Auditing: A Practical Approach with Data Analytics 1119401747, 9781119401742

The explosion of data analytics in the auditing profession demands a different kind of auditor. Auditing: A Practical Ap

3,669 487 6MB

English Pages 736 [733] Year 2019

Report DMCA / Copyright

DOWNLOAD FILE

Polecaj historie

Auditing: A Practical Approach with Data Analytics
 1119401747, 9781119401742

Table of contents :
Cover......Page 1
Title Page......Page 7
Copyright......Page 8
Index......Page 9

Citation preview

Auditing and Assurance Standards PCAOB (Public Company Accounting Oversight Board, pcaobus.org) Standard AS 1015 AS 1101 AS 1105 AS 1201 AS 1205 AS 1210 AS 1215 AS 1220 AS 1301 AS 2101 AS 2105 AS 2110 AS 2201

Title

Due Professional Care in the Performance of Work Audit Risk Audit Evidence Supervision of the Audit Engagement Part of the Audit Performed by Other Independent Auditors Using the Work of a Specialist Audit Documentation Engagement Quality Review Communications with Audit Committees Audit Planning Consideration of Materiality in Planning and Performing an Audit Identifying and Assessing Risks of Material Misstatement An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements AS 2301 The Auditor’s Responses to the Risks of Material Misstatement AS 2305 Substantive Analytical Procedures AS 2310 The Confirmation Process AS 2315 Audit Sampling AS 2401 Consideration of Fraud in a Financial Statement Audit AS 2405 Illegal Acts by Clients AS 2410 Related Parties AS 2415 Consideration of an Entity’s Ability to Continue as a Going Concern AS 2501 Auditing Accounting Estimates AS 2502 Auditing Fair Value Measurements and Disclosures AS 2505 Inquiry of a Client’s Lawyer Concerning Litigation, Claims, and Assessments AS 2605 Consideration of the Internal Audit Function AS 2610 Initial Audits—Communication Between Predecessor and Successor Auditors AS 2801 Subsequent Events AS 2805 Management Representations AS 2810 Evaluating Audit Results AS 2820 Evaluating Consistency of Financial Statements AS 2905 Subsequent Discovery of Facts Existing at the Date of the Auditor’s Report AS 3101 The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion AS 3105 Departures from Unqualified Opinions and Other Reporting Circumstances Ethics and Independence Rules: 3501 Definition of Terms Employed in Section 3, Part 5 of the Rules 3502 Responsibility to Not Knowingly or Recklessly Contribute to Violations 3520 Auditor Independence 3521 Contingent Fees 3522 Tax Transactions 3523 Tax Services for Persons in Financial Reporting Oversight Roles 3524 Audit Committee Pre-approval of Certain Tax Services 3525 Audit Committee Pre-approval of Non-audit Services Related to Internal Control over Financial Reporting 3526 Communication with Audit Committees Concerning Independence

Text Chapter Chapter 3 Chapter 3 Chapters 5, 7, 13 Chapter 14 Chapters 5, 15 Chapters 5, 12 Chapters 5, 8, 14 Chapter 14 Chapters 3, 4, 14 Chapter 3 Chapter 3 Chapters 3, 4, 5, 6, 8 Chapters 1, 6, 8, 15 Chapters 3, 9 Chapter 9 Chapters 5, 11 Chapter 10 Chapters 3, 14 Chapter 4 Chapter 4 Chapters 14, 15 Chapter 9 Chapter 9 Chapter 14 Chapter 5 Chapter 3 Chapter 14 Chapter 14 Chapters 9, 14 Chapter 15 Chapter 15 Chapters 1, 15 Chapter 15 Chapter 2 Chapter 2 Chapter 2 Chapter 2 Chapter 2 Chapter 2 Chapter 2 Chapter 2 Chapter 2

Auditing Standards Board (AICPA, American Institute of Certified Public Accountants, aicpa.org) Standard

Title

Text Chapter

AICPA AICPA AICPA AU-C 200

Audit Guide: Audit Sampling Code of Professional Conduct Guide to Audit Data Analytics Overall Objectives of the Independent Auditor and Conduct of an Audit in Accordance with Generally Accepted Auditing Standards Terms of Engagement Quality Control for an Engagement Conducted in Accordance with Generally Accepted Auditing Standards Audit Documentation Consideration of Fraud in a Financial Statement Audit Consideration of Laws and Regulations in an Audit of Financial Statements The Auditor’s Communication with Those Charged with Governance Communicating Internal Control Related Matters Identified in an Audit Planning an Audit Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement Materiality in Planning and Performing an Audit Performing Audit Procedures in Response to Assessed Risks and Evaluating Audit Evidence Obtained Evaluation of Misstatements Identified During the Audit Audit Evidence Audit Evidence—Specific Considerations for Selected Items External Confirmations Opening Balances—Initial Audit Engagements, Including Reaudit Engagements Analytical Procedures Audit Sampling Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related Disclosures Related Parties Subsequent Events and Subsequently Discovered Facts The Auditor’s Consideration of an Entity’s Ability to Continue as a Going Concern Written Representations Special Considerations—Audits of Group Financial Statements (Including the Work of Component Auditors) Using the Work of Internal Auditors Using the Work of an Auditor’s Specialist Forming an Opinion and Reporting on Financial Statements Modifications to the Opinion in the Independent Auditor’s Reports Emphasis-of-Matter Paragraphs and Other-Matter Paragraphs in the Independent Auditor’s Report Consistency of Financial Statements An Audit of Internal Control That Is Integrated with an Audit of Financial Statements A Firm’s System of Quality Control

Chapter 10 Chapter 2 Chapter 7 Chapters 1, 3

AU-C 210 AU-C 220 AU-C 230 AU-C 240 AU-C 250 AU-C 260 AU-C 265 AU-C 300 AU-C 315 AU-C 320 AU-C 330 AU-C 450 AU-C 500 AU-C 501 AU-C 505 AU-C 510 AU-C 520 AU-C 530 AU-C 540 AU-C 550 AU-C 560 AU-C 570 AU-C 580 AU-C 600 AU-C 610 AU-C 620 AU-C 700 AU-C 705 AU-C 706 AU-C 708 AU-C 940 QC 10

Chapter 3 Chapter 14 Chapters 5, 7, 8, 14 Chapters 3, 9, 14 Chapters 4, 14 Chapters 4, 14 Chapters 6, 8 Chapter 3 Chapters 3, 4, 5, 6, 7, 8, 9 Chapter 3 Chapters 3, 9 Chapters 9, 14 Chapters 5, 7, 13 Chapters 13, 14 Chapters 5, 11 Chapter 9 Chapters 9, 14 Chapter 10 Chapter 9 Chapter 4 Chapters 14, 15 Chapters 14, 15 Chapter 14 Chapters 5, 15 Chapter 5 Chapters 5, 12 Chapters 1, 15 Chapter 15 Chapter 15 Chapter 15 Chapter 15 Chapter 3

WileyPLUS gives you the freedom and flexibility to tailor curated content and easily manage your course to keep students engaged and on track.

When course materials are presented in an organized way, students are more likely to stay focused, develop mastery, and participate in class. WileyPLUS gives students a clear path through the course material. Starting with Wiley’s quality curated content, you can customize your course by setting the pacing of content and even integrating videos, files, or links to relevant material. The easy-to-use, intuitive interface saves you time getting started, managing day-to-day class activities, and helping individual students stay on track.

Customized Content

Interactive eTextbook

Drag-and-Drop Customization

Using the content editor, you can add videos, documents, pages, or relevant links to keep students motivated.

Students can easily search content, highlight and take notes, access instructor’s notes and highlights, and read offline.

Quick reordering of chapters lets you match content to your needs.

Linear Design and Organization

Calendar

Instructor App

The drag-and-drop calendar syncs with other features in WileyPLUS— like assignments, syllabus, and grades—so that one change on the calendar shows up in all places.

You can modify due dates, monitor assignment submissions, change grades, and communicate with your students all from your phone.

Chapters include eTextbook content, videos, and practice questions.

Wileyplus.com/instructors

Auditing A Practical Approach with Data Analytics

First Edition

Raymond N. Johns on PhD, CPA Portland State University Portland, Oregon

Laura D . Wiley PhD, CPA Louisiana State University Baton Rouge, Louisiana

Adapted from Robyn Moroney, Fiona Campbell, and Jane Hamilton, Auditing: A Practical Approach, Third Edition (Wiley, 2016)

Director AND VICE PRESIDENT Michael McDonald SENIOR Acquisitions Editor Emily Marcoux Instructional Design Lead Ed Brislin SENIOR PRODUCT DESIGNER Matt Origoni Marketing Manager Jenny Geiler Editorial Supervisor Terry Ann Tatro EDITORIAL Assistant Kirsten Loose Senior Content Manager Dorothy Sinclair Senior Production Editor Valerie Vargas SENIOR DESIGNER Wendy Lai Cover Image © nikkytok/Shutterstock This book was set in Source Sans Pro by Aptara®, Inc. and printed and bound by Quad Graphics/ Versailles. The cover was printed by Quad Graphics/Versailles. Founded in 1807, John Wiley & Sons, Inc. has been a valued source of knowledge and understanding for more than 200 years, helping people around the world meet their needs and fulfill their aspirations. Our company is built on a foundation of principles that include responsibility to the communities we serve and where we live and work. In 2008, we launched a Corporate Citizenship Initiative, a global effort to address the environmental, social, economic, and ethical challenges we face in our business. Among the issues we are addressing are carbon impact, paper specifications and procurement, ethical conduct ­within our business and among our vendors, and community and charitable support. For more information, please visit our website: www.wiley.com/go/citizenship. Copyright © 2019 John Wiley & Sons, Inc. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc. 222 Rosewood Drive, Danvers, MA 01923, website www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030-5774, (201)748-6011, fax (201)748-6008, website http://www.wiley.com/go/permissions. ISBN-13: 978-1-119-40181-0 The inside back cover will contain printing identification and country of origin if omitted from this page. In addition, if the ISBN on the back cover differs from the ISBN on this page, the one on the back cover is correct. Printed in America. 10

9

8

7

6

5

4

3

2

1

Brief Contents 1 Introduction and Overview of Audit and Assurance   1-1 2 Professionalism and Professional Responsibilities   2-1 3 Risk Assessment Part I: Audit Risk and Audit Strategy   3-1 4 Risk Assessment Part II: Understanding the Client   4-1 5 Audit Evidence   5-1 6 Gaining an Understanding of the Client’s System of Internal Control  6-1 7 Audit Data Analytics   7-1 8 Risk Response: Performing Tests of Controls   8-1 9 Risk Response: Performing Substantive Procedures   9-1 10 Risk Response: Evaluating Audit Data Analytics and Audit Sampling for Substantive Tests   10-1 11 Auditing the Revenue Process   11-1 12 Auditing the Purchasing and Payroll Processes   12-1 13 Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts)   13-1 14 Completing the Audit   14-1 15 Reporting on the Audit   15-1 Appe nd ix A  

Cloud 9 Inc. Audit  A-1

GLOSS ARY    G-1 I n d e x   I -1

v

From the Authors Auditing is about earning the public trust. Auditors serve that public trust by being independent of the companies they audit—in mental attitude and in fact. You will find that auditing is about developing an inquisitive mind and mastering decision-making; you must master an audit logic (the audit risk model) and develop audit strategies. To help you develop both skills, we have taken a very practical approach in this text, as follows:

Auditing is about developing an inquisitive mind and mastering decision-making. To help you develop both skills, we have taken a very practical approach in this text, as well as incorporated audit data analytics (ADA) to help you embrace an increasing variety of fascinating technologies being used by auditors.

•  Provided a variety of audit reasoning examples, which demonstrate the practical application of auditing skills and concepts through brief real-world scenarios, in each chapter. •  Included an audit decision-making example at the end of each chapter. Each example illustrates a process of identifying the issue, gathering information and evidence, analyzing and evaluating information and evidence, and drawing conclusions. •  Added professional environment examples that illustrate issues that auditors deal with on a day-to-day basis. •  Written the text in a conversational writing style that you should enjoy.

In addition, you must also embrace an increasing variety of fascinating technologies being used by auditors. To help you do this, we have: •  Included a separate chapter on audit data analytics, including an overview of the most popular audit data analytics (ADA) software applications currently used. •  Integrated the use of audit data analytics into many chapters. •  Offered IDEA-based cases available in WileyPLUS. The accounting and auditing skills you build in this course will serve you for the rest of your life as you develop an independence of thought and action. Your journey of developing a questioning mindset, developing an investigative intuitiveness, and learning how to recognize accounting issues that do not pass the “smell test” will open many opportunities. If you keep asking questions, continue to explore the application of new technologies, and stay true to the importance of integrity and independent thought and actions that will earn the public trust, you should have a rich and rewarding career. We are excited and honored to lead you on this “auditing” journey. We hope you dive into the material and explore the resources provided in this text and WileyPLUS. Above all else, we wish you great success! Raymond N. Johnson, PhD, CPA Laura D. Wiley, PhD, CPA

vi

©Aaron Hogan, Eye Wander Photo

©The National Association of State Boards of Accountancy

About the Authors

Raymond N. Johnson

Laura D. Wiley

Raymond N. Johnson, PhD, CPA, has taught auditing concepts and practices, financial statement analysis, and a case course focused on developing students’ critical thinking skills at Portland State University for 35 years. He was the first recipient of Harry C. Visse Excellence in Teaching Fellowship and is currently a professor emeritus from Portland State University. He has also taught auditing and accounting at Bond University, The University of Queensland, the Australian National University, and Southampton University. Dr.  Johnson is Chair of the International Accounting Education Standards Board’s Consultative Advisory Group. Previously, he served on the NASBA board of directors for seven years, and he previously chaired NASBA’s Education Committee and the NASBA Ethics Committee. He also served on an AACSB Task Force that was responsible for the most recent update to AACSB Accounting Accreditation rules. Dr. Johnson served a three-year term on the AICPA Professional Ethics Executive Committee which sets ethical standards for CPAs in the United States. He is a former member of NASBA’s Standard Setting Advisory Committee and served for seven years on the NASBA/AICPA International Qualifications Appraisal Board. Previously, Dr. Johnson served on the Oregon Board of Accountancy for seven years and was Chair of the Board for two years. Dr. Johnson is a past president of the Oregon Society of CPAs. He has previously served as staff to the U.S. Auditing Standards Board, and he has written numerous academic and professional articles.

Laura Wiley, PhD, CPA, is the Assistant Department Chair and senior instructor in the Department of Accounting at the E. J. Ourso College of Business, Louisiana State University (LSU). She came to LSU in 1996 and teaches financial accounting and auditing courses. She also leads a studyabroad excursion in the Master of Accountancy program, taking students on educational business trips to Central and South American countries. Dr. Wiley is active in the Society of Louisiana CPAs (LCPA) and has served as the chair of the Accounting Education Issues committee since 2014. She received the LCPA’s Distinguished Achievement in Education award in 2015 and the Outstanding Teacher Award from the E. J. Ourso College of Business in 1999 and 2014. Dr. Wiley has consulted with large and small companies on accounting-related matters and conducted onsite training sessions for company employees. Over her career, she has also been a presenter at numerous CPE events and published in the Journal of Accounting Education. Prior to coming to LSU, she was an auditor with PricewaterhouseCoopers in Atlanta, Georgia. She earned her bachelor’s degree in accounting from The University of Alabama, her master’s degree in accounting from LSU, and her doctorate in human resource education and workforce development from LSU. Her research interests are accounting education and financial literacy. She is an active licensed CPA in the state of Louisiana.

vii

Unique Pedagogical Framework Auditing provides key learning aids to help students master the content and prepare them for a successful career in accounting.

c07AuditDataAnalytics.indd Page 1 06/03/19 3:36 PM F-0590

/208/WB02435/9781119401810/ch07/text_s

ChApter 7

Each chapter begins with a flowchart detailing exactly what section of the audit process students are about to learn. The chart helps students see the big picture of the audit process.

Audit Data Analytics Special thanks to Dr. Adrian Gepp of Bond University, Queensland, Australia, for his invaluable assistance in co-authoring this chapter.

The Audit Process Overview of Audit and Assurance (Chapter 1) Professionalism and Professional Responsibilities (Chapter 2) Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4) Gaining an Understanding of the Client

Identify Significant Accounts and Transactions

Set Planning Materiality

Gaining an Understanding of the System of Internal Control (Chapter 6)

Make Preliminary Risk Assessments

Performing Tests of Controls (Chapter 8)

Audit Data Analytics (Chapter 7)

Audit Evidence (Chapter 5)

Develop Responses to Risk and an Audit Strategy

Performing Substantive Procedures (Chapter 9) Audit Sampling for Substantive Tests (Chapter 10)

Auditing the Purchasing and Payroll Processes (Chapter 12)

Auditing the Revenue Process (Chapter 11)

Auditing the Balance Sheet and Related Income Accounts (Chapter 13)

c03RiskAssessmentPartI.indd Page 3-2 24/01/19 9:35 PM F-0590

Completing and Reporting on the Audit (Chapters 14 and 15) Drawing Audit Conclusions

Procedures Performed Near the End of the Audit c05AuditEvidence.indd Page 2 04/03/19 8:37 PM F-0590

3-2

CH A PT E R 3

/208/WB02435/9781119401810/ch03/text_s

Risk Assessment Part I

LearningLearning Objectives

Reporting

/208/WB02435/9781119401810/ch05/text_s

Objectives have been carefully crafted to reflect the Bloom’s Taxonomy framework, LO 5 Explain how auditors determine their audit strategy and how audit strategy affects audit decisions. well asofreinforce the practical auditing skills LO 2 Identifyas the diff erent phases an audit. LO 6 Explain the fraud risk assessment process and analyze fraud risk. LO 3 Explain and apply the concept of materiality. that students will develop. LO 4 Explain professional skepticism and apply the LO 1 Evaluate client acceptance and continuance decisions.

5-2

Chapt e r 5

audit evidence

Learning Objectives

7-1

LO 1 Define management assertions about classes of transactions, account balances, and presentation and disclosure. LO 2 Discuss the characteristics of audit evidence.

LO 4 evaluate when it is appropriate for auditors to use the work of others.

audit risk model.

Auditing and Assurance Standards

LO 5 Document the details of evidence gathered in working papers.

LO 3 apply the procedures for gathering audit evidence, including the use of audit data analytics.

P C AO B

AUDIT ING STA NDA R D S B OA R D

AS 1015 Due Professional Care in the Performance of Work

AU-C 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards

AS 1101 Audit Risk AS 1301 Communications with Audit Committees

Auditing and Assurance Standards

AS 2101 Audit Planning

Au d i t i n g StA n dA rd S B OArd Auditing and Assurance Standards Au-C 230 audit Documentation that are disAu-C 315 Understanding the entity and Its environment AS 1205 part of the audit performed by Other cussed are listed at the beginning each chapter and assessing the risks of of Material Misstatement Independent auditors 500 audit evidence AS 1210 for Using the Work of a Specialist quick reference. AAu-C complete overview of all Au-C 505 external Confirmations AS 1215 audit Documentation Au-Cthe 600 Special Considerations—audits of Group isrisksavailable at front of the text. AS 2110 standards Identifying and assessing of Material Financial Statements (Including the Work of Component

AS 2105 Consideration of Materiality in Planning and Performing an Audit

PCAOB

AS 1105 audit evidence

Misstatementc03RiskAssessmentPartI.indd Page 3-40

24/01/19 9:35 PMauditors) F-0590

Au-C 610 Using the Work of Internal auditors

AS 2605 Consideration of the Internal audit Function

Au-C 620 Using the Work of an auditor’s Specialist

C HAPT E R 3

Risk Assessment Part I

c05AuditEvidence.indd Cloud 9 - Continuing Case Page 5-6 Cloud 9 - Continuing Case

AS 2301 The Auditor’s Responses to the Risks of Material Misstatement AS 2401 Consideration of Fraud in a Financial Statement Audit

/208/WB02435/9781119401810/ch03/text_s

AS 2310 the Confirmation process

3-40

AS 2110 Identifying and Assessing Risk of Material Misstatement

AS 2610 Initial Audits—Communication Between Predecessor and Successor Auditors

AU-C 240 Consideration of Fraud in a Financial Statement Audit AU-C 300 Planning an Audit AU-C 315 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement AU-C 320 Materiality in Planning and Performing an Audit AU-C 330 Performing Audit Procedures in Response to Assessed Risks and Evaluating Audit Evidence Obtained QC10 A Firm’s System of Quality Control

Cloud 9 - Continuing Case Sharon and Josh have already discussed some specific client accep-

1/15/19 9:44 PM f-1241

explains they also must consider the overall integrity of the client (that is, management of Cloud 9). This means they need to perform W&S Partners has just won the January 31, 2023, audit for W&S Partners use the following percentages as starting handle and themselves. At the next planning meeting for the Cloud 9 audit, Pickering and document procedures that are likely to provide information Cloud 9. The audit teamSuzie assigned to this client is: the accounts receivable points forinventory the various bases: Second, Sharon is worried about how they will gather evidence regarding a presents the results of the analytical procedures performed so far about the client’s integrity. Josh is a little skeptical. “Do you mean Base Threshold (%) subsidiary of Cloud 9 located in Vietnam. W&S Partners does not and a working draft of the audit program. The audit manager, that we should ask them if they are honest?” Sharon suggests it is • Partner, Jo Wadley C H APT E R an 5 office AuditinEvidence before have Vietnam, so they mustIncome determine the tax most effec- 5.0 Sharon Gallagher, and the audit senior, Josh Thomas, are5-6 also inprobably more useful to ask others, and the key people to ask are • Audit Manager, Sharon Gallagher Total revenue 0.5 tive and efficient way to gather evidence regarding the subsidiary. volved in the planning, with special responsibility for the internal the existing auditors. Josh is still skeptical. “The existing auditors • Audit Senior, Josh Thomas Gross profites 2.0 used in operations has been appropriately In the planning meeting, considers thethat following control assessment. • the An team auditor verifi equipment marked are Ellis & Associates. Are they going to help us take one of their 0.5 questions: The meeting’s agenda is to• discuss theManager, availableMark sources of evIT Audit Batten clients from them?” Sharon says the client must give permission down ifTotal it isassets impaired (risk of overstatement). Equity 1.0 idence at Cloud 9 and specify these in the detailed audit program. first, and, if that is given, the existing auditor will usually state •  What evidence is available? • Experienced staff, Suzie Pickering The team members also must ensure they have enough evidence whether or not there were any issues that the new auditor should These starting points can be increased or decreased by taking •  What criteria will the team use to choose among alternative • First-year , Ian Harper of the to conduct the audit. Two specific issues staff worry members be aware of before accepting the work. This type of communicainto account qualitative client factors, which could be: Cloud 9 - sources Continuing Case of evidence? team. First, there are three very large asset balances on Cloud 9’s tion is covered by AS 2610 (AU-C 210 for private company clients) Asvaluation a part of the risk Josh assessment phase for• the neware audit, • The naturethe of the client’s business and industry (for example, What the the implications of using work of specialists trial balance that have particular issues. suggests Ian and Suzie have talked in general terms about the • No accounts receivables were omitted when calculating the audit team needs to gain an of Cloud 9’salready structure rapidly changing, either through growth or downsizing, or and other auditors? that a specialist will be required for the derivatives, butunderstanding they can errors that could occur in Cloud 9’s accounts receivable. For total—completeness. and its business environment, determine materiality, and assess an unstable environment). other clerical errors the risk of material misstatement.example, This will basic assist mathematical the team in de-mistakes• and Accounts(orreceivables in the total do exist at yearWhether the client is a public •company subsidiaryincluded of) could affthe ectnature, the customer’s total in either direction. Suzie emveloping an audit strategy and designing extent, and end—existence. subjectthis to regulations. phasizes that Cloud 9’s management asserts error did not timing of audit procedures. • fraud. Accounts receivables belong to Cloud 9 and have not been • The knowledge of or high risk of exist when they prepared the fi nancial statements—i.e., they One task during the planning phase is to consider the consold or factored—rights and obligations. assert that accounts valued correctly. Auditors cept of materiality as it applies to the client. Auditorsreceivable will de- areTypically, income before tax is used; however, it cannot be used must gather about each assertion for each transaction • Bad debts have been provided for—valuation and allocation. sign procedures to identify and correct errorsevidence or irregularities if reporting a loss for the year or if profi tability is not consistent. In Chapters 3 and 4, we considered audit riskinand assessment. Those chapters focused class, account, and statements note the risk financial statements. Now that that would have a material effect on the financial When calculating PM based on interim gures,the it may nec- are not included in the earlier • Salesfifrom nextbeperiod on the the decision-making importance of risk identification helpbetter, ensure auditor’sthe desired level of risk is the auditors to plan Ian understands idea he the can identify assertions and affect of the users of this thetofinancial essary to annualize the results. This allows period—cutoff. Ian is a bit confused about this because cutrelate to audit the potential errors in accounts receivable that statements. Materiality is used inthat determining procedures the audit properly based on an approximate off is anprojected assertionyear-end for transactions, not assets. Suzie agrees they discussed earlier: and sample selections, and evaluating differences from client balance. Then, at year-end, the figure isitadjusted, if necessary, to is a special sort of assertion that relates to transactions or records to audit results. Materiality •is No the mathematical maximum amount of or other reflectclerical the actual results. events, but also gives evidence about balance sheet accounts mistakes errors exist that misstatement, individually or in aggregate, canthe betotal accepted (e.g., an overstatement of revenue is also an overstatement couldthat affect receivables in either direction—valuaRequired in the financial statements. In selecting figure to be of receivables). tion the andbase allocation. Answer the following questions based on the information preused to calculate materiality, the auditors should consider the sented for Cloud 9 in the appendix to this text and in the current key drivers of the business. They should ask, “What are the end chapter and previous chapters. users (that is, stockholders, banks, etc.) of the accounts going The last category of assertions focuses on presentation and disclosure in the financial to be looking at?” For example, will stockholders be interested a. Using the 31, 2022, trialprobably balance (in the appendix to of the assertions in this category statements andOctober the notes. You’ve noticed that most in profit figures that can be used to pay dividends and increase this listed text), calculate planning materiality and include theThat justi-makes sense considering the note are also in one or both of the other categories. share price? fication and for the basis that youin have for yourstatements calculation. are inherently tied with a client’s disclosures presentation theused financial W&S Partners’ audit methodology dictates that one planb. Discuss how planningbalances. materiality would begather used toevidence detertransactions andthe year-end Auditors that disclosed items represent ning materiality (PM) amount is to be used for the financial mine materiality. events andperformance transactions that occurred and pertain to the entity, (10) occurrence and rights statements as a whole. The basis selected for determining materiality is the one determined to be the key driver of the business.

and obligations, that allamount itemsisthat should increased have been c. If the planningand materiality subsequently or disclosed are included in the fidecreased later in which the audit, that impact the audit? nancial statements, is how (11) would completeness. Auditors ensure items included in the financial statements are appropriately presented and disclosures are clearly expressed, which is

and is part of professional ethics. Sharon also gives Josh the task of researching Cloud 9’s press coverage, with special focus on anything that may indicate poor management integrity. Sharon emphasizes they must perform and document procedures to determine whether W&S Partners is competent to perform the engagement and has the capabilities, time, and resources to do so. For example, they must make sure they have audit team members who understand the clothing and footwear business. They also must have enough staff to complete the audit on time. In addition, Sharon and Josh must perform and document procedures to show that W&S Partners can comply with all parts of the code of professional conduct, not just those that focus on independence threats and safeguards. Finally, they can draft the engagement letter to cover the contractual relationship between W&S Partners and Cloud 9.

A Cloud 9 Continuing Case exercise applies concepts introduced in each chapter, concludes each chapter, and is available as an assessment question.

/208/WB02435/9781119401810/ch05/text_s tance issues, such as independence threats and safeguards. Sharon

Chapter Preview—Audit Process in Focus

viii

AU-C 210 Terms of Engagement

controls continue to be strong, she will also perform substantive procedures on the existence of inventory at an interim date.

  UN I Q UE P E DAG OG I C A L FRA MEWORK   ix

Illustration 3.12 provides a diagram of the process used when developing the audit strategy for an account or assertion. Notice that the left side of the diagram provides an overview of the reliance on controls approach described in this section.

c05AuditEvidence.indd Page 5-27 1/15/19 9:44 PM f-1241

ILLUSTRATION c06GainingAnUnderstandingOfTheClientsSystemOfInternalControl.indd Page 4 04/03/19 3.12 5:48 PM F-0590

Identify inherent risks at the account or assertion level

Process used when developing an audit strategy at the account or assertion level

Determine whether an6-4 internal control(s) C h apt e r 6 canGaining an Understanding of the Client’s System of Internal Control mitigate the risk factor

/208/WB02435/9781119401810/ch05/text_s

Detailed illustrations help students visualize complex processes and important concepts. /208/WB02435/9781119401810/ch06/text_s

Documentation—Audit Working Papers

5-27

alternative for environmentally conscientious customers. NME operates from three locations and produces a wide range of household products that it sells to supermarkets and specialty stores. the most front commonly of every audit file is a copy of the client’s trial balance that supports the fiYES NO The COSO framework has global acceptance and At is the recognized framenancial statements. TheIttrial balance is then referenced into the appropriate lead and supportwork for understanding and evaluating a system of internal control. has three dimensions, schedules in the audit file whereofaudit work is documented for each account in the trial as shown in Illustration 6.1. First, the COSO ing framework discusses the objectives internal balance. At Bell & Bowerman, LLP, the trial balance is referenced using the letter “A”; cash control. Second, the COSO framework discusses important components of internal control. Does the control(s) andobjectives cash equivalents in variousfit banks referenced into the C Lead; accounts receivable are NOF-0590 Third, the COSO framework discusses how these and components into are an orgac03RiskAssessmentPartI.indd Page 3-15 24/01/19 9:35 PM /208/WB02435/9781119401810/ch03/text_s exist? referenced into the E Lead; inventory accounts are referenced into the F Lead; property, plant nizational structure. and equipment are referenced into the K Lead; and so on. The first working paper example is the cash and cash equivalents lead schedule Objectives iLLuStrAtiOn 6.1 (see Illustration 5.8). The purpose of this lead is to summarize all general ledger accounts YES The relationship among the that are combined into the cash and cash equivalents account on the financial statements. Professional Skepticism and Audit Risk 3-15 three dimensions of internal The lead schedule also has adjusting journal entries, if any, that are proposed by the auditor. control: objectives, components, In the top-left corner of the lead schedule are the client name, period-end, and currency and organizational structure unit (in this example, balances are rounded to the nearest thousand dollars). In the top Test the Control environment control(s) center of the lead schedule is section identification (C). In the top-right corner, details of Auditors have a responsibility to plan and perform an audit with professional skepticism. the working paper preparer and reviewers are documented. Next, details of the cash and Risk assessment Professional skepticism is an attitude adopted by auditors when conducting all phases of the cash equivalents balance are listed. For each item listed in the lead schedule, the following audit. It means that auditors remain independentIncrease of the extent entity,ofitsdetailed management, and its staff are noted: Control activities Is the control(s) professional skepticism an when completing the audit work.NO In a practical sense, professional skepticism means ausubstantive procedures effective? Does it work? attitude that a• questionperformed at year-end ditors maintain a questioning mind and thoroughly investigate all evidence presented by the Information andincludes communication General ledger account number, per the client records. ing mind, being alert to condiclient (AS 1015.07). For example, AU-C 200.A22 states auditors should be skeptical if any of General ledger account name, per the client records. tionsMonitoring that may activities indicate• possible the following arise during the audit: misstatement due to fraud or • Preadjusted balance, any adjustments, and the audit-adjusted current-year balance per YES error, and a critical assessment of • Audit evidence recently gathered that is contradictory to other evidence previously gathered. the client’s trial balance (TB).

Organizational structure

ce

Entity Division Operating unit Function

Co m

pl ia n

s

po

rti ng

er at io n

Re

Op

Professional Skepticism

Components

Substantive Approach

Reliance on Controls Approach

the COSO Framework

audit evidence

• New information that brings into question the reliability of clientObjectives documents or responses of Internal Control • The prior-year balance, per the prior-year audit file (PY). to auditor inquiries. The COSO framework depicted in Illustration 6.1 identifies three objectives of internal control that allow organizations to focus on the differing purposes of internal control. These three • Situations that indicate the need for additional audit procedures objectives beyond what are:is required ILLUSTRATION 5.8 Working paper example: Cash lead schedule by generally accepted auditing standards. • Operations objectives. These pertain to the Client: effectiveness and efficiency of the entity’s opNew Millennium Ecoproducts Bell & Bowerman, LLP Does maintaining professional skepticism mean auditors should assume clientincluding manage-operational and financial erations, performance goals, and safeguarding assetsC–LEAD Period-end: 12/31/2022 Reference: C-Lead Currency unit: $000 ment is being dishonest? The answer is no. Auditors should not assume management against loss. is dishonest, but at the same time, auditors should not assume management is always honest or These pertain to internal and external financial and nonfinancial • Reporting objectives. correct. Using professional skepticism means that even if auditors believe management andencompass reliability, timeliness, Lead schedule: reporting and may transparency, or other terms as set those charged with governance are being honest, they should gather reliable evidence to sup- recognized standard setters, or the entity’s policies. forth by regulators, PreAdjusted port management’s responses to auditor inquiries and to support amounts and disclosures adjusted current-year • Compliance objectives. These pertain to adherence to laws and regulations to which the in the financial statements. all phases of the audit, auditors should keep these /208/WB02435/9781119401810/ch03/text_s c03RiskAssessmentPartI.indd Page 3-28 24/01/19 9:35 PMThroughout F-0590 Account balance balance entity is subject. Account name no. 12/31/2022 Adjustments 12/31/2022 questions in mind when gathering audit evidence: Is this information reliable? Do we need to perform more audit procedures? When auditors exercise professional skepticism during the 10100 Control—Integrated Cash in Bank: Wells Fargo $ 11,000 $0 $ 11,000 TB (COSO, Internal Framework, 2013) risk assessment phase, it helps to ensure they are using appropriate assumptions when develCash in Bank: U.S. Bank 134 0 134 TB 10200 oping their audit strategy that will be used in the risk response phase.These In thethree reporting phase,of internal control help the objectives auditor understand why the controls are auditors use Assessment professional skepticism when evaluating the evidence gathered and forming an important and the problems they are designed 10300 to prevent. understanding the 3-28 CHAPTE R 3 Risk Part I CashWithout in Bank: Barclays 126in0 126 TB opinion that the financial statements are presented fairly. tention of management in implementing internal controls, harder to understand 56 how 10400 CashitinisBank: Citigroup 0 56 TB controls prevent, or detect and correct, financial statement misstatements. Management • Ongoing losses. 10500 Short-Term Deposits 5,796 0 5,796 TB and those charged with governance are concerned about adequately controlling the entity’s • Rapid growth. Total Cash andregulations. Cash $17,112 $0 $17,112 operations, its financial reporting, and its compliance with laws and The exterPoor cash flowsProfessional combined withSkepticism high earnings. Audit Reasoning• Example nal auditor, on the other hand, is primarily concerned withEquivalents the reporting objectives and the objectives related to safeguarding ofKey assets. to audit tick marks (TM): • Pressure to meet market expectations and operations profit targets. Perform less extensive • Conditions detailed substantivethat may provide evidence of possible fraud. procedures at interim

Many illustrations, such as working papers and confirmations, present documents that students will encounter in a real-world audit.

Prepared by: Reviewed by: Reviewed by:

Prior-year balance 12/31/2021

KM 1/21/2023 SO 1/22/2023 MM 1/24/2023

Variance

% Variance

Ref

$ 10,500

PY

$500

5%

C01

134

PY

0

0%

C02

126

PY

0

0%

C03

50

PY

6

12%

C04

5,600

PY

196

4%

C05

Audit Reasoning Examples apply chapter concepts in brief real-world scenarios that students might encounter in a professional environment. They also provide real-world company examples of chapter concepts. $16,410

$702

4%

TB Agrees to client’s trial balance. An auditor was auditing• aPlanning recreational vehicle dealership. The auditor had obtained some to list on a(RV) stock exchange. PY Agrees to prior-year audit file. initial financial information from the client showing unaudited results for the end of the third Components of Internal Control • Planning to raise debt or renegotiate a loan. quarter. Sales were up and profit margins were up, making it the best year so far for the client. Background: No significant changes in banks or bank accounts from the prior period. Note: Analytical review on movements in the cash flows has The client being about to enter into ainventory signifi cant newshowed contract. The second dimension depicted in on Illustration 6.1 identifies Interim records showed •that inventory was also up, and the client’s records over of the COSO framework been performed the cash flow schedule — seefive A1.1. 300 RVs on hand at the •end the third quarter. Theofaudit senior wenttied tointegrated talk to the components audit manof internal control: A of signifi cant proportion remuneration to earnings (that is, bonuses or stock options). Comments: Cash and cash equivalents: In line with budget and change consistent with level of activity for the period (see also our review of the ager about the good news and the client’s performance. The audit manager asked the senior a key statement of cash flows referenced in A1.1). Short-term deposits: Although the balance is very consistent with previous period, inclusion of • Control environment. question. “You did the inventory observation last year. How many RVs did the client have then?” short-term deposits within cash and cash equivalents is acceptable (refer to C5). “I think it was about 210,” the senior replied. Then the audit manager asked, “How was the lot • Riskfull assessment. last year?” The senior replied that it was “almost overflowing” the year before. The manager then • Control activities. said, “Let’s look at this more skeptically. I don’t think they have storage capacity for another 90 I Audit Reasoning Example Fraud at Toshiba: Part RVs even though sales are up. There could be an error in the inventory records. This information makes me believe that the existence of inventory is a very high inherent risk.” You may be familiar with Toshiba Corporation, a publicly traded Japanese company headquartered in Tokyo that makes consumer electronics, household electronics, office equipment, and more. In July 2015, the CEO of Toshiba announced he was resigning amid an accounting scandal in which profits had been overstated for the past seven years by approximately $1.9 billion (224.8 billion yen). What incentives and pressures were involved that led to the fraud? The technology industry is extremely competitive and Toshiba’s upper management set aggressive profit targets. home electronics and appliances division was showing losses and the memory chip division Audit risk is the risk that The an auditor expresses an inappropriate audit opinion when financial was feeling pressure because of decreasing demand from Chinese electronics companies.6 As an statements are materially misstated (AU-C 200 Overall Objectives of the Independent Auditor example, in September 2012, the head of the digital products and service division was told by the and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards and CEO to improve a 24.8 billion yen loss into a 12 billion yen profit in just three days!7 Think about AS 1101 Audit Risk). Thishow means audit reportwould stateslearn the about financial statements aretopresented the the external auditor the incentives given lower-level management. How fairly, in all material respects, in actuality the fiabout nancial might when an internal auditor learn thesestatements incentives?contain a material

Audit Risk

c05AuditEvidence.indd Page 5-20 1/15/19 9:44 PM f-1241

error or fraud. While it is impossible to eliminate audit risk, auditors aim to reduce it to an

Opportunities to Perpetrate a Fraud

5-20

After identifying one or more incentives or pressures to commit a fraud, auditors assess whether a client’s employees have an opportunity to perpetrate a fraud. Auditors utilize their knowledge of how other frauds have been perpetrated to assess whether the same opportunities exist at the client. While the examples below of opportunities to commit a fraud suggest a fraud may have been committed, their existence does not mean a fraud has definitely occurred. Auditors must use professional judgment to assess each opportunity in the context of other risk indicators and consider available evidence thoroughly. Examples of opportunities that increase the risk that a fraud may have been perpetrated include:

Professional Environment boxes provide in-depth discussions of how concepts in a chapter are applied in the business world. transactions close to year-end.

/208/WB02435/9781119401810/ch03/text_s

• Significant adjusting entries and reversals after year-end. • Significant related-party transactions (discussed further in Chapter 4). • Poor corporate governance mechanisms. 3-32

CHAPT E R 3

• Poor of internal control (discussed further in Chapters 6 and 8). Risk Assessment Part system I • A high turnover of staff with accounting or internal control responsibilities.

Audit Decision-Making Example 6

E. Pfanner and M. Fujikawa, M. “Toshiba Slashes Earnings for be Past Seven Years,”locations The Walldue Street • Fraud risk may high in some to Journal, the opportuSeptember 7, 2015. https://www.wsj.com/articles/toshiba-slashes-earnings-for-past-7-years-1441589473 nity offered by weak internal controls. You have been assigned to the7 audit of inventory for a private K. Nagata. “Pressure to show a profit led to Toshiba’s accounting scandal,” The Japan Times, September 18, • The auditor needs to determine how internal controls afft-ect company that owns and operates a chain of retail jewelers. The 2015. http://www.japantimes.co.jp/news/2015/09/18/business/corporate-business/pressure-to-show-a-profi audit strategy, and whether the auditor wants one audit stratcompany’s sales revenue has grown by 300% in the last two years, led-to-toshibas-accounting-scandal/#.WNJjNmQrLjA egy for part of the inventory and another audit strategy for primarily by acquisitions. Seventy-eight percent of the value of the another part of the inventory. company’s inventory is in wedding rings, diamonds, gold necklaces, and high-end watches. Because the company has grown Analysis and Evaluation of Alternatives through acquisition, the company has not yet brought two acquired companies (representing 35% of sales) under the company’s Analysis of risk: inventory system. As a result, the company is currently operating • Inherent risk factors include valuable inventory that is subwith three different inventory-control systems. The core inventory ject to theft and misappropriation. system being used by retail stores represents 65% of sales. Sixty • Internal controls are not uniform. Based on prior year’s evipercent of inventory was tested in the prior year and controls over dence and a preliminary understanding of the system in the the existence of inventory were effective. current year, strong internal controls appear to operate over The CFO’s top priority is to put all retail operations under this only 60% of the inventory. one inventory-control system by the end of the fiscal year (January 31). He is particularly concerned about lower than expected • It may be more efficient to physically inspect inventory as of gross margins at some of the acquired stores, and he expects that one date and use one audit strategy for all inventory testing. better inventory control will improve this situation. In addition, • Fraud risk is considered to be high at locations where invengold prices have risen 15% in the last 12 months, and the company tory controls are not strong. is making sure it is not selling “conflict diamonds” illegally traded to fund conflict in war-torn areas of Africa. Your responsibility is Conclusions Regarding Audit Strategy for the Existence to develop an audit strategy for testing the existence of inventory.

Background Information

Identify the Audit Issue The focus of attention in this instance is to develop an audit strategy for testing the existence of inventory. The auditor may develop a different audit strategy for testing the valuation of that inventory.

Gather Information and Evidence Important information includes: • A significant portion of the inventory is high in value, small in size, and susceptible to theft. • A good system of internal controls may not be operating effectively and uniformly. • The weak gross margins in some stores may be evidence of inventory shrinkage or theft.

of Inventory

• Inherent risk is set at the maximum because inventory is high in value and susceptible to theft and misappropriation. • Control risk is set at high, as 40% of inventory may not have sufficient internal controls. • Fraud risk is considered high due to the opportunity offered by weak internal controls. • This results in setting detection risk at low. • Low detection risk impacts the nature, timing, and extent of substantive testing. For example, the auditor will plan testing of the physical existence of inventory at year-end, select a larger number of locations to visit, and vary the extent of inventory testing at each location depending on internal controls over the counting of inventory at each location.

CPAexcel CPAexcel questions and other resources are available in WileyPLUS.

Audit Evidence

Professional Environment Working with IT Auditors

• Accounts that rely on estimates and judgment (discussed further in Chapter 9).

A high volume of c03RiskAssessmentPartI.indd Page 3-32 24/01/19• 9:35 PM F-0590

CH A PT E R 5

/208/WB02435/9781119401810/ch05/text_s

Specialist IT auditors are often used in audits of clients with complex information technology (IT) environments because the effective audit of the IT systems contributes to overall audit quality. Large audit firms usually have such specialists within the firm, but smaller audit firms could engage external IT consultants for this part of the financial statement audit. In general, reliance on an IT specialist is appropriate when the financial statement auditor complies with the conditions of AU-C 620. If the IT expert and the financial statement auditor do not work well together, audit quality can be impaired. For this reason, researchers have investigated the factors that affect the way that financial statement auditors work with specialist IT auditors. Brazel12 reviewed this research evidence and drew the following conclusions. First, responses from financial statement auditors in the United States who were surveyed about their experiences with IT auditors indicated that they believe IT auditors’ competence levels vary in practice. Financial statement auditors also said that IT auditors appear to be overconfident in their abilities in some settings, and questioned the value provided by IT auditors to the financial statement audit. Second, Brazel suggests the research shows that both financial statement auditors’ IT ability and experience and the IT auditor’s competence affect how these two professions interact on an audit engagement. This indicates that audit firms need to ensure that staff training and scheduling produce appropriate combinations of financial statement auditors and IT auditors on an engagement.

Finally, Brazel argues that the research findings demonstrated that auditors need to consider the implications of finding a balance between greater software-assisted audit techniques training for financial statement auditors and greater use of IT specialists for overall audit efficiency and effectiveness. The role of IT audit specialists could grow to become even more than a support function for auditors. Some researchers suggest that in e-businesses, the external financial statement auditor’s authority will be challenged by IT audit specialists because of technological change and its impact on auditing.13 In e-businesses, economic transactions are captured, measured, and reported on a real-time basis without either internal human intervention or paper documentation.14 Auditing is likely to become more real-time and continuous to reflect the pattern of the transactions. If traditional auditors are unwilling or unable to adapt to the new environment, their role could be taken over by IT specialists. Other developments such as reporting using XBRL (eXtensible Business Reporting Language) provide challenges for auditors as they have to adapt their techniques and approaches to audit financial information that is disaggregated and tagged. Users can extract and analyze XBRL data directly without re-entry and the tag provides additional information about the calculation and source of the data. This means auditors have to recognize that their clients are reporting financial data with different levels of information and users might have greater expectations of the data. Learn more about XBRL at www.xbrl.org.

Cloud 9 - Continuing Case Josh will take responsibility for obtaining a specialist’s opinion on the derivatives. He knows that W&S Partners has other staff (who are not part of the audit team) who can provide additional expertise. However, because he believes the accounts are so material to the audit and derivatives have become such a big issue in audits in recent years, he deems an external specialist’s opinion is also required. He

has some experience of using a derivatives specialist on prior audits, and he also plans to ask Jo Wadley (the partner) to recommend a suitable specialist. Josh plans to investigate any possible connections between the specialist and Cloud 9 that could adversely impact the specialist’s objectivity before engaging him for this audit.

Work of Internal Auditors Each chapter concludes Using withthean Audit Decision-Making Example that takes students through specific steps of the audit process while offering solutions to issues presented throughout the example. internal auditors employees of the client who perform assurance and consulting activities designed to evaluate and improve the effectiveness of the entity’s governance, risk management, and internal control processes

The role of the internal audit function was introduced in Chapter 1. Internal auditors are employees of the client who perform assurance and consulting activities designed to evaluate and improve the effectiveness of the entity’s governance, risk management, and internal control processes. Not every client will have an internal audit function. For example, small and medium-sized companies, especially private companies, may not have the resources to staff an internal audit function. But if the client does have an internal audit function, what role, if any, do the internal auditors play in the financial statement audit? According to AU-C 610 12

J. F. Brazel. “How do financial statement auditors and IT auditors work together?” The CPA Journal, November, 2008, pages 38–41. A. Kotb, C. Roberts, & S. Sian. “E-business Audit: Advisory Jurisdiction or Occupational Invasion?” Critical Perspectives on Accounting 23, no. 6 (2012), pages 468–82. 14 Kotb et al., 2012. 13

Engaging Students with WileyPLUS Auditing is completely integrated with WileyPLUS, featuring a suite of teaching and learning resources developed under the close review of the authors. Driven by the same basic beliefs as the text, WileyPLUS allows students to practice their understanding of concepts and access the content and resources needed to master the material. Features of the WileyPLUS course include the following:

Student Practice Each chapter includes practice questions for each learning objective that students can review to assess their understanding of chapter topics.

Tableau Homework Assignments Tableau visualizations accompanied by questions are available with most chapters. Tableau visualizations allow students to interpret visualizations and think critically about data.

IDEA Cases Select chapters include IDEA cases that allow students to use IDEA software to analyze data. An IDEA casebook and accompanying data sets, provided by Audimation Data Analytic Software and Services, is also available.

Real-World Videos  loomberg videos accompany each chapter, B providing students with relevant examples of auditing practices in the professional world.

x

   ENGAGING STUDENTS WITH WILEYPLUS  xi

Relevant Accounting Articles Up-to-date accounting articles are posted to the Wiley accounting update site, www.wileyaccountingupdates.com. Many of these news updates direct students to news-related videos and articles that address auditing-related topics.

Adaptive Practice Adaptive practice is a tool students can use to understand the essentials of auditing. Students can answer a multiple-choice question and, based on their response, the adaptive practice software will recommend another question to help students assess their understanding of a topic. Detailed reports also help students identify where they need to focus their studies. There are hundreds of adaptive questions for students to answer in the Auditing course.

Preparing for the CPA Exam For each chapter in the WileyPLUS course, students can access CPAexcel videos, CPA Exam Practice Questions in the PrometricTM Testing Interface, and Task-Based Simulations (TBSs), which are the primary form of assessment used by the American Institute of Certified Public Accountants (AICPA). These resources: 1. Reinforce understanding of course topics. 2. Demonstrate relevance to show students how the auditing content they are learning will be assessed on the CPA exam. 3.  Build student confidence with early exposure to CPA exam questions.

CPA Exam Practice Questions in the Prometric™ Testing Interface Wiley partners with CPAexcel to provide pre-created CPA exam practice questions for each chapter that recreate the environment students will encounter on the CPA exam.

Task-Based Simulation in the Prometric™ Testing Interface CPA simulations recreate the simulation environment students will see on the CPA exam. Similar to the CPAexcel multiple-choice homework questions, instructors can assign a simulation as a gradable assignment.

CPA Exam Video Lessons Each chapter includes CPA exam text discussions and videos that provide students with insight into auditing topics commonly addressed on the CPA exams.

CPA Exam Assignment Each chapter includes one pre-created CPA exam assignment that allows instructors to assign multiple-choice questions adapted from prior CPA exams. Student performance is tied to the WileyPLUS gradebook. xii

Student Assessment Each chapter of Auditing in WileyPLUS has over 300 assessment questions that can help keep your students engaged and on track.

End-of-Chapter Assessment Questions and Problems Each Auditing text chapter concludes with over 40 gradable assessment questions and problems you can use to gauge students’ understanding and ability to apply auditing concepts, as follows: •  Multiple-Choice Questions—Available to quickly and effectively test students’ understanding of the chapter material. •  Short Answer Questions—Open-ended questions that require students to begin thinking critically about the auditing process. •  Analysis Problems—Designed after scenarios students might encounter as auditors in the business world, analysis problems assess how well students understand specific topics in a chapter.

Cases Because no two audits are alike, Auditing uses a practical, case-based approach to help students develop professional judgment, think critically about the auditing process, and develop the decision-making skills necessary to perform a real-world audit. The best way for a student to learn auditing is to actually do auditing. To help provide real-world application, we have developed the following cases: •  Audit Decision Cases—Three cases run through most of the text chapters and provide a broad review of the audit process (King Companies, Inc., Mobile Security, Inc., and Brookwood Pines Hospital). In addition, chapter-specific cases help you assess students’ understanding of topics that are the focus of a particular chapter. •  Cloud 9 Continuing Case—Requires students to apply chapter concepts to the ongoing Cloud 9 case that is highlighted in the chapter. To help you more easily identify what questions you want to assign, questions are tagged with learning objectives, professional AICPA and AACSB outcome standards, Bloom’s Taxonomy, level-of-difficulty, and a recommended time of completion. You can track student performance in the WileyPLUS gradebook.

Test Bank Each chapter of the test bank has between 130–175 questions that you can assign to students in an exam or as graded practice. Question types include true/false, multiple-choice, fill-inthe blank, and short answer questions. To help you more easily identify what questions you want to assign, questions are tagged with learning objectives, professional AICPA and AACSB outcome standards, Bloom’s Taxonomy, level-of-difficulty, and a recommended time of completion. You can track student performance in the WileyPLUS gradebook.

xiii

Acknowledgments Auditing has benefited tremendously from the input of students who have used this text’s material in class, manuscript reviewers, and those who have supported the writing. We are very appreciative of all the suggestions and comments received. The thoughts, ideas, and recommendations of reviewers, editorial staff, and ancillary authors is deeply appreciated. Anne Albrecht Texas Christian University

Walied Keshk California State University—Fullerton

Dwayne Powell Arkansas State University

Matthew Anderson Michigan State University

Katherine Kinkela Iona College

Matthew Reidenbach Pace University—New York

Marie Blouin Ithaca College

Milton Krivokuca California State University—Dominguez Hills

Gary Schneider California State University—Monterey Bay

A. Faye Borthick Georgia State University

Ellen L. Landgraf Loyola University—Chicago

Dan Schrag Baldwin Wallace University

Billy Brewster Texas State University

Betsy Lin Montclair State University

Edward B. Seibert Wesley College

Jeffrey R. Cohen Boston College

Cathy Liu University of Houston—Downtown

Jamie L. Seitz University of Southern Indiana

Laurence DeGaetano Montclair State University

Joe Looney Hofstra University

Suzanne Seymoure Saint Leo University, University Campus

Kristina Demek University of Central Florida

Roger Martin University of Virginia

Philip Slater Forsyth Technical Community College

Lisa Derouin Wisconsin Lutheran College

Linda McCann Metropolitan State University

Vicki Stewart Texas A&M University—Commerce

Raymond Elson Valdosta State University

Karen McDougal Pennsylvania State University—Brandywine

Paula Thomas Middle Tennessee State University

Reza Espahbodi Washburn University of Topeka

Linda McKeag University of Dubuque

Andrea Tietjen Caldwell College

Magdy Farag California Polytechnic University—Pomona

Mary Mindak DePaul University

Patricia Timm Northwood University—Michigan

Dale Flesher University of Mississippi

Paula Mooney Savannah State University

Madeline Trimble Illinois State University

Scott Fulkerson University of California—Santa Barbara

Grace Mubako California Stata University—Sacramento

Richard Turpen University of North Carolina—Asheville

Lori Fuller West Chester University

Christine Noel Metropolitan State University of Denver

Lisa Victoravich University of Denver

Abo-El-Yazeed Habib Minnesota State University—Manka

Connie O’Brien Minnesota State University—Mankato

Jim Vogt University of Colorado—Denver

James Hansen Weber State University

Aimee Pernsteiner University of Wisconsin—Eau Claire

Rick Warne University of Cincinnati

Julia Higgs Florida Atlantic University

Rossen Petkov Lehman College

Amanda Warren University of Tennessee—Knoxville

Karen Hooks Florida Atlantic University

Lincoln Pinto Concordia University Chicago

Barrett Wheeler Tulane University

Carol Jessup University of Illinois—Springfield

Marshall Pitman University of Texas—San Antonio

Fengyun Wu Manhattan College

Bill Joyce Bemidji State University

xiv

  Acknowledgments   xv

Ancillary Authors, Contributors, Proofreaders, and Accuracy Checkers

Eric Johnson University of Wyoming

Margaret B. Shackell-Dowell Ithaca College

Joe Johnston Illinois State University

Philip J. Slater Forsyth Technical Community College

Sanaz Aghazadeh Louisiana State University

Brett Kawada San Diego State University

Vicki Stewart Texas A & M University—Commerce

LuAnn Bean Florida Institute of Technology

Jason MacGregor Baylor University

Jaclyn Strauss Purdue Global

Joe Brazel North Carolina State University

Linda McKeag University of Dubuque

Floran Syler Azusa Pacific University

Rich Brody The University of New Mexico

Anita Morgan Indiana University

Andrea Tietjen Caldwell College

Emily Cokeley Rochester Institute of Technology

Byron Pike Minnesota State University—Mankato

Jim Vogt San Diego State University

Sheila Coomes Kansas State University

Sridhar Ramamoorti University of Dayton—Ohio

Rick Warne University of Cincinnati

Kel-Ann Eyler Georgia College and State University

Matthew Sargent University of Texas—Arlington

Gail E. Wright

Paul Franklin Purdue Global

Edward Seibert Wesley College

Amber Gray Adrian College

Tim Seidel Brigham Young University

Frederick Harmon University of Bridgeport

Jamie Seitz University of Southern Indiana

We also want to thank several individuals for their help in moving this text from concept to publication. This work would not have come to fruition without the extensive support and guidance of Emily Marcoux, Michael McDonald, Joel Hollenbeck, Ed Brislin, Matt Origoni, Valerie Vargas, Sandra Rigby, Kirsten Loose, Terry Ann Tatro, Nicola Smith, and Jackie Henry at Aptara.

