You Go On 6.1 What information does the auditor need to include in the audit working papers when ­documenting the results of the controls testing? 6.2 Which auditing standard sets the minimum level of documentation required in the working papers stored in the audit files? 6.3 What is the impact on the extent of required substantive testing if inherent risk is high and no assurance has been obtained from controls testing?

Learning Objectives Review 1  Describe the steps in assessing control risk.

3  Explain the types of evidence that can be used to

support a test of controls. The seven steps involved in assessing control risk are (1) understand entity-level controls, (2) understand the flow of documents through the system for each transaction cycle, (3) identify what can go wrong (WCGW), (4) identify relevant controls to test, (5) perform tests of controls, (6) evaluate evidence and assess control risk, and (7) report findings to those charged with governance and, if relevant, in a report on ICFR. 2  Explain the different types of controls that an auditor might encounter. There are two primary types of controls, manual and automated. Types of automated, or IT, controls include IT general controls (ITGCs), IT application controls, and IT-dependent manual controls. Each of these types can be described as either a preventive control or a detective control. Preventive controls, as the name suggests, prevent errors from occurring. Detective controls detect the error after it has occurred and rectify the error on a timely basis.

Five key procedures are used for testing controls: inquiry (questions are asked regarding the operation of the control), observation (the operation of the control is observed as occurring), inspection (of physical evidence resulting from the performance of the control), reperformance (when the auditor reperforms the control to test its effectiveness), and software-assisted audit techniques (when the auditor uses software to test automated controls). 4  Determine how to select and design tests of controls. The selection of which controls to test is a matter of professional judgment. Illustration 8.5 provides a list of factors that influence the auditor’s decision about which controls to test. The extent of testing of controls (that is, how many to test) is also a matter of professional judgment, although sampling techniques are available. Illustration 8.6 explains the factors that influence sample size for a test of controls

8-32  C h apte r 8  Risk Response: Performing Tests of Controls and Illustration 8.8 provides an example of how sample size is influenced by the frequency at which the control is performed during the year (e.g., some controls may function only monthly or quarterly). Auditors usually perform tests of controls at an interim date, and then they update their conclusions at year-end to ensure that the controls continued to function as designed during the remainder of the year. In some cases, the auditor may be able to use a benchmarking technique to test use of software applications from prior years, if the auditor is able to obtain evidence that the software application has not changed. 5  Evaluate the results of tests of controls. When performing tests of controls the auditor must determine in each instance whether the control did or did not function as designed. If tests of controls reveal exceptions (the control did not function as designed), the auditor should consider whether compensating controls exist, and whether the compensating control is likely to be effective. If control exceptions are found, they should be classified as control

deficiencies, significant deficiencies, or material weaknesses. Illustration 8.12 summarizes how these classifications affect the auditor’s decisions about what should be reported to those charged with governance of the entity, and what should be reported in the auditor’s report on ICFR. 6  Document the results of tests of controls. The purpose of the tests of controls, selection of controls to test, results of the controls testing performed, and conclusion regarding the design and implementation of the controls are all documented in a working paper. This working paper is then reviewed by a more experienced auditor to determine if sufficient work was performed and if the appropriate conclusion was reached. Ultimately, the results of tests of controls should influence the auditor’s audit strategy. If the controls are effective, the auditor may continue with a reliance on controls approach. If controls are ineffective, the auditor must decide how to modify the nature, timing, and extent of substantive tests.

Key Terms Review Attribute sampling Benchmarking Control exception (deviation) Desired level of assurance

Detective controls Expected rate of deviation in the population Preventive controls

Tests of controls (controls testing) Tolerable deviation rate What can go wrong (WCGW)

Audit Decision-Making Example Background Information

Analysis and Evaluation of Alternatives

You are auditing the revenue process for Haven Company. Your firm previously tested Haven’s IT general controls and determined that these entity-level controls are effective. Also, tests show the company has a sound control environment. Haven has IT application controls that screen every sales transaction. The software matches the information supporting the sales invoice with underlying shipping documents and the sales order before a sales invoice is recorded. The customer information from the customer master file is matched with the customer information on the bill of lading, the quantities billed are matched with the packing slip, prices are matched with the sales order, and the invoice date is matched with the accounting period in which goods are shipped. If the transaction does not exactly match the underlying information, it is not processed, and it is printed on a daily exception report. A data control clerk investigates any items on the exception report each morning and corrects any errors to ensure that the invoice is correct.

To assess control risk as low, the auditor needs to test IT application controls and related manual follow-up of exception reports.

Identify Audit Issues Explain the tests of controls that need to be performed to assess control risk at a low level based on the internal controls described above.

Gather Additional Information and Evidence The key issues are that tests of controls have shown a strong control environment and strong IT general controls at the Haven Company.

Audit Conclusion 1. The auditor can test IT application controls with test data. The auditor should submit the following: •  Data where all information matches and the software should process the transaction. •  Data where information does not match at each decision point (e.g., a transaction where customer information does not match, a transaction where quantities do not match, a transaction where prices do not match, and a transaction in the incorrect accounting period). 2. The exception reports are printed daily (approximately 260 exception reports based on five per week for 52 weeks). To assess control risk as low, the auditor should select 45 exception reports at random (see Illustration 8.8), and reperform the control to determine that each transaction appearing on the exception report was correctly resolved and that the revenue transactions were correctly recorded.

  Multiple-Choice Questions  8-33

CPAexcel CPAexcel questions and other resources are available in WileyPLUS.

Multiple-Choice Questions 1.  (LO 1, 4)  The auditor decides which controls to test by considering: a.  the points at which fraud or error can occur. b.  the nature of controls implemented by management. c.  the significance of each control in achieving its control objective. d.  All of these answer choices are correct. 2.  (LO 1, 4)  When obtaining an understanding of internal controls, the auditor identifies important programmed application controls over the occurrence of sales. However, the auditor also has serious concerns about the adequacy of the control environment due to a weak tone at the top about control consciousness. Which of the following best describes how the auditor should respond to this situation when planning tests of controls related to the occurrence of sales? a.  The auditor could assess control risk as low for an assertion after performing software-based audit techniques on controls relevant to that assertion. b.  The auditor could assess control risk as low for an assertion after performing software-based audit techniques on controls relevant to that assertion and assessing the adequacy of segregation of duties.

b.  impact the effectiveness of manual controls. c.  prevent the reliability of electronic audit evidence. d.  allow client staff to change programs without needing to receive authorization for the change. 6.  (LO 2)  Which of the following represents an example of an IT application control?  he assistant controller performs a monthly bank reconciliaa.  T tion and follow-up of unexpected outstanding items. b.  The accounts receivable manager reviews credit balances in accounts receivable quarterly to determine their causes. c.  The software application compares all sales invoices with underlying shipping information on the bills of lading and packing slips with sales invoices. If differences are revealed, a report is generated for review and follow-up by the billing supervisor. d.  All changes to software applications must be reviewed and approved by the department affected by the application. 7.  (LO 3)  An auditor is going to test the client’s controls over bank reconciliations. The auditor will perform which of the following audit procedures for this test of controls? a.  Software-based audit techniques using test data.

c.  The auditor will probably assess control risk at the maximum irrespective of the quality of the programmed application controls.

b.  Inquiry of the person performing the bank reconciliation.

d.  T  he auditor could assess control risk as low for an assertion if ITGCs are tested and shown to be strong.

d.  Inquiry of the person performing the bank reconciliation and reperformance of the bank reconciliation procedure.

3.  (LO 2)  A software application will not allow a sale to be processed if a customer is over its credit limit. This is an example of a(n): a.  detective control. b.  preventive control. c.  IT general control. d.  IT-dependent manual control. 4.  (LO 2)  The software application compares all sales invoices with underlying shipping information on the bills of lading and packing slips with sales invoices. If differences are revealed, a report is generated for review and follow-up by the billing supervisor. This is an example of a(n): a.  detective control. b.  preventive control. c.  IT general control. d.  IT-dependent manual control. 5.  (LO 2)  ITGCs are important because they: a.  prevent unauthorized personnel from having access to data and applications.

c.  Reperformance of the bank reconciliation procedure.

8.  (LO 4)  Which of the following would require the auditor to increase the level of control testing for a particular control? a.  The control is performed monthly instead of daily. b.  There are several controls relating to a particular audit objective. c.  The WCGW addressed by the control is not very important. d.  A high degree of reliance is to be placed on the control to limit the amount of substantive testing required. 9.  (LO 4)  Benchmarking is a process that involves: a.  comparing the effectiveness of one control with another control. b.  an audit strategy that allows an auditor to rely on IT application controls if manual follow-up procedures are strong. c.  an audit strategy that allows the auditor to use evidence from testing an IT application control in a prior period, if the application has not been changed. d.  an audit strategy that allows the auditor to test only identified key controls rather than all controls used by the client.

8-34  C h apte r 8  Risk Response: Performing Tests of Controls c.  Perform tests of controls on compensating controls.

10.  (LO 4)  If an auditor decides to assess control risk as low based on IT application control procedures, which of the following would not be part of the auditor’s strategy for testing controls? a.  Testing the effectiveness of IT general control procedures. b.  Testing the effectiveness of management review controls used to monitor the results of operations.

d.  Document the results of tests of controls and proceed with the planned audit strategy. 12.  (LO 6)  Working papers: a.  document the auditor’s conclusion about control risk and the basis for that conclusion.

c.  Testing the effectiveness of manual follow-up procedures.

b.  are necessary for the first-year auditor to keep track of the daily work but are not important to the overall audit.

d.  Testing the effectiveness of the application with test data.

c.  document the results of the tests but not the purpose of the control selected for testing.

11.  (LO 5)  If an auditor performs tests of controls and determines that the control is not effective, what should the auditor’s next step in testing controls be?

d.  document the purpose of the control selected for testing and the conclusion made by the auditor but not the results of the test.

a.  Document the results of tests of controls and proceed with a primarily substantive approach. b.  Determine if a compensating control exists.

Review Questions R8.1  (LO 1)  Identify the eight steps performed in assessing control risk and place them in the proper order.

R8.7  (LO 4)  Does an auditor have to test every control? Explain your answer.

R8.2  (LO 2)  Explain the purpose of (a) preventive controls and (b) detective controls. Why would it be important for an entity to have both types of controls?

R8.8  (LO 4)  What factors do auditors consider when deciding how much control testing to do?

R8.3  (LO 2)  Explain why reconciliations, such as bank reconciliations, are classified as detective controls.

R8.9  (LO 4)  Explain the concept of benchmarking and its benefits to the auditor.

R8.4  (LO 2)  Explain the difference between automated and manual controls.

R8.10  (LO 4)  Identify the factors that influence sample size in a test of controls. Provide an example related to each factor in terms of how it would potentially increase the level of control testing.

R8.5  (LO 2)  Explain the three types of ITGCs. Why are they “general” controls? Explain why they are important controls.

R8.11  (LO 5)  Explain the relationship between the results of tests of controls and substantive testing.

R8.6  (LO 3)  What are the five procedures used for tests of controls? Explain them and comment on the reliability of the evidence obtained from each.

R8.12  (LO 6)  Explain the process of documenting the auditor’s conclusions. What must be documented?

Analysis Problems AP8.1  (LO 1)  Basic   Assessing control risk and audit strategy  As an audit manager at Gung & Ho, CPAs, you have been scheduled to serve as the discussion leader for an in-office training session on consideration of the internal control structure in a financial statement audit. Gung & Ho’s audit practice consists of audits of privately owned companies and not-for-profit organizations.

Required Prepare an outline of comments you plan to make to indicate similarities and differences in how each of the following items is handled under a primarily substantive approach versus a reliance on controls approach. a.  Understand entity-level controls. b.  Understand the flow of transactions. c.  Identify what can go wrong (WCGW) for financial statement assertions. d.  Identify relevant controls to test. e.  Determine preliminary audit strategy. f.  Perform tests of controls. g.  Evaluate audit evidence, assess control risk, and reevaluate audit strategy (if necessary). h.  Report internal control weaknesses to those charged with governance.

 Analysis Problems  8-35 AP8.2  (LO 2)  Basic   IT controls—password  The client company assigns each new employee a user profile and password for the client’s IT system. The first time new employees log onto a company desktop computer, they are automatically forced to change their password. Passwords must be changed every 30 days.

Required Explain what type of control the above information describes. Discuss the control’s strengths and weaknesses. AP8.3  (LO 2)  Basic   IT controls—suppliers  Within the client’s IT system, supplier information is contained in a supplier master file (SMF). Each supplier has a unique supplier code. If the purchasing clerk attempts to place an order from a supplier not in the SMF, the order cannot be processed.

Required Explain what type of control the above information describes. Discuss the control’s strengths and weaknesses. AP8.4  (LO 2)  Moderate   Preventive controls  Alabama Industries manufactures and wholesales small tools. It sells the tools to a large group of regular customers and makes most sales by telephone to this group. Additionally, it receives orders online by its sales team who signs up new customers within the sales area. In the past, Alabama Industries has had trouble with customers who do not pay their accounts on time. Despite instructing the sales team not to make sales to customers before their creditworthiness has been assessed, sales are still being made to new customers before their limits have been set and to existing customers beyond their credit limit. Also, an economic downturn has started to impact its customers, and Alabama’s management is concerned about the possibility of increasing bad debts.

Required a.  What sort of preventive control could be used to deal with the problems faced by Alabama Industries? Explain how the control would work. b.  Assume the preventive control is implemented, and during this year there have been no sales to customers that have taken any customer beyond its credit limit. What are two possible explanations for this that the auditor must consider? c.  If an auditor finds two sales transactions during the year that exceed a customer’s credit limit at the time of the sale, what conclusion would the auditor draw from this evidence? What other evidence could the auditor consider before concluding that the preventive control has failed? AP8.5  (LO 2, 3, 4)  Moderate   Testing bank reconciliation controls  You are testing the controls over bank accounts for your audit client, Louisiana Liquidators. You note that the responsibility for bank reconciliations has changed due to a corporate reorganization halfway through the current fiscal year. Both the staff member performing the bank reconciliations and the supervisor have changed. You are able to talk only to the current staff member and supervisor because the prior staff members took a voluntary severance package and left the client’s employment three months ago.

Required a.  What procedures are available for you to gather evidence about the bank reconciliations? Explain how you would use each procedure and comment on the quality of the evidence obtained from each. b.  When you ask the employee responsible for bank reconciliations about how bank reconciliations are performed, there is a possibility that you will not be told the whole truth about the performance of the reconciliations. Given this, will you bother to ask? Explain. c.  Explain the impact of the staff changes on your controls testing program. AP8.6  (LO 2, 4)  Moderate   Inventory program controls  Dakota Drapers supplies custom-fitted curtains and blinds to retail customers. It has recently expanded to offer a wide variety of home decorating products through its six stores across the state. After some initial problems with inventory control, the client installed a new automated inventory system in April this year (the fiscal year end is December 31). The system replaced another automated system that had been modified so often over the years that the auditors had advised Dakota’s management that they did not regard it as reliable. That is, in the past, the auditors were unable to rely on the old system sufficiently to assess control risk for inventory as anything less than high.

Required a.  Explain the normal process an auditor would expect to find in the client’s system governing changes to software applications. Why is an auditor concerned about application changes?

8-36  C h apte r 8  Risk Response: Performing Tests of Controls b.  Dakota Drapers’ fiscal year-end is December 31. Does the auditor need to obtain evidence about the performance of the inventory control system from every month in the year or from a sample of months? Explain. c.  If the auditor conducts tests of the inventory controls at an interim date, is it appropriate to conclude that the controls are effective up through the end of period date? Explain your reasoning. AP8.7  (LO 4, 5)  Moderate   Internal controls from prior year  The first-year auditor on the engagement has suggested that since no exceptions were detected in previous years, no work on internal controls is required because last year’s evidence will be sufficient.

Required a.  Explain why the first-year auditor’s suggestion may or may not be appropriate and outline what work is required. b.  Explain the concept of benchmarking. Why is it appropriate for an auditor to use a benchmarking audit strategy that uses information from tests of controls performed in prior years? AP8.8  (LO 5)  Basic   Public Company   Results of testing controls  The lead auditor was reviewing the results of testing controls in the payroll expense area for a public company. The documentation for the testing showed that there was one instance of a part-time staff member being paid an incorrect hourly rate.

Required a.  Explain why the result shows a control exception (deviation). b.  Does the materiality of the exception influence the auditor’s conclusion about whether there is a deviation? c.  If the auditor selects a sample size of 45 for an IT-dependent manual control over payroll and finds one exception, what should the auditor conclude? AP8.9  (LO 6)  Challenging   Research   Comparison of standards  Explain the differences between an audit of internal controls as required by PCAOB AS 2201 and the testing of internal controls for the purposes of expressing an opinion on the financial statements as mandated by AU-C 315. Refer to the standards in your answer.

Audit Decision Cases Virginia Creepers Question C8.1 is based on the following case. Arne Adams, the audit senior, is reviewing the working papers written by the audit staff on the audit of Virginia Creepers, a garden nursery and retailer of garden accessories. Arne reads the following description of the results of testing of inventory controls written by the audit staff member: The inventory manager advises that no changes have been made to the inventory programs during the current fiscal year. There are no documents on file authorizing program changes,  so I conclude the inventory manager’s statement is true. The inventory manager also advises that management did not attempt to override any controls relating to inventory. There are no memoranda or emails from management on file instructing the inventory manager to go against procedures, so I conclude the inventory manager’s statement is true. The audit staff member concludes that the inventory controls have not been changed or overridden during the  fiscal year, so the results of the interim testing of controls can be relied upon. C8.1  (LO 3, 4, 5, 6)  Challenging   Control testing results and documentation a.  Analysis: Examine the statements by the audit staff member. What deficiencies in the testing can you identify? b.  Evaluation: If the results of testing one control show that the control is not effective, does the auditor have to increase substantive testing? What other options are available to the auditor?

 Audit Decision Cases  8-37

Frankel Factors Question C8.2 is based on the following case. The audit senior on the audit of Frankel Factors is preparing the audit plan for the year ended June 30, 2023. The following notes relate to the payroll application system that went live on January 1, 2023: 1. The new payroll application is more complex than the old system, but its reporting function provides more detail. For example, the new application calculates leave, pension, payroll tax, and employee benefit expenses, as well as the corresponding accruals. 2. Due to the brief time available to implement the new system, the previous application ceased operation on December 31, 2022, and the new application went live on January 1, 2023, without running parallel with the previous application. Staff training and testing of the new application was limited. 3. Access to the master files is restricted to the payroll supervisor and her assistant. Access to transaction files is restricted to payroll staff who are responsible for the processing of bi-weekly and monthly pay. Prior to the introduction of the new payroll application system, the payroll master file and transaction files were kept in a separate database from the general ledger application. At the end of each month, the IT staff imported transaction data from the database into the general ledger. Management decided to upgrade the existing accounting system due to the frequent problems encountered by IT staff when importing data into the general ledger. C8.2  (LO 2, 4)  Challenging   Payroll controls a.  Analysis: Based on the information above, explain two concerns about the payroll application’s integration with the general ledger application. b.  Analysis: Describe one IT application control to ensure the accuracy of the salaries and wages expenses transaction. c.  Analysis: Describe one IT application control to ensure the occurrence of the salaries and wages expenses transaction. d.  Evaluation: Design and describe in detail appropriate tests of controls you would use to satisfy yourself about the effectiveness of these internal controls.

Mobile Security, Inc. Question C8.3 is based on the following case. Mobile Security, Inc. (MSI) has been an audit client of Leo & Lee, LLP for the past 12 years. MSI is a small, publicly traded aviation company based in Cleveland, Ohio, where it manufactures high-tech unmanned aerial vehicles (UAV), also known as drones, and other surveillance and security equipment. MSI’s products are primarily used by the military and scientific research institutions, but there is growing demand for UAVs for commercial and recreational use. MSI must go through an extensive bidding process for large government contracts. Because of the sensitive nature of government contracts and military product designs, both the facilities and records of MSI must be highly secured. In October 2022, MSI installed a new cloud-based inventory costing system to replace a system that had been developed in-house. The old system could no longer keep up with the complex and detailed manufacturing costing process that provides information to support competitive bidding. MSI’s IT department, together with the consultants from the software company, implemented the new inventory costing system which went live on December 1, 2022. Key operational staff and the internal audit team from MSI were significantly engaged in the selection, testing, training, and implementation stages. The inventory costing system uses various manufacturing costing and unit of production inputs to calculate and produce a database of all product costs and recommended sales prices. It also integrates with the general ledger each time there are product inventory movements such as purchases, sales, waste, and damaged inventory losses. It is now February 2023 and you are beginning the audit planning for the June 30, 2023, annual financial statement audit. You are assigned to assess MSI’s IT controls with particular emphasis on the recent implementation of the new inventory costing system. C8.3  (LO 3, 4)  Challenging   Public Company   IT application controls  Analysis: MSI’s new inventory costing system integrates with its sales system. MSI integrated an IT application control that checks each sales transaction to ensure that it is supported by shipping documents, packing slip and bill of lading, before a sales invoice is created. a.  How would you test the IT application control described above? b.  What assertion is controlled by the IT application control described above? c.  In order to rely on the IT application control, what other evidence is needed if the auditor wants to assess control risk as low?

8-38  C h apte r 8  Risk Response: Performing Tests of Controls

Brookwood Pines Hospital Question C8.4 is based on the following case. Goodfellow & Perkins gained a new client, Brookwood Pines Hospital (BPH), a private, not-for-profit hospital. The fiscal year-end for Brookwood Pines is June 30.  You are performing the audit for the 2023 fiscal year-end, and the audit is currently in the risk assessment phase. The healthcare industry can be very complicated, especially in the area of billing for services provided. BPH contracts with private physician groups who use the hospital facilities, equipment, and nursing staff to treat patients. The physicians in the private group are not employees of the hospital; they are simply using the hospital facilities to treat patients. For example, a group of urologists have their own practice, separate from the hospital, where they treat their patients. If one of their patients needs a surgical procedure that must be done at a hospital, then the attending urologist will approve the paperwork required to admit the patient to BPH. BPH offers inducements to the urologists so they will refer patients to BPH rather than a competing hospital. One of the inducements BPH offers is free office space in the hospital for the doctors to use when they are treating their patients in the hospital. After the doctor and hospital services are provided to the patient, the patient and/or the patient’s insurance company is billed. The doctor will bill for the services he or she provided, and the hospital will bill for the use of hospital facilities and staff. Doctors and hospitals bill using a coding system that is standardized across the healthcare industry and consists of three main code sets: ICD, CPT, and HCPCS. Using a coding system is more efficient and data-friendly compared to writing a narrative about the procedures performed. However, the coding system is very complex, with thousands of different codes for medical procedures and diagnoses. To complicate matters even more, for patients who are covered by government-sponsored Medicare or Medicaid, doctors and hospitals must adhere to complicated government regulations surrounding billings to Medicare and Medicaid. As healthcare costs continue to rise each year, BPH administrators struggle to maintain consistent profitability. They look for ways to keep costs low and also to collect from patients and insurance companies as quickly as possible. In addition, BPH must have a strong risk management team to handle unique situations that may occur in hospitals such as malpractice lawsuits and periodic inspections by the state department of health and hospitals. Negative publicity for BPH could lead to decreased revenues if physicians decide to contract with a competing hospital. C8.4  (LO 2, 3, 4)  Challenging   Evaluating internal control  Analysis: Brookwood Pines has a large number of employees and it is important for the payroll system to have controls to ensure that employees actually worked the hours they are paid for. Answer the following items: a.  Determine the key assertion at risk. b.  Describe a practical preventive internal control that would directly address the risk. c.  Describe a practical detective internal control that would directly address the risk. d.  Explain the test of controls you would perform to test the control in your answer to (b), including the evidence that you would obtain. e.  Describe the evidence of an exception to the internal control in your answer to (b). f.  Explain the test of controls you would perform to test the control in your answer to (c), including the evidence that you would obtain. g.  Describe the evidence of an exception to the internal control in your answer to (c)

Cloud 9 - Continuing Case Effective internal controls at the transaction level are designed to prevent or detect and correct material misstatements that could occur within the flow of transactions. In the case study assignment in Chapter 6, you were required to identify potential misstatements and affected assertions within the wholesale credit sales. Answer the following questions based on the information presented for Cloud 9 in the appendix to this text and the earlier chapters. You should also consider your answers to the case study questions in earlier chapters.

Required a.  For each assertion related to wholesale credit sales, identify a key control in Cloud 9’s system of internal control. b.  For each key control identified in (a), explain how you would test the control. c.  For each control identified in (a), explain the evidence that would lead the auditor to believe that the there was a deviation from the prescribed control.

Chapter 9 Risk Response Performing Substantive Procedures

The Audit Process Overview of Audit and Assurance (Chapter 1) Professionalism and Professional Responsibilities (Chapter 2) Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4) Identify Significant Accounts and Transactions Make Preliminary Risk Assessments

Set Planning Materiality

Gaining an Understanding of the System of Internal Control (Chapter 6)

Audit Evidence (Chapter 5)

Develop Responses to Risk and an Audit Strategy

Performing Tests of Controls (Chapter 8)

Performing Substantive Procedures (Chapter 9) Audit Sampling for Substantive Tests (Chapter 10)

Auditing the Revenue Process (Chapter 11)

Auditing the Purchasing and Payroll Processes (Chapter 12)

Audit Data Analytics (Chapter 7)

Gaining an Understanding of the Client

Auditing the Balance Sheet and Related Income Accounts (Chapter 13)

Completing and Reporting on the Audit (Chapters 14 and 15) Procedures Performed Near the End of the Audit

Drawing Audit Conclusions

Reporting

9-1

9-2  Ch apt e r 9  Risk Response: Performing Substantive Procedures

Learning Objectives LO 1  Demonstrate how audit risk, management assertions, and substantive procedures are linked.

LO 4 Explain and analyze factors that impact the timing of substantive procedures at the assertion level.

LO 2  Describe methods of risk response at the financial statement level.

LO 5 Explain and analyze factors that impact the extent of substantive procedures at the assertion level.

LO 3 Explain and analyze factors that impact the nature of substantive procedures at the assertion level, including the use of audit data analytics.

LO 6 Explain and apply audit procedures used to audit accounting estimates. LO 7  Describe how auditors document the results of substantive procedures.

Auditing and Assurance Standards pcaob

auditing standards board

AS 2301 The Auditor’s Responses to the Risks of Material Misstatement

AU-C 240  Consideration of Fraud in a Financial Statement Audit

AS 2305  Substantive Analytical Procedures

AU-C 315  Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

AS 2501 Auditing Accounting Estimates AS 2502 Auditing Fair Value Measurements and Disclosures AS 2810 Evaluating Audit Results

AU-C 330  Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained AU-C 450 Evaluation of Misstatements Identified During the Audit AU-C 510  Opening Balances—Initial Audit Engagements, Including Reaudit Engagements AU-C 520 Analytical Procedures AU-C 540 Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related Disclosures

Cloud 9 - Continuing Case Suzie Pickering has experience in the clothing and retail industry, which is why she was assigned to the Cloud 9 audit. Suzie is mentoring Ian Harper, a first-year staff on the audit team, and they are working together on the detailed substantive test program. Ian remembers that Suzie used analytical procedures in the risk assessment phase and she explained to Ian how useful they could also be in the risk response phase. Ian suggests that they plan to rely extensively on analytical procedures for Cloud 9’s

substantive tests. He is very enthusiastic and wants to put analytical procedures in the plan for all transaction processes and major balances because he believes analytical procedures are very efficient for the audit team to perform. Suzie is more cautious. Although she will definitely plan to use some analytical procedures, she knows they will also need other types of tests. “Why?” asks Ian. “How do I know when to only use analytical procedures? What other tests do we need?”

 Audit Risk and Substantive Procedures  9-3

Chapter Preview: Audit Process in Focus Finding an appropriate combination of audit procedures to minimize an engagement’s audit risk is a challenge. The purpose of this chapter is to describe the part of the risk response phase often referred to as performing substantive procedures. The overall objective of substantive procedures is to supplement risk assessment procedures and controls testing the auditor may have performed (discussed in Chapters 3, 4, and 8), and ultimately to determine that the underlying accounting records are fairly presented and reconcile to the financial statements. In this chapter, we will revisit audit risk and management assertions, linking them to the nature, timing, and extent of substantive audit procedures. The types of substantive procedures we will discuss in this chapter include analytical procedures, substantive tests to follow up on notable items identified when performing audit data analytics (ADA) as a risk assessment procedure, and tests of details of transactions and balances, including ADA used as a substantive test. We will also describe the nature of accounting estimates and procedures used for the audit of accounting estimates. The last section of the chapter discusses the documentation of substantive procedures in the audit working papers.

Audit Risk and Substantive Procedures LEA RNING OBJECTI VE 1 Demonstrate how audit risk, management assertions, and substantive procedures are linked. As discussed in Chapter 3, an audit strategy is developed in response to the risk assessment for each significant account and assertion using the formula for audit risk. An audit strategy can take a reliance on controls approach, a substantive approach, or a combination of both. With a substantive approach, auditors will rely more on substantive procedures. The term substantive comes from substantiate, which means auditors gather evidence to support the transactions, account balances, and disclosures provided by management in the financial statements. After auditors have completed testing controls and drawn a conclusion about control risk (Chapter 8), they make decisions about the nature, timing, and extent of substantive testing. Illustration 9.1 diagrams the relationship between the risk of material misstatement (RMM) and decisions about the nature, timing, and extent of substantive procedures. Recall that an Combined assessed levels of inherent risk and control risk (RMM) Maximum

High

Moderate

Low

Acceptable level of detection risk Very low

Low

Moderate

High

Substantive tests:

More effective

Year–end

Larger sample sizes

Nature (what evidence)

Timing (when to collect evidence)

Extent (how much evidence)

Less effective

Interim

Smaller sample sizes

substantive procedures  audit procedures designed to detect material misstatements at the assertion level and to gather evidence to support management assertions

ILLUSTRATION 9.1  

Impact of risk of material misstatement (RMM) on level of substantive testing

9-4  Ch apt e r 9  Risk Response: Performing Substantive Procedures

inverse relationship exists between the auditors’ assessed RMM (combined inherent and control risk) and detection risk. For example, when RMM is assessed as low, detection risk is high. Look over the figure and then let’s consider an example. As we discuss an example, refer to Illustration 9.1 and follow along. Let’s say the auditor is auditing the existence of accounts receivable, and revenue recognition is a significant risk. The auditor decides to assess inherent risk at the maximum. If internal controls are strong, the auditor assesses control risk as low. Therefore, RMM is moderate to low, and detection risk is moderate to high. This combination would fall on the right side of Illustration 9.1. When making decisions about substantive testing, the auditor might send positive confirmations (a more effective audit procedure), use smaller sample sizes, and perform the substantive test at an interim date. When internal controls are strong and the auditor can obtain the appropriate relevant and reliable data, the auditor might also consider using ADA as a substantive test. For example, when auditing a hotel chain, an auditor obtains reliable electronic information about room occupancy and compares room occupancy with revenue recognized on a daily basis. However, if the auditor determines that internal controls are not functioning as designed and a compensating control does not exist, the auditor will assess control risk and RMM as high and set detection risk as low. This combination would fall on the left side of Illustration 9.1. The auditor would send positive confirmations to customers using larger sample sizes at year-end. Later sections of this chapter provide more in-depth discussion about the nature, timing, and extent of substantive procedures. As discussed in previous chapters, risk assessment is required to be performed at an assertion level. Chapter 5 introduced and defined each of the management assertions as outlined in AU-C 315 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. The 13 assertions are reproduced in Illustration 9.2 and grouped to show the assertions that have common objectives across each category of classes of transactions and events, account balances at year-end, and presentation and disclosure. illustration 9.2   Management assertions by category

1 2

Assertions About Classes of Transactions and Events

Assertions About Account Balances at Year-End

Assertions About Presentation and Disclosure

Typically income statement accounts and cash flow statement

Typically balance sheet accounts

Disclosures made in the financial statements

Occurrence

Existence

Cutoff

Rights and obligations

Occurrence and rights and obligations

Completeness

Completeness

Completeness Cutoff

Accuracy and valuation

Accuracy 3

Classification

Valuation and allocation

Classification and understandability

Illustration 9.2 shows how similar assertions across categories are related to each other. Let’s look at row 1 and use the sales process as an example. The auditor needs to verify that sales transactions recorded in the income statement occurred and relate to the entity (the occurrence assertion) and that the sales transactions have been recorded in the correct accounting period (the cutoff assertion). Those same sales transactions flow through to the cash flow statement and to the accounts receivable balance on the balance sheet. Verifying that the sales transactions occurred also provides evidence that the balance of accounts receivable at year-end exists and the client holds the rights to those receivables (the existence and rights and obligations assertions). The auditor can also use that evidence to verify that the balances disclosed in the financial statements as sales revenue and accounts receivable occurred and relate to the entity (the occurrence and rights and obligations assertions). It is clear from this example that testing performed on the occurrence of sales transactions also provides evidence on the existence of accounts receivable on the balance sheet and the financial statement disclosures. Rows 2 and 3 show the remaining assertions that still need to be tested for the sales transactions and related accounts receivable balance and related disclosures.

 Risk Response at the Financial Statement Level  9-5

Be careful and do not assume that similar assertions across all three categories are exactly the same. For example, classification for income statement accounts is not exactly the same as classification and understandability in the financial statement disclosures. Classification as it relates to transactions requires verification that transactions have been recorded in the proper accounts within the general ledger. Classification and understandability as they relate to disclosures requires verification that information included in the financial statements is appropriately presented and described according to the applicable financial reporting framework, and disclosures are clearly expressed. The objective of auditors is to obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement. This is accomplished by designing and implementing appropriate responses to those risks at both the financial statement level and the assertion level. Chapter 8 focused on responding to risk through the use of tests of controls. This chapter continues the risk response discussion through the use of substantive procedures.

Cloud 9 - Continuing Case Suzie emphasizes to Ian that their testing must respond to the risk of material misstatement at the assertion level. For each assertion, the audit team determines the level of detection risk, which is based on the inherent risk assessment and the results of the control testing. Auditors also have to consider a range of practical factors, such as constraints on timing and the complexity of the

client’s systems. “Analytical procedures are always useful, but the decision to use analytical procedures and/or other substantive procedures must consider risk and practical factors,” she says. “In an audit, we have to decide what an acceptable level of detection risk is, and how to achieve it, for every assertion about transactions, account balances, and disclosures.”

Before You Go On 1.1 Explain the relationship between the risk of material misstatement and detection risk. 1.2 Describe why management assertions are important in the determination of detection risk.

Risk Response at the Financial Statement Level LEA RNING OBJECTI VE 2 Describe methods of risk response at the financial statement level. We have discussed how important it is that auditors are knowledgeable about their client’s operations for the purpose of identifying risks (refer to Illustration 4.2 for a refresher). Some identified risks could impact the financial statements as a whole. For example, if a client is relying heavily on debt financing and struggling to make debt payments, management may feel pressure to maintain debt covenants. That pressure could lead to fraudulent financial reporting that is pervasive in the financial statements. Auditors should respond to that risk with procedures that have an overall effect on how the audit is conducted. AU-C 330 Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained and AS 2301 The Auditor’s Responses to the Risks of Material Misstatement provide the following examples of responding to risk at the financial statement level: •  Emphasize that audit team members should maintain professional skepticism. •  Assign more experienced staff to areas of higher risk of material misstatement.

9-6  Ch apt e r 9  Risk Response: Performing Substantive Procedures

•  Provide more supervision. •  Include more elements of unpredictability in the selection of audit procedures. •  Make general changes to the nature, timing, or extent of audit procedures to obtain more persuasive evidence. Risk response at the financial statement level is affected by (1) the auditor’s understanding of the entity’s control environment and (2) the assessed risk of material misstatement due to fraud. An effective control environment suggests that management and those charged with governance demonstrate a commitment to ethical values and strong internal control. Auditors will have more confidence in internal controls and audit evidence generated internally with a client that maintains an effective control environment. If the control environment is assessed to be weak, auditors may respond by altering the audit plan to include more audit procedures and expanding the scope of the audit to include more of the client’s locations. After auditors have assessed control risk, they are in an ideal position to evaluate the risk of fraud. Auditors will seriously consider the risk of fraud if control risk is high. They will assess the risk of fraud by considering fraud risk factors that may be present, such as pressure and opportunities for management to commit fraud (see “Fraud Risk” in Chapter 3). If significant fraud risk exists, auditors should respond by including elements of unpredictability in their audit plan. For example, auditors could perform audit procedures related to accounts, assertions, or disclosures that they normally would not test because they are immaterial or considered low risk. They could also perform some procedures on a “surprise” basis and vary the timing of when the procedures are performed. For clients with multiple locations, auditors could vary which locations are tested each year and the type of audit procedures that are performed at the different locations. Ultimately, auditors must exercise professional skepticism and be prepared to modify the planned audit procedures, as needed, to obtain more reliable evidence. They may also need to expand audit procedures to gather evidence from independent sources to corroborate management’s explanations and other internally generated evidence.

Audit Reasoning Example Risk Response at the Financial Statement Level

Xiao Wang is the manager on the audit of Superior Corp., an oil and gas company located in Houston. The price of oil has dropped due to an excess supply of oil in the market. A drop in oil prices has caused a dramatic decrease in revenue for Superior, which in turn has caused a significant drop in Superior’s stock price. To stay afloat, Superior has implemented some drastic cost-cutting measures and laid off one-fifth of its workforce. Superior has also announced it will suspend matching its employees’ 401(k) contributions until further notice. Xiao knows that when a client is experiencing stressful times such as this, the audit team should be especially mindful of an increased risk of fraud, particularly the risk of fraudulent financial reporting. Xiao has worked on the Superior audit for the last five years and notes that Superior has an effective control environment, and upper management has consistently shown a commitment to integrity and ethical values. However, Xiao knows that even good people can be pushed to extreme action in times of stress. What if management tries to overstate revenues or understate expenses in an effort to improve profitability? Xiao calls a meeting with the audit team members to discuss the situation. “Team, you are aware of the stress that Superior and other oil and gas companies are feeling in this current market. I want to remind you to use professional skepticism in all of your work, even in areas that we deem to be low risk. If you see anything unusual, please let me know. Also, I will be more involved with testing revenue and closely supervising the work in that area. We will assess inherent risk at the maximum level for revenue so that we are verifying more transactions. Let’s get to work and please don’t hesitate to ask questions.”

In addition to considering risk response at the overall financial statement level, auditors must plan to respond to risk at the assertion level for accounts, classes of transactions, and disclosures. This involves designing and implementing the nature, timing, and extent of specific audit procedures to be performed at the assertion level.

  Nature of Substantive Procedures  9-7

Before You Go On 2.1 What factors affect the auditor’s risk response at the financial statement level? 2.2 How could auditors modify their audit procedures if there is increased risk of fraud? 2.3 How could auditors modify their audit procedures if a client has a poor control environment?

Nature of Substantive Procedures LEA RNING OBJECTI VE 3 Explain and analyze factors that impact the nature of substantive procedures at the assertion level, including the use of audit data analytics.

The nature of an audit procedure refers to its purpose (test of controls or substantive procedure) and its type. The different types were covered in Chapter 5 and include inspection, observation, inquiry, confirmation, recalculation, reperformance, analytical procedures, scanning, and ADA. When analytical procedures are used to obtain audit evidence during the risk response phase, they are referred to as substantive analytical procedures. This will be discussed further in the section “Substantive Analytical Procedures.” When the other types of procedures are used to gather audit evidence, they are referred to as tests of details of classes of transactions, account balances, and disclosures. Tests of details will be discussed further in the section “Tests of Details.” Consideration of the nature of the audit procedure is the most important factor when responding to the assessed risks (AU-C 330.A5). Auditing standards provide guidance regarding the performance of substantive procedures. AU-C 330 and AS 2301 state that auditors are required to perform substantive procedures for all relevant assertions that have been identified during the risk assessment phase. Recall from Chapter 5 that relevant assertions have a reasonable possibility of containing a material misstatement that would cause the financial statements to be materially misstated and, therefore, have a meaningful impact on whether the account is fairly stated. Every audit will involve some amount of substantive testing because auditing standards require it for relevant assertions. Further substantive testing for all other assertions will be based on the auditor’s overall assessment of risk. For some assertions, an effective response may be for the auditor to perform primarily tests of controls. This would be following a reliance on controls strategy. For other assertions, an effective response may be for auditors to only perform substantive procedures. This would be following a substantive strategy. Auditors may choose a substantive strategy because they have not identified any effective controls that are relevant to that assertion or because testing controls would be inefficient. In many cases, auditors use a combined strategy in which they use both tests of controls and substantive procedures to respond to identified risks. If appropriate, auditors may design a test of controls and a substantive test of details to be performed at the same time on the same transaction. This is called a dual-purpose test. For example, auditors inspect a sample of vendor invoices for inventory purchases to determine if they were properly authorized to be paid (test of controls). On the same sample of invoices, they can inspect and recalculate the cost of inventory items purchased to test the valuation and allocation assertion (substantive test of details). Designing dual-purpose tests helps improve the efficiency of the audit. Once auditors have determined that using substantive procedures is the appropriate risk response, the next step is to determine the type of procedure to use. What factors do auditors consider when determining the type of substantive procedure to use? One factor is the assessed level of risk for the assertion. When the risk of material misstatement for an assertion is high, auditors must gather more reliable and persuasive evidence. Some types of procedures

relevant assertions  assertions that have a reasonable possibility of containing a material misstatement that would cause the financial statements to be materially misstated and, therefore, have a meaningful impact on whether the account is fairly stated

dual-purpose test  a substantive test of a transaction and a test of control relevant to that transaction that are performed concurrently

9-8  Ch apt e r 9  Risk Response: Performing Substantive Procedures

significant risk  an identified and assessed risk of material misstatement that, in the auditor’s judgment, requires special audit consideration

lend themselves to gathering more reliable evidence. For example, to test the completeness assertion for a contract, auditors decide to send a confirmation to the outside party on the contract. Confirming the details of the contract with an outside third party provides more reliable evidence than just inspecting the document and inquiring of management regarding the details. For any risks that have been identified as significant risks, auditors are required to perform substantive procedures that are specifically responsive to the significant risk. Recall from Chapter 3 that a significant risk is an identified and assessed risk of material misstatement that, in the auditor’s judgment, requires special audit consideration. For example, if the client has complex derivative transactions that auditors have identified as being a significant risk for material misstatement, the auditors’ response may be to use a specialist to perform inquiry and recalculation procedures to test the accuracy assertion. Another factor auditors consider is that certain types of procedures are more suited for testing some assertions than others. For example, performing a recalculation of depreciation expense for a newly acquired fixed asset may provide evidence for the accuracy and valuation and allocation assertions, but it does not provide evidence that a newly acquired fixed asset actually exists. To test the existence assertion for a fixed asset, auditors should personally inspect the fixed asset and inspect supporting documentation of the purchase. Auditors also consider the reasons for the level of assessed risk for an assertion when determining the type of substantive procedures to use. For example, auditors may assess risk as low for an assertion for a class of transactions because inherent risk is low. The class of transactions may be uniform and tend to be predictable over time. A good example is the accuracy assertion for interest expense on outstanding loans that have fixed interest rates with interest payments due monthly. Even if controls do not exist for the transactions, the risk of material misstatement is low due to the characteristics of the transactions. Auditors may determine that performing only substantive analytical procedures will be sufficient to reduce audit risk for the accuracy assertion to an acceptably low level. The section “Substantive Analytical Procedures” goes more in depth regarding the use of substantive analytical procedures to obtain audit evidence.

Cloud 9 - Continuing Case Ian is starting to realize that the standards and professional practice would not allow him to rely exclusively on analytical procedures. Cloud 9 has significant inventory balances (around 25% of total assets) and receivables (around 28% of total assets), so the auditors will need to gather persuasive evidence about the existence, valuation and allocation, and rights and obligations assertions for these accounts. Procedures such as confirming receivables balances and observing inventory counts are definitely going to be included in the detailed audit program.

Suzie warns Ian that it is not always the size of the account that determines the use of analytical procedures or other procedures. For example, in Cloud 9’s trial balance there is a derivatives investment account that is around 5% of total assets. It is a smaller portion of total assets, but since accounting for derivative investments is complex, they probably cannot rely solely on analytical procedures, particularly regarding the valuation and allocation assertion.

Initial Procedures When auditing an account balance, auditors perform several initial procedures before applying other substantive procedures. First, auditors should simply recall their understanding of the client’s business and industry and think about how those factors may impact the account balance being audited. For example, a client that is a technology retailer faces a higher risk of inventory obsolescence because technology items such as computers and smartphones become obsolete if they are not sold quickly. Therefore, when applying substantive procedures for the audit of inventory, auditors should keep the risk of inventory obsolescence in mind, particularly when performing audit procedures related to the valuation and allocation and existence assertions. Extensive knowledge of the client provides the appropriate context for evaluating the results of substantive procedures. Other initial procedures are fairly routine steps performed for all account balances. For illustrative purposes, let’s consider a prepaid insurance account that includes the transactions

  Nature of Substantive Procedures  9-9

for all of a client’s insurance policies. The client must pay insurance premiums in advance as required by the insurance provider, which creates the asset account of prepaid insurance. The following initial procedures are performed: 1. Trace the beginning balance of the prepaid insurance account to the auditor’s working papers from the prior year’s audit. The beginning balance should match the ending audited balance reflected in last year’s working papers. (Note: If the auditors did not audit the client last year, refer to AU-C 510 Opening Balances—Initial Audit Engagements, Including Reaudit Engagements.) 2. Scan the transactions in the account for unusual items. An amount could be unusual because of its large dollar amount, its timing, or its source. For example, the client typically pays its insurance premiums annually in the first quarter of the year. A large payment made to an insurance provider in the third quarter would be unusual and warrant further investigation. 3. Obtain a trial balance or other detailed report for the account. A trial balance shows the balances of prepaid insurance for each insurance provider. The trial balance is typically in electronic form and compiled from the client’s information system. It should be footed for mathematical accuracy. If the detailed report is in another form, such as an Excel spreadsheet, auditors should review the formulas and recalculate to ensure the formulas are working as intended. The total on the trial balance should agree to the total in the subsidiary ledger from which it was prepared, and it should agree to the total in the general ledger. A sample of the individual insurance provider balances from the trial balance should be compared to the corresponding detail in the subsidiary ledger and vice versa. This procedure may seem redundant, but it helps to ensure the trial balance or report is an accurate and complete representation of the account balance. Once these initial procedures are completed and documented in the working papers, auditors continue with the remaining substantive procedures detailed in the audit program.

Substantive Analytical Procedures Analytical procedures are evaluations of financial information through analysis of plausible relationships among financial and nonfinancial data. Some examples include ratio analysis, trend analysis, simple comparisons of data, and complex statistical analysis techniques. The use of analytical procedures is required during risk assessment, as we learned in Chapter 4. Using analytical procedures as a substantive procedure during risk response is not required, but it is very common. AU-C 520 Analytical Procedures and AS 2305 Substantive Analytical Procedures address the use of analytical procedures as a substantive procedure for gathering evidence. AU-C 520 also addresses the auditor’s responsibility to perform analytical procedures near the end of the audit to assist the auditor when forming an overall conclusion on the financial statements (AU-C 520.01). Using analytical procedures near the end of the audit is required and is covered in Chapter 14. When conducting a substantive analytical procedure, auditors develop an expectation, or estimate, using data in the client’s records or data from reliable outside sources, and then compare the expectation with the client’s recorded amount. If there is a difference, auditors determine if it is significant and if further audit procedures need to be performed. Depending on the risk factors for a particular assertion, auditors may determine that substantive analytical procedures can be used as follows: •  As the only substantive test for a class of transactions or account balance. •  In combination with tests of details. Auditors use their professional judgment when deciding which substantive procedures to use and will consider the effectiveness and efficiency of the procedures in reducing the assessed risk of material misstatement to an acceptably low level. Factors that impact the effectiveness and efficiency of using a substantive analytical procedure to respond to risk

analytical procedures  evaluations of financial information through analysis of plausible relationships among both financial and nonfinancial data; analytical procedures also encompass such investigation, as is necessary, of identified fluctuations or relationships that are inconsistent with other relevant information or that differ from expected values by a significant amount

9-10  C h apte r 9  Risk Response: Performing Substantive Procedures

include (1) the nature of the assertion, (2) the plausibility and predictability of the relationship, (3) the availability and reliability of the data used to develop the expectation, and (4) the precision of the expectation (AU-C 520.A8 and AS 2305.11). Each of these factors will be discussed next. The use of a substantive analytical procedure may be more appropriate and provide more persuasive audit evidence depending on the nature of the assertion. With some assertions, potential misstatements may not be discovered by examining detailed evidence or detailed evidence may not be available. For example, consider the accuracy and occurrence assertions for salaries expense for the year. Auditors need to gather evidence that the amount recorded for salaries expense transactions has been recorded appropriately and the transactions have occurred. A substantive analytical procedure can be used by comparing the number of employees at fixed salaries to the total salaries expense for the period. If the actual salaries expense is significantly more than the expectation from the comparison, it could indicate a misstatement caused by error or unauthorized payments. This comparison may be more effective for the accuracy and occurrence assertions then performing a detailed test of a sample of individual payroll transactions. When using a sample, none of the transactions in the sample may reflect any misstatements. If the assessed risk of material misstatement for an assertion is high, auditors need to gather more persuasive audit evidence. Results from substantive analytical procedures will be more persuasive if relationships among data are more predictable. For example, relationships in a stable industry environment are usually more predictable than relationships in an industry environment that is unstable or changing rapidly. Large volumes of similar transactions tend to be more predictable over time than smaller volumes of more unique transactions that may vary in occurrence and amount. Relationships involving income statement accounts are usually more predictable than relationships involving only balance sheet accounts because income statement accounts represent transactions over a period of time. Balance sheet accounts represent an amount at a specific point in time (AU-C 520.A10 and AS 2305.14). Relationships involving transactions that are subject to management discretion are typically less predictable. For example, rather than incurring advertising expense on a routine monthly basis, management may decide to only advertise when special sales are being offered. Illustration 9.3 provides examples of substantive analytical procedures that typically provide persuasive evidence.

ILLUSTRATION 9.3  

Examples of analytical procedures that provide persuasive evidence

Evidence

Analytical Procedure

Material content of work in progress and finished goods

Relate raw materials put into production and quantities sold to normal yield factors

Overhead in ending inventory

Relate actual overhead for the period to actual direct labor, production volumes, or another appropriate measure

Finished goods inventory pricing

Refer to selling prices less selling costs and “normal” gross margin

Charges for depreciation

Refer to asset balance, effect of additions and disposals, and average depreciation rate

Payroll expense

Refer to days accrued and average daily payroll or subsequent period’s gross payroll

Commission expense

Refer to commission rates and related sales

Accruals for commissions or royalties

Refer to terms of agreements and payment dates

Interest expense and related accrual

Refer to the average debt outstanding, weighted average interest rate, and payment dates

Investment income

Relate average amounts invested to an average interest rate or yield

Total revenue for a school

Relate school fee per each year level by number of students in each respective level

  Nature of Substantive Procedures  9-11

Audit Reasoning Example  Substantive Analytical Procedures Carmen is an audit senior on the audit of High Tide Automobile Corp., a company of car dealerships. The year-end audit work is under way and she discusses the audit of commission expense with Ryan, a first-year associate on the team. “Ryan, you will be auditing commission expense,” says Carmen. “During risk assessment, we learned about the car sales commission rates for the sales staff of High Tide. Do you remember what it is?” Ryan replies, “Yes, I remember. A salesperson receives a 25% commission on the profit of a sale. Profit is defined as the selling price minus High Tide’s invoice price for the vehicle. So if the profit on the sale of one car is $1,000, the salesperson will receive a commission of $250.” “That is correct,” says Carmen. “One of the steps in the audit program is to use substantive analytical procedures to develop an expectation of what commission expense should be for the year. How do you think we calculate our expectation?” Ryan thinks for a moment, and then says, “We could take High Tide’s total gross profit on vehicle sales and multiply it by 25%. That should give a pretty good estimate of what commission expense is for the year.” “Yes, that is exactly what we do,” says Carmen. “We also look at the relationship between sales revenue and commission expense. As sales revenue increases, commission expense should also increase. If actual commission expense is significantly different from our expectation, we may need to perform additional tests of details.”

Before auditors can use substantive analytical procedures, they must consider the availability and reliability of data to be used to develop their expectation. Data may not be readily available to develop expectations for some assertions. For example, to develop an expectation to test the completeness assertion for sales, auditors use data from budgets, forecasts, or square feet of selling space. If this type of data is not available, it may be more effective to perform a test of details using the client’s shipping records. Auditors should also consider the reliability of the data being used to develop the expectation for the analytical procedure. If the underlying data is not reliable, the expectation will not be reliable, and any evidence gathered would not be considered reliable. Illustration 9.4 lists factors that auditors consider regarding the reliability of data to be used for substantive analytical procedures. Factor

Explanation

Source of the data

Generally, data obtained from independent sources outside of the client are considered more reliable.

Controls over the data

If the data are internally generated, are there adequate internal controls over the data? The auditors should test the effectiveness of the controls over the data to determine that the underlying data are complete and accurate. If controls over the data are effective, the data are considered more reliable.

Current or prior year testing of the data

If the data have been subjected to audit testing in the current year or prior year, they are considered more reliable than if they have not yet been tested.

Comparability of the data

The data must be capable of being used to create an expectation that is relevant to the entity. For example, if auditors plan to use industry averages for comparisons with client data, they must consider if the industry data are too broad to provide a meaningful comparison. If the client is more specialized within the industry, then using a broad industry average may not be reliable.

Finally, auditors must determine if the expectation that will be developed is precise enough to identify misstatements at the assertion level. The amount of precision needed depends on whether the substantive analytical procedure is being used as the only substantive test of an assertion or if it is being used in conjunction with tests of details. If it is being used as the only substantive test, then the expectation needs to be more precise to provide more reliable audit evidence. Expectations that are developed at a detailed level are more precise than expectations developed at a broad level. For example, using monthly amounts will generally provide a more precise expectation than using yearly amounts, or using data by business unit will be more precise than using company-wide data. The level of detail needed to develop the expectation will vary by client and depends on the size and complexity of the client.

ILLUSTRATION 9.4  

Factors that affect the reliability of data to be used for substantive analytical procedures

9-12  C h apte r 9  Risk Response: Performing Substantive Procedures

If, after considering the factors discussed above, auditors decide that using a substantive analytical procedure is appropriate for testing an assertion, next they consider how much of a difference between the expectation and the client’s recorded amount they can accept without performing further investigation. Auditors will consider materiality of any differences and how persuasive the evidence needs to be. For example, if the substantive analytical procedure is the only substantive test being performed for an assertion, then the evidence needs to be persuasive. Therefore, the amount of difference auditors could tolerate decreases. If the substantive analytical procedure is being used in conjunction with tests of details, then the amount of difference auditors could tolerate would increase since other procedures would also be used to gather evidence. If the difference is large enough to warrant further investigation, auditors should first review the factors used in developing the expectation. They can also inquire of management as to the reasons for the difference. However, any information obtained from management should be corroborated with other evidence. If the differences cannot be explained after performing additional procedures, auditors should consider it an indication of increased risk of material misstatement for the assertion. Auditors must document in the working papers the use of substantive analytical procedures. This includes documenting the factors considered in developing the expectation, the results of the comparison of the expectation with the client’s recorded amount, and any additional procedures performed to investigate differences between the expectation and the client’s recorded amount.

Cloud 9 - Continuing Case Ian and Suzie continue their discussion about using analytical procedures. Ian is starting to feel more confident and suggests that there are some factors to consider about the Cloud 9 audit that would affect the use of the various procedures. “We could use all of the usual techniques in the Cloud 9 audit, although we have to be careful in making comparisons across years for a couple of reasons. We have only just taken over the audit, so although

prior-year data was audited, we are still building up our level of familiarity with the data and don’t really understand all the conditions that applied to the previous years. Also, the changes at Cloud 9, in particular the opening of the retail store and the additional borrowing to finance the purchase of the delivery trucks that we discovered during our preliminary work, will impact the data.”

Professional Environment  Interpreting the Results of Analytical Procedures Before they can complete an audit, auditors need to evaluate the causes of any unexpected fluctuations in a client’s financial statements detected by the use of analytical procedures. Auditors have to consider possible causes of the fluctuation, search for additional information about these possible causes, evaluate the alternatives, and decide which possible cause of the fluctuation is the correct one. As part of this process, auditors can make inquiries of client managers to obtain their explanations of the fluctuation’s cause. Client managers could provide the correct explanation because of their superior knowledge of the situation. However, it is possible that management will give the auditors an incorrect explanation, deliberately or not. The question then arises whether auditors will be inappropriately influenced by management’s explanations that are not consistent with audit evidence. In an experiment using 61 Australian auditors from a large accounting firm, Green investigated whether receiving an incorrect management explanation affected auditors’ performance in determining the correct explanation for financial data fluctuations.1 The subjects were required to complete a computerized experimental task involving analytical procedures relating to an error in cost of sales. The subjects in a control group did not receive a management expla-

1

nation while the other auditors received a management explanation either before or after considering their own alternative explanations. Green found that only 15 of the 61 auditors selected the correct cause of the data fluctuation, with the remainder either selecting management’s explanation or another cause considered as a possibility by the auditor.2 Although 47 of the auditors actually considered the correct cause, 32 dismissed it in favor of another alternative. The data showed that 14 auditors never even considered the correct cause as a possibility during their investigations. Overall, Green concluded that receiving an incorrect explanation from management affected the auditors’ performance by influencing them to judge it as the correct cause. None of the auditors in the control group, who did not receive the management explanation, judged that explanation to be the correct one. Green suggests that audit firms could consider offering more guidance to auditors to develop their professional skepticism and prompt their consideration of more alternatives. In addition, auditor training could focus more on the evaluation of evidence, particularly in relation to management explanations. However, it is possible that in practice more experienced auditors, such as partners, would not be so easily distracted by management’s explanations.

W. Green, “Are Auditors’ Analytical Procedures Judgements Affected by Receiving Management Explanations?” Australian Accounting Review 15, no. 3 (2005), pp. 67–74.

2

Green 2005, p. 71.

  Nature of Substantive Procedures  9-13

Tests of Details The phrase tests of details refers to the substantive procedures auditors use to test the details of account balances, transactions, and disclosures. Recall that these tests of details are inspection, observation, inquiry, confirmation, recalculation, reperformance, scanning, and ADA. One or more tests of details may be used to test an assertion. Also, one or more tests of details may be used in conjunction with a substantive analytical procedure for testing an assertion. Which procedure or procedures to use will depend on auditor judgment, the assessed risk of material misstatement, and the nature of the assertion being tested. The following paragraphs provide some examples and other guidelines for using tests of details. As we have already discussed, when an assertion has a higher assessed risk of material misstatement, auditors need to gather more reliable and persuasive evidence. For example, due to poor internal controls over accounts receivable, auditors have determined there is increased risk that some recorded accounts receivable balances do not exist for a client. Auditors could inspect the underlying documentation in support of recorded receivables, such as sales orders, shipping documents, and customer invoices. But since these documents are generated internally by the client, does inspection provide the most reliable evidence? No, it does not. Evidence that is gathered from an independent source from outside of the client is considered more reliable. Therefore, a more effective test of details would be to send confirmations to customers to verify the existence of the accounts receivable balances. If a customer notes a discrepancy on the returned confirmation, auditors can follow up with additional tests of details as needed, such as recalculation of the balance, inspection of documents, and inquiry of management. The nature of the assertion being tested affects the type of test of details that auditors use. For example, what procedures will provide evidence that a client’s recorded inventory balance actually exists? Auditors can observe the client counting the physical inventory at year-end. Recall that the auditor’s direct knowledge through observation is more reliable than indirect knowledge. Auditors can also inspect supporting documents by vouching a sample of inventory purchases to receiving reports and purchase orders (requisitions). Would recalculating the mathematical accuracy of a sample of inventory purchases (price × quantity) provide evidence for the existence assertion? No, it would not. Recalculation provides evidence for the accuracy assertion, not the existence assertion. When selecting which tests of details to use, auditors must select procedures that are appropriate for the assertion being tested. Tests of details are also used to evaluate assertions related to the disclosures of the financial statements, referred to as the notes. It is management’s responsibility to prepare the note disclosures. The objective of auditors is to determine if the notes are prepared in accordance with the applicable financial reporting framework. Refer to Illustration 9.2 for the assertions related to disclosures. Auditors should read and inspect the notes and recalculate amounts, as needed, to gather sufficient appropriate evidence that: •  Management has adequately disclosed the significant accounting policies applied in the financial statements. •  Information in the notes is accurate and does not contain errors or inconsistencies with information presented in the financial statements. •  Appropriate and understandable terminology is used, as prescribed by the applicable financial reporting framework. •  All disclosures that are required by the financial reporting framework have been included. You may recall from your financial accounting courses that some note disclosures, such as pensions, deferred income taxes, and stock options, require extensive detail. Therefore, it is critical that auditors are very knowledgeable about the financial reporting framework used by their client. That knowledge provides a context for auditors to evaluate whether the financial statements and notes are presented fairly.

ADA and Substantive Procedures We discussed in Chapter 5 how ADA has ushered in many changes regarding how audits are conducted. Chapter 7 introduced using ADA both as a risk assessment procedure and as a substantive procedure. At the risk response phase, the auditor may use substantive procedures to follow up on

9-14  C h apte r 9  Risk Response: Performing Substantive Procedures

confirmation bias  the tendency to seek or interpret evidence in ways that support pre-existing beliefs or expectations

the findings of an ADA procedure used during risk assessment. For example, during risk assessment an auditor may have used ADA to identify slow-moving inventory. For the notable items in inventory identified by ADA, the auditor may perform traditional substantive procedures regarding the net realizable value of inventory. In other words, for these items the auditor might look at how many of the items were sold between year-end and a date near the end of fieldwork. During that period the auditor can determine if the company had to mark down items below cost in order to sell them. The auditor might also identify that a significant portion of inventory has not sold and may look at sales prices of similar items in the marketplace to determine the need to write down inventory to its net realizable value. Essentially, the auditor uses ADA to identify items that are at a high risk of material misstatement and will use traditional substantive tests to evaluate the high risk balances or transactions. At the risk response stage the auditor may have identified a specific fraud risk. For example, if there is a weakness in access controls over a master vendor file, the auditor might use ADA to compare vendor addresses with employee addresses. A match might be an indication that an employee has put a fictitious vendor in the master vendor file, and invoices might be paid to a fictitious vendor. Also, the auditor might use ADA as a substantive procedure. For example, a local transportation district may hire primarily hourly workers under a union contract to drive and maintain buses. The transportation district has good internal controls over the master payroll file and over capturing hours worked electronically. All hourly workers are paid every two weeks, and all hourly pay is classified in the same payroll expense account. The auditor may use ADA to recalculate gross payroll for hourly employees and this classification of payroll expense. The auditor will still have to perform other payroll cutoff tests, but the auditor may use ADA to substantiate the vast majority of payroll expense for the transportation district. ADA, substantive analytical procedures, and tests of details are all powerful tools, but they do not replace the need for professional judgment and skepticism. Auditors must use professional judgment when designing the procedures, interpreting the results, and determining how the results influence the nature, timing, and extent of other audit procedures. Auditors must use their professional skepticism, being careful to prevent confirmation bias when interpreting results. Confirmation bias is the tendency to seek or interpret evidence in ways that support pre-existing beliefs or expectations.3 If client management has already explained why a transaction was an outlier or why an analytical procedure did not align with the auditor’s expectation, auditors must be careful not to seek evidence that solely confirms management’s explanation. Auditors need to exercise professional skepticism and consider all information, whether it supports or contradicts the original explanation provided by management.

Before You Go On 3.1 Explain a dual-purpose test. Provide an example. 3.2 What factors impact the effectiveness and efficiency of using substantive analytical procedures to respond to risk? 3.3 What are some advantages of using audit data analytics in the audit process? 3.4 How could confirmation bias impact an audit? Provide an example.

Timing of Substantive Procedures Lea rning O bje cti ve 4 Explain and analyze factors that impact the timing of substantive procedures at the assertion level. Chapters 3 and 8 have addressed the timing of performing both tests of controls and substantive procedures. Recall that testing of internal controls is performed during an interim period, which may be two or three months before the client’s year-end. Some substantive procedures can also 3

R. Fay and N. Montague, “I’m Not Biased, Am I?” Journal of Accountancy 2019, no. 2 (2015), pp. 26–31.

 Timing of Substantive Procedures  9-15

be performed at interim. For assertions that have a lower risk of material misstatement, it may be more efficient for auditors to perform substantive procedures on those assertions prior to year-end to allow more time for testing higher risk assertions at year-end. For example, during the risk assessment phase, auditors determined that the occurrence assertion for a client’s prepaid expense transactions have a low risk of material misstatement. The auditors also tested the effectiveness of internal controls over the recording of transactions in the prepaid expenses account and concluded that controls are effective. Therefore, during the interim period, auditors perform test of details by selecting a sample of prepaid expense transactions from the ledger and vouching the transactions to supporting documentation to test the occurrence assertion for the transactions. Note that since the vouching is being performed at interim, the transactions available for testing are those that occurred from the beginning of the year through the interim period, which is usually through the client’s third quarter. Illustration 9.5 lists factors auditors consider when deciding to perform substantive tests at an interim date. Factor

More Likely to Perform Substantive Tests at Interim If…

Internal controls

Internal controls, including the control environment, are effective.

Assessed risk of material misstatement

Assessed risk of material misstatement is low.

Availability of information to perform procedures

Information is available during the interim period that may not be readily available at year-end.

Nature of the substantive procedure

The type of procedure can be performed at interim. For example, inquiry of management and inspection of fixed assets can be performed during interim, but observation of the physical inventory count can only be performed at the time scheduled by the client, which is typically at year-end.

Nature of the account and relevant assertions

Little change is expected in an account balance during the period from interim to year-end.

Auditor’s ability to perform additional procedures to cover the remaining period

Additional procedures can be performed during the period after interim and after year-end, if necessary.

When substantive procedures are performed during an interim period, auditors perform roll-forward procedures to update their audit findings from the time of the interim procedures through to year-end. The nature and extent of these roll-forward procedures are matters of judgment and are responsive to the risk assessment. When the entity’s control environment has been assessed as effective, controls have been tested, and no significant changes in the control environment and controls have occurred, limited roll-forward procedures, such as substantive analytical procedures or limited tests of details of transactions occurring between the interim period and year-end, may be all that are necessary. For example, auditors used inspection of supporting documents, observation of physical assets, and inquiry of client personnel to test the existence and completeness of fixed asset additions and disposals during the interim period, which was the end of the client’s third quarter. At year-end, auditors could perform roll-forward procedures on any fourth-quarter activity by scanning fixed asset transactions, inquiring about any unusual or large transactions and, if necessary, performing further tests of details on fourth quarter transactions. Illustration 9.6 shows a timeline of when Interim substantive Roll-forward testing on 1/1 procedures to 9/30 transactions for 9/30 and 9/30 account to 12/31 balances transactions

9/30/2022 1/1/2022 Period covered by the 2022 financial statements

1/31/2023 12/31/2022

ILLUSTRATION 9.5  

Factors to consider regarding the performance of substantive procedures at an interim date

roll-forward procedures  procedures performed at year-end on transactions occurring between an interim date and year-end (the roll-forward period) to provide sufficient appropriate audit evidence on which to base conclusions at year-end when substantive procedures are performed at an interim date

ILLUSTRATION 9.6  

Illustration of roll-forward procedures

9-16  C h apte r 9  Risk Response: Performing Substantive Procedures

the interim substantive testing is performed and when the roll-forward procedures are performed for a December 31 year-end client. Some substantive procedures can only be performed at year-end due to the nature of the assertion or the timing of the transactions. For example, the client makes final adjusting entries and closing entries at year-end to prepare the annual financial statements. Auditors will inspect and recalculate the entries at year-end. They also reconcile the annual financial statements with the underlying accounting records. Substantive tests of details to test the cutoff assertion for sales transactions are also performed at year-end. The cutoff assertion for sales means that transactions have been recorded in the proper accounting period. Auditors inspect supporting documentation for sales transactions that occurred just before and after the yearend date. They compare the dates on sales invoices with the dates of shipment of inventory and the dates of recording the transaction in the sales journal to ensure that sales are recorded in the proper accounting period. Finally, if during risk assessment auditors have identified risks of material misstatement due to fraud, they may consider changing the timing of audit procedures. For example, the auditor may decide that due to the heightened risk, performing substantive procedures at interim would not be effective. Gathering evidence at year-end would provide more reliable evidence in response to the assessed risk of material misstatement due to fraud.

Before You Go On 4.1 What types of assertions are more likely to be tested at interim? Provide an example. 4.2 Explain roll-forward procedures. 4.3 Why can some substantive procedures only be performed at year-end? Provide an example.

Extent of Substantive Procedures Lea rning O bje cti ve 5 Explain and analyze factors that impact the extent of substantive audit procedures at the assertion level. The extent of substantive procedures refers to how much testing will be performed within a class of transactions or account balance. A key issue for the auditor to decide is whether to screen 100% of the transactions using ADA, or whether to use an audit sampling approach. Audit sampling is discussed in more detail in Chapter 10. In general, an auditor is more likely to use ADA when the following conditions exist: •  Evidence to support the audit test is available in electronic form. •  T  he audit population is large and the auditor’s tests are supported by reliable and relevant data in electronic form, making ADA efficient. •  Relevant data is reliable and internal controls over the reliability of data are strong. •  Relevant data is clean or can be cleaned up easily. Alternatively, the auditor is more likely to use audit sampling when: •  P  rofessional standards expect the auditor to perform certain audit procedures (e.g., observe inventory or confirm receivables). •  Evidence to support the audit test is not available in electronic form.

 Extent of Substantive Procedures  9-17

•  The audit population is small and can efficiently be tested using traditional audit tests. •  Relevant data is not reliable and internal controls over the reliability of data are weak. •  Relevant data may be in different formats and is not easy to use. When the auditor chooses to engage in audit sampling, Illustration 9.7 shows the link between the assessment of inherent risk and control risk and how it impacts the amount of substantive testing required to reduce detection risk to an acceptable level. For example, if the combined inherent risk and control risk are high (bottom right shaded corner), the amount of detection risk the auditor is willing to accept is very low and therefore extensive substantive procedures are necessary to reduce detection risk. If the combined inherent risk and control risk are low (top left shaded corner), the amount of detection risk the auditor is willing to accept is high and therefore few substantive procedures are necessary to reduce detection risk.

Low High

Inherent Risk (IR) Assessment

Control Risk (CR) Assessment Low

Medium

High

Controls tested extensively and able to be relied upon

Limited controls tested and able to be relied upon

No controls tested and no assurance from controls

Lower risk of material errors if no controls in place

Few substantive procedures required

Some substantive procedures required

DR = High

DR = Medium

Considerable substantive procedures required

Higher risk of material errors if no controls in place

Considerable Some substantive procedures required substantive procedures required DR = Medium DR = Low

DR = Low Extensive substantive procedures required DR = Very Low

Essentially, extent of substantive procedures is referring to sample size. For example, if a client has 10,000 customers, how many customers should the auditor select to receive confirmation requests? The answer will depend primarily on the assessed risk of material misstatement for the account balance. If the risk of material misstatement is high (and detection risk is low), then a larger sample size should be selected. If the risk of material misstatement is low (and detection risk is high), then a smaller sample size should be selected. Auditors will also consider qualitative factors when determining sample size. For example, if there has been significant turnover in the accounts receivable department and the client is concerned there may be errors, auditors may decide to increase the sample size. Or as another example, perhaps the client implemented a new discount program to encourage customers to pay their accounts receivable balances early. Auditors may decide to increase sample size to ensure that discounts on customer payments were appropriately calculated and recorded according to the guidelines of the discount program. When selecting a sample, auditors may decide to select all items (testing 100%) for substantive tests of details (rather than ADA). For some account balances or classes of transactions, it may be appropriate and feasible for auditors to test 100% of the population. Some account balances have a small population of transactions, but the transactions are large in dollar value. For example, a retail clothing client has a prepaid advertising account. The client pays in advance for social media advertising four times during the year. The amount of each payment is material, but the payment amount varies during the year because of the seasonal nature of the retail industry (i.e., more advertising occurs during the holiday season). Auditors will perform substantive procedures on all four transactions for the year, such as inspection of advertising invoices, inspection of contracts with the advertising vendors, and possibly confirming directly with the advertising vendors the amount of prepaid advertising still available at year-end. Another reason to test 100% of a population is because significant risk exists for a class of transactions or account balance. Testing 100% of the population may be the most effective way of gathering sufficient appropriate audit evidence. For example, a large beverage company may have acquired several smaller beverage companies during the year. As a result of

ILLUSTRATION 9.7   Linkage between inherent risk, control risk, detection risk, and substantive procedures

9-18  C h apte r 9  Risk Response: Performing Substantive Procedures

the acquisitions, the client has a material increase in intangible assets such as copyrights and trademarks. Determining the useful life of some intangibles involves judgment which poses a significant risk. Therefore, auditors may decide to audit 100% of the amortization transactions for the intangible assets account. If it is not feasible to select all items, auditors may decide to select specific items from a population. Which items to select depends on auditor judgment, but a common method is selecting high dollar value items or key items. Items may be selected because they have a high dollar value or for some other characteristic, such as being unusual, suspicious, or having a history of error. For example, to test the existence assertion of a client’s $3 million accounts receivable balance, auditors will send confirmations to customers. The client has two key customers whose accounts make up $2.1 million of the balance. By selecting these two key customers to confirm, and assuming the customers’ replies, auditors can conclude that 70% of the accounts receivable balance does exist. Another method of selecting specific items from a population is to select items that are over a certain dollar amount when testing for overstatement. By selecting items over a certain amount, auditors are ensuring that a large portion of the account balance or class of transactions is being included in the testing. For example, a client has 200 customers with a total accounts receivable balance of $3 million. Thirty of the customers carry balances of at least $75,000 while the remaining 170 customers have balances of less than $75,000. If auditors send confirmations to the 30 customers with balances of at least $75,000, then at least 75% of the accounts receivable balance is being confirmed ($75,000 × 30 = $2,250,000). Selecting specific items involves auditor judgment, which means nonsampling risk is a factor. Nonsampling risk is discussed in Chapter 10. Finally, auditors can use statistical audit sampling to select a sample of items to test. By using statistical sampling, auditors can draw conclusions about an entire population based on the results of the sample testing. Statistical sampling can be used in addition to testing specific items from a population. Chapter 10 continues a more in-depth discussion of statistical sampling with substantive procedures.

Cloud 9 - Continuing Case Ian and Suzie have decided that analytical procedures will not be sufficient for all accounts. For each major transaction process and account balance they will also conduct tests of details of transactions. For vouching tests, the auditors will sample transactions and balances in the accounting records and go to the underlying documentation (or physical assets) to confirm the recorded details. For example, for sales recorded as being made prior to the fiscal year-end, they will examine the invoices and shipping documents to gather evidence on the date, amount, and other details of the transactions. If they find a sales invoice with a February date has been included in the sales for the year ended January 31, they have evidence of a misstatement in the occurrence and cutoff assertions for sales. They will also trace the details in a sample of documents through to Cloud 9’s accounting records. This means that they will

start with the documents and then test how that transaction (or asset or liability) is recorded in the client’s accounts. For example, if they find a sales invoice with a January date that is not included in the sales for the year, they will have evidence of a misstate­ ment in the completeness and cutoff assertions for sales. Suzie advises Ian that the sample sizes and approach to sampling are determined by the results of the controls testing and the resulting expectations for errors. Suzie also asks Ian to include tests of details of accounts, such as accounts receivables and property, plant, and equipment (PPE), in the detailed audit program. Where the risk is low, such as PPE, they will perform these tests at an interim date. Finally, Suzie informs Ian that the IT audit manager, Mark Batten, is writing the ADA program.

Before You Go On 5.1 Describe two situations in which the auditors may decide to test 100% of a population. 5.2 What techniques can an auditor use to select specific items from a population to test? 5.3 What is an advantage of using statistical sampling?

 Auditing Accounting Estimates  9-19

Auditing Accounting Estimates Lea rning Objecti ve 6 Explain and apply audit procedures used to audit accounting estimates. Financial statements include a variety of items that cannot be measured precisely and must be estimated by client management. An accounting estimate is an approximation of a monetary amount when a precise means of measurement is not available. In your studies of financial accounting you encountered examples of accounting estimates such as uncollectible receivables, useful lives and residual values of fixed assets, and future warranty liabilities. What is the auditor’s responsibility regarding accounting estimates made by management? AU-C 540 Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related Disclosures states the objective of the auditor is to obtain sufficient appropriate evidence that (1) accounting estimates are reasonable and (2) related disclosures are adequate (AU-C 540.06). This section discusses the nature of accounting estimates, risk assessment procedures related to estimates, and the auditor’s procedures for responding to risks associated with accounting estimates. (Note: The PCAOB has two standards related to accounting estimates and fair value measurements: AS 2501 Auditing Accounting Estimates and AS 2502 Auditing Fair Value Measurements and Disclosures.)

accounting estimate  an approximation of a monetary amount when a precise means of measurement is not available

Nature of Accounting Estimates According to AU-C 540.03, there are two types of accounting estimates: 1. Forecasting the outcome of a transaction or event as required by a financial reporting framework. Examples in this category include estimating uncollectible receivables and estimating the probability and amount of litigation loss. 2. Determining fair value of a transaction or financial statement item for inclusion in the financial statements and disclosure in the notes as required by a financial reporting framework. Examples in this category include determining the fair value of goodwill and intangible assets in a business combination and determining the fair value of complex financial instruments that are not traded in an open market. Once the final outcome of the transaction or event occurs, it is expected that there will be a difference between the outcome of the accounting estimate and the amount originally recognized or disclosed in the financial statements. This difference does not necessarily constitute a misstatement, but rather the outcome of estimation uncertainty. Estimation uncertainty is the susceptibility of an accounting estimate and related disclosures to an inherent lack of precision in its measurement. For example, a client sells commercial-grade lawn mowers and offers a one-year warranty for any repairs that may be needed on the mowers. Based on past experience, the client estimates a future warranty liability of 5% of sales revenue and records that on the balance sheet. Suppose over the next year the client performs warranty repairs that total 6% of sales revenue, which is more than was estimated on the prior-year balance sheet. Does that mean the prior-year balance sheet is misstated? No, it just means that actual warranty repairs were more than originally estimated. Some years the warranty repairs will be less than estimated. The most important factor is that management monitors the amount of actual warranty repairs and adjusts its estimate each year as needed. Some accounting estimates involve more estimation uncertainty than others. The amount of estimation uncertainty is affected by the nature of the accounting estimate, the subjectivity of the assumptions used to make the estimate, and the extent to which a generally accepted method or model is available to aid in developing the estimate. Illustration 9.8 provides examples of estimates that have lower estimation uncertainty and estimates that have higher

estimation uncertainty  the susceptibility of an accounting estimate and related disclosures to an inherent lack of precision in its measurement

9-20  C h apte r 9  Risk Response: Performing Substantive Procedures ILLUSTRATION 9.8  

Estimation uncertainty with accounting estimates

Lower Estimation Uncertainty

Example

Accounting estimates involving non-complex business activities

Estimating warranty liabilities for sales of a readily available consumer product

Accounting estimates that are frequently made and updated because they relate to routine transactions

Estimating the allowance for doubtful accounts

Accounting estimates derived from data that are readily available

Imputing the interest rates on receivables or payables using published interest rate data

Fair value accounting estimates in which the method of measurement dictated by the applicable financial reporting framework is simple and easily applied to the asset or liability requiring measurement at fair value

Using published market values of equity securities that are held as trading securities and must be reported at fair value on the balance sheet

Fair value accounting estimates made using measurement models that are well-known or generally accepted

Using the Black-Scholes model to determine the fair value of stock options granted to employees

Higher Estimation Uncertainty

Example

Accounting estimates related to the outcome of litigation

Estimating a potential loss from a breach of contract dispute with a vendor in which litigation could continue for several years

Fair value accounting estimates for financial instruments not publicly traded

Estimating the fair value for a derivative financial instrument that is not traded on a public market

Fair value accounting estimates for which an entity-developed model is used or for which there are assumptions that cannot be observed in the marketplace

Estimating the fair value of highly specialized, internally developed equipment that is being offered as consideration in a nonmonetary exchange of plant assets with another party in a different line of business

Source: AU-C 540.A2-.A7.

management bias  a lack of neutrality by management in the preparation and fair presentation of information

estimation uncertainty. It is important for auditors to be aware of the degree of estimation uncertainty related to an accounting estimate. In general, accounting estimates with a high degree of estimation uncertainty pose a greater risk of material misstatement. In contrast, accounting estimates with lower estimation uncertainty have a lower risk of material misstatement. Accounting estimates, by their nature, involve subjective decision-making on the part of management. Therefore, accounting estimates may be subject to management bias. Management bias is a lack of neutrality by management in the preparation and fair presentation of information. The lack of neutrality by management may be unintentional or intentional. Intentional management bias is usually driven by pressure on management to achieve a target result and could be an indicator of fraud. (See Chapter 3, “Incentives and Pressures to Commit Fraud,” for more fraud risk factors.) AU-C 540.A134 states auditors should be aware of indicators of possible management bias such as: •  Changes in an accounting estimate, or the method for making it, that are based on subjective assumptions. •  Using management’s own assumptions for fair value estimates when they are inconsistent with readily observable market assumptions. •  Selecting or developing significant assumptions that yield an estimate more favorable for management’s objectives. •  Selecting an estimate that indicates a pattern of optimism or pessimism. Auditors must exercise their professional skepticism and question management’s methods, assumptions, and motivations for the accounting estimates included in the financial statements and disclosures.

 Auditing Accounting Estimates  9-21

Cloud 9 - Continuing Case Suzie asks Ian to consider Cloud 9’s estimated warranty liability. The estimated warranty liability is included in accrued liabilities on the balance sheet and trial balance. Included in accrued liabilities on the October 31, 2022 trial balance is an estimated warranty liability of $832,015, which is slightly higher than the liability on the prior year’s October 31, 2021 trial balance of $808,326. Suzie asks, “What is the likelihood that the liability is understated? Are there any reasons to believe there are unidentified claims, and how would auditors detect such claims?” Ian does not know of any change in manufacturing conditions that would affect the quality of Cloud 9’s product, and thus the obligation under the warranty program. However, a new product was introduced at the start of the previous year. “Because sales of the new ‘Heavenly 456’ walking shoe are now 20% of total sales,

we should consider any possible effects on the warranty liability. I recommend specific work be done to assess the claims from this new product.” “However, if we remove this product from the analysis, the relationship between the warranty liability and sales is likely to be similar to past years. Because warranties apply to products, the amount of the warranty liability is determined by sales volume and product quality. Therefore, if conditions affecting product quality have not changed, and there is no change to the warranty program, substantive analytical procedures are a useful way of testing the reasonableness of the warranty liability.” “Finally,” Ian concludes, “relying on substantive analytical procedures to test the warranty liability is more justified if control testing suggests that Cloud 9 has effective controls over warranty claim estimation and identification of pending claims.”

Risk Assessment Procedures for Accounting Estimates We learned in Chapters 3 and 4 that auditors must perform risk assessment procedures to gain an understanding of the entity and its environment for the purpose of assessing risk and planning audit procedures. During the risk assessment phase, auditors gain an understanding of the nature and type of accounting estimates made by management. Specifically, auditors perform the following procedures: 1. Gain an understanding about what is required by the client’s financial reporting framework. The financial reporting framework may specify conditions or methods for making accounting estimates, require measurement of certain items at fair value, and require specific disclosures. 2.  Inquire of management regarding the process for identifying the need for accounting  estimates. The process of identifying the need for accounting estimates is influenced by management’s knowledge of the industry, management’s business strategies being implemented during the period, and prior experience with management’s preparation of the entity’s financial statements. 3.  Inquire of management regarding how accounting estimates are made. Auditors want to gain a thorough understanding of management’s process for making the accounting estimates. Specific examples of inquiries are: a.  What is the method of measurement? In some cases, the financial reporting framework may dictate the method of measurement, such as the use of a specific model. If the financial reporting framework does not specify a method or model, then auditors consider if management is using a method commonly used in its industry. If management has developed its own model or has departed from what is commonly used in its industry, there could be a greater risk of material misstatement for the accounting estimate. b. What controls are in place? Auditors should inquire about the data being used to develop the estimate. Are there controls to ensure the data is complete, relevant, and accurate? The members of management tasked with making the estimate should be competent and experienced, and there should be a review and approval process by appropriate levels of management. There should be segregation of duties between those tasked with making the estimate and those responsible for committing the entity to the related transactions or events triggering the estimate. For example, sales staff who interact with current and new customers to generate revenue should not also be tasked with estimating bad debt allowances. If you are the salesperson who generated the sale and related account receivable, you may not be objective when determining if the account receivable is at risk of being a bad debt.

9-22  C h apte r 9  Risk Response: Performing Substantive Procedures

c.  W  hat assumptions are used and how are they developed? Auditors should focus on the most significant assumptions used by management. How does management determine the assumption is relevant and complete? Management may have information to support assumptions that are used. Supporting information may come from external sources, such as published interest rates, or from internal sources, such as previous conditions experienced by the client. Management should fully document the assumptions used along with information supporting the use of the assumptions. d. Has there been a change, or should there be a change, in the methods or assumptions used to make an accounting estimate? Sometimes circumstances change, which brings about change in the way an estimate is made. The change may be required by the financial reporting framework or it may be caused by changes in the industry or economic environment. If a change has been made, management must document support for the change. If a change needs to be made but management has not altered its method of estimation, then management should document its reasons for not altering its estimation method. e. Has management considered the effect of estimation uncertainty? There are several ways management could assess the effect of estimation uncertainty on its estimates. For example, management should consider alternative assumptions or outcomes to determine how sensitive the estimate is to changes in assumptions. If there are several different outcome scenarios for an accounting estimate, how does management determine which one to use? Also, management should monitor the outcomes of accounting estimates from the prior period and use information from that monitoring process to improve upon future accounting estimates. 4.  Inspect the outcome of prior period accounting estimates. Since many accounting estimates arise from routine and recurring transactions, such as estimating uncollectible accounts receivable, it may not be necessary for auditors to review every accounting estimate from the prior period. But for prior-period accounting estimates that had a high degree of estimation uncertainty, auditors should review the outcome of the accounting estimate in the current year or review the re-estimation of the item if the outcome has not yet occurred. A review of prior period accounting estimates is also required by AU-C 240 Consideration of Fraud in a Financial Statement Audit. If management bias is detected in prior-period accounting estimates, it could represent an increased risk of material misstatement due to fraud for the current year financial statements. After performing these risk assessment procedures, auditors assess the risk of material misstatement related to the client’s specific accounting estimates. Remember, every client is unique, so the types of accounting estimates made by each client will vary. Auditors should evaluate the degree of estimation uncertainty for each accounting estimate. Typically, those with more estimation uncertainty will have a higher risk of material misstatement and be more susceptible to management bias. Auditors must use their professional judgment and professional skepticism to determine if any of the accounting estimates are considered significant risks. The level of assessed risk of material misstatement for each accounting estimate will determine how auditors plan their risk response.

Risk Response Procedures for Accounting Estimates Using the assessed risk of material misstatement determined from the risk assessment procedures, auditors plan the nature, timing, and extent of the procedures to be used during risk response. The objectives of the audit procedures are (1) to determine if management appropriately applied the requirements of the applicable financial reporting framework and (2) to determine if the methods used for arriving at the accounting estimate are appropriate. Auditors use the knowledge gained about the industry and the applicable financial reporting framework during risk assessment to evaluate management’s estimation processes. Risk response procedures may include tests of controls, substantive procedures, or a combination of both. If the client has well-designed, implemented, and documented controls over the preparation of accounting estimates, then an appropriate risk response would be to test the operating effectiveness of the controls. For example, a client has controls in place for the review and approval of the accounting estimates by appropriate levels of management, and when

 Auditing Accounting Estimates  9-23

applicable, by those charged with governance. Auditors would test the control by inspecting documentation that shows approval by the appropriate level of management. If testing the operating effectiveness of controls alone does not provide sufficient appropriate audit evidence, auditors also conduct substantive procedures on the reasonableness of accounting estimates. Some specific procedures include the following: •  Inquire about the method of measurement. If the financial reporting framework does not specify a method of measurement, then the method selected is a matter of professional judgment. Auditors should inquire about management’s rationale for the method selected, if the method is consistent with what is used in the industry, and if management considered other alternative methods. •  Inquire about assumptions used by management. Auditors should evaluate the assumptions used by management in developing the accounting estimate. Items that auditors should consider include reasonableness, consistency with assumptions used in prior periods and, in the case of fair value accounting estimates, whether the assumptions appropriately reflect observable market conditions. •  Recalculate the accounting estimate. If management used a model recommended by the financial reporting framework to develop the accounting estimate, auditors should also use that model and recalculate the accounting estimate. If applicable, they may need to test the data that is used as input for the model to ensure it is reliable and complete. Performing a recalculation procedure provides evidence that the model was used correctly and that management’s estimate is reasonable. •  Inspect events occurring after year-end and up to the date of the auditor’s report. Financial statements are prepared after the client’s year-end with management using the best information available near, or shortly after, the end of the year to prepare accounting estimates. Since year-end audit work takes place during the six to eight weeks after the client’s year-end date, events may occur after year-end, but before the audit is completed, that provide more information regarding the accounting estimate. Sometimes, the accounting estimate may even be resolved before the audit is complete. For example, a client has three large accounts receivable balances that have been outstanding for over 90 days. Three weeks after year-end, two of the three accounts receivable balances are paid in full, which provides audit evidence relating to the appropriateness of the estimate of the allowance for doubtful accounts. In situations like this one, no further procedures may be needed because sufficient appropriate evidence has been obtained. For accounting estimates that have been identified as significant risks, auditors may perform further substantive procedures. For example, the auditor should inquire how management has addressed the effect of estimation uncertainty on the accounting estimate. Has management used different methods or different assumptions to see how the accounting estimate is impacted? If there is a large monetary difference in the estimate when different assumptions are used, how did management choose which estimate to use? For accounting estimates that are very specialized, such as some fair value accounting estimates, auditors have the option of using a specialist to gather sufficient appropriate audit evidence that the accounting estimate is reasonable. (See “Using the Work of a Specialist” in Chapter 5 for more information.)

Cloud 9 - Continuing Case During their conversation about Cloud 9’s warranty liability, Suzie asks Ian about how they would use other substantive procedures to obtain evidence about the completeness assertion for the liability balance. “For example,” Suzie asks, “would inspecting documents using vouching and tracing be useful and, if so, how would you use them?” Ian is still keen on using substantive analytical procedures but considers the question carefully. “I think we would use vouching to get evidence about transactions or balances that are recorded as warranty claims by Cloud 9. We could do this by selecting transactions or items in the account balance and obtaining

the documentary evidence to support each one. However, it might be more useful to consider tracing because this would allow us to start with the documents and get evidence about how and whether the transactions are recorded in the accounts. If we find a document relevant to a warranty claim has not been recorded in the accounting system, we would be concerned that the liability is understated, or not complete. Additionally, we would like to examine transactions around the balance sheet date and make sure they are recorded in the correct accounting period. This evidence relates to the cutoff assertion and is part of considering completeness.”

9-24  C h apte r 9  Risk Response: Performing Substantive Procedures

Example of Auditing Accounting Estimates Let’s walk through the risk assessment and risk response procedures for auditing accounting estimates by using an estimate you studied in a financial accounting course—recording inventory at lower-of-cost-or-net-realizable-value (LCNRV). Your client is Hi-Tech Manufacturing (Hi-Tech), a company that manufactures parts for personal computers and tablets. During risk assessment, you perform the following procedures regarding the estimate of LCNRV: 1. Gain an understanding about what is required by the client’s financial reporting framework. Your client is based in the United States and uses GAAP as the financial reporting framework. Normally, inventory is recorded at cost. However, if net realizable value (NRV) drops below cost, GAAP requires that inventory be written down to NRV. NRV is defined as the net amount a company expects to realize from the sale of inventory. NRV is calculated as estimated selling price less costs associated with making the sale, such as advertising, transportation costs, or further completion costs. The difference between cost and NRV is recorded as a loss. 2.  Inquire of management regarding the process for identifying the need for an accounting estimate. You have a meeting with the controller to discuss inventory valuation. Since the IT industry is very competitive and quick to change, inventory obsolescence is a major risk for Hi-Tech. New technologies are always being introduced to the market, which puts current technologies at risk of being outdated and no longer preferred by consumers. The controller is aware of the LCNRV rule and knows it must be considered in the preparation of the financial statements. 3. Inquire of management regarding how the accounting estimate is made. The controller goes on to tell you that every month he meets with the inventory manager, production man­ager, and sales manager to discuss inventory valuation. If necessary, they meet more often than once a month. The goal is to produce just enough inventory to meet sales orders. To accomplish this goal, the sales team communicates frequently with customers regarding how much inventory they need and any modifications Hi-Tech should make to existing inventory items to keep them relevant. The sales team then communicates with the production team to maintain tight control over production to minimize producing items that cannot be sold or are at risk of being sold below cost. Even with this process in place, Hi-Tech occasionally has inventory that becomes obsolete if it is not sold fast enough or if it is returned by a customer. Inventory warehouse personnel tag inventory that is slow-­moving or deemed obsolete, and move it to a designated area in the warehouse. Each month, the inventory manager sends an “obsolete report” to the controller with details about any inventory that is tagged as obsolete. At the monthly meeting with the inventory, sales, and production managers, the controller discusses the inventory on the obsolete report. As a team, they determine the estimated NRV of the inventory shown on the report. Based on customer demand for the product, the sales manager provides input on the estimated selling price. The production manager provides input on any further costs to complete the inventory item, and the inventory manager provides information on transportation costs. If the estimated NRV is less than inventory cost, the controller calculates the difference and proposes an adjusting entry to debit a loss and credit an inventory allowance account. The proposed adjusting entry is then sent to the CFO for approval. Minutes are kept at all of the monthly meetings to document the process of determining if inventory is obsolete and for estimating NRV. 4.  I nspect the outcome of prior period accounting estimates. In the prior-year audit of Hi-Tech, the financial statements included a write-down of some inventory to NRV. However, the amount of last year’s write-down was not material to the overall inventory account. The inventory that was written down in the prior year is no longer in the warehouse for the current year. It was either sold at a price below cost or disposed of as recycling. The client’s estimate of last year’s NRV was very close to the actual selling price or disposal costs, which is to be expected since estimating NRV for inventory is a fairly routine estimate that Hi-Tech makes in the ordinary course of business.

 Auditing Accounting Estimates  9-25

After performing these risk assessment procedures, you assess the risk of material misstatement related to Hi-Tech’s estimate of NRV for inventory items. Since the technology industry exhibits a fast rate of change and fierce competition, it may be challenging to estimate a reasonably accurate NRV for some inventory. On the other hand, inventory transactions are routine and each year there are usually some items that have to be written down to NRV. Therefore, you assess inherent risk for this estimate as medium. Hi-Tech appears to have strong controls in place for how the estimate is determined, so your preliminary assessment of control risk is low. These risks combined would equal a low to medium risk of material misstatement for the estimate of NRV. A couple of months later, your audit team is performing interim procedures at HiTech at the end of the third quarter. You are assigned to test controls over the estimate of NRV for inventory. You inspect the minutes from the monthly meetings of the controller, sales manager, inventory manager, and production manager. The minutes are very detailed and provide good explanations for how the team determined the estimate of NRV. You also inspect the monthly obsolete inventory reports from the beginning of the year through the third quarter. There has been some obsolete inventory each month, but it has been immaterial. You also inspect the controller’s proposed journal entries and see the CFO’s signed approval for each month’s entry. You document your findings on the controls testing and conclude that control risk is low for the process of estimating the NRV for inventory. Your team returns to conduct year-end fieldwork after Hi-Tech’s fiscal year is over. The time frame for completing year-end work is six weeks. One of your tasks is to perform substantive procedures on the estimate of NRV for inventory. During the last month of the year, Hi-Tech had identified more obsolete inventory than all previous months combined. The primary inventory item identified as obsolete in the last month was a lower-grade screen used in some tablets. The companies that buy this part from Hi-Tech are phasing out the lower-grade screens and using stronger screens that are more resistant to damage. Hi-Tech has halted production of the lower-grade screen but has a large number of them on hand. After year-end, the controller, sales manager, inventory manager, and production manager held the monthly meeting to discuss the situation and prepare the estimate of NRV. The controller prepared an adjusting entry, and the CFO approved it. You perform the following substantive procedures on the year-end estimate: 1.  I nquire about the assumptions used by management. You are already familiar with the process used by management to determine the estimate. Since this was a larger amount of obsolete inventory than any other month, you speak with the controller about the situation. He provides you with the minutes of the meeting in which his team determined the estimate. The sales manager had communicated with several customers to see if there was any interest in the lower-grade screens. Based on feedback from the customers and changing preferences for more durable screens, the sales manager recommended a NRV that is 25% of cost. There are no further costs for completion and a minimal packaging cost if they are sold. 2. Recalculate the estimate. You recalculate the estimate of NRV as 25% of cost and agree to the amount calculated by the controller. You trace the adjusting entry from the general ledger to inclusion in the financial statements. 3.  I nspect events occurring after year-end and up to the date of the auditor’s report. One week before the audit fieldwork is completed, the controller tells you the entire stock of lower-grade screen inventory was sold. A company that does tablet repairs and refurbishing bought all of the lower-grade screens. The final selling price was for 20% of cost. Since the obsolete inventory situation is resolved before the financial statements are issued, the controller can refine the estimate to 20% of cost for reporting in the year-end financial statements. The controller prepares the adjusting entry, it is approved by the CFO, and you verify the entry is made and the updated amounts appear in the financial statements. You thoroughly document all of your work in the working papers. You conclude that Hi-Tech’s estimate of LCNRV is fairly stated in all material respects.