Ally Zimmerman Northern Illinois University

We appreciate suggestions and comments from users— instructors and students alike. Please send us your thoughts and ideas about the text. Raymond Johnson Laura Wiley Baton Rouge, Louisiana Portland, Oregon

Table of Contents 1 Introduction and Overview of Audit and Assurance 

1-1

Assurance, Attestation, and Audit Services  1-3 Different Assurance Services  1-6 Financial Statement Audits  1-6 Compliance Audits  1-7 Operational (Performance) Audits  1-7 Internal Audits  1-8 Demand for Audit and Assurance Services  1-8 Financial Statement Users  1-9 Sources of Demand for Audit and Assurance Services  1-10 Preparers and Auditors  1-11 Preparer Responsibility  1-11 Auditor Responsibility  1-11 Assurance Providers  1-12 The Role of Regulators and Regulations  1-13 Securities and Exchange Commission (SEC)  1-13 Public Company Accounting Oversight Board (PCAOB)  1-13 American Institute of Certified Public Accountants  (AICPA) 1-15 Financial Accounting Standards Board (FASB)  1-17 Committee on Sponsoring Organizations of the Treadway   Commission (COSO)  1-18 National Association of State Boards of Accountancy   (NASBA) and State Boards of Accountancy  1-18 Audit Report on Financial Statements  1-19 Reasonable Assurance and the Financial Statements  1-19 Materiality and the Financial Statements  1-20 The Auditorʼs Report on Financial Statements  1-20 Audit Report on Internal Controls over   Financial Reporting  1-25 Reasonable Assurance and Internal Controls  1-25 The Auditor’s Report on Internal Control over Financial  Reporting 1-26 The Audit Expectation Gap  1-28

2 Professionalism and Professional Responsibilities 

2-1

Professionalism and Accounting  2-3 The Structure of the AICPA Code of Professional   Conduct  2-5 Conceptual Framework for Members   in Public Practice  2-7 Integrity and Objectivity  2-11 xvi

Independence  2-12 Key Individuals and Independence Requirements  2-13 Employment or Association with an Attest Client  2-17 Nonattest Services  2-18 SEC and PCAOB Independence Rules  2-20 General Standards  2-23 Other Rules of Conduct for Members in   Public Practice  2-24 Accounting Principles Rule  2-25 Fees and Other Types of Remuneration  2-25 Confidential Information  2-26 Auditor Liability Under Common Law  2-26 Liability to Clients  2-27 Contract Law  2-27 Tort Law  2-28 Cases Illustrating Liability to Clients  2-28 Liability to Third Parties  2-29 Burden of Proof and Common Law Defenses  2-32 Auditor Liability Under Statutory Law  2-33 The Securities Act of 1933  2-34 The Securities Act of 1934  2-35 The Foreign Corrupt Practices Act of 1977  2-36 The Private Securities Litigation Reform Acts of 1995 and  1998 2-36 The Sarbanes-Oxley Act of 2002  2-37 Criminal Liability  2-39

3 Risk Assessment Part I: Audit Risk and Audit Strategy 

3-1

Client Acceptance and Continuance Decisions  3-3 Phases of an Audit  3-8 Risk Assessment Phase  3-9 Risk Response Phase  3-9 Concluding and Reporting on an Audit  3-10 Materiality  3-10 Qualitative and Quantitative Materiality  3-11 Setting Materiality  3-11 Professional Skepticism and Audit Risk  3-14 Professional Skepticism  3-15 Audit Risk  3-15 The Audit Risk Model and Its Components  3-17 Audit Strategy  3-21 Reliance on Controls Approach  3-22 Substantive Approach  3-24 Fraud Risk  3-25 Incentives and Pressures to Commit a Fraud  3-27

  Table Opportunities to Perpetrate a Fraud  3-28 Attitudes and Rationalization to Justify a Fraud  3-29 Fraud Risk Assessment Process  3-30

4 Risk Assessment Part II:

Understanding the Client 

4-1

Understanding the Client  4-3 Gain an Understanding of the Entity  4-3 Gain an Understanding of the Industry and Business  Environment 4-8 Compliance with Laws and Regulations  4-10 Client Approaches to Measuring Performance  4-12 Profitability  4-12 Liquidity, Solvency, and Cash Flow  4-13 Analytical Procedures  4-14 Comparisons  4-14 Trend Analysis  4-15 Common-Size Analysis  4-15 Ratio Analysis  4-16 Audit Data Analytics  4-20 Factors to Consider When Conducting   Analytical Procedures  4-20 Related Parties  4-22 Corporate Governance  4-23 Internal Control and Information Technology  4-26 Closing Procedures  4-27

5 Audit Evidence 

5-1

Management Assertions  5-3 Characteristics of Audit Evidence  5-7 Sufficient Audit Evidence  5-7 Appropriate Audit Evidence  5-8 Audit Risk and Sufficient Appropriate Audit Evidence  5-9 Procedures for Gathering Audit Evidence  5-10 Inspection of Documents and Assets  5-11 Observation  5-12 Inquiry  5-12 Confirmation  5-13 Recalculation  5-15 Reperformance  5-16 Analytical Procedures  5-16 Scanning  5-16 Audit Data Analytics (ADA)  5-16 Using the Work of Others  5-18 Using the Work of a Specialist  5-18 Using the Work of Internal Auditors  5-20 Using the Work of Another Auditor  5-23 Documentation—Audit Working Papers  5-24 Permanent File  5-25 Current File  5-26

of Contents   xvii

6 Gaining an Understanding of

the Client’s System of Internal Control  6-1

Internal Control Defined  6-3 The COSO Framework  6-4 Inherent Limitations  6-6 Entity-Level Internal Controls  6-7 The Control Environment  6-7 Risk Assessment  6-10 Control Activities  6-11 Information and Communication  6-14 Monitoring Activities  6-16 Internal Control in Small Entities  6-17 Transaction-Level Internal Controls  6-19 Example Transaction Flows—Sales Process  6-19 Example Transaction Flows—Cash Receipts  6-21 Information Technology (IT) Controls  6-23 Benefits and Risks of IT Systems  6-23 IT General Controls  6-24 IT Application Controls  6-25 IT-Dependent Manual Controls  6-27 Documenting Internal Controls  6-29 Identifying Strengths and Weaknesses in a   System of Internal Controls  6-31 Management Letters  6-33

7 Audit Data Analytics 

7-1

Steps in Performing Audit Data Analytics  7-3 Step 1: Plan the Audit Data Analytics  7-5 Step 2: Access and Prepare the Data for Audit Data  Analytics 7-6 Step 3: Consider the Relevance and Reliability of the   Data Used  7-6 Step 4: Perform the Audit Data Analytics  7-7 Step 5: Evaluate the Results and Draw Conclusions  7-8 Audit Documentation  7-9 Steps Associated with Accessing and Preparing Data for   Audit Data Analytics  7-11 Is the Data Complete?  7-11 Does the Data Need to Be Cleaned?  7-11 Key Questions to Be Addressed in Evaluating the Relevance   and Reliability of Data Used in Audit Data Analytics  7-12 Using Audit Data Analytics as a Risk Assessment   Procedure  7-13 Understanding the Risk Analysis Decision Tree  7-14 What Do We Mean by Notable Items?  7-15 Tools for Searching for Notable Items  7-15 What to Do When ADA Identifies a Large Number of Items   for Further Consideration  7-16

xviii  Table of Contents  

Applying Audit Data Analytics as a Risk Assessment   Procedure  7-17 Cluster Analysis  7-18 Matching Information in Key Data Fields  7-25 Regression Analysis  7-30 Visualization  7-34 Using Audit Data Analytics as a Substantive Test  7-37 Applying Audit Data Analytics as a Substantive Test  7-38 Validating Sales Revenue and Accounts Receivable with   Subsequent Cash Receipts  7-38

8 Risk Response: Performing Tests of Controls 

8-1

Steps in Assessing Control Risk  8-3 Understand Entity-Level Controls  8-3 Understand the Flow of Transactions  8-3 Identify What Can Go Wrong (WCGW)  8-4 Identify Relevant Controls to Test  8-5 Determine Preliminary Audit Strategy  8-5 Perform Tests of Controls  8-5 Evaluate Evidence and Assess Control Risk  8-5 Reporting Findings  8-5 Types of Controls  8-7 Preventive and Detective Controls  8-7 Manual and Automated Controls  8-10 Procedures for Testing Controls  8-13 Inquiry  8-13 Observation  8-14 Inspection of Physical Evidence  8-14 Reperformance  8-14 Software-Based Audit Techniques  8-14 Selecting and Designing Tests of Controls  8-15 Which Controls Should Be Selected for Testing?  8-16 The Extent of Tests of Controls  8-17 Timing of Tests of Controls  8-21 Benchmarking  8-22 Selecting and Designing Tests of Controls—A Summary  8-23 Results of the Auditor’s Testing  8-26 Documenting Conclusions  8-29

9 Risk Response: Performing Substantive Procedures 

9-1

Audit Risk and Substantive Procedures  9-3 Risk Response at the Financial Statement Level  9-5 Nature of Substantive Procedures  9-7 Initial Procedures  9-8 Substantive Analytical Procedures  9-9 Tests of Details  9-13 ADA and Substantive Procedures  9-13

Timing of Substantive Procedures  9-14 Extent of Substantive Procedures  9-16 Auditing Accounting Estimates  9-19 Nature of Accounting Estimates  9-19 Risk Assessment Procedures for   Accounting Estimates  9-21 Risk Response Procedures for Accounting Estimates  9-22 Example of Auditing Accounting Estimates  9-24 Documenting Results of Substantive Procedures  9-26

10 Risk Response: Evaluating Audit

Data Analytics and Audit Sampling for Substantive Tests  10-1

Using Audit Data Analytics versus Audit Sampling  10-3 When to Use Audit Data Analytics  10-3 When to Use Audit Sampling  10-3 Audit Sampling Defined  10-5 Sampling Risk and Nonsampling Risk  10-6 Statistical and Nonstatistical Sampling  10-8 Sampling Methods  10-9 Random Selection  10-9 Systematic Selection  10-10 Haphazard Selection  10-11 Professional Judgment in Selecting and Evaluating   Sample Items  10-11 Factors That Influence the Sample Size—Substantive   Testing  10-11 A Basic Framework for Audit Sampling  10-14 Step 1: Determine the Objectives of the Substantive  Test 10-14 Step 2: Determine the Substantive Audit Procedures to  Perform 10-14 Step 3: Determine Whether to Audit a Sample   or the Entire Population  10-15 Step 4: Define the Population and Sampling Unit  10-16 Applying Probability-Proportionate-to-Size Sampling   for Substantive Testing  10-16 Step 5: Choose the Audit Sampling Technique  10-17 Step 6: Determine Sample Size Using Professional  Judgment 10-18 Step 7: Select a Representative Sample  10-21 Step 8: Apply Audit Procedures  10-22 Step 9: Evaluate Sample Results  10-22 Applying Nonstatistical Sampling for Substantive   Testing  10-28 Step 5: Choose the Audit Sampling Technique  10-28 Step 6: Determine Sample Size Using   Professional Judgment  10-29 Step 7: Select a Representative Sample  10-29 Step 8: Apply Audit Procedures  10-30 Step 9: Evaluate Sample Results  10-30 Step 10: Document Conclusions  10-32

  Table of Contents   xix

Appendix 10A: Applying Classical Variables   Sampling for Substantive Testing  10-33 Step 5: Apply Classical Variables Sampling  10-33 Step 6: Determine the Sample Size  10-34 Step 7: Select a Random Sample  10-37 Step 8: Apply Audit Procedures  10-37 Step 9: Evaluate the Sample Results  10-38 Step 10: Document Results  10-39

11 Auditing the Revenue Process 

11-1

Nature of the Revenue Process  11-3 Understanding the Entity and Its Environment  11-4 Understanding the Client’s Revenue Process  11-4 Analytical Procedures  11-6 Other Considerations Regarding the Entity   and Its Environment  11-8 Inherent Risks in the Revenue Process  11-9 Control Activities for Credit Sales  11-12 Example Transaction Flows—Sales Process  11-13 Identify What Can Go Wrong (WCGW) and Identify   Key Controls—Credit Sales and Accounts  Receivable 11-16 Control Activities for Cash Receipts  11-18 Example Transaction Flows—Cash Receipts  11-19 Identify WCGW and Identify Key Controls—Cash  Receipts 11-21 Control Activities for Sales Adjustments   and Revenue Process Disclosures  11-23 Granting Sales Returns and Allowances  11-23 Determining Uncollectible Accounts  11-24 Other Controls in the Revenue Process  11-24 Tests of Controls in the Revenue Process and   Audit Strategy  11-25 Tests of Controls in the Revenue Process  11-25 Fraud Risk Assessment  11-26 Audit Data Analytics as a Risk Assessment Procedure  11-27 The Risk of Material Misstatement and Audit Strategy  11-27 Substantive Tests for the Revenue Process  11-28 Initial Procedures  11-30 Substantive Analytical Procedures  11-31 Audit Data Analytics as a Substantive Test  11-31 Tests of Details of Transactions  11-32 Tests of Details of Balances  11-33 Tests of Details of Presentation and Disclosure  11-38

12 Auditing the Purchasing and Payroll Processes 

12-1

Nature of Purchase Transactions and Balances  12-3 Understanding the Entity and Its Environment  12-4 Understanding the Client’s Purchasing Process  12-4 Analytical Procedures  12-7

Other Considerations Regarding the Entity   and Its Environment  12-7 Inherent Risks in the Purchasing Process  12-8 Control Activities for Purchases  12-11 Example Transaction Flows—Credit Purchases  12-12 Identify What Can Go Wrong (WCGW) and Identify Key   Controls—Purchases and Accounts Payable  12-15 Control Activities for Cash Disbursements  12-18 Example Transaction Flows—Cash Disbursements  12-18 Identify What Can Go Wrong (WCGW) and   Identify Key Controls—Cash Disbursements  12-19 Evaluated Receipt Settlement (ERS)  12-21 Initiating an ERS Transaction  12-21 Receiving Goods  12-22 Recording Payables  12-22 Electronic Payment  12-22 Internal Controls in an ERS System  12-23 Control Activities for Purchase Adjustments and   Purchasing Process Disclosures  12-24 Purchase Returns and Allowances  12-24 Other Controls in the Purchasing Process  12-25 Tests of Controls in the Purchasing Process and   Audit Strategy  12-26 Tests of Controls in the Purchasing Process  12-26 Fraud Risk Assessment  12-27 Audit Data Analytics as a Risk Assessment Procedure  12-27 The Risk of Material Misstatement and Audit  Strategy 12-28 Substantive Procedures for the Purchasing   Process  12-28 Initial Procedures  12-30 Substantive Analytical Procedures  12-30 Audit Data Analytics as a Substantive Test  12-31 Tests of Details of Transactions  12-31 Tests of Details of Balances  12-32 Tests of Details of Presentation and Disclosure  12-33 Appendix 12A: Auditing Payroll  12-34 Explain the Nature of Payroll Transactions and   Balances  12-34 Understanding the Entity and Its Environment  12-35 Understanding the Client’s Payroll Process  12-35 Analytical Procedures  12-36 Other Considerations Regarding the Entity and Its  Environment 12-36 Inherent Risks Related to Payroll  12-37 Control Activities for Payroll  12-38 Example Transaction Flows—Payroll  12-38 Identify What Can Go Wrong (WCGW) and Identify Key  Controls—Payroll 12-40 Tests of Controls in the Payroll Process and Audit   Strategy  12-42 Tests of Controls for Payroll  12-43 Fraud Risk Assessment  12-43 Audit Data Analytics Used in Fraud Risk Assessment  12-44

xx  Table of Contents

The Risk of Material Misstatement and Audit  Strategy  12-44 Substantive Tests for the Payroll Process  12-45 Initial Procedures  12-46 Substantive Analytical Procedures  12-47 Audit Data Analytics as a Substantive Test  12-47 Tests of Details of Transactions  12-47 Tests of Details of Balances  12-48 Tests of Disclosures  12-48

13 Auditing Various Balance Sheet Accounts (and Related Income Statement Accounts)  13-1

Auditing Cash and Cash Equivalents  13-3 Understanding the Flow of Transactions  13-3 Understanding the Entity and Its Environment  13-3 Understanding the Results of Analytical Procedures  13-4 Assessing Inherent Risk  13-4 Assessing Control Risk and Fraud Risk  13-4 Determining an Audit Strategy  13-4 Substantive Tests of Cash Balances  13-5 Auditing Inventory on the Balance Sheet  13-11 Understanding the Flow of Transactions  13-12 Understanding the Entity and Its Environment  13-12 Understanding the Results of Analytical  Procedures 13-13 Assessing Inherent Risk  13-14 Assessing Control Risk and Fraud Risk  13-15 Determining an Audit Strategy  13-18 Substantive Tests of Inventory  13-19 Auditing Property, Plant, and Equipment  13-28 Understanding the Flow of Transactions  13-28 Understanding the Entity and Its Environment  13-29 Understanding the Results of Analytical Procedures  13-30 Assessing Inherent Risk  13-31 Assessing Control Risk and Fraud Risk  13-31 Determining an Audit Strategy  13-32 Substantive Tests for Property, Plant, and Equipment  13-32 Auditing Financing Activities  13-37 Understanding the Flow of Transactions  13-38 Understanding the Entity and Its Environment  13-38 Understanding the Results of Analytical  Procedures 13-39 Assessing Inherent Risk  13-39 Assessing Control Risk and Fraud Risk  13-40 Determining an Audit Strategy  13-41 Substantive Tests of Long-Term Debt  13-41 Substantive Tests of Stockholders’ Equity  13-44

14 Completing the Audit 

14-1

Audit Procedures for Loss Contingencies  14-3 Subsequent Events  14-7 Engagement Wrap-Up  14-10 Final Analytical Procedures  14-11 Final Evaluation of Audit Findings  14-11 Completion of Working Paper Review  14-16 Engagement Quality Review  14-17 Completion of Documentation  14-17 Going Concern  14-18 Management Representation and Communication   with Those Charged with Governance  14-21 Management Representation Letter  14-21 Communication with Those Charged with Governance  14-24

15 Reporting on the Audit 

15-1

Standard Unmodified/Unqualified Audit Report  15-3 Additional Paragraph for the Standard Unmodified   Report  15-7 Going Concern Paragraph  15-7 Consistency of Financial Statements  15-8 Emphasis Added at Discretion of the Auditor  15-10 Opinion Based in Part on the Report of Another   Auditor  15-12 Modifying the Audit Opinion  15-14 Departure from Applicable Financial Reporting  Framework 15-15 Scope Limitation  15-17 Subsequently Discovered Facts  15-22 Subsequently Discovered Facts That Become Known   Before the Report Release Date  15-22 Subsequently Discovered Facts That Become Known After   the Report Release Date  15-24 Reports on the Audit of icfr  15-26 Standard Unqualified Opinion on ICFR  15-26 Modified Opinion on ICFR  15-27 Compilation and Review Engagements  15-30 Compilation of Financial Statements  15-30 Review of Financial Statements  15-32 Appendix A   Cloud 9 Inc. Audit  A-1

Cloud 9 Inc. Company Background  A-1 Personnel  A-2 Financial Information  A-2 Transcript of Meeting with David Collier  A-4

Glossary  G-1 Index   I-1

Chapter 1 Introduction and Overview of Audit and Assurance The Audit Process Overview of Audit and Assurance (Chapter 1)

Professionalism and Professional Responsibilities (Chapter 2) Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4) Identify Significant Accounts and Transactions Make Preliminary Risk Assessments

Set Planning Materiality

Gaining an Understanding of the System of Internal Control (Chapter 6)

Audit Evidence (Chapter 5)

Develop Responses to Risk and an Audit Strategy

Performing Tests of Controls (Chapter 8)

Performing Substantive Procedures (Chapter 9) Audit Sampling for Substantive Tests (Chapter 10)

Auditing the Revenue Process (Chapter 11)

Auditing the Purchasing and Payroll Processes (Chapter 12)

Audit Data Analytics (Chapter 7)

Gaining an Understanding of the Client

Auditing the Balance Sheet and Related Income Accounts (Chapter 13)

Completing and Reporting on the Audit (Chapters 14 and 15) Procedures Performed Near the End of the Audit

Drawing Audit Conclusions

Reporting

1-1

1-2  Ch a pte r 1   Introduction and Overview of Audit and Assurance

Learning Objectives LO 1  Differentiate among assurance, attestation, and audit services. LO 2  Describe the different types of assurance services. LO 3 Explain the demand for audit and assurance services. LO 4  Discuss the different roles of the financial statement preparer and the auditor.

LO 6 Explain the concepts of reasonable assurance, materiality, and the nature of an unqualified/ unmodified report on the audit of financial statements. LO 7 Explain the concept of reasonable assurance and the nature of an unqualified report on internal controls over financial reporting. LO 8  Discuss the audit expectation gap.

LO 5  Identify the roles of different regulators and organizations that affect the audit profession.

Auditing and Assurance Standards PCAOB

Auditing Standards Board

Framework for Audits of Public Companies

Framework for Audits of Private Companies

AS 2201 An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements

AU-C 200  Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Generally Accepted Auditing Standards

AS 3101 The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion

AU-C 700  Forming an Opinion and Reporting on Financial Statements

Cloud 9 - Continuing Case This text is designed to provide you with the opportunity to learn about auditing by using a practical, problem-based approach. Each chapter begins with some information about an example audit client—Cloud 9 Inc. (Cloud 9). The chapter then provides the underlying concepts and background information needed to deal with this client’s situation and the problems facing its auditor. As you work through the chapters, you will gradually build your knowledge of auditing by studying how the contents of each chapter are applied to Cloud 9. The end-of-chapter exercises and problems also provide you with the opportunity to study other aspects of Cloud 9’s audit, in addition to applying the knowledge gained in the chapter to other practical examples. Cloud 9 Inc., a listed company (publicly traded) in the United States (U.S.), is looking to expand. McLellan’s Shoes was seen as a potential target. In 1985, Ron McLellan started McLellan’s Shoes in Seattle, Washington, manufacturing and retailing customized basketball shoes. Ron borrowed from the bank to start the company, using his

house as security, and over the years he worked very hard to establish a profitable niche in the highly competitive sport shoe market. Ron repaid the bank in 1999, and he vows to never borrow again. As the business grew, Ron’s wife and three adult children started to work with him, with responsibility for administration, marketing and sales, production, and distribution. By the early 2000s, Ron’s business employed 20 people full-time, most of whom work in production. There are also several casual employees and part-time staff in the retail outlet in Seattle, particularly during busy periods. In February 2020, Ron received a call from Chip Masters, the senior vice president of Cloud 9. Chip expressed an interest in buying McLellan’s Shoes. Ron wants to retire, and his children are starting to fight among themselves about who is going to take over their father’s business. Ron is looking for an exit strategy, but he does not want Chip to know that. He asks if Chip is ready to talk about the price. Chip says he is, but first he needs to see the audited financial statements for McLellan’s Shoes.

 Assurance, Attestation, and Audit Services  1-3

Ron asks for some time. He tells Chip that he first needs to talk to his family and will then get back to him. When Ron puts the phone down, he immediately calls his friend from the golf club, Ernie Black, who is a CPA. For years, Ernie has been suggesting to Ron that his business affairs need attention. Ron is good at making deals

and working hard, but he has never bothered with sophisticated financial arrangements. He is still running his business as a sole proprietor (not a corporation), and his wife does all the tax returns. Ron is in a panic—he wants to sell McLellan’s Shoes, but what is he going to do about Chip’s request for audited financial statements?

Chapter Preview: Audit Process in Focus The purpose of this chapter is to provide an overview of assurance, attestation, and audit services. While the focus of this text is the audit of financial statements, in this chapter we define assurance and attest engagements and differentiate among the types of assurance engagements. The assurance engagements explained in this chapter include financial statement audits, compliance audits, operational (performance) audits, and internal audits. We also discuss why there is a demand for audit and assurance services and then discuss the separate roles of the financial statement preparer and the auditors. Regulatory bodies and other organizations that impact the audit profession are introduced in this chapter. Also, the audit reports issued by auditors at the completion of the audit are discussed with the goal of explaining what is communicated in the auditor’s report. We discuss the audit expectation gap in the last section of this chapter.

Cloud 9 - Continuing Case Chip Masters has asked Ron McLellan for audited financial statements of McLellan’s Shoes. Ron has never had an audit and is not sure what it involves. He has heard about tax audits, safety audits, efficiency audits, as well as financial statement audits. Are they

all the same thing? Ernie explains to Ron that there are several services that people call “audits” that are different from financial statement audits. However, all these services, including financial statement audits, can be defined as assurance services.

Assurance, Attestation, and Audit Services Lea rning Objective 1 Differentiate among assurance, attestation, and audit services. The terms assurance, attestation, and auditing are sometimes used interchangeably, but they actually represent different types of services. They are similar in that they all represent a common process of an independent accounting firm taking information prepared by someone else and comparing that information to an established set of criteria. At the end of the service, the independent accounting firm provides a written report about the results of the service performed. This process is important because it adds credibility, or integrity, to the information, which makes it more useful for decision making. An everyday example of this process would be needing a physical exam from a medical doctor before joining a sports team. The doctor would be the independent professional. The doctor would conduct the physical exam and compare your results to standards considered acceptable for someone of your age and height. At the completion of the physical exam, the doctor would provide you with written documentation stating that you were in good physical condition to play on the sports team. The service provided by the doctor improves the “integrity” of your claim that you are in good condition to participate on the team. The relationship of assurance, attestation, and auditing services is shown in Illustration 1.1 and resembles overlapping umbrellas. We will refer to Illustration 1.1 as we discuss the three services in more detail.

1-4  Ch a pte r 1   Introduction and Overview of Audit and Assurance illustration 1.1   Relationship of assurance, attestation, and auditing services

Assurance Services

Risk advisory services Examination of financial forecast

audit services  services by an independent CPA that provide financial statement users with (1) an opinion on whether the financial statements are presented fairly, in all material respects, in accordance with an applicable financial reporting framework and, in some cases, (2) an opinion on the effectiveness of ICFR, which enhance the degree of confidence that intended users can place in the financial statements

attestation services  services performed when an independent practitioner, or CPA, is engaged to issue a report on subject matter that is the responsibility of another party

Attestation Services Review of historical financial statements Audit Services Historical Internal financial controls statements

Website security

Data integrity Agreed-upon procedures

Audit services are the most specific and narrow of the three services; therefore, it is the smallest umbrella in Illustration 1.1. Two primary types of audit services are an audit of financial statements and an audit of internal controls over financial reporting (ICFR). The purpose of an audit of financial statements is to provide financial statement users with an opinion by the auditor on whether the financial statements are presented fairly in accordance with an applicable financial reporting framework. The purpose of an audit of ICFR is to provide financial statement users with an opinion by the auditor on the design and operating effectiveness of ICFR. These audit services enhance the degree of confidence that intended users can place in the financial statements (AU-C 200.04). Some key concepts in these descriptions require further explanation. The financial statements refer to historical financial statements of either a public or private company. The auditor refers to an independent certified public accountant, or CPA, who is qualified to perform the auditing service. The only professional who can sign an audit report on historical financial statements and internal controls for a public or private company is a CPA. The applicable financial reporting framework refers to the set of standards used in preparing the historical financial statements, such as generally accepted accounting principles (GAAP) in the United States, International Financial Reporting Standards (IFRS), or governmental accounting standards for governmental entities. The intended users refer to any group that will be using the financial statements to make decisions, such as investors and creditors. Companies produce financial information that goes beyond historical financial statements. Examples include financial forecasts and detailed schedules for specific accounts. When CPAs are hired to report on the integrity of this type of financial information, it is called an attestation service. Attestation services are performed when an independent practitioner, or CPA, is engaged to issue a report on subject matter that is the responsibility of another party. As depicted in Illustration 1.1, audit services fall under the umbrella of attestation services, but so do other services that involve a CPA reporting on other financial information. Note the use of the term practitioner in the definition of attestation services. The term practitioner is used rather than auditor because attestation services encompass more than just the audit of historical financial statements and internal controls. Another example of an attestation service is a review of historical financial statements. Small private companies often do not want or need a service as extensive as an audit of the financial statements in which the auditor has to express an opinion on the fair presentation of the financial statements. In a review engagement, the practitioner expresses limited assurance that no material modifications need to be made to the financial statements. So a review of historical financial statements is a less extensive and, therefore, less expensive service that

 Assurance, Attestation, and Audit Services  1-5

can be very useful for smaller private companies. A more detailed discussion of a review is presented in Chapter 15. The largest umbrella in Illustration 1.1 represents assurance services. Assurance services are independent professional services that improve the quality of information, or its context, for decision makers. Some key concepts are included in this definition. The term independent is common to audit, attestation, and assurance services. Independent implies that the service is performed by someone who was not involved with the creation of the information and who is objective in the evaluation of the information. (Chapter 2 covers the concept of independence in more depth.) The term quality refers to the relevance and reliability of the information. The term information refers to subject matter that can be financial or nonfinancial, historical or prospective, standalone data or entire systems of data, internal or external to a company. Essentially, the concept of assurance services encompasses any service that a professional provides that involves improving the quality of information that was prepared by someone else. Both attestation and audit services fall under the broad term of assurance services, and therefore are depicted under the assurance umbrella in Illustration 1.1. While the audit of a company’s historical financial statements and internal controls is the focus of this text, there are other types of audit and assurance services that warrant some discussion. The next section provides a description of these different types of services.

assurance services  independent professional services that improve the quality of information, or its context, for decision makers

Professional Environment  Becoming a CPA Certified public accountants (CPA) are the only licensed accounting professionals in the United States. CPA licenses are not issued at the national level but at the state level. To become a licensed CPA, an individual must earn the three Es – Education, Exam, and Experience.1 The first step is meeting the education requirements set by a state board of accountancy, which vary from state to state. All states require a bachelor’s degree and completion of 150 hours of total college credit to be a licensed CPA. Within the 150 hours, some states require completion of courses in specific subject areas in accounting, business, or ethics. (See the discussion in this chapter on National Association of State Boards of Accountancy (NASBA) and State Boards of Accountancy.) The second step is passing the Uniform CPA Examination, or CPA exam. The CPA exam is accepted for CPA licensure by all states, which is why it is called the “uniform” CPA exam. The CPA exam consists of four sections: Auditing and Attestation (AUD), Business Environment and Concepts (BEC), Financial Accounting and Reporting (FAR), and Regulation (REG). The testing time for

each section is four hours for a total test time of 16 hours. Each part of the exam consists of multiple-choice items and task-based simulations, and the BEC section also contains written communication items. Exam candidates can take one part of the exam at a time and have 18 months to pass all four parts once the first part has been successfully passed. The final step is work experience. Work experience requirements also vary by state. In general, states require one to two years of work experience under the supervision of a licensed CPA. The work experience can be earned either before, during, or after sitting for the CPA exam, but some restrictions may apply for when the experience can be earned. A state board of accountancy will only issue a license to practice after all three Es have been earned. The purpose of the entire licensure process is to ensure that individuals possess the level of knowledge and the skills necessary to perform the duties of a CPA and to protect the public interest.

Before You Go On 1.1  Who are intended users of assurance services? 1.2  What does “independent” mean in the context of assurance services? 1.3  What is an example of an “applicable financial reporting framework”?

1 American Institute of Certified Public Accountants, The Uniform CPA Examination: Purpose and Structure (2018), www.aicpa.org/becomeacpa/cpaexam/examoverview.

1-6  Ch a pte r 1   Introduction and Overview of Audit and Assurance

Different Assurance Services Lea rning O bjective 2 Describe the different types of assurance services. In this section, we provide an overview of the most common types of assurance services that a practitioner can provide. We will discuss financial statement audits, compliance audits, operational (performance) audits, and internal audits.

Financial Statement Audits As stated earlier, the purpose of an audit of financial statements is to provide financial statement users with an opinion by the audit firm on whether the financial statements are presently fairly in accordance with an applicable financial reporting framework, which enhances the degree of confidence that intended users can place in the financial statements (AU-C 200.04). Within a U.S. context, the applicable financial reporting framework is typically GAAP. Public companies, or issuers, in the United States are required by the federal government to have an annual financial statement audit. Private companies, or non-issuers, are not required by the U.S. government to have an annual financial statement audit, but often other interested users request that a private company provide audited financial statements. A good example would be a lender (bank or other financial institution) requesting audited financial statements when considering whether to lend money to the private company. Audited financial statements add a degree of confidence that helps the lender make an informed lending decision.

Cloud 9 - Continuing Case Ron is not running a corporation. He operates his customized basketball shoe business as a sole proprietor. He is aware that big corporations have to be audited. However, because his business is not a publicly traded company, Ron does not believe that he has to have an audit. Ernie agrees that Ron does not have to

integrated audit  an audit that combines the financial statement audit with an audit of the effectiveness of ICFR

follow the same rules, but he also tells him that there are auditing standards in place that apply to a company like his. This means that although all the attention is usually on corporations, sole proprietors can, and may be required to, have their financial statements audited, too.

Certain public companies in the United States are also required to have an audit of ICFR. The objective in an audit of ICFR is to express an opinion on the effectiveness of the company’s system of internal controls over financial reporting (AS 2201.03). The reason for requiring an audit of internal controls is because effective internal control provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes (AS 2201.02). Therefore, public companies are required to have two audits every year, one on the financial statements and one on the effectiveness of the company’s internal controls. For efficiency purposes, these two audits are performed at the same time. This is referred to as an integrated audit. The objectives of the audits are not identical, however, and the auditor must plan and perform the work to achieve the objectives of each audit (AS 2201.06). Private companies are not required by the government to have an audit of ICFR. As mentioned above, other interested users, such as a lender, may require a private company to have an audit of ICFR along with an audit of the financial statements as a condition for being approved for a loan.

Limitations of an Audit A financial statement audit is conducted to enhance the reliability and credibility of the information included in the financial statements. It is not a guarantee that the financial

  Different Assurance Services  1-7

statements are free from error or fraud. The limitations of an audit are caused by (1) the nature of financial reporting, (2) the nature of audit procedures, and (3) the need for the audit to be conducted within a reasonable period of time at a reasonable cost (AU-C 200.A49). The nature of financial reporting refers to the use of judgment when preparing financial statements due to the subjectivity required when arriving at accounting estimates. Judgment is also required when selecting and applying accounting methods. For example, depreciating a piece of equipment is an estimate that requires judgment in selecting a depreciation method and determining a useful life and salvage value. The nature of audit procedures refers to the reliance on evidence provided by the client and its management. For example, what if client management withholds or hides important documents from the auditors? If auditors are unaware of this situation, they may arrive at an inappropriate conclusion based on incomplete facts. Evidence may be withheld or modified by perpetrators of fraud. It can be difficult for an auditor to determine whether a fraud has occurred because documents altered by those committing the fraud generally hide evidence. Also, auditors often use sampling techniques when testing some transactions and account balances. If a sample is not representative of all items available for testing, an auditor may arrive at an incorrect conclusion. The nature of audit procedures also refers to the concept of materiality. The Financial Accounting Standards Board (FASB) defines materiality as follows: Information is material if omitting it or misstating it could influence decisions that users make on the basis of the financial information of a specific reporting entity. (SFAC No. 8, para QC11)

materiality  the ability of information to influence decisions that users make on the basis of the financial information of a specific reporting entity

In other words, an error or misstatement in the financial statements is considered material if it impacts, or changes, the decision-making process of those individuals or groups who are using the financial statements. Therefore, when planning an audit, auditors select audit procedures that are designed to discover material misstatements. Because of time and cost constraints, it would be impractical for an audit to focus on finding all misstatements. The timeliness and cost of a financial statement audit refer to the pressures auditors face to complete their audit within a certain time frame at a reasonable cost. While it is important that auditors do not omit procedures in an effort to meet time and cost constraints, they may be under some pressure to do so. This pressure will come from clients wanting to issue their financial statements by a certain date, from clients refusing to pay additional fees for additional audit effort, and from within the accounting firm where there are pressures to complete all audits on a timely basis to avoid incurring costs that may not be recovered. By taking the time to plan the audit properly, auditors can ensure that adequate time is spent where the risks of a material error or fraud are greatest.

Compliance Audits A compliance audit involves gathering evidence to determine whether the person or entity under review has followed the rules, policies, procedures, laws, and regulations with which they must conform. One of the best examples of a compliance audit is an income tax audit. The Internal Revenue Service (IRS) may conduct an audit of an individual or a company to determine if tax laws have been followed and the correct amount of tax paid.

compliance audit  an audit to determine whether the entity has conformed with regulations, rules, or processes

Operational (Performance) Audits Operational (performance) audits are concerned with the economy, efficiency, and effectiveness of an organization’s activities. Economy refers to the cost of inputs, including wages and materials. Efficiency refers to the relationship between inputs and outputs, or the use of the minimum amount of inputs to achieve a given output. Finally, effectiveness refers to the achievement of certain goals or the production of a certain level of outputs. From an organization’s perspective, it is important to perform well across all three dimensions and not

operational (performance) audit  an assessment of the economy, efficiency and effectiveness of an organization’s operations

1-8  Ch a pte r 1   Introduction and Overview of Audit and Assurance

allow one to dominate. For example, if buying cheap inputs results in an inefficient production process, efficiency is sacrificed to achieve economic goals. Operational audits are generally conducted by an organization’s internal auditors (discussed in the next section), or they may be outsourced to an external accounting firm.

Internal Audits internal audit  a function within an entity which generally evaluates and improves risk management, internal control procedures and elements of the governance process those charged with governance  persons with responsibility for overseeing the strategic direction of the entity and the obligations related to the accountability of the entity

Internal audits are conducted to provide assurance about various aspects of an organization’s activities. The internal audit function is typically conducted by employees of the organization being audited, but can be outsourced to an external accounting firm. The function of an internal audit is determined by those charged with governance and management within the organization. While the functions of internal audits vary widely from one organization to another, they are often concerned with evaluating and improving risk management, internal control procedures, and elements of the governance process. The internal ­auditors often conduct operational audits, compliance audits, internal control assessments, and ­reviews. Many internal auditors are members of the Institute of Internal Auditors (IIA). The IIA is an international organization with more than 120,000 members that provides guidance and standards to aid internal auditors in their work. When conducting the financial statement audit, the external auditor may rely on the work done by internal auditors when evaluating the evidence needed to form an opinion on the financial statements or on ICFR. A more detailed discussion of how internal auditors may assist with the audit is provided in Chapter 5.

Cloud 9 - Continuing Case Ron is not concerned about internal audits—his business is too small for a separate internal audit function. He is also not worried about compliance and operational audits. His priority at the

­ oment is to close the deal with Chip Masters, and he still does m not know what he will do about the financial statement audit.

Before You Go On 2.1  What is the objective of a financial statement audit? 2.2  Explain the inherent limitations of a financial statement audit. 2.3  What are the three elements of an operational audit? 2.4  What are the most common functions of the internal auditors?

Demand for Audit and Assurance Services Lea rning O bjective 3 Explain the demand for audit and assurance services. In this section, we provide an overview of the primary financial statement users followed by a description of why these users may demand an audit of the financial statements.

  Demand for Audit and Assurance Services  1-9

Cloud 9 - Continuing Case Ron believes that his business has good, reliable financial records. Ron’s wife helps him keep tight control of the cash and other assets, and together they prepare some simple reports on a regular basis. Ron believes he knows exactly what is happening in the business and monitors the business’s cash flow and profit very closely. However, he has not prepared financial statements that

comply with U.S. GAAP. Is this a problem? Ernie explains to Ron that many businesses must apply the accounting standards, even if they are not corporations. It all depends on whether there are individuals or groups who are using the financial statements for decision-making purposes. Ron is a bit worried now—how does he know if he has these users?

Financial Statement Users Financial statement users include current and potential investors, suppliers, customers, lenders, employees, governments, and the general public. Each of these groups will read the financial statements for a slightly different reason as described below.

Investors Investors generally read financial statements to determine whether they should invest in the company. They are interested in the return on their investment and are concerned that the entity will remain a going concern (continue operating) into the foreseeable future. Investors may also be interested in the capacity of the company to pay a dividend. Prospective investors read financial statements to determine whether they should buy shares in the entity.

Suppliers Suppliers may read financial statements to determine whether the company can pay for goods or services supplied. They are also interested in whether the company is likely to remain a going concern (is likely to continue to be a customer of the supplier) and continue to pay its debts when they come due.

Customers In many business-to-business transactions, customers may read financial statements to determine whether a company they rely on is likely to remain a going concern and meet their needs.

Lenders Lenders may read financial statements to determine whether an entity is sufficiently creditworthy to qualify for a loan and whether it can pay the interest and principal as they come due.

Employees Employees may read financial statements to determine whether the entity can pay their wages or salaries and other benefits (for example, pensions). They may also be interested in assessing the future stability and profitability of the entity, as these affect job security.

Governments Governments may read financial statements to determine whether the company is complying with regulations, to evaluate if the company is paying a fair amount of taxes given its reported earnings, and to gain a better understanding of the company’s activities. A company in receipt of government grants often must provide a copy of its audited financial statements when applying for a grant and when reporting on how grant funds have been spent.

1-10  C h a pte r 1   Introduction and Overview of Audit and Assurance

The General Public The general public may read financial statements to determine whether they should associate with the company (for example, as a future employee, customer, or supplier), and to gain a better understanding of the company, what it does, and its plans for the future.

Sources of Demand for Audit and Assurance Services Financial statement users and their needs are many and varied. There are a number of reasons why some or all of these users would demand an audit of financial statements. These include remoteness, complexity, competing incentives, and reliability. Each of these concepts is explained below.

Remoteness Most financial statement users do not have access to the company under review. This makes it difficult to determine whether the information contained in the financial statements is a fair presentation of the entity and its activities for the relevant period.

Complexity Financial statements are complex, the amounts are often affected by significant estimates, and the disclosures often require significant knowledge and experience to evaluate. Most financial statement users do not have the accounting and legal knowledge to assess the reasonableness of complex accounting and disclosure choices being made by the company.

Competing Incentives Company managers have an incentive to disclose the information contained in the financial statements in a way that presents their performance in the best possible light. Users may find it difficult or impossible to identify when management is presenting biased information.

Reliability Financial statement users are concerned with the reliability of the information contained in the financial statements. Since they use that information to make decisions that have real consequences, it is very important that users can rely on the information contained in the financial statements. An independent third-party review of the financial statements by a team of auditors, who have the knowledge and expertise to assess the fairness of the information being presented by the preparers, helps users address all these issues. Auditors have access to company records, so they are not remote. Auditors are trained accountants and have detailed knowledge about the complex technical accounting and disclosure issues required to evaluate the choices made by the financial statement preparers. Independent auditors, whose work is regularly reviewed by regulators, have little incentive to aid the company in presenting its results in the best possible light. Auditors are concerned with verifying the information contained in the financial statements is reliable and free from any material misstatements. The audit service plays a vital role in maintaining the stability of the U.S. capital markets. Investors in public companies consider audited information reliable, which facilitates the trading of stocks and other financial instruments.

Cloud 9 - Continuing Case Ron tells Ernie that he has no remote users, such as shareholders or lenders, and his business is not very complex. He is the owner and the manager of McLellan’s Shoes and therefore has no competing incentives. For all these reasons, he has never felt the

need to purchase an audit to assure users of the reliability of his business’s financial information. Ernie agrees but points out that there is now a user who is very interested in the reliability of the financial information: Chip Masters.

 Preparers and Auditors  1-11

Before You Go On 3.1  Who are the main users of company financial statements? 3.2  Why might financial statement users demand an audit? 3.3  Explain why auditors, or CPAs, are the appropriate professionals to conduct an audit.

Preparers and Auditors Lea rning Objective 4 Discuss the different roles of the financial statement preparer and the auditor. In this section, we explain and contrast the different responsibilities of financial statement preparers and auditors. We provide details of the role that each group plays in ensuring the financial statements are an accurate representation of the company. Following this discussion is an overview of the different firms that provide assurance services.

Preparer Responsibility As you know from your financial accounting courses, the financial statements include the balance sheet (statement of financial position), income statement (statement of comprehensive income), statement of cash flows, statement of changes in equity, and accompanying notes. It is the responsibility of management, with oversight from those charged with governance (generally the board of directors), to prepare the financial statements. Specifically, management is responsible for the following: 1. Ensuring the information included in the financial statements is presented fairly and complies with the applicable financial reporting framework, which in the United States is most often GAAP. 2. Designing, implementing, and maintaining internal control relevant to the preparation and fair presentation of the financial statements. 3. Providing the auditors with access to all records, documentation, and personnel relevant to the preparation and fair presentation of the financial statements, and any additional information the auditors may consider relevant to complete the audit. The preparation of financial statements requires the use of knowledge and judgment on the part of management. Management is responsible for making estimates for some financial statement items (e.g., allowance for doubtful accounts or a goodwill impairment) and selecting appropriate accounting policies within the applicable financial reporting framework, usually GAAP (AU-C 200.A2–A3).

Auditor Responsibility The auditor’s responsibility is to provide an opinion on whether the financial statements are presented fairly in accordance with the applicable financial reporting framework. It is important to emphasize the auditor is not responsible for preparing the financial statements. Preparation of financial statements is management’s responsibility. Auditors are responsible for the following: 1.  Conducting the audit in accordance with the appropriate auditing standards. Auditing standards provide minimum requirements and guidance for the performance of an audit. Later in this chapter, we discuss the auditing standards that apply to financial statement audits.

1-12  C h a pte r 1   Introduction and Overview of Audit and Assurance professional skepticism  an attitude that includes a questioning mind, being alert to conditions that may indicate possible misstatement due to fraud or error, and a critical assessment of audit evidence

2. Planning and performing the audit with professional skepticism. Professional skepticism is an attitude adopted by auditors when conducting an audit. It means auditors remain independent of the entity, its management, and its staff when completing the audit work. In a practical sense, it means auditors maintain a questioning mind and thoroughly investigate all evidence presented by their client. Auditors must seek independent evidence to corroborate, or confirm, information provided by their client. Auditors must be suspicious when evidence contradicts documents held by their client or inquiries made of client personnel, including management and those charged with governance.

professional judgment  the application of relevant training, knowledge, and experience in making informed decisions about the courses of action that are appropriate in the circumstances of the audit engagement

3. Planning and performing the audit with professional judgment. Professional judgment relates to the application of relevant training, knowledge, and experience that auditors use while making informed audit decisions in conducting an audit. Auditors must use their judgment throughout the entire audit. For example, auditors must use judgment when determining if an information source is reliable. They must also use judgment when deciding if enough audit evidence has been gathered to support the audit opinion. The concepts of professional skepticism and professional judgment will be addressed throughout this text as we learn about the process used by auditors to arrive at their opinion. It is important to note that the auditor’s opinion on the financial statements is not meant to be a predictor of the future success of the company. Also, the opinion is not a reflection of how effectively management is performing its role of running the company. The auditor’s opinion is simply a report on whether the financial statements are fairly presented in accordance with the applicable financial reporting framework (AU-C 200.A1).

Assurance Providers Assurance services are provided by accounting and other consulting firms. The largest accounting firms in the United States are known collectively as the “Big 4” firms: Deloitte, Ernst & Young (EY), KPMG, and PricewaterhouseCoopers (PwC). These four firms operate internationally through a network of affiliate companies, and dominate the assurance market throughout the world. The next tier of accounting firms is known as the mid-tier. The firms that comprise the mid-tier have a significant presence nationally and most have international affiliations. The mid-tier firms in the United States include, among others, Grant Thornton, BDO USA, RSM, CBIZ/Mayer Hoffman McCann, and Crowe. These firms service medium-sized and smaller clients. The next tier of accounting firms are regional and local accounting firms. Regional firms have a significant presence across multiple states in a geographical region. For example, a regional firm might have offices located in the southeastern states of Georgia, Florida, Alabama, and Mississippi. The regional offices could be as large as some of the national firms, with just as many partners and professional staff. Like the national firms, the regional firms service medium-sized and smaller clients. Local accounting firms service clients in their local areas and range in size from a single-partner firm to several-partner firms. Local firms primarily service small-company clients and individuals. Many of these accounting firms provide non-assurance (or non-audit) services as well as assurance services. Independence is not required to provide non-assurance services. These non-assurance services include management consulting, business valuation, mergers and acquisitions, tax, and accounting. In Chapter 2, we will discuss rules regarding what types of non-assurance services, if any, can be provided to audit clients. Accounting firms are not the only providers of assurance services. A number of consulting firms provide assurance services in areas such as website security and environmental sustainability reporting. Consulting firms employ staff with a variety of expertise including, for example, engineers, accountants, IT professionals, scientists, and economists.

Cloud 9 - Continuing Case Ernie stresses to Ron that any financial statements prepared for McLellan’s Shoes are Ron’s responsibility, even if they are audited. The auditor must be skeptical about the claims made by

Ron in the financial statements. These claims include, for example, that the assets shown on the balance sheet exist and are valued correctly, and that the balance sheet contains a complete list

 The Role of Regulators and Regulations  1-13

of the business’s liabilities. In other words, the auditor is not just going to believe whatever Ron tells him or her. Auditors must gather evidence about the financial statements before they can give an audit opinion. Ernie also explains to Ron that because his business is relatively small, he has a choice between large and small audit firms. Very large companies must choose a Big 4 auditor because often the other auditors are too small to do the

work and still maintain their independence. If a small audit firm audits a large company, it is open to the criticism that it will not be sufficiently skeptical because it does not want to lose the fees from that client. A large audit firm has many other clients, so the fees from any one client are a relatively small part of its revenue. Ron likes the idea that the smaller audit firms are generally less expensive.

Before You Go On 4.1  Describe management’s responsibilities in terms of the financial statement audit. 4.2  What is professional skepticism? 4.3 What are non-audit services? Provide several examples of non-audit services provided by accounting firms.

The Role of Regulators and Regulations Lea rning Objective 5 Identify the roles of different regulators and organizations that affect the audit profession. In this section, we discuss the regulators and other organizations that impact the audit process and the profession.

Securities and Exchange Commission (SEC) The SEC is a federal government agency whose mission is to protect investors, maintain fair and efficient markets, and facilitate capital formation (www.sec.gov). A primary task of the SEC is to enforce and interpret securities laws. Some of the key laws that impact the audit profession are the Securities Act of 1933, the Securities Exchange Act of 1934, and the Sarbanes-Oxley (SOX) Act of 2002. The Securities Act of 1933 regulates the disclosure of financial information in a company’s initial public offering of stock and requires that the financial information be audited. The Securities Exchange Act of 1934 regulates the ongoing trading of securities after the initial public offering and requires the annual audit of a public company’s financial statements. The SOX Act of 2002 was passed to help restore investor confidence after a series of corporate accounting scandals were revealed in the late 1990s and early 2000s. The SOX Act enhanced financial disclosures for public companies and placed more emphasis on corporate responsibility. It also created the Public Company Accounting Oversight Board, or PCAOB, which oversees the audits of public companies.

Public Company Accounting Oversight Board (PCAOB) The PCAOB is a non-profit corporation established through the SOX legislation in 2002. Its mission is to oversee the audits of public companies to protect the interests of investors

1-14  C h a pte r 1   Introduction and Overview of Audit and Assurance

(www.pcaobus.org). Prior to the creation of the PCAOB, the audit profession was self-regulated. This means that audit professionals, through their own professional organization, created the auditing standards to be followed in the conduct of an audit. The audit profession also created a system of peer review for inspecting audit work to ensure auditors were following the standards, and would take enforcement action for auditors who did not perform audits according to the standards. The audit profession is still self-regulated with respect to the audits of private companies, but when the PCAOB was created, it took over the regulation and standard setting for the audits of public companies. Standards issued by the PCAOB are called Auditing Standards (AS), which provide minimum requirements and guidance for auditing services. When the PCAOB was created, it adopted the audit profession’s standards in 2003 as its interim standards, providing a starting point for the audits of public companies. Since then the PCAOB has issued its own standards that supersede, or replace, some of the interim standards. In 2015, the PCAOB reorganized its auditing standards using a topical structure and a single, integrated numbering system. The current topical organization of the PCAOB standards is listed in Illustration 1.2. Throughout the text, you will be learning some of the specific PCAOB auditing standards in the different topical categories. The beginning of each chapter will list which PCAOB standards will be discussed in that particular chapter. You will also see references to the PCAOB standards within each chapter. The reference will begin with “AS” followed by the standard number, a decimal, and then a paragraph number, such as “AS 2201.06.” ILLUSTRATION 1.2   PCAOB Auditing Standards topical organization

General Auditing Standards (1000) 1000

General Principles and Responsibilities

1100

General Concepts

1200

General Activities

1300

Auditor Communications

Audit Procedures (2000) 2100

Audit Planning and Risk Assessment

2200

Auditing Internal Control Over Financial Reporting

2300

Audit Procedures in Response to Risks – Nature, Timing, and Extent

2400

Audit Procedures for Specific Aspects of the Audit

2500

Audit Procedures for Certain Accounts or Disclosures

2600

Special Topics

2700

Auditor’s Responsibilities Regarding Supplemental and Other Information

2800

Concluding Audit Procedures

2900

Post-Audit Matters

Auditor Reporting (3000) 3100

Reporting on Audits of Financial Statements

3300

Other Reporting Topics

Matters Relating to Filings Under Federal Securities Laws (4000) Other Matters Associated with Audits (6000) Source: www.pcaobus.org/standards/auditing.

Accounting firms that want to audit public companies must register with the PCAOB. Registration involves paying fees to the board, complying with the PCAOB’s Auditing Standards, and having their audit work inspected by the board. The PCAOB has disciplinary authority over registered firms and can impose punishment on accounting firms that do not adhere to standards. Punishments can include revoking a firm’s registration, imposing monetary fines, and banning an individual within a firm from auditing public companies.

 The Role of Regulators and Regulations  1-15

American Institute of Certified Public Accountants (AICPA) The AICPA is a private professional membership organization of CPAs representing the accounting profession. There are over 400,000 members in 145 countries (www.aicpa.org). Some key activities of the AICPA include representing the profession before rule-making bodies, acting as an advocate for the profession before legislative bodies, providing educational materials to its members, and setting ethical standards for the profession. The AICPA is also responsible for creating and grading the Uniform CPA Exam. The AICPA accomplishes many of its activities through its system of committees. One of the standing committees is the Auditing Standards Board, or ASB. Prior to the creation of the PCAOB, the ASB was responsible for issuing auditing standards used for the audits of public and private companies. Since 2003, the task of the ASB has been to issue audit standards for the audits of private companies and not-for-profit organizations only. Audit standards issued by the ASB are called Statements on Auditing Standards (SAS). In an effort to improve the clarity of auditing standards, the ASB approved new clarity standards that were effective for audit periods ending after December 15, 2012. The new clarity standards include a more comprehensive set of principles underlying an audit conducted in accordance with generally accepted auditing standards (GAAS), which are presented in Illustration 1.3. These principles explicitly address the concepts of materiality and professional skepticism. The principles describe the responsibilities of management, and those charged with governance of an entity, for the financial statements. The auditor responsibilities also address the important concepts of compliance with ethical requirements (including independence requirements) and the fact that an auditor must use professional judgment. Take a few minutes to read the principles in Illustration 1.3.

Purpose of an Audit The purpose of an audit is to provide financial statement users with an opinion by the auditor on whether the financial statements are presented fairly, in all material respects, in accordance with the applicable financial reporting framework. An auditor’s opinion enhances the degree of confidence that intended users can place in the financial statements. Premise Upon Which an Audit Is Conducted An audit in accordance with generally accepted auditing standards is conducted on the premise that management, and where appropriate, those charged with governance, have responsibility: a. for the preparation and fair presentation of the financial statements in accordance with the applicable financial reporting framework; this includes the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatements, whether due to fraud or error. b.  to provide the auditor with: i.  all information, such as records, documentation, and other matters that are relevant to the preparation and fair presentation of the financial statements; ii.  any additional information that the auditor may request from management, and where appropriate, those charged with governance; and iii. unrestricted access to those within the entity from whom the auditor determines it necessary to obtain audit evidence. Responsibilities of the Auditor Auditors are responsible for having appropriate competence and capabilities to perform the audit; complying with relevant ethical requirements; and maintaining professional skepticism and exercising professional judgment, throughout the planning and performance of the audit. Performing the Audit To express an opinion, the auditor obtains reasonable assurance about whether the financial statements as a whole are free of material misstatement, whether due to fraud or error.

illustration 1.3   Principles underlying an audit conducted in accordance with generally accepted auditing standards (GAAS)

1-16  C h a pte r 1   Introduction and Overview of Audit and Assurance illustration 1.3  

(continued)

To obtain reasonable assurance, which is a high, but not absolute, level of assurance, the auditor: • plans the work and properly supervises any assistants. • determines and applies appropriate materiality level or levels throughout the audit • identifies and assesses risks of material misstatement, whether due to fraud or error, based on an understanding of the entity and its environment, including the entity’s internal control. • o  btains sufficient appropriate audit evidence about whether material misstatements exist, through designing and implementing appropriate responses to the assessed risks. The auditor is unable to obtain absolute assurance that the financial statements are free of material misstatement because of inherent limitations, which arise from: • the nature of financial reporting; • the nature of audit procedures; and • t he need for the audit to be conducted within a reasonable period of time and so as to achieve a balance between benefit and cost. Reporting the Results of an Audit Based on an evaluation of the audit evidence obtained, the auditor expresses, in the form of a written report, an opinion in accordance with the auditor’s findings, or states that an opinion cannot be expressed. The opinion states whether the financial statements are presented fairly, in all material respects, in accordance with applicable financial reporting framework. Source: AU-C Preface.

The SASs are interpretations of the principles underlying an audit conducted in accordance with GAAS. The SASs explain the nature and extent of an auditor’s responsibility and offer guidance to an auditor in performing the audit of a private company. Compliance with the SASs is mandatory for AICPA members, who must justify any departures from the standards. The SASs are numbered in the order in which they are issued by the ASB. Then the standards are organized by topical content using the AU numbering system. (Note that the “AU” stands for auditing standards, but these are not to be confused with the Auditing Standards (AS) from the PCAOB.) The AU-C topical order (the “C” denotes the clarified standards) is listed in Illustration 1.4. Throughout the text, we will be learning some of the specific ASB auditing standards in the different topical categories. The beginning of each chapter will list which ASB standards will be discussed in that respective chapter. You will also see references to the ASB standards within the text. The reference will begin with “AU-C” followed by the standard number, a decimal, and then a paragraph number, such as “AU-C 200.05.” The ASB also issues Statements on Standards for Attestation Engagements (SSAE) and Statements on Quality Control Standards (SQCS) for AICPA member firms. Another standing committee of the AICPA is the Accounting and Review Services Committee. This committee is tasked with issuing Statements on Standards for Accounting and Review Services (SSARS). The SSARS provide guidance for services provided on historical financial statements that are less extensive than an audit. An example that we discussed earlier is a review of historical ILLUSTRATION 1.4   Auditing Standards Board AU-C topical content

AU-C Section

General Topic

AU-C 200–299

General Principles and Responsibilities

AU-C 300–499

Risk Assessment and Response to Assessed Risks

AU-C 500–599

Audit Evidence

AU-C 600–699

Using the Work of Others

AU-C 700–799

Audit Conclusions and Reporting

AU-C 800–899

Special Considerations

AU-C 900–999

Special Considerations in the United States

Source: AICPA.

 The Role of Regulators and Regulations  1-17

financial statements. A more detailed discussion of accounting and review services is provided in Chapter 15. To help summarize the audit standard-setting environment in the United States, Illustration 1.5 provides a diagram of the current audit standard setting-structure for the audits of public and private companies.

ILLUSTRATION 1.5   Auditing standard setting in the United States

Audit standard setting

Statements on Auditing Standards (SAS)

Private company (non-issuer)

Public company (issuer)

AICPA’S Auditing Standards Board (ASB)

Public Company Accounting Oversight Board (PCAOB)

Statements on Standards for Attestation Engagements (SSAE)

Statements on Quality Control Standards (SQCS)

Interpretive publications from the ASB to provide guidance to CPAs and auditors

Auditing Standards (AS)

Staff audit practice alerts from the PCAOB to provide guidance to CPAs and auditors

Professional Environment  International Auditing and Assurance Standards Board (IAASB) In 1977, 63 accountancy bodies (including the AICPA) representing 51 countries signed an agreement creating the International Federation of Accountants (IFAC). The mission of IFAC is to serve the public interest and strengthen the accountancy profession by supporting the development and implementation of high-quality international standards.2 Toward this end, IFAC has established, as a standing subcommittee, the International Auditing and Assurance Standards Board (IAASB) with the responsibility and authority to issue International Standards on Auditing (ISA). The mission of the IAASB is to establish high-quality auditing, assurance, quality control, and related services standards and to improve the uniformity of practice by professional accountants throughout the world, thereby strengthening public

confidence in the global auditing profession and serving the public interest.3 Today, auditing has become a global profession. Many countries adopt IAASB standards as their own. Other countries have auditing standards that closely resemble the IAASB standards (for example, the SAS in the United States). Where differences exist between the international standards and local standards, the local member body, such as the AICPA’s ASB, is expected to give prompt consideration to such differences with a view to achieving harmonization. In recent years, the U.S. ASB and the IAASB have worked jointly in creating auditing standards that have global acceptance. Most of the auditing principles and practices discussed in this text are consistent with IAASB standards.

Financial Accounting Standards Board (FASB) The FASB is a privately funded organization whose mission is to establish financial accounting and reporting standards for nongovernmental entities with the goal of providing information

2

International Federation of Accountants website (accessed June 5, 2018), www.ifac.org.

3

International Auditing and Assurance Standards Board website (accessed June 5, 2018), www.iaasb.org.

1-18  C h a pte r 1   Introduction and Overview of Audit and Assurance

that is useful for decision making (www.fasb.org). You are probably familiar with the FASB from your financial accounting courses. The FASB maintains the Accounting Standards Codification (ASC), which represents the authoritative standards of financial reporting recognized by the SEC, the PCAOB, and the AICPA. We commonly refer to the authoritative standards as GAAP. There are seven full-time members of the FASB who have diverse backgrounds in accounting, finance, business, and research. Members of the FASB work closely with the AICPA, SEC, and the PCAOB when researching and drafting financial accounting and reporting standards.

Committee on Sponsoring Organizations of the Treadway Commission (COSO) COSO is an independent private-sector group that focuses on providing guidance to management and expertise in the areas of internal control, enterprise risk management, and fraud deterrence (www.coso.org). COSO was organized in 1985 and is sponsored by the following organizations: the American Accounting Association (AAA), the AICPA, Financial Executives International (FEI), the Institute of Internal Auditors (IIA), and the National Association of Accountants, which is now the Institute of Management Accountants (IMA). The first chairman of the commission was James C. Treadway, Jr., a former commissioner of the SEC. The group is often referred to as the “Treadway Commission.” In 1992, COSO issued a landmark report titled Internal Control—Integrated Framework. This report provided a comprehensive definition of internal controls and a framework that companies could use to design their own internal control systems. In 2013, the framework went through a comprehensive update and was reissued. This updated framework will be covered in depth in Chapter 6.

National Association of State Boards of Accountancy (NASBA) and State Boards of Accountancy CPAs are professionals who are licensed by state governments. Each state legislature has established a state board of accountancy to license and regulate CPAs to protect the public interest. Some of the functions of a state board of accountancy include: •  Issuing CPA licenses to individuals who meet all the requirements. •  Adopting and enforcing rules of professional conduct for CPAs. •  Adopting and enforcing rules regarding continuing professional education requirements. •  Investigating complaints, conducting hearings, and taking appropriate disciplinary actions, such as suspension or revocation of the CPA license. NASBA is a professional organization whose mission is to enhance the effectiveness and advance the common interests of its members, which are the state boards of accountancy (www.nasba.org). There are actually 55 jurisdictions with boards of accountancy. They include the 50 states, the District of Columbia, the Commonwealth of the Northern Mariana Islands, Guam, Puerto Rico, and the Virgin Islands. NASBA acts as a collective voice for the boards of accountancy and works to promote the interests of the state boards with legislative and regulatory bodies. NASBA also provides education and development opportunities for its members, provides technology support, and promotes ethical behavior in the profession. One of the services NASBA provides to state boards is that it serves as the application center for individuals applying to sit for the CPA exam. When you are ready to apply to take the CPA exam, you may be asked to apply through NASBA’s website.

 Audit Report on Financial Statements  1-19

Cloud 9 - Continuing Case Ernie explains that, in general, the regulators and regulations that apply to publicly traded corporations are not relevant to McLellan’s Shoes. However, any auditor Ron engages would apply the auditing and accounting standards that are relevant to an audit

engagement when auditing a small business. Since McLellan’s Shoes is a private company, the auditors would follow the auditing standards of the ASB when conducting the audit.

Before You Go On 5.1  What is the SEC and what is its role? 5.2 Which organization sets the standards for the audits of public companies? For the audits of private companies? 5.3  What are the main functions of a state board of accountancy?

Audit Report on Financial Statements Lea rning Objective 6 Explain the concepts of reasonable assurance, materiality, and the nature of an unqualified/unmodified report on the audit of financial statements. In this section, we introduce you to the independent auditor’s report, which is the “end product” of the financial statement audit. The independent auditor’s report is used to communicate the audit firm’s opinion about a company’s financial statements to interested users. We will revisit the independent auditor’s report in more depth in Chapter 15, but it is helpful to understand this report from the perspective of a financial statement reader as you begin to learn the audit process.

Reasonable Assurance and the Financial Statements We have explained how the responsibility of the auditor is to provide an opinion on whether the financial statements are presented fairly in accordance with the applicable financial reporting framework. An opinion is defined as a judgment about matters that are subjective. The preparation of financial statements is considered somewhat subjective because management must make some estimates and choose between different accounting methods. Therefore, the auditor is only required to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error. Reasonable assurance is a high, but not absolute, level of assurance (AU-C 200.06). In other words, the auditor does not “guarantee” or “certify” that the financial statements are 100% accurate because that is considered absolute assurance, which is not possible with content that is subjective. In addition, an audit could not be completed in a reasonable amount of time if auditors had to provide absolute assurance. For some accounts and transactions, auditors use sampling techniques when gathering audit evidence and therefore do not examine 100% of a company’s transactions for the period under audit. So, how do auditors know when they have gathered enough evidence? Ultimately, that is a matter of professional judgment. Since judgment is

reasonable assurance  a high, but not absolute, level of assurance

1-20  C h a pte r 1   Introduction and Overview of Audit and Assurance

audit risk  the risk that an auditor expresses an inappropriate audit opinion when the financial statements are materially misstated

involved, there will always be a risk the auditors will give the wrong opinion. This is called audit risk. Audit risk is affected by client characteristics as well as actions of the auditor. For example, when a client implements a new accounting standard, audit risk increases because there is increased risk for error when implementing a new process. The internal control system of the client also impacts audit risk. If the client has strong internal controls, it is more likely the internal controls will prevent, or detect and correct, material misstatements, which decreases audit risk. Auditors impact audit risk by the decisions made in how to conduct the audit. For example, using a larger sample size versus a smaller sample size, in general, will decrease audit risk. The concept of audit risk is covered in depth in Chapter 3. We will devote considerable attention throughout the text to the concept of audit risk and determining how auditors make important professional judgments about collecting sufficient, appropriate evidence to achieve reasonable assurance and support the audit opinion.

Materiality and the Financial Statements Although financial statements contain approximations, they must reflect a reasonable degree of precision. However, accounting is not precise, or accurate, the way we might think of Newtonian physics as being precise. If a potential misstatement of the financial statements is significant enough to influence or make a difference in the judgment or consequential activities of a financial statement user, it is considered material. Materiality is a relative concept, and it differs from company to company and from year to year for a given company. For example, a $25,000 misstatement of revenues may be material to a company with $200,000 of net income, while a $25,000 misstatement for a company with $5,000,000 in net income may be immaterial. In addition, qualitative characteristics influence materiality. For example, an error in the financial statements may be a small percentage of an account balance. This small error, however, may be considered material because it could cause an entity to breach a loan covenant, which could result in a misclassification of current and noncurrent debt. Auditors design an audit to provide reasonable assurance that the financial statements are free of material misstatement. However, auditors do not design an audit to look for immaterial misstatements because they would not influence a financial statement user. A deeper discussion of how auditors make materiality decisions can be found in Chapter 3.

Professional Environment  Materiality In the audit of a very large company, the amount of misstatement that would be considered immaterial might be quite large. Consider the audit of The Boeing Company for the year ended December 31, 2017, when Boeing had total revenues of $93.392 billion, earnings before income taxes of $10.047 billion, net income of $8.197 billion, and total assets of $92.333 billion at December 31, 2017. Boeing rounds its financial statement amounts to the nearest $1 million. For the year ended December 31, 2017, Boeing had a return on assets of 8.99%.

As an investor, would you consider a return on assets of 8.99% or 9.00% to be substantially the same? It would take approximately a $10 million misstatement to change return on assets by only 1/100 of 1% for Boeing for the year ended December 31, 2017. Alternatively, as an investor, would you consider a return on assets of 8.99% or 8.89% to be substantially the same? It would take approximately a $100 million misstatement to change return on assets by only 1/10 of 1% for Boeing for the year ended December 31, 2017.

The Auditorʼs Report on Financial Statements When the audit firm has determined that it has gathered sufficient, appropriate evidence to form an opinion, then it is ready to issue the audit report. Auditing standards require a standard format of the audit report be used for all audits. In other words, all accounting firms use the same standard format and standard wording for reporting their audit opinions. Using a standard format makes it easier for financial statement users to navigate the audit report. There is a standard

 Audit Report on Financial Statements  1-21

report for the audit of public company financial statements and a standard report for the audit of private company financial statements. The actual process of auditing the financial statements of public and private companies is similar, but there are also some differences, which will be discussed throughout the text. One of the key differences is the format of the audit reports. Illustration 1.6 provides an example of an unmodified audit report on the financial statements of McLellan’s Shoes, a private company. If auditors have determined the financial statements are presented fairly in accordance with the applicable financial reporting framework, they issue the standard unmodified report. Take a moment to read over the report. You will see some of the key concepts we have already discussed in this chapter. Sections of the report are numbered so we can further explain each component. Explanations of each numbered component follow Illustration 1.6.

[1] Independent Auditor’s Report [2] To the owners of McLellan’s Shoes: [3] Report on the Financial Statements We have audited the accompanying financial statements of McLellan’s Shoes, which comprise the balance sheets as of December 31, 2022 and 2021, and the related statements of income, changes in equity, and cash flows for the years then ended, and the related notes to the financial statements. [4] Management’s Responsibility for the Financial Statements Management is responsible for the preparation and fair presentation of these financial statements in accordance with accounting principles generally accepted in the United States of America; this includes the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error. [5] Auditor’s Responsibility Our responsibility is to express an opinion on these financial statements based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the United States of America. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement. An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. The procedures selected depend on the auditor’s judgment, including the assessment of the risks of material misstatement of the financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity’s preparation and fair presentation of the financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control. Accordingly, we express no such opinion. An audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of significant accounting estimates made by management, as well as evaluating the overall presentation of the financial statements. We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our audit opinion. [6] Opinion In our opinion, the financial statements referred to above present fairly, in all material respects, the financial position of McLellan’s Shoes as of December 31, 2022 and 2021, and the results of its operations and its cash flows for the years then ended in accordance with accounting principles generally accepted in the United States of America. [7] Bell & Bowerman, LLP Seattle, Washington [8] February 15, 2023 Source: AU-C 700.A63 Exhibit—Illustration 1.

illustration 1.6   Example of an unmodified audit report on the financial statements of McLellan’s Shoes, a private company

1-22  C h a pte r 1   Introduction and Overview of Audit and Assurance

1. Title—The term independent is in the title of the report to emphasize the auditors are external to the company, unbiased, and therefore can provide an objective opinion. 2. Address—The report is addressed to the owners or shareholders of the company and to the board of directors, if applicable. 3. Introductory paragraph—This paragraph explains that an audit was conducted and identifies the financial statements and the date of the financial statements. 4. Management’s responsibility paragraph—This paragraph explains that management is responsible for the preparation and fair presentation of the financial statements and for the design, implementation, and maintenance of ICFR. 5. Auditor’s responsibility paragraphs—These paragraphs explain the auditors are responsible for expressing an opinion on the financial statements, for following auditing standards, for assessing the risk of material misstatement, and for obtaining reasonable assurance about the fair presentation of the financial statements. The appropriate auditing standards would be those issued by the ASB since the company is a private company. In a private company audit, auditors state they do not evaluate internal control for the purpose of expressing an opinion on internal control. The audit firm concludes with a statement that it believes it has obtained sufficient and appropriate evidence to provide a basis for its audit opinion. 6. Opinion paragraph—This paragraph clearly states the auditor’s opinion that the financial statements are fairly presented, in all material respects, in accordance with the applicable financial reporting framework, which in this example is GAAP. 7.  Signature—The firm name and location are used as the signature. 8. Date—The date represents the end of fieldwork, which is the conclusion of gathering and evaluating evidence, and drawing all conclusions for the audit. Illustration 1.7 provides an example of an unqualified audit report on the financial statements of The Boeing Company, a public company. If auditors have determined the financial statements are presented fairly in accordance with the applicable financial reporting framework, they issue the standard unqualified report. The PCAOB standards use the term unqualified report. The term unqualified is equivalent to the term unmodified used for the private company audit report. The terms are sometimes used interchangeably. Take a moment to look over the report in Illustration 1.7 and note some of the similarities and differences with the private company audit report. Again, you will see some of the key concepts discussed in this chapter. Sections of the report are numbered so we can further explain each component. Explanations of each numbered component follow Illustration 1.7. illustration 1.7   Example of an unqualified audit report on the financial statements of The Boeing Company, a public company

[1] REPORT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM [2] To the shareholders and the Board of Directors of The Boeing Company Opinion on the Financial Statements [3] We have audited the accompanying consolidated statements of financial position of The Boeing Company and subsidiaries (the “Company”) as of December 31, 2017 and 2016, the related consolidated statements of operations, comprehensive income, equity, and cash flows, for each of the three years in the period ended December 31, 2017, and the related notes (collectively referred to as the “financial statements”). In our opinion, the financial statements present fairly, in all material respects, the financial position of the Company as of December 31, 2017 and 2016, and the results of its operations and its cash flows for each of the three years in the period ended December 31, 2017, in conformity with accounting principles generally accepted in the United States of America. [4] We have also audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States) (PCAOB), the Company’s internal control over financial reporting as of December 31, 2017, based on criteria established in Internal Control – Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission and our report dated February 12, 2018, expressed an unqualified opinion on the Company’s internal control over financial reporting.

 Audit Report on Financial Statements  1-23 Basis for Opinion [5] These financial statements are the responsibility of the Company’s management. Our responsibility is to express an opinion on the Company’s financial statements based on our audits. We are a public accounting firm registered with the PCAOB and are required to be independent with respect to the Company in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB. [6] We conducted our audits in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether due to error or fraud. Our audits included performing procedures to assess the risks of material misstatement of the financial statements, whether due to error or fraud, and performing procedures that respond to those risks. Such procedures included examining, on a test basis, evidence regarding the amounts and disclosures in the financial statements. Our audits also included evaluating the accounting principles used and significant estimates made by management, as well as evaluating the overall presentation of the financial statements. We believe that our audits provide a reasonable basis for our opinion. [7] /s/ Deloitte & Touche LLP Chicago, Illinois [8] February 12, 2018 [9] We have served as the Company’s auditor since at least 1934; however, an earlier year cannot be reliably determined.

1. Title—The term independent is also in the title of this report to emphasize the auditors are external to the company, unbiased, and therefore can provide an objective opinion. In addition, the term registered is included to emphasize the firm is registered with the PCAOB. 2. Address—The report is addressed to the shareholders and board of directors of the company. 3. Opinion paragraph—The first sentence explains that an audit was conducted and identifies the financial statements and the dates of the financial statements. The second sentence states the auditor’s opinion. Note the opinion sentence is virtually identical to the opinion paragraph for the private company audit report. 4. Paragraph referencing the audit of internal control—This paragraph is unique to the public company audit report. Public companies are required to have an audit of ICFR and auditors issue a separate opinion for that audit, which is discussed in the next section. 5. Basis for opinion paragraph—This paragraph states the differing responsibilities of management and auditors. It is similar to the responsibility paragraphs of the report for private company audits, but the private company report goes into more detail regarding the responsibilities of management and auditors. One key difference is that this paragraph references registration with the PCAOB and independence requirements of the SEC and other federal securities laws. 6. Scope paragraph—This paragraph explains, in brief terms, the process of conducting an audit. It mentions the concept of reasonable assurance about whether the financial statements are free of material misstatement. It includes an explicit statement that PCAOB auditing standards were followed since it is a public company. The scope paragraph also includes a brief discussion of the professional judgments made during the audit. Finally, it concludes with a statement that the audit firm believes that its audit provides a reasonable basis for its opinion. 7. Signature—The firm name and location is used as the signature. 8. Date—The date represents the end of fieldwork, which is the conclusion of gathering and evaluating evidence, and drawing all conclusions for the audit. 9. Auditor tenure—The final component of the report is a sentence that states the year in which the firm began serving consecutively as the company’s auditor. After reviewing the standard audit reports, you may be wondering what happens if auditors conclude the financial statements are not presented fairly in accordance with the

1-24  C h a pte r 1   Introduction and Overview of Audit and Assurance

applicable financial reporting framework? Or what happens if auditors cannot gather enough evidence to form an opinion? When situations such as these occur, auditors may have to modify their opinion. Auditing standards have established three types of modified audit opinions: a qualified opinion, an adverse opinion, and a disclaimer of opinion. Illustration 1.8 provides a brief summary of situations that could cause auditors to issue a modified opinion. It is important to note that only material situations would cause auditors to modify the opinion. The discovery of immaterial errors would not prevent the issuance of an unmodified/unqualified opinion. The different types of modified reports will be covered in depth in Chapter 15, so consider Illustration 1.8 a basic introduction to the modified reports.

ILLUSTRATION 1.8   Situations that cause a modified opinion

Situation

Type of Modified Opinion

Material departure(s) from the applicable financial reporting framework and the client refuses to make corrections

•  Qualified – financial statements are presented fairly, except for the uncorrected departure(s)

Material limitation on the auditor’s ability to gather sufficient appropriate evidence, referred to as a scope limitation

•  Qualified – financial statements are presented fairly, except for the auditor’s inability to gather evidence for a material item

•  Adverse – financial statements are not presented fairly and should not be relied upon (pervasively material departures)

•  Disclaimer of opinion – auditor was not able to gather sufficient appropriate evidence and cannot express an opinion on the financial statements (pervasively material scope limitations) Auditor is not independent

•  Disclaimer of opinion – auditor is not independent and cannot express an opinion

Professional Environment  PCAOB Releases New Audit Report Prior to 2017, the standard unqualified auditor’s report had remained substantially unchanged since the 1940s. Over the years, there had been much debate about the relevance of continuing to use the same standard report, particularly in the modern information age in which investors and other users demand better and faster information. Since 2011, the PCAOB has encouraged open discussion, comments, and feedback on various proposals for making the auditor’s report more relevant to the public. Finally, on June 1, 2017, the PCAOB adopted a new auditor reporting standard, AS 3101 The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion. The standard was approved by the SEC on October 23, 2017. The standard includes two significant changes to the existing auditor’s report. The first significant change is the communication of critical audit matters, or CAM, in the audit report. A CAM is any audit matter that was communicated to or required to be communicated to the audit committee. The rationale is that if a matter is being communicated to the audit committee, it must be important and should be made available to users of the financial statements. The standard states that a CAM “relates to accounts or disclosures that

are material to the financial statements and involves especially challenging, subjective, or complex auditor judgement” (AS 3101.11). For each CAM that is included in the auditor’s report, the auditor must identify the CAM, describe why the auditor considered the item a CAM and how it was addressed during the audit, and refer to the relevant accounts or disclosures that relate to the CAM. The second significant change is the inclusion of auditor tenure in the auditor’s report. After the signature of the firm at the conclusion of the report, there is a statement that says, “We have served as the Company’s auditor since [year]” (AS 3101 Appendix B). The firm includes the year in which it began serving consecutively as the company’s auditor. The PCAOB recognizes that including CAM in the auditor’s report is a significant change. Therefore, the requirement to include CAM will go into effect for fiscal years ending on or after June 30, 2019. The other changes to the auditor’s report, including the disclosure of auditor tenure, went into effect for fiscal years ending on or after December 15, 2017.4 The audit report for The Boeing Company in Illustration 1.7 reflects the new audit report and includes the statement about auditor tenure.

4 PCAOB Release No. 2017-001, The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion.

 Audit Report on Internal Controls over Financial Reporting   1-25

Before You Go On 6.1  Why do auditors provide reasonable assurance and not absolute assurance? 6.2 Explain the concept of materiality. How does the concept of materiality relate to reasonable assurance? 6.3  What are the meanings of the terms unqualified and unmodified in the context of an audit of financial statements?

Audit Report on Internal Controls over Financial Reporting Lea rning Objective 7 Explain the concept of reasonable assurance and the nature of an unqualified report on internal controls over financial reporting. Next, we will discuss the audit report for the audit of ICFR. Recall from earlier in the chapter that only certain public companies are required to have an audit on the effectiveness of ICFR. The SEC classifies public companies into three categories based on worldwide market value (in U.S. dollars) of outstanding voting and non-voting common equity: 1.  Large accelerated filer: $700 million or more. 2.  Accelerated filer: $75 million or more but less than $700 million. 3.  Non-accelerated filer: less than $75 million. Public companies categorized as non-accelerated filers are not required to have an audit of ICFR. Therefore, when we discuss the audit of ICFR for public companies, we are referring to public companies categorized as accelerated filers and large accelerated filers.

Reasonable Assurance and Internal Controls Section 404 of the SOX legislation requires that management accept responsibility for the design and maintenance of internal controls. It also requires that management issue a report each year asserting whether internal controls over financial reporting were effective. Further, management’s claims about the effectiveness of ICFR must be audited by the independent external auditor. The reason for requiring an audit of internal controls is because effective ICFR provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes (AS 2201.02). Here again we see the phrase reasonable assurance. If internal controls are effective, then it is more likely that the financial statements will be free of material misstatements and errors. Even though internal controls may be considered effective, it does not mean they will prevent all misstatements or errors from affecting the financial statements. There is still some risk that a material error could occur on the financial statements. Even an effective system of internal controls over financial reporting will only provide reasonable assurance, not absolute assurance, that financial statements are free from material misstatement. PCAOB Auditing Standard 2201 An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements states that auditors must conduct an integrated audit for public companies. This means auditors must plan and perform their work to achieve the objectives of both the financial statement audit and the audit of the effectiveness of ICFR simultaneously. For efficiency purposes, auditors will select audit procedures that allow them to gather evidence that is useful to both of the audits. Auditors are only

1-26  C h a pte r 1   Introduction and Overview of Audit and Assurance

required to obtain reasonable assurance about whether the company maintained effective ICFR for the period under audit. Auditors cannot provide absolute assurance about the effectiveness of internal controls for the same reasons they cannot provide absolute assurance on the fair presentation of the financial statements. The design and implementation of controls is somewhat subjective and there is not enough time for auditors to test the effectiveness of all of the entity’s internal controls. Using professional judgment, auditors select the most critical internal controls over financial reporting and test the effectiveness of those controls. This will be discussed further in Chapters 6 and 8.

The Auditor’s Report on Internal Control over Financial Reporting When auditors have determined they have gathered sufficient, appropriate evidence to form an opinion on the effectiveness of ICFR, then they are ready to issue the audit report. Similar to the financial statement audit report, AS 2201 requires a standard format of the audit report be used for all audits of effectiveness of ICFR. Illustration 1.9 provides an example of an audit report on the effectiveness of ICFR for a public company. If auditors have determined the company has maintained effective ICFR for the period under audit, then they issue the standard unqualified report. Take a moment to read over the report and you will see some similarities to the financial statement audit report for a public company. illustration 1.9   Example of an unqualified audit report on the effectiveness of ICFR for The Boeing Company, a public company

[1] REPORT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM [2] To the Shareholders and Board of Directors of The Boeing Company [3] Opinion on Internal Control over Financial Reporting We have audited the internal control over financial reporting of The Boeing Company and subsidiaries (the “Company”) as of December 31, 2017, based on criteria established in Internal Control – Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). In our opinion, the Company maintained, in all material respects, effective internal control over financial reporting as of December 31, 2017, based on criteria established in Internal Control – Integrated Framework (2013) issued by COSO. [4] We have also audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States) (PCAOB), the consolidated financial statements as of and for the year ended December 31, 2017, of the Company and our report dated February 12, 2018, expressed an unqualified opinion on those financial statements. [5] Basis for Opinion The Company’s management is responsible for maintaining effective internal control over financial reporting and for its assessment of the effectiveness of internal control over financial reporting, included in the accompanying Management’s Report on Internal Control Over Financial Reporting. Our responsibility is to express an opinion on the Company’s internal control over financial reporting based on our audit. We are a public accounting firm registered with the PCAOB and are required to be independent with respect to the Company in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB. [6] We conducted our audit in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects. Our audit included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, testing and evaluating the design and operating effectiveness of internal control based on the assessed risk, and performing such other procedures as we considered necessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion. [7] Definition and Limitations of Internal Control over Financial Reporting A company’s internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial

 Audit Report on Internal Controls over Financial Reporting   1-27 statements for external purposes in accordance with generally accepted accounting principles. A company’s internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements. Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate. [8] /s/Deloitte & Touche LLP Chicago, Illinois [9] February 12, 2018

The key components of the unqualified report in Illustration 1.9 are as follows: 1. Title—The term independent is also in the title of this report to emphasize the auditors are external to the company, unbiased, and therefore can provide an objective opinion. In addition, the term registered is required to indicate that the firm is registered with the PCAOB. 2. Address—The report is addressed to the shareholders and board of directors of the ­company. 3. Opinion paragraph—The first sentence explains that an audit of ICFR was conducted and references the COSO Internal Control—Integrated Framework as the criteria used as the basis for determining if ICFR are effective. The second sentence states the auditor’s opinion. 4. Paragraph referencing the financial statement audit—This paragraph is a reference to the financial statement audit report and states the type of opinion that was given on the financial statements. 5. Basis for opinion paragraph—This paragraph states the different responsibilities of management and auditors. Like the audit report on the financial statements, this paragraph references registration with the PCAOB and independence requirements of the SEC and other federal securities laws. 6. Scope paragraph—This paragraph explains that auditors conducted their audit in accordance with the standards of the PCAOB. In brief terms, it explains the process of conducting an audit of the effectiveness of ICFR. It mentions that auditors are only required to obtain reasonable assurance about whether the company maintained, in all material respects, effective ICFR. It concludes with a statement that the audit firm believes its audit provides a reasonable basis for its opinion. 7. Definition and inherent limitations paragraph—This paragraph provides a definition of ICFR that is taken directly from AS 2201. This is helpful for users of the financial statements in case they are not familiar with the concept of internal controls. Also note the use of reasonable assurance in the definition to clarify that an internal control system does not eliminate all risk associated with the preparation of financial statements. The final sentence cautions not to use the current-year opinion to assume that future internal controls will be effective. Circumstances may change in the future that could render controls ineffective if the controls are not modified appropriately. 8. Signature—The audit firm’s name and location are used as the signature.

1-28  C h a pte r 1   Introduction and Overview of Audit and Assurance

9. Date—The date represents the end of fieldwork, which is the conclusion of gathering and evaluating evidence for the audit. Since the audits are integrated, the date on both the financial statement audit report and the audit report on the effectiveness of ICFR will be the same. material weakness  a deficiency, or combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis

What happens if auditors conclude the company did not maintain effective ICFR over the period under audit? That would mean the auditors discovered a material weakness in the client’s ICFR. The PCAOB defines a material weakness as follows: A deficiency, or combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis. (AS 2201.A7) If one or more material weaknesses are discovered during the audit, then auditors issue an adverse opinion on the effectiveness of ICFR that explicitly states the company did not maintain effective ICFR during the period under audit. AS 2201 dictates how auditors would modify the audit report to express an adverse opinion. If auditors encounter a material limitation in the scope of their work, they may consider disclaiming an opinion. We will cover these modifications in greater detail in Chapter 15.

Before You Go On 7.1 Explain the concept of reasonable assurance as it applies to a system of internal controls and to the audit of the effectiveness of internal controls. 7.2 What is management’s responsibility for internal controls as stated in the audit report on the effectiveness of internal controls? 7.3 What date is used on the audit report on the effectiveness of internal controls, and what does the date represent?

The Audit Expectation Gap LEA RNING OBJE CTIVE 8 Discuss the audit expectation gap. The overall audit expectation gap occurs when there is a difference between the expectations of auditors and financial statement users. The gap occurs when user beliefs do not align with an auditor’s professional responsibilities. In particular, the gap is caused by unrealistic user expectations such as: •  The auditor is providing absolute assurance. •  The auditor is guaranteeing the future viability of the entity. •  An unmodified audit opinion is an indicator of complete accuracy of the financial statements. •  The auditor will definitely find any and all fraud. •  The auditor has checked all transactions. The reality is that: •  An auditor provides reasonable assurance. •  The audit does not guarantee the future viability of the entity. •  An unmodified opinion indicates the auditor believes there are no material misstatements in the financial statements.

 The Audit Expectation Gap  1-29

•  The auditor will assess the risk of fraud and conduct tests to try to uncover any fraud, but there is no guarantee the auditor will find all material fraud, should one have occurred. •  The auditor tests a sample of transactions. The overall audit expectation gap is graphically represented in Illustration 1.10. In this figure, note the performance gap, which is the difference between auditor performance and auditing standards and regulations. There is also an expectation gap, which is the difference between a financial statement user’s expectations and auditing standards and regulations. illustration 1.10   Audit expectation and performance gaps

Auditor Performance

Auditing Standards and Performance Gap Regulations

•  Auditor failure to follow firm policy, standards, and regulations

Financial Statement Expectation Gap User’s Expectations

Auditor performance impacted by: •  Auditing standards •  Ethical standards •  Regulations •  Legislation •  F irm policy and procedures

Financial statement user’s expectations impacted by: •  Audit firm reputation •  Audit firm independence •  Reader’s knowledge of auditing •  Economic conditions

The performance gap can be reduced by: •  Auditors performing their duties appropriately, complying with auditing standards, and meeting the minimum standards of performance that should be expected of all auditors. •  Inspections of audits to ensure that auditing standards have been correctly applied. •  Assurance providers reporting accurately the level of assurance being provided. The audit expectation gap can be reduced by: •  Auditing standards being reviewed and updated on a regular basis to enhance the work being done by auditors. •  Education of financial statement users as to the responsibilities of preparers and auditors of financial statements. As described in this chapter, financial statement users rely on audited financial statements to make a variety of decisions. Financial statement users demand access to reliable information to help ensure the stability of financial markets. The audit profession is dedicated to providing reliable assurance services in the interest of protecting the public trust.

Cloud 9 - Continuing Case Ron believes that Chip Masters would know what an audit can provide, and what it cannot, because Chip is an experienced vice president of a large international company. He deals with auditors on a regular basis. Ron thanks Ernie for his time. Ernie has helped him to understand that preparing more detailed financial statements and

engaging an auditor to perform a financial statement audit would not be as bad as he first thought. Ron now understands why Ernie thinks audits are valuable, and not just another business expense. If Chip Masters thinks that Ron’s financial statements are more credible with an audit, then it is likely he will be prepared to pay a higher price for Ron’s business.

Before You Go On 8.1 Define the audit expectation gap. Define the audit performance gap. 8.2 What has caused the audit expectation gap? 8.3 What can be done to reduce the audit expectation gap? What can be done to reduce the audit performance gap?

1-30  C h a pte r 1   Introduction and Overview of Audit and Assurance

Learning Objectives Review 1  Differentiate among assurance, attestation, and audit-

ing services. An assurance engagement involves an assurance provider arriving at an opinion about some information being provided by their client to a third party. Attestation and auditing services are types of assurance services. A financial statement audit involves an audit firm obtaining evidence to support an opinion about the fair presentation of the financial statements, in all material respects, in accordance with an applicable financial reporting framework. 2  Describe the different types of assurance services. Assurance services include financial statement audits, audits of effectiveness over internal control of financial reporting, compliance audits, operational/performance audits, and internal audits. 3  Explain the demand for audit and assurance services. Financial statement users include investors (shareholders), suppliers, customers, lenders, employees, governments, and the general public. These groups of users demand audited financial statements due to their remoteness from the entity, accounting complexity, competing incentives between them and the entity’s managers, and their need for reliable information on which to base decisions. 4  Discuss the different roles of the financial statement

preparer and the auditor. It is the responsibility of the company’s management to prepare the financial statements in accordance with the applicable financial reporting framework. Management is also responsible for the design, implementation, and maintenance of internal control over financial reporting and for providing the auditors with access to all documentation needed to complete the audit. It is the responsibility of the auditor to form an opinion on the fair presentation of the financial statements. In doing so the auditor must utilize professional skepticism and professional judgment in the planning and performance of the audit and must adhere to the appropriate auditing standards. 5  Identify the roles of different regulators and organizations that affect the audit profession. Regulators and organizations that impact the audit profession include the Securities and Exchange Commission (SEC), the Public Company

Accounting Oversight Board (PCAOB), the American Institute of Certified Public Accountants (AICPA), the Financial Accounting Standards Board (FASB), the Committee on Sponsoring Organizations of the Treadway Commission (COSO), and the National Association of State Boards of Accountancy (NASBA). Auditors must follow the PCAOB’s Auditing Standards (AS) when auditing public companies and follow the Auditing Standards Board’s Statements on Auditing Standards (SAS) when auditing private companies. 6  Explain the concepts of reasonable assurance, materiality, and the nature of an unqualified/unmodified report on the audit of financial statements. Auditors are only required to provide reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to error or fraud. In a private company audit, if auditors determine the financial statements are presented fairly in accordance with the applicable financial reporting framework, then auditors issue the standard unmodified audit report. In a public company audit, if auditors determine the financial statements are presented fairly in accordance with the applicable financial reporting framework, then they issue the standard unqualified audit report. 7  Explain the concept of reasonable assurance and the nature of an unqualified report on internal controls over financial reporting. An effective system of ICFR provides reasonable assurance the financial statements will be free of material misstatements. Only public companies are required to have an audit of the effectiveness of ICFR. In the audit of the effectiveness of ICFR, auditors provide reasonable assurance regarding whether or not there is a material weakness in ICFR for the period under audit. If auditors have determined the company has maintained effective ICFR, then they issue the standard unqualified audit report on ICFR. 8  Discuss the audit expectation gap. The difference between what assurance providers provide and what financial statement users expect consists of two components: (1) the expectation gap, which is the difference between a financial statement user’s expectations and professional standards and regulations, and (2) a performance gap, which occurs when assurance providers do not follow professional standards. The total gap occurs when user beliefs do not align with what an auditor has actually done.

Key Terms Review Assurance services Attestation services Audit risk Audit services Compliance audit

Integrated audit Internal audit Materiality Material weakness Operational (performance) audit

Professional judgment Professional skepticism Reasonable assurance Those charged with governance

  Multiple-Choice Questions  1-31

CPAexcel CPAexcel questions and other resources are available in WileyPLUS.

Multiple-Choice Questions 1. (LO 1)  Which of the following is not a characteristic of an assurance service? a.  T he engagement is conducted by an independent professional. b.  The service lends credibility to information. c.  The subject matter is limited to financial information. d.  T  he service is useful for decision makers. 2. (LO 2)  An assurance service that determines whether the entity has conformed with regulations, rules or processes is a (an): a.  compliance audit. b.  financial statement audit. c.  internal audit. d.  o  perational audit. 3. (LO 2)  Operational (performance) audits are useful because they: a.  include a comprehensive audit. b.  are concerned with the economy, efficiency, and effectiveness of an organization’s activities. c.  i nvolve gathering evidence to determine whether the entity under review has followed the rules, policies, procedures, laws, or regulations with which they must conform. d.  ensure companies pay appropriate taxes. 4. (LO 2)  The function of internal audit is determined by:

7. (LO 5)  Which of the following organizations issues auditing standards for the audits of public companies?  CAOB. a.  P b.  SEC. c.  ASB. d.  COSO. 8. (LO 5)  The role of COSO is to: a.  establish financial accounting and reporting standards. b.  establish auditing standards for private companies. c.  prepare and grade the CPA exam. d.  provide guidance in the area of internal control and risk management. 9. (LO 6)  Auditors can only provide reasonable assurance that the financial statements are presented fairly because: a.  sampling techniques are used to gather evidence. b.  some items in the financial statements are subjective. c.  an audit must be completed in a reasonable amount of time. d.  All of these answer choices are correct. 10. (LO 6)  What is the appropriate date for an audit report? a.  The date the auditors were hired. b.  The date of the balance sheet.

a.  the external auditor.

c.  The conclusion of the gathering of evidence for the audit.

b.  the IIA.

d.  The date required by regulators.

c.  those charged with governance and management. d.  the government. 5. (LO 3)  All of the following are reasons why users would demand an audit of financial statements except: a.  complexity. b.  remoteness. c.  cost. d.  r eliability. 6. (LO 4)  Management is responsible for which of the following? a.  Preparing financial statements in accordance with the appropriate auditing standards. b.  Designing, implementing, and maintaining internal control relevant to the preparation of the financial statements. c.  Using professional skepticism in the preparation of the financial statements. d.  Issuing an opinion on whether the financial statements are presented fairly in accordance with the appropriate financial reporting framework.

11. (LO 7)  Auditors of publicly traded companies are required to perform a(an) ________ for their clients. a.  compliance audit b.  integrated audit c.  internal audit d.  operational audit 12. (LO 8)  The audit expectation gap occurs when: a.  auditors perform their duties appropriately and satisfy users’ demands. b.  user beliefs do not align with what professional standards and regulations expect of auditors. c.  inspections of audits ensure that auditing standards have been applied correctly and the standards are at the level that satisfy users’ demands. d.  the public is well educated about auditing.

1-32  C h a pte r 1   Introduction and Overview of Audit and Assurance

Review Questions R1.1  (LO 1)  What does assurance mean in the financial reporting context? Who are the three parties relevant to an assurance engagement? R1.2  (LO 1)  An assurance engagement involves evaluation or measurement of subject matter against criteria. What criteria are used in a financial statement audit? R1.3  (LO 2)  Discuss some limitations of a financial statement audit. R1.4  (LO 2)  Who would request an operational (performance) audit? Why? R1.5  (LO 3)  Why would investors in a company demand an audit of financial statements? R1.6  (LO 4)  Compare and contrast the responsibilities of preparers and auditors regarding a financial statement audit.

R1.7  (LO 5)  Describe the relationship between the SEC and the PCAOB. R1.8  (LO 5)  Compare and contrast the functions of a state board of accountancy and of NASBA. R1.9  (LO 5)  Briefly describe the principles underlying an audit conducted in accordance with GAAS that are issued by the ASB. R1.10  (LO 6)  Discuss the similarities and differences in the auditor’s reports for a public company client and a private company client. R1.11  (LO 7)  List and briefly describe the components of the auditor’s report on internal controls over financial reporting for a public company. R1.12  (LO 8)  Debate the audit expectation gap. Why do you think professional auditing standard do not give users what they want? Why do you think auditors sometimes do not meet professional standards?

Analysis Problems AP1.1  (LO 1, 2)  Basic   Research   Types of assurance engagements  A friend knows that you are studying auditing and asks you what the difference is between internal and external auditing.

Required Using what you learned in this chapter and from information from the AICPA website (www.aicpa.org) and the IIA website (www.theiia.org), compare and contrast the duties and characteristics of internal and external auditors. AP1.2  (LO 3)  Challenging   Demand for assurance  In 2002, the audit firm Arthur Andersen collapsed following charges brought against it in the United States relating to the failure of its client, Enron. Some other clients announced they would be dismissing Arthur Andersen as their auditor even before it was clear that Arthur Andersen would not survive.

Required Using the discussion in this chapter on the demand for audits, explain some reasons why these clients took this action. AP1.3  (LO 3, 4)  Moderate   Big 4 versus non-Big 4 assurance providers  Most audit firms maintain a website that explains the services offered by the firm and provides resources to their clients and other interested parties. The services offered by most firms include both audit and non-audit services.

Required Find the websites for a Big 4 audit firm and a mid-tier audit firm. Compare them on the following: a. The range of services provided. b. Geographic coverage (i.e., where their offices are located). c. Staff numbers and special skills offered. d. Industries in which they claim specialization. e. Publications and other materials provided to their clients or the general public. f. Marketing message. AP1.4  (LO 3, 4)  Challenging   Big 4 versus non-Big 4 assurance providers  Economic changes can affect how clients select their assurance providers.

Required a. In times of economic recession, would you expect the demand for audits to increase or decrease? b. Would you expect clients to shift from large (Big 4) auditors to mid-tier auditors, or from mid-tier auditors to Big 4 auditors in times of economic recession? Why or why not?

 Analysis Problems  1-33 AP1.5  (LO 5)  Basic   Research   Requirements to become a CPA  Each state has the power to determine the education and experience requirements to be a licensed CPA in that state. The power is delegated to the state board of accountancy in each state.

Required Visit the state board of accountancy website for the state in which you are attending college. What are the education and experience requirements? If you intend to begin your career in another state, also research the education and experience requirements for that state. What are the similarities and differences between the two states? AP1.6  (LO 5)  Basic   Research   Accounting firm registration  Since the creation of the PCAOB in 2003, accounting firms that wish to audit public companies must be registered with the PCAOB. Visit the PCAOB’s website (www.pcaobus.org) and browse the information.

Required Explain what is required for an accounting firm to be registered with the PCAOB. AP1.7  (LO 6, 7)  Basic   Audit reports  Auditor’s reports for The Boeing Company are provided in Illustrations 1.7 and 1.9 in this chapter. Both reports are signed by Deloitte & Touche LLP. Deloitte & Touche also audits Starbucks Corporation. Visit the Starbucks investor relations website to access the most recent annual report and 10-K. Find the auditor’s reports on the financial statements and the effectiveness of ICFR.

Required a. Compare the audit reports of The Boeing Company and Starbucks. What type of opinion did Starbucks receive on its financial statements and on the effectiveness of ICFR? b. What are the advantages of having a standard report format for all clients? AP1.8  (LO 4, 6, 8)  Moderate   Being an auditor  You have recently graduated from your university and started work with an accounting firm. You meet an old school friend, Kim, for dinner—you haven’t seen each other for several years. Kim is surprised that you are now working as an auditor because your childhood dream was to be a ballet dancer. Unfortunately, your knees were damaged in a fall and you can no longer dance. The conversation turns to your work and Kim wants to know how you do your job. Kim cannot understand why an audit is not a guarantee the company will succeed. Kim also thinks that company managers will lie to you to protect themselves, and as an auditor you would have to assume that you cannot believe anything a company manager says to you.

Required Compose a letter to Kim explaining the concept of reasonable assurance, and how reasonable assurance is determined. Explain why an auditor cannot offer absolute assurance. Describe the concept of professional skepticism and how it is not the same as assuming that managers are always trying to deceive auditors. Explain to Kim why her perceptions are a perfect example of the expectations gap. AP1.9  (LO 2, 4, 6, 7, 8)  Challenging   Limitations of an audit  You are an intern at a Big 4 accounting firm and have just finished your internship training. You feel a little overwhelmed with all of the information from the training session, and you are wondering if you are qualified to perform work that is of high-enough quality to meet the firm’s and the profession’s standards. What if you miss something or forget to do something? What if it takes you too long to complete your tasks? What if you spend time on something that is trivial and miss something that is important? You decide to review your notes from the training session and from your undergraduate audit course.

Required a. Discuss the limitations of an audit. b. Refer to the audit reports in Illustrations 1.6, 1.7, and 1.9. What are some key terms and phrases included in the reports that address these limitations? AP1.10  (LO 6)  Challenging   Research   Audit reports  On an international level, other countries have also discussed and implemented expanding the audit report to include more detail from auditors about critical audit matters (CAM). The United Kingdom (UK) has already moved to using an expanded

1-34  C h a pte r 1   Introduction and Overview of Audit and Assurance audit report. An example of the new audit report format can be found in the annual report of GlaxoSmithKline plc (GSK). Visit GSK’s investor website and download the most recent annual report. Find the auditor’s report in the Financial Statements section of the annual report.

Required a. Who are the auditors for GSK? b. What are some differences in the U.K. auditor’s report model compared with the current U.S. auditor’s report model for public companies? c. Which report model do you prefer and why? Would your answer change based on the type of user you are (lender, customer, investor)? Would your answer change if you were the preparer or auditor of the financial statements?

Cloud 9 - Continuing Case Ron McLellan established his business, McLellan’s Shoes, in 1985. Since then, he has run his business as a sole proprietor. Ron keeps records and his wife helps him prepare basic accounting records. As McLellan’s Shoes has no outside owners, Ron has never seen the need to have his accounts audited. When Chip Masters from Cloud 9 Inc. expressed an interest in buying McLellan’s Shoes in 2020, Ron was asked to provide audited financial statements. Ron discussed his concerns about having an audit with his friend Ernie Black. Ernie is concerned that Ron may forget their conversations and has asked you to prepare a summary of the issues listed below for Ron.

Required a. What are the main differences between a financial statement audit, a compliance audit, and an operational audit? b. What is the difference between reasonable assurance and absolute assurance? c. Why would Chip ask that Ron have the financial statements for McLellan’s Shoes audited rather than reviewed? d. What factors should Ron consider when selecting an accounting firm to complete the McLellan’s Shoes audit?

Chapter 2 Professionalism and Professional Responsibilities The Audit Process Overview of Audit and Assurance (Chapter 1) Professionalism and Professional Responsibilities (Chapter 2) Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4) Identify Significant Accounts and Transactions Make Preliminary Risk Assessments

Set Planning Materiality

Gaining an Understanding of the System of Internal Control (Chapter 6)

Audit Evidence (Chapter 5)

Develop Responses to Risk and an Audit Strategy

Performing Tests of Controls (Chapter 8)

Performing Substantive Procedures (Chapter 9) Audit Sampling for Substantive Tests (Chapter 10)

Auditing the Revenue Process (Chapter 11)

Auditing the Purchasing and Payroll Processes (Chapter 12)

Audit Data Analytics (Chapter 7)

Gaining an Understanding of the Client

Auditing the Balance Sheet and Related Income Accounts (Chapter 13)

Completing and Reporting on the Audit (Chapters 14 and 15) Procedures Performed Near the End of the Audit

Drawing Audit Conclusions

Reporting

2-1

2-2  Ch a pte r 2  Professionalism and Professional Responsibilities

Learning Objectives LO1  Explain what it means to be a professional and how these traits apply to auditors.

LO6  Evaluate the ethical behavior needed to comply with rules of conduct on general standards.

LO2  Explain the structure of the AICPA Code of Professional Conduct.

LO7  Evaluate the ethical behavior needed to comply with other rules of conduct for members in public practice.

LO3  Apply the conceptual framework approach to ethical decision making for members in public practice. LO4  Evaluate the ethical behavior needed to comply with rules of conduct on integrity and objectivity. LO5  Evaluate the ethical behavior needed to comply with rules of conduct on independence.

LO8  Evaluate an auditor’s legal liability under common law. LO9  Evaluate an auditor’s legal liability under statutory law.

Auditing and Assurance Standards pcaob Eth ics And Inde pendenc e R ules

AICPA Ethica l Sta ndards

3501  Definitions of Terms Employed in Section 3, Part 5 of the Rules

AICPA  Code of Professional Conduct

3502 Responsibility to Not Knowingly or Recklessly Contribute to Violations 3520 Auditor Independence 3521  Contingent Fees 3522 Tax Transactions 3523 Tax Services for Persons in Financial Reporting Oversight Roles 3524 Audit Committee Pre-approval of Certain Tax Services 3525 Audit Committee Pre-approval of Non-audit Services Related to Internal Control over Financial Reporting 3526  Communication with Audit Committees Concerning Independence

Cloud 9 - Continuing Case Ron McLellan came to an arrangement with Chip Masters and sold McLellan’s Shoes to Cloud 9 Inc. (Cloud 9) in 2021. As part of the sale agreement, Ron McLellan was appointed to the Cloud 9 board of directors.

The accounting firm W&S Partners is bidding for the January 31, 2023, audit of Cloud  9. The partner responsible for writing the proposal, Jo Wadley, asks Sharon Gallagher and Josh Thomas to assist. Sharon will be the audit manager if the proposal

 Professionalism and Accounting  2-3

is successful. Her task is to help write the proposal documents and win the job for the firm. However, even more importantly, she must make sure that there are no surprises for the audit team once they win the audit. Sharon knows how crucial this is. She still has nightmares about an audit she worked on when she was a new graduate at another audit firm. The client in that case threatened to dismiss the auditor when the auditor wanted him to recognize an impairment loss on some assets. The client was the firm’s largest account, and the partner was under a lot of pressure to keep the client.

Josh is an audit senior. He has not been involved in the proposal process before and needs the experience so he can be promoted to audit manager. Sharon and Josh do not know anything about Cloud 9 except that it manufactures and retails customized basketball and other sports shoes, and it is a publicly listed U.S. company. Sharon stresses to Josh that they want to know that the client is not going to be difficult to deal with and that W&S Partners can do a good job on the audit. Josh asks how they can know that now, before they start the audit.

Chapter Preview: Audit Process in Focus The purpose of this chapter is to provide an overview of professionalism and the professional responsibilities of a certified public accountant and auditor. We begin this chapter with a discussion of what it means to be a professional. The term professional is often used in a number of contexts. This introductory section discusses the various uses of the term and focuses on the relevance of the term for certified public accountants (CPAs) and auditors. A code of professional ethics is a critical part of any profession’s commitment to serve the public interest. A significant portion of this chapter focuses on the Code of Professional Conduct of the American Institute of Certified Public Accountants (AICPA). This section begins with a discussion of the organization of the AICPA Code of Professional Conduct, followed by a discussion of how to use the Code’s conceptual framework for ethical decision making. It then explores the Code’s rules related to (1) integrity and objectivity, (2) independence, (3) general standards, and (4) other rules of conduct for members in public practice. Since you are studying to be an accountant or a CPA, you should develop the ability to evaluate various situations and to appropriately apply the rules of conduct as circumstances dictate. An overview of the auditor’s legal responsibilities and liability is discussed next. An auditor’s legal responsibilities fall into two broad categories. The first is an auditor’s responsibilities under common law. Common law is a general law, such as law related to contracts, and it is derived from principles based on justice, reason, and common sense rather than absolute, fixed, or inflexible rules. The principles of common law are determined by the social needs of the community or the state. Second, the chapter discusses the auditor’s responsibilities under securities law. Securities laws have been written to address the auditor’s responsibilities related to the new issue of a security, or related to the trading of securities on various exchanges. All auditors should understand their legal obligations to clients and the third-party investors who rely on their reports.

Professionalism and Accounting LEAR NING OBJECTI VE 1 Explain what it means to be a professional and how these traits apply to auditors. Is public accounting a recognized profession? If so, what does it mean to be part of a recognized profession? What rights come with being part of a recognized profession? Further, what responsibilities come with being part of a recognized profession? Is being a professional about expertise and about quality of work in a chosen occupation, or is it something more? These are important questions, and the answers are often misunderstood by many. These issues were covered well by Robert K. Mautz in a 1988 editorial in Accounting Horizons,1 and his views are summarized below. 1 Robert K. Mautz, “Public Accounting: What Kind of Professionalism?” Accounting Horizons 2, no. 3/4 (1998), pp. 121–125.

2-4  Ch a pte r 2  Professionalism and Professional Responsibilities

One way that professionals are commonly defined is by level of expertise. Professional athletes are often referred to as “pros” because of their skill and level of expertise. The same term may be used related to virtually any occupation as a way of recognizing an individual’s high level of skill. In the competitive world, the high level of skill is usually well rewarded, and the public often measures success of competitors in monetary terms. Robert Mautz refers to this definition of a professional as an expert competitor (EC professional). In the context of an EC professional, the profession is usually defined by the line of work or occupation (e.g., football, basketball, coaching, or consulting). Another way to define a professional, or a profession, relates to a profession’s responsibility and concern for the public interest. Such professions include medicine, architecture, and public accounting. Robert Mautz refers to this definition of a professional by its concern for the public interest (CPI professional). CPI professions are often recognized by a specialized body of knowledge, a formal education process, standards governing admission to the profession, a code of ethics, recognized status indicated by a license, a public interest in the work that practitioners perform, and the recognition by practitioners of an obligation to society. The cornerstone of the public accounting profession is recognized in the public interest in the work done by CPAs. State governments (through state boards of accountancy) grant a CPA license to individuals who complete the required education, pass a professional examination (the CPA exam), and complete an experience requirement. Upon obtaining a CPA license, a CPA has the unique right to sign an audit or attest report, and to sign tax returns as a tax preparer (a right that is also granted to licensed tax preparers). Upon becoming licensed as a CPA, individuals also agree to accept the responsibility to follow professional standards (e.g., accounting and auditing standards) and a code of professional conduct (usually written into state rules or law). CPAs also have an obligation to keep their education current by taking continuing professional education. This chapter will cover the AICPA Code of Professional Conduct that is recognized by many state boards of accountancy. Chapter 1 summarized the demand for auditing and the need for auditors to be independent of management when serving the public interest by reporting on financial statements. The accounting profession has also seen firsthand the consequences of not fully meeting the demand from the public of providing reasonable assurance that financial statements are free of material misstatement. During the late 1990s and the first few years of the twenty-first century, auditors failed to find many material misstatements on a timely basis, and many times management had to restate earnings due to material misstatements. The public was not satisfied with the quality of audits of public companies. The result was the Sarbanes-Oxley Act of 2002 (SOX) and the creation of the PCAOB to provide oversight of the auditors of public companies. However, the events that led to additional regulation of the accounting profession need some perspective. When there were significant restatements of earnings, about 8% of all public companies had to restate their earnings. Eight percent was sufficient to shake the confidence of the securities markets in reported financial statements. For all that the accounting profession did right, the view was that the profession needed to do better. That said, it is important to understand that many CPAs who work as chief financial officers put fair presentation of the financial statements, and their obligation to society, ahead of their obligation to their employers. Further, many CPAs in public practice think about their responsibility to the public first and their responsibility to their clients second; they expect their own well-being will work out if they take these other responsibilities seriously.

Professional Environment The Ethics of WorldCom: Misplaced Motives, Weaknesses, and Heroism

In July 2002, WorldCom announced that it had understated expenses by over $3.8 billion (the number eventually was adjusted to over $11 billion) and the company filed for bankruptcy. This was one of the largest accounting frauds in U.S. history and the size of the accounting fraud and bankruptcy at WorldCom shook investor confidence already weakened by the prior restatement of financial statements by companies like Enron, Waste Management, and

Sunbeam. The misstatement at WorldCom propelled Congress to pass SOX. WorldCom was led by CEO Bernie Ebbers, who was focused on delivering growth through acquisitions. The acquisition strategy reached new heights when WorldCom acquired MCI Communications in 1998. Continued growth through merger demanded increasing stock prices. In 2000,

 The Structure of the AICPA Code of Professional Conduct  2-5 the company’s stock experienced a decline and, in an effort to bolster stock prices, Scott Sullivan, WorldCom CFO, asked accountants in the corporate headquarters to begin a scheme of booking quarter-end journal entries that resulted in capitalizing costs that should have been expensed. After being fired in 2002, Scott Sullivan was indicted by the Justice Department. He subsequently pleaded guilty to fraud and acknowledged that he willingly deceived investors. He also testified against CEO Bernie Ebbers and stated that Ebbers was fully aware of the accounting fraud. Scott Sullivan was sentenced to 5 years in prison and Bernie Ebbers was sentenced to, and is serving, 25 years in prison. Some of the accountants at WorldCom who participated in the fraud included Buford Yates, Jr., Betty Vinson, and Troy Normand. Mr. Normand was a CPA who worked at WorldCom from 1997 to 2002. While he questioned CFO Scott Sullivan about the journal entries that he was asked to write, during testimony Mr. Normand was asked if he ever conducted any analysis to determine whether the accounting was accurate. He answered that he did not perform any such analysis and that he never obtained any accounting justification for the entries he was asked to make. In short, Troy Norman, Betty Vinson, and Buford Yates, Jr., did not find a way to stand up to Scott Sullivan and investigate the proper accounting treatment. Rather, they subordinated their judgment to the judgment of others (mainly Scott Sullivan). However, there were those at WorldCom who did not subordinate their professional judgment. The public learned about WorldCom’s financial fraud through the hard work of several “auditing heroes” led by Cynthia Cooper, then aged 38 and WorldCom’s vice president for internal auditing, who took her public interest responsibilities seriously. What did Cynthia Cooper and her staff of internal auditors do to uncover the financial fraud? The internal audit team:

•  Followed up on an email from a local newspaper article about a former employee in WorldCom’s Texas office who had been fired after he raised questions about a minor accounting matter involving capital expenditures. •  Recognized that $2 billion in capital expenditures had not been authorized as part of the capital budget process. •  Did not settle for glib answers from the director of financial planning who described the $2 billion in capital expenditures as “prepaid capacity” but could not explain the nature of “prepaid capacity.” •  Uncovered over $500 million in capitalized computer costs that were not supported by vendor’s invoices. •  Demonstrated their independence by continuing to investigate the capitalization of line costs (fees paid to lease portions of other companies’ telephone networks) even when instructed by CFO Scott Sullivan to delay this particular internal audit until the third quarter. The issue came to a head when Cynthia Cooper and her audit team brought evidence of the improper capitalization of expense to the chairman of WorldCom’s audit committee. The audit committee instructed the internal auditors to work with WorldCom’s new external auditor, KPMG. Within a week, the internal and external auditors compiled evidence of financial fraud for the audit committee and the external auditors concluded that the accounting treatment was not in accordance with generally accepted accounting principles. CFO Scott Sullivan was given the opportunity to make his case to the audit committee, but the committee members were not persuaded. The next day, the audit committee and the board of directors made public the $3.8 billion restatement of earnings due to the fact that costs had been capitalized that should have been expensed. The audit committee and board of directors also fired Scott Sullivan.

Before You Go On 1.1  Do EC professionals exist in public accounting firms? Explain. 1.2  Explain the concept of the CPI professional and how it applies to auditors. 1.3  Would you call a plumber an EC professional or a CPI professional? Explain your reasoning.

The Structure of the AICPA Code of Professional Conduct LEAR NING OBJECTI VE 2 Explain the structure of the AICPA Code of Professional Conduct. Professional ethics represent a commitment by a profession to abide by ethical principles and rules of conduct. A commitment to ethical behavior is a key element that separates recognized professions from other occupations. A code of ethics usually represents standards of behavior that are both idealistic and practical in purposes. Although codes of ethics may be designed

2-6  Ch a pte r 2  Professionalism and Professional Responsibilities

in part to encourage ideal behavior, they must also be both practical and enforceable. To be meaningful they must strike a balance of being above the law but below the ideal. The adherence of professionals to a code of ethics significantly affects the reputation of the profession and the confidence in which it is held. The AICPA Code of Professional Conduct (the Code) provides guidance to all members of the AICPA with respect to performance of their professional responsibilities. The AICPA is an organization (discussed in Chapter 1) that represents the accounting profession, and membership is voluntary. However, CPAs must be licensed by state boards of accountancy. The state boards of accountancy and the AICPA work together on many professional issues. Further, many state boards of accountancy have incorporated the AICPA Code of Professional Conduct in state rules so that it applies to all CPAs in the state. The Code consists of principles, rules, interpretations, and other guidance for AICPA members. Each of these components is described below. principles  express the basic tenets of ethical conduct and provide the framework for the rules that govern the performance of the member’s professional responsibilities rules of conduct  establish minimum standards of acceptable conduct in the performance of professional services interpretations  provide additional guidance regarding the scope and applicability of the rules of conduct

ILLUSTRATION 2.1   Structure of the AICPA Code of Professional Conduct

•  Principles express the basic tenets of ethical conduct and provide the framework for the rules that govern the performance of a member’s professional responsibilities. The principles are not enforceable. •  Rules of conduct establish minimum standards of acceptable conduct in the performance of professional services. The AICPA bylaws require that members adhere to the rules of the code. The rules of conduct are enforceable and members must be prepared to justify departures from the rules of conduct. •  Interpretations provide additional guidance regarding the scope and applicability of the rules of conduct. A member who departs from the interpretations shall have the burden of justifying such departure in any disciplinary hearing. The AICPA Code of Professional Conduct can be found online at the AICPA website (www.aicpa.org). The Code is searchable using key words. There are also a series of hyperlinks within the Code that make it easy to find related topics. The Code can also be downloaded in PDF format. The Code is organized in four major sections as presented in Illustration 2.1: (1) a preface applicable to all AICPA members; (2) Part 1, which includes ethical rules for members

Preface: Applicable to All Members   .100  Overview of the Code of Professional Conduct   .200  Structure and Application of the Code of Professional Conduct   .300  Principles of the Code of Professional Conduct   .400  Definitions   .500  Nonauthoritative Guidance   .600  New, Revised and Pending Interpretations and Other Guidance   .700  Deleted Interpretations and Other Guidance Part 1: Members in Public Practice 1.000  Introduction and Conceptual Framework for Members in Public Practice 1.100  Integrity and Objectivity 1.200  Independence 1.300  General Standards 1.310  Compliance with Standards 1.320  Accounting Principles 1.400  Act Discreditable 1.500  Fee and Other Types of Remuneration 1.600  Advertising and Other Forms of Solicitation 1.700  Confidential Information 1.800  Form of Organization and Name

  Conceptual Framework for Members in Public Practice   2-7 Part 2: Members in Business 2.000  Introduction and Conceptual Framework for Members in Business 2.100  Integrity and Objectivity 2.310  Compliance with Standards 2.320  Accounting Principles 2.400  Act Discreditable Part 3: Other Members 3.000  Introduction 3.400  Act Discreditable

in public practice (usually CPAs in CPA firms); (3) Part 2, which includes ethical rules for members in business (such as a CFO, a controller, or an accountant working in industry or government); and (4) Part 3, which includes ethical rules for other members (e.g., non-CPA members of the AICPA). If an individual has a good understanding of this structure, it is easier to search and determine appropriate solutions to ethical dilemmas. The remainder of the discussion of the Code will focus on explaining the Conceptual Framework for Members in Public Practice as well as some key rules that are relevant to members in public practice.

Before You Go On 2.1  What is the purpose of the AICPA ethical principles? Explain their enforceability. 2.2  What is the purpose of the AICPA ethical rules? Explain their enforceability. 2.3  What is the purpose of the AICPA ethical interpretations? Explain their enforceability.

Conceptual Framework for Members in Public Practice lear ning objecti ve 3 Apply the conceptual framework approach to ethical decision making for members in public practice. The rules in the AICPA Code of Professional Conduct and related interpretations seek to address many situations for members in public practice. However, the rules and interpretations cannot address every possible relationship or circumstance that might arise. Thus, in the absence of a rule or an interpretation, a CPA should use the conceptual framework to evaluate what to do. The Code and the conceptual framework relate to all work performed by CPAs in public practice, audit engagements, tax engagements, accounting services performed for clients, or consulting engagements. Ultimately, a CPA should evaluate whether a relationship or circumstance would lead a reasonable and informed third party, who is aware of the relevant information, to conclude there is a threat to the CPA’s compliance with the rules and the threat is not capable of being reduced to an acceptable level.