9-26  C h apte r 9  Risk Response: Performing Substantive Procedures

Before You Go On 6.1 Describe the concept of estimation uncertainty. 6.2 What are some indicators of possible management bias in accounting estimates? 6.3 Briefly describe some audit procedures that can be used as substantive tests for accounting estimates.

Documenting Results of Substantive Procedures LEA RNING OBJECTI VE 7 Describe how auditors document the results of substantive procedures.

misstatement  a difference between the amount, classification, presentation, or disclosure of a reported financial statement item and the amount, classification, presentation, or disclosure that is required for the item to be in accordance with the applicable financial reporting framework; misstatements can arise from error or fraud

As auditors perform their substantive procedures, they may identify misstatements. A misstatement is a difference between what is reported in the client-prepared financial statements and what is required for the item to be presented fairly in accordance with the applicable financial reporting framework. The misstatement could occur with an account balance, transaction, classification, presentation, or disclosure and could be caused by error or fraud. Examples of causes of misstatements include the following: •  Intentional or unintentional omission of an amount or disclosure. •  Incorrect accounting estimate caused by a misinterpretation of facts or by management bias. •  Inappropriate selection of accounting policies. •  Inaccuracies in gathering or processing data. •  Disclosures not presented in accordance with the applicable financial reporting framework. AU-C 450 Evaluation of Misstatements Identified During the Audit and AS 2810 Evaluating Audit Results state the auditor’s objective is to evaluate the effect of identified misstatements on the audit and the effect of uncorrected misstatements, if any, on the financial statements. Auditors document and accumulate the misstatements identified during the audit. Material, and in some cases immaterial, misstatements are accumulated. A misstatement may be classified as material because of its quantity or because of a qualitative factor. Recall from Chapter 3 that an item may be material because of its nature, not its magnitude. For example, the discovery of fraud, no matter how small, is qualitatively material and would warrant further investigation by the auditors. Many misstatements discovered by auditors may be immaterial on their own, but when aggregated with other misstatements could have a material impact on the financial statements. AU-C 450.A3 provides guidance to auditors when evaluating the type of misstatements accumulated during the audit. The standard includes three categories of misstatements as follows: •  F  actual misstatements. There is no doubt it is a misstatement because there is no element of judgment involved. •  J udgmental misstatements. These differences are caused by management judgment regarding accounting estimates the auditors feel are unreasonable or the selection of accounting policies the auditors feel are inappropriate. •  P  rojected misstatements. These are the auditor’s best estimate of the misstatement in a population based on the misstatement found in a sample drawn from the population. (See Chapter 10 on audit sampling.) The identification and resolution of misstatements is one of the auditor’s most important responsibilities in an audit and is a critical step in the formulation of the audit opinion

  Learning Objectives Review  9-27

on the fairness of the client’s financial statements. This is discussed in greater detail in Chapter 14. When auditors perform substantive procedures and identify misstatements they did not expect, they reconsider their audit strategy and audit plan, and determine if the nature, timing, or extent of substantive procedures need to be modified. For example, suppose auditors tested a client’s controls over accounts receivable processing and collections and determined that controls were effective. If controls are effective, auditors would expect few misstatements in the accuracy of the customer account balances. As a substantive procedure, auditors select a small sample of customer accounts to confirm. On half of the returned confirmations, customers have notated that a difference exists in the balance as compared with their own records. If controls are effective, why are so many of the confirmations returned as being incorrect? Perhaps the controls are not effective as originally determined. Auditors would revisit their audit strategy by reviewing their controls testing to see if something was missed or not performed correctly. They would also consider increasing the sample size on the substantive procedure and send out more accounts receivable confirmations to determine if the first sample results were an anomaly or if the issue is widespread. All substantive audit procedures performed are documented in the working papers. Documentation should include the objective of the test, the substantive procedure performed, what items were selected for testing, and the results of the testing. How much detail to include is a matter of professional judgment, but there needs to be enough detail regarding the procedures performed to allow another auditor to review the working paper, re-perform the steps (if necessary), and reach the same conclusion as the auditor who prepared the working paper. Typically, the more judgment that is involved in conducting the substantive procedures and evaluating the results, such as with some accounting estimates, the more documentation is needed.

Cloud 9 - Continuing Case Suzie asks Ian to set up the working papers for the tests they will perform. W&S Partners uses electronic working papers and there are examples available for Ian to use as a base for the Cloud 9 working papers. The priorities for Ian are to ensure that each test is described in sufficient detail in the audit program so the audit

staff can perform the test correctly and identify any misstatements. The working papers also have to provide for comments to be included as the work is completed and reviewed by senior staff.

Before You Go On 7.1 What is a misstatement? 7.2 List some possible causes of misstatements. 7.3 What information about substantive procedures should be documented in the working papers?

Learning Objectives Review 1  Demonstrate how audit risk, management asser-

tions, and substantive procedures are linked. An inverse relationship exists between the auditor’s assessed risk of material misstatement (combined inherent and control risk) and detection risk. When the risk of material misstatement is high, auditors will perform more substantive testing to keep detection

risk low. When the risk of material misstatement is low, auditors may perform less substantive testing, which increases detection risk. It is possible that the auditor performed ADA as a risk assessment procedure, in which case, at the risk response phase the auditor is following up on notable items detected while performing ADA. The determination of the risk of material misstatement is made at the assertion level. The assertions are summarized in Illustration 9.2.

9-28  C h apte r 9  Risk Response: Performing Substantive Procedures

2  Describe methods of risk response at the financial

statement level. Some identified risks could have a pervasive effect on the financial statements as a whole, such as the risk of fraudulent financial reporting. Risk response at the financial statement level is affected by (1) the auditor’s understanding of the entity’s control environment and (2) the assessed risk of material misstatement due to fraud. Some methods of responding to risk at the financial statement level include emphasizing professional skepticism, having more supervision of the audit team, assigning more experienced audit staff, and including more elements of unpredictability in the selection and timing of audit procedures. 3  Explain and analyze factors that impact the nature of

substantive procedures at the assertion level, including the use of audit data analytics. The nature of an audit procedure refers to its purpose (test of controls or substantive procedure) and its type. Consideration of the nature of the audit procedure is the most important factor when responding to the assessed risks. Auditors are required to perform substantive procedures for all relevant assertions that have been identified during the risk assessment phase. When auditing an account balance, auditors perform initial procedures before applying other substantive procedures, such as substantive analytical procedures and tests of details. When conducting a substantive analytical procedure, auditors develop an expectation, or estimate, using data in the client’s records or data from reliable outside sources, and then compare the expectation with the client’s recorded amount. Analytical procedures may be the only substantive procedures used to test an assertion, or they may be used in conjunction with tests of details. It is possible that the auditor performed ADA as a risk assessment procedure. In this case, the auditor often uses traditional substantive tests to follow up on notable items. The nature of the substantive test will depend on the assertion being tested. The auditor might also use ADA to follow up on a specific fraud risk and ADA may be effective at identifying if it is likely that fraud has occurred. Finally, the auditor may use ADA as a substantive test. In this case, the auditor is using electronic information to identify transactions or balances that are misstated. 4  Explain and analyze factors that impact the timing of

substantive procedures at the assertion level. Some substantive procedures can be performed at interim. Illustration 9.5 lists factors that impact the decision to perform substantive procedures at an interim date. When substantive procedures are performed during an interim period, auditors perform roll-forward procedures to update their audit findings from the time of the interim procedures through to year-end. Some substantive procedures can only be performed at year-end due to the nature of the assertion or the

timing of the transactions. If auditors have identified risks of material misstatement due to fraud, they may consider changing the timing of audit procedures. 5  Explain and analyze factors that impact the extent of

substantive procedures at the assertion level. The extent of substantive procedures refers to how much testing will be performed, which essentially refers to sample size. A key question involves whether the auditor wants to use ADA and audit 100% of a large population to identify notable items, or whether the auditor wants to use audit sampling. This topic is discussed briefly in this section, and it is discussed in more depth at the beginning of Chapter 10. The assessed risk of material misstatement for the account balance or class of transactions will have the most influence on sample size. If the risk of material misstatement is high, then a larger sample size should be selected. If the risk of material misstatement is low, then a smaller sample size can be selected. When selecting a sample, auditors may decide to perform tests of details on all items (testing 100%), select specific items, or use audit sampling. 6  Explain and apply audit procedures used to audit

accounting estimates. An accounting estimate is an approximation of a monetary amount when a precise means of measurement is not available. Two types of accounting estimates are forecasting the outcome of a transaction or event and determining the fair value of an item or transaction that is required to be included in the financial statements. Accounting estimates are subject to management bias and estimation uncertainty. During risk assessment, auditors gain an understanding of what is required of the financial reporting framework, inquire of management regarding the process for identifying and determining the accounting estimates, and inspect the outcome of the prior year’s accounting estimates. During risk response, auditors inspect events occurring after year-end that may provide more information about accounting estimates made at year-end, recalculate estimates, and inquire about management’s methods and assumptions used to prepare the estimate. 7  Describe how auditors document the results of sub-

stantive procedures. All substantive audit procedures performed are documented in the working papers. The documentation should include the objective of the test, the substantive procedure performed, what items were selected for testing, and the results of the testing. Auditors document and accumulate the misstatements identified during the audit. When auditors identify misstatements they did not expect, they will reconsider their audit strategy and audit plan, and determine if the nature, timing, or extent of substantive procedures need to be modified.

Key Terms Review Accounting estimate Analytical procedures Confirmation bias Dual-purpose test

Estimation uncertainty Management bias Misstatement Relevant assertions

Roll-forward procedures Significant risk Substantive procedures

  Multiple-Choice Questions  9-29

Audit Decision-Making Example Background Information Your client, Iberville Corp, is a publicly traded company that has been operating for over 100 years. Iberville manufactures handheld tools such as hammers and screwdrivers. Iberville offers a defined benefit (pension) plan for its employees. Full vesting in the plan begins after 15 years of service. Iberville has an excellent reputation as a great place to work, so employee turnover is low. Many employees spend their entire career at Iberville and have over 30 years vested in the pension plan. For the last decade, Iberville’s board of directors has been concerned about the growing underfunded status of the pension plan. About one-quarter of Iberville’s employees are from the baby boom generation and will be retiring over the next two to seven years, so the board is concerned about the viability of the pension plan to keep up with retiree benefit payments. Iberville has always used one external actuary to assist with estimates related to the pension plan. For the current year under audit, the CFO hired three different actuaries and requested a report from each one regarding any necessary adjustments to the pension benefit obligation (PBO liability). Two of the actuaries recommended a material increase to the PBO liability primarily due to increased life spans of future retirees. One of the actuaries recommended a slight decrease to the PBO liability primarily due to the trend of younger workers switching jobs more frequently during their careers. Near the end of the year in early December, upper management held a meeting and reviewed the three actuary reports. Upper management decided to use the estimate that recommended a slight decrease to the PBO liability. Upper management has not yet reported this information to the board of directors, but plans to do so at the upcoming board meeting in January.

Identify the Audit Issue The issue is whether the PBO liability is complete and valued appropriately.

Gather Information and Evidence Important information includes: •  Management is under pressure regarding a growing underfunded pension liability.

•  I t is common practice for a company to use an outside actuary to assist with determining an appropriate value for the PBO liability. However, this is the first time that Iberville has sought input from three different actuaries in the same year. •  It is not unusual for different actuaries to report different estimates; however, the estimates should be fairly consistent. Your audit team should gather evidence about the objectivity and competence of the three actuaries and carefully review the reports provided by each one. •  Estimating future pension liabilities carries a higher level of estimation uncertainty than routine estimates such as estimating the allowance for doubtful accounts.

Analysis and Evaluation of Alternatives Analysis of risk and alternatives: •  Risk of material misstatement is high or maximum for the completeness and valuation and allocation assertions for the PBO liability. •  Management bias is most likely affecting management’s decision in the selection of the estimate that lowers the PBO liability rather than selecting an estimate that increases the PBO liability. Management is under pressure to keep the underfunded status of the pension plan from growing. •  Since two out of the three actuaries recommended an increase to the PBO liability, it seems that increasing the PBO is the more conservative approach.

Audit Conclusion Your team should inquire of management about the process it used for selecting the estimate and thoroughly document management’s response in the audit working papers. You recommend to management that using one of the estimates that increases the PBO liability is more in alignment with the principle of conservatism and with the applicable financial reporting framework. If management does not act upon your recommendation, your team should discuss the situation with the audit committee of the board of directors.

CPAexcel CPAexcel questions and other resources are available in WileyPLUS.

Multiple-Choice Questions 1.  (LO 1)  Designing substantive procedures responds to: a.  the risk of material misstatement at the entity level. b.  the risk of material misstatement at the assertion level. c.  the risk of all types of misstatements at the assertion level. d.  t he risk of all types of misstatements at the entity level.

2.  (LO 1)  Which assertion is typically related to income statement accounts rather than balance sheet accounts or presentation and disclosure? a.  Completeness.

c. Rights and obligations.

b.  Accuracy.

d. Cutoff.

9-30  C h apte r 9  Risk Response: Performing Substantive Procedures 3.  (LO 2)  Which of the following would be the most likely reason to include more unpredictability in the selection and performance of audit procedures? a.  Client has a strong internal control environment. b.  Client was not audited in the previous year. c.  There is heightened risk of fraud. d.  Unpredictability provides the audit team with more variety. 4.  (LO 3)  The nature of an audit procedure refers to: a.  when the procedure is performed. b.  the assessed level of detection risk. c.  the sample size required to perform the procedure. d.  its purpose and its type. 5.  (LO 3)  All of the following are initial procedures performed on an account balance except:

c.  c onfirmation bias. d.  weak internal controls. 9.  (LO 4)  Which of the following situations would most likely preclude an auditor from performing substantive procedures during an interim period? a.  Internal controls are weak and the risk of material misstatement is high. b.  Internal controls are weak and the risk of material misstatement is low. c.  Internal controls are strong and the risk of material misstatement is high. d.  Internal controls are strong and the risk of material misstatement is low. 10.  (LO 5)  Which of the following would not be a reason to increase the extent of a substantive test? a.  The risk of material misstatement is high.

a.  agreeing the opening balance to the audited ending balance from the prior year’s working papers.

b.  Qualitative factors suggest there may be errors in the account.

b.  footing a trial balance for mathematical accuracy.

d.  Auditors have time to test more items.

c.  vouching items from the trial balance to supporting documentation. d.  scanning account details for unusual items. 6.  (LO 3)  Analytical procedures: a.  are required during the planning and substantive testing phases of the audit. b.  are substantive procedures and cannot be used at any other stage of the audit. c.  are used to test controls and are not substantive procedures. d.  can be used as substantive tests but cannot be used as primary tests of a balance. 7.  (LO 3)  Which of the following situations increases the reliability of data being used for substantive analytical procedures? a.  The source of the data is the client’s internal budget reports. b.  During the prior-year audit, the data was subjected to audit testing. c.  Controls over the data have not been tested. d.  Broad industry averages will be used in comparison with the client’s data. 8.  (LO 3)  When analyzing the results of substantive procedures, auditors should beware of:

c.  Internal controls are weak. 11.  (LO 6)  Which of the following characteristics of an accounting estimate would lead to lower estimation uncertainty? a.  Estimate is related to routine transactions. b.  Estimate is derived from a model developed by the client. c.  Estimate is related to complex transactions. d.  Estimate involves assumptions that cannot be observed in a public market. 12.  (LO 6)  Which of the following can be used as both a risk assessment procedure and a substantive procedure for the audit of accounting estimates? a.  Gain an understanding of what is required by the applicable financial reporting framework. b.  Inquire of management about the methods and assumptions used in developing the estimate. c.  Inspect documentation for proper approval of the accounting estimate. d.  Inspect events happening after year-end and up to the date of the auditor’s report. 13.  (LO 7)  The auditor’s best estimate of the misstatement in a population based on the misstatement found in a sample drawn from the population is called a: a.  factual misstatement. b.  judgmental misstatement.

a.  professional skepticism.

c.  confirmation misstatement.

b.  audit engagement deadlines.

d.  projected misstatement.

Review Questions R9.1  (LO 1)  Explain how the nature of a substantive test could affect the decisions about when and how much substantive testing is performed. How do these decisions relate to the overall risk assessment for the item being tested?

R9.2  (LO 2)  Differentiate risk response at the financial statement level with risk response at the assertion level. R9.3  (LO 3)  What are substantive procedures designed to obtain evidence about? What are the main types of substantive procedures?

 Analysis Problems  9-31 R9.4  (LO 3)  Using the inventory trial balance as an example, explain the initial procedures that will be performed. R9.5  (LO 3)  What are analytical procedures? Describe how they can be used as substantive procedures in an audit. R9.6  (LO 3)  Why is it important to consider the quality of the data used in analytical procedures? How important to this question are client controls over financial data? R9.7  (LO 3)  Develop an example of the type of substantive test an auditor might use to investigate notable items when ADA is performed as a risk assessment procedure. R9.8  (LO 3)  Does using audit data analytics remove the need to test the client’s internal controls?

R9.9  (LO 3)  What is confirmation bias? How can auditors minimize it? R9.10  (LO 4)  When is it appropriate to use roll-forward procedures? R9.11  (LO 5)  Using the inventory trial balance as an example, explain different techniques for selecting a sample of items for testing. What are the advantages and disadvantages of each technique? R9.12  (LO 6)  Using the allowance for doubtful accounts as an example, briefly explain the risk assessment procedures that would be performed on the accounting estimate. R9.13  (LO 7)  Provide an example of (1) a factual misstatement and (2) a judgmental misstatement that could affect the balance of property, plant, and equipment.

Analysis Problems AP9.1  (LO 1)  Basic   Public Company   Designing substantive procedures  Carla has been asked to join the team responsible for designing the audit program for a new client, Gaskin Industries Inc. (Gaskin), a manufacturing and wholesaling firm. Gaskin recently went public and is now listed on the New York Stock Exchange. Carla has worked for the audit firm for a year and received a very high performance rating from her supervisors on last year’s audit of Bryson LLP (Bryson), a private firm that provides marketing and other consulting services. Gaskin and Bryson have total revenue of approximately the same amount, so Carla feels confident she can apply her knowledge to the new audit. She takes a copy of the audit program for Bryson along to the first meeting, intending to suggest they use it as the basis for the audit program for Gaskin. Carla thinks the Gaskin audit program could use the same substantive procedures that were used on the Bryson audit.

Required Discuss the problems with Carla’s idea of using Bryson’s audit program as a basis for designing substantive procedures for Gaskin. AP9.2  (LO 1)  Basic   Sales invoices and journal  James and Katie will be auditing the revenue account for their retail client, Go Big Tires. They disagree about how to test the occurrence assertion for the revenue account. James thinks they should use Procedure A, while Katie thinks Procedure B is appropriate. A. Select a sample of sales from the sales journal and agree the details in the journal to the invoices sent to customers, shipping documents, and customer orders. B. Select a sample of invoices sent to customers, shipping documents, and customer orders and agree to the details recorded in the sales journal.

Required Who do you agree with, James or Katie, and why? Which assertion does the other procedure provide evidence about? AP9.3  (LO 3)  Moderate   Payroll testing  Anna has the task of designing the audit program for the payroll area. There have been no recent changes to the payroll system or to its interface with the general ledger. Among other tests, Anna is considering using the following substantive analytical procedures to gather evidence:   1. Compare payroll tax expenses (such as state and federal unemployment taxes) to the annual payroll multiplied by the statutory tax rates.   2. Compare the relationship between direct labor costs and number of employees with prior periods.

Required Evaluate the persuasiveness of the evidence obtained from each substantive analytical procedure. AP9.4  (LO 1, 2, 3)  Moderate   Data for substantive analytical procedures  North West Paper Inc. (North West) provides cardboard, paper, and plastic packaging materials to a large number of manufacturers and distributors in all states. The cardboard and paper division is a well-established business, but

9-32  C h apte r 9  Risk Response: Performing Substantive Procedures North West has been providing plastic products only since its takeover of Plastic Products Inc. 18 months ago. The takeover doubled North West’s revenue and caused changes in its management structure, adding another two divisional managers. These new divisional managers are in charge of plastic product sales to different areas of the country, Plastic (Eastern) and Plastic (Western), and they join the Paper (Eastern) and Paper (Western) division managers in reporting directly to the CEO. All internal operating reports are now structured along the four divisional reporting lines, although external financial statements continue to be produced for the whole business. All purchasing and billing systems are fully integrated, although it is possible to extract data along divisional lines, and by state (as before). North West purchases bulk supplies of raw plastic and paper and makes boxes, rolls, and sheets of these materials to fill customer orders. Production processes in the paper divisions have not changed, and North West has made minimal changes to the production processes used by Plastic Products Inc.

Required a. Identify the inherent risks at the financial statement level caused by the takeover of Plastic Products Inc. What procedures could the auditors take to respond to risk at the financial statement level? b. Discuss the factors that would increase or decrease the reliability of data used in substantive analytical procedures at North West. AP9.5  (LO 3, 4)  Challenging   ADA   Persuasiveness of evidence from substantive analytical procedures  Iman has the task of reviewing the evidence from substantive analytical procedures conducted by the audit associates on the audit of Smalley Services Inc. The audit associates have reported the results of these substantive analytical procedures:   1. Comparison of depreciation expense with the closing balance of each depreciable asset class in property, plant, and equipment.   2. Recalculation of sales commission expenses using the standard sales commission rate and total sales.   3. Comparison of payroll expense with previous year payroll.

Required a. If you were Iman, what review comments/questions would you have for each procedure? Comment on the persuasiveness of evidence provided by each one. b. For each item, describe one test of details that would provide additional evidence. c. For each item, discuss how ADA could be used as a risk assessment procedure or as a substantive test. Explain the evidence used to support an audit conclusion. AP9.6  (LO 3, 5)  Moderate   ADA   Tests of details  Marty has to audit the sales transactions of Okawa Inc. Okawa supplies tools to the mining industry and carries a large number of different makes and models of standard mining tools. Okawa also designs and manufactures tools for special purposes and for miners operating in difficult conditions. The custom-designed tools are made only on the signing of a contract and receipt of a deposit, whereas standard tools are supplied to regular customers on receipt of a phone or email order. Okawa’s sales transactions vary from a few dollars to millions of dollars depending on the number of items sold, whether the individual items are large or small tools, and whether the tools are standard items or custom designed. Marty is instructed to gather evidence about the sales transactions using sampling and vouching. This is explained in detail in the audit program.

Required a. Explain how Marty would select a sample of sales transactions as well as vouch the sales transactions. What primary assertion is Marty testing with the vouching procedure? b. How could Marty use ADA as a substantive procedure? (You may want to refer to Illustration 7.8 to help formulate your response.) AP9.7  (LO 1, 3, 4, 5)  Challenging   Timing of substantive tests  Connie is the recently appointed engagement partner of the audit of Camel Inc. Connie has just taken over the audit from Mathew Pate, a partner who will be retiring soon. Mathew had a small portfolio of clients and completed most substantive testing for Camel at year-end. Connie is unable to do this because she is facing difficulties with two of her other large clients. These clients have just been advised that their financing arrangements with banks may not be renewed, raising doubts about their ability to continue as going concerns. The banks will make their financing decisions very close to the clients’ year-end, forcing Connie to spend considerable time in this period with these clients.

 Analysis Problems  9-33 The financing problems at Connie’s existing clients have created demands on Connie’s audit team that she must resolve. The accounting firm cannot provide her with the additional staff she has requested for the year-end period because several other partners’ clients are also facing financing difficulties. It is too late to find new partners for any of her other clients, so Connie must find a way to continue with the audit and still meet all professional standards. So far, the audit team has conducted the preliminary risk assessment for Camel and early control testing results confirm that Camel has excellent controls. Connie calls a meeting with her senior audit team members to discuss the issue.

Required Explain how Connie could vary the timing of the substantive testing at Camel to help her meet her audit obligations. Specifically: a.  Propose different substantive procedures that could be performed prior to year-end. b.  Discuss how Connie will use roll-forward procedures to complete the audit. c.  Explain any other considerations that would affect the timing of substantive procedures for Camel. AP9.8  (LO 4, 5)  Challenging   Selecting customers for substantive testing  Crescent City Fun Park (Crescent City), an amusement park with thrilling rides and a water park, sells tickets onsite and has a website that allows customers to purchase tickets in advance and bypass the long lines. Customers who use the website include the general public and travel agents. Both individuals and travel agents can purchase tickets online using a major credit card. Some travel agents prefer the option of using the website to purchase tickets, but rather than pay with a credit card, be billed at the end of each month. To use the billing option, a travel agent must contact a sales agent with Crescent City and complete a detailed application with at least two references. Once an application is complete, the sales manager verifies the information, contacts the references, and either approves or denies the application. If the application is approved, the sales manager decides on a credit limit for the travel agent. Terms of payment for all travel agent customers is 30 days from the invoice date. The auditor performs tests of controls on the credit-granting process and gathers sufficient appropriate audit evidence to conclude that the process is working effectively. Credit is only granted after a thorough credit check. However, Crescent City has continual problems collecting from the larger travel agents within the 30-day period. Some of the largest travel agents regularly take 90 or more days to pay an invoice. Crescent City allows this late payment habit to continue simply because of the volume of business generated by the large travel agents. Crescent City has 398 travel agents as customers, with 42 of them representing 81% of accounts receivable.

Required a.  Recommend which customers should be selected for further testing and why. b.  Explain when the testing of accounts receivable would take place and why. AP9.9  (LO 6)  Moderate   Auditing accounting estimates  Crescent City Fun Park (Crescent City), an amusement park with thrilling rides and a water park, sells tickets onsite and has a website that allows customers to purchase tickets in advance and bypass the long lines. Customers who use the website include the general public and travel agents. Both individuals and travel agents can purchase tickets online using a major credit card. Some travel agents prefer the option of using the website to purchase tickets, but rather than pay with a credit card, be billed at the end of each month. To use the billing option, a travel agent must contact a sales agent with Crescent City and complete a detailed application with at least two references. Once an application is complete, the sales manager verifies the information, contacts the references, and either approves or denies the application. If the application is approved, the sales manager decides on a credit limit for the travel agent. Terms of payment for all travel agent customers is 30 days from the invoice date. The auditor performs tests of controls on the credit-granting process and gathers sufficient appropriate audit evidence to conclude that the process is working effectively. Credit is only granted after a thorough credit check. However, Crescent City has continual problems collecting from the larger travel agents within the 30-day period. Some of the largest travel agents regularly take 90 or more days to pay an invoice. Crescent City allows this late payment habit to continue simply because of the volume of business generated by the large travel agents. Crescent City has 398 travel agents as customers, with 42 of them representing 81% of accounts receivable. Accounts receivable for the theme park consists of balances from travel agents only, not individual customers. The accounts receivable (A/R) manager estimates bad debt expense and the allowance for doubtful accounts each quarter, and then performs a final evaluation for the year-end financial statements. The A/R manager submits the estimates to the controller for approval.

9-34  C h apte r 9  Risk Response: Performing Substantive Procedures

Required a.  Compile a list of questions you would ask the A/R manager and controller during risk assessment to gain an understanding of the process for estimating bad debt expense and the allowance for doubtful accounts. b.  What specific substantive procedures would you perform at interim and/or year-end on the bad debt expense and allowance estimates? c.  Evaluate the level of estimation uncertainty that is associated with this estimate. What factors impact your assessment of estimation uncertainty? AP9.10  (LO 6, 7)  Moderate   Evaluating substantive testing results  The following items are documented in the working papers:   1. A sales transaction is included in the year ended December 2022, but evidence from the cutoff procedure suggests the sale should be dated January 1, 2023 ($1,250,000).   2. At December 31, 2021, the balance of the Liability for Warranty Claims account was $100,000 (credit balance). During 2022, $150,000 of warranty claims was processed. Inspection of correspondence suggests that an additional $200,000 in warranty claims could result from ongoing disputes with customers. No adjustment for these claims has been made. Management has booked a warranty liability accrual at the end of December 2022 of $120,000.   3. Restructuring expenses related to reorganization of head office administration were incorrectly charged to rental expenses ($578,920).   4. No expense for impairment of assets has been made by management. A drought-induced recession has adversely impacted property values in regional cities where seven branch offices are located (head office and two branch offices are located in the capital city). Total land and buildings in the trial balance is $5,500,000.

Required Evaluate each item and explain whether it is a factual misstatement or a judgmental misstatement. Which accounts would be affected, and how, if an adjustment is made for each item? AP9.11  (LO 1, 6, 7)  Moderate   Public Company   Research   PCAOB inspections  The PCAOB staff prepares documents called Staff Inspection Briefs. The purpose of the briefs is to help auditors, audit committees, investors, and preparers to understand the PCAOB inspection process and its results. Each year, one of the briefs provides information about that year’s inspections of registered audit firms and their audits of issuers. For example, for 2017, there is a brief entitled, “Staff Inspection Brief, Vol. 2017/3: Information about 2017 Inspections (August 2017).” Go to the PCAOB website (www.pcaobus.org). In the top menu, hover over Inspections and click on Staff Inspection Briefs to go to the Staff Inspection Briefs page. For the most current year presented, select the brief that provides information about that year’s inspections.

Required Read the brief and answer the following questions. a.  How many firms was the PCAOB planning to inspect during the year? Does the brief provide any descriptive characteristics of the firms being selected? b.  What were the key areas of inspection focus for the year? For those related to substantive procedures, documentation, or auditing accounting estimates, briefly summarize the PCAOB’s findings.

Audit Decision Cases Mobile Security Inc. Question C9.1 is based on the following case. Mobile Security, Inc. (MSI) has been an audit client of Leo & Lee, LLP for the past 12 years. MSI is a small, publicly traded aviation company based in Cleveland, Ohio, where it manufactures high-tech unmanned aerial vehicles (UAV), also known as drones, and other surveillance and security equipment. MSI’s products are primarily used by the military and scientific research institutions, but there is growing demand for UAVs for commercial and recreational use. MSI must go through an extensive bidding process for large government contracts. Because of the sensitive nature of government contracts and military product designs, both the facilities and records of MSI must be highly secured.

 Audit Decision Cases  9-35 MSI is known as being an innovator in the industry and holds 25 patents on its products. One of its older patents is for the Covert Recorder, a listening device for land-line phones. Sales of the Covert Recorder have slowly declined in the last decade, primarily due to increased use of smart phones and other advances in technology. For the last few years, management has debated whether the patent, which currently has a carrying value of $500,000, should be impaired. Management conducted an analysis by estimating the future cash flows that will be generated from sales of the Covert Recorder. Based on the analysis, management believes an impairment loss of $400,000 should be recorded and the patent balance written down for the current year. C9.1  (LO 6)  Challenging   Public Company   Auditing accounting estimates a.  Information gathering: Prepare a list of questions that the auditors would ask MSI managers regarding how the impairment loss was determined. b.  Analysis and evaluation: Comment on the level of estimation uncertainty that is involved with determining if the patent is impaired. What factors in this case affect estimation uncertainty? c.  Analysis and evaluation: Explain the role of management bias in situations such as the impairment issue with the patent. d.  Analysis and evaluation: What substantive audit procedures should be performed for the audit of the Covert Recorder patent balance?

Brookwood Pines Hospital Question C9.2 is based on the following case. Goodfellow & Perkins LLP is a successful mid-tier accounting firm with a large range of clients across Texas. During 2022, Goodfellow & Perkins gained a new client, Brookwood Pines Hospital, a private, notfor-profit hospital. The fiscal year-end for Brookwood Pines is June 30. You are performing the audit field work for the June 30, 2023, fiscal year-end. When doctors and other medical personnel provide services to patients, they record the procedures performed in the patient’s medical chart using a code. The codes are standardized across the healthcare industry and consist of three main code sets: ICD, CPT, and HCPCS. Using a coding system is more efficient and data friendly compared to writing a narrative about the procedures performed. The doctors and nurses that staff the emergency room department are all employees of BPH. They are not contracted to use hospital facilities like specialty doctors. In September 2022, a nurse from the emergency room unit reported to the accounting department that she suspected two doctors were “upcoding.” Upcoding is a fraud that occurs when medical providers use codes for more complex procedures than those that were actually performed. The result is the patient and/or patient’s insurance are charged for the more complex and more expensive procedures. The hospital performed an internal investigation and discovered that the doctors were upcoding. The two doctors were fired in early October 2022. C9.2  (LO 1, 3, 4, 5)  Challenging   ADA   Planning substantive tests a.  Information gathering: Describe how you would gather information about the incidence of upcoding that occurred at the hospital. b.  Analysis: Identify two key account balances likely to be affected by the upcoding fraud and identify the key assertions most at risk for those account balances. c.  Evaluation: Evaluate how the upcoding fraud impacts the nature, timing, and extent of substantive procedures for the key account balances impacted by the fraud. d.  Analysis: Formulate a plan for how ADA could be used as a substantive procedure for the key account balances impacted by the fraud.

9-36  C h apte r 9  Risk Response: Performing Substantive Procedures

Cloud 9 - Continuing Case Answer the following questions based on the information presented for Cloud 9 in the appendix to this text and the current and earlier chapters. You should also consider your answers to the case study questions in earlier chapters.

Account Assertion

Inherent Risk

Required a.  Based on your conclusions from the case study questions in previous chapters (particularly Chapters 3, 4, and 8), complete the following worksheet to determine the risk of material misstatement (RMM) and the acceptable detection risk (DR).

Control Risk

Risk of Material Misstatement

Detection Risk

Sales—occurrence Sales—completeness Trade receivables—existence Trade receivables—completeness Cash—existence Cash—completeness

b.  Scan the line items on the prior-year financial statements and the current-year trial balance for Cloud 9. Using your knowledge of financial accounting, identify line items that require

estimates or fair value measurements. For each item, state whether estimation uncertainty is low or high and briefly explain why.

Chapter 10 Risk Response Evaluating Audit Data Analytics and Audit Sampling for Substantive Tests

The Audit Process Overview of Audit and Assurance (Chapter 1) Professionalism and Professional Responsibilities (Chapter 2) Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4) Identify Significant Accounts and Transactions Make Preliminary Risk Assessments

Set Planning Materiality

Gaining an Understanding of the System of Internal Control (Chapter 6)

Audit Evidence (Chapter 5)

Develop Responses to Risk and an Audit Strategy

Performing Tests of Controls (Chapter 8)

Performing Substantive Procedures (Chapter 9) Audit Sampling for Substantive Tests (Chapter 10)

Auditing the Revenue Process (Chapter 11)

Auditing the Purchasing and Payroll Processes (Chapter 12)

Audit Data Analytics (Chapter 7)

Gaining an Understanding of the Client

Auditing the Balance Sheet and Related Income Accounts (Chapter 13)

Completing and Reporting on the Audit (Chapters 14 and 15) Procedures Performed Near the End of the Audit

Drawing Audit Conclusions

Reporting

10-1

10-2  C ha pte r 10 Risk Response: Evaluating ADA and Audit Sampling for Substantive Tests

Learning Objectives LO 1  Evaluate when to use audit data analytics versus audit sampling.

LO 6  Determine how sample size for substantive testing is influenced by various factors.

LO 2  Define audit sampling and explain how audit sampling is applied for substantive tests.

LO 7  Explain a basic framework for selecting and evaluating an audit sample for substantive testing.

LO 3  Differentiate between sampling and nonsampling risk.

LO 8  Apply probability-proportionate-to-size sampling for a substantive test to draw an audit conclusion.

LO 4  Differentiate between statistical and nonstatistical sampling.

LO 9  Apply nonstatistical sampling for a substantive test to draw an audit conclusion.

LO 5  Explain various sampling methods available to auditors.

LO 10*  Apply classical variables sampling for a substantive test to draw an audit conclusion.

Auditing and Assurance Standards PCAOB

Auditing Standards Board

AS 2315  Audit Sampling

AU-C 530  Audit Sampling

Cloud 9 - Continuing Case Ian Harper (first-year audit staff) asks Suzie Pickering (experienced audit staff) to coffee. He wants her to explain how to plan audit tests and write a detailed audit program, including instructions on when to use audit data analytics versus audit sampling, how to select a sample for a substantive test, and when the results of one audit test will influence the work on other audit tests. It all seems a bit circular to him and he is finding it difficult to grasp.

Suzie meets Ian that afternoon in the staff room. “The types of tests we do, tests of controls and substantive tests, and when and how we do them, depends on the quality of the client’s system of internal control and accounting records. However, before we talk about that, we probably should talk about when we use audit data analytics versus audit sampling, and how we take samples. Do you have a feel for when we use audit data analytics versus audit sampling?” Ian is not sure.

Chapter Preview: Audit Process in Focus The purpose of this chapter is twofold. First, the chapter reviews the discussion in Chapter 7 regarding audit data analytics (ADA) and then explores the question of when to use ADA versus audit sampling. Second, the chapter explains how to apply audit sampling for substantive testing. Recall that audit sampling for tests of controls was covered in Chapter 8. In this chapter, we begin with a discussion of choosing between ADA and audit sampling. We then explore the issues associated with the uncertainty that occurs any time the auditor audits less than 100% of the population. This discussion also explains the concepts of sampling risk and nonsampling risk, and provides a framework for applying a sampling plan for a substantive test. We then review the factors and professional judgments that the auditor should consider when making decisions about sample size when performing a substantive test.

  Using Audit Data Analytics versus Audit Sampling   10-3

The remainder of the chapter focuses on two types of audit sampling for substantive tests: statistical probability-proportionate-to-size sampling and nonstatistical sampling. The appendix to this chapter discusses a third type, applying classical variables sampling for substantive tests.

Using Audit Data Analytics versus Audit Sampling LEA RNING OBJECT iVE 1 Evaluate when to use audit data analytics versus audit sampling.

When to Use Audit Data Analytics An important audit planning question involves determining whether the auditor plans to use ADA or audit sampling to evaluate an audit population. As discussed in Chapter 7, the auditor is most likely to use ADA when: •  Data is available that is relevant to an audit assertion of interest, whether as a risk assessment procedure or a substantive test. •  The available data is reliable and comes from a strong system of internal controls. •  The available data is relatively clean and does not require significant work to make it usable. •  ADA appears to be more effective or more efficient than using traditional audit tests. Recall from Chapter 7 that when the auditor uses ADA as a risk assessment procedure and the auditor identifies high-risk items, the auditor’s response may include applying a different ADA or another procedure that might more clearly identify those items that represent a misstatement. The auditor often is sorting, screening, and analyzing the entire population rather than performing traditional auditing procedures such as vouching, tracing, or confirming each item in the entire population. For example, when auditing a construction company, the auditor might use ADA to determine the gross margin on each construction contract, including work in progress, and identify contracts with unusually large or small gross margins for further investigation. Traditional vouching or tracing might be used to further investigate construction contracts that are at a high risk of material misstatement. Alternatively, the auditor might use ADA to identify customers with a weak payment history when evaluating the allowance for doubtful accounts. For example, an auditor might use ADA to screen every customer, looking for customers with both past-due accounts and a deteriorating payment history. The auditor will audit these specific customers in more detail to determine if the allowance for doubtful accounts is adequate. A common characteristic of each of these applications is that the auditor has reliable client data and the audit population is large. In addition, the auditor has a good understanding of the underlying business processes, and the auditor uses that business knowledge to evaluate an expected relationship or to look for a specific attribute within the population that represents something that is unusual and of audit interest. ADA that might be used for one client may not necessarily apply to another client because of the differences in business models and processes. As a result, ADA is often customized to an audit situation. However, given that auditors often develop specializations in certain industries, an audit firm may develop certain ADA that might be used with many audit clients within a given industry.

When to Use Audit Sampling The choice of using audit sampling or ADA is often a matter of what is most effective and efficient in determining whether an assertion is presented fairly, in all material respects. There are several situations where using audit sampling is the clear choice. First, the auditor will

10-4  C ha pte r 10 Risk Response: Evaluating ADA and Audit Sampling for Substantive Tests

usually use audit sampling when certain audit procedures are required by professional standards. Current professional standards normally require that the auditor physically inspect inventory to determine that inventory recorded in the accounting records actually exists. Current professional standards also recommend that the auditor confirms receivables. In these cases, the auditor will select a sample of inventory to observe, or a sample of customers to send confirmations to. Second, the auditor is more likely to use audit sampling when internal controls are weak (as discussed in Chapters 6, 7, and 8) and reliable data does not exist to support ADA. An underlying requirement of ADA is that the client’s data is reliable. Client data is most reliable when internal controls are strong. However, when internal controls are weak, the auditor will often validate the client’s records by reference to reliable information, such as vouching a transaction to a vendor’s invoice, or vouching a sale to underlying shipping documents. Third, the auditor will need to have data that is relevant to the audit test. For example, when auditing cost of goods sold, an audit client may have perpetual inventory information for quantities of inventory, but not for the value of each item sold because the client calculates cost of goods sold using a periodic inventory method. This will limit the audit questions that might be answered using ADA. Finally, the use of audit sampling may be a function of the efficiency and effectiveness of the audit procedure. For example, when testing internal controls related to bank reconciliations, it might be most effective to reperform the control on a sample basis. Further, some audit populations are also relatively small and easy to audit. For example, an audit client may have relatively few notes payable, and confirming notes payable is an effective and efficient way to determine the amount of notes payable that should be reported on the balance sheet. In contrast, a public utility may have a very large population of small accounts receivable from consumers who are unlikely to respond to a confirmation. These customers often pay their bills in full on a monthly basis. Therefore, rather than sending a confirmation to a consumer, ADA might be a more effective procedure to evaluate the appropriateness of revenue recognized by correlating billings with subsequent cash receipts. In many cases, the choice of using audit sampling is a matter of determining which audit procedure will be most effective and efficient in the circumstances. Illustration 10.1 summarizes the settings in which the auditor might choose to use ADA or to use audit sampling. ILLUSTRATION 10.1  

Factors that influence the choice of ADA versus audit   sampling

Situations When the Auditor   Is Likely to Use ADA

Situations When the Auditor   Is Likely to Use Audit Sampling

• Evidence to support the audit test is available in electronic form.

• Evidence to support the audit test is not available in electronic form (e.g., observing the existence of inventory).

• The audit population is large, and the auditor’s tests are supported by reliable and relevant data in electronic form, making ADA efficient.

• The audit population is small and can efficiently be tested using traditional audit procedures.

• Relevant data is reliable and internal controls over the reliability of data are strong.

• Relevant data is not reliable and internal controls over the reliability of data are weak.

• Relevant data is clean or can be cleaned up easily.

• Relevant data may be in different formats and is not easy to use.

However, it is not always a choice of using ADA or audit sampling. In some cases, the auditor may use both audit techniques. For example, the auditor may use ADA to identify abnormal transactions or balances in a particular data set and then perform audit procedures on 100% of the abnormal transactions or balances. In addition, the auditor may draw a sample from the transactions or balances that fill in the normal range and perform audit procedures on the sample.

Cloud 9 - Continuing Case Suzie and Ian are discussing the use of ADA versus audit sampling. ­Suzie illustrates with a discussion of their audit of inventory. “Let me illustrate with a discussion of how we might audit two different assertions for inventory. When testing the existence assertion,

professional standards require that we physically inspect inventory. We will focus on Cloud 9’s distribution centers, and we will select a sample of inventory at each distribution center. Electronic data is not available that proves the existence of inventory. In this

  Audit Sampling Defined  10-5

case sampling is both appropriate and an effective audit technique to draw a conclusion about the existence of inventory. On the other hand, we are thinking about using ADA to audit inventory obsolescence. Cloud 9 has a large amount of inventory. Most of it turns over pretty fast, but we need to be alert to slow-moving inventory. Cloud 9 has good data on inventory

quantities sold and on hand for each location. ADA may be a way to investigate a large amount of inventory, to look at how much inventory is on hand for each item in inventory, and to see how fast each inventory item is being sold. This can be an effective way to identify slow-moving inventory or inventory with lower-of-costor-net-realizable-value problems.”

Before You Go On 1.1 Explain when ADA might be most efficient and effective, and illustrate with an example. 1.2 Explain when audit sampling might be most efficient and effective, and illustrate with an example.

Audit Sampling Defined LEA RNING OBJECTI VE 2 Define audit sampling and explain how audit sampling is applied for substantive tests.

AS 2315 Audit Sampling and AU-C 530 Audit Sampling provide guidance on audit sampling. When creating an audit program and designing audit procedures, an auditor also decides how to select appropriate items for testing. When an audit procedure is tested on an entire group of transactions (for example, all borrowing activities) or 100% of items within an account balance (for example, all loan balances), sampling is not required. However, when there are numerous transactions or items within an account balance, an auditor must decide how best to select a sample that is representative of the entire population of items. Audit sampling occurs when an auditor selects less than 100% of a population (on a basis where the sample is representative of the population) that the auditor expects is likely to provide a reasonable basis for drawing a conclusion about an entire population. For example, an auditor might take a sample of inventory for the purpose of drawing a conclusion about the existence of all of the inventory recorded in the client’s accounting records. In some cases, it is feasible to audit the entire population. This decision depends on the assertion and the evidence available to support the assertion. Sometimes, an audit population may be sufficiently small that the auditor can audit every item in the population. For example, a client may have a large balance of notes payable but with only a few banks. The auditor might audit the outstanding balance on each note payable as there are just a small number of banks, and it is easy to send confirmations to each bank holding a note payable. As a result, the auditor is able draw a conclusion about the notes payable balance with certainty. Alternatively, it may be more efficient to select a sample of receivables to confirm the existence of receivables. Similarly, it may be more efficient to select a sample of inventory for validating the existence of inventory. Whenever the auditor draws a conclusion about the entire population (total accounts receivable) based on a sample (a selection of receivables from a limited number of customers), there is some level of uncertainty about the auditor’s conclusion. The auditor’s conclusion based on the sample may be different than the conclusion drawn if the auditor had audited the entire population. This uncertainty is referred to as sampling risk and is discussed in the following section.

audit sampling  the selection and evaluation of less than 100% of the population of audit ­relevance such that the auditor expects the items selected (the sample) to be representative of the population and, thus, likely to provide a reasonable basis for conclusions about the population

10-6  C ha pte r 10 Risk Response: Evaluating ADA and Audit Sampling for Substantive Tests

Before You Go On 2.1 What is audit sampling? 2.2 When is it appropriate to use audit sampling? 2.3 How does audit sampling relate to audit risk?

Sampling Risk and Nonsampling Risk LEA RNING OBJECTI VE 3 Differentiate between sampling and nonsampling risk.

sampling risk  the risk that the auditor’s conclusion based on a sample may be different from the conclusion if the entire population were subjected to the same audit procedure

ILLUSTRATION 10.2  

Sampling risk when   conducting substantive tests

risk of incorrect acceptance  the risk that the auditor concludes that a material misstatement does not exist when it does

risk of incorrect rejection  the risk that the auditor concludes that a material misstatement exists when it does not

Sampling risk is the risk that the sample chosen by the auditor is not representative of the population of transactions or items within an account balance and, as a consequence, the auditor arrives at an inappropriate conclusion (AU-C 530, AS 2315). There are two consequences of sampling risk: (1) the risk that the audit will be ineffective (fail to find material misstatements) and (2) the risk that the audit will be inefficient (the auditor will do more audit work than is necessary). When conducting substantive tests, sampling risk is the risk that an auditor concludes that a material misstatement does not exist when it actually does, or an auditor concludes that a material misstatement exists when it actually does not. Illustration 10.2 provides details of sampling risk when conducting substantive tests and the implications of that risk for the audit. Sampling Risk

Implications for the Audit

Risk of incorrect acceptance. This is the risk that the auditor concludes, based on sample results, that a material misstatement does not exist when it does exist.

An increased audit risk (i.e., there is a risk that the audit will be ineffective).

Risk of incorrect rejection. This is the risk that the auditor concludes, based on sample results, that a material misstatement exists when it does not exist.

An increase in audit effort when not required (i.e., there is a risk that the audit will be inefficient).

The risk of incorrect acceptance represents a situation where the auditor has conducted substantive procedures on a sample and concluded that there is no material misstatement, when in fact there is a material misstatement. As a consequence, the auditor will conclude that an assertion is presented fairly in all material respects, when the assertion is actually materially misstated (i.e., the audit is ineffective). For example, a client has warehouses in four major cities. The auditor chose to select a sample of inventory items for testing from two warehouses near the client’s corporate office and concluded that the client’s inventory balance is materially correct based on that sample. The auditor did not test material inventory items held at the other two warehouses. As a consequence, the auditor did not detect a significant error in valuing inventory at one of the warehouses. If the auditor had selected a sample for testing from each warehouse, the risk of arriving at an incorrect conclusion would have been reduced, though not eliminated. The auditor uses the audit risk model and decisions about detection risk to determine the appropriate risk of incorrect acceptance when using audit sampling for substantive tests. The risk of incorrect rejection represents a situation where the auditor has conducted substantive procedures on a sample and concluded that there is a material misstatement in an assertion, when in fact there is no material misstatement. This usually happens when the known misstatements in the sample are immaterial, but they project to a material amount of misstatements in the population. Often, the client will ask the auditor to conduct more

  Sampling Risk and Nonsampling Risk  10-7

extensive testing as the client believes that material misstatements do not exist, and only immaterial misstatements have been found in the sample. If the auditor expands audit testing only to find that there is not a material misstatement, the audit is inefficient. For example, an auditor may find a few misstatements when confirming receivables that project to a material misstatement in receivables. As a consequence, the auditor increases the testing of receivables to determine if additional misstatements exist. If the known misstatements are unique and not repeated throughout the population, the audit will be inefficient due to the increased audit work, but the auditor will eventually reach the correct conclusion about the audit population. Once again, the more significant risk for the auditor is the risk of incorrect acceptance, as this risk results in an ineffective audit. This important audit judgment is directly related to decisions about detection risk in the audit risk model. The risk of incorrect acceptance is not related to audit risk. Rather, the risk of incorrect acceptance should consider the auditor’s assessment of inherent risk, control risk, and the assurance obtained from other substantive tests. Therefore, the risk of incorrect acceptance for a substantive test is related to the auditor’s determination of detection risk in the audit risk model. Nonsampling risk is the risk that an auditor arrives at an inappropriate conclusion for a reason unrelated to sampling issues. One nonsampling risk is the risk that an auditor relies too heavily on less persuasive or unreliable evidence. For example, an auditor may rely too heavily on management representations through inquiry without gathering independent corroborating evidence. Another nonsampling risk is when an auditor spends most of his or her time testing assertions where the risk of material misstatement is modest, and ignores or spends insufficient time testing assertions most at risk of material misstatement. For example, a client sells diamonds. There is a significant risk that recorded inventory does not exist, yet the auditor spends more time testing the completeness assertion. A third nonsampling risk occurs when the auditor uses an inappropriate audit procedure or performs the procedure incorrectly. For example, an auditor sends accounts receivable confirmations to 30 customers of the client. When three immaterial customers fail to reply, the auditor concludes that the customers are immaterial and no further work is required in relation to the accounts receivable confirmations. When a customer fails to reply and the auditor is unable to obtain other evidence about the existence of the receivable, the auditor must conclude that those customer balances are 100% misstatements and project the misstatements on the remaining portion of the population. The fact that three customers did not respond means that further testing for the existence of customer receivables may be warranted. Nonsampling risk is typically controlled by a firm’s quality control procedures and the review of audit work performed by a manager or partner on the audit team or an engagement quality control reviewer.

Audit Reasoning Example  Nonsampling Risk Carrie Paulson, an audit manager, works in a one-office CPA firm that has about 30 professional staff. Carrie has been given the task of preparing a staff training session on audit sampling. Carrie is talking with Patrick O’Hara (a partner and the office’s engagement quality control reviewer) about common quality control issues. Carrie asks, “What are the most common problems you see in our audit sampling applications?” Patrick responds, “To be frank, I see more problems with nonsampling risk than anything else. Our staff members are pretty good about using audit software to select and evaluate samples. The bigger problem involves staff who try to rationalize internal control breakdowns or who do not recognize a misstatement. For example, staff might take a sample of 45 and find one instance of a breakdown of internal control. They want to conclude that it is an isolated instance. This does not work. Staff need to assume the results of the sample will happen proportionately in the unsampled portion of the population, as in their audit sample. Also, sometimes staff don’t recognize a misstatement when it is actually part of the evidence. For example, a staff member evaluated confirmation results and found a cutoff error. The client found the error after the fact and corrected it, so the staff member assumed that it was not a problem. However, as of the confirmation date the account balance was misstated, even though it was subsequently corrected, and that misstatement needed to be projected on the unsampled portion of the population. I would recommend that you spend significant time on the potential for nonsampling risk with our staff and illustrate with examples like the ones I have just explained. It would make my job as a quality reviewer a lot easier.”

nonsampling risk  the risk that the auditor reaches an ­erroneous conclusion for any reason not related to sampling risk

10-8  C ha pte r 10 Risk Response: Evaluating ADA and Audit Sampling for Substantive Tests

Cloud 9 - Continuing Case Ian and Suzie are talking about sampling risk. Ian is a bit disappointed. “I thought that if you took a random sample and did not find any misstatements, you could conclude that there was definitely no misstatement in the overall population. But you are saying that there is still a risk that the population is misstated.” “That’s right,” says Suzie. “Unless you test every item in the population, you will still have a statistical chance of making the wrong conclusion simply because you took a sample. Also, if you take a sample in a way that is biased, it is difficult to conclude that the sample results say anything at all about the population.

That’s why it is so important junior staff don’t just take the nearest, or most convenient, sample of items in inventory to test. Another big trap is that conditions may change during the accounting period when transactions are being tested. Perhaps a key member of the client’s staff is on leave. The auditor should select a sample from both times when that key member is present and when that key member is on leave. We know that Cloud 9 opened a new San Francisco store on the first of June. Obviously, inventory levels will be different around this time, so we have to plan to handle these different conditions with our sampling.”

Before You Go On 3.1 What is sampling risk? 3.2 How does sampling risk relate to substantive testing? Illustrate with an example related to sales and accounts receivable. 3.3 What is nonsampling risk? Illustrate with an example related to sales and accounts receivable.

Statistical and Nonstatistical Sampling LEA RNING OBJECTIVE 4 Differentiate between statistical and nonstatistical sampling.

statistical sampling  an approach to sampling that involves a random selection of sample items and the use of an appropriate statistical technique to determine sample size and evaluate the sample results, including a measurement of sampling risk

nonstatistical sampling    involves any sample selection method and evaluation method that does not have the characteristics of statistical sampling

According to AU-C 530, “statistical sampling is an approach to sampling that involves a random selection of sample items and the use of an appropriate statistical technique to determine sample size and evaluate sample results, including measurement of sampling risk.” As a result, sample size is determined objectively, or quantitatively, using appropriate statistics. The sample should be selected randomly, which is the auditor’s best estimate of a representative sample. Finally, the sample results should be evaluated mathematically, using the appropriate statistical technique (examples are provided later in the chapter). This evaluation includes both an estimate of the audited value of the population (or the amount of misstatements in the population) and an estimate of a statistical confidence interval associated with the estimate. Any sample selection method that does not have these characteristics is not statistical sampling, for example, an auditor using judgment alone to select a sample for testing. An advantage of statistical sampling is that it allows an auditor to measure sampling risk. Using statistical sampling also involves some modest cost and time to set up, select, and evaluate the sample. However, this is often relatively easy to do with generalized audit software if the client’s data is in electronic form. Using statistical sampling also requires learning the statistical technique and professional judgments involved in planning and setting up the sample, as well as in evaluating sample results. Nonstatistical sampling involves any sample selection and evaluation method for which the auditor does not use a formal statistical technique to select the sample or to evaluate the sample results. In nonstatistical sampling, the auditor determines sample size and selection methods and evaluates the sample results entirely on the basis of professional judgment and the auditor’s own experience. The auditor cannot quantify sampling risk when using a nonstatistical sampling technique. Nonstatistical sampling is considered easier to

  Sampling Methods  10-9

use than statistical sampling, requires less staff training, and allows an auditor to select a sample he or she believes is appropriate. Most audit firms use a combination of statistical and nonstatistical sampling (discussed in the next section). In any case, the auditor should attempt to choose a random sample, as that is the auditor’s best estimate of a sample that is representative of the population. It is also important that the auditor understand how to use professional judgment to estimate a confidence interval when evaluating sample results. This is discussed further in the section “Applying Probability-Proportionate-to-Size Sampling for Substantive Testing.”

Before You Go On 4.1 What is statistical sampling? What are the specific characteristics of a statistical sample? 4.2 What is nonstatistical sampling? How does a nonstatistical sample differ from a statistical sample?

Sampling Methods LEA RNING OBJECTI VE 5 Explain various sampling methods available to auditors.

An important aspect of selecting a sample involves determining the population and sampling unit. When performing a substantive test, the population consists of the class of transactions or the account balance to be tested. For each population, the auditor should decide whether all the items should be included. For example, when auditing accounts receivable balances, accounts receivable could be divided into four possible groups based on account balances in the accounts receivable ledger: (1) all balances, (2) only debit balances, (3) only credit balances, and (4) zero balances. Alternatively, the auditor could break down an accounts receivable population into sampling units. A sampling unit is a subset of a population that is the basis for sampling. Accounts receivable could be broken down in two different ways. First, the auditor could define the population as each customer account balance and the account balance would be the sampling unit. Second, the auditor could define the population as each outstanding invoice and the unpaid invoice from a customer would be the sampling unit. In some cases, it is easier for customers to confirm individual invoices than the entire account balance outstanding. Ultimately, auditors start with defining the population that they want to draw a conclusion about, and then they can determine the appropriate sampling unit. Then auditors can move on to determine the method of selecting the sampling units from the entire population. Different sampling techniques available to the auditors include random selection, systematic selection, haphazard selection, and block selection.

population  the class of transactions or the account balance to be tested

sampling unit  a subset of the population that is the basis for sampling

Random Selection As explained earlier, statistical sampling requires a sample be selected randomly and the results of the test be evaluated using probability theory. Random selection requires that the person selecting the sample does not influence the choice of items. For example, when inspecting the contents of inventory in stacks of boxes, the auditor does not want to just select the top item in each stack of boxes. This may be easy, but it is systematically biased, and it may not be representative of the population. A random sample is free from bias and each item within the population has an equal chance of being selected for testing. Random number generators can be used to select a sample.

random selection  involves selecting a sample that is free from bias and for which each item in a population has an equal chance of selection

10-10  C ha pte r 10  Risk Response: Evaluating ADA and Audit Sampling for Substantive Tests stratification  a process of dividing a population into groups of sampling units with similar characteristics that are more homogeneous

Stratification can be used prior to random selection to improve audit efficiency. This means that an auditor subdivides a population before sampling. Consider the example in Illustration 10.3. In this case, the auditor partitions the population of accounts receivable into three groups: (1) all receivables with balances over $50,000, (2) receivables with balances between $15,000 and $50,000, and (3) all receivables with balances less than $15,000. The auditor tests all of the receivables over $50,000, selects a random sample of 15 items out of 110 in the second stratum, and selects a random sample of 25 items out of 500 items in the third stratum. Notice that no sampling is being used in stratum 1 because all items are being tested. The auditor is only sampling out of strata 2 and 3 and can draw a conclusion about stratum 1 with certainty. Also, stratum 2 and stratum 3 are more homogeneous than if the two strata were combined. Finally, the auditor has audited 38% ($2,850,000 ÷ $7,500,000) of the dollars by auditing 9.5% (60 ÷ 630) of the items in the population. This strategy might be particularly effective if the auditor is concerned about the population being overstated.

ILLUSTRATION 10.3   Example stratified sample

Dollar Value of Stratum Receivables

Book Value (BV) % of Items in of Stratum Popn $ Popn (N) % of N

BV of Sample

% of $ % of Sample Stratum Items Items (n) Audited Audited

1

Greater than $50,000

$2,000,000

26.7%

20

3.2%

$2,000,000

20

100%

100.0%

2

$15,000 to $50,000

3,000,000

40.0%

110

17.5%

600,000

15

20%

13.6%

3

Less than $15,000

2,500,000

33.3%

500

79.4%

250,000

25

10%

5.0%

$7,500,000

100.0%

630

100.0%

$2,850,000

60

38%

9.5%

Stratification can be used to ensure the sample includes items that have the characteristics required by the auditor, such as the inclusion of material or risky items in the ­sample (e.g., large dollar-value items). Stratification can be used with both statistical and nonstatistical techniques.

Systematic Selection systematic selection  involves the selection of a sample for testing by dividing the number of items in a population by the sample size, determining a sampling interval (n), and then selecting every nth item in the population

Systematic selection involves the selection of a sample for testing by dividing the number of items in a population by the sample size, resulting in the sampling interval (n). Once the sampling interval has been determined, a starting point is selected, which is an item in the population below the sampling interval. Then, the sample is selected by selecting the first item and then every nth item after that. For example, a client has 600 customers. The auditor has decided that the sample size when testing customer receivables is 20. To determine the sampling interval, the following formula is used. Sampling interval =

Population size Sample size 600 = 20 = 30

This means that every 30th item will be selected for testing. An item within the first 30 in the list of customers is selected as the starting point. From then, every 30th item is selected for testing. The first item is usually randomly selected. If the randomly selected first item is customer number 15, then the following items will be tested: 15, 45, 75, 105, 135, 165, 195, 225, 255, 285, 315, 345, 375, 405, 435, 465, 495, 525, 555, and 585. If the starting item is selected randomly and the population is not arranged in any particular order, systematic selection can be considered a statistical sampling technique. The risk in using systematic selection is that items will be listed in such a way that by selecting every nth item, the auditor is selecting items that are somehow related. For example, assume a company pays 100 employees each week, and you select payroll for testing from the entire year with a sampling interval of 50. If employees are ordered by employee number, it is possible that

  Factors That Influence the Sample Size—Substantive Testing  10-11

the auditor will select the same two employees every time. This risk can be reduced by reviewing the items in a population for any systematic bias before selecting a sample. If the auditor identifies systematic bias, the audit might use haphazard (see below) or random sampling instead.

Haphazard Selection Haphazard selection involves the selection of a sample by an auditor without using a methodical technique. While this technique appears to have much in common with random selection, there is a risk that an auditor will avoid selecting some items or ensure other items are included in the sample. For example, an item that is going to be difficult to test because the documentation is held in another location may be purposefully omitted by the auditor, while an item that looks unusual and catches the auditor’s eye may be purposefully included. This is both a nonstatistical and a non-random technique because human bias impacts the sample selected.

haphazard selection  the selection of a sample without use of a methodical technique

Professional Judgment in Selecting and Evaluating Sample Items Auditors should understand that professional judgment is needed in applying both statistical and nonstatistical sampling. The next section discusses the factors that influence sample size. Making appropriate decisions about these factors involves significant professional judgment. Professional judgment is also needed in evaluating the evidence obtained by sampling and in drawing an appropriate conclusion about the population based on sample evidence. Whether using a statistical or nonstatistical selection method, auditors need to consider the traits of the population. When conducting substantive testing, judgment may be used to evaluate stratification of a sample to include large or unusual items. All sampling methods require the use of professional judgment.

Cloud 9 - Continuing Case “We are going to use random selection for sales invoices and cash receipts at Cloud 9,” Suzie tells Ian. “We will select our sample from the entire year because we do not expect different conditions

in sales made to department stores during different times of the year. Obviously, part of the sampling process includes processes to protect against any potential bias in the sample selection.”

Before You Go On 5.1 How should the auditor go about defining the population and sampling unit? 5.2 What is the difference between random and haphazard sample selection?

Factors That Influence the Sample Size—Substantive Testing LEA RNING OBJECTI VE 6 Determine how sample size for substantive testing is influenced by various factors. The auditor must recognize when the concepts associated with audit sampling apply or do not apply to substantive tests. In a few instances, the logic behind audit sampling does not apply to substantive tests. For example, audit sampling does not apply to initial procedures, substantive analytical procedures, and many tests of details of accounting estimates and tests of details of disclosures. For instance, an auditor might audit the allowance for doubtful

10-12  C ha pte r 10  Risk Response: Evaluating ADA and Audit Sampling for Substantive Tests

accounts by using ADA to identify and analyze the payment history of every customer with receivables more than 30 or 60 days past due. It is common to use audit sampling when performing substantive tests on a population of transactions or account balances, such as taking a sample of total sales or a sample of total receivable balances. AU-C 530.A13 identifies a number of factors that will influence the sample size when testing transactions and balances. These are summarized in Illustration 10.4. ILLUSTRATION 10.4  

Factors that influence   sample size when testing   transactions and balances

Larger Samples • Higher levels of assurance should result in larger sample sizes. • Higher levels of risk of material misstatement and lower levels of detection risk will result in auditors needing higher levels of assurance from substantive tests.

Factor (Relationship to Sample Size) Desired level of assurance that tolerable misstatement is not exceeded by the actual misstatement in the population (Direct)

• The auditor also needs larger samples when assurance is not obtained from other substantive tests.

Smaller Samples • Lower levels of assurance should result in smaller sample sizes. • Lower levels of risk of material misstatement and higher levels of detection risk will result in the auditor needing lower levels of assurance from substantive tests. • The auditor also can accept smaller samples when assurance is obtained from other substantive tests.

If the auditor can only tolerate small amounts of misstatement and conclude that the account balance is presented fairly, the auditor will need larger sample sizes.

Tolerable misstatement

Larger amounts of expected misstatements in the population will result in larger sample sizes.

The amount of expected misstatement the auditor expects to find in the population

(Inverse)

If the auditor can tolerate larger amounts of misstatement and conclude that the account balance is presented fairly, the auditor will accept smaller sample sizes. Smaller amounts of expected misstatements in the population will result in smaller sample sizes.

(Direct) High variability in an audit population that is not stratified will result in larger sample sizes. desired level of assurance  the level of assurance that the sample is representative of the population; the auditor wants to choose a level of assurance so tolerable misstatement is less likely to be exceeded by the actual misstatement in the population

Stratification of the population when appropriate

Stratification of a population into relatively homogeneous subgroups is an effective way to reduce sample size for substantive tests.

The first factor listed in Illustration 10.4 is the auditor’s desired level of assurance that tolerable misstatement is not exceeded by the actual level of misstatement in the population. High levels of assurance mean lower levels of sampling risk that the sample is not representative of the population. Auditors use the audit risk model to guide them on making decisions about the levels of assurance needed from substantive tests. If the risk of material misstatement is low (e.g., the combined inherent risk and control risk assessments are low), then the auditor does not need as much assurance from substantive tests, and the auditor can reasonably accept a lower level of assurance from substantive tests and use smaller sample sizes for substantive testing. Alternatively, if the risk of material misstatement is high due to a combined assessment of inherent risk and control risk as high, the greater is the risk that a material misstatement exists and the more an auditor must rely on substantive tests of transactions and balances to identify potential material misstatements. When an auditor decides to increase his or her reliance on substantive procedures, he or she will increase the sample size. When considering the desired level of assurance that the auditor should obtain from tests of details of transactions or account balances, the auditor will also consider the assurance obtained from other substantive procedures directed toward the same assertion. When testing transactions and balances, an auditor will use a number of audit procedures. The more procedures that are directed to the same audit assertion, the less an auditor will need to rely on the evidence provided by one test alone and the smaller the sample size required. For example, when testing interest expense, the auditor may use analytical procedures to evaluate the overall fairness of interest expense given average principal balances and average interest rates. If analytical procedures provide evidence that interest expense is presented fairly, the auditor

  Factors That Influence the Sample Size—Substantive Testing  10-13

can appropriately limit the assurance needed from tests of details of transactions and decrease sample size when testing interest expense. The second factor listed in Illustration 10.4 is the auditor’s assessment of tolerable misstatement, which is the maximum dollar amount of misstatement that an auditor is willing to accept in a transaction class or an account balance, and still conclude that the population is presented fairly. Tolerable misstatement is the application of performance materiality to a particular sampling procedure. Hence, tolerable misstatement is equal to or less than the performance materiality level set for the class of transactions or balances being tested. For example, if a receivable population amounts to $100 million, the auditor’s sample size will be larger if tolerable misstatement is set at $4 million than if it is set at $5 million, in order to support a more precise conclusion. The third factor listed in Illustration 10.4 is expected misstatement, or the amount of misstatement the auditor expects to find in the population. When an auditor believes that there is likely to be a material misstatement in the population of transactions or amounts making up an account balance, he or she will increase the sample size to gain a better estimate of the actual misstatement in the population. This will occur when an account is at risk of material misstatement, such as when it requires estimation (for example, the allowance for doubtful accounts), when it requires complex calculations (for example, foreign exchange translations), or when it requires difficult valuation techniques (for example, fair market values). This will also occur when the auditor has assessed that control risk is high and the client’s control procedures are inadequate. The auditor may be able to estimate the amount of misstatement that the auditor expects to find in the population based on prior audit experience with the entity. The fourth factor listed in Illustration 10.4 is stratification of the population. When there is a wide range in the monetary size of items in the population (e.g. the population has a high degree of variability), stratification of the population is a way to group the population into more homogeneous subgroups, which will result in more efficient sampling and reduce the sample size required.

tolerable misstatement (TM)  the maximum dollar amount of misstatement that an auditor is willing to accept within the population tested, and conclude that the population is presented fairly when performing a substantive test expected misstatement (EM)  the amount of misstatement the auditor expects in a transaction class or account balance when performing a substantive test

Cloud 9 - Continuing Case Suzie and Ian are discussing how sample size might change from the prior year when performing substantive tests of transactions related to total sales. At an interim date when Suzie and Ian are planning the audit, Cloud 9 has increased its revenues by approximately 10%. Ian notes that he expects that the increase in revenue will cause an increase in sample size. However, Suzie observes that the increase in the total revenues also caused an increase in the auditor’s level of tolerable misstatement. As a result, these two changes may offset each other and have little effect on sample size. Ian also asserts that because top-line revenues are so important to many financial statement users, the auditor should want a high level of assurance that tolerable misstatement is not exceeded by expected misstatement. Suzie responds with a question. “Based on our planning work, how strong are internal controls? And how will our control risk assessment affect the assurance that we need from substantive tests of revenues?” As Ian attempts to answer this question, he suggests, “Inherent risk is probably maximum for sales revenues, but internal controls are expected to be strong, so overall risk of material misstatement is low. Because risk of material misstatement is low, we can allow ourselves to obtain a higher detection risk that the actual misstatements do not exceed tolerable

misstatement, which allows for a smaller sample size for substantive tests of revenue transactions.” Suzie likes Ian’s reasoning. Now she asks, “Is there anything else we need to consider?” Ian thinks for a minute and then suggests that they also need to consider the expected amount of misstatement in the population: “If internal controls are good, then the expected amount of misstatement should be fairly low. I now see that good internal controls are really important to our audit strategy, and we will need to emphasize testing controls, and strong controls will allow us to minimize the sample sizes we need for substantive testing.” Finally, Suzie asks Ian if they should stratify their sample selection regarding sales. Ian suggests that before answering that question, he really needs to understand the variation in the size of sales made to various customers. Suzie likes the fact that this needs to be determined based on Cloud 9’s sales history. However, she notes that, based on prior experience, some large customers have many stores, but the average invoice for each store is relatively similar. Suzie suggests that stratification may be more important for testing accounts receivable than for testing sales. They agree to quickly investigate this more and then reach a final conclusion.

Before You Go On 6.1 What are the factors that influence sample size when conducting substantive procedures? 6.2 What influences an increase in the auditor’s assessment of desired level of assurance that tolerable misstatement is not exceeded by the actual misstatement in the population? 6.3 Explain why effective stratification reduces sample size.

10-14  C ha pte r 10  Risk Response: Evaluating ADA and Audit Sampling for Substantive Tests

A Basic Framework for Audit Sampling LEA RNING OBJECTI VE 7 Explain a basic framework for selecting and evaluating an audit sample for substantive testing. Many aspects of planning and evaluating a sample are not affected by the choice of statistical or nonstatistical sampling. The choice of statistical or nonstatistical sampling does not affect the selection of procedures or the competence of evidence obtained about individual sample items. These matters require the exercise of professional judgment when applying either statistical or nonstatistical sampling. The relationship between statistical and nonstatistical sampling is shown graphically in Illustration 10.5. The following discussion focuses on the first four steps. These steps are common to all sampling methods. Steps 5 to 10 are discussed in the next sections, which discuss probability-proportionate-to-size sampling and nonstatistical sampling for substantive tests. Appendix 10A discusses classical variables sampling.

Step 1: Determine the Objectives of the Substantive Test The ultimate purpose of a substantive test is to obtain reasonable assurance that an assertion is presented fairly in all material respects. The auditor can use audit sampling for this goal by either (1) estimating the total dollar amount of a population or (2) estimating the dollar amount of misstatement in a population. For example, the auditor might use a sampling tool to develop an estimate of the audited value of total accounts receivable or total inventory. If this estimate is within a range of the book value of the client’s account balance plus or minus tolerable misstatement, then the auditor can conclude the population is materially correct. Alternatively, the auditor might estimate the amount of misstatement that might be present in an audit population. If this estimate is less than tolerable misstatement for the account, then the auditor can conclude the account balance is materially correct. At the outset, the auditor needs to determine the population being tested, the assertion or assertions being tested, and if the auditor is trying to estimate the total dollar value of the population or the total amount of misstatement that might exist in the population.

Step 2: Determine the Substantive Audit Procedures to Perform Important substantive procedures include tests of details of transactions and tests of details of balances. These are the most common procedures where the auditor would use audit sampling for substantive tests. For example, the auditor might audit the existence of accounts receivable by sending confirmations or audit the existence of inventory by physically inspecting inventory. The auditor might focus audit procedures related to the existence of property, plant, and equipment (PP&E) by (1) starting with a beginning audited balance and then (2) auditing changes to PP&E. The auditor might test the additions to PP&E by vouching to the documentation underlying the transaction. Chapter 9 explained the nature, timing, and extent of substantive procedures. In addition, Chapters 11, 12, and 13 explore developing substantive tests for the revenue, purchases, and payroll processes, and for cash, inventory, PP&E, and financing activities. It is important to make sure the evidence obtained is relevant to the assertion. More extensive audit procedures are of no audit value if the evidence is not relevant to the assertion being tested.

  A Basic Framework for Audit Sampling  10-15

Step 1

Determine the objectives of the substantive test

Step 2

Determine the substantive audit procedures to perform

Step 3

Determine whether to audit a sample or the entire population

ILLUSTRATION 10.5  

Steps in planning and   executing a statistical or   nonstatistical sample

All items

A sample Define the population and sampling unit

Step 4

Step 5

Statistical

Choose the audit sampling technique

Nonstatistical

Step 6

Determine sample size from model explicitly recognizing relevant factors

Determine sample size using professional judgment

Step 7

Randomly select representative sample

Judgmentally select representative sample

Step 8

Apply audit procedures

Apply audit procedures

Step 9

Evaluate results statistically and judgmentally

Evaluate results judgmentally

Step 10

Document conclusions

Step 3: Determine Whether to Audit a Sample or the Entire Population A critical step is to determine if the auditor will audit the entire population, apply an ADA technique to the entire population, or use sampling. As we have noted previously, when an audit population is sufficiently small, the auditor might easily audit the entire population with traditional audit procedures. For large populations, if reliable data is available in

10-16  C ha pte r 10  Risk Response: Evaluating ADA and Audit Sampling for Substantive Tests

electronic form and controls over the data are strong, then ADA could be used to analyze data and search for anomalies. If electronic data is not available and/or not reliable and controls over the data are weak, then the auditor is more likely to use audit sampling. These and other factors that influence the choice of ADA versus audit sampling were summarized in Illustration 10.1. The remainder of the discussion of a basic framework for audit sampling focuses on when the auditor chooses to use audit sampling rather than testing an entire population.

Step 4: Define the Population and Sampling Unit reciprocal population  a population that is overstated if the population of interest is understated (or vice versa)

As discussed in the “Sampling Methods” section, an important step is determining the population and the appropriate sampling unit. Sometimes an auditor will audit a reciprocal population. A reciprocal population is a population that is overstated if the population of interest is understated (or vice versa). For example, if accounts payable at year-end is understated, it is likely that the transaction is recorded in the next month, and subsequent recording of purchases is overstated. The unrecorded liability gets paid, but the transaction is recorded in the wrong accounting period. Hence, the auditor may often look at the population of purchases in January searching for items that should have been recorded as accounts payable at the end of December. Steps 5 to 10 are discussed in each application of audit sampling in the remainder of this chapter and its appendix.

Before You Go On 7.1 List the 10 steps associated with planning, selecting, and evaluating a sample for substantive testing. 7.2 Explain the importance of determining the objectives of the substantive test. 7.3 Assume that you are auditing accounts payable. Identify and explain several different ways you might define the population being tested.

Applying Probability-Proportionate-to-Size Sampling for Substantive Testing LEA RNING OBJECTI VE 8 Apply probability-proportionate-to-size sampling for a substantive test to draw an audit conclusion. The following discussion applies the framework described in Illustration 10.5 to probabilityproportionate-to-size (PPS) sampling. Steps 1 through 4 were discussed previously. The following discussion focuses on Steps 5 through 10, and focuses on the audit judgments involved in applying PPS sampling for substantive tests.

  Applying Probability-Proportionate-to-Size Sampling for Substantive Testing   10-17

Step 5: Choose the Audit Sampling Technique Probability-proportionate-to-size (PPS) sampling, sometimes called dollar-unit sampling or monetary-unit sampling, uses attribute sampling theory to ­express a conclusion in dollar amounts. With this sampling technique, the probability that a particular sampling unit will be chosen in the sample is proportionate to the monetary size of the item. This form of sampling may be used in substantive tests of both transactions and balances. The PPS sampling approach illustrated in this chapter is based on the PPS sampling model described in the AICPA’s Audit Guide: Audit Sampling.1 The model in the Audit Guide: Audit Sampling is primarily applicable in testing transactions and balances for overstatement. It may be especially useful in tests of: •  Receivables when unapplied credits to customer accounts are insignificant. •  Investment securities. •  Inventory price tests when few differences are anticipated. •  Plant asset additions. The AICPA’s Audit Guide: Audit Sampling identifies several advantages and disadvantages of PPS sampling. The advantages of PPS sampling are: •  It is generally easier to use than classical variables sampling because the auditor can calculate sample sizes and evaluate sample results by hand or with the assistance of tables. •  The size of a PPS sample is not based on any measure of the estimated variation of audit values. •  PPS sampling automatically results in a stratified sample because items are selected in proportion to their dollar values. •  PPS systematic sample selection automatically identifies any item that is individually significant if its value exceeds an upper monetary cutoff. •  If the auditor expects no misstatements, PPS sampling will usually result in a smaller sample size than under classical variables sampling. •  A PPS sample can be designed more easily, and sample selection may begin before the complete population is available. In contrast, PPS sampling has the following disadvantages: •  It includes an assumption that the audit value of a sampling unit should not be less than zero or greater than book value. When understatements or audit values of less than zero are anticipated, special design considerations may be required. •  If understatements are identified in the sample, the evaluation of the sample may require special considerations. •  The selection of zero balances or balances of a different sign (e.g., credit balances for asset accounts) requires special consideration. •  PPS evaluation may overstate the allowance for sampling risk when misstatements are found in the sample. As a result, the auditor may be more likely to reject an acceptable book value for the population. •  As the expected number of misstatements increases, the appropriate sample size increases. Thus, a larger sample size may result than under classical variables sampling. Professional judgment should be exercised by the auditor in determining the appropriateness of this approach in a given audit circumstance. Most generalized audit software, such as Idea or ACL, allows for the easy use of statistical sampling, provided the auditor understands the logic behind the statistics being used. When using PPS sampling, the population consists of the class of transactions or the account balance to be tested. For each population, the auditor should decide whether all the items should be included. For example, four populations are possible when the population is based on account balances in the accounts receivable ledger: (1) all balances, (2) only debit balances, (3) only credit balances, and (4) zero balances. The following discussion will develop an example sampling plan for New Millennium Ecoproducts. In this example, the auditor uses customer receivables with debit balances only. 1

Audit Guide: Audit Sampling (AICPA: New York, NY, 2017).

probability-proportionate-tosize (PPS) sampling  an approach to sampling that uses attribute sampling theory to express a conclusion in dollar amounts; with this sampling technique, the probability that a particular sampling unit will be chosen in the sample is proportionate to the monetary size of the item

10-18  C ha pte r 10  Risk Response: Evaluating ADA and Audit Sampling for Substantive Tests

logical sampling unit  the item snagged by the sampling plan for audit, such as an individual customer or individual sales invoice; auditing procedures are performed on the logical sampling unit

In PPS sampling, the sampling unit is the individual dollar, and the population is considered a number of dollars equal to the total dollar amount of the population. Each dollar in the population is given an equal chance of being selected in the sample. Although individual dollars are the basis for sample selection, the auditor does not actually examine individual dollars in the population. Rather, the auditor examines the account, transaction, document, or line item associated with the dollar selected. In the case developed in the following discussion, the auditor will select individual dollars and use that information to “hook” individual customers when auditing accounts receivable. The item snagged (e.g., a customer receivable) is known as a logical sampling unit. It is this feature that gives PPS sampling its name. The more dollars associated with a logical unit, the greater its chance of being chosen. Thus, the likelihood of selection is proportional to its size. This feature is also responsible for two limitations of PPS sampling. First, in testing assets, zero and negative balances should be excluded from the population because such balances have no chance of being selected in the sample. The example below will use customers with debit balances only. Customers with zero balances or credit balances will have to be audited separately. Second, PPS sampling is not suitable in testing liabilities (when the auditor is concerned about looking for understatements) because the more an item is understated, the less likely it is to be included in the sample. PPS sampling is biased against selecting very small items that might, if understated, be very large. As a result, many auditors using PPS sampling think about how to identify a reciprocal population that will be overstated if the account balance being audited is understated. For example, if accounts payable at year-end is understated, the voucher register for the period subsequent to year-end will likely be overstated because liabilities that are unrecorded at year-end are normally recorded in the subsequent period. The item chosen (e.g., individual customer receivable) and tested by the auditor is known as the logical sampling unit. If the auditor intends to seek confirmation of customer account balances, he or she would ordinarily choose the customer account as the logical unit. Alternatively, the auditor might choose to seek confirmation of specific transactions with customers. In that case, the auditor might choose sales invoices as the logical unit. The auditor then selects the sample items from a physical representation of the population, such as the invoices making up the client’s accounts receivable trial balance. Audit software (such as Idea) may be used to select the sample items directly from a machine-readable form of the physical representation. Before selecting the sample, the auditor should determine that the physical representation is complete. Using the software to reconcile a machine-readable file to a general ledger control total usually accomplishes this task. In the following discussion, we will develop an example for New Millennium Ecoproducts where: 1. The population is defined as customer receivables with debit balances. 2. The aggregate book value of these accounts is $600,000. 3. The customer account is defined as the logical sampling unit. 4. The electronic file from which the accounts are to be selected has been reconciled to the general ledger account balance of $600,000 referred to in (2).

Step 6: Determine Sample Size Using Professional Judgment The same basic factors should be considered whenever the auditor determines sample size. Illustration 10.6 provides an overview of the factors that influence sample size when the auditor uses PPS sampling. These factors are similar to those discussed in Illustration 10.4 except for the book value of the population. When selecting a PPS sample, book value does influence sample size. The risk of incorrect acceptance is related to the desired level of assurance the auditor wants from the sample. Lower risk of incorrect acceptance is equivalent to having a higher desired level of assurance from the sample. Tolerable misstatement and expected misstatement behave the same as discussed in Illustration 10.4.

  Applying Probability-Proportionate-to-Size Sampling for Substantive Testing   10-19 ILLUSTRATION 10.6   Factors that influence sample size for PPS sampling

Factor (Relationship to Sample Size)

Larger Samples Larger populations with higher book values should result in a larger sample size.

Book value of the population

Smaller amounts of sampling risk should result in a larger sample size.

Risk of incorrect acceptance

The smaller the amount of misstatement that the auditor can tolerate, the larger the sample size.

Tolerable misstatement

The closer tolerable misstatement and expected misstatement are to each other, the larger the sample size.

Expected misstatement

(Direct) (Inverse) (Inverse) (Direct)

Smaller Samples Smaller populations with lower book values should result in a smaller sample size. Larger amounts of sampling risk should result in a smaller sample size. The larger the amount of misstatement the auditor can tolerate, the smaller the sample size. The greater the difference between tolerable misstatement and expected misstatement, the smaller the sample size.

Once the auditor has made professional judgments about these factors, the following formula is used to determine sample size (n) in PPS sampling:

n=

BV × RF TM − (EM × EF)

where

  BV = book value of population tested

  RF = reliability factor for the specified risk of incorrect acceptance   TM = tolerable misstatement

  EM = expected misstatement

  EF = expansion factor for expected misstatement Each of these factors is explained below.

Book Value of Population Tested The book value specified in determining sample size must relate to the definition of the population. In our example, the book value of total accounts receivable with debit balances for New Millennium Ecoproducts is $600,000. The amount of the book value has a direct effect on sample size—the larger the book value being tested, the larger the sample size.

Reliability Factor for Specified Risk of Incorrect Acceptance In specifying an acceptable level of risk of incorrect acceptance, the auditor should consider (1) the level of audit risk that he or she is willing to take that a material misstatement in the account will go undetected, (2) the assessed levels of inherent and control risks, and (3) the results of other tests of details and substantive analytical procedures that are relevant to the assertion. Therefore, the risk of incorrect acceptance is determined using the audit risk model as shown below. Risk of incorrect acceptance =

AR = audit risk IR = inherent risk CR = control risk OSP = assurance from other substantive procedures

where        

AR IR × CR × OSP

10-20  C h a pte r 10  Risk Response: Evaluating ADA and Audit Sampling for Substantive Tests

Further, the risk of incorrect acceptance has an inverse effect on sample size—the lower the specified risk, the larger the sample size. For example, the auditor concludes that inherent risk is at the maximum, and control risk is low. If other substantive procedures provide moderate assurance that the book value being tested is not materially misstated, the auditor will be willing to accept a higher risk of incorrect acceptance, perhaps up to 40%, for the PPS sample. Now suppose the auditor concludes inherent risk is maximum, and control risk is high. If other substantive procedures provide little assurance about the account being tested, then greater assurance must be obtained from the test and the auditor will specify a low risk, perhaps as low as 5%, of incorrect acceptance. The audit risk model, experience, and professional judgment must be used in making these determinations. Risk of incorrect acceptance is used to determine the reliability factor (RF), and this is obtained from Illustration 10.7. It is based on the risk of incorrect acceptance specified by the auditor and zero number of misstatements, regardless of the number of misstatements expected. In New Millennium Ecoproducts, the auditor specifies a 5% risk of incorrect acceptance, implying that the auditor is not relying on internal controls and is getting all of the assurance from substantive tests of details. Therefore, the reliability factor is 3.0. ILLUSTRATION 10.7  

Reliability factors for zero overstatements

Risk of Incorrect Acceptance Reliability factors

1%

5%

10%

15%

20%

25%

30%

37%

4.61

3.00

2.31

1.90

1.61

1.39

1.21

1.00

Source: AICPA Audit Guide: Audit Sampling.

Tolerable Misstatement Tolerable misstatement (TM) is the maximum misstatement that can exist in an account before it is considered materially misstated. Some auditors use the term performance materiality (or material amount) as an alternative to TM. In specifying this factor, the auditor should realize that misstatements in individual accounts, when aggregated with misstatements in other accounts, may cause the financial statements as a whole to be materially misstated. TM has an inverse effect on sample size—the smaller the TM, the larger the sample size. For New Millennium Ecoproducts, the auditor specifies a TM equal to 5% of book value, or $30,000.

Expected Misstatement and Expansion Factor In PPS sampling, the auditor does not quantify the risk of incorrect rejection. This risk is controlled indirectly, however, by specifying the expected misstatement (EM) that is inversely related to the risk of incorrect rejection and directly related to sample size. EM is the amount of misstatement the auditor expects to occur in the population. The auditor uses prior experience, knowledge of the client, and professional judgment in determining an amount for EM. The auditor must bear in mind that an excessively high amount will unnecessarily increase sample size, whereas too low an estimate will result in a high risk of incorrect rejection. For New Millennium Ecoproducts, the auditor specifies EM of $6,000 based on knowledge from the audit in the prior year. The expansion factor (EF) is required only when misstatements are expected. It is obtained from Illustration 10.8 using the auditor’s specified risk of incorrect acceptance. The smaller the specified risk of incorrect acceptance, the larger the EF. Like expected misstatement, the EF has a direct effect on sample size. In New Millennium Ecoproducts, the EF for expected misstatement is 1.6. The combined effect of expected misstatement and EF is then subtracted from tolerable misstatement in determining sample size. ILLUSTRATION 10.8

Expansion factors for PPS sampling

Risk of Incorrect Acceptance Expansion factor

1%

5%

10%

15%

20%

25%

30%

37%

1.90

1.60

1.50

1.40

1.30

1.25

1.20

1.15

Source: AICPA Audit Guide: Audit Sampling.

  Applying Probability-Proportionate-to-Size Sampling for Substantive Testing   10-21

Calculation of Sample Size

The factors for determining sample size for New Millennium Ecoproducts are BV = $600,000, RF = 3.0, TM = $30,000, EM = $6,000, and EF = 1.6. Thus, sample size is 88, computed as follows: n=

$600,000 × 3.0 = 88 $30,000 − ($6,000 × 1.6)

Step 7: Select a Representative Sample The process of selecting a sample should be unbiased and the auditor should attempt to obtain a representative sample of the items in the balance or transaction class being sampled. The auditor can never be certain that a representative sample has been achieved. The concept of sampling risk (risk of incorrect acceptance) is a measure of whether the sample is representative or not. The auditor’s best opportunity to obtain a representative sample is to select a random sample. The following discussion explains the methodology for selecting a random sample using PPS sampling.

Calculate Sampling Interval The most common selection method used in PPS sampling is systematic selection. This method divides the total population of dollars into equal intervals of dollars. A logical unit is then systematically selected from each interval. Thus, a sampling interval (SI) must be calculated as follows: SI =

BV n

In New Millennium Ecoproducts, the sampling interval is $6,818 ($600,000 ÷ 88).

Select Random Sample The initial step in the selection process is to pick a starting random number between 1 and the sampling interval of 6,818. The sample will then include each logical unit that contains every 6,818th dollar thereafter in the population. A random number can be determined by using the @ random function in Microsoft Excel, by using an audit software application like Idea, or by using the serial number on a dollar bill. In the selection process, it is necessary to determine the cumulative balance of the book values of the logical units to determine which logical units are “hooked” or “snagged” by the individual dollar units selected. The process is illustrated for New Millennium Ecoproducts in Illustration 10.9, where (1) the customer account number is used to identify the logical units and (2) the starting random number is 5,082. Note that the amounts in the Dollar Unit Selected column represent every 6,818th dollar after 5,082. For example, the second item selected is the item with the cumulative dollar value of $11,900 (5082 + 6818 = 11,900). This was customer 1004. The first dollar of this customer was $9,834 and the last dollar of this customer was $13,108. Since $11,900 falls between these numbers, customer 1004 was the second customer selected for confirmation. The dollar unit selected causes the entire book value of the related logical sampling unit (customer) to be included in the sample. It is important to note that the selection process will result in the selection of all logical units with book values equal to or greater than the sampling interval ($6,818 in this case). These items become a certainty stratum, and the auditor can draw a conclusion about that sampling interval with certainty as the auditor will audit every dollar in the sampling interval. Most auditors use generalized audit software (e.g., Idea) to accomplish this task.

10-22  C ha pte r 10  Risk Response: Evaluating ADA and Audit Sampling for Substantive Tests ILLUSTRATION 10.9   PPS systematic selection process

Accounts Receivable Logical Unit (Customer Number)

Book Value

Cumulative Balances

First Dollar of Logical Unit

Last Dollar of Logical Unit

1001

$   1,200

$  1,200

$   1

$  1,200

1002

6,443

7,643

1,201

7,643

1003

2,190

9,833

7,644

9,833

1004

3,275

13,108

9,834

13,108

1005

980

14,088

13,109

14,088

1006

1,647

15,735

14,089

15,735

1007

4,260

19,995

15,736

19,995

1008

480

20,475

19,996

20,475

1009

7,150

27,625

20,476

27,625

Total

°

°

Dollar Unit Selected Random Start = $5,082 Sampling Interval = $6,818 $  5,082

Book Value of “Hooked” Sample Item $6,443

11,900 ($5,082 + $6,818)

3,275

18,718 ($11,900 + $6,818)

4,260

25,536 ($18,718 + $6,818)

7,150

$600,000

Step 8: Apply Audit Procedures Once the auditor selects a sample, the auditor should apply audit procedures to determine the magnitude of misstatement in the items selected for auditing. In Step 2, the auditor determined the evidence that would support a conclusion about whether the account balance or transaction class was correct or whether it contained a misstatement. If the auditor is sending confirmations, the auditor must use professional judgment to evaluate each confirmation (see a further discussion of confirmation follow-up procedures in Chapter 11). In the New Millenium Ecoproducts example, the auditor has chosen to send confirmations of accounts receivable to 88 customers. Assume that five of the 88 confirmations were either returned with customer disagreements with the amount or the confirmation was never returned. After the auditor performs follow-up procedures on the five items, he or she documents the results. In all five cases, the audit value is less than the recorded book value, as noted in the following table.

Customer Number

Book Value (BV)

Audit Value (AV)

1031

$  950

$   855

1042

2,500

1,250

1098

7,650

6,885

1157

5,300

5,035

1210

8,000

0

Step 9: Evaluate Sample Results upper misstatement limit  a statistical estimate of the maximum misstatement in the population based on the sample

In evaluating the results of the sample, the auditor calculates an upper misstatement limit (UML) from the sample data to develop a statistical estimate of the maximum misstatement in the population based on the sample. The auditor can then compare the UML with tolerable misstatement specified in designing the sample. The sample results support the conclusion that the population book value is not misstated by more than the UML at the specified risk

  Applying Probability-Proportionate-to-Size Sampling for Substantive Testing   10-23

of incorrect acceptance. If the UML is less than TM, then the auditor accepts the population as being materially correct. The auditor may also want to consider whether the UML may aggregate with other misstatements found in the audit in a way that aggregates to a material misstatement. The upper misstatement limit (UML) is calculated as follows: UML = PM + ASR

 PM = projected misstatement, which is a projection of the misstatement in the population based on the findings in the sample  ASR = a llowance for sampling risk which measures the uncertainty associated with not sampling the entire population where

No Misstatements Found in the Sample The results of the sample are used to estimate the total projected misstatement (PM) in the population. When no misstatements are discovered in the sample, the PM factor in the formula above is zero dollars. In the case of no misstatements, the allowance for sampling risk (ASR) factor consists of one component sometimes referred to as basic precision (BP), which is the amount of estimated misstatement in the population, even if no misstatements are detected in the sample. The amount is obtained by multiplying the reliability factor (RF) for zero misstatements at the specified risk of incorrect acceptance (Illustration 10.7) times the sampling interval (SI). Ordinarily, the auditor uses the same risk of incorrect acceptance in this calculation that was specified in determining sample size (5%). Thus, in the New Millennium Ecoproducts example, basic precision is $20,454, computed as follows: BP (or ASR if no misstatements) = RF0 × SI



= 3.0 × $6,818



= $20,454

Now we know ASR, and PM is zero if no misstatements were found. We can then calculate the UML as follows: UML = PM + ASR

= 0 + $20,454



= $20,454

The UML of $20,454 is less than the $30,000 TM specified in the sample design. As a general rule, if no misstatements are in found in the sample and expected misstatement (EM) was specified as zero, the ASR and the UML will always equal TM. If EM was greater than zero, as was the case for New Millennium Ecoproducts, the ASR and the UML will be less than TM. When making this statistical calculation, if no misstatements were found for New Millennium Ecoproducts, the auditor could conclude that the book value of the population is not overstated by more than $20,454 at a 5% risk of incorrect acceptance.

Some Misstatements Found in the Sample If misstatements are found in the sample, the auditor must calculate both the total PM in the population and the ASR to determine the UML for overstatements. The UML is then compared with TM. A projected misstatement (PM) amount is calculated for each logical unit (each customer) where a misstatement is found by the auditor. Individual projected misstatements are then summed to arrive at the PM for the entire population. The PM is calculated differently for (1) logical units with book values less than the sampling interval and (2) logical units with book values equal to or greater than the sampling interval.

projected misstatement (PM)  a projection of the misstatement in the population based on the findings in the sample allowance for sampling risk (ASR)  a measure of the uncertainty associated with not sampling the entire population

basic precision (BP)  the amount of estimated misstatement in the population, even if no misstatements are detected in the sample

10-24  C ha pte r 10  Risk Response: Evaluating ADA and Audit Sampling for Substantive Tests

For each logical unit with a book value less than the sampling interval that contains a misstatement, a tainting percentage (TP) and projected misstatement are calculated as follows: Tainting percentage = (Book value – Audit value) ÷ Book value

Projected misstatement = Tainting percentage × Sampling interval

The calculations recognize that each logical unit included in the sample represents one sampling interval of the dollars in the population’s book value. Thus, the degree to which a logical unit is “tainted” with misstatement is projected to all of the dollars in the sampling interval it represents. For each logical unit where the book value is equal to or greater than the sampling interval, the projected misstatement is the amount of misstatement found in the logical unit (Book value – Audit value). Because the logical unit itself is equal to or greater than the sampling interval, a tainting percentage to project the misstatement to the interval is unnecessary. Rather, the actual amounts of such misstatements are used in arriving at PM for the population as a whole. Illustration 10.10 shows the calculation of projected misstatement for the five misstatements in the New Millennium Ecoproducts example. ILLUSTRATION 10.10  

Determination of projected   misstatement for New   Millennium Ecoproducts

Customer Number

Book   Auditing Value (BV) Value (AV)

Tainting   Sampling Percentage (TP)  Interval (BV – AV)/BV (SI)

Projected Misstatement TP × SI or   (BV – AV)

1031

$   950

$   855

10%

$6,818

$   682

1042

2,500

1,250

50%

6,818

3,409

1098

7,650

6,885

N/A*

N/A*

765

1157

5,300

5,035

5%

6,818

341

1210

8,000

0

N/A*

N/A*

8,000

$24,400

$14,025

$13,197

*Book value of the logical sampling unit is greater than sampling interval; therefore, projected misstatement equals actual misstatement (BV – AV).