ILLUSTRATION 2.1   (continued)

2-8  Ch a pte r 2  Professionalism and Professional Responsibilities

In situations where there is not a specific rule or interpretation that relates to a relationship or circumstance, the CPA should follow the steps outlined in Illustration 2.2. The following discussion explains each of these steps. ILLUSTRATION 2.2   Conceptual framework flowchart

Step 1

Identify Threats

Threats Identified

Step 2

Evaluate Significance of Threats

Threats Significant

Step 3

Identify and Apply Safeguards

Step 4

Evaluate the Effectiveness of Safeguards No Threats Identified

Threats Not Significant

Are Threats at an Acceptable Level?

NO

STOP

Decline or Terminate Engagement

YES

Proceed with Engagement

Step 5

Document Threats and Safeguards Applied

Step 1: Identify threats. CPAs interact with clients in a number of circumstances. CPAs need to be alert to a possible relationship or situation that might cause a threat to their compliance with ethical rules. Following is a discussion of seven common threats that CPAs in public practice should be alert to, irrespective of the services the CPA is engaged to perform: adverse interest threat  the threat that a CPA will not act with objectivity because the CPA’s interests are opposed to the client’s interests advocacy threat  the threat that a CPA will promote a client’s interests or position to the point that his or her objectivity or independence is compromised

•  Adverse interest threat. An adverse interest threat is the threat that a CPA will not act with objectivity because the CPA’s interests are opposed to the client’s interests. For example, an adverse interest threat exists if a client has expressed an intention to begin litigation against the CPA regarding the quality of tax work previously performed. •  A  dvocacy threat. An advocacy threat is the threat that a CPA will promote a client’s interests or position to the point that his or her objectivity or independence is compromised. For example, an advocacy threat exists if the CPA provides expert witness services to a client in litigation or dispute with a customer regarding a licensing arrangement. Once the CPA is advocating for a client, the CPA is no longer objective. An advocacy threat would also exist if a firm acts as an investment adviser to an officer or director of a client.

familiarity threat  the threat that, due to a long or close relationship with a client, a CPA will become too sympathetic to the client’s interests or too accepting of the client’s work or product

•  Familiarity threat. A familiarity threat is the threat that, due to a long or close relationship with a client, a CPA will become too sympathetic to the client’s interests or too accepting of the client’s work or product. For example, a familiarity threat would exist if a CPA’s immediate family member were employed by the client in a key position (such as the CFO). A familiarity threat would also exist if a former partner or professional employee of an audit firm joined the client as its CFO and had knowledge of the firms’ policies and practices for the audit engagement.

management participation threat  the threat that a CPA will take on the role of client management or otherwise assume management responsibilities

•  Management participation threat. A management participation threat is the threat that a CPA will take on the role of client management or otherwise assume management responsibilities. For example, a CPA may have a small business client, and the owner asks the CPA’s firm to do various bookkeeping services for the client. Providing bookkeeping services may cause the CPA to make various management decisions, which

  Conceptual Framework for Members in Public Practice   2-9

is a threat to the firm’s objectivity and independence. This may also put an accounting firm in a position of auditing its own work. •  Self-interest threat. A self-interest threat is the threat that a CPA could benefit, financially or otherwise, from an interest in, or relationship with, a client or persons associated with the client. For example, a self-interest threat exists when a CPA has a financial interest in the client, or a CPA’s spouse enters into employment negotiations for a key position with a client. A self-interest threat also exists if a firm has an excessive reliance on the revenues from a single client.

self-interest threat  the threat that a CPA could benefit, financially or otherwise, from an interest in, or a relationship with, a client or persons associated with the client

•  Self-review threat. A self-review threat is the threat that a CPA will not appropriately evaluate the results of a previous judgment made by, or service performed by, an individual in the CPA’s firm, and that the CPA will rely on that work in forming a judgment as part of an engagement. For example, a self-review threat exists if a CPA performs bookkeeping services for a private company client and that work needs to be evaluated by the same firm in the course of an attest engagement. (Attest engagements are explained in Chapter 1.)

self-review threat  the threat that a CPA will not appropriately evaluate the results of a previous judgment made by, or service performed by, an individual in the member’s firm, and that the CPA will rely on that work in forming a judgment as part of an engagement

•  U  ndue influence threat. An undue influence threat is the threat that a CPA will subordinate his or her judgment to an individual associated with a client or any relevant third party due to that individual’s reputation or expertise, aggressive or dominant personality, or attempts to coerce or exercise excessive influence over the CPA. For example, an undue influence threat exists if a client threatens to dismiss a firm from the current engagement, or if the client indicates that it will not award additional engagements, if the firm continues to disagree with the client on an accounting or tax matter. Step 2: Evaluate the significance of threats. If a CPA has identified a threat resulting from a relationship or circumstance, he or she should evaluate the significance of the threat. CPAs should evaluate identified threats both individually and in aggregate. The standard a CPA should use to determine if the threat is at an acceptable level is whether a reasonable and informed third party, who is aware of the relationship or circumstance, would conclude that a CPA is in compliance with the rules of the Code. If a CPA concludes the threat is not at an acceptable level, the CPA should proceed to Step 3, identify and apply safeguards.

undue influence threat  the threat that a CPA will subordinate his or her judgment to an individual associated with a client or any relevant third party due to that individual’s reputation or expertise, aggressive or dominant personality, or attempts to coerce or exercise excessive influence over the CPA

Cloud 9 - Continuing Case Familiarity is usually a greater issue for existing clients than for new clients, such as Cloud 9 for W&S Partners. However, there could be personal familiarity issues in any audit engagement. Josh is worried about asking the partners and management of the firm to declare their relationships with the management of Cloud 9.

He thinks they might regard that question as impertinent. Sharon tells Josh that she knows that the partners and managers at W&S Partners are very committed to ethical behavior. If they were not to ask this question as part of the process of accepting the new client, Sharon and Josh would be disciplined for poor performance.

Step 3: Identify and apply safeguards. There are three basic types of safeguards. The first is safeguards created by the profession (e.g., the safeguards suggested in the rules of the Code), legislation, or regulation. A CPA should be familiar with both the Code and regulatory rules that might apply. Safeguards are often suggested in these rules to guide a CPA. Second are safeguards implemented by a client. For example, a board of directors might take steps to remove a familiarity threat by reassigning a key person. However, it is not possible for an accounting firm to rely solely on safeguards implemented by the client to eliminate or reduce significant threats to an acceptable level. Finally, an accounting firm can implement safeguards within the firm. In a large accounting firm, safeguards might involve rotating someone off the engagement, or conducting an independent review of the work by another CPA. In a small accounting firm, appropriate safeguards might include the involvement of another firm. Step 4: Evaluate the effectiveness of safeguards. If a CPA concludes that threats are at an acceptable level after applying the identified safeguards, then the CPA may proceed with the professional service. However, if there are no safeguards that would eliminate the threat or reduce it to an acceptable level, or the CPA is unable to implement effective safeguards, the CPA should decline or terminate the engagement.

2-10  C h a pte r 2  Professionalism and Professional Responsibilities

Step 5: Document threats and safeguards applied. When safeguards are applied to reduce a threat to an acceptable level, best practice calls for the CPA to document the identified threats, the safeguards applied, and the CPA’s evaluation of the effectiveness of the safeguards. Consider the following example. An accounting firm is attempting to grow its audit practice and make inroads in several industries where it wants to increase its concentration of practice. In the process, it obtains a new audit client by submitting a bid for the audit below the expected cost to the firm to perform the audit. In the long run, the firm hopes to gain other clients at increased fees, and over time increase the fee for work with the new audit client. In Step 1, the CPA understands there is a self-interest threat to exercising due professional care when performing the audit. The firm understands there may be an incentive to cut corners when doing audit work in order to make a profit in performing the engagement. In Step 2, the CPA determines the threat is significant and the firm should put a safeguard in place to ensure the firm uses due professional care and follows auditing standards when performing the engagement. In Step 3, the CPA discusses the low bid with the audit team during audit planning, sets an expectation of following professional standards, and confirms that the team’s budget for the engagement will not be influenced by the low fee. In addition, the firm decides to have the work reviewed by a second audit partner to ensure compliance with firm policy and professional standards. (Note: a sole practitioner might engage another auditor to review the sole practitioner’s work.) In Step 4, the CPA determines that setting an appropriate tone at the top regarding compliance with professional standards, and the second partner review, is sufficient to mitigate the self-interest threat, and the CPA accepts the engagement. Finally, in Step 5, the CPA writes a memo to the audit engagement file explaining the threat identified, safeguards applied, and the CPA’s reasoning that the safeguards are sufficient to counter balance the self-interest threat.

Ethics Reasoning Example  A Familiarity Threat Maria is a partner in a medium-sized CPA practice, and she and her firm are bidding on a consulting engagement with Western Construction Company. Before Maria and her firm are able to make the proposal to Western Construction, Maria’s husband, Robert, comes home to share good news. Robert has just been offered his dream job as CFO of Western Construction. Maria is happy for her husband, but now she must consider the ethics of bidding on the consulting engagement. Upon searching the AICPA Code of Professional Conduct, Maria does not find a specific rule or ethics interpretation that addresses this circumstance so she applies the conceptual framework. Maria approaches her partners with the problem and the following proposed solution. Maria identifies that if her husband accepts the job, a familiarity threat is present as Maria could be viewed as too sympathetic to Western Construction’s interests. She suggests the CPA firm should disclose the conflict of interest to Western Construction and the firm replace Maria on the consulting engagement during the interview process. She would remain off the consulting engagement if her husband accepts the job. This allows the CPA firm to maintain an appropriate level of integrity and objectivity. Source: Based on the AICPA Conceptual Framework Toolkit for Members in Public Practice (2015).

The next sections address the ethical rules for members in public practice (see Illustration 2.3).

ILLUSTRATION 2.3   Ethical rules for members in public practice

Rules for Members in Public Practice

Integrity and Objectivity

Independence

General Standards

Other Rules for Members in Public Practice

  Integrity and Objectivity  2-11

Before You Go On 3.1  Explain each of the seven threats to compliance with the AICPA Code of Professional Conduct. 3.2 What is the basis for determining that a threat is at an acceptable level after the application of safeguards? 3.3 Assume that you have been the tax manager on the tax engagement of XYZ Company. Your spouse has just been offered the job of chief financial officer for XYZ Company. Is there a threat to ethical behavior? What would be an appropriate safeguard, if any, that might be applied if your spouse accepts the position with XYZ Company?

Integrity and Objectivity LEAR NING OBJECTI VE 4 Evaluate the ethical behavior needed to comply with rules of conduct on integrity and objectivity. The integrity and objectivity rule, AICPA codification section 1.100.001, reads as follows: In the performance of any professional service, a member shall maintain objectivity and integrity, shall be free of conflicts of interest, and shall not knowingly misrepresent facts or subordinate his or her judgment to others. The rule on integrity and objectivity applies to all services performed by CPAs (e.g., tax, audit, bookkeeping, or consulting services). The following discussion addresses two common issues that arise related to integrity and objectivity: conflicts of interest and subordination of judgment. A conflict of interest occurs when a CPA or accounting firm provides a professional service related to a particular matter involving two or more clients whose interests, with respect to that matter, are in conflict. In a tax matter this may occur when a CPA represents two clients (e.g., husband and wife) at the same time, who are in a legal dispute (e.g., a divorce) with each other. A larger firm may still provide tax services to the husband and to the wife, and safeguard this conflict of interest by using separate engagement teams who are provided clear policies and procedures on maintaining confidentiality. In a small firm, it is normal practice for a firm to resign providing tax services to one of the two parties in a divorce to remain free of any conflict of interest. Additional details about conflicts of interest are discussed in the AICPA Code of Professional Conduct, section 1.110. The integrity and objectivity rule also prohibits a CPA from subordinating his or her judgment when performing professional services for a client. Self-interest, familiarity, and undue influence threats to a CPA’s compliance with the integrity and objectivity rule may exist when a CPA and his or her supervisor, or another person within the accounting firm, have a difference of opinion related to the application of accounting principles, auditing standards, or other relevant professional standards. The subordination of judgment threat is at an acceptable level if the CPA concludes the position taken by the firm does not result in a material misrepresentation of fact or a violation of applicable standards, laws, or regulations. If the CPA concludes the difference of opinion may result in a material misrepresentation of fact or a violation of professional standards, then the CPA should discuss his or her concerns with the supervisor. If the difference of opinion is not resolved after discussing the concerns with the supervisor, the CPA should discuss his or her concerns with the appropriate higher level(s) of management within the CPA’s firm. Most accounting firms have specific policies for resolving these differences to ensure the firm does not violate professional standards and to protect a CPA from subordination of judgment to a supervisor.

integrity and objectivity  in the performance of any professional service, a member shall maintain objectivity and integrity, shall be free of conflicts of interest, and shall not knowingly misrepresent facts or subordinate his or her judgment to others

2-12  C h a pte r 2  Professionalism and Professional Responsibilities

Ethics Reasoning Example  Potential Subordination of Judgment James, a senior on the audit of Woodland Industries (a private company), has been discussing the adequacy of the allowance for doubtful accounts with the CFO. The CFO thought the allowance was adequate, and James thought there was evidence to support raising the allowance by $300,000. Eventually, the audit partner and the owner of Woodland Industries discussed each questionable account, and the partner and owner agreed to an adjustment of $175,000. After the meeting, the audit partner talked to James, and told James he did not want James to change any of his documentation. The audit partner told James, “I don’t want you to subordinate your judgment to mine. You document your reasoning, and I will document why I reached a different conclusion on a matter of professional judgment. That is the way we do things in our audit firm.”

Before You Go On 4.1  Define integrity and objectivity. Illustrate with an example. 4.2 Develop an example of a conflict of interest and explain a safeguard that would provide reasonable assurance that the conflict of interest does not result in a violation of the integrity and objectivity rule.

Independence LEAR NIN G OBJECTI VE 5 Evaluate the ethical behavior needed to comply with rules of conduct on independence.

independence  a member in public practice shall be independent in the performance of professional services as required by standards promulgated by bodies designated by Council

Independence is the cornerstone of the auditing profession. It is so important that every auditor’s report is entitled “Independent Auditor’s Report.” Financial statement users need to know that auditors are unbiased and independent of the entities they audit. The independence rule, AICPA codification section 1.200.001, reads as follows: A member in public practice shall be independent in the performance of professional services as required by standards promulgated by bodies designated by Council. A CPA must be independent of the client when performing attest services. Attest services include: •  Performing audits. •  Performing reviews under Statements on Standards for Accounting and Review Services (SSARS). •  Performing examinations, reviews, and agreed-upon procedures under Statements on Standards for Attestation Engagements (SSAE).

independent in fact  acting with integrity and objectivity, being honest, and not subordinating the public trust to personal gain and advantages

CPAs performing tax services or consulting services do not need to be independent of their client. Also, CPAs who compile financial statements for a client with no assurance provided do not need to be independent. However, they need to disclose that they are not independent in the compilation report. Compilation and review services are discussed further in Chapter 15. CPAs frequently think about independence in two ways, independence in fact and independence in appearance. These facets of independence are depicted in Illustration 2.4. Being independent in fact can be defined as acting with integrity and objectivity. Independence in fact is about being honest, about not subordinating the public trust to personal gain and

 Independence 2-13

advantages, and about being unbiased and impartial when performing attest services. Independence in fact is difficult for others to observe, but it is nevertheless the cornerstone upon which attest services provide value. Independent In Appearance

Independent in Fact

State of Mind

Apparent Conflict of Interest

Avoid Threats to Independence

Unbiased and Impartial; Not Subordinating the Public Trust

Follow the Rules (Minimum)

Follow Conceptual Framework

Being independent in appearance addresses a number of potential conflicts of interest that can be observed or factually determined by others. For example, an auditor (or immediate family member) having an ownership interest in an attest client, participating in a joint venture with an attest client, having litigation threatened by an attest client, or having a loan from an attest client are examples of the types of activities that impair the appearance of independence for an accounting firm. Having a financial interest in the outcome of an attest engagement may also influence independence in fact. The appearance of independence is observable and subject to enforcement under the rules of conduct. Section 1.200 of the AICPA Code of Professional Conduct specifies a number of circumstances that can impair the appearance of independence to guide CPAs in observable aspects of ethical conduct. The common factor of the issues raised in Code section 1.200 is that they are targeted to situations where CPAs appear to have a conflict of interest, such as having loans from clients or providing certain consulting services to clients. In some situations, the Code identifies safeguards that can preserve auditor independence. In other situations, the threat to independence is so significant that no safeguards are appropriate, and the relationship or circumstance is prohibited. Numerous examples are included in the following discussion. CPAs must then use common sense and be aware of apparent threats to a CPA’s independence, such as an adverse interest threat, an advocacy threat, a familiarity threat, a management participation threat, a self-interest threat, a self-review threat, or an undue influence threat. A CPA should evaluate these threats from the point of view of an independent third party, and take steps to preserve the CPA’s independence. In some cases, no safeguard may preserve independence, and the existence of the threat may require resigning from the attest engagement.

ILLUSTRATION 2.4  

Independent in fact versus independent in appearance

independent in appearance  avoiding potential conflicts of interest that can be observed by others

Cloud 9 - Continuing Case Sharon tells Josh about her experience at another accounting firm in which the client tried to pressure the audit partner into dropping a request to write down the asset values. It was an example of an undue influence threat to the auditor’s independence. Although it is difficult to stop a client from asking for a favor, the accounting

firm needs to have safeguards to prevent a simple request turning into unreasonable pressure on the audit team to meet that request. Sharon and Josh agree they need to consider the specific independence threats and safeguards for the audit of Cloud 9. The accounting firm must be independent, as well as be seen to be independent.

The following discussion explains the AICPA rule on independence and addresses some common threats to independence, such as investments in attest clients, loans to or from an attest client, taking on management responsibilities, family relationships, and performing nonattest services for an attest client.

Key Individuals and Independence Requirements Today, accounting firms have many professionals all over the globe, along with their family members, who have no influence over attest engagements of the firm. Accounting firms have also seen an increase in the number of dual-career families who potentially have independence problems when an accounting professional’s spouse works for an attest client, or receives compensation

2-14  C h a pte r 2  Professionalism and Professional Responsibilities

covered member  a person in a position to potentially influence attest decisions or the outcome of an attest engagement

ILLUSTRATION 2.5  

Definition of a covered member and activities that impair independence

through stock options or other stock ownership arrangements from an employer who is also an attest client. As a result, a CPA must think both about how his or her own activities could cause a threat to independence, as well as how the activities of his or her spouse or other family members threaten independence. The growth of non-audit services also raises questions about the ability of accounting firms to remain independent while providing services that may result in professional fees that are larger than those provided by performing an independent audit. The independence rules follow an engagement-based approach and define a level of accounting professional, a covered member, who is a person in a position to potentially influence attest decisions or the outcome of an attest engagement. While every professional in an accounting firm does not need to be independent of every attest client, the independence rules are particularly strict for accounting professionals who are defined as covered members. Illustration 2.5 summarizes the definition of a covered member and activities that impair the independence of a covered member (and his or her accounting firm) and would be prohibited under the independence rules (as they cannot be safeguarded). With respect to investments in an attest client, a covered member cannot have a direct investment in the attest client, irrespective of the materiality (or immateriality) of the investment. Therefore, a covered member cannot own one share of an attest client. Covered Members

Prohibited Activities

•  A  ny member of the engagement team

•  Cannot have a direct, or a material indirect, investment in the attest client

 artners and managers with consultation, •  P oversight, or review responsibilities related to the engagement •  D  irect supervisors of the engagement partner, including all successive senior levels •  A  ccounting firm professionals who perform (or expect to perform) more than 10 hours of nonattest services for the client •  P  artners who are in the same office as the lead partner on the engagement •  T  he firm, its benefit plans, and entities controlled by covered members

•  Cannot have a joint, closely held investment with an attest client that is material to the covered member •  Cannot have loans to or from the attest client (there are some very limited exceptions) •  Cannot be a trustee of a trust or executor of an estate who invests directly in an attest client (the AICPA and SEC permit an exception for a trustee who lacks authority to make investment decisions)

•  T  hose who evaluate partners’ performance and compensations, including members of compensation committees  ccounting firm professionals who consult •  A with the attest team regarding technical or industry-related issues specific to the engagement; this is intended to include individuals who are authorized to give advice to the attest team and there is no hours test •  I ndividuals who participate in quality-control activities for the firm

A question often comes up about owning shares in a mutual fund (where the covered member does not control the investment decisions), and the mutual fund owns shares of the attest client. This is considered an indirect investment in the attest client. A covered member can own a mutual fund where the mutual fund owns shares in the attest client, as long as the investment in the mutual fund is not material to the covered member. If the investment in the mutual fund is material to the covered member, and the mutual fund owns any shares in an attest client, independence is impaired. Covered members must also take care not to engage in joint investments with attest clients. For example, an attest partner and an attest client should not jointly own a business, or real property, together. In addition, a covered member cannot have a loan to or from an attest client. While there are some very limited exceptions (e.g., having a home mortgage from a bank who is an attest client), covered members must be very careful about making loans to, or accepting loans from, an attest client. A covered member also cannot be a trustee of a trust, or executor of an estate, that invests in an attest client. Being a trustee of a trust, or an executor of an estate,

 Independence 2-15

involves holding a key management position over the trust or estate. A covered member should not be in a management position to exercise authority over a direct investment in an attest client. Finally, the accounting firm as an entity is prohibited from the same activities as a covered member of the firm. Covered members must also be aware of potential conflicts of interest that may be raised by the activities of immediate family members and close relatives. Illustration 2.6 summarizes the definition of both immediate family members and close relatives, and activities of an immediate family member or close relative that impair the independence of the covered member (and his or her accounting firm) and would be prohibited under the independence rules. An immediate family member is one where the relationship is considered to be so close that any relationship between an immediate family member and an attest client is equivalent to the relationship between a covered member and the attest client. An immediate family member would be prohibited from making any investment, making or having a loan, or serving as a trustee of a trust or an executor of an estate that invests in an attest client. Further, as noted above, an immediate family member cannot work for an attest client in a key position. A key position would include a position where an immediate family member could exercise influence over the financial statements, such as CEO, CFO, member of the board of directors, or treasurer. In addition, a key person would be someone who prepares, or supervises others who prepare, (1) the financial statements or (2) material accounting records, or is involved in accounting decision making. Also, if a close relative held a key position with an attest client it would impair the independence of the covered member. Finally, if a close relative had a direct investment in an attest client that is material to the close relative, or had significant influence over an attest client, the covered member’s independence would be impaired.

Covered Members’ Immediate Family

Prohibited Activities

•  Spouse

•  Exactly the same as for a covered member.

•  Spousal equivalent

•  Cannot be employed in a “key position” with an attest client. A key position would be a position where the individual would:

•  Dependents

•  Exercise influence over the financial statements, such as CEO, CFO, member of the board of directors, or treasurer. •  Prepare, or supervise others who prepare, (1) the financial statements or (2) material accounting records. •  Be involved in accounting decision making.

Covered Members’ Close Relatives

Prohibited Activities

•  Parents

•  May not hold a key position with an attest client.

•  Nondependent children or stepchildren •  Brothers and sisters or stepbrothers and stepsisters

•  May not hold a material financial interest in an audit client, or have significant influence over an attest client (ASC 323–10).

An important issue for many spouses is their ability to participate in stock compensation plans. Today, it is common for many employees to be compensated with equity securities in addition to cash. If an accounting firm professional is not a covered member (e.g., a tax professional who does no work for the attest client), the spouse can work for the attest client and can participate in an employee benefit plan that includes employee stock ownership plans or employee stock option plans as long as the benefits are offered equitably to all similar employees. The same benefits are also extended to a limited group of covered members, nonattest partners and managers, and other partners in the office of the lead engagement partner that may have an immediate family member who works for an attest client as long as the immediate family member is not in a key position. Finally, an accounting firm does need to consider when the activities of professional ­employees, who are not covered members for a particular audit client, might impair the

immediate family member  a covered member’s spouse, spouse equivalent, or dependent close relative  a covered member’s parents, nondependent children, brothers and sisters, or stepbrothers or stepsisters

key position  a position with an attest client where an individual can exercise influence over the financial statements

ILLUSTRATION 2.6  

Definitions of an immediate family member and close relatives and activities that impair independence

2-16  C h a pte r 2  Professionalism and Professional Responsibilities

i­ ndependence of the firm. As a general rule, professional employees in an accounting firm who are not covered members, and their immediate family members, cannot: •  Have a direct investment of more than 5% in an attest client. •  Hold a key position with an attest client. •  Be a trustee, director or officer of an attest client, or of the client’s pension or profit-sharing trust.

Ethics Reasoning Example  Investments of an Immediate Family Member

Janice is an audit manager in a large public accounting firm with 35 offices on the East Coast. Janice has been dating Keith, a CFO of a company that is not a client of Janice’s firm. Keith has a significant investment portfolio of his own. After dating for about 4 months, Janice and Keith decide to get married. However, Janice tells Keith it is important for him to take a careful review of his investment portfolio. The policy in Janice’s firm is that she cannot have a direct investment, of any size, in any audit client of the firm. Further, she cannot have a material indirect investment in the audit client. This is so the firm is independent of its clients and can assign any staff member to any audit client. Given their relationship, Keith cannot have any investment that would be prohibited for Janice. As a result, Keith has to sell several investments and invest them in other ways.

Since independence is critical to the performance of attest services, the AICPA has published a number of interpretations of the independence rule. Illustration 2.7 summarizes these interpretations. Two key issues are discussed further next: employment or association with an attest client and nonattest services. ILLUSTRATION 2.7   Interpretations of the independence rule

AICPA Code of Professional Conduct Section

Interpretation

1.210

Conceptual Framework Approach

1.220

Accounting Firms

1.224

Affiliates, Including Governmental Units

1.228

Engagement Contractual Terms

1.230

Fees and Other Types of Remuneration

1.240

Financial Interests

1.250

Participation in Employee Benefit Plants

1.255

Depository, Brokerage, and Other Accounts

1.257

Insurance Products

1.260

Loans

1.265

Business Relationships

1.270

Family Relationship with Attest Clients

1.275

Honorary Director or Trustee of a Not-for-Profit Organization

1.277

Former Employment or Association with an Attest Client

1.279

Considering or Subsequent Employment or Association with an Attest Client

1.280

Memberships

1.285

Gifts and Entertainment

1.290

Actual or Threatened Litigation

1.295

Nonattest Services

1.297

Independence Standards for Engagements Performed in Accordance with Statements on Standards for Attestation Engagements

 Independence 2-17

Cloud 9 - Continuing Case Josh and Sharon know that they will have to put together an audit team where each member is independent with respect to Cloud 9. Jo Wadley, the partner, will discuss this matter with other partners in the office, and with other offices, to ensure that there will be no independence problems. Sharon and Josh both discuss their own independence with Jo, to confirm that there are no independence problems associated with either their investments or relationship with Cloud 9, or the investments or relationships associated with immediate family members or close relatives. Further, W&S Partners has every member

of the professional staff complete an independence questionnaire that covers direct stock ownership and spouse employment, and which serves as a basis for quality control related to independence. Jo advises them to discuss independence with all potential members of the audit team. Jo wants Sharon and Josh to make sure that every member of the audit team knows his or her responsibility to be independent, and to advise the firm of any investments in Cloud 9 or of immediate family members or close relatives who may work for Cloud 9.

Before You Go On 5.1 Explain what is meant by “independence in fact.” Explain what is meant by “independence in appearance.” Give an example of each. 5.2 An audit manager in another office from the audit client has quality control responsibilities in the same region as the audit engagement. Is the audit manager a covered member? Explain. 5.3 An audit staff person has been with the firm for only 6 months. Her spouse works for an audit client in an accounting position and makes material accounting decisions in the corporate accounting office. Are there safeguards that can be implemented to preserve the audit firm’s independence? Explain. 5.4 A partner works on the audit engagement of XYZ Company. After her husband died from a heart attack, she has had dinner a couple of times with a major shareholder in XYZ Company. The shareholder is not part of management. What are the implications if the personal relationship becomes serious between the partner and the shareholder?

Employment or Association with an Attest Client When a partner or professional employee of an accounting firm leaves the firm and is subsequently employed by the firm’s attest client, independence can be impaired inasmuch as the partner or professional employee may have continuing relationships, such as the payout of a pension plan, with the accounting firm. Furthermore, if a professional employee goes to work for an attest client, that employee may be familiar with the audit plan and/or staff working on the engagement, and there is a familiarity and undue influence risk that the former employee could influence the engagement. These are important risks that may impair an accounting firm’s independence. The rules are different for public company audit clients than for private company audit clients. With respect to public company clients, Section 206 of SOX states that the CEO, controller, CFO, chief accounting officer, or person in an equivalent position cannot have been employed by the company’s audit firm during the one-year period preceding the period under audit. With respect to private company clients, a firm’s independence will be considered impaired with respect to a client if a partner or professional employee leaves the accounting firm and is subsequently employed by the client in a key position, unless a series of safeguards discussed in Code section 1.279.02 are met. The general purpose of these safeguards is to ensure that the amounts due to the former partner or professional employee (e.g., retirement benefits) are not material to the firm, and the partner or professional employee is not in a position to influence the firm’s operations or does not participate or appear to participate in the firm’s business. The firm should also consider whether the former partner or professional employee has sufficient knowledge of the firm’s attest engagement such that the firm should consider whether to modify engagement procedures. If the former partner or professional ­employee

2-18  C h a pte r 2  Professionalism and Professional Responsibilities

joins the attest client in a key position within one year of disassociating from the firm, and has significant interaction with the engagement team, an appropriate professional in the firm should review the subsequent attest engagement to determine whether the engagement team members maintained the appropriate level of skepticism when evaluating the former partner’s or professional employee’s representations and work. A partner or professional employee merely seeking employment with an attest client may also impair independence. When a member of the attest engagement team or an individual in a position to influence the attest engagement intends to seek or discuss potential employment or association with an attest client, or is in receipt of a specific offer of employment from an attest client, independence will be impaired with respect to the client unless the person: a. Promptly reports such consideration or offer to an appropriate person in the firm. b. Removes himself or herself from the engagement until the employment offer is rejected or employment is no longer being sought. The purpose of this rule is to avoid situations where a CPA’s integrity or objectivity might be compromised. If a professional is seeking a job from an attest client, it is important to avoid a situation where the person might be tempted to take an aggressive stance in favor of the client on a matter of professional judgment while seeking the favor of a client by way of a job offer. Further, when any covered member becomes aware that a member of the attest engagement team or an individual in a position to influence the attest engagement is considering employment or association with a client, the covered member should notify an appropriate person in the accounting firm. Finally, the appropriate person in the accounting firm should consider what additional safeguards, such as additional review of any work performed by the individual considering employment with the attest client, may be necessary to provide reasonable assurance that any work performed for the client by that person was performed with objectivity and integrity.

Nonattest Services A major issue that continues to face the auditing profession is whether the performance of nonattest services (such as accounting services or internal control design and implementation) impairs an auditor’s integrity and objectivity. Critics wonder whether an auditor can be objective with respect to audit issues when fees from nonattest services exceed fees from attest services. When an auditor considers the rules related to nonattest services and independence, the auditor needs to understand that a different set of rules apply to auditors of public companies than auditors of private companies. Both the SEC and SOX set out the independence guidelines for public company audits that will be discussed in SEC and PCAOB Independence Rules. The AICPA and state boards of accountancy have rules appropriate to audits of private companies. The AICPA and many state boards of accountancy allow activities for private companies that are not allowed for public companies because many private companies (e.g., owner-managed business and small not-for-profit organizations that require audits) do not have the resources to internalize services that are often performed within public companies, such as bookkeeping, preparing financial statements, or payroll services. The demand for these services from smaller entities often causes a management participation threat. The following discussion outlines the appropriate rules for nonattest services as they relate to private company audits. AICPA independence rules (1.295) allow a member of a firm to perform nonattest services for private company attest clients under certain conditions. In each case, the CPA must evaluate the effect of nonattest services on independence. In general, a CPA should not perform management functions or make management decisions for the attest client. However, the CPA may provide advice, research materials, and make recommendations to assist the client’s management in performing its functions and making its decisions. In addition, the client must agree to perform the following functions in connection with the CPA’s engagement to perform nonattest services (safeguards implemented by the client): •  Make all management decisions and perform all management functions. •  Designate a competent employee, preferably within senior management, to oversee the services.

 Independence 2-19

•  Evaluate the adequacy and results of the services performed. •  Accept responsibility for the results of the services. •  Establish and maintain internal controls, including monitoring ongoing activities. If management cannot perform these functions (establish these safeguards), the firm’s independence is impaired. Interpretation 1.295 also indicates that before performing nonattest services, the CPA should establish, and document in writing, an understanding with the client regarding (1) the objectives of the engagement, (2) the services to be performed, (3) the client’s acceptance of its responsibilities, (4) the CPA’s responsibilities, and (5) any limitations of the engagement. It is preferable that this understanding be documented in an engagement letter (explained further in Chapter 3). In addition, the CPA should be satisfied that the client is in a position to have an informed judgment on the results of the nonattest services and the client’s management understands its responsibilities. The purpose of the AICPA rule is to allow CPAs to assist many small business clients who may not have a CPA within the entity. These entities often need outside professional expertise that the accounting firm can provide. Nevertheless, a number of general activities would be considered to impair a CPA firm’s independence when auditing non-public companies. These are summarized in Illustration 2.8, which also provides examples of how the performance of these general activities would impair an accounting firm’s independence, or how the client could take appropriate responsibilities to allow the accounting firm to assist the client without impairing the accounting firm’s independence with regard to the audit. Interpretation 1.295 provides additional specific examples of activities that would or would not impair independence. For example, CPAs can perform various accounting and bookkeeping services for an attest client. However, independence would be impaired if an accounting firm determined or changed journal entries, account codings or classification for transactions, or other accounting records without obtaining client approval; and authorized or approved transactions, prepared source documents, or made changes to source documents without client approval. Independence would not be impaired if the CPA recorded transactions for which management had determined or approved the appropriate account classification, or posted coded transactions to a client’s general ledger; prepared financial statements based on information in the trial balance; posted client-approved entries to a client’s trial balance; or proposed standard, adjusting, or correcting journal entries or other changes affecting the financial statements to the client, provided the client reviewed the entries and the CPA was satisfied management understood the nature of the proposed entries and the impact of the entries on the financial statements. You can read the actual Interpretation 1.295 for additional discussions related to payroll and other disbursements; appraisal, valuation and actuarial services; benefit plan administration; business risk consulting; corporate finance consulting; executive or employee recruiting; forensic accounting; information system design, implementation, or integration; internal audit; investment advisory or management services; and tax services.

Ethics Reasoning Example  Nonattest Services Fred Holland is a CPA in rural Wisconsin. Fred has a tax practice; he does payroll work for several businesses in the area and performs compilation and review services for some of his business clients. Fred has been careful with respect to performing payroll services as he wants to be independent of his clients. While independence is not required for compilations, Fred knows it is required for reviews and at times Fred has been requested to increase the level of assurance from a compilation to a review. As a result, whenever Fred performs payroll services for a client, he implements the following safeguards: (1) he requires the client to maintain all original time records for employees, (2) he does not sign checks on any client accounts, and (3) while Fred’s payroll system prepares checks and payroll tax returns, all of these documents are reviewed and signed by the client. Fred does not undertake a payroll engagement unless he believes the client has sufficient competence to review Fred’s work.

2-20  C h a pte r 2  Professionalism and Professional Responsibilities illustration 2.8   Independence and nonattest services for non-public clients

Examples Where Independence Is Impaired

General Activities That Will Impair Independence

Examples Where Independence Is Not Impaired

A CPA accepts responsibility to authorize payment of client funds, or accepts responsibility to sign or cosign client checks, even if only in emergency situations.

Authorizing, executing, or consummating a transaction, or otherwise exercising authority on behalf of a client or having the authority to do so

When assisting a small business client with payroll using payroll time records provided and approved by the client, the CPA can generate unsigned checks or process the client’s payroll.

Preparing source documents or originating data, in electronic or other form, evidencing the occurrence or a transaction (for example, purchase orders, payroll time records, and customer orders)

In an accounting service engagement for a non-public client, a CPA may record transactions for which management has determined or approved the appropriate account classification, or post coded transactions to a client’s general ledger and prepare financial statements based on information in the trial balance.

In a consulting engagement, a CPA acts as a promoter, underwriter, broker-dealer, or guarantor of client securities, or distributor of private placement memoranda or offering documents. In an accounting service engagement for a non-public client, a CPA determines or changes journal entries, account codings or classification for transactions, or other accounting records without obtaining client approval. A CPA prepares source documents, originates data, or makes changes to source documents without client approval. When performing payroll services, benefit plan administration, or other financial advisory services, a CPA has custody of client assets or maintains custody of client securities. In an IT engagement, a CPA supervises client personnel in the daily operation of a client’s information system. In an investment advisory engagement with an attest client, a CPA makes investment decisions on behalf of client management or otherwise has discretionary authority over a client’s investments.

In a consulting engagement, a CPA may assist in identifying or introducing the client to possible sources of capital that meet the client’s specifications or criteria.

Having custody of client assets

Another accounting firm has custody of assets and performs payroll services, benefit plan administration, or other financial advisory services.

Supervising client employees in the performance of their normal recurring activities

In an IT engagement, a CPA may design, install, or integrate a client’s information system, provided the client makes all management decisions.

Determining which recommendations In an investment advisory engagement with an attest client, a CPA can recommend the of the CPA should be implemented

allocation of funds that a client should invest in various asset classes, depending upon the client’s desired rate of return and risk tolerance.

In an attest engagement, a CPA presents business proposals to the board on the behalf of management.

Reporting to the board of directors on behalf of management

In an attest engagement, provide recommendations for improving the system for monitoring business risks.

In an investment advisory engagement, a CPA executes a transaction to buy or sell a client’s investment or has custody of client assets, such as taking temporary possession of securities purchased by a client.

Serving as a client’s stock transfer or escrow agent, registrar, general counsel, or its equivalent

In an investment advisory engagement, a CPA may review the manner in which a client’s portfolio is being managed by investment account managers, including determining whether the managers are (1) following the guidelines of the client’s investment policy statement; (2) meeting the client’s investment objectives; and (3) conforming to the client’s stated investment styles.

SEC and PCAOB Independence Rules audit committee  a committee of the board of directors responsible for oversight of internal controls, financial reporting and disclosure in the financial statements, regulatory compliance, and the company’s independent auditors

Illustration 2.9 provides the full listing of the PCAOB’s Ethics and Independence Rules. In a number of ways, the SEC and PCAOB rules related to auditor independence for public companies are stricter than the AICPA rules that apply to non-public entity audits. SOX mandates that a committee of the board of directors, called the audit committee, be directly responsible for oversight of the company’s independent auditors. (Chapter 4 provides further discussion on the role of an audit committee.) The SEC’s general standard of auditor independence is that an audit firm’s independence is impaired if a reasonable investor with knowledge of all the facts and circumstances would conclude that the firm

 Independence 2-21

PCAOB Ethics Rule Number

PCAOB Ethics Rule Title

3501

Definitions of Terms Employed in Section 3, Part 5 of the Rules

3502

Responsibility Not to Knowingly or Recklessly Contribute to Violations

3520

Auditor Independence

3521

Contingent Fees

3522

Tax Transactions

3523

Tax Services for Persons in Financial Reporting Oversight Roles

3524

Audit Committee Pre-approval of Certain Tax Services

3525

Audit Committee Pre-approval of Non-audit Services Related to Internal Control Over Financial Reporting

3526

Communication with Audit Committees Concerning Independence

Source: https://pcaobus.org/Standards/EI/Pages/default.aspx.

is not capable of exercising objective and impartial judgment on all issues encompassed within the audit engagement. The SEC developed some general rules for an audit committee to consider when evaluating an audit firm’s independence. A public company’s audit committee should consider whether a relationship with the accounting firm or service provided by the accounting firm: •  Creates a mutual or conflicting interest between the company and the accounting firm. •  Places the accounting firm in a position of auditing its own work. •  Places the accounting firm in a position of acting as management or an employee of the company. •  Places the accounting firm in a position of being an advocate for the company. To encourage the independence of audit partners, Section 203 of SOX mandates rotation of the lead audit partner and the audit partner having responsibility for reviewing the audit every five years. Additionally, SEC rules prohibit the audit firm from providing the following nonattest services to an audit client: •  Bookkeeping. •  Financial information system design and implementation. •  Appraisal or valuation series, fairness opinions, or contribution-in-kind reports. •  Actuarial services. •  Internal audit outsourcing services. •  Management functions or human resources functions. •  Broker-dealers, investment advisor, or investment banking services. •  Legal services and expert services unrelated to the audit. SEC rules also prohibit certain relationships between audit firms and the public companies they audit. The prohibited relationships include: •  Employment relationships. A one-year “cooling-off period” is required before a company can hire certain individuals formerly employed by its auditor in a financial reporting oversight role for the company. For example, an audit manager on a public company audit cannot go to work directly for a public company as its CFO or controller unless there has been at least a one-year period from the time the audit manager last worked on the audit to the time he or she is hired by that client. SEC rules ask the public company’s audit committee to consider whether the hiring of personnel who are or were formerly employed by the audit firm might affect the audit firm’s independence.

ILLUSTRATION 2.9  

PCAOB ethics and independence rules

2-22  C h a pte r 2  Professionalism and Professional Responsibilities

•  Contingent fee. Accounting firms are prohibited from performing work for public companies where the accounting firm is paid on either a contingent fee or a commission basis. The AICPA rules for auditors of non-public entities are also clear that when a firm is compensated on a commission or contingent fee basis, independence is violated. If the compensation for an accounting firm is tied to the outcome of the engagement, the firm becomes an advocate for the client with these compensation arrangements, violating a general principle of independence. •  Direct or material indirect business relationships. Accounting firms may not have any direct or material indirect business relationships with the company, its officers, directors, or significant shareholders. For example, an accounting firm may not enter into a joint venture with a public company audit client. It would be inappropriate for an auditor of a software company to enter into a business relationship with the same software company to develop accounting software to market to the public. •  Certain financial relationships. Certain financial relationships between the company and the independent auditor are prohibited. These include creditor–debtor relationships, banking relationships, broker–dealer relationships, futures commission merchant account relationships, insurance product relationships, and joint interests in investment companies. As a matter of strengthening corporate governance, the SEC rules require accounting firms to disclose to their client’s audit committee, in writing, all relationships between the accounting firm and the company that may reasonably be thought to bear on the accounting firm’s independence. SEC rules also require the auditor to confirm and discuss its independence with the client’s audit committee. As part of its responsibilities, the client’s audit committee should consider discussing the following issues with the auditor in regards to the firm’s independence disclosure: •  The processes the accounting firm uses to ensure complete disclosure of all relationships with the company and its affiliates. •  The relationships the accounting firm may have with officers, board members and significant shareholders. •  The relationships not included in the communication because they were deemed immaterial.

Professional Environment  Non-Audit Fees Prior to the passage of SOX, many accounting firms received significant fees from offering consulting services to audit clients. In some cases, the size of the consulting fee was larger than the audit fee, creating a potential conflict of interest for the audit firm. This was true for both Waste Management and Enron. The fact was also not lost on chief financial officers, who would use the size of the consulting engagement as leverage to get the auditor to go along with accounting decisions that were not black and white. Ultimately, the delivery of non-audit services to audit clients led to

a public concern about audit independence. As noted above, the SEC stepped in and now prohibits the delivery of many non-audit services to audit clients. As a result, it is common for large audit clients to use more than one accounting firm for various services. It is likely that a global audit client might use one firm for audit services, another firm for tax services, another firm for internal control consulting, and yet another firm to assist in merger and acquisition services.

Cloud 9 - Continuing Case Josh and Sharon do not know of any current work being done for Cloud 9 by W&S Partners, or any other relationships between members of the audit team and the client’s staff. However, they will check with all other departments, particularly the consulting department, and other offices of W&S Partners. They will also ask any new members of the audit team to disclose their interests and relationships with the client before they join the team.

Subsequently, the partner, Jo Wadley, advises Sharon and Josh that she has reached out to other offices and discussed the proposal with the other partners in her office. The firm is not working for Cloud 9 on any other matter. Jo, Sharon, and Josh want to make sure that there are no potential independence issues when their proposal is discussed with Cloud 9’s audit committee.

  General Standards  2-23

Before You Go On 5.5 The audit manager on an audit engagement of a large private company has been asked by the company to consider becoming the company’s CFO. What are the independence implications of this situation? What are the appropriate safeguards to preserve the firm’s independence? 5.6 An audit firm serves only private companies. It also provides tax services and investment advisory services to its clients. Can a partner in the firm advise an audit client on the allocation of funds in the client’s investment portfolio, based on the client’s desired rate of return and risk tolerances? Explain your reasoning. 5.7 Explain the general rules that an audit committee of a public company should consider when evaluating the potential services that it might request of its audit firm.

General Standards lear ning objecti ve 6 Evaluate the ethical behavior needed to comply with rules of conduct on general standards. The general standards of the AICPA Code of Professional Conduct apply to all CPAs in public practice. For example, the independence standards apply only to accounting firms that perform attest engagements, and the professionals in those firms who are in a position to influence the outcome of an attest engagement (e.g., covered members, their immediate family members, and close relatives). The general standards apply to any CPA performing any professional service for a client (e.g., tax services, consulting services, or nonattest services). Further, the same standards are found in the section of the Code related to members in business. The general standards (1.300.001) read as follows: A member shall comply with the following standards and with any interpretations thereof by bodies designated by Council: a.  Professional Competence. Undertake only those professional services that the member or the member’s firm can reasonably expect to be completed with professional competence. b.  Due Professional Care. Exercise due professional care in the performance of professional services. c.  Planning and Supervision. Adequately plan and supervise the performance of professional services. d.  Sufficient Relevant Data. Obtain sufficient relevant data to afford a reasonable basis for conclusions or recommendations in relation to any professional services performed. The standard on professional competence is clear that a CPA, or an accounting firm, should only undertake professional services that he or she reasonably expects to complete with professional competence. While a CPA does not assume infallibility of knowledge or judgment, a normal part of providing professional services involves performing additional research or consulting with others to gain sufficient competence. If a CPA is unable to gain sufficient competence, a CPA should suggest, in fairness to the client and the public, the engagement of a competent person to perform the needed professional service. For example, a tax practitioner might be approached by a tax client that needs an audit or a review of the company’s financial statements for the bank. If the tax practitioner does not have experience

professional competence  undertaking only those professional services that a CPA or a CPA’s firm can reasonably expect to complete with professional competence due professional care  exercising due professional care expected of other CPAs in the performance of professional services planning and supervision  adequately plan and supervise the performance of professional services sufficient relevant data  obtain sufficient relevant data to afford a reasonable basis for conclusion or recommendation in relation to any professional services performed

2-24  C h a pte r 2  Professionalism and Professional Responsibilities

performing audits or reviews, the practitioner should refer the engagement to another CPA with the appropriate qualifications. Alternatively, if the tax practitioner chooses to accept the engagement, he or she should take appropriate continuing professional education (CPE) courses, and consider consulting the experienced colleagues to ensure that the engagement is performed in accordance with professional standards. The due care standard expects CPAs to exercise the professional care that would be expected of other CPAs performing the same work. In particular, CPAs should follow all professional standards that relate to providing services. For example, in a tax engagement, this would include following tax practice standards. All engagements should be adequately planned and supervised. Further, in the performance of nonattest services, CPAs should obtain sufficient, relevant data to afford a reasonable basis for a conclusion or recommendation. Note that this is different than the expectation in an audit. In performing an audit, a CPA should obtain sufficient appropriate evidence, which is a higher standard. The standard of sufficient appropriate evidence is discussed further in Chapter 5. Adherence to these requirements contributes to the quality of performance of professional engagements for the benefit of clients, the public, and the overall reputation of the profession.

Ethics Reasoning Example  Professional Competence Dana Moore is a CPA in Georgia. Dana has a modestly sized tax practice, and she performs a number of audits of local school districts as well as of a few cities and counties. Dana is also on the board of directors of several charities where she interacts with some of the business people in the area. One day, a local technology entrepreneur in the area walks into her office and says, “I have worked with you on the board of directors of a local charity, and I like the perspectives you bring to the board. My company is growing and needs an audit. I know you do audits, and I am wondering if you would give me a bid on doing my company’s audit.” Dana was not expecting this, but she knows what her response should be. “I appreciate your interest in my work and my services. However, not all audits are the same. I understand the accounting and auditing issues with local governments and school districts, but I am not well-versed in the accounting, internal control, and auditing issues for technology companies. This is beyond the scope of my expertise, and I only want to consider an engagement that I can expect to complete with professional competence and due care. However, through the State Society of CPAs, I know some other auditors who might have the skills you need. Let me give you their names.”

Before You Go On 6.1 Identify two types of engagements that would be covered by the general standards in the AICPA Code of Professional Conduct. 6.2 If a CPA does not have the professional competence to complete an investment advisory engagement, what steps should the firm take to ensure that the engagement is completed with professional competence? 6.3 When evaluating whether an engagement was completed with due professional care, how might a state board of accountancy judge the due care that was used in completing an engagement?

Other Rules of Conduct for Members in Public Practice LEAR NIN G OBJECTI VE 7 Evaluate the ethical behavior needed to comply with other rules of conduct for members in public practice.

  Other Rules of Conduct for Members in Public Practice  2-25

It is not possible in the scope of this chapter to discuss all of the rules of conduct for CPAs in public practice. The following discussion addresses three additional rules of conduct that you should understand: Rule 1.320 on Accounting Principles, Rule 1.500 on Fees and Other Types of Remuneration, and Rule 1.700 on Confidential Information.

Accounting Principles Rule It is imperative that CPAs, who are experts in accounting principles, follow accounting principles in the performance of their duties. This is made clear in Rule 1.320. Further, a similar rule exists for members in business, Rule 2.320. Rule 1.320 on accounting principles reads as follows: A member shall not (1) express an opinion or state affirmatively that the financial statements or other financial data of any entity are presented in conformity with generally accepted accounting principles or (2) state that he or she is not aware of any material modifications that should be made to such statements or data in order for them to be in conformity with generally accepted accounting principles, if such statements or data contain any departure from an accounting principle promulgated by bodies designated by Council to establish such principles that has a material effect on the statements or data taken as a whole. If, however, the statements or data contain such a departure and the member can demonstrate that due to unusual circumstances the financial statements or data would otherwise have been misleading, the member can comply with the rule by describing the departure, its approximate effects, if practicable, and the reasons why compliance with the principle would result in a misleading statement. The bodies that are designated by the AICPA Council to promulgate accounting principles are (1) the Financial Accounting Standards Board (FASB), (2) the Federal Accounting Standards Advisory Board (FASAB), (3) the Governmental Accounting Standards Board (GASB), and (4) the International Accounting Standards Board (IASB). Financial statements prepared using other accounting principles would be considered financial reporting frameworks other than generally accepted accounting principles (GAAP). For example, CPAs often prepare financial statements for small businesses on a cash basis of accounting or a federal income tax basis of accounting. In these situations, the client’s financial statements, and the CPA’s report thereon, should not purport that the financial statements are in accordance with GAAP, and the financial statements and the CPA’s report should clarify the financial reporting framework used. Finally, there is a strong presumption that adherence to GAAP would, in nearly all circumstances, result in financial statements that are not misleading. The question of what constitutes unusual circumstances, referred to in the rule above, is a matter of professional judgment. In considering that judgment, a CPA must consider whether a reasonable person reading the financial statements would consider the adherence to the promulgated accounting principle to be misleading. In practice, these circumstances are extremely rare.

Fees and Other Types of Remuneration The rule on fees and other types of remuneration address two circumstances that are particularly important: Rule 1.510 on Contingent Fees and Rule 1.520 on Commissions and Referral Fees. In general, entering into a contingent fee arrangement or accepting a commission or a referral fee associated with an attest client impairs independence due to the advocacy threat associated with these types of fees. For example, if a CPA accepted a contingent fee associated with helping an attest client sell the business, the CPA would become an advocate for the client, and independence would be impaired. Further, it is particularly important that commission arrangements be disclosed to the client. For example, a CPA might be paid a commission by a software company for recommending its accounting software to a nonattest client. It is important for the client considering the accounting software to know that the

2-26  C h a pte r 2  Professionalism and Professional Responsibilities

CPA is being paid a commission if the business purchases the software, so that the client fully evaluates the product and incentives involved. It is appropriate for CPAs to perform engagements on a contingent fee basis, or to accept a commission or a referral fee, with respect to nonattest clients. However, these fee arrangements are prohibited for attest clients as they impair independence.

Confidential Information In general, a CPA in public practice shall not disclose confidential client information without the specific consent of the client. However, there are some well-known exceptions to this rule. First, the rule on confidential client information should not be construed as relieving a CPA of his or her professional obligation to comply with accounting principles. Therefore, a client cannot claim that information should not be disclosed in financial statements due to client confidentiality if the information is required by GAAP. Second, the rule on confidential client information allows a CPA to comply with a validly issued and enforceable subpoena or summons, or allows a CPA to comply with applicable laws and government regulations. For example, in certain circumstances an auditor might have to report confidential information to regulators such as the SEC if the information is not reported by management or those charged with governance of the entity. Third, the confidential client information rule does not prohibit a review of a CPA’s professional practice under the AICPA, state society, or state board of accountancy authorization. This exception allows for peer review of a CPA’s practice and allows the peer reviewer to become knowledgeable of confidential client information. However, there is an obligation on the part of the peer reviewer to respect the confidential client information rule. Finally, the confidential client information rule does not preclude a CPA from initiating a complaint with, or responding to any inquiry made by, the professional ethics division of the AICPA, a duly constituted investigative or disciplinary body of a state CPA society, or a state board of accountancy.

Before You Go On 7.1 Do the rules of conduct on accounting principles prevent a CPA from preparing financial statements for a client on a cash basis of accounting, which is not GAAP? Explain your reasoning. 7.2 Explain why accepting an engagement on a contingent fee arrangement impairs independence. 7.3 After work, can a member of an audit team discuss confidential information about a client’s business with his or her spouse, who works for the client’s competitor? Has the member violated the AICPA Code of Professional Conduct? Explain your reasoning.

Auditor Liability Under Common Law learnin g OBJECTI VE 8 Evaluate an auditor’s legal liability under common law. The previous sections have focused on an auditor’s ethical responsibilities to society (responsibilities to the client and to the public that relies on financial statements). The legal system plays an important role in supporting the quality of work performed by auditors. It provides an important framework for accountability regarding the behavior of CPAs in society.

 Auditor Liability Under Common Law  2-27

Auditors need to understand the legal impacts affecting the environment in which they work. Specifically, they need to know who can sue them, the allegations typically made in lawsuits against auditors, and defenses the auditor can use in court. Exposure to legal liability is also an incentive for auditors to conduct high-quality audits. The following discussion is broken into two sections: (1) the auditor’s liability under common law, which may vary from state to state, and (2) the federal statutes regarding an auditor’s responsibility to financial statement users. Common law is frequently referred to as unwritten law. It is based on judicial precedent rather than legislative rule. Common law is derived from principles based on justice, reason, and common sense rather than absolute, fixed, or inflexible rules. The principles of common law are determined by the social needs of the community. Therefore, common law changes in response to society’s needs. In a specific case, the accountant’s liability is determined by a state or federal court that attempts to apply case law precedents that it feels are controlling. Because there are 51 such independent jurisdictions in the United States (50 states and the District of Columbia), different decisions may result with respect to relatively similar factual circumstances. In a common law case, the judge has the flexibility to consider social, economic, and political factors as well as prior case law doctrines (precedents). Under common law, a CPA’s legal liability extends principally to two classes of parties: clients and third parties. Illustration 2.10 outlines the discussion of an auditor’s liability under common law. An audit firm may be liable to clients either under contract law or under tort law, as discussed below. An audit firm is also concerned about its exposure to liability to clients. This liability will vary from state to state depending on state laws and legal precedent. The discussion of third-party liability will address whether an audit firm is liable to primary beneficiaries of the audit, to a foreseen class of third-party users of financial statements, or to foreseeable users of financial statements.

ILLUSTRATION 2.10  

Common Law

Liability to Clients

Contract Law

Tort Law

common law  law based on justice, reason, and common sense, rather than on absolute rules

Auditor liability under common law Liability to Third Parties

Primary Beneficiaries

Foreseen Class of Third Parties

Foreseeable Third Parties

Liability to Clients A CPA is in a direct contractual relationship with clients. In agreeing to perform services for clients, the CPA assumes the role of an independent contractor. The specific service(s) to be rendered should preferably be set forth in an engagement letter, as described in Chapter 3. The term privity of contract refers to the contractual relationship that exists between two or more contracting parties. In the typical auditing engagement, it is assumed that the audit is to be made in accordance with professional standards (i.e., generally accepted auditing standards) unless the contract contains specific wording to the contrary. A CPA may be held liable to a client under either contract law or tort law. Each of these is explained below.

privity of contract  a contractual relationship that exists between two or more contracting parties

Contract Law An auditor may be liable to a client for breach of contract when the audit firm: •  Issues a standard audit report when he or she has not made an audit in accordance with generally accepted auditing standards (GAAS). •  Does not deliver the audit report by the agreed-upon date. •  Violates the client’s confidential relationship.

breach of contract  a binding agreement is not honored by one or more parties to a contract

2-28  C h a pte r 2  Professionalism and Professional Responsibilities

A CPA’s liability for breach of contract extends to subrogees. A subrogee is a party who has acquired the rights of another by substitution. For example, the bonding of the client’s employees is considered an important part of a company’s system of internal control. When an embezzlement occurs, the bonding company reimburses the insured (the client) for its losses. Then, under the right of subrogation to the insured’s contractual claim, the bonding company can bring suit against the CPA for failing to discover the fraud. When a breach of contract occurs, the client usually seeks one or more of the following remedies: (1) specific performance of the contract by the defendant (the CPA), (2) direct monetary damages for losses incurred due to the breach, or (3) incidental and consequential damages that are an indirect result of nonperformance.

Tort Law tort  a wrongful act that injures another person’s property, body, or reputation ordinary negligence  failure to exercise the degree of care a reasonable person would exercise under the same circumstances gross negligence  failure to use even slight care in the circumstances fraud  intentional deception, such as misrepresentation, concealment, or nondisclosure of a material fact, that results in injury to another

A CPA may also be liable to a client under tort law. A tort is a wrongful act that injures another person’s property, body, or reputation. A tort action may be based on any one of the following causes: •  Ordinary negligence. Failure to exercise the degree of care a person of ordinary prudence (a reasonable person) would exercise under the same circumstances •  Gross negligence. Failure to use even slight care in the circumstances •  Fraud. Intentional deception, such as misrepresentation, concealment, or nondisclosure of a material fact, that results in injury to another. In some cases a distinction has been made between fraud and constructive fraud. Constructive fraud may be inferred from gross negligence or reckless disregard for the truth. Under tort law, the injured party normally seeks monetary damages. The auditor’s documentation is vital in refuting charges for breach of contract and breach of duty in a tort action.

Cases Illustrating Liability to Clients Two cases pertaining to liability to clients are considered below. The first case involves negligence, and the second relates to breach of contract.

1136 Tenants’ Corp. v. Max Rothenberg & Co. (1971) In this case the plaintiff was a corporation owning a cooperative apartment house that sued Max Rothenberg, an accounting firm, for damages resulting from the failure of the CPA to discover the embezzlement of over $110,000 by the plaintiff’s managing agent, Riker. Riker had orally engaged Rothenberg at an annual fee of $600. The plaintiff maintained that Rothenberg had been engaged to perform all necessary accounting and auditing services. The CPA claimed he was only engaged to prepare financial statements without assurance as well as related tax returns. As evidence of their respective contentions, the plaintiff booked the accountant’s fee as auditing expenses, and the CPA defendant marked each page of the financial statements as “unaudited.” In addition, the CPA’s letter of transmittal to the financial statements stated that (1) the statements were prepared from the books and records of the corporation and (2) no independent verifications were undertaken thereon. The trial court found that the defendant was engaged to perform an audit because Rothenberg admitted that he had performed some limited auditing procedures such as examining bank statements, invoices, and bills. In fact, the CPA’s own worksheets included one entitled “Missing Invoices,” which showed over $40,000 of disbursements that did not have supporting documentation. The CPA did not inform the plaintiff of these invoices, and no effort was made to find them. The trial court also found that the CPA was negligent in the performance of the service and awarded damages totaling $237,000. The appellate court affirmed, saying:

 Auditor Liability Under Common Law  2-29

•  Regardless of whether the CPA was conducting an audit or drafting financial statements, there was a duty to inform the client of known wrongdoing or other suspicious actions by the client’s employees. •  The defendant’s worksheets indicate that the defendant did perform some audit procedures. The 1136 Tenants’ case has frequently been used to demonstrate the importance of having a written contract (engagement letter) for each professional engagement. A written contract is important, but it was not the only issue in this case. The critical issue was the CPA’s failure to inform the client of employee wrongdoing, regardless of the type of service rendered.

Fund of Funds, Ltd. v. Arthur Andersen & Co. (1982) In this case, the plaintiff sued the auditors for breach of contract because the auditors failed to disclose fraud to the client when the auditors’ engagement letter contained a specific representation that any fraud would be revealed. The fraud, totalling over $120 million, resulted from overcharges on a contract between the plaintiff and King Resources, both audited by Andersen. Andersen admitted discovery of the violation of the contract in auditing King, but declined to disclose the fraud to Fund of Funds because the AICPA’s Rule on Confidential Client Information prohibits disclosure of confidential information. The court ruled for the plaintiff on the grounds that the defendants failed to comply with the terms of their engagement letter, a breach of contract.

Liability to Third Parties The common law liability of the auditor to third parties is important in any discussion of the auditor’s legal liability. A third party may be defined as an individual who is not in privity with the parties to a contract. From a legal standpoint, there are two classes of third parties: (1) a primary beneficiary and (2) other beneficiaries. A primary beneficiary is anyone identified to the auditor by name prior to the audit who is to be the primary recipient of the auditor’s report. For example, if at the time the engagement letter is signed, the client informs the auditor that the report is to be used to obtain a loan at the Second National Bank, the bank becomes a primary beneficiary. In contrast, other beneficiaries are unnamed third parties, such as creditors and potential investors. An auditor is liable to all third parties for gross negligence and fraud under tort law. In contrast, the auditor’s liability for ordinary negligence has traditionally been different between the two classes of third parties. The following discussion explains the importance of how the case law has defined an auditor’s liability to third parties for the auditor’s negligence.

Ultramares Corp. v. Touche (1931) This decision extended the concept of privity of contract to the primary beneficiary of the auditor’s work. In this landmark case, the defendant auditors, Touche, failed to discover fictitious transactions that overstated assets and stockholders’ equity by $700,000 in the audit of Fred Stern & Co. Subsequent to the audit, Ultramares loaned Stern large sums of money that Stern was unable to repay because the company was actually insolvent. Ultramares sued the accounting firm for negligence and fraud. The court found the auditors guilty of negligence but ruled that accountants should not be liable to any third party for negligence except to a primary beneficiary. Judge Cardozo said: If liability for negligence exists, a thoughtless slip or blunder, the failure to detect a theft or forgery beneath the cover of deceptive entries may expose accountants to a liability in indeterminate amounts, for an indeterminate time, to an indeterminate class. The hazards of a business conducted on these terms are so extreme as to enkindle doubt whether a flaw may not exist in the implication of a duty that exposes to these consequences. The court also ruled that the finding on negligence does not emancipate accountants from the consequences of fraud. It concluded that gross negligence may constitute fraud. Ultramares Corp. v. Touche upheld the privity of contract doctrine under which third parties cannot sue

third party  an individual or collective group who is not in privity with the parties to a contract primary beneficiary  anyone identified to the auditor by name prior to the audit who is a recipient of the auditor’s report other beneficiaries  unnamed third parties, such as creditors, stockholders, and potential investors, who use the auditor’s report

2-30  C h a pte r 2  Professionalism and Professional Responsibilities

auditors for ordinary negligence. However, Judge Cardozo’s decision extended to primary beneficiaries the rights of one in privity of contract. Therefore, Ultramares as a primary beneficiary could sue and recover for losses suffered because of the auditor’s ordinary negligence.

Rusch Factors v. Levin (1968) The Ultramares decision remained virtually unchallenged for 37 years, and it still is followed today in many jurisdictions. However, since 1968, several court decisions have served to extend the auditor’s liability for ordinary negligence beyond the privity of contract doctrine. The following environmental factors contributed to this development: •  The concept of liability evolved significantly to include consumer protection from the wrongdoing of both manufacturers (product liability) and professionals (service liability). •  Businesses and accounting firms grew in size, making them better able to shoulder the new threshold of responsibility. •  The number of individuals and groups relying on audited financial statements grew steadily. In Rusch Factors v. Levin, the plaintiff had asked the defendant accountant to audit the financial statements of a corporation seeking a loan. The certified statements indicated that the potential borrower was solvent when, in fact, it was insolvent. Rusch Factors sued the auditor for damages resulting from its reliance on negligent and fraudulent misrepresentations in the financial statements. The defendant accountant asked for dismissal on the basis of lack of privity of contract. The court ruled in favor of the plaintiff. While the decision could have been decided on the basis of the primary beneficiary rule set forth in Ultramares, the court instead said: The accountant should be liable in negligence for careless financial misrepresentation relied upon by actually foreseen and limited classes of persons. In this case, the defendant knew that his certification was to be used for potential financiers of the … corporation (emphasis added). This decision extended the auditor’s liability from known specific primary beneficiaries, to an actually foreseen limited class of third parties known to be relying on the financial statements.

Restatement (Second) of Torts § 552 (1977) foreseen class  a limited class of third parties known to be relying on the financial statements

The shift away from Ultramares occurred in the form of judicial acceptance of the specifically foreseen class concept. Subsection (2) of the Restatement (second) of Torts § 552 extends the auditor’s liability to “a limited group of persons for whose benefit the CPA intends to supply the information.” Thus, if the client informs the CPA that the audit report is to be used to obtain a bank loan, all banks are foreseen parties, but trade creditors and potential stockholders would not be part of the foreseen class. However, a CPA would not be liable if the audit report were used by a bank to invest capital in the client’s business in exchange for common stock instead of granting a loan. The foreseen class concept does not extend to all present and future investors, stockholders, or creditors. Court decisions have not required that the injured party be specifically identified, but the class of persons to which the party belonged had to be limited and known at the time the auditor provided the information.

Rosenblum v. Alder (1983) foreseeable parties  individuals or entities who the auditor either knew, or should have known, would rely on the audit report

The Rosenblum case extended an auditor’s liability to foreseeable parties, individuals, or entities whom the auditor either knew or should have known would rely on the audit report in making business and investment decisions, and it extended the auditor’s duty of due care to any foreseeable party who suffers a pecuniary loss from relying on the auditor’s representation. Foreseeable parties include all creditors, stockholders, and present and future investors. The courts use foreseeability extensively in cases involving physical injury. For example, foreseeability is almost universally used in product liability cases when the manufacturer’s negligence causes the physical injury. This concept was first applied in an audit negligence case in the early 1980s.

 Auditor Liability Under Common Law  2-31

In reaching its decision in Rosenblum, the New Jersey Supreme Court cited the following public policy factors that appear, in part, aimed at countering Judge Cardozo’s arguments in upholding the privity doctrine in Ultramares: (1) insurance is available to accountants to cover these risks, (2) the CPA has a moral responsibility to anyone relying on his or her opinion, and (3) more rigid standards will cause accountants to do better work. The foreseeability standard was subsequently embraced by similar rulings in Wisconsin, California, and Mississippi.

Credit Alliance Corp v. Arthur Andersen & Co. (1985) In 1985, the New York Court of Appeals expressly rejected the foreseeability standard in Credit Alliance Corp. v. Arthur Andersen & Co. Instead, the court reverted to a “near privity rule,” establishing three criteria for determining whether a plaintiff can bring a claim against an auditor for ordinary negligence: (1) the plaintiff did in fact rely on the auditor’s report, (2) the auditor knew that the plaintiff intended to rely on the report, and (3) the auditor, through some actions on his or her own part, evidenced understanding of the plaintiff’s intended reliance.

Bily v. Arthur Young & Co. (1992) In 1992, in yet another landmark case known as Bily v. Arthur Young & Co., the California Supreme Court ended the foreseeability standard in that state. After perhaps the most thorough analysis by any court of the purpose and effects of audits and audit reports, and following a thorough review of approaches taken by other courts as well as the basic principles of tort liability announced in the California court’s own prior cases, it stated: We conclude that an auditor owes no general duty of care regarding the conduct of an audit to persons other than the client. An auditor may, however, be held liable for negligent misrepresentations in an audit report to those persons who act in reliance upon those misrepresentations in a transaction which the auditor intended to influence, in accordance with the rule of section 552 of the Restatement Second of Torts. . . . Finally, an auditor may also be held liable to reasonably foreseeable third persons for intentional fraud in the preparation and dissemination of an audit report. A summary of the auditor’s liability under common law is presented in Illustration 2.11.

ILLUSTRATION 2.11   Liability to third parties under common law

Rosenblum decision extends liability to foreseeable third parties

Bily decision returns California to Restatement (Second) of Torts for negligent misrepresentation

Relative exposure

Rusch Factors decision Forseen extends class liability to concept foreseen adopted in class Restatement of third (Second) parties of Torts

Ultramares decision extends liability to Liability primary excluded beneficiaries by privity of contract doctrine Pre-1931

1931

Some states adopt privity legislation restricting liability to users acknowledged by the auditor

Credit Alliance decision restricts liability to users acknowledged by the auditor

1968

1977

1983

1985

1992

1993

2-32  C h a pte r 2  Professionalism and Professional Responsibilities

Although the extent of the auditor’s exposure to liability to third parties for ordinary negligence has been subject to the court decisions in various jurisdictions, it now appears that all but three states (Mississippi, New Jersey, and Wisconsin) either embrace the Restatement (Second) of Torts, or the stricter Credit Alliance or privity legislation rules.

Burden of Proof and Common Law Defenses In general, the plaintiff must prove the following when suing an auditor: •  The auditor owed a duty of care to the plaintiff. •  The auditor breached the duty by failing to act with due care (negligence). •  The auditor’s negligence was the proximate cause of the plaintiff’s damage. •  The plaintiff had actual damages. A key issue is whether the auditor owed a duty of care to the plaintiff. As noted in the previous discussion, most states extend the auditor’s duty of care to foreseen third parties under the Restatement (Second) of Torts standard. The auditor’s defenses generally include: •  The auditor was not negligent and performed an audit in accordance with professional standards. •  No duty of care was owed to the plaintiff. •  The plaintiff had no loss. •  The loss was caused by other events. •  The plaintiff’s negligence (contributory negligence) contributed to the auditor’s failure to perform. •  The claim was invalid because the statute of limitations had expired. due care defense  the auditor’s documentation should provide evidence that the audit was performed in accordance with auditing standards generally accepted in the United States

The auditor must generally use the due care defense in breach of contract suits involving negligence. Under a due care defense, the auditor’s documentation should provide evidence that the audit was performed in accordance with auditing standards generally accepted in the United States. The due care defense is also a primary defense against tort actions, along with contributory negligence. In a contributory negligence defense, the plaintiff must have contributed to his or her own injury (loss) by his or her own negligence. Therefore, the law considers the plaintiff to be as responsible as the defendant for the injury. In such a case, there is no basis for recovery because the negligence of one party nullifies the negligence of the other party. For example, the plaintiff may have withheld vital information from the CPA during the audit, contributing to the audit firm’s failure to follow professional standards. If a plaintiff wants to prove the auditor was guilty of gross negligence or fraud, it is a much higher burden of proof. In this instance, the plaintiff must prove: •  A false representation was made by the auditor. •  The auditor knew the representation was false. •  The auditor intended to induce the plaintiff to rely on the false representation. •  The plaintiff relied on the misrepresentation. •  The plaintiff suffered damages. This is a high burden of proof and an audit firm with good quality controls would not let this situation happen. If the plaintiff can make the case that an audit firm was guilty of gross negligence or fraud, the plaintiff may be entitled to both compensatory damages and punitive damages.

Legal Reasoning Example  Duty of Care Grace Chermak is the audit partner on the audit of Price Construction LLC, a private company that manufacturers small tools. Both Grace and Price are located in a state that follows

 Auditor Liability Under Statutory Law  2-33 the restatement of torts laws. When planning the audit Grace knew the financial statements were primarily intended to be used by Last National Bank in evaluating debt covenants. After completing the audit and unbeknown to Grace, the financial statements are given to two other users: (1) another bank, and (2) a purchaser of 50% of Price Construction that was unforeseen at the time of the audit. To whom does Grace owe a duty of care under the restatement of torts law? Under restatement of torts Grace owes a duty of care to a specific class of foreseen third parties, which would include the two banks that used the financial statements. Grace does not owe the same duty of care to the purchaser of the 50% ownership interest in Price Construction. Had Grace known the financial statements would have been used in buying and selling the business, Grace might have planned the audit differently.

Before You Go On 8.1 Explain each of the two primary situations in which a CPA may be liable to his or her client. 8.2 Distinguish between foreseen and foreseeable third parties. Give an example of each. 8.3 Explain the significance of the Ultramares, Rusch Factors, Rosenblum, Credit Alliance, and Bily cases on the auditor’s liability to third parties for negligence. 8.4 What is the plaintiff’s burden of proof under common law? 8.5 Explain the due care defense as it applies to an audit.

Auditor Liability Under Statutory Law LEAR NING OBJECTI VE 9 Evaluate an auditor’s legal liability under statutory law. Statutory law is established by state and federal legislative bodies and specifically addresses auditor’s liability under certain circumstances. The following discussion addresses a number of statutory laws that address an auditor’s responsibility and liability to third-party users of financial statements. Some of these statutes also address management’s responsibility for preparing financial statements that are free of material misstatement. The discussion also addresses key cases that have set precedence under these statutes. Finally, the section concludes with a discussion of the auditor’s exposure to criminal liability under these statutes. Illustration 2.12 outlines the auditor’s liability under statutory law. The key elements of statutory law that are discussed in this section include the SEC Act of 1933, the SEC Act of 1934, the Foreign Corrupt Practices Act of 1977, the Private Securities Litigation Reform

ILLUSTRATION 2.12   Auditor liability under statutory law

Statutory Law

SEC Act of 1933

SEC Act of 1934

Foreign Corrupt Practices Act of 1977

Private Securities Litigation Reform Acts of 1995 and 1998

statutory law  law established by state and federal legislative bodies that specifically addresses the auditor’s liability under certain circumstances

Sarbanes– Oxley Act of 2002

Criminal Liability

2-34  C h a pte r 2  Professionalism and Professional Responsibilities

Acts of 1995 and 1998, the Sarbanes-Oxley Act of 2002, and the auditor’s exposure to criminal liability under statutory law.

The Securities Act of 1933 The 1933 Act is known as the Truth in Securities Act. It is designed to regulate the offering of a new security to the public through the mails or in interstate commerce. Suits against auditors under this Act are usually based on Section 11, Civil Liabilities on Account of False Registration Statement, which allows “any person” purchasing or otherwise acquiring the securities to sue when the financial statements are materially misstated. The Act makes the auditor liable for losses to third parties resulting from ordinary negligence, as well as from fraud and gross negligence, to the effective date of the registration statement. The principal effects of this Act on the parties involved in a suit may be summarized as follows. The plaintiff (e.g., investors): •  May be any person acquiring securities described in the registration statement, whether or not he or she is a client of the auditor. •  Must base the claim on an alleged material false or misleading financial statement contained in the registration statement. •  Does not have to prove reliance on the false or misleading statement or that the loss suffered was the proximate result of the statement if purchase was made before the issuance of an income statement covering a period of at least 12 months following the effective date of the registration statement. •  Does not have to prove that the auditors were negligent or fraudulent in certifying the financial statements involved. The defendant (e.g., the auditor) must prove one of the following:

due diligence defense  an audit firm must show that it made a reasonable investigation, that the firm followed auditing standards, and accordingly had reasonable grounds to believe, and did believe, that the statements certified were true at the date of the statements and as of the time the registration statement became effective

•  The audit firm made a reasonable investigation, that the firm followed auditing standards, and accordingly, had reasonable grounds to believe, and did believe, that the statements certified were true at the date of the statements and as of the time the registration statement became effective (a due diligence defense). •  The plaintiff’s loss resulted in whole or in part from causes other than the false or misleading statements. Therefore, there is a significant burden of proof that rests upon the auditor to show that the audit firm used due diligence in conducting the audit.

Escott v. BarChris Construction Corp (1968) BarChris was a company that was in constant need of cash. Purchasers of bonds filed suit under Section 11 when the company filed for bankruptcy, alleging that the registration statement pertaining to the sale of the bonds contained material false statements and material omissions. One of the defendants was Peat, Marwick, Mitchell & Co. (now KPMG), which pleaded the due diligence defense. The case revolved around the effectiveness of the audit firm’s subsequent events review (discussed in Chapter 14), called an S-1 review by the SEC. The purpose of the review was to determine whether, subsequent to the certified balance sheet, any material changes had occurred that needed to be disclosed to prevent the balance sheet from being misleading. The court concluded that Peat Marwick’s written audit program for the subsequent events review was in conformity with generally accepted auditing standards. However, it also found that the work done by the auditor who was performing his first S-1 review was unsatisfactory. The court concluded that the auditor did not meet the standards of the profession because he did not take some of the steps prescribed in the audit firm’s written program, the auditor did not spend an adequate amount of time on a task of this magnitude, and, most important of all, the auditor was too easily satisfied with glib answers given by the client.

 Auditor Liability Under Statutory Law  2-35

This case is important in that the court determined that following auditing standards generally accepted in the United States would meet the due diligence defense. The courts also determined that the subsequent events review by Peat Marwick did not meet professional standards, or the firm’s own standards.

The Securities Act of 1934 Congress passed this Act to regulate the public trading of securities in the secondary market (in contrast to the new issue of securities in the primary market covered by the 1933 Act). The 1934 Act requires companies included under the Act to (1) file a registration statement when the securities are publicly traded on a national exchange or over the counter for the first time and (2) keep the registration statement current through the filing of annual reports, quarterly reports, and other information with the SEC. Certain financial information, including the financial statements, must be audited by independent public accountants. The principal liability provisions of the 1934 Act are set forth in Sections 18 and 10. Under Section 18(a), the plaintiff: •  May be any person buying or selling the securities. •  Must prove the existence of a material false or misleading statement. •  Must prove reliance on such statement and damage resulting from such reliance. The defendant (the auditor) in a Section 18 suit must prove that he or she: •  Acted in good faith. •  Had no knowledge of the false or misleading statement. This means that the minimum basis for liability is gross negligence, not ordinary negligence. Accordingly, the auditor’s position under Section 18 is the same as under the common law doctrine of Ultramares, in which the auditor may also be held liable to third parties for gross negligence. Under Section 10(b) and the SEC-promulgated Rule 10b-5, it is unlawful for any person, directly or indirectly, to: •  Employ any device, scheme, or artifice to defraud. •  Make any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in the light of the circumstances under which they were made, not misleading. •  Engage in any act, practice, or course of business that operates, or would operate, as a fraud or deceit on any person in connection with the purchase or sale of any security. Section 10(b) and Rule 10b-5 are often referred to as the antifraud provisions of the 1934 Act. These antifraud provisions were made clear by the Ernst and Ernst v. Hochfelder decision, as discussed below. The securities acts apply to different situations. The 1933 Act applies to the initial distribution of securities (capital stock and bonds) to the public by the issuing corporation (primary market), whereas the 1934 Act applies to trading of securities in national security markets (secondary market). Differences between Section 11 of the 1933 Act and Sections 10 and 18 of the 1934 Act exist as to (1) the plaintiff, (2) proof of reliance on the false or misleading financial statements, and (3) the auditor’s liability for ordinary negligence, as summarized in Illustration 2.13. Item

1933 Act

1934 Act

Plaintiff

Any person acquiring the security

Either the buyer or seller of the security

Plaintiff must prove reliance

No

Yes

Defendant liability for ordinary negligence

Yes

No

ILLUSTRATION 2.13   Summary of differences in key sections of the 1933 and 1934 Acts

2-36  C h a pte r 2  Professionalism and Professional Responsibilities

Ernst & Ernst v. Hochfelder (1976) Lawsuits against auditors under the 1934 Act are usually based on Section 10(b) and Rule 10b-5. The plaintiffs (Hochfelder) were investors in an escrow account allegedly kept by the president (Lester K. Nay) of First Securities Co., a small brokerage firm, audited by Ernst & Ernst (now Ernst & Young). The escrow account, in which a high rate of return was promised, was a ruse perpetrated by Mr. Nay. To prevent detection, all investors were instructed to make their checks payable to Nay and to mail them directly to him at First Securities. Within the brokerage house, Nay imposed a “mail rule” that such mail was to be opened only by himself. The escrow account was not recorded on First Securities’ books. Plaintiffs sued Ernst for damages under Rule 10b-5 for aiding and abetting the embezzlement. They based their claim entirely on the premise that the auditors were negligent in their audit because they had not challenged or investigated the “mail rule.” Following conflicting lower court decisions, the U.S. Supreme Court ruled in favor of Ernst & Ernst, saying: When a statute speaks so specifically in terms of manipulation and deception, and of implementing devices and contrivances—the commonly understood terminology of intentional wrongdoing—and when its history reflects no more expansive intent, we are quite unwilling to extend the scope of the statute to negligent conduct. Based on this decision, an auditor is no longer liable to third parties under Section 10(b) and Rule 10b-5 of the 1934 Act for ordinary negligence. That is, the auditor has no liability in the absence of any intent to deceive or defraud (legally called scienter). Therefore, a plaintiff filing a lawsuit against an auditor under Rule 10(b)-5 of the 1934 Act must prove: •  The financial statements contain a material, factual misrepresentation or omission. •  The plaintiff relied on the financial statements. •  Damages were suffered as a result of the reliance on the financial statements. scienter  the auditor either had actual knowledge of the falsity of the representation, or had a reckless disregard for the truth or falsity of the representation

•  Scienter, that the auditor either had actual knowledge of the falsity of the representation, or had a reckless disregard for the truth or falsity of the representation.

The Foreign Corrupt Practices Act of 1977 The Foreign Corrupt Practices Act (FCPA), passed by Congress in 1977, makes bribing foreign officials illegal. The FCPA also addresses records retention required under the Securities Exchange Act of 1934. Through the FCPA, Congress increased the bookkeeping and accounting records requirement of those corporations bound by the 1934 Act. The major change was that the FCPA requires companies to maintain reasonable records and to have an adequate system of internal control. For records to be reasonable, they must be both complete and accurate. The FCPA applies to the work of auditors when an integrated audit reports on internal control over financial reporting. If the auditor concludes that internal control over financial reporting is effective, and it is proved otherwise, the auditor may be liable under the FCPA.

The Private Securities Litigation Reform Acts of 1995 and 1998 As a result of the Hochfelder decision, many lawsuits against auditors moved to state court under common law actions, and audit firms experienced an increase in both frivolous and abusive lawsuits. In response to this environment, Congress passed the Private Securities Litigation Reform Act of 1995 (Reform Act) to reduce frivolous litigation risk for auditors, publicly traded companies, and those parties affiliated with security issuers, such as officers, directors, and other professional advisors (e.g., underwriters and lawyers). The Reform Act substantially revised the Securities Act of 1933 and the Securities Exchange Act of 1934.

 Auditor Liability Under Statutory Law  2-37

The Reform Act instituted a system of proportionate liability whereby defendants who are not found to have “knowingly committed a violation” of securities laws are liable based on the defendant’s percentage of responsibility. This is intended to reduce the coercive pressure for innocent parties to settle meritless claims out of court rather than risk exposing themselves to liability for a grossly disproportionate share of the damages in a case. Defendants who “knowingly committed a violation” continue to be jointly and severally liable for all damages that may be assessed. For example, assume that a company has gone bankrupt, investors successfully claim the audited financial statements were materially misstated, and a jury determines that the auditor was 35% responsible for damages incurred by investors and the company was 65% responsible for the damages. Under proportionate liability, the auditor would be responsible for 35% of the damages. However, under joint and several liability, investors can recover damages from any of the defendants. If the company is bankrupt and unable to pay any damages, the auditor could potentially be responsible for 100% of the damages. If a defendant does not knowingly commit a violation of the securities acts, the Reform Act also places a cap on the proportionate share of damages that can be collected from other defendants. If another defendant’s share cannot be collected from that defendant, or from jointly and severally liable defendants, each proportionately liable defendant is then liable for a proportionate share of the uncollectible amount, only up to an amount equal to an additional 50% of such defendant’s initial share. The Reform Act imposed new reporting requirements on auditors who detect or otherwise become aware of illegal acts by issuers of securities. If an auditor concludes that an illegal act has a direct and material effect on the financial statements, and senior management has not taken appropriate action, and the failure warrants a departure from a standard report or a resignation from the engagement, the auditor should report these conclusions directly to the board of directors. The board should then notify the SEC within one day. If the board does not file a timely report with the SEC, the auditor should make a report to the SEC. The Reform Act explicitly states that the auditor will not be held liable in a private action for any finding, conclusions, or statements made in such reports. Three years later, Congress passed the Securities Litigation Uniform Standards Act of 1998. This was passed to prevent plaintiffs from evading federal courts by taking abusive lawsuits to state courts. Large class action lawsuits alleging securities fraud against auditors must now be filed in federal court. Only smaller class action lawsuits of fewer than 50 people can be filed in state court.

The Sarbanes-Oxley Act of 2002 The Sarbanes-Oxley Act of 2002 (SOX) had a number of provisions that influenced the auditing environment. SOX made it illegal for auditors to provide certain nonattest services to clients, and it changed the regulation of the auditing profession. It also significantly changed the audit environment by imposing increased penalties for management of public companies who engage in fraudulent financial reporting, as discussed below.

Changes for Auditors As discussed previously in SEC and PCAOB Independence Rules, SOX makes it “unlawful” to perform audit services for a public company and also perform the following nonattest services for audit clients: •  Bookkeeping or other services related to the accounting records or financial statements of the audit client. •  Financial information systems design and implementation. •  Appraisal or valuation services, fairness opinions, or contribution-in-kind reports. •  Actuarial services. •  Internal audit outsourcing services. •  Management functions or human resources. •  Broker or dealer, investment adviser, or investment banking services.

proportionate liability  defendants who are not found to have “knowingly committed a violation” of the securities law are liable based on the defendant’s percentage of responsibility

2-38  C h a pte r 2  Professionalism and Professional Responsibilities

•  Legal services and expert services unrelated to the audit. •  Any other service that the PCAOB determines, by regulation, is impermissible. Further, Section 203 of SOX mandates rotation of the lead audit partner and the audit partner having responsibility for reviewing the audit every five years. SOX also changed the regulatory environment. The Act gave the PCAOB authority to establish auditing standards, quality control standards, and independence standards for auditors of public companies. Prior to SOX, the auditing profession was responsible for these functions through the self-regulatory functions of the American Institute of CPAs.

Changes for Management of Public Companies SOX strengthened penalties imposed on management of public companies who were responsible for false and misleading financial statements. Following is an overview of key provisions of the Act that affect management of public companies. Section 302 requires a public company’s CEO and CFO to prepare a statement to accompany the audit report to certify the “appropriateness of the financial statements and disclosures contained in the periodic report, and that those financial statements and disclosures fairly present, in all material respects, the operations and financial condition of the issuer.” It also creates a liability for the CEO and CFO who knowingly and intentionally make false certifications. Section 303 makes it unlawful for any officer or director of an issuer to take any action to fraudulently influence, coerce, manipulate, or mislead any auditor engaged in the performance of an audit for the purpose of rendering the financial statements materially misleading. Section 305 requires the CEO and CFO of a company that restates financial statements due to “material noncompliance” with financial reporting requirements to “reimburse the company for any bonus or other incentive-based or equity-based compensation received” during the 12 months following the issuance or filing of the noncompliant document and “any profits realized from the sale of securities of the issuer” during that period. Furthermore, this section of the Act authorizes the federal courts to “grant any equitable relief that may be appropriate or necessary for the benefit of investors” for any action brought by the SEC for violation of the securities laws. A provision within SOX is the Corporate and Criminal Fraud Accountability Act of 2002. Illustration 2.14 summarizes the key provisions of this act. ILLUSTRATION 2.14   Key provisions of the Corporate and Criminal Fraud Accountability Act of 2002

Title VIII of the Corporate and Criminal Fraud Accountability Act of 2002

Title IX of the Corporate and Criminal Fraud Accountability Act of 2002

•  Makes it a felony to “knowingly” destroy or create documents to “impede, obstruct or influence” any existing or contemplated federal investigation.

•  The maximum penalty for mail and wire fraud under the 1933 and 1934 Acts was increased from 5 to 10 years.

•  Requires auditors to maintain “all audit or review work papers” for five years. •  Extends the statute of limitations on securities fraud claims to the earlier of five years from the fraud or two years after the fraud was discovered. •  Extends “whistleblower protection” to employees of public companies and their auditors, which would prohibit the employer from taking certain actions against employees who lawfully disclose private employer information to, among others, parties in a judicial proceeding involving a fraud claim. Whistleblowers are also granted a remedy of special damages and attorney’s fees. •  Creates a new crime for securities fraud that has penalties of fines and up to 10 years imprisonment.

•  Financial statements filed with the SEC must be certified by the CEO and CFO. The certification must state that the financial statements and disclosures fully comply with provisions of the Securities Exchange Acts and that they fairly present, in all material respects, the operations and financial condition of the issuer. Maximum penalties for willful and knowing violations of this section are a fine of not more than $500,000 and/or imprisonment of up to five years. •  The SEC was given authority to seek a court freeze of extraordinary payments to directors, offices, partners, controlling persons, and agents of employees and to prohibit anyone convicted of securities fraud from being an officer or director of any publicly traded company. •  Makes it a criminal offense to tamper with a record or otherwise impede any official proceeding and asks the U.S. Sentencing Commission to review sentencing guidelines for securities and accounting fraud.

 Auditor Liability Under Statutory Law  2-39

Criminal Liability The only entities that can bring charges for criminal causes of action are governments (federal and state). Auditors can be subject to criminal liability under both the 1933 and 1934 Securities Acts. Criminal liability subjects auditors to penalties of fines or imprisonment or both. Criminal penalties are provided under Sections 17 and 24 of the Securities Act of 1933. For example, Section 24 provides for penalties on conviction of no more than $10,000 in fines or imprisonment of not more than 10 years, or both, for willfully making an untrue statement or omitting a material fact in a registration statement. Further, Section 32(a) of the Securities Act of 1934 establishes criminal liability for “willfully” and “knowingly” making false or misleading statements in reports filed under the Act. This section also provides for criminal penalties for violating the antifraud provisions of Section 10(b) consisting of fines of not more than $100,000 or imprisonment for not more than five years, or both. Further, state boards of accountancy will usually revoke CPA licenses for findings of criminal violations. In addition, SOX prohibits the destruction of documents and increases the prison penalty for such actions to 20 years. SOX also increases penalties under criminal statutes of the 1933 and 1934 Securities Act from 5 years to 10 years. Following is a summary of several key cases related to criminal liability for auditors.

United States v. Simon (1969) This was a criminal case brought under Section 24 of the 1933 Securities Act. The case involved the adequacy of disclosure about loans made by Continental Vending to its affiliated company, Valley Commercial Corporation, which subsequently lent the money to the president of Continental (Roth). The loans to Roth were secured primarily by the pledging of Continental common stock owned by Roth. Valley, in turn, pledged this stock as collateral against the loans from Continental. The government charged that the disclosure was false and misleading. The defendants (two partners and an audit senior) argued that the disclosure was in conformity with GAAP and that such compliance was a conclusive defense against criminal charges of misrepresentation. The trial judge rejected this argument and instructed the jury that the “critical test” was whether the balance sheet fairly presented financial position without reference to generally accepted accounting principles. The jury concluded that the balance sheet did not present fairly, and the three defendants were convicted of the criminal charges. The U.S. Court of Appeals refused to reverse the decision and held that We do not think the jury was . . . required to accept the accountants’ evaluation whether a given fact was material to overall fair presentation, at least not when the accountant’s testimony was not based on specific rules and prohibitions to which they could point, but only on the need for the auditor to make an honest judgment and their conclusion that nothing in the financial statements themselves negated the conclusion that an honest judgment had been made. Such evidence may be highly persuasive, but it is not conclusive, and so the trial judge correctly charged. The defendants were found guilty. They were fined $17,000 and their licenses to practice as CPAs were revoked because of the criminal conviction. The defendants did not receive jail time.

United States v. Natelli (1975) This was a landmark case because the auditors were convicted and sentenced to time in prison. Anthony Natelli, a Peat, Marwick, Mitchell & Company (now KPMG) partner, and audit supervisor Joseph Scansaroli were involved in the audit of National Student Marketing Corporation. The financial statements for fiscal year ended August 31, 1968, were misstated because the company reported as actual sales amounts that were really only commitments. A material amount of the commitments were known to be uncollectible and were written off in the next fiscal year, but were still shown as income in the financial statements used in the

criminal liability  subjects auditors to penalties of fines or imprisonment or both; the only entities that can bring charges for criminal causes of action are federal or state governments

2-40  C h a pte r 2  Professionalism and Professional Responsibilities

September 30, 1969, proxy statement. The two auditors were convicted of willingly and knowingly making false and misleading statements in the proxy statements under the Securities Act of 1934. Both received fines in addition to prison sentences. Scansaroli’s conviction was later reversed.

United States v. Weiner (1978) This case was associated with the audit of Equity Funding Corporation of America. Equity Funding sold insurance. To maintain the value of the company’s stock, management directed that fraudulent sales of insurance policies, and related receivables, be recorded in the company’s records. Eventually the fraud evolved to a reissuance scheme in which fraudulent insurance policies were resold to other insurers. The scheme required a massive amount of fictitious document creation and recordkeeping to maintain appearances. The auditors were found guilty because the fraud was so extensive that they should have known about it. One public accounting firm partner and two managers received criminal convictions and over $40 million of civil penalties were paid.

ESM Government Securities v. Alexander Grant & Co. (1987) The ESM case involved a fraud perpetrated by ESM management that was voluntarily revealed to the Alexander Grant (now Grant Thornton) audit partner responsible for the engagement. The audit partner, Joe Gomez, chose to remain silent about the fraud with the expectation that management would be able to reverse the problems if given time. In addition, the fraud had been going on for years, and Gomez did not want to admit and report to his firm that he had missed finding the fraud in prior audits. Because of his silence, which helped the fraud to continue, Gomez was charged with knowingly filing false and misleading audit reports. In addition, he was charged with having received secret payments from ESM officers totaling $125,000. Gomes was sentenced to 12 years in prison.

HealthSouth (2003) HealthSouth made its name as a provider of outpatient surgery, diagnostic, imaging, and rehabilitation health-care services. In 2003, the company and CEO Richard M. Scrushy were charged with accounting fraud and overstating earnings. The fraud dealt with intentional manipulation of corporate accounts to increase earnings so that the company would meet analyst’s expectations. Scrushy was accused of managing the company in such a way that it influenced employees to participate in the fraud. He placed extreme emphasis on meeting earnings expectations. The entire senior management team was relatively young and inexperienced, enabling Scrushy to manage the team through fear. HealthSouth’s CFO, William T. Owens, admitted to accounting fraud and instructing subordinates to make phony accounting entries. He turned himself in to authorities in 2003 and testified against Scrushy. Scrushy was eventually acquitted of criminal wrongdoing in 2005. Nevertheless, he settled with the SEC in 2007 for $77.5 million plus $3.5 million in civil penalties. In 2009, Scrushy was sued for fraud by HealthSouth investors, and he was ordered to repay his company $2.8 billion.

Cloud 9 - Continuing Case Sharon, Josh, and Ian Harper (a first-year audit staff) are having lunch and talking about Cloud 9, a potential audit client. Ian asks, “Cloud 9 is a public company and has operations in a number of states, as well as internationally. I remember from my auditing class that an auditor’s legal liability may differ from state to state, and that federal laws, which are different, may take precedence over state laws. In this litigious environment, how does the firm plan to adequately protect itself with this apparent patchwork of

different laws?” Sharon turns to Josh, asking him what he thinks about this question. Josh answers that one defense that is virtually universal is the due diligence defense. W&S Partners has invested significant time and effort in developing a strong system of quality control. If the firm’s working papers show that the auditors have used due diligence in carrying out their audit, the firm should be able to fend off legal liability. Sharon agrees with Josh. “It is very important that we follow professional standards at all times.”

  Learning Objectives Review  2-41

Before You Go On 9.1 What transactions are covered by the Securities Act of 1933? Develop examples of transactions that are, and are not, covered by this Act. 9.2 What is the burden of proof for the plaintiff and the defendant auditor under the Securities Act of 1933? Explain in the context of the BarChris case. 9.3 Explain the conditions of auditor liability under Rule 10(b)-5 of the 1934 Securities Exchange Act. What were the findings under this section as they related to the Hochfelder case? 9.4 What is proportionate liability under the Private Securities Reform Act of 1995? What finding is important for a defendant to obtain the benefits of proportionate liability? 9.5 Explain how SOX significantly changed the audit environment for auditors. 9.6 Explain how criminal liability is different from civil liability. Illustrate your discussion with the results of actual cases.

Learning Objectives Review 1  Explain what it means to be a professional and how

these traits apply to auditors. The term professional is often used loosely in various contexts. Robert Mautz talked articulately about the difference between the expert competitor (EC) professional and the concern for the public interest (CPI) professional. Auditors fall into the category of CPI professionals. CPI professions are often recognized by a specialized body of knowledge, a formal education process, standards governing admission to the profession, a code of ethics, recognized status indicated by a license, a public interest in the work that practitioners perform, and the recognition by practitioners of an obligation to society. Auditors are granted an exclusive license to perform audits in exchange for their responsibility to the public to provide reasonable assurance that financial statements are free of material misstatements. 2  Explain the structure of the AICPA Code of Profes-

sional Conduct. The AICPA Code of Professional Conduct applies to all AICPA members as well as to all CPAs in many states. The Code consists of principles, rules, and interpretations. Rules of conduct are enforceable and a CPA must be prepared to justify departures from the rules. Further, members whose conduct departs from interpretations have the burden of justifying the departure in a disciplinary hearing. The Code is also structured into four parts: a preface applicable to all members; Part I, which includes ethical rules for members in public practice; Part II, which includes ethical rules for members in business; and Part III, which includes ethical rules for other members (e.g., non-CPA members of the AICPA). 3  Apply the conceptual framework approach to ethical

decision making for members in public practice. The conceptual framework is designed to assist CPAs in situations that are not addressed in the rules or interpretations of the AICPA

Code of Professional Conduct. Illustration 2.2 depicts the five steps a CPA should apply when considering evaluating an ethical situation: (1) identify threats to compliance with rules, (2) evaluate the significance of the threat, (3) identify and apply safeguards, (4) evaluate the effectiveness of the safeguards, and (5) document the threats and safeguards applied. A CPA should judge his or her ethical conduct from the perspective of a reasonable and informed third party. 4  Evaluate the ethical behavior needed to comply with

rules of conduct on integrity and objectivity. The ethical rule on integrity and objectivity requires a CPA to (1) be free of conflicts of interest, (2) not knowingly misrepresent facts, and (3) not subordinate his or her judgment to others. 5  Evaluate the ethical behavior needed to comply with rules of conduct on independence. A CPA should be both independent in fact (act with integrity and objectivity) and independent in appearance in the eyes of reasonable and informed third parties. It is important for CPAs to understand how independence rules apply to covered members, immediate family members, close relatives, and other professionals in an audit firm. CPAs also need to understand what is prohibited or allowed in terms of investments in an attest client, loans to or from an attest client, employment relationship with an attest client, or the performance of nonattest services for an attest client. 6  Evaluate the ethical behavior needed to comply with rules of conduct on general standards. The general standards apply to any CPA performing any professional engagement for a client. At a minimum a CPA must have the appropriate professional competence to complete the engagement, use due professional care, adequately plan and supervise the engagement, and obtain sufficient relevant data to support conclusions or recommendations.

2-42  C h a pte r 2  Professionalism and Professional Responsibilities

7  Evaluate the ethical behavior needed to comply with

other rules of conduct for members in public practice. It is not possible to cover all the remaining rules of conduct for members in public practice. Illustration 2.1 provides a general outline of the rules of conduct for members in public practice. In particular, you should understand a CPA’s responsibility for complying with accounting principles and the types of engagements and the situations in which it is appropriate for a CPA to accept a commission, a referral fee, or a contingent fee. A CPA must also take care not to disclose confidential client information without the specific consent of the client, and a CPA must be cognizant of specific situations where confidential client information may be disclosed. 8  Evaluate an auditor’s legal liability under common law Auditors are liable to clients for their negligent actions that result in either breach of contract or tort actions. Auditor liability to third parties under common law varies from state to state. Three important doctrines that address common law to third parties are (1) the primary beneficiaries doctrine, (2) the restatement of torts doctrine, and (3) the foreseeable third parties doctrine. These doctrines explain when an auditor would be liable to third parties for ordinary negligence. Illustration 2.11 identifies important cases discussed in the chapter that address liability to third parties under common law. The auditor’s primary defense under common law is the due care defense, where the auditor’s working papers and documentation show that an audit was performed in accordance with auditing standards generally accepted in the United States. 9  Evaluate an auditor’s legal liability under statutory law.

summarized in Illustration 2.13. Under the 1933 Securities Act, auditors are liable for their negligence to persons who purchased or otherwise acquired a new issue of securities covered by a registration statement that included a material misstatement of fact in the financial statements. Under the 1934 Act, the auditor must be found to intend to deceive or defraud or be guilty of gross negligence to be found liable. Today, investors who suffer damages due to material misstatements in financial statements often find it easier to sue auditors under common law than under the 1934 Securities Act. The two most important reforms under the Private Securities Litigation Reform Act of 1995 include instituting a system of proportionate liability and a cap on damages into the federal securities laws. In addition, the law imposed new reporting requirements on auditors who detect or otherwise become aware of illegal acts that have a material effect on the financial statements by issuers of securities. The law also instituted a number of other reforms, making it difficult to bring frivolous lawsuits against auditors. SOX significantly changed the audit environment for both auditors and management. This section of the chapter discusses both nonattest services that are now unlawful for auditors to perform for audit clients, and the PCAOB’s responsibility for setting auditing standards, quality control standards, and independence standards for auditors of public companies. In addition, the section describes the legal liability of management, particularly the CEO and CFO. Knowing and willful violation of SOX can result in fines and imprisonment. Finally, improved systems of internal control are designed to improve the audit environment. The federal government can bring criminal charges against auditors under the 1933 and 1934 Securities Act for willfully and knowingly making false or misleading statements in reports filed under the Acts. Criminal penalties include fines and imprisonment. Also, state boards of accountancy have the ability and will usually revoke CPA licenses for criminal violations.

The auditor’s liability to financial statement users under the Securities Acts of 1933 and 1934 are significantly different, as

Key Terms Review Adverse interest threat Advocacy threat Audit committee Breach of contract Close relative Common law Covered member Criminal liability Due care defense Due diligence defense Due professional care Familiarity threat Foreseeable parties Foreseen class

Fraud Gross negligence Immediate family member Independence Independent in appearance Independent in fact Integrity and objectivity Interpretations Key position Management participation threat Ordinary negligence Other beneficiaries Planning and supervision Primary beneficiary

Principles Privity of contract Professional competence Proportionate liability Rules of conduct Scienter Self-interest threat Self-review threat Statutory law Sufficient relevant data Third party Tort Undue influence threat

 Audit Decision-Making Example  2-43

Audit Decision-Making Example Background Information Lisa Cole is a tax partner in the mid-sized CPA firm of Cole and Bayless LLP. Cole and Bayless LLP has been doing significant tax work and advising the owners of Aiwa Hardware on business restructuring over the last two years. Lisa’s husband, Perry, is one of six investors and owners of Aiwa Hardware. As a result, a conflict of interest was identified and disclosed to the owners of Aiwa Hardware. Lisa has not been allowed to have any connection to, or influence on, the tax or business restructuring engagements for Aiwa Hardware, and a second partner reviewed these engagements to ensure the firm acted with integrity and objectivity. Aiwa Hardware owes Cole and Bayless LLP $200,000 in fees for the tax and restructuring work. On December 1, 2021, after significant discussions between Fifth State Bank and the owners of Aiwa Hardware, the bank will require audited financial statements from Aiwa Hardware for the year ended December 31, 2022. Aiwa Hardware has not been audited before and the only financial information used by the bank have been tax returns. After discussions on December 3, 2021, involving Aiwa Hardware’s owners and the accounting firm’s managing partner Rick Bayless, the following conclusions are reached: (a) Perry Cole will sell his share to the other five investors and owners of Aiwa Hardware for cash as of December 15, 2021, and will discontinue any participation in the business as of that date and (b) Rick Bayless will accept an offer from the remaining owners of Aiwa Hardware to give Cole and Bayless, LLP a secured, interest-bearing note dated December 15, 2021, in settlement of the outstanding account receivable to the CPA firm with repayment terms over 3 years. On May 1, 2022, Rick Bayless and Lee Aiwa sign an engagement letter for Cole and Bayless LLP to do the audit of Aiwa Hardware for the year ended December 31, 2022.

Identify the Ethics Issue(s) Identify any threats to ethical behavior on the part of Cole and Bayless LLP. Also address the significance of the threats and any safeguards that can be put in place to reduce the threat to an acceptable level.

Gather Information and Evidence Ethical threats include: •  A familiarity threat presents a conflict of interest and a threat to acting with integrity and objectivity (ET 1.110.010.04)— exists because Lisa Cole is a partner in the CPA firm and her husband is an owner in Aiwa Hardware through December 15, 2021. •  A self-interest threat presents a conflict of interest and a threat to acting with integrity and objectivity (ET 1.110.010.04)—

exists because Lisa Cole is a partner in the CPA firm and her husband is an owner in Aiwa Hardware through December 15, 2021. •  A self-interest threat presents a conflict of interest and a threat to acting with integrity and objectivity (ET 1.110.010.04)— exists because Cole and Bayless LLP has a direct investment in Aiwa Hardware in the form of a secured debt instrument as of December 15, 2021. •  A self-interest threat presents a conflict of interest and a threat to independence (ET 1.120.010.16)—exists because Cole and Bayless LLP has direct investment in Aiwa Hardware in the form of a secured debt instrument, as of December 15, 2021.

Analysis and Evaluation of Alternatives •  Cole and Bayless LLP does not need to be independent to do tax work or consulting work (advising on business restructuring). It does need to be independent to do any attest work, including auditing the financial statements of Aiwa Hardware. •  The fact that Lisa Cole’s conflict of interest is disclosed to the client; she is not allowed to perform any work, or influence the work for Aiwa Hardware; and a second partner reviews the work for Aiwa Hardware is sufficient to ensure the integrity and objectivity of the firm with respect to performing tax and consulting services for Aiwa Hardware (ET 1.110.010). •  Lisa’s husband sells his ownership interest in Aiwa Hardware and discontinues any participation in the Aiwa Hardware business prior to the period under audit beginning January 1, 2022. This eliminates the familiarity and self-interest threats associated with his ownership interest for periods beginning after January 1, 2022. •  A self-interest threat presents a conflict of interest, and a threat to independence exists because Cole and Bayless LLP has a direct investment in Aiwa Hardware in the form of a secured debt instrument. No safeguard (ET 1.210.010.02) can be put in place to safeguard this threat and Cole and Bayless LLP is not independent with respect to performing any attest work for Aiwa Hardware, including an audit. The independence of Cole and Bayless LLP is impaired. The fact that the relationship is known by Aiwa Hardware does not eliminate the threat to independence.

Ethical Conclusions Cole and Bayless can continue to perform tax and consulting engagements for Aiwa Hardware. However, the firm cannot perform any attest engagements because the firm is not independent. There is no safeguard to the self-interest threat created by the direct investment in Aiwa Hardware.

CPAexcel CPAexcel questions and other resources are available in WileyPLUS.

2-44  C h a pte r 2  Professionalism and Professional Responsibilities

Multiple-Choice Questions 1.  (LO 1)  A key aspect of the “concern for the public interest” definition of a professional is: a.  the level of professional expertise of the professional. b.  t he fact that there are situations where professionals must put the interest of society ahead of the interest of their clients or their own well-being. c.  t he incorporation of this definition into the Sarbanes-Oxley Act of 2002. d.  the unique ability of CPAs to sign attest reports. 2.  (LO 2)  Which of the following statements is true about interpretations of the AICPA Code of Professional Conduct? a.  Interpretations are not enforceable by the AICPA in a disciplinary matter. b.  I nterpretations are strictly enforceable by the AICPA in a disciplinary matter. c.  I nterpretations are strictly enforceable by the AICPA and all state boards of accountancy in a disciplinary matter. d.  An AICPA member who departs from an interpretation has the burden of justifying a departure in any disciplinary hearing. 3.  (LO 3)  In the conceptual framework to the AICPA Code of Professional Conduct, a self-interest threat is: a.  the threat that a CPA could benefit, financially or otherwise, from an interest in, or a relationship with, a client or persons associated with the client. b.  t he threat that a CPA will not act with objectivity because the CPA’s interests are opposed to the client’s interests c.  t he threat that a CPA will take on the role of client management or otherwise assume management responsibilities.

6.  (LO 5)  A CPA who is a “covered person” purchased stock in a client corporation and placed it in a trust as an educational fund for the CPA’s minor child. The trust securities were not material to the CPA but were material to the child’s personal net worth. Would the independence of the CPA be considered impaired with respect to the client? a.  Yes, because the stock would be considered an indirect financial interest that is material to the CPA’s child. b.  No, because the CPA would not be considered to have a direct financial interest in the client. c.  Y  es, because the stock would be considered a direct financial interest and, consequently, materiality is not a factor. d.  No, because the CPA would not be considered to have a material indirect financial interest in the client. 7.  (LO 5)  Under the AICPA ethics rules on independence, which of the following individuals would not be a covered member? a.  A consulting manager in another office who provides 100 hours of non-audit services to the audit client. b.  A partner in the same office as the lead partner who provides no services to the audit client. c.  A  partner in another office who evaluates partner performance and compensation, but provides no services to the audit client. d.  A tax partner in another office who provides 9 hours of tax services to the audit client. 8.  (LO 5)  Which of the following best describes the independence requirements for a close relative of a covered member? a.  A close relative cannot have an immaterial, direct investment in an audit client. b.  A close relative cannot have a loan from an audit client.

d.  the threat that a CPA will promote a client’s interests or position to the point that the CPA’s objectivity or independence is compromised.

c.  A close relative cannot hold a key position with an audit client.

4.  (LO 4)  A CPA would violate the AICPA rule on integrity and objectivity if:

9.  (LO 6)  The essence of the due care standard is that the auditor should not be guilty of:

d.  A close relative cannot have an immaterial, indirect investment in an audit client.

a.  a CPA in industry knowingly misrepresented the earnings of the company he worked for.

a.  bias.

b.  a CPA in public practice represented both the buyer and seller in helping the parties negotiate the sale (purchase) of a business.

c.  fraud.

c.  a CPA who was an audit staff member subordinated his or her judgment to that of the audit partner. d.  All of the answers are violations of the AICPA rule on ­integrity and objectivity. 5.  (LO 5)  According to the profession’s ethical standards, an auditor would be considered independent in which of the following instances? a.  A professional employee, who does not work on the audit, has a spouse who is a marketing manager for an audit client. b.  The auditor is also an attorney who advises the client as its general counsel. c.  An employee of the auditor donates service as treasurer of a charitable organization that is a client. d.  The client owes the auditor fees for two consecutive annual audits.

b.  errors in judgment. d.  negligence. 10.  (LO 7)  Without the consent of the client, a CPA should not disclose confidential client information contained in working papers to a: a.  voluntary quality control review board. b.  CPA firm that is a likely successor auditor. c.  f ederal court that has issued a valid subpoena. d.  disciplinary body created under state statute. 11.  (LO 8)  If a stockholder sues a CPA for common law fraud based on false statements contained in the financial statements audited by the CPA, which of the following is the CPA’s best defense? a.  The CPA did not financially benefit from the alleged fraud. b.  There was contributory negligence of the client. c.  T  he stockholder lacks privity to sue. d.  The auditor followed GAAS.

 Review Questions  2-45 12.  (LO 8)  Starr Corp. approved a plan of merger with Silo Corp. One of the determining factors in approving the merger was the strong financial statements of Silo, which were audited by Cox & Co., CPAs. Starr had engaged Cox to audit Silo’s financial statements. While performing the audit, Cox failed to discover material fraud, which subsequently caused Starr to suffer substantial losses. For Cox to be liable under common law under the Ultramares decision, Starr, at a minimum, must prove that Cox: a.  was a party to the fraud. b.  acted recklessly or with a lack of reasonable grounds for belief. c.  failed to exercise due care. d.  w  as grossly negligent. 13.  (LO 9)  When a plaintiff is suing the auditor for damages under Rule 10(b)-5 of the 1934 Securities Act, which of the following is not part of the plaintiff’s burden of proof?

c.  The plaintiff relied on the financial statements. d.  Damages were suffered as a result of reliance on the financial statements. 14.  (LO 9)  One of the elements necessary to recover damages if there has been a material misstatement in a registration statement filed pursuant to the Securities Act of 1933 is that: a.  t here was a material false or misleading statement in the financial statements. b.  the plaintiff knew the auditor. c.  issuer and plaintiff were in privity of contract with each other. d.  issuer failed to exercise due care in connection with the sale of the securities.

a.  The financial statements contained a material, factual misrepresentation or omission. b.  The auditor was negligent.

Review Questions R2.1  (LO 1)  Explain the “public interest” in the work performed by auditors. R2.2  (LO 1)  There are a series of characteristics associated with CPI professionals. Explain how they apply to architecture and to public accounting. R2.3  (LO 2)  Explain the differences between Parts 1, 2, and 3 of the AICPA Code of Professional Conduct. R2.4  (LO 2, 3)  Assume that a CPA has an opportunity to bid on a new audit client. The accounting firm is being considered because the CPA’s best friend from college is the CFO of the potential client. Apply the conceptual framework for members in public practice to this situation. Explain any threats involved and whether any safeguards can be applied to reduce the threat to an acceptable level. R2.5  (LO 2, 3)  Assume that a CPA has just received a new audit client. The client will be the firm’s largest audit client, and the firm will have to hire one new staff member to staff the engagement. The fees will represent 25% of the firm revenues. Apply the conceptual framework for members in public practice to this situation. R2.6  (LO 4)  Explain the rule on integrity and objectivity. Give examples of conflicts of interest, knowingly misrepresenting facts, or subordinating judgment. R2.7  (LO 5)  Is it appropriate for an audit firm to ask questions of an employee about his or her investments or the investments of his or her spouse? Why or why not? R2.8  (LO 3, 5)  What independence problems are created when an audit manager is approached by a private company audit client, which he or she audits, to become the company’s CFO? Are there appropriate safeguards that can be put in place to protect the audit firm’s independence?

R2.9  (LO 5)  List three situations in which the SEC and PCAOB independence rules are stricter than the AICPA rules. Give an example of each. R2.10  (LO 6)  The AICPA rule on general standards identifies four aspects of professional behavior. Identify each of the four aspects and develop an example illustrating the violation of each aspect. R2.11  (LO 7)  Henry Owens, CPA works in a local accounting firm. He is the tax manager on a major client in the office. The firm prepares compiled financial statements for the client on a quarterly basis. The client was impacted by the BP oil spill off the Gulf coast, and the client would like to engage Henry to help the business prepare a claim for damages from BP. The client would like to pay Henry on a contingent fee basis where Henry and his firm would receive 15% of any amounts recovered in a settlement with BP. Henry would receive no fee unless amounts are recovered. Can Henry accept this engagement? Why or why not? R2.12  (LO 8)  What does a third-party user of financial statements have to prove under common law in a suit against an auditor for the auditor’s negligence? Illustrate each item with an example. R2.13  (LO 8)  John Rodrigeuz purchased newly issued bonds of Fly By Night Airlines in the primary market. Subsequently Fly By Night went bankrupt. What statutory law applies to this transaction? What does John have to prove in a lawsuit against Fly By Night’s auditors? R2.14  (LO 9)  Mary Chen purchased shares of Fly By Night Airlines in the secondary market. Subsequently Fly By Night went bankrupt. What statutory law applies to this transaction? What does Mary have to prove in a lawsuit against Fly By Night’s auditors?

2-46  C h a pte r 2  Professionalism and Professional Responsibilities

Analysis Problems AP2.1  (LO 2, 3)  Basic   Framework for ethical decision making  Assume that you are the audit partner on an engagement for a client that has had a string of operating losses. You know the CFO, who is a former audit manager of your firm. The company still has a positive net worth, but you are worried that the company might have to close down within the next year or so. When you tell the CFO that the company should make full disclosure in the notes concerning substantial doubt about the company’s ability to continue as a going concern, your colleague says, “Hogwash! There’s no substantial doubt. The probability of our having to close down is remote. We’ll make no such disclosure. To do so would only make our customers and creditors nervous, possibly making such a disclosure a self-fulfilling prophecy. Our competitors are as bad off as we are, and their auditors aren’t making them send out a distress signal.” You agree that the determination of “substantial doubt” is a judgment call.

Required Apply the five-step Conceptual Framework for Members in Public Practice to this dilemma. AP2.2  (LO 5)  Moderate   Independence  The attribute of independence has been traditionally associated with the CPA’s function of auditing and expressing opinions on financial statements.

Required a. What is meant by “independence” as applied to the CPA’s function of auditing and expressing opinions on financial statements? Discuss. b. The Wallydrug Company is indebted to a CPA for unpaid fees and has offered to issue to the CPA unsecured interest-bearing notes. Would acceptance of these notes have any bearing on the CPA’s independence with respect to Wallydrug Company? Discuss. c. The Rocky Hill Corporation was formed on October 1, 2021, and its fiscal year will end on September 30, 2022. You audited the corporation’s opening balance sheet and rendered an unqualified opinion on it. A month after rendering your report, you are offered the position of secretary of the board of directors because of the need for a complete set of officers and for convenience in signing various documents. You will have no financial interest in the company through stock ownership or otherwise, will receive no salary, will not keep the books, and will not have any influence on its financial matters other than occasional advice on income tax matters and similar advice normally given a client by a CPA. 1. Assume that you accept the offer but plan to resign the position prior to conducting your annual audit, with the intention of again assuming the office after rendering an opinion on the statements. Can you render an independent opinion on the financial statements? Discuss. 2. Assume that you accept the offer on a temporary basis until the corporation has gotten under way and can find a replacement for secretary of the board of directors. In any event, you would permanently resign the position before conducting your annual audit. Can you render an independent opinion on the financial statements? Discuss. AP2.3  (LO 5)  Challenging   Public Company   Research   Independence  Jones and Jones, CPA, has a manufacturing client, Widgit Technologies, Inc. (WTI), that is a small, owner-managed business with annual revenues of approximately $8 million. WTI employs a bookkeeper but is not large enough to employ a CPA in-house. WTI regularly asks Margaret Jones, the partner on the engagement, for advice on accounting issues, and Jones and Jones drafts the financial statements for the company. The client reviews the financial statements before they are printed by Jones and Jones with an audit opinion attached. During the current year, WTI asked Jones and Jones to assist the company by rendering a business valuation service. WTI is asking Jones and Jones to (1) estimate the value of WTI and (2) consult with WTI in the form of making recommendations on steps that WTI can take that will grow the value of the business.

Required a. Since Jones and Jones is preparing the financial statements for WTI, is Jones and Jones independent with respect to WTI? What conditions, if any, must Jones and Jones meet in order to be independent with respect to WTI? b. Would Jones and Jones be independent if WTI were a public company subject to SEC rules and regulations? Explain your reasoning.