Note that the first, second, and fourth logical units containing misstatements have book values less than the sampling interval of $6,818. Accordingly, the tainting percentages (TP) have been calculated and used to determine the projected misstatements. The third and fifth units have book values greater than the sampling interval. Therefore, the projected misstatement for each is the difference between the book value and the audit value. The total misstatement in the sample is $10,375 ($24,400 – $14,025), and the total PM in the population is $13,197. The allowance for sampling risk (ASR) for samples containing misstatements has two components as indicated in the following formula: ASR = BP + IA

  BP = basic precision   IA = incremental allowance for sampling risk where

The calculation of BP is the same whether or not misstatements are found in the sample. Thus, in New Millennium Ecoproducts, this component is again $20,454, based on the RF of 3.0 (for zero errors and a 5% risk of incorrect acceptance) multiplied by the SI of $6,818. To calculate the incremental allowance for sampling risk (IA), the auditor must consider separately the logical units with book values less than the sampling interval and those with book values equal to or greater than the sampling interval. For all logical units equal to or greater than the sampling interval, the auditor has examined 100% of the sampling interval, and the auditor can draw a conclusion about these sampling intervals with certainty. There is no sampling risk associated with these items. Consequently, the calculation of IA involves only misstatements related to logical units with book values less than the sampling interval.

  Applying Probability-Proportionate-to-Size Sampling for Substantive Testing   10-25

The calculation of IA involves the following steps: •  Determine the appropriate incremental change in reliability factors. •  Rank the projected misstatements for logical units less than the sampling interval from highest to lowest. •  Multiply the ranked projected misstatements by the appropriate factor and sum the products. Illustration 10.11 illustrates the first step. ILLUSTRATION 10.11

5% Risk of Incorrect Acceptance Number of  Reliability Incremental Change Incremental Change in Overstatements Factor in Reliability Factor Reliability Factor Minus One 0

3.00





1

4.75

1.75

0.75

2

6.30

1.55

0.55

3

7.76

1.46

0.46

4

9.16

1.40

0.40

Incremental change for   allowance for sampling risk

Source: AICPA Audit Guide: Audit Sampling.

The data in the first two columns in Illustration 10.11 are taken from Illustration 10.12 for the specified risk of incorrect acceptance (5% in this illustration). Each entry in the third column in Illustration 10.11 is the reliability factor on the same line less the reliability factor on the previous line. The factors calculated in the fourth column are obtained by subtracting one from each of the third column factors. ILLUSTRATION 10.12   Reliability factors for evaluating PPS samples

Risk of Incorrect Acceptance

Number of Overstatements

1%

5%

10%

13%

15%

20%

25%

30%

37%

0

4.61

3.00

2.31

2.00

1.90

1.16

1.39

1.21

1.00

1

6.64

4.75

3.89

3.56

3.38

3.00

2.70

2.44

2.14

2

8.41

6.30

5.33

4.94

4.72

4.28

3.93

3.62

3.25

3

10.05

7.76

6.69

6.25

6.02

5.52

5.11

4.77

4.34

4

11.61

9.16

8.00

7.53

7.27

6.73

6.28

5.90

5.43

5

13.11

10.52

9.28

8.77

8.50

7.91

7.43

7.01

6.49

6

14.57

11.85

10.54

10.00

9.71

9.08

8.56

8.12

7.56

7

16.00

13.15

11.78

11.21

10.90

10.24

9.69

9.21

8.63

8

17.41

14.44

13.00

12.41

12.08

11.38

10.81

10.31

9.68

9

18.79

15.71

14.21

13.59

13.25

12.52

11.92

11.39

10.74

10

20.15

16.97

15.41

14.77

14.42

13.66

13.02

12.47

11.79

Source: AICPA Audit Guide: Audit Sampling.

The second and third steps are illustrated below. Ranked Projected Misstatements

Incremental Change in Reliability   Factor Minus One

Incremental  Allowance

$3,409

0.75

$2,557

682

0.55

375

341

0.46

157 $3,089

10-26  C ha pte r 10  Risk Response: Evaluating ADA and Audit Sampling for Substantive Tests

Observe that (1) only the projected misstatements from Illustration 10.10 for logical units with book values less than the sampling interval are ranked, and (2) the appropriate reliability factor is obtained from the fourth column of Illustration 10.11. The incremental allowances for the projected misstatements are then added to determine the total incremental allowance of $3,089. Thus, the total allowance for sampling risk for New Millennium Ecoproducts is $23,543, computed as follows: ASR = BP + IA = $20,454 + $3,089 = $23,543 Finally, the UML is calculated as: UML = PM + ASR = $13,197 + $23,543 = $36,740 The auditor may conclude (a quantitative conclusion) that the book value is not overstated by more than $36,740 at a 5% risk of incorrect acceptance. For New Millennium Ecoproducts, the UML exceeds the TM of $30,000 specified in designing the sample. When this occurs, the auditor should consider several possible reasons and alternative courses of action. These matters are discussed next.

Qualitative Considerations Whether UML is less than, equal to, or greater than TM, certain qualitative considerations should be made prior to reaching an overall conclusion. Misstatements may be due to (1) differences in principle or application, (2) errors, or (3) fraud. Consideration should also be given to the relationship of the misstatements to other phases of the audit. For example, if misstatements are discovered in substantive tests in amounts or frequency that provide evidence that internal controls are not functioning as expected, and the control risk assessment used in arriving at the risk of incorrect acceptance specified for the sample is inconsistent with the subsequent evidence, the auditor should consider whether that assessment of control risk is still appropriate. If it is not appropriate, the auditor should redesign the sampling plan. If the auditor detects fraud in the sample, the auditor may want to perform additional procedures, even if the amount of the UML is less than tolerable misstatement. The nature of the fraud, particularly evidence of management fraud, may also have implications for other aspects of the audit (see Chapter 4). The auditor uses professional judgment in combining evidence from several sources to reach an overall conclusion about whether an account balance is free of material misstatement. When (1) the results of a PPS sample reveal the UML to be less than or equal to TM, (2) the results of other substantive tests do not contradict this finding, and (3) analysis of the qualitative considerations reveals no evidence of fraud, the auditor can generally conclude that the population is not materially misstated. However, if the UML is greater than TM, if the results of other tests contradict the results of the PPS sample, or if qualitative issues arise in the sample evidence, further evaluation of the circumstances is necessary. For example, if the UML is greater than TM, the auditor should consider the following possible reasons and actions: •  The sample is not representative of the population. The auditor might suspect this is the case when the sample contains immaterial misstatements that result in a projected UML that exceeds tolerable misstatement. In this case, the auditor might examine additional sampling units or perform alternative procedures to determine whether the population is misstated. (Note: A simple way to expand the sample is to divide the sampling interval in half. This will produce a sample containing all the units in the original sample plus an equal number of additional units.) •  The amount of expected misstatement specified in designing the sample may not have been large enough relative to tolerable misstatement to adequately limit the allowance for sampling risk. That is, the population may not be misstated by more than TM, but because the amount of misstatement in the population is greater than expected, more precise information is needed from the sample. In this situation, the auditor may examine

  Applying Probability-Proportionate-to-Size Sampling for Substantive Testing   10-27

additional sampling units and reevaluate or perform alternative audit procedures to determine whether the population is misstated by more than TM. •  The population is misstated by more than TM. In this case, the auditor may request the client investigate the misstatements found in the sample and, if appropriate, adjust the book value. As a result of any of these courses of action, the client’s book value might be adjusted. If the UML after adjustment is less than TM, the sample results would support the conclusion that the population, as adjusted, is not misstated by more than TM at the specified risk of incorrect acceptance. For example, in the New Millennium Ecoproducts sample, one receivable with a book value of $8,000 was found to have an audit value of zero. If this account was adjusted to the audited value, the PM for the population would be $5,197 ($13,197 – $8,000). The allowance for sampling risk would remain the same at $23,543, and UML would become $28,740 ($5,197 + $23,543), which is less than the $30,000 TM specified in designing the sample.

Step 10. Document Conclusions Illustration 10.13 provides an example of how the application of PPS sampling in the audit of New Millennium Ecoproducts receivables might be documented. This example shows how the sample was designed, the specific audit evidence that was obtained, and the conclusions that were reached about the account balance. The working papers also cross-reference to other working papers where important audit planning decisions and other audit evidence are documented. ILLUSTRATION 10.13   PPS sampling plan working paper

Client:  New Millennium Ecoproducts

Bell & Bowerman, LLPrepared by: A.J.D. 1/7/23

Period-end: 12/31/22

Reference: B-2

Reviewed by: C.W.B. 1/9/23

Evaluation of Confirmation Results Objective: To obtain evidence to determine whether the aggregate book value of customer accounts with debit balances as of 12/31/22 is, or is not, materially misstated. See W/P B-4 for procedures performed on zero and credit balances, which found no exceptions. Population and Sampling Unit: The population is defined as the total book value of accounts receivable with debit balances per master file. The logical sampling unit is the customer account. Sample Size:

Book Value of the Population

$600,000

Risk of Incorrect Acceptance

GF - 8

5%

Tolerable Misstatement

GF - 4

$30,000

(TM)

$6,000

(EM)

Expected Misstatement Sample Size Sample Selection:

Evaluation of Sampling Plan: Evaluation of Sample Results:

(BV) RF = 3.00

88

EF = 1.60

(n)

Sampling Interval = BV/n Random Start

$6,818 $5,082

Logical Sampling Units Selected Listed on W/P

B-3

 Audit Procedures Applied Listed on W/P B-1 Book and Audit Values for Sample Items with Misstatements Listed Below Projected Misstatement

Customer Number

Book Value (BV)

Audit Value (AV)

Tainting Percentage (TP) (BV − AV)/BV

Sampling Interval (SI)

Projected Misstatement TP * SI or (BV − AV)

1031

$  950

$ 855

10.0%

$6,818

$   682

1042

2,500

1,250

50.0%

6,818

3,409

1098

7,650

6,885

N/A

N/A

765

1157

5,300

5,035

5.0%

6,818

341

1210

8,000



N/A

N/A

8,000  13,197 (PM)

Allowance for Sampling Risk: Basic Precision = RF * SI

$20,454 (BP) (continued)

10-28  C ha pte r 10  Risk Response: Evaluating ADA and Audit Sampling for Substantive Tests ILLUSTRATION 10.13   (continued)

Incremental Allowance for Sampling Risk Ranked Projected Misstatements

Incremental Change in Reliability Factor Minus One

1

$3,409

0.75

$ 2,557

2

682

0.55

375

3

341

0.46

157

4





5



–  3,089 (IA)

Upper Misstatement Limit (PM + BP + IA)

$36,740  (UML > TM)

Conclusion: The UML of $36,740 exceeds TM of $30,000. Client subsequently agreed to adjust customer number 1210 to the audited value of $0. This item was larger than the sampling interval and the misstatement was known with certainty. This reduces both PM and UML by $8,000, making UML $28,740 which is less than TM. See adjusting entry on w/p AE-1. After the client adjustment, the results support a conclusion that the aggregate book value of customer accounts with debit balances, as adjusted, is materially correct.

Before You Go On 8.1 Explain the advantages and disadvantages of using PPS sampling. 8.2 Distinguish between the sampling unit and the logical sampling unit in PPS sampling. 8.3 Explain why, when auditing accounts receivable with PPS sampling, zero balances and credit balances must be audited separately. 8.4 Give the formula for calculating sample size in PPS sampling. Explain what each element in the formula represents and how a change in each element, holding other elements constant, affects sample size. 8.5 Explain the terms tainting percentage and projected misstatement as they pertain to PPS sampling. 8.6 Explain the two components of allowance for sampling risk in PPS samples.

Applying Nonstatistical Sampling for Substantive Testing LEA RNING OBJECTIVE 9 Apply nonstatistical sampling for a substantive test to draw an audit conclusion.

The basic steps associated with any sampling plan are summarized in Illustration 10.5. This section picks up the unique aspects of applying Steps 5 through 10 in the context of executing a nonstatistical sample for a substantive test.

Step 5: Choose the Audit Sampling Technique The auditor may choose to use nonstatistical sampling in certain substantive testing applications. Nonstatistical sampling is an approach to audit sampling that relies on the auditor’s judgment to determine sample size, select the sample, project sample results on the population, and evaluate any allowance for sampling risk. The major advantages of nonstatistical sampling include: •  Decreased complexity.

  Applying Nonstatistical Sampling for Substantive Testing  10-29

•  Lower training cost. •  May be less time-consuming. The major disadvantages of nonstatistical sampling are that the auditor: •  Cannot quantify sampling risk. •  Cannot measure the sufficiency of evidence. •  May not get the most efficient sample.

Step 6: Determine Sample Size Using Professional Judgment Recall that AU-C 530.A13 identifies the following factors that influence sample size: •  The desired level of assurance that tolerable misstatement is not exceeded by the actual misstatement in the population. •  Tolerable misstatement. •  The amount of expected misstatement in the population. •  Stratification of the population into more homogeneous subgroups. Each of these factors and their influence on sample size were summarized in Illustration 10.4. When the auditor uses professional judgment to determine sample size, it is important that the audit firm applies judgment consistently within an audit, and from audit to audit. In the following example, the auditor is auditing accounts receivable. The book value of total receivables is $7,500,000, and the auditor sets tolerable misstatement at $375,000 (5% of the book value of the population). The auditor also stratifies the customer receivables into three groups: (1) all receivables with book values greater than $150,000, (2) receivables with book values between $15,000 and $150,000, and (3) all receivables with book values less than $15,000 (including zero and credit balances). The auditor then determines to audit 100% of the items greater than $150,000, which amount to $1,750,000. There is no sampling risk in this first stratum and the auditor will draw a conclusion about this stratum with certainty. This leaves a remaining population of $5,750,000 in two strata. The auditor judgmentally determines to select 15 of the 90 customers in stratum 2, and 25 of the 400 items in stratum 3. This sampling plan audits more of the larger receivables and may favor finding overstatements than understatements as a result.

Dollar Value of Stratum Receivables

Book Value of the Population

Percent of Book Value

Number of Sampling Units in the Population (N)

Percent of Sampling Units in the Population

Sample Selected (n)

Percent of the Sample

1

Greater than $150,000

$1,750,000

23%

10

2%

10

20% (10/50)

2

$15,000 to $150,000

3,000,000

40%

90

18%

15

30% (15/50)

3

Less than $15,000

2,750,000

37%

400

80%

25

50% (25/50)

$7,500,000

100%

500

100%

50

Step 7: Select a Representative Sample The process of selecting a sample should be unbiased; the auditor should attempt to obtain a representative sample of the items in the balance or transaction class being sampled. The auditor can never be certain that a representative sample has been achieved. Usually, the auditor’s best opportunity to obtain a representative sample is to select a random sample of receivables from each stratum. Alternatively, the auditor might judgmentally draw a haphazard sample from each stratum. Let’s assume that the auditor draws a haphazard sample of 15 customers out of stratum 2 and 25 customers out of stratum 3, and gets the following results in terms of the book value of the sample.

100%

10-30  C ha pte r 10  Risk Response: Evaluating ADA and Audit Sampling for Substantive Tests

Dollar Value of Stratum Receivables 1

Greater than $150,000

2

$15,000 to $150,000

3

Less than $15,000

Book Value of the Population % of BV

N

% of N

n

Book Value of % of BV of the Sample Sample

% of n

$1,750,000

23%

10

2%

10

20% (10/50)

$1,750,000

62%

3,000,000

40%

90

18%

15

30% (15/50)

910,000

32%

2,750,000

37%

400

80%

25

$7,500,000

100%

500

100%

50

50% (25/50) 100%

170,000

6%

$2,830,000

100%

In this case, the auditor will confirm 10% (50 ÷ 500) of the customers in the population, and the auditor is auditing 38% ($2,830,000 ÷ $7,500,000) of the dollars in the population.

Step 8: Apply Audit Procedures

Applying audit procedures is the same for statistical and for nonstatistical sampling. In this case, the auditor is auditing accounts receivable and decides to send confirmations to customers for the purpose of determining the audited value of each customer receivable confirmed. To continue the example discussed above, the following table shows the audited values for the sample selected from strata 1, 2, and 3. For illustration purposes, each stratum is overstated by $10,000. Dollar Value of Stratum Receivables 1

Greater than $150,000

2

$15,000 to $150,000

3

Less than $15,000

Book Value of the Population

n

Book Value Audited Value of the Sample of the Sample

$1,750,000

10

$1,750,000

$1,740,000

3,000,000

15

910,000

900,000

$2,750,000

25

$  170,000

$  160,000

Step 9: Evaluate Sample Results When evaluating sample results, the auditor should (1) project misstatement found in the sample to the audit population and (2) consider sampling risk when evaluating sample results. Two acceptable methods of projecting misstatements in nonstatistical sampling are: ratio method  a method of estimating the audited value of the population where the auditor estimates the audited value of the population based on the ratio of the audited value in each stratum divided by the book value of the sample in each stratum difference method  a method of estimating the audited value of the population where the auditor adds (or subtracts) the projected difference between the audited value and book value of the sample to the book value of each stratum

•  A ratio method where the auditor estimates the audited value of the population (or each stratum) based on a ratio of the audited value of the sample divided by the book value of the sample. •  A difference method where the auditor estimates the audited value of the population by adding (or subtracting) the projected difference between audited value and book value of each stratum to the book value of that stratum. To illustrate, the following discussion continues with the data discussed above. Under the ratio method, the auditor would determine the audited value (AV) of each stratum using the following formula (as illustrated for the second stratum). AV of sample × BV of population BV of sample $900,000 × $3,000,000 = $910,000 = $2,967,033

Estimated AV of population =

The estimated audited value for each stratum using the ratio method is summarized as follows: Dollar Value   Stratum of Receivables 1

Greater than $150,000

2 3

Book Value of Book Value of the Population the Sample

Total Estimated  Audited Value Estimated Value Overstatement of the Sample of the Population of Population

$1,750,000

$1,750,000

$1,740,000

$1,740,000

$15,000 to $150,000

3,000,000

910,000

900,000

2,967,033

32,967

Less than $15,000

2,750,000

170,000

160,000

2,588,235

161,765

$7,295,268

$204,732

$7,500,000

$  10,000

  Applying Nonstatistical Sampling for Substantive Testing  10-31

Under the difference method the auditor would determine the audited value (AV) of each stratum using the following formula (as illustrated for the second stratum). Estimated AV of population = BV of population − D of population, where D=

(AV of population − BV of population) ×N n

= $3,000,000 −

Dollar Value   Stratum of Receivables

[($900,000 − $910,000) × 90] = $2,940,000 15 Estimated Audited Audited Total Estimated  Book Value   Value of Value of the Overstatement of the Sample the Sample Population of Population

Book Value of the Population

N

n

$1,750,000

10

10

$1,750,000

$1,740,000

$1,740,000

1

Greater than $150,000

2

$15,000 to $150,000

3,000,000

90

15

910,000

900,000

2,940,000

60,000

3

Less than $15,000

2,750,000

400

25

170,000

160,000

2,590,000

160,000

$7,500,000

500

50

$7,270,000

$230,000

One hundred percent of stratum 1 was audited, so the projected misstatement under each method was $10,000. The auditor knows this conclusion with certainty because 100% of this stratum was audited. Under both the ratio and difference methods, the $10,000 misstatement in stratum 2 projects to a smaller estimated misstatement than in stratum 3 because a higher proportion of stratum 2 is sampled and the auditor is projecting the misstatement on a smaller unsampled portion of the stratum. Recall that an allowance for sampling risk (ASR) is a measure of the uncertainty associated with not sampling the entire population. In nonstatistical samples, the auditor cannot calculate an allowance for sampling risk for a specific measurable level of risk of incorrect acceptance. However, the difference between projected misstatement (or estimated overstatement in this case) and tolerable misstatement may be viewed as an allowance for sampling risk. If tolerable misstatement exceeds projected misstatement by a large amount, the auditor may be reasonably assured that there is an acceptable low sampling risk that the actual misstatement exceeds tolerable misstatement. In the above example, tolerable misstatement exceeds projected misstate­ment by $170,268 ($375,000 – $204,732) using the ratio method, and by $145,000 ($375,000 – 230,000) using the difference method. Most auditors would conclude that these differences are sufficient to conclude that with respect to the assertions being audited (existence of receivables and valuation of receivables at their gross amount), the book value is materially correct. However, what would the auditor conclude if he or she found different results that showed an estimated overstatement of $345,000? In this case, while this overstatement is less than tolerable misstatement of $375,000, $345,000 of misstatement is so close that it does not allow for a reasonable allowance for sampling risk. In this case, the auditor is likely to extend the sample size and perform additional audit procedures to obtain a higher level of certainty (lower level of sampling risk) with respect to the auditor’s conclusion. When the results of a nonstatistical sample do not appear to support the book value, the auditor may (1) examine additional sample units and reevaluate, (2) apply alternative auditing procedures and reevaluate, or (3) ask the client to investigate and, if appropriate, make an adjustment. In audit sampling, prior to reaching an overall conclusion, consideration should be given to the qualitative characteristics of the misstatements. If evidence of fraud is found, the auditor must not only consider the implications for the account balance and transaction class being audited, but the auditor should also consider whether fraud may have occurred in other audit areas. Given the nature of the fraud and the perpetrators of the fraud, the auditor needs to consider what other audit issues might be influenced by the perpetrators of the discovered fraud. In addition, the auditor should consider whether the evidence is consistent with previous assessments of inherent and control risks. For example, if the auditor assesses control risk as low but finds multiple misstatements when performing substantive tests, the auditor should reassess control risk, and increase the degree of substantive testing accordingly.

$  10,000

10-32  C ha pte r 10  Risk Response: Evaluating ADA and Audit Sampling for Substantive Tests

Step 10: Document Conclusions Once the auditor has completed the sampling process, it is important that the auditor document the results of substantive tests in his or her working papers. The auditor might prepare a working paper similar to the one in Illustration 10.14. ILLUSTRATION 10.14   Example nonstatistical sampling plan working paper

Client:  G.J. Manufacturing Period-end: 12/31/22 Evaluation of Confirmation Results

Bell & Bowerman, LLP

Prepared by: W.M.F. 2/8/23 Reviewed by: C.W.B. 2/18/23

Reference: B-2

Objective: To obtain evidence regarding the existence of accounts receivable and the valuation of receivables at their gross amount. Population and Sampling Unit: Total book value of accounts receivable is $7,500,000 per the customer master file. Logical sampling unit is the customer account. Sample Size and Selection: We are planning moderate reliance on this sample. No reliance is placed on internal controls, and moderate reliance is placed on substantive analytical procedures. Receivables were confirmed as of year-end. Tolerable misstatement is set at $375,000, and individually significant items were determined to be $150,000 or greater. The population was sorted into three strata: (1) all receivables greater than $150,000, (2) all receivables between $150,000 and $15,000, and (3) all receivables less than $15,000 (including zero balances and credit balances). All individually significant items were confirmed 100%. A total sample size was judgmentally determined to be 50, with 10 items in stratum 1, 15 items haphazardly selected from stratum 2, and 25 items haphazardly selected from stratum 3 to include zero balances and credit balances. Confirmation procedures were applied to 38% of the dollars in the population, and 10% of the customers in the population. Audit Procedures Applied: The results of confirmation procedures are documented on workpaper B-3. Evaluation of Sample Results: Ratio Method Stratum

BV

N

n

$

$ AV

Estimated Audited Value

Expected Misstatement

1

> $150,000

$1,750,000

10

10

$1,750,000

$1,740,000

$1,740,000

$ 10,000

2

$15,000 - $150,000

3,000,000

90

15

910,000

900,000

2,967,033

32,967

3

< $15,000

2,750,000

400

25

170,000

160,000

2,588,235

161,765

$7,500,000

500

50

$2,830,000

$7,295,268

$204,732

BV

N

n

$

$ AV

Estimated Audited Value

Estimated Difference

$1,750,000

10

10

$1,750,000

$1,740,000

$1,740,000

$ 10,000

% of $ audited

37.7%

% of customers audited

10.0%

Difference Method Stratum 1

> $150,000

2

$15,000 - $150,000

3,000,000

90

15

910,000

900,000

2,940,000

60,000

3

< $15,000

2,750,000

400

25

170,000

160,000

2,590,000

160,000

$7,270,000

$230,000

$7,500,000

50

Conclusion: The estimated misstatement in the population is $204,732 using the ratio method and $230,000 using the difference method. This is sufficiently below tolerable misstatement to allow for a judgmental determination of an allowance for sampling risk and conclude that there is not more than $375,000 in misstatement in the population. As a result, I conclude that audit objectives cited above for accounts receivable are presented fairly in all material respects.

Before You Go On 9.1 How does the process of determining sample size differ in a statistical versus a nonstatistical sampling plan for substantive tests? 9.2 Explain two acceptable methods for projecting misstatements found in a nonstatistical sample. 9.3 Explain how the auditor evaluates an allowance for sampling risk in a nonstatistical sample.

Appendix 10A: Applying Classical Variables Sampling for Substantive Testing  10-33

  Applying Classical Variables Sampling for Substantive Testing Appendix 10A

LEARNING OBJECTIVE 10* Apply classical variables sampling for a substantive test to draw an audit conclusion.

After studying this appendix, you should be able to apply classical variables sampling for substantive tests following Steps 5 to 10 in Illustration 10.5, and draw an audit conclusion.

Step 5: Apply Classical Variables Sampling The auditor may use a classical variables sampling approach in substantive testing. Classical variables sampling uses normal distribution theory to select a sample and evaluate the characteristics of a population based on the results of a sample drawn from the population. Classical variables sampling may be useful to the auditor when the audit objective relates to either the possible under- or overstatement of an account balance and other circumstances when PPS sampling is not appropriate or cost-effective. The following three techniques may be used in classical variables sampling: (1) mean-­ per-unit (MPU), (2) difference, and (3) ratio. All three techniques require the determination of the total number of units in the population and an audit value for each item in the sample. The AICPA Audit Guide: Audit Sampling identifies the following constraints that should be considered in selecting the technique that is most appropriate in the circumstances:

classical variables sampling  a sampling method that uses normal distribution theory to select a sample from a population and evaluate the characteristics of a population based on the results of the sample

•  The ability to design a stratified sample. Stratification may significantly reduce sample size under the MPU method but may not materially affect sample size under the difference or ratio techniques. •  The expected number of differences between audit and book values. A minimum number of differences must exist between these values in the sample to use either the difference or ratio techniques. •  The available information. Book values must be available for each sampling unit in ratio and difference estimation. Book values are not required with the MPU technique. When all the constraints can be satisfied by any of the methods, the auditor ordinarily will prefer either difference or ratio estimation because these methods generally require a smaller sample size than the MPU method. Thus, they are more cost-effective in meeting the auditor’s objectives. The sampling plan for each technique involves the same steps required in PPS sampling.

Mean-per-Unit Estimation MPU estimation sampling involves determining an audit value for each item in the sample. An average (or mean) of these audit values is then calculated and multiplied by the number of units in the population to obtain an estimate of the total population value. An allowance for sampling risk associated with this estimate is also calculated for use in evaluating the sample results. The mean-per-unit method is illustrated by the audit of loans receivable for Ace ­Finance Company. The population is defined as 3,000 individual loans receivable, the recorded book value of these receivables is $1,340,000, individual loans are defined as the sampling unit, and the physical representation from which sample items are selected is an electronic file listing all loans receivable.

MPU estimation  a sampling method that involves determining an audit value for each item in the sample; an average (or mean) of these audit values is then calculated and multiplied by the number of units in the population to obtain an estimate of the total population value

10-34  C ha pte r 10  Risk Response: Evaluating ADA and Audit Sampling for Substantive Tests

Step 6: Determine the Sample Size Illustration 10A.1 provides an overview of the factors that influence sample size when the auditor uses MPU sampling. Some factors are similar to those discussed in Illustration 10.4, but others are unique to classical variables sampling. We will discuss each factor in Illustration 10A.1 in detail.

Illustration 10A.1   Factors that influence sample size for classical variables sampling using MPU estimation

Factor (Relationship to Sample Size)

Larger Samples Larger populations with larger numbers of units should result in a larger sample size. The larger the standard deviation in the population, the larger the sample size.

Population size in number of units (Direct) Estimated population standard deviation

Smaller Samples Smaller populations with fewer number of units should result in a smaller sample size. The smaller the standard deviation in the population, the smaller the sample size.

(Direct) Smaller amounts of sampling risk should result in a larger sample size. The risk of incorrect rejection influences sample size through the planned allowance for sampling risk.

Risk of incorrect rejection

Smaller amounts of sampling risk should result in a larger sample size. The risk of incorrect acceptance influences sample size through the planned allowance for sampling risk.

Risk of incorrect acceptance

If the auditor desires more precise estimates, the sample size will be larger.

Planned allowance for sampling risk

The smaller the amount of misstatement that the auditor can tolerate, the larger the sample size.

Tolerable misstatement

(Inverse)

(Inverse)

(Inverse) (Inverse)

Larger amounts of sampling risk should result in a smaller sample size. The risk of incorrect rejection influences sample size through the planned allowance for sampling risk. Larger amounts of sampling risk should result in a smaller sample size. The risk of incorrect acceptance influences sample size through the planned allowance for sampling risk. If the auditor can tolerate less precise estimates, the sample size will be smaller. The larger the amount of misstatement that the auditor can tolerate, the smaller the sample size.

Population Size It is critical to have accurate knowledge of the number of units in the population because this factor enters into the calculation of both the sample size and sample results. Population size directly affects sample size—that is, the larger the population, the larger the sample size. As noted earlier, the population for Ace Finance Company consists of 3,000 loans receivable.

Estimated Population Standard Deviation In MPU estimation, the sample size required to achieve specified statistical objectives is related directly to the variability of the values of the population items. The more variability in an audit population, the larger the sample size. The measure of variability used is the standard deviation. If an audit value is not obtained for every population item, the standard deviation of the audit values for the items in the sample is used as an estimate of the population standard deviation. But because the sample standard deviation is not known before the sample is selected, it also must be estimated. There are three ways to estimate this factor. First, in a recurring engagement, the standard deviation found in the preceding audit may be used to estimate standard deviation for the purpose of determining sample size. Second, the standard deviation can be estimated from available book values. Third, the auditor can take a small presample of 30 to 50 items and base the estimate of the current year’s population standard deviation on the audit values of these sample items. When this is done, the presample may be made a part of the final sample. Software for MPU estimation sampling includes a routine to calculate the estimated standard deviation. Microsoft Excel also provides a formula for the standard deviation of a sample.

Appendix 10A: Applying Classical Variables Sampling for Substantive Testing  10-35

If it must be calculated manually, the formula for calculating the standard deviation is: Sx j =

n



( x j − x )2

j=1

n –1

where n

∑ = sum of sample values; j = 1 means the summary should begin with the first item and j =1

n means that the summary should end with the last item in the sample xj = audit values of individual sample items x = mean of the audit values of sample items n = number of items audited A primary concern of the auditor in MPU sampling is whether the population should be stratified into relatively homogeneous groups or strata. A homogeneous group in this context is one that has little variability in the values of the items comprising the group or stratum. Sampling is performed separately on each stratum, and sample results for each stratum are subsequently combined to evaluate the total sample. Stratification may be advantageous because the combined sample size often will be significantly less than a single sample size based on an unstratified population. This follows from the fact that sample size decreases as the variability of the population decreases. In fact, a change in the variability of a population affects sample size by the square of the relative change. Consequently, when the variation in the population changes from 200 to 100 (i.e., halved), the sample size required to meet the same statistical objectives is decreased by a factor of 4 (one-half squared equals one-fourth). The optimal number of strata depends on the pattern of variation in the population values and the additional costs associated with designing, executing, and evaluating each stratified sample. Because of the complexity of the procedure, stratification is generally used only when appropriate software is available. To simplify subsequent illustrations in this appendix, unstratified samples are used. In practice, when population values are highly variable and stratification is not feasible, the auditor may choose another sampling method. Ace Finance Company limits loans to a maximum of $500 per customer. Thus, variability is low and the auditor concludes there is no need to stratify the population. Based on the prior year’s audit, the auditor estimates a standard deviation of $100.

Risk of Incorrect Rejection The risk of incorrect rejection is the risk the sample results will support the conclusion that the recorded account balance is materially misstated when it is not. The principal consequence of this risk is additional costs associated with expanded audit procedures following the initial rejection. However, the additional auditing procedures should ultimately result in the conclusion that the balance is not materially misstated. In contrast to PPS sampling, the auditor must quantify the risk of incorrect rejection in MPU sampling as well as the risk of incorrect acceptance. The risk of incorrect rejection has an inverse effect on sample size. If the auditor specifies a very low risk of incorrect rejection, the size and cost of performing the initial sample will be larger. Therefore, the auditor’s experience and knowledge of the client should be used to specify an appropriate risk of incorrect rejection to balance the costs associated with the initial sample and the potential costs of later expanding the sample. In many software applications, the auditor inputs the risk of incorrect rejection directly as a percentage figure. Other applications require the auditor to input a confidence or reliability level, which is the complement of the risk of incorrect rejection. In either case, the software then converts the percentage into an appropriate standard normal deviate or UR factor for use in calculating the sample size. If the sample size is being calculated manually, a UR factor for the specified risk of incorrect rejection is obtained from a table like the one illustrated in Illustration 10A.2.

10-36  C h a pte r 10  Risk Response: Evaluating ADA and Audit Sampling for Substantive Tests Illustration 10A.2  

Selected risk of incorrect rejection percentages and corresponding standards normal deviates or UR factors

Risk of Incorrect Rejection

Standard Normal Deviate (UR Factor)

Corresponding Confidence or Reliability Level

30%

±1.04

70%

25%

±1.15

75%

20%

±1.28

80%

15%

±1.44

85%

10%

±1.64

90%

05%

±1.96

95%

01%

±2.58

99%

The auditor decides to specify a 5% risk of incorrect rejection in the Ace Finance Company audit. Thus, the UR factor is 1.96.

Risk of Incorrect Acceptance The factors to be considered in specifying the risk of incorrect acceptance are the same as in PPS sampling. The risk of incorrect acceptance of a materially misstated balance is ordinarily specified in the range from 5 to 30%, depending on the auditor’s evaluation of the elements of the audit risk model, such as inherent risk, the assessed level of control risk, and the assurance expected from other substantive tests. The risk of incorrect acceptance has an inverse effect on sample size—the lower the specified risk, the larger the sample size. In the Ace Finance audit, the auditor specifies a 20% risk of incorrect acceptance.

Planned Allowance for Sampling Risk The planned allowance for sampling risk has an inverse relationship to sample size. Higher levels of sampling risk in which the auditor can tolerate less precise estimates leads to smaller sample sizes. The planned allowance for sampling risk (sometimes referred to as “desired precision”) is derived from the following formula: A = R × TM

  A = desired or planned allowance for sampling risk   R = ratio of desired allowance for sampling risk   TM = tolerable misstatement where

The ratio for the R factor is based on the specified risks of incorrect acceptance and incorrect rejection. The amount of the ratio is obtained from the table shown in Illustration 10A.3. In the Ace Finance Company example, the foregoing risks have been specified at 20% and 5%. Thus, the R factor is 0.70. This factor is then multiplied by the TM of $60,000 to produce an allowance for sampling risk of $42,000. ILLUSTRATION 10A.3  

Ratio of desired allowance for sampling risk to tolerable misstatement

Risk of Incorrect Acceptance

Risk of Incorrect Rejection 20%

10%

5%

1% 0.525

1.0%

0.355

0.413

0.457

2.5%

0.395

0.456

0.500

0.568

5.0%

0.437

0.500

0.543

0.609

7.5%

0.471

0.532

0.576

0.641

10.0%

0.500

0.561

0.605

0.668

15.0%

0.511

0.612

0.653

0.712

20.0%

0.603

0.661

0.700

0.753

25.0%

0.653

0.708

0.742

0.791

30.0%

0.707

0.756

0.787

0.829

35.0%

0.766

0.808

0.834

0.868

40.0%

0.831

0.863

0.883

0.908

45.0%

0.907

0.926

0.937

0.952

50.0%

1.000

1.000

1.000

1.000

Source: AICPA Audit Guide: Audit Sampling.

Appendix 10A: Applying Classical Variables Sampling for Substantive Testing  10-37

Tolerable Misstatement The considerations applicable to tolerable misstatement (TM) are the same in MPU sampling as in PPS sampling. TM has an inverse effect on sample size. In the Ace Finance Company example, the auditor specifies a TM of $60,000.

Sample Size Formula The following formula is used to determine sample size for an MPU estimation sample:  N ⋅U R ⋅ S x j  n=  A 

2

where   N = population size   UR = the standard normal deviate for the desired risk of incorrect rejection   S x j = estimated population standard deviation   A = desired or planned allowance for sampling risk In the Ace Finance Company example, these four factors are 3,000, 1.96, $100, and $42,000, respectively. Thus, the sample size is 196, computed as follows: 2

 3,000 × 1.96 × $100  n=  = 196  42,000 This formula assumes sampling with replacement (i.e., an item once selected is put back into the population and is eligible for selection again). When sampling without replacement, a finite correction factor is recommended when the relationship between n (sample size) and N (population size) is greater than 0.05. The adjusted sample size (n′) is determined as follows: n′ =

n n   1 +  N

Because n/N is greater than 0.05 (196 ÷ 3,000 = 0.065) in Ace Finance, the adjusted sample size is n′ =

196 = 184 196   + 1  3,000 

Step 7: Select a Random Sample Either the simple random number selection method or the systematic selection method may be used in selecting the sample under the MPU technique. In the Ace Finance Company example, the auditor decides to use generalized audit software to randomly identify the 184 loans receivable to be examined.

Step 8: Apply Audit Procedures The execution phase of an MPU estimation sampling plan includes the following steps: •  Perform appropriate auditing procedures to determine an audit value for each sample item. •  Calculate the following statistics based on the sample data:

̥  The average of the sample audit values (x).

̥  The standard deviation of the sample audit values (S x ). j

The average and standard deviation statistics for the sample may be computed manually or with software. For the Ace Finance sample, the sum of the audit values is determined to be $81,328, ­resulting in an average audit value of $442 ($81,328 ÷ 184). The standard deviation of the audit values is determined to be $90.

10-38  C ha pte r 10  Risk Response: Evaluating ADA and Audit Sampling for Substantive Tests

Step 9: Evaluate the Sample Results Evaluating sample results involves making both a quantitative and a qualitative assessment of the results in order to reach an overall conclusion.

Quantitative Assessment In making this evaluation in an MPU sampling plan, the auditor calculates: •  The estimated total population value. •  The achieved allowance for sampling risk, sometimes referred to as achieved precision. •  A range for the estimated total population value, sometimes referred to as the precision interval. The estimated total population value (Xˆ ) is calculated as follows: Xˆ = N ⋅ x Thus, the estimated total population value for Ace Finance Company’s 3,000 loans receivable is: Xˆ = 3,000 × $442 = $1,326,000 The basic formula for calculating the achieved allowance for sampling risk ( A ′) is: A′ = N ⋅U R ⋅

Sx j n

where S x j is the standard deviation of the sample audit values. Note that the value for S x j is based on the standard deviation of the audited values, not the value for S x j used in determining sample size. When the finite correction factor has been used in determining sample size, the formula is modified as follows: A′ = N ⋅U R ⋅

Sx j 1 − n′

n′ N

Therefore, the achieved allowance for sampling risk for Ace Finance is:

A ′ = 3,000 × 1.96 ×

184 3,000 = $37,798 184

$90 1 −

The range for the estimated total population value is calculated by adding and subtracting the achieved allowance for sampling risk to the estimated total population value. The range is: Xˆ ± A ′ For Ace Finance Company, the calculation is as follows: Range = $1,326,000 ± $37,798 = $1,288,202 to $1,363,798 If the book value falls within this range, the sample results support the conclusion that the book value is not materially misstated. The book value of loans receivable for Ace Finance is $1,340,000. Therefore, the auditor can conclude that the population is fairly stated in all material respects. It should be recognized that the sample results may support the conclusion that the book value is not materially misstated but not within the level of risk of incorrect acceptance specified by the auditor. To stay within the desired risk, achieved allowance for sampling risk ( A ′) must be equal to or less than planned allowance for sampling risk (A). A ′ will be greater than A whenever the standard deviation of audit values is greater than the estimated population standard deviation used in determining sample size. For example, if the standard deviation of audit values in the Ace Finance example had been $110, A ′ would have been $46,197, which is greater than the $42,000 specified for A. In such a case, the auditor computes the adjusted

Appendix 10A: Applying Classical Variables Sampling for Substantive Testing  10-39

achieved allowance for sampling risk ( A ′′) by the following formula where TM is the tolerable misstatement specified in the sampling plan: A′   A ′′ = A ′ + TM  1 −   A $46,197   A ′′ = $46,197 + $60,000  1 −  $42,000  A ′′ = $40,197 Note that A ′′ ($40,197) is less than A, ($42,000). A ′′ is then substituted for A ′ in the formula used to calculate the range for the estimated population value. Using A ′′, the estimated population range is $1,326,000 ± $40,197, or $1,285,803 to $1,366,197. Because the book value of $1,340,000 falls within the range, the sample results indicate that the book value is not materially misstated at the planned risk of incorrect acceptance. The book value may fall outside the range because the achieved allowance for sampling risk is significantly smaller than the planned allowance. When this occurs, the auditor (1) calculates the difference between the book value and the far end of the range and (2) compares the difference to TM. If the difference is equal to or less than TM, the sample results indicate that the book value is not materially misstated. For example, if the achieved allowance in Ace Finance Company is $12,000, the range becomes $1,314,000 to $1,338,000 and the book value ($1,340,000) falls outside the precision interval. The difference between the book value and the far end of the range is $26,000 ($1,340,000 – $1,314,000). Because this is less than the TM of $60,000, the book value is supported.

Qualitative Assessment Prior to reaching an overall conclusion, the auditor should consider the qualitative aspects of the sample results. These considerations are the same in MPU sampling as in PPS sampling, and the auditor should consider the underlying cause of all misstatements found. For example, misstatements may be due to (1) differences in principle or application, (2) errors, or (3) fraud. Consideration should also be given to the relationship of the misstatements to other phases of the audit.

Reaching an Overall Conclusion When either the auditor’s quantitative (statistical) or qualitative assessments of sample results support the conclusion that the population is materially misstated, professional judgment should be used in deciding an appropriate course of action. The possible causes and actions are as follows: Causes

Actions

1. The sample is not representative of the population.

Expand the sample and reevaluate the results.

2. The achieved allowance for sampling risk may be larger than the desired allowance because the sample size was too small.

Expand the sample and reevaluate the results.

3. The population book value may be misstated by more than tolerable misstatement.

Have client investigate and, if warranted, adjust the book value and reevaluate the sample results.

Step 10: Document Results Illustration 10A.4 summarizes the steps performed in designing, executing, and evaluating the MPU sampling plan to test the book value of Ace Finance Company’s loans receivable and illustrates how these steps can be documented in a working paper.

10-40  C ha pte r 10  Risk Response: Evaluating ADA and Audit Sampling for Substantive Tests ILLUSTRATION 10A.4   Mean-per-unit sampling plan working paper

Bell & Bowerman, LLPrepared by: W.M.F. 2/22/23

Client:  Ace Finance Company Period-end: 12/31/22

Reference: C-2

MPU Sample – Loans Receivable

Reviewed by: C.W.B. 2/25/23

Objective: To obtain evidence that the aggregate book value of loans receivable as of 12/31/22 was not materially misstated. Population and Sampling Unit: 3,000 loans on electronic listing prepared from master file. The sampling unit was the individual loan receivable. Sample Size:

Population Size

3,000

Estimated Standard Deviation

$100

(S )

Tolerable Misstatement

$60,000

(TM)

Risk of Incorrect Rejection

5%

UR = 1.96

Risk of Incorrect Acceptance

20%

Ratio of Desired Allowance for Sampling Risk

0.700

(R)

Desired Allowance for Sampling Risk = R x TM

$42,000

(A)

 N ⋅ UR ⋅ S x j n =  A

196

(n)

184

(n′)

n′ =

  

(N)

xj

2

n  n 1 + N   

Sample Selection:

Simple random using software-generated random numbers list to correspond to loan numbers. Sampling units selected are listed on W/P C-5

C-5

Execution of Sampling Plan

Audit Procedures Applied Listed on W/P

C-6

Audit Values of Sample Items Shown on W/P

C-6

Sum of Sample Audit Values

$81,328

Average of Sample Audit Values

$442.00

X

Standards Deviation of Sample Audit Values

$90.00

Sx

Estimated Total Population Value

$1,326,000



Achieved Allowance for Sampling Risk Range: Xˆ ± A′

$37,798 $1,288,202 to  $1,363,798

A′

Evaluation of Sample Results

j

Conclusion: The total book value of $1,340,000 falls within the calculated range for the estimated total population value. Sample results support the conclusion that the loans receivable are materially correct.

Before You Go On 10.1 What information must the auditor have about the population to be audited in order to use classical variables sampling? 10.2 Identify the factors that influence sample size in a classical variables sample, and explain how each factor influences sample size, holding other factors constant. 10.3 After calculating the achieved allowance for sample risk, explain how the auditor uses this value when evaluating sample results.

  Learning Objectives Review  10-41

Learning Objectives Review 1  Evaluate when to use audit data analytics versus

audit sampling. When developing an audit plan for an assertion, the auditor needs to determine whether it is more appropriate to use audit data analytics (ADA) or audit sampling for the purpose of collecting and evaluating evidence. When considering the use of ADA, the auditor needs to consider whether ADA will be used as a risk assessment procedure or as a substantive test, how reliable the underlying data is, and how the ADA relates to the account balance and assertion being audited. Often the auditor will use ADA to look for particular characteristics in the underlying data (e.g., items where there is too much inventory on hand), or the auditor might use ADA to predict the relationship between two variables (e.g., sales and accounts receivable). The auditor might be more likely to use audit sampling when certain audit procedures are required by professional standards (e.g., observing inventory or confirming receivables), when internal controls are poor (leading to poor quality data), or when auditing smaller audit populations that can be easily sampled. 2  Define audit sampling and explain how audit sam-

sampling involves any sample selection and evaluation method that does not have the characteristics of statistical sampling. In nonstatistical sampling, the auditor determines sample size, chooses sample selection methods, and evaluates sample results entirely on the basis of the professional judgment and the experience of those on the audit team. 5  Explain various sampling methods available to

auditors. The most common methods used by auditors to select a sample are random selection, systematic selection, and haphazard selection. Random selection involves a sample that is free from bias and each item in a population has an equal chance of being selected. Systematic selection involves the selection of a sample for testing by dividing the number of items in the population by the sample size, ­determining a sampling interval, and then selecting one item from the sampling interval using random or haphazard selection. Haphazard selection is a method where the auditor does not use a formal selection technique but haphazardly attempts to select a sample without bias. An auditor might also stratify a population into more homogeneous groups prior to selecting a sample using random, systematic, or haphazard selection.

pling is applied for substantive tests. Audit sampling is the auditor selecting and evaluating less than 100% of the population of audit relevance such that the auditor expects the items selected (the sample) to be representative of the population and, thus, likely to provide a reasonable basis for conclusions about the population. In some cases, the auditor might also audit 100% of the population when there are few sampling units in a population, such as the balance of notes payable when notes are from only a few banks. Sampling may be more effective when there are a large number of sampling units in a population, such as when confirming receivables or observing inventory. 3  Differentiate between sampling and nonsampling risk. Sampling risk is the risk that the auditor’s conclusion based on a sample may be different from the conclusion if the entire population were subjected to the same audit procedure. Sampling risk is caused by a sample not being representative of the entire population. Nonsampling risk involves any risk that is not due to sampling, such as collecting evidence that is not relevant to the assertion, or incorrectly evaluating audit evidence. Nonsampling risk is typically controlled by a firm’s quality control procedures and the review of audit work performed by others in the audit firm. 4  Differentiate between statistical and nonstatistical

sampling. Statistical sampling is an approach to sampling that involves a ­random selection of sample items and the use of an appropriate ­statistical technique to determine sample size and evaluate sample results, including measurement of sampling risk. Nonstatistical

6  Determine how sample size for substantive testing is influenced by various factors. AU-C 530.A13 identifies the following factors that influence sample size in a substantive test: •  The desired level of assurance that tolerable misstatement is not exceeded by the actual misstatement in the population. •  Tolerable misstatement. •  The amount of expected misstatement in the population. •  Stratification of the population into more homogeneous subgroups. This section of the chapter discusses how each of these factors influences sample size (while holding other factors constant). 7  Explain a basic framework for selecting and evaluating an audit sample for substantive testing. Illustration 10.5 outlines a basic framework that is used in the remainder of the chapter for selecting and evaluating a sample. This framework involves 10 steps, which are:

1. Determine the objectives of the substantive test. 2.  Determine the substantive audit procedures to perform. 3. Determine whether the auditor will audit a sample or the entire population.

4. Define the population and sampling unit. 5. Determine whether the auditor will use statistical or nonsta-

tistical sampling and what method will be used to sample the population.

10-42  C ha pte r 10  Risk Response: Evaluating ADA and Audit Sampling for Substantive Tests

6. Determine sample size based on the sampling method used. 7. Select a representative sample. 8. Apply audit procedures to the sampled items. 9. Evaluate sample results and draw a conclusion about the population.

10. Document conclusions. Steps 1 through 4 are common to all sampling plans. 8  Apply probability-proportionate-to-size sampling for a substantive test to draw an audit conclusion. PPS sampling uses attribute sampling theory to express a conclusion in dollar amounts. The sampling technique is such that the probability that a particular sampling unit will be chosen in the sample is proportionate to the monetary size of the item. This form of sampling may be used in substantive tests of both transactions and balances. This section explains the advantages and disadvantages of using PPS sampling and explains Steps 5 through 10 in the application of probability-proportionate-to-size sampling.

9  Apply nonstatistical sampling for a substantive test to draw an audit conclusion. Nonstatistical sampling is an approach to audit sampling that relies on the auditor’s judgment to determine sample size, select the sample, project sample results onto the population, and evaluate any allowance for sampling risk. This section explains the advantages and disadvantages of using nonstatistical sampling and explains steps 5 through 10 with the application of ratio and difference analysis for evaluating the sample results. 10*  Apply classical variables sampling for a substantive

test to draw an audit conclusion. Classical variables sampling uses normal distribution theory to select a sample and develop a conclusion in dollar amounts. This form of sampling may be used in substantive tests of both transactions and balances. This section explains the advantages and disadvantages of using classical variables sampling and explains steps 5 through 10 in the application of classical variables sampling to select and evaluate a sample for a substantive test.

Key Terms Review Allowance for sampling risk (ASR) Audit sampling Basic precision (BP) *Classical   variables sampling Desired level of assurance Difference method Expected misstatement Haphazard selection Logical sampling unit

*MPU   estimation Nonsampling risk Nonstatistical sampling Population Probability-proportionate-to-size (PPS) sampling Projected misstatement Random selection Ratio method Reciprocal population

Risk of incorrect acceptance Risk of incorrect rejection Sampling risk Sampling unit Statistical sampling Stratification Systematic selection Tolerable misstatement Upper misstatement limit

Audit Decision-Making Example: Determining Sample Size Background Information Gregory Ness has been assigned to the audit of Mainstream Kayak, Inc. Mainstream is a privately owned company that manufactures kayaks from one location in Minnesota and ships its products to retailers throughout the United States and Canada. Mainstream has had a good year. Sales amounted to $35.1 million, which represents almost a 25% growth over the previous year. Mainstream has approximately 1,500 customers. Individual accounts receivables at yearend range from Mainstream’s largest account receivable of $250,000 to its smallest receivable of $500. Receivables have grown by only 20% to $3,950,000, so receivable collections have been strong. Gregory has completed a system walkthrough for the revenue process and has determined the company has very conscientious accounting staff. However, the owner has not invested in significant internal controls. There is weak segregation of duties, but the owner regularly reviews receivables, cash balances, and cash disbursements on a timely basis. The owner also monitors inventory levels carefully. In the prior year, confirmations showed misstatements in accounts receivable and a proposed audit adjustment in the amount of $680,000 (reducing receivables and revenues).

Gregory now needs to develop a preliminary audit plan for the audit of the revenue process. He has not performed tests of controls over receivables and therefore has determined receivables should be confirmed as of year-end. Gregory plans on using a nonstatistical sampling plan. Following his audit firm’s methodology, tolerable misstatement for accounts receivable has been set at $190,000 (4.8% of accounts receivable).

Identify Audit Issues What should Gregory consider when making a decision about sample size for testing the existence of accounts receivable? Discuss each factor that influences sample size, what Gregory knows about Mainstream, and how this should influence his decision.

Gather Additional Information and Evidence The key factors that influence sample size in a substantive test are: •  The desired level of assurance that tolerable misstatement is not exceeded by actual misstatements in the population. •  Tolerable misstatement. •  Expected misstatement. •  Stratification of the population (if appropriate).

  Multiple-Choice Questions  10-43

Analysis and Evaluation of Alternatives Inherent risk is high due to the fact that receivables would be affected if revenue recognition problems exist. Control risk is dependent on the strength of owner controls and review of receivables and cash balances. If owner controls are not tested, control risk should also be set at maximum given the problems with weak segregation of duties. As a result, detection risk should be set at low.

Audit Conclusion The auditor needs a high level of assurance that tolerable misstatement is not exceeded by actual misstatement in the population given that detection risk is set at low. Based on prior

experience, expected misstatements are significant and may exceed tolerable misstatement. Each of these factors leads to selecting a larger sample size. The population appears to have a high degree of variance, with receivables ranging from $500 to $250,000. Hence, Gregory should consider using a stratified sampling plan. Gregory might select the 10–20 largest accounts for 100% confirmation and then stratify the remaining receivables into two or three relatively homogeneous groups. Using this format, Gregory might be able to audit 50% to 60% of the total dollars of accounts receivable while only confirming 10% to 15% of the customer receivables, or perhaps sending confirmations to 200 out of 1500 customers.

CPAexcel CPAexcel questions and other resources are available in WileyPLUS. Note: All asterisked material relate to the appendix to the chapter.

Multiple-Choice Questions 1.  (LO 1)  Which of the following factors would most likely cause an auditor to use audit sampling versus audit data analytics?

d.  is the risk that an auditor arrives at an inappropriate conclusion for a reason unrelated to sampling issues.

a.  Evidence to support the audit test is not available in electronic form.

5.  (LO 4)  The critical difference between statistical and nonstatistical sampling is:

b.  The audit population is large, and the auditor’s tests are ­supported by reliable and relevant data in electronic form, making ADA efficient.

a.  the required use of judgment in nonstatistical sampling.

c.  Relevant data are reliable and internal controls over the ­reliability of data are strong. d.  Relevant data are clean or can be cleaned up easily. 2.  (LO 2)  Audit sampling is defined as a situation where: a.  the auditor tests a subset of the population to draw a ­conclusion about a subset of the population. b.  the auditor screens 100% of the population to identify a subset with particular risk traits. c.  the auditor tests a representative group that is less than 100% of the population for the purpose of drawing a conclusion about the entire population. d.  the auditor screens less than 100% of the population to ­identify a subset with particular risk traits. 3.  (LO 3)  Sampling risk: a.  is the risk that the sample chosen by the auditor is not ­representative of the population of transactions. b.  is the risk that the results of the test will be misinter­preted by the auditor. c.  can be eliminated by taking a random sample. d.  applies only to samples for substantive testing. 4.  (LO 3)  Nonsampling risk: a.  only occurs if you test every item of the population. b.  only applies to samples taken for the purposes of substantive testing. c.  does not occur if an auditor relies on unreliable evidence.

b.  the elimination of nonsampling risk with statistical ­sampling. c.  the use of the laws of probability in statistical sampling to determine sample size and develop a confidence interval around the results of the sample. d.  that more representative samples are attained with statistical sampling. 6.  (LO 5)  An auditor is testing accounts receivable for a client that has 1,000 customers with customer balances that range from $150 to $185,000. The auditor subdivided the receivables into three groups: group 1 has all customers with receivable balances between $185,000 and $100,000, group 2 has all customers with receivable balances between $100,000 and $25,000, and group 3 has all customers with receivable balances less than $25,000. The auditor then randomly selects customers out of each group. This is known as: a.  random selection. b.  stratified sampling. c.  haphazard selection. d.  block selection. 7.  (LO 6)  Holding all other factors constant, which of the following factors results in an increase in sample size for substantive tests? a.  A decrease in the amount of expected misstatement in the population to be tested. b.  Stratifying the population when appropriate. c.  An increase in the amount of tolerable misstatement. d.  An increase in the desired level of assurance that the tolerable misstatement is not exceeded by the actual amount of misstatement in the population.

10-44  C ha pte r 10  Risk Response: Evaluating ADA and Audit Sampling for Substantive Tests 8.  (LO 7)  When defining the population and sampling unit, sometimes an auditor must look for a reciprocal population. A reciprocal population is: a.  a class of transactions or the account balance to be tested. b.  a class of transactions related to the account balance being tested (e.g., sales to accounts receivable).

10.  (LO 9)  An auditor uses nonstatistical ratio estimation to evaluate the results of a sample. The population book value was $2,000,000 and contained 350 items. The auditor selected 100 items with a book value of $500,000. The audited value of the sample was $480,000. The estimated audited value of the population is: a.  $1,980,000.

c.  a subset of the population that is the basis for sampling.

b.  $1,930,000.

d.  a population that is overstated if the population of interest is understated (or vice versa).

d.  $1,900,000.

9.  (LO 8)  The auditor’s decision about the risk of incorrect acceptance affects which of the following factors in a statistical PPS sample?

c.  $1,920,000. *11.    (LO 10)  When planning a classical variables sample, the risk of incorrect acceptance and the risk of incorrect rejection are related to what general factor that influences sample size?

a.  Tolerable misstatement.

a.  The desired level of assurance from the sample.

b.  Reliability factor.

b.  Tolerable misstatement.

c.  Book value of the population.

c.  Expected misstatement.

d.  Expected misstatement.

d.  The use of stratification when sampling.

Review Questions R10.1  (LO 1)  Assume that you are auditing inventory for a computer manufacturer with strong internal controls. Identify one assertion where the auditor is likely to use audit sampling. Explain your reasoning. Then identify another assertion where the auditor is likely to use audit data analytics. Explain your reasoning. R10.2  (LO 2)  Using your example of audit sampling in the answer to R10.1, what items make up the population? What items are subject to being sampled? When the sample is complete, is the auditor drawing a conclusion about the sample or the population? Explain your reasoning. R10.3  (LO 3)  Assume an auditor finds total errors of $25, 300 in a sample of sales invoices. Why is it not appropriate to conclude that sales are misstated by $25, 300? R10.4  (LO 3)  Explain the difference between the two types of sampling risk for substantive tests: the risk of incorrect acceptance and the risk of incorrect rejection. What are the errors’ different implications for the audit? Which is the more serious risk? Explain. R10.5  (LO 3)  Why does nonsampling risk exist for all types of tests in all audits? Explain. R10.6  (LO 4)  What are the advantages of nonstatistical sampling over statistical sampling?

R10.7  (LO 4)  Explain the advantages of statistical sampling over nonstatistical sampling. R10.8  (LO 5)  Explain the risk associated with using systematic ­sample selection. R10.9  (LO 5, 7)  Explain the role of professional judgment in selecting and evaluating a sample. R10.10  (LO 6)  What influences the auditor’s assessment of tolerable misstatement? R10.11  (LO 6)  What influences the auditor’s assessment of expected misstatement in the population? R10.12  (LO 7)  Explain the importance of determining the appropriate audit procedure to perform. What is the risk if the audit procedure is not appropriate for the assertion being tested? Does this step relate to sampling risk or nonsampling risk? R10.13  (LO 8)  Explain the advantages and disadvantages of using probability-proportionate-to-size sampling when testing the existence of accounts receivable. R10.14  (LO 9)  Explain the advantages and disadvantages of using nonstatistical sampling when testing the existence of accounts receivable. *R10.15    (LO 10)  What conditions should exist if the auditor plans to use difference estimation or ratio estimation techniques with classical variables sampling?

Analysis Problems AP10.1  (LO 1)  Basic   ADA   Audit data analytics and audit sampling  You are auditing Northeastern Food Wholesalers (NFW). NFW purchases a full line of various grocery products and sells them to independent grocery stores in six Northeastern states. NFW has one distribution center and approximately 900 customers. On average NFW turns its inventory approximately every 21 days, and it takes approximately 35 days to collect receivables.

  Analysis Problems  10-45

Required a.  Identify a potential application for audit data analytics in the audit of NFW. Explain the application and the assertion(s) tested by the application. b.  Identify a potential application for audit sampling in the audit of NFW. Explain the application and the assertion(s) tested by the application. AP10.2  (LO 3)  Basic   Uncertainties in audit sampling  One of the generally accepted auditing standards states that sufficient competent evidential matter is to be obtained through inspection, observation, inquiries, and confirmation to afford a reasonable basis for an opinion regarding the financial statements under examination. Some degree of uncertainty is implicit in the concept of “a reasonable basis for an opinion,” because the concept of sampling is well established in auditing practice.

Required a.  Explain the auditor’s justification for accepting the uncertainties that are inherent in the sampling process. b.  Discuss the uncertainties that collectively embody the concept of audit risk. c.  Discuss the nature of sampling risk and nonsampling risk. Include the effect of sampling risk on tests of controls in the auditor’s study and evaluation of the internal control structure. 

(AICPA adapted)

AP10.3  (LO   3)  Moderate   Sampling and nonsampling risk for substantive testing  Fred Hutchinson is auditing revenue for Urban Homes, a home builder in California. Urban Homes usually has between 450 and 600 home construction projects going at any point in time, for between 300 and 500 customers. Urban Homes recognizes revenue on a percentage-of-completion basis. Fred has to determine the appropriateness of revenue recognition for Urban Homes. Fred has previously tested controls and assessed control risk as moderate.

Required a.  What population(s) would be relevant to Fred’s substantive tests of revenue recognition? b.  Explain the potential implications of sampling risk for the audit of revenue recognition. c.  What possible nonsampling risks exist in this case? AP10.4  (LO 2, 3, 4, 5)  Basic   Judgment in statistical sampling  The use of statistical sampling techniques in an audit of financial statements does not eliminate judgmental decisions.

Required a.  Identify and explain four areas in which judgment may be exercised by a CPA when planning a statistical sampling for testing the existence of inventory. b.  Assume that a CPA’s sample shows two differences between inventory counted in the sample and the inventory recorded on the books for those items. Describe the various actions that he or she may take based on this finding. c.  A nonstratified sample of 80 accounts payable vouchers is to be selected from a population of 3,200. The vouchers are numbered consecutively from 1 to 3,200 and are listed, 40 to a page, in the voucher register. Describe two different techniques for selecting a sample of vouchers for substantive tests of transactions. 

(AICPA adapted)

AP10.5  (LO 6)  Moderate   Factors that influence sample size.  Jennifer Jones has been assigned to audit inventory for Consumer Home Electronics Warehouse. Consumer Home Electronics Warehouse is a retailer of a variety of home electronics and appliances (ranging from refrigerator and stoves, washers and dryers, televisions, computers, and cell phones). Consumer Home Electronics Warehouse has 25 locations located in larger cities in the midwestern United States. Jennifer plans to audit the existence of inventory. The book value of inventory is $35 million, which is very material to the company’s financial statements. A few items in inventory are very high in dollar value, but there is no individual item larger than tolerable misstatement. About 5% of the items in inventory have costs over $1,000. About 45% of the individual items in inventory have a cost between $500 and $1,000. The remainder of the inventory has individual costs of less than $500. Tolerable misstatement is set at $1,600,000. Jennifer has determined that Consumer Electronics has excellent internal controls over inventory and tests of controls noted no deviations or exceptions.

10-46  C ha pte r 10  Risk Response: Evaluating ADA and Audit Sampling for Substantive Tests

Required a.  Identify the factors that influence sample size for a substantive test. b.  In the case of Consumer Home Electronics Warehouse, identify how each item might influence sample size (while holding the other items constant). AP10.6  (LO 7)  Basic   Steps in executing a substantive sampling plan   Jennifer Jones has been assigned to audit inventory for Consumer Home Electronics Warehouse. Consumer Home Electronics Warehouse is a retailer of a variety of home electronics and appliances (ranging from refrigerator and stoves, washers and dryers, televisions, computers, and cell phones). Consumer Home Electronics Warehouse has 25 locations located in larger cities in the midwestern United States.

Required Jennifer plans to audit the existence of inventory. Put the following steps associated with planning and executing a sample of inventory in the proper order. a. Choose the number of items to be examined. b. Document conclusions. c. Select a representative sample. d. Determine the objectives of the substantive test. e. Determine the type of sampling to be used. f. Determine the substantive procedures that will meet objectives. g. Determine sample size. h. Apply audit procedures. i. Define the population and sampling unit. j. Evaluate results of the sample. AP10.7  (LO 8)  Challenging   PPS sampling  Edwards has decided to use probability-proportional-to-size (PPS) sampling in the audit of a client’s accounts receivable balance. Few, if any, errors of overstatement are expected. Edwards plans to use the following PPS sampling table: 5% RELIABILITY FACTORS FOR OVERSTATEMENTS Risk of Incorrect Acceptance

Number of Overstatements

1%

5%

10%

15%

20%

0

4.61

3.00

2.31

1.90

1.61

1

6.64

4.75

3.89

3.38

3.00

2

8.41

6.30

5.33

4.72

4.28

3

10.05

7.76

6.69

6.02

5.52

4

11.61

9.16

8.00

7.27

6.73

Required a.  Identify the advantages of using PPS sampling over classical variables sampling. b.  Calculate the sampling interval and the sample size Edwards should use, given the following information: Tolerable misstatement

$15,000

Risk of incorrect acceptance

5%

Number of misstatements allowed

0

Recorded amount of accounts receivable

$300,000

c.  Calculate total projected misstatement if the following three misstatements were discovered in a PPS sample: Recorded Amount

Audit Amount

Sampling Interval

$ 400

$ 320

$1,000

2nd misstatement

500

0

1,000

3rd misstatement

3,000

2,500

1,000

1st misstatement



(AICPA adapted)

  Audit Decision Cases  10-47 AP10.8  (LO 8)  Challenging   Evaluating a PPS sample  Assume the following misstatements were found in a PPS sample: Sample Item

Book Value

Audit Value

1

$ 650

$ 585

2

540

0

3

1,900

0

4

2,200

1,650

5

2,800

2,660

Required a.  Calculate the projected misstatement assuming: 1.  The sampling interval was $1,800. 2.  The sampling interval was $2,000. b.  If a risk of incorrect acceptance of 15% is specified in the sample design, the sampling interval is $2,000, and five misstatements are found as enumerated above, calculate: 1.  Basic precision. 2.  The incremental allowance for sampling risk. 3.  The upper misstatement limit. c.  If tolerable misstatement were $50,000 and expected misstatement were $10,000, what conclusion would you reach based on your results in (b) above? AP10.9  (LO 5, 6, 7, 9)  Challenging   Fraud   Research   Fine Host Corporation (FHC)  The following research question focuses on the audit of Fine Host Corporation (FHC), a Connecticutbased company that provided food and beverages concession, catering, and other services in approximately 400 facilities in 38 states. Start by locating and reading SEC Accounting and Auditing Releases 1482 and 1483 related to the audit of FHC.

Required a.  How were the financial statements of FHC misstated? b.  Make a list of the defects in the audit of FHC as it relates to audit sampling. For each defect that you note, suggest an alternative that would have allowed the auditor to follow professional standards.

Audit Decision Cases Red Cedar Office Furniture Question C10.1 is based on the following case. The data file needed to complete this case is available in WileyPLUS. Bob Downe is auditing Red Cedar Office Furniture (RCOF), a manufacturer of office furniture and custom cabinets. RCOF was founded 25 years ago by a husband-and-wife team and has grown rapidly in the last five years as solid, environmentally friendly, wooden furniture has grown in popularity. The company has inventory consisting of raw materials, work in process, and finished goods with a book value of $6,719,028.95. You have been assigned the task of testing the accuracy of the final inventory compilation for RCOF. You may assume that you have separately observed the inventory and that you are satisfied that the inventory was accurately counted. However, you need to test that quantities were accurately transcribed to the final accumulation and valuation of inventory and that the inventory is correctly priced and accumulated. A file showing the client’s accumulation of inventory is available in WileyPLUS. This case will guide you through the process of selecting a sample from the client’s inventory, comparing audited values with book values, and drawing a conclusion about the fair presentation of inventory.

10-48  C ha pte r 10  Risk Response: Evaluating ADA and Audit Sampling for Substantive Tests C10.1  (LO 8)  Challenging   PPS sampling audit case Part 1. Determine the objectives of the test. You are auditing both quantities and pricing of the final inventory accumulation. a.  Explain the assertions that you are testing. b.  Explain the evidence that you would obtain to test those assertions. Part 2. Determine sample size based on the following judgments (round sample size to the nearest whole number). a.  Tolerable misstatement is assessed at $325,000. b.  The risk of incorrect acceptance is assessed at 37%. c.  Expected misstatement is assessed at $100,000. Whether the auditor uses nonstatistical sampling or statistical sampling, the same basic factors are considered in determining sample size. Once the auditor has made professional judgments about these factors, the following formula is used to determine sample size in PPS sampling: n=

(BV × RF ) [TM − (EM × EF)]

where   BV = book value of population tested   RF = reliability factor for the specified risk of incorrect acceptance assuming zero overstatements (see the following table Reliability Factors for Overstatements)   TM = tolerable misstatement   EM = expected misstatement (see the subsequent table Expansion Factors for Expected Misstatements)   EF = expansion factor for expected misstatement Document your determination of sample size.

Reliability Factors for Overstatements Risk of Incorrect Acceptance

Number of Overstatements

1%

5%

10%

13%

15%

20%

25%

30%

37%

0

4.61

3.00

2.31

2.00

1.90

1.16

1.39

1.21

1.00

1

6.64

4.75

3.89

3.56

3.38

3.00

2.70

2.44

2.14

2

8.41

6.30

5.33

4.94

4.72

4.28

3.93

3.62

3.25

3

10.05

7.76

6.69

6.25

6.02

5.52

5.11

4.77

4.34

4

11.61

9.16

8.00

7.53

7.27

6.73

6.28

5.90

5.43

5

13.11

10.52

9.28

8.77

8.50

7.91

7.43

7.01

6.49

6

14.57

11.85

10.54

10.00

9.71

9.08

8.56

8.12

7.56

7

16.00

13.15

11.78

11.21

10.90

10.24

9.69

9.21

8.63

8

17.41

14.44

13.00

12.41

12.08

11.38

10.81

10.31

9.68

9

18.79

15.71

14.21

13.59

13.25

12.52

11.92

11.39

10.74

10

20.15

16.97

15.41

14.77

14.42

13.66

13.02

12.47

11.79

Expansion Factors for EXPECTED Misstatements Risk of Incorrect Acceptance Expansion factor

1%

5%

10%

15%

20%

25%

30%

37%

1.90

1.60

1.50

1.40

1.30

1.25

1.20

1.15

Part 3. Develop a scenario that supports the auditor’s conclusion that the appropriate risk of incorrect acceptance is 37%.

  Audit Decision Cases  10-49 Part 4. Select a sample and apply audit procedures. Select the PPS sample using the sample size determined in Part 2 above. Choose your own random start based on the size of the sampling interval (each student should have a different random start). Determine the book value and audited value for each item in your unique sample. Document your sample, the book values and the audited values. Part 5. Compute the upper misstatement limit (UML) for the sample you selected. Follow the procedures outlined in the chapter. You can use the Reliability Factors for Overstatements table to determine the factors to use for the “Upper Misstatement Limit.” Document your calculation of UML. Part 6. Evaluate your results both quantitatively and qualitatively. Develop both a statistical conclusion and an audit conclusion based on your sample. Document your conclusions about your inventory tests.

Wholesale Plumbing Supply Question C10.2 is based on the following case. Assume that you have selected the following nonstatistical sample for selecting accounts receivable for confirmation. The total book value of the population is $9,000,000, and tolerable misstatement is $350,000. You have decided to audit every item over $50,000 and randomly select items in two groups under $50,000, as the following shows. You selected the following sample.

Stratum > $50,000

N

n

Book Value of Stratum

Book Value of Sample

Audit Value of Sample

  20

20

$3,000,000

$3,000,000

$2,948,000

$50,000 > x > $5,000

100

30

3,000,000

1,000,000

970,000

< $5,000

300

30

3,000,000

300,000

280,250

$9,000,000

$4,300,000

$4,198,250

C10.2  (LO 9)  Moderate   Evaluating substantive testing results a.  Evaluate results judgmentally: Determine the estimated audited value of the population using nonstatistical ratio analysis. b.  Document conclusion: What audit conclusion can you draw based on the evidence above?

Fabrication Holdings, Inc. Questions C10.3 and C10.4 are based on the following case. Fabrication Holdings, Inc. (FHI) has been a client of McDonald and McGee LLP for many years. You are an audit senior and have been assigned to the FHI audit for the first time for the financial year ending June 30, 2022. During March 2022, you are completing the audit planning for the property, plant, and equipment (PPE) account class, which is one of FHI’s most material balances. You are also aware that FHI has made a large investment in a new manufacturing process to place itself in a more competitive position. Your analytical procedures indicate an increase in acquisitions of PPE. You are testing the appropriateness of the depreciation rate assigned to PPE, and whether it is consistent with the present condition and expected use of the assets over their remaining lives. You have sampled 35 PPE items, with a total dollar value of $1, 145, 000. The results show that, for the sample items, some depreciation rates were too low and/or the remaining useful life of the equipment was overstated by management. Together, these issues produce an error in the sample of $48, 500. FHI has a profit before tax for the current year of $1, 875, 000, and a PPE account balance at the end of the year of $11, 345, 000. C10.3  (LO 4, 5)  Challenging   Sampling methods and risk analysis  Analysis: Discuss the appropriate method of sampling PPE for the planned tests of depreciation. Define the population. What assertions are most at risk? C10.4  (LO 9)  Challenging   Projecting errors for PPE  Evaluation and conclusion: What conclusion would you draw about valuation and allocation of PPE from the above information? Justify your conclusion.

10-50  C ha pte r 10  Risk Response: Evaluating ADA and Audit Sampling for Substantive Tests

MPU Sampling Plans Question C10.5 is based on the following case. Data relative to three MPU sampling plans are presented below.

Tolerable misstatement

1

2

3

$110,000

$140,000

$170,000

5,000

6,000

8,000

Size of population Risk of incorrect rejection

10%

Estimated population standard deviation

5%

$80

10%

$105

$125

Risks that misstatements accumulating to greater than tolerable misstatements will not be detected by:   Internal control

50%

40%

40%

  Analytical and other substantive   procedures (excluding this test of details)

25%

50%

85%

  Desired overall audit risk   Inherent risk

5%

5%

5%

100%

100%

100%

*C10.5    (LO 10)  Challenging   Classical variables mean-per-unit sampling a.  Analysis: Determine an appropriate risk of incorrect acceptance for each population. b.  Determine sample size: Calculate sample size in each of the plans. Show computations.

Company X, Company Y Question C10.6 is based on the following case. Data relevant to the December 31, 2022, audit of accounts receivable in two of your clients is presented in the tabulation below. Company X Company Y Client’s book value Population size

$90,000

$200,000

1,000

2,000

Desired risk of incorrect acceptance

20%

30%

Desired risk of incorrect rejection

10%

5%

Tolerable misstatement Estimated standard deviation

$9,000

$10,000

$50

$25

*C10.6    (LO 10)  Challenging   Mean-per-unit sampling a.  Determine sample size: Determine sample size for each company using classical variables MPU estimation sampling. b.  Analysis and evaluation: Assume the total audited value of the Company X sample is $13,600 and the standard deviation is $52. Evaluate the sample results. c.  Analysis and evaluation: Assume the average of the sample audit values in the Company Y sample is $90 and the standard deviation is $30. Evaluate the sample results.

Cloud 9 - Continuing Case Answer the following questions based on the information for Cloud 9 presented in the appendix to this text and the current and earlier chapters. You should also consider your answers to the case study questions in earlier chapters.

c. What changes would you expect to see in inventory transactions and balances as Cloud 9 changes from a wholesaleonly business to a retail and wholesale business? Be specific in your answer.

Required

d. Which inventory balance and transaction assertions would be most affected? Explain.

a. Consider and explain the effects of the opening of Cloud 9’s first retail store on its accounts. b. Describe how this business change would affect the components of audit risk.

e. Describe the population(s) and suggest a sampling approach for substantive testing for inventory.

Chapter 11 Auditing the Revenue Process The Audit Process Overview of Audit and Assurance (Chapter 1) Professionalism and Professional Responsibilities (Chapter 2) Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4) Identify Significant Accounts and Transactions Make Preliminary Risk Assessments

Set Planning Materiality

Gaining an Understanding of the System of Internal Control (Chapter 6)

Audit Evidence (Chapter 5)

Develop Responses to Risk and an Audit Strategy

Performing Tests of Controls (Chapter 8)

Performing Substantive Procedures (Chapter 9) Audit Sampling for Substantive Tests (Chapter 10)

Auditing the Revenue Process (Chapter 11)

Auditing the Purchasing and Payroll Processes (Chapter 12)

Audit Data Analytics (Chapter 7)

Gaining an Understanding of the Client

Auditing the Balance Sheet and Related Income Accounts (Chapter 13)

Completing and Reporting on the Audit (Chapters 14 and 15) Procedures Performed Near the End of the Audit

Drawing Audit Conclusions

Reporting

11-1

11-2  C h a pte r 11 Auditing the Revenue Process

Learning Objectives LO 1 Explain the nature of the revenue process. LO 2 Evaluate how an auditor’s understanding of an entity and its environment affects audit planning decisions in the revenue process. LO 3  Determine inherent risk for various assertions in the revenue process. LO 4 Evaluate control activities for credit sales transactions.

LO 6 Evaluate control activities for sales adjustment transactions and revenue process disclosures. LO 7  Determine how to design and perform tests of controls in the revenue process and connect the results of control testing to audit strategy. LO 8 Assess detection risk and design substantive tests, including audit data analytics, to address various assertions in the revenue process.

LO 5 Evaluate control activities for cash receipt transactions.

Auditing and Assurance Standards PCAOB

Auditing Standards Board

AS 2310 The Confirmation Process

AU-C 505 External Confirmations

Cloud 9 - Continuing Case Sharon Gallagher (audit manager), Josh Thomas (audit senior), and Suzie Pickering (audit staff) are discussing the audit of revenues for Cloud 9. Previously, Suzie learned that senior members of management, including a number in the accounting and finance section, will receive stock options if revenue targets are reached. In addition, the company is opening a new company-owned store in a major market. The audit team is considering what other aspects of the business and industry Suzie needs to understand in order to

carefully plan the audit of the revenue process. The company has set aggressive goals to increase market share in a very competitive industry. Suzie recognizes that she needs to complete work in understanding the business and industry to evaluate the results of analytical procedures relative to revenues and receivables. Sharon asks Josh and Suzie to suggest other key factors the audit team will have to consider when designing the substantive procedures for the revenue process.

Chapter Preview: Audit Process in Focus Finding an appropriate combination of audit procedures to achieve a low level of audit risk at an acceptable cost is a constant challenge facing most audit teams. This chapter focuses on making decisions about appropriate audit procedures in the revenue process. We begin with a discussion of the nature of the revenue process. We then address the process of understanding the entity and its environment in the context of the revenue process and using this knowledge to assess inherent risk in the revenue process. The chapter then moves on to a discussion of evaluating internal controls in the revenue process, including understanding entity-level controls, understanding the document trail, evaluating what can go wrong (WCGW), identifying controls to test, performing tests of controls, and evaluating control risk and the risk of fraud. At this point, the auditor often confirms or revises his or her preliminary audit strategy and then executes substantive tests to reduce audit risk to an acceptable level. This chapter will walk you through key audit decisions in the context of the revenue process.

  Nature of the Revenue Process  11-3

Nature of the Revenue Process LEA RNING OBJECTI VE 1 Explain the nature of the revenue process.

An entity’s revenue process consists of activities related to credit sales with customers and the collection of accounts receivable. For a merchandising company, the classes of transactions in the revenue process include (1) credit sales, (2) cash receipts (collection of receivables and cash sales), and (3) sales adjustments (discounts, sales returns and allowances, and adjustments for bad debts). These transactions are depicted in Illustration 11.1.

Revenue Transactions

Debit

Credit

Credit sales

Accounts Receivable

Sales

Cost of Goods Sold

Inventory

Cash

Accounts Receivable

Cash receipts (primarily focused on collection of receivables)

Sales Discounts

Sales adjustment transactions   Sales returns and allowances

Sales Returns and Allowances

Accounts Receivable

  Provision for bad debts

Bad Debt Expense

Allowance for Doubtful Accounts

  Write-off of bad debts

Allowance for Doubtful Accounts

Accounts Receivable

For companies that sell goods or services on account, there is significant interaction between sales and accounts receivable. If revenue is recognized prematurely, both sales and accounts receivable will be overstated. The same interaction also exists between cash receipt transactions and accounts receivable, and a misstatement of cash receipts will result in a misstatement of accounts receivable. Further, if discounts are given for early payment, sales discounts are recorded when recording the cash receipt and reducing a customer’s receivable. The highest volume of transactions usually occurs with credit sales and cash receipts, as well as a series of transactions that fall under the broad category of sales adjustment transactions: sales returns and allowances, the provision for bad debts, and the write-off of bad debts. Usually, sales returns represent a much smaller volume of transactions. Further, a critical aspect of sales return transactions is the receipt of returned goods in the warehouse. Transactions providing for bad debts, or the write-off of receivables, often occur during month-end or quarterend adjustments. Finally, three of these accounts, inventory, cost of goods sold, and cash, are also affected by transactions in other processes. The audit of these accounts is deferred to Chapter 13. The auditor should obtain sufficient appropriate evidence for the transaction classes, balances, and disclosures outlined in Illustration 11.2. While the auditor must obtain sufficient appropriate evidence for all assertions, the auditor is often concerned about the overstatement of revenues and receivables. Hence, the auditor is particularly concerned about the occurrence, accuracy, and cutoff of revenues, and the existence, right to, and valuation and allocation of receivables. The discussion in this chapter will focus primarily on credit sales transactions (rather than on cash sales).

ILLUSTRATION 11.1  

Revenue transactions

11-4  C h a pte r 11 Auditing the Revenue Process ILLUSTRATION 11.2   Key revenue process assertions

Relevant Transaction Classes Sales Cash receipts Sales adjustment transactions • Sales returns and allowances • Adjustment for bad debts • Write-off of bad debts

Relevant Account Balances Accounts receivable Allowance for doubtful accounts

Receivable disclosures Revenue disclosures

Assertions

Assertions Occurrence Completeness Accuracy Cutoff Classification

Relevant Disclosures

Existence Rights and obligations Completeness Valuation and allocation • Valuation at historical cost • Valuation at net realizable value

Assertions Occurrence and rights and obligations Completeness Classification and understandability Accuracy and valuation

Before You Go On 1.1 Identify two major transaction classes with significant volumes of transactions in the revenue process. 1.2 Explain the interaction of sales and cash receipts with accounts receivable. Further, if cash receipts are understated, what are the implications for accounts receivable? 1.3  What is the usual timing of recording charges to bad debt expense?

Understanding the Entity and Its Environment LEA RNING OBJECTI VE 2 Evaluate how an auditor’s understanding of an entity and its environment affects audit planning decisions in the revenue process.

Chapters 3 and 4 explained the importance of understanding the entity and its environment, and how this understanding is important to assessing inherent risk. As inherent risk factors vary from industry to industry, from client to client, and from year to year, each audit must be custom-made to address unique risks. The following discussion will address the importance of understanding the entity and its environment in the context of the revenue process, analytical procedures commonly used in the revenue process, other issues associated with the entity and its environment, and the resultant assessment of inherent risk.

Understanding the Client’s Revenue Process The process of earning and recognizing revenues will vary from entity to entity. It is particularly important that the auditor be knowledgeable about the entity, how the entity earns revenues, and what particular revenue recognition issues may be relevant to the entity. Understanding how the entity earns and recognizes revenues assists the auditor in: •  Developing an expectation of total revenues by understanding the client’s capacity, marketplace, and customers.

  Understanding the Entity and Its Environment  11-5

•  Developing an expectation of gross margin by understanding the client’s market share and competitive advantage in the market. •  Developing an expectation of net receivables based on the average collection period for the client and for the industry. In addition, the process of generating revenues drives many expenses (e.g., cost of goods sold or selling expenses), so understanding the revenue process assists in developing expectations of the entity’s expenses associated with other transaction processes and assessing the risk that unaudited earnings contain material misstatements. Illustration 11.3 illustrates the importance of understanding the revenue process for five different industries, which will be discussed in this chapter, as well as Chapters 12 and 13. These industries were chosen for their variety based on the North American Industry Classification System (NAICS). These include the manufacture of oil and gas field machinery and equipment (NAICS 333132), the manufacture of electronic computer equipment (NAICS 334111), supermarkets and other grocery stores (NAICS 445110), hotels and motels (NAICS 721110), and colleges, universities, and professional schools (NAICS 611310). These examples define a wide spectrum of underlying business practices and an equally wide spectrum of risk for the auditor. The auditor would normally obtain this understanding through previous experience with the entity; information from trade associations, business periodicals, and newspapers; and from publishers of industry information such as Robert Morris Associates or Value Line. ILLUSTRATION 11.3   Understanding an entity’s revenue process

Example Industry Traits Oil and Gas Field Machinery and   Equipment Manufacturing • Tied to extract industries that are dependent on oil prices • Depends on opportunities for export and competitive pricing Electronic Computer Manufacturing • Sells products ranging from network servers to personal computers and tablets • Consulting services may represent a significant component of revenues

Developing a Knowledgeable Perspective About the Entity’s Financial Statements (Median Industry Data) Sales to Total Assets: 1.6 Sales to Net Fixed Assets: 10.3 Gross Profit: 36.9% Net Operating Profit: 12.0% Collection Period: 61 days

• Concerns about terms of sales and moving inventory during a period of low oil prices

Sales to Total Assets: 2.7 Sales to Net Fixed Assets: 49.2 Gross Profit: 39.2% Net Operating Profit: 5.2% Collection Period: 41 days

• Significant revenue recognition issues associated with bundled products

• Margins depend on competing technologies

• Intense competition from club stores and other competitors Hotels and Motels • Generates revenues from hotel occupancy and services (food and conferences), franchise fees, and property management

• Sales may be dependent on policies of foreign governments • Collection risk associated with selling to foreign entities

• Cash collection may precede revenue recognition resulting in unearned revenues • Competitive environment significantly affects selling prices and gross margins •  Normal concerns about collection risk

Sales to Total Assets: 2.7 Sales to Net Fixed Assets: 5.3 • Numerous products where product Gross Profit: 26.7% differentiation is difficult Net Operating Profit: 1.5% • Companies are improving margins by leasing Collection Period: 4 days space to banks and coffee companies Supermarkets and Other Grocery Stores

•  Importance of brand development

Assessing the Risk of Material Misstatement

Sales to Total Assets: .5 Sales to Net Fixed Assets: .6 Gross Profit: Not Reported Net Operating Profit: 17.2% Collection Period: 2 days

•  Sales volume coverage of fixed costs • Gross margins related to product mix and space utilization • Receivables usually relate to pharmacy receivables from insurance companies and miscellaneous trade receivables • Revenue recognition for accounting for hotel transactions versus property ­management • Revenue tied to sales volumes, prices, and occupancy rates • Major hotel companies that enter into agreements to manage properties for others experience a higher degree of collection risk (continued)

11-6  C h a pte r 11 Auditing the Revenue Process ILLUSTRATION 11.3   (continued)

Developing a Knowledgeable Perspective About the Entity’s Financial Statements (Median Industry Data)

Example Industry Traits

•  Revenue recognition is straightforward

Sales to Total Assets: .5 Sales to Net Fixed Assets: 1.0 Gross Profit: Not Reported Net Operating Profit: 10.2% Collection Period: 16 days

Colleges, Universities, and Professional Schools • Concerns about the degree of tuition discounting through scholarships • Importance of accreditation and access to federal student loans

Assessing the Risk of Material Misstatement •  Low collection risk if accredited • Business risk associated with high fixed costs and enrollment declines

• Enrollment sensitive to demographics and unemployment levels

It is important for the auditor to understand the nature of the client’s revenue process. The demand for oil and gas field machinery equipment can be significantly impacted by (1) oil prices or decisions made by foreign countries to invest in or support oil and gas extraction, or (2) political factors that influence a government’s ability to sell oil and gas. The companies that manufacture computers may bundle services and service contracts with their products resulting in more complex revenue recognition accounting. While the accounting for revenues in the grocery industry might be uncomplicated, hotel and motel operations may include managing properties for others, which requires recognition of only the management commission and not the gross receipts of the managed properties. Therefore, the audit of each company must be custom-made, and inherent risks will often differ from one audit to the next. Finally, understanding an entity's revenue process provides the basis for developing expectations about revenue and receivables that an auditor uses in performing analytical procedures.

Analytical Procedures Analytical procedures are required in every audit as part of the risk assessment process during audit planning, which often occurs during the client’s second or third quarter. They are cost-effective, and they are often effective in identifying potential misstatements in the financial statements. The most effective analytical procedures rely on the auditor’s knowledge of the business and industry. Some example analytical procedures that may apply to the revenue process are presented in Illustration 11.4. ILLUSTRATION 11.4   Analytical procedures commonly used for the revenue process

Ratio

Formula

Sales to capacity

Audit Significance

Net sales

Helpful in assessing the reasonableness of total revenues.

Nonfinancial measure of capacity Market share

Client’s net sales

Helpful in assessing the reasonableness of both total revenues and gross margins. Larger market share is often associated with larger gross margins.

Net sales of industry Sales to total assets

Sales

This ratio is useful for manufacturing and other asset-based companies. Describes the relationship between assets and sales revenues.

Average total assets Accounts receivable growth to sales growth

Accounts receivable turnover in days

(

)

Accounts receivableCurrent Year Accounts receivablePrior Year

(

)

SalesCurrent Year SalesPrior Year

(

365 days ÷  

Ratios larger than 1.0 indicate that receivables are growing faster than sales. Large ratios may indicate possible collection problems.

 − 1

 − 1

Net credit sales

)

Average net receivables

Useful in comparing with industry averages. Longer collection periods may indicate collection problems. Prior experience and current sales volumes may be useful in estimating current net receivables. (continued)

  Understanding the Entity and Its Environment  11-7 ILLUSTRATION 11.4   (continued)

Ratio Uncollectible accounts expense to net credit sales

Formula Uncollectible accounts expense Net sales

Uncollectible accounts expense to accounts receivable write-offs

Actual accounts receivable write-offsCurrent Year

New product revenues to total revenues

Revenues from new products introduced during the year

Uncollectible accounts expensePrior Year

Total revenues

Audit Significance Useful in evaluating the reasonableness of uncollectible accounts expense. Smaller ratios may indicate an inadequate provision for uncollectible accounts. Useful in evaluating the reasonableness of prior period’s uncollectible accounts expense. Smaller ratios may indicate an inadequate estimation process. Companies with a high proportion of revenues from new products may earn a premium gross margin due to their ability to innovate.

The first step in performing analytical procedures is obtaining an understanding of total revenues given (1) the client’s capacity and (2) the client’s marketplace for those products. The auditor should understand the entity’s capacity, which is the maximum volume of sales that it could generate if it fully utilized its facilities and employees to manufacture and deliver products and services. Auditors should be sensitive to the volume of sales that an entity records given its maximum capacity, the number of shifts that an entity operates, and seasonal variations in the industry. In today’s audit environment, effective analysis of either analytical procedures or data analytics is tied directly to the auditor’s business acumen. It is much more effective to evaluate total revenues against a measure of business activity than to compare current revenues with prior-year revenues. Auditors must be sensitive to how the business environment is changing, not just how the financial numbers are changing. Therefore, the auditor will often tailor analytical procedures to the client’s industry that compare revenues with measures of the process that produces revenues. For example, the auditor might evaluate the following trends: •  Revenue per number of manufacturing employee labor hours, for a labor-intensive manufacturing process. •  Revenue to plant assets in a capital-intensive manufacturing process. •  Revenue per square foot of retail space for a grocer. •  Revenue compared to occupancy rates for industries such as hotels or airlines. •  Revenue per student for a college. When evaluating these trends, the auditor must also be sensitive to seasonal demand or other trends in the marketplace for the client’s products. For example, the auditor must be able to assess the reasonableness of revenue increases for a household appliance manufacturer when national housing starts are declining, or the reasonableness of occupancy rates and room prices for a hotel chain when new competitive properties have entered key markets. One important analytical procedure is understanding the client’s market share, which compares the client’s revenues with total revenues in the market for the client’s product. This is particularly important because companies with dominant market shares often obtain premium gross margins. Finally, it is important for the auditor to evaluate the client’s accounts receivable turnover in days, or average collection period, and be able to compare the collection period with industry norms. Companies may be able to speed up collection times when products are in high demand. Increases in the client’s collection period indicate that receivables are growing faster than sales volumes, which consumes operating cash flows and may lead to liquidity problems. It is particularly important in growth companies for auditors to monitor the entity’s collection period because any growth in sales is usually accompanied by receivable growth that consumes operating cash. If receivables are growing faster than sales, it may be an indication that the company is accomplishing sales growth by taking on increased credit risk. Other analytical procedures an auditor might assess in the revenue process include: •  Sales turnover, a ratio of sales to average total assets. •  Trends in gross margins compared with trends in market share. •  Estimates of accounts receivables given knowledge of the company’s sales volumes, prices, and historical collection period.

11-8  C h a pte r 11 Auditing the Revenue Process

•  Comparison of accounts receivables to the receivables estimate in the company’s cash budgets. •  Uncollectible accounts expense to net credit sales. •  Uncollectible accounts expense to actual uncollectible accounts written off.

Other Considerations Regarding the Entity and Its Environment Recall from Chapter 4 (see Illustration 4.1) that there are numerous issues an auditor should understand about the entity and its environment. Illustration 11.5 summarizes revenue issues that have not yet been covered in this chapter, and it provides examples of the settings in which these factors might lead to either a higher assessment of inherent risk or a lower assessment of inherent risk. It is important for auditors to recognize that these factors may change for a given client over time and that each audit should be viewed independently from previous audits. ILLUSTRATION 11.5   Understanding the entity and its environment in the revenue process

Higher Inherent Risk Significant legal compliance issues exist when making sales, delivering on contracts, and collecting sales (e.g., HIPAA compliance in the medical industry, or legal compliance in defense contracting).

Key Factors Regarding the Entity and Its Environment

Lower Inherent Risk

Compliance with laws and regulations

Nominal legal compliance issues exist when making and collecting sales.

The client only informally compares revenues with underlying business activity.

Client performance measurement

A significant amount of revenue transactions is with affiliated companies or other related parties.

Related party transactions

There are few or no revenue transactions with affiliated companies or other related parties.

Corporate governance

There is strong corporate governance with oversight of revenue recognition and accounting estimates in the revenue process.

There is little or no independent oversight of management, the revenue accounting process, or accounting estimates in the revenue process. Revenue recognition is complex and requires significant adjustments at period-end.

Month-end, quarter-end, and year-end closing procedures

The client carefully monitors revenue recognized compared to underlying business activity.

Revenue recognition is not complicated and requires little period-end adjustment, if any.

Audit Reasoning Example Indicators of Misstatements in the Revenue Process

Chris Spenser is the senior on the audit of Cloud Materials, Inc. (CMI). CMI manufactures a variety of computer hardware used in server farms and computer networks, and this year it started bundling software with the products to more seamlessly handle the problems associated with large data storage and retrieval. CMI is also starting to invest in data analytics software to better serve its clients. Chris has noticed two significant warning signs: (1) the company has improved its gross margins to a point where they are significantly above industry averages, and (2) the company is significantly lagging behind the rest of the industry in collecting its receivables. Chris wonders if this makes sense in a price-competitive industry. Is the combination of increasing gross margins and increasing collection periods a sign of premature revenue recognition? As Chris talks about this with his audit manager, they decide that these are warning signs that need specific investigation. They need to determine if the system of internal control kept up with changes in business practices. Also, they need to focus attention on how revenue is recognized on bundled hardware and software sales, as well as whether there have been significant profit increases in the fourth quarter.

  Inherent Risks in the Revenue Process  11-9

Before You Go On 2.1 Explain how auditing the revenue process might be different for a hotel client than for an oil and gas field equipment manufacturer. 2.2 Assume that, when performing analytical procedures, an auditor notices that revenue grows 10% while receivables grow at a 30% rate. What assertions might be misstated? 2.3 Explain how quarter-end closing procedures might increase inherent risk in the revenue process.

Inherent Risks in the Revenue Process LEA RNING OBJECTI VE 3 Determine inherent risk for various assertions in the revenue process.