 Analysis Problems  2-47 c. Can Jones and Jones take on the business valuation services and consulting engagement and remain independent with respect to WTI? Explain your reasoning. d. Can Jones and Jones take on the business valuation services and consulting engagement if WTI were a public company subject to SEC rules and regulations? Explain your reasoning. AP2.4  (LO 4, 5, 6, 7)  Moderate   Research   Rules of conduct  In the practice of public accounting, an auditor who is a member of the AICPA is expected to comply with the rules of the AICPA Code of Professional Conduct. Listed below are circumstances that raise a question about an auditor’s ethical conduct.   1. The auditor has a bank loan with a bank that is an audit client.   2. An unqualified opinion is expressed when the financial statements of a county are prepared in conformity with principles established by the Governmental Accounting Standards Board.   3. An auditor retains the client’s records as a means of enforcing payment of an overdue audit fee.   4. The auditor makes retirement payments to individuals who formerly were members of his firm.   5. An auditor sells her shares of stock in a client company in April prior to beginning work on the audit for the year ending December 31.   6. An auditor accepts an engagement knowing that he does not have the expertise to do the audit.   7. The auditor quotes a client an audit fee but also states that the actual fee will be contingent on the amount of work done.   8. The auditor’s firm states in a newspaper advertisement that it has had fewer lawsuits than its principal competitors.   9. The auditor resigns her position as treasurer of the client on May 1, prior to beginning the audit for the year ending December 31. 10. The auditor discloses confidential information about a client to a successor auditor. 11. The auditor accepts an audit engagement when he has a conflict of interest. 12. An auditor prepares a small brochure containing testimonials from existing clients that he mails to prospective clients. 13. An auditor complies with the technical standards of the Accounting and Review Services Committee in reviewing the financial statements of a non-public entity. 14. An auditor audits the financial statements of a local bank and also serves on the bank’s committee that approves loans. 15. An auditor pays a commission to an attorney to obtain a client.

Required a. Identify the rule of the AICPA Code of Professional Conduct that applies to each circumstance (available at the AICPA website, www.aicpa.org). b. Indicate for each circumstance whether the effect on the rule is (1) a violation, (2) not a violation, or (3) indeterminate. Give the reason(s) for your answer. AP2.5  (LO 4, 5, 6, 7)  Moderate   Research   Ethical issues  Gilbert and Bradley formed a corporation called Financial Services, Inc., each taking 50% of the authorized common stock. Gilbert is a CPA and a member of the American Institute of CPAs. Bradley is a CPCU (Chartered Property Casualty Underwriter). The corporation performs auditing and tax services under Gilbert’s direction and insurance services under Bradley’s supervision. The opening of the corporation’s office was announced by a three-inch, two-column ad in the local newspaper. One of the corporation’s first audit clients was the Grandtime Company. Grandtime had total assets of $600,000 and total liabilities of $270,000. In the course of the audit, Gilbert found that Grandtime’s building with a book value of $240,000 was pledged as security for a 10-year term note in the amount of $200,000. The client’s statements did not mention that the building was pledged as a security for the note. However, as the failure to disclose the lien did not affect either the value of the assets or the amount of the liabilities and the audit was satisfactory in all other respects, Gilbert rendered an unqualified opinion on Grandtime’s financial statements. About two months after the date of the opinion, Gilbert learned that an insurance company was planning a loan to Grandtime of $150,000 in the form of a first-mortgage note on the building. Realizing that the insurance company was unaware of the existing lien on the building, Gilbert had Bradley notify the insurance company of the fact that Grandtime’s building was pledged as security for the term note. Shortly after the events described above, Gilbert was charged with a violation of professional ethics.

2-48  C h a pte r 2  Professionalism and Professional Responsibilities

Required Identify and discuss the ethical implication of those acts by Gilbert that were in violation of the AICPA Code of Professional Conduct (available at the AICPA website, www.aicpa.org). AP2.6  (LO 4, 5, 6, 7)  Challenging   Research   Ethical issues  The following situations involve Herb Standard, staff accountant with the regional accounting firm of Cash & Green: 1. The bookkeeper of Ethical Manufacturing Company resigned two months ago and has not yet been replaced. As a result, Ethical’s transactions have not been recorded and the books are not up to date. To comply with terms of a loan agreement, Ethical needs to prepare interim financial statements but cannot do so until the books are posted. Ethical looks to Cash & Green, its independent auditors, for help and wants to borrow Herb Standard to perform the work. Ethical wants Herb because he did its audit last year. 2. Herb Standard discovered that his client, Ethical Manufacturing Company, materially understated net income on last year’s tax return. Herb informs his supervisor about this and the client is asked to prepare an amended return. The client is unwilling to take corrective measures. Herb informs the Internal Revenue Service. 3. While observing the year-end inventory of Ethical Manufacturing Company, the plant manager offers Herb Standard a fishing rod, which Ethical manufactures, in appreciation for a job well done. 4. Herb Standard’s acquaintance, Joe Lender, is chief loan officer at Local Bank, an audit client of Cash & Green. Herb approaches Joe for an unsecured loan from Local Bank and Joe approves the loan. 5. Herb Standard is a member of a local investment club composed of college fraternity brothers. The club invests in listed stocks and is fairly active in trading. Last week the club purchased the stock of Leverage Corp., a client of another Cash & Green office. Herb has no contact with the members of this office.

Required For each situation, (a) identify the ethical issues that are involved and (b) discuss whether there has or has not been any violation of ethical conduct. Support your answers by reference to the rules of the AICPA Code of Professional Conduct, available at the AICPA website (www.aicpa.org). AP2.7  (LO 8)  Moderate   Common law  Tyler Corp. is insolvent. It has defaulted on the payment of its debts and does not have assets sufficient to satisfy its unsecured creditors. Slade, a supplier of raw materials, is Tyler’s largest unsecured creditor and is suing Tyler’s auditors, Field & Co., CPAs. Slade had extended $2 million of credit to Tyler based on the strength of Tyler’s audited financial statements. Slade’s complaint alleges that the auditors were either (1) negligent in failing to discover and disclose fictitious accounts receivable created by management or (2) committed fraud in connection with Tyler. Field believes that Tyler’s financial statements were prepared in accordance with GAAP and, therefore, its opinion was proper. Slade has established that: •  The accounts receivable were overstated by $10 million. •  Total assets were reported as $24 million, of which accounts receivable were $16 million. •  The auditors did not follow their own audit program, which required that confirmation requests be sent to an audit sample representing 80% of the total dollar amount of outstanding receivables. Confirmation requests were sent to only 45%. •  The responses that were received represented only 20% of the total dollar amount of outstanding receivables. This was the poorest response in the history of the firm, the next lowest being 60%. The manager in charge of the engagement concluded that further inquiry was necessary. This recommendation was rejected by the partner in charge.  ield had determined that a $300,000 account receivable from Dion Corp. was nonexistent. Tyler’s •  F explanation was that Dion had reneged on a purchase contract before any products had been shipped. At Field’s request, Tyler made a reversing entry to eliminate this overstatement. However, Field accepted Tyler’s explanation as to this and several similar discrepancies without further inquiry. Slade asserts that Field is liable as a result of both negligence and fraud in conducting the audit.

Required Discuss Slade’s assertions and the defenses that might be raised by Field, setting forth reasons for any conclusions stated. AP2.8  (LO 8)  Challenging   Common law  Astor Inc. purchased the assets of Bell Corp. A condition of the purchase agreement required Bell to retain a CPA to audit Bell’s financial statements. The purpose of the audit was to determine whether the unaudited financial statements furnished to Astor fairly presented Bell’s financial position. Bell retained Winston & Co., CPAs, to perform the audit.

 Analysis Problems  2-49 While performing the audit, Winston discovered that Bell’s bookkeeper had embezzled $500. Winston had some evidence of other embezzlements by the bookkeeper. However, Winston decided that the $500 was immaterial and that the other suspected embezzlements did not require further investigation. Winston did not discuss the matter with Bell’s management. Unknown to Winston, the bookkeeper had, in fact, embezzled large sums of cash from Bell. In addition, the accounts receivable were significantly overstated. Winston did not detect the overstatement because of Winston’s inadvertent failure to follow its audit program. Despite the foregoing, Winston issued an unqualified opinion on Bell’s financial statements and furnished a copy of the audited financial statements to Astor. Unknown to Winston, Astor required financing to purchase Bell’s assets and furnished a copy of Bell’s audited financial statements to City Bank to obtain approval of the loan. Based on Bell’s audited financial statements, City loaned Astor $600,000. Astor paid Bell $750,000 to purchase Bell’s assets. Within six months, Astor began experiencing financial difficulties resulting from the undiscovered embezzlements and overstated accounts receivable. Astor later defaulted on the City loan. City has commenced a lawsuit against Winston based on the following causes of action: •  Constructive fraud. •  Negligence.

Required In separate paragraphs, discuss whether City is likely to prevail on the causes of action it has raised, setting forth reasons for each conclusion. AP2.9  (LO 9)  Moderate   Public Company   Statutory law—1933 Act  Dandy Container Corporation engaged the accounting firm of Adams and Adams to audit financial statements to be used in connection with a public offering of securities. The audit was completed, and an unqualified opinion was expressed on the financial statements that were submitted to the Securities and Exchange Commission along with the registration statement. Two hundred thousand shares of Dandy Container common stock were offered to the public at $11 a share. Eight months later, the stock fell to $2 a share when it was disclosed that several large loans to two “paper” corporations owned by one of the directors were worthless. The loans were secured by the stock of the borrowing corporation that was owned by the director. These facts were not disclosed in the financial statements. The director involved and the two corporations are insolvent. 1. The Securities Act of 1933 applies to the above-described public offering of securities in interstate commerce. 2. The accounting firm has potential liability to any person who acquired the stock in reliance on the registration statement. 3. The accountants could avoid liability if they could show they were neither negligent nor fraudulent. 4. The accountants could avoid or reduce the damages asserted against them if they could establish that the drop in price was due in whole or in part to other causes. 5. The Dandy investors would have to institute suit within one year after discovery of the alleged untrue statements or omissions. 6. The SEC would defend any action brought against the accountants in that the SEC examined and approved the registration statement. 7. Although Adams and Adams knew of the loans, and related collateral, and concluded that they did not need to be disclosed, they can still sustain the claim that they are only proportionally liable for any damages suffered by shareholders because the financial statements are management’s responsibility.

Required Indicate whether each of the above statements is true or false under statutory law. Give the reason(s) for your answer. AP2.10  (LO 8, 9)  Challenging   Public Company   Statutory law; common law Part I: The common stock of Wilson, Inc. is owned by 10,000 stockholders who live in several states. Wilson’s financial statements as of December 31, 2021, were audited by Doe & Co., CPAs, who rendered an unqualified opinion on the financial statements. In reliance on Wilson’s financial statements, which showed net income for 2021 of $1.5 million, Peters, on April 10, 2022, purchased 10,000 shares of Wilson stock for $200,000. The purchase was from a shareholder who lived in another state. Wilson’s financial statements contained material misstatements. Because Doe did not carefully follow GAAS, it did not discover that the statements failed to reflect unrecorded expenses that reduced Wilson’s actual net income to $800,000. After disclosure of the corrected financial statements, Peters sold his shares for $100,000, which was the highest price he could obtain. Peters has brought an action against Doe under federal securities law and state common law.

2-50  C h a pte r 2  Professionalism and Professional Responsibilities

Required Answer the following, setting forth reasons for any conclusions stated: a. Will Peters prevail on his federal securities law claims? b. Will Peters prevail on his state common law claims? Part II: Able Corporation decided to make a public offering of bonds to raise needed capital. On June 30, 2022, it publicly sold $2.5 million of 12% debentures in accordance with the registration requirements of the Securities Act of 1933. The financial statements filed with the registration statement contained the unqualified opinion of Baker & Co., CPAs. The statements overstated Able’s net income and net worth. Through negligence Baker did not detect the overstatements. As a result, the bonds, which originally sold for $1,000 per bond, have dropped in value to $700. Ira is an investor who purchased $10,000 of the bonds. He promptly brought an action against Baker under the Securities Act of 1933.

Required Setting forth reasons for any conclusions, determine if Will should prevail on his claim under the Securities Act of 1933. AP2.11  (LO 8, 9)  Challenging   Public Company   Statutory law; common law  To expand its operations, Dark Corp. raised $4 million by making a private interstate offering of $2 million in common stock and negotiating a $2 million loan from Safe Bank. The common stock was properly offered pursuant to the Securities Act of 1933. In connection with this financing, Dark engaged Crea & Co., CPAs, to audit Dark’s financial statements. Crea knew that the sole purpose for the audit was so that Dark would have audited financial statements to provide to Safe and the purchasers of the common stock. Although Crea conducted the audit in conformity with its audit program, Crea failed to detect material acts of embezzlement committed by Dark’s president. Crea did not detect the embezzlement because of its inadvertent failure to exercise due care in designing its audit program for this engagement. After completing the audit, Crea rendered an unqualified opinion on Dark’s financial statements. The purchasers of the common stock relied on the financial statements in deciding to purchase the shares. In addition, Safe Bank approved the loan to Dark based on the audited financial statements. Within 60 days after the sale of the common stock and the making of the loan by Safe, Dark was involuntarily petitioned into bankruptcy. Because of the president’s embezzlement, Dark became insolvent and defaulted on its loan to Safe. Its common stock became virtually worthless. •  A  ctions have been commenced against Crea by the purchasers of the common stock who have asserted that Crea is liable for damages under Section 10(b) and Rule 10b-5 of the Securities Exchange Act of 1934. •  Safe Bank filed suit against Crea & Co. under common law based on Crea’s negligence.

Required In separate paragraphs, discuss the merits of the actions commenced against Crea, indicating the likely outcomes and the reasons therefore. AP 2.12  (LO 2, 3, 4, 5)  Challenging   Research   Independence  Johnson and Wiley, CPAs acquires Fritz and Rufner, CPAs as of January 1, 2022. Johnson and Wiley have audited the financial statements of Matthews Grocery for the last 5 years. Fritz and Rufner provided nonattest services to Matthews Grocery that would have been prohibited for Johnson and Wiley. Fritz and Rufner resigned performing the nonattest services for Matthews Grocery as of December 1, 2021. Matthews Grocery has a calendar year end of December 31. Do any independence problems exist for Johnson and Wiley for the audits of Matthews Grocery as of December 31, 2021 and 2022? If so, can safeguards be applied to preserve Johnson and Wiley’s independence? Explain your answer and cite any professional standards that apply.

Ethical Decision Case King Companies, Inc. Question C2.1 is based on the following case. King Companies, Inc. (KCI) is a private company that owns five auto parts stores in urban Los Angeles, California. King Companies has gone from two auto parts stores to five stores in the last three years,

 Ethical Decision Case  2-51 and it plans continued growth. Eric and Patricia King own the majority of the shares in KCI. Eric is the chairman of the board of directors of KCI and CEO, and Patricia is a director as well as the CFO. Shares not owned by Eric and Patricia are owned by friends and family who helped the Kings get started. Eric started the company with one store after working in an auto parts store. To date, he has funded growth from an inheritance and investments from a few friends. Their accounting firm, Thornson & Danforth LLP, has done tax returns for the company, as well as for the King family, for the last 10 years. Thornson & Danforth is a CPA firm with 55 professionals, which performs audit and tax services for a number of clients. James Danforth, a tax partner in the CPA firm, is a long-time friend of Eric and owns 5% of KCI. In October 2021, Eric opens a conversation with James about upcoming expansion and the plan to open three to five more stores. Eric has learned this will mean taking on significant debt to fund the growth. Every lender that Eric has talked with has been impressed with the growth to date with equity, but the lenders will require an annual audit. Eric asks James if his firm can perform the annual audit. James explains his concerns about the independence of Thornson & Danforth. Because the expansion is still in the early planning stages, Eric agrees to purchase James’ 5% stake in KCI in November 2021. James expects that the first audited financial statements that KCI will need will be for the year ended December 31, 2022. C2.1  (LO 3, 5)  Challenging   Research   Application of the conceptual framework  Thornson & Danforth plans to continue to prepare tax returns for KCI and the King family. The firm also plans to perform the audit for the year ended December 31, 2022. a.  Identify any ethics issues that exist. b.  Gather appropriate information for each ethical issue. c.  Analyze the relevant information for each ethical issue and evaluate the alternatives. d.  Draw a conclusion about each ethical issue and explain your reasoning. Cite appropriate references from the AICPA Code of Professional Conduct (available at the AICPA website, www.aicpa.org).

Cloud 9 - Continuing Case Sharon Gallagher, Josh Thomas, and Jo Wadley work for the audit firm W&S Partners. Sharon is an audit manager, Josh is an audit senior, and Jo is an audit partner. They meet to discuss the results of a survey of other offices of W&S Partners, as well as their own office. The survey was directed toward determining if W&S Partners had any independence problems with respect to a new prospective client, Cloud 9 Inc. Based on the survey, they learn the following: •  J o Wadley and David Collier (Cloud 9’s CFO) both serve on the board of directors of the local chapter of Special Olympics. •  A  tax senior in another office has a sister that consults with Cloud 9 on shoe design. Cloud 9 is her largest client.

•  Fifteen employees of W&S Partners, ranging from partners to entry-level staff, own shares in retailers that sell Cloud 9 shoes. •  A survey shows that 23% of professional staff working for W&S Partners have purchased Cloud 9 shoes in the past.

Required Evaluate each of the items above and their impact on the independence of W&S Partners with respect to Cloud 9. If relevant, list any additional actions you might take before making your independence recommendation to Jo Wadley.

Chapter 3 Risk Assessment Part I Audit Risk and Audit Strategy

The Audit Process Overview of Audit and Assurance (Chapter 1) Professionalism and Professional Responsibilities (Chapter 2) Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4) Identify Significant Accounts and Transactions Make Preliminary Risk Assessments

Set Planning Materiality

Gaining an Understanding of the System of Internal Control (Chapter 6)

Audit Evidence (Chapter 5)

Develop Responses to Risk and an Audit Strategy

Performing Tests of Controls (Chapter 8)

Performing Substantive Procedures (Chapter 9) Audit Sampling for Substantive Tests (Chapter 10)

Auditing the Revenue Process (Chapter 11)

Auditing the Purchasing and Payroll Processes (Chapter 12)

Audit Data Analytics (Chapter 7)

Gaining an Understanding of the Client

Auditing the Balance Sheet and Related Income Accounts (Chapter 13)

Completing and Reporting on the Audit (Chapters 14 and 15) Procedures Performed Near the End of the Audit

Drawing Audit Conclusions

Reporting

3-1

3-2  Ch apt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy

Learning Objectives LO 1 Evaluate client acceptance and continuance decisions.

LO 5 Explain how auditors determine their audit strategy and how audit strategy affects audit decisions.

LO 2  Identify the different phases of an audit.

LO 6 Explain the fraud risk assessment process and analyze fraud risk.

LO 3 Explain and apply the concept of materiality. LO 4 Explain professional skepticism and apply the audit risk model.

Auditing and Assurance Standards PCAOB

Auditing Standards Board

AS 1015  Due Professional Care in the Performance of Work

AU-C 200  Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards

AS 1101  Audit Risk AS 1301  Communications with Audit Committees AS 2101  Audit Planning AS 2105  Consideration of Materiality in Planning and Performing an Audit AS 2110  Identifying and Assessing Risks of Material Misstatement AS 2301 The Auditor’s Responses to the Risks of Material Misstatement AS 2401  Consideration of Fraud in a Financial Statement Audit AS 2610  Initial Audits—Communication Between Predecessor and Successor Auditors

AU-C 210 Terms of Engagement AU-C 240  Consideration of Fraud in a Financial Statement Audit AU-C 300 Planning an Audit AU-C 315  Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement AU-C 320  Materiality in Planning and Performing an Audit AU-C 330 Performing Audit Procedures in Response to Assessed Risks and Evaluating Audit Evidence Obtained QC 10  A Firm’s System of Quality Control

Cloud 9 - Continuing Case Sharon and Josh have already discussed some specific client acceptance issues, such as independence threats and safeguards. Sharon explains they also must consider the overall integrity of the client (that is, management of Cloud 9). This means they need to perform and document procedures that are likely to provide information about the client’s integrity. Josh is a little skeptical. “Do you mean that we should ask them if they are honest?” Sharon suggests it is probably more useful to ask others, and the key people to ask are the existing auditors. Josh is still skeptical. “The existing auditors are Ellis & Associates. Are they going to help us take one of their clients from them?” Sharon says the client must give permission first, and, if that is given, the existing auditor will usually state whether or not there were any issues that the new auditor should be aware of before accepting the work. This type of communication is covered by AS 2610 (AU-C 210 for private company clients)

and is part of professional ethics. Sharon also gives Josh the task of researching Cloud 9’s press coverage, with special focus on anything that may indicate poor management integrity. Sharon emphasizes they must perform and document procedures to determine whether W&S Partners is competent to perform the engagement and has the capabilities, time, and resources to do so. For example, they must make sure they have audit team members who understand the clothing and footwear business. They also must have enough staff to complete the audit on time. In addition, Sharon and Josh must perform and document procedures to show that W&S Partners can comply with all parts of the code of professional conduct, not just those that focus on independence threats and safeguards. Finally, they can draft the engagement letter to cover the contractual relationship between W&S Partners and Cloud 9.

  Client Acceptance and Continuance Decisions  3-3

Chapter Preview: Audit Process in Focus This chapter marks the beginning of our overview of how an audit is conducted. First, we consider the factors that impact an auditor’s client acceptance/continuation decision. The first step for any audit is the decision to accept a company as a new audit client or to continue as the auditor of an existing client. Risk assessment is an important topic that we will cover in this and the next chapter. This chapter begins with a discussion of the different phases (or stages) of the audit: (1) the risk assessment phase, (2) the risk response phase (where the detailed work is conducted), and (3) the reporting phase (where the audit opinion is formed). In the risk assessment phase, auditors adopt a broad view of the client as a whole and the industry in which it operates. In this context, auditors obtain a more detailed understanding of the client in the early stages of each audit; that knowledge drives the audit planning decisions about the nature, extent, and timing of audit evidence to collect. Auditors cannot economically audit everything; therefore, the concepts of materiality, professional skepticism, and audit risk guide auditors in deciding which areas of the financial statements are most important to examine. Ultimately, auditors will develop a detailed audit strategy for the execution of the audit. This chapter concludes with a discussion of the assessment of fraud risk, which is part of the risk assessment phase of the audit. We will cover the remainder of the risk assessment procedures in Chapter 4.

Client Acceptance and Continuance Decisions Lea rning Objective 1 Evaluate client acceptance and continuance decisions. The first stage of any audit is the client acceptance or continuance decision. While the decision to take on a new client is more detailed than the decision to continue with an existing client, they have much in common. QC 10 A Firm’s System of Quality Control provides guidance on the procedures used when making the client acceptance or continuance decision. Illustration 3.1 summarizes factors that influence client acceptance and retention decisions and these factors are discussed below.

illustration 3.1   Factors that influence client acceptance and retention

Positive Factors Influencing Client Acceptance and Retention Decisions Management shows integrity in business and accounting decisions.

Factors That Influence Client Acceptance and Retention Integrity of management

Management places a premium on representational faithfulness of accounting information. The firm has expertise to perform services requested by the client or has access to specialists that can meet client needs. No independence problems exist, or independence problems can be resolved prior to client acceptance.

Negative Factors Influencing Client Acceptance and Retention Decisions Concerns exist about the integrity of management in business and accounting decisions. Management is preoccupied with meeting specific accounting numbers.

Competence issues

Independence issues

The firm does not have expertise needed to provide the full scope of services requested by the client, or does not have affiliation with specialists to meet client needs. Independence and conflict of interest issues exist that cannot be resolved prior to client acceptance. (continued)

3-4  Ch apt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy illustration 3.1   (continued)

Positive Factors Influencing Client Acceptance and Retention Decisions

Factors That Influence Client Acceptance and Retention Special circumstance and unusual risks

There are minimal regulatory reporting requirements. The client is financially stable and profitable, with no significant concerns about debt covenants.

Negative Factors Influencing Client Acceptance and Retention Decisions There are significant regulatory reporting requirements with close monitoring by regulators. The client is experiencing profitability issues, weak cash flows, and is close to violation of debt covenants.

No scope limitations exist.

The client voices significant concerns about the scope of audit work.

The entity has a strong accounting system with good internal controls.

The entity has a weak accounting system with few internal controls.

You may be wondering why the decision to take on a new client or continue with an existing client is such a big deal. More clients mean more revenue for the accounting firm, so why not accept all client engagement opportunities? The answer is because being associated with a “bad client” can damage the firm’s reputation, which causes the public to lose trust in the firm. A good example of this situation is the accounting firm Arthur Andersen LLP (“Andersen”), formerly one of the largest firms in the world. In the 1990s and early 2000s, several of Andersen’s clients were investigated by the Securities and Exchange Commission (SEC) for accounting fraud, the most well-known being Enron and WorldCom. Andersen was convicted of a felony (obstruction of justice) in the Enron case, but that was reversed by the Supreme Court in 2005.1 With the felony conviction overturned, Andersen could resume operations and audit public company clients. That has not happened. Why? The damage to the Andersen reputation was so severe that companies do not want to be associated with the Andersen name. One of the key factors that influences the client acceptance decision is the assessment of the integrity of the client’s management. When assessing management integrity, the auditor will consider the following factors: •  The reputation of the client, its management, directors, and key stakeholders. •  Client’s reasons for switching audit firms, if the company was previously audited. •  Management’s attitude to risk exposure. •  Management’s attitude to the implementation and maintenance of adequate internal controls. •  The appropriateness of management’s interpretation of accounting rules. •  Management’s willingness to allow the auditors full access to client personnel, records, and information required to form their opinion. How do auditors gather information on these factors? Information is gathered primarily through communication with individuals internal and external to the prospective client. Some of the key communications are as follows: •  Communication with the previous auditor, if the company was previously audited. (AU-C 210 Terms of Engagement and AS 2610 Initial Audits—Communications Between Predecessor and Successor Auditors require that the auditor obtain permission from the prospective client before communicating with the predecessor, or previous, auditor. If that permission is not granted, the auditor should consider the implications of that refusal when deciding whether to accept the engagement (AU-C 210.11). Illustration 3.2 lists the types of inquiries the auditor should make of the predecessor auditor.) •  Communication with client personnel. •  Communication with third parties such as client bankers and lawyers. 1

Arthur Andersen LLP vs. United States (04-368) 544 U.S. 696 (2005).

  Client Acceptance and Continuance Decisions  3-5

•  Communication with the client’s industry peers. •  Review of newspaper and magazine articles about the client, or articles in industry trade journals.

Inquiries of the predecessor auditor may be oral or written and should include: 1. Information that might bear on the integrity of management. 2. Disagreements with management about accounting policies, auditing procedures, or other significant matters. 3. Communications to those charged with governance regarding fraud and noncompliance with laws or regulations by the entity. 4. Communications to management and those charged with governance regarding significant deficiencies and material weaknesses in internal control. 5. The predecessor auditor’s understanding about the reasons for the change of auditors. Source: AU-C 210.A31 and AS 2610.09.

Before accepting a new client, consideration must be given to any threats to compliance with the fundamental principles of professional ethics, such as integrity, objectivity, independence, professional competence, and due care, as discussed in Chapter 2. Threats to the fundamental principles of professional ethics will occur if the prospective client is dishonest, involved in illegal activities, or aggressive in its interpretations of accounting rules. An accounting firm should not accept a new client if the firm is concerned about any of these issues. Potential threats to compliance with the fundamental principles of professional ethics for existing clients should be considered regularly as part of continuation decisions. To ensure professional competence and due care, a firm must be certain it has the staff available for the time required to complete the audit. The firm must ensure its audit staff has the knowledge and competence required to conduct the audit. The firm must have access to independent specialists, if required. The use of specialists will be discussed in Chapter 5. To ensure that it is independent of prospective and continuing clients, the accounting firm must review the threats to independence, described in Chapter 2, and make certain that safeguards are put in place to limit or remove those threats. If an independence threat appears insurmountable, a firm should decline an offer to be the auditor of a prospective client or resign from the audit of an existing client. An example of such a threat is fee dependence, where the fees from a client would form a significant proportion of the firm’s total fees. This can occur if a prospective client is much larger than a firm’s current clients or if an existing client has grown significantly. The firm should also consider any special circumstances or unusual risks that could be unique to a prospective or continuing client. For example, is the client financially stable, or is it experiencing profitability issues? Another issue is the regulatory environment for the client. Auditors should be aware of any issues being raised by regulators or whether the client may be close to violating regulatory requirements. These and other special circumstances should be carefully considered by the firm.

Audit Reasoning Example  Acceptance of New Client A software company is looking for a new auditor. The company has grown through an acquisition and needs an auditor that can handle its additional requirements. The new auditor sees no independence issues. Discussions with the predecessor auditor, the audit committee, and management indicate a good tone at the top and provide a consistent story about the company and its reasons for changing auditors. The new firm, with national and international offices and many clients in the software industry, sees this as a client with good potential for the firm.

illustration 3.2   Communication with the predecessor auditor

3-6  Ch apt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy

Audit Reasoning Example  Refusal of New Client A firm has been asked to submit a bid on a new engagement. An individual with experience in the investment industry is starting a new hedge-fund company. The company is looking for an auditor so that audited financial statements can be provided to potential investors. While the firm has 15 offices in the United States, the firm has very limited experience auditing investment companies or hedge funds. A background check on the CEO indicates he had allegations of improper business dealings and possible fraud with a company he ran five years before. The firm chooses not to bid on the audit because of concerns about possible management integrity issues, as well as concerns about its own expertise.

engagement letter  sets out the terms of the audit engagement, to avoid any misunderstandings between the auditor and the client

illustration 3.3   Example of an audit engagement letter for a private company client

The final stage in the client acceptance or continuance decision process involves the preparation of an engagement letter. AU-C 210 Terms of Engagement and AS 1301 Communications with Audit Committees provide guidance on the preparation of engagement letters. An engagement letter is prepared by an auditor and acknowledged by a client before the audit begins. It is a contract between an auditor and the client. According to auditing standards, it is not necessary to send a new engagement letter each year for a continuing client unless the terms of the engagement change. In practice, most audit firms have clients sign a new engagement letter each year to avoid any misunderstandings. The purpose of an engagement letter is to set out the terms of the audit engagement to avoid any misunderstandings between the auditor and the client. The engagement letter includes an explanation of the scope of the audit, the timing of the completion of various aspects of the audit, an overview of the client’s responsibility for the preparation of the financial statements, the requirement that the auditor have access to all information required to perform the audit, and independence considerations and fees. An example of an engagement letter for a private company client is provided in the appendix to AU-C 210 and is reproduced in Illustration 3.3. (Appendix C of AS 1301 details matters that should be included in the engagement letter for a public company client.)

To the appropriate representative of those charged with governance of ABC Company: [The objective and scope of the audit] You have requested that we audit the financial statements of ABC Company, which comprise the balance sheet as of December 31, 2022, and the related statements of income, changes in stockholders’ equity, and cash flows for the year then ended, and the related notes to the financial statements. We are pleased to confirm our acceptance and our understanding of this audit engagement by means of this letter. Our audit will be conducted with the objective of our expressing an opinion on the financial statements. [The responsibilities of the auditor] We will conduct our audit in accordance with auditing standards generally accepted in the United States of America (GAAS). Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement. An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. The procedures selected depend on the auditor’s judgment, including the assessment of the risks of material misstatement of the financial statements, whether due to fraud or error. An audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of significant accounting estimates made by management, as well as evaluating the overall presentation of the financial statements. Because of the inherent limitations of an audit, together with the inherent limitations of internal control, an unavoidable risk that some material misstatements may not be detected exists, even though the audit is properly planned and performed in accordance with GAAS.

  Client Acceptance and Continuance Decisions  3-7 In making our risk assessments, we consider internal control relevant to the entity’s preparation and fair presentation of the financial statements in order to design audit procedures that are appropriate in the circumstances but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control. However, we will communicate to you in writing concerning any significant deficiencies or material weaknesses in internal control relevant to the audit of the financial statements that we have identified during the audit. [The responsibilities of management and identification of the applicable financial reporting framework] Our audit will be conducted on the basis that [management and, when appropriate, those charged with governance] acknowledge and understand that they have responsibility a. for the preparation and fair presentation of the financial statements in accordance with accounting principles generally accepted in the United States of America; b.  for the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error; and c.  to provide us with

i. access to all information of which [management] is aware that is relevant to the preparation and fair presentation of the financial statements such as records, documentation, and other matters;



ii. additional information that we may request from [management] for the purpose of the audit; and



iii. unrestricted access to persons within the entity from whom we determine it necessary to obtain audit evidence.

As part of our audit process, we will request from [management and, when appropriate, those charged with governance], written confirmation concerning representations made to us in connection with the audit. [Other relevant information] [Insert other information, such as fee arrangements, billings, and other specific terms, as appropriate.] [Reporting] [Insert appropriate reference to the expected form and content of the auditor’s report. Example follows:] We will issue a written report upon completion of our audit of ABC Company’s financial statements. Our report will be addressed to the board of directors of ABC Company. We cannot provide assurance that an unmodified opinion will be expressed. Circumstances may arise in which it is necessary for us to modify our opinion, add an emphasis-of-matter or other-matter paragraph(s), or withdraw from the engagement. We also will issue a written report on [Insert appropriate reference to other auditor’s reports expected to be issued.] upon completion of our audit. Please sign and return the attached copy of this letter to indicate your acknowledgment of, and agreement with, the arrangements for our audit of the financial statements including our respective responsibilities. XYZ Partners Acknowledged and agreed on behalf of ABC Company by ___________________________ [Signed] [Name and Title] [Date] Source: AU-C 210.A42.

illustration 3.3  

(continued)

3-8  Ch apt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy

Cloud 9 - Continuing Case “Great news!” announces Sharon at the weekly team meeting. “We just received word that the audit engagement letter for Cloud 9 has been signed. We are now officially the auditors and the risk assessment phase starts now!” Later, at the first planning meeting, Sharon and Josh focus on assigning the tasks for gaining an understanding of Cloud 9. Ian Harper, a first-year staff, is not happy. He grumbles to another member of the team, Suzie Pickering, as he leaves the room. “This is such a waste of time. Why did we sign an engagement letter if we don’t understand the client? Why don’t we just get on with the audit? What else is there to know?” “Oh boy, are you missing the point!” Suzie says. “If you don’t understand where the risks are greatest, where are you going to start ‘getting on with it’?”

“The same place you always start,” replies Ian. Ian thinks that all audits are pretty much the same and that W&S Partners must have an audit plan they can use for the Cloud 9 audit. Suzie explains that if they tailor the plan to the client, the audit is far more likely to be efficient and effective. That is, they will get the job done without wasting time and ensure that quality evidence is gathered for the accounts that are most at risk of being misstated. If they can do this, W&S Partners will not only issue the right audit report, but they will make a profit from the audit as well. In other words, if the plan is good, performing the audit properly will be easier. Suzie realizes it will be a big job explaining this to Ian and invites him for a coffee in the staff room so they can talk. Suzie is an experienced staff and has worked with other clothing and footwear clients.

Before You Go On 1.1 What will an auditor consider in assessing the integrity of a client’s management, board, and other personnel? 1.2  How does an auditor gather information about management integrity? 1.3 What are the key components of an engagement letter?

Phases of an Audit Lea rning O bjective 2 Identify the different phases of an audit.

risk assessment phase  gaining an understanding of the client, identifying risk factors, developing an audit strategy, and setting planning materiality risk response phase  performing tests of controls and detailed substantive testing of transactions and accounts, concentrating effort where the risk of material misstatement is greatest reporting phase  evaluation of the results of the detailed testing in light of the auditor’s understanding of the client and forming an opinion on the fair presentation of the client’s financial statements

Before we begin the discussion of the different phases of an audit, it is important to emphasize that each audit is unique. For example, risks associated with the audit of a grocery store will not be the same as the risks associated with an audit of a jewelry store, even though both are retailers. Risks associated with the oil and gas industry will be different from risks associated with the computer technology industry because of different laws and regulations that apply to each industry. Auditors must tailor their audit to be specific to each client, but broadly speaking, once the client acceptance or continuance decision has been made, there are three general phases of every audit, as shown in Illustration 3.4: 1. The risk assessment phase involves gaining an understanding of the client, identifying factors that may impact the risk of a material misstatement occurring in the financial statements, performing a risk and materiality assessment, and developing an audit strategy. 2. The risk response phase of the audit involves the performance of detailed tests of controls and detailed testing of transactions and account balances, called substantive testing. 3. The reporting phase involves an evaluation of the results of the detailed testing in light of the auditor’s understanding of the client and forming an opinion on the fair presentation of the client’s financial statements. An overview of each phase of the audit follows.

 Phases of an Audit  3-9 illustration 3.4   Overview of the audit

Risk Assessment Phase

Understanding the Client

Risk Identification and Strategy

Risk Response Phase

Risk and Materiality Assessment

Tests of Controls

Reporting Phase

Substantive Testing

Conclusion and Forming an Opinion

Risk Assessment Phase AU-C 300 Planning an Audit and AS 2101 Audit Planning require auditors to plan the audit by assessing risk to reduce audit risk to an acceptably low level. Audit risk is the risk that an auditor expresses an inappropriate audit opinion when the financial statements are materially misstated (AU-C 200.14). An auditor will perform various risk assessment procedures to ensure that appropriate attention is paid to the accounts and transactions most at risk of being materially misstated. For example, the inventory account at The Boeing Company has a higher risk of material misstatement than the prepaid expenses account. Why is that? First, think about the difference in the dollar amount of the two accounts. Inventory will most likely be the largest current asset and prepaid expenses will be one of the smallest. Also, the number and complexity of transactions in the inventory account will be much higher than the number of transactions in the prepaid expenses account. Therefore, auditors should plan to devote more audit time to the inventory account than to the prepaid expenses account. This Boeing example illustrates that the risk assessment phase of the audit provides the opportunity to optimize efficiency and effectiveness when conducting an audit. Efficiency refers to the amount of time spent gathering audit evidence. Effectiveness refers to minimizing audit risk. You should also understand that the risk assessment process is an iterative process. Auditors make preliminary risk assessments while planning the audit. Those risk assessments are later confirmed, or refuted, when auditors perform tests of internal controls, or tests of account balances, transactions, or disclosures. On occasion, auditors might obtain information in the risk response phase that causes them to revise their preliminary conclusions drawn during the risk assessment phase. Auditors must be open to evaluating evidence obtained at any phase of the audit and to considering its implications for risk assessments made earlier in the audit. Illustration 3.5 provides a graphical depiction of the risk assessment phase of the audit and some key concepts that are applied during risk assessment and the other phases of the audit. The key concepts of materiality, professional skepticism, and audit risk are discussed in this chapter. The section “Audit Strategy” in this chapter discusses how, once the elements of risk assessment have been considered, auditors can develop their audit strategy. The section “Fraud Risk” closes this chapter. The remaining elements of risk assessment will be discussed in Chapter 4.

Risk Response Phase The risk response phase of the audit involves detailed testing of internal controls, transactions, account balances, and disclosures the auditors have determined to be at high risk of material misstatement. Auditors determine whether they plan to rely on the client’s system of internal controls. If so, they will test the effectiveness of internal controls, which is discussed in the section “Audit Strategy” and further in Chapter 8. Auditors will also make decisions about the extent and timing of detailed testing of account balances and transactions, which is discussed in “Audit Strategy” and further in Chapters 9 through 13. This detailed testing provides the evidence needed by auditors to determine if the financial statements are fairly presented.

audit risk  the risk that an auditor expresses an inappropriate audit opinion when the financial statements are materially misstated

3-10  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy illustration 3.5   Risk assessment

Materiality

Professional Skepticism

Understand the entity and the industry Fraud risk

Closing procedures

Audit Risk

Compliance with laws and regulations Client performance measurement

Risk Assessment

Understand internal controls and IT

Analytical procedures

Corporate governance

Related parties

Audit Strategy

Concluding and Reporting on an Audit The final phase of the audit involves drawing conclusions based upon the evidence gathered and arriving at an opinion regarding the fair presentation of the financial statements. The auditor’s opinion is expressed in the audit report (see Chapter 15). At this stage of the audit, auditors draw on their understanding of the client, their detailed knowledge of the risks faced by the client, and the conclusions drawn when testing the client’s controls, transactions, and account balances.

Before You Go On 2.1 What are the three main phases of the audit? 2.2  Briefly discuss why auditors must treat every audit as unique. 2.3 Explain how the risk assessment phase helps to improve the efficiency and effectiveness of the audit.

Materiality Lea rning O bjective 3 Explain and apply the concept of materiality. materiality  the ability of information to influence decisions that users make on the basis of the financial information of a specific reporting entity

The concept of materiality is used to guide audit testing and assess the validity of information contained in the financial statements and the notes. Information is considered material if it impacts the decision-making process of users of the financial statements. PCAOB AS 2105 includes the definition stated by the U.S. Supreme Court that “information is material if

 Materiality 3-11

there is a substantial likelihood that the . . . fact would have been viewed by a reasonable investor as having significantly altered the total mix of information made available (para 2).” This includes information that is misstated and information that is omitted but should be disclosed. Materiality is a key auditing concept that is first assessed during the risk assessment phase of every audit. This overall or planning materiality guides audit planning and testing for the financial statements as a whole. Before explaining how auditors arrive at their planning materiality assessment, it is important to differentiate between the qualitative and quantitative considerations of materiality.

Qualitative and Quantitative Materiality Information can be considered material because of its nature and/or its magnitude. An item that is considered material due to its nature is referred to as being qualitatively material. An item that is considered material due to its magnitude is referred to as being quantitatively material. While these concepts are not mutually exclusive, we explain them separately to help you differentiate between the two.

Qualitative Materiality Factors Information is considered qualitatively material if it affects a user’s decision-making process for a reason other than its magnitude. For example, a fraud, by its nature, is considered significant no matter how small it may be. Fraud that is small today could grow to a massive fraud in the future. Throughout the audit, auditors use their understanding of the client to be alert to qualitative factors that reflect on the client’s financial position, results of operations, and/or cash flows. When reading the notes to the financial statements, an auditor will assess accounting disclosure accuracy and compliance with any regulations and legislation and ensure any legal matters that should be disclosed are disclosed correctly. If any of these disclosures are inaccurate or omitted in error, the auditor will consider the potential impact on users. If the auditor believes an inaccurate disclosure or omission will affect a user’s decision-making process, it is considered qualitatively material, and the auditor will request that the client correct the disclosure or include any omitted information. Examples include a change in an accounting method, a change in operations that affects the level of risk faced by the client, or the client being in danger of breaching a debt covenant. AU-C 320 and AS 2105 refer to other items that may be considered material due to their nature rather than their size.

qualitative materiality  information or misstatements that impact a user’s decision-making process for a reason other than its magnitude

Quantitative Materiality Factors Information is considered quantitatively material if it exceeds the magnitude of an auditor’s planning materiality assessment. Auditors use their professional judgment to arrive at an appropriate planning materiality amount for each client. Planning materiality is typically a percentage of an appropriate benchmark from the financial statements. AU-C 320 provides guidance for determining an appropriate benchmark. An auditor will select a benchmark, as discussed next, and then decide on the percentage to use, depending upon the client’s circumstances.

Setting Materiality When determining planning materiality, auditors will use professional judgment and are mindful of the primary users of the financial statements. For publicly traded companies, the primary users are the stockholders. For private companies, the primary users are generally the owners and/or major lenders. Accounting firms may vary in the method they use to set planning materiality in the risk assessment phase, but common practice is to calculate a percentage of an appropriate benchmark. In selecting an appropriate benchmark, auditors can choose an item from the balance sheet or the income statement. Balance-sheet benchmarks

quantitative materiality ­ information or misstatements that exceed the magnitude of an auditor’s preliminary materiality assessment, which is a percentage of an appropriate benchmark

3-12  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy

are generally total assets or equity. Income-statement benchmarks are typically profit before tax or total revenue. Auditors select an appropriate benchmark using their professional judgment based on their knowledge of the client, the client’s industry, and the needs of financial statement users for their decision making. For example, if a client is listed on the securities exchange, profit before tax is an appropriate benchmark because it drives dividends and return-on-investment decisions. However, if a client is a not-for-profit organization, either total assets or total revenue are more generally used as a benchmark. Auditing standards mention benchmarks the auditor can use, but the standards do not recommend any specific percentages that should be applied to these benchmarks. Therefore, auditors rely heavily on their professional judgment to determine an appropriate percentage of the selected benchmark. The discussion in the following Professional Environment box provides more detail of percentages that firms use when determining planning materiality. The auditing standards do require auditors to reevaluate their overall level of materiality throughout the audit. If new information comes to light that would cause the auditors to establish a different level of planning materiality, then they should examine the information and make adjustments to materiality as needed.

Professional Environment  Materiality Practices of the Major Public Accounting Firms Since auditing standards provide no guidance to auditors about what percentage to apply to benchmarks for determining planning materiality, what are public accounting firms doing? And more importantly, is there consistency among the major public accounting firms regarding the determination of planning materiality? These are important research questions that were studied by Eilifsen and Messier (2015) in their article titled “Materiality Guidance of the Major Public Accounting Firms.”2 For their study, Eilifsen and Messier asked the eight largest U.S. public accounting firms to provide them with a copy of the firm’s materiality guidance. The eight firms, in alphabetical order, were BDO USA, Crowe Horwath (now Crowe), Deloitte & Touche, EY, Grant Thornton, KPMG, McGladrey (now RSM), and PwC. An analysis of the eight firms’ materiality guidance revealed that for public company audits, seven of the eight firms use “income before income taxes” as the primary benchmark for determining planning materiality. One of the firms uses “income after income taxes” as the primary benchmark. For private company audits, in addition to income before income taxes, other acceptable benchmarks are total assets and total revenues. Firms will use other benchmarks if appropriate for unusual circumstances. For example, if the company is experiencing a loss or very poor operating results, another measure such as total equity may be a more reliable benchmark for determining planning materiality.

Once a benchmark has been selected, what percentage should be used for determining planning materiality? Six of the eight firms “expect, suggest, or require the use of 5% of income before taxes, while one firm allows 5–10%.”3 As an example, assume you are the auditor for The Boeing Company. At December 31, 2017, Boeing had income (earnings) before income tax of $10.047 billion. To determine planning materiality, you would multiply 5% by $10.047 billion, which results in planning materiality of $502,350,000. In addition, you would also consider any qualitative factors in making your final assessment of planning materiality. For the benchmarks of total assets and total revenues, seven of the eight firms used ranges of 0.25% to 2%. Using The Boeing Company example, at December 31, 2017, Boeing had total revenues of $93.392 billion. If you use 1% of total revenues, then planning materiality would be $933,920,000. This results in a higher planning materiality than using 5% of income before income tax. Ultimately, the auditors must use their professional judgment to decide on the planning materiality amount. Overall, the research by Eilifsen and Messier indicate there is significant agreement among the large firms regarding both the benchmarks used and the percentages applied to the benchmarks for determining planning materiality.

Using the Boeing example from the Professional Environment box discussion above, assume that planning materiality is $502 million. Does this mean auditors will only look for errors or misstatements that are $502 million or larger? If an account balance is less than $502 million, will auditors not perform any audit procedures on that account? The answer to both of these questions is no. Auditors plan the audit to detect material misstatements, but they must also consider the effects of smaller misstatements that may be immaterial on their own but, when added with other immaterial misstatements, may be material to the financial statements as a whole. In addition, what about misstatements that may not be detected during the audit? Auditors need to consider some margin of error for misstatements that may not be 2 A. Eilifsen and W. F. Messier, Jr., “Materiality Guidance of the Major Public Accounting Firms,”Auditing: A Journal of Practice & Theory 34, no. 2 (2015), pp. 3–26. 3

Ibid.

 Materiality 3-13

detected due to the sampling procedures used in an audit. Therefore, after determining planning materiality, auditors must determine performance materiality at the account or disclosure level. Performance materiality is an amount set by the auditor that is less than planning materiality and is used to make decisions about the extent of audit procedures for a particular class of transaction, account balance, or disclosure. Performance materiality at the individual account level should be less than the planning materiality. For example, if the planning materiality for Boeing is $502 million, auditors may decide that one-third that amount, $167 million, is an appropriate performance materiality at the account level. Auditors would then plan and perform their audit procedures using the performance materiality amount of $167 million to determine if individual accounts or transactions were materially misstated. If any account balances are less than the performance materiality amount, auditors may decide not to perform detailed audit procedures on the account because the entire account balance is considered immaterial. For example, in Note 9 of the December 31, 2017, Boeing financial statements, the “other investments” account has a balance of $30 million. Since $30 million is well below the performance materiality of $167 million, auditors would spend minimal time performing detailed audit testing on that account. As we have discussed, auditors also consider qualitative factors when deciding if an account is material. For example, in Note 5 of the December 31, 2017, Boeing financial statements, the “valuation allowance” account for accounts receivable has a balance of $62 million. At first glance this account balance may seem immaterial. However, the related account, accounts receivable, is a material amount ($10.516 billion) so the valuation allowance will be audited in conjunction with accounts receivable. In addition, since the valuation allowance is an estimate, there is risk that management may be biased when determining the amount of the allowance. Management might be overly optimistic about collection of receivables and underestimate the allowance, which would lead to overstated net accounts receivable. Therefore, because of these qualitative factors, auditors will perform detailed audit testing on the valuation allowance even though the balance is less than performance materiality. The use of performance materiality should reduce the probability that the sum of immaterial and/or undetected misstatements in the financial statements is greater than materiality for the financial statements as a whole. The auditing standards do not provide any guidelines for the determination of performance materiality. As stated in AU-C 320 Materiality in Planning and Performing an Audit: The determination of performance materiality is not a simple mechanical calculation and involves the exercise of professional judgment. It is affected by the auditor’s understanding of the entity, updated during the performance of the risk assessment procedures, and the nature and extent of misstatements identified in previous audits and, thereby, the auditor’s expectations regarding misstatements in the current period. (para. A14) Overall, the determination of both planning and performance materiality is a subjective process that will vary across firms and across clients, and it may change during the performance of an audit. The materiality level is a starting point for auditors to do the following: 1.  Determine the type and extent of risk assessment procedures to be performed. 2. Identify and assess the risk of material misstatements occurring at the financial statement level and the account balance level. 3.  Begin development of an audit strategy. This discussion of materiality can be concluded with an example of how the concept of materiality impacts the planning of the audit. If auditors determine a higher planning materiality level (higher dollar amount) is appropriate, then they will plan to gather less extensive audit evidence. A lower materiality level (lower dollar amount) will translate to auditors performing more extensive audit procedures to ensure that material misstatements will be detected. In other words, holding everything else constant, as the auditor’s evaluation of materiality decreases, the auditor is looking to obtain a more precise conclusion about the financial statements. The increased precision of the audit will cause the auditor to perform more extensive audit procedures.

performance materiality  amount or amounts set by the auditors at less than the materiality level for particular classes of transactions, account balances, or disclosures

3-14  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy

Audit Reasoning Example  Materiality Consider the following information (amounts in millions): Revenues Total assets Pretax income

2022

2021

2020

$1,810.0

$1,941.0

$1,916.0

1,600.0

1,721.0

1,774.0

1.5

45.2

31.9

In 2020 and 2021, the auditor used 5% of pretax income as a base for planning materiality. However, in 2022 pretax income was abnormally low while revenues and total assets had not shown the same level of change. Because pretax income was less than eight-tenths of 1% of revenue (the company basically broke even for the year), the auditor decided to use ½ of 1% of the lesser of total revenues or total assets as the base for determining planning materiality. Both revenues and assets showed more stability than pretax income in 2022.

Cloud 9 - Continuing Case Throughout their conversation, Suzie and Ian have been discussing “material” misstatements in financial statements. Ian asks, “Isn’t materiality just a number? Companies of about the same size would have the same materiality level, right?” Suzie explains that they will use a percentage of a benchmark, such as income before taxes or total revenue, as a starting place for determining materiality. Then, they will consider increasing or decreasing that amount based on qualitative factors specific to the Cloud 9 audit. For example, since Cloud 9 is a public company subject to regulation and more public scrutiny, the audit team may decide to

decrease materiality, which means the team will perform more extensive audit procedures. “Knowledge of the client’s industry is important for determining materiality,” continues Suzie. “We must be familiar with the client’s operations and the industry to understand what is important, or material, to the users of the client’s financial statements.” Ian is worried about getting the materiality level right. “What if we set it too low or too high?” Suzie explains that all parts of the audit plan, including the materiality decisions, will be reviewed throughout the audit and revised, if necessary.

Before You Go On 3.1 What is qualitative materiality? 3.2  What is quantitative materiality? 3.3 What is performance materiality?

Professional Skepticism and Audit Risk Lea rning O bjective 4 Explain professional skepticism and apply the audit risk model. As depicted in Illustration 3.5, two more key concepts that apply to all phases of the audit are professional skepticism and audit risk. These concepts were first introduced in Chapter 1 and will be explained in more detail next.

 Professional Skepticism and Audit Risk  3-15

Professional Skepticism Auditors have a responsibility to plan and perform an audit with professional skepticism. Professional skepticism is an attitude adopted by auditors when conducting all phases of the audit. It means that auditors remain independent of the entity, its management, and its staff when completing the audit work. In a practical sense, professional skepticism means auditors maintain a questioning mind and thoroughly investigate all evidence presented by the client (AS 1015.07). For example, AU-C 200.A22 states auditors should be skeptical if any of the following arise during the audit: •  Audit evidence recently gathered that is contradictory to other evidence previously gathered. •  New information that brings into question the reliability of client documents or responses to auditor inquiries. •  Conditions that may provide evidence of possible fraud. •  Situations that indicate the need for additional audit procedures beyond what is required by generally accepted auditing standards. Does maintaining professional skepticism mean auditors should assume client management is being dishonest? The answer is no. Auditors should not assume management is dishonest, but at the same time, auditors should not assume management is always honest or correct. Using professional skepticism means that even if auditors believe management and those charged with governance are being honest, they should gather reliable evidence to support management’s responses to auditor inquiries and to support amounts and disclosures in the financial statements. Throughout all phases of the audit, auditors should keep these questions in mind when gathering audit evidence: Is this information reliable? Do we need to perform more audit procedures? When auditors exercise professional skepticism during the risk assessment phase, it helps to ensure they are using appropriate assumptions when developing their audit strategy that will be used in the risk response phase. In the reporting phase, auditors use professional skepticism when evaluating the evidence gathered and forming an opinion that the financial statements are presented fairly.

Audit Reasoning Example  Professional Skepticism An auditor was auditing a recreational vehicle (RV) dealership. The auditor had obtained some initial financial information from the client showing unaudited results for the end of the third quarter. Sales were up and profit margins were up, making it the best year so far for the client. Interim records showed that inventory was also up, and the client’s inventory records showed over 300 RVs on hand at the end of the third quarter. The audit senior went to talk to the audit manager about the good news and the client’s performance. The audit manager asked the senior a key question. “You did the inventory observation last year. How many RVs did the client have then?” “I think it was about 210,” the senior replied. Then the audit manager asked, “How full was the lot last year?” The senior replied that it was “almost overflowing” the year before. The manager then said, “Let’s look at this more skeptically. I don’t think they have storage capacity for another 90 RVs even though sales are up. There could be an error in the inventory records. This information makes me believe that the existence of inventory is a very high inherent risk.”

Audit Risk Audit risk is the risk that an auditor expresses an inappropriate audit opinion when financial statements are materially misstated (AU-C 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards and AS 1101 Audit Risk). This means the audit report states the financial statements are presented fairly, in all material respects, when in actuality the financial statements contain a material error or fraud. While it is impossible to eliminate audit risk, auditors aim to reduce it to an

professional skepticism  an attitude that includes a questioning mind, being alert to conditions that may indicate possible misstatement due to fraud or error, and a critical assessment of audit evidence

3-16  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy

inherent risk  the susceptibility of an assertion to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls assertions  statements or representations, explicit or implied, made by management regarding the recognition, measurement, presentation, and disclosure of items included in the financial statements ILLUSTRATION 3.6   Examples of inherent risk traits for accounts or assertions

significant risk  an identified and assessed risk of material misstatement that, in the auditor’s judgment, requires special audit consideration

acceptably low level. During the risk assessment phase, auditors will perform audit procedures to identify transactions and accounts where the risk of material misstatement is highest. The first stage in audit risk assessment involves the identification of accounts and related assertions most at risk of material misstatement, referred to as inherent risk. An assertion is a statement or representation, explicit or implied, made by management regarding the recognition, measurement, presentation, and disclosure of items included in the financial statements and notes. Assertions help guide the procedures conducted by auditors and are discussed in more depth in Chapter 5. Inherent risk assessment is affected by factors both internal and external to the client. For example, if a client sells valuable goods (e.g., jewelry), there is a risk of overstatement of inventory as goods may be stolen but remain recorded in the client’s books. Therefore, there is a risk that management’s assertion, or claim, that recorded inventory exists is not valid. In this example, the auditor may spend more time testing the existence assertion of recorded inventory than in the case of a client that sells lower-valued goods (e.g., office supplies). Illustration 3.6 provides examples of traits that would indicate higher or lower inherent risk for accounts or assertions. Higher Inherent Risk Traits

Lower Inherent Risk Traits

Transactions or account balances derived from significant estimates

Transactions or account balances easily confirmed with reliable sources

Technological developments in the client’s industry Technological developments a minimal factor increase the risk of obsolescence of certain assets in the valuation of the client’s assets Client location at risk of natural disasters such as hurricanes and flooding

Client location has minimal risk of being affected by a natural disaster

Client’s industry experiencing a period of decline

Client’s industry is thriving

Client has insufficient working capital and is at risk of violating loan contracts

Client has sufficient working capital and is not at risk of violating loan contracts

When identifying accounts and related assertions at risk of material misstatement, some risks are classified as being more significant than others. A significant risk is an identified and assessed risk of material misstatement that, in the auditor’s judgment, requires special audit consideration (AU-C 315 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement and AS 2110 Identifying and Assessing Risks of Material Misstatement). When classifying risks as being significant, consideration is given to whether the risk involves: •  Fraud. •  Significant economic or accounting developments. •  Complex transactions. •  Significant related-party transactions (discussed further in Chapter 4). •  Significant subjectivity in measurement of financial information. •  Significant transactions outside the client’s normal course of business.

control risk  the risk that a client’s system of internal controls will not prevent or detect a material misstatement on a timely basis

The second stage in audit risk assessment involves gaining an understanding of the client’s system of internal controls. Auditors assess control risk, which is the risk that a client’s internal controls will not prevent or detect a material misstatement on a timely basis. Auditors are interested in whether the client has controls in place that are designed to minimize the risk of material misstatement for each account and related assertion identified as being high risk by the auditors. In the above example, if a client sells jewelry, auditors will assess whether the client has controls in place, such as a security system, to reduce the risk that inventory may be stolen. Finally, the assessed level of inherent and control risk for each assertion will guide audi­ tors in developing their audit strategy to gather appropriate audit evidence. This final assessment will depend upon the assessed risks of the account and related assertion and the deemed effectiveness of the client’s system of internal controls.

 Professional Skepticism and Audit Risk  3-17

Cloud 9 - Continuing Case Ian is still struggling with the idea of risk. He knows that audit risk is the risk that the auditor issues the wrong audit report, or gives an inappropriate audit opinion, and that audit risk is related to the client’s circumstances. But how does that actually work in practice? What does an auditor do differently for each audit? “Let’s break this down,” Suzie advises. “Auditors face the risk of stating that in their opinion the financial statements are not materially misstated, when in fact they are. So, how does a material misstatement get into the published financial statements?” Ian works through the logic. “First, the error has to be created, either by accident or on purpose. Second, the client’s internal control system must fail to either prevent the error getting into the accounts or detect the error once it is in the system. And, finally, the auditor has to fail to find the error during the audit.” “Correct!” says Suzie. “Now, before we go on, I want to break down the idea of ‘financial statements,’ too. The financial statements are the balance sheet (statement of financial position), income statement (statement of comprehensive income), cash flow statement (statement of cash flows), statement of changes in equity, and all the notes. So when we talk of the risk of misstatements, we are referring to the risk of misstatement in every line item in each of these statements. If we focus on just one line in a balance sheet—say, accounts receivable—what are the possible misstatements that could occur?”