In assessing inherent risk for revenue process assertions, the auditor should consider pervasive factors that may affect assertions in several processes, including the revenue process, as well as factors that may pertain only to specific assertions in the revenue process. Accounting for various revenue transactions under ASC 606 Revenue from Contracts with Customers is complex; revenue should only be recognized when a company satisfies its performance obligations. This is particularly true when there are multiple performance obligations, such as when the sale of goods and services are bundled together. Further, management often has more incentive to overstate revenues than to understate revenues. Factors that incentivize management to misstate revenue process assertions and commit fraudulent financial reporting include: •  Pressures to overstate revenues to achieve revenue or profitability targets that were not achieved in reality owing to such factors as global, national, or regional economic conditions; the impact of technological developments on the entity’s competitiveness; or poor management. •  Pressures to overstate cash and gross receivables or understate the allowance for doubtful accounts in order to report a higher level of working capital in order to meet debt covenants. The auditor should maintain an appropriate attitude of professional skepticism and be alert to some of the following devices that have been used by companies to overstate revenues: consignment sales, refund rights, and bill-and-hold transactions. Consignment sales. Sale arrangements that have the characteristics of a consignment sale include giving the buyer a lengthy right of return, having substantial payment made upon the resale of the product, requiring sellers to repurchase inventory at a specified price, or allowing the buyer not to assume risks of ownership due to future pricing concessions. For example, if a manufacturer promises a wholesaler future price concessions based upon holding and financing costs for the length of time between purchase and sale, the sale should be accounted for as a consignment sale, and revenue should be deferred. Refund rights. When rights of return exist or are likely to be accepted, a reasonable estimate of refunds should be made when revenue is recognized. In determining the amount of the estimated refunds, management should consider competition, obsolescence, and the length of time over which the product can be returned. However, if a reasonable estimate cannot be made, revenue should not be recognized until the material uncertainty is resolved. Further, if a seller changes the right of return near the end of the period to offer more generous terms, the seller should not be able to recognize revenue until material uncertainties are resolved and subsequent cash collections are assured.

consignment sales  may occur in a transaction between a manufacturer and a wholesaler, when the seller retains title to inventory in the wholesaler’s possession, and the sale is completed when the wholesaler sells the inventory forward; a consignment sale may be created in economic substance when the terms of sale create uncertainties about whether the wholesaler assumes risk of ownership upon receipt of goods refund rights  a sale is made with the right to return the goods for a full refund, even if the goods are not defective

11-10  C h a pte r 11  Auditing the Revenue Process bill-and-hold transactions  a customer is billed for goods, but goods are not shipped; accounting principles have very narrow criteria for when revenue can be recognized for a bill-and-hold transaction; the transaction must be initiated by the customer, and the customer must have a sound economic reason for purchasing the goods and asking the seller to continue to hold the goods gross sales  total revenues before any deductions, such as deductions for sales returns and allowances

Bill-and-hold transactions. These are transactions in which a company bills customers without shipping goods. Sunbeam Corporation was the first to use this method to inflate revenue. For example, assume that a manufacturer leases a portion of its facility to a customer and records revenue on sales to this customer when products are delivered to the customer’s portion of the facility. The SEC now has very strict rules for revenue recognition related to bill-and-hold sales. ASC 606 Revenue from Contracts with Customers also has specific conditions that must be met for the seller to recognize revenues. Problems associated with booking consignment sales, refund rights, and bill-and-hold transactions usually result in problems associated with the occurrence of revenues and the existence of receivables. An additional problem that auditors have experienced involves the correctness of gross sales. Many companies, particularly growth companies, pay considerable attention to topline revenues. Companies may award bonuses based on gross revenues, and companies have been valued based on multiples of revenues. Consider the hotel chain that manages properties that it does not own. It should not record revenues from managed properties in a similar fashion to owned properties and then record related expenses of property management. Rather, management should record revenue only in the amount of the commission earned. Recently, Groupon restated earnings when it went public because it had booked revenue in the amount of the gross value of products sold through Groupon, rather than merely the commission that Groupon received on the sale of the product for customers. In this case, there was an overstatement of revenues and an overstatement of expenses. Operating income was correctly reported, but significant misreporting of the amounts of revenues and expenses existed. In the Groupon case, the problem is with the occurrence of revenue and the occurrence of expenses. Other factors that contribute to misstatements in the revenue process include the following: •  The volume of sales, cash receipts, and sales adjustment transactions is often high, resulting in numerous opportunities for errors to occur. •  The timing and amount of revenue to be recognized (occurrence and cutoff of revenues) may be contentious owing to factors such as complex accounting standards, the need to make estimates, the complexity of the calculations involved, and purchasers’ rights of return. •  When receivables are factored with recourse, the classification of the transaction as a sale may be incorrect. •  Receivables may be misclassified as current or noncurrent owing to difficulties in estimating the likelihood of collection within the next year or events upon which collection is contingent. •  Cash receipt transactions generate liquid assets that are particularly susceptible to misappropriation (completeness of revenues or cash receipts). •  Sales adjustment transactions may be used to conceal thefts of cash received from customers by overstating discounts, recording fictitious sales returns (occurrence or accuracy of discounts or sales returns), or writing off customers’ balances as uncollectible (occurrence of write-off of accounts receivable). Because of the variety and potential magnitude of the misstatements that can occur in the absence of effective controls, the auditor must always give careful consideration to inherent risks in the revenue process. Risks associated with revenue recognition are such that auditors often consider the occurrence of revenues and the existence of receivable assertions to be a significant inherent risk. In many cases, management adopts extensive internal controls to address these issues through its own risk assessment procedures. Finally, when auditors perform analytical procedures during risk assessment, they should develop a skill in analyzing the likely assertions that might be misstated based on the data. For example, consider the information in Illustration 11.6. Take a moment, study the data, and consider what assertions might be at an increased risk of misstatement.

  Inherent Risks in the Revenue Process  11-11

Current Year $000 Percentage

Prior Year $000 Percentage

Revenues

$5,638

100.0%

$3,780

100.0%

Cost of goods sold

$2,691

47.7%

$1,975

52.2%

  Gross profit

$2,947

52.3%

$1,805

47.8%

Accounts receivable, net

$1,335

ILLUSTRATION 11.6   Example analytic procedures in the revenue process

$837

Revenue growth

  49%

  33%

Accounts receivable growth

  59%

  30%

Cost of goods sold growth

  36%

  34%

Accounts receivable turnover in days

  86 days

  81 days

Inventory turnover in days

180 days

189 days

The data show a company that is clearly experiencing rapid growth. Revenues have grown by nearly 50%, receivables are growing faster than sales, and gross margins are improving. This fast growth, combined with the slow accounts receivable turnover, should cause the auditor to heighten professional skepticism with respect to revenue recognition. Recognizing revenues without shipping goods will cause gross margins to improve and accounts receivable turnover in days to slow. The significant accounts receivable growth should also cause concerns about the collectibility of receivables. In summary, significant inherent risks exist for the occurrence of revenues, the existence of receivables, and for the valuation of receivables at their net realizable value.

Audit Reasoning Example  Right of Return and Revenue Recognition Keila Hirata is a senior auditor on Eastern Automotive, a small automotive parts company. She has worked on this audit since she started with the audit firm, and she has developed a good understanding of the company and its market. She has been monitoring the company’s monthly financial statements and has been watching a build-up in inventory. Two months before year-end, she talks to Eastern’s CFO about the problem; the CFO is wondering if Eastern will have to start marking down inventory to move it out. Then in the last month of the year, inventory drops, revenue increases, and things look normal again. However, looking at the results of a data analytics test, Keila notices that more goods have been shipped in the last month than have been ordered by customers. What would explain this? Digging deeper in the shipping department, she finds several large shipments to some of Eastern Automotive’s larger customers. The problem is that the goods have not been ordered by the customers. Keila finds that the goods were shipped with a full right of return if the customer cannot sell the products forward. This is a significant revenue recognition problem that will result in taking revenue and receivables off the books and putting inventory back on the books with a concurrent reduction in cost of sales.

Professional Environment  Restatements of Revenues Audit Analytics1 recently reported a summary of restatements due to revenue recognition issues for a 17-year period ending in 2017. The revenue recognition issues consist of misstatements in approach, understanding, or calculation associated with the

recognition of revenue. Many of these restatements originated from a failure to properly interpret sales contracts for hidden rebates, returns, or barter or resale clauses. Some of the restatements also relate to the treatment of sales returns, credit, and other allowances.

1 Don Whalen, Olga Usvyatsky, and Dennis Tanona, 2017 Financial Restatements, A Seventeen Year Comparison (Audit Analytics: Sutton, MA, 2018).

11-12  C h a pte r 11  Auditing the Revenue Process

Disclosure Year Revenue restatements

2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 169

194

226

173

% of all financial 21.4% 20.4% 14.3% 9.3% statement restatements

173

120

86

86

89

90

119

104

90

96

77

13.5% 12.4% 10.4% 10.1% 10.5% 10.6% 13.6% 12.1% 11.9% 14.1% 13.9%

Overall, restatements due to revenue recognition problems were the second most common source of restatements during the 17-year period. In the early years of this time series, revenue restatements amounted to over 20% of all restatements. In the subsequent period, revenue restatement declined as a percentage of total restatements. From 2009–2012, revenue restatements

amounted to only about 10.5% of all restatements, and from 2013 onward revenue restatements have increased, ranging from 11.9% to 14.1% of all restatements. Based on restatements of earnings due to revenue recognition problems, revenue recognition continues to be a significant inherent risk.

Cloud 9 - Continuing Case As Josh and Suzie review what they know about Cloud 9’s business and industry, they know that senior employees will receive stock options if revenue targets are met. Those targets are associated with opening a new company-owned store and making more sales through existing channels. Analytical procedures performed during interim planning show that inventory levels have increased. Further investigation has revealed that, while the economy has been strong, the company appears to have been aggres-

sive in its forecasting and overestimated the demand for certain products. Suzie is concerned about how this might affect accounting in the revenue process. Josh also wants Suzie to pay careful attention to period-end closing procedures. Finally, Josh asks Suzie to think about the assertions where inherent risk will be high or maximum. Then, they can consider what they know about Cloud 9’s system of internal control when assessing the overall risk of material misstatement.

Before You Go On 3.1 Explain how sales adjustment transactions may be used to conceal thefts of cash. 3.2 Ron Fisher owns Fisher’s Bar and Grill. Ron is particularly concerned about generating adequate cash flow but also places a real emphasis on minimizing the entity’s income taxes. If you were to audit Fisher’s Bar and Grill, address the inherent risks that might exist in the revenue process.

Control Activities for Credit Sales LEA RNING OBJECTI VE 4 Evaluate control activities for credit sales transactions.

Recall from the section “Entity-Level Internal Controls” in Chapter 6 that when evaluating internal controls in the revenue process, it is important to understand a number of entitylevel controls. Entity-level controls establish a background and environment for transactionlevel controls. For example, the control environment may enhance or negate the effectiveness of transaction-level controls. A key control environment factor in reducing the risk of fraudulent financial reporting through the overstatement of revenues and receivables is management’s adoption of and adherence to high standards of integrity and ethical ­values.

  Control Activities for Credit Sales  11-13

One related aspect is eliminating incentives that encourage dishonest reporting, such as management’s undue emphasis on meeting unrealistic sales or profit targets. Another related aspect is the supporting activities of an effective board of directors and audit committee. The auditor might also be interested in how the entity’s risk assessment process responds to risks that arise from changed circumstances, such as implementing new accounting standards for revenue transactions. The discussion for the remainder of the chapter focuses on transactionlevel controls. Recall from Chapter 6 that the process used for developing an audit strategy for various assertions involves the following six steps: 1.  Understanding the flow of transactions in a given transaction process. 2. Identifying what can go wrong from initiating the transaction to the recording in the general ledger. The auditor needs to link what can go wrong to assertions. 3.  Assessing whether controls exist to mitigate what can go wrong. 4.  Identifying relevant controls, performing tests of controls, and evaluating results. 5. Reporting internal control weaknesses to those charged with governance of the entity, based on controls that are absent or controls that are not operating effectively. 6.  Determining an audit strategy at the assertion level. Now think about the five industries that were mentioned at the beginning of this chapter. Is it reasonable to expect that the flow of transactions would be the same for a manufacturer of oil and gas field equipment as for a grocery store or a hotel? The following examples are more likely to fit a manufacturing company that sells manufactured goods on credit. However, be alert to comments that might apply to a retail grocer, a hotel chain, or a college/ university. Auditors usually understand the flow of transactions in a given process by performing a walkthrough of a transaction process, such as the sales process or the cash receipts process. The walkthrough is important as different companies often have different documents and transaction flows. During a walkthrough, the auditor will interview client personnel, review the documents and electronic files used by the client, and understand how the entity uses information technology to support transaction-level controls. The auditor will ask questions of the entity’s personnel about their understanding of their responsibilities. Through inquiry and observation, the auditor obtains an understanding of transaction-level controls as well as the adequacy of segregation of duties. The discussion below provides examples of the flow of transactions in the credit sales process from initiating a transaction, to exchanging title to a good or service, to recording the transaction in the general ledger. This is followed by a discussion of the flow of transactions in the cash receipts processes. These two transaction streams often have a high volume of transactions.

Example Transaction Flows—Sales Process The transaction flow in a typical sales process for a client that sells goods includes processing and approving credit and sales orders, shipping goods, invoicing customers, and recording sales and trade receivables. The transaction flow for a client that sells services is similar, but instead of shipping goods, the client performs the services. When selling services, recordkeeping regarding services performed (number of rooms used daily at a hotel or course enrollment at a college) is important to documenting the revenue process. Common documents and files that are found in the process of selling goods include: Source Documents and Related Electronic Files •  Customer master file—Usually part of the sales process database with information on approved customers, customer shipping and billing information, and the customer credit limit. Access to the customer master file and changes to this file should be tightly controlled by the entity. •  Master price file—Usually part of the sales process database with information on approved prices and discounts, such as volume discounts, that are allowed for any customer.

11-14  C h a pte r 11  Auditing the Revenue Process

•  Sales order—Client-prepared prenumbered document that includes customer information, description and quantity of what was ordered, and terms of sale. •  Bill of lading—Client’s shipping document that serves as acknowledgement of receipt of goods for delivery by a freight carrier. •  Packing slip—Client-prepared document with the details of items included in a shipment. Recording Document •  Sales invoice—Client-prepared document stating the particulars of a sale, including the amount owed, terms, and date of sale. It is used to bill customers, and it provides the basis for recording a sale in the sales journal. •  Sales journal—The journal of original entry where each sale is recorded. Important Databases or Other Documents •  Sales process database—Electronic files that accumulate data on sales, cash receipts, and accounts receivables. •  Monthly statements of receivable balances—Client-prepared report sent to each customer showing the beginning receivable balance, transactions during the month, and the ending receivable balance (even if it is zero). An example of how these documents commonly flow is illustrated in Illustration 11.7. Illustration 11.7 is followed by a brief discussion of how credit sales are processed in many companies. It is helpful to understand the documents and what information might be included

illustration 11.7   Example flow of transactions for credit sales

Authorization

Process

Documents

Files and Databases

Receive customer order for goods

Customer master file

Prepare internal sales order

Sales order

Prepare shipping documents and ship goods

Packing slip

Prepare sales invoice to bill customer

Sales invoice

Sales process and G/L database

Shipping Bill of lading

Sales process and G/L database

Recording Sales process and G/L database

Record in sales journal

Post to general ledger

Record in A/R subsidiary ledger

Monthly statement

Master price list

  Control Activities for Credit Sales  11-15

on each document. The flow of transactions that is visualized in this illustration might be represented by documents being received from, or sent to, the customer in either paper or electronic form (by way of electronic data interchange). Nevertheless, the following functions are standard functions in the revenue process.

Initiating and Authorizing Credit Sales Initiating a transaction represents the process of agreeing to sell goods or services to an independent third party (or to a related party). Accepting customer orders. Sales orders from customers should be accepted only in accordance with management’s authorized criteria. The criteria generally provide for specific approval of the order in the sales order department, using a software application to determine that the customer exists in a customer master file with approved credit limits. If the customer is not in the master file, many companies ask for a credit card, or they ship on a collect-ondelivery basis to establish a history with a new customer. In many companies, the next step involves the client preparing a prenumbered sales order form. The prenumbered sales order form enables following each transaction from initiation, to delivery of goods or services, to recording the sale, to receipt of final consideration. The sales order represents the start of the transaction trail of documentary evidence. Information on open (unfilled) and filled sales orders is usually maintained in appropriate electronic files and monitored to ensure ordered goods are shipped to customers. Usually, the software can be programmed to compare a customer’s outstanding receivable balance, plus the anticipated sale, with the customer’s credit limit in the approved customer master file. Segregating responsibility for initiating a sale and approving sales that exceed a credit limit prevents sales personnel from subjecting the company to undue credit risks to boost sales. Approving credit. Today, most companies ask first-time customers to pay in cash, pay on a cash-on-delivery basis, or pay with credit cards or some form of electronic funds transfer. This allows the company to make the sale and begin to establish a relationship with new customers. After some history with a new customer, a company may begin steps to approve credit in small amounts and increase credit limits based on a customer’s payment history. Controls over approving credit are designed to reduce the risk of initially recording a revenue transaction at an amount in excess of the amount of cash expected to be realized from the transaction. Thus, these controls also relate to the valuation and allocation assertion associated with the allowance for uncollectible accounts.

Shipping Goods Delivery of goods or services is the economic event that results in a change in title and establishes revenue recognition and the right to a receivable. Filling sales orders. Company policy generally prohibits the release of any goods from the warehouse without an approved sales order. Further, the software may be programmed to match items taken from the perpetual inventory with items on an approved sales order. This control procedure is designed to prevent the unauthorized removal of items from inventory. The warehouse may receive an electronic copy of the approved sales order as authorization to fill the order and release the goods to the shipping department. When goods are pulled from inventory, a packing slip is normally produced to detail the items that will be shipped to the customer and the quantity of each item shipped. Shipping sales orders. Segregating the responsibility for shipping from approving and filling orders helps to prevent shipping clerks from making unauthorized shipments. In addition, an important manual control requires that shipping clerks make independent checks to determine (1) that goods pulled from the warehouse are accompanied by appropriate authorization, and (2) that the order was properly filled (goods taken from the warehouse agree with the details of the sales order). The shipping function also involves preparing multicopy shipping documents, such as a bill of lading. Shipping documents are often produced by the software application using order information already in the program and adding appropriate shipping data such as quantities shipped, carrier, freight charges, and so on. Daily software application checks are often run to (a) account for all shipping documents, (b) determine that all sales

11-16  C h a pte r 11  Auditing the Revenue Process

orders result in shipments, and (c) determine that a sales invoice was subsequently prepared for each shipping document. These checks provide an important control for the completeness assertion.

Recording Sales The process of recording sales involves preparing and sending prenumbered sales invoices to customers (billing customers) and recording sales invoices accurately and in the proper accounting period (recording sales). The auditor’s primary concerns regarding recording sales are that sales invoices are recorded accurately and in the proper period. The latter pertains to when the revenue is earned, which is usually when the goods are shipped. The auditor’s primary concerns regarding billing are that customers are billed (1) for all shipments, (2) only for actual shipments (no duplicate billings or fictitious transactions), and (3) at authorized prices.

Identify What Can Go Wrong (WCGW) and Identify Key Controls—Credit Sales and Accounts Receivable Once the auditor understands the flow of transactions, the auditor should evaluate what can go wrong, identify potential controls that management has placed in operation, and then choose key controls to test. Illustration 11.8 summarizes the flow of transactions through the revenue process, key documents and files, what can go wrong, and example controls for a manufacturing client making credit sales. There is likely to be a different analysis of what can go wrong for a hotel that receives cash in advance of providing the service and has significant unearned revenues. As you review Illustration 11.8, notice that most of the controls are IT application controls; try to associate particular controls with the assertions being controlled.

ILLUSTRATION 11.8   Credit sales transactions—WCGW and example controls

Transaction

Documents   and Files

Risks (WCGW)

Example Control

Initiating credit sales

Customer master file

Sales may be made to unauthorized customers.

Only a limited number of individuals can change the customer master file and all file changes are reviewed by appropriate levels of management. These duties should be segregated from shipping goods or recording transactions.

Sales order

Sales may be made to unauthorized customers.

The software application matches the customer on the sales order with the customer master file.

Sales order

Sale may be made without credit approval.

The software application matches amount of sales order with credit authorization on the customer master file. Appropriate level of regular review of sales analysis (by product, division, salesperson or region) and comparisons with budgets.

Delivering goods

Perpetual inventory

Goods may be released from warehouse for unauthorized orders.

The software application matches all goods pulled from inventory (perpetual inventory) to approved sales orders.

Bill of lading and packing slip

Products may be shipped without shipping documents being generated.

The software application generates packing slip and delivery documentation when order is processed.

Bill of lading and packing slip

Goods ordered may not be shipped.

The software application prints a report of all unfilled sales orders. (continued)

  Control Activities for Credit Sales  11-17 ILLUSTRATION 11.8   (continued)

Transaction Recording sales

Documents   and Files Sales invoice and sales process database

Risks (WCGW)

Example Control

Some shipments may not be billed.

The software application prints a report of all goods shipped but not billed. Invoices are prenumbered and accounted for. The software application prints a report of all bills of lading not matched with sales invoices.

Sales invoice and sales process database

Billing may be made for fictitious transactions, or duplicate billing may be made.

The software application matches sales invoice information with underlying shipping information.

Sales invoice and sales process database

Sales invoices may be recorded in the incorrect accounting period.

The software application matches sales invoice date with accounting period in which goods are shipped.

Sales invoice and sales process database

Sales invoices may be recorded in the incorrect amount (incorrect quantities or prices).

The software application matches sales invoice quantities with shipping information and prices with master price list.

Sales invoice and sales process database

Invoices may not be journalized or posted to customer accounts.

The software application checks run-to-run total of beginning receivables, plus sales transactions with the sum of ending receivables.

Sales invoice and sales process database

Sales invoices may be billed to the wrong customer.

The software application matches customer number on sales invoice with customer number of sales order and bill of lading.

Monthly receivable statements

Customers may be billed incorrect amounts.

An individual reviews monthly statements to customers before they are mailed, reporting any exceptions to a designated accounting supervisor not otherwise involved in the execution or recording of revenue process transactions. Statements are mailed monthly, with follow-up on customer complaints independent from the recording process.

Many clients build in redundant controls such that if one control does not find a misstatement, another control will detect the problem. However, auditors cannot efficiently test all controls that exist. The auditor will find a key control by identifying the most important control for each assertion. Following are example key controls that auditors often identify. The examples rely significantly on IT application controls to flag potential misstatements. The auditor should understand the logic behind the IT application controls and how client personnel manually follow up on exceptions on a timely basis. Completeness of sales. The software application starts with a population of daily shipping documents and develops a one-for-one match with sales invoices to ensure that each shipment results in a sales invoice. A report is generated daily of any shipments that have not resulted in a recorded sales invoice. Occurrence of sales. The software application starts with the population of daily sales invoices and develops a one-for-one match with underlying shipping documents to ensure that each sales invoice is supported by a bill of lading. A report is generated daily of any sales that are not supported by shipments. Many larger companies that are heavily computerized have a control that does a three-way match. A “three-way match” means matching a sales invoice with underlying shipping documents and the customer’s sales order. In many companies where title passes when goods are shipped, revenue is appropriately recognized when all three sets of documents match. Nevertheless, the auditor should always be alert to changes in the terms of sale that might mean revenue should not be recognized, even though goods have been shipped. Accuracy of sales. The software application starts with the population of daily sales invoices and compares quantities with the underlying packing slips, compares prices to the underlying sales order, and checks the mathematical accuracy of the sales invoice. A report is

11-18  C h a pte r 11  Auditing the Revenue Process

generated daily of any prices or quantities on the sales invoices that are not supported by underlying documents or files. Cutoff of sales. The software application starts with the population of daily sales invoices and compares the date on the sales invoice with the date on the underlying bill of lading. A report is generated daily of any sales invoices not recorded in the same accounting period as the shipment. Classification of sales and receivables. The software application starts with the population of daily sales invoices and compares customer numbers with the sales order. Both customer account coding and general ledger coding are compared with the sales order if a sales invoice bills for both goods and services, as these need to be recorded in separate accounts. A report is generated daily of any sales invoices showing incorrect account coding, for example, billing the wrong customer or recording revenue for selling goods when services are sold. Existence of receivables, valuation of receivables at historic cost, and possible completeness of accounts receivable. Monthly statements are sent to customers. An independent process is set up so that customers can lodge a complaint with a person in the company who is independent of recording sales and receivables. Customers will complain if they are billed for items that were not ordered or not received. Rights and obligations of accounts receivable. If receivables are factored or sold with recourse, an independent process is set up to monitor monthly statements received from the factoring agent and monitor payments made by customers to the factoring agent (or payments made to the client in error).

Before You Go On 4.1 How are financial statements misstated if there is a material misstatement in the completeness assertion regarding credit sales? Describe a key control to detect and correct this problem. 4.2 How are financial statements misstated if there is a material misstatement in the occurrence assertion regarding credit sales? Describe a key control to detect and correct this problem. 4.3 How are financial statements misstated if there is a material misstatement in the existence of accounts receivable? Describe a key control to detect and correct this problem.

Control Activities for Cash Receipts LEA RNING OBJECTI VE 5 Evaluate control activities for cash receipt transactions.

The cash receipts function involves the following subfunctions: (1) receiving cash, (2) depositing cash, and (3) recording the receipts. As in the case of credit sales transactions, segregation of duties in performing these subfunctions is an important internal control. Today, many cash receipts involve the electronic transfer of funds. Funds are received directly by the bank, and the bank establishes controls over receiving cash. Alternatively, customers may send checks to a client, and the client sets up a lockbox opened by the bank. In this case, the checks are once again received directly by the bank, which is responsible for both receiving and depositing cash. This system is described in the following section, “Example Transaction Flows—Cash Receipts.” If a company receives cash or checks directly from customers (such as at a college/university), it must establish initial control over the receipt of cash. In this case, the client creates its own remittance report (independent of the process of recording cash) and makes a detailed list of customers who paid via cash or check and the amounts received. A major risk in processing cash receipt transactions is the possible theft of cash before a record is made of the cash receipt; thus, control procedures should provide reasonable assurance that documentation establishing accountability is created at the moment cash is received and cash is subsequently safeguarded.

  Control Activities for Cash Receipts  11-19

Example Transaction Flows—Cash Receipts Common documents and files that are found in the cash receipts process include: Source Documents •  Remittance advice—A document received from the customer showing details of payments made by the customer. •  Remittance report from the bank—A document prepared by the bank showing the details of electronic funds transfers received by the bank from customers. •  Bank deposit slip—A receipt from the bank showing the total amount deposited to the client’s account at the bank. Recording Cash Receipts •  Daily remittance report (or daily cash receipts journal)—A daily report showing cash recorded in the cash receipts journal that identifies customers making payments on account and the amounts received. This report could be prepared by a bank or prepared by a client that receives cash and checks from customers. Important Databases or Other Documents •  Sales process database—Electronic files accumulating data on sales, cash receipts, and accounts receivables. •  Monthly statements of receivable balances—A report sent to each customer showing the beginning receivable balance, transactions during the month, and the ending receivable balance. An example of how these documents commonly flow through the cash receipts process is presented in Illustration 11.9. Illustration 11.9 is followed by a brief discussion of how cash receipts may be processed in many companies. illustration 11.9   Example flow of transactions for cash receipts

Receiving and depositing cash

Process Electronic funds transfer directly to bank

Documents Remittance report from bank

Files and Databases

Deposit slip

or Check sent to lockbox

Remittance report Remittance from bank advice

Deposit slip

Recording Prelist of cash receipts

Daily remittance report

Record in cash receipts journal

Post to general ledger

Record in A/R subsidiary ledger

Monthly statement

Customer master file

Sales process and G/L database

11-20  C h a pte r 11  Auditing the Revenue Process

Receiving Cash

lockbox system  cash is received at a post office box that is controlled by the client’s bank; the bank picks up the mail daily (or more frequently) and deposits the checks in the company’s bank account

A major risk in processing cash receipt transactions is the possible theft of cash before or after a record of the receipt is made. Control procedures should provide reasonable assurance that documentation establishing accountability is created at the moment cash is received and that the cash is subsequently safeguarded. Electronic funds transfer and lockboxes. Today, the most common form of cash receipts involves either electronic funds transfer (EFT) or physical checks received directly by the bank through a lockbox system. With an electronic transfer of funds, cash goes from the customer’s bank account to the client’s bank account. However, the U.S. economy still uses written checks in significant amounts. Companies that receive checks often receive them through a lockbox (a post office box that is controlled by the company’s bank). The bank picks up the mail daily, deposits the checks in the client’s bank account, and sends to the client the remittance advices, a remittance report listing each individual cash receipt, and a deposit slip. When the bank receives electronic funds transfers, the bank also prepares a remittance report listing each individual cash receipt and a deposit slip. The remittance report is used by the client as a source document to record cash receipts and update accounts receivable. These systems expedite the depositing of funds from customers, permit the company to receive credit for the receipts sooner, and provide external evidence of the existence of the transactions. They also eliminate the risk of theft of the receipts by company employees or the failure to record cash receipts. Cash received by the company. It is less common for larger companies to process their own mail receipts, but this continues to occur in small businesses, governments, and notfor-profit organizations. In these cases, an independent individual with cashier responsibilities should (1) immediately restrictively endorse checks for deposit only (increasing the likelihood that receipts will be deposited and recorded) and (2) list the checks on a remittance report. The latter may be done manually or using software. Immediate preparation of the remittance report establishes accountability for the receipts and provides a batch or control total for use in independent checks on the completeness and accuracy of processing cash receipts. Remittance advices received with the checks, and a copy of the remittance report, are then forwarded to the client’s accounting department for use in updating customer accounts. Over-the-counter receipts. For over-the-counter receipts, a cash register or point-of-sale terminal is indispensable. These devices provide: •  Immediate visual display for the customer of the amount of the cash sale and the cash tendered. •  A printed receipt for the customer and an internal record of the transaction on an electronic file or a tape locked inside the register. •  Printed control totals of the day’s receipts processed on the device. The customer’s expectation of a printed receipt and supervisory surveillance of overthe-counter sales transactions helps to ensure that all cash sales are processed through the cash registers or terminals (completeness and accuracy of cash received). In addition, supervisors may be assigned responsibility for performing independent checks on the accuracy of cash count sheets and verifying agreement of cash on hand with the totals printed by the register or terminal. The cash, count sheets, and register- or terminal-printed totals are then forwarded to the cashier’s department for further processing and inclusion in the bank deposit. Proper physical controls over cash also require that all cash receipts be deposited daily. This control reduces the risk that receipts will not be recorded, and the resulting bank deposit record establishes evidence of the occurrence of the recorded transactions. When over-the-counter and mail receipts are received by the cashier, an independent check should be made to determine their agreement with the accompanying cash count sheets and remittance report, respectively. The totals for each are then entered on a daily cash summary, and the deposit is prepared. After making the deposit, the daily cash summary and validated deposit slip should be forwarded to general accounting for posting to accounts receivable.

  Control Activities for Cash Receipts  11-21

Recording Cash Received Recording cash receipts involves journalizing cash received by a bank, over the counter, and by mail and posting receipts to customer accounts. Controls should ensure only valid receipts are entered, all actual receipts are entered, and entries are at the correct amounts. Over-the-counter receipts are generally recorded in general accounting based on the daily cash summary received from the cashier. In most cases, a company will receive an electronic file from the bank that it may use to update the sales and accounts receivable database. If cash or checks are received by the entity, it is common for accounts receivable clerks to use software to enter cash received from an internal prelist into the sales and accounts receivable database.

Granting Cash Discounts Cash discounts are commonly granted for timely receipt of payments from customers, such as a 1% discount granted if cash is received within 10 days of the invoice date. Trade terms are often stated on the invoice and the software application can test the appropriateness and the accuracy of the discount by comparing the cash receipts date with the invoice date and recomputing the cash discount.

Identify WCGW and Identify Key Controls—Cash Receipts Once the auditor understands the flow of transactions for cash receipts, the auditor should evaluate what can go wrong, identify potential controls management has placed in operation, and then identify key controls the auditor wants to test. Illustration 11.10 summarizes the flow of transactions through the revenue process, key documents and files, what can go wrong, and example controls. As you review Illustration 11.10, try to associate particular controls with the assertions they are controlling. ILLUSTRATION 11.10   Cash receipts transactions: WCGW and example controls

Transaction Receiving and depositing cash

Documents and Files Remittance advice from customer, bank remittance report, deposit slip

Risks (WCGW)

Example Control

Mail receipts may be lost or misappropriated after receipt.

Electronic funds transfer directly to bank or establish a lockbox arrangement with the bank.

Cash may be taken (skimmed) or not be deposited intact daily. Inappropriate cash discounts may be taken by customers.

Cash received by the client

The client’s software application can recalculate cash discounts taken by customers.

Cash sales may not be recorded.

Use of cash registers or point-of-sale devices.

Prelist of cash receipts

Mail receipts may be lost or misappropriated after receipt.

Immediate preparation of prelist of mail receipts. Restrictive endorsement of checks immediately upon receipt.

Prelist of cash receipts, remittance advices

Checks received may not agree with prelist of cash.

Independent check of agreement of remittance advices with prelist of cash received.

Cash deposited by the client

Bank deposit slip, prelist of cash receipts, bank remittance report

Cash may not be deposited intact daily.

Independent check of agreement of prelist of cash receipts or bank remittance report with validated deposit slip.

Recording cash receipts

Sales database, prelist of cash receipts, bank remittance report

Cash receipts may be recorded in error.

Software agreement of amounts journalized and posted with the prelist of cash receipts or bank remittance report.

Independent bank reconciliation

Errors may be made in journalizing cash receipts.

Preparation of periodic independent bank reconciliations.

Monthly statement to customers

Receipts may be posted to the wrong customer account.

Mailing of monthly statements to customers.

11-22  C h a pte r 11  Auditing the Revenue Process

As noted earlier, auditors cannot efficiently test all controls that exist. Instead, auditors will find a few key controls and attempt to identify the most important control for each assertion. Following are example key controls auditors often test for cash receipts transactions. The examples rely significantly on IT application controls to flag potential misstatements. In this case, the auditor must understand both the IT control and how clients manually follow up on exceptions on a timely basis. Completeness of cash receipts. The software application compares each item in the bank remittance report (or the prelist of cash receipts if cash and checks are received by the client) to develop a one-for-one match with recorded cash receipts in the daily remittance report. An exception report is generated daily of any cash receipts that have not been recorded. However, the strength of these controls depends on adequate segregation of duties and controls establishing immediate recorded accountability for all cash receipts to prevent the diversion or skimming of cash receipts. Occurrence of cash receipts. The software application starts with the population of daily cash receipts recorded in the daily remittance report (daily cash receipts journal) and develops a onefor-one match with the bank remittance report (or prelist of cash received). An exception report is generated daily of any recorded cash receipts not supported by the bank remittance report. Accuracy of cash receipts. The software application starts with the population of daily cash receipts recorded in the daily remittance report (daily cash receipts journal) and compares the dollar amount of each recorded cash receipt with the bank remittance report (or prelist of cash received). The accuracy of any discounts for early payment by customers is double-checked by the software application. An exception report is generated daily for any recorded values of cash received not supported by a remittance report or for inappropriate discounts taken by customers for early payment. Cutoff of cash receipts. The software application starts with the population of daily cash receipts recorded in the daily remittance report (daily cash receipts journal) and compares the date recorded in the daily remittance report with the date received and deposited by the bank (or date on the prelist of cash receipts). An exception report is generated daily for any cash receipts recorded in the incorrect time period. Classification of cash receipts. The software application starts with the population of daily cash receipts recorded in the daily remittance report (daily cash receipts journal) and compares customer account numbers on the daily remittance report (cash receipts journal) with the customer numbers on the bank remittance report. An exception report is generated daily of any cash receipts posted to the incorrect customer.

Audit Reasoning Example  Diverting Cash Receipts Lucas (audit manager) and Robert (audit staff) are working on the audit of a political campaign. Robert has just assessed control risk as low for cash receipts. Lucas asks Robert: “Did you consider the highest risk of fraud in cash receipts happens when an individual is able to divert cash receipts before funds are deposited and recorded in the accounting records? I recall reading a story about a campaign treasurer who received a donation and diverted it for personal use, without depositing the funds in the political campaign. Do you think this could be a problem?” Robert responds that he had not considered cash being diverted before being received by the client. Lucas goes on, “We have several clients who own restaurant chains. Do you think this is a problem for them?” Robert thinks for a moment and then responds. “Now that I think about it, this is a problem. I recall paying for a meal at a small restaurant in cash and getting change, but not a receipt. I guess that also is a way to divert cash and not record the transaction. I suppose the completeness assertion is a high inherent risk assertion for most restaurants.” Lucas responds, “You are right, Robert. Now let’s go back and revisit this campaign’s internal control over collecting cash.”

Before You Go On 5.1 How are financial statements misstated if there is a material misstatement in the completeness assertion regarding cash receipts? Describe a key control to detect and correct this problem. 5.2 How are financial statements misstated if there is a material misstatement in the cutoff assertion regarding cash receipts? Describe a key control to detect and correct this problem.

  Control Activities for Sales Adjustments and Revenue Process Disclosures   11-23

Control Activities for Sales Adjustments and Revenue Process Disclosures LEA RNING OBJECTI VE 6 Evaluate control activities for sales adjustment transactions and revenue process disclosures.

Sales adjustments involve adjustments for goods returned by the customer, discounts given to customers associated with defects in goods received by the customer, and period-end adjustments to record a provision for bad debt expense or to record the write-off of accounts receivable. Important documents and records used in processing sales adjustments include the following: •  Sales return authorization—A form showing the description, quantity, and other data pertaining to goods the customer is authorized to return. It serves as the basis for initiating the sales return and internal processing of the customer return by the seller. •  Authorization for accounts receivable write-off—A form showing the procedures taken to attempt collection and to document authorization of accounts receivable write-off. •  Receiving report—A report prepared on the receipt of goods from customers showing the kinds and quantities of goods received. •  Credit memo—A form stating the particulars of a credit to accounts receivable, includ­ing the specific items returned, prices, and amount credited to a customer’s account. It provides the basis for recording the sales return or a sales adjustment for damaged goods. •  Journal entry—A document used to record adjustments such as a provision for bad debt expense or an accounts receivable write-off in the general ledger. •  Cash receipts journal—A journal listing cash receipts from cash sales and collections on accounts receivable. In many companies, the number and dollar value of sales adjustments is immaterial. However, in some companies, the potential for misstatements resulting from errors and fraud in the processing of these transactions is considerable.

Granting Sales Returns and Allowances The possibility of fictitious sales adjustment transactions being recorded is a primary concern because it may be used to conceal fraud in processing cash receipts. For example, an employee might misappropriate cash received from a customer and cover up the fraud by writing a credit memo to reduce the receivable from the customer. Accordingly, control activities useful in reducing the risk of fraud focus on establishing the occurrence of such transactions and include the following: •  All sales returns should be authorized by sales management. •  Goods should be received only with a proper sales return authorization, and an independent count of goods returned should be recorded on a receiving report. •  The software application should match the credit memo information with the sales order, authorization of sales return, and receiving report.

11-24  C h a pte r 11  Auditing the Revenue Process

disclosure committee  a committee often led by the CFO or chief legal officer with the purpose of helping ensure that financial statement disclosures are accurate, complete, and fairly presented in all material respects

Further, there should be adequate segregation of duties for authorizing sales returns, receiving goods, and recording credit memos. Usually, the business unit that makes the sale will have the responsibility of authorizing sales adjustment transactions. When there is the potential for material misstatements from sales adjustments transactions, the auditor should obtain an understanding of all relevant aspects of the internal control components and consider the factors that affect the risk of such misstatements. If a provision for sales returns is estimated at quarter-end, management should establish controls to ensure adjustments are made based on reliable information and adjustments are consistent from quarter to quarter. In larger public companies, a disclosure committee reviews these estimates if they could aggregate with other adjustments to an amount that is material to the financial statements. A disclosure committee is typically led by the CFO and includes individuals in management who are knowledgeable about the condition of the company and required financial reporting disclosures relevant to the revenue process.

Determining Uncollectible Accounts Strong internal controls over the write-off of uncollectible accounts are important to prevent write-offs from being used to conceal fraud in processing cash receipts. For example, an employee might misappropriate cash received from a customer and cover up the fraud by writing off the customer’s account against the allowance for uncollectible accounts. Strong internal controls include: •  All write-offs of uncollectible accounts should be authorized by an appropriate level of management and supported by documentation, such as correspondence with the customer or collection agencies. •  Journal entries for write-offs should be reviewed by management to ensure the appropriateness of the transaction. In addition, management should establish controls over accounting estimates such as the provision for bad debt expense. Management should ordinarily establish a process for monitoring aging and the collectibility of receivables. Hindsight should be used to evaluate the adequacy of prior provisions for bad debt expense compared with subsequent receivables that went uncollectible. It is essential that the data used to develop a provision for bad debt expense (the history of accounts written off) be reliable. In addition, a qualified and independent disclosure committee should review the allowance on a regular basis. These controls are necessary to determine the adequacy of the allowance.

Other Controls in the Revenue Process The previous discussion focused on controls over transactions. It is also important to control balances and disclosures. The primary account balance in the revenue process is accounts receivable. If strong controls exist over credit sales, cash receipts, and sales adjustments, the accounts receivable balance should also be controlled, as it is the product of recording these transactions. Most companies control the completeness, existence, and valuation of receivables at historical cost by sending monthly statements to customers. The function of following up on issues raised by customers should be independent of accounts receivable personnel. Controls over the rights and obligations assertion relate to whether the company has a legal claim to receivables. A company normally gives up claims to collection of receivables when it sells the receivables or pledges receivables as collateral. These transactions may not exist in many entities. However, if an entity sells its receivables with recourse, it should keep a documentary record of receivables that have been sold. This record should be compared with monthly statements sent by a bank or factoring company. This provides an independent check on the accuracy of the company’s records. Finally, management should establish controls over the occurrence and rights and obligations of disclosures, the completeness of disclosures, the classification and understandability

 Tests of Controls in the Revenue Process and Audit Strategy   11-25

of disclosures, and the accuracy and valuation of information included in disclosures. Common disclosures in the revenue process include: •  Reclassification of material credit balances in accounts receivable as accounts payable. •  Segregation of short-term trade receivables from long-term trade receivables. •  Disclosure of major customers. •  Disclosure of sales by geographic regions or major product lines. •  Disclosure of receivables from officers, directors, employees, or related parties. Public companies normally accomplish this task with a disclosure committee that works with the CFO or controller to review disclosures. Many companies use a current GAAP disclosure checklist to assist in this process.

Before You Go On 6.1 Explain the fraud that might be covered up by granting inappropriate sales adjustments or by inappropriately writing off accounts receivable. Describe an internal control to detect and correct this problem. 6.2 Explain appropriate controls over journal entries to provide for bad debt expense. 6.3 Explain an appropriate control over revenue process disclosures.

Tests of Controls in the Revenue Process and Audit Strategy LEA RNING OBJECTI VE 7 Determine how to design and perform tests of controls in the revenue process and connect the results of control testing to audit strategy.

The following discussion identifies potential tests of controls that may be used to determine if a client’s controls in the revenue process are effective. Once the auditor has evaluated the quality of the system of internal control, the audit team is in a good position to evaluate the opportunity for fraud risk. The fraud risk assessment should be approached with professional skepticism. Finally, this section focuses on the links between risk of material misstatement (RMM) and subsequent strategy for substantive testing.

Tests of Controls in the Revenue Process Most auditors plan to test controls in the revenue process because of the high volume of routine transactions in this process. Public company auditors test controls to support an opinion on internal control. Auditors of private companies will test controls that appear to be effective because of the audit efficiencies that exist when the client has effective controls in place. If the client relies on IT controls and the auditor plans to assess control risk as low for revenue process assertions, the auditor will usually: •  Test the effectiveness of IT general controls. •  Use generalized audit software to evaluate the effectiveness of IT application controls.

11-26  C h a pte r 11  Auditing the Revenue Process

•  Test the effectiveness of manual procedures to follow up on exceptions identified by IT application controls. The auditor will usually test the effectiveness of IT general controls as part of testing entity-level controls. For example, when testing the control environment, the auditor might pay particular attention to making inquiries and collecting supporting evidence regarding employee awareness of IT security issues. If the auditor is testing issues regarding controls over program changes, the auditor might determine how program access is controlled and monitored, look at logs of program access or incident reports, and talk to users about their involvement in program changes affecting their responsibilities. The auditor will want to pay attention to segregation of duties regarding access to programs and access to data, the effectiveness of password controls, and the follow-up of any incident reports regarding unauthorized access. The auditor will also want to understand controls over back-up and recovery of programs and data, and test the effectiveness of these controls. These tests are often performed by an IT audit specialist. Auditors often use test data to test IT application controls and determine whether expected results appear on exception reports. For example, in the revenue process, the auditor might submit: •  A missing or invalid customer code. •  An invalid product code. •  An order that exceeds a customer’s credit limit. •  Transactions reporting shipments in quantities different from the amount ordered (both over and under). •  Prices, vendor numbers, or other information on sales invoices that do not match information on the sales order. •  Invoice quantities that do not match quantities on shipping documents. The auditor might also use generalized audit software to perform sequence checks and print lists of sales orders, shipping documents, or sales invoices whose numbers are missing in designated sequences of prenumbered documents. Finally, the auditor will need to test the appropriateness of manual follow-up of exceptions noted by the software application. If exception reports are printed daily, the auditor might select a sample of exception reports to determine if exceptions are cleared on a timely basis. The auditor might make inquiries of personnel responsible for clearing exceptions to determine their awareness of the types of misstatements that might appear on exception reports. The auditor should also follow through on previously noted exceptions to determine they were cleared appropriately and on a timely basis.

Fraud Risk Assessment

lapping  a scheme where an accounting clerk incorrectly classifies cash receipts from one customer to another in order to cover up the diversion of funds from a customer for personal gain

After evaluating inherent risk and control risk, the auditor is in a position to evaluate fraud risk. The auditor will consider incentives and pressures on management that may push management toward fraudulent financial reporting, such as the nature of management compensation plans, or whether management is trying to show a growth trend to investors or meet previously forecasted revenue targets. The auditor should also be alert to situations where an employee may have personal reasons to misappropriate assets, such as affording the costs of private schools or universities. Ultimately, a key aspect of fraud risk relates to the opportunity that may or may not present itself based on the quality of the system of internal control. An auditor’s concerns are heightened when the control environment is weak, or control activities are nonexistent. In not-for-profit organizations, smaller companies, or governments, segregation of duties may be weak or nonexistent. In these cases, the auditor with appropriate professional skepticism should consider fraud risk to be high. A common scheme to conceal the misappropriation of cash receipts is called lapping. The opportunity for a lapping scheme begins when a customer pays cash toward an accounts receivable balance. Then, an employee steals the cash that is received from the customer. Say an employee is able to steal a $1,000 payment from Customer A. To prevent Customer A from

 Tests of Controls in the Revenue Process and Audit Strategy   11-27

complaining, when $1,500 is received from Customer B, it is accounted for as $1,000 from Customer A and $500 from Customer B. Subsequently, the accounts receivable clerk must cover the shortage from Customer B with funds from another customer, and so on. Sometimes the fraudster can solve the problem of keeping this going by falsifying a sales adjustment to reduce the receivable, or by writing off part of a customer’s balance through a journal entry. The auditor should be alert to the possibility of fraud when a cash receipt is credited to the wrong customer, or there is little or no justification for a sales adjustment or receivable write-off.

Audit Data Analytics as a Risk Assessment Procedure Audit data analytics is often used to identify transactions or balances with a significant risk of material misstatement. The first step in planning the use of ADA is determining the overall purpose of the test. This first step requires business acumen, knowledge of the client, and an understanding of how ADA might be effective in the audit of revenues and receivables. For example, if the client is in the construction industry (using the percentage-of-completion method for revenue recognition), the auditor might use ADA to investigate work in progress and the gross margins on each project in the fourth quarter compared to gross margins on completed projects. This may be a way to identify projects with unusually high (or low) gross margins and focus more tests of details on these contracts. Alternatively, if the auditor is concerned about fraud risk and premature revenue recognition, the auditor might use ADA to identify customers with no sales representatives assigned to the customer, sales transactions with no sales commissions codes, or customers having no cash receipts during the period. Because anomalies may vary significantly from one client to the next, ADA are often custom-made to the client’s circumstances.

Audit Reasoning Example Detailed Analysis of Contracts Reveals Problems at a Construction Company

Toni Koyama is working on the audit of a construction company. Shortly after the fourth quarter ended, Toni ran some data analytics and has the following information: Quarter 1

Quarter 2

Quarter 3

Quarter 4

Gross margin on work in progress

15.5%

15.9%

16.6%

18.9%

Gross margin on completed contracts

20.8%

20.1%

12.3%

6.9%

Toni notes the gross margin on completed contracts declines quarter by quarter. Gross margin on work in progress actually increases in the fourth quarter. Toni wonders where to look next. Receivables from customers are increasing, and work in progress inventory is also increasing. Toni is now concerned in two ways. Does the client have a problem with (1) premature revenue recognition, (2) the capitalization of costs that should be expensed, or (3) both? Two risks have clearly been identified. Now, more tests of details of revenues recognized along with work in progress inventory are warranted.

The Risk of Material Misstatement and Audit Strategy Once the auditor has tested internal controls, the auditor will determine whether the auditor’s expectations regarding the effectiveness of internal controls are confirmed. Tests of controls are performed when the auditor expects that internal controls are effective. If the auditor’s expectations regarding effective controls are not confirmed, the auditor will need to evaluate the significance of the deficiencies noted and determine if the client has a compensating control in place that the auditor might rely on. If no compensating control exists, the auditor will need to revise the audit strategy as control risk is now higher than initially planned, determine

11-28  C h a pte r 11  Auditing the Revenue Process

if fraud risk is increased as a result of the internal control deficiency, and determine how to revise planned substantive tests for the revenue process. The auditor may need to change the timing of planned substantive tests related to an assertion from interim testing to testing year-end balances. The auditor may also have to consider increasing sample sizes when sampling is involved. If internal controls related to an assertion are ineffective, the auditor will need to communicate significant deficiencies or material weaknesses to management and to those charged with governance of the entity.

Cloud 9 - Continuing Case As Josh and Suzie consider the risk of material misstatement, Suzie notes they have conducted extensive testing of Cloud 9’s controls over sales, cash receipts, and sending monthly statements to customers, and many of these were dual-purpose tests. Therefore, they have assurance about both the quality of internal

c­ ontrols and the fact that tested transactions were recorded correctly. As they plan substantive tests, Josh confirms that Suzie is thinking correctly, and that they have already done significant tests of transactions at an interim date. They will, however, need to update these tests for the period remaining in the fiscal year.

Before You Go On 7.1 If the auditor has identified an IT application control related to the completeness of revenues, and IT general controls have already been determined to be effective, suggest how the auditor might test the effectiveness of such IT application controls and related manual follow-up. 7.2 Explain lapping. What might be evidence that lapping has occurred? 7.3 Assume an auditor is auditing a private company that sells computer hardware and offers servicing contracts to maintain the computer. If internal controls are weak, what are the implications for developing an audit strategy in the revenue process?

Substantive Tests for the Revenue Process LEA RNING OBJECTI VE 8 Assess detection risk and design substantive tests, including audit data analytics, to address various assertions in the revenue process.

At this stage the auditor has evaluated inherent risks, evaluated and tested the system of internal control in the revenue process, and developed an audit strategy. What remains is performing substantive tests. The following discussion focuses on identifying the appropriate substantive tests for relevant assertions in the revenue process. It further addresses performing initial procedures, performing analytical procedures as a substantive test, considering when the auditor would want to audit an entire population, performing tests of details of transactions, performing tests of details of account balances, and performing tests of details of presentation and disclosure assertions. Illustration 11.11 presents a suggested audit program for substantive tests of revenue process assertions, which is followed by a discussion of each of the steps. The audit procedures in Illustration 11.11 are most likely to be associated with manufacturing companies or wholesalers. If the auditor is auditing a retail grocery store, it is unlikely to have significant receivables. A hotel is more likely to have significant unearned revenue than accounts receivable, and the auditor will have to determine the best way to evaluate unearned revenues. Finally, a college is less likely to have significant receivables from students. In many cases, students use student loans from sources other than the college or university.

  Substantive Tests for the Revenue Process  11-29 ILLUSTRATION 11.11   Substantive tests in the revenue process

Category

Substantive Test

Relevant Assertion

Initial procedure

1.  Obtain an understanding of the business and industry and determine:

All

a.  the significance of revenues and accounts receivable to the entity b.  key economic drivers that influence the entity’s sales, margins, and collections c.  standard trade terms in the industry, including seasonal dating, collections period, etc. d.  the extent of concentration of activity with customers 2. Perform initial procedures on accounts receivable balance and records that will be subjected to further testing. a.  Trace beginning balance for accounts receivable to prior year’s working papers.

Valuation and allocation, Rights and obligations

b. Scan the activity in the general ledger account for accounts receivable and investigate entries that appear unusual in amount or source. c. Obtain accounts receivable trial balance and determine that it accurately represents the underlying accounting records by:

Valuation and allocation

i. footing the trial balance and determining agreement with (1) the total of the subsidiary ledger or accounts receivable master file, and (2) the general ledger balance ii. verifying agreement of customer balances listed on the trial balance with those included in the subsidiary ledger or master file Analytical procedures

3.  Perform analytical procedures:

All

a. Develop an expectation for accounts receivable using knowledge of the entity’s business activity, market share, normal trade terms, and its history of accounts receivable turnover in days. b.  Calculate ratios: i.  compare sales to the entity’s capacity ii.  compare sales growth and receivable growth iii.  accounts receivable turnover in days iv.  uncollectible accounts expense to net credit sales v.  uncollectible accounts expense to accounts receivable write-offs c. Analyze ratio results relative to expectations based on prior years, industry data, budgeted amounts, or other data.

Tests of details of transactions

Occurrence, a. Vouch recorded revenue transactions to supporting sales invoices, shipping documents, and sales Accuracy, Cutoff, orders. Classification b. Vouch cash receipt transactions to supporting bank remittance reports and remittance advices.

4.  Vouch a sample of recorded revenue process transactions to supporting documentation.

c. Vouch sales adjustment transactions to authorizations for sales returns and allowances or uncollectible account write-offs. 5. Trace a sample of revenue transactions from shipments to recording in the sales journal. Also trace a sample of cash receipts and sales returns to their recording in the accounting records.

Completeness

6.  Perform cutoff test for sales and sales returns.

Cutoff

a. Select a sample of recorded sales transactions from several days before and after year-end and examine supporting sales invoices and shipping documents to determine sales were recorded in the proper period. b. Select a sample of credit memos issued after year-end, examine supporting documentation such as dated receiving reports, and determine that returns were recorded in the proper period. Also consider whether volume of sales returns after year-end suggest possibility of unauthorized shipments before year-end. 7.  Perform cash receipts cutoff test.

Cutoff

a. Observe that all cash received through the close of business on the last day of the fiscal year is included in cash on hand or deposits in transit and that no receipts of the subsequent period are included, or b. Scan documentation such as daily cash summaries, duplicate deposit slips, and bank statements covering several days before and after year-end for proper cutoff. (continued)

11-30  C h a pte r 11  Auditing the Revenue Process ILLUSTRATION 11.11   (continued)

Category Tests of details of balances

Relevant Assertion

Substantive Test 8.  Confirm accounts receivable. a.  Determine the form, timing, and extent of confirmation requests. b.  Select and execute sample and investigate exceptions. c. For positive confirmation requests for which no reply was received, perform alternative follow-up procedures:

Existence, Valuation and allocation, Completeness

• Vouch subsequent cash receipts identifiable with items comprising account balance at confirmation date to supporting documentation. • Vouch items comprising balance at confirmation date to documentary support such as sale orders and shipping documents. 9.  a.  Inquire about the sale, factoring, or pledging of accounts receivable. b. Send confirmations to entities that have purchased accounts receivable or hold accounts receivable as collateral. 10.  Evaluate adequacy of allowance component for each aging category and in the aggregate. a.  Foot and crossfoot the aged trial balance of receivables and agree total to the general ledger.

Rights and obligations Valuation and allocation

b.  Vouch amounts in aging categories for a sample of accounts to supporting documents. c.  For past–due accounts: • Examine evidence of collectibility, such as correspondence with customers and outside collection agencies, credit reports, and customers’ financial statements. • Inquire about collectibility of accounts with appropriate management personnel. d. Evaluate management’s process for estimating the allowance for doubtful accounts using hindsight. e.  Evaluate the adequacy of the allowance given information about • industry trends • aging trends • collection history for specific customers Tests of details of presentation and disclosure

11.  Compare statement presentation with GAAP. a. Compare disclosures related to existence and rights and obligations of receivables to the results of tests performed above.

Occurrence and rights and obligations

b. Verify that receivables are properly identified and classified as to type and expected period of realization.

Classification and understandability

c. Verify whether there are credit balances that are significant in the aggregate and that should be reclassified as liabilities.

Classification and understandability

d. Verify the appropriateness of disclosures and accounting for related party, pledged, assigned, or factored receivables.

Occurrence and rights and obligations

e. Verify the need for disclosures regarding significant customers or sales by line of business.

Completeness

f. Evaluate the completeness of presentation and disclosures for receivables in drafts of financial statements to determine conformity to GAAP by reference to disclosure checklist.

Completeness

g. Read disclosures and independently evaluate their understandability. h. Vouch the accuracy of receivable disclosures to tests performed above.

Classification and understandability, Accuracy and valuation

Initial Procedures The starting point for every audit test is obtaining an understanding of the business and industry. As previously discussed, it is important to understand the entity’s policies regarding revenue recognition, as well as the entity’s underlying economic drivers that impact total revenues and gross margin. The auditor should also understand standard trade terms, industry and client collection

  Substantive Tests for the Revenue Process  11-31

experience, seasonal aspects of the industry, and the extent of concentration of business with particular customers. This knowledge provides the context for evaluating the results of analytical procedures, tests of controls, and substantive tests. For example, the evidence obtained when performing detail tests of transactions and balances, such as invoice prices or size of receivables for particular customers, should be consistent with expectations about industry competitiveness, the entity’s productive time capacity, and the existence of major customers. An important initial procedure for verifying accounts receivable and the related allowance account is tracing the current period’s beginning balances to the ending audited balances in the prior year’s working papers (when applicable). Next, the current period’s activity in the general ledger control account and related allowance account should be scanned for any significant entries that are unusual in nature or amount and that may require special investigation. For example, the auditor should investigate any receivables and revenues that are not booked by way of recording sales invoices in the sales journal. In addition, a listing of all customer balances, called an accounts receivable trial balance, is obtained (usually in digital form). The auditor uses generalized audit software to foot the accounts receivable trial balance and the total should be compared with (1) the total of the subsidiary ledger or master file from which it was prepared and (2) the general ledger control account. The auditor should also compare a sample of the customer balances shown on the trial balance with that in the subsidiary ledger and vice versa to determine that the trial balance is an accurate and complete representation of the underlying accounting records. It can then serve as the physical representation of the population of accounts receivable to be subjected to further substantive testing. Alternatively, the auditor can produce the accounts receivable trial balance directly from the client’s master file using audit software. If the auditor can obtain the client’s records in ­machine-readable form, the auditor can also use generalized audit software to identify significant customers, analyze the volume of transactions with customers, and identify unusual transactions or a high volume of transactions near year-end. The initial procedures in verifying the accuracy of the trial balance and determining its agreement with the general ledger balance relate primarily to the valuation and allocation assertion.

Substantive Analytical Procedures As discussed extensively in Chapter 9, auditors can use analytical procedures as a substantive procedure to gather evidence in support of assertions related to account balances or transactions. However, analytical procedures are not required to be used as a substantive procedure. Illustration 11.4 provided examples of analytical procedures that are commonly used in the revenue process. When these analytical procedures are used during risk assessment, the auditors are using data up through the clientʼs second quarter and possibly into the third quarter. If analytical procedures are used as a substantive procedure during risk response, the auditors are using data through the clientʼs third quarter or even the entire year if it is after year-end. Therefore, when used as a substantive procedure, the auditor typically has more data to analyze and can develop more precise expectations of the accounts receivable balance, of the relationship of accounts receivable to sales, and of the clientʼs gross margins. The auditor may also want to develop analytical procedures that are custom-made for the client. The more reliable the data, and the more predictable the analytical model, the more assurance the auditor might obtain from substantive analytical procedures, thus reducing the extent of tests of details of transactions or balances. For example, analytical procedures comparing production with revenues may be an effective way to test the completeness of sales and receivables. If these procedures show that sales are consistent with capacity utilization, the auditor can reduce the extensiveness of tests of transactions.

Audit Data Analytics as a Substantive Test The right ADA may be a very effective substantive test of details. For example, many public utilities have a very high percentage of customers that pay the amount billed each month. Matching subsequent cash receipts with billings may be a very effective way of testing the occurrence of revenue and the existence of receivables for consumers that may not respond to confirmations. The auditor may also learn a great deal by following up on customers with no payments.

11-32  C h a pte r 11  Auditing the Revenue Process

If a merchandising client has strong internal controls, the auditor might consider matching electronic information from the sales order, the shipping documents, and the sales invoice to test the occurrence and completeness of revenue. The ­effectiveness of this procedure might depend on how often items are backordered. Each time an item must be backordered, and an order is not shipped in its entirety, the transaction will likely require further investigation.

Tests of Details of Transactions Tests of details of transactions may be performed during interim work along with tests of controls in the form of dual-purpose tests. Alternatively, tests of details of transactions may be performed separately. This section describes key tests of details of transactions and the assertions they are designed to test. Further, this section describes cutoff tests that are usually performed as part of year-end work.

Vouch Revenue Transactions To vouch revenue transactions, the auditor will select a sample of sales invoices (see Illustration 11.7) to vouch to the supporting source documents to provide evidence pertaining to the occurrence, accuracy, classification, and cutoff assertions. Credit memos can be vouched to receiving reports and sales adjustment authorizations. These tests will be performed more extensively when the applicable level of detection risk to be achieved is low, when confirmation procedures are not practicable, or to supplement confirmation procedures. Transactions might be selected for vouching by way of a random sample. Alternatively, the auditor might use ADA to screen 100% of transactions and identify unusual transactions that do not fit the norm for the company. Determining what fits or does not fit the norm is a matter of considerable professional judgment that relies on the auditor’s knowledge of the company and the industry. For example, the auditor of a hotel might review all transactions to identify unusual amounts of revenues per room and follow up on only high-risk transactions. The auditor would then vouch the group of high-risk (unusual) transactions.

Trace Revenue Transactions To test the completeness assertion, the auditor should trace a sample of sales, cash receipts, and sales adjustment transactions to their recording in the accounting records. For sales, the auditor should start with a sample of shipping documents (see Illustration 11.7) and trace transactions to the sales journal. For cash receipts, the auditor would sample items from the prelist of cash (see Illustration 11.9) and trace them forward to the cash receipts journal. For sales returns, the auditor would normally start with the sale returns authorization and trace forward to the receiving report and the entry in accounting records. The completeness of sales returns may be a particular concern if management has incentives to overstate revenues, and internal controls over sales returns are weak.

Perform Cutoff Tests for Sales and Sales Returns

FOB shipping point  title passes from seller to buyer when goods are shipped FOB destination  title passes from seller to buyer when goods arrive at the customer’s warehouse

The sales cutoff test is designed to obtain reasonable assurance that (1) sales and accounts receivable are recorded in the accounting period in which the transactions occurred and (2) the corresponding entries for inventories and cost of goods sold are made in the same period. Sales should be recorded in the period in which legal title to the goods passes to the buyer. When goods are shipped from inventory FOB (free on board) shipping point, title passes on the date of shipment. When the terms of sale are FOB destination, title does not pass until the buyer receives the goods. As a practical matter, the seller may add one to a few days to the shipping date to estimate the date the goods will arrive at their destination as a basis for determining the date on which to record the sale. The sales cutoff test is made as of the balance sheet date. For sales of goods from inventory, the test involves comparison of a sample of recorded sales from the last few days of the current period and the first few days of the next period with shipping documents to determine whether the transactions were recorded in the proper period. When prenumbered shipping documents are issued in sequence and the auditor is on hand to observe the number of the last shipping document used in the current period, he or she should make a record of these

  Substantive Tests for the Revenue Process  11-33

numbers in the audit documentation. The auditor can subsequently determine that each sales transaction recorded prior to year-end is supported by a shipping document with a number issued in the current period and that each sales transaction recorded after year-end is supported by a shipping document with a number issued in the subsequent period. Illustration 11.12 provides some examples of potential sales cutoff issues, assuming the shipping terms are FOB shipping point. For a calendar-year client, if January sales are recorded in December, there is a misstatement of the occurrence assertion. Conversely, if December sales are not recorded until January, there is a misstatement of the completeness assertion. Date on the Shipping Date on the Documents Sales Invoice

Potential Misstatement

December 30, 2022

December 31, 2022

No problem

December 30, 2022

January 3, 2023

Completeness of revenues and receivables

January 3, 2023

December 30, 2022

Occurrence of revenues and existence of receivables

The sales return cutoff test is similar and is particularly directed toward the possibility that returns made prior to year-end are not recorded until after year-end, resulting in the overstatement of receivables and sales. The correct timing can be determined by examining dated receiving reports for returned merchandise and correspondence with customers. The auditor should also be alert to the possibility that an unusually heavy volume of sales returns after year-end (perhaps up to the end of fieldwork and report date) could signal unauthorized shipments before year-end to inflate recorded sales and receivables.

Perform Cash Receipts Cutoff Test The cash receipts cutoff test is designed to obtain reasonable assurance that cash receipts are recorded in the accounting period in which they are received. A proper cutoff at the balance sheet date is essential to the correct presentation of both cash and accounts receivable. For example, if December collections from customers are not recorded until January, accounts receivable will be overstated and cash will be understated at the balance sheet date. Conversely, if January collections from customers are recorded in December, cash will be overstated and accounts receivable will be understated. Thus, this test relates to the existence or occurrence and completeness assertions for both cash and accounts receivable. When most cash receipts are received by way of electronic funds transfer or through a lockbox, the process begins by reconciling the timing of receipt by the bank with recording in a cash receipts journal. The objective of this procedure is to determine that the deposit slip total agrees with the receipts shown on the daily cash summary, and that individual cash receipts are properly allocated to each customer in the correct time period.

Tests of Details of Balances Two primary sets of procedures in this category of substantive tests for accounts receivable are discussed below: (1) confirmation of receivables and the related follow-up procedures and (2) procedures for evaluating the adequacy of the allowance for uncollectible accounts.

Confirmation of Accounts Receivable Confirmation of accounts receivable involves direct written communication between the client’s customers and the auditor. The confirmation of receivables is a generally accepted audit procedure. PCAOB AS 2310 The Confirmation Process and AU-C 505 External Confirmations state there is a presumption that the auditor will request the confirmation of receivables during an audit unless: •  Accounts receivable are immaterial to the financial statements. •  The use of confirmations would be ineffective as an audit procedure.

ILLUSTRATION 11.12     Potential sales cutoff issues

11-34  C h a pte r 11  Auditing the Revenue Process

•  The auditor’s assessed level of risk of material misstatement at the relevant assertion level is low, and the other planned substantive procedures address the assessed risk. An auditor who does not request confirmation of receivables should document in the working papers how he or she overcame the presumption that confirmations should be requested. For example, the auditor might state the conclusion, based on the prior year’s audit experience on that engagement, that it is expected the responses would be unreliable or the response rates would be inadequate in the current year. Occasionally, clients have prohibited auditors from confirming any or certain accounts receivable. Complete prohibition represents a serious limitation on the scope of the audit that generally results in a disclaimer of opinion on the financial statements. The effect of partial prohibition should be evaluated on the basis of management’s reasons and whether the auditor can obtain sufficient evidence from other auditing procedures. Finally, the auditor must make a decision about the use of positive or negative confirmations. The section “Confirmation” in Chapter 5 discussed the difference between positive and negative confirmations, and the desirability of using positive confirmations in most circumstances. Illustration 11.13 provides an example of a positive confirmation. While confirmations are signed by the client, they should be controlled and mailed by the auditor. Today, there are services that can assist the auditor in providing electronic delivery and receipt of confirmations. A positive confirmation sent electronically will be similar to the confirmation shown in Illustration 11.13. However, the service allows for the customer to send an electronic response securely and confidentially to the audit firm. The use of electronic confirmations is increasing rapidly. ILLUSTRATION 11.13     Example positive confirmation

G.J. Manufacturing P.O. Box 1922, Denver, Colorado 80123 Industrial Automotive P.O. Box 131 Spring Green, Wisconsin 53558 This request is being sent to you to enable our independent auditors to confirm the correctness of our records. It is not request for payment. Our records on December 31, 2022, showed an amount of $16,421.08 receivable from you. Please confirm whether this agrees with your records on that date by signing and returning this form directly to our auditors. An addressed envelope is enclosed for this purpose. If you find any difference, please report details directly to our auditors in the space provided below.

Emily Paulson

Chief Financial Officer

The above amount is correct. □ The above amount is incorrect for the following reasons: 

Signature and Title of Individual Responding to the Confirmation: Date: Please examine this carefully and advise our auditors as to any exceptions at the following address: Bell & Bowerman, LLP Certified Public Accountants 822 17th St., Suite 2200 Denver, CO 80202 A self-addressed envelope is enclosed for your convenience. THIS IS NOT A REQUEST FOR PAYMENT

  Substantive Tests for the Revenue Process  11-35

Timing and Extent of Requests  When the level of detection risk is low, the auditor

ordinarily requests confirmation of receivables as of the balance sheet date. If the risk of material misstatement is low, the auditor is willing to accept a higher level of detection risk, and the confirmation date may be one or two months earlier. In such a case, the auditor is expected to evaluate material changes between the confirmation date and balance sheet date. In some cases, the auditor may elect to reconfirm accounts with unusual changes during the roll-forward period. The extent of confirmation requests, or sample size, is related to the factors discussed in Chapter 10 (Illustration 10.4). Stratification may also affect sample size. For example, auditors frequently seek confirmation of all accounts in excess of a certain dollar amount (less than or equal to tolerable misstatement) and select a random sample of all other accounts. Sample size may be determined judgmentally or with the aid of a statistical sampling plan, as explained in Chapter 10.

Disposition of Exceptions  Confirmation responses will inevitably contain some exceptions. Exceptions may be attributed to goods in transit from the client to customers, returned goods, payments in transit from customers to the client, items in dispute, errors, and irregularities. All exceptions should be investigated by the auditor and their resolution indicated in the auditor’s documentation. For example, an auditor might vouch customer payments in transit to cash receipts after confirmation date by the client. Alternative Procedures for Dealing with Nonresponses  When no response has been received after a confirmation request to a customer, alternative procedures should ordinarily be performed. The two main alternative procedures are (1) examining subsequent collections and (2) vouching open invoices comprising customer balances. The best evidence of existence and collectibility is the receipt of payment from the customer. Before the conclusion of the audit fieldwork, the client will receive payments from many customers on amounts owed at the confirmation date. The matching of such collections back to unpaid invoices comprising the customers’ balances at the confirmation date establishes the existence and collectibility of the accounts. In performing this test, the auditor should recognize the possible adverse implications of collections that cannot be matched to specific transactions or balances. For example, a round sum amount may, on investigation, reveal items in dispute, and token payments on large balances may indicate financial instability on the part of the customer. If the customer has not paid the receivable, the auditor can vouch the receivable to underlying customer orders and shipping documentation to provide evidence that the receivable exists. Professional standards acknowledge that the omission of such procedures may be acceptable when both of the following conditions apply: •  There are no unusual qualitative factors or systematic characteristics related to the nonresponses, such as that all nonresponses pertain to year-end transactions. •  The nonresponses, projected as 100% misstatements to the populations and added to the sum of all other unadjusted differences, would not affect the auditor’s decision about whether the financial statements are materially correct.

Audit Reasoning Example  Evaluating Confirmation Exceptions Brian McIntosh is working on accounts receivable confirmations. Confirmations are sent as of the interim date of October 31 on a December 31 year-end client. One confirmation comes back with the customer claiming it was overbilled on an October 29 invoice and the receivable is overstated as of October 31. Upon investigation with the client, Brian discovers that the error was actually recognized by the client before the customer noted it, and the client issued a credit memo on November 4. Brian also recognizes that in spite of the client’s efforts, this is evidence of a misstatement as of October 31; this will have to be analyzed as a misstatement in the sample, and the misstatement will be projected on the unsampled portion of the population.

11-36  C h a pte r 11  Auditing the Revenue Process

Summarizing and Evaluating Results  The auditor’s working papers should contain a summary of results from confirming accounts receivable. The summary should provide data on: •  The number and dollar value of confirmations sent and responses received. •  The proportion of the population total covered by the sample. •  The relationship between the audited and book values of items included in the sample. Statistical and nonstatistical procedures may be used to project misstatements found in the sample to the population, as explained in Chapter 10. The combined evidence from the confirmations, alternative procedures performed on nonresponses, and other tests of details and analytical procedures are evaluated to determine whether sufficient evidence has been obtained to support management’s assertions about gross accounts receivable. Illustration 11.14 provides an abbreviated example of a working paper evaluating confirmations. (Note: This supports the analysis working paper shown in Illustration 10.14.)

ILLUSTRATION 11.14   Evaluation of individual confirmations

Client: G.J. Manufacturing

Bell & Bowerman, LLP Prepared by: W.M.F. 2/8/23

Period-end: 12/31/22 Reviewed by: C.W.B. 2/18/23 Evaluation of Confirmation Results Reference: B-3 Objective: Evaluation of Accounts Receivable Confirmations

Stratum 1

Stratum 2

Stratum 3

Confirmation #

Book Value

Confirmed Value

Audited Value

Misstatement Explanation

1

$165,000

$165,000

$165,000

2

310,000

300,000

300,000

10

187,500

NR

187,500

¥,€

11

42,000

NR

42,000

¥,€

12

20,000

20,000

20,000

25

35,000

25,000

25,000

10,000

Goods were billed at the incorrect price, resulting in an overcharge of $10,000.

26

12,000

2,000

2,000

10,000

Incorrect quantity entered on invoice resulting in an overcharge of $10,000.

27

7,600

7,600

7,600

50

5,400

5,400

5,400

$10,000

$10,000 of goods returned. Received on 12/29/22. Credit memo issued 1/3/23.

Legend: NR

No response from customer

¥

Vouched to bill of lading



Vouched to subsequent cash receipt

Applicability to Assertions  Confirmations are the primary source of evidence in meeting the existence assertion for accounts receivable. Acknowledgment of the debt by the customer in the response confirms that the client has a legal claim on the customer. This test also provides evidence concerning the rights and obligations assertion. The confirmation of accounts receivable is not a request for payment, so it does not provide evidence as to the collectibility of the balance due. However, the responses may reveal previously paid items

  Substantive Tests for the Revenue Process  11-37

or disputed items that affect the proper valuation of the amount due. While confirmations may provide indications of collectibility problems, the confirmation of accounts receivable relates only to the valuation and allocation assertion for gross accounts receivables. When a customer’s response indicates agreement with the book balance, there is evidence that the balance is complete. However, the evidence about the completeness assertion is limited because (1) unrecorded receivables cannot be confirmed and (2) customers are more likely to report errors of overstatement than errors of understatement.

Evaluating the Allowance for Doubtful Accounts The key accounting estimate involved in the revenue process is the allowance for doubtful accounts. Audit procedures for this accounting estimate include: •  Using generalized audit software to foot and crossfoot the aged trial balance of accounts receivable and agreeing the total to the general ledger balance. •  Testing the accuracy of the client’s aging by vouching to underlying sales invoices and shipping documents. •  Considering evidence concerning the collectibility of past-due amounts by, for example, inspecting correspondence from customers. •  Identifying customers with past-due balances and calculating credit histories for customers with past-due balances. •  Evaluating prior estimates of uncollectible accounts with subsequent experience and the benefit of hindsight. •  Using the evidence obtained above to assess the reasonableness of the percentages used to compute the allowance component required for each aging category and the adequacy of the overall allowance. Auditing the allowance for doubtful accounts may be a good place to use ADA to evaluate the adequacy of the allowance for doubtful accounts. Consider this example in the context of Illustration 7.8. The auditor can use generalized audit software to generate an aging of the client’s master file. The auditor can then use the same aging to identify customers that do not fit the norm for the client’s normal collection history (e.g., over 90 past due). Within this population of customers taking over 90 days to pay, the auditor might identify customers that normally take 90 to 120 days to pay, but pay regularly. This would be an acceptable variation from the norm. Alternatively, the auditor wants to pay close attention to customers that demonstrate deteriorating payment history as the year progresses. For this final grouping, auditors might also examine correspondence with customers or correspondence with outside collection agencies, review customers’ credit reports and financial statements, and discuss the collectibility of specific accounts with appropriate management personnel. Ultimately, the auditor must determine if the potential misstatement of the allowance for doubtful accounts could aggregate to an amount greater than or equal to tolerable misstatement. Finally, the auditor may want to use as much hindsight as possible to evaluate whether outstanding receivables are subsequently collected. The allowance for uncollectible accounts is an accounting estimate made by management that involves both objective and subjective considerations. In essence, it is a prospective estimate of receivables that will not be collected in the future. The auditor’s responsibility is to judge the reasonableness of the allowance and the related provision for uncollectible accounts expense. From the aging data, information about collectibility, and analysis of the client’s prior experience with uncollectible accounts, the auditor can assess the reasonableness of management’s method used to determine an appropriate allowance. An important aspect of evaluating prior experience with the entity involves using hindsight to evaluate prior estimates of the allowance and subsequent experience in collecting receivables outstanding at the date of the estimate. When the client’s controls over (1) granting credit and (2) writing off uncollectible accounts are strong, fewer substantive tests will be required in making this assessment than when controls are weak.

11-38  C h a pte r 11  Auditing the Revenue Process

Tests of Details of Presentation and Disclosure Illustration 11.11 describes a number of tests of disclosures for the revenue process. It is common for auditors who are knowledgeable about the company and accounting principles to carefully read the financial statements and related disclosures. The auditor who reads the financial statements might also use a disclosure checklist to ensure that all required disclosures are present. For example, auditors should be alert to the following issues if they are material: •  Classification and disclosure requirements include proper identification and classification for receivables, such as separating trade receivables from other receivables such as receivables from employees, officers, affiliated companies, and other related parties that should be separately disclosed. •  Credit balances in accounts receivable (customers who overpay) should be reclassified as current liabilities. •  GAAP requires proper classification of receivables not due within one year to be classified as noncurrent. •  GAAP requires disclosures concerning the pledging, assigning, or factoring of receivables. •  Disclosures may be required regarding significant customers or sales by significant lines of business. Evidence relevant to these matters might be obtained by inquiring of management and reviewing minutes of board of directors’ meetings and loan agreements. Evidence is also obtained through the audit procedures performed to test other assertions.

Cloud 9 - Continuing Case Josh and Suzie are finalizing their plans for substantive tests. A significant number of tests of transactions were accomplished with dual-purpose tests for testing controls, and additional tests of transactions will be planned after the end of the year for the portion of the year that was not covered by tests of controls. They plan to send positive confirmations at two months prior to yearend, and they will use a service that allows for electronic submission of confirmations by customers. They also concluded that they

will use generalized audit software to evaluate the allowance for doubtful accounts by analyzing every account over 90 days past due to determine if some customers regularly take long times to pay and are low credit risk, or if customers are showing signs of deteriorating payment history and are high credit risk. At this point they believe they have a plan for the remaining substantive tests. Now it is time to perform the substantive tests and draw an audit conclusion.

Before You Go On 8.1 What is involved in vouching sales transactions to supporting documentation? What documents would the auditor look at when vouching sales transactions and what assertions are met by vouching sales? 8.2 What cutoff tests are performed for sales and cash receipts? How are they performed and what assertions are met by these tests? 8.3 When positive confirmations are used, how does the auditor deal with nonresponses? 8.4 What steps should the auditor perform when auditing the accounting estimate associated with the allowance for doubtful accounts? 8.5  List several common disclosures required for sales or accounts receivable.

  Learning Objectives Review  11-39

Learning Objectives Review 1  Explain the nature of the revenue process. The revenue process includes three major classes of transactions: (1) credit sales, (2) cash receipts, and (3) sales adjustments. The primary balance sheet account in the revenue process is accounts receivable, net of the allowance for doubtful accounts. Illustration 11.1 summarizes the transactions that go through the revenue process, and Illustration 11.2 identifies the assertions relevant to the revenue process. Remember, the auditor must obtain sufficient appropriate evidence for each material assertion, and an audit strategy for one assertion may be different from the audit strategy for another assertion. 2  Evaluate how an auditor’s understanding of an entity and its environment affects audit planning decisions in the revenue process. Different companies in different industries experience various risks associated with the revenue process. Revenue recognition is more problematic in some industries, and some industries have significant transactions that result in cash collection in advance of earning revenues. Illustration 11.3 provides examples of five different industries and how knowledge of the entity and its environment can be used to develop expectations of the financial statements and to assess the risk of material misstatement. This section also addresses common analytical procedures that (1) help the auditor understand the business and (2) may identify significant inherent risks in the financial statements. Illustration 11.5 provides examples of other key factors associated with understanding the entity and its environment and how these factors may influence inherent risk in the revenue process. 3  Determine inherent risk for various assertions in the revenue process. Common inherent risks in the revenue process relate to the occurrence of revenue and the existence of receivables. This section reviews a number of methods that have been used by companies to overstate revenues. This section also provides an example of how analytical procedures might flag an increased risk of material misstatement for some revenue process assertions. In using professional skepticism, an auditor should be able to recognize factors that increase inherent risk in the revenue process, so that the audit is responsive to these risks. 4  Evaluate control activities for credit sales transac-

tions.

Each entity has a unique system of internal control that is tailored to the entity’s business model and how it brings in revenues. It is important for the auditor to (1) understand the flow of transactions in the revenue process, (2) identify what can go wrong in the revenue process, and (3) assess whether the client has controls to mitigate what can go wrong. Illustration 11.7 provides an example of the flow of transactions for credit sales; Illustration 11.8 addresses what can go wrong in the process of making credit sales and common controls that might be found to mitigate these risks. This section concludes with

a discussion of key controls that are often found related to relevant assertions for credit sales and accounts receivable. 5  Evaluate control activities for cash receipt transactions. This section continues the discussion of understanding the flow of transactions related to cash receipts. While many companies now receive cash either by electronic funds transfer or a lockbox, this section also discusses how a company should establish initial control over cash and checks if they are received directly from customers. Illustration 11.10 summarizes what can go wrong in the process of receiving cash along with common controls that might mitigate these risks. This section concludes with a discussion of key controls that might be found related to relevant cash receipt transaction assertions. 6  Evaluate control activities for sales adjustment trans-

actions and revenue process disclosures.

The final section on revenue transactions discusses common documents found when goods are returned, and credit is given to customers. Common controls over granting credit for sales returns and allowances, controls over determining uncollectible accounts, controls over selling receivables, and controls over disclosures are also discussed in this section of the chapter. 7  Determine how to design and perform tests of controls in the revenue process and connect the results of control testing to audit strategy. This final section related to controls in the revenue process discusses the process of testing the controls identified for relevant assertions in the financial statements. Remember, when the entity relies on significant IT application controls, the auditor must test (1) the effectiveness of IT general controls, (2) the effectiveness of the IT application controls, and (3) the effectiveness of manual procedures to follow up on exceptions. Once the auditor has evaluated controls, the auditor should consider fraud risk in the revenue process. The discussion related to fraud risk addresses the risk of lapping techniques, its tie to misappropriation of cash, and various risks of fraudulent financial reporting techniques that the auditor should be alert to. Once the auditor has determined the risk of material misstatement of each assertion, the auditor can make decisions about what substantive tests to perform, the timing of substantive tests, and the extent of substantive tests. 8  Assess detection risk and design substantive tests, including audit data analytics, to address various assertions in the revenue process. The final section of this chapter outlines common substantive tests in the revenue process. Illustration 11.11 provides a common audit program for substantive tests that might be found in the revenue process, and this section explains the importance of each of these tests. The section also reviews professional standards related to sending confirmations to customers and the importance of follow-up procedures when customers fail to respond to confirmations.

11-40  C h a pte r 11  Auditing the Revenue Process

Key Terms Review Bill-and-hold transactions Consignment sales Disclosure committee

Lapping Lockbox system Refund rights

FOB destination FOB shipping point Gross sales

Audit Decision-Making Example Background Information Assume that, for the third year, you are auditing sales and accounts receivable of the manufactured products division of United Plastics, Inc. (UPI). You know the following from your risk assessment procedures. •  The CFO implemented a new computerized accounting system during the prior fiscal year. Tests of controls performed in the prior year’s audit showed that IT application controls were designed effectively and operated effectively. •  UPI is experiencing significant competition from overseas. As a result, UPI extended an unlimited right-of-return policy to two months to keep sales volume at an economical level since there has been a decline in demand for the company’s manufactured products. This change was made with the knowledge and agreement of the UPI board of directors. •  All sales are booked upon shipment with sales terms of FOB shipping point. •  Management continues to receive significant bonuses based on attaining sales volume and profitability targets. •  The company has strong controls over cash receipts. •  An IT specialist has determined that UPI’s IT general controls are strong. •  During the current-year system walkthrough, you learned the company has placed in operation the following programmed control activities: exceptions are printed on an exception report and the transactions are held in a suspense file for follow-up. Manual follow-up procedures appear to be effective based on a system walkthrough. •  The amount of a sale plus the customer’s accounts receivable balance are compared with the customer’s credit limit before a sales order is approved. •  All goods taken from inventory are matched with approved sales order information. •  The software application compares quantities on every sales invoice against shipping information and prices are checked against the master price file. •  The software application compares the date on the sales invoice with the date on shipping records. •  The software application matches every sales invoice with an underlying bill of lading, and then it electronically flags the bill of lading so it cannot be matched with another sales invoice.

•  The company generates a monthly aging of accounts receivable report. •  The company sends monthly statements to customers. •  An individual independent of sales, accounts receivable, and cash receipts is assigned to follow-up exceptions noted by the software application. Manual follow-up appears to be effective based on system walkthrough.

Identify the Issues Develop an audit strategy for the occurrence of revenues and the existence of receivables.

Gather Information and Evidence Important information includes: •  The unlimited two-month right of return policy affects revenue recognition. No internal controls appear to address this issue. •  Bonuses provide incentives for management to maximize revenues. •  Prior experience shows that internal controls are effective (except for new policies regarding right of return). •  Current-year tests of IT general controls show that general controls are strong. •  A preliminary evaluation based on system walkthrough show a number of programmed control procedures in the revenue process. •  Manual follow-up appears to be effective based on system walkthrough.

Analysis and Evaluation of Alternatives •  Significant inherent risk indicators include (1) the new policy regarding extended right of return and (2) bonuses for maximizing revenues. •  With the exception of problems associated with the right of return, internal controls appear to be strong. However, revenue appears to have been booked when goods were shipped. •  For sales made during the last two months, consider using ADA to match cash receipts with sales. Any sales in the last two months that have not been sold through by customers (for which cash has been received) should be treated as consignment sales. Revenue cannot be booked and inventory should be placed back on the books using information from the sales system.

  Multiple-Choice Questions  11-41

Conclusions Regarding Internal Controls and Audit Strategy in the Revenue Process •  Inherent risk assessment. Assess inherent risk at the maximum due to right-of-return issues and incentives for management to overstate revenues (and receivables). •  Control risk and planned tests of controls. Plan to test the following IT application controls related to revenues and sales: (1) comparison of date on sales invoice with date on shipping records, (2) match of every sales invoice with underlying bill of lading, (3) sending of monthly statements to customers. Also, plan to test manual follow-up of exceptions noted by the software application. Review any correspondence with

customers disputing items on monthly statements indicating a breakdown in internal control. •  Detection risk. Plan to send confirmations to customers at an interim date if preliminary assessment of internal controls is confirmed. Receivables confirmed also represent a test of transactions for sales confirmed. Plan to use ADA to match cash receipts with all sales made during the last two months. Any sales in the last two months that have not been sold through by customers (for which cash has been received), should be treated as consignment sales. Revenue cannot be booked and inventory should be placed back on the books using information from the sales system.

CPAexcel CPAexcel questions and other resources are available in WileyPLUS.

Multiple-Choice Questions 1.  (LO 1)  An auditor wants to determine that all sales adjustments are recorded. This relates to which of the following transaction-class assertions? a.  Occurrence. b.  Completeness. c.  Accuracy. d.  Classification. 2.  (LO 1)  If a customer pays its receivable in full but a client fails to record cash received from the customer, which of the following account balance assertions related to accounts receivable is misstated? a.  Completeness. b.  Rights and obligations. c.  Valuation at net realizable value. d.  Existence. 3.  (LO 2)  Assume that an auditor is auditing a public company client that manufactures computer hardware and markets significant maintenance and consulting services. The auditor should be concerned about which of the following? a.  Appropriate accounting for commissions on sales. b.  Significant revenue issues associated with bundling products and services. c.  More than the usual concern about collection risk. d.  Significant concerns about the completeness of revenues. 4.  (LO 2)  An auditor is studying a ratio of accounts receivable growth rate to sales growth rate. Which of the following indicates a potential risk of collection problem in accounts receivable? a.  Sales grew by 10% and receivables grew by 11% from year one to year two.

b.  Sales declined by 2% and receivables declined by 7% from year one to year two. c.  Sales grew by 10% and receivables declined by 2% from year one to year two. d.  Sales grew by 5% and receivables grew by 17% from year one to year two. 5.  (LO 3)  An audit client that manufactures and sells goods to a network of authorized dealers may create the equivalent of a consignment sale if the client: a.  only allows goods to be returned if they are damaged. b.  allows a cash discount if the receivable is paid within 30 days. c.  allows an unconditional right of return at any time until the goods are sold by the dealer. d.  ships goods only on a collect on delivery (C.O.D.) basis. 6.  (LO 4)  Which of the following control activities would most likely assure that no fictitious billings have been posted to the sales journal? a.  The accounts receivable master file is compared with the general ledger control account. b.  Each shipment on credit is supported by a prenumbered sales order. c.  The software application compares each sales invoice with the supporting shipping documents and notes any discrepancies. d.  The software application compares prices on the sales invoices with prices on the master price list and notes any discrepancies.

11-42  C h a pte r 11  Auditing the Revenue Process 7.  (LO 4)  Which of the following control activities would be a reasonable control over the accuracy of recorded sales? a.  The software application matches sales invoice quantities with the underlying packing slip and prices with the sales order. b.  The software application prints a report of unfilled sales orders. c.  The software application prints a report of all bills of lading not matched with a sales invoice. d.  The software application matches the customer number on the sale invoice with the customer number on the sales order.

b.  the sales manager. c.  the accounts receivable supervisor. d.  the credit manager. 11.  (LO 7)  Which of the following situations increases the risk of fraud due to “lapping?” a.  The sales manager can approve credit limits for customers. b.  The accounts receivable clerk also has responsibilities for writing a sales invoice. c.  The shipping clerk in the warehouse has read-only access to sales orders.

8.  (LO 4)  Which of the following is a good example of an IT application control over the occurrence of revenue transactions?

d.  The accounts receivable clerk also has responsibilities for receiving cash.

a.  Physical access to computer systems is limited only to specific personnel who work in the revenue process.

12.  (LO 8)  A cutoff test designed to detect credit sales made before the end of the fiscal year that have been recorded in the subsequent year provides assurance about which of the following management assertions?

b.  The software application compares information on a sales invoice with information from the bill of lading to ensure that sales invoices are only prepared for actual shipments. Any exceptions are not processed and are set aside for manual follow-up. c.  Computer system changes to the revenue program must be tested and authorized before they are allowed to be used with live data. d.  Strong segregation of duties exists between computer operations and computer program development. 9.  (LO 5)  A small manufacturing company makes only credit sales. If cash receipts from sales are misappropriated, which of the following acts would most likely conceal this fraud? a.  Understating the accounts receivable control account. b.  Understating the accounts receivable subsidiary ledger. c.  Overstating the sales journal. d.  Understating the cash receipts journal. 10.  (LO 6)  Sound control activities dictate that defective merchandise returned by customers should be presented initially to: a.  the receiving department.

a.  Completeness. b.  Occurrence. c.  Accuracy. d.  Classification. 13.  (LO 8)  When sending positive confirmations, which of the following would not be an appropriate way to address nonresponse by a customer? a.  Search for evidence of subsequent cash receipt from the customer. b.  Match open invoices to underlying bills of lading and customer orders. c.  If the customer’s account balance is individually immaterial, conclude that no further work or analysis is necessary. d.  Assume that the nonresponse is 100% in error and project the misstatement on the population.

Review Questions R11.1  (LO 1)  If there is a completeness problem with cash receipts, are accounts receivable overstated or understated? Explain.

ucts on credit. Identify the documents involved and explain the process from authorizing the transaction through recording in the general ledger.

R11.2  (LO 1)  List three common revenue recognition problems. Illustrate each with an example.

R11.7  (LO 4)  Explain a sound control over revenue recognition in the process of making credit sales for a manufacturing company.

R11.3  (LO 2)  How might the risk of material misstatement in the revenue process differ for a manufacturer of oil and gas field machinery equipment and a retail grocer?

R11.8  (LO 4)  Identify a risk of fraudulent financial reporting in the revenue process. Describe a sound internal control that would detect and correct the misstatement on a timely basis.

R11.4  (LO 2)  Identify one or two financial ratios that you believe would be useful in identifying revenue recognition problems. Explain your reasoning.

R11.9  (LO 5)  Identify a risk of misappropriation of assets in the revenue process. Describe a sound internal control that would detect and correct the misstatement on a timely basis.

R11.5  (LO 3)  Explain two common inherent risks in the revenue process and explain how each risk is likely to affect the financial statements (e.g., identify the accounts that are likely to be overstated or understated and explain why).

R11.10  (LO 5)  Briefly explain a likely flow of transactions related to receiving cash from a customer received by way of electronic funds transfer, from the customer’s payment being made through recording in the general ledger.

R11.6  (LO 4)  Briefly explain a likely flow of transactions related to authorizing and recording credit sales for a manufacturer that sells its prod-

R11.11  (LO 5)  Explain a sound control over the completeness of cash receipts associated with the situation described in the previous question.

 Analysis Problems  11-43 R11.12  (LO 6)  Explain a sound control over a public company’s process for controlling the appropriateness of the allowance for doubtful accounts.

R11.15  (LO 8)  Explain an effective substantive test related to the cutoff of sales at year-end.

R11.13  (LO 7)  Assume you are auditing a public company with sound IT controls over the occurrence of revenue. Describe the IT control over the occurrence of revenue and how you would test the control.

R11.16  (LO 8)  Develop an example of the use of audit data analytics in the audit of accounts receivable. R11.17  (LO 8)  Explain the audit procedures used to test the adequacy of the allowance for doubtful accounts.

R11.14  (LO 8)  Explain several important initial procedures in the revenue process. Why should these be performed prior to other substantive procedures?

Analysis Problems AP11.1  (LO 1, 2)  Basic   Understanding the entity and its environment  Your client is a regional motel chain. It owns 27 properties in your region and manages another 40 properties for absentee owners. All the motels are located on interstate highways and achieve at least 60% of capacity on a regular basis. In the past, many motels have been fully booked during the summer travel season; however, the economy has taken a turn for the worse and people are traveling less.

Required Explain how your knowledge of the business and industry would impact your audit of total revenues and accounts receivable for the client. AP11.2  (LO 2)  Moderate   Analytical procedures  The following data was taken from the production and accounting records for Casuccio Manufacturing, Inc. Unaudited 2023

Audited 2022

Audited 2021

Operating Data Capacity in units

450,000

450,000

450,000

Production in units

450,000

400,000

300,000

Inventory in units

32,000

28,000

21,000

Total revenues

$ 35,200

$ 27,500

$ 21,200

Total assets

$ 23,000

$ 19,500

$ 15,700

Accounts receivable, net

$ 5,900

$ 4,300

$ 3,900

Bad debt expense

$

175

$

135

$

105

Accounts receivable written off

$

165

$

125

$

100

Financial Data ($000)

Required a.  Calculate the following ratios for 2023, 2022, and 2021: 1.  Sales to total assets. 2.  Sales to production. 3.  Revenue per unit sold. 4.  Accounts receivable growth to sales growth. 5.  Uncollectible accounts expense to net credit sales. 6.  Uncollectible accounts expense to accounts receivable written off. 7.  Accounts receivable turnover in days. b. 1.  Describe the implications of the resulting ratios for the auditor’s audit strategy for the year 2023. 2.  What specific assertions are likely to be misstated? 3.  How should the auditor respond in terms of potential audit tests? AP11.3  (LO 5)  Moderate   Controls over cash receipts  You have been asked by the board of trustees of a local church to review its accounting procedures. As a part of this review, you have prepared the

11-44  C h a pte r 11  Auditing the Revenue Process following comments relating to the collections made at weekly services and recordkeeping for members’ contributions: 1. The church’s board of trustees has delegated responsibility for financial management and audit of the financial records to the finance committee. This group prepares the annual budget and approves major disbursements but is not involved in collections or recordkeeping. No audit has been considered necessary in recent years because the same trusted employee has kept church records and served as financial secretary for 15 years. 2. The collection at the weekly service is taken by a team of ushers. The head usher counts the collection in the church following each service. He then places the collection and a notation of the amount counted in the church safe. The next morning, the financial secretary opens the safe and counts the collection again. She withholds about $100 to meet cash expenditures during the coming week and deposits the remainder of the collection intact. To facilitate the deposit, members who contribute by check are asked to make their checks payable to “cash.”

Required Describe the weaknesses and recommend improvements in procedures for collections made at weekly services. Organize your answer using the following format: Weakness

Recommended Improvement(s)

AP11.4  (LO 8)  Moderate   Substantive tests of accounts receivable  The following situations were not discovered by an inexperienced staff auditor in the audit of the Parson Company. 1. Several accounts were incorrectly aged in the client’s aging schedule. 2. The accounts receivable turnover ratio was far below expected results. 3. Goods billed were not shipped. 4. Some year-end sales were recorded in the wrong accounting period. 5. Several sales were posted for the correct amount but to the wrong customers in the accounts receivable ledger. 6. The allowance for uncollectible accounts was understated. 7. Several sales were entered and posted at incorrect amounts. 8. Mathematical errors were made in totaling the accounts receivable ledger. 9. An unrecorded sale at the balance sheet date was collected in the next month. 10. Several fictitious sales were recorded. 11. The pledging of some customer accounts as security for a loan was not reported in the balance sheet. 12. Some year-end cash receipts were recorded in the wrong accounting period.

Required (Use a tabular format for your answers with one column for each part.) a.  Identify the substantive test that should have detected each error. b.  For each substantive test identified in a., indicate the account balance assertion to which it pertains. AP11.5  (LO 3, 8)  Challenging   Fraud   Research   Inflating advertising revenues—Homestore, Inc.  In 2003, the Securities and Exchange Commission released an Accounting and Auditing Enforcement Release (AAER) describing charges and discipline against five former executives of Homestore, Inc., including the company’s former CEO and CFO. The charges claim the executives developed a scheme to inflate advertising revenues.