Ian tries to work through the logic again. “The amount could be either understated or overstated. I suppose there are lots of errors that could occur. Obviously, basic math mistakes and other clerical errors could affect the total in either direction. In addition, accounts receivable would be understated if management omitted some customer receivables when they calculated the total. I think the deliberate ‘mistakes’ are more likely to overstate accounts receivable because that makes the balance sheet look better, and probably means profit is overstated, too. Accounts receivable would be overstated if some of the receivables management claimed in the total did not exist at year-end, did not belong to Cloud 9, were overvalued because bad debts were not written off, or sales from the next period were included in the earlier period.” “Very good,” says Suzie. “It is the same for every line item. Every time management prepares a financial statement, they assert that all these errors did not occur—that all the individual items in the financial statements are not materially misstated. The auditor has to break down the financial statement audit into accounts and assertions and consider the risk of misstatement for each assertion for each account or transaction class. The auditor deals with the risk of material misstatement of the entire set of financial statements by gathering evidence at the assertion level for each account. Then, all the evidence is put together so the auditor can form an opinion on the overall financial statements.”

The Audit Risk Model and Its Components Inherent risk and control risk are the client’s risks and exist separately from the audit of the financial statements. In other words, the auditors have no control over a client’s inherent and control risks. Inherent risk is driven by industry, economic, and client factors that are out of the control of the auditor. Control risk is impacted by the client’s design and implementation of internal controls, which are also out of the control of the auditor. When these two risks are combined, we refer to it as risk of material misstatement. The risk of material misstatement (RMM) is the risk that the financial statements are materially misstated prior to the audit (AU-C 200.14). Risk of material misstatement exists at the financial statement level and at the assertion level. At the financial statement level, the risk of material misstatement refers to risks that affect the financials as a whole. For example, if a client purchases a new computer system and does not adequately train staff in its use, there is a risk of errors when recording transactions used to prepare the financial statements. In this scenario, all accounts are at risk of material misstatement. At the assertion level, the risk of material misstatement refers to risks that affect classes of transactions, account balances, and disclosures. For example, if a client sells goods overseas, there is a risk that transactions may not be recorded correctly using appropriate exchange rates at the date of each transaction. In this scenario, revenue and accounts receivable are at risk of material misstatement. RMM considers (1) the inherent risk that an assertion is misstated and (2) the effectiveness of the internal controls in preventing, or detecting and correcting, misstatements on a timely basis. Therefore, auditors must identify client characteristics that place its financial statements at risk of material misstatement (inherent risk) and determine whether controls designed to limit such a risk exist and are effective (control risk). Once RMM has been assessed, auditors can plan the audit procedures to be performed in response to the assessed RMM. This leads us to the final component of audit risk, which is detection risk. Detection risk is the risk that the auditor’s procedures will not be effective in detecting a material misstatement should there be one. Detection risk is the only component of audit risk that can be controlled by the auditor, which we will discuss in more depth next. But note that it is

risk of material misstatement (RMM)  the risk that the financial statements are materially misstated prior to the audit; a combination of inherent risk and control risk

detection risk  the risk that the auditor’s testing procedures will not be effective in detecting a material misstatement

3-18  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy

impossible to reduce any of these risks to zero. Risk will always exist in an audit, whether it is from economic or industry factors (inherent risk), a failure of an internal control (control risk), or a failure of an audit procedure (detection risk). Audit risk can be presented in a model that indicates the relationship between its components (AU-C 200.A36). The model states that audit risk is a function ( f ) of risk of material misstatement (which consists of inherent risk and control risk) and detection risk, as illustrated below.

AR = f(RMM * DR) AR = f(IR * CR * DR) where: AR = Audit risk RMM = Risk of material misstatement IR = Inherent risk CR = Control risk DR = Detection risk

Auditors plan and perform their audit to keep audit risk at an acceptably low level (AU-C 200). If inherent and control risks are high for an assertion, the auditor will set detection risk as low, to maintain a low audit risk. Illustration 3.7 provides an example of a high risk assertion at the account level. After reviewing the example, you’ll see there is an inverse relationship between the risk of material misstatement (inherent and control risks combined) and detection risk (as set by the auditor). A low detection risk means the auditors increase the amount of detailed audit procedures used to test the year-end account balances and transactions from throughout the year. ILLUSTRATION 3.7   High risk assertion with qualitative analysis

Audit risk =

Low

Risk of material misstatement Inherent risk

Control risk

High

High

Detection risk

Low

Audit Reasoning Example  High Risk Assertion A client sells high-end fashion clothing and has inadequate security. Inherent risk is high for the existence assertion of inventory as clothing may be stolen. Control risk is high since there is inadequate security, which increases the risk of theft. The auditor cannot rely on the client’s security system to reduce the risk of material misstatement associated with the existence of inventory. The auditor will set a low detection risk and spend more time performing audit procedures to determine that recorded inventory actually exists.

Audit Reasoning Example  High Risk Assertion A client is an importer with inexperienced clerical staff. Inherent risk is high for the accuracy assertion of recorded purchases as they involve foreign currency translation. Control risk is high as clerical staff are inexperienced and not accustomed to recording complex foreign currency transactions. The auditor will set a low detection risk and spend more time performing audit procedures to determine that purchases are recorded at appropriate amounts.

 Professional Skepticism and Audit Risk  3-19

The audit risk model can also be used for quantitative analysis in which all risks are stated as a percentage ranging from 1% to 100%. Suppose auditors want to keep audit risk low at 1%, which means a 1% risk they will issue an inappropriate opinion. If inherent risk and control risk are both high, say 100% inherent risk and 80% control risk, then what will detection risk be? Refer to Illustration 3.8 for the mathematical analysis. Solving for detection risk, the answer would be a 1.25% risk that the auditors’ procedures will not be effective in detecting a material misstatement. Another way to state it is the auditors are 98.75% confident that their audit procedures will detect a material misstatement if present. A 1.25% detection risk is a low detection risk, which implies auditors will perform extensive detailed testing of related account balances and use larger sample sizes.

Audit risk

Risk of material misstatement

Detection risk

=

Inherent risk

×

Control risk

×

.01

=

1.00

×

.80

×

?

.01

=

1.00

×

.80

×

.0125

ILLUSTRATION 3.8   High risk assertion with quantitative analysis

In contrast, if inherent risk and control risk are low, the auditor can set detection risk as high. Review Illustration 3.9 for an example of this situation. Remember, there is an inverse relationship between the risk of material misstatement (inherent and control risks combined) and detection risk (as set by the auditor). By setting detection risk as high, auditors reduce the level of reliance placed on their detailed testing of the account balance or transactions. Auditors are not eliminating the detailed testing of account balances and transactions; rather, they are acknowledging that the account, transaction class, or assertion is low risk. If risk of material misstatement is low, then extensive detailed testing is not required.

Audit risk =

Low

Risk of material misstatement Inherent risk

Control risk

Low

Low

ILLUSTRATION 3.9  

Detection risk

High

Audit Reasoning Example  Low Risk Assertion A client sells concrete pipe and has a high-voltage fence surrounding the pipe inventory. Inherent risk is low for the existence assertion of inventory as concrete pipe is very heavy and difficult to move. It is unlikely that recorded pipe does not exist. After testing that the security system is working and has been operational throughout the year, the auditor can set control risk low. In this case, the auditor will need to spend less time performing detailed audit procedures to determine that recorded pipe actually exists.

Audit Reasoning Example  Low Risk Assertion A client has implemented a strong system of internal controls over purchases of raw materials (e.g., grain). Inherent risk is low for the accuracy assertion of recorded purchases as the pricing of raw materials is not complex. After testing that programmed controls and related manual

Low risk assertion with qualitative analysis

3-20  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy follow-up are working properly, the auditor will verify that access to the program is limited to authorized personnel and that the program has not been tampered with. When the auditor is satisfied the program is working well and the client’s controls are effective, the auditor can set control risk as low. In this case, the auditor will spend less time performing detailed audit procedures on raw materials to determine that the recorded amount is accurate.

Using the quantitative analysis, suppose auditors assess inherent risk and control risk as low: 30% and 5%, respectively. Refer to Illustration 3.10 for the mathematical analysis. Solving for detection risk, the answer would be a 67% risk that the auditors’ procedures will not be effective in detecting a material misstatement. This is a stark contrast to the detection risk of 1.25% in Illustration 3.8. But remember, as inherent risk and/or control risk decrease, detection risk will increase, reflecting that less extensive substantive testing will be conducted by auditors because the client’s internal controls are effective for the related account balance and assertion.

ILLUSTRATION 3.10   Low risk assertion with quantitative analysis

Audit risk

Risk of material misstatement

Detection risk

=

Inherent risk

×

Control risk

×

.01

=

.30

×

.05

×

?

.01

=

.30

×

.05

×

.667

The quantitative analysis highlights the role of detection risk in changing how auditors respond to their client’s risk of material misstatement. As stated earlier, inherent risk and control risk are the client’s risks, and the auditor has no control over them. Auditors can only assess the level of inherent and control risks. Auditors can control detection risk by planning to perform more or less detailed audit procedures. The components of the model can be rearranged to solve for detection risk as follows:

DR = AR ÷ RMM where: DR = Detection risk AR = Audit risk RMM = Risk of material misstatement

The examples provided in this section are extremes. The reality will often fall somewhere in between, where inherent risk is high, but the client has an effective system of internal controls in place to mitigate that risk. For example, a client sells high-end fashion clothing and has effective security and controls, so the risk of material misstatement for the existence assertion of inventory is low. Alternatively, if inherent risk is low, the client may not consider it worthwhile investing in sophisticated control procedures (that is, any benefit is perceived to exceed the cost). For example, a client sells concrete pipe and has minimal security controls because the pipe would be very difficult to steal. In both cases, auditors will perform less extensive audit procedures when testing the existence of inventory.

  Audit Strategy  3-21

Cloud 9 - Continuing Case Cloud 9 sells athletic shoes and apparel. The shoes are likely to “go out of fashion” reasonably quickly, making obsolescence a big issue. These factors affect the inherent risk of inventory valuation. There is also a risk of errors occurring in transactions with suppliers and customers, which will affect inventory balances. How high

is the control risk? Much to Suzie’s delight, Ian suggests they will be able to make better assessments of both inherent and control risk for all assertions once they have a better understanding of the client and its system of internal control.

Before You Go On 4.1 Why is an attitude of professional skepticism important for auditors? 4.2  What is significant risk? 4.3 What are the components of the audit risk model? 4.4 What is the relationship between risk of material misstatement and detection risk?

Audit Strategy Lea rning Objective 5 Explain how auditors determine their audit strategy and how audit strategy affects audit decisions. The results of the auditor’s determination of materiality and audit risk lead to the development of an overall audit strategy. The audit strategy provides the basis for developing an audit plan that details the nature, extent, and timing of audit procedures to be performed. The nature of an audit procedure refers to what type of procedure will be used, such as tests of controls or substantive procedures. The auditor also needs to determine that the evidence collected is both reliable and relevant to the assertion being tested. The extent of an audit procedure refers to how much testing will be done, for example, how large of a sample size to use. Detection risk influences decisions about sample size. For example, when detection risk is low, auditors will use larger sample sizes than when detection risk is high. The timing of an audit procedure refers to when it will be performed. The determination of when procedures will be performed is dependent on the effectiveness of the client’s controls and will be further discussed below. The process of developing an audit strategy helps auditors allocate audit resources efficiently and make decisions such as which audit staff will be assigned to the audit, a time budget for the completion of the audit, and a schedule for when certain audit procedures will be performed. Illustration 3.11 illustrates a general timeline of when audit activities occur for the audit of a client that uses a calendar year-end. Most of the audit planning and risk assessment occur during the second and third quarters of the client’s accounting year. The period referred to as “interim” is typically during the latter part of the third quarter and into the fourth quarter. The “year-end” period is just before the client’s balance sheet date and the 4- to 6-week period after the client’s year-end. The period is referred to as “year-end” because the client’s accounting year has substantially finished and the account balances reflect the totals for the year under audit. In the audit of private companies, many times the auditor will not begin

audit strategy  the determination of the amount of time spent testing the client’s internal controls and conducting detailed testing of transactions and account balances nature of an audit procedure  the determination of what type of audit procedure to use, such as tests of controls or substantive procedures tests of controls (controls testing)  audit procedures designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level substantive procedures (substantive testing or tests of details)  audit procedures designed to detect material misstatements at the assertion level extent of an audit procedure  the determination of the quantity of audit procedures to be performed timing of an audit procedure  the determination of when an audit procedure is to be performed

3-22  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy

“year-end” procedures until several weeks after year-end when the client has completed all year-end closing procedures. This timeline will be a helpful resource for you as we discuss audit strategy and activities occurring during the different phases of the audit. The remainder of this section discusses two broad audit strategies that auditors can follow. These strategies are detailed in depth in AU-C 330 Performing Audit Procedures in Response to Assessed Risks and Evaluating Audit Evidence Obtained and AS 2301 The Auditor’s Responses to the Risks of Material Misstatement. ILLUSTRATION 3.11   Timeline of audit activities

Risk Assessment Phase

Risk assessment and audit planning

1/1/2022

6/30

Risk Response Phase

Interim testing

9/30

Reporting Phase

Year-end substantive testing

Issue audit report

11/30 1/31 12/31/2022 2/15

3/31/2023

Period covered by the 2022 financial statements

Reliance on Controls Approach An audit strategy is developed at the account or assertion level, such as for accounts receivable, inventory, and other line items on the financial statements. The first step is to identify inherent risks at the account or assertion level during the risk assessment phase when auditors are gaining an understanding of the client and the environment in which it operates, which is discussed in depth in Chapter 4. If inherent risk is determined to be high for an account or assertion, the next step is to determine if an internal control is in place to mitigate the risk of a material misstatement. If an internal control is in place, auditors will determine if the control is operating effectively—that is, does it work? Auditors will usually perform tests of controls during interim testing. If results from the tests of controls show the internal control is effective at preventing and/or detecting material misstatements, auditors will conclude that control risk is low and overall risk of material misstatement (RMM) is low. Recall that RMM is a function of both inherent risk and control risk. Therefore, an effective internal control can mitigate the high inherent risk for an account or assertion. If RMM is low, the audit strategy will be to rely more on the client’s internal controls and less on the auditor’s substantive procedures. The nature, extent, and timing of substantive procedures would be adjusted since the client’s internal control is strong. For example, auditors may perform substantive procedures for balance sheet accounts one or two months prior to year-end, rather than at year-end, and may decide to use smaller sample sizes since RMM is low. Performing substantive procedures one or two months prior to year-end for lower-risk accounts, rather than waiting to perform the procedures at year-end, helps auditors use their time efficiently. The year-end time period can be more focused on performing substantive procedures for higher-risk accounts and assertions. Note that auditors can never completely rely on a client’s system of internal controls and will always conduct some substantive procedures to gather evidence regarding the account balances in the financial statements.

  Audit Strategy  3-23

Audit Reasoning Example  Existence of Inventory Jennifer is auditing a private company that manufactures batteries for cell phones. The company has good perpetual inventory records and inventory controls. In the prior year audit, tests of controls confirmed the company had excellent internal controls over inventory. In planning this year, based on inquiries with various client personnel, the system has not changed. Therefore, Jennifer is planning to test controls at an interim date, and if this year’s tests of controls confirm that controls continue to be strong, she will also perform substantive procedures on the existence of inventory at an interim date.

Illustration 3.12 provides a diagram of the process used when developing the audit strategy for an account or assertion. Notice that the left side of the diagram provides an overview of the reliance on controls approach described in this section.

ILLUSTRATION 3.12   Process used when developing an audit strategy at the account or assertion level

Identify inherent risks at the account or assertion level

Determine whether an internal control(s) can mitigate the risk factor

Does the control(s) exist?

NO

NO

Substantive Approach

Reliance on Controls Approach

YES

YES

Test the control(s)

Is the control(s) effective? Does it work?

YES

Perform less extensive detailed substantive procedures at interim

NO

Increase extent of detailed substantive procedures performed at year-end

3-24  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy

Substantive Approach Referring to Illustration 3.12, the substantive approach is detailed on the right side of the diagram. The process for a substantive approach begins in the same way as a reliance on controls approach. Auditors identify inherent risks at the account or assertion level during the risk assessment phase. If inherent risk is determined to be high for an account or assertion, the next step is to determine if an internal control is in place to mitigate the risk of a material misstatement. If there is no internal control in place, auditors assess RMM as high since both inherent and control risk are high. If there is an internal control in place, auditors may decide to test the effectiveness of the internal control. The test of controls may reveal that the internal control is not operating effectively. This situation would also cause auditors to assess RMM as high. If RMM is high, the audit strategy will be to perform extensive detailed substantive procedures and place little or no reliance on the client’s internal controls. The nature, extent, and timing of substantive procedures would be adjusted since the client’s internal control is weak or nonexistent. For example, auditors will perform their substantive procedures at year-end so the entire account balance can be tested rather than testing at interim when the account balance is not yet reflecting the entire year’s activity. Auditors will also use larger sample sizes and perform more extensive substantive procedures since RMM is high and detection risk is low. Illustration 3.12 illustrates the extreme of each approach, but auditors can also use a blended approach. For example, if inherent risk is assessed as moderate or low, auditors may decide to perform some tests of controls or not perform any tests of controls. The decision regarding control testing would then impact the nature, extent, and timing of the substantive procedures. Control risk and the testing of controls are discussed further in Chapters 6 and 8. Essentially, the process of determining an audit strategy for an account or assertion is heavily influenced by materiality, professional skepticism, and the risk of material misstatement.

Audit Reasoning Example  Valuation of Inventory Jennifer is auditing a private company that manufactures batteries for cell phones. While the company has good perpetual inventory records and inventory controls, Jennifer is concerned about reported problems with lithium-ion battery fires. It is not clear that the industry has solved these problems. The company has already noted a slowing in sales of one battery model. As a result, Jennifer is concerned about the lower-of-cost-or-net-realizable-value (LCNRV) issues that may arise by year-end. Will the company have problems selling the inventory of batteries on hand at year-end? Because of the volatile market of lithium-ion batteries, Jennifer plans to audit the valuation of inventory at net realizable value after year-end using a primarily substantive approach.

Cloud 9 - Continuing Case Suzie explains that Cloud 9’s audit could be planned and conducted in different ways, depending on the audit strategy adopted. In fact, the overall audit strategy sets the scope, timing, and direction of the audit, and guides the development of the detailed audit plan. “What audit strategy would be suitable for Cloud 9? Start by thinking about the scope of the audit,” she prompts. “The scope is about the different types of work we have to do—some audits have extra requirements.” “I suppose we should find out if Cloud 9 has any special requirements. The fact that it is a public company means we must follow the PCAOB auditing standards and conduct an audit of both the financial statements and the effectiveness of internal controls,” Ian suggests. “That is a good start,” says Suzie. “What else?”

“Well, I can think of several other things, such as whether any other auditors will be involved, whether there are any foreign currency translation issues, any industry-specific regulations (although I don’t think this is as big an issue for clothing and footwear as it would be for banks, for example), whether there are any service organizations involved such as payroll services, and whether software-aided audit technology is going to be used.” “Very good,” says Suzie. “That will do for now. What about timing issues? Are there any special things we should take into account for Cloud 9?” “What is the date the audit has to be finished?” asks Ian. “Good question,” says Suzie. “We will have a deadline, so we obviously have to work toward it.”

  Fraud Risk  3-25

“Also,” says Ian, “when are our staff available, and when are Cloud 9’s key people available to talk to us?” “Yes,” says Suzie. “This is all basic. But if we don’t ask these really important questions, we will find ourselves unable to meet the deadline and perhaps under pressure to cut corners. We also have to think about timing of requests to third parties for information. Now, can you think of anything regarding the direction of the audit?” “I understand about the extra requirements and working out the timing. But I don’t really know what you mean by direction,” Ian says, confused. “We have already discussed it to some extent,” Suzie explains. “Remember when we spoke about the risk for Cloud 9 created by obsolescence of inventory, and errors occurring with transactions with customers and suppliers? ‘Direction’ is about where we think there should be extra attention because of higher risk, and how we give that extra attention. We could, for example, make sure we have suitable experts available, if required, to value the inventory. This is also where we bring in our work on

materiality, both setting materiality for planning purposes, and identifying the material account balances. In our plan, we need to allocate additional time to areas where there may be higher risk of material misstatement. And, one of our biggest tasks will be considering the evidence about the design and operating effectiveness of internal controls at Cloud 9, which we haven’t yet considered in detail.” “I see,” says Ian. “If we assess the internal controls as being strong, then we plan to do more testing of controls (to confirm our assessment), and less testing of the underlying substance of transactions and account balances. We have to put this in our plan now. But what if our first thoughts about controls are wrong? Will our plan be wrong?” “That happens,” replies Suzie. “That is why our initial plan is constantly changing as we gather more information about the client. Particularly, as in this case, for a new client that we don’t have a lot of detailed information on yet. However, we already know what accounts are important to Cloud 9—the client’s previous years’ financial statements and interim results show us that.”

Before You Go On 5.1 What is the purpose of developing an overall audit strategy? 5.2  Describe the audit strategy when the auditor adopts a predominantly substantive approach. 5.3 Why would the auditors adopt a reliance on controls approach?

Fraud Risk Lea rning Objective 6 Explain the fraud risk assessment process and analyze fraud risk. During the risk assessment phase of the audit, auditors assess the risk of material misstatement due to error or fraud. Error refers to an unintentional misstatement in amounts or disclosures in the financial statements. Fraud, however, is an intentional act involving the use of deception that results in the misstatement of financial statements that are being audited (AU-C 240.11 and AS 2401.05). As you can imagine, fraud can be difficult to uncover because the perpetrator(s) will go to great lengths to conceal the deception. Therefore, auditors should adopt an attitude of professional skepticism to ensure any indicator of a potential fraud is properly investigated. This means auditors must remain independent of the client, maintain a questioning attitude, and search thoroughly for corroborating evidence to validate information provided by the client. Auditors must not assume that past experience with the client’s management and staff is indicative of the current risk of fraud. Auditors should be alert for red flags4 that indicate a fraud may have occurred. Examples of red flags include: •  Substantial discrepancy between financial growth and growth in related nonfinancial measures. •  A high turnover of key employees. 4

J. D. Wilson and J. J. Root, Internal Auditing Manual, 2nd ed. (Warren, Gorham & Lamont, 1989).

error  an unintentional misstatement in amounts or disclosures in the financial statements fraud  an intentional act through the use of deception that results in a misstatement in financial statements that are the subject of an audit

3-26  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy

•  Key employees with accounting or internal control responsibilities refusing to take leave. •  Overly dominant management. •  Poor compensation practices. •  Inadequate training programs. •  A complex business structure. fraudulent financial reporting  intentional misstatements, including omissions of amounts and disclosures in financial statements, to deceive financial statement users misappropriation of assets  intentional theft of a company’s assets by employees

•  No (or ineffective) internal auditing staff. •  A high turnover of auditors. •  Unusual transactions such as large adjusting entries at the end of a period. •  Weak internal controls. There are two kinds of fraud. Fraudulent financial reporting is intentionally misstating items or omitting important facts from the financial statements. Misappropriation of assets involves some form of theft. Illustration 3.13 provides examples of financial reporting and misappropriation of assets frauds.

illustration 3.13   Examples of frauds

Fraudulent Financial Reporting

Misappropriation of Assets

•  Improper asset valuations

•  Using a company credit card for personal use

•  Unrecorded liabilities

•  Employees remaining on the payroll after ceasing employment

•  Timing differences such as bringing forward the recognition of revenues and delaying the recognition of expenses

•  Unauthorized discounts or refunds to customers

•  Recording fictitious sales

•  Using a company car for unauthorized personal use

•  Capitalizing items that should be expensed •  Inappropriate application of accounting principles

fraud risk factors  conditions that indicate an incentive or pressure to commit fraud, provide an opportunity to commit fraud, or indicate rationalizations to justify fraudulent actions

•  Theft of inventory by employees or others •  Writing checks to fictitious vendors

The responsibility for preventing and detecting fraud rests with client management and those charged with governance. Prevention refers to the use of controls and procedures aimed at avoiding a fraud. Detection refers to the use of controls and procedures aimed at uncovering a fraud should one occur. It is the responsibility of auditors to assess the risk of fraud and the effectiveness of the client’s attempts to prevent and detect fraud via its internal control system. When assessing the risk of fraud, auditors consider the fraud risk factors that may be present, such as incentives and pressures to commit a fraud, opportunities to perpetrate a fraud, and attitudes and rationalizations used to justify committing fraud (AU-C 240.A75). Illustration 3.14 illustrates the fraud risk factors, which are explained in more depth in the following sections.

ILLUSTRATION 3.14  

Fraud risk factors

Opportunity

Fraud Pressure

Rationalization

  Fraud Risk  3-27

Professional Environment  Importance of Professional Skepticism The PCAOB periodically issues Staff Audit Practice Alerts (“Alerts”). These Alerts “highlight new, emerging, or otherwise noteworthy circumstances that may affect how auditors conduct audits under the existing requirements of PCAOB standards and relevant laws.”5 The Alerts are not rules of the board but are meant to provide guidance in the application of the standards. Alert No. 10, Maintaining and Applying Professional Skepticism in Audits, was issued on December 4, 2012. The purpose of Alert No. 10 is to remind auditors of the requirement to appropriately apply professional skepticism throughout the audit, but especially in situations that involve significant management judgment and in the consideration of fraud. During inspections of the work of registered accounting firms, PCAOB inspectors found many instances of auditors failing to appropriately apply professional skepticism in certain aspects of the audit. Alert No. 10 identifies some impediments to the application of professional skepticism of which auditors should be aware. One impediment is unconscious human bias toward client preferences. For example, auditors may feel pressure to maintain good client relationships to ensure future audit engagements. This could cause auditors to rationalize or evaluate information in a manner that is consistent with what the client wants rather than what would be in the best interests of external users of the financial statements. Other examples of human bias include an overconfidence in management, a desire to keep audit costs low, and/ or a desire to sell other services to the client. Another impediment to the application of professional skepticism is the workload of the auditors. Audit firms typically experience a “busy season” in which the audits of many of the firm’s clients happen simultaneously. Audit team partners and managers may experience heavy workloads and try to meet multiple deadlines simultaneously. They may feel pressure to complete work too quickly, which could lead to gathering less evidence than is necessary, or to gathering evidence that is the easiest to obtain rather than gathering evidence that is the most reliable and relevant. What can auditors do to improve the application of professional skepticism throughout the audit process? PCAOB standards

require that registered audit firms establish a system of quality control to provide reasonable assurance that audit personnel are complying with professional standards. Some elements of a firm’s quality control system that can help ensure the appropriate application of professional skepticism include: •  Firm culture—Communication from firm leadership should emphasize the application of professional skepticism. •  Performance appraisal, promotion, and compensation processes—Firm personnel should be rewarded for adhering to professional standards in performing the audit rather than rewarded for getting work done faster or selling more services to existing clients. •  Professional competence and assigning personnel to engagement teams—Personnel assigned to audit engagements should possess the appropriate technical training and experience required for the client circumstances. •  Documentation—All areas of the audit should be properly documented. This is especially relevant for areas that require significant judgment. •  Monitoring—If a firm identifies a deficiency in which there was a failure to appropriately apply professional skepticism in performing the audit, the firm should take corrective action and modify its procedures as needed. It is the responsibility of the engagement partner to supervise the audit team members by being actively involved in planning, directing, and reviewing the work of the other team members. The partner and senior audit team members can help less experienced team members to apply professional skepticism. More senior team members may also be better equipped to challenge the financial reporting position of senior management when necessary. Ultimately, it is the responsibility of each individual auditor on the engagement team to appropriately apply professional skepticism throughout the audit to better serve the interests of external users.

Incentives and Pressures to Commit a Fraud In assessing the risk of fraud, auditors consider incentives and pressures faced by client personnel to commit a fraud. While the examples provided below indicate that client personnel may be inclined to commit a fraud, they in no way indicate that a fraud has definitely occurred. When auditors become aware of any of these risk factors, in isolation or combination, they plan their audit to obtain evidence in relation to each risk factor. Examples of incentives and pressures that increase the risk of fraud include: •  The client operating in a highly competitive industry. •  A significant decline in demand for the client’s products or services. •  Falling profits. •  A threat of takeover. •  A threat of bankruptcy. 5 PCAOB Staff Audit Practice Alert No. 10, Maintaining and Applying Professional Skepticism in Audits (December 4, 2012), www.pcaobus.org/standards/pages/guidance.

3-28  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy

•  Ongoing losses. •  Rapid growth. •  Poor cash flows combined with high earnings. •  Pressure to meet market expectations and profit targets. •  Planning to list on a stock exchange. •  Planning to raise debt or renegotiate a loan. •  The client being about to enter into a significant new contract. •  A significant proportion of remuneration tied to earnings (that is, bonuses or stock options).

Audit Reasoning Example  Fraud at Toshiba: Part I You may be familiar with Toshiba Corporation, a publicly traded Japanese company headquartered in Tokyo that makes consumer electronics, household electronics, office equipment, and more. In July 2015, the CEO of Toshiba announced he was resigning amid an accounting scandal in which profits had been overstated for the past seven years by approximately $1.9 billion (224.8 billion yen). What incentives and pressures were involved that led to the fraud? The technology industry is extremely competitive and Toshiba’s upper management set aggressive profit targets. The home electronics and appliances division was showing losses and the memory chip division was feeling pressure because of decreasing demand from Chinese electronics companies.6 As an example, in September 2012, the head of the digital products and service division was told by the CEO to improve a 24.8 billion yen loss into a 12 billion yen profit in just three days!7 Think about how the external auditor would learn about the incentives given to lower-level management. How might an internal auditor learn about these incentives?

Opportunities to Perpetrate a Fraud After identifying one or more incentives or pressures to commit a fraud, auditors assess whether a client’s employees have an opportunity to perpetrate a fraud. Auditors utilize their knowledge of how other frauds have been perpetrated to assess whether the same opportunities exist at the client. While the examples below of opportunities to commit a fraud suggest a fraud may have been committed, their existence does not mean a fraud has definitely occurred. Auditors must use professional judgment to assess each opportunity in the context of other risk indicators and consider available evidence thoroughly. Examples of opportunities that increase the risk that a fraud may have been perpetrated include: •  Accounts that rely on estimates and judgment (discussed further in Chapter 9). •  A high volume of transactions close to year-end. •  Significant adjusting entries and reversals after year-end. •  Significant related-party transactions (discussed further in Chapter 4). •  Poor corporate governance mechanisms. •  Poor system of internal control (discussed further in Chapters 6 and 8). •  A high turnover of staff with accounting or internal control responsibilities. •  A nonexistent or ineffective whistleblower system.

6 E. Pfanner and M. Fujikawa, “Toshiba Slashes Earnings for Past Seven Years,” The Wall Street Journal (September 7, 2015), https://www.wsj.com/articles/toshiba-slashes-earnings-for-past-7-years-1441589473. 7 K. Nagata, “Pressure to Show a Profit Led to Toshiba’s Accounting Scandal,” The Japan Times (September 18, 2015), http://www.japantimes.co.jp/news/2015/09/18/business/corporate-business/pressure-to-show-a-profitled-to-toshibas-accounting-scandal/#.WNJjNmQrLjA.

  Fraud Risk  3-29

•  Reliance on complex transactions. •  Transactions out of character for a business (for example, invoicing sales before delivery of the goods to customers).

Audit Reasoning Example  Fraud at Toshiba: Part II Returning to the Toshiba fraud, what opportunities existed at Toshiba for such a massive fraud to occur? Overall, there was a lack of internal controls in upper management and an unethical corporate culture led by upper management. Controls that did exist were overridden by upper management’s pressure to show profits. Compounding the problem was the Japanese culture of obedience, which disallows subordinates refusing orders from upper management. One of the areas that was heavily manipulated was estimates involving long-term projects. Estimation techniques relied heavily on internal data, and internal controls over the estimation process were easily overridden by upper management.8 It is easier to see these risk factors with hindsight. However, if you were working on the Toshiba audit, could you find the warning signs and adjust the audit appropriately?

Attitudes and Rationalization to Justify a Fraud Together with the identification of incentives, pressures, and opportunities to perpetrate a fraud, auditors assess the attitudes and rationalization of client management and staff to fraud. Attitude refers to ethical beliefs about right and wrong, while rationalization refers to an ability to justify an act. While the examples below indicate that a fraud may occur in companies where these characteristics are identified, they do not mean a fraud has occurred. Examples of attitudes and rationalizations used to justify a fraud include: •  Management and employees who do not place a high priority on the entity’s value or ethical standards. •  Management attempts to justify marginal or inappropriate accounting, on the basis of materiality, on a recurring basis. •  An excessive focus on maximization of profits and/or stock price. •  A poor attitude regarding compliance with accounting regulations. •  Rationalization that other companies make the same inappropriate accounting choices.

Audit Reasoning Example  Fraud at Toshiba: Part III In the Toshiba fraud, upper management’s rationalization for fraudulent financial reporting was to maintain the company’s stock price by maximizing profits. One thing history tells us is that fraud never successfully maintains the stock price nor maximizes profits. As a result of the Toshiba fraud, the stock price dropped about 70% from May 2015 to February 2016. Nine members of senior management resigned in the wake of the fraud, including the CEO at the time the scandal was made public, and two former CEOs who were still with the company but in different roles.9 Toshiba is also being sued by multiple groups, including a Japanese bank seeking 1 billion yen ($8.7 million) in damages on behalf of its pension fund clients, 45 overseas institutional investors seeking 16.7 billion yen in damages, and 15 different groups and individuals in Japan seeking a total of 15.3 billion yen.10

8 “Toshiba Accounting Scandal,” Summary for a meeting of the International Ethics Standards Board for Accountants (IESBA), Agenda item F-2 (September 2015), https://www.ethicsboard.org/system/files/meetings/ files/Agenda_Item_F-2_-_Toshiba_Accounting_Scandal_0.pdf. 9

Ibid.

10

T. Uranaka and M. Yamazaki, “Trust Banks Plan to Sue Toshiba over 2015 Accounting Scandal,” Reuters (January 30, 2017), http://www.reuters.com/article/us-toshiba-accounting-idUSKBN15E03A.

3-30  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy In future chapters on internal control, we will discuss the importance of “tone at the top” and the control environment. While a goal of management is to maximize profits, auditors must be alert to a management that is willing to give tacit approval of fraud in order to keep the share price high.

Fraud Risk Assessment Process Perpetrators of fraud will go to great lengths to hide their activities from auditors. That is why auditors must maintain an attitude of professional skepticism and a questioning mindset, and investigate any indicators of potential fraud. The primary procedures auditors use in the fraud risk assessment process are brainstorming among the audit team members and inquiry of management and others internal or external to the client. Auditors are required to discuss among the audit team members the susceptibility of the client’s financial statements to a material fraud. This discussion usually takes place in a “brainstorming session” in which members of the audit team are encouraged to share thoughts and ideas about how a fraud might be conducted and concealed (AU-C 240.15 and AS 2110.52). The discussion includes topics related to gaining an understanding of the entity and its environment as these topics are also related to risk of fraud. For example, discussions about changes in the client’s industry or changes in the client’s internal controls lead to ideas about why management would have an incentive or opportunity to commit fraud. The brainstorming session also serves as an opportunity for more senior members of the audit team to share important information about the client with new members of the audit team. The audit team members should be encouraged to share information about fraud risk at any time during the performance of the audit. Auditors inquire of management and other client personnel about any knowledge of fraud that has occurred. They inquire about specific internal controls that management has in place to prevent and detect fraud, and how often these controls are monitored and modified as needed. The client’s audit committee of the board of directors (discussed further in Chapter 4) should also be involved in the assessment of fraud risk. Auditors should directly inquire of the audit committee members regarding their role in fraud prevention and detection. If the client has an internal audit function, auditors also make inquiries about fraud risk assessment of the internal auditors. Auditors may also consider inquiry of external parties, such as vendors and customers, if necessary. Auditors must extensively document their fraud risk assessment. The documentation should provide details of the brainstorming session, including when it took place and the audit team members who participated. The significant risks identified by auditors and the planned audit response to those risks are also documented.

Cloud 9 - Continuing Case Suzie explains fraud risk is always present, even though actual fraud is reasonably rare, and auditors must explicitly consider it as part of their risk assessment. Being aware of the incentives, pressures, opportunities, and attitudes within the client relating to fraud helps the auditor make the assessment. Ian admits he has a little trouble understanding the difference between incentives and attitudes. He thinks he understands the concept of opportunity.

Suzie explains that incentives relate to the factor that pushes (or pulls) a person to commit a fraud. Examples include a need for money to pay debts or gamble. Attitudes, or rationalization, relate to the thinking about the act of fraud. For example, the person believes it is acceptable to steal from a mean boss; that is, the theft is justified by the boss’s “meanness.”

Before You Go On 6.1 What are the responsibilities of the client and the auditor when it comes to fraud? 6.2  Explain four incentives and pressures that increase the risk of fraud. 6.3 Explain four opportunities that increase the risk of fraud.

Key Terms Review  3-31

Learning Objectives Review 1  Evaluate client acceptance and continuance decisions. Factors to consider include the integrity of the client, such as its reputation and its attitude to risk, accounting policies, and internal controls (see Illustration 3.1). An auditor will gain an understanding of the client via communication with the client’s prior auditor (in the case of a client acceptance decision), staff, management, and other relevant parties. The final stage in the client acceptance or continuance decision process involves the preparation of an engagement letter, which sets out the terms of the audit engagement, to avoid any misunderstandings between the auditor and the client. 2  Identify the different phases of an audit. The phases of an audit include risk assessment, risk response, and reporting. During the risk assessment phase, an auditor will gain an understanding of the client, identify risks, set the planning materiality, and develop an audit strategy. During the risk response phase, an auditor will execute the detailed testing of controls, account balances, and transactions. The final phase of every audit involves reviewing all of the evidence gathered throughout the audit and arriving at a conclusion regarding the fair presentation of the client’s financial statements. The auditor will then prepare an audit report that reflects the auditor’s opinion based upon the audit findings. 3  Explain and apply the concept of materiality. Information is considered to be material if it impacts the decisionmaking process of users of the financial statements. Planning materiality guides audit planning and testing for the financial statements as a whole. Performance materiality is an amount less than planning materiality that is determined at the account balance, class of transactions, or disclosure level. Auditors consider both quantitative and qualitative factors when determining materiality. 4  Explain professional skepticism and apply the audit risk model.

Auditors are required to maintain professional skepticism, or a questioning attitude, during the planning and performance of an audit. Audit risk is the risk that an auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. The three components of audit risk are inherent risk, control risk, and detection risk. The risk of material misstatement consists of inherent risk and control risk. Both professional skepticism and audit risk are key concepts used by the auditor when developing an audit strategy. 5  Explain how auditors determine their audit strategy

and how audit strategy affects audit decisions. The assessed level of the risk of material misstatement (RMM) for an account or assertion drives the development of the audit strategy and the nature, extent, and timing of audit procedures to be performed. If RMM is low, the auditors may rely on a controls approach. Under this approach, the auditors will extensively test internal controls to determine if they are effective, and spend less time performing substantive procedures. If RMM is high, the auditors may pursue a substantive approach. Under this approach, the auditors will spend little or no time testing internal controls and will focus their efforts on performing substantive procedures on the year-end account balance and assertions. 6  Explain the fraud risk assessment process and analyze fraud risk. Error is an unintentional misstatement in an amount or disclosure in the financial statements. Fraud is an intentional act using deception that results in the misstatement of the financial statements that are being audited. The two kinds of fraud are financial reporting fraud and misappropriation of assets. When assessing the risk of fraud, the auditors should consider the fraud risk factors that may be present, such as incentives and pressures to commit a fraud, opportunities to perpetrate a fraud, and attitudes and rationalizations used to justify committing a fraud. The primary procedures that auditors use in the fraud risk assessment process are brainstorming among the audit team members and inquiry of management and others internal or external of the client.

Key Terms Review Assertions Audit risk Audit strategy Control risk Detection risk Engagement letter Error Extent of an audit procedure Fraud

Fraud risk factors Fraudulent financial reporting Inherent risk Materiality Misappropriation of assets Nature of an audit procedure Performance materiality Professional skepticism Qualitative materiality

Quantitative materiality Reporting phase Risk assessment phase Risk of material misstatement Risk response phase Significant risk Substantive procedures Tests of controls Timing of an audit procedure

3-32  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy

Audit Decision-Making Example Background Information You have been assigned to the audit of inventory for a private company that owns and operates a chain of retail jewelers. The company’s sales revenue has grown by 300% in the last two years, primarily by acquisitions. Seventy-eight percent of the value of the company’s inventory is in wedding rings, diamonds, gold necklaces, and high-end watches. Because the company has grown through acquisition, the company has not yet brought two acquired companies (representing 35% of sales) under the company’s inventory system. As a result, the company is currently operating with three different inventory-control systems. The core inventory system being used by retail stores represents 65% of sales. Sixty percent of inventory was tested in the prior year and controls over the existence of inventory were effective. The CFO’s top priority is to put all retail operations under this one inventory-control system by the end of the fiscal year (January 31). He is particularly concerned about lower than expected gross margins at some of the acquired stores, and he expects that better inventory control will improve this situation. In addition, gold prices have risen 15% in the last 12 months, and the company is making sure it is not selling “conflict diamonds” illegally traded to fund conflict in war-torn areas of ­Africa. Your responsibility is to develop an audit strategy for testing the existence of inventory.

Identify the Audit Issue The focus of attention in this instance is to develop an audit strategy for testing the existence of inventory. The auditor may develop a different audit strategy for testing the valuation of that inventory.

Gather Information and Evidence Important information includes: •  A significant portion of the inventory is high in value, small in size, and susceptible to theft. •  A good system of internal controls may not be operating effectively and uniformly. •  The weak gross margins in some stores may be evidence of inventory shrinkage or theft.

•  Fraud risk may be high in some locations due to the opportunity offered by weak internal controls. •  The auditor needs to determine how internal controls affect audit strategy, and whether the auditor wants one audit strategy for part of the inventory and another audit strategy for another part of the inventory.

Analysis and Evaluation of Alternatives Analysis of risk: •  Inherent risk factors include valuable inventory that is subject to theft and misappropriation. •  Internal controls are not uniform. Based on prior year’s evidence and a preliminary understanding of the system in the current year, strong internal controls appear to operate over only 60% of the inventory. •  It may be more efficient to physically inspect inventory as of one date and use one audit strategy for all inventory testing. •  Fraud risk is considered to be high at locations where inventory controls are not strong.

Conclusions Regarding Audit Strategy for the Existence of Inventory •  Inherent risk is set at the maximum because inventory is high in value and susceptible to theft and misappropriation. •  Control risk is set at high, as 40% of inventory may not have sufficient internal controls. •  Fraud risk is considered high due to the opportunity offered by weak internal controls. •  This results in setting detection risk at low. •  Low detection risk impacts the nature, timing, and extent of substantive testing. For example, the auditor will plan testing of the physical existence of inventory at year-end, select a larger number of locations to visit, and vary the extent of inventory testing at each location depending on internal controls over the counting of inventory at each location.

CPAexcel CPAexcel questions and other resources are available in WileyPLUS.

Multiple-Choice Questions 1.  (LO 1)  If a prospective new audit client does not allow the ­auditor to contact its existing auditor:

c.  the existing auditor should contact the new auditor to tell them all about the client.

a.  the auditor should contact the existing auditor anyway ­because it is their duty.

d.  t he auditor should respect the prospective client’s right to privacy.

b.  t he auditor should consider that a negative factor on the ­integrity of client management.

Review Questions  3-33 2.  (LO 2)  The risk assessment phase of an audit does not include: a.  gaining an understanding of the client. b.  audit execution and reporting. c.  identification of factors that may affect the risk of a material misstatement in the financial statements. d.  d  evelopment of an audit strategy and a risk and materiality assessment. 3.  (LO 3)  Which of the following is an example of a qualitative materiality factor? a.  The client is experiencing a slowdown in sales and is struggling to pay vendors on time. b.  Inventory represents 40% of current assets. c.  The client installed a new security system to protect the building. d.  T  otal salaries expense is greater than 5% of income before taxes. 4.  (LO 4)  An attitude of professional skepticism means: a.  the auditor can rely on past experience to determine current risk of fraud. b.  any indicator of fraud is properly investigated. c.  the auditor can rely on management assertions. d.  the auditor is independent of the client. 5.  (LO 4)  An auditor will identify accounts and related assertions at risk of material misstatement: a.  after testing internal controls. b.  after writing the audit report. c.  to plan the audit to focus on those accounts. d.  to eliminate audit risk. 6.  (LO 4)  Which component of audit risk can the auditor control? a.  Inherent risk. b.  Control risk.

c.  Financial risk.

d.  Detection risk. 7.  (LO 5)  Obtaining positive results from testing controls means that: a.  the auditor can completely rely on a client’s system of internal controls. b.  no substantive testing is required. c.  the auditor can plan to reduce the reliance on detailed ­substantive testing of transactions and account balances. d.  materiality will be set at a low dollar amount. 8.  (LO 5)  The audit strategy known as the predominantly “substantive approach”: a.  is appropriate when internal controls are very strong. b.  means the auditor will spend minimum effort testing the client’s system of internal controls. c.  requires the auditor to conduct extensive control testing. d.  means the auditor will conduct some interim testing and minimal year-end account-balance testing. 9.  (LO 5)  The audit strategy known as “reliance on controls approach”: a.  is appropriate when internal controls are minimal. b.  means the auditor will spend minimum effort testing the client’s system of internal controls. c.  requires the auditor to conduct extensive control testing. d.  means the auditor will conduct extensive year-end accountbalance testing. 10.  (LO 6)  An example of an incentive or pressure that increases the risk of fraud is: a.  the client operates in a highly competitive industry. b.  the client has a history of reporting losses. c.  a significant percentage of management pay is tied to earnings. d.  All of these answer choices are correct.

Review Questions R3.1  (LO 1)  Why are there procedures governing the client acceptance or continuance decision? Explain why auditors do not accept every client. R3.2  (LO 1)  What is the purpose of the engagement letter? Are all engagement letters the same? R3.3  (LO 2)  Explain the relationship between the risk assessment, risk response, and reporting phases of an audit. R3.4  (LO 2)  Are all audits the same? Why might an audit change from year to year? R3.5  (LO 3)  How does the auditor’s assessment of planning materiality affect audit planning? What does an auditor consider when making the preliminary assessment of planning materiality? R3.6  (LO 3)  The quantitative materiality of an item is assessed relative to a particular benchmark. What are some of the choices for this benchmark, and what factors guide the auditor in this choice?

R3.7  (LO 3)  Explain the relationship between planning materiality and performance materiality. R3.8  (LO 3)  Explain how setting a lower materiality level affects the number of items that are material and affects the decisions about the nature, extent, and timing of the audit procedures. R3.9  (LO 4)  Consider this statement, “Auditors should only use professional skepticism when considering fraud risk.” Do you agree or disagree with this statement? Support your position. R3.10  (LO 4)  Explain the approach adopted by auditors of identifying accounts and related assertions at risk of material misstatement. How does this approach help reduce audit risk to an acceptably low level? R3.11  (LO 4)  Consider the following statement: “When inherent and control risk are assessed as high, the risk of material misstatement is assessed as high, and an auditor will set detection risk as low to reduce audit risk to an acceptably low level.” Explain what it means to set detection risk as low. What does this mean for the operation of the audit?

3-34  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy R3.12  (LO 5)  If auditors adopt a predominantly substantive approach to the audit, do they have to consider and test the client’s internal controls? Explain. R3.13  (LO 5)  If auditors adopt a reliance on controls approach, do they have to perform any substantive procedures? Explain. R3.14  (LO 5)  A client has physical controls over inventory, including a locked warehouse with access restricted to authorized personnel. Testing of these physical controls over inventory shows that they

are very effective. Can the auditor conclude that the valuation assertion for inventory is not at risk? Explain. R3.15  (LO 6)  In the context of fraud, explain the differences between (1) incentives and pressures, (2) opportunity, and (3) attitudes and rationalization. Why is it important for an auditor to consider client systems relevant to all three concepts? R3.16  (LO 6)  In the context of fraud risk assessment, what is the purpose of the brainstorming session?

Analysis Problems AP3.1  (LO 1)  Basic   Client continuance  Star Software is a client of Jones & Parker, LLP. Star has experienced increased competition in its industry that has resulted in decreased profits over the last three years. In an effort to stay financially sound, Star is considering employee layoffs to decrease expenses. Star is planning significant layoffs in the accounting and finance department and within the internal audit function. Star management feels that internal controls are well established and fewer employees are needed to monitor the internal control system. Also, since the accounting function is heavily dependent on IT, fewer employees are needed to keep track of the company’s accounting data.

Required What issues should Jones & Parker consider when deciding whether to continue the client relationship with Star Software? If Star were your client, would you continue to be the auditor? Explain. AP3.2  (LO 1)  Moderate   Research   Client acceptance decision  The audit committee of the board of directors of WaterFun Corporation asked DDD LLP to audit WaterFun’s financial statements for the 2022 fiscal year. DDD requested permission to communicate with the predecessor auditor and was granted permission by WaterFun’s management to do so.

Required a.  What inquiries should DDD make of the predecessor auditor? b.  Assuming that DDD is satisfied with the results of the communication with the predecessor auditor, the next step is to draft an engagement letter that will be presented to the audit committee of WaterFun. Discuss the key items that should be included in an engagement letter. (Research AU-C 210.A23 to provide a full response. ASB standards can be accessed at the AICPA website, www.aicpa.org). c.  What if WaterFun’s management does not grant permission for DDD to communicate with the predecessor auditor? What action would DDD take next? AP3.3  (LO 1)  Challenging   Public Company   Client acceptance decision  Godwin, Key & Associates is a small, but rapidly growing, accounting firm. Its success is largely due to the growth of several clients that have been with the firm for more than five years. One of these clients, Carolina Company Inc., is preparing to transition from a private company to a publicly traded company and must comply with additional reporting regulations. Carolina Company’s rapid growth has meant that it is financially stretched, and its accounting systems are struggling to keep up with the growth in business. The client continuance decision is about to be made for the next fiscal year. The managing partner of Godwin, Key & Associates, Rebecca Sawyer, has recognized that the firm needs to make some changes to deal with the issues created by the changing circumstances of its major client and the firm’s overall growth. She is particularly concerned that the firm could be legally liable if Carolina Company’s financial situation worsens and it fails.

Required Evaluate the factors that Rebecca should consider when making the client continuance decision for Carolina Company Inc. for the next fiscal year. AP3.4  (LO 3)  Basic   Materiality assessment  Mark Jackson is the manager on the audit team for a new client, Central Companies (CC). CC is a home appliance and lighting retailer specializing in high-end kitchen equipment and specialty light fixtures. The client engaged Mark’s accounting firm in

Analysis Problems  3-35 August 2022 in preparation for the December 31, 2022, audit. From January 2022 onward, CC has consistently paid its inventory suppliers late, well past the suppliers’ agreed-upon credit terms. Some suppliers are even demanding cash on delivery from CC and no longer extending credit. Mark is also aware from his review of correspondence between CC and its bank that the company has been experiencing cash flow problems since 2021.

Required Discuss how this information impacts Mark’s assessment of planning materiality for CC. AP3.5  (LO 3, 4)  Moderate   Audit risk components and materiality  Carl’s Computers imports computer hardware and accessories from China, Japan, and South Korea. It has branches in every U.S. capital city, and the main administration office and central warehouse are in Chicago, Illinois. There is a branch manager in each store plus a number (depending on the size of the store) of full-time staff. There are also several part-time staff who work on weekends since the stores are open both Saturday and Sunday. Either the branch manager or a senior member of the full-time staff is on duty at all times to supervise the part-time staff. Both part-time and full-time staff members are required to attend periodic company training sessions covering product knowledge and inventory- and cash-handling requirements. The inventory is held after its arrival from overseas at the central warehouse and distributed to each branch on receipt of an inventory transfer request authorized by the branch manager. The value of inventory items ranges from a few cents to several thousand dollars. Competition is fierce in the computer hardware industry. New products are continuously coming onto the market, and large furniture and office supply discount retailers are heavy users of advertising and other promotions to win customers from specialists like Carl’s Computers. Carl’s Computers’ management has faced difficulty keeping costs of supply down and has started to use new suppliers for some computer accessories such as printers and ink.

Required a.  Evaluate the inherent risks for inventory for Carl’s Computers. How would these risks affect the accounts? b.  Identify strengths and weaknesses in the inventory control system. c.  Comment on materiality for inventory at Carl’s Computers. Is inventory likely to be a material balance? Would all items of inventory be audited in the same way? Explain how the auditor would deal with these issues. AP3.6  (LO 4)  Basic   Audit risk and revenue  Ajax Finance Inc. (Ajax) provides small and ­medium-sized personal, car, and business loans to clients. It has been operating for more than 10 years and has always been run by Bill Short. Bill has been the public face of the finance company, appearing in most of its television and radio advertisements, and developing a reputation as a friend of the “little person” who has been mistreated by the large finance companies and banks. Ajax’s major revenue stream is generated by obtaining large amounts on the wholesale money market and lending in small amounts to retail customers. Margins are tight, and the business is run as a “no frills” service. Offices are modestly furnished, and the mobile lenders drive small, basic cars when visiting clients. Ajax prides itself on full disclosure to its clients, and all fees and services are explained in writing to clients before loans are finalized. However, although full disclosure is made, clients who do not read the documents closely can be surprised by the high exit charges when they wish to make early repayments or transfer their business elsewhere. Ajax’s mobile lenders are paid on a commission basis. They earn more when they write more loans. For example, they are encouraged to sell credit cards to any person seeking a personal loan. Ajax receives a commission payment from the credit-card companies when it sells a new card, and Ajax also receives a small percentage of the interest charges paid by clients on the credit card.

Required Analyze the inherent and control risks for Ajax’s revenue. What type of misstatements would be most likely for revenue? AP3.7  (LO 4)  Basic   Control risk  All Tunes Satellite Radio (ATS) provides a subscription service to satellite radio channels. Customers can pay for a subscription on monthly basis, or pay for a year in advance and receive a 15% discount. Approximately 53% of customers pay in advance. When ATS receives payment in advance, a deferred revenue account (Unearned Revenue) is credited. At the end of each month as the satellite radio service is provided to customers, ATS makes an adjusting entry to recognize subscription revenue. If controls over the recording of deferred revenue or the subsequent adjusting entry are not functioning properly, then revenue transactions will not be properly classified.

3-36  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy

Required Analyze how the balance sheet and income statement may be at risk of material misstatement if controls over the proper allocation of revenue are not functioning properly. AP3.8  (LO 5)  Moderate   Audit strategy  All Tunes Satellite Radio (ATS) provides a subscription service to satellite radio channels. Customers can pay for a subscription on a monthly basis, or pay for a year in advance and receive a 15% discount. Approximately 53% of customers pay in advance. When ATS receives payment in advance, a deferred revenue account (Unearned Revenue) is credited. At the end of each month as the satellite radio service is provided to customers, ATS makes an adjusting entry to recognize subscription revenue. The audit team is planning a reliance on controls strategy to obtain evidence of revenue recognition for ATS. The team will be testing internal controls over the recognition of subscription revenue during interim.

Required a.  Explain the type of audit strategy planned by the audit team for gathering evidence about revenue recognition. b.  Suppose during the interim testing of internal controls the team discovers a significant number of instances in which subscription revenue received in advance is recognized immediately as revenue. Analyze how the audit strategy will be impacted. AP3.9  (LO 4, 5)  Challenging   Determining an audit strategy  Avery Island Dairy is a boutique cheese maker based on Avery Island, Louisiana. Over the years, the business has grown by supplying local retailers and through exports. In addition, there is a “farm-gate” shop and café located next to the main processing plant on Avery Island serving tourists who also visit the other specialist food and wine businesses in the region. Quality control over the cheese-manufacturing process and storage of raw materials and finished products at Avery Island Dairy is extremely high. All members of the business are committed to high product quality because any poor food-handling practices that could result in a drop in cheese quality or contamination of the products would ruin the business very quickly. The export arm has become the largest revenue earner for the business and is managed by the younger of the two brothers who have run Avery Island Dairy since it was established. Jim Guidry has a natural flair for sales and marketing but is not very good at completing the associated detailed paperwork. Some of the export deals have been poorly documented, and Jim often agrees to different prices for different clients without consulting his older brother, Bob, or informing the sales department. Consequently, there are often disputes about invoices, and Jim makes frequent adjustments to customer accounts using credit notes when clients complain about their statements. Jim sometimes falls behind in responding to customer complaints because he is very busy juggling the demands of making export sales and running his other business, Café Consulting, which provides contract staff for the café business at Avery Island Dairy.

Required a.  Identify the factors that would affect the preliminary assessment of inherent risk and control risk at Avery Island Dairy. b.  Analyze how these factors would influence your choice between the predominantly substantive approach and the reliance on controls approach for sales, inventory, and receivables. AP3.10  (LO 4, 6)  Moderate   Public Company   Financial reporting fraud risk  Vaughan Enterprises Inc. has grown from its beginnings in the steel fabrication business to become a multinational manufacturer and supplier of all types of packaging, including metal, plastic, and paper-based products. It has also diversified into a range of other businesses, including household appliances in Europe, ­Australia, and Asia. The growth in the size of the business occurred gradually under the leadership of the last two CEOs, both of whom were promoted from within the business. At the beginning of last year, the incumbent CEO died of a heart attack and the board took the opportunity to appoint a new CEO from outside the company. Despite the company’s growth, returns to shareholders have been stagnant during the last decade. The new CEO has a reputation of turning around struggling businesses by making tough decisions. The new CEO has a five-year contract with generous bonuses for improvements in various performance indicators, including sales/assets, profit from continuing operations/net assets, and stock price. During the first year, the new CEO disposed of several components of the business that were not profitable. Very large losses on the discontinued operations were recorded, and most noncurrent assets throughout the business were written down to recognize impairment losses. These actions resulted in a

Analysis Problems  3-37 large overall loss for the first year, although a profit from continuing operations was recorded. During the second year, recorded sales in the household appliances business in Europe increased dramatically, and, combined with various cost-saving measures, the company made a large profit. The auditors have been made aware through various conversations with middle management that there is now an extreme focus on maximizing profits through boosting sales and cutting costs. The attitude toward compliance with accounting regulations has changed, with more emphasis on pleasing the CEO rather than taking care to avoid breaching either internal policies or external regulations. The message is that the company has considerable ground to make up to catch up with other companies in both methods and results. Meanwhile, the share price over the first year-and-a-half of the CEO’s tenure has increased 65%, and the board has happily approved payment of the CEO’s bonuses and granted the CEO additional stock options in recognition of the change in the company’s results.

Required a.  Analyze the incentives, pressures, and opportunities to commit financial reporting fraud, and attitudes and rationalizations to justify a fraud in the above case. b.  What fraudulent financial reporting would you suspect could have occurred at Vaughan? c.  Explain why professional skepticism would be critical in assessing the risk of fraud. AP3.11  (LO 6)  Moderate   Public Company   Fraud risk  Pelican Oil is a publicly traded oil and gas company specializing in global exploration and offshore drilling. Even though Pelican has been operating for almost 30 years, it is still considered a “newcomer” in the industry. The key leaders in the industry are large conglomerates that have been operating for over 100 years. Over the last 18 months, the global supply of oil has exceeded the demand, resulting in a significant drop in oil prices. A drop in oil prices means decreased revenue for oil and gas companies of all sizes. For smaller companies in the industry like Pelican, significant drops in oil prices are harder to withstand. (The larger conglomerates are so well diversified that they have an easier time withstanding fluctuations in the oil market.) In response to the drop in oil prices and decreased demand, Pelican has temporarily suspended drilling operations and laid off employees in the field and in the corporate office. You are preparing for the upcoming audit of Pelican. Looking at the interim financial statements for the current year, you calculate an 18% decrease in revenue compared to the same interim period from the previous year. You have been reading in the global financial news that the drop in oil prices has led to increased fraud in the industry, with much of the fraud being committed by senior managers. The audit team is meeting tomorrow to have a brainstorming session about fraud risk for Pelican Oil.