Required Find and read the 2003 AAER related to Homestore, Inc. Explain the scheme that the company used to inflate advertising revenues. What is meant by the term “round-trip” transactions? How were the company’s vendors involved?

 Audit Decision Cases  11-45

Audit Decision Cases King Companies, Inc. Questions C11.1 and C11.2 are based on the following case. King Companies, Inc (KCI) is a private company that owns five auto parts stores in urban Los Angeles, California. KCI has gone from two auto parts stores to five stores in the last three years, and it plans continued growth. Eric and Patricia King own the majority of the shares in KCI. Eric is the chairman of the board of directors of KCI and CEO, and Patricia is a director as well as the CFO. Shares not owned by Eric and Patricia are owned by friends and family who helped the Kings get started. Eric started the company with one store after working in an auto parts store. To date, he has funded growth from an inheritance and investments from a few friends. Eric and Patricia are thinking about expanding by opening three to five additional stores in the next few years. In October 2021, Eric approached your accounting firm, Thornson & Danforth, LLP, to conduct an annual audit of KCI for the year ended December 31, 2022. KCI has not been audited before, but this year the audit has been requested by the company’s bank because of anticipated bank loans and by a new private equity investor that has just acquired a 20% share of KCI. KCI employs 20 full-time staff. These workers are employed in store management, sales, parts delivery, and accounting. About 40% of KCI’s business is retail walk-in business, and the other 60% is regular customers where KCI delivers parts to their locations and bills these customers on account. During peak periods, KCI also uses part-time workers. Eric is focused on growing revenues. In his opinion, revenue growth is particularly important to obtaining bank financing. Patricia trusts the company’s workers to work hard for the company, and she feels they should be rewarded well. The accounting staff, in particular, is very loyal to the company. Eric tells you that accounting staff enjoy their jobs so much they have never taken any annual vacations, and hardly any workers ever take sick leave. There are two people currently employed as accounting staff, the most senior of whom is Jonathan Jung. Jonathan heads the accounting department and reports directly to Patricia. He is in his late fifties and hopes to retire in two or three years and move away from Los Angeles. Jonathan keeps a close watch on accounting and does many activities himself; including opening mail, cash receipts and vendor payments, depositing funds received, performing reconciliations, posting journals, and performing the payroll function. His second employee, Abby Owens, is a recent college graduate who just passed the CPA exam. Abby is responsible for the payroll functions and posting all journal entries into the accounting system. Jonathan and Abby often help each other out in busy periods. C11.1  (LO 3, 5)  Challenging   Fraud risk a.  Analysis: Consider the risk of fraud regarding the diversion of cash receipts from customers. How does this impact your decisions regarding which audit procedures to perform, the timing of audit procedures, or the extent of procedures associated with auditing revenue assertions? If cash were diverted from customers, how might Eric or Patricia identify the problem? b.  Analysis: Explain your assessment of the risk associated with fraudulent financial reporting. How does this impact your decisions regarding which audit procedures to perform, the timing of audit procedures, or the extent of procedures associated with auditing revenue assertions? C11.2  (LO 8)  Challenging   ADA   Audit data analytics for revenue  Analysis: You have been asked by your audit manager to consider how the audit firm might audit revenues by using audit data analytics to evaluate 100% of the revenue transactions. Where do you feel that it would be most effective to audit 100% of the transactions using ADA? In addition to the sales information, what other information should you consider in your analysis? Develop a specific audit strategy for how you would screen 100% of the revenues, how you would identify exceptions, and how you might consider what would be acceptable variations from your expectation norm versus unacceptable variations.

Mobile Security, Inc. Question C11.3 is based on the following case. Mobile Security, Inc. (MSI) has been an audit client of Leo & Lee, LLP for the past 12 years. MSI is a small, publicly traded aviation company based in Cleveland, Ohio, where it manufactures high-tech unmanned aerial vehicles (UAV), also known as drones, and other surveillance and security equipment. MSI’s products are primarily used by the military and scientific research institutions, but there is growing demand for UAVs for commercial and recreational use. MSI must go through an extensive bidding process for

11-46  C h a pte r 11  Auditing the Revenue Process large government contracts. Because of the sensitive nature of government contracts and military product designs, both the facilities and records of MSI must be highly secured. In October 2022, MSI installed a new cloud-based inventory costing system to replace a system that had been developed in-house. The old system could no longer keep up with the complex and detailed manufacturing costing process that provides information to support competitive bidding. MSI’s IT department, together with the consultants from the software company, implemented the new inventory costing system which went live on December 1, 2022. Key operational staff and the internal audit team from MSI were significantly engaged in the selection, testing, training, and implementation stages. The inventory costing system uses various manufacturing costing and unit of production inputs to calculate and produce a database of all product costs and recommended sales prices. It also integrates with the general ledger each time there are product inventory movements such as purchases, sales, waste, and damaged inventory losses. The following list of sales invoices are entered in the sales journal for the months of June 2023 and July 2023, respectively. All goods are shipped FOB shipping point. Sales Invoice Amount

Sales Invoice Date

Cost of Merchandise Sold

a.

$ 30,000

June 21

$20,000

June 29

b.

20,000

June 30

8,000

June 20

Date Shipped

June

c.

10,000

June 29

6,000

d.

40,000

June 30

24,000

July 3

June 30

e.

100,000

June 30

56,000

June 30 (shipped to consignee)

f.

$ 60,000

June 30

$40,000

July July 1

g.

40,000

July 2

23,000

July 1

h.

80,000

July 3

55,000

June 30

C11.3  (LO 8)  Challenging   Public Company   Sales cutoff tests  Analysis and evaluation: Analyze the eight transactions shown above. Based on a sales cutoff analysis, record necessary adjusting journal entries at June 30 in connection with the foregoing data.

Brookwood Pines Hospital Question C11.4 is based on the following case. Goodfellow & Perkins LLP is a successful mid-tier accounting firm with a large range of clients across Texas. During 2022, Goodfellow & Perkins gained a new client, Brookwood Pines Hospital (BPH), a private, not-forprofit hospital. The fiscal year-end for Brookwood Pines is June 30. You are performing the audit for the 2023 fiscal year-end. The healthcare industry can be very complicated, especially in the area of billing for services provided. BPH contracts with private physician groups who use the hospital facilities, equipment, and nursing staff to treat patients. The physicians in the private group are not employees of the hospital; they are simply using the hospital facilities to treat patients. For example, a group of urologists have their own practice, separate from the hospital, where they treat patients. If one of the patients needs a surgical procedure that must be done at a hospital, then the attending urologist will approve the paperwork required to admit the patient to BPH. BPH offers inducements to the urologists so they will refer patients to BPH rather than a competing hospital. One of the inducements BPH offers is free office space in the hospital for the doctors to use when they are treating patients in the hospital. After the doctor and hospital services are provided to the patient, the patient and/or the patient’s insurance company is billed. The doctor will bill for the services he or she provided, and the hospital will bill for the use of hospital facilities and staff. Doctors and hospitals bill using a coding system that is standardized across the healthcare industry and consists of three main code sets: ICD, CPT, and HCPCS. Using a coding system is more efficient and data-friendly compared to writing a narrative about the procedures performed. However, the coding system is very complex, with thousands of different codes for medical procedures and diagnoses. To complicate matters even more, for patients who are covered by government-sponsored Medicare or Medicaid, doctors and hospitals must adhere to complicated government regulations surrounding billings to Medicare and Medicaid. As healthcare costs continue to rise each year, BPH administrators struggle to maintain consistent profitability. They look for ways to keep costs low and also to collect from patients and insurance companies

 Audit Decision Cases  11-47 as quickly as possible. In addition, BPH must have a strong risk management team to handle unique situations that may occur in hospitals such as malpractice lawsuits and periodic inspections by the state department of health and hospitals. Negative publicity for BPH could lead to decreased revenues if physicians decide to contract with a competing hospital. C11.4  (LO 8)  Challenging   ADA   Auditing the existence of accounts receivable  Analysis: Brookwood Pines Hospital has receivables from both insurance companies and from consumers. In the past, only one in four confirmations has been returned. Internal controls have been tested and are strong. How might audit data analytics be used to collect evidence regarding the existence of accounts receivable? Develop a specific audit strategy for how you would screen 100% of the revenues (of a particular type), how you would identify exceptions, and how you might consider what would be acceptable variations from your expectation norm versus unacceptable variations.

Cloud 9 - Continuing Case Assume that you are preparing to confirm accounts receivable at December 31, 2022, which is one month prior to the fiscal yearend of January 31, 2023. The book value of gross accounts receivable is $71,622,804. Complete the following requirements related to the confirmation of receivables for Cloud 9 based on previous work and the following information.

Required a.  Using PPS sampling, determine the sample size that you want to use for sending accounts receivable confirmations. Draw on the information you learned about PPS sampling in Chapter 10. The book value of accounts receivable before the allowance for doubtful accounts is $71,622,804. You make the following assumptions: •  You set tolerable misstatement for accounts receivable at $3,500,000. •  Expected misstatement = $750,000.

•  Risk of incorrect acceptance = 37%. Given these parameters:

1. What do you believe to be appropriate qualitative assumptions for inherent risk and control risk given the risk of incorrect acceptance used? 2.  What do you calculate for sample size? 3.  What do you calculate for sampling interval? b.  After discussion of the sample size with Josh Thomas, the audit team sets tolerable misstatement at $3,000,000, expected misstatement at $1,750,000, and risk of incorrect acceptance at 37%. You use a sample size of 73 confirmations. The sampling interval is $981,134. You may assume that except for the following, you received confirmations from customers that showed no exceptions. Determine whether the following conditions represent errors for purposes of your evaluation. Based on your evaluation and the parameters of the sample you designed above, evaluate the result of confirming accounts receivable. •  Customer No. 00030 disputed the price on stock number 11205, which was priced at $75 per item and should have been priced at $60 per item on 1200 items. Cloud 9 issued a credit memo for $18,000 on January 7, 2023. The book value of the receivable for Customer No. 00030 at December 31, 2022, was $130,500. •  Customer No. 00158 with a receivable balance of $730,225 on December 31 disputed receivables in the amount of

$30,500, as a shipment of shoes was not received until January 2, 2023. Further investigation showed that the customer ordered the goods on December 31, 2022, and they were not counted in inventory when the inventory was taken on that date. The freight carrier came by late in the day and picked up the goods, even though the warehouse was normally shut down for inventory on December 31, 2022. The goods were shipped FOB shipping point. The receivable was paid in full on January 29, 2022. •  Customer No. 00651 disputed receivables in the amount of $250,750, as it had been paid on December 30, 2022. The check from Customer No. 00651 was received and deposited by Cloud 9 on January 3, 2022. The book value of the receivable for Customer No. 00651 at December 31, 2022, was $250,750. •  Customer No. 00850 disputed the balance on the confirmation of $35,700 in its entirety. Further investigation showed that the balance was charged to the wrong customer. Goods were shipped to Customer No. 00580. On January 3, 2022, the error was discovered. A credit memo was issued to Customer No. 00850 and an invoice was sent to Customer No. 00580, which was paid in full on January 27, 2022. •  No response was received from Customer No. 10141. Goods in the amount of $944,232 were shipped on November 1, 2022. Additional goods in the amount of $131,824 were shipped on December 12, 2022. The receivable balance was $1,076,056 at December 31, 2022. A review of the cash receipts journal showed that a check for $944,232 was deposited on January 24, 2022. Another check for $131,824 was received on February 1, 2023. •  Customer No. 21287 disputed receivables in the amount of $755 claiming that it did not receive a promised 1% discount associated with the first shipment to a new customer. The book value of the receivables for Customer No. 21287 at December 31, 2022 was $75,500. The customer subsequently paid $74,745 on January 29, 2022, and Cloud 9 issued a credit memo in the amount of $755. 1. Determine the amount of misstatement for each customer listed above. 2. Determine the upper misstatement limit. 3. Draw a conclusion about whether the existence assertion for accounts receivable is presented fairly at December 31, 2022.

Chapter 12 Auditing the Purchasing and Payroll Processes The Audit Process Overview of Audit and Assurance (Chapter 1) Professionalism and Professional Responsibilities (Chapter 2) Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4) Identify Significant Accounts and Transactions Make Preliminary Risk Assessments

Set Planning Materiality

Gaining an Understanding of the System of Internal Control (Chapter 6)

Audit Evidence (Chapter 5)

Develop Responses to Risk and an Audit Strategy

Performing Tests of Controls (Chapter 8)

Performing Substantive Procedures (Chapter 9) Audit Sampling for Substantive Tests (Chapter 10)

Auditing the Revenue Process (Chapter 11)

Auditing the Purchasing and Payroll Processes (Chapter 12)

Audit Data Analytics (Chapter 7)

Gaining an Understanding of the Client

Auditing the Balance Sheet and Related Income Accounts (Chapter 13)

Completing and Reporting on the Audit (Chapters 14 and 15) Procedures Performed Near the End of the Audit

Drawing Audit Conclusions

Reporting

12-1

12-2  C h a pte r 12 Auditing the Purchasing and Payroll Processes

Learning Objectives LO 1 Explain the nature of purchasing transactions and balances. LO 2 Evaluate how an auditor’s understanding of an entity and its environment affects audit planning decisions related to purchases. LO 3  Determine inherent risk for various assertions in the purchasing process.

LO 9 Assess detection risk and design substantive tests, including audit data analytics, to address various assertions in the purchasing process. LO 10* Explain the nature of payroll transactions and balances.

LO 4 Evaluate control activities for purchase transactions.

LO 11* Evaluate how an auditor’s understanding of an entity and its environment affects audit planning decisions in the payroll process.

LO 5 Evaluate control activities for cash disbursement transactions.

LO 12*  Determine inherent risk for various assertions in the payroll process.

LO 6 Evaluate control activities in an evaluated receipt settlement system.

LO 13* Evaluate control activities for payroll transactions.

LO 7 Evaluate control activities for purchase adjustment transactions and purchasing process disclosures.

LO 14*  Determine how to design and perform tests of controls in the payroll process and connect the results of control testing to audit strategy.

LO 8  Determine how to design and perform tests of controls in the purchasing process and connect the results of control testing to audit strategy.

LO 15* Assess detection risk and design substantive tests, including audit data analytics, to address various assertions related to payroll.

Auditing and Assurance Standards PCAOB

Auditing Standards Board

AS 1210  Using the Work of a Specialist

AU-C 620  Using the Work of an Auditor’s Specialist

Cloud 9 - Continuing Case Josh Thomas (audit senior) and Suzie Pickering (audit staff) are discussing the audit of the purchasing process for Cloud 9. Cloud 9 products are developed through a collaboration between Cloud 9’s product development teams and third-party manufacturers. Purchases from manufacturers represent a material transaction stream, and accounts payable is one of the most significant current liabilities on Cloud 9’s balance sheet. As Josh and Suzie

plan the audit of the purchasing process, they believe they have a basic understanding of Cloud 9’s business processes. However, they still need to address a few key issues before they settle on an audit plan. What are the most significant inherent risks for Cloud 9 in the purchasing process? Do significant fraud risks exist? Are there significant substantive tests that can be performed at an interim date?

Chapter Preview: Audit Process in Focus This chapter focuses on decisions about appropriate audit procedures in the purchasing process. We begin with a discussion of the nature of the purchasing process. We then address the process of understanding the entity and its environment in the context of an entity’s purchases and using this knowledge to assess inherent risk. The chapter moves on to discuss evaluating the system of internal control over purchasing, including understanding

  Nature of Purchase Transactions and Balances   12-3

entity-level controls, understanding the document trail, evaluating what can go wrong (WCGW), identifying controls to test, performing tests of controls, and evaluating control risk and the risk of fraud. The discussion of the audit trail begins with a more traditional system that includes a combination of electronic and paper documents. It is followed by a similar discussion involving a paperless evaluated receipt settlement (ERS) process. At this point, the auditor should be able to confirm or revise his or her preliminary audit strategy and then execute substantive tests to reduce audit risk to an acceptable level. The chapter is supplemented by an appendix that addresses similar issues in the payroll process.

Nature of Purchase Transactions and Balances LEA RNING OBJECTI VE 1 Explain the nature of purchasing transactions and balances. An entity’s purchasing process consists of activities related to the acquisition of, and payment for, goods and services. The core purchases transactions are (1) purchasing goods and services (purchase transactions), (2) making payments (cash disbursement transactions), and (3) purchase adjustments. These transactions are depicted in Illustration 12.1.

Purchasing Transactions

Debit

Credit

Purchases on credit

Merchandise Inventory

Accounts Payable

Raw Materials Inventory Plant Assets Other Assets Various Expenses Cash disbursements (primarily focused on payment of payables)

Accounts Payable

Cash Purchase Discounts

Purchase adjustment transactions   Purchase returns and allowances

Accounts Payable

Purchase Returns and Allowances

For companies that purchase goods on account, the transaction should record purchases and accounts payable upon the receipt of goods. Purchases and accounts payable may be understated if a company receives goods but then waits to record the transaction until a vendor’s invoice is received. If discounts are taken for early payment, purchase discounts are recorded when recording the cash disbursement. In some cases, a company will return defective goods or claim an allowance for goods that are damaged but still usable upon receipt. This is included in a discussion of purchase returns and allowances. The discussion of inventory, cost of goods sold, and cash is deferred to Chapter 13. Recall that the auditor should obtain sufficient appropriate evidence for each assertion related to the purchasing process. Therefore, the auditor should obtain sufficient appropriate evidence for the transaction classes, balances, and disclosures outlined in Illustration 12.2. Finally, the rights and obligations assertion with respect to accounts payable relates to whether accounts payable reflect the recorded liability of the entity. This is usually tested as part of the existence assertion.

ILLUSTRATION 12.1  

Purchasing transactions

12-4  C h a pte r 12 Auditing the Purchasing and Payroll Processes ILLUSTRATION 12.2   Key purchasing process assertions

Relevant Transaction Classes Purchases of materials or goods Various expenses

Relevant Account Balances Accounts payable Various purchased assets

Assertions Occurrence Completeness Accuracy Cutoff Classification

Assertions Existence Rights and obligations Completeness Valuation and allocation • Valuation at historical cost • Valuation at net realizable value

Relevant Disclosures Payable disclosures Asset and expenditure disclosures

Assertions Occurrence and rights and obligations Completeness Classification and understandability Accuracy and valuation

Before You Go On 1.1 Identify two major transaction classes with significant volumes of transactions in the purchasing process. 1.2 Explain the interaction of purchases and cash disbursements with accounts payable. Further, if cash disbursements are understated, what are the implications for accounts payable?

Understanding the Entity and Its Environment LEA RNING OBJECTIVE 2 Evaluate how an auditor’s understanding of an entity and its environment affects audit planning decisions related to purchases. Chapters 3 and 4 explained the importance of understanding the entity and its environment, and how this understanding is important to assessing inherent risk. As inherent risk factors vary from industry to industry, from client to client, and from year to year, each audit must be custom-made to address unique risks. The following discussion will address the importance of understanding the entity and its environment in the context of the purchasing process, analytical procedures commonly used in the purchasing process, other issues associated with the entity and its environment, and the resultant assessment of inherent risk.

Understanding the Client’s Purchasing Process purchasing process (procurement process)    involves selecting vendors, establishing payment terms, negotiating contracts, purchasing goods, receiving goods, and recording purchases and payment of liabilities

The process of purchasing goods and services will vary from entity to entity. In this chapter, the purchasing process is synonymous with the procurement process. The purchasing or procurement process involves selecting vendors, establishing payment terms, negotiating contracts, purchasing goods, receiving goods, and recording purchases and payment of liabilities. Purchasing is concerned with acquiring (procuring) all of the goods and services that are vital to an organization. It is particularly important for the auditor to be knowledgeable about the entity, the types of purchases the entity makes, and how those purchases support the earnings generation of the entity. Every business has different market forces that place differing demands on the company’s

  Understanding the Entity and Its Environment  12-5

cash flow. An entity’s net operating cycle represents the time from using cash to purchase goods or services to collecting cash from the sale of goods or services. For a manufacturer or retailer, the gross operating cycle is estimated by the average number of days it takes to turn over inventory and collect receivables. The net operating cycle represents the gross operating cycle reduced by accounts payable turnover in days, which is the amount of time that an entity’s suppliers will let it use trade credit before requiring payment for goods and services. Some companies are very adept at using vendor financing (accounts payable) to finance a significant portion of their operating cycle. For example, before Dell Computers went private in 2013, it was turning over its inventory approximately every 8 days. Further, Dell Computers was taking approximately 30 days to collect from its customers (mostly business customers). This adds up to a gross operating cycle of 38 days. However, Dell Computers was taking 41 days to pay its vendors; that is, it used vendor funds to finance its operating cycle. It is critical for auditors to understand the economic drivers in the purchasing process and how cash flows through the entity. Illustration 12.3 illustrates the importance of understanding the purchasing process for the five different industries that were introduced in Chapter 11. These industries were chosen for their variety based on the North American Industry Classification System (NAICS). They include the manufacture of oil and gas field machinery and equipment (NAICS 333132), the manufacture of electronic computer equipment (NAICS 334111), supermarkets and other ILLUSTRATION 12.3   Understanding an entity’s purchasing process

Example Industry Traits Oil and Gas Field Machinery and Equipment Manufacturing • Purchases range from raw materials (where quality is essential) for the production of drill bits, drilling pipes, valves, or derricks, to motors used in a variety of oil and gas field equipment

Developing a Knowledgeable Perspective About the Entity’s Financial Statements (Median Industry Data)

Assessing the Risk of Material Misstatement

Accounts Payable Turnover in Days: 34 Accounts Payable as a % of Total   Assets: 13.7% Current Ratio: 1.8:1 Quick Ratio: .9:1

• Concerns about recording purchases in the correct time period

Accounts Payable Turnover in Days: 30 Accounts Payable as a % of Total   Assets: 18.1% Current Ratio: 1.8:1 Quick Ratio: 1.0:1

• Vendors often offer price concessions or terms such that goods do not have to be paid for until purchased product is sold, leading to concerns about consignment traits of inventory

• Concerns about increased fraud risk with a high number of vendors • Concerns about potential for unrecorded liabilities

• Wide variety of vendors Electronic Computer Manufacturing • Purchases must be managed aggressively to minimize inventory obsolescence • Significant subcontracting or outsourcing of the manufacturing process Supermarkets and Other Grocery Stores • Purchase a wide array of products including products with perishable characteristics • Purchasing and supply chain management is an important aspect of profitability

• Concerns about potential unrecorded liabilities Accounts Payable Turnover in Days: 16 Accounts Payable as a % of Total   Assets: 3.4% Current Ratio: 1.2:1 Quick Ratio: .5:1

• Purchases include food for restaurant and convention business • Purchases are less significant operating costs compared to retailers or manufacturers Colleges, Universities, and Professional Schools • Purchases are incidental to the core product, educating students • Core process may not be significantly affected by price increases for purchased goods

• Concerns about accounting for advertising allowances and other price concessions to stock merchandise • Concerns about recording purchases in the correct time period • Concerns about potential unrecorded liabilities

• Wide variety of vendors Hotels and Motels

• Concerns about purchasing cutoff at year-end

Accounts Payable Turnover in Days:   Not Reported Accounts Payable as a % of Total   Assets: 2.4% Current Ratio: .7:1 Quick Ratio: .6:1

• Purchases, including food, cleaning of linens, and purchases of other supplies that are moderately material to the entity

Accounts Payable Turnover in Days:   Not Reported Accounts Payable as a % of Total   Assets: 3.3% Current Ratio: 1.6:1 Quick Ratio: 1.4:1

• Purchases and accounts payable are not central to the core business, resulting in reduced potential for unrecorded liabilities

12-6  C h a pte r 12 Auditing the Purchasing and Payroll Processes

grocery stores (NAICS 445110), hotels and motels (NAICS 721110), and colleges, universities, and professional schools (NAICS 611310). These examples define a wide spectrum of underlying business practices and an equally wide spectrum of risk for the auditor. The auditor would normally obtain an understanding of the client’s business and its economic environment through previous experience with the entity; information from trade associations, business periodicals, and newspapers; and from publishers of industry information such as Robert Morris Associates or Value Line. It is important for the auditor to understand the nature of the client’s purchasing process. The oil and gas field machinery equipment industry produces products such as drill bits, drilling pipes and motors, derricks, valves, portable rigs, well-monitoring instruments, tubing, wellheads, blowout preventers, and oil and gas separators. Therefore, manufacturers may have a wide range and large number of suppliers, which heightens the attention to internal controls over vendors. Manufacturing computer components can be very capital-intensive, and the quality of raw materials is very important. However, the actual manufacturing of computers or tablets may be outsourced, and supply chain management may be a key component of the purchasing system. The retail grocery industry usually has a very large number and variety of vendors; control over the supply chain and vendors in the supply chain is critical to profitability in this industry. Purchases of products are less important in the hotel industry, and purchases of supplies may be even less significant to the operations of a college or university. The auditor should also consider the industry-related factors of the availability and price volatility of raw materials. For example, a computer assembler, who may be dependent on a single vendor for a unique component critical to an assembled product, may face significant price increases if key components are in demand. An airline’s demand for fuel is another example of a key purchase that cannot be substituted and is extremely vulnerable to price swings or shortages. Alternatively, a retail grocer deals with numerous vendors and prices where intense market competition tends to stabilize prices, and substitute products are available. A retail grocer may be able to choose among a variety of produce providers, resulting in more limited exposure to inventory shortages or sudden price swings. Once again, the audit of each company must be custom-made. Inherent risks differ from one client to the next, and inherent risks may often differ from one audit to the next for an existing client. Auditors must be alert to the potential issues unique to a specific audit client. Hence, understanding the nature of the purchasing process will help auditors identify and assess the inherent risk of material misstatement in the purchasing process. Assessing inherent risk related to the purchasing process is discussed later in the chapter.

Audit Reasoning Example Taking a Fresh Look at the Client Every Year

Carla has been working as an auditor for about six months. She was assigned to the audit of a Howard’s Hardware (a local hardware and lumber company that has six stores in small communities in a midwestern state). Carla prepared some of the initial planning documents because the senior on the engagement was moved to another engagement, and the audit firm believed she could step up and do the work. Brandon, the audit manager, has just reviewed some of Carla’s planning documentation. Brandon comments, “It looks like you cut and pasted a lot of the planning documentation from last year, which is a place to start. But let’s discuss and think deeper about planning for the current year. What do you think has changed?” Carla replies, “The company has not opened any new stores, and sales have dropped at a couple of stores, but otherwise it seems to be doing about the same.” Brandon then asks, “Why is this planning documentation important?” Carla responds, “The documentation is required by professional standards.” Brandon responds, “Yes, but it is more than compliance with professional standards. I don’t think an auditor can look at data and draw appropriate conclusions without having a broader context of what is happening in the client’s industry. For example, a major lumber company with stores in 20 states has just entered two markets to compete with Howard’s Hardware. How will new and major competition change business for Howard’s Hardware? Does Howard’s Hardware have plans for how it will respond? I know you are not familiar with this industry, but it is important that you and the entire team be up to speed about how this, and other changes, might influence Howard’s Hardware’s business. This sets the context for our ability to look at, and understand, the variety of information we will review during the audit.”

  Understanding the Entity and Its Environment  12-7

Analytical Procedures As noted previously, performing analytical procedures as part of risk assessment is costeffective and often useful in identifying potential misstatements in the financial statements. The most effective analytical procedures rely on the auditor’s knowledge of the business and industry. Some example analytical procedures that may apply to the purchasing process are presented in Illustration 12.4. Ratio Accounts payable turnover in days

Cost of goods sold to average accounts payable Payables as a percentage of total assets

Current ratio

(

365 ÷  

Formula Cost of sales

)

Average accounts payable

Cost of goods sold Average accounts payable Accounts payable Total assets

Current assets Current liabilities

Audit Significance Prior experience in accounts payable turnover in days combined with knowledge of current purchases can be useful in estimating current payables. A reduction of the period may indicate completeness problems. Unless the company has changed its payment policy, this ratio should be about the same percentage from year to year. Common-sized percentages in accounts payable are useful to compare with industry data. A significant decline in payables as a percent of total assets may indicate completeness problems. A significant increase in the current ratio compared to prior years may indicate a completeness problem. However, this ratio may also be influenced by changes in current asset accounts.

Many analytical procedures focus on the relationship between purchases and accounts payable. If a company is growing, it is common to expect purchases, inventory, and accounts payable to grow at approximately the same rates. The auditor’s knowledge of the volume of purchases, combined with prior experience in terms of accounts payable turnover in days (the average number of days it takes to retire payables), is useful in estimating current year’s payables. While ratios like the current ratio are easy to calculate, they may fluctuate based on influences from processes other than the purchasing process, such as sales or investments. The auditor needs to bring an appropriate level of professional skepticism to reviewing the results of analytical procedures, and auditors should be particularly alert to the risk that purchases and payables may be understated (a problem with the completeness of purchases and payables).

Audit Reasoning Example Analyzing the Results of Analytical Procedures

Emily White, an audit manager, is reviewing with Steve McKinley, audit staff, the results of his analytical procedures. Emily notes Steve picked up on the fact that a client’s current ratio improved significantly, from 1.5:1 to 2.5:1. “However, does this mean that the company is performing better?” Steve responds that he is not quite sure what Emily’s concern is. Emily then points out that the company’s receivables and inventory have grown about 3–5%, consistent with sales growth. However, payables are down significantly. Emily goes on, “We need to bring an appropriate level of professional skepticism to our analytical procedures and analyses. From my perspective, the improvement in the current ratio is largely due to a significant decline in payables. We could have a potential problem in unrecorded liabilities and expenses. This needs to be highlighted for further investigation. Do you understand my concern now?”

Other Considerations Regarding the Entity and Its Environment Recall from Chapter 4 (see Illustration 4.1) that an auditor should understand numerous issues about the entity and its environment. Illustration 12.5 provides examples of situations

ILLUSTRATION 12.4   Analytical procedures commonly used to audit purchases

12-8  C h a pte r 12 Auditing the Purchasing and Payroll Processes

and key factors related to an entity that might lead to either a higher or lower assessment of inherent risk for the purchasing process. Each audit should be viewed independently from previous audits when an auditor updates his or her understanding of the entity and its environment. illustration 12.5   Understanding the entity and its environment related to purchases

Key Factors Regarding the Entity and Its Environment

Higher Inherent Risk Many governmental entities may be subject to various “buy American” laws. Companies need to be concerned about purchases from entities in countries where corruption is common. The client does not effectively monitor purchasing activity. Significant purchase transactions are conducted with affiliated companies or other related parties. Corporate governance provides little or no oversight of management or the purchasing process. Payables are not recorded until vendor invoices are received, and little or no attention is paid to month-end cutoff and closing procedures.

Compliance with laws and regulations

Client performance measurement Related party transactions Corporate governance Month-end, quarter-end, and year-end closing procedures

Lower Inherent Risk Purchases are not subject to legal restrictions.

The client carefully monitors purchases compared to underlying business activity. There are few or no purchase transactions with affiliated companies or other related parties. There is strong corporate governance with oversight of the purchasing process. When vendor invoices are not received, policies are in place to accrue liabilities for items received and significant attention is paid to month-end cutoff and closing procedures.

Before You Go On 2.1 Explain how auditing the purchasing process might be different for a retail grocer than for a college or university. 2.2 Assume that, when performing analytical procedures during risk assessment, an auditor notices that purchases have grown by 10% while payables have declined by 15%. What assertions might be misstated? 2.3 Explain how month-end closing procedures might decrease inherent risk in the purchasing process.

Inherent Risks in the Purchasing Process LEA RNING OBJECTI VE 3 Determine inherent risk for various assertions in the purchasing process. In assessing inherent risk for purchasing process assertions, the auditor should consider pervasive factors influencing the understatement or overstatement of payables and expenses. Pervasive factors that might motivate management to misstate purchasing process assertions include: •  Pressure to understate expenses in order to report achieving announced profitability targets or industry norms that were not achieved in reality. •  Pressure to understate payables in order to report a higher level of working capital when the entity is experiencing liquidity problems or going-concern doubts. Both of these pressures lead to a greater risk of understatement of expenses and payables.

  Inherent Risks in the Purchasing Process  12-9

The expenditure process is also particularly prone to the risk of employee fraud through unauthorized disbursements of cash, misappropriation (theft) of purchased assets, and collusion with vendors to win bids or set prices. If managers, or the auditors, are sufficiently familiar with industry practices and prices, they might be able to spot these types of problems at early stages. Other factors that may contribute to misstatements in the purchasing process include: •  A high volume (very material amount) of transactions are usually made. •  Duplicate payment of vendor invoices may occur. •  Cutoff problems due to failure to accrue liabilities when goods have been received but vendor invoices have not arrived.

Professional Environment  Duplicate Payments Are a Problem for Companies and Governments Imagine paying a $40,000 invoice from a vendor twice. What does that do to a company’s cash flow? In its 2014 Annual Report,1 the U.S. Government Accountability Office disclosed that it was involved in preventing such improper payments in the amount of $124.7 billion within just 22 federal agencies. Infor, Inc., a company that helps other companies prevent or detect duplicate payments estimates that 0.05% to 0.1% of invoices paid are typically duplicate payments.2 For a company with $50 million in annual payments, this could represent a loss of $150,000. Infor, Inc. suggests some of the most common data entry errors resulting in duplicate payments include:

•  Poor review of vendor master files allowing duplicate vendors.

•  Misreading a number or letter (e.g., 0 instead of O, or 5 instead of S).

•  Failure of vendors to provide purchase order numbers on an invoice, making it difficult to match invoices with purchase orders.

•  Transposing numbers (e.g., 45 instead of 54). •  Mis-keying or omitting punctuation (such as hyphens or slashes). •  Omitting leading or trailing zeros (e.g., entering an invoice one time as 456 and the next time as 000456). Pyrus, a company that engages in workflow automation, suggests the following problems may be at the root of many duplicate payments:3

•  Failure to double-check for mis-keying or misreading problems similar to those noted above. •  Entities being too responsive to vendors who request rushed checks (e.g., payment before receiving an invoice). •  Payment from multiple source documents. •  Multiple methods for processing an invoice. •  Failure to have all invoices sent to a central location.

•  Failure to make appropriate approval of a vendor invoice a company priority. •  Dispute resolution being a low priority. •  Failure to pay only from original invoices or to mark original invoices “paid.”

Finally, when auditors perform analytical procedures during risk assessment, they should develop a skill in analyzing the likely assertions that might be misstated based on the data. For example, consider the following information. Take a moment, study the data, and consider what assertions might be at an increased risk of misstatement.

Current Year $000 Percentage

$000

Prior Year Percentage

Revenues

$5,638

100.0%

$3,780

100.0%

Cost of goods sold

$2,691

47.7%

$1,975

52.2%

  Gross profit

$2,947

52.3%

$1,805

47.8% (continued)

1 U.S. Government Accountability Office, 2014 Annual Report: Additional Opportunities to Reduce Fragmentation, Overlap, and Duplication and Achieve Other Financial Benefits (Washington, DC, April 2014). 2

Infor.com, White Paper, Detecting and Preventing Duplicate Invoice Payments (New York, NY, 2015).

3

Pyrus.com, https://pyrus.com/en/blog/2016/07/duplicate-payment.html (accessed December 15, 2018).

12-10  C h a pte r 12  Auditing the Purchasing and Payroll Processes (continued)

Accounts payable, net

Current Year $000 Percentage

$000

$ 180

$ 164

Prior Year Percentage

Revenue growth

49%

33%

Accounts payable growth

  9%

30%

Cost of goods sold growth

36%

34%

Accounts payable turnover in days

  24 days

  31 days

Inventory turnover in days

180 days

189 days

The data show a company that is clearly experiencing rapid growth. While cost of goods sold has grown by 36%, payables have only grown by 9%, and gross margins have improved. The lack of growth in accounts payable should heighten the auditor’s professional skepticism with respect to the completeness of payables and cutoff of purchases and payables. In summary, significant inherent risks exist for the completeness of purchases and payables.

Professional Environment  Restatements Related to Expense Recording and Liabilities Audit Analytics4 recently reported a summary of restatements due to expense recording and liability issues for a 17-year period ending in 2017. Two categories of restatements are relevant to the purchasing and payroll processes. The first category is entitled Expense (Payroll, SGA, Other) Recording Issues. Expense recording issues consist of errors or irregularities in approach, theory,

Disclosure Year Expense recording issues % of all financial statement restatements

or calculation associated with the expensing of assets or understatement of liabilities. These issues can arise from any number of areas, including failure to record certain expenses, reconcile certain amounts, or record certain payables on a timely basis. Issues with payroll and SG&A expenses are also identified in this category.

2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 144

153

15.6% 9.7%

61

78

15.5% 18.5% 14.0% 13.8% 14.6% 11.2% 7.2%

286

236

135

114

8.9%

The second category is entitled Liabilities, Payables, Reserves, and Accrual Estimate Failure. This category consists of errors, irregularities, or omissions associated with the accrual or identification of liabilities on the balance sheet. The underlying cause of these

Disclosure Year Liabilities, payables, reserves, and accrual estimate failure % of all financial statement restatements

124

95

104

81

77

224

237

237

101

­ isstatements ranges from failures to record pension obligations to m problems with establishing the correct amount of liabilities for leases and other liabilities. The category also includes the failures to record deferred revenue obligations or normal accruals.

87

102

86

76

15.9% 14.2% 12.7% 18.5% 10.5% 10.5% 12.0% 10.2% 8.9%

In the last four years of this period, the expense recording issues have leveled out between 10.7% and 12.1% of all restatements. The liabilities, payables, reserves, and accrual estimate

959

12.1% 10.7% 11.3% 10.7%

2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 151

2017

89

97

89

78

2017 63

10.2% 11.3% 11.8% 11.5% 11.4%

failure have also leveled out in the last four years of the period, ranging between 11.3% and 11.8% of all restatements.

4 Don Whalen, Olga Usvyatsky, and Dennis Tanona, 2017 Financial Restatements, A Seventeen Year Comparison (Audit Analytics: Sutton, MA, 2018).

  Control Activities for Purchases  12-11

Cloud 9 - Continuing Case Josh and Suzie review what they know about Cloud 9’s purchasing function. Cloud 9’s product development teams work closely with a variety of manufacturers around the globe. Cloud 9 has been particularly concerned about the quality of manufacturing when choosing manufacturers. Cloud 9’s CFO, David Collier, has also expressed concerns about risks inherent in the purchasing function globally. David has had several meetings with accounting staff to raise awareness about the risk of duplicate payment or fictitious vendors. Further, he has placed a top priority on regular screening of the master vendor file to

ensure the file is kept current, old vendors are removed from the file, and the file represents an accurate list of current vendors and manufacturers that Cloud 9 does business with. However, Josh points out to Suzie that inherent risk is still high related to the occurrence assertion for purchases and that the quality of Cloud 9’s internal control will likely allow for a low control risk assessment. Further, Josh and Suzie are concerned about potential cutoff problems that may lead to unrecorded liabilities; therefore, inherent risk is also assessed as high for the completeness of purchases.

Before You Go On 3.1 Identify several pervasive factors that might motivate management to misstate assertions in the purchasing process. 3.2 Why are auditors more concerned about the understatement of liabilities rather than the overstatement of liabilities? 3.3 Identify several analytical procedures the auditor might use to assess the likelihood that a material misstatement might exist in the purchasing process. Would the analysis of accounts payable turnover in days provide for more accurate analysis of accounts payable than analyzing the current ratio? Explain.

Control Activities for Purchases Lea rning Objecti ve 4 Evaluate control activities for purchase transactions. The quality of entity-level controls is important to the effective functioning of transaction-level controls. In particular, auditors should understand the combined effect of the control environment and an entity’s risk assessment activities in establishing an awareness within the entity about the risk of misappropriation of assets in the purchasing process, the potential for duplicate payments, and the risk of failure to accrue expenses and payables due to cutoff problems. A strong tone at the top about the importance of accurate financial reporting also discourages the under-accrual of expenses and liabilities. The discussion for the remainder of this chapter focuses on transaction-level controls. When understanding transaction-level controls and performing a system walkthrough, auditors should always be alert to understanding the influence of the control environment on the effective operation of transaction-level controls. The process used for developing an audit strategy for various assertions involves the following six steps: 1.  Understanding the flow of transactions in a given transaction process. 2. Identifying what can go wrong (WCGW) from initiating the transaction to recording it in the general ledger. The auditor needs to link what can go wrong to relevant assertions.

12-12  C h a pte r 12  Auditing the Purchasing and Payroll Processes

3. Assessing whether controls exist to mitigate what can go wrong. 4. Identifying relevant controls, performing tests of controls, and evaluating results. 5. Reporting internal control weaknesses to those charged with governance of the entity, based on controls that are absent or controls that are not operating effectively. 6. Determining an audit strategy at the assertion level. Now think about the five industries that were mentioned at the beginning of this chapter. It is likely the demands in the purchasing process will be different for a computer manufacturer than for a retail grocery chain or a college and university. Today, many larger companies use a heavily automated system with electronic data interchanges between a company and its suppliers. However, many governments and private companies continue to use a more paper-intensive environment to provide an audit trail for transactions recorded in a computerized accounting system. The following discussion of purchases and cash disbursements begins with illustrations of systems that use a higher level of documentation in the audit trail. Subsequently, the chapter has a section on evaluated receipt settlement (ERS). ERS and electronic invoice presentment and payment (EIPP) systems are highly automated with significant electronic data interchange. A comparison of the two systems displays very different methods of recording and controlling purchases, payables, and cash disbursements. The paper-intensive system is discussed in this chapter in “Control Activities for Purchases” and “Control Activities for Cash Disbursements,” while the automated system is discussed in “Evaluated Receipt Settlement (ERS).” Many of the controls discussed in this section focus on IT application controls implemented by a company. The assumption is made that IT general controls are strong, and the auditor will need to understand and eventually test the effectiveness of manual follow-up of exceptions noted by IT application controls.

Example Transaction Flows—Credit Purchases The transaction flow in a typical process for a client purchasing goods includes approving purchases, receiving goods, and recording purchases and accounts payable. Common documents and files that are found in the process of selling goods include: Source Documents and Related Electronic Files •  Purchase requisition—Written request for goods or services by an authorized individual or department. •  Approved vendor master file—Electronic file containing pertinent information on vendors and suppliers that have been approved to purchase services from and make payments to. •  Purchase order—Written offer from the purchasing department to a vendor or supplier to purchase goods or services specified in the order. •  Receiving report—Report prepared on the receipt of goods showing the kinds and quantities of goods received from vendors. •  Vendor invoice—The bill from the vendor that states the number of items shipped or services rendered, the amount due, the payment terms, and the date billed. Recording Document •  Voucher—An internal document used to record a purchase on account. The voucher has information about the vendor, the amount due, the payment date, and due date. Many purchase systems require a complete packet of purchase information (e.g., purchase order, receiving report, and vendor invoice) before approving a purchase for payment. This is also referred to as a three-way match. •  Purchases journal—The journal of original entry where each purchase is recorded.

  Control Activities for Purchases  12-13

Important Databases or Other Documents •  Purchases database—Electronic files that accumulate data on purchases, accounts payable, and cash disbursements. •  Monthly statements received from vendors—A monthly statement often sent by a vendor that shows the beginning payable balance, transactions during the month, and the ending payable balance (even if it is zero). An example of how these documents commonly flow is illustrated in Illustration 12.6, which is followed by a brief discussion of how purchases on credit are processed in many companies.

ILLUSTRATION 12.6   Example flow of transactions for purchases

Authorization

Process

Documents

Department requisitions goods

Internal

Prepare purchase order

Purchase order

Receive goods

Receiving report

Files and Databases External

Vendor master file

Purchasing and G/L database

Receiving Purchasing and G/L database

Recording Receive vendor invoice

Prepare voucher to record purchase

Vendor’s invoice

Voucher

Record in purchases journal

Purchasing and G/L database

Post to general ledger

Record in A/P subsidiary ledger

Vendor’s monthly statement

Initiating and Authorizing Purchases Initiating a transaction is the process of agreeing to a transaction with an independent third party. For smaller transactions, a department may have more latitude in purchasing goods, and company credit cards may be used by authorized personnel for smaller purchases. When management grants greater latitude to a department in initiating transactions, strong budget and accountability controls over a department’s expenditures are usually established.

12-14  C h a pte r 12  Auditing the Purchasing and Payroll Processes

Controls over an authorized vendor list. The process of approving vendors for the delivery of goods and services is a critical control. If management establishes strong controls over putting authorized vendors on an authorized vendor list, it is difficult for employees to initiate transactions with fictitious vendors. The master vendor file should also be reviewed on a regular basis to remove old vendors or potential duplicate vendors. For example, a vendor might show up twice in a master vendor file, once with an address of 1800 Southwest Fifth Avenue, and again with an address of 1800 SW 5th Ave. Having the same vendor with the same address written in two different ways increases the risk of duplicate payments. Requisition goods and services. The purchase requisition is often prepared electronically and represents the start of the transaction trail of documentary evidence in support of management’s assertion of occurrence of purchase transactions. Purchase requisitions usually are initiated from the warehouse for inventoried items or any department for items that are not in inventory. Most companies permit general authorizations for regular operating items included in a department’s operating budget. The permitted dollar amount is often tied to the employee’s responsibilities within the entity. In contrast, company policy frequently requires specific, high-level authorizations for capital expenditures and lease contracts. In an IT system, unique purchase requisitions should be sequentially numbered regardless of the originating department. Creation of electronically prepared requisitions should require entry of a valid employee number. The software uses that number to confirm that the requisition is within the authorization limit set for that employee. The software will also screen the input fields for errors such as negative numbers, characters in a numeric field, and so on. Rejected data often must be dealt with immediately in online systems. A report of missing or out-of-sequence requisitions should be routinely produced, and any exceptions promptly investigated. Preparing purchase orders. The purchasing department should have the authority to issue purchase orders only on the receipt of properly approved purchase requisitions. Preparing the purchase order continues the process of initiating a transaction. The role of purchasing is to ascertain the best source of supply. Purchase orders should contain a precise description of the goods and services desired, quantities, price, and vendor name and address. Purchase orders should be prenumbered and accounted for, which enables the tracking of each transaction from initiation, to receipt of goods or services, to recording the purchase, and to final payment. The original purchase order is usually sent to the vendor and copies are electronically distributed internally to the receiving department, the accounts payable department, and the department that submitted the requisition. The quantity ordered is generally omitted on the receiving department’s copy so that receiving clerks will make careful counts when the goods are received. Depending on the extent of the IT system, the only hard copy document generated would be the purchase order that is sent to the vendor. Many companies eliminate this hard copy by using electronic data interchange with their suppliers.

Receipt of Goods and Services Preparing a receiving report. A valid purchase order represents authorization for the receiving department to accept goods delivered by vendors. The receipt of goods usually results in the exchange of title and the establishment of a liability. Receiving department personnel should compare the goods received with the description of the goods on the purchase order, count the goods, and inspect the goods for damage. A prenumbered receiving report should be prepared for each order received to document that goods have been received, and a liability should be established. In IT systems, the receiving report may be prepared by using information already in the system and adding the appropriate data for quantities received. The software should compare the quantity ordered to that received and generate an exception report for appropriate follow-up. An entity should keep received goods in secure storage with limited access and proper surveillance. Most electronic perpetual inventory systems allow warehouse management to keep track of inventory by specific location in the warehouse. The receiving report is an important document supporting the occurrence assertion for purchase transactions. In addition, most companies prepare daily reports of anything received that has not resulted in vouchers (the recording of an accounts payable) to control the

  Control Activities for Purchases  12-15

c­ ompleteness assertion for purchases and accounts payable. The information on the receiving report is forwarded to accounts payable via a paper copy of the receiving report or electronically. Receiving reports are rarely prepared for the receipt of services (e.g., utility bills, rent, or accounting services) and management usually documents receipt of a service by approving a copy of the vendor invoice for payment.

Recording Purchases The receipt of a good or service usually establishes an obligation for an entity to record a transaction as a liability. Many companies create a voucher (an internal, prenumbered document) to recognize the liability and record it in the purchases journal or voucher register. Usually, the accounts payable department is responsible for ensuring that purchases are accurately recorded. Controls over the recording of the payables are particularly important because once a liability is established, it also authorizes the payment of the liability.

Identify What Can Go Wrong (WCGW) and Identify Key Controls—Purchases and Accounts Payable Once the auditor understands the flow of transactions, the auditor should evaluate what can go wrong, identify potential controls management has placed in operation, and then choose key controls to test. In doing so, it is important for the auditor to understand the logic used by a software application to flag potential misstatements for investigation. Illustration 12.7 summarizes the flow of transactions through the purchasing process, key documents and files, what can go wrong, and example controls for a manufacturing client making purchases on credit. As you review Illustration 12.7, try to associate particular controls with the assertions being controlled. ILLUSTRATION 12.7   Purchase transactions—WCGW and example controls

Transaction Authorizing purchases

Documents and Files

Risks (WCGW)

Example Control

Vendor master file

Purchases may be made from unauthorized vendors.

Only a limited number of individuals can change the vendor master file, and these duties are segregated from receiving goods or recording transactions. All file changes are reviewed by appropriate levels of management. The master vendor file is also reviewed to remove old vendors or duplicate vendors.

Purchase requisition

Unauthorized purchases may be made.

The software application determines individuals who have authority to initiate a purchase. Budgetary responsibility and account numbers for items purchased are established at this time. Purchase requisitions are prenumbered and accounted for.

Purchase order

Unauthorized purchases may be made.

Purchases can only be made from approved vendors. Purchase order establishes evidence of items ordered and price agreed with vendor.

Perpetual inventory

Goods received may not have been ordered.

The software application matches all goods received to approved purchase order.

Receiving report

Products may be received without generating a receiving report.

The software application prints a report of all unfilled purchase orders for follow-up by ordering department. Receiving reports are also prenumbered and accounted for.

Receiving report

Goods ordered may not be received.

The software application prints a report of all unfilled purchase orders for follow-up by ordering department.

Purchase orders are prenumbered and accounted for. Receiving goods

(continued)

12-16  C h a pte r 12  Auditing the Purchasing and Payroll Processes ILLUSTRATION 12.7   (continued)

Transaction

Documents and Files

Recording purchases

Voucher and purchasing database

Risks (WCGW)

Example Control

Purchases may not be recorded.

The software application prints a report of goods received that have not resulted in a voucher. A month-end accrual is made for items received in the warehouse, but the vendor’s invoice has not been received. Vouchers are prenumbered and accounted for.

Voucher and purchasing database

Purchases may be made for fictitious transactions, or duplicate payments may be made.

Vouchers are only recorded when a vendor’s invoice is received. The software application matches voucher and vendor invoice information with the receiving report. The purchase order and vendor’s invoice are marked as recorded, so they cannot be recorded again.

Voucher and purchasing database

Purchases may be recorded in the incorrect accounting period.

The software application matches the voucher date with the accounting period in which goods are received.

Voucher and purchasing database

Purchases may be recorded in the incorrect amount (incorrect quantities or prices).

The software application matches voucher quantities with receiving information and prices with the purchase order.

Voucher and purchasing database

Vouchers may be posted to incorrect accounts.

The software application checks account numbers on the voucher to underlying purchase requisition and purchase order.

Voucher and purchasing database

Payable may be posted to the wrong vendor.

The software application matches vendor number on voucher with vendor number on the purchase order.

Vendor’s monthly statements

Vendors invoices may be recorded in incorrect amounts.

Monthly statements from vendors are compared with the accounts payable subsidiary ledger.

Many clients build in redundant controls such that if one control does not find a misstatement, another control will detect the problem. Many clients put both preventive and detective controls in place. However, auditors cannot efficiently test all controls that exist. The auditor will find a key control by identifying the most important control for each assertion. Following are example key controls auditors often identify. The examples rely significantly on IT application controls to flag potential misstatements. The auditor should understand the logic behind the IT application controls and how client personnel manually follow up on exceptions on a timely basis. Note that the direction of the control is important. For completeness, the control will start with receiving reports and compare that population with the recorded payable. For other assertions, the control will normally validate the recorded purchase by comparing the purchase information with information documented previously in the system. Completeness of purchases. The software application starts with a population of daily receiving reports and develops a one-for-one match with vouchers to ensure each receiving report results in a voucher (the recording of a payable). A report is generated daily, reporting any goods received that have not resulted in a recorded voucher. Occurrence of purchases. The software application starts with the population of daily vouchers and develops a one-for-one match with the underlying receiving report to ensure each purchase voucher is supported by a receiving report (or an approved vendor’s invoice in the case of services). A report is generated daily of any purchases not supported by documentation of receiving goods. Once the match is made, the vendor invoice and receiving report are cancelled so they cannot be used with a subsequent voucher. Accuracy of purchases. The software application starts with the population of daily vouchers and compares quantities with the underlying receiving report, compares prices to the underlying purchase order, and checks the mathematical accuracy of the voucher. A report is generated daily of any prices or quantities on the voucher that are not supported by underlying documents or files.

  Control Activities for Purchases  12-17

Purchases cutoff. The software application starts with the population of daily vouchers and compares the date on the voucher with the date on the underlying receiving report. A report is generated daily of any vouchers not recorded in the same accounting period as the receiving report. Classification of expenses and payables. The software application starts with the population of daily vouchers and compares the vendor number with the purchase order. Both vendor account coding and general ledger coding are compared with the purchase order and purchase requisition, as a variety of accounts could be debited when the payable is recorded. A report is generated daily of any vouchers showing incorrect account coding. Completeness of payables, valuation of payables at historic cost, and existence of accounts payable. Monthly statements received from vendors are reconciled to the accounts payable subsidiary ledger. In addition, department managers should be asked to review the transactions that have been charged to their accounts. These managers should be familiar with the underlying business reasons for the transactions and review such reports to ensure transactions are valid, the obligation of the entity, correctly valued, and charged to correct accounts. If management has not established controls over accountability for the use of resources, it is evidence of a weak control-consciousness in the organization and reduces the likelihood that other controls will function effectively.

Audit Reasoning Example What Is a Voucher and What Is Its Purpose?

Ron and Vincent are working on a new audit engagement. The client has not been audited before. Ron is a junior member of the audit staff, and he is clearly frustrated when he comes in to talk with Vincent, the senior on the audit engagement. Ron recounts for Vincent, “I just finished talking with the company’s accounts payable clerk. When I asked about a voucher, she had no idea what I was talking about. On the last two clients I worked on, the companies used vouchers to record accounts payable. That doesn’t seem to be the case here. Does that mean accounts payable is a high-risk audit area? What should I do next?” Vincent responds, “There are several possible explanations. First, determine if our client has a purchases journal to record purchases and payables when goods are received. If so, what do they call the document recorded in each line of the purchases journal? They may just use another name. However, I have seen companies that don’t use a purchases journal. These companies just have a cash disbursements journal, and they pay vendor invoices when they come due. At the end of the month, these companies have a formal process for determining items received that have not been paid. Once the amount of unrecorded purchases is determined, they write an entry to accrue the purchase and payable. Further, they write a reversing entry at the beginning of the next month. It is just a different process for accruing purchases and liabilities. There is also a third possibility. The company may pay vendor invoices when they come due, and they may not have a formal process for accruing purchases and payables. If this is the case, then there is a significant risk that purchases and payables are understated.”

Before You Go On 4.1 How are financial statements misstated if there is a material misstatement in the completeness assertion regarding purchases? Describe a key control to detect and correct this problem. 4.2 How are financial statements misstated if there is a material misstatement in the occurrence assertion regarding purchases? Describe a key control to detect and correct this problem.

12-18  C h a pte r 12  Auditing the Purchasing and Payroll Processes

Control Activities for Cash Disbursements Lea rning O bjecti ve 5 Evaluate control activities for cash disbursement transactions. The cash disbursements process involves the following subprocesses: (1) approving cash disbursements and (2) recording cash disbursements. Segregation of duties in performing these subprocesses is an important internal control. Today, many disbursements involve the electronic transfer of funds. However, in the United States, many businesses continue to write checks to vendors.

Example Transaction Flows—Cash Disbursements Common documents and files that are found in the cash disbursements process include: Supporting Documents •  Voucher—An internal document indicating the vendor, the amount due, and payment terms for the purchases received. It is used to authorize recording and paying a liability. •  Report of vendor invoices due—A report of vendor invoices listed by due date. •  Report of cash balances—A report of daily cash balances. Recording Cash Disbursements •  Check or electronic funds transfer (EFT)—A formal order to a bank to pay the payee the indicated amount. •  Cash disbursements journal—A daily report showing checks written or electronic funds transferred to vendors and amounts paid. Important Databases or Other Documents •  P  urchasing database—Electronic files that accumulate data on purchases, accounts payable, and cash disbursements. •  Monthly bank statement—Statement from the bank showing transactions in the bank account. •  B  ank reconciliation—A reconciliation of the cash amount shown in the general ledger with the cash amount shown on the bank statement. Often, there are differences due to deposits in transit, outstanding checks, or bank charges.  onthly statements received from vendors—A monthly statement often sent by vendors •  M that shows the beginning payable balance, transactions during the month, and the ending payable balance (even if it is zero). An example of how these documents commonly flow through the cash disbursements process is illustrated in Illustration 12.8, followed by a brief discussion of how cash disbursements may be processed in many companies.

  Control Activities for Cash Disbursements  12-19 ILLUSTRATION 12.8   Example flow of transactions for cash disbursements

Authorization

Process

Documents Internal

Determine disbursements to be made

Files and Databases External Vendor master file

Report of vendor invoices due

Purchasing and G/L database

Report of cash balances

Recording Prepare payment

Check or EFT Purchasing and G/L database

Record in cash disbursements journal

Post to general ledger

Record in A/P subsidiary ledger

Bank reconciliation

Bank statement

Vendor’s monthly statement

Paying the Liability and Recording Cash Disbursements Usually, a treasury or cash management function is responsible for determining that unpaid payables are processed for payment on their due dates. All payments should be by check or electronic funds transfer. The software can be programmed to extract the vouchers due on each day from the accounts payable database. This report is reviewed to determine which payables should be paid considering the company’s cash position. Once management identifies certain vouchers for payment, the software application matches the check or EFT information against supporting information, performs IT application controls, and sets a flag to identify the voucher and that the related vendor’s invoice has been paid (to prevent duplicate payment). Each payment, whether by individual check or EFT, is recorded in the cash disbursements journal. Checks below a certain dollar amount may be machine-signed, with larger checks requiring a manual signature from one or more authorized individuals. On a monthly basis, the client should receive both a bank statement from the bank and a monthly statement from vendors. The bank statement should be reconciled with the general ledger cash account. The monthly statement from vendors should be reconciled with individual accounts payable subsidiary ledgers.

Identify What Can Go Wrong (WCGW) and Identify Key Controls—Cash Disbursements Once the auditor understands the flow of transactions, the auditor should evaluate what can go wrong, identify potential controls management has placed in operation, and then identify key controls to test. Illustration 12.9 summarizes the flow of transactions through the purchasing process, key documents and electronic files, what can go wrong, and example controls. As you review Illustration 12.9, try to associate particular controls with the assertions they are controlling.

12-20  C h a pte r 12  Auditing the Purchasing and Payroll Processes ILLUSTRATION 12.9   Cash disbursement transactions—WCGW and example controls

Transaction

Documents and Files Risks (WCGW)

Paying the liability and recording cash disbursements

Purchasing process database

A check (EFT) may not be recorded.

Report of vendor’s invoices due

Example Control The software application reports any breaks in the sequence of a prenumbered check series and electronic funds transfers. The software application compares the daily total in the cash disbursements journal with the total vouchers submitted for payment.

Cash disbursements journal

Access to blank checks and signature plates is controlled. There is an independent bank reconciliation.

Purchasing process database

A check (EFT) may not be recorded promptly.

Run-to-run totals compare beginning cash less cash disbursements with ending cash balance; beginning accounts payable less disbursements with ending accounts payable are also compared.

Report of vendor invoices due Cash disbursements journal Purchasing process database

The software application prints a report of checks due but not yet paid.

Checks (EFT) may be issued for unauthorized purchases.

The software application compares check information with purchase order and receiving information or other authorization. The software application performs a limit test on any large disbursement and checks for such disbursements must be manually signed.

Purchasing process database

A vendor’s invoice may be paid twice.

The software application has a field that identifies a vendor’s invoice has been paid and the voucher number cannot be reused.

Purchasing process database

A check (EFT) may be issued for the wrong amount.

Manual control requires check signers control the mailing of checks. There is an independent bank reconciliation.

Bank reconciliation Purchasing process database

A check (EFT) may be posted to the wrong account.

The software application compares information on check summary with related voucher information.

Recall that many clients build in redundant controls such that if one control does not find a misstatement, another control will detect the problem. However, auditors cannot efficiently test all controls that exist. The auditor will identify a key control for each assertion. Following are example key controls auditors often identify for cash disbursement transactions. The examples rely significantly on IT application controls to flag potential misstatements. The auditor should understand the logic behind the IT control and how client personnel manually follow up on exceptions on a timely basis. Completeness of cash disbursements. The software application compares the daily total in the cash disbursements journal with the total of vouchers submitted for payment. Occurrence of cash disbursements. The software application compares the check (EFT) information with purchase order, receiving, and voucher information. Once the voucher is paid, it is cancelled so that it cannot be paid twice. Accuracy of cash disbursements. The software application compares the check (EFT) information with the underlying information on the voucher. The software application must calculate discounts taken for early payment. Cutoff of cash disbursements. Run-to-run totals compare beginning daily cash balances with cash disbursed from the cash disbursements journal, plus cash receipts, and the ending daily cash balances. Therefore, a run-to-run total starts with the beginning balance, adds and subtracts transactions, and should match the ending balance in a balance sheet account. Also, the software application compares the vendors approved for payment with the total of the daily cash disbursements journal. Classification of cash disbursements. The software application compares information on the cash disbursements journal with the related voucher information.

 Evaluated Receipt Settlement (ERS)   12-21

Completeness, existence, and valuation of cash balances. The client performs an independent bank reconciliation.

Before You Go On 5.1  How are financial statements misstated if there is a material misstatement in the completeness assertion regarding cash disbursements? Describe a key control to detect and correct this problem. 5.2 How are financial statements misstated if there is a material misstatement in the accuracy assertion regarding cash disbursements? Describe a key control to detect and correct this problem. 5.3  How are financial statements misstated if there is a material misstatement in the classification assertion regarding cash disbursements? Describe a key control to detect and correct this problem.

Evaluated Receipt Settlement (ERS) Lea rning Objecti ve 6 Evaluate control activities in an evaluated receipt settlement system. Evaluated receipt settlement (ERS) is a highly automated business process between suppliers and purchasers to exchange data electronically and execute a purchase transaction electronically. In larger public companies, ERS transactions represent 75–90% of all transactions. In smaller, privately owned companies, not-for-profit organizations, or governments, ERS transactions are rare. ERS recognizes the key elements of a purchase transaction involve: •  The nature and quantity of the goods received. •  The price of the goods received. •  The payment terms for the goods received. In an ERS system, the purchaser and supplier agree to exchange data about a transaction electronically and use an ERS process for paying purchases. While ERS systems are often custom-made to accommodate the supplier’s and purchaser’s information systems, the following discussion addresses the common elements of many ERS systems.

Initiating an ERS Transaction The first step in initiating an ERS transaction is the contract, which may be the only “paperwork” in the process. Many contracts are exchanged and signed electronically. The contract between the vendor and the purchaser will specify how data is exchanged electronically, how long prices are good for (30 days, 60 days, or whenever updated), the process for verifying quantities shipped and received, the process for verifying other transaction costs such as freight or taxes, and the terms of payment (e.g., discounts for early payment). Once the contract is agreed to, the system of electronic data interchange is established, pricing information regarding the vendor’s catalog (stating items available for sale and prices) is often obtained online, and controls over access to data are placed in operation.

evaluated receipt settlement (ERS)  a highly automated business process between suppliers and purchasers to exchange data electronically and execute a purchase transaction electronically

12-22  C h a pte r 12  Auditing the Purchasing and Payroll Processes

advance shipping notice (ASN)  an electronic acknowledgement of a transaction by a supplier indicating goods shipped, prices, and other information such as freight costs or taxes

The next step involves the purchasing company initiating a purchase order. The purchase order is prenumbered to establish control over the population of purchases. The purchase order is usually sent electronically to the vendor (although it may be faxed or sent by mail). The supplier will normally acknowledge the transaction electronically by sending an advance shipping notice (ASN) indicating the goods to be shipped, prices, and other information (e.g., freight costs or taxes). Upon shipment, the vendor will create normal shipping documents such as a bill of lading and packing slip.

Receiving Goods The receipt of goods in an ERS system is similar to any other system. A prenumbered, electronic receiving report should be created, noting the items received and the condition of goods including any defective items. Often, the goods are counted using barcodes, and once the quantity received of each item is known, the purchaser has sufficient information to book a liability.

Recording Payables Upon the receipt of goods, the purchaser should match the goods received, per the receiving report, to the purchase order and ASN. Once all the documents match, an entry should be made to the purchases journal to record the purchase and accounts payable. Normally, a unique, prenumbered document (similar to a voucher) should be created to record the purchase and establish control over the recording process. Since this is an internal document, it is usually created only in electronic form in an ERS system. The ERS system often records the purchase and liability created concurrently with the receiving report, as all information is known about the transaction at time of receipt of goods (e.g., the type of goods received, the quantity of goods received, the price for goods received, and payment terms). When a vendor’s invoice is presented electronically, it is matched to determine that the purchase order, receiving report, and vendor’s invoice agree (a three-way match). In some systems, a vendor’s invoice is never generated. Rather, all the information needed to establish a transaction is embedded in the ASN and the receiving report. A liability is created when goods are received and the purchase is paid based on contractual terms. In these cases, a two-way match is performed to agree the recorded liability to the receiving report and purchase order.

Electronic Payment electronic invoice presentment and payment (EIPP) systems  an electronic system that uses a third-party payment process to settle a businessto-business transaction third-party payment processor  an independent third party such as a bank or payment processor that processes a payment from the purchaser to the supplier; federal regulations require that the thirdparty payment process is PCI security compliant

Many ERS systems use electronic invoice presentment and payment (EIPP) systems. EIPP systems use an independent third party to settle the business-to-business (B2B) transaction. An independent third-party payment processor, such as a bank or payment processor, is used to make the payment from the purchaser to the supplier. A third-party payment processor is often used to make payments because entities that store checking account number information must be Payment Card Industry (PCI) security compliant according to federal regulations, which requires investing in secure IT systems and paying for regular recertification. In an EIPP system, the purchasing entity: •  Receives an electronic invoice from the vendor. •  Validates the invoice (using a three-way match). •  Cancels the vendor’s invoice so it is not paid twice. •  Approves the invoice for payment (usually taking advantage of early payment discounts). Once the invoice is approved for payment, the third-party payment processor transfers funds from the purchasing entity to the vendor on the due date.

 Evaluated Receipt Settlement (ERS)   12-23

Internal Controls in an ERS System Internal controls in an ERS system are similar to internal controls in a traditional system. Following is a list of key controls that are often found in an ERS system for purchases, categorized by relevant assertion. The effectiveness of each of these controls relies on timely manual follow-up on exception reports, as well as the accuracy of the software application. •  Completeness of purchases. The software application generates a daily report of receiving reports that have not been matched one for one with the recording of a purchase and a liability. •  Occurrence of purchases. The software application generates a daily report of any discrepancies between the recorded payable and quantities on the receiving report. Once a receiving report is matched with a purchase, it cannot be matched with another purchase. •  Accuracy of purchases. The software application generates a daily report of any discrepancies between the recorded payable and quantities on the receiving report or prices on the purchase order, and other information such as freight and taxes on the advance shipping notice from the vendor. When a vendor’s invoice is received electronically, it is matched with information on the recorded payable (which has previously been matched with the purchase order, advance shipping notice, and the receiving report) and a report is created of any discrepancies. •  Purchases cutoff. The software application generates a daily report of any discrepancies between the accounting period on the receiving report and the accounting period on the recording of the purchase and liability. •  Classification of expenses and payables. The software application generates a daily report of any discrepancies between the vendor account coding and general ledger coding, which is compared with the purchase order and purchase requisition. •  Completeness of payables, valuation of payables at historical cost, and existence of accounts payable. Monthly statements received from vendors are compared to the accounts payable subsidiary ledger with timely follow-up on discrepancies. Following is a list of key controls that are often found in the purchaser’s ERS system for cash disbursements, categorized by relevant assertion. •  C  ompleteness of cash disbursements. The software application generates a daily report comparing the daily total in the cash disbursements journal with the total of payables submitted to the third-party payment processor for payment and any discrepancies are reported. •  O  ccurrence and accuracy of cash disbursements. The vendor’s invoice is cancelled so that it is not paid twice. The software application develops a daily report that compares the EFT information submitted to the third-party payment processor with the payable and invoice information and that identifies any discrepancies. Any duplicate payments or potential payments with discrepancies are rejected and not forwarded to the third-party payment processor for payment. •  C  utoff of cash disbursements. The software application generates a daily report comparing the time period of when vendors are approved for payment with the time period they are recorded in the cash disbursements journal. •  C  lassification of cash disbursements. The software application generates a daily report comparing account classification in the cash disbursements journal with the related voucher information. •  C  ompleteness, existence, and valuation of cash balances. The purchasing entity performs an independent bank reconciliation.

12-24  C h a pte r 12  Auditing the Purchasing and Payroll Processes

Before You Go On 6.1  Explain the flow of a transaction from initiating a purchase to paying for the purchase in an ERS system. 6.2 How are financial statements misstated if there is a material misstatement in the completeness assertion regarding the recording of purchases? Describe a key control to detect and correct this problem in an ERS system. 6.3  How are financial statements misstated if there is a material misstatement in the occurrence assertion regarding cash disbursements? Describe a key control to detect and correct this problem in an ERS system.

Control Activities for Purchase Adjustments and Purchasing Process Disclosures Lea rning O bjecti ve 7 Evaluate control activities for purchase adjustment transactions and purchasing process disclosures. Important documents and records used in processing purchase adjustments in traditional or ERS systems include the following: •  Purchase return authorization—Form showing the description, quantity, and other data pertaining to the goods the vendor has authorized the purchaser to return. It serves as the basis for initiating the purchase return. •  Shipping report—Report prepared on the shipment of goods to vendors showing the kinds and quantities of goods shipped. •  Debit memo—Form stating the particulars of a debit to accounts payable, including the specific items returned, prices, and amount debited. It provides the basis for recording the purchase return. These documents are referenced in the following discussion.

Purchase Returns and Allowances On occasion, goods received from vendors are defective and must be returned. In addition, vendors offer a number of inducements to purchase inventory. In some cases, vendors will agree to reduce the price for goods rather than have goods returned. Some vendors offer incentives depending on the volume of their products sold. Other vendors offer various advertising allowances. For example, in the retail grocery industry, many vendors will pay some of the advertising costs for their products in the advertisements of the grocery store. In many companies, the number and dollar value of these transactions is immaterial. However, in some companies, the potential for misstatements could reach a material amount. Each of these transactions results in reducing payables and expenses, and improving reported liquidity and earnings. In rare instances, companies have recorded material purchase returns at year-end to reduce payables and expenses. Sound financial reporting needs to establish adequate controls over these transactions to prevent their abuse in earnings management activities. Accordingly, control activities useful in reducing the risk

  Control Activities for Purchase Adjustments and Purchasing Process Disclosures  12-25

of misstatements focus on establishing the occurrence of such transactions and include the following: •  All purchase returns should be authorized by the vendor. •  Goods should be returned only with a proper purchase return authorization, and an independent count of goods returned should be recorded on shipping documents such as packing slips and bills of lading. •  The software application should match the debit memo information with the authorization for purchase return and the shipping documents and report any discrepancies. Further, there should be adequate segregation of duties between obtaining authorization for purchase returns, shipping goods, and recording debit memos. When there is the potential for material misstatements from purchase adjustments transactions, the auditor should obtain an understanding of all relevant aspects of the internal control structure components and consider the factors that affect the risk of such misstatements. If purchase adjustments are estimated at quarter-end, management should establish controls to ensure adjustments are based on reliable information and that adjustments are consistent from quarter to quarter. A disclosure committee should review these estimates if they could aggregate with other adjustments to an amount that is material to the financial statements.

Other Controls in the Purchasing Process The previous discussion focused primarily on controls over transactions. If good controls exist over credit purchases, cash disbursements, and purchase returns, the accounts payable and cash balances should also be controlled as they are the result of recording these transactions. Additional controls over payables include comparing vendor statements with the balance in the accounts payable subsidiary ledger. Further, sound control over cash balances involves performing a bank reconciliation shortly after month-end. Finally, management should establish controls over the occurrence and rights and obligations of disclosures, the completeness of disclosures, the classification and understandability of disclosures, and the accuracy and valuation of information included in disclosures. Common disclosures in the purchasing process include: •  Reclassification of material debit balances in accounts payable as accounts receivable. •  Segregation of short-term payables from long-term payables. •  Dependence on a single vendor or a small number of vendors. •  Disclosure of purchase commitments and long-term purchase contracts. •  Expenses reportable by business segment or geographic region. •  Disclosure of payables to officers, directors, employees, or related parties. Public companies normally accomplish this task with a disclosure committee that works with the CFO or controller to review disclosures. The disclosure committee often includes individuals in management who are knowledgeable about the condition of the company and knowledgeable about appropriate GAAP for disclosures relevant to the purchasing process. Many companies use a current GAAP disclosure checklist to assist in this process.

Before You Go On 7.1 Explain the economic substance of purchase returns and allowances. Explain the appropriate controls over purchase returns and allowances. 7.2  Explain the appropriate controls over the purchasing process disclosures.

12-26  C h a pte r 12  Auditing the Purchasing and Payroll Processes

Tests of Controls in the Purchasing Process and Audit Strategy Lea rning O bjecti ve 8 Determine how to design and perform tests of controls in the purchasing process and connect the results of control testing to audit strategy. The following discussion identifies potential tests of controls that may be used to determine if a client’s controls in the purchasing process are effective. Once the auditor has evaluated the quality of internal controls, the audit team is in a good position to evaluate the opportunity for fraud risk. The fraud risk assessment should be approached with professional skepticism. Finally, this section focuses on the links between risk of material misstatement and subsequent strategy for substantive testing.

Tests of Controls in the Purchasing Process Most auditors plan to test controls in the purchasing process because of the high volume of routine transactions in this process. Public company auditors test controls to support an opinion on internal control. Auditors of private companies may decide to test controls if the controls appear effective and the auditors determine it is efficient to do so. If the client relies on IT controls and the auditor plans to assess control risk as low for purchasing process assertions, the auditor will usually: •  Test the effectiveness of general controls. •  Use generalized audit software to evaluate the effectiveness of IT application controls. •  Test the effectiveness of manual procedures to follow-up on exceptions identified by IT application controls. As discussed in previous chapters, the auditor will usually test the effectiveness of IT general controls as part of testing entity-level controls. For example, when testing the control environment, the auditor might pay particular attention to making inquiries and collecting supporting evidence regarding employee awareness of IT security issues. If the auditor is testing issues regarding controls over program changes, the auditor might determine how program access is controlled and monitored, look at logs of program access or incident reports, and talk to users about their involvement in program changes affecting their responsibilities. The auditor will want to pay attention to segregation of duties regarding access to programs and access to data, the effectiveness of password controls, and the follow-up of any incident reports regarding unauthorized access. Many of these tests are performed by an IT audit specialist. Auditors often use test data on IT application controls to determine whether expected results appear on exception reports. For example, in the purchasing process the auditor might submit: •  A missing or invalid vendor code. •  An invalid product code. •  Transactions reporting items received in quantities different from the amount ordered (both over and under). •  Prices, vendor numbers, or other information on vouchers that does not match information on the purchase order. •  Voucher quantities that do not match quantities on receiving documents. Finally, the auditor will need to test the appropriateness of manual follow-up of exceptions noted by the software application. If exception reports are printed daily, the auditor might select a sample of exception reports to determine if exceptions are cleared on a timely basis. The auditor might make inquiries of personnel responsible for clearing exceptions to determine their awareness of the types of misstatements that might appear on exception reports. The auditor should also follow through on previously noted exceptions to determine they were cleared appropriately by authorized personnel on a timely basis.

 Tests of Controls in the Purchasing Process and Audit Strategy  12-27

Fraud Risk Assessment After evaluating inherent risk and control risk, the auditor is in a position to evaluate fraud risk. The risk of misappropriation of assets is particularly prevalent in the purchasing process. Procurement fraud risks include: •  Fictitious or phantom vendors. An employee sets up a fictitious vendor in the master vendor file. The fictitious vendor information relates to an address or post office box controlled by the employee. Purchases, which are fictitious, are made from the fictitious vendor, and then payments are made to the employee via the fictitious vendor. •  Kickbacks. A kickback scheme involves collusion between an employee and a vendor. The client company pays inflated prices to the vendor, and the employee receives a payment, or kickback, for facilitating the inflated transactions with the vendor. •  Bid rigging. A bid rigging scheme involves collusion between an employee and a vendor in which the employee assists the vendor in winning a competitive bid for a contract, sometimes at higher prices. The employee is typically compensated by the vendor in the form of a cash payment. •  Personal purchases. An employee uses company funds to purchase personal items. For example, an employee may be on a legitimate business trip but also spends company funds for personal travel such as extended hotel nights and meals for extra days. These frauds can be reduced with strong controls over the vendor master files, determining the appropriateness of support for payments to vendors before recording a liability (voucher), and the willingness to dispute inappropriate items with vendors. Auditors should also consider incentives and pressures on management that may push management toward fraudulent financial reporting, such as how management compensation plans provide incentives to meet profitability targets, or whether management is trying to meet previously forecasted earnings targets. Ultimately, a key aspect of fraud risk relates to the opportunity that may or may not be present based on the quality of the system of internal control. An auditor’s concerns are heightened when the control environment is weak, or control activities are nonexistent. In not-for-profit organizations, smaller companies, or governments, segregation of duties may be weak or nonexistent. In these cases, the auditor, with appropriate professional skepticism, should consider fraud risk to be high and design effective substantive tests to provide reasonable assurance of detecting material fraud.

Audit Data Analytics as a Risk Assessment Procedure Audit data analytics might be effective at finding fraud in the purchasing process. Sometimes people who commit fraud know the different thresholds for their approval of an invoice for payment. For example, a supervisor’s approval may be required for any invoice of $5,000 or more. To identify a population of possible fraudulent invoices, the auditor might identify a group of invoices that are 4% less than the approval amount. This would flag invoices between $4,800 and $4,999 for further investigation, particularly if many are from the same vendor. This would be a clue to determine if the vendor was a fictitious vendor or if the vendor might be giving the purchasing agent a kickback.

Audit Reasoning Example Audit Data Analytics in the Purchasing Process

Cecily has just returned from a staff training session on audit data analytics. She is auditing a mining company with a high volume of purchases, and she is concerned about the risk of her client paying a fictitious vendor. She asks herself, “How would I determine if an employee is submitting invoices from a fictitious vendor to pay himself or herself extra money?” Eventually, Cecily thinks about merging two key files: the client’s vendor master file and the client’s employee master file. Each file has fields for addresses, tax ID numbers, phone numbers, and bank routing numbers. She thinks to herself, “If I use audit data analytics to compare the two files, I should find no matches. However, if I find a match of any one of these fields in both databases, further investigation is clearly warranted.” For example, Cecily would not expect to find the same tax ID number or bank routing number for a vendor and an employee.

kickback  the entity pays inflated prices to the vendor, and the employee receives a payment for facilitating the inflated transactions with vendor bid rigging  an employee assists a vendor in winning a competitive bid for a contract; employee is compensated, usually in the form of a cash payment

12-28  C h a pte r 12  Auditing the Purchasing and Payroll Processes

The Risk of Material Misstatement and Audit Strategy Once the auditor has tested internal controls, the auditor will determine whether the auditor’s expectations regarding the effectiveness of internal controls are confirmed. Tests of controls are performed when the auditor expects that internal controls are effective. If the auditor’s expectations regarding effective controls are not confirmed, the auditor will need to evaluate the significance of the deficiencies noted and determine if the client has a compensating control in place that the auditor might rely on. If no compensating controls exist, the auditor will need to revise the audit strategy, determine if fraud risk is increased as a result of the internal control deficiency, and determine how to revise planned substantive tests for the purchase process. The auditor may need to change the timing of planned substantive tests related to an assertion from interim testing to testing year-end balances. The auditor may also need to consider increasing sample sizes when sampling is involved. If internal controls related to an assertion are found to be ineffective, the auditor will need to communicate significant deficiencies or material weaknesses to management and to those charged with governance of the entity.

Cloud 9 - Continuing Case Josh and Suzie are pleased with the results of tests of controls related to the purchasing process. They found strong controls over the master vendor file, and vouchers are prepared based only on original invoices. Cloud 9 is very careful about entering the right invoice number, including any leading zeros, so an invoice is not paid twice. Further, individuals who are responsible for following

up on exceptions understood the types of exceptions they were following up on, and exceptions tended to be rare. Finally, under David Collier’s direction, Cloud 9 developed clear procedures for accruing payables for goods received in the warehouse for which vendor invoices had not yet arrived.

Before You Go On 8.1 If the auditor has identified an IT application control related to the completeness of purchases, and IT general controls have already been determined to be effective, suggest how the auditor might test the effectiveness of such IT application and the related manual follow-up. 8.2 Explain the fraud associated with a phantom vendor. What controls might prevent this from happening? 8.3 Assume an auditor is auditing a small city or county with poor segregation of duties in the purchasing process. What are the most significant risks in this case? What are the implications for developing an audit strategy in the purchasing process?

Substantive Procedures for the Purchasing Process Lea rning O bjecti ve 9 Assess detection risk and design substantive tests, including audit data analytics, to address various assertions in the purchasing process. At this stage, the auditor has evaluated inherent risks, evaluated and tested the system of internal control in the purchasing process, and developed an audit strategy. What remains is

  Substantive Procedures for the Purchasing Process  12-29

performing substantive tests. The following discussion focuses on identifying the appropriate substantive tests for relevant assertions in the purchasing process. Illustration 12.10 presents a suggested audit program for substantive tests of purchasing process assertions, including initial procedures, substantive analytical procedures, and tests of details. A discussion of each of these steps follows the illustration. The audit procedures in Illustration 12.10 are most likely to be associated with manufacturing companies, wholesalers, or retailers.

ILLUSTRATION 12.10   Substantive tests in the purchasing process

Category

Substantive Test

Relevant Assertion

Initial procedures

1.  Obtain an understanding of the business and industry to determine:

All

a.  The significance of purchases and accounts payable to the entity. b.  Key economic drivers that influence the entity’s purchases, margins, and cash disbursements. c.  Standard trade terms in the industry, including seasonal dating, payment period, etc. d.  The extent of concentration of activity with vendors. 2.  Perform initial procedures on accounts payable and records that will be subjected to further testing. a.  Trace beginning balance for accounts payable to prior year’s working papers. b. Scan activity in the general ledger account for accounts payable and investigate entries that appear unusual in amount or source. c. Obtain the accounts payable subsidiary ledger and determine that it accurately represents the underlying accounting records by footing the subsidiary ledgers and comparing the total to the general ledger balance.

Analytical procedures

3.  Perform analytical procedures:

Valuation and allocation, Rights and obligations Valuation and allocation All

a. Develop an expectation for accounts payable using knowledge of the entity’s business activity, market share, normal trade terms, and its history of accounts payable turnover in days. b.  Calculate ratios: i. Compare purchases activity to the entity’s sales. ii.  Compare purchases growth and payable growth. iii.  Accounts payable turnover in days. c. Analyze ratio results relative to expectations based on prior years, industry data, budgeted amounts, or other data.

Tests of details of transactions

Occurrence, a. Vouch recorded purchase transactions to supporting vendor’s invoices, receiving documents, and Accuracy, Cutoff, purchase orders. Classification b. Vouch disbursement transactions to underlying vouchers and supporting documents.

4.  Vouch a sample of recorded purchasing process transactions to supporting documentation.

c. Vouch purchase returns to supporting shipping documents and subsequent recognition of return by the vendor. 5. Trace a sample of purchase transactions from goods received to their recording in the purchases journal. Also trace a sample of cash disbursements and purchase returns to their recording in the accounting records.

Completeness

6.  Perform cutoff tests for purchases and purchase returns.

Cutoff

a. Select a sample of goods received in the warehouse for several days before and after year-end and examine supporting vouchers to determine that purchases were recorded in the proper period. b. Select a sample of purchase returns from the shipping dock for several days before and after year-end to determine that debits to accounts payable were recorded in the proper period. 7. Perform cash disbursements cutoff tests by observing that all cash disbursed through the close of business on the last day of the fiscal year is included in the cash disbursements journal.

Cutoff

8.  Perform a search for unrecorded liabilities. a. Examine subsequent payments between balance sheet date and end of fieldwork, and when related documentation indicates payment was for an obligation in existence at balance sheet date; trace to accounts payable listing. (continued)

12-30  C h a pte r 12  Auditing the Purchasing and Payroll Processes ILLUSTRATION 12.10   (continued)

Category

Relevant Assertion

Substantive Test b. Examine documentation for payables recorded at year-end that are still unpaid at end of fieldwork. c. Inspect unmatched purchase orders, receiving reports, and vendor invoices at year-end. d. Inquire of accounting and purchasing personnel about unrecorded payables. e. Review capital budgets, work orders, and construction contracts for evidence of unrecorded payables.

Tests of details of balances

9.  Evaluate the effectiveness of confirming accounts payable. a. Identify major vendors by reviewing the voucher register or accounts payable subsidiary ledger or master file and send confirmation requests to vendors with large balances, unusual activity, small or zero balances, and debit balances.

Existence, Valuation and allocation, Completeness

b. Investigate and reconcile differences. 10.  Reconcile unconfirmed payables to monthly statements received by client from vendors. 11.  Compare statement presentation with GAAP. Tests of details of a. Determine that payables are properly identified and classified as to type and expected period of presentation payment. and disclosure b. Determine whether debit balances in accounts payable are significant in the aggregate and should be reclassified as accounts receivable.

Classification and understandability Classification and understandability

c. Determine the appropriateness of disclosures pertaining to related party payables.

Classification and understandability

d. Inquire of management about potential undisclosed commitments or contingent liabilities.

Completeness

e. Evaluate the completeness of presentation and disclosures for payables in drafts of financial statements to determine conformity to GAAP by reference to disclosure checklist.

Completeness

f. Read disclosures and independently evaluate their understandability.

Classification and understandability

Initial Procedures The starting point for every audit test is obtaining an understanding of the business and industry. Understanding the significance of the purchasing process to the entity provides a context for important risk assessments. Understanding the company’s economic drivers, standard trade terms, and the extent of concentration of business with certain suppliers provides the context for evaluating the results of analytical procedures, tests of controls, and substantive tests. Procedures performed to obtain this understanding were discussed earlier in this chapter. Another initial procedure for substantive tests of accounts payable is tracing the beginning balance to the prior year’s working papers, using generalized audit software to scan the general ledger account for any unusual entries, and developing a list of amounts owed at the balance sheet date. Ordinarily, the client provides a listing of the unpaid voucher file or the accounts payable subsidiary ledger in electronic form. The auditor can also use generalized audit software to determine the mathematical accuracy of the listing by refooting the total and by verifying that it agrees with the general ledger account balance.

Substantive Analytical Procedures Recall that analytical procedures are not required to be used as a substantive procedure. Illustration 12.4 provided examples of analytical procedures that are commonly used in the purchasing process. If analytical procedures are used as a substantive procedure during risk response, the auditors are using data through the client’s third quarter or even the entire year of data if the procedures are performed after year-end. Therefore, when used as a substantive procedure, the auditor typically has more data to analyze and can develop more precise expectations of the accounts payable balance and the relationship between accounts payable and other key accounts such as

  Substantive Procedures for the Purchasing Process  12-31

purchases or inventory. For example, an abnormal decrease in the accounts payable turnover in days or unexpected increase in the current ratio may provide indicators of understated liabilities.

Audit Data Analytics as a Substantive Test The right ADA procedure may be a very effective substantive test of details. If a client has strong internal controls regarding the three-way match of purchase documents (purchase order, receiving report, and vendor invoice), then the auditor can focus on searching for transactions that may be more unusual or outside of the norm. For example, the client may issue company credit cards to certain employees, either to make purchases or for work-related travel. Banks and credit card companies use a common coding system, called merchant category codes (MCC), to determine the type of business from which goods or services have been purchased with the credit card. There are codes for specific airlines, hotels, electronics, household appliances, electrician services, and hundreds more. The auditor could use ADA to organize all credit card purchases by MCC code. For codes that are unusual for the client, such as MCC 8351 for child care services, the auditor would investigate further by inspecting supporting documentation and proper authorization for the transaction.

Tests of Details of Transactions Five major substantive tests of details of accounts payable transactions are shown in Illustration 12.10 and discussed next. Recall that in performing these tests, the auditor is primarily concerned with detecting understatements of recorded payables as well as unrecorded payables. The extent to which each test is performed varies based on the acceptable levels of detection risk specified for the related assertions.

Vouch Recorded Payables to Supporting Documentation In this test of the occurrence assertion, credit entries to accounts payable are vouched back to supporting documentation such as vendor invoices, receiving reports, and purchase orders. Debits to accounts payable are vouched to documentation of cash disbursement transactions, such as paid checks, or memoranda from vendors pertaining to purchase returns and allowances. Some vouching may be performed during interim work as a dual-purpose test with tests of controls over purchasing. The extent of vouching is directly related to the auditor’s conclusions about inherent risk and control risk. This test primarily provides evidence for the specific audit objectives related to four of the five assertions, excluding completeness. Vouching is not applicable to the completeness assertion as vouching starts with a recorded transaction.

Perform Cutoff Tests The purchase cutoff test involves determining that purchase transactions occurring near the balance sheet date are recorded in the proper period. This may be done by tracing dated receiving reports to voucher register entries and vouching recorded entries to supporting documentation. The test usually covers a period of five to ten business days before and after the balance sheet date. Evidence from the procedure pertains to the existence or the occurrence and completeness assertions for accounts payable transactions. In examining documentation as part of this procedure, special consideration must be given to goods in transit at the balance sheet date. Goods shipped FOB (free on board) shipping point should be included in the inventory and accounts payable of the purchasing entity. In contrast, goods in transit shipped FOB destination should remain in the inventory of the seller and be excluded from the purchaser’s inventory and accounts payable until arrival at the purchasing entity’s receiving department. In performing this procedure, the auditor should determine that a proper cutoff is achieved in the taking of the physical inventory, as explained further in Chapter 13, as well as in the recording of the purchase transactions. A proper cutoff of cash disbursement transactions at the end of the year is essential for the correct presentation of cash and accounts payable at balance sheet date. Evidence for the cash disbursement cutoff test may be obtained by personal observation and review of internal documentation. If the auditor can be present at the balance sheet date, he or she can personally

12-32  C h a pte r 12  Auditing the Purchasing and Payroll Processes

determine the last check written by the client. Subsequent tracing of this evidence to the accounting records will verify the accuracy of the cutoff. Alternatively, the auditor can trace “paid” checks dated within a period of several days before and after the balance sheet date to the dates the checks were recorded. Evidence from this test also pertains to the existence or occurrence and completeness assertions for accounts payable. Purchase return cutoff tests are similar to other cutoff tests. First, the auditor should start with the shipping records for a period of five to ten days before and after year-end to ensure that purchase returns are accurately recorded in the accounting records. Then, the auditor should go from the accounting records back to evidence in shipping records to verify the accuracy of the last purchase returns recorded by the entity.

Perform Search for Unrecorded Liabilities search for unrecorded liabilities  procedures designed specifically to detect significant unrecorded obligations as of the balance sheet date (or as of an interim date) examining subsequent payments  examining vouchers paid after the balance sheet date (or an interim date) to determine if the payment is for an obligation that existed as of the balance sheet date (or an interim date) and whether the obligation was in fact recorded as of the balance sheet date (or an interim date)

The search for unrecorded liabilities consists of procedures designed specifically to detect significant unrecorded obligations at the balance sheet date (or as of an interim date). Thus, it relates to the completeness assertion for accounts payable. A common procedure involves examining subsequent payments, which consists of examining supporting documentation for checks issued or vouchers paid after the balance sheet date. When the payment is for an obligation existing at the balance sheet date, it is traced to the accounts payable listing to determine whether it was included. This procedure is performed toward the end of fieldwork to enhance the opportunity of obtaining evidence concerning payables that were intentionally or inadvertently excluded from the listing of payables at the balance sheet date. Liabilities rarely go unrecorded for long periods. If vendors are not paid, they will usually follow up to ask when a payment can be expected, which results in the recording of a purchase, usually in the wrong accounting period. Therefore, examining subsequent payments may be an effective search for unrecorded liabilities. The auditor can also search this subsequent period looking for overstatements of subsequent payments and may focus on larger transactions. Documentation supporting payables recorded but remaining unpaid through the end of fieldwork should also be examined on a test basis. This may reveal obligations that existed but were unrecorded as of the balance sheet date. Other procedures may reveal unrecorded payables including (1) investigating unmatched purchase orders, receiving reports, and vendor invoices at year-end, (2) inquiring of accounting and purchasing personnel about unrecorded payables, and (3) reviewing capital budgets, work orders, and construction contracts for evidence for unrecorded payables.

Tests of Details of Balances Two tests included in this category are (1) confirming accounts payable and (2) reconciling unconfirmed payables to monthly statements received by the client from vendors.

Confirmation of Accounts Payable Unlike the confirmation of accounts receivable, there is no presumption made about the confirmation of accounts payable. This procedure is optional because (1) confirmation offers no assurance that unrecorded payables will be discovered, and (2) external evidence in the form of invoices and vendor monthly statements should be available to substantiate the balances. Confirmation of accounts payable is recommended when the detection risk is low, there are individual creditors with relatively large balances, or a company is experiencing difficulties in meeting its obligations. As in the case of confirming accounts receivable, the auditor must control the preparation and mailing of each request and should receive the responses directly from the respondent. When auditors choose to send confirmations of accounts payable, accounts with zero or small balances should be among those selected for confirmation because they may be more understated than accounts with large balances. In addition, confirmations should be sent to major vendors who (1) were used in the prior year but not in the current year and (2) do not send monthly statements. The positive form should be used in making the confirmation request. Usually, a positive confirmation does not specify the amount due. In confirming a

  Substantive Procedures for the Purchasing Process  12-33

payable, the auditor prefers to have the creditor indicate the amount due because that is the amount to be reconciled to the client’s records. The confirmation may also request information regarding purchase commitments of the client. This test produces evidence for all accounts payable assertions. However, evidence provided for the completeness assertion is limited because of the possible failure to identify and send confirmation requests to vendors with whom the client has unrecorded obligations.

Reconcile Unconfirmed Payables to Vendor Statements In many cases, vendors provide monthly statements that are available in client files. The auditor can reconcile the vendor statements to the client’s listing of payables. The evidence from this procedure applies to the same assertions as confirmations but is less reliable because the vendors’ statements were sent to the client rather than directly to the auditor. In addition, statements may not be available from certain vendors.

Tests of Details of Presentation and Disclosure Illustration 12.10 describes a number of tests of disclosures for the purchasing process. The auditor must be knowledgeable about the statement presentation and disclosure requirements for accounts payable and purchases under GAAP. Accounts payable should be properly identified and classified as a current liability. If the accounts payable balance includes material advance payments to some vendors for future delivery of goods and services, such amounts should be reclassified as advances to suppliers and included as assets. In addition, disclosures may be required for related party payables, purchase commitments, and contingent liabilities. Management’s presentation and disclosures must be compared with these GAAP requirements. Evidence relevant to these matters can be obtained by inquiring of management and reviewing minutes of board of directors’ meetings. Evidence is also obtained through the audit procedures performed to test other assertions. Management’s representations on these matters should be obtained in writing in a management representation letter as one of the final steps in the audit, as will be explained in Chapter 14.

Cloud 9 - Continuing Case As Josh and Suzie finalize their plans for substantive tests in the purchasing process, they recognize that a significant number of tests of transactions were accomplished with dual-purpose tests for testing controls. With cutoff controls being performed monthly, they decided to test cutoff at interim with a dual-purpose test, plus retesting Cloud 9’s internal control and simultaneously performing substantive cutoff procedures at year-end. Josh did not feel that

confirmations of payables was an effective procedure. Josh felt the audit team could perform a search for unrecorded liabilities at year-end, rather than performing the procedure at an interim date and performing roll forward tests. Josh felt that performing the search for unrecorded liabilities at year-end would not be overly time-consuming, and it would be good to have evidence as of the balance sheet date.

Before You Go On 9.1 Which assertion is of primary importance to the auditor in auditing accounts payable? Why? 9.2 Your classmate believes the auditor’s responsibility for confirming accounts payable is the same as for accounts receivable. Do you agree with your classmate? Explain. 9.3 Explain the following audit test and the assertion(s) that are evaluated with this audit procedure: Vouch recorded payables to supporting documents. 9.4 Explain the following audit test and the assertion(s) that are evaluated with this audit procedure: Perform a search for unrecorded liabilities. 9.5 Explain the following audit test and the assertion(s) that are evaluated with this audit procedure: Determine that payables are properly identified and classified. 9.6 List several common disclosures required for purchases and accounts payable.

12-34  C h a pte r 12  Auditing the Purchasing and Payroll Processes

Appendix 12A

  Auditing Payroll

Explain the Nature of Payroll Transactions and Balances Lear ning Objective 10* Explain the nature of payroll transactions and balances.

payroll process  transactions and balances related to the payment of salaries, hourly and incentive compensation, commissions, and bonuses

imprest payroll bank account  a bank account that only processes payroll transactions; only the exact amount needed to clear net payroll transactions is transferred into this account, and after payroll disbursements are made the balance in the account is zero

illustration 12A.1  

Payroll transactions

This appendix focuses on auditing payroll transactions and balances and follows the same format as the previous discussions of the revenue and purchasing processes. The presentation in this appendix is abbreviated compared to the chapter discussions, with a focus on understanding the business and industry, inherent risks, expected controls and control risk, and substantive tests in the payroll process. For many businesses, the payroll process includes a significant volume of routine transactions. The payroll process includes transactions and balances related to the payment of salaries, hourly and incentive compensation, commissions, and bonuses. The following discussion does not include additional payroll transactions such as stock options, pension benefits, or other benefits tied to payroll, such as health insurance or paid vacations. In many companies, payroll is recorded when paid, and payroll taxes are accrued at the same time. If the pay period does not coincide with the end of month, end of quarter, or end of fiscal year, accruals should be made for payroll payable. The payroll process interfaces with the expenditure process. Payment of payroll and payroll taxes relates to cash disbursements transactions in the expenditure process. Many companies create an imprest payroll bank account used for payroll disbursements. An imprest payroll bank account means that only payroll transactions go through this bank account and, each pay period, only the exact amount necessary to clear net payroll transactions is transferred into the account. Then the payroll disbursements are made (often by electronic funds transfer) and the book balance in the account is zero. If payroll is paid by check, then the balance in the bank account relates only to outstanding checks. The transactions in the payroll process are depicted in Illustration 12A.1. Payroll expenses might be charged to manufactured inventory via direct or indirect labor accounts, or they might be charged to various accounts associated with selling, general, and administrative expenses. Payroll Transactions

Debit

Credit

Payroll paid

Payroll Expense

Cash Payroll Withholdings   Payable

Payroll taxes accrued

Payroll Tax Expense

Payroll Taxes Payable

Payroll accruals for partial pay periods at the end of the period (two entries)

Payroll Expense

Payroll Payable Payroll Withholdings   Payable

Payroll Tax Expense

Payroll Taxes Payable

Sufficient and appropriate evidence for the payroll process should be obtained for the following assertions outlined in Illustration 12A.2. The rights and obligations for payroll and payroll taxes payable relate to whether the payable reflects the recorded liability of the entity. This may not be a significant assertion, and it is often tested as part of testing the existence or occurrence assertions.

 Appendix 12A: Auditing Payroll  12-35 illustration 12A.2   Key payroll process assertions

Relevant Transaction Classes Payroll expense Payroll tax expense

Relevant Account Balances Payroll payable Payroll taxes payable Payroll withholdings payable

Assertions Occurrence Completeness Accuracy Cutoff Classification

Relevant Disclosures Payroll disclosures

Assertions Existence Rights and obligations Completeness Valuation and allocation at historical cost

Assertions Occurrence and rights and obligations Completeness Classification and understandability Accuracy and valuation

Before You Go On 10.1  E  xplain what should be accrued at month-end if payroll is paid in cash and payroll pay periods do not coincide with month-end. 10.2 Explain what an imprest payroll bank account is and how it works.

Understanding the Entity and Its Environment Lea rning Objecti ve 11* Evaluate how an auditor’s understanding of an entity and its environment affects audit planning decisions in the payroll process.

Understanding the Client’s Payroll Process Detailed statistics on labor costs by industry are not readily available, except for specific trade associations. However, some organizations, such as a college or university, are labor-intensive. The audit of the payroll process may be significant for a university; 70–75% of the annual budget might be expended for personnel services and benefits. The hotel industry is a service industry that also depends on effective utilization of personnel. Today, the majority of employment in the U.S. economy is in the service sector. Personnel services may vary in importance to various manufacturers, wholesalers, and retailers. Some industries may vary widely on the labor-intensiveness of the manufacturing process. Before proceeding with the audit of the payroll process, it is important for the auditor to understand: •  The importance of human resources to the overall entity (i.e., is the entity labor-intensive or capital-intensive?). •  The nature of compensation, as hourly compensation requires a different control system than salaried compensation. •  The importance of various compensation packages, such as bonuses or other compensation arrangements. If an entity’s compensation is primarily salary-based and demonstrates a predictable relationship to the delivery of services, the auditor may emphasize analytical procedures in the

12-36  C h a pte r 12  Auditing the Purchasing and Payroll Processes

development of audit strategy. If compensation expenses are based on hourly pay and show a high degree of variability throughout the period, the auditor may emphasize testing controls.

Analytical Procedures The auditor usually will perform analytical procedures as part of risk assessment procedures because they are cost-effective. Examples of analytical procedures the auditor might use for the payroll process are presented in Illustration 12A.3. Analytical procedures may be useful in identifying potential fraud, such as when gross payroll per employee exceeds the auditor’s expectations. This type of procedure is most effective when the auditor uses generalized audit software to sort employees by category and then evaluates the average pay by category of employees. For example, if the auditor were performing this test for a professional baseball team, professional ballplayers should be segregated from front-office personnel, who in turn should be segregated from employees who sell hot dogs at the ball games. If every class of employee is lumped together, the analytical procedure becomes ineffective. illustration 12A.3   Analytical procedures commonly used to audit the payroll process

Ratio Average payroll cost per employee classification

Revenue per employee

Formula

Total payroll costs for employee group Reasonableness test of gross payroll for a group of employees. Many companies have more than one class of employee, and it Number of employees in group is important to evaluate the reasonableness of payroll based on employee class. Total revenue Number of full-time employees

Total payroll costs as a percent of revenues

Total payroll expenses

Payroll tax expense as a percent of gross payroll

Total payroll tax expenses

Compare payroll expenses (salaries and wages, commissions, bonuses) with prior-year balances or budgets

Current-year payroll expenses

Compare current-year payroll liability with prior-year payroll liability Employee benefits expenses as a percent of gross payroll

Audit Significance

Total revenues Gross payroll Prior-year payroll expenses Current-year payroll tax liability Prior-year payroll tax liability adjusted for growth in payroll volume Total benefits expenses Gross payroll

This may be a measure of productivity per employee. This is particularly important in services industries and would be compared with industry statistics. Reasonableness test of payroll costs. This is often compared with industry statistics. Reasonableness test of payroll taxes. This can often be compared with standard tax rates. Reasonableness test for payroll expenses if the ratio is significantly different from 1.0. Reasonableness test for payroll liability if the ratio is significantly different from 1.0. Reasonableness test of benefits expenses. This is often compared with industry statistics.

In some cases, the auditor may be able to develop accurate expectations regarding an organization’s payroll. In a university, for example, the auditor can develop accurate estimates of the number of full-time faculty and gross pay for those faculty in a school or college given the number of full-time-equivalent students. As the auditor develops more reliable expectations, he or she may place more assurance on that evidence than if expectations are rather broad and general. The use of generalized audit software may allow for the development of more accurate expectations when auditing the payroll process.

Other Considerations Regarding the Entity and Its Environment Recall from Chapter 4 (see Illustration 4.1) that an auditor should understand numerous issues about the entity and its environment. Illustration 12A.4 summarizes important

 Appendix 12A: Auditing Payroll  12-37

aspects of the payroll process that an auditor should understand. The illustration provides examples of the settings in which these factors might lead to either a higher assessment of inherent risk or a lower assessment of inherent risk. As stated before, each audit should be viewed independently from previous audits when an auditor updates his or her understanding of the entity and its environment, as entity traits and characteristics may change over time.

illustration 12A.4   Understanding the entity and its environment in the payroll process

Higher Inherent Risk Most entities must comply with state or local minimum wage laws, the U.S. Fair Labor Standards Act, and the Family Medical Leave Act. Additional legal requirements regarding payroll taxes often apply. The client does not effectively monitor payroll costs. These are usually not a significant issue as material compensation transactions with related parties are excluded from required disclosures. Corporate governance provides little or no independent oversight of management. Employees are paid weekly, or every other week, and pay periods do not align well with month-end.

Key Factors Regarding the Entity and Its Environment Compliance with laws and regulations

Client performance measurement

Lower Inherent Risk It is rare that legal requirements are not found in the payroll process.

The client carefully monitors payroll costs compared to underlying business activity.

Related party transactions

Typical disclosure requirements for material related party transactions exclude compensation arrangements.

Corporate governance

Corporate governance provides strong oversight of management.

Month-end, quarter-end, and year-end closing procedures

Employees are paid monthly, and significant cutoff issues do not exist.

Before You Go On 11.1 Explain how auditing the payroll process might be different for a manufacturer in a capitalintensive manufacturing business than for a college or university. 11.2 Explain how the timing of pay periods not aligning with month-end influences inherent risk.

Inherent Risks Related to Payroll LEA RNING OBJECTI VE 12* Determine inherent risk for various assertions in the payroll process. The auditor is rarely concerned about the completeness assertion in the payroll process as most employees quickly follow up with their employers if they are not paid. However, payroll fraud (occurrence of payroll expense) is a major concern for the auditor. Fraud may occur at two levels. First, employees involved in preparing and paying the payroll may process data for fictitious employees and then divert the payroll payments to their own use. When there is frequent turnover of personnel in a company, there is the risk that a terminated employee might be continued on the payroll. Second, there is a risk that management may overtly misclassify or “pad” labor costs in government contract work to defraud the agency.

12-38  C h a pte r 12  Auditing the Purchasing and Payroll Processes

Pay periods may be weekly, bimonthly, or monthly. If pay periods do not align well with month-end, quarter-end, or year-end, then the risk of cutoff problems associated with accruing unpaid payroll increases. If factory workers are paid based on time and/or productivity, or if payroll computations are subject to complex rules, inherent risk for accuracy may be high.

Before You Go On 12.1 Why are auditors less concerned about the understatement of payroll liabilities and expenses? 12.2 Explain two significant inherent risks in the payroll process.

Control Activities for Payroll LEA RNING OBJECTI VE 13* Evaluate control activities for payroll transactions. The following discussion continues to focus on transaction-level controls. It is assumed the auditor has already obtained an understanding of entity-level controls, and management has emphasized an awareness about the risks associated with paying fictitious payroll, or about ensuring that period-end cutoff is accurate. Further, a strong tone at the top discourages efforts to misclassify or “pad” labor costs in contract arrangements. Many of the controls discussed below focus on IT application controls implemented by a company. The following discussion assumes IT general controls are strong, and the auditor will need to understand and eventually test the effectiveness of manual follow-up of exceptions noted by IT application controls.

Example Transaction Flows—Payroll The transaction flow in a typical payroll process focuses on authorizing payroll, employee working hours, and paying payroll. At month-end, a company must consider whether unpaid payroll needs to be accrued by way of an adjusting journal entry. Common documents and files that are found in the payroll process include: Source Documents and Related Electronic Files •  Payroll authorization—Written request to put a new employee on the payroll. •  Approved payroll master file—Electronic file containing pertinent information on employees that have been approved for payroll payments. •  Time card—Written or electronic record of hours worked. Recording Document •  Payroll disbursement, EFT, or paycheck—An internal document indicating the employee, gross payroll, payroll deductions, and net payroll paid. •  Payroll journal—The journal of original entry where each payroll paid is recorded. •  Payroll tax returns—Tax returns based on gross payroll, reporting taxes due to state and local governments. Important Databases or Other Documents •  Payroll process database—Electronic files that accumulate data on payroll expenses, payroll liabilities, and related cash disbursements.

 Appendix 12A: Auditing Payroll  12-39

An example of how these documents commonly flow is illustrated in Illustration 12A.5, which is followed by a brief discussion of how payroll transactions are processed in many companies.

illustration 12A.5   Example flow of transactions for payroll

Authorization

Process

Documents

Personnel authorization

Files and Databases Payroll master file

Update personnel master file

Master file change report

Hours are worked

Time card

Pay payroll

Paycheck

Hours Worked

Payroll and G/L database

Payroll and G/L database

Recording

Payroll and G/L database Record in payroll journal

Payroll tax returns

Post to general ledger

Month-end journal entry

In the flowchart, observe that responsibility for (1) authorizing payroll, (2) recording hours worked, and (3) paying and recording payroll should be segregated. This segregation of duties contributes significantly to reducing the risk of payments to fictitious employees or excessive payments to actual employees due to inflated rates or hours.

Initiating Payroll Transactions Hiring employees. The hiring of employees is usually done in the human resources (HR) personnel department. All hiring should be documented on an HR authorization form. The form should indicate the job classification, starting wage rate, and authorized payroll deductions. In the system shown in Illustration 12A.5, authorized individuals in the personnel ­department gain access to the personnel data master file by entering a password before entering data on new hires. A ­regular IT-generated log of all changes to the master file should be printed and independently checked by a HR manager not involved in entering the data into the system. Usually, a copy of the personnel authorization form is placed in the employee’s personnel file in the HR department. Controls over adding new hires to the HR data master file reduce the risk of payroll payments to fictitious employees. Thus, they relate to the occurrence assertion for payroll transactions. Authorizing payroll changes. The request for a change in job classification or a wage rate increase may be initiated by the employee’s supervisor. However, all changes should be authorized in writing by the HR department before being entered in the personnel data master file. Other controls over entering the changes in the software application and distributing

12-40  C h a pte r 12  Auditing the Purchasing and Payroll Processes

the change forms are the same as discussed above for new hires. These controls over payroll changes help to ensure the accuracy of the payroll. The HR department should also issue a termination notice on completion of an individual’s employment. Prompt updating of the personnel data master file is vital in preventing terminated employees from continuing on the payroll. Thus, this control relates to the occurrence assertion.

Receive Services from Employees In many companies, a timekeeping department is responsible for this function. Time clocks are frequently used to record time worked by an employee when a clock card or employee card (electronic fob) or code is inserted into the clock. To prevent one employee from “punching in” for another employee, security or supervisory personnel should supervise the clock card procedures. Management should also review and approve hours worked before they are paid. For factory employees, clock hours are usually supported by time tickets showing the type of work done (direct or indirect labor) and the jobs to which direct labor hours are to be charged. Increasingly, these records are kept in electronic form. By ensuring accurate data are accumulated on time worked, controls over the timekeeping function relate to the occurrence, completeness, and accuracy assertions for payroll transactions. Supervisory approval often is used to validate the payment of salaried employees, and it may also facilitate proper classification of payroll.

Recording and Paying Payroll Preparing the payroll. Information from electronic time cards should be forwarded to the supervisor for review and electronic approval. The file is then electronically forwarded to payroll for processing. Before processing payroll, the payroll program will check the employee number and pay rates against the master payroll information. The program may also place a limit test on hours worked or gross payroll expenses. The output of the payroll program should consist of valid payroll transactions and an exceptions and control report that is sent to data control. Data control compares the control totals and batch totals, informs the payroll department of exceptions discovered by the edit routine, and follows up to confirm that corrected data is processed. These controls over the payroll processing relate to the occurrence, completeness, accuracy, and classification assertions. The data associated with valid payroll transactions and the employee master file are used to calculate payroll and prepare the payroll register and payroll disbursements. Recording the payroll. As the gross pay, deductions and net pay are calculated for each employee, the payroll program updates the payroll master file for year-to-date payroll transactions and accumulates totals for entries in the payroll journal. Another important control over paying the payroll in most large companies is the use of an imprest payroll bank account on which all payroll checks are drawn. Filing payroll tax returns. Payroll tax returns must be filed for amounts withheld from employees for federal income taxes and Social Security, and for the Social Security and federal and state taxes levied on the employer. Returns must be filed on a timely basis to avoid penalties and interest payments, and possibly even criminal charges. Responsibility should be clearly assigned for performing this function according to a schedule that conforms to federal and state filing and payment deadlines.

Identify What Can Go Wrong (WCGW) and Identify Key Controls—Payroll At this point, we have established an audit process whereby, once the auditor understands the flow of transactions, the auditor should evaluate what can go wrong, identify potential controls that management has placed in operation, and then identify key controls the auditor wants to test. Illustration 12A.6 summarizes the flow of transactions through the payroll process, key documents and files, what can go wrong, and example controls for payroll. As you review Illustration 12A.6, try to associate particular controls with the assertions they are controlling. Also, think about what these controls have in common with controls you have studied in the revenue and purchasing processes.

 Appendix 12A: Auditing Payroll  12-41 illustration 12A.6   Payroll transactions—WCGW and example controls

Transaction

Documents and Files

Risks (WCGW)

Example Control

Authorizing payroll

Payroll master file

Payroll may be paid to fictitious employees.

Only a limited number of individuals can change the payroll master file, and this duty should be segregated from recording payroll transactions. All file changes are reviewed by appropriate levels of management. The personnel master file is also reviewed to remove employees no longer working for the organization.

Hours are worked

Electronic time cards

Employees may be paid for hours not worked.

Supervisory review of hours worked for hourly and salaried employees.

Recording payroll

Payroll database

Payroll may not be recorded.

The software application prints a report of all hours that have not been paid. A month-end accrual is made for payroll worked between the last pay period and period end. Employees will complain if they work and are not paid.

Payroll database

Payroll may be paid to fictitious employees.

Each payroll is matched with the payroll master file. The software application matches payroll disbursement to hours worked.

Payroll database

Payroll may be recorded in the incorrect amount (incorrect hours or wage rates).

The software application matches hours with the time card information and wage rate with the master payroll file.

Payroll database

Payroll may be recorded in the incorrect accounting period.

At month-end, the software application generates a report of hours worked but not paid. This report is the basis of end-ofperiod journal entries reviewed and approved, and reversed in the subsequent period.

Payroll database

Vouchers may be posted to incorrect accounts.

The software application checks wage classification against the master payroll file. Wage classification is also reviewed and approved by a supervisor when approving hours worked.

Payroll database

Payroll may be paid to the wrong employee.

The software application matches employee number on the time card with employee number on the master payroll file. Employees will complain if they work and are not paid.

As noted in other transaction classes, when choosing controls for control testing, the auditor will find a key control (the most important control) for each assertion. Following are ­example ­controls that auditors often look for when identifying key controls. The examples rely sig­ nificantly on IT application controls to flag potential misstatements. In this case, the auditor must understand both the IT control and how client personnel follow up on exceptions on a timely basis. Completeness of payroll. The software application starts with a population of hours worked and develops a one-for-one match with hours paid. A report is generated for hours worked that does not result in a payroll disbursement. At the end of the month, a report is prepared of hours worked that need to be accrued. This report is compared to any adjusting journal entry to accrue payroll expenses. Occurrence of payroll. The software application starts with the population of payroll disbursements and develops a one-for-one match with underlying approved hours worked. A report is generated each pay period of any payroll that is not supported by hours worked. The employee number is also compared with the approved master payroll file. A report is generated of any transactions that are not supported by underlying documents or files. Accuracy of payroll. The software application starts with the population of payroll disbursements and compares hours worked with underlying time approved, and compares wage rates with the master payroll file. A report is generated of any transactions that are not supported by underlying documents or files. Payroll cutoff. At month-end, the software application generates a report of hours worked but not paid. This report is the basis of end-of-period journal entries that are reviewed and independently approved.

12-42  C h a pte r 12  Auditing the Purchasing and Payroll Processes

Classification of expenses and payroll. The software application checks wage classification against master payroll file. Wage classification is also reviewed and approved by a supervisor when approving hours worked. A report is generated each pay period of any payroll showing incorrect account coding. Completeness of payroll payables, existence of payroll payable, and valuation of payables at historic cost. At month-end, the software application generates a report of hours worked but not paid. This report is the basis of an end-of-period journal entry that is reviewed and independently approved.

Audit Reasoning Example Understanding Manual Follow-Up Procedures

Shelly is auditing a large construction company and is doing a system walkthrough. Shelly talked to Frank, a client employee responsible for following up on exceptions flagged by the IT system. Shelly wanted to know if Frank had seen any exceptions where the system identified employees who had not worked during the current time period. Frank responded, “It is very rare, and I only remember one instance. About two months ago, the payroll system flagged over 25 employees for further investigation. It turned out that we had settled a union contract and employees were given a retroactive pay raise. At that time, we had about 25–30 employees who did not work during the current pay period but had previously worked and earned pay for the retroactive pay raise.” Shelly was impressed that Frank understood what the IT system was looking for, and it appeared that the internal control was placed in operation. Shelly documented the conversation and made a point to test some of Frank’s follow-up on the exceptions to make sure the entire control system was working effectively.

Before You Go On 13.1 How are financial statements misstated if there is a material misstatement in the occurrence assertion regarding payroll? Describe a key control to detect and correct this problem. 13.2 How are financial statements misstated if there is a material misstatement in the accuracy assertion regarding payroll? Describe a key control to detect and correct this problem. 13.3 How are financial statements misstated if there is a material misstatement in the classification of payroll? Describe a key control to detect and correct this problem.

Tests of Controls in the Payroll Process and Audit Strategy LEA RNING OBJECTI VE 14* Determine how to design and perform tests of controls in the payroll process and connect the results of control testing to audit strategy. The following discussion identifies potential tests of controls to be used to test a client’s controls in the payroll process. Once the auditor has evaluated the quality of the system of internal control, the audit team is in a good position to evaluate the opportunity for fraud risk. The fraud risk assessment should be approached with professional skepticism. Finally, this section focuses on the links between risk of material misstatement and subsequent strategy for substantive testing.

 Appendix 12A: Auditing Payroll  12-43

Tests of Controls for Payroll Most auditors plan to test controls in the payroll process because of the high volume of routine transactions. Public company auditors test controls to support an opinion on internal control. Auditors of private companies may decide to test controls that appear to be effective because of the audit efficiencies that exist when the client has effective controls in place, particularly for a payroll-intensive entity like a university, a hotel, or another entity in the service industry. If the client relies on IT controls and the auditor plans to assess control risk as low for payroll assertions, the auditor will usually: •  Test the effectiveness of general controls. •  Use generalized audit software to evaluate the effectiveness of IT application controls. •  Test the effectiveness of manual procedures to follow-up on exceptions identified by IT application controls. As discussed in previous chapters, the auditor will usually test the effectiveness of IT general controls as part of testing entity-level controls. For example, when testing the control environment, the auditor might pay particular attention to making inquiries and collecting supporting evidence regarding employee awareness of IT security issues. If the auditor is testing issues regarding controls over program changes, the auditor might determine how program access is controlled and monitored, look at logs of program access or incident reports, and talk to users about their involvement in program changes affecting their responsibilities. The auditor will want to pay attention to segregation of duties regarding access to programs and access to data, the effectiveness of password controls, and the follow-up of any incident reports regarding unauthorized access. Many of these tests are performed by an IT audit specialist. Auditors often use test data to test IT application controls and determine whether expected results appear on exception reports. For example, in the payroll process the auditor might submit: •  A missing or invalid employee number. •  Inaccurate hours worked compared to hours processed to be paid. •  Inaccurate wage rates compared to the master payroll file. •  Inaccurate account classifications compared to the master payroll file. The auditor may also want to test important manual controls, such as supervisor approval of time and account classifications, by reperforming these controls. Finally, the auditor will need to test the appropriateness of manual follow-up of exceptions noted by the software ­application. If exception reports are printed each pay period, the auditor might select a ­sample of exception reports to determine if exceptions are cleared before payroll is paid. The auditor might make inquiries of personnel responsible for clearing exceptions to determine their awareness of the types of misstatements that might appear on exception reports, and their sensitivity to issues that result in the overpayment of payroll or paying fictitious employees. The auditor should also follow through on previously noted exceptions to determine they were cleared appropriately and on a timely basis.

Fraud Risk Assessment After evaluating inherent risk and control risk, the auditor is in a position to evaluate fraud risk. The risk of misappropriation of assets is a significant risk in the payroll process. The risks are (1) paying a fictitious employee or (2) paying for more hours than are actually worked. In entities with poor segregation of duties, weak internal controls, and a significant volume of payroll transactions, this must be considered a significant risk. In certain industries that bill on a cost-plus basis, auditors also need to be alert to the risk of padding payroll in order to increase revenues. Whether addressing the fictitious employee, or addressing padded payroll expenses, the auditor needs to be alert to potential occurrence or accuracy problems.

12-44  C h a pte r 12  Auditing the Purchasing and Payroll Processes

Payroll fraud can be reduced with strong controls over the payroll master files and by ensuring there is strong underlying support for payments to employees. Ultimately, a key aspect of fraud risk relates to the way effective internal controls minimize the opportunity to commit fraud. An auditor’s concerns are heightened when the control environment is weak or control activities are nonexistent. In not-for-profit organizations, smaller companies, or smaller governments, segregation of duties may be weak or nonexistent. In these cases, the auditor with appropriate professional skepticism should consider fraud risk to be high and design effective substantive tests to provide reasonable assurance of detecting material fraud.

Audit Data Analytics Used in Fraud Risk Assessment The use of ADA may be effective in organizations with a single payroll system, such as large universities with multiple departments or campuses, governments of large cities or counties, or state governments. Large public companies may have internal controls to look for the following indicators of payroll fraud, but private companies, not-for-profit organizations, or governments may not have made the same investment in internal controls. The auditor might use ADA to compare payroll payments with the supporting human resource files, looking for the following indicators of possible payroll fraud: •  Multiple employees with the same information in the payroll system such as bank account routing number, Social Security number, or same home address. •  Employees on the payroll register prior to their start date or after their termination date. •  Multiple paychecks issued to an employee within a single pay period. •  Bonuses paid to employees who are not eligible. •  Inappropriate wage levels given the employee’s classification. As with any use of ADA, the auditor’s knowledge of the client helps refine the auditor’s ability to identify potential anomalies, and there may be legitimate business reasons for some anomalies. Nevertheless, the auditor should investigate items flagged for further investigation with appropriate professional skepticism.

The Risk of Material Misstatement and Audit Strategy When an entity has a significant volume of payroll transactions, inherent risk would normally be considered high for the occurrence assertion due to the risk of fictitious employees on the payroll, over-reporting hours, and over-reporting payroll costs on cost-plus contracts. Inherent risk may also be high for the cutoff assertion when there is a significant volume of payroll transactions and pay periods do not line up well with month-end. Inherent risk is moderate for the completeness assertion because employees will complain if they are not paid, minimizing the risk of unrecorded payroll. Inherent risk is also moderate for accuracy when payroll calculations are not complex. The control risk assessment for each assertion will depend on the results of tests of controls for each assertion. If the auditor’s expectations regarding effective controls are not confirmed, the auditor will need to evaluate the significance of the deficiencies noted and determine if the client has a compensating control in place. If no compensating controls exist, the auditor will need to revise the audit strategy, determine if fraud risk is increased as a result of the internal control deficiency, and determine how to revise planned substantive tests for the payroll process. The auditor may need to change the timing of planned substantive tests related to an assertion from interim testing to testing accrued payroll balances at year-end. The auditor may also have to consider increasing sample sizes when sampling is involved. Finally, if the auditor determines material weaknesses or significant

 Appendix 12A: Auditing Payroll  12-45

deficiencies exist in internal controls over payroll, the auditor will need to communicate significant deficiencies or material weaknesses to management and to those charged with governance of the entity.

Before You Go On 14.1 If the auditor has identified an IT application control related to the occurrence of payroll transactions, and IT general controls have already been determined to be effective, suggest how the auditor might test the effectiveness of such IT controls and related manual follow-up. 14.2 Explain the fraud associated with payments to fictitious employees. What controls might prevent this from happening? 14.3 Assume an auditor is auditing a rural fire district with poor segregation of duties in the payroll process. What are the most significant risks in this case? What are the implications for developing an audit strategy in the payroll process?

Substantive Tests for the Payroll Process LEA RNING OBJECTI VE 15* Assess detection risk and design substantive tests, including audit data analytics, to address various assertions related to payroll. Substantive tests of payroll transactions are often performed at an interim date as part of a dual-purpose test. Interim substantive tests of payroll balances may be performed if internal controls are strong, or at year-end if internal controls are weak. Payroll balances normally include accrued liabilities for salaries, wages, commissions, bonuses, employee benefits, payroll taxes, and related expense accounts. Suggested substantive tests of payroll transactions and balances are shown in Illustration 12A.7. Each of the substantive tests is discussed with selected comments about how the procedures can be tailored based on the acceptable level of detection risk to be achieved.

illustration 12A.7   Substantive tests of payroll process

Category Initial procedures

Substantive Test 1.  Obtain an understanding of the business and industry and determine:

Relevant Assertions All

a.  The significance of payroll costs to the business. b.  Key economic drivers for payroll costs. c. The extent to which the client has defined benefit pension plans or uses other incentive compensation plans. 2. Perform initial procedures on payroll balances and records that will be subjected to further testing. a.  Trace beginning accrued payroll balances to prior year’s working papers.

Valuation and allocation

b. Review activity in payroll accounts and investigate entries that appear unusual in amount or source.

Occurrence, Accuracy

c. Verify totals of payroll registers and other subsidiary ledgers for agreement with general ledger balances.

Valuation and allocation (continued)

12-46  C h a pte r 12  Auditing the Purchasing and Payroll Processes ILLUSTRATION 12A.7   (continued)

Analytical procedures

3.  Perform analytical procedures:

All

a.  Review industry experience and trends. b.  Examine analysis of payroll costs. c. Review relationship of payroll costs to recent production and sales activities. Tests of details of transactions

Tests of details of balances

Tests of presentation and disclosure

4. On a test basis, vouch payroll transactions to supporting documentation (e.g., time cards, employee contracts, bonus arrangements, and incentive compensation agreements).

Occurrence, Accuracy, Classification

5. On a test basis, vouch payroll tax transactions to supporting documentation (e.g., underlying gross payroll and calculation of payroll taxes).

Occurrence, Accuracy, Classification

6. Verify officer compensation to board of director authorization.

Occurrence, Accuracy, Classification

7. On a test basis, trace data from time cards and contracts to the payroll register.

Completeness

8. Test payroll cutoff at the end of the month (year) based on time periods worked and payroll accrual if month-end (year-end) and the end of the payroll period do not coincide.

Cutoff

9. Recalculate accrued payroll liabilities at year-end to underlying payroll records.

Completeness, Existence, Valuation and allocation

10. Recalculate accrued payroll tax liabilities and vouch to subsequent cash disbursements.

Completeness, Existence, Valuation and allocation

11.  Determine that accrued payroll payables are the obligations of the entity.

Rights and obligations

12.  Compare statement presentation with GAAP. a. Review presentation and disclosure for payroll costs in drafts of the financial statements and determine conformity with GAAP.

Classification and understandability, Occurrence and rights and obligations

b. Evaluate the completeness of presentation and disclosures for receivables in drafts of financial statements to determine conformity to GAAP by reference to disclosure checklist.

Completeness

c.  Read disclosures and independently evaluate their understandability.

Classification and understandability

Initial Procedures An essential initial procedure involves obtaining an understanding of the entity’s business and industry and expected payroll costs. This allows the auditor to develop a knowledgeable perspective about the entity and set the context for the evaluation of analytical procedures and tests of details. If the client is a manufacturer, it is particularly important to understand the mix of payroll costs versus other manufacturing costs and how this interacts with the production process. It is also important to understand incentive compensation agreements and the degree to which these agreements might influence behavior related to other processes (e.g., compensating executives only on the level of revenues). Finally, the auditor also needs to understand the nature of pension agreements, stock options, and other employee benefit costs. In tracing beginning payroll and payroll tax payable balances to the working papers in prior years, the auditor should make certain that any audit adjustments agreed upon in the prior year did in fact get recorded. In addition, current period entries in the general ledger payroll accounts should be scanned to identify any postings that are unusual in amount or nature and require special investigation. Initial procedures also involve determining that the detailed subsidiary ledgers for payroll liabilities tie in with the general ledger balances.

 Appendix 12A: Auditing Payroll  12-47

Substantive Analytical Procedures Recall that analytical procedures are not required to be used as a substantive procedure. Illustration 12A.3 provided examples of analytical procedures that are commonly used in the payroll process. If analytical procedures are used as a substantive procedure during risk response, the auditors are using data through the client’s third quarter or even the entire year of data if the procedures are performed after year-end. Therefore, when used as a substantive procedure, the auditor typically has more data to analyze and can develop more precise expectations of the accrued payroll account balances and the relationship between payroll costs and hours worked. Auditors should be alert to signals of unrecorded payroll liabilities.

Audit Data Analytics as a Substantive Test The use of ADA as a substantive test depends on the quality of the client’s data. For example, when auditing a university, many employees may be salaried rather than hourly employees. The amount of gross payroll expense and the classification of payroll expense may be easily compared to a master payroll file (assuming strong controls over the master payroll file). The same test may be performed for employees who teach courses on a fixed-term contract. The ability to use ADA to test the payroll for hourly employees depends on how information about hours worked is captured in electronic form. If reliable information about hours worked is captured in electronic form, the auditor can have the software validate hours paid for the entire population of hourly workers. Further, gross payroll and payroll deductions can be validated with information obtained from the master payroll file.

Tests of Details of Transactions These tests involve traditional procedures of vouching and tracing to obtain evidence about the processing of individual payroll transactions. In addition, the auditor should also give consideration to payroll taxes, benefits, and determining the propriety of the cutoff of payroll transactions at the end of the accounting period. Some or all of this type of testing may be done as part of dual-purpose tests during interim work. Examples of vouching recorded entries in payroll accounts include the vouching of: •  Transactions recorded in the payroll register to underlying source documents to determine the appropriateness of occurrence, accuracy, and classification of payroll costs. •  Authorization of officers’ compensation by the board of directors. Tracing transactions from time cards or other evidence of employees working to the payroll register provides evidence for the completeness and accuracy of payroll costs. Officers’ compensation may be audit sensitive for the following two reasons: (1) separate disclosure of officers’ compensation is required in 10-K reports that public companies file with the SEC, and (2) officers may be able to override controls and receive salaries, bonuses, stock options, and other forms of compensation in excess of authorized amounts. For these reasons, board of directors’ authorizations for officers’ salaries and other forms of compensation should be compared with recorded amounts. This test pertains to objectives related to each category of assertions. Depending on how pay periods are determined, there may be a risk of material misstatement associated with cutoff problems. If employees are paid every two weeks and payroll is recorded when paid, it is possible that almost two weeks’ worth of payroll costs have not been recorded at month-, quarter-, or year-end. The auditor should determine management’s procedures for accruing payroll costs, including the costs of gross payroll, payroll taxes, and other benefits and test the completeness and accuracy of payroll accruals.

12-48  C h a pte r 12  Auditing the Purchasing and Payroll Processes

Tests of Details of Balances Tests of details of balances are similar to the search for unrecorded liabilities in the purchasing process. In large part, they focus on recalculating accruals and vouching subsequent cash disbursements to underlying support. It is necessary for many companies to make a variety of accruals at the balance sheet date for amounts owed to officers and employees for salaries and wages, commissions, bonuses, vacation pay, and for amounts owed to government agencies for payroll taxes. Although the auditor’s primary concern for payroll expenses for the year is with overstatement, for the year-end accruals the primary concern is with understatement. Also of concern is consistency in the methods of calculating the accruals from period to period. In obtaining evidence concerning the reasonableness of management’s accruals, the auditor should review management’s calculations or make independent calculations. Accruals for payroll taxes should be compared with amounts shown on payroll tax returns. Additional evidence is usually obtained by examining subsequent payments made on the accruals prior to the completion of fieldwork. Evidence obtained from these tests should support the completeness, existence, valuation and allocation, and rights and obligations assertions. Many companies offer significant pension and post-retirement benefits to employees. A number of manufacturing companies have defined benefit pension plans that present significant issues with respect to the measurement of pension expenses as well as pension disclosures. The most significant risks are associated with misstatements in the valuation and allocation assertion (determining pension expenses) and the presentation and disclosure assertions (writing the pension note). Defined benefit pension plans are normally subject to requirements of the Employee Retirement Income Security Act (ERISA) of 1974, which usually requires a separate audit of the pension plan. The financial statement auditor can usually refer to the results of the ERISA audit when auditing pension expenses and disclosures. When completing the ERISA audit, the auditor will usually employ an outside expert to audit the important actuarial assumptions that are needed to determine pension expenses and the projected benefit obligation. The auditor will have to comply with the requirements of AU-C 620 Using the Work of an Auditor’s Specialist or AS 1210 Using the Work of a Specialist. These standards require the auditor to evaluate the reasonableness of the key actuarial estimates made by the specialist, such as the discount rate that is used to determine the projected benefit obligation and the long-term rate-of-return assumption used for the expected return on plan assets. The discount rate should be in line with current annuity purchase rates for high-quality fixed income investments. The long-term rate of return assumption should reflect the actual and anticipated returns for the plan’s assets.

Tests of Disclosures The most significant disclosures for payroll transactions are not covered as part of this discussion of routine payroll transactions. More complex payroll transactions involving stock options, stock appreciation rights, and defined benefit pension plans require significant disclosures. However, these transactions are not covered as part of this appendix, which focuses primarily on internal controls and substantive testing of a large volume of routine transactions, which rarely generate significant disclosures.

Before You Go On 15.1  Which assertion is of primary importance to the auditor in auditing payroll expenses? Why? 15.2 Explain the following audit test and the assertion(s) that are evaluated with this audit procedure: Vouch payroll expenses to supporting documents. 15.3 Explain the following audit test and the assertion(s) that are evaluated with this audit procedure: Recalculate accrued payroll tax liabilities and vouch to subsequent cash disbursements.

  Learning Objectives Review  12-49

Learning Objectives Review 1  Explain the nature of purchasing transactions and

balances. The purchasing process includes three major classes of transactions: (1) credit purchases, (2) cash disbursements, and (3) purchase adjustments. The primary balance sheet account in the purchasing process is accounts payable. Illustration 12.1 summarizes the transactions that go through the purchasing process, and Illustration 12.2 identifies the assertions relevant to the purchasing process. Remember, the auditor must obtain sufficient, appropriate evidence for each material assertion, and an audit strategy for one assertion may be different from the audit strategy for another assertion. 2  Evaluate how an auditor’s understanding of an entity

and its environment affects audit planning decisions related to purchases. Different companies in different industries experience different risks associated with the purchasing process. It is important for the auditor to understand how the company uses vendor financing (accounts payable) to finance its operating cycle. Some companies with short inventory turns are quite skillful in using vendor financing as a key source of working capital. Auditors should also understand the importance of the entity’s supply chain to the business. Some raw materials or products may be very important to the business and auditors need to understand the extent to which businesses may be vulnerable to shortage of key products or materials. Finally, the auditor should also understand how related party transactions influence the purchasing process, or the potential for legal restrictions that might influence an entity’s purchasing process. 3  Determine inherent risk for various assertions in the purchasing process. Common inherent risks in the purchasing process relate to the completeness of purchases, expenses, and payables. In addition, the risk of misappropriation of assets may be significant due to unauthorized disbursements, fictitions vendors, collusion with vendors, and weak controls in the purchasing process. Further, cutoff errors may be frequent due to receiving goods prior to receiving vendor invoices. Finally, this section also provides an example of how analytical procedures might flag an increased risk of material misstatement for some purchasing process assertions. It is critical for an auditor to use professional skepticism to recognize factors that increase inherent risk in the purchasing process, so the auditor is responsive to these risks. 4  Evaluate control activities for purchase transactions. Each entity has a unique system of internal control tailored to the entity’s business model and its purchasing process. It is important for the auditor to (1) understand the flow of transactions for purchases, (2) identify what can go wrong in the purchasing process, and (3) assess whether the client has controls to mitigate what can go wrong. Illustration 12.6 provides an example of the flow of transactions for credit

purchases. Illustration 12.7 addresses what can go wrong in the process of making credit purchases and making cash disbursements, and common controls that might be found to mitigate these risks. This section concludes with a discussion of key controls that are often found related to relevant assertions for credit purchases and accounts payable. 5  Evaluate control activities for cash disbursement transactions. This section continues the discussion of understanding the flow of transactions related to cash disbursements. While an increasing number of cash disbursements is made by way of electronic funds transfers, many U.S. companies continue to pay vendors with checks. Illustration 12.9 summarizes what can go wrong in the cash disbursement process along with common controls that might mitigate these risks. This section concludes with a discussion of key controls that might be found related to relevant cash disbursement transaction assertions. 6  Evaluate control activities in an evaluated receipt settlement system. Evaluated receipt settlement (ERS) is a highly automated business process between suppliers and purchasers to electronically exchange data and execute a purchase transaction. ERS recognizes that the key elements of a purchase transaction involve (a) the nature and quantity of the goods received, (b) the price of the goods received, and (c) the payment terms for the goods received. While an ERS system is highly automated and documents are exchanged electronically, the internal controls in an ERS system are similar to those found in any sound purchasing system. 7  Evaluate control activities for purchase adjustment transactions and purchasing process disclosures. The final section on purchase transactions discusses common documents found when goods are returned to vendors and payables and expenses are reduced. Common controls over purchase adjustments, and controls over purchasing process disclosures, are also discussed in this section of the chapter. 8  Determine how to design and perform tests of controls in the purchasing process and connect the results of control testing to audit strategy. This section related to controls in the purchasing process discusses testing the controls identified for relevant assertions in the financial statements. Remember, when the entity relies on significant IT application controls, the auditor must test (1) the effectiveness of IT general controls, (2) the effectiveness of the IT application controls, and (3) the effectiveness of manual procedures to follow up on exceptions. Once the auditor has evaluated controls, the auditor should consider fraud risk in the purchasing process. Auditors should be particularly attentive to the potential for fraud related to fictitious vendors,

12-50  C h a pte r 12  Auditing the Purchasing and Payroll Processes kickbacks, bid rigging, and personal purchases with entity funds. Once the auditor has determined the risk of material misstatement of each assertion, the auditor can make decisions about what substantive tests to perform, the timing of substantive tests, and the extent of substantive tests. 9  Assess detection risk and design substantive tests, including audit data analytics, to address various assertions in the purchasing process. This section outlines common substantive tests in the purchasing process. Illustration 12.10 provides a common audit program for substantive tests that might be found in the purchasing process, and this section explains the importance of each of these tests. Given the risk of understatement of payables, auditors should understand procedures to search for potential unrecorded liabilities. Further, given the risk of understatement of payables, if auditors choose to confirm accounts payable, they need to give equal attention to payables with small or zero balances as they do to larger payables. 10*  Explain the nature of payroll transactions and balances. The payroll process includes two major classes of transactions: (1) paying payroll and (2) accruing payroll and payroll taxes at the end of the period. The primary balance sheet account in the payroll process is payroll and payroll taxes payable. Illustration 12A.1 summarizes the transactions that go through the payroll process, and Illustration 12A.2 identifies the assertions relevant to the payroll process. Remember, the auditor must obtain sufficient, appropriate evidence for each material assertion, and an audit strategy for one assertion may be different from the audit strategy for another assertion. 11*  Evaluate how an auditor’s understanding of an en-

tity and its environment affects audit planning decisions in the payroll process. Different companies in different industries experience various risks associated with the payroll process. It is important for the auditor to understand the importance of human resources to the overall entity (i.e., is the entity labor-intensive or capital-intensive?), the nature of compensation (hourly compensation requires a different control system than salaried compensation), and the importance of various compensation packages such as bonuses or other compensation arrangements. 12*  Determine inherent risk for various assertions in the payroll process.

Common inherent risks in the payroll process relate to the completeness of payroll expenses and payables, particularly when pay periods do not align with month-end. The accuracy assertion may be at risk depending on the complexity of payroll calculations (e.g., complex bonus schemes), Finally, fraud risks relate to paying fictitious employees or keeping employees on the payroll after they leave the organization. 13*  Evaluate control activities for payroll transactions. Each entity has a unique system of internal control tailored to the entity’s business model and its payroll process. It is important for the auditor to (1) understand the flow of transactions for payroll, (2) identify what can go wrong in the payroll process, and (3) assess whether the client has controls to mitigate what can go wrong. Illustration 12A.5 provides an example of the flow of transactions for payroll. Illustration 12A.6 addresses what can go wrong in the payroll process and common controls that might be found to mitigate these risks. This section concludes with a discussion of key controls that are often found related to relevant assertions for payroll. 14*  Determine how to design and perform tests of controls in the payroll process and connect the results of control testing to audit strategy. This final section related to controls in the payroll process discusses testing the controls identified for relevant assertions in the financial statements. Remember, when the entity relies on significant IT application controls the auditor must test (1) the effectiveness of IT general controls, (2) the effectiveness of the IT application controls, and (3) the effectiveness of manual procedures to follow-up on exceptions. Once the auditor has evaluated controls, the auditor should consider fraud risk in the payroll process. Once the auditor has determined the risk of material misstatement of each assertion, the auditor can make decisions about what substantive tests to perform, the timing of substantive tests, and the extent of substantive tests. 15*  Assess detection risk and design substantive tests, including audit data analytics, to address various assertions related to payroll. This section outlines common substantive tests in the payroll process. Illustration 12A.7 provides a common audit program for substantive tests that might be found in the payroll process. Given the risk of understatement of payroll payables, auditors should understand procedures to evaluate payroll accruals at the end of the accounting period.

Key Terms Review Advance shipping notice (ASN) Bid rigging Electronic invoice presentment and payment   (EIPP) systems

Evaluated receipt settlement (ERS) Examining subsequent payments *Imprest payroll bank account Kickback

*Payroll process Purchasing process (procurement process) Search for unrecorded liabilities Third-party payment processor

 Audit Decision-Making Example  12-51

Audit Decision-Making Example Background Information During the year, Mid-City State University purchased approximately $5 million of office equipment under its “special” ordering systems, with individual orders ranging from $5,000 to $30,000. “Special” orders involve low-volume items that have been included in an authorized user’s budget. Department heads include in their annual budget requests for the type of office equipment needed and the dollar amounts at their estimated cost. The budget, which limits the types and dollar amounts of office equipment a department head can requisition, is approved at the beginning of the year by the board of regents. Department heads prepare a purchase requisition form for equipment and forward the requisition to the purchasing department. Mid-City’s ordering system functions as follows: Purchasing. Upon receiving a purchase requisition, a buyer verifies that the person requesting the equipment is an authorized department head and compares the purchase requisition with the unused budget. The buyer then selects the appropriate vendor by searching the various vendor catalogs on file and then emails the vendor and confirms a price quotation. The buyer next processes a prenumbered purchase order with the original sent to the vendor. The purchase order information is sent electronically to the requisitioning department and stored in the system to be accessed by purchasing, receiving, and accounts payable. Once a month, the buyer reviews a report of unfilled orders to follow up and expedite open orders. Receiving. The receiving department can access a copy of the purchase order online, without quantities. When office equipment is received, the receiving clerk accesses the purchase order electronically to complete a receiving report, noting the date and types and quantities of goods received. Goods are then delivered to the requisitioning department. Accounts payable. The IT system maintains an open purchase order file. When a vendor’s invoice is received, the invoice is entered into the system and matched with the applicable purchase order. A payable is set up by debiting the equipment account of the department for the invoiced items. The accounts payable clerk carefully compares the information on the vendor invoice with the underlying purchase order before submitting the vendor’s invoice to the accounts payable system. The vendor’s invoice is then filed with the purchase order by purchase order number in a paid invoice file, and the check is forwarded to the treasurer for signature. At the end of every month, an accounts payable clerk compares the total of unpaid invoices in the IT database with the general ledger control account for accounts payable. Monthly, university administration and department heads receive a report comparing recorded departmental expenses and capital expenditures with budgets.

Identify the Issues Evaluate Mid-City State University’s transaction-level controls related to the recording of purchases. If any controls are evaluated as weak, prepare a list of recommended controls for management.

Gather Information and Evidence Important information includes: •  Payables are recorded when the vendor’s invoice is received.

•  Information on the vendor’s invoice is compared with the purchase order. •  Budgetary controls appear to be placed in operation. •  Review of the recording of the purchase and accounts payable is performed by the AP clerk that enters the information.

Analysis and Evaluation of Alternatives •  There is no comparison of receiving reports with the recording of purchases to test for completeness. •  Purchases are not recorded until the vendor’s invoice is received, which increases the likelihood of completeness and cutoff problems. •  There is no independent check of the recorded purchase with the receiving report to control the occurrence of purchases. •  There is no independent check of the recorded purchase with underlying vendor information, quantities on the receiving report, or prices on the purchase order to control the accuracy of purchases. •  There is no independent check of the recorded purchase with account classification on the purchase order to control the classification of purchases. There may be a compensating control if department heads carefully review items charged to their department budgets.

Conclusions Regarding Internal Controls in the Purchasing Process Internal controls over the recording of purchases are weak for the following transaction class assertions: completeness, occurrence, accuracy, cutoff, and classification. Control risk should be assessed at the maximum for these assertions. Further, the auditor should recommend the client implement the following controls: •  Completeness: On a daily basis, the software application should generate a report to be reviewed and items cleared related to all receiving reports that have not resulted in the recording of a purchase and payable. •  Occurrence: On a daily basis, the software application should generate a report to be reviewed and items cleared related to all recordings of a purchase and a payable that are not supported by receiving reports with matching quantities of items received. •  Accuracy: On a daily basis, the software application should generate a report to be reviewed and items cleared related to all recordings of a purchase and a payable that are not supported by receiving reports with matching quantities of items received or purchase orders with matching prices. •  Cutoff: On a daily basis, the software application should generate a report to be reviewed and items cleared comparing dates on receiving reports with dates on the recording of a purchase and a payable. •  Classification: On a daily basis, the software application should generate a report to be reviewed and items cleared comparing account classification on the recording of a purchase and a payable with account classification on the underlying purchase requisition.

12-52  C h a pte r 12  Auditing the Purchasing and Payroll Processes

CPAexcel CPAexcel questions and other resources are available in WileyPLUS.

Multiple-Choice Questions 1.  (LO 1)  The purchasing process normally includes all of the following transactions: a.  purchases, inventory transactions, and cash receipts. b.  purchases on account, purchase returns, and cash receipts. c.  purchases on account, purchase returns, and cash disbursements. d.  purchases of inventory, plant and equipment, and depreciation. 2.  (LO 2)  Which of the following industries would have the greatest concerns about purchases cutoff at month end, unrecorded liabilities, and accounting for advertising allowances provided by vendors? a.  Manufacturer of construction equipment. b.  Retail grocer. c.  Hotel. d.  Local school district. 3.  (LO 3)  If the auditor is concerned about the risk of fraud in the purchasing process, which of the following best describes the auditor’s potential fraud risk assessments? a.  Fraudulent financial reporting–high risk; misappropriation of assets–high risk. b. Fraudulent financial reporting–high risk; misappropriation of assets–low risk. c. Fraudulent financial reporting–low risk; misappropriation of assets–high risk.

billed was received. Assume the software application prepares an exception report and follow-up procedures are effective. IT application edit checks compare: a.  quantities and prices on the voucher with quantities and prices on the purchase order. b.  quantities on the vendor’s invoice with quantities entered in receiving. c.  quantities and prices on the voucher with quantities and prices on the vendor’s invoice. d.  quantities times price on the voucher with the amount of cash disbursements. 7.  (LO 4)  Which of the following IT application control procedures would be most effective in assuring that recorded purchases are accurately recorded for transactions that actually occurred? a.  The software application compares the quantity ordered from purchase order information with the quantity received from the receiving department. b.  Vendor invoice information is compared with purchase order information. c.  Receiving reports require the signature of the individual who authorized the purchase. d.  The software application matches voucher information with information supporting purchase orders, receiving reports, and vendor invoices.

d. Fraudulent financial reporting–low risk; misappropriation of assets–low risk.

8.  (LO 5)  Which of the following controls would most likely prevent a vendor’s invoice from being paid twice?

4.  (LO 3)  The auditor is studying a ratio of accounts payable turnover in days. Which of the following indicates a potential risk of unrecorded liabilities?

b.  The software application compares information on the check with information on the receiving report.

a.  Accounts payable turnover in days increased from 28 days to 45 days from year one to year two. b.  Accounts payable turnover in days increased from 28 days to 30 days from year one to year two. c.  Accounts payable turnover in days decreased from 28 days to 15 days from year one to year two. d.  Accounts payable turnover in days decreased from 30 days to 25 days from year one to year two. 5.  (LO 4)  The internal document commonly used to record a credit purchase in the purchases journal is a: a.  purchase requisition. b.  purchase order. c.  vendor’s invoice. d.  voucher. 6.  (LO 4)  Describe the IT application control procedure that provides assurance that all the merchandise for which the client was

a.  An independent bank reconciliation is prepared. 

c.  The software application compares the daily total in the cash disbursements journal with the total vouchers submitted for payment. d.  The software application has a field that identifies a vendor’s invoice has been paid and the voucher number cannot be reused. 9.  (LO 6)  An evaluated receipt system is: a.  a highly automated business process between suppliers and purchasers to exchange data electronically to execute a purchase transaction. b.  a highly automated business process between retailers and customers to receive payment electronically for a purchase transaction. c.  a highly automated process between suppliers and purchasers to manage the receipt of goods. d.  a highly automated process associated with the initiation of a purchase transaction.

 Review Questions  12-53 10.  (LO 7)  The key documents involved in recording a purchase adjustment involve:

d.  a bank account where a company only deposits sufficient funds to process gross payroll amounts.

a.  a purchase return authorization, a shipping report, and a debit memo.

*15.    (LO 11)  When auditing the payroll process, the auditor will normally want to understand:

b.  a vendor’s invoice, a receiving report, and a credit memo. c.  a purchase order, a vendor’s invoice, and a voucher. d.  a purchase return authorization, a shipping report, and a credit memo. 11.  (LO 8)  Assume an auditor is testing an IT application control over the accuracy of purchases. The auditor is most likely to submit test data for a: a.  voucher with different quantities than on the receiving report. b.  purchase order without appropriate authorization.

a.  the relationship between payroll and significant customers. b.  the extent to which a company is capital-intensive or laborintensive. c.  the predictability of the relationship between payroll expense and capital expenditures for the year. d.  the relationship between net payroll and the company’s tax liability. *16.    (LO 12)  An inherent risk of major concern to the auditor in the payroll process is:

c.  voucher with no receiving report.

a.  the completeness of payroll.

d.  purchase order with an invalid vendor number.

b.  the occurrence assertion for payroll.

12.  (LO 9)  Which of the following procedures is best for identifying unrecorded trade accounts payable? a.  Examining unusual relationships between monthly accounts payable balances and recorded cash payments. b.  Reconciling vendors’ statements to the file of receiving reports to identify items received just prior to the balance sheet date. c.  Investigating payables recorded just prior to and just subsequent to the balance sheet date to determine whether they are supported by receiving reports.  eviewing cash disbursements recorded subsequent to the d.  R balance sheet date to determine whether the related payables apply to the prior period. 13.  (LO 9)  An auditor decided to confirm accounts payable to accomplish a low level of detection risk for the completeness assertion. Which of the following is the most reasonable sampling plan?

c.  the occurrence and cutoff assertions for payroll. d.  the completeness and occurrence assertions for payroll. *17.    (LO 13)  A client just read about a business paying extraordinary sums of money to a variety of employees. How would the client company use an IT application control to prevent this type of valuation problem? a.  Test a check digit embedded in the employee number. b.  Perform a limit test related to the class of employee. c.  Check the employee number against the master payroll file. d.  Compare the total number of payroll disbursements with a predetermined batch total. *18.    (LO 14)  An auditor may plan to test controls in the payroll process because, among other factors: a.  the chance of employee fraud is remote.

a.  Confirm accounts payable with an emphasis on all vendors including zero and small balances.

b.  outside governmental auditors spend considerable time investigating the payroll area in most companies.

b.  Confirm accounts payable with an emphasis on the largest account payables.

c.  audit risk in the area relates primarily to the hiring of competent personnel.

c.  Confirm accounts payable using probability-proportionateto-size sampling.

d.  payroll transactions are generally routine and processed in a high volume, which makes controls effective for management to employ.

d.  C  onfirm accounts payable with an emphasis on new vendors, irrespective of the size of the account balance. *14.    (LO 10)  An imprest payroll bank account is: a.  a bank account where a company only deposits sufficient funds to process net payroll transactions.

*19.    (LO 15)  Which of the following audit assertions is least likely to be accomplished by vouching payroll transactions to supporting documentation (e.g., time cards and employee contracts)? a.  The occurrence of payroll transactions.

b.  a bank account that processes all payroll withholding transactions.

b.  The completeness of payroll transactions.

c.  a bank account devoted to all payroll transactions.

d.  Proper cutoff related to payroll transactions.

c.  The accuracy of payroll transactions.

Review Questions R12.1  (LO 1)  Explain the transactions in the purchasing process. R12.2  (LO 2)  Explain how the risk of material misstatement in the purchasing process is different for a hotel than it is for a manufacturer of gas and oil field equipment.

R12.3  (LO 3)  What are the greatest inherent risks in the purchasing process? Explain the assertions that are at risk and the underlying drivers causing an increase in inherent risk. R12.4  (LO 4)  Assume that your client is a private company that manufacturers wedding rings. The company’s raw materials are gold,

12-54  C h a pte r 12  Auditing the Purchasing and Payroll Processes silver, platinum, and gem stones. Explain the expected flow of transactions, the documents, and accounting system from purchasing raw materials to paying for raw materials.

*R12.11    (LO 11)  Explain how the risk of material misstatement in the payroll process is different for a manufacturer of gas and oil field equipment than it is for a university.

R12.5  (LO 5)  Explain a typical control preventing, or detecting and correcting, duplicate payment of a vendor’s invoice in a purchasing system.

*R12.12    (LO 12)  What are the greatest inherent risks in the payroll process? Explain the assertions that are at risk and the underlying drivers causing an increase in inherent risk.

R12.6  (LO 5)  Explain a typical control preventing, or detecting and correcting, payments to a fictitious vendor.

*R12.13     (LO 13)  Assume that you are auditing a software company that has mostly salaried employees. Explain the expected flow of transactions, documents, and accounting system from hiring a new employee to paying payroll.

R12.7  (LO 6)  Assume that your client is a major grocery chain that uses evaluated receipt settlement (ERS) for 75% of its purchases. Explain the flow of transactions from the purchasing of products (e.g., various household cleaning supplies) for various grocery stores to the payment for products using an ERS system.

*R12.14    (LO 13)  Explain a typical control preventing, or detecting and correcting, payments to a fictitious employee.

R12.8  (LO 7)  Explain the flow of transactions for purchase returns.

*R12.15    (LO 13, 14)  Explain a typical IT application control to prevent paying an inappropriate wage rate. Also, explain how you would test the control.

R12.9  (LO 9)  Explain how examining subsequent payments paid after the balance sheet date (or a cutoff date) is a useful test of the completeness of purchases and payables.

*R12.16    (LO 15)  Explain how an auditor might use ADA when auditing payroll. Explain the assertions being analyzed and what might be considered an outlier given the test that you suggest.

*R12.10    (LO 10)  Assume that a company has numerous hourly employees that it pays every Friday. Explain the transactions expected in this payroll process.

Analysis Problems AP12.1  (LO 2)  Basic   Knowledge of the entity and its environment  Your client is a local independent grocer with five stores which competes with a number of large grocery chains. It purchases goods from several large grocery supply chains as well as from various vendors that sell directly to the store. Some vendors offer various advertising rebates or other price concessions for stocking goods.

Required Explain how your knowledge of the business and industry would impact your audit of total purchases and accounts payable for the client. AP12.2  (LO 2)  Moderate   Analytical procedures  The following information was taken from the accounting records for Aurora Manufacturing, Inc.:

Year 5 Unaudited

Year 4 Audited

Year 3 Audited

Year 2 Audited

Year 1 Audited

$  525,000

$  460,000

$  390,000

$  310,000

$  225,000

1,350,000

1,175,000

950,000

750,000

600,000

Accounts payable

115,000

113,000

97,500

85,000

70,000

Current liabilities

545,000

535,000

440,000

380,000

320,000

Sales

2,700,000

2,050,000

1,750,000

1,400,000

1,200,000

Cost of goods sold

1,650,000

1,225,000

1,025,000

850,000

725,000

31

30

29

30

10.7

11.2

10.9

11.1

1.9

2.2

2.3

2.1

Inventory Current assets

Industry Median Accounts payable turnover days Cost of goods sold to average   accounts payable Current ratio

 Analysis Problems  12-55

Required a.  Calculate the following information and ratios for years 2, 3, 4, and 5:

1.  Purchases.



2.  Accounts payable turnover in days.



3.  Cost of goods sold to average accounts payable.



4.  Current ratio. b.  Describe the implications of the resulting ratios for the audit strategy in year 5. What specific audit objectives are likely to be misstated? How should the auditor respond in terms of potential audit procedures?

AP12.3  (LO 6)  Moderate   Internal control evaluation—cash disbursements  Management has requested a review of internal control over cash disbursements for parts and supplies purchased at manufacturing plants. Cash disbursements are centrally processed at corporate headquarters based on disbursement vouchers prepared and approved at manufacturing plants. Each manufacturing plant purchases parts and supplies for its own production needs. In response to management’s request, a thorough evaluation of internal control over disbursements for manufacturing plant purchases of parts and supplies is being planned. As a preliminary step in planning the engagement, each plant manager has been requested to provide a written description of his or her plant’s procedures for processing disbursement vouchers for parts and supplies. Presented below are some excerpts from one of the written descriptions. 1.  The purchasing department acts on purchase requisitions issued by the parts department. 2. A software application generates prenumbered purchase orders based on information submitted by buyers in purchasing. 3.  Receiving has complete access to purchase order information in the IT system. 4. When goods are received, the receiving department logs the shipment in the IT system by indicating that the purchase order was received and forwards this electronically to accounts payable. 5. When the vendor invoice is received, it is entered into the IT system and matched electronically with purchase order and receiving information. Discrepancies are printed on an exception report for follow-up by accounts payable personnel. 6. The software application checks the clerical accuracy of information on vendor invoices. Discrepancies are printed on an exception report for follow-up by accounts payable personnel. 7. A prenumbered disbursement is prepared and forwarded along with supporting documentation to the plant controller who reviews and approves the voucher. 8. Supporting documents are returned to accounts payable for filing, and approved disbursement vouchers are forwarded to corporate headquarters for payment. 9. A report listing checks issued by corporate headquarters is received and promptly filed by accounts payable.

Required For each of the disbursement system procedures listed above, state whether the procedure is consistent with good internal control and describe how each procedure strengthens or weakens internal control. Consistent/Inconsistent

Strengthens or Weakens

1. (Example) Consistent

Purchase requisitions provide the authorization for purchasing to order.

AP12.4  (LO 9)  Moderate   Accounts payable assertions/confirmations  Mincin, CPA, is the auditor of the Raleigh Corporation. Mincin is considering the audit work to be performed in the accounts payable area for the current year’s engagement. The prior year’s papers show that confirmation requests were mailed to 100 of Raleigh’s 1,000 suppliers. The selected suppliers were based on Mincin’s sample that was designed to select accounts with large dollar balances. A substantial number of hours were spent by Raleigh and Mincin resolving relatively minor differences between the confirmation replies and Raleigh’s accounting records. Alternative auditing procedures were used for those suppliers who did not respond to the confirmation requests.

12-56  C h a pte r 12  Auditing the Purchasing and Payroll Processes

Required a.  Identify the accounts payable assertions that Mincin must consider in determining the substantive tests to be performed. b.  Identify situations when Mincin should use accounts payable confirmations and discuss whether Mincin is required to use them. c.  Discuss why the use of large dollar balances as the basis for selecting accounts payable for confirmation might not be the most efficient approach and indicate what more efficient procedures could be followed when selecting accounts payable for confirmation. (AICPA adapted)

AP12.5  (LO 9)  Moderate   Search for unrecorded liabilities  You were in the final stages of your audit of the financial statements of Ozine Corporation for the year ended December 31, 2022, when you were consulted by the corporation’s president, who believes there is no point in your examining the 2023 voucher register and testing data in support of 2023 entries. He stated that (a) bills pertaining to 2022 that were received too late to be included in the December voucher register were recorded as of the year-end by the corporation by journal entry, (b) the internal auditor made tests after the year-end, and (c) he would furnish you with a letter certifying that there were no unrecorded liabilities.

Required a.  Should a CPA’s search for unrecorded liabilities be affected by the fact that the client made a journal entry to record 2022 bills that were received late? Explain. b.  Should a CPA’s search for unrecorded liabilities be affected by the fact that a letter is obtained in which a responsible management official certifies that to the best of his knowledge all liabilities have been recorded? Explain. c.  Should a CPA’s search for unrecorded liabilities be eliminated or reduced because of the internal audit tests? Explain. d.  Assume that the corporation, which handled some government contracts, had no internal auditor but that an auditor for a federal agency spent three weeks auditing the records and was just completing his work at this time. How would the CPA’s unrecorded liability search be affected by the work of the auditor for a federal agency? e.  What sources, in addition to the 2023 voucher register, should the CPA consider to locate possible unrecorded liabilities? (AICPA adapted)

AP12.6  (LO 9)  Moderate   Substantive tests for accounts payable  Taylor, CPA, is engaged in the audit of Rex Wholesaling for the year ended December 31, 2022. Taylor performed a proper study of the internal control structure relating to the purchasing, receiving, trade accounts payable, and cash disbursement processes, and has decided not to proceed with tests of controls. Based on analytical procedures, Taylor believes that the trade accounts payable balance on the balance sheet as of December 31, 2022, may be understated. Taylor requested and obtained a client-prepared trade accounts payable schedule listing the total amount owed to each vendor.

Required What additional substantive procedures should Taylor apply in auditing trade accounts payable? (AICPA adapted)

AP12.7  (LO 9)  Challenging   Fraud   Research   SEC  In 2003, the Securities and Exchange Commission released an Accounting and Auditing Enforcement Release (AAER) describing charges and discipline against TruServ Corporation and the company’s chief financial officer. The charges claim that TruServ underestimated the accrual for merchandise payable.

Required Find and read the 2003 AAER related to TruServ Corporation. Explain the scheme that the company used to understate the accrual for merchandise payable. Finally, what audit procedures might an auditor use to uncover this misstatement? *AP12.8    (LO 13)  Moderate   Internal control questionnaire—payroll  Butler, CPA, has been engaged to audit the financial statements of Young Computer Outlets, Inc., a new client. Young is a

 Analysis Problems  12-57 privately owned chain of retail stores that sells a variety of software and video products. Young uses an in-house payroll department at its corporate headquarters to compute payroll data and to prepare and distribute payroll checks to its 300 salaried employees. Butler is preparing an internal control questionnaire to assist in obtaining an understanding of Young’s internal control structure and in assessing control risk.

Required Prepare a “Payroll” segment of Butler’s internal control questionnaire that would assist in obtaining an understanding of Young’s internal control structure and in assessing control risk. Focus on preparing questions about payments based on hourly rates and payroll tax accruals other than withholdings. Use the format in the following example: Questions

Yes

No

1.  Are paychecks prenumbered and accounted for? 2. 3.

*AP12.9    (LO 13)  Moderate   Control activities in payroll processing  As part of the audit of Beach Land Construction, you are assigned to review and test the payroll transactions. Beach Land Construction is a privately owned company, which has about 30 full-time employees, and another 30 to 60 part-time employees, depending on the company’s needs. All employees, job foreman, and other workers are paid hourly wages. Your procedures show the payroll register was properly footed, totaled, and posted. The company keeps a separate bank account for payroll transactions, which normally carries a balance between $2,000 and $10,000. Based on your conversations with the owner and bookkeeper, you determine the following: 1. Any new employee is interviewed by and hired by the owner of the company. Upon being hired, the new employee must complete appropriate IRS and other withholding forms. This information is given to the bookkeeper. 2. At the end of every day, the job foreman phones the owner to report the number of hours worked by each employee on the job. The owner then reports this information to the bookkeeper. 3. Each Friday at the end of the day, the bookkeeper prepares payroll based on the number of hours reported by the owner for each employee, the employee’s wage rate, and withholdings. The bookkeeper then prepares payroll checks. 4. The owner gives checks a cursory scan and signs the checks at the end of the day on Friday. On Monday morning, the owner has a meeting with all job foremen. Payroll checks are given to each job foreman who then distributes the checks to employees every Monday. 5. At the end of the month, the bookkeeper performs a monthly bank reconciliation on the payroll bank account, and writes and posts any needed adjusting journal entries.

Required a.  Identify any significant deficiencies or material weaknesses in the payroll procedures used in the payroll system for Beach Land Construction. b.  For each significant deficiency or material weakness you identify, recommend an improvement to correct the deficiency. *AP12.10    (LO 14)  Moderate   Potential misstatements/tests of controls—payroll  The following questions are included in the internal control questionnaire on control procedures for payroll transactions in the Pena Company: 1.  Are pay rates, payroll deductions, and terminations authorized by the personnel department? 2.  Are time clocks and clock cards used? 3.  Is there supervisory approval of time worked by each employee? 4.  Are electronic payroll deposits appropriately authorized? 5.  Is there internal verification of payroll checks with payroll register data? 6.  Is access restricted to personnel and employee earnings master files? 7.  Is hiring of new employees authorized by personnel department? 8.  Are payroll tax returns and payment of payroll taxes reviewed for accuracy and for timely filing?

12-58  C h a pte r 12  Auditing the Purchasing and Payroll Processes

Required a.  Identify a misstatement that may occur if a NO answer is given to each question. b.  Identify a possible test of controls assuming a YES answer is given to each question. (Present your answers in tabular form using separate columns for each part.)

Audit Decision Cases Construction Industry Resources, Inc. This case has two phases. Question C12.1 is based on Phase I. Question C12.2 is based on Phase II.

Phase I: Company Background and Internal Control Evaluation Construction Industry Resources, Inc. (CIRI), a C corporation, supplies building material to contractors and construction sites in a major metropolitan area. Today, CIRI has approximately $60 million in total assets and generates approximately $250 million in annual revenues. Les Browning, the majority shareholder, purchased CIRI five years ago when sales were approximately $90 million per year and it was the only building supply business in the area. Les Browning owns 70% of CIRI, a business associate who is not active in the operation of the business owns 10% of the business, and two family members (Les Browning’s father and his brother) own 10% each. The other shareholders hold management positions in other businesses (not in the construction industry) and are not active in day-to-day management. Five years ago, Les owned only 55% of the business and he purchased 5% from each of the other shareholders based on an independent valuation of the business two years ago. Les plans to purchase 100% of the common stock outstanding sometime in the next five years. Les has prided himself on his ability to grow sales and profits of the company and he looks forward to another 10 to 15 years of running the company, and enjoying the benefits of ownership, before considering an exit strategy and retirement. The board of directors is composed of the four shareholders, a representative of CIRI’s major lender, the corporation’s attorney, and its controller, Craig Ferris. The board of directors meets semiannually to review the company’s performance and make decisions regarding officer bonuses and dividends. Unlike public companies, CIRI does not have an audit committee. An audit is needed for the bank and other creditors, and the auditor meets annually with the board as a whole. CIRI is composed of two major divisions. One division is involved in the purchase and sale of lumber, building materials, hardware, and related products. The other division is a lumber brokerage business. The building supply division competes in a very competitive business environment where business must be earned on both price competitiveness and on quality of service. The building supply division has three retail/wholesale outlets in a major metropolitan area of approximately 2 million people. The lumber brokerage business is also extremely price-competitive. As a result, the company operates on relatively high ratios of sales to total assets (high asset turnover), and profit margins are low. When Les came to CIRI, he had a strong sales background. He therefore focused his attention first on customer relations and building sales in the building supply business, paying attention to CIRI’s relationships with the major general contractors and builders in the community. Les knew that profit margins were going to be thin, so he focused his energies on growing sales volume. Then, three years ago, he decided to launch the lumber brokerage division, which allowed CIRI direct access to lumber markets as well as allowed the company to continue a strong growth trend in total revenues. Craig Ferris has been CIRI’s controller for 30 years, and he continued with the company when Les Browning and the other shareholders acquired it. Les is comfortable with Craig’s skills and knows that he will have to increase the salary for the position to hire a replacement when Craig retires. Craig, while not a CPA, has a competent understanding of GAAP and knows many of the suppliers and general contractors in the construction business. In addition to completing monthly income statements and balance sheets for the company, Craig has paid a great deal of attention in recent years to the lumber brokerage business, particularly to understanding and attempting to control the business risks associated with price volatility in the lumber markets. Craig also reviews each store’s overall performance when the financial statements are prepared each month, but the company does not have sufficient staff or time to develop budgets. Accountability for store performance is very informal. Store managers are paid competitive salaries, but they receive no bonuses. Therefore, accounting numbers do not play in the determination of store managers’ compensation packages. Further, Craig and Les feel that it would be too time-consuming to develop budgets that reflect the seasonal nature of the business, and they feel that interim financial statements are sufficient to control the business.

 Audit Decision Cases  12-59 You have been assigned to the audit of the building supplies division, specifically the purchasing process, which consists primarily of the acquisition of inventories (many of which are delivered directly to building sites), the inventory process, and accounts payable.

Information and Communication and Control Activities With respect to the accounting system and control activities, Les has been rather hands-off, focusing his attention on sales growth and lumber brokerage. Les has been satisfied with Craig’s ability to produce income numbers within 15–20 days after month-end, and he has relied on the annual audit to ensure that the accounting system is working correctly. In past audits, Les and Craig have accepted auditor-proposed journal entries related to the allowance for doubtful accounts and inventory shrinkage (a perpetual problem in the construction industry), but routine transactions have not resulted in significant audit problems. Three ongoing issues have been raised in prior management letters: 1. There is a segregation of duties problem in cash disbursements as Craig has access to the supply of unused checks, he signs checks, and he performs the monthly bank reconciliations. 2. A similar segregation of duties issue has been raised regarding the activities of Wendy Roberts, who authorizes credit, maintains accounts receivable records, and follows up on bad debts. However, Craig has responsibility for writing off bad debts. 3. There is no formal system and review associated with adding new vendors or new customers to master vendor and customer files. Les and the other owners have not taken action on these issues as no significant audit adjustments have been proposed related to these problems that they believe are due to a company with a small accounting staff. The owners have viewed the audit adjustments to the allowance for doubtful accounts as an issue where they welcome the oversight provided by outside auditors. A major change in the accounting system was planned last year and implemented at the beginning of the current year (2022) when one of CIRI’s major suppliers, Contractors Wholesale Supply (CWS), approached CIRI about implementing a purchasing system with electronic data interchange (EDI). Les was eager to move forward with the system as it would keep CIRI on the cutting edge. In general, the EDI system allows CIRI to order goods electronically. CWS sends electronic sales invoices, and CIRI makes weekly payments by electronic funds transfer through a bank where both CWS and CIRI have accounts. Les sees that the process expedites shipments to customers, and CIRI receives a 1% discount on all shipments ordered through the system. Craig was also willing to make the change, as a significant portion of the operating system was resident with the supplier, and only modest programming changes were necessary at CIRI. Craig delegated implementation of the EDI system to Dennis Brewer. Dennis has been with the company for several years and has demonstrated strong technology skills. Dennis is also responsible for accounts payable and accounting for inventories. Dennis looks at the systems project as a real opportunity to demonstrate his skills. Dennis has been disappointed that he has not advanced faster in the organization. He has commented to colleagues about his frustration that most of his college friends have achieved management roles in their jobs, and they are earning good salaries and bonuses. Dennis has several children in private school and feels that this is his opportunity to earn advancement, status, and the salary he wants and needs. Following is a brief description of how the new EDI purchasing system functions at CIRI: Initiating purchases. Several buyers are responsible for purchasing inventory, managing store inventories, and making sales to general contractors and the larger builders in the metropolitan area. The buyers determine inventory to order based on their review of inventory on hand and requests from ­customers. Based on perceived inventory needs, the buyer can log onto the CSW/CIRI system using passwords, and electronically place a CIRI prenumbered purchase order directly with CWS online in real time. CWS confirms the order electronically, and an electronic sales order is sent from CWS to Dennis. Dennis receives exception reports each morning of any mismatches between CIRI purchase orders and CWS sales orders. (CWS writes sales orders based on inventory that they have in stock.) Dennis tracks all purchases based on the prenumbered purchase orders. Buyers have restricted access to only the order side of the system. (Buyers can also monitor all inventory quantities.) Receiving access has been given only to the warehouse clerks at each store. Dennis has full access to the system. Receiving goods. When shipments are received from CWS, they are counted by the warehouse clerk at each of CIRI’s three stores. The clerk then logs into the CWS/CIRI system and enters quantities received in the electronic equivalent of a prenumbered receiving report. The electronic receiving report is sent from each store to Dennis. Further, approximately 35% of purchases are drop-shipped directly to customer locations. In other words, a building contractor will call a CIRI buyer, who will order the goods from CWS and have them shipped directly to the building site. The warehouse clerk at each store has responsibility for following up on drop shipments with customers and filing electronic receiving reports for drop shipments. Experience shows that this is a low priority for these warehouse clerks, and it often

12-60  C h a pte r 12  Auditing the Purchasing and Payroll Processes takes nagging by Dennis each week to get these reports filed. This had also been a problem in the manual system in that on-site project managers were not good about signing delivery reports. When the warehouse clerk at the responsible store files an electronic receiving report for drop shipments, the clerk also has responsibility for filing a shipping report to initiate CIRI’s customer billing process. The receiving information updates the perpetual inventory records for all items received at one of the three stores. The perpetual inventory is not updated for drop shipments. The buyers informally review the accuracy of the perpetual inventory for reasonableness. A full physical inventory is done at year-end, and the stores are closed for that event. Recording payables. When CWS ships goods, an invoice is electronically sent to Dennis. Each day, Dennis receives a system-generated report of items that have been ordered from CWS, a report of items ordered that have not been received, and a list of all billings that have not been matched with prenumbered receiving reports. Dennis pays the most attention to these reports on Wednesdays and Thursdays so that all billings are cleared for electronic payment on Friday. He particularly follows up on items where electronic invoices have been received from CWS that have not yet been matched with receiving reports sent from the stores. He then files these exception reports by date with his notations on the various reports. Once the electronic receiving report is electronically matched with the sales invoice, a payable is established and Dennis approves payment of the invoice. Electronic funds transfer. Every Friday, the total of approved invoices is paid via electronic funds transfer though a national bank from CIRI to CWS. Craig is responsible for reviewing and approving a list of cash disbursements before they are run. With respect to the EDI system, Craig performs an overall reasonableness check on the volume of activity with CWS. Craig feels that the system has greatly reduced the paperwork, made the office more efficient, and allowed the company to maintain margins in a very competitive marketplace. Dennis was happy to work on the project and was pleased to be given the increased responsibility. However, Dennis was overheard in the lunchroom to have been disappointed that neither pay nor promotion advances were received as he expected, and that he is not earning what he deserves. Dennis expressed frustration that his career was going nowhere and that Craig and Les were too tight-fisted with promotion and recognition for making the transition go smoothly. C12.1  (LO 1, 3, 4, 6, 7)  Challenging   Understanding internal control, fraud risk assessment, and substantive tests a. Analysis and evaluation: Evaluate the effectiveness of the CIRI’s control environment. You may evaluate each individual component of the control environment but then develop an overall conclusion regarding the control environment and its influence on other aspects of internal control. b.  1. Analysis and evaluation: Using the table below, evaluate the factors associated with the risk of fraud and the effectiveness of control activities with respect to the occurrence assertion for purchases and payables associated with the EDI purchasing system. Fraud Risk Factors Assertion

Incentives/ Pressures

Opportunity

Attitude and Rationalization

Control Activities

Possible Misstatements

Occurrence purchases and payables 2.  Analysis: Identify internal control deficiencies that you find in the EDI purchasing system. c. Evaluation: Prepare a letter with the two most important internal control recommendations that you have for management. Each specific recommendation should describe the current system, explain the risk involved, and make specific recommendations for improvement. Focus on issues raised by the new system and not on issues that have been raised in prior audits.

Phase II: Substantive Testing When obtaining an understanding of the accounting system, you looked at the file containing the exception reports reviewed by Dennis Brewer (e.g., for items billed but not received). While these reports are printed daily, often only three or four reports would be present for a given week. Dennis said that he really pays attention to the reports primarily on Wednesday and Thursday and that he often does not keep the reports from earlier in the week. Subsequently, you pulled a sample of 30 transactions from the EDI system to perform substantive tests of transactions and test the accuracy of recorded transactions that are processed through the system.

 Audit Decision Cases  12-61 Of the 30 transactions selected at random, 19 represented transactions shipped directly to stores, and 11 represented drop shipments. The following table summarizes the nature of this sample of 30.

Drop shipments Shipped to stores Purchases through the EDI system

$ BV of Popn.

# of Transactions

Sample Size

$ BV of Sample

$ 5,756,077

1,391

11

$ 80,530

10,615,018

1,737

19

188,455

$ 16,371,095

3,128

30

$ 268,985

You noted the following issues among the 30 transactions. •  You find one item that shipped directly to the stores with an invoice total of $9,775, for which the price on the invoice per the purchase order was $67 per unit but was billed at $76 per unit. The company purchased 100 units of the SKU number on that invoice and paid the invoice in full as billed. •  The company was closed from Thursday, June 30, 2022, through Monday, July 4, 2022. Inventory was taken on Thursday, June 30, 2022. During the inventory count, a truck came in with a shipment from CWS. The value of the invoice was $9,875. The units were segregated from the rest of the inventory and not counted. At the end of the inventory, the shipment was added to the overall value of the inventory. During the closing of the books after July 4, the purchase was recorded as an account payable in the amount of $9,875 with a date of June 30, 2022. •  Auditing drop shipments has been a problem in past audits, as CIRI has not always had receiving documents to support deliveries to construction sites. However, your firm has been able to verify that shipments had been billed to customers and subsequently cash was received associated with these deliveries. In the current year, not only did you verify that the item was supported by electronic receiving reports, but you also followed up to find that they were billed to customers who paid for the goods. All 11 of the electronic invoices from CWS for drop shipments included in the sample were supported by electronic receiving reports and they were paid in the correct amounts and on time. However, Dennis could not show where one transaction with an invoice amount of $4,323 had been billed to, and had been paid by, customers. He suggested two possibilities. First, he suggested that some customers had prepaid for the shipments. Second, he complained that he often had to follow up with the stores about filing receiving reports because someone at the store level failed to file a shipping report. However, his primary responsibility was only for the purchasing system, not the billing system and ensuring that vendors were paid on time. He could not verify what caused the problem with this transaction. Further follow-up failed to identify the underlying sales invoice for this transaction. C12.2  (LO 1, 3, 4, 6, 7)  Challenging   Understanding internal control, fraud risk assessment, and substantive tests a. Analysis and evaluation: What concerns, if any, are raised by the evidence noted above? Assuming that the problems found in the sample are representative of problems in the population, determine any relevant amount of projected misstatement based on your finding, assuming that the ratio of misstatements to book value found in the strata from which they were selected are representative of the entire strata. After considering your findings, what additional audit procedures should be performed, if any? b.  Evaluation: What issues do you want to discuss with management? Draft the issues that you want to discuss with CIRI management, including with whom in management discussions should be held.

Brookwood Pines Hospital Question C12.3 is based on the following case. Goodfellow & Perkins gained a new client, Brookwood Pines Hospital (BPH), a private, not-for-profit hospital. The fiscal year-end for Brookwood Pines is June 30. You are performing the audit for the 2023 fiscal year-end. The healthcare industry can be very complicated, especially in the area of billing for services provided. BPH contracts with private physician groups who use the hospital facilities, equipment, and nursing staff to treat patients. The physicians in the private group are not employees of the hospital; they are simply using the hospital facilities to treat patients. For example, a group of urologists have their own practice, separate from the hospital, where they treat patients. If one of the patients needs a surgical procedure that must be done at a hospital, then the attending urologist will approve the paperwork required to admit the patient to BPH. BPH offers inducements to the urologists so they will refer patients to BPH

12-62  C h a pte r 12  Auditing the Purchasing and Payroll Processes rather than a competing hospital. One of the inducements BPH offers is free office space in the hospital for the doctors to use when they are treating patients in the hospital. After the doctor and hospital services are provided to the patient, the patient and/or the patient’s insurance company is billed. The doctor will bill for the services he or she provided, and the hospital will bill for the use of hospital facilities and staff. Doctors and hospitals bill using a coding system that is standardized across the healthcare industry and consists of three main code sets: ICD, CPT, and HCPCS. Using a coding system is more efficient and data-friendly compared to writing a narrative about the procedures performed. However, the coding system is very complex, with thousands of different codes for medical procedures and diagnoses. To complicate matters even more, for patients who are covered by government-sponsored Medicare or Medicaid, doctors and hospitals must adhere to complicated government regulations surrounding billings to Medicare and Medicaid. As healthcare costs continue to rise each year, BPH administrators struggle to maintain consistent profitability. They look for ways to keep costs low and also to collect from patients and insurance companies as quickly as possible. In addition, BPH must have a strong risk management team to handle unique situations that may occur in hospitals such as malpractice lawsuits and periodic inspections by the state department of health and hospitals. Negative publicity for BPH could lead to decreased revenues if physicians decide to contract with a competing hospital. You are completing the planning of the audit of accounts payable and payments system. A prenumbered voucher is used to record all payables. An IT application control performs the following procedures: •  T  he vendor details, item numbers, quantities, and prices on the voucher are matched to information on the supplier’s invoice and the appropriate receiving report. •  T  he vendor details, item numbers, and quantities on the voucher are matched to information on an authorized purchase order.  anual follow-up procedures are performed daily by a data control group. Any exceptions are cor•  M rected within 24 hours. C12.3  (LO 9)  Challenging   Evaluating internal controls  Given the information you have collected above about internal controls in the purchases process: a.  Evaluation: Evaluate the quality of internal controls for each assertion related to purchase transactions. b.  Analysis: For assertions where internal controls are determined to be strong, design appropriate tests of controls to test the assertion. You may assume that IT general controls have previously been tested and found effective. c.  Analysis and evaluation: For assertions where internal controls are weak, prepare a recommendation to management identifying the weakness, the risk of misstatement associated with the weakness, and a recommended control to correct the weaknesses.

The Vane Corporation Question C12.4 is based on the following case. The Vane Corporation is a manufacturing concern that has been in business for the past 18 years. During this period, the company has grown from a very small family-owned operation to a medium-sized manufacturing concern with several departments. Despite this growth, a substantial number of the procedures employed by Vane have been in effect since the business was started. Just recently, Vane has computerized its payroll function. The payroll function operates in the following manner. Human resources is responsible for hiring or firing workers. HR also maintains an employee master file with the employee number, pay rates, information about the department in which an employee works, and payroll withholding information. Only the HR manager and two of her assistants have the ability to access and change the employee master file database. The HR manager reviews a report of all changes weekly. Each worker has a personal swipe card to record hours worked electronically. Each Friday evening, the factory foreman reviews an electronic file of hours worked and approves the hours or raises questions with employees about what has been recorded. This information is submitted to payroll by Monday at noon for processing. In payroll, the approved time worked is imported electronically to process weekly payroll. Later on Monday, a final payroll file is sent to the company controller for approval. Once the controller approves the payroll, direct deposits of payroll are made to employee bank accounts. Further analysis of the payroll function reveals the following: •  A worker’s gross wages should not exceed $1,300 per week. •  Raises never exceed $3.55 per hour for the factory workers. •  No more than 20 hours of overtime are allowed each week. •  The factory employs 150 workers in ten departments.

  Audit Decision Cases  12-63 The following problems surfaced when the new payroll system was placed in operation: 1. A worker received a direct deposit for $1,531.80 when it should have been $153.81. It was determined that the wage rate was overstated by a magnitude of 10 because it was entered incorrectly in the payroll system. 2. One worker complained that a direct deposit was not made to his account, and this error was not detected. As it turned out, the payment was made to another individual because the wrong bank account number was on file. 3. One worker received a paycheck for an amount considerably larger than she should have. Investigation revealed that a worker was paid $21.75 per hour rather than $12.75 per hour because of an input error when changing the employee’s wage rate on the master file. 4. In processing non-routine changes, an HR assistant included a pay rate increase for one of his friends in the factory. This was discovered by chance when a foreman was reviewing charges to his department. *C12.4    (LO 13)  Challenging   Internal control evaluation—payroll  Analysis and evaluation: Identify the control deficiencies in the payroll process for The Vane Corporation. Recommend the changes necessary to improve the control structure. Arrange your answer in the following columnar format: Control Deficiencies

Recommendations

(ICMA)

Cloud 9 - Continuing Case Answer the following questions based on the information for Cloud 9 presented in the appendix to this text and the current and earlier chapters. You should also consider your answers to the case study questions in earlier chapters. The following information focuses on evaluating inherent risk, control risk and detection risk for purchase transactions and accounts payable.

Required a.  After reviewing the trial balance, calculate the following ratios for Cloud 9 as of 1/31/2021, 1/31/2022, and 10/31/2022: 1. Accounts payable turnover in days (use ending balance rather than average balance for accounts payable). 2.  Cost of goods sold to average accounts payable. 3.  Payables as a % of total assets. 4.  Current ratio. 5. Any other ratios and information that you believe would be appropriate to evaluating inherent risk for purchase transactions and accounts payable balances. b.  Based on your analysis of information gathered: 1. Identify high inherent risk assertions for purchases transactions and accounts payable. 2. Evaluate inherent risk for purchase transactions and accounts payable. Explain why you have identified various assertions as high or maximum risk for accounts payable.

c. Analyze and draw conclusions about the nature and extent of tests of controls: 1. For each assertion that you identify as high or maximum inherent risk, identify an internal control, or a combination of internal controls, that would control that risk. 2. Explain the nature and extent of tests of controls you would need to perform to assess control risk as low, for the controls you identified in (c)1 above. d. Analyze and draw conclusions about the nature, timing, and extent of substantive procedures: 1. Given your conclusions about inherent risk and assuming that tests of controls show that internal controls are effective, what are your conclusions about detection risk for the assertions identified as high or maximum inherent risk? Explain your conclusions. 2. For the assertions you identified as high or maximum inherent risk, what is the substantive procedure you would suggest performing (nature of the test)? Explain your conclusions. 3. For the assertions you identified as high or maximum inherent risk, when do you suggest performing the substantive procedure (timing of the test)? Explain your conclusions. 4. For the assertions you identified as high or maximum inherent risk, how extensively should the auditor test these assertions (extent of the test)? Explain your conclusions.

Chapter 13 Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts) The Audit Process Overview of Audit and Assurance (Chapter 1) Professionalism and Professional Responsibilities (Chapter 2) Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4) Identify Significant Accounts and Transactions Make Preliminary Risk Assessments

Set Planning Materiality

Gaining an Understanding of the System of Internal Control (Chapter 6)

Audit Evidence (Chapter 5)

Develop Responses to Risk and an Audit Strategy

Performing Tests of Controls (Chapter 8)

Performing Substantive Procedures (Chapter 9) Audit Sampling for Substantive Tests (Chapter 10)

Auditing the Revenue Process (Chapter 11)

Auditing the Purchasing and Payroll Processes (Chapter 12)

Audit Data Analytics (Chapter 7)

Gaining an Understanding of the Client

Auditing the Balance Sheet and Related Income Accounts (Chapter 13)

Completing and Reporting on the Audit (Chapters 14 and 15) Procedures Performed Near the End of the Audit

Drawing Audit Conclusions

Reporting

13-1

13-2  C h a pte r 13 Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts)

Learning Objectives LO1  Evaluate how an auditor determines and executes an audit strategy for cash and cash equivalents.

for property, plant, and equipment, and depreciation expense.

LO2  Evaluate how an auditor determines and executes an audit strategy, including the use of ADA, for inventory and cost of goods sold.

LO4  Evaluate how an auditor determines and executes an audit strategy for long-term debt and interest expense, and stockholders’ equity.

LO3  Evaluate how an auditor determines and executes an audit strategy, including the use of ADA,

Auditing and Assurance Standards PCAOB

Auditing Standards Board

AS 1105 Audit Evidence

AU-C 500 Audit Evidence AU-C 501 Audit Evidence—Specific Considerations for Selected Items

Cloud 9 - Continuing Case Suzie and Ian are continuing their work on the substantive audit testing program for the Cloud 9 audit. Suzie convinced Ian that analytical procedures are not the only substantive tests they will need. They will need to consider how audit risk and other factors impact the appropriateness of analytical procedures for each area of the audit, and include other substantive tests where required. Today, they are focusing on asset and liability accounts. Significant accounts on Cloud 9’s trial balance that they have not

yet addressed include cash; inventory; property, plant, and equipment (PPE) (mainly furniture and equipment and leasehold improvements); as well as long-term debt and stockholders’ equity accounts. Suzie asks Ian to suggest the key factors that they will consider when designing the substantive test program for each of these accounts, as well as which procedures they will choose to include in the program.

Chapter Preview: Audit Process in Focus This chapter focuses on the audit of several key balance sheet accounts. Chapters 11 and 12 discussed performing tests of details of transactions for cash receipts and cash disbursements and purchases, including the purchases of inventory. In this chapter, we begin with a discussion of performing tests of details for the cash and cash equivalents balance. The discussion continues by focusing on how auditors test inventory on the balance sheet, and how the ending inventory balance affects cost of goods sold. Next, we describe auditing property, plant, and equipment, and the related depreciation expense. Finally, this chapter concludes with a discussion of testing financing activities associated with long-term debt, the related interest expense, and equity. In each case, the discussion follows a process of: 1. Understanding the flow of transactions involving the balance sheet and income statement. 2. Understanding the entity and its environment. 3. Understanding the results of analytical procedures. 4. Assessing inherent risk. 5. Assessing controls risk and fraud risk. 6. Determining an audit strategy. 7. Completing substantive tests.

 Auditing Cash and Cash Equivalents  13-3

Auditing Cash and Cash Equivalents Lea rning Objective 1 Evaluate how an auditor determines and executes an audit strategy for cash and cash equivalents.

Understanding the Flow of Transactions Cash and cash equivalents include: •  Cash in the bank. An example is the primary bank account for the company. •  Imprest bank accounts. An example is an imprest payroll bank account (see the appendix to Chapter 12). These are bank accounts that will have a specific book balance, such as zero or $10,000. At each payroll date, the exact amount needed to clear net payroll transactions is transferred into this account. After payroll disbursements are made, the balance in the account reverts to the specific expected balance. •  Cash equivalents. Examples are commercial paper, Treasury bills, or money market funds. These are highly liquid investments having a maturity of three months or less. These accounts usually result in the recognition of interest income. Chapter 11 discussed cash receipt transactions and internal controls over cash receipts. Chapter 12 discussed cash disbursement transactions and internal controls over cash disbursements. The following discussion focuses primarily on testing cash balances on the balance sheet.

Understanding the Entity and Its Environment An important aspect of developing a preliminary audit strategy involves understanding the entity and its environment. In Chapters 11 and 12, we discussed how understanding the entity and its industry might be helpful for developing an expectation for certain balances. For example, a manufacturer is more likely to sell on credit, resulting in more significant receivables than a retail grocer. Cash balances may vary significantly from company to company within an industry. Top performers in an industry, which generate significant free cash flow (the excess of cash flow from operations over capital expenditures), are more likely to have significant balances of cash and cash equivalents. It is important for the auditor to understand: •  Management’s cash budgeting practices. •  The influence of seasonal activity on cash balances. •  The level of minimum cash balances the company expects to keep on hand. •  The company’s policies regarding the investment of excess cash in cash equivalents or long-term investments. Some companies, such as Apple, Inc., have significant positive cash flow from operations and positive free cash flow, which result in significant cash and cash equivalents, and significant investments in marketable securities. Other companies, such as Sears Holding Corporation, have experienced negative cash flow from operations and have had to manage cash by selling assets, issuing debt, and repaying debt; cash balances are a small percentage of total assets. While Apple and Sears may be extreme examples, it is important for the auditor to understand how management budgets and manages cash balances, and to tailor the audit of cash accordingly.

13-4  C h a pte r 13 Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts)

Understanding the Results of Analytical Procedures Management’s operating, investing, and financing decisions and strategies significantly affect cash balances. Consequently, in some audits these balances may not be expected to show a stable or predictable relationship with other current or historical financial or operating data. Well-managed companies regularly develop cash budgets, projecting (1) cash receipts from operations, (2) cash disbursements for operating needs, and (3) cash flows from investing and financing activities. Effective analytical procedures involve comparing cash balances with forecasts or budgets, or with company policies regarding minimum cash balances and the investment of surplus cash. When internal controls are strong, it is usually most effective to compare cash balances with budgets and company policies because the individual cash needs of various entities are often unique.

Assessing Inherent Risk Cash, by its nature, is susceptible to theft. Many schemes for stealing cash involve failing to record cash receipts. Significant inherent risks relate to cash receipts and disbursement transactions (discussed in Chapters 11 and 12). Cash is also susceptible to theft by the manipulation of cash balances, such as paying fictitious vendors or employees. Disclosures related to cash balances are usually not complex. Auditors should recognize that problems with transactions during the period result in problems with the completeness of the ending cash balance, yet these frauds are uncovered by auditing transactions rather than cash balances. In contrast to receivables or inventories, inherent risks pertaining to the rights and obligations or the valuation and allocation assertions for cash are low because there are no complexities involving rights, accounting measurements, and estimates.

Assessing Control Risk and Fraud Risk Strong internal control always starts with a strong tone at the top and sound control environment. The most important control over the existence, completeness, and valuation of cash balances is an independent bank reconciliation. Auditors expect that public companies and larger private companies will have good internal controls over cash. Controls over cash receipts and cash disbursement are usually tested as part of testing controls in the revenue process and the purchasing process. However, many smaller businesses, not-for-profit organizations, or smaller governments may have inadequate segregation of duties, which may result in weak internal controls over cash. If control risk is high or maximum (as it should be when segregation of duties is inadequate and there are no compensating controls), the auditor should assume that fraud risk is high and design appropriate substantive tests, particularly substantive tests of transactions. In some cases, particularly businesses with significant cash sales, it may be very difficult to determine if cash is being skimmed before being recorded and deposited. To detect this, audit procedures might focus on average size of cash sales and lower gross margins compared to prior periods or industry statistics to determine if unrecorded cash is a problem. If the company appears to be receiving more cash than the underlying business supports, and gross margins are unusually high, it may be evidence of money laundering. With respect to cash disbursements, it may be easier for auditors to focus on payments to fictitious vendors as there is often a lack of evidence related to receiving goods. Nevertheless, it is important for auditors to design appropriate audit procedures when control risk is high or maximum, and fraud risk is high.

Determining an Audit Strategy Illustration 13.1 provides an example audit strategy for assertions related to cash balances and disclosures. This audit strategy assumes that internal controls are strong and the auditor

 Auditing Cash and Cash Equivalents  13-5

performs tests of controls. In the case of larger public companies where the internal auditor tests controls over cash and cash budgeting, or the internal auditor performs some level of substantive tests of cash, the external auditor will determine if it is appropriate to use the work of the internal auditor to support the audit conclusion.

ILLUSTRATION 13.1   Example preliminary audit strategies for cash assuming strong internal controls

Risk That Analytical Procedures Will Fail to Detect Material Misstatements

Risk That Detail Testing Will Fail to Detect Material Misstatements

Assertion

Inherent Risk

Control Risk

Existence

Maximum: Cash involves a high volume of transactions and it is highly susceptible to misappropriation.

Low: Strong controls over cash disbursements and cash receipts. Additional controls include independent monthly bank reconciliation.

High: Comparing year-toyear financial data and comparing cash balances with cash budgets and forecasts.

High: The auditor will usually confirm bank balances. Tests of bank reconciliations depend on quality of internal controls.

Completeness

Moderate: Completeness problems are more likely with cash transactions than with cash balances. It is more likely that cash will be overstated than understated.

Low: Strong controls over cash disbursements and cash receipts. Additional controls include independent monthly bank reconciliation.

High: Comparing year-toyear financial data and comparing cash balances with cash budgets and forecasts.

High: The auditor will usually confirm bank balances. Tests of bank reconciliations depend on quality of internal controls.

Rights and obligations

Low: Significant rights issues do not exist with respect to cash balances.

N/A

Maximum: Analytical procedures are not directed at the rights and obligations assertion.

High: The auditor will usually confirm bank balances and any restriction on cash.

Valuation and allocation

Low: Significant valuation issues do not exist with respect to cash balances.

Low: Strong controls over cash disbursements and cash receipts. Additional controls include independent monthly bank reconciliation.

High: Comparing year-toyear financial data and comparing cash balances with cash budgets and forecasts.

High: The auditor will usually confirm bank balances. Tests of bank reconciliations depend on quality of internal controls.

Presentation and disclosure assertions

Moderate: Usually cash does not have significant disclosures; however, cash may be restricted due to debt covenants or compensating balance arrangements.

Moderate or Low: Primary control is the involvement of an effective disclosure committee.

Maximum: Analytical procedures are not directed at disclosures.

Moderate to High: The auditor will often perform tests of details to evaluate the quality and accuracy of financial statement disclosures.

In some cases involving private companies, a small business owner may want the auditor to extend the scope of the engagement to provide assurance about the validity of cash balances. As a result, the auditor will follow a primarily substantive approach emphasizing tests of details even when the audit risk model might indicate that such an approach is not necessary because of the effectiveness of internal controls. As previously discussed, when segregation of duties is weak, the auditor will plan a primarily substantive approach for obtaining assurance about cash balances and cash transactions.

Substantive Tests of Cash Balances Tests of cash balances focus on the account balance assertions of existence, completeness, right and obligations, and valuation and allocation. An audit program for testing cash balances is presented in Illustration 13.2. Each of these procedures is explained in the following section, including comments on when certain procedures might be omitted and how some of the procedures can be tailored to applicable risk factors.

13-6  C h a pte r 13 Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts) ILLUSTRATION 13.2  Substantive tests of cash balances

Category

Initial procedures

Substantive Test

1.  Obtain an understanding of the business and industry to determine:

Assertions All

a.  The significance of cash balances and transactions to the entity. b. The entity’s policies for maintaining minimum cash balances, forecasting cash balances, and investing surplus cash. 2. Perform initial procedures on cash balances and records that will be subjected to further testing.

Analytical procedures

Tests of details of transactions

a. Trace beginning balance for cash on hand and in bank to the prior year’s working papers.

Valuation and allocation

b. Review activity in general ledger accounts for cash and investigate entries that appear unusual in amount or source.

All

c. Obtain client-prepared schedules of bank balances, verify mathematical accuracy, Valuation and allocation and determine agreement with general ledger. 3.  Perform analytical procedures: All a. Compare cash balances with budgeted amounts, prior year’s balances, or other expected amounts. b. Calculate cash as a percent of total assets and compare with auditor expectations. 4. Perform cash cutoff tests (note these tests may have been performed as part of the audit programs for cash receipts and cash disbursements):

Existence, Completeness

a. Observe that all cash received through the close of business on the last day of the fiscal year is included in cash on hand or deposits in transit and that no receipts of the subsequent period are included. OR b. Inspect documentation such as daily cash summaries, duplicate deposit slips, and bank statements covering several days before and after year-end date to determine proper cutoff. c. Determine the last check issued and mailed on the last business day of the fiscal year and trace to accounting records to determine the accuracy of the cash disbursements cutoff. OR d. Compare dates on checks issued for several days before and after the year-end date to the dates the checks were recorded to determine proper cutoff. 5. Trace bank transfers for several days before and after the year-end date to determine that each transfer is properly recorded as a disbursement and a receipt in the same accounting period and is properly reflected in bank reconciliations when applicable.

Tests of details of balances

Presentation and disclosure

Existence, Completeness

6. Prepare proof of cash for any bank accounts the auditor has been unable to reconcile Existence, Completeness, Accuracy or for which there is a high risk that fraudulent transactions have occurred. 7. Count undeposited cash on hand and determine that such amounts are included in Existence, Completeness, Valuation and allocation, Rights and obligations cash balances. 8.  Confirm cash balances and loan balances with banks.

Existence, Completeness, Valuation and allocation, Rights and obligations

9. Confirm other arrangements with banks, such as lines of credit, compensating balance agreements, or loan guarantees.

Existence, Completeness, Valuation and allocation, Rights and obligations

10.  Obtain, scan, review, and reperform bank reconciliations as appropriate.

Existence, Completeness, Valuation and allocation

11. Obtain and use cutoff bank statements to verify bank reconciliation items and detect any unrecorded checks that have cleared the bank. 12.  Compare statement presentation with GAAP.

Existence, Completeness, Valuation and allocation

a. Determine that cash balances are properly identified and classified in the financial statements.

Classification and understandability

b. Determine that bank overdrafts are reclassified as current liabilities.

Classification and understandability

c. Make inquiries of management, inspect correspondence with banks, and inspect minutes of board of directors’ meetings to determine matters requiring disclosure such as lines of credit, loan guarantees, compensating balance agreements, or other restrictions on cash balances.

Occurrence and rights and obligations

d. Evaluate the completeness of presentation and disclosures for cash balances in drafts of financial statements to determine conformity to GAAP by reference to disclosure checklist.

Completeness

e. Read disclosures and independently evaluate their understandability.

Classification and understandability

 Auditing Cash and Cash Equivalents  13-7

Initial Procedures Before proceeding with tests of details of cash balances, the auditor should ensure that an understanding has been obtained regarding the entity and its environment and the importance of cash balances to the entity. For example, the auditor might understand the volume of transactions going through various cash accounts, the entity’s ability to generate positive cash flow from operations, policies for forecasting or budgeting cash, and policies for investing surplus cash. The starting point for verifying cash balances is tracing the current period’s beginning balances to the ending audited balances in the prior year’s working papers (when applicable). Next, the current period’s activity in the general ledger cash accounts should be reviewed for any significant entries that are unusual in nature or amount that require special investigation. In addition, any schedules prepared by the client showing summaries of undeposited cash receipts at different locations and/or summaries of bank balances should be obtained. The mathematical accuracy of any such schedules should be determined and their agreement with related cash balances in the general ledger checked. This test provides evidence about the valuation and allocation assertion.

Substantive Analytical Procedures As previously discussed, the effectiveness of analytical procedures varies significantly from client to client. Cash balances may be difficult to predict and may depend on operating cash flow plus investing and financing activities during the year. Nevertheless, the auditor should understand management’s policies for maintaining minimum cash balances and for investing surplus cash.

Tests of Details of Transactions Chapters 11 and 12 discussed internal control over cash receipts and cash disbursements. Many times, substantive tests of transactions involving the tracing and vouching of cash receipts and cash disbursements transactions are performed concurrently with tests of controls as dual-purpose tests. The evidence from such tests should be combined with the evidence from the procedures discussed here in reaching a conclusion as to the fair presentation of cash balances. Testing cutoff. A proper cutoff of cash receipts and cash disbursements at the end of the year is essential to the proper statement of cash at the balance sheet date. In many cases, the auditor may rely on the client’s internal controls related to the cutoff assertion for cash receipts (see Chapter 11) and cash disbursements (Chapter 12), and test these controls at an interim date. When internal controls are weak, the auditor will perform his or her own cutoff procedures at year-end. For cash receipts, the auditor will determine the last deposits made before year-end and the amount of any cash on hand at year-end. The auditor can then compare this information with the last transactions recorded in the cash receipts journal. Likewise, the auditor will determine the last check written at year-end and compare this information with the cash disbursements journal to determine that transactions are recorded in the proper accounting period. Auditing bank transfers. Many entities maintain accounts with more than one bank. A company with multiple bank accounts may make authorized transfers of money between bank accounts. For example, money may be transferred from a general bank account to a payroll bank account for payroll checks that are to be direct-deposited on payday. When checks are written to transfer funds between accounts at different banks, several days (called the float period) generally will elapse before the check clears the bank on which it is drawn. Thus, if the bank deposit is recorded in one period, and the cash disbursement is recorded in the subsequent period, cash will be overstated because it is being double-counted. It is essential that the disbursement and the deposit be recorded in the same period. Intentionally recording a bank transfer as a deposit in the receiving bank while failing to show a deduction from the bank account on which the transfer check is drawn is a form of fraud known as kiting. Kiting may be used to conceal a cash shortage and overstate cash at the balance sheet date.

kiting  a method often used to conceal a cash shortage or to overstate cash; kiting involves recording a transfer between bank accounts as a deposit while failing to record the cash disbursement in the same time period

13-8  C h a pte r 13 Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts)

An auditor requires evidence on the validity and accuracy of bank transfers. This is obtained by preparing a bank transfer schedule. Data for the schedule is obtained from an analysis of the cash entries per books and applicable bank statements and cutoff bank statements. The schedule lists all transfer checks issued at or near the end of the client’s fiscal year, and shows the dates that the checks were recorded by the client and the bank, as illustrated in Illustration 13.3. If we assume all checks are dated and issued on December 31, check 4100 in Illustration 13.3 was handled properly because both book entries were made in December and both bank entries occurred in January. This check would be listed as an outstanding check in reconciling the general bank account at December 31 and as a deposit in transit in reconciling the payroll bank account. Check 4275 illustrates a transfer check in transit at the closing date. Cash per books is understated by $10,000 because the check has been deducted from the balance per books by the issuer in December, but has not been added to the Branch #1 account per books by the depositor until January. To correct this error, an adjusting entry is required at December 31 to increase the branch balance per books. ILLUSTRATION 13.3  

Bank transfer schedule

Bank Accounts Check No. From

To

Disbursement Date

Receipt Date

Amount Per Books Per Bank Per Books Per Bank

4100

General

Payroll

$50,000

12/31

1/3

12/31

1/2

4275

General

Branch #1

$10,000

12/31

1/4

1/2

1/2

4280

General

Branch #2

$20,000

1/2

1/2

12/31

12/31

B403

Branch #4 General

$5,000

1/3

1/4

12/31

12/31

Checks 4280 and B403 illustrate the likelihood of kiting because these December checks were not recorded as disbursements per books until January, even though they were deposited in the receiving banks in December. Check 4280 results in a $20,000 overstatement of cash in bank because the receipt per books occurred in December, but the corresponding book deduction was not made until January. Check B403 may illustrate an attempt to conceal a cash shortage because the bank deposit occurred in December, presumably to reconcile the bank and book balances, and all other entries were made in January. Kiting is possible when weaknesses in internal controls allow one individual to issue and record checks (i.e., improper segregation of duties), or there is collusion between individuals who are responsible for the two functions. In addition to tracing bank transfers, kiting may be detected by (1) obtaining and using a cutoff bank statement (as discussed in the following section) because the kited check clearing in January will not appear on the list of outstanding checks for December, and (2) performing a cash cutoff test because the last check issued in December will not be recorded in the check register.

Tests of Details of Balances The following tests of details of balances focus primarily on two major tests: (1) sending a bank confirmation and (2) testing the client’s bank reconciliation. Confirm bank deposit and loan balances. It is customary for the auditor to obtain a bank confirmation for cash on deposit and loan balances as of the balance sheet date. The standard bank confirmation, depicted in Illustration 13.4, normally confirms the following information: 1. The client’s permission for the bank to respond to the auditor. 2. Requests for all bank balances including details of any accounts closed during the year. 3. Requests of details of interest charges. 4. Requests for details of any loans or lending facilities or bank overdrafts, together with the limits and, if applicable, dates of repayments and any collateral pledged as security for the loan. 5. Requests for details of any assets held by the bank on the customer’s behalf. 6. Requests for details of any contingent liability of which the bank may be aware. A trend is developing where the auditor obtains this information through secure online access to the client’s bank account information. This information assists the auditor in testing the existence, completeness, and valuation and allocation assertions. In addition, it provides information in support of disclosure assertions.

 Auditing Cash and Cash Equivalents  13-9 ILLUSTRATION 13.4  

ASB-CL-6.1: Standard Form to Confirm Account Balance Information with Financial Institutions [ ]

ORIGINAL To be mailed to Financial Institution’s Name and Address

Example bank confirmation

CUSTOMER NAME [Financial Institution’s Name and Address]

We have provided to our accountants the following information as of the close of business on [Date], regarding our deposit and loan balances. Please confirm the accuracy of the information, noting any exceptions to the information provided. If the balances have been left blank, please complete this form by furnishing the balance in the appropriate space below. Although we do not request nor expect you to conduct a comprehensive, detailed search of your records, if during the process of completing this confirmation additional information about other deposit and loan accounts we may have with you comes to your attention, please include such information below. Please use the enclosed envelope to return the form directly to our accountants.

1. At the close of business on the date listed above, our records indicated the following deposit balance(s): ACCOUNT NAME

ACCOUNT NO.

INTEREST RATE

BALANCE*

2. We were directly liable to the financial institution for loans at the close of business on the date listed above as follows: ACCOUNT NO./ INTEREST DATE THROUGH WHICH DESCRIPTION DESCRIPTION BALANCE* DUE DATE RATE INTEREST IS PAID OF COLLATERAL

(Customer’s Authorized Signature)

(Date)

The information presented above by the customer is in agreement with our records. Although we have not conducted a comprehensive, detailed search of our records, no other deposit or loan accounts have come to our attention except as noted below.

(Financial Institution Authorized Signature)

(Date)

(Title) EXCEPTIONS AND/OR COMMENTS

[Audit Firm’s Name and Address] Please return this form directly to our accountants: *Ordinarily, balances are intentionally left blank if they are not available at the time the form is prepared.

Approved 1990 by American Bankers Association, American Institute of Certified Public Accountants, and Bank Administration Institute.

13-10  C h a pte r 13  Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts)

Scan or test bank reconciliations. Scanning or testing a bank reconciliation establishes the correct cash-in-bank balance at the balance sheet date. When the acceptable level of detection risk is high, the auditor may scan the client-prepared bank reconciliation and verify the mathematical accuracy of the reconciliation. If detection risk is moderate or low, the auditor may test more items on the client’s bank reconciliation, which includes: •  Comparing the ending bank balance with the balance confirmed on the bank confirmation form. •  Verifying the validity of deposits in transit and outstanding checks to supporting documentation and the bank cutoff statement (explained below). •  Establishing the mathematical accuracy of the reconciliation. •  Vouching reconciling items such as bank charges, bank credits, or errors to supporting documentation. •  Investigating old items such as checks outstanding for a long period of time and unusual items. The working paper showing auditor testing of a bank reconciliation prepared by the client (PBC) is illustrated in Illustration 13.5. ILLUSTRATION 13.5   Review of client-prepared bank reconciliation

Client: New Millennium Ecoproducts Bell & Bowerman, LLP Prepared by: C.J.B. 1/15/23 Period-end: 12/31/22 Reference: A-1 Reviewed by: R.E.Z. 1/25/23 Acct # 110 Bank Account No. 12345-642 Balance per Bank Deposits in Transit

Outstanding Checks

Add NSF Check: R. Zim 12/29 Balance per Books

$120,262.47 (a) Per Books 12-30 12-31

Per Bank 1-2 1-7 1047 1029 1435 1436 1437 1440 1441

$ 8,425.15 (b) 17,844.79 (b) 225.94 21,600.00 47.25 1,428.14 1,000.00 832.08 41.08

(c) (c) (c) (c) (c) (c) (c)

26,269.94 (F)

(25,174.49) (F) 200.00 (d) $121,557.92 (F)(e) To A

(F) Footed. (a) Agreed to bank statement and bank confirmation. (b)  Vouched to cutoff bank statement plus supporting remittance documents. (c)  Vouched to bank cutoff statement and supporting disbursement documentation. (d) Vouched to bank statement and debit memo. Cash balance at year-end was overstated by $200 and receivables were understated by the same amount. Immaterial. Pass further investigation. (e) Agreed to general ledger.

cutoff bank statement  a bank statement for the period subsequent to the date of the balance sheet that the client requests the bank to send directly to the auditor

The auditor agreed the balance per bank to the bank confirmation. The auditor vouched deposits in transit and outstanding checks to a cutoff bank statement obtained from the bank or by way of secure online access to the client’s bank account information for the cutoff period. A cutoff bank statement is a bank statement as of a date subsequent to the balance sheet date. The date should be at a point in time that will permit most of the year-end outstanding checks to clear the bank. Usually, the date is seven to 10 business days following the end of the client’s fiscal year. The client must request the cutoff statement from the bank and instruct that it be sent directly to the auditor. On receipt of the cutoff statement, the auditor should: •  T  race a sample of all checks dated in the prior year to the outstanding checks listed on the bank reconciliation. •  V  ouch a sample of deposits in transit on the bank reconciliation to deposits on the cutoff statement. •  Scan the cutoff statement and enclosed data for unusual items.

 Auditing Inventory on the Balance Sheet  13-11

The extent of this testing depends on the level of detection risk associated with tests of details. The auditor will test the mathematical accuracy of the client-prepared bank reconciliation and agree the final balance per books to the general ledger. Proof of cash. When fraud risk is high, the auditor might consider performing a proof of cash. A proof of cash not only reconciles the ending balance, it also reconciles cash receipt transactions between the accounting records and the bank, and the cash disbursement transactions between the accounting records and the bank. Consider the following situation. A controller who is a check signer withdraws $5,000 in cash without approval and replaces the cash before the end of the month. This would not be picked up by a bank reconciliation, but it would be picked up by a proof of cash. An end-of-chapter problem explores the topic of proof of cash in more depth.

Tests of Details of Presentation and Disclosure Cash should be correctly identified and classified in the balance sheet. For example, cash on deposit is a current asset. However, bond sinking fund cash is a long-term investment. In addition, there should be appropriate disclosure of arrangements with banks such as lines of credit, restrictions on cash balances, or contingent liabilities. A bank overdraft is normally reported as a current liability. The auditor determines the appropriateness of the statement presentation from a review of the draft of the client’s statements and the evidence obtained from substantive tests. In addition, the auditor should review the minutes of board of directors’ meetings and make inquiry of management for evidence of restrictions on the use of cash balances.

Cloud 9 - Continuing Case Suzie reminds Ian they have conducted extensive testing of Cloud 9’s controls over cash receipts and payments, and many of these tests were dual-purpose. This means that the substantive and control tests were done at the same time. While examining the documents, Ian completed tasks designed to detect control deviations and substantive errors. These tests included reperformance of the bank reconciliations and vouching recorded cash payments and receipts (including transaction approvals and posting) to the underlying documents.

The testing already completed shows that controls over cash are reasonably strong, and they can justify requesting a bank confirmation for an interim date, with a roll-forward to year-end. The bank confirmation will gather evidence about the existence and valuation and allocation assertions, plus rights and obligations (that is, it will reveal liens or claims over bank accounts). The roll-forward will include testing the cutoff of cash receipts and payments.

Before You Go On 1.1 When auditing cash, how might the auditor’s procedures change when a client has poor segregation of duties and weak controls over cash balances? 1.2 What is meant by the term kiting? Explain how kiting results in misstated financial statements. Explain the audit procedures that can be used to detect misstatements due to kiting. 1.3 What information does the auditor seek on a standard bank confirmation form? Explain how the bank confirmation is used in the audit of cash. 1.4 What is a cutoff bank statement? How is the cutoff bank statement used in the audit of cash?

Auditing Inventory on the Balance Sheet Lea rning Objective 2 Evaluate how an auditor determines and executes an audit strategy, including the use of ADA, for inventory and cost of goods sold. Chapter 11 discussed the revenue process, including the sale of inventory. Chapter 12 discussed the purchasing process, including the purchase and payment for many costs associated with the production of inventory. This chapter will focus on auditing the ending balance for inventory

13-12  C h a pte r 13  Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts)

reported on the balance sheet. It will focus primarily on auditing inventory for a company that purchases and resells inventory. However, the discussion of auditing the valuation and allocation assertion will also address valuation of inventory for a manufacturing company.

Understanding the Flow of Transactions Some companies produce inventory, which involves purchasing raw materials (the purchasing process), incurring factory overhead in the conversion process (the purchasing process), and incurring labor costs (the payroll process). In some cases, companies purchase inventory for resale, which also involves the purchasing process. The costs of purchasing or manufacturing inventory are accumulated and added to the cost of beginning inventory to determine the cost of goods available for sale. The cost of ending inventory is then subtracted from goods available for sale to determine the cost of goods sold. The focus of this section is on auditing the costs assigned by the client to ending inventory and the account balance assertions of: •  The completeness of inventory. •  The existence of inventory. •  The valuation of inventory and the allocation of costs to cost of goods sold. •  The rights and obligations related to inventory. Auditors need to be aware that any changes to inventory reported on the balance sheet will also result in changes to cost of goods sold reported on the income statement.

Understanding the Entity and Its Environment A theme that runs through this text is that the audit will vary from client to client, and it may vary from year to year for a particular client. The auditor needs to be attuned to changes in an audit client and tailor the audit to the circumstances that the auditor finds. To drive this point home, we have followed five different industries (manufacturing of oil and gas field machinery and equipment, manufacturing computer equipment, the retail grocery industry, the hotel and motel industry, and colleges and universities) with the goal of understanding how each is different from the others, so that the auditor might make appropriate adjustments in the audit plan. Illustration 13.6 illustrates the importance of inventory and inventory turnover for these five industries. Inventory is immaterial for two of these industries, the hotel and motel industry and colleges and universities, because these are service industries. illustration 13.6   Understanding an entity’s inventory

Example Industry Traits Oil and Gas Field Machinery and Equipment Manufacturing •  Relatively slow inventory turnover

Developing a Knowledgeable Perspective About the Entity’s Financial Statements Inventory as a % of Total Assets: 28% Inventory Turnover in Days (upper quartile):   52 days Inventory Turnover in Days (median): 85 days

Assessing the Risk of Material Misstatement •  Inventory is very material to the financial statements. •  Inventory valuation is subject to industry volatility.

Inventory Turnover in Days (lower quartile):   131 days

•  Products are less subject to significant obsolescence risk.

Electronic Computer Manufacturing

Inventory as a % of Total Assets: 26%

•  Moderate inventory turnover

Inventory Turnover in Days (upper quartile):   31 days

•  Inventory is very material to the financial statements.

•  Gross margins depend on technological superiority of products •  Companies outsource significant aspects of the manufacturing process

Inventory Turnover in Days (median): 66 days Inventory Turnover in Days (lower quartile):   114 days

•  The valuation of inventory is a significant inherent risk due to the technological obsolescence issue.

(continued)

 Auditing Inventory on the Balance Sheet  13-13 illustration 13.6   (continued)

Example Industry Traits

Developing a Knowledgeable Perspective About the Entity’s Financial Statements

Supermarkets and other Grocery Stores

Inventory as a % of Total Assets: 30%

Inventory Turnover in Days (upper quartile): •  Very competitive environment and one product may be substituted easily for other   16 days products Inventory Turnover in Days (median): 24 days Inventory Turnover in Days (lower quartile):   31 days

Assessing the Risk of Material Misstatement •  Inventory is very material to the financial statements. •  The valuation of inventory is a significant inherent risk due to complexity of applying the retail method for valuing inventory. •  Modest risk associated with perishable inventories. •  Supply chain management is the key to profitability in a competitive industry.

Hotels and Motels •  Inventory is usually insignificant in this industry

•  The risk of material misstatement is low due to the immateriality of inventory for Inventory Turnover in Days (upper quartile): N/A this industry. Inventory Turnover in Days (median): N/A Inventory as a % of Total Assets: Less than 1%

Inventory Turnover in Days (lower quartile): N/A Colleges, Universities, and Professional Schools

Inventory as a % of Total Assets: Less than 1%

•  Inventory is usually insignificant in this industry

Inventory Turnover in Days (median): N/A

Inventory Turnover in Days (upper quartile): N/A

•  The risk of material misstatement is low due to the immateriality of inventory for this industry.

Inventory Turnover in Days (lower quartile):   N/A

Inventory is a material asset for the other three industries. Inventory in the manufacture of oil and gas field machinery and equipment is less subject to significant obsolescence risk, but in some economic environments when prices are down due to lower demand, growing inventories may be a concern. The computer manufacturing industry is subject to technological obsolescence, and laptops face significant competition from phones and tablets. When considering the valuation and allocation assertion for manufacturing companies, the auditor needs to understand how capital-intensive the manufacturing process is, and the expected costs associated with raw materials, labor, and manufacturing overhead. The grocery industry is extremely competitive, margins are low, and supply-chain management is critical to a retailer’s success. Further, a significant amount of inventory may be in the supply chain or in the warehouse, rather than in stores.

Understanding the Results of Analytical Procedures Analytical procedures performed as part of risk assessment are cost-effective and may alert the auditor to potential misstatements. If the financial statements show a trend of increased profit margin combined with an increase in the number of inventory turnover in days, inventory may be overstated. This will alert the auditor to pay careful attention to the existence and valuation of inventory. The auditor might also be alert to cutoff problems that might have resulted in overstating inventory. Illustration 13.7 pre­sents some example analytical procedures along with an explanation of the problems that might be identified. When inventory is material to the financial statement audit, the auditor should not consider that analytical procedures are a substitute for other tests of details, but they may be very effective in focusing audit attention where misstatements are likely. In addition, Illustration 13.7 suggests several comparisons of financial measures with underlying measures of business activity, such as raw materials used and direct labor hours. If the auditor plans to use this type of data for a substantive analytical procedure, the auditor should test the control system that ensures the reliability of the data used to support an analytic conclusion.

13-14  C h a pte r 13  Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts) illustration 13.7   Analytical procedures commonly used to audit inventory

Ratio Inventory turnover in days

Inventory growth to cost of sales growth

365 ÷

(

(

(

Formula

)

Cost of goods sold Average inventory

InventoryCurrent Year InventoryPrior Year

)

Cost of salesCurrent Year Cost of salesPrior Year

−1

)

Audit Significance Prior experience in inventory turnover in days, combined with knowledge of cost of sales, can be useful in estimating current inventory levels. A lengthening of inventory turnover in days may indicate existence or valuation (lower-of-cost-or-net-realizable-value) problems. Ratios larger than 1.0 indicate that inventories are growing faster than sales. Large ratios may indicate possible inventory obsolescence problems.

−1

Finished goods produced to raw material used

Finished goods quantities Raw material quantities

Useful in estimating the efficiency of the manufacturing process. May be helpful in evaluating the reasonableness of production costs.

Finished goods produced to direct labor

Finished goods quantities Direct labor hours

Useful in estimating the efficiency of the manufacturing process. May be helpful in evaluating the reasonableness of production costs.

Product defects per million

Number of product defects Each million produced

Useful in estimating the effectiveness of the manufacturing process. May be helpful in evaluating the reasonableness of production costs and warranty expenses.

Professional Environment  Indicators of Phantom Inventory In his article “Ghost Goods: How to Spot Phantom Inventory,” Joseph T. Wells says that ghost goods throw a company’s accounting records out of kilter. He suggests the following trends are potential indicators of phantom inventory: •  Inventory increasing faster than sales. •  Decreasing inventory turnover. •  Shipping costs decreasing as a percentage of inventory.

•  Inventory rising faster than total asset growth. •  Falling cost of sales as a percentage of sales. •  C  ost of goods sold on the books not agreeing with tax returns. Source: Joseph T. Wells, “Ghost Goods: How to Spot Phantom Inventory,” Journal of Accountancy (June 2001).

Assessing Inherent Risk The inherent risk of material misstatement arising from inventory transactions for a hotel chain or a university is relatively low, as inventory is not a material part of the entity’s core process. With a manufacturer, wholesaler, or retailer, however, inherent risk for inventory may be assessed at or near the maximum for the following reasons: •  The volume of purchases, manufacturing, and sales transactions that affects these accounts is generally high, increasing the opportunities for misstatements to occur. •  Contentious issues often surround the use of professional judgment in the identification, measurement, and allocation of costs related to inventory such as indirect materials, labor, and manufacturing overhead, joint product costs, and the accounting for cost variances, scrap, or inventory shrinkage. •  The wide diversity of inventory items sometimes requires the use of special procedures to determine inventory quantities, such as geometric volume of stockpiles, aerial photography, and estimation of quantities by experts. •  Inventories are often stored at multiple sites, adding to the difficulties associated with maintaining physical controls over theft and damages, and properly accounting for goods in transit between sites. •  The wide diversity of inventory items may present special problems in determining their quality and market value. •  Inventories are vulnerable to spoilage, obsolescence, and other factors such as general economic conditions that may affect demand and sales price, and thus the proper valuation of the inventories.

 Auditing Inventory on the Balance Sheet  13-15

Professional Environment  Restatements Related to Inventory Audit Analytics1 recently reported a summary of restatements due to inventory, vendor, and cost-of-sales issues for the 17-year period ending in 2017. Inventory restatements included inventory, vendor, and cost-of-sales issues that consisted of errors or fraud in approach, theory, or calculations associated with transactions affecting inventory, vendor relationships (including rebates), and/or cost of sales. These misstatements

Disclosure Year

primarily are related to the capitalization of activities in inventory or the calculation of year-end inventory balances. As seen below, these misstatements range between 4.2% and 9.6% of all restatements. From 2013–2016, misstatements were pretty steady, ranging between 7.9% to 9.1% of all restatements. In 2017, the number of restatements associated with inventory dropped down to 6.3% of all restatements.

2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016

2017

Expense recording issues

91

145

133

72

54

47

36

46

49

71

78

60

59

35

% of all financial statement restatements

9.6%

9.2%

7.2%

5.6%

5.6%

5.7%

4.2%

5.4%

5.8%

8.1%

9.1%

7.9%

8.7%

6.3%

Assessing Control Risk and Fraud Risk Many elements of valuing inventory involve professional judgment and accounting estimates. For example, significant professional judgment is involved in estimating how manufacturing overhead is allocated to inventory versus cost of goods sold. Professional judgment is also involved in determining if inventory is obsolete or should be written down to the lower-of-costor-net-realizable-value. As a result, entity-level controls such as a sound control environment and a tone at the top set an important foundation for accurate accounting and strong internal controls. Many of the controls over inventory overlap with revenue, purchasing, and payroll processes. For example, the purchase of raw materials or the purchase of inventory held for resale overlap with the controls over purchase transactions. Controls over the classification of these transactions are particularly relevant to inventory (e.g., the proper classification of purchase of raw materials or items related to manufacturing overhead). Further, controls over the classification of payroll are particularly relevant to the accounting for manufacturing labor. It is important for the auditor to understand how the client develops the value for inventory reported on the balance sheet at the end of the year. Most clients keep a perpetual inventory for inventory quantities, which keeps track of the quantity of each item in inventory and where it is located. However, when it comes to determining the value of inventory, most clients use the periodic method. Therefore, at the end of the year, the client determines the quantity of inventory on hand, usually by a physical count, and then the client determines the value of each item in inventory to arrive at an ending inventory value. The client then takes the beginning inventory value and adds purchases (or total manufacturing cost) to determine the value of goods available for sale. Finally, the client subtracts the value of ending inventory to determine cost of goods sold. To summarize, determining the value of ending inventory is a three-step process outlined in Illustration 13.8. In step one, the client determines inventory quantities at each location. This may be done by taking a complete physical count of inventory, or by using the perpetual inventory records of inventory quantities on hand. The client often controls the accuracy of physical counts by having a second team investigate differences between the physical count and the perpetual inventory. In step two, a compilation of inventory values is developed in which the client assigns values to each item in inventory to determine the value of ending inventory. In step three, a journal entry is prepared to adjust the value of ending inventory and cost of goods sold based on the physical count and the compilation of inventory values. If ending inventory is overstated in this process, cost of goods sold will be understated, and gross margins and net income will be overstated. 1 Don Whalen, Olga Usvyatsky, and Dennis Tanona, 2017 Financial Restatements, A Seventeen Year Comparison (Audit Analytics: Sutton, MA, 2018).

compilation of inventory values  the client’s documentation behind the value for inventory in the general ledger; this shows the quantity of each item in inventory and the values assigned to each item in inventory

13-16  C h a pte r 13  Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts) ILLUSTRATION 13.8  

Steps in accounting for inventory

1. Physically count inventory at each location

2. Develop a compilation of inventory values with quantities and prices for each item in inventory

3. Develop a journal entry to adjust ending inventory and cost of goods sold

Illustration 13.9 summarizes what can go wrong (WCGW) with respect to inventory, and key controls the auditor might expect to find related to inventory. As you review Illustration 13.9, try to associate particular controls with the assertions being controlled. The following illustration assumes there is good segregation of duties and strong entitylevel controls.

ILLUSTRATION 13.9   Inventory: WCGW and example controls

Risks (WCGW)

Example Controls

Inventory may not exist.

•  Physical controls over inventory (fences, a secure warehouse, and additional physical controls in the warehouse depending on the size and value of inventory). •  W  arehouse and store organization such as numbered locations and identification of each item in inventory using SKU (Stock Keeping Unit) numbers and barcodes or UPC (Universal Product Codes) numbers and barcodes. •  Regular comparison of perpetual records with actual inventory using frequent counts of a small proportion of inventory, or cycle counts.

Inventory counts may be inflated.

•  Regular independent comparison of perpetual records with actual inventory. •  Accurate recording of all scrap transactions or spoilage.

Inventory may not be recorded.

•  Regular count of physical inventory for comparison with perpetual records. •  Investigation of negative balances in inventory records.

Inventory may be valued incorrectly at historical cost.

•  Costs compared with recent purchases. •  Internal controls over purchases of raw materials and manufacturing labor charged to inventory. •  Regular review of manufacturing overhead charged to inventory.

Inventory may be valued incorrectly at net realizable value.

•  Regular review of obsolete inventory.

Consignment out may not be included.

•  Consignment out periodically inspected by company.

Consignment in may be included in inventory.

•  Consignment inventory segregated from other inventory and accounted for separately.

•  Regular comparisons of inventory costs to sales prices.

Key Inventory Controls Many clients build in redundant controls such that if one control does not prevent a misstatement, another control will detect the problem (both preventive and detective controls). Auditors cannot efficiently test all controls that exist, but will identify a few key controls and test the most important control for each assertion. Following are example key controls auditors often identify. Several of these controls are dependent on good physical controls over inventory and the use of SKU (Stock Keeping Unit) numbers and barcodes, or UPC (Universal Product Codes) numbers and barcodes, similar to what you see in Illustration 13.10.

 Auditing Inventory on the Balance Sheet  13-17 ILLUSTRATION 13.10  

Alphanumeric

SKU or UPC inventory label

SKU#: V4C3D5R2 UPC:

Numeric only 8

10 2 9 5 0 0 1 16

9

Existence of inventory. The client conducts regular cycle counts, typically monthly or quarterly. The client will frequently identify a small portion of items in the perpetual inventory, go to the inventory location and count the inventory, and investigate and correct any discrepancies that are found. Clients that do not cycle-count should count inventory at least once a year, preferably near the balance sheet date. Completeness of inventory. As part of regular cycle counts, the client begins by counting items in inventory and comparing them with the perpetual inventory records. Any discrepancies between the physical count and the perpetual records are investigated and corrected. Valuation of inventory at historical cost. The client regularly compares costs with recent purchases when using FIFO. The client also regularly compares accumulated manufacturing costs with standard costs and investigates variances. Valuation of inventory at net realizable value. The client regularly conducts a review of obsolete inventory. This usually involves evaluating the amount of inventory on hand, investigating slow-moving items, and comparing inventory cost with sales prices. Rights and obligations. An important rights and obligations issue involves consignment inventory. Consignment inventory is inventory that is sent by its owner (consignor) to an agent (consignee) who agrees to sell the goods. The consignee has an obligation to pay the consignor when the goods are sold by the consignee. If the client holds inventory on consignment from a consignor, it should be segregated from other inventory in the warehouse or store, counted separately, and not included in any final inventory count. If the client owns inventory on consignment to a consignee, the client should regularly visit the consignee’s locations and count consignment inventory that has not been sold for comparison with perpetual inventory records.

Testing Inventory Controls Tests of inventory controls often involve observing the client’s controls and reperforming the client’s controls. For example, the auditor will observe the client conducting cycle counts, and at the same time the auditor may check the accuracy of the client’s cycle counts and investigate and correct discrepancies. In some cases, the client may use IT application controls to test the accuracy of inventory prices compared to recent purchases, or to compare inventory values with sales prices. If these controls operate monthly or quarterly, the auditor may choose to test these software applications at both interim and year-end, thereby performing a dual-purpose test—testing the control and substantively testing the assertion at the same time.

Fraud Risk Assessment After evaluating inherent risk and control risk, the auditor is in a position to evaluate fraud risk. The auditor should be alert to incentives and pressures that may motivate management to misstate inventory. Further, weak internal control over the existence of inventory may lead to increased theft of inventory by employees. Ultimately, good internal controls reduce the opportunity for fraud. If internal controls are not strong, the auditor should be alert to the heightened risk of fraud.

cycle counts  the client will frequently identify a small portion of items in the perpetual inventory, count actual inventory, and investigate discrepancies; the client will usually vouch items in the perpetual records to the actual inventory on hand (testing existence), and also count inventory on hand for other items and then trace results to the perpetual records (testing completeness)

consignment inventory  inventory that is sent by its owner (consignor) to an agent (consignee) who undertakes to sell the goods; the consignee has an obligation to pay the consignor when the goods are sold by the consignee

13-18  C h a pte r 13  Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts)

Professional Environment SEC Settlements Regarding Inventory Frauds and Misstatements

On April 19, 2016, the SEC issued Accounting and Auditing Enforcement Release 3765 involving Logitech International. In October 2010, Logitech launched a product called “Revue,” a set-top device that connected to televisions allowing internet usage and video streaming. The product was not well-received and Logitech missed a number of internal sales projections. Based on the sales rate for the fourth quarter of 2011, Logitech had over a year’s supply of Revue. Based on the quarter-end sales rate to retailers, Logitech had over three years of inventory of Revue. However, management used optimistic sales forecasts when considering whether there was a lower-of-cost-or-market problem, in spite of internal discussions that noted if Logitech needed to scrap inventory and components, Logitech should assume the recoverable value of zero. The SEC findings concluded that at the time Logitech filed its 2011 financial statements, the company overstated its operating income by $30.7 million, i.e., over 27%.

On September 22, 2015, the SEC issued Accounting and Auditing Enforcement Release 3704 involving Stein Mart, Inc., a retailer of discounted clothing and accessories. In May 2013, Stein Mart had to restate its financial results for the first quarter of 2012, all reporting periods in fiscal year 2011, and its annual reporting period for 2010. The primary reason was that it failed to appropriately account for permanent markdowns of inventory. Unlike temporary markdowns, permanent markdowns were never returned to their original prices. While the retailer regularly marked down inventory, it did not record the permanent inventory markdowns until the inventory was actually sold. The failure to decrease the value of inventory for permanent inventory markdowns was so significant that, in the first quarter of 2012, Stein Mart overstated its pretax income by almost 30%. The SEC concluded that not only were earnings materially misstated, but that Stein Mart did not have adequate internal controls over inventory markdowns.

Audit Data Analytics as a Risk Assessment Procedure Audit data analytics (ADA) allow the auditor to screen the entire inventory population for particular characteristics. ADA may be helpful in assessing whether inventory may be misstated. The auditor can use ADA to determine how quickly or slowly inventory is turning. For example, ADA can calculate the number of inventory turnover in days for each SKU number and identify the slowest-moving inventory for follow-up analysis regarding the lower-of-cost-or-net-realizable-value (NRV) of inventory. ADA can also aggregate inventory turnover in days for each location to identify specific locations that are underperforming or appear to have excessive inventory. In some cases, companies that have filed for bankruptcy have had inventory on hand that would take them two years to sell. This should be a clear indicator for the auditor that the client may have obsolete inventory or inventory with a lower-of-cost-or-NRV problem. ADA may also be used to evaluate the space needed to store inventory. When a company has a large number of items in inventory, and the inventory should take up significant space, the auditor can use information about the space needed to warehouse each item of inventory and determine whether the space needed for the entire inventory approximates the space actually used to store that inventory. This may be an effective way to determine the appropriateness of quantities recorded for inventory.

Determining an Audit Strategy The audit strategy is highly dependent on the client’s system of internal controls. For many companies, inventory is a material item on the balance sheet and cost of goods sold is material to the income statement. Inherent risk associated with the existence and the valuation and allocation assertions is likely to be at or near maximum because of the materiality of the inventory account and its interaction with cost of goods sold. When evaluating internal controls, auditors are particularly alert to the frequency and quality of cycle counts and the number of discrepancies that result in corrections to the perpetual inventory. Auditors are also alert to the controls over the valuation of inventory. It is particularly important for auditors to use their knowledge of the entity and its business environment when evaluating customer demand for inventory, the amount

 Auditing Inventory on the Balance Sheet  13-19

of inventory on hand, and the potential need to adjust inventory for lower-of-cost-orNRV issues. When the risk of material misstatement (the combined assessment of inherent risk and control risk) is low, the auditor is likely to perform substantive tests at an interim date with smaller sample sizes. However, when the risk of material misstatement is high, the auditor is more likely to perform substantive tests directly on year-end balances with more extensive audit procedures.

Substantive Tests of Inventory Possible substantive tests of inventory balance assertions are shown in Illustration 13.11. Evidence from some of the tests applicable to merchandise inventory and to manufactured finished goods inventories also relates to objectives for the corresponding cost of goods sold accounts because of the reciprocal relationship of these accounts. Following the illustration, each of the substantive tests is discussed, together with selected comments about how the tests can be tailored based on the acceptable level of detection risk to be achieved.

ILLUSTRATION 13.11  Substantive tests for inventory

Category Initial procedures

Substantive Test 1.  Obtain an understanding of the business and industry and determine:

Assertions All

a.  The significance of cost of sales and inventory to the business. b. Key economic drivers that influence the entity’s cost of sales, gross margins, and the possibility of obsolete inventory. c. The extent to which the client has consignment inventories (in or out). d. The existence of purchase commitments and concentration of activities with suppliers. 2. Perform initial procedures on inventory balances and records that will be subjected to further testing.

Analytical procedures

a. Vouch beginning inventory balances to ending balances in the prior year’s working papers.

Valuation and allocation

b. Review activity in inventory accounts and investigate entries that appear unusual in amount or source.

Existence, Completeness

c. Verify totals of perpetual records and other inventory schedules and their agreement with general ledger balances.

Existence, Completeness, Valuation and allocation

3. Perform analytical procedures:

All

a. Review industry experience and trends. b. Examine analysis of inventory turnover. c. Review relationship of inventory balances to recent purchasing, production, and sales activities. d. Compare inventory balances to anticipated sales volume.

Tests of details of transactions

4. On a test basis, vouch entries in inventory to supporting documentation (e.g., vendors’ invoices, manufacturing cost records, completed production reports, and sales and sales return records).

Occurrence, Accuracy, Classification

5. On a test basis, trace data from purchases, manufacturing, completed production, and sales records to inventory accounts.

Completeness, Accuracy, Classification

6. Test cutoff of purchases and sales returns (receiving), movement of goods through manufacturing departments (routing), and sales (shipping).

Cutoff (continued)

13-20  C h a pte r 13  Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts) ILLUSTRATION 13.11  (continued)

Category Tests of details of balances

Substantive Test

Assertions

7. Observe client’s physical inventory count: a. Determine the timing and extent of tests.

Existence, Completeness

b. Evaluate adequacy of client’s inventory-count plans. c. Observe care taken in client’s counts and make test counts. d. Look for indications of slow-moving, damaged, or obsolete inventory.

Valuation and allocation

e. Account for all inventory electronic count media, tags, or count sheets used in physical count. 8. Test clerical accuracy of the compilation of inventory values: a. Recalculate totals and extensions of quantities × unit prices.

Valuation and allocation

b. Trace test counts (from item 7c) to the compilation of inventory values.

Completeness

c. Vouch items on the compilation of inventory values to inventory electronic count media, tags, count sheets.

Existence, Valuation and allocation

d. Reconcile physical counts to perpetual records, the compilation of inventory values, and general ledger balances. Inspect adjusting entries.

Existence, Completeness, Valuation and allocation

9. Test inventory pricing: a. Examine paid vendor invoices for purchased inventories.

Valuation and allocation

b. Examine propriety of direct labor and overhead rates, standard costs, and accounting for variances pertaining to manufactured inventory.

Valuation and allocation

10. Confirm inventories at locations outside the entity.

Rights and obligations

11. Examine consignment arrangement and contracts.

Rights and obligations

12. Based on the tests of beginning inventory, production costs, and ending inventory, determine the appropriateness of cost of sales.

Valuation and allocation

13. Evaluate the net realizable value of inventory:

Valuation and allocation

a. Examine sales invoices after year-end and perform lower-of-cost-or-NRV test. b. Compare inventories with client’s current sales catalog and sales reports. c. Inquire about slow-moving, excess, or obsolete inventories and determine need for writedown. d. Evaluate management’s process for estimating the net realizable value of inventory using hindsight. e. Evaluate the net realizable value of inventory given information about: •  Industry trends. •  Inventory turnover trends. •  Specific slow-moving inventory. Presentation and disclosure

14. Compare statement presentation with GAAP: a. Confirm agreements for pledging inventories as collateral for loans.

Occurrence and rights and obligations

b. Review presentation and disclosure for inventories in drafts of the financial statements and Classification and understandability, determine conformity with GAAP. Accuracy and valuation Completeness c. Evaluate the completeness of presentation and disclosures for inventory in drafts of financial statements to determine conformity to GAAP by reference to disclosure checklist. d. Read disclosures and independently evaluate their understandability.

Classification and understandability

Initial Procedures An essential initial procedure involves obtaining an understanding of the entity’s business and industry. This allows the auditor to develop a knowledgeable perspective about the entity and set the context for the evaluation of analytical procedures and tests of details. In tracing beginning inventory balances to the prior year’s working papers, the auditor should make certain that any audit adjustments agreed upon in the prior year did in fact get

 Auditing Inventory on the Balance Sheet  13-21

recorded. In addition, current period entries in the general ledger inventory accounts should be scanned to identify any unusual adjustments in amount or nature and require special investigation. Initial procedures also involve determining that the compilation of inventory values agrees with the general ledger balance.

Substantive Analytical Procedures The application of substantive analytical procedures to inventories uses the auditor’s knowledge of the entity and its environment to develop expectations about the financial statements. This knowledgeable perspective is effective in identifying accounts that may be misstated. Suggested analytical procedures are presented in Illustration 13.7 and by the steps shown in Illustration 13.11. A review of industry experience and trends may be essential in developing expectations to be used in evaluating analytical data for the client. For example, knowing that a sharp drop in the client’s inventory turnover ratio mirrors what is happening in the industry may help the auditor to conclude that the drop does not indicate errors pertaining to the existence assertion or problems in the client data used in calculating the ratio, but may instead indicate a valuation problem related to a drop in demand that is likely to be followed by falling market prices. A review of relationships of inventory balances to recent purchasing, production, and sales activities should also aid the auditor in understanding changes in inventory levels. For example, an increase in the reported level of finished goods inventory when purchasing, production, and sales levels have remained steady might indicate misstatements related to the existence or valuation of the finished goods inventory. In addition to the calculation of an overall inventory turnover ratio for each inventory account, it may be appropriate to calculate the ratio for disaggregated data, such as by product line. Because of the reciprocal relationship between inventories and cost of goods sold, these procedures may provide evidence useful in determining the fairness of management’s assertions pertaining to both accounts. For example, an unexpectedly high inventory turnover ratio or an unexpectedly low gross margin might be caused by an overstatement of cost of goods sold and a corresponding understatement of inventories. The auditor should also understand and evaluate the relationship between costs, volume, and gross profit, and the degree to which manufacturing costs are fixed and variable. Conversely, conformity of these ratios with expectations may provide some limited assurance of the fairness of the historical data used in the calculations unless evidence from other sources is contradictory. Finally, analysis of inventory levels and ratios based on anticipated sales volume in the subsequent period may be useful in conjunction with market valuation procedures.

Tests of Details of Transactions Testing transactions involves the procedures of vouching and tracing to obtain evidence about the processing of individual transactions that affect inventory balances. In this process, the auditor should give special consideration to determining the propriety of the cutoff of inventory transactions at the end of the accounting period. Inspect entries in inventory accounts. Some or all of this type of testing may be done as part of dual-purpose tests during interim work. Examples of vouching recorded entries in inventory accounts include the vouching of •  Purchases of merchandise or raw materials inventories to vendor invoices, receiving reports, and purchase orders. •  Increases in work in process or finished goods inventories to manufacturing cost records and production reports. •  Decreases in raw materials and work in process inventories to manufacturing cost records and production reports. •  Sales of merchandise and finished goods inventories to sales documents and records. Tests of purchases and sales may be performed during testing of the purchasing process (Chapter 12) and revenue process (Chapter 11). Recall that vouching entries that increase inventory balances provides evidence about the existence and valuation of the inventory at the time of the transaction. Vouching entries that decrease inventory balances to determine the propriety of the inventory reductions provides

13-22  C h a pte r 13  Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts)

evidence about the valuation and allocation assertion for cost of goods sold. Tracing documentation for purchases and the cost of factors added to production to entries in the inventory accounts provides evidence for the completeness and valuation and allocation inventory assertions. Tracing documentation of transactions that decrease inventory balances, such as sales, provides evidence for the existence and valuation and allocation assertions for inventory, since the evidence helps determine that entries were recorded and entered at the correct amounts. Test cutoff of purchases, manufacturing, and sales transactions. The purpose and nature of sales and purchases cutoff tests are explained in Chapters 11 and 12 in connection with the audit of accounts receivable and accounts payable balances. Both tests are important in establishing that transactions occurring near the end of the year are recorded in the correct accounting period. In a manufacturing company, it must also be determined that entries are recorded in the proper period for the transfer of costs for goods moved (1) between stores and production departments, (2) between one production department and another, or (3) between production departments and finished goods. In each case, the auditor must determine, through inspection of documents and physical observation, that the paperwork cutoff and the physical cutoff for inventory counts are coordinated. For example, if the auditor determines that an entry transferring the cost of the period’s last lot of completed production to finished goods has been recorded, the auditor should determine that the goods, even if in transit, were included in the physical inventory of finished goods only. That is, they were neither counted as part of work in process, nor double counted, nor missed altogether. Evidence from these cutoff tests relates to both the existence and completeness assertions for inventory balances and cost of goods sold.

Tests of Details of Balances: Observing the Client’s Physical Inventory Count The observation of inventories has been a generally accepted auditing procedure for over 80 years. This procedure is required whenever inventories are material to a company’s financial statements. In performing this auditing procedure, the client has responsibility for the counting of inventory. AU-C 501 Audit Evidence—Specific Considerations for Selected Items states that, from testing the accuracy of the client’s inventory count, the auditor obtains direct knowledge of the effectiveness of the client’s inventory count and gains a measure of reliance that may be placed on management’s assertions as to the quantities and physical condition of the inventories. In some cases, outside inventory specialists may be hired by the client to count the inventory. When this occurs, the auditor must also be present to observe the specialist’s counts because, from an auditing standpoint, the specialist is basically the same as client employees. The primary audit considerations applicable to this required procedure are explained in the following subsections.

Professional Environment Why Do Auditors Observe Inventory? During the 1930s, audit evidence for inventories was usually restricted to obtaining a certification from management as to the correctness of the stated amount. In 1938, the discovery of a major fraud in McKesson & Robbins Company, a major pharmaceutical firm, caused a reappraisal of the auditor’s responsibilities for inventories. The company’s December 1937 financial statements “certified” by a national public accounting firm reported $87 million of total assets. Of this amount, $19 million ($10 million in inventory and $9 million in receivables) was subsequently determined to be fictitious. The auditors were exonerated of blame because they had complied with existing auditing standards. However, promptly thereafter, in Statement on Auditing Procedure No. 1, auditing standards were changed to include physical observation of inventories.

In spite of the standard for auditors to physically observe inventory, inventory scandals continue to happen. In 1963, Allied Crude Vegetable Oil, a New Jersey company led by Anthony De Angelis, determined that it could obtain loans based on the company’s inventory of salad oil. When inspectors confirmed that stores of salad oil were full, the company obtained millions in loans. However, storage tanks were filled mostly with water, with only a few feet of salad oil floating on the top. The company claimed to have 1.8 billion pounds of salad oil, when it only had 110 million pounds. Once the scandal was exposed, investors and lenders lost significant sums. These issues are only avoided when the auditor understands the client’s business and uses due diligence and professional skepticism when auditing inventory.

 Auditing Inventory on the Balance Sheet  13-23

Timing and extent of inventory observations. The timing of an inventory observation depends on the effectiveness of the client’s internal controls over inventory. In a periodic inventory system, quantities are determined by a physical count, and all counts are made as of a specific date. The date should be at or near the balance sheet date, and the auditor should ordinarily be present on the specific date. In a perpetual inventory system with effective internal controls, physical counts may be compared with inventory records at interim dates. When the perpetual records are well kept and comparisons with physical counts are made periodically by the client, the auditor should be present to observe a representative sample of such counts. In such cases, this procedure may occur either during or after the end of the period under audit. In companies where inventories are at multiple locations, the auditor will use his or her knowledge of sampling to determine the number of locations at which to observe inventory. Inventory-count plans. The counting of a physical inventory by a client is done according to a plan or a list of instructions. The client’s instructions should include such matters as the: •  Names of employees responsible for supervising the counting of inventory. •  Date of the counts. •  Locations to be counted. •  Detailed instructions on how the counts are to be made (e.g., manual counts versus electronic counts) and instructions for controlling inventory counts (e.g., whether manual counts are double counted or the basis for testing electronic counts). •  Use and control of electronic count media, prenumbered inventory tags, or summary count sheets. •  I nstructions for handling the receipt, shipment, and movement of goods during the counts if such activity is unavoidable. •  Segregation or identification of goods not owned. The auditor must plan in advance so that inventory observation can be done efficiently and effectively. An experienced auditor usually has the responsibility for (1) planning the inventory observation, (2) determining the staffing needs, and (3) assigning members of the audit team to specific locations. Each observer should be provided with a copy of the client’s inventory plans and written instructions for counting inventory. Performing the inventory observation. In observing inventories, the auditor should: •  Scrutinize the care with which client employees are following the inventory plan. •  See that all merchandise is counted once and only once. If inventory is tagged, no items should be double-tagged. •  Determine that the electronic count media, prenumbered inventory tags, or compilation sheets are properly controlled. •  Make some test counts and trace quantities to final count. •  Be alert for empty containers and hollow squares (empty spaces) that may exist when goods are stacked in solid formations. •  Identify the last receiving and shipping documents used and determine that goods received during the count are properly segregated. •  Watch for damaged and obsolete inventory items and evaluate the general condition of the inventory (e.g., inventory caked with dust or cobwebs). •  Inquire of employees about the existence of slow-moving inventory items. The extent of the auditor’s test counts depends, in part, on the care exercised by client employees in counting the inventory, the nature and composition of the inventory, and the effectiveness of controls pertaining to the physical safeguarding of the inventory and the maintenance of perpetual records. Ordinarily, the auditor will stratify the inventory items to include the items of highest dollar value in the count, as well as count a representative sample of other items. The auditor may refer to perpetual inventory records to identify the high-value items and select the sample items. In making test counts, the auditor should record the count and give a complete and accurate description of the item (identification number, unit of measurement, location, etc.) in the working

13-24  C h a pte r 13  Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts)

papers as shown in Illustration 13.12. Such data are essential for the auditor’s comparison of the test counts with the client’s counts, the subsequent tracing of the counts to the perpetual inventory records, and the compilation of inventory values. After the inventory has been counted, the auditor should obtain a copy of the electronic count media, or make a listing of all tags (used or unused) or summary sheets and obtain sufficient information so no inventory can be added to the count after the auditor has observed inventory. Several significant frauds have occurred, overstating inventory, when the auditor has not adequately controlled the electronic media or count sheets. ILLUSTRATION 13.12   Inventory test counts working paper

Client: New Millennium Ecoproducts Bell & Bowerman, LLP Prepared by: W.C.B.  1/15/23 Period-end: 12/31/22 Reviewed by: R.E.Z.  1/25/23 Raw Materials Test Counts Reference: F-2 Tag No.

Sheet No.

Number

Description

6531 8340 1483 4486 3334 8502 8844 6295

15 18 24 26 48 64 68 92

1-42-003 1-83-012 2-11-004 2-28-811 4-26-204 7-44-310 7-72-460 3-48-260

back plate 1/4″ copper plate Single end wire Copper tubing Side plate 1/2″ copper wire 3/8″ copper wire Front plate

Count 125 93 1325 yds. 220 424 276 ft. 419 ft. 96

Count 125 93 1321 yds. 220 424 276 ft. 419 ft. 69

Difference (a) (a) (a) (a) (a) (a) (a) (a)

 0  0 4 yds.  0  0  0  0 27

(b)

(b)

(a) Traced to clientʼs electronic count media (F-4), noting corrections for all differences. (b) Each difference was corrected by the client. The net effect of the corrections was to increase inventory by $840. If similar errors existed in the unsampled portion of the population (F-5), the projected misstatement would amount to $26,460, which is considered to be immaterial to the current fiscal year. Pass further investigation.

At the conclusion of the observation procedure, a designated member of the audit team should prepare an overall summary. The summary should include a description of such matters as (1) departures from the client’s inventory-count plan, (2) the extent of test counts and any material discrepancies resulting therefrom, (3) conclusions on the accuracy of the counts, and (4) conclusions regarding slow-moving or obsolete inventory noted while at the client’s location.

Audit Reasoning Example  Preparing for an Inventory Observation Ken has been assigned to the audit of a regional company that sells household appliances (e.g., washers and dryers, refrigerators, televisions). Ken is meeting Jennifer, the audit manager, before going out to perform an inventory observation at the company’s warehouse. Jennifer says, “Ken, the inventory observation is particularly important. If errors happen during the inventory observation and we don’t get the appropriate evidence, we will have to observe the inventory again— at our own cost! This must be done right the first time. First, it is essential that you observe how the client is counting the inventory, and how client personnel are double-checking their counts. Test the client’s controls over counting all of the inventory. If the client has good controls you can reduce the extent of your test counts. All of the inventory is bar coded, so they should be comparing actual counts with the company’s perpetual inventory. Make sure you document your tests of the client’s controls and your conclusions. Second, you will need to test-count the inventory; have the client open boxes to make sure the boxes actually contain the appropriate inventory. This is important to testing the existence of inventory. Third, look for any evidence of the inventory being damaged, or boxes with a lot of dust on them. On average, the company turns over its inventory about every two months, so inquire of workers in the warehouse about inventory that has been around for three months or more. Fourth, when you are talking with the warehouse personnel, determine if they are aware of inventory that is held on consignment. I don’t expect that they should have any consignment inventory, but we need to ask the employees that work with inventory on a day-to-day basis about this. Finally, in addition to your test counts, make sure you leave with a copy of all of the counts made by the client. This will most likely be in electronic form, so obtain a copy of the electronic file the client has with 100% of the counts of inventory. This will be essential for our later work. It goes without saying that you need to document all of your tests and your audit findings.”

 Auditing Inventory on the Balance Sheet  13-25

Observation of beginning inventories. To express an unqualified opinion on the income statement, the auditor must observe the counting of both the beginning and ending inventories. On a recurring audit engagement, this requirement is met by auditing the ending inventory of each year. However, in the initial audit of an established company, the auditor may either be appointed after the beginning inventory has been counted or be asked to report on the financial statements of one or more prior periods. In such circumstances, it is clearly impracticable for the auditor to have observed the inventory count, and generally accepted auditing standards permit the auditor to verify the inventories by other auditing procedures as explained below. When the client has been audited by another firm of independent auditors in the prior period(s), the other procedures may include a review of the predecessor auditor’s report and/or working papers and a review of the client’s inventory summaries for the prior period(s). If the client has not been audited previously, the auditor may be able to obtain audit satisfaction by reviewing the summaries of any client counts, testing prior inventory transactions, and applying gross profit tests to the inventories. Such procedures are appropriate only when the auditor is able to verify the validity and propriety of the ending inventory for the period under audit. When inventories have been observed at the beginning of the year, the auditor may be able to issue a standard unmodified audit report. However, when sufficient appropriate evidence has not been obtained as to the beginning inventories or the auditor is unable to observe the counting of ending inventories, the auditor has a scope limitation and should issue a qualified opinion or a disclaimer of opinion as will be discussed in Chapter 15. Test clerical accuracy of compilation of inventory values. After the physical inventory has been counted, the client uses the electronic count media, inventory tags, or count sheets to prepare a compilation of inventory values that lists all items counted. The inventory items are then priced to arrive at the total dollar valuation of the inventory on hand. Because this listing serves as the client’s basis for any entries required to adjust recorded inventories to agree with those on hand, the auditor must perform certain tests to determine that the listing is clerically accurate, it accurately represents the results of the physical counts, and it agrees to the general ledger. Tests of clerical accuracy include recalculating the totals shown on the inventory listings and verifying the accuracy of the extensions of quantities multiplied by unit prices on a test basis. This can often be done with generalized audit software. To determine that the list accurately represents the results of the count, the auditor traces his or her own test counts to the inventory listings, and vouches items on the listings to the electronic count media, inventory tags, or count sheets used in the physical inventory. The physical counts are then compared, on a test basis, with amounts per perpetual records, when applicable, and any differences are noted and investigated and traced to adjusting entries if required. This test provides evidence for the existence, completeness, and valuation and allocation assertions. Test inventory pricing. This test involves examining supporting documentation for both the cost and market value of inventories. Thus, it relates primarily to the valuation and allocation assertion. Evidence in support of unit costs varies with the nature of the inventory. For items purchased for resale (merchandise inventory or raw materials), costs should be vouched to representative vendor’s invoices. If the client is unable to produce vendor invoices for the quantity in inventory, it would indicate a potential existence problem with inventories. The auditor should also determine that inventory costing procedures used are consistent with those used in prior years. The consistency of the pricing can be established by review of the prior year’s working papers on a recurring audit. This step in the verification of pricing includes a review of the pricing of obsolete and damaged goods to ensure they are not valued in excess of net realizable value at the statement date. The determination of net realizable value of inventory is based on sales prices. If the client can sell inventory and break even, there is not a lower-of-cost-or-NRV problem. Therefore, when auditing net realizable value the auditor will usually look at sales prices on sales invoices after year-end to determine if the cost of inventory is recovered by sales prices. Test costs of manufactured inventories. The nature and extent of the auditor’s pricing tests of work in process and finished goods depend on the reliability of the client’s cost accounting records and the methods used by the client to accumulate such costs. The auditor should review the methods for propriety, and accuracy and consistency of application. For example, when standard costs

13-26  C h a pte r 13  Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts)

are used, the auditor should test the calculation of the standards, and evaluate whether the standards approximate actual costs by examining the variance accounts. When variance accounts have large balances, the auditor must consider whether fair presentation requires a pro rata allocation to inventories and costs of goods sold, rather than simply charging the variances to cost of goods sold. When the inventory is specialized or highly technical, the auditor may require the assistance of an outside expert. This might occur, for example, in an oil company with different grades of gasoline and motor oil, or in a jewelry store with different carat diamonds and different jeweled watches. The auditor may use the work of a specialist as an auditing procedure to obtain competent evidential matter when the auditor is satisfied about the qualifications and objectivity of the expert. The use of a specialist is discussed in Chapter 5. Confirm inventories at locations outside the entity. When client inventories are stored in public warehouses or with other outside custodians, the auditor should obtain evidence as to the existence of the inventory by direct communication with the custodian. This type of evidence is deemed sufficient except when the amounts involved represent a significant proportion of current or total assets. When this is the case, the auditor should apply one or more of the following procedures: •  Test the owner’s procedures for investigating the warehouse company and evaluating the warehouse company’s performance. •  Obtain an independent accountant’s report on the warehouse company’s control procedures relevant to custody of goods and, if applicable, pledging of receipts, or apply alternative procedures at the warehouse to gain reasonable assurance that information received from the warehouse company is reliable. •  Observe physical counts of the goods, if practicable and reasonable. •  If warehouse receipts have been pledged as collateral, confirm with lenders pertinent details of the pledged receipts (on a test basis, if appropriate). This test also provides evidence about the rights and obligations assertion. In addition, it will result in evidence as to the completeness assertion if the custodian confirms more goods on hand than stated in the confirmation request. Confirming inventories does not provide any evidence about the value of the inventory because the custodian is not asked to report on the cost, condition, or market value of the goods stored in the warehouse. Examine consignment agreements and contracts. Goods on hand may be held on consignment by a consignee. Thus, the consignee’s management is requested to segregate goods not owned during the inventory count. In addition, the auditor often requests a written assertion on ownership of inventories. When consignments exist, the agreement should be examined for terms and conditions. If the client (consignor) has shipped goods on consignment, the auditor should review the documentation to determine that goods held by the consignee are included in the consignor’s inventory at the balance sheet date. The evidence obtained from this procedure relates to the rights and obligations assertion. Tests of accounting estimates. When auditing inventory, the auditor must determine whether it is appropriate to write down the value of inventory below cost because the inventory is obsolete or slow-moving, and whether conditions would cause the client to sell inventory at such a price that it would experience a loss. The audit of accounting estimates is particularly challenging because of their prospective nature. The auditor (and the client) must estimate what inventory will sell for after year-end. The auditor’s responsibility for quality is limited to that of a reasonably informed observer. This means the auditor is expected to determine whether the inventory appears to be in condition for sale, use, or consumption, and whether there are any obsolete, slow-moving, or damaged goods. The auditor obtains evidence of general condition or obsolescence by: •  Observing the client’s inventory count. •  Scanning perpetual inventory records for slow-moving items or items where the client has sufficient quantity that it cannot sell the inventory during the period of normal inventory turnover. •  Reviewing quality control production reports.

 Auditing Inventory on the Balance Sheet  13-27

In addition, the auditor will use hindsight and review the sale of inventory after year-end to determine the reasonableness of costs compared to subsequent sales prices. For example, the auditor will usually: •  Compare the cost of inventory items with the entity’s current sales catalog and sales reports. •  Review inventory turnover after year-end. •  Consider whether a change in replacement costs indicates changing market conditions. •  Make inquiries of the client about slow-moving and obsolete inventory and the realizable value of inventory through sales. ADA can be used to evaluate the lower-of-cost-or-net-realizable-value of inventory. The auditor can use ADA to compare the cost of inventory with sales prices after year-end for every item in inventory to determine the materiality of a potential NRV problem. When evidence suggests a material decline in the realizable value of the goods, an appropriate write-down below cost is required. Auditing cost of goods sold. Cost of goods sold is usually determined by starting with the book value of beginning inventory, adding purchases of production costs, and subtracting the book value of ending inventory. Beginning inventory is normally validated by the previous year’s audit. Purchases are audited as part of the audit of tests of transactions in the purchasing process (see Chapter 12). For a manufacturing company, the auditor will have to audit the process of accumulating transactions regarding the purchases of raw materials (this may be audited as part of auditing the purchasing process), the allocation of direct payroll costs to inventory (this may be audited as part of auditing the payroll process), and the allocation of indirect payroll costs and factory overhead to the cost of production. The auditor will often perform tests of transactions related to the accumulation of production costs. As part of this process, the auditor should pay attention to variances from standard costs and determine the degree to which these variances are period costs (and should be allocated to cost of sales) or whether they are product costs (and part of the variance should be allocated to the cost of ending inventory). The process of auditing manufacturing costs involves significant professional judgment, and this is often performed by auditors that have some experience auditing manufacturing companies. Ultimately, the auditor should also validate adjusting journal entries at year-end to adjust the value of ending inventory, based on the audit procedures suggested above, and determine the appropriateness of related charges to cost of goods sold.

Testing Presentation and Disclosure It is customary to identify the major inventory categories in the notes to the financial statements. In addition, there should be disclosure of the inventory costing method(s) used, the assignment or pledging of inventories, and the existence of major purchase commitments. Evidence pertaining to statement presentation and disclosure is often obtained by the substantive tests described previously. Further evidence may be obtained, as needed, from a review of the minutes of board of directors’ meetings and from inquiries of management. Based on the evidence and a comparison of the client’s financial statements with applicable accounting pronouncements, the auditor determines the propriety of the presentation and disclosures. Inquiry of management is also used to determine the existence of binding contracts for future purchases of goods. When such commitments exist, the auditor should examine the terms of the contracts and evaluate the propriety of the company’s accounting and reporting. When material losses exist on purchase commitments, they should be recognized in the financial statements, together with a disclosure of the circumstances. At this point, we have discussed the risks, audit strategies, and audit plans for auditing the revenue process, the purchasing process, the payroll process, cash, and inventory. Before you begin the next section on auditing property, plant, and equipment, take a blank piece of paper, write out the assertions, think about the risks associated with each assertion, and think about the audit strategy and audit procedures you would plan for the audit of property, plant, and equipment. When you are finished, take a moment and do the same exercise for long-term debt. Think about how property, plant, and equipment and long-term debt are connected, and then develop an audit plan for long-term debt. Then, read the remainder of the chapter.

13-28  C h a pte r 13  Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts)

Cloud 9 - Continuing Case Suzie and Ian spend a considerable amount of time discussing the substantive procedures they will include in the audit program for Cloud 9’s inventory. Cloud 9’s core business is importing and wholesaling inventory; in addition, they have now established a retail store. The importance of inventory to the business’s success means that Cloud 9’s senior managers are very aware of the issues surrounding good inventory systems and handling procedures. The audit team has already recognized the importance of these systems by focusing much attention on the controls relating to inventory. However, Suzie and Ian have some concerns about their ability to gather sufficient appropriate evidence about Cloud 9’s inventory management system, and they know that if inven-

tory is misstated in the financial statements, it is unlikely that the financial statements are presented fairly in all material respects. Suzie and Ian decide that they will gather substantive evidence from the inventory counts at Cloud 9 to add to the evidence gathered from analytical procedures and vouching of inventory transactions. Suzie also decides to take charge of writing the program for gathering evidence on the contracts surrounding the inventory transactions between Cloud 9 and the overseas manufacturers. She wants to be sure that the accounts appropriately reflect the terms of these contracts with respect to transfer of inventory ownership. She asks Ian to take charge of reviewing Cloud 9’s procedures for identifying damaged, slow-moving, excess, out-of-style, and obsolete inventory.

Before You Go On 2.1 Explain how the audit of inventory would be different for an oil and gas field equipment manufacturer than it would be for a retail grocer. 2.2 Assume that, when performing analytical procedures, an auditor notices inventory turnover in days slowing from 33 days to 43 days, and gross margin increasing from 40% to 47%. What assertions might be misstated? 2.3 Explain the concept of the client’s cycle counts and how they relate to management’s assertions. 2.4 Assume that you are auditing an oil and gas field equipment manufacturer. Explain several key controls that you would expect to find related to the valuation and allocation assertion. 2.5 Determining the value of inventory as reported on the balance sheet is normally a three-step process. Explain the three steps. 2.6 Explain the importance of the auditor’s inventory observation. Further, explain three audit procedures performed during an inventory observation related to three different assertions. 2.7 Explain how the auditor will audit the lower-of-cost-or-NRV of inventory.

Auditing Property, Plant, and Equipment LEA RNING OBJE CTIVE 3 Evaluate how an auditor determines and executes an audit strategy, including the use of ADA, for property, plant, and equipment, and depreciation expense.

investing activities  the purchase and sale of land, buildings, equipment, and other long-term assets not generally held for resale; in addition, investing activities include the purchase and sale of financial instruments that are not intended for trading purposes

The following section focuses on a material aspect of a company’s investing activities: the acquisition, use, and sale of property, plant, and equipment. Investing activities include the purchase and sale of land, buildings, equipment, and other long-term assets not generally held for resale. In addition, investing activities include the purchase and sale of financial instruments not intended for trading purposes. The primary focus of this section will be on the audit of property, plant, and equipment. An entity acquires property, plant, and equipment assets because they support its operations and core processes.

Understanding the Flow of Transactions During the audit of inventory, an auditor expects that inventory has turned over several times during the year and that none of the inventory that was on hand during the prior audit would

 Auditing Property, Plant, and Equipment  13-29

still be present. However, with property, plant, and equipment, the auditor’s expectations are just the opposite—most of the property, plant, and equipment that was on hand at the beginning of the year will still be on hand at the end of the year. Therefore, substantive tests of property, plant, and equipment often focus on: •  Agreeing the beginning balance in property, plant, and equipment to the prior year’s audit. •  Auditing the acquisition of new property, plant, and equipment. •  Auditing the disposal of property, plant, and equipment. •  Auditing the depreciation of property, plant, and equipment.

Understanding the Entity and Its Environment When an auditor develops a business-based approach to auditing property, plant, and equipment, it is essential to understand how the long-term assets support the operations of the entity. For example, a forest products company will usually make significant investments in timber and timberlands, as well as manufacturing facilities. As a rule of thumb, most businesses will acquire new assets if the rate of return generated by those assets exceeds the after-tax marginal cost of debt financing associated with acquiring additional assets. The first step in auditing property, plant, and equipment involves understanding the assets that are needed to support the entity’s operations (e.g., investments in the supply chain, manufacturing facilities, land, or natural resources) and the rate of return a company expects to achieve from its underlying asset base. The auditor will often look at how the entity is growing and determine the assets needed to support that growth. The auditor will also obtain an understanding of how newly acquired assets are financed. The issue of how long-term assets are financed has received substantial attention as the FASB has adopted new standards for accounting for leases. The new accounting standard on leases will take effect for public companies for fiscal years beginning after December 15, 2018. For all other organizations, the standard on leases will take effect for fiscal years beginning after December 15, 2019. Illustration 13.13 provides summary financial information related to fixed assets as a percent of total assets, a measure of return on assets, and a summary of how all of the company’s assets are financed for the various industries we followed in Chapters 11 and 12. There is a significant variation from industry to industry. It is important to develop a good understanding of the audit client to develop expectations regarding the client’s financial statements.

ILLUSTRATION 13.13   Understanding the importance of property, plant, and equipment, and debt for various industries

Developing a Knowledgeable Perspective About the Entity’s Financial Statements

Assessing the Risk of Material Misstatement

Oil and Gas Field Machinery and Equipment Manufacturing

Net Fixed Assets as a % of Total Assets: 22.9%

•  There is little risk of asset obsolescence.

•  Fixed assets are a modest portion of total assets for these companies.

Profit Before Tax as a % of Total Assets: 3.4%

•  Debt tends to be stable and concentrated with a few sources.

Example Industry Traits

•  Financing debt is slightly more than the amount of fixed assets.

Sales ÷ Net Fixed Assets: 8.4

Operating Debt as a % of Total Assets: 28.1% Financing Debt as a % of Total Assets: 23.8% Equity as a % of Total Assets: 48.1%

Electronic Computer Manufacturing

Net Fixed Assets as a % of Total Assets: 11.6%

•  Fixed assets are a smaller proportion of total assets as a significant amount of production is outsourced.

Profit Before Tax as a % of Total Assets: 5.2%

•  Financing debt is significant relative to the investment in fixed assets.

Sales ÷ Net Fixed Assets: 35.2

Operating Debt as a % of Total Assets: 39.4% Financing Debt as a % of Total Assets: 22.9%

•  Chip manufacturers, rather than computer manufacturers, have a higher degree of obsolescence of production technology. •  Debt tends to be stable and concentrated with a few sources.

Equity as a % of Total Assets: 37.7% (continued)

13-30  C h a pte r 13  Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts) ILLUSTRATION 13.13   (continued)

Example Industry Traits

Developing a Knowledgeable Perspective About the Entity’s Financial Statements

Supermarkets and Other Grocery Stores

Net Fixed Assets as a % of Total Assets: 33.1%

•  Fixed assets and having key locations are important for grocery retailers. Currently, retail grocers have significant operating leases associated with locations.

Profit Before Tax as a % of Total Assets: 9.2%

Sales ÷ Net Fixed Assets: 21.2

Operating Debt as a % of Total Assets: 37.5% Financing Debt as a % of Total Assets: 29.2% Equity as a % of Total Assets: 33.3%

Hotels and Motels

Net Fixed Assets as a % of Total Assets: 69.6%

•  Properties are a key asset for many hotels and motels. Operating leases are likely to be significant.

Profit Before Tax as a % of Total Assets: 5.8%

Sales ÷ Net Fixed Assets: 0.8

Assessing the Risk of Material Misstatement •  Significant use of long-term operating leases. Expect a significant increase in net fixed assets and financing debt under the new accounting rules for leased assets. •  Property, plant, and equipment is material and capital expenditures are often also material. •  Property, plant, and equipment is material and capital expenditures are often also material.

Equity as a % of Total Assets: 15.5%

•  Long-term operating leases may be significant. Expect a significant increase in net fixed assets and financing debt under the new accounting rules for leased assets.

Colleges, Universities, and Professional Schools

Net Fixed Assets as a % of Total Assets: 50.7%

•  Property, plant, and equipment is material.

•  P  roperty, plant, and equipment is a key asset.

Profit Before Tax as a % of Total Assets: 1.1%

•  More recent investments are often investments in technology more than bricks and mortar.

Operating Debt as a % of Total Assets: 22.5% Financing Debt as a % of Total Assets: 62.0%

Sales ÷ Net Fixed Assets: 0.8

Operating Debt as a % of Total Assets: 13.3%

•  Many properties are financed with longterm debt.

Financing Debt as a % of Total Assets: 29.3% Equity as a % of Total Assets: 57.4%

Understanding the Results of Analytical Procedures Analytical procedures are required as part of risk assessment. They are cost-effective and they may assist the auditor in planning the nature, extent, and timing of other procedures. Illustration 13.14 presents some example analytical procedures along with an explanation of the problems they might identify. Plant assets should be relatively stable and grow at approximately the rate of sales growth. Results of analytical procedures could highlight issues related to appropriateness of depreciation expense and proper capitalization of costs in plant asset accounts.

ILLUSTRATION 13.14   Analytical procedures for property, plant, and equipment

Ratio

Formula

Audit Significance

Fixed assets turnover

Net sales Average fixed assets

An unexpected increase in fixed assets turnover may indicate the failure to record or capitalize depreciable assets.

Total assets turnover

Net sales Average total assets

An unexpected increase in total assets turnover may indicate the failure to record or capitalize depreciable assets.

Return on total assets

{Net income + [Interest × (1 – Tax rate)]} Average total assets

An unexpected increase in return on assets may indicate the failure to record or capitalize depreciable assets.

Depreciation expense as a percent of property, plant, and equipment

Depreciation expense Average property, plant, and equipment

An unexpected increase or decrease in the depreciation expense as a percent of depreciable assets may indicate an error in calculating depreciation.

Repair expenses to net sales

Repair and maintenance expense Net sales

An unexpected increase in repair and maintenance expense may indicate the possibility that assets that should have been capitalized were expensed.

 Auditing Property, Plant, and Equipment  13-31

Assessing Inherent Risk Inherent risk for property, plant, and equipment is not straightforward. The following discussion outlines some key factors that influence the auditor’s thinking about inherent risk: •  Existence. Inherent risk for the existence assertion may be low because fixed assets are not vulnerable to theft. However, the appropriate classification of transactions may be an issue when companies make decisions about whether a transaction should be directly expensed versus capitalized as an asset. WorldCom and other companies managed earnings by capitalizing transactions rather than appropriately expensing items. The existence of assets is called into question if they should be directly expensed. •  Completeness. Inherent risk may be high or maximum if it is difficult to determine if the economic substance of a lease is an operating lease or a finance (capital) lease. However, beginning in 2019, most leases will be treated as finance leases for public companies. •  Rights and obligations. Inherent risk is often high because assets are usually pledged as collateral for underlying debt. •  Valuation and allocation. Inherent risk may be high or maximum depending on the industry, the degree of difficulty associated with estimating useful lives and salvage values for depreciation methods, and the extent to which the value of long-lived assets is impaired. •  Presentation and disclosure assertions. Fixed assets disclosures are relatively straightforward and misstatements represent only a moderate inherent risk.

Professional Environment  Restatements Related to Long-Lived Assets Audit Analytics2 recently reported a summary of restatements due to property, plant, and equipment, intangible asset, or fixed asset issues for a 17-year period ending in 2017. Property, plant, and equipment, intangible asset, or fixed asset issues consist of misstatements either in calculation, approach, or theory that have taken place in the recording of assets, goodwill, intangibles, or contra liabilities that are required to be valued or assessed for de-

Disclosure Year Expense recording issues % of all financial statement restatements

clines in value on a period basis. This description covers misreporting of fixed assets, buildings, leasehold improvements, intangibles, goodwill, securities, investments, etc. As seen below, during the period of 2004–2005, these misstatements are in excess of 13.2% of all restatements. However, during the period of 2007–2017, these misstatements decrease significantly as a percentage of all financial statement restatements (5.7% to 8.3% of all restatements).

2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2012 2013 130

208

13.7% 13.2%

2014

183

95

61

49

63

70

63

50

61

49

49

39

9.8%

7.4%

6.3%

5.9%

7.4%

8.3%

7.4%

5.7%

7.1%

6.5%

7.2%

7.1%

Assessing Control Risk and Fraud Risk Strong entity-level controls, such as a strong control environment, effective risk assessment, effective accountability for the use of resources, effective monitoring of the control system, and strong IT general controls, continue to be important. One of the key transactions associated with plant assets is the initial accounting for the acquisition of plant assets. The features of the accounting system and specific control procedures associated with the expenditure process, discussed in Chapter 12, apply to the acquisition of property, plant, and equipment and the appropriate classification of repair and maintenance expenditures. The controls described in Chapter 12 over the occurrence, completeness, accuracy, cutoff, and classification of purchases should also control the acquisition of fixed assets. Transactions that are individually material, such as the acquisition of land, buildings, or major capital expenditures, are usually subject to additional controls including capital budgets and authorization by the board of directors. Further, a disclosure committee may be involved in addressing the appropriate classification of complex leases as operating leases or finance leases (up through the adoption of 2 Don Whalen, Olga Usvyatsky, and Dennis Tanona, 2017 Financial Restatements, A Seventeen Year Comparison (Audit Analytics: Sutton, MA, 2018).

13-32  C h a pte r 13  Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts)

new accounting standards for lease recognition), as well as reviewing depreciation policies for new assets and the reasonableness of assumptions about useful lives and salvage values. Once depreciation polices are determined, software applications are used to calculate depreciation expense and these programs usually include reasonableness tests such as limit tests to ensure that assets are not overdepreciated (e.g., the book value of assets should be greater than zero). Controls over the disposition of assets should include specific authorization controls for the sale or trade-in of fixed assets. Because the sale or trade-in of fixed assets is less routine, an entity may develop specific controls to test the completeness and accuracy of accounting for these transactions. Controls over fixed asset balances often include physical controls over fixed assets as well as the maintenance of a fixed asset inventory that is periodically checked against existing assets. Controls over the valuation of assets at historic costs are directly related to the controls over the valuation of recorded transactions. The disclosure committee should also review any rights or obligations issues and issues surrounding asset impairment on a regular basis. Finally, the disclosure committee should review all financial statement disclosures before they are presented to the auditor.

Fraud Risk Assessment Frauds related to property, plant, and equipment are similar to other frauds discussed in Chapter 12 related to purchasing and procurement fraud. Many fixed asset frauds involve fictitious invoices, phantom vendors, or bid rigging and kickbacks. Auditors should also be alert to fraudulent financial reporting schemes that capitalize items that should be expensed. The opportunity to commit these frauds can be significantly reduced with strong internal controls over fixed asset acquisitions.

Audit Data Analytics as a Risk Assessment Procedure Audit data analytics as a risk assessment procedure are probably most effective in the audit of capitalintensive companies, such as an oil refinery. Several examples of audit data analytics include: •  Searching the audit population for significant gains or losses on the disposal of assets. This may be an indication of poor decisions about useful lives or salvage values affecting depreciation calculations. •  Analyzing capital expenditures versus expenditures for repair and maintenance. •  Analyzing the most common requests for maintenance. •  Analyzing construction costs to determine the amount of work allocated to various contracts. An excessive amount of work allocated to one contractor may surface problems with bid rigging or kickbacks.

Determining an Audit Strategy As we have discussed in other audit areas, the audit strategy is highly dependent on the client’s system of internal controls. A strong tone at the top regarding reporting accurate earnings will affect professional judgments about depreciation calculations and decisions about capitalizing versus expensing various transactions. The auditor’s strategy in a recurring audit also focuses on auditing three key transaction streams: (1) acquisitions of PPE, (2) depreciation of PPE, and (3) disposals of PPE. When internal controls are strong, and the results of analytical procedures appear normal, the auditor may perform limited testing of these three transaction streams. On the other hand, if a private company or not-for-profit organization is undergoing significant capital expansion, and internal controls are weak, the auditor will likely increase sampling and audit a more significant portion of fixed asset additions.

Substantive Tests for Property, Plant, and Equipment Possible substantive tests for the audit of property, plant, and equipment in a recurring engagement are shown in Illustration 13.15. Each substantive test is explained in the following sections.

 Auditing Property, Plant, and Equipment  13-33 ILLUSTRATION 13.15  Substantive tests for property, plant, and equipment

Category

Substantive Test

Assertions

Initial procedures

1. Obtain an understanding of the entity and its environment and determine: All a. The significance of plant assets, and changes in plant assets, to the entity. b. Key economic drivers that influence the entity’s acquisition of plant assets. c. Industry standards for the extent to which the entity is capital-intensive and the impact of plant assets on earnings. d. The degree to which the company has operating leases and finance leases to finance assets. 2. Perform initial procedures on plant asset balances and records that will be subjected to further testing. a. Trace beginning balance for plant assets and accumulated depreciation to the prior year’s Existence, Completeness working papers. b. Review activity in general ledger accounts for plant assets and depreciation expense and Valuation and allocation investigate entries that appear unusual in amount or source. c. Obtain client-prepared schedules of plant asset additions, retirements, and depreciation expense, and determine that they accurately represent the underlying accounting records from which they were prepared by:   i. Footing and cross-footing the schedules and reconciling the totals with increases or decreases in the related general ledger balances during the period. ii. Testing agreement of items on schedules with entries in related general ledger accounts.

Analytical procedures

3. Perform analytical procedures: a. Develop an expectation for plant assets using knowledge of the industry and the entity’s business activity. b. Calculate ratios such as:   i. Fixed asset turnover.   ii. Depreciation expense as a percent of sales. iii. Repair and maintenance expense as a percent of sales.   iv. Rate of return on assets. c. Analyze ratio results relative to expectations based on prior years, industry data, budgeted amounts, or other data.

All

Tests of details of transactions

4. Vouch plant asset additions to supporting documentation. 5. Vouch plant asset disposals to supporting documentation. 6. Vouch a sample of larger entries to repairs and maintenance expense. 7. Vouch the recording of new finance leases and operating leases to underlying contracts.

Occurrence, Accuracy Occurrence, Accuracy Completeness, Valuation Occurrence, Completeness, Accuracy, Rights and obligations* Valuation and allocation

8. Evaluate the fair presentation of depreciation expense by evaluating the appropriateness of useful lives and estimated salvage values. Tests of details of balances

Presentation and disclosure

9. Inspect plant assets. a. Inspect additions to plant assets. b. Tour other plant assets and be alert to evidence of additions and disposals not included on client’s schedules and to conditions that bear on the proper valuation and classification of the plant assets. 10. Confirm if assets are pledged as collateral for loans. 11. Examine any significant events that could result in an impairment of the value of plant assets.

Existence

12. Compare statement presentation with GAAP. a. Determine that plant assets and related expenses, gains, and losses are properly identified and classified in the financial statements. b. Determine the appropriateness of disclosures related to the cost, book value, depreciation methods, and useful lives of major classes of plant assets, the pledging of plant assets as collateral, and the terms of lease contracts. c. Evaluate the completeness of presentation and disclosures for property, plant, and equipment in drafts of financial statements to determine conformity to GAAP by reference to disclosure checklist. d. Read disclosures and independently evaluate their understandability.

Classification and understandability, Accuracy and valuation Accuracy and valuation, Occurrence and rights and obligations Completeness

*In this case, testing transactions also provides evidence about an account balance assertion.

Existence, Completeness

Rights and obligations Valuation and allocation

Classification and understandability

13-34  C h a pte r 13  Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts)

Initial Procedures An important initial procedure involves obtaining an understanding of the importance of property, plant, and equipment to the business and industry. As discussed earlier, it is important for the auditor to understand how assets support core activities of the entity and the generation of earnings. This understanding of the economic substance behind plant asset transactions provides the context for evaluating the reasonableness of evidence collected during the audit. Before performing other substantive tests in the audit program, the auditor determines that the beginning general ledger balance for plant asset accounts agrees with the prior period’s working papers. Among other things, this comparison will confirm that any adjustments determined to be necessary at the conclusion of the prior audit that were reflected in the prior period’s published financial statements were properly booked and carried forward. Next, the auditor should test the mathematical accuracy of client-prepared schedules of additions and disposals and reconcile the totals with changes in the related general ledger balances for plant assets during the period. In addition, the auditor should test the schedules by vouching items on the schedules to entries in the ledger accounts and tracing ledger entries to the schedules to determine that they are an accurate representation of the accounting records from which they were prepared. The schedules may then be used as the basis for several of the other audit procedures. Illustration 13.16 illustrates an auditor’s lead sheet schedule for plant assets and accumulated depreciation.

ILLUSTRATION 13.16  Property, plant, and equipment lead schedule Client: New Millennium Ecoproducts                       Bell & Bowerman, LLP

   

  

Property, Plant, and Equipment, and Accumulated Depreciation             Reference: G - Lead      

  Prepared by: W.C.B.

    

Date: 2/4/23

Reviewed by: R. E. Z.

Date: 2/12/23

Period-end: 12/31/22 Property, Plant, and Equipment W/P Acct. Ref. No. Account Title G-1 301 Land

Balance 12/31/21

Additions Disposals

Adjustments DR / (CR)

Balance 12/31/22

$ 450,000 (a) 2,108,000 (a) $ 125,000

G-3 303 Machinery and Equipment

3,757,250 (a)

(✓)

140,000

379,440 (a)

$ 84,320

25,000

(b)

4,392,250

1,074,210 (a)

352,910

883,400

217,450 (a)

43,250

(a) Traced to general ledger and 12/31/21 working papers.

(✓)

(✓)



(✓)

$7,933,650 $1,671,100

(✓✓)

(✓)

Adjustments (DR) / CR

Balance 12/31/22 $

2,208,000

$

Disposals

(a)

(b)

110,000

$1,245,000 $480,000



Depreciation Expense

$(25,000)

980,000 $370,000

853,400 (a) $7,168,650

Balance 12/31/21

$ 450,000 $

G-2 302 Buildings G-4 304 Furniture and Fixtures

Accumulation Depreciation

G-5 G-5 $172,500 G-5

(b)

462,760

1,000

(b)

1,255,620

21,000

$480,480

$193,500

(✓)

(✓)



$(1,000)

239,700 $ –

(✓)

$1,958,080

(✓✓)

(b) To reclassify cost and related accumulated depreciation from purchased equipment recorded as buildings. See Adjusting entry #2 on W/P AE-4

(✓) Footed. (✓✓) Footed and cross-footed.

Substantive Analytical Procedures An important part of auditing property, plant, and equipment involves determining that the financial information is consistent with the auditorʼs expectations. During risk assessment, the auditor develops expectations by being knowledgeable of the business and industry and performing analytical procedures. The analytical procedures in Illustration 13.14 can be used again during risk response to assess the reasonableness of balances for plant assets, depreciation expense, repair and maintenance expense, and expenses associated with operating leases. The auditor should maintain an appropriate level of professional skepticism and investigate any abnormal results by performing tests of details to gather additional evidence. If, however, the results of substantive analytical procedures at interim or year-end are consistent with the auditorʼs expectations, the audit strategy might be modified to reduce the extent of tests of transactions and/or balances.

 Auditing Property, Plant, and Equipment  13-35

Tests of Details of Transactions The following substantive tests address three types of transactions for property, plant, and equipment: (1) additions, (2) disposals, and (3) repair and maintenance. Vouch plant asset additions. All major additions should be supported by documentation in the form of authorizations in a capital budget, receiving reports, vouchers, vendor invoices, contracts, and canceled checks. The recorded amounts should be vouched to supporting documentation. If there are numerous transactions, the vouching may be done on a sample basis. In performing this procedure, the auditor ensures that appropriate accounting recognition has been given to installation costs, freight-in, and similar costs. For construction in progress, the auditor may review the contract and documentation in support of construction costs. When plant assets are acquired under a finance lease, the cost of the property and the related liability should be recorded at the present value of the future minimum lease payments. The accuracy of the clientʼs determination of the present value of the lease liability should also be verified by recomputation. Vouching property, plant, and equipment additions provides evidence about the existence and valuation and allocation assertions. When you look at Illustration 13.16, testing of the additions to Buildings, Machinery and Equipment, and Furniture and Fixtures would be found on working papers G-2, G-3, and G-4, respectively. Vouch plant asset disposals. Evidence of sales, retirements, and trade-ins should be available to the auditor in the form of cash remittance advices, written authorizations, and sales agreements. The documentation should be carefully examined to determine the accuracy and propriety of the accounting records, including the recognition of a gain or loss, if any. The following procedures may also be useful to the auditor in determining whether all retirements have been recorded: •  Analyze the miscellaneous revenue accounts for proceeds from sales of plant assets. •  Investigate the disposition of facilities associated with discontinued product lines and operations. •  Review insurance policies for termination or reductions of coverage. •  Make inquiry of management as to retirements. Evidence that all retirements or disposals have been properly recorded relates to the existence and valuation and allocation assertions. Evidence supporting the validity of transactions that reduce plant asset balances relates to the completeness assertion. Finally, evidence obtained while auditing disposals of plant assets may assist in the audit of depreciation expense. Significant losses on the disposal of assets may indicate that depreciation estimates may be inadequate. Significant gains may indicate the client is overly aggressive in depreciating assets. When you look at Illustration 13.16, testing of the disposals of Machinery and Equipment, and Furniture and Fixtures would be found on working papers G-3 and G-4, respectively. Inspect entries to repairs and maintenance expense. The purpose of the auditor’s test of repair and maintenance expense is to determine the propriety and consistency of these charges. Propriety involves a consideration of whether the client has made appropriate distinctions between items that should be capitalized or expensed. Accordingly, the auditor should scan the individual charges to identify those that are sufficiently material are capitalized. For these items, the auditor should examine supporting documentation, such as the vendor invoice, company work order, and management authorization, to determine the propriety of the charge or the need for an adjusting entry. The auditor should also consider other expenses that an entity might have capitalized, such as the capitalization of interest costs related to self-constructed assets. Consistency refers to a determination of whether the company’s criteria for distinguishing between capital items and expenditures are the same as in the preceding year. This substantive procedure provides important evidence concerning the completeness assertion for plant assets because it should reveal expenditures that should be capitalized. Inspecting the entries to repairs expense also results in evidence about the valuation of the plant assets. Examine entries for depreciation expense. In this test, the auditor seeks evidence on the reasonableness, consistency, and accuracy of depreciation expense for the period. An essential starting point for the auditor is determining the depreciation methods used by the client during the year under audit. The methods can be identified from a review of depreciation schedules prepared by the client and inquiry of the client. The auditor must then determine whether the

13-36  C h a pte r 13  Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts)

methods currently in use are consistent with the preceding year. During a recurring audit, this can be established by a review of the prior year’s working papers. Determination of the reasonableness of depreciation expense involves a consideration of such factors as (1) the client’s past history in estimating useful lives and (2) the remaining useful lives of existing assets. The auditor’s verification of accuracy is achieved through recalculation. Ordinarily, this is done on a selective basis by recomputing the depreciation on major assets and testing depreciation recorded on additions and retirements during the year. Evidence of unusual gains and losses on the retirement or sale of assets may indicate that depreciation estimates may be misstated. Illustration 13.16 shows that testing depreciation expense would be found on working paper G-5.

Audit Reasoning Example Large Gains and the Reasonableness of Depreciation Expense

David, an audit manager, was reviewing Kristina’s work in auditing plant assets for a construction company that did a great deal of road building and repair work. David comments, “I see that there were significant gains when the company replaced a variety of equipment this year. You have correctly tested the calculation of the gains. Do you think there are other issues for this year’s audit?” Kristina is a bit puzzled. “If the gains are correct, what other issues might there be?” David comments, “If there are so many gains, and they are relatively large, is that an indication of underdepreciating these assets? If these assets are underdepreciated, could we have a similar problem with other assets on the books? Let’s go back and look at the current depreciation methods for these classes of assets. If we recalculated depreciation for the existing assets, using different assumptions, would we find a material difference from our current depreciation calculations? I think we need to look carefully at this issue.”

Tests of Details of Balances In many ways the auditor’s tests of transactions also serve as tests of balances. If the auditor traces the beginning balance to prior year’s working papers, and then obtains sufficient, appropriate evidence about the transactions for the period, the auditor has audited the ending balance. The following procedures focus on inspecting plant assets, determining if assets have been pledged as collateral for loans, and evaluating whether assets have been impaired. Inspect plant assets. Often, the auditor will tour the client’s facilities and inspect plant assets. Inspecting enables the auditor to obtain direct personal knowledge of the existence of plant assets. In a recurring engagement, detailed inspections may be limited to items listed on the schedule of plant asset additions. During a tour of plant assets, an auditor should be alert to other evidence relevant to plant assets. For example, the astute auditor will look for indications of additions or retirements not listed on the schedules that relate to the completeness and existence assertions, and to evidence regarding the general condition of other plant assets, and whether they are currently being used, that relates to the valuation and allocation assertion. Confirm if assets have been pledged as collateral for loans. The auditor will often obtain evidence about whether assets have been pledged as collateral for loans when sending confirmations regarding loans and debt agreements. Even though invoices for the purchase of property, plant, and equipment might be marked “paid,” it is possible that the same asset has been pledged as collateral for a loan. Lease agreements convey to the lessee the right to use property, plant or equipment for a specific period of time. Auditors should read lease agreements to determine the proper accounting classification of leases. When finance leases exist, both an asset and a liability should be recognized on the balance sheet. Examination of lease agreements also provides significant evidence relevant to note disclosures. These procedures provide important evidence related to the rights and obligations assertion. Examine impairment of property, plant, and equipment. Events may occur between acquiring and retiring an asset that affect the valuation and allocation assertion and require immediate write-down of the asset, as addressed in ASC 360. An impairment exists when the cost of a plant asset, or group of assets, exceeds its fair value and is not recoverable. Auditors should be alert to a significant decrease in the market price of a plant asset, a change in how the

 Auditing Financing Activities  13-37

company uses an asset, or changes in the business climate that could affect an asset’s value. An auditor will normally test an asset for recoverability by comparing its estimated future undiscounted cash flows with its carrying value. The asset is impaired when the future cash flows are less than the carrying amount.

Tests of Details of Presentation and Disclosure Financial statement presentation requirements for plant assets are moderately extensive. For example, the note disclosure should show depreciation expense for the year, cost and book values for major classes of plant assets, and depreciation methods used. Evidence concerning these matters is acquired through the substantive tests described in the preceding sections. Property pledged as security for loans should also be disclosed. Information on pledging may be obtained by reviewing minutes of board meetings or contractual agreements, confirming debt agreements, and inquiring of management. The appropriateness of the client’s disclosures related to leased assets can be determined by understanding the terms of the lease agreement. Auditors normally test the completeness of disclosures by using a disclosure checklist. Finally, an auditor with significant experience will read the disclosures to evaluate their understandability.

Cloud 9 - Continuing Case Ian and Suzie have already discussed their approach to PPE acquisitions and disposals, plus using limited recalculation and analytical procedures for depreciation expense testing. Suzie reminds Ian that they need to design substantive procedures to assess asset values. Asset impairments must be recognized under the accounting standards, and the auditors will need to gather evidence

about Cloud 9’s processes for identifying and recognizing asset impairments. Suzie will discuss with Sharon Gallagher, the audit manager, how they want to approach the issue of asset impairments. However, going into this meeting, Suzie does not anticipate changes in the business climate, or changes in how Cloud 9 uses its assets that would indicate potential impairments.

Before You Go On 3.1 Explain how the audit of property, plant, and equipment would be different for a computer manufacturer than for a hotel and motel chain. 3.2 Assume that, when performing analytical procedures, an auditor notices a material increase in repair and maintenance expense as a percent of net sales. What assertions might be misstated? 3.3 Explain the relationship between internal controls over the acquisition of fixed assets and internal controls found in the purchases process. What additional controls might you expect to find related to the acquisition of fixed assets? 3.4 Explain the general audit strategy for auditing property, plant, and equipment. 3.5 Explain the evidence that would show a company is underdepreciating plant, and equipment.

Auditing Financing Activities lea rning objective 4 Evaluate how an auditor determines and executes an audit strategy for long-term debt and interest expense, and stockholders’ equity. The following section focuses on auditing financing activities. Financing activities include transactions and events whereby cash is obtained from, or repaid to, lenders (debt financing) or owners (equity financing). Financing activities include acquiring debt, finance leases, issuing

financing activities  transactions and events whereby cash is obtained from, or repaid to, lenders (debt financing) or owners (equity financing)

13-38  C h a pte r 13  Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts)

bonds, or issuing preferred or common stock. Financing activities would also include payments to retire debt, reacquisition of stock (treasury stock), and payment of dividends. If the auditor knows that changes have occurred in investing activities, changes in financing activities often are predictable. If, for example, an entity finances equipment with a finance lease, the value of the additions to assets and debt are directly related.

Understanding the Flow of Transactions Following is a summary of common financial statement accounts associated with long-term debt or equity transactions an auditor usually encounters.

Short-Term and Long-Term Debt Transactions

Stockholders’ Equity Transactions

Loans payable

Preferred stock

Mortgages payable

Common stock

Bonds payable

Treasury stock

Bond premium (discount)

Paid-in capital

Interest payable

Retained earnings

Interest expense

Dividends

Gain (loss) on retirement of bonds

Dividends payable

The population of debt and equity instruments is usually small. For example, a public company may have fewer than 50 different notes payable, or only one to three classes of equity securities, which are small population sizes. As a result, audit strategy often focuses on auditing the entire population of debt and equity at year-end. Audit data analytics software is most often used with large populations of data, such as inventory or sales transactions. Since borrowing and equity transactions usually represent relatively small populations, audit data analytics are typically not used to audit financing transactions.

Understanding the Entity and Its Environment When an auditor performs risk assessment procedures and develops a business-based approach to auditing financing activities, it is essential to understand how the entity chooses a financing strategy, and the types of financial instruments used by the entity. Recall that Illustration 13.13 provides summary financial information related to an entity’s choice of operating debt, financing debt, and equity for the various industries we have been following in Chapters 11 and 12. There continues to be significant variation from industry to industry; therefore, it is critical for the auditor to develop a good understanding of the audit client and its business environment to develop expectations regarding the client’s financial statements. For example, the average level of debt in the hotel and motel industry represents 62% of total assets. Alternatively, colleges, universities and professional schools that have significant fixed assets have a capital structure that is heavily equity financed and debt represents only 29% of total assets. It is particularly important for auditors to understand the client’s financing strategy and the types and complexity of financial instruments used. There is often a direct connection between a client’s investment in property, plant, and equipment (or other long-term assets) and the entity’s financing activities. An auditor should understand how a company plans to fund the acquisition of long-term assets. Some entities may generate sufficient cash flow from operations to allow for the purchase of PPE. Most entities, however, will use some form of debt or equity to fund the acquisition of longterm assets.

 Auditing Financing Activities  13-39

Understanding the Results of Analytical Procedures Analytical procedures are required during risk assessment. They are cost-effective and they may assist the auditor in evaluating the reasonableness of the financial statements. Further, an auditor should develop an expectation for any of the ratios or analytical procedures discussed below. Once an auditor understands the long-term assets that an entity has acquired, the auditor should also obtain an understanding of how the entity financed the acquisitions. If the auditor understands the entity’s investing activities and the nature of the business, the entity’s financing activities should be predictable. Illustration 13.17 presents some example analytical procedures along with an explanation of the problems they might identify. These analytical procedures provide indicators of the entity’s need for financing, its ability to service debt, and the reasonableness of interest costs (both interest expense and capitalized interest). illustration 13.17   Analytical procedures commonly used to audit long-term debt

Ratio Free cash flow

Formula

Audit Significance

Cash flow from operations – Capital expenditures

Negative free cash flows indicate the need for, and approximate amount of, expected financing to prevent drawing down on cash or investments.

Interest-bearing debt to total assets

Interest-bearing debt Total assets

Provides a reasonableness test of the entity’s proportion of debt that may be compared with prior years’ experience or industry data.

Stockholders’ equity to total assets

Stockholders’ equity Total assets

Provides a reasonableness test of the entity’s proportion of equity that may be compared with prior years’ experience or industry data.

Comparing return on assets with the incremental cost of debt Return on common equity Sustainable growth rate

Current portion of debt and dividends to cash flow from operations

If ROA > the incremental cost of debt: {Net income + [Interest × (1 – tax rate)]} Average total assets (Net income – Preferred dividends) Average common stockholders’ equity Return on common equity × (1 – Dividend payout rate)

(Current portion of debt + Dividends) Cash flow from operations

If a company is able to generate a higher rate of return on assets than its incremental cost of debt, this is a signal that an entity may use debt financing to expand the assets and earnings of the entity. Provides a reasonableness test of stockholders’ equity given the company’s earnings and financing structure. Provides an estimate of rate of sales growth that can be obtained without changing the entity’s profitability or financing structure. The auditor should expect changes in the financing structure when sales grow significantly faster than the sustainable growth rate. A test of the entity’s ability to service its financing obligations. Ratios less than 1.0 indicate potential liquidity problems.

Times interest earned

Income before interest and income taxes (Interest expense + Capitalized interest)

A test of the entity’s ability to generate earnings to cover the cost of debt service. Ratios less than 1.0 indicate the entity’s earnings are insufficient to cover financing costs.

Interest expense to interestbearing debt

(Interest expense + Capitalized interest) Average interest-bearing debt

A reasonableness test of recorded interest expense that should approximate the entity’s average cost of debt capital.

Assessing Inherent Risk Many auditors might think that inherent risk in the financing cycle is moderate to low. However, as noted in the following discussion of the professional environment, issues associated with debt, warrants, and equity are the number one cause of financial statement restatements. For example, in 2013, First Data Corporation refinanced its debt with borrowings of similar maturities. The company originally treated the transaction as a modification of debt rather than an extinguishment of debt. Properly treating the transaction as an extinguishment of debt resulted in recording a $56 million loss.3 Other significant inherent risks involve the proper accounting for interest rate swaps and the proper classification of equity instruments that behave like debt. There are some companies that have a relatively straightforward capital structure where accounting issues are not complex. But when an auditor finds that a client has engaged in 3

T. Shumsky, “Three Stubborn Types of Mistakes Dog Financial Reporting,” The Wall Street Journal (April 11, 2016).

13-40  C h a pte r 13  Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts)

significant new debt or equity transactions, the auditor should be prepared to study a significant volume of legal documents related to the financing transaction, and determine the impact of any legal requirements (such as debt covenants) on the entity.

Professional Environment  Restatements Related to Debt, Quasi-Debt, Warrants, and Equity Audit Analytics4 recently reported a summary of restatements due to debt, quasi-debt, warrants, and equity issues for a 17-year period ending in 2017. Debt, quasi-debt, warrants, and equity security issues consist of misstatements in approach, theory, or calculation associated with the record of debt or equity accounts. These restatements will often be about errors made in the calculation of balances arising from debt, equity, or quasi-debt/equity instruments with beneficial conversion options. For example, when convertible

Disclosure Year Expense recording issues % of all financial statement restatements

debt is issued, converted, repurchased, or paid off, GAAP requirements can be challenging. In addition, certain debt instruments can be erroneously valued. Often financial derivative requirements are at issue. During the 17-year period, these restatements were the number one source of financial statement restatements. They range from 15.7% to 23.8% of all restatements. As a result, this is a significant risk issue in all years.

2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2012 2013 171

331

502

297

200

140

182

177

143

195

204

162

121

2014 87

18.0% 21.0% 27.0% 22.9% 20.7% 16.9% 21.4% 20.9% 16.8% 22.3% 23.8% 21.4% 17.8% 15.7%

Assessing Control Risk and Fraud Risk The following financing functions and related control activities are associated with the financing process: •  Authorizing bonds and capital stock. The board of directors usually authorizes financing transactions based on the entity’s strategic plans and investing activities. •  Issuing bonds and capital stock. Issues are made in accordance with board of directors’ authorizations and legal requirements, and proceeds are promptly deposited intact. Often bond and stock transactions are handled by a bond trustee or transfer agent.

bond trustee  a bond trustee is usually a commercial bank or a trust company that is given fiduciary powers by a bond issuer to enforce the terms of a bond indenture; the trustee sees that bond interest payments are made as scheduled and protects the interests of the bondholders if the issuer defaults transfer agent  a trust company, bank, or similar financial institution assigned by a corporation to maintain records of investors and account balances; the transfer agent records transactions, cancels or issues stock certificates, and processes investor mailings

•  P  aying bond interest and cash dividends. Payments are made to proper payees in accordance with board of directors’ or management authorizations. •  R  edeeming and reacquiring bonds and capital stock. Transactions are executed in accordance with board of directors’ authorizations; treasury stock certificates are physically safeguarded.  ecording financing transactions. Transactions are correctly recorded as to amount, •  R classification, and accounting period based on supporting authorizations and documentation. The duties of executing and recording financing transactions are usually segregated. Periodic independent checks are made by agreement of subsidiary ledgers to control accounts. Major financing transactions usually require involvement of the board of directors. Controls over the routine payment of principal and interest are usually subject to the standard internal controls in the expenditure process. Paying dividends requires board of directors’ authorization and is typically handled by an outside transfer agent. Controls over the completeness of transactions involve regular review by the disclosure committee, particularly with respect to accounting for any complex debt or equity security transactions. An independent review of the amortization of bond premiums or discounts also falls within the responsibilities of a disclosure committee. Management maintains subsidiary records of loan balances. It is common for management to establish an independent check of such balances against monthly statements sent by lenders. Public companies usually outsource these transactions to a transfer agent. Often a quarterly or annual reconciliation with the records of a transfer agent provide a key control. 4

Don Whalen, Olga Usvyatsky, and Dennis Tanona, 2017 Financial Restatements, A Seventeen Year Comparison (Audit Analytics: Sutton, MA, 2018).

 Auditing Financing Activities  13-41

However, as noted in the Professional Environment discussion above, many debt or equity transactions may involve complex accounting issues. When convertible debt is issued, converted, repurchased, or paid off, GAAP requirements can be challenging. Entities may engage in interest-rate swaps or other derivative financial instruments that involve complex accounting. In these situations, an entity’s internal control may involve a separate independent review of the accounting for complex transactions. Finally, the disclosure committee should review all financial statement disclosures before they are presented to the auditor. If these controls are not present, control risk should be assessed at high or maximum.

Determining an Audit Strategy Audit strategy is often determined by the nature of the entity and the complexity of the entity’s transactions. If the entity is a public company, the auditor will test controls and follow a reliance on controls approach. If the entity is not a public company, but has complex debt or equity transactions, the auditor may likely test relevant controls prior to determining an audit strategy. If the entity is not a public company, and debt and equity transactions are limited in number and straightforward, the auditor will often follow a primarily substantive approach after understanding the controls that the entity has placed in operation. For example, a small, private company may have a small number of loans, and confirming loans, loan covenants, and other terms of the loan may be a simple process.

Substantive Tests of Long-Term Debt Illustration 13.18 shows a list of possible substantive tests of long-term debt balances together with the specific audit objectives to which each test relates. The auditor relies primarily on (1) direct communication with outside independent sources, (2) review of documentation, and (3) recomputations to obtain sufficient appropriate evidence about the assertions pertaining to long-term debt balances. Each of the substantive tests is explained in the following sections.

ILLUSTRATION 13.18  Substantive tests for long-term debt

Category Initial procedures

Substantive Test 1. Obtain an understanding of the business and industry and determine:

Assertions All

a. The significance of various sources of financing (debt and equity) to the entity. b. Key economic drivers that influence the entity’s need for financing and its ability to service the cost of debt. c. Industry standards for the extent to which the industry uses debt and equity financing and the impact of debt on earnings. d. The degree to which the entity has used operating leases and finance leases to finance assets. 2. Perform initial procedures on long-term debt balances and records that will be subject to further testing. a. Trace beginning balances for long-term debt accounts to prior year’s working papers.

Existence, Completeness

b. Review activity in all long-term debt and related income statement accounts and investigate entries that appear unusual in amount or source. c. Obtain client-prepared schedules of long-term debt and determine that they accurately represent the underlying accounting records from which prepared by:

Valuation and allocation

   i. Footing and cross-footing the schedules and reconciling the totals with increases or decreases in related subsidiary and general ledger balances. ii. Testing agreement of items on schedules with entries in related subsidiary and general ledger accounts. (continued)

13-42  C h a pte r 13  Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts) ILLUSTRATION 13.18   (continued)

Category Analytical procedures

Substantive Test

Assertions

3. Perform analytical procedures:

All

a. Calculate appropriate debt ratios (see Illustration 13.17). b. Analyze ratio results relative to expectations based on prior year, budget, industry, or other data.

Tests of details of transactions

Tests of details of balances

4. Vouch a sample of entries in long-term debt and related interest expense accounts.

Occurrence, Accuracy, Cutoff, Classification

5. For bonds, confirm the balance and transactions with the bond trustee.

Occurrence, Accuracy, Completeness

6. Scan the cash receipts journal for large, unusual cash receipts.

Completeness

7. Confirm interest expense and recalculate as necessary.

Occurrence, Accuracy, Cutoff

8. Inspect authorizations and contracts for long-term debt.

Existence

9. Confirm debt with lenders and bond trustees.

Existence, Completeness, Valuation and allocation, Rights and obligations

Presentation 10. Compare statement presentation with GAAP. and disclosure 11. Determine that long-term debt balances are properly identified and classified in the financial statements.

Occurrence and rights and obligations Classification and understandability

12. Determine the appropriateness of disclosures concerning all terms, covenants, and retirement provisions pertaining to long-term debt.

Accuracy and valuation, Occurrence and rights and obligations

13. Evaluate the completeness of presentation and disclosures for long-term debt in drafts of financial statements to determine conformity to GAAP by reference to disclosure checklist.

Completeness

14. Read disclosures and independently evaluate their understandability.

Classification and understandability

Initial Procedures As shown in Illustration 13.18, the familiar initial procedures are applicable to long-term debt balances. It is important to obtain an understanding of the business and industry, determine the entity’s need for external financing, and determine the entity’s ability to service debt. Because financing is so clearly linked to investing activities, the auditor may perform these procedures together. For example, the same auditor may be assigned to audit purchases of plant, and equipment, long-term debt, various lease agreements, and equity. The schedules associated with long-term debt may include separate schedules of long-term notes payable to banks, obligations under finance leases, and listings of registered bondholders prepared by bond trustees.

Substantive Analytical Procedures An important part of auditing long-term debt is determining that the financial information subjected to audit is consistent with the auditor’s expectations. The earlier discussions regarding knowledge of the entity and its environment and analytical procedures addressed procedures the auditor might perform to assess the reasonableness of financial statement information regarding long-term debt and interest expense (Illustration 13.17). As part of the auditor’s responsibilities with respect to evaluating whether an entity is a going concern (discussed further in Chapter 14), the auditor will evaluate the entity’s ability to generate sufficient cash flow to meet commitments regarding interest expenses, debt maturities, and debt covenants. When performing substantive analytical procedures, the auditor should maintain an appropriate level of professional skepticism and investigate abnormal results.

 Auditing Financing Activities  13-43

Tests of Details of Transactions For notes payable, the auditor will normally vouch transactions to the cash receipts or cash disbursements journal. Payments on principal of long-term debt can be verified by an examination of vouchers and canceled checks. Payments in full can be validated by an inspection of the canceled notes. When installment payments are involved, their propriety can be traced to repayment schedules and supporting documentation from banks. For bonds, the auditor should confirm transactions and the ending balance with the bond trustee. When bond interest is paid by an independent agent, the auditor should examine the agent’s reports on payments. Issuances of debt instruments should be traced to the cash receipts journal. Bonds may also be converted into stock. Evidence of such transactions is available from the bond trustee or the transfer agent. The vouching of entries to long-term debt accounts and underlying documentation provides evidence about the occurrence of transactions and the existence of debt, accuracy and valuation, cutoff, and classification. The auditor will often test completeness by reviewing the cash receipts journal for large transactions. Completeness is also tested by tests of balances in the form of confirmation with banks, a bond trustee, or transfer agent. Evidence of interest expense and accrued interest payable is easily obtained by the auditor as part of a bank or loan confirmation. If interest expense is not confirmed, and internal controls are strong, the auditor may perform analytical procedures to estimate interest expense using the average loan balance outstanding times the interest rate. If internal controls are weak, the auditor may reperform the client’s interest calculations and trace interest payments to supporting vouchers, canceled checks, and confirmation responses. Accrued interest, in turn, is verified by identifying the last interest payment date and recalculating the amount booked by the client. Illustration 13.19 shows an example working paper related to the audit of notes payable and related interest payable.

ILLUSTRATION 13.19  Notes and interest payable working paper Client: New Millennium Ecoproducts                  Bell & Bowerman, LLP           Long-Term Debt Payable and Accrued Interest            Reference: G - Lead            

  Prepared by: W.C.B. Reviewed by: R. E. Z.

Date: 2/5/23 Date: 2/12/23

Period-end: 12/31/22                           Notes Payable Account Title 5% note payable to Sunriver National Bank (a) Due $100,000 per year to 7/3/24 (b) 4% note payable to First Trust Company Due $100,000 per year to 7/3/24

Balance 12/31/21

Borrowing

$300,000 (c) $



$300,000 (✓)

Payments

Interest Payable Balance 12/31/22

Balance 12/31/21

$100,000 (f) $200,000 (d)

$7,500

$250,000

$100,000

$450,000

$7,500

(✓)

(✓)

(✓✓)

(✓)

(c) $250,000 (g)

$250,000 (d)

$ –

Payments

(c) $12,500 (e)

$15,000

$ –

$2,500

$15,000

$15,000

$7,500

(✓)

(✓)

(✓✓)

(c) $   2,500 (e)

(a) Long-term investments in securities portfolio are pledged as security for the loan. See confirmation received from bank W/P A-4. (b) Land and building pledged as security for the loan. See confirmation received from First Trust Co. W/P A-5. (c) Agreed to general ledger and 12/31/21 working papers. (d) Agreed to general ledger at 12/31/22. (e) Recomputed interest expense with no exception. (f) Vouched payment to cash disbursements journal and supporting documentation. (g) Examined copy of note payable agreement and vouched to the cash receipts journal. (✓) Footed. (✓✓) Footed and cross-footed.

Balance 12/31/22

Expense

(f)

$5,000

(d)

(d)

13-44  C h a pte r 13  Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts)

Tests of Details of Balances The authority of an entity to enter into a contractual agreement to borrow money through the issuance or incurrence of long-term debt usually rests with the board of directors. Accordingly, evidence of authorizations should be found in the minutes of board meetings. Normally, the auditor reviews only the authorizations that have occurred during the year under audit because evidence of the authorizations for debt outstanding at the beginning of the year should be in the permanent working paper file. Authorization for the new debt issue should include reference to the applicable sections of the bylaws that pertain to such financing. The inspection of contracts should also include the details of covenants and the entity’s compliance therewith, and the details of obligations under finance leases. The auditor is expected to confirm the existence and terms of long-term debt by direct communication with lenders and bond trustees. Notes payable to banks in which the client has an account are confirmed as part of the confirmation of bank balances. Other notes are confirmed with the holders by separate letter. The existence of mortgages and bonds payable normally can be confirmed directly with the bank or trustee. Each confirmation should include a request for the current status of the debt and current year’s transactions. All confirmation responses should be compared with the records and any differences should be investigated. When bonds were originally sold at a premium or discount, the auditor should review the client’s amortization schedule and verify the recorded amount of amortization by recalculation.

Tests of Details of Presentation and Disclosure In evaluating the appropriateness of the client’s classification and disclosure of long-term debt, the auditor should be aware of the requirements of the applicable financial reporting framework. The procedures of inspecting and reading debt contracts and confirming the terms of debt provide the data for use in the evaluation of note disclosures.

Substantive Tests of Stockholders’ Equity Illustration 13.20 shows a list of possible substantive tests of stockholders’ equity. The auditor relies primarily on (1) direct communication with outside independent sources and (2) review of documentation to obtain sufficient appropriate evidence about the assertions pertaining to stockholders’ equity. Each of the substantive tests is explained in the following sections. ILLUSTRATION 13.20  Substantive tests for stockholders’ equity

Category Initial procedures

Substantive Test 1. Obtain an understanding of the business and industry and determine:

Assertions All

a. The significance of various sources of financing (debt and equity) to the entity. b. Key economic drivers that influence the entity’s need for financing and its ability to obtain equity capital and pay dividends. c. Industry standards for the extent to which the industry uses equity financing. 2. Perform initial procedures on stockholders’ equity balances and records that will be subject to further testing. a. Trace beginning balance for stockholders’ equity accounts to prior year’s working papers.

Existence, Completeness

b. Review activity in stockholders’ equity accounts and investigate entries that appear unusual in amount or source.

Valuation and allocation

c. Obtain client-prepared schedules of changes in stockholders’ equity balances and determine that they accurately represent the underlying accounting records by:

Valuation and allocation

   i. Footing and cross-footing the schedules and reconciling the totals with increases or decreases in related subsidiary and general ledger balances. ii. Testing agreement of items on schedules with entries in related subsidiary and general ledger accounts. (continued)

 Auditing Financing Activities  13-45 ILLUSTRATION 13.20   (continued)

Category Analytical procedures

Substantive Test 3. Perform analytical procedures:

Assertions All

a. Calculate appropriate equity ratios such as the following:      i. Return on common stockholders’ equity.    ii. Equity to total liabilities and equity. iii. Dividend payout.   iv. Sustainable growth rate. 4. Analyze ratio results relative to expectations based on prior year, budget, industry, or other data.

Tests of details of transactions

5. Confirm equity transactions with the company’s registrar/transfer agent.

Occurrence, Completeness, Accuracy, Cutoff, Classification

6. Inspect board of directors’ minutes for authorization of equity transactions.

Completeness

Tests of details of balances

7. Review articles of incorporation and bylaws.

All

8. Review authorizations and terms of stock issues.

Existence, Completeness, Valuation and allocation

9. Confirm shares outstanding with registrar/transfer agent.

Existence, Completeness, Valuation and allocation, Rights and obligations

Presentation 10. Compare statement presentation with GAAP. and a. Determine that stockholders’ equity balances are properly identified and classified in the disclosure financial statements.

Occurrence and rights and obligations, Classification and understandability

b. Determine the appropriateness of disclosures concerning all changes in stockholders’ equity account balances during the period, par or stated values, dividend and liquidation preferences, dividends in arrears, stock option plans, conversion features, and treasury shares.

Accuracy and valuation, Occurrence and rights and obligations

c. Evaluate the completeness of presentation and disclosures for stockholders’ equity in drafts of financial statements to determine conformity to GAAP by reference to disclosure checklist.

Completeness

d. Read disclosures and independently evaluate their understandability.

Classification and understandability

Initial Procedures The auditor should obtain an understanding of the business and industry and determine (1) the entity’s need for external financing and (2) the desirability of using equity financing to support the growth of the entity. Equity financing might be used either to support investing activities or to support needed investments in working capital (e.g., growth in inventories and receivables needed to grow the entity). The schedules referred to in Illustration 13.20 for this group of procedures might include a trial balance of the stockholders’ equity ledger or listings of stockholders supplied by the registrar and transfer agent. The auditor should test the agreement of the data in the schedules with any underlying accounting records and verify that the schedules or subsidiary ledgers agree with general ledger control accounts.

Substantive Analytical Procedures Illustration 13.21 presents several ratios commonly used to evaluate the reasonableness of stockholders’ equity. The financial relationships expressed in these ratios may be helpful in evaluating the reasonableness of stockholders’ equity balances.

13-46  C h a pte r 13  Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts) ILLUSTRATION 13.21   Analytical procedures commonly used to audit stockholders’ equity

Ratio or Other Financial Information

Formula

Audit Significance

Return on common stockholders’ equity

(Net income – Preferred dividends) Average common stockholders’ equity

Provides a measure of the rate of return generated on the common stockholders’ investment. The auditor should understand the competitiveness factors that allow a company to obtain an unusually high return.

Equity to total liabilities and equity

Stockholders’ equity (Stockholders’ equity + Total liabilities)

Provides a reasonableness test of the entity’s proportion of equity that may be compared with prior years’ experience or industry data.

Cash dividends Net income

Auditors would normally expect low dividend payout rates for high-growth companies that need reinvested earnings to fund investments in working capital and long-term assets.

Dividend payout rate

Tests of Details of Transactions The most common equity transactions that may occur on a regular basis are (1) issuing shares when stock options are exercised, (2) repurchasing common stock, and (3) paying dividends. Each of these transactions can be confirmed with the transfer agent who is responsible for maintaining a record of equity transactions and who owns equity securities. In addition, these transactions should also be authorized in the minutes of the board of directors. If a company issues new shares, the auditor should also examine remittance advices and vouch the transactions to the cash receipts journal. The repurchase of common stock or the payment of dividends should also be examined by looking at minutes, disbursement vouchers, and the cash disbursements journal. The auditor should exercise care in determining the propriety of the accounting treatment for conversion of stock warrants, the exercise of stock appreciation rights, or the conversion of debt to equity, as the accounting for these transactions may be complex. The auditor will also vouch all entries to retained earnings such as transactions related to repurchasing common stock and paying dividends. The auditor will also verify the accuracy of closing income statement accounts to retained earnings. The client should furnish support for any prior-period adjustments or any other transactions posted to retained earnings. The auditor should also vouch the occurrence and accuracy of transactions affecting accumulated comprehensive income.

Tests of Details of Balances Copies of the articles of incorporation and the bylaws should be included in the auditor’s permanent working paper file. The auditor should also make inquiries of the client’s legal counsel about changes in either of these documents. As noted above, the auditor will send a confirmation to the company’s transfer agent, confirming the shares authorized, issued, and outstanding at the balance sheet date. Many private companies act as their own transfer agent, and the company or the company’s lawyer will maintain its own records of who owns shares. In these cases, the auditor should examine the stock certificate book to determine that (1) stubs for shares issued and outstanding have been properly filled out, (2) canceled certificates are attached to original stubs, and (3) all unissued certificates are intact. Then the auditor should determine that the changes during the year have been correctly recorded in the individual stockholders’ accounts in the subsidiary ledger. Finally, the auditor should reconcile the total shares issued and outstanding as shown in the stock certificate book with total shares reported in the stockholders’ ledger and capital stock accounts.

Tests of Details of Presentation and Disclosure Financial accounting standards provide that disclosure of changes in the separate accounts comprising stockholders’ equity is required to make the financial statements sufficiently

  Learning Objectives Review  13-47

informative. Often such disclosures are made both in the financial statements and the notes. Disclosures related to the equity section include details of stock option plans, dividends in arrears, par or stated value, and dividend and liquidation preferences. The auditor obtains evidence about the presentation and disclosure assertion from substantive procedures and from a review of the corporate minutes for provisions and agreements affecting the stockholders’ equity accounts. In reviewing the minutes, the auditor should note whether any shares of stock have been reserved for stock options or similar plans, commitments for future issuance of stock in the purchase of or merger with another company, and restrictions limiting dividend payments. Relevant evidence may also be obtained from discussions and communications with legal counsel. When evaluating the appropriateness of the client’s classification and disclosure of stockholders’ equity, the auditor should be alert for some equity instruments used by companies that behave more like debt than equity (e.g., preferred stock with a mandatory redemption date), which therefore should not be classified as stockholders’ equity.

Cloud 9 - Continuing Case Suzie and Josh (audit senior) finalize their plans for financing activities, and they note that in a low-interest-rate environment, Cloud 9 has relied on debt to finance growth and there has been little change in stockholders’ equity. They obtained significant information regarding Cloud 9’s debt agreements as part of the bank confirmation. They plan on using this information to test Cloud 9’s financing arrangements. When it comes to stockholders’ equity,

they plan to confirm shares outstanding with the registrar and transfer agent. They also expect that confirmation with the registrar/transfer agent will provide evidence on stock options exercised during the year. They will then have to look at stock option agreements to vouch these transactions. Dividends declared and paid will be vouched to board of director minutes in addition to information obtained from the registrar and transfer agent.

Before You Go On 4.1 Explain what an auditor should consider when developing an expectation for changes in long-term financing and changes in equity. 4.2 Explain why calculating a company’s sustainable growth might be a good analytical procedure for long-term financing or equity accounts. 4.3 Identify a more complex aspect of auditing stockholders’ equity that auditors should be alert to when considering inherent risk for these long-term financing and equity accounts. 4.4 Explain important internal controls an auditor would expect to find before a company entered into a new loan agreement or it issues new common stock. 4.5 Explain the general audit strategy for auditing long-term debt. 4.6 Explain the general audit strategy for auditing stockholders’ equity.

Learning Objectives Review 1  Evaluate how an auditor determines and executes an

audit strategy for cash and cash equivalents. An auditor normally expects strong internal controls over cash due to its susceptibility to misappropriation. When internal controls are strong, the auditor will normally test internal controls over bank

reconciliations at an interim date as a dual-purpose test. The auditor will also send bank confirmations to confirm bank balances, loan balances, and any assets that might be pledged as collateral. If segregation of duties does not exist, and internal controls are poor, the auditor should evaluate the risk of fraud as high. There is a significant risk associated with fraudulent cash disbursements. As a result, the auditor should plan significant tests of details of cash balances at year-end.

13-48  C h a pte r 13  Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts) Unlike inventory, most of the property, plant, and equipment on hand at the beginning of the year will also be on hand at the end of the year. The auditor will agree beginning balances to prior audited figures and then audit the transactions for the period to arrive at an audited ending balance. As a result, the auditor pays careful attention to internal controls over purchasing new assets, disposing of assets, as well as controls for the professional judgments associated with depreciation estimates and potential asset impairments.

2  Evaluate how an auditor determines and executes

an audit strategy, including the use of ADA, for inventory and cost of goods sold. Inventory is a significant balance sheet account for businesses that manufacture or resell goods. It is important for the auditor to determine internal controls over inventory and understand how the client determines the value of inventory that appears on the balance sheet. Most clients use a perpetual method only to keep track of inventory quantities during the year, while they use a periodic method for valuing inventory. Therefore, the process of auditing inventory is normally a two-step process. The first step involves auditing the quantities of inventory on hand (at interim or as of balance sheet date) by way of observing the client’s inventory counts. The second step involves auditing the client’s method of assigning values to each item in inventory. The auditor should also be alert to the risk that inventory should be marked down to the lower-of-cost-or-net-realizable-value.

4  Evaluate how an auditor determines and executes an

audit strategy for long-term debt and interest expense, and stockholders’ equity. Once an auditor has determined the changes in long-term assets, he or she will determine how those assets were financed (i.e., with debt or equity). A key aspect of auditing long-term debt involves confirmation of the debt with lenders, including any assets pledged as collateral for the loan, other loan restrictions, and the amount of interest expense. A key aspect of auditing stockholders’ equity involves a confirmation with the registrar of the amount of shares outstanding and reviewing board of directors’ authorization for equity transactions, such as the issuance of dividends.

3  Evaluate how an auditor determines and executes an audit strategy, including the use of ADA, for property, plant, and equipment, and depreciation expense.

Key Terms Review Bond trustee Compilation of inventory values Consignment inventory

Investing activities Kiting Transfer agent

Cutoff bank statement Cycle counts Financing activities

Audit Decision-Making Example Background Information You have been assigned to the audit of Tama Manufacturing. In performing substantive analytical procedures, you have developed the following information regarding the company’s production Sales

costs for the year. At year-end, the company shuts down production such that it has only raw materials and finished goods on hand. There is no work-in-process inventory.

Unaudited 2022

Audited 2021

Audited 2020

$12,005,336

$10,291,333

$8,892,132

Cost of raw materials used

$3,539,595

$3,173,333

$2,800,952

Direct labor cost

$1,496,230

$1,364,309

$1,191,009

Cost of payroll taxes and benefits

$480,411

$439,309

$383,184

Indirect costs

$1,309,180

$1,094,931

$962,099

  Total production costs

$6,825,416

$6,071,887

$5,337,244

$330,587

$274,764

$156,577

Beginning inventory Ending inventory

$450,016

$330,587

$274,764

Cost of goods sold

$6,705,987

$6,016,064

$5,219,057

6,873

6,222

5,600

82,429

76,863

70,723

10,000,000

10,000,000

10,000,000

Units produced

8,780,800

7,840,400

7,000,000

Units sold

8,725,500

7,775,000

6,850,100

Units in beginning inventory

415,300

349,900

200,000

Units in ending inventory

470,600

415,300

349,900

Tons of raw material used Direct labor hours Manufacturing capacity

  Multiple-Choice Questions  13-49

Identify Audit Issues

Gather Information and Evidence

You have observed inventory and have verified the ending inventory of 470,600 units. Calculate additional information as you see fit, and determine the nature of any remaining potential audit issues. Your firm has set tolerable misstatement for inventory at $20,000.

You choose to calculate the following additional information.

Gross profit Gross profit margin Inventory turnover in days

Unaudited 2022

Audited 2021

Audited 2020

$5,299,349

$4,275,269

$3,673,075

44.1%

41.5%

41.3%

21.2

18.4

15.1

Number of units produced per ton of raw materials

1,278

1,260

1,250

Number of units produced per direct labor hour

106.5

102.0

99.0

Indirect cost per unit

$0.15

$0.14

$0.14

Cost per unit of ending inventory

$0.96

$0.80

$0.79

Production cost per unit

$0.78

$0.77

$0.76

Sales growth

16.7%

15.7%

Growth of cost of goods sold

11.5%

15.3%

Inventory growth in dollars

36.1%

20.3%

Inventory growth in units

13.3%

18.7%

Analysis and Evaluation of Alternatives

Audit Conclusion

There is some inconsistent information in the analysis above. Tama Manufacturing has consistently been more productive, with an increase in the number of units produced per ton of raw materials and the number of units produced per direct labor hour. The indirect cost per unit has gone up by only $0.01 per unit. Inventory turnover in days is up, and the gross margin has increased by 2.6%. The cost per unit of ending inventory has risen significantly ($0.16 per unit and a 20% increase over the prior year). The average cost of production per unit for the year is $0.77 and yet the cost per unit of ending inventory is $0.96. Why would the cost per unit of ending inventory increase by 20% when the company is more productive?

The valuation and allocation assertion for inventory is significantly at risk of misstatement. Because of Tama’s cost-flow assumptions, the cost of ending inventory is often about $0.03 more than the average cost of production. However, the average cost of ending inventory at the end of fiscal year 2022 is $0.18 more than the average cost of production. A $0.15 per unit difference amounts to a potential overstatement of inventory and understatement of cost of goods sold in the amount of $70,590 ($0.15 × 470,600). The audit team needs to carefully review the underlying calculations for pricing ending inventory, as it is likely that inventory is overstated based on the analysis performed above.

CPAexcel CPAexcel questions and other resources are available in WileyPLUS.

Multiple-Choice Questions 1.  (LO 1)  Which of the following cash transfers results in a misstatement of cash at December 31, 2022? Cash Disbursement Cash Paid Cash Receipt Cash Received per Books by the Bank per Books by the Bank

2.  (LO 1)  Which of the following is one of the better auditing techniques that might be used by an auditor to detect kiting? a.  Review authenticated deposit slips. b.  Review subsequent bank statements and canceled checks received directly from the bank.

a.

12/31/22

1/5/23

12/31/22

1/4/23

b.

12/31/22

1/4/23

12/31/22

12/31/22

c.  P  repare a schedule of bank transfers from the client’s books.

c.

1/4/23

1/4/23

12/31/22

12/31/22

d.

1/3/23

1/5/23

1/4/23

1/4/23

d.  Prepare year-end bank reconciliation.

13-50  C h a pte r 13  Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts) 3.  (LO 1)  When detection risk is low, the auditor is likely to: a.  prepare the bank reconciliation using bank data in the client’s possession or audit the bank reconciliation using a cutoff bank statement obtained from the bank. b.  scan bank reconciliations and test items on bank reconciliations on a sample basis. c.  test the client’s internal controls over the preparation of bank reconciliations. d.  confirm bank balances with the Federal Deposit Insurance Corporation. 4.  (LO 2)  A client maintains perpetual inventory records in both quantities and dollars. If the assessed level of control risk is low, an auditor would probably: a.  insist that the client perform physical counts of inventory items several times during the year. b.  observe the client’s inventory count at an interim date. c.  increase the extent of tests of controls over inventory. d.  request the client to schedule the physical inventory count at the end of the year. 5.  (LO 2)  For which of the following companies would the auditor have the least concern about the existence of inventory? a.  A retail grocer. b.  A computer manufacturer. c.  An oil and gas field equipment manufacturer. d.  A hotel. 6.  (LO 2)  The primary objective of a CPA’s observation of a client’s physical inventory count is to: a.  discover whether a client has counted a particular inventory item or group of items. b.  obtain direct knowledge that the inventory exists and has been properly counted. c.  provide an appraisal of the quality of the merchandise on hand on the day of the physical count. d.  allow the auditor to supervise the conduct of the count to obtain assurance that inventory quantities are reasonably accurate. 7.  (LO 2)  In the audit of inventory, selecting inventory items from a perpetual master file, going to the locations, and obtaining test counts is intended to produce evidence for which audit assertion? a.  Completeness. b.  Rights and obligations. c.  Existence. d.  Valuation and allocation. 8.  (LO 2)  Which of the following would represent the best evidence for testing the net realizable value of inventory? a.  Investigate sales prices on the sale of inventory made after year-end. b.  Vouch inventory prices to vendor invoices at an interim date. c.  Vouch inventory prices to the perpetual inventory. d.  Investigate all prices that have decreased by more than 5% during the year.

9.  (LO 3)  From year one to year two, the ratio of sales to fixed assets declined significantly. This is a possible indication that: a.  the client is overdepreciating fixed assets. b.  the client is capitalizing costs that should be expensed. c.  the client has used debt to finance acquisitions of fixed assets. d.  the client has treated finance leases as operating leases. 10.  (LO 3)  When auditing a fixed asset account such as land, buildings, and equipment, the auditor will normally: a.  vouch the book value of fixed assets to underlying purchase documents. b.  place the greatest emphasis on tests of balances at year-end. c.  trace transactions from receiving documents to recording of the purchase. d.  use a combination of of agreeing beginning balances to prior year working papers and then testing transactions during the year. 11.  (LO 3)  An auditor analyzes repairs and maintenance primarily to obtain evidence in support of the assertion that all: a.  non-capitalizable expenditures have been recorded. b.  expenditures for property and equipment have not been charged to expense. c.  non-capitalizable expenditures for repairs and maintenance have been recorded in the proper period. d.  expenditures for property and equipment have been recorded in the proper period. 12.  (LO 3)  If an auditor performs analytical procedures on rent expense and finds that rent expense has increased 50%, he or she is most likely to perform which of the following additional procedures? a.  Test rent cutoff to determine if all rent has been recorded. b.  Vouch rent payments to underlying documents to determine that all vouchers have receiving reports.  ouch larger items in rent expense in a search for unrecorded c.  V finance leases. d.  Perform tests of controls to ensure that all rent transactions are authorized. 13.  (LO 4)  An auditor’s program to examine long-term debt most likely would include steps that require: a.  correlating interest expense recorded for the period with outstanding debt. b.  comparing the carrying amount of the debt to its year-end market value. c.  v erifying the existence of the holders of the debt by direct confirmation. d.  inspecting the accounts payable subsidiary ledger for unrecorded long-term debt. 14.  (LO 4)  When a client does not maintain its own stock records, the auditor should obtain a written confirmation from the transfer agent and registrar concerning: a.  restrictions on the payment of dividends. b.  guarantees on preferred stock liquidation value. c.  t he number of shares subject to agreements to repurchase. d.  the number of shares issued and outstanding.

 Analysis Problems  13-51

Review Questions R13.1  (LO1)  How can an auditor use results from procedures performed during the control risk assessment phase to affect the nature of substantive testing when testing cash balances? R13.2  (LO1)  Explain the difference between the audit of the processes impacting cash and the substantive testing of the cash balance. How is audit testing for each affected by the outcome of controls testing?

R13.7  (LO3)  Explain the relationship between the repairs and maintenance expense account and the PPE asset account. Why is the auditor interested in examining debits to both accounts when auditing PPE? Explain your answer with reference to the assertions at risk. R13.8  (LO3)  Why is an auditor interested in PPE that is not currently being used or could become idle in the near future?

R13.3  (LO1)  What information is obtained by sending a bank confirmation? Explain the importance of a bank confirmation to the audit of cash balances, including the assertions that are addressed by obtaining a bank confirmation.

R13.9  (LO4)  Explain why completeness is a more critical assertion for long-term debt than for cash, inventory, or PPE. What procedures are primarily designed to address the completeness assertion for longterm debt?

R13.4  (LO2)  In the context of auditing inventory, explain why an audit team cannot use the same combination of audit procedures for every audit.

R13.10  (LO4)  Explain the importance of obtaining confirmations regarding notes payable.

R13.5  (LO2)  How would an auditor test the existence of inventory on hand in a public warehouse? R13.6  (LO2)  Explain the difference between year-end counting of inventory and cycle counts. What conditions should exist at a client that conducts cycle counts and uses the perpetual inventory to value inventory at quarter-end?

R13.11  (LO4)  Explain how an auditor will usually test interest expense when auditing notes payable. R13.12  (LO4)  What considerations apply in determining the appropriate level of detection risk for stockholders’ equity?

Analysis Problems AP13.1  (LO 1)  Basic   Designing audit procedures for cash  Julie is designing the audit program for cash for her client, Onslow Services Corp. (Onslow). Onslow is a property management services company. It deals with six major clients and several smaller clients, each with a number of properties for rent in the central business district of Minneapolis, Minnesota. Onslow finds tenants, conducts credit checks, negotiates tenancy agreements, and arranges cleaning and maintenance services for each property. Onslow has a staff of 15 and operates from an office in downtown Minneapolis. Other than a small petty cash amount, no cash is kept on the premises because rents are directly deposited by the tenants to Onslow’s bank account. After the relevant fees are deducted, Onslow remits the rents monthly to the property owners. These transactions pass through a bank account kept solely for this purpose. In addition, Onslow maintains a trust account (for any client moneys held on trust) and a general operating account (for salaries and other expenses).

Required a.  Advise Julie about the controls over cash that should be maintained by Onslow. b.  Assuming these controls are present and operating effectively, suggest the appropriate substantive procedures for Onslow’s cash balance. AP13.2  (LO 1)  Moderate   Finding fraud related to cash  Patricia Company had poor internal control over its cash transactions. Facts about its cash position at November 30, 2022, were as follows: The cash ledger showed a balance of $18,901.62, which included undeposited receipts which were on hand at November 30. A credit of $100 on the bank’s records did not appear on the books of the company. The balance per bank statement was $15,550. Outstanding checks were #62 for $116.25, #183 for $150, #284 for $253.25, #8621 for $190.71, #8623 for $206.80, and #8632 for $145.28.

13-52  C h a pte r 13  Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts) The cashier subtracted undeposited receipts of $3,794.41 and prepared the following reconciliation: Balance per books, November 30, 2022

$18,901.62

Add: Outstanding checks 8621

$190.71

8623

206.80

8632

145.28

442.79 19,344.41

Less: Undeposited receipts

(3,794.41)

Balance per bank, November 30, 2022

15,500.00

Deducted: Unrecorded credit

100.00

True cash, November 30, 2022

$15,450.00

Required a.  Prepare a working paper showing how much the cashier embezzled. b.  How did the cashier attempt to conceal this theft? c.  Using only the information given, name two specific features of internal control that were apparently lacking.

(AICPA adapted)

AP13.3  (LO 1)  Moderate   Review of client-prepared bank reconciliation  The following clientprepared bank reconciliation is being examined by Kautz, CPA, during an audit of the financial statements of Cynthia Company: Cynthia Company Bank Reconciliation Village Bank Account 2 December 31, 2022 Balance per bank (a)

$ 18,375.91

Deposits in transit (b)   12/30

$1,471.10

  12/31

2,840.69

   Subtotal

4,311.79 22,687.70

Outstanding checks (c)   837   1941

6,000.00 671.80

  1966

320.00

  1984

1,855.42

  1985

3,621.22

  1987

2,576.89

  1991

4,420.88

   Subtotal

(19,466.21) 3,221.49

NSF check returned 12/29 (d)

200.00

Bank charges (e)

550.00

Error check No. 1932 (f)

148.10

Customer note collected by the bank   ($2,750 plus $275 interest) (g) Balance per books (h)

(3,025.00) $ 1,094.59

Required Indicate one or more auditing procedures that should be performed by Kautz in gathering evidence in support of each of the items (a) through (h) above. (AICPA adapted)

AP13.4  (LO 1)  Moderate   Bank transfer schedule, kiting  LMN Company has a June 30 year-end and maintains three bank accounts: City Bank–Regular, City Bank–Payroll, and Metro Bank–Special.

 Analysis Problems  13-53 Your analysis of cash disbursements records for the period June 23 to July 6 reveals the following bank transfers: Check No.

Date of Check

Bank Drawn On

Payee

Amount

2476

June 23

Regular

Payroll

$100,000

2890

June 25

Regular

Payroll

200,000

3140

June 28

Regular

Special

100,000

A1006

June 29

Special

Payroll

50,000

A1245

June 30

Special

Regular

25,000

3402

June 30

Regular

Special

125,000

You determine the following facts about each of the first five checks: (1) the date of the cash disbursements journal entry is the same as the date of the check, (2) the payee receives the check two days later, (3) the payee records and deposits the check on the day it is received, and (4) it takes five days for a deposited check to clear banking channels and be paid by the bank on which it is drawn. Check 3402 was not recorded as a disbursement until July 1. This check was picked up by the payee on the date it was issued, and it was included in the payee’s after-hours bank deposit on June 30.

Required a.  What are the purposes of the audit of bank transfers? b.  Prepare a bank transfer schedule as of June 30 using the format shown in Illustration 13.3. c.  Prepare separate adjusting entries for any checks that require adjustment. d.  In the reconciliation for the three bank accounts, indicate the check numbers that should appear as (1) an outstanding check or (2) a deposit in transit. e.  Which check(s) may be indicative of kiting? AP13.5  (LO 1)  Moderate   Research   Proof of cash  Look up and watch a YouTube video on “proof of cash.”

Required Answer the following questions. 1.  Explain how a proof of cash differs from a bank reconciliation. 2.  If internal controls are weak and segregation of duties are poor, what benefits are obtained by performing a proof of cash versus a bank reconciliation? 3.  Does performing a proof of cash eliminate the need to perform tests of transactions for cash receipts and cash disbursements? AP13.6  (LO 2)  Moderate   Inventory valuation  The following is a copy of the auditor’s working paper for auditing inventory balances for the client Zack’s Electrical Supply. It shows the details of the net realizable value (NRV) tests. Client: Zack’s Electrical Supply

Bell & Bowerman, LLP

Prepared by: R.E.J.

Date: 2/8/23

Period-end: 12/31/22

Reference  F07

Reviewed by: L.E.W.

Date: 2/16/23

F07 – NET REALIZABLE VALUE TESTING [A] Sample Item Number Code Description Category

[B]

[B/A = C]

Quantity Total in Inventory Inventory Value

[D]

Unit Price

TM/Ref

[E]

[D − E − C]

Selling Price Distribution per Unit Costs? TM/Ref

Variance

Allowance Amount Needed? ($000) Comments

Key item 700025 switches etc…

Purchased goods

2,000

$10,000

$ 5

SL

$ 33

1



$ 27

No



$(121)

Representative sample 1

701442 routers

Purchased goods

25,000

$13,500,000

$540

SL

$420

1



Yes

$(3,250)

3

800245 fuses

Purchased goods

440

7,000

16

SL

28

1



11

No



4 5

800347 covers etc…

Purchased goods

288

4,200

15

SL

45

1



29

No



Key to audit tick marks:

✓  Agrees to supporting documentation of sales invoices posted after year-end. Comments:

None (no error detected, exception noted was correctly provided for by the company).

13-54  C h a pte r 13  Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts)

Required a.  Why does an auditor test for NRV? b.  Find the details of the inventory items selected for NRV testing. What is a “key item”? Explain how the auditor has decided whether or not the inventory items should be shown at NRV or cost. c.  Are any inventory items to be written down to NRV in this example? If so, by how much? AP13.7 (LO 2)  Moderate   Evaluation of internal controls—raw materials inventory  You have been engaged by the management of Alden, Inc. to review its internal controls over the purchase, receipt, storage, and issue of raw materials. You have prepared the following comments that describe Alden’s procedures: 1.  Raw materials, which consist mainly of high-cost electronic components, are kept in a locked storeroom. Storeroom personnel include a supervisor and four clerks. All are well-trained, competent, and adequately bonded. Raw materials are removed from the storeroom only on written or oral authorization of one of the production managers. 2.  There are no perpetual inventory records; therefore, the storeroom clerks do not keep records of goods received or issued. To compensate for the lack of perpetual records, inventory is counted monthly by the storeroom clerks, who are well-supervised. Appropriate procedures are followed in making the inventory count. 3.  After the physical count, the storeroom supervisor matches quantities counted against a predetermined reorder level. If the count for a given part is below the reorder level, the supervisor enters the part number on a materials requisition list and sends this list to the accounts payable clerk. The accounts payable clerk prepares a purchase order for a predetermined reorder quantity for each part and mails the purchase order to the vendor from whom the part was last purchased. 4.  When ordered materials arrive at Alden, they are received by the storeroom clerks. The clerks count the merchandise and agree the counts to the shipper’s bill of lading. All vendors’ bills of lading are initialed, dated, and filed in the storeroom to serve as receiving reports.

Required Describe the deficiencies in internal control and recommend improvements in Alden’s procedures for the purchase, receipt, storage, and issue of raw materials. Organize your answer sheet as follows: Deficiency

Recommended Improvements

(AICPA adapted)

AP13.8  (LO 2)  Moderate   Inventory  Brompton Hardware runs a network of small hardware retail outlets across the state. All sales are paid by cash or credit card, and are processed through electronic cash registers. A wide range of goods are held in inventory by the stores, meaning that the business deals with a large number of suppliers. All goods are purchased on credit with varying terms, depending on the supplier. Invoices are paid by check after a package of documen ts is collated and approved for payment. Ordering of goods and subsequent payments are processed by the central office with delivery direct from supplier to the stores—no central warehouse is used. Brompton uses a perpetual stock system to track inventory quantities and conducts test counts at regular periods throughout the year.

Required a.  What controls would you expect to see over inventory movements at the local store level and the central office? b.  Explain how you would audit the physical inventory count for Brompton Hardware. What details would you focus on most? AP13.9  (LO 2)  Moderate   ADA   Inventory data analytics  An auditor is conducting an audit of the financial statements of a wholesale cosmetics distributor with an inventory consisting of thousands of individual items. The distributor keeps its inventory in its own distribution center and two public

 Analysis Problems  13-55 warehouses. An inventory database is maintained and updated after each transaction. The database contains the following information: 1.  Item number. 2.  Location of item. 3.  Description of item. 4.  Quantity on hand. 5.  Cost per item. 6.  Date of last purchase. 7.  Date of last sale. 8.  Quantity sold during year. The auditor is planning to observe the distributor’s physical count of inventories as of an interim date. The auditor will have access to the inventory as of the date of the physical count and will use a general-purpose audit software package.

Required The auditor is planning to perform inventory substantive tests. Identify the inventory tests and describe how the use of audit software and the database might be helpful to the auditor in performing such tests. Organize your answer as follows: How Audit Software and Data Analytics Might Be Helpful for Substantive Tests

Inventory Substantive Test 1. Observe the physical count, making and recording test counts when applicable.

1. Determine which items are to be test-counted by selecting a random sample of a representative number of items from the inventory file as of the date of the physical count. (AICPA adapted)

AP13.10  (LO 3)  Basic   PPE additions and disposals  The following is a copy of the auditor’s working paper for auditing additions and disposals relevant to the balance of property, plant, and equipment (PPE) for the client New Millennium Ecoproducts. Client: New Millennium Ecoproducts

Bell & Bowerman, LLP

Prepared by: W.C.B. Date: 2/4/23

Period-end: 12/31/22

Reference  K02

Reviewed by: R.E.Z.

K02 – Additions and Disposals

Date: 2/12/23

Currency unit: $000 Section 1: Additions Asset Code Description 700025 N/A

Depreciation Starting Date TM/Ref

Category

Delivery van (15)

Equipment

CPX 120

Asset under construction

Section 2: Disposals

AssetLife (years) Amount

TM/Ref

5/1/22

(c)

10

$2,750



N/A

(c)

N/A

$ 500



Asset Code

Description

Category

Gross Book Value

Accumulated Depreciation

Net Book Value

Selling Price

TM/Ref

Gain/(Loss) on Disposal

600662

Delivery van

Equipment

$350

$280

$70

$75



$5

Key to audit tick marks: ✓  Agrees to purchase invoice.

✓  Agrees to sales invoice and receipt of payment.

(c)  Depreciation starting date appears reasonable. Comments: •  No issue from testing of additions. •  Gain on disposal of item tested is not material and confirms relevance of depreciation rate used by company.

13-56  C h a pte r 13  Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts)

Required a.  What assertions are relevant to additions and disposals of PPE? b.  Find the details of the additions. Explain the difference between the two items, particularly with respect to depreciation. c.  Find the details of the disposal. How much was the gain on sale? Why is the auditor interested in the amount of the gain? Explain the comment by the auditor about the disposal in the working paper.

AP13.11  (LO 3)  Moderate   Substantive testing of PPE  Fabrication Holdings Inc. (FH) has been a client of KFP LLP for many years. You are an audit senior and have been assigned to the FH audit for the first time for the financial year-end June 30, 2022. During March 2022, you are completing the risk assessment for PPE, which is one of FH’s most material accounts. You are also aware that FH has made a large investment in a new manufacturing process to place itself in a more competitive position. Your analytical procedures indicate an increase in acquisitions of PPE.

Required a.  What is the key assertion at risk for the PPE additions? Why is it at risk? Explain. b.  Identify the relevant substantive tests of details that would be appropriate to address the assertion at risk identified in (a) above. c.  How would your answers to the previous questions change if the PPE additions had been manufactured in-house by FH’s engineers and toolmakers, rather than purchased? AP13.12  (LO 4)  Challenging   Substantive tests, assertions, and types of evidence for financing activities  The following transactions and events relate to financing transactions at Weber Inc.   1.  Declare cash dividend on common stock.   2.  Issue bonds.   3.  Pay bond interest.   4.  Purchase 500 shares of treasury stock.   5.  Pay cash dividend declared in 1 above.   6.  Issue additional common stock for cash.   7.  Accrue bond interest payable at year-end.   8.  Redeem outstanding bonds.   9.  Establish appropriation for bond retirement. 10.  Announce a two-for-one stock split.

Required a.  Identify the substantive test that should verify each transaction or event. b.  For each test, indicate the financial statement assertion(s) to which it pertains. c.  Indicate the source of evidence obtained from the substantive test (i.e., outside party, client-generated, auditor personal knowledge or observation, documented, oral. (Use a tabular format for your answers with one column for each part.) AP13.13  (LO 4)  Moderate   Substantive tests and disclosures for long-term debt  Andrews, CPA, has been engaged to audit the financial statements of Broadwall Corporation for the year ended December 31, 2022. During the year, Broadwall obtained a long-term loan from a local bank pursuant to a financing agreement that provided that the: 1.  Loan was to be secured by the company’s inventory and accounts receivable. 2.  Company was to maintain a debt-to-equity ratio not to exceed 2:1. 3.  Company was not to pay dividends without permission from the bank. 4.  Monthly installment payments were to commence July 1, 2022. In addition, during the year the company borrowed from the president of the company, on a short-term basis, including substantial amounts just prior to the year-end.

 Audit Decision Cases  13-57

Required a.  For purposes of Andrews’ audit of the financial statements of Broadwall Corporation, what substantive tests should Andrews employ in examining the described loans? Do not discuss internal control. b.  What are the financial statement disclosures that Andrews should expect to find with respect to the loans from the president? (AICPA adapted)

AP13.14  (LO 4)  Moderate   Confirmation of stock outstanding  You are engaged in doing the audit of a corporation whose records you have not previously audited. The corporation has both an independent transfer agent and a registrar for its capital stock. The transfer agent maintains the record of stockholders, and the registrar checks that there is no over-issue of stock. Signatures of both are required to validate certificates. It has been proposed that confirmations be obtained from both the transfer agent and the registrar as to the stock outstanding at the balance sheet date. If such confirmations agree with the books, no additional work is to be performed as to capital stock.

Required If you agree that obtaining the confirmations as suggested would be sufficient in this case, give the justification for your position. If you do not agree, state specifically all additional steps you would take and explain your reason for taking them. (AICPA adapted)

Audit Decision Cases Mobile Security, Inc. Question C13.1 is based on the following case. Mobile Security, Inc. (MSI) has been an audit client of Leo & Lee, LLP for the past 12 years. MSI is a small, publicly traded aviation company based in Cleveland, Ohio, where it manufactures hightech unmanned aerial vehicles (UAV), also known as drones, and other surveillance and security equipment. MSIʼs products are primarily used by the military and scientific research institutions, but there is growing demand for UAVs for commercial and recreational use. MSI must go through an extensive bidding process for large government contracts. Because of the sensitive nature of government contracts and military product designs, both the facilities and records of MSI must be highly secured. In October 2022, MSI installed a new cloud-based inventory costing system to replace a system that had been developed in-house. The old system could no longer keep up with the complex and detailed manufacturing costing process that provides information to support competitive bidding. MSIʼs IT department, together with the consultants from the software company, implemented the new inventory costing system which went live on December 1, 2022. Key operational staff and the internal audit team from MSI were significantly engaged in the selection, testing, training, and implementation stages. C13.1  (LO 2)  Challenging   ADA   Public Company   Substantive testing of inventory a. Gather information: What inventory items would you expect to see in MSIʼs accounts? How would the cost of each item be calculated? b.  Analysis: Suggest substantive procedures for each account balance assertion that you would use in the audit of inventory for MSI. c. Analysis: What are the implications, if any, of the new inventory costing system for planned uses of audit data analytics as a substantive test?

13-58  C h a pte r 13  Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts)

Circuits Technology, Inc. This case has two phases. Question C13.2 is based on Phase I. Question C13.3 is based on Phase II.

Phase I: Company History and Background You are about to begin the audit of Circuits Technology Inc. (CTI) for the year ended December 31, 2022. CTI resells, installs, and provides computer networking products (client software, and gateway hardware and software) to other businesses. Jessica Freeman founded the business in the late 1990s and grew the business to a stable and profitable enterprise in a major metropolitan area. Jessica owns 60% of the business and four other shareholders (a brother, a sister, her father, and a friend) own 10% each. The minority shareholders contributed capital to the company when it was getting started and the owners make up the board of directors. They usually meet only once a year to discuss dividends to be declared. During the rest of the year, the minority owners leave the day-to-day management decisions to Jessica, who also has controlling interest in the company. The business grew rapidly in the first five years and then it settled into a steady performance mode. In 2011, during its growth stage, Jessica was approached about merging the business with a larger company, but she decided that she did not want to merge the company, even if it meant limiting the growth of the business. CTI was her baby. Jessica enjoyed being CEO, she knew the business inside and out, and she did not want to be subordinate to someone else. The business was organized as a Subchapter S Corporation and it was distributing a nice return to shareholders, so family members and friends were happy with her decisions. Jessica had her fingers in every aspect of the business and she was boss. CTI performed solidly until 2019. Then the entire industry became much more competitive. A significant portion of the demand that had been generated by cloud computing had been met, competition increased, and the steady business slowed down such that cash flow did not come as easily. Jessica and her sales staff had to work harder to close deals as the industry became more competitive. Rob Kaiser, the CFO, began complaining about Jessica’s increasing intrusion into the company’s finances in late 2020. During the period of steady performance, he and Jessica met quarterly to discuss the company’s performance and finances. They would go over the entity’s operating performance, its investing activities, and cash management; the primary focus of attention was the annual distribution of earnings to shareholders. On occasion, Jessica would want to structure a client contract in a particular way, or she would come in and insist on an additional discount for a particular customer, but Jessica generally let Rob manage the finances of the business. Now things had changed, particularly in the competitive environment where there were numerous vendors chasing each customer. Jessica regularly discussed the accounting for particular transactions. It was not uncommon for Jessica to come in and tell someone in accounting to change a sales invoice to offer a particular price discount to a customer. Further, there were often heated discussions between Rob and Jessica over the monthly financial statements. Jessica knew the business and sometimes would not accept his explanations for draft financial statements that showed performance falling below Jessica’s expectations. She had built the business, was involved in key decisions, and she knew what profit margins should result. For example, gross margins should not fall below 52% as they did in 2019. In her view, this was due to problems in the accounting system. In some cases, Jessica was correct. Accounting was not a high priority. The first priority had to be sales and customer satisfaction. Jessica swallowed hard when she had to hire Rob, but it was clear that it would be more cost-effective to hire someone in-house to manage finances than to subcontract to a CPA firm. However, accounting never had a significant budget. It could invest in technology and software, but it was always several people short of full staffing for the accounting system. Rob and his two salaried employees were cross-trained on most aspects of the accounting system, and everyone worked long hours. As a result, errors happened. The previous audit detected problems in the purchasing process and some vendors’ invoices had been paid twice. These problems usually surrounded rush purchases for clients where the vendor was asking for significant upfront payments. The auditors also noted some cutoff problems in sales and purchases, and proposed an audit adjustment to the allowance for doubtful accounts. In Rob’s opinion, this was the result of his department being stretched too thin. In recent years, Jessica has paid considerable attention to the financial performance in the last two quarters of the year. Her major concern has focused on the company’s profitability and ability to pay shareholder distributions. During the year-end close last year, Jessica stopped by Rob’s office daily to ask about the journal entries being made that day and their impact on earnings. This just added to the pressure on Rob to “get the job done.” Rob was also concerned about managing the relationship with First State Bank. Over the years, the business relationship changed from one where CTI had significant deposits with First State Bank and used occasional seasonal borrowing, to one where the line of credit has not been retired in the last 18 months. First State Bank, which had previously been satisfied with reviewed financial statements, now

 Audit Decision Cases  13-59 requested audited financial statements. Further, First State Bank established the following debt covenants. •  Dividends are restricted to 90% of net income. •  CTI must keep a minimum current ratio of 2.50:1. •  CTI must keep a minimum quick ratio of 1.2:1. •  CTI’s debt-to-equity ratio cannot exceed 1.00:1. Rob keeps a tight control on cash. An independent bank reconciliation is performed monthly. Further, Rob closely tracks when vendor payments are due. With the exception of 2020, he has been able to keep the accounts payable turnover somewhere between 30 and 38 days. Rob would like to collect receivables faster, but the nature of the company’s service, which involves installation of hardware and software to the customer’s satisfaction, results in collection periods approaching 90 days. The company does not rely on programmed control procedures to monitor individual transactions. CTI does not have the staff to follow up on exception reports that might be generated by the accounting system. The primary controls in place involve Rob’s independent review of transactions on a monthly basis. In addition, Jessica keeps a close eye on revenues, expenses, and profit margins, and she demands explanations from Rob when actual results deviate from her expectations. C13.2  (LO 2)  Challenging   Risk assessments and substantive tests for inventory a.  Evaluate the effectiveness of CTI’s control environment. b.  Assess risk at the financial statement level. 1.  Evaluate inherent risk at the financial statement level. 2.  Evaluate the risk of fraud. Specifically, consider each aspect of the fraud triangle; (i) incentives and pressures, (ii) opportunity, and (iii) attitudes and rationalization. c.  What is the potential for the effectiveness of the management performance reviews performed by Rob and Jessica with respect to the following assertions? 1.  Existence of inventory. 2.  Valuation of inventory and cost of sales. d.  Prepare a letter with any internal control recommendations that you have for management. Each specific recommendation should describe the current system, explain the risk involved, and make specific recommendations for improvement. You may assume that issues have already been discussed with management regarding the audit adjustments found in prior audits, so focus your attention on other issues that are of concern to you.

Phase II CTI prices its inventory at FIFO. You select a random sample of 35 items for price testing and find the following results as of year-end 2022. The total book value of inventory is $1,027,000. You should assume that errors exist in the unsampled portion of the population in the same proportion that they exist in the sample. Quantity per Auditor

Price per Auditor

Inventory Cost per Auditor

7,512.00

6

$1,252.00

$ 7,512.00

$

5,100.00

4

$1,275.00

$ 5,100.00

$

8,953.00

7

$1,279.00

$ 8,953.00

$2,200.00

$ 17,600.00

8

$1,200.00

$ 9,600.00

3

$1,400.00

$

4,200.00

3

$1,400.00

$ 4,200.00

8

$1,410.00

$ 11,280.00

8

$1,410.00

$11,280.00

11609

4

$1,400.00

$

5,600.00

4

$1,400.00

$ 5,600.00

11877

9

$ 810.00

$

7,290.00

9

$ 510.00

$ 4,590.00

9

12145

10

$ 750.00

$

7,500.00

10

$ 500.00

$ 5,000.00

10

12413

9

$ 750.00

$

6,750.00

9

$ 750.00

$ 6,750.00

11

12681

8

$ 800.00

$

6,400.00

8

$ 800.00

$ 6,400.00

12

12949

7

$1,800.00

$ 12,600.00

7

$ 800.00

$ 5,600.00

13

13217

4

$2,750.00

$ 11,000.00

4

$1,750.00

Inventory Cost per Client

SKU #

Quantity per Client

Price per Client

1

10001

6

$1,252.00

$

2

10269

4

$1,275.00

3

10537

7

$1,279.00

4

10805

8

5

11073

6

11341

7 8

$ 7,000.00 (continued)

13-60  C h a pte r 13  Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts) (continued)

Price per Client

Inventory Cost per Client

Quantity per Auditor

Price per Auditor

Inventory Cost per Auditor

SKU #

Quantity per Client

14

13485

5

$2,750.00

$ 13,750.00

5

$1,750.00

$ 8,750.00

15

13753

6

$ 800.00

$

4,800.00

6

$ 800.00

$ 4,800.00

16

14021

2

$ 800.00

$

1,600.00

2

$ 800.00

$ 1,600.00

17

14289

3

$ 900.00

$

2,700.00

3

$ 900.00

$ 2,700.00

18

14557

1

$ 900.00

$

900.00

1

$ 900.00

$

19

14825

5

$1,000.00

$

5,000.00

5

$ 900.00

$ 4,500.00

20

15093

18

$1,000.00

$ 18,000.00

18

$1,000.00

$18,000.00

21

15361

16

$1,250.00

$ 20,000.00

16

$1,000.00

$16,000.00

22

15629

14

$1,250.00

$ 17,500.00

14

$1,000.00

$14,000.00

23

15897

9

$2,000.00

$ 18,000.00

9

$1,750.00

$15,750.00

24

16165

5

$2,000.00

$ 10,000.00

5

$1,750.00

$ 8,750.00

25

16433

2

$3,000.00

$

6,000.00

2

$3,000.00

$ 6,000.00

26

16701

8

$ 250.00

$

2,000.00

8

$ 250.00

$ 2,000.00

27

16969

8

$ 275.00

$

2,200.00

8

$ 275.00

$ 2,200.00

28

17237

8

$ 270.00

$

2,160.00

8

$ 270.00

$ 2,160.00

29

17505

15

$ 200.00

$

3,000.00

15

$ 100.00

$ 1,500.00

30

17773

12

$ 400.00

$

4,800.00

12

$ 250.00

$ 3,000.00

31

18041

12

$ 410.00

$

4,920.00

12

$ 250.00

$ 3,000.00

32

18309

11

$ 400.00

$

4,400.00

11

$ 310.00

$ 3,410.00

33

18577

9

$ 410.00

$

3,690.00

9

$ 310.00

$ 2,790.00

34

18845

6

$ 750.00

$

4,500.00

6

$ 650.00

$ 3,900.00

35

19113

4

$ 750.00

$

3,000.00

4

$ 750.00

$ 3,000.00

Total

$264,705.00

900.00

$216,295.00

In addition, you find a journal entry where Rob has capitalized half of December’s payroll for six network installers’ work on two contracts as part of work in progress. The amount of gross payroll amounts to $15,600 plus 35% for the cost of payroll taxes and benefits. The total of payroll included in work in process amounted to $21,060. Further investigation shows that the client was billed for all work performed on those contracts as of December 31, 2022. C13.3  (LO 2)  Challenging   Further risk assessments and substantive tests for inventory a.  Evaluate the implications of the evidence you noted above. 1.  What are the implications of your direct findings for fair presentation in the financial statements? You may assume that it is your best guess that errors found in your sample are representative of errors that would exist in items that you did not sample. 2.  Based on your findings, what additional audit procedures should be performed, if any? b. What additional issues do you want to discuss with company management and the board of directors? Draft your additional management letter comments regarding the issues that you want to discuss with CTI management, and indicate (in the margin) who you would have the conversations with. c. As the auditor for CTI, what conversations or correspondence, if any, should you have with First State Bank?

Brookwood Pines Hospital Question C13.4 is based on the following case. Goodfellow and Perkins LLP is a successful mid-tier accounting firm with a large range of clients across Texas. During 2022, Goodfellow and Perkins gained a new client, Brookwood Pines Hospital, a private, notfor-profit hospital. The fiscal year-end for Brookwood Pines is June 30. You are performing the audit field work for the 2023 fiscal year-end. The field work must be completed in time for the audit report to be signed on August 21, 2023. The balance sheet for Brookwood Pines includes the caption “Property, Plant, and Equipment.” Goodfellow and Perkins has been asked by the company’s management if audit adjustments or

 Audit Decision Cases  13-61 reclassifications are required for the following material items that have been included in or excluded from property, plant, and equipment: 1.  A tract of land was acquired during the year. The land is the future site for expansion of the hospital, which will be constructed in the following year. Commissions were paid to the real estate agent used to acquire the land, and expenditures were made to relocate the previous owner’s equipment. These commissions and expenditures were expensed and are excluded from property, plant, and equipment. 2.  Clearing costs were incurred to make the land ready for construction. These costs were included in property, plant, and equipment. 3.  During the land-clearing process, timber and gravel were recovered and sold. The proceeds from the sale were recorded as other income and are excluded from property, plant, and equipment. 4.  A group of diagnostic machines was purchased under a royalty agreement that provides royalty payments based on how often the machines were used to deliver diagnostics services. The cost of the machines, freight costs, unloading charges, and royalty payments were capitalized and are included in property, plant, and equipment. C13.4  (LO 3)  Challenging   Auditing plant assets a.  Analysis: Identify the relevant assertions for property, plant, and equipment, and indicate the principal substantive tests pertaining to each. b.  Evaluate: Indicate whether each of the items numbered 1 to 4 above requires one or more audit adjustments or reclassifications, and explain why such adjustments or reclassifications are required or not required. Organize your answers as follows:

Item Number

Is Audit Adjustment or Reclassification Required? (Yes or No)

Reasons Why Audit Adjustment or Reclassification Is Required or Not Required

(AICPA adapted)

The Lewis Company Question C13.5 is based on the following case. Lewis Com­pany is a biotechnology company that recently received U.S. Food and Drug Administration (FDA) approval for a new drug that treats Parkinson’s disease. Sales are showing early signs of success. On the wave of this success, Lewis Company acquired a patent for a related drug that is designed to treat Alzheimer’s disease from Brown and Harley, another biotechnology company. Brown and Harley has completed successful animal tests with the patented drug, known as AZH. Now that Lewis has acquired the patent, Lewis will have to take the drug through human trials and obtain FDA approval, a process that could last two to four years. Lewis agreed to pay Brown and Harley $10 million for the patent on February 29, 2022. Brown and Harley’s book value associated with the patent was only $500,000. Lewis acquired the patent from Brown and Harley for $1 million in cash and $9 million in 9%, preferred stock redeemable on February 29, 2026. Lewis accounted for the transaction by debiting an asset account for the patent in the amount of $10 million, with an intent to amortize the patent over 16 years, the remaining legal life of the patent, crediting cash for $1 million and crediting stockholders’ equity accounts for $9 million. C13.5  (LO 4)  Challenging   Auditing financing transactions and balances a. Gather information: What is the economic substance of the patent acquired by Lewis Company? In your opinion, has Lewis Company accurately accounted for the investing side of the transaction? b. Analysis: Describe the audit procedures that you would perform in 2022 to audit the patent. For each procedure, describe how the procedure satisfies the audit of financial statement assertions. c. Gather information: What is the economic substance of the preferred stock issued by Lewis Company? In your opinion, has Lewis Company accurately accounted for the financing side of the transaction? d. Analysis: Describe the audit procedures that you would perform in 2022 to audit the preferred stock. For each procedure, describe how the procedure satisfies the audit of financial statement assertions.

13-62  C h a pte r 13  Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts)

Cloud 9 - Continuing Case Answer the following questions based on the information for Cloud 9 presented in the appendix to this text, as well as the current and earlier chapters. You should also consider your answers to the case study questions in earlier chapters. You have obtained the following information about property, plant, and equipment for Cloud 9. Property, Plant, and Equipment Balance January 31, 2022

Acquisitions

Disposals

Balance January 31, 2023

Property, plant, and equipment

$100,065,433

$9,451,131

$1,813,390

$107,703,174

Assets audited by W&S Partners

$ 78,951,627

$7,468,810

$1,405,165

$ 85,015,272

Assets audited by other auditors

21,113,806

1,982,321

408,225

22,687,902

$100,065,433

$9,451,131

$1,813,390

$107,703,174

Accumulated Depreciation Beginning January 31, 2022

Depreciation Expense

Disposals

Ending January 31, 2023

Accumulated depreciation

$37,803,894

$5,576,162

$1,153,117

$42,226,939

Assets audited by W&S Partners

$29,180,183

$4,383,307

$ 895,992

$32,667,498

Assets audited by other auditors

8,623,711

1,192,855

257,125

9,559,441

$37,803,894

$5,576,162

$1,153,117

$42,226,939

Required

1.  Occurrence of disposals of property, plant, and equipment.

a. You are auditing the acquisition of property, plant, and equipment. Explain the audit procedures to audit the following assertions.

2.  Accuracy of disposals of property, plant, and equipment.

1. Occurrence of acquisitions of property, plant, and equipment. 2.  Accuracy of acquisitions of property, plant, and equipment. 3. Completeness of acquisitions of property, plant, and equipment. b. You are auditing the disposals of property, plant, and equipment. Explain the audit procedures to audit the following assertions.

Stratum

3. Completeness of disposals of property, plant, and equipment. c. How does auditing the disposals of property, plant, and equipment provide evidence related to depreciation expense? d. You select the following sample of acquisitions of property, plant, and equipment. What can you conclude about the acquisitions of property, plant, and equipment from this evidence? Tolerable misstatement for property, plant, and equipment is $1 million.

Book Value of Population

Size of Stratum

Size of Sample

Book Value of Sample

Audited Value of Sample

1

> $750,000

$2,678,016

 4

 4

$2,678,016

$3,143,213

2

$250,000 − $750,000

2,343,151

 6

 3

1,231,576

1,231,576

3

< $250,000

2,447,643

27

10

$7,468,810

932,534

932,534

$4,842,126

$5,307,323

Chapter 14 Completing the Audit The Audit Process Overview of Audit and Assurance (Chapter 1) Professionalism and Professional Responsibilities (Chapter 2) Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4) Identify Significant Accounts and Transactions Make Preliminary Risk Assessments

Set Planning Materiality

Gaining an Understanding of the System of Internal Control (Chapter 6)

Audit Evidence (Chapter 5)

Develop Responses to Risk and an Audit Strategy

Performing Tests of Controls (Chapter 8)

Performing Substantive Procedures (Chapter 9) Audit Sampling for Substantive Tests (Chapter 10)

Auditing the Revenue Process (Chapter 11)

Auditing the Purchasing and Payroll Processes (Chapter 12)

Audit Data Analytics (Chapter 7)

Gaining an Understanding of the Client

Auditing the Balance Sheet and Related Income Accounts (Chapter 13)

Completing and Reporting on the Audit (Chapters 14 and 15) Procedures Performed Near the End of the Audit

Drawing Audit Conclusions

Reporting

14-1

14-2  C h a pte r 14  Completing the Audit

Learning Objectives LO 1 Apply the audit procedures used to search for loss contingencies.

LO 3  Describe engagement wrap-up procedures performed at the conclusion of the audit.

LO 2  Distinguish between the two types of material subsequent events and evaluate what effect they have on the financial statements, if any.

LO 4 Evaluate the going concern assumption for a client. LO 5  Discuss what reporting is required to management and those charged with governance.

Auditing and Assurance Standards PCAOB

Auditing Standards Board

AS 1201  Supervision of the Audit Engagement

AU-C 220  Quality Control for an Engagement Conducted in Accordance with Generally Accepted Auditing Standards

AS 1215 Audit Documentation AS 1220 Engagement Quality Review AS 1301  Communications with Audit Committees AS 2401  Consideration of Fraud in a Financial Statement Audit AS 2415  Consideration of an Entity’s Ability to Continue as a Going Concern AS 2505  Inquiry of a Client’s Lawyer Concerning Litigation, Claims, and Assessments AS 2801  Subsequent Events AS 2805  Management Representations AS 2810 Evaluating Audit Results

AU-C 230 Audit Documentation AU-C 240  Consideration of Fraud in a Financial Statement Audit AU-C 250  Consideration of Laws and Regulations in an Audit of Financial Statements AU-C 260 The Auditor’s Communication with Those Charged with Governance AU-C 450 Evaluation of Misstatements Identified During the Audit AU-C 501 Audit Evidence—Specific Considerations for Selected Items AU-C 520 Analytical Procedures AU-C 560  Subsequent Events and Subsequently Discovered Facts AU-C 570 The Auditor’s Consideration of an Entity’s Ability to Continue as a Going Concern AU-C 580  Written Representations

Cloud 9 - Continuing Case The partner on the Cloud 9 audit, Jo Wadley, has called a meeting with the audit team (Sharon Gallagher, Josh Thomas, and Mark Batten) to discuss the completion of the audit. Jo wants to be sure that she is briefed on all contentious matters so that she can resolve them at the scheduled meetings with Cloud 9’s audit committee and management. Sharon, Josh, and Mark hold a preliminary meeting to prepare for the meeting with the partner. On the agenda are final

evidence and misstatements evaluation, search for loss contingencies, subsequent events procedures and evidence, going concern procedures and assessment, and communication with Cloud 9’s audit committee. What issues have arisen with Cloud 9’s audit? How can they make sure the partner is fully prepared for the meeting with the client’s management?

 Audit Procedures for Loss Contingencies  14-3

Chapter Preview: Audit Process in Focus As the audit is nearing completion, specific procedures must be performed before auditors can draw an overall conclusion on the audit. In this chapter, we discuss audit procedures for loss contingencies, subsequent events, and auditing the going concern assumption. We also describe how auditors revisit key audit planning items, such as materiality, audit risk, and risk of fraud, to determine if their original assessments are still valid or if adjustments are required that may alter the nature and extent of audit procedures. Experienced members of the audit team review working papers to ensure the planned audit procedures have been performed and properly documented. Auditors evaluate the misstatements identified throughout the audit and analyze the effect of uncorrected misstatements on the financial statements as a whole to form the audit opinion. This chapter also reviews other wrap-up procedures including final analytical procedures, engagement quality review, and final assembly of the audit documentation. Prior to issuing the audit report, auditors obtain a representation letter from management and communicate significant findings or issues from the audit to those charged with governance.

Audit Procedures for Loss Contingencies Lea rning Objective 1 Apply the audit procedures used to search for loss contingencies.

Every company, no matter how big or how small, faces risk of events happening today that have consequences in the future. For example, the explosion of the Deepwater Horizon offshore oil rig (operated by BP) in 2010 resulted in worker injuries and fatalities and damage to the environment in the Gulf of Mexico. Many lawsuits against BP followed, and some are still not resolved almost a decade after the incident. What is the proper accounting treatment for a situation like this one in which the company could still be liable to many different groups over an extended period of time? FASB ASC Topic 450, Contingencies, provides accounting guidance for events, or potential events, that create uncertainty for a company. FASB defines a loss contingency as an existing condition or situation involving uncertainty as to possible loss that will ultimately be resolved when one or more future events occur or fail to occur. Some other examples of a loss contingency include income tax disputes with the IRS, guarantees of debt of others, threat of expropriation of assets, and pending or threatening litigation with employees, customers, vendors, or shareholders. To account for a loss contingency, company management must determine the likelihood that the future event will trigger a loss. FASB ASC Topic 450 classifies the likelihood of loss contingencies into three categories: 1.  Probable. The future event is likely to occur. 2.  R  easonably possible. The chance of the future event occurring is more than remote but less than likely. 3.  Remote. The chance of the future event occurring is slight. If management determines the loss contingency is probable and an amount can be reasonably estimated, then the company must record a liability and a related expense or loss and disclose the relevant details of the event in the notes to the financial statements. If the loss contingency is reasonably possible or the amount cannot be reasonably estimated, then only a disclosure in the notes is required. If the likelihood of a loss contingency is remote, then nothing needs to be disclosed in the notes. Since there is no crystal ball to see into the future, you can appreciate that determining the likelihood of a loss contingency occurring and trying to estimate a reasonable amount for a future loss involves significant judgment by management. Therefore, the role of auditors is to

loss contingency  an existing condition or situation involving uncertainty as to possible loss that will ultimately be resolved when one or more future events occur or fail to occur

14-4  C h a pte r 14  Completing the Audit

determine if management’s assessment is reasonable, appropriate liabilities have been ­recorded, and the disclosures are complete. Auditors should carefully consider the completeness assertion for loss contingencies. Management may not be sufficiently objective and could fail to identify loss contingencies or may classify identified contingencies as remote to avoid accruing or disclosing them. Failing to identify one or more material loss contingencies is a material misstatement. During the execution of all phases of the audit, the audit team should be watchful for evidence of any potential loss contingencies. Many of the risk assessment procedures used to gain an understanding of the entity, the industry, and its environment may identify the possibility of loss contingencies. Substantive procedures used when testing account balances and classes of transactions may also bring to light potential loss contingencies. Illustration 14.1 provides examples of audit procedures used during risk assessment and/or risk response that can reveal the potential risk for loss contingencies. ILLUSTRATION 14.1  

Risk assessment and risk response procedures that may identify loss contingencies

Risk assessment and risk response procedures that can reveal the potential risk for loss contingencies: 1.  Confirming with financial institutions, including guarantees of debt of others. 2.  Inspecting the minutes of board of directors’ meetings. 3.  Inspecting contracts, leases, and correspondence from governmental agencies. 4.  Inspecting tax returns and correspondence with the IRS. 5.  Inquiring of management regarding the completeness of recorded liabilities. 6.  Inquiring of client’s legal counsel.

legal letter  an audit inquiry sent to a client’s external and in-house legal counsel to obtain information about litigation, assessments, and claims

ILLUSTRATION 14.2  

Example of legal letter used for Cloud 9 audit

Toward the end of the audit, auditors perform an inquiry procedure specifically designed to gather information about loss contingencies arising from litigation, claims, and assessments. Auditors will communicate directly with the client’s external legal counsel by sending a letter of inquiry, often referred to as a legal letter. If the client has in-house legal counsel responsible for litigation, claims, and assessments, a legal letter will also be sent to the in-house legal counsel. Attorneys and their clients have a privileged relationship. That means attorneys cannot talk about their client’s cases to anyone without permission from the client. Therefore, before auditors can communicate with the client’s legal counsel, client management must give permission to the attorneys to discuss their cases with the auditors. The client grants permission to the attorneys by signing the legal letter. Legal letters are sent to all attorneys the client paid for legal services. AU-C 501 Audit Evidence—Specific Considerations for Selected Items and AS 2505 Inquiry of a Client’s Lawyer Concerning Litigation, Claims, and Assessments provide guidance for the content of the legal letter. The objective of the legal letter is to gather audit evidence regarding the existence of uncertainties arising from litigation, claims, and assessments; the time period in which the cause for the legal action occurred; the probability of an unfavorable outcome for the client; and an estimate of the potential loss. A legal letter used for the Cloud 9 audit is presented in Illustration 14.2, followed by explanations of the bracketed numbers. The format and wording of the letter is dictated by auditing standards, so all auditors will follow the same basic format. [1] Cloud 9 Inc. [2] March 1, 2023 [3] Smith, Day, & Jones 18696 11th Street, Suite 5000 Seattle, WA 95686 To Legal Counsel: [4] In connection with an audit of our financial statements as of January 31, 2023, and for the year then ended, please furnish our auditors, W&S Partners, P.O. Box 525, Seattle, WA 95688, with the information requested below concerning contingencies involving matters with respect to which you have devoted substantial attention on behalf of the company in the form of legal c­ onsultation or representation.

 Audit Procedures for Loss Contingencies  14-5 [5] Regarding pending or threatened litigation, claims, and assessments, please include in your response: (1) the nature of each matter, (2) the progress of each matter to date, (3) how the Company is responding or intends to respond (for example, to contest the case vigorously or seek an out-of-court settlement), and (4) an evaluation of the likelihood of an unfavorable outcome and an estimate, if one can be made, of the amount or range of potential loss. Accordingly, please furnish to our auditors such explanation, if any, that you consider necessary to supplement the foregoing information, including an explanation of those matters for which your views may differ from those of management. [6] We understand that whenever, in the course of performing legal services for us with respect to a matter recognized to involve an unasserted possible claim or assessment that may call for financial statement disclosure, you have formed a professional conclusion that we should disclose or consider disclosure concerning such possible claim or assessment, as a matter of professional responsibility to us, you will so advise us and will consult with us concerning the question of such disclosure and the applicable requirements of FASB ASC 450. Please specifically confirm to our auditors that our understanding is correct. [7] Your response should include matters that existed as of January 31, 2023, and during the period from that date to the effective date of your response. Please specifically identify the nature of and reasons for any limitations on your response. Our auditors expect to have the audit completed about March 15, 2023. They would appreciate receiving your reply by that date with a specified effective date no earlier than March 7, 2023. Sincerely, [8]James W. Harley Chief Executive Officer Cloud 9 Inc. Source: AU-C 501.A69 and AS 2505A.

Sections of the letter in Illustration 14.2 are numbered to correspond with the following explanations: 1. Client letterhead—The legal letter is prepared on the client’s letterhead because the client must grant permission for the attorneys to respond. Auditors oversee the preparation and content of the letter and have control over the mailing and receipt of the letter. 2. Date of the letter—The letter is sent about mid-way through the completion of year-end fieldwork. 3. Name and address of attorneys—A legal letter should be sent to all attorneys the client hired during the year for legal services. Auditors can obtain a listing by inspecting the transactions and invoices related to the client’s legal services expense account. 4. Request for information—This paragraph identifies the financial statements under audit and states a request to supply information directly to the auditors. 5. Response regarding pending or threatened litigation—This paragraph requests that the attorneys provide a list and description of pending or threatened litigation, claims, and assessments. Notice auditors are seeking the attorney’s evaluation of the likelihood of an unfavorable outcome and an estimate, if possible, of the potential loss. 6. Response regarding unasserted claims or assessments—This paragraph requests that the attorneys confirm their responsibility to inform management of situations that may involve possible unasserted claims or assessments that may require disclosure. Notice the reference to the applicable financial reporting framework, which for Cloud 9 is GAAP. 7. Time frame for preparing the response—This paragraph specifies the time parameters for the attorney’s response. The response should include matters that existed at January 31, 2023, and any matters after year-end up to the date of the attorney’s response letter. Ideally, the date of the attorney’s response should coincide with the end of fieldwork, in this case March 15, 2023, or very close to that date. Also, this paragraph requests the attorneys state any reasons for limitations on their response. 8.  Signature—The letter is signed by the client’s chief executive officer.

ILLUSTRATION 14.2  

(continued)

14-6  C h a pte r 14  Completing the Audit

The nature of the legal environment in the United States is such that it could take years for a lawsuit or other action to be settled and/or resolved. Therefore, it may not be possible for the legal counsel to evaluate the time frame of an outcome or a reasonable amount for a loss. In many cases, just disclosure of the pending litigation, rather than accrual in the financial statements, is the appropriate way to account for the uncertainty. (See the following Professional Environment segment for a real-world example.) If the attorneys refuse to respond appropriately to the legal letter, then it is considered a limitation on the scope of the audit, which may impact the opinion in the auditor’s report. If auditors cannot gather sufficient appropriate evidence regarding loss contingencies, then it may not be possible to issue an unmodified opinion. Situations causing modifications to the audit report will be discussed in Chapter 15.

Professional Environment  Litigation Contingencies Large publicly traded companies are under great scrutiny, not only by regulators such as the SEC but also by the public. Therefore, it is no surprise that large companies typically have legal issues in process all the time, such as contract negotiations or disputes with suppliers or customers and hiring or firing issues with employees. A majority of these issues are immaterial to the financial statements as a whole and do not garner public attention through media outlets or disclosure in the financial statements. A common practice by companies is to include a generic disclosure in the financial statements to inform financial statement readers that various legal matters are ongoing. For example, the following statement is from Note 15 in the fiscal year 2017 Starbucks annual report that was filed with the SEC: Starbucks is party to various other legal proceedings arising in the ordinary course of business, including, at times, certain employment litigation cases that have been certified as class or collective actions, but is not currently a party to any legal proceeding that management believes could have a material adverse effect on our consolidated financial position, results of operations or cash flows. A disclosure like this one alerts the public that legal matters are an ordinary part of conducting business, but at the present time there is no expectation that any of the legal matters could have a material impact on the financial statements. Investors can access the annual reports of public companies online and find disclosures similar to this one in the notes of many companies. Starbucks did have a material litigation contingency that was first disclosed in the fiscal year 2011 financial statements. Starbucks and Kraft had entered into a contract in 2004 for Kraft to manage the distribution, marketing, advertising, and promotion of Starbucks products. By the end of 2010, the two parties were in dispute. Starbucks claimed that Kraft materially breached their contract, and therefore Starbucks was discontinuing the distribution agreement. Here is an excerpt from Note 15 of the Starbucks fiscal year 2011 financial statements (emphasis added): While Starbucks believes we have valid claims of material breach by Kraft under the Agreement that allowed us to terminate the Agreement and certain other relationships with Kraft without compensation to Kraft, there exists the possibility of material adverse outcomes to Starbucks in the arbitration or to resolve the matter. At this time, the Company is unable to esti-

mate the range of possible outcomes with respect to the arbitration as we have not received any statement or articulation of damages from Kraft nor have we estimated the damages to Starbucks caused by Kraft’s breaches. Information in this regard will be provided during the discovery process and is currently expected to be available in late March or early April 2012. In the Starbucks fiscal year 2012 financial statements, an update of the dispute with Kraft was provided in Note 15. More information was provided regarding the amount of damages Kraft was seeking, but the dispute had not been resolved by the time the financial statements were issued. Starbucks did not accrue any loss contingencies because it determined the amount of the possible loss could not be reasonably estimated. An excerpt from the note is provided below (emphasis added). Notice the use of the terms from FASB ASC 450, such as “probable” and “reasonably possible.” On April 2, 2012, Starbucks and Kraft exchanged expert reports regarding alleged damages on their affirmative claims. Starbucks claimed damages of up to $62.9 million from the loss of sales resulting from Kraft’s failure to use commercially reasonable efforts to market Starbucks® coffee, plus attorney fees. Kraft’s expert opined that the fair market value of the Agreement was $1.9 billion. After applying a 35% premium and 9% interest, Kraft claimed damages of up to $2.9 billion, plus attorney fees. The arbitration hearing commenced on July 11, 2012 and was completed on August 3. Starbucks presented evidence of material breaches on Kraft’s part and sought nominal damages from Kraft for those breaches. Kraft presented evidence denying it had breached the parties’ Agreement and sought damages of $2.9 billion plus attorney fees. We expect a decision from the Arbitrator in the first half of fiscal 2013. At this time, Starbucks believes an unfavorable outcome with respect to the arbitration is not probable, but as noted above is reasonably possible. As also noted above, Starbucks believes we have valid claims of material breach by Kraft under the Agreement that allowed us to terminate the Agreement without compensation to Kraft. In addition, Starbucks believes Kraft’s damage estimates are highly inflated and based upon faulty analysis. As a result, we cannot reasonably estimate the possible loss. Accordingly, no loss contingency has been recorded for this matter.

  Subsequent Events  14-7 In the Starbucks fiscal year 2013 financial statements, another update of the dispute with Kraft was provided in Note 15. The results from the arbitration were released. When two parties agree to let a dispute be settled with arbitration, the decision from the arbitration is considered final. In other words, there is no appeal process by either party. Here is an excerpt from Note 15, fiscal year 2013: On November 12, 2013, the arbitrator ordered Starbucks to pay Kraft $2,227.5 million in damages plus prejudgment interest and attorney’s fees. We have estimated prejudgement interest, which includes an accrual through

the estimated payment date, and attorneys’ fees to be approximately $556.6 million. As a result, we recorded a litigation charge (expense) of $2,784.1 million in our fiscal year 2013 operating results. The dispute was settled after being disclosed for two years. The outcome was definitely unfavorable for Starbucks since it was ordered to pay cash of $2.2 billion plus interest and attorney’s fees to Kraft. This is a great example of the uncertainty involved with litigation disputes and the subjectivity involved with determining if a potential loss contingency should be accrued or just disclosed.

Cloud 9 - Continuing Case Josh (senior) mailed out the legal letters two weeks prior to the expected completion of fieldwork date. He sent letters to all attorneys that Cloud 9 paid for legal services during the year. All

responses have been received from the attorneys. Based on the responses, there do not seem to be any pending legal issues that would have a material effect on Cloud 9’s financial statements.

Before You Go On 1.1  What is a loss contingency? Provide an example. 1.2  Explain the audit procedures used to identify loss contingencies. 1.3  List three items that are included in a legal letter and explain why each is important.

Subsequent Events Lea rning Objective 2 Distinguish between the two types of material subsequent events and evaluate what effect they have on the financial statements, if any.

The financial statements are prepared by client management on the basis of conditions existing at year-end, which would be December 31 for a calendar-year entity. As you have learned in previous chapters, many of the substantive audit procedures are performed after the year-end date and up through the date of the audit report. How long is this period of time between year-end and the audit report? The answer depends on whether the audit is for a public company or private company. For public companies, the SEC has strict deadlines for the filing of Form 10-K, which is the document that contains the company’s audited annual financial statements. Illustration 14.3 summarizes the SEC’s filing deadlines for Form 10-K. For private companies, the timeline for completion of an audit varies widely, depending on the needs of the users of the financial statements. The most common user of a private company’s financial statements is a bank or other lender. Typically, debt covenants require audited financial statements anywhere from 90–120 days after the ­company’s year-end.

14-8  C h a pte r 14  Completing the Audit ILLUSTRATION 14.3  

Public company filing deadlines for Form 10-K

Category of Filer

Deadline to File

Large accelerated filer ($700 million* or more)

60 days from fiscal year-end

Accelerated filer ($75 million* or more but < $700 million*)

75 days from fiscal year-end

Non-accelerated filer (