Required To prepare for the brainstorming meeting, research online the types of fraud that occur in the oil and gas industry. Assess the risk of fraud for Pelican Oil by discussing the fraud risk factors that may be present. AP3.12  (LO 6)  Challenging   Fraud   Research   The auditor and the Ponzi scheme  Bernard Madoff was convicted in 2009 of running a Ponzi scheme, the biggest in U.S. history. A Ponzi scheme is essen­tially the process of taking money from new investors on a regular basis and using the cash to pay promised returns to existing investors. The high and steady returns received by existing investors are the attraction for new investors, but they are not real returns from investments. As long as new investors keep contributing and existing investors do not seek redemptions (the return of their money), the scheme continues. However, eventually, as in the Madoff situation, circumstances change, the scheme is discovered, and the remaining investors find that their capital has disappeared. At age 71, Madoff was sentenced to prison for 150 years and will die in jail. Madoff’s auditor, David G. Friehling was accused of creating false and fraudulent audited financial statements for Madoff’s firm, Bernard L. Madoff Investment Securities LLC. Prosecutors alleged that these fraudulent reports covered the period from the early 1990s to the end of 2008.11

Required a.  Research the case against David Friehling. Write a report explaining his role in the Madoff Ponzi scheme and the outcome of the legal action against him. b.  Explain how Friehling’s actions violated U.S. auditing standards and professional ethics.

11

D. Searcey and A. Efrati, “Sins and Admission: Getting into Top Prisons,” The Wall Street Journal: Europe (July 17–19, 2009), p. 29; C. Bray and Efrati, “Madoff Ex-Auditor Set to Waive Indictment,” The Wall Street Journal: Europe (July 17–19, 2009), p. 29.

3-38  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy

Audit Decision Cases King Companies, Inc. Questions C3.1 and C3.2 are based on the following case. King Companies, Inc. (KCI) is a private company that owns five auto parts stores in urban Los Angeles, California. KCI has gone from two auto parts stores to five stores in the last three years, and it plans continued growth. Eric and Patricia King own the majority of the shares in KCI. Eric is the chairman of the board of directors of KCI and CEO, and Patricia is a director as well as the CFO. Shares not owned by Eric and Patricia are owned by friends and family who helped the Kings get started. Eric started the company with one store after working in an auto parts store. To date, he has funded growth from an inheritance and investments from a few friends. Eric and Patricia are thinking about expanding by opening three to five additional stores in the next few years. In October 2021, Eric approached your accounting firm, Thornson & Danforth LLP, to conduct an annual audit of KCI for the year ended December 31, 2022. KCI has not been audited before, but this year the audit has been requested by the company’s bank because of anticipated bank loans and by a new private equity investor that has just acquired a 20% share of KCI. KCI employs 20 full-time staff. These workers are employed in store management, sales, parts delivery, and accounting. About 40% of KCI’s business is retail walk-in business, and the other 60% is regular customers where KCI delivers parts to their locations and bills these customers on account. During peak periods, KCI also uses part-time workers. Eric is focused on growing revenues. Patricia trusts the company’s workers to work hard for the company and she feels they should be rewarded well. The accounting staff, in particular, is very loyal to the company. Eric tells you that accounting staff enjoy their jobs so much they have never taken any annual vacations, and hardly any workers ever take sick leave. There are two people currently employed as accounting staff, the most senior of whom is Jonathan Jung. Jonathan heads the accounting department and reports directly to Patricia. He is in his late fifties and hopes to retire in two or three years and move away from Los Angeles. Jonathan keeps a close watch on accounting and does many activities himself, including opening mail, cash receipts and vendor payments, depositing funds received, performing reconciliations, posting journals, and performing the payroll function. His second employee, Abby Owens, is a recent college graduate who just passed the CPA exam. Abby is responsible for the payroll functions and posting all journal entries into the accounting system. Jonathan and Abby often help each other out in busy periods. C3.1  (LO 3, 4)  Challenging   Materiality and audit risk  Analysis and evaluation: What qualitative factors in the background information would you consider when determining planning materiality for the 2022 audit of KCI? Evaluate how each factor affects your assessed audit risk and your initial assessment of the planning materiality. C3.2  (LO 6)  Challenging   Assessing fraud risk a.  Gather information: Identify and explain any significant fraud risk factors for KCI. b.  Analysis: For each fraud risk factor you identify, analyze how the risk will affect your approach to the audit of KCI.

Mobile Security, Inc. Questions C3.3 and C3.4 are based on the following case. Mobile Security, Inc. (MSI) has been an audit client of Leo & Lee LLP for the past 12 years. MSI is a small, publicly traded aviation company based in Cleveland, Ohio, where it manufactures high-tech unmanned aerial vehicles (UAV), also known as drones, and other surveillance and security equipment. MSI’s products are primarily used by the military and scientific research institutions, but there is growing demand for UAVs for commercial and recreational use. MSI must go through an extensive bidding process for large government contracts. Because of the sensitive nature of government contracts and military product designs, both the facilities and records of MSI must be highly secured. In October 2022, MSI installed a new cloud-based inventory costing system to replace a system that had been developed in-house. The old system could no longer keep up with the complex and detailed manufacturing costing process that provides information to support competitive bidding. MSI’s IT department, together with the consultants from the software company, implemented the

Audit Decision Cases  3-39 new inventory costing system which went live on December 1, 2022. Key operational staff and the internal audit team from MSI were significantly engaged in the selection, testing, training, and implementation stages. MSI’s fiscal year-end is June 30. The following table shows financial information for the first two quarters of the fiscal year-end June 30, 2023 (amounts in millions). Note that the financial data listed are for the three-month quarter ended (i.e., the second quarter does not include the first quarter data). Item Total assets Total revenues Pretax income

1st Quarter

2nd Quarter

$96.0 33.0 3.2

$92.0 31.0 2.8

The pretax income for the first two quarters is reasonable with a net profit margin falling between 8–10% of sales. Based on prior years, pretax income for the third quarter usually holds steady relative to the second quarter, but pretax income for the fourth quarter typically decreases by 20% over the third quarter as governments reach the end of their spending budgets. C3.3  (LO 4)  Challenging   Public Company   Assessing inherent risk  Gather information: Considering both industry and entity factors, what are the major inherent risks in the MSI audit? C3.4  (LO 3)  Challenging   Public Company   Assessing planning materiality  Analysis and evaluation: Discuss the factors to consider when determining planning materiality for MSI. Calculate an amount for planning materiality for the audit of fiscal year-end June 30, 2023.

Brookwood Pines Hospital Question C3.5 is based on the following case. Goodfellow & Perkins gained a new client, Brookwood Pines Hospital (BPH), a private, not-for-profit hospital. The fiscal year-end for Brookwood Pines is June 30. You are performing the audit for the 2023 fiscal year end, and the audit is currently in the risk assessment phase. The healthcare industry can be very complicated, especially in the area of billing for services provided. BPH contracts with private physician groups who use the hospital facilities, equipment, and nursing staff to treat patients. The physicians in the private group are not employees of the hospital; they are simply using the hospital facilities to treat patients. For example, a group of urologists have their own practice, separate from the hospital, where they treat patients. If one of the patients needs a surgical procedure that must be done at a hospital, then the attending urologist will approve the paperwork required to admit the patient to BPH. BPH offers inducements to the urologists so they will refer patients to BPH rather than a competing hospital. One of the inducements BPH offers is free office space in the hospital for the doctors to use when they are treating patients in the hospital. After the doctor and hospital services are provided to the patient, the patient and/or the patient’s insurance company is billed. The doctor will bill for the services he or she provided, and the hospital will bill for the use of hospital facilities and staff. Doctors and hospitals bill using a coding system that is standardized across the healthcare industry and consists of three main code sets: ICD, CPT, and HCPCS. Using a coding system is more efficient and data-friendly compared to writing a narrative about the procedures performed. However, the coding system is very complex, with thousands of different codes for medical procedures and diagnoses. To complicate matters even more, for patients who are covered by government-sponsored Medicare or Medicaid, doctors and hospitals must adhere to complicated government regulations surrounding billings to Medicare and Medicaid. As healthcare costs continue to rise each year, BPH administrators struggle to maintain consistent profitability. They look for ways to keep costs low and also to collect from patients and insurance companies as quickly as possible. In addition, BPH must have a strong risk management team to handle unique situations that may occur in hospitals, such as malpractice lawsuits and periodic inspections by the state department of health and hospitals. Negative publicity for BPH could lead to decreased revenues if physicians decide to contract with a competing hospital.

Required a.  Gather information: Research online to learn more about common types of health care fraud. Identify and explain any significant fraud risk factors for BPH. b.  Analysis: Which financial statement accounts would you identify as being at significant risk for material misstatement?

3-40  C ha pt e r 3   Risk Assessment Part I: Audit Risk and Audit Strategy

Cloud 9 - Continuing Case W&S Partners has just won the January 31, 2023, audit for Cloud 9. The audit team assigned to this client is:

W&S Partners use the following percentages as starting points for the various benchmarks: Threshold (%) Benchmark Income before tax 5.0 0.5 Total revenue Gross profit 2.0 Total assets 0.5 Equity 1.0

•  Partner, Jo Wadley •  Audit manager, Sharon Gallagher •  Audit senior, Josh Thomas •  IT audit manager, Mark Batten •  Experienced staff, Suzie Pickering •  First-year staff, Ian Harper As a part of the risk assessment phase for the new audit, the audit team needs to gain an understanding of Cloud 9’s structure and its business environment, determine materiality, and assess the risk of material misstatement. This will assist the team in developing an audit strategy and designing the nature, extent, and timing of audit procedures. One task during the planning phase is to consider the concept of materiality as it applies to the client. Auditors will design procedures to identify and correct errors or irregularities that would have a material effect on the financial statements and affect the decision-making of the users of the financial statements. Materiality is used in determining audit procedures and sample selections, and evaluating differences from client records to audit results. Materiality is the maximum amount of misstatement, individually or in aggregate, that can be accepted in the financial statements. In selecting the benchmark to be used to calculate materiality, the auditors should consider the key drivers of the business. They should ask, “What are the end users (that is, stockholders, banks, etc.) of the accounts going to be looking at?” For example, will stockholders be interested in profit figures that can be used to pay dividends and increase share price? W&S Partners’ audit methodology dictates that one planning materiality (PM) amount is to be used for the financial statements as a whole. The benchmark selected for determining materiality is the one determined to be the key driver of the business.

These starting points can be increased or decreased by taking into account qualitative client factors, which could be: •  The nature of the client’s business and industry (for example, rapidly changing, either through growth or downsizing, or an unstable environment). •  Whether the client is a public company (or subsidiary of) subject to regulations. •  The knowledge of or high risk of fraud. Typically, income before tax is used; however, it cannot be used if reporting a loss for the year or if profitability is not consistent. When calculating PM based on interim figures, it may be necessary to annualize the results. This allows the auditors to plan the audit properly based on an approximate projected year-end balance. Then, at year-end, the figure is adjusted, if necessary, to reflect the actual results.

Required Answer the following questions based on the information presented for Cloud 9 in the appendix to this text and in the current chapter and previous chapters. a. Using the October 31, 2022, trial balance (in the appendix to this text), calculate planning materiality and include the justification for the benchmark that you have used for your calculation. b. Discuss how the planning materiality would be used to determine performance materiality. c. If the planning materiality amount is subsequently increased or decreased later in the audit, how would that impact the audit?

Chapter 4 Risk Assessment Part II Understanding the Client

The Audit Process Overview of Audit and Assurance (Chapter 1) Professionalism and Professional Responsibilities (Chapter 2) Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4) Identify Significant Accounts and Transactions Make Preliminary Risk Assessments

Set Planning Materiality

Gaining an Understanding of the System of Internal Control (Chapter 6)

Audit Evidence (Chapter 5)

Develop Responses to Risk and an Audit Strategy

Performing Tests of Controls (Chapter 8)

Performing Substantive Procedures (Chapter 9) Audit Sampling for Substantive Tests (Chapter 10)

Auditing the Revenue Process (Chapter 11)

Auditing the Purchasing and Payroll Processes (Chapter 12)

Audit Data Analytics (Chapter 7)

Gaining an Understanding of the Client

Auditing the Balance Sheet and Related Income Accounts (Chapter 13)

Completing and Reporting on the Audit (Chapters 14 and 15) Procedures Performed Near the End of the Audit

Drawing Audit Conclusions

Reporting

4-1

4-2  Ch a pte r 4  Risk Assessment Part II: Understanding the Client

Learning Objectives LO 1 Apply procedures to gain an understanding of the client. LO 2 Explain how clients measure performance and how it impacts the auditor’s risk assessment. LO 3  Demonstrate how auditors use analytical procedures when assessing risk, including the use of audit data analytics.

LO 5  Describe common corporate governance structures and how they impact the auditor’s risk assessment. LO 6 Explain how a client’s internal control and information technology (IT) can affect risk. LO 7  Discuss how client closing procedures can affect risk and a client’s reported results.

LO 4  Define related party transactions and explain how they affect the auditor’s risk assessment.

Auditing and Assurance Standards PCAOB

Auditing Standards Boa rd

AS 1301  Communications with Audit Committees

AU-C 250  Consideration of Laws and Regulations in an Audit of Financial Statements

AS 2110  Identifying and Assessing Risks of Material Misstatement AS 2405  Illegal Acts by Clients

AU-C 260 The Auditor’s Communication with Those Charged with Governance AU-C 315  Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

AS 2410 Related Parties

AU-C 550 Related Parties

Cloud 9 - Continuing Case Ian knows there are many possible problems in an audit that would cause the auditor to issue the wrong type of audit report, but he is struggling to understand why the audit team will spend time gaining an understanding of a client. How does this help? Why aren’t audits all the same? Suzie explains to Ian that issuing the wrong type of audit report is a risk the auditor always faces, but the risk varies across audits. The variation in the risk is partly related to how well the audit team performs its tasks, which is dependent on the team members’

levels of skill, effort, supervision, and so on. But the variation in risk is also related to the particular characteristics of the client and its environment. Some clients are more likely than others to have errors or deficiencies in their accounting and financial reporting systems, operations, or underlying data. Even within one client’s business, some areas are more likely to have problems than others. Suzie asks Ian to think about what sort of problems Cloud 9’s draft financial statements are most likely to have, and why.

Chapter Preview: Audit Process in Focus In Chapter 3, we began our discussion of risk assessment by considering the audit as a whole and the development of a unique audit strategy for each client. This chapter focuses on the remainder of the risk assessment process. Remember, the purpose of risk assessment procedures is to assess the risk that a material misstatement, caused by error or fraud, could occur in the client’s financial statements. The risk assessment procedures we discuss in this chapter include gaining an understanding of the client, its industry, related party transactions, corporate governance, internal controls, the information technology environment, significant accounts and transactions, and closing procedures. Two sections of this chapter deal with performance measurement and analytical procedures. By understanding how a client assesses its own performance, auditors gain insight into which accounts may be at risk of material misstatement. Recall from Chapter 3 that the risk of material misstatement is a combination of inherent risk and control risk. Many of the factors discussed in this chapter impact the auditor’s assessment of inherent risk. Chapter 6 will discuss controls a client might put in place to reduce control risk and the overall risk of material misstatement.

  Understanding the Client  4-3

Understanding the Client Lea rning Objective 1 Apply procedures to gain an understanding of the client. We will continue the discussion of risk assessment procedures that was started in Chapter 3. Illustration 4.1 presents the graphical depiction of risk assessment that was introduced in Chapter 3 (Illustration 3.5). The concepts of materiality, professional skepticism, and audit risk were discussed in Chapter 3, along with fraud risk assessment. The remaining risk assessment procedures from Illustration 4.1 will be discussed in this chapter, starting with “Understand the entity and the industry,” then proceeding clockwise. illustration 4.1   Risk assessment Materiality

Professional Skepticism

Understand the entity and the industry Fraud risk

Closing procedures

Audit Risk

Compliance with laws and regulations Client performance measurement

Risk Assessment

Understand internal controls and IT

Analytical procedures

Corporate governance

Related parties

Audit Strategy

Gain an Understanding of the Entity It is important for auditors to understand a client’s business because often inherent risk is related to underlying business risks. For example, what are some business risks of a fast-food restaurant? Some that come to mind are high employee turnover, strong competition, and quickly changing customer preferences. Would a high-end restaurant face the same business risks as a fast-food restaurant? Since they are both in the food-service industry, there may be some similarities, but there will also be different risks because they have different business models, profit margins, and volumes of transactions. For example, a high-end restaurant would be more at risk when the economy is suffering from a recession. Consumers may cut back on spending, especially on luxury items such as an expensive meal at a high-end restaurant. Auditors must approach each client as unique when gaining an understanding of the entity, even if some clients are in the same industry. AU-C 315 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement and AS 2110 Identifying and Assessing Risks of Material Misstatement provide guidance on the steps to take when gaining an understanding of a client. How do

4-4  Ch a pte r 4  Risk Assessment Part II: Understanding the Client

entity-level risk  client risk that affects multiple financial statement accounts, assertions, and transaction classes transaction-level risk  client risk that affects only one transaction class, account, or assertion

auditors develop a knowledgeable perspective about the entity and its risks when the auditors are external and independent of the client? They use specific procedures such as interviewing client personnel and others outside the entity, performing analytical procedures (covered in depth later in this chapter), observing client operations, and inspecting documents. For example, when auditors read the minutes of board of directors’ meetings, they are inspecting a document (the minutes). By reading the minutes, auditors can gain an understanding of key issues and strategic initiatives being discussed by the board. When gaining an understanding of the client, auditors consider issues at both the entity and industry levels. For new clients, this process is very detailed and time consuming. For a continuing client, this process is less onerous and involves updating the knowledge gained on previous audits. By gaining an understanding of the client, the auditor is in a stronger position to assess entity-level risks and the financial statement accounts that require closer examination. Entity-level risks often affect multiple accounts and assertions. For example, if management is close to breaching a debt covenant that requires maintaining a certain current ratio, management may have an incentive to either overstate current assets or understate current liabilities. This could be accomplished in a number of ways that could affect one or more current asset or current liability accounts. Alternatively, transaction-level risk affects only one transaction class, such as revenue and accounts receivable. Understanding the entity may illuminate both entity-level risks and transaction-level risks. Illustration  4.2 summarizes factors that can increase or decrease inherent risk in the client’s financial statements. Each factor in Illustration 4.2 is numbered, and the following paragraphs provide more discussion of each of these factors auditors consider when gaining an understanding of the client. (1) Major customers are identified so the auditor may consider whether those customers have a good reputation, are on good terms with the client (that is, likely to remain a customer in the future), and are likely to pay the client on a timely basis. Dissatisfied customers may withhold payment, which affects the allowance for doubtful accounts and the client’s cash flow, or decide not to purchase from the client in the future, which can affect the client’s operations. If a client has only one or a few customers, this risk is increased if losing a major customer would cause the client to significantly curtail operations. The auditor also considers the terms of any long-term contracts between the client and the client’s customers. (2) Major suppliers are identified to determine whether they are reputable and supply quality goods on a timely basis. Consideration is given to whether significant levels of goods are returned to suppliers as faulty, the terms of any contracts with suppliers, and the terms of payment to suppliers. Auditors assess whether the client pays its suppliers on a timely basis. If the client is having trouble paying its suppliers, it may have trouble sourcing goods as suppliers may refuse transactions with a company that does not pay on time. Significant cash flow issues may be an indicator of going concern problems. Auditors identify whether the client is an (3) importer or exporter of goods. If the client trades internationally, auditors consider the stability of the country (or countries) the client trades with, the stability of the foreign currency (or currencies) the client trades in, tariffs or other barriers to trade, the effectiveness of any risk management policies the client uses to limit exposure to currency fluctuations (such as hedging policies), and the appropriateness of accounting for realized and unrealized gains and losses. Auditors consider the client’s capacity to adapt to (4) changes in technology and other trends. If the client is not well-positioned to adjust to such changes, it risks falling behind competitors and losing market share, which in the longer term can affect the client’s operations. If the client operates in an industry subject to frequent change, it risks significant losses if it does not keep abreast of such changes and “move with the times.” For example, if a client sells laser printers, auditors need to assess whether the client is up to date with changes in technology and customer demands for environmentally friendly printers. The financial statement consequences could include losses for obsolete inventory and accruals for loss contingencies associated with possible environmental cleanup. The nature of any (5) warranties provided to customers is assessed by the auditors. If the client provides warranties on products sold, auditors need to assess the likelihood that goods will be returned and the risk the client has underprovided for that rate of return (adequacy of the warranty liability). Auditors pay particular attention to goods being returned for the same problems, indicating there may be a systemic fault. For example, if the client sells quality pens and the auditors notice that a number of pens are being returned because the mechanism to twist the pen open is faulty, auditors will assess the likelihood

  Understanding the Client  4-5 illustration 4.2   Entity factors that influence inherent risk

Lower Inherent Risk Assessments Satisfied customers who pay on time and are likely to remain a customer in the future

Factors That Influence Inherent Risk Higher Inherent Risk Assessments (1) Major customers

Client has many customers

Dissatisfied customers who may withhold payment or decide to not purchase from the client in the future Client has only one or very few customers

Reputable suppliers that supply goods on a timely basis

(2) Major suppliers

Few goods are returned to supplier as faulty

Suppliers may not supply goods on a timely basis Significant amounts of goods are returned to the suppliers because they are faulty

Client pays suppliers on a timely basis

Client does not pay suppliers on a timely basis Trades with countries that are stable

(3) Importer or exporter

Trades with countries that are not stable

Trades in stable foreign currencies

Trades in unstable foreign currencies

Minimal tariffs or barriers to trade

Complex tariffs and other barriers to trade

Client maintains effective risk management policies regarding foreign trade

Client does not maintain effective risk management policies regarding foreign trade

Client well-positioned to adjust to changes in technology Client does not offer warranties on its products

(4) Changes in technology (5) Warranties

If client does offer warranties, product quality is high and the likelihood that goods will be returned is low Few discounts are given by the client to its customers

(6) Discounts

(7) Client reputation

Client has few locations and primary operations are centralized

(8) Operations

No international operations

Client does not have a good reputation with customers, employees, and/or the wider community in which it operates Client has larger number of locations and operations are decentralized Multiple locations operated internationally

(9) Selection and application of accounting principles

Recent implementation of new accounting standard Change in the application of an accounting standard

Personnel involved in the selection and application of accounting standards are competent and experienced Determination of account balance is objective and supported by transactions with third parties

Client offers discounts to its customers, possibly because it does not have much bargaining power Client misses opportunities to take advantage of supplier discounts

Client has good reputation with customers, suppliers, employees, and the wider community in which it operates

No change in the application of accounting standards

Client offers warranties on its products History of poor product quality and goods being returned for the same problem

Client takes advantage of discounts offered by suppliers

No recent implementation of new standards

Client falls behind with changes in technology and has not “kept up with the times”

Personnel involved in the selection and application of accounting standards lack competence and experience

(10) Significant accounts and classes of transactions

Determination of account balance involves considerable subjectivity

Transactions are routine and relatively homogeneous

Transactions are complex and unique

Account has low volume of transactions

Account has high volume of transactions

Less complex payroll system and benefit structures

(11) Relations with employees

Defined-contribution pension plans

More complex payroll system and benefit structures Defined-benefit pension plans

Less reliance on debt for financing

(12) Sources of financing

Heavy reliance on debt as a source of financing

Pays interest payments on time

Struggles to pay interest payments on time

Less risk of violating terms of debt covenants

Higher risk for violating terms of debt covenants which could indicate going concern issues

Simple capital structure Pays dividends from operating cash flow

(13) Ownership structure

Complex capital structure Struggles to pay dividends from operating cash flow

4-6  Ch a pte r 4  Risk Assessment Part II: Understanding the Client

that other pens will be returned for the same reason, the steps being taken by the client to rectify the problem, and whether the warranty liability is adequate in light of this issue. The financial statement impact would involve the adequacy of a warranty reserve and the adequacy of reserve for lower-of-cost-or-net-realizable-value issues with inventory. Auditors review the terms of (6) discounts given by the client to its customers and received by the client from its suppliers. An assessment is made of the client’s bargaining power with its customers and suppliers to determine whether discounting policies are putting profit margins at risk, which may place the future viability of the client at risk. Auditors consider the (7) client’s reputation with its customers, suppliers, employees, shareholders, and the wider community. A company with a poor reputation places future profits at risk and increases the risk of going concern issues. It is also not in the best interest of the auditor to be associated with a client that has a poor reputation, as we discussed in Chapter 3. Auditors gain an understanding of client (8) operations. Auditors note where the client operates, the number of locations in which it operates, and dispersion of these locations. The more spread out the client’s operations are, the harder it is for the client to effectively control and coordinate its operations, which increases the risk of errors in the financial statements. Auditors visit locations where inherent risk is greatest to assess the processes and procedures at each site. If the client has operations interstate or overseas, auditors may plan a visit to those sites by audit staff from affiliated offices at those locations where risk is greatest. For example, an auditor is more likely to visit client operations if the client opens a new, large site or if the business is located in a country where there is a high rate of inflation or where there is a high risk of theft. Auditors must gain an understanding of the client’s procedures for the (9) selection and application of accounting principles. They need to know who oversees the financial reporting process on a daily basis, an individual or a group, and consider the qualifications of those involved. Client personnel with more experience generally are more competent at applying complex accounting principles. Other considerations include whether the client has implemented a new accounting standard or changed how an accounting standard is applied. Financial reporting is already a complex process, but when implementing a new standard or making changes with a current standard, inherent risk increases because of the possibility of applying the accounting standard incorrectly. (10) Significant accounts and classes of transactions are identified during the risk assessment phase. Recall from Chapter 3 that a significant risk could be an account, transaction, or activity that has an increased risk of causing a material misstatement on the financial statements. For example, the inventory account would be a significant account for a large retail client for several reasons. It is probably the largest current asset for the client, it has a large volume of transactions, and some of the transactions may involve complex contractual arrangements with suppliers. Auditors devote more audit time to the inventory account since it poses a higher inherent risk. Another example would be a client’s process of determining if goodwill has been impaired. Since there is subjectivity involved in the measurement of this financial statement item, auditors may plan audit procedures to ensure adequate time is spent testing the client’s goodwill impairment procedures. Keep in mind, an account or class of transactions that is significant for one client may not be significant for other clients, even if they are in the same industry. For example, not every client is going to have a goodwill account. Auditors determine significant accounts and classes of transactions on a client-by-client basis. An understanding is gained of the client’s (11) relations with its employees. Auditors consider how a client pays its employees, the mix of wages and bonuses, and the attitude of employees to their employer. The more complex a payroll system, the more likely it is that errors can occur. Auditors might also expect more complex control systems when payroll transactions are complex. When employees are unhappy, there is greater risk of industrial action, such as strikes, which disrupt client operations. Auditors assess a client’s debt and equity sources, the reliability of future (12) sources of financing, the structure of debt, and the reliance on debt versus equity financing. Auditors determine whether the client is meeting interest payments on debt and repaying debt when it is due. If a client has a covenant with a lender, auditors need to understand the terms of that covenant and the nature of the restrictions it places on the client. Debt covenants vary. A company may, for example, agree to limit further borrowings, to freeze a line of credit for a period of time, or to maintain a certain debt-to-equity ratio. If the client does not meet the

  Understanding the Client  4-7

conditions of a debt covenant, the lender may recall the debt, placing the client’s liquidity position at risk, and increasing the risk the client may not continue as a going concern. Auditors learn about the client’s (13) ownership structure, such as the amount of debt financing relative to equity, the use of different forms of shares, and the differing rights of shareholder groups. The client’s dividend policy and its ability to meet dividend payments out of operating cash flow are also of interest when evaluating whether an entity is a going concern. Also, complex ownership arrangements and differing rights of shareholder groups will require more complex disclosures by the client.

Audit Reasoning Example  Samsung Fire Fiasco Most likely you are familiar with Samsung and own at least one Samsung product, such as a TV, kitchen appliance, or laptop. Samsung has consistently been the top seller of smartphones worldwide, and in 2017 Samsung had 21% of the global smartphone market share.1 In the third and fourth quarters of 2016, Samsung experienced a public relations nightmare when some customers had problems with their Galaxy Note 7 smartphones catching fire. An investigation determined that the battery in the phone had the potential to catch fire when overheated. Samsung recalled all of the nearly three million Galaxy Note 7 devices that had been sold and permanently ended production of the device.2 Suppose you are on the audit team for the December 31, 2016, financial statement audit for Samsung. How does the Galaxy Note 7 situation impact the inherent risk factors listed in Illustration 4.2? Here are some examples: •  Customers may decide not to purchase Samsung mobile devices in the future, which impacts revenues and profits. •  Samsung may consider switching battery suppliers, which could affect costs and product quality. •  Samsung must honor the warranty on the phone and issue refunds and/or replacement products to customers, which impacts profits. •  Samsung’s reputation was tarnished by the negative publicity, and the situation sparked multiple lawsuits that will drag on for years and cost Samsung millions of dollars. During the audit, you and the other audit team members would plan to give additional audit attention to accounts and note disclosures directly impacted by the Galaxy Note 7 situation, such as warranty-related accounts, inventory (lower-of-cost-or-net-realizable value), sales returns, and contingent liability accruals.

Another important component of understanding the entity includes gaining an understanding of the client’s system of internal controls as it relates to the audit. This includes learning about the design of the client’s internal controls and the different components of the client’s internal control system. Strong internal controls both reduce the likelihood of material misstatement and change the nature of audit tests. A thorough discussion of gaining an understanding of the client’s system of internal controls is covered in Chapter 6.

Cloud 9 - Continuing Case Ian is starting to think about Cloud 9 more closely. He can remember something being said about Cloud 9 importing the shoes from a production plant in Vietnam and then wholesaling them to major department stores. “OK,” says Suzie. “Let’s just take that one aspect of the operations and think about the issues that could arise.”

Ian realizes the department stores would be customers of Cloud 9 (although they should check that the stores actually purchase the shoes rather than hold them on consignment). If there were a mistake or a dispute with one of the stores, or if the store were in financial difficulty, the collectibility of accounts receivable would be in doubt, so assets could be overstated. If the store disputed a sale,

1 Chandan, “Smartphone Manufacturers in the World 2017,” https://www.techzac.com/top-10-smartphonemanufacturers-in-the-world/ (accessed August 30, 2017). 2

S. Pham, “Samsung Blames Batteries for Galaxy Note 7 Fires” (January 23, 2017), http://money.cnn.com/2017.

4-8  Ch a pte r 4  Risk Assessment Part II: Understanding the Client

or a sales return was not recorded correctly, sales (and profit) could be overstated. Is Cloud 9 liable for warranty expenses if the shoes are faulty? The auditors would need to read the terms of the contract to determine if a warranty liability should be recorded on the balance sheet. What about the balance of inventory? Do the shoes belong to Cloud 9 when they are being shipped from Vietnam, or only after they arrive at the warehouse? Is Cloud 9 exposed to foreign currency exchange risk and how is this accounted for?

Suzie points out that the answer to each of these questions could be different for Cloud 9 than for other clients because of its different circumstances. Auditors need to gain an understanding of these circumstances so they can assess the risk that accounts receivable, sales, sales returns, inventory, and liabilities are misstated. Once they understand all the risks, they are in a position to decide how they will audit Cloud 9.

Gain an Understanding of the Industry and Business Environment At the industry level, auditors are interested in the client’s position within its industry, the level of competition in that industry, and the client’s size relative to its competitors. Auditors evaluate the client’s reputation among its peers and the level of government support for companies operating in that industry. Another consideration is the level of demand for the products sold or services supplied by companies in that industry and the factors that affect that demand. For example, an ice cream manufacturer is affected by the weather, which causes revenue to be seasonal. This would be important for auditors to know because during the slow season, revenue may be at higher inherent risk if the client is trying to maintain a certain profit target. A summary of some key industry and business environment factors that can influence inherent risk is provided in Illustration 4.3. Each factor in Illustration 4.3 is numbered, and the following paragraphs provide more discussion of these industry and business environment factors that auditors consider when gaining an understanding of the client. illustration 4.3   Industry and business environment factors that influence inherent risk

Lower Inherent Risk Assessments

Industry Factors That Influence Inherent Risk

Less competitive industry, which puts less stress on the client’s ability to generate a profit

(1) Level of competition

Good reputation relative to others in the industry

(2) Reputation

Customers and suppliers may be attracted to conduct business with the client versus a competitor A new industry with considerable government support and incentives

Higher Inherent Risk Assessments Very competitive industry, which puts more stress on the client’s ability to generate a profit Poor reputation relative to others in the industry Customers and suppliers may shift business to a competitor

(3) Legal, political, and regulatory environment

A new industry with little or no government support

New or established industry with intense international competition with considerable government support and incentives

New or established industry with intense international competition with little or no government support

Industry with minimal government regulation and no special taxes or unique financial reporting requirements

Heavily regulated industry with special taxes and unique regulations and financial reporting requirements

Demand is not seasonal, which provides steady revenue flow

(4) Demand

Seasonal demand for products, which leads to sporadic revenue flow

Industry minimally affected by trends/customer preferences

Industry subject to changing trends/ customer preferences

Industry has low risk of technological obsolescence

Industry subject to technological obsolescence

Economy as a whole experiences an upturn, which leads to easily sustainable profit levels

(5) Economy

Economy as a whole experiences a downturn, which leads to pressure to maintain expected profit levels

  Understanding the Client  4-9

Auditors compare the client with its close competitors nationally and internationally. When auditors have a number of clients that operate in the same industry, and the audit firm has significant experience auditing clients in that industry, this stage of the audit is more straightforward than if the client operates in an industry the auditors are not already familiar with. The audit team assesses the (1) level of competition in the client’s industry. The more competitive the client’s industry, the more pressure is placed on the client’s profits, which will assist auditors when developing expectations regarding the client’s profitability. In an economic downturn, the weakest companies in highly competitive industries face financial hardship and possible going concern problems. A key issue for an auditor is the client’s position among its competitors and its ability to withstand downturns in the economy. Auditors also consider the client’s (2) reputation relative to other companies in the same industry. If the client has a poor reputation, customers and suppliers may shift their business to a competing firm, threatening the client’s profits. In such circumstances, a client’s management may resort to aggressive accounting choices to improve profits (or reduce losses). The audit team can assess the client’s reputation by reading articles and industry publications. Auditors consider the (3) legal, political, and regulatory environment for the client’s industry. This issue is important if the industry faces significant competition internationally or the industry is new and requires time to become established. Support is sometimes provided to industries that produce items in line with government policy, such as manufacturers of water tanks, solar heating, and reduced-flow taps in the context of environmental policies. Regulations can affect a client’s ability to continue operating or affect continued profitability, for example, through different taxes and charges imposed on companies operating in the industry. Some industries have unique accounting and financial reporting requirements, such as the oil and gas industry. The audit team must be alert to how changes in the regulatory environment might affect the client’s profitability and operations. The auditors should understand the level of (4) demand for the goods sold or services provided by companies in the client’s industry. If a client’s products or services are seasonal, this will affect revenue flow. As mentioned, if a client is an ice-cream producer, sales would be expected to increase in the summer; however, if the weather is unseasonal, profits may suffer. If a client sells swimsuits, sales will fall in a cool summer. If a client sells ski equipment, sales will fall if the winter brings little snow. If a client operates in an industry subject to changing trends, such as fashion, the client risks inventory obsolescence if it does not keep up and move quickly with changing styles. When a product or process is subject to technological change, there is the risk a client will quickly be left behind by its competitors. If products become obsolete, it will affect the lower-of-cost-or-net realizable value accounting for inventory, and it might affect the collectibility of receivables related to inventory sold to customers that has not yet been sold to end consumers. Finally, when gaining an understanding of a client, auditors assess how factors in the (5) economy affect the client. Economic upturns and downturns, changes in interest rates, and currency fluctuations affect most companies. The audit team is concerned with the client’s susceptibility to these changes and its ability to withstand economic pressures. The auditors also determine if negative consequences have been appropriately reported in the financial statements.

Audit Reasoning Example  Economic Upturns and Downturns During an economic upturn, companies are under pressure to perform as well as or better than competitors, and shareholders expect consistent improvements in profits. When conducting the audit in this environment, more focus is given to the risk of overstatement of revenues and understatement of expenses. What about an economic downturn? When the economy as a whole is poor and the entire industry is down, does management face the same pressures? During an economic downturn, management may decide to “take a bath,” meaning that companies may purposefully understate profits. When the economy is poor, there is a tendency to maximize write-offs because a fall in profits can easily be explained to shareholders when most companies in the industry are also experiencing a decline in earnings. In other words, management decides, “If it’s already a bad year, let’s make it a really bad year.” A benefit of “taking a bath” is it provides a low base from which to demonstrate an improvement in results in the following year. When conducting the audit during times when the economy is in recession and clients may be tempted to “take a bath,” how would auditors modify their audit approach? More focus is given to the risk of understatement of revenues and overstatement of expenses.

4-10  C h a pte r 4  Risk Assessment Part II: Understanding the Client

Compliance with Laws and Regulations illegal acts  violations of laws or governmental regulations

direct and material effect  a situation in which noncompliance with laws and regulations impacts amounts and disclosures already included in the financial statements indirect effect  a situation in which noncompliance with laws and regulations does not have a direct impact on amounts and disclosures in the financial statements, but could require the creation of a contingent liability or an additional disclosure

Auditors should also obtain a general understanding of laws and regulations that apply to the client’s industry and operations. For example, manufacturing clients must adhere to regulations imposed by the Environmental Protection Agency (EPA) and the Occupational Safety & Health Administration (OSHA). If a client commits an illegal act by not complying with applicable regulations, the client may be fined or may be subject to future litigation. It is the responsibility of company management and those charged with governance to ensure that policies and internal controls are in place to assist in the prevention and timely detection of noncompliance with laws and regulations. What is the auditor’s responsibility regarding illegal acts committed by the client? Remember, the objective of the audit is to determine if the financial statements are presented fairly in accordance with the appropriate financial reporting framework. An auditor is not expected to be an expert in non-accounting laws and regulations such as environmental regulations and health and safety laws, but an illegal act by the client could impact the financial statements through fines and litigation. AU-C 250 Consideration of Laws and Regulations in an Audit of Financial Statements and AS 2405 Illegal Acts by Clients address the auditors’ responsibility as it relates to the client’s compliance with laws and regulations. For illegal acts that have a direct and material effect on the financial statements, the auditors have the same responsibility for detecting those acts as they do for detecting material misstatements caused by error or fraud. Many of the laws and regulations that would have a direct and material effect on the financial statements are already familiar to the auditors. For example, auditors regularly investigate the compliance with tax law and fair presentation of income tax expense in the income statement, as well as compliance with pension laws and pension disclosures in the financial statements. For illegal acts that have a material but indirect effect on the financial statements, the auditor’s responsibility is limited to performing specified audit procedures that may identify noncompliance. Some examples of laws and regulations that could fall into this category are environmental and safety regulations, or food and drug administration regulations. If information comes to the auditors’ attention that provides evidence concerning the occurrence of possible illegal acts, the auditors should use professional skepticism and perform further audit procedures to specifically determine if an illegal act has occurred, and whether a contingent liability that is material to the financial statements should be recorded or disclosed. It is important to note that an audit conducted according to standards provides no assurance that all illegal acts that have an indirect effect on the financial statements will be detected or any contingent liabilities that may result will be disclosed (AS 2405.07 and AU-C 250.A3). If auditors discover or suspect that an illegal act has occurred, they should gain an understanding of the nature of the act, gather information to determine the possible effects on the financial statements, and document all of their work. The audit team should discuss the situation with management at a level above those involved with the suspected noncompliance and, if appropriate, also discuss the situation with those charged with governance. Auditors should consider the implications of noncompliance on other areas of the audit, such as audit risk, materiality, and reliability of management representations. For example, if an illegal act occurred, auditors should re-evaluate the internal controls that should have prevented or detected the illegal act. If the controls are determined to be weak, auditors may need to adjust the audit strategy to perform more substantive testing rather than relying on the internal controls. It is important to remember the entire risk assessment process is an iterative process, and auditors may come across evidence that contradicts prior risk assessments. In these situations, auditors should revise their risk assessments and decisions about the nature, timing, and extent of audit procedures in light of the new evidence. If management or those charged with governance do not respond appropriately to an identified situation of noncompliance, the auditors should consult with their own legal counsel and consider withdrawing from the audit. Reporting illegal acts to external parties is generally not part of the auditor’s responsibility because of the auditor’s ethical obligation of client confidentiality, as discussed in Chapter 2.

  Understanding the Client  4-11

Audit Reasoning Example  Illegal Act, Direct and Material Effect Henry is an audit associate assigned to the audit of Quick Fix Burgers, a regional fast-food chain. To gain an understanding of the client’s payroll system, Henry obtained a listing of all employees and then queried the client’s system to provide a listing of all checks made payable to employees for the last month of the second quarter. Quick Fix pays its employees twice a month; therefore, each employee should receive two paychecks each month. While scanning the report, Henry noticed that some of the frontline employees, such as cashiers and cooks, had three or four checks for the month. He selected one of the employees who had received four checks and looked more closely at the supporting detail. Two of the checks were payment for 10 hours worked during the first and second half of the month, and these checks had state and federal income taxes withheld along with Social Security and Medicare. The other two checks were for a single amount, which was about the same amount as the net pay on the payroll checks, but with no withholdings or other payroll deductions, and were paid on the same date as the payroll checks. Why might there be these additional checks to employees? Were they reimbursements for expenses incurred by the employee? Or could Quick Fix Burgers be trying to avoid payroll taxes, such as the employer share of Social Security and Medicare, by calling these additional payments “employee reimbursements”? Failure on the part of employers to remit the appropriate amount of payroll taxes is an illegal act that can lead to significant fines and penalties. If Quick Fix is under-reporting an employee’s hours and the related payroll taxes, then both expenses (wages expense and payroll tax expense) and liabilities (wages payable and payroll taxes payable) will be understated and have a material and direct effect on the financial statements.

Audit Reasoning Example  Illegal Act, Material but Indirect Effect Henry is an audit associate assigned to the audit of Quick Fix Burgers, a regional fast-food chain. A month ago, Quick Fix received some bad publicity because two customers, who had eaten at two different Quick Fix restaurants, posted on social media they had become seriously ill after eating at Quick Fix. One of the customers was admitted to a hospital and posted that doctors suspected it was a case of E. coli that could be caused by unsanitary food handling. Henry had a meeting with Quick Fix’s controller and asked about the social media posts. The controller said, “All of our restaurants are inspected by the state health department, and we have always received excellent scores. We have not been contacted by the health department regarding those posts on social media.” When Henry gets back to his desk he thinks, what if the health department does contact Quick Fix regarding the incidents? What if Quick Fix did violate some health regulations? Does failure to comply with health regulations impact the financial statements directly? No, it does not. But could there be a material indirect effect on the financial statements? Yes. Customers who became sick could pursue legal action against Quick Fix, which could lead to a contingent liability and related expense, not to mention bad publicity. Henry documents this information in his risk assessment notes and will follow up on the situation during interim and year-end audit work.

Cloud 9 - Continuing Case Suzie explains to Ian that the partner, Jo Wadley, has asked her to join the team for this audit because she has experience in the clothing and footwear industry. Jo wants to make sure the team’s industry knowledge is very strong. Several other members of the team also have experience in auditing clients in the retail industry, including Jo and manager Sharon Gallagher. In addition, Josh is highly regarded at W&S Partners for his knowledge of receivables and cash-receipts systems.

Suzie has the task of leading the team writing the report on the industry-specific economic trends and conditions. The report must include an assessment of the competitive environment, including any effects of technological changes and relevant legislation. So that Ian can appreciate how understanding the client is an important part of the risk assessment phase, Suzie asks him to help write the report on the product, customer, and supplier elements. Then, together, they will assess the specific risks arising from the entire report, including risks at the economy level, for the Cloud 9 audit.

4-12  C h a pte r 4  Risk Assessment Part II: Understanding the Client

Before You Go On 1.1  What is the purpose of gaining an understanding of a client? 1.2 Explain how changing trends in an industry affect the inherent risk for an audit client, for example, in the energy industry. Illustrate with a few tangible examples. 1.3 Give an example of an illegal act that could have a material but indirect effect on the financial statements.

Client Approaches to Measuring Performance Lea rning O bjective 2 Explain how clients measure performance and how it impacts the auditor’s risk assessment.

key performance indicators (KPIs)  measurements, agreed to beforehand, that can be quantified and reflect the success factors of an organization

Part of the process used when gaining an understanding of a client involves learning how a ­client measures its own performance. The key performance indicators (KPIs) used by a client to monitor and assess its own performance and the performance of its senior staff provide auditors with insights into the accounts their client focuses on when compiling its financial statements and which accounts are potentially at risk of material misstatement. Some KPIs are common to many clients, such as return on assets and return on stockholders’ equity. Other KPIs will vary from industry to industry and client to client. For example, a client in the airline industry is concerned about revenue per passenger mile, a client in the retail industry is concerned about inventory turnover, and a client in the finance industry is concerned about its risk-weighted assets and interest margins. It is very important for auditors to understand which KPIs a client is most concerned about in that year so the audit can be planned around relevant accounts. It is inappropriate to assume all clients use the same KPIs. It is also inappropriate to assume a client will use the same KPIs every year. Just as businesses change their focus, KPIs change to help businesses achieve new goals.

Profitability profitability  the ability of a company to earn a profit

price–earnings (PE) ratio  measures how much a stockholder is willing to pay per dollar of earnings earnings per share (EPS) ratio  measures the earnings return on each common share issued

It is common for companies to use profitability measures to assess their performance and that of their senior staff. Companies often track their revenue and expenses over time and assess the variability from budgets, goals, or expectations. A company will compare its revenues and expenses with close competitors and assess its ability to compete, as well as whether results are matching expectations based on known factors such as seasonality or economic downturns. This also provides auditors with valuable insights into the expectations of management. A company’s management will track revenues from month to month to identify and explain trends. Management of a large company will compare revenues earned across divisions to highlight good and poor performance. Comparisons among divisions, or against budget, may be used to assess how well managers of those divisions are controlling costs. Changes from one year to the next may reflect an increased cost of doing business or highlight that it may be time to source cheaper suppliers or focus on production or product changes. Companies are concerned about their stockholders (owners). The price–earnings (PE) ratio (market price per share divided by earnings per share) shows how much a stockholder is willing to pay per dollar of earnings. For example, a PE of 10 means investors (and potential investors) are willing to pay 10 times current earnings for a company’s shares. This gives value to the future earning capacity of the enterprise. The earnings per share (EPS) ratio (profits available to common shareholders divided by weighted average common stock shares issued)

  Client Approaches to Measuring Performance  4-13

reflects the earnings return on each common share issued. When a client’s PE or EPS ratios are in decline, auditors may be concerned that management is under pressure to manipulate earnings. The cash earnings per share (CEPS) ratio (operating cash flow divided by outstanding shares) shows the cash flow capacity of a company for each common share issued. CEPS may be a more reliable indicator of a company’s financial health because it excludes noncash components such as depreciation and amortization, as well as noncash mark-to-market earnings. Retailers and manufacturers are generally concerned about their inventory turnover (cost of sales divided by average inventory), often at a department level. An assessment of this ratio is made within the context of the industry in which a company operates. For example, a company that sells perishable goods such as ice cream requires a much higher turnover than a company that sells nonperishable goods such as furniture. If a client’s inventory turnover slows significantly, auditors may be concerned that inventory is overvalued.

cash earnings per share (CEPS) ratio  shows cash flow capacity of a company for each common share issued

Liquidity, Solvency, and Cash Flow Liquidity is the ability of a company to meet its needs for cash in the short term, and solvency is the ability to meet its long-term financial obligations. It is vital for a company to have access to cash to pay its debts when they fall due. If it cannot meet these obligations, a company may be forced into liquidation. Companies require cash to pay their employees’ wages, utility bills, supplier bills, interest payments on borrowed funds, dividends to stockholders, and so on. In the longer term, companies need cash to repay long-term debt and undertake capital investment. Because cash is so vital, cash flow is closely monitored by the company and by external users, such as analysts and stockholders. To gain an understanding of a client’s cash flow, auditors analyze the cash flow statement. Recall from your previous accounting courses that the cash flow statement summarizes all cash activities into three categories: operating activities, investing activities, and financing activities. The cash flow provided, or used, by operating activities indicates a company’s ability to generate cash. For analysis purposes, the cash flow from operations amount can be adjusted for any one-time influences on cash flow from operations to determine sustainable cash flow from operations. For example, if the client made a large, onetime litigation payment, that amount could be added back to the cash flow from operations amount to provide a more realistic view of cash flow generated from normal and recurring operating activities. Companies often agree to debt covenants with lenders when taking on loans. That is, they promise to maintain specified profitability, liquidity, or other financial ratios, or to seek the lender’s permission before taking on new borrowings or acquiring other companies. These covenants are written into the borrowing contracts and restrict a company’s activities. If a company breaches a debt covenant, it may need to renegotiate or repay the loan. By understanding how their client measures and assesses its own performance and any restrictions implied by debt covenants, auditors gain a deeper understanding of the accounts potentially at risk of material misstatement. For example, if a client is close to violating the terms of a debt covenant, management may have incentive to misstate reported amounts in ways to show compliance with covenants.

liquidity  the ability of a company to pay its current debts when they fall due solvency  the ability of a company to meet its long-term financial obligations

sustainable cash flow from operations  cash flow from operations adjusted for one-time influences

Cloud 9 - Continuing Case In her discussions with the partner, Jo Wadley, Suzie learns the senior people in the Cloud 9 accounting/finance department are entitled to receive stock options if revenue targets are met. Cloud 9’s share price (which determines the value of the stock options) reflects market expectations about future profits. Cloud 9 has taken on additional debt this year, and costs are rising because of issues associated with its drive to increase

market share. These results increase interest expense and decrease profitability, potentially reducing the value of the stock options. Suzie decides to allocate time in the audit plan to consider whether these pressures could impact any of the senior staff’s incentives and increase inherent risk and possibly fraud risk.

4-14  C h a pte r 4  Risk Assessment Part II: Understanding the Client

Before You Go On 2.1  What is a PE ratio? Why is it important to auditors? 2.2 Explain how internal performance reports may be used by auditors to assess the risk of material misstatement. 2.3 What is a debt covenant? Develop an example of why a debt covenant is important to assessing the risk of material misstatement.

Analytical Procedures Lea rning O bjective 3 Demonstrate how auditors use analytical procedures when assessing risk, including the use of audit data analytics.

analytical procedures  evaluations of financial information through analysis of plausible relationships among financial and nonfinancial data

As auditors gain an understanding of their client, the industry in which it operates, and how the client measures its own performance, they can develop their own expectations regarding the client’s financial statement items. For example, if auditors are aware their client has borrowed a significant amount of money in the previous financial year, a reduction in the client’s debt-to-equity ratio would be unusual and would warrant further investigation. This is an example of auditors using analytical procedures to assess risk. AU-C 315 and AS 2110 define analytical procedures as evaluations of financial information through analysis of plausible relationships among financial and nonfinancial data. Analytical procedures involve the identification of fluctuations in accounts that are inconsistent with the auditors’ expectations based upon their understanding of the client. It is essential that auditors have clear expectations about their client’s results for the reporting period before conducting analytical procedures, so that unexpected fluctuations can be correctly identified and investigated. Analytical procedures are conducted throughout an audit. During the risk assessment phase, analytical procedures are used to aid in the risk identification process. During the risk response phase, analytical procedures are an efficient method of testing account balances that are derived from estimates. At the conclusion of the audit, analytical procedures are used to assess whether the financial statements reflect the auditors’ knowledge of their client and the client’s industry. In this chapter we concentrate on the application of analytical procedures during the risk assessment phase. The use of analytical procedures when conducting substantive procedures and during the conclusion of the audit is discussed in Chapters 9 to 14. Analytical procedures are conducted during the risk assessment phase of the audit to: •  Highlight unusual fluctuations in accounts. •  Aid in the identification of risk. •  Enhance the understanding of a client and its industry. •  Identify the accounts at risk of material misstatement. •  Minimize audit risk by concentrating audit effort where the risk of material misstatement is greatest. AU-C 315 and AS 2110 require auditors to perform analytical procedures as part of their risk identification process, even if the data is preliminary or aggregated at a high level. Analytical procedures include simple comparisons, trend analysis, common-size analysis, and ratio analysis. Let’s discuss each of these forms of analysis and factors to consider when conducting analytical procedures.

Comparisons Comparisons are often made between account balances for the current year and the previous year(s), the current year and the budget, or the current year and industry data. When comparing

 Analytical Procedures  4-15

account balances from one year to the next, significant changes can be tracked and investigated further by the auditors. Auditors will assess these changes in light of their expectations based upon their understanding of the client and any changes experienced over the previous year. For example, if the client had opened a new retail outlet, total sales would be expected to have increased by a predictable amount since the previous year. When comparing account balances with budgeted amounts, auditors are concerned with uncovering variations between actual results and those expected by the client. Significant unexpected variations should be discussed with client personnel and the results of such inquiry should be corroborated by other evidence. Comparisons of one year to the next involve only limited data. As a result, auditors keep results of analytical procedures for continuing clients so they have running data over a number of years to spot changing trends more easily.

Trend Analysis Trend analysis (or horizontal analysis) is a comparison of account balances over time. It is conducted by selecting a base year and then restating all accounts in subsequent years as a percentage of that base. It allows auditors to gain an appreciation of how various accounts have changed through time. When conducting a trend analysis, it is important for auditors to consider significant changes in economy-wide factors, such as a recession, which may affect their interpretation of the trend. Illustration 4.4 provides an example of a trend analysis. 2020 (in $ millions)

2021 % Change Compared to 2020

2022 % Change Compared to 2020

2023 % Change Compared to 2020

Sales

250

(20)

(10)

20

Cost of sales

110

(10)

0

10

Interest expense

10

(30)

30

0

Wages expense

70

(20)

30

6

Rent expense

40

0

0

0

Cash

400

20

10

25

Inventory

350

30

20

10

Trade receivables

300

(10)

5

15

trend analysis  a comparison of account balances over time

ILLUSTRATION 4.4  

Trend analysis

Income statement items

Balance sheet items

Various accounts can be selected for inclusion in a trend analysis. Accounts that vary from one year to the next are generally the focus. In the trend analysis depicted in Illustration 4.4, 2020 was selected as the base year. The following years appear as a percentage increase or decrease of the 2020 amount. For example, sales in 2021 were 20% lower than sales in 2020; in 2022 sales were only 10% lower than the 2020 figure, and in 2023 sales grew to 20% higher than the 2020 amount. A trend analysis allows auditors to assess movements in the accounts over time and determine whether the underlying trends match their understanding of the client and its operations over the period under review.

Common-Size Analysis Common-size analysis (or vertical analysis) is a comparison of account balances to a single line item. In the balance sheet, the line item used is generally total assets. In the income statement, the line item used is generally sales or revenue. A common-size analysis allows auditors to gain a deeper appreciation of how much each account contributes to the totals presented in the financial statements. By preparing common-size accounts for several years, auditors can trace the relative contribution of various accounts through time. Illustration 4.5 provides an example of a common-size analysis.

common-size analysis  a comparison of account balances to a single line item

4-16  C h a pte r 4  Risk Assessment Part II: Understanding the Client ILLUSTRATION 4.5  

2020 %

2021 %

2022 %

2023 %

100

100

100

100

44

50

48

40

Interest expense

4

4

6

3

Wages expense

28

28

22

25

Rent expense

16

20

18

13

5

4

4

3

Inventory

20

27

23

23

Trade receivables

18

25

22

18

Payables

15

15

17

16

100

100

100

100

Common-size analysis Income statement items Sales Cost of sales

Balance sheet items Cash

Total assets

The common-size analysis depicted in Illustration 4.5 shows that cost of sales grew and then decreased as a proportion of sales. This may reflect a change in prices charged by suppliers, prices charged to customers, and/or quantity of goods on hand. In the balance sheet, inventory levels rose and then dropped, which may indicate a build-up of inventory on hand when sales dropped in 2021.

Ratio Analysis Auditors perform ratio analysis to assess the relationship between various financial statement account balances. Auditors will calculate profitability, liquidity, and solvency ratios.

Profitability Ratios Profitability ratios reflect a company’s ability to generate earnings and ultimately the cash flow required to pay debts, meet other obligations, and fund future expansion. Common profitability ratios, shown in Illustration 4.6, include the gross profit margin, profit margin, return on assets, and return on stockholders’ equity. ILLUSTRATION 4.6   Common profitability ratios

Ratio Gross profit margin Profit margin Return on assets (ROA) Return on stockholders’ equity (ROE)

gross profit margin  measures whether a seller of goods has sufficient markup on goods sold to pay other expenses profit margin  measures profitability after taking into account all operating expenses

Formula Gross profit Net sales Net income Net sales Net income Average total assets Net income Average equity

The gross profit and profit margins indicate the proportion of sales turned into profits. The gross profit margin indicates whether a seller of goods has a sufficient markup on goods sold to pay for other expenses. A markup is the difference between the selling price of goods and the cost of goods sold. A decline in this ratio indicates a client may be paying more for its inventory or charging less to its customers. If the gross profit margin continues to decline, the client may have a loss if it is not able to cover its operating expenses. The profit margin indicates the profitability of a company after taking into account all operating expenses. By looking at the trend in the profit margin over time, auditors can

 Analytical Procedures  4-17

identify variability in the profit-earning capacity of their client. If the profit margin is steadily falling, this may affect the future viability of the client. A profit margin that varies widely from year to year indicates volatility and uncertainty, which makes it difficult to assess the fair presentation of the current reported earnings without further investigation. The return on assets (ROA) ratio indicates the ability of a company to generate income from its average investment in total assets. The return on stockholders’ equity (ROE) ­ratio indicates the ability of a company to generate income from the funds invested by its common stockholders. If a company is unable to generate a sufficient return on funds invested, there may be insufficient funds available to pay dividends and invest in future growth. Auditors calculate these ratios to assess trends in profitability. If the ROA and ROE, and resulting cash flow, are falling, it will affect the ability of their client to pay dividends and interest, and repay loans, all of which depend on the client’s ability to generate cash. Auditors compare the current year and previous years to identify trends in their client’s profitability. Comparisons are also made with budgeted results and with competitors. When comparing actual results with the budget, auditors assess how profitable the client is compared to management’s expectations as outlined in the budget. Auditors discuss any significant variance with management. When comparing their client with competitors, auditors assess their client’s profitability relative to companies of a similar size operating in the same industry. Any significant trends that appear unusual when compared to previous years, budget, or competitors are investigated further by the audit team as a possible indication of a risk of a material misstatement.

return on assets (ROA) ratio  measures ability to generate income from average investment in total assets return on stockholders’ equity (ROE) ratio  measures ability to generate income from funds invested by common stockholders

Liquidity and Activity Ratios Liquidity ratios reflect a company’s ability to meet its short-term debt obligations, and activity ratios measure a company’s ability to convert its assets to cash. If a company is unable to pay its debts when they fall due, key employees may leave, suppliers may refuse to supply goods, and lenders may demand the repayment of loans. Auditors are concerned with their client’s liquidity situation to alert them to any potential going concern issues. Some important short-term liquidity ratios, shown in Illustration 4.7, include the current ratio, the acid-test (quick) ratio, free cash flow, and the ability of cash flow from operations to cover current debt and dividends. The turnover ratios are activity ratios and serve as indicators of managerial efficiency and client activity. Ratio Current ratio Acid-test (quick) ratio Sustainable free cash flow Ability of cash flow from operations to cover current debt and dividends Inventory turnover in days Receivables turnover in days Payables turnover in days Gross operating cycle Net operating cycle

ILLUSTRATION 4.7   Common liquidity and activity ratios

Formula Current assets Current liabilities

Cash + Short-term investments + Receivables (net) Current liabilities

Sustainable cash flow from operations – Capital expenditures Sustainable cash flow from operations

Current portion of financing debt + Dividends 365 days ÷

( (

365 days ÷ 365 days ÷

(

Cost of sales Average Inventory

)

Net credit sales Average net receivables Cost of sales

) )

Average accounts payable

Receivables turnover in days + Inventory turnover in days Gross operating cycle – Payables turnover in days

The current ratio indicates how well current assets cover current liabilities. A ratio that is greater than 1.0 indicates a company should be able to meet its short-term commitments when they fall due. In reality, this will depend upon the ability of a company to convert its inventory and receivables into cash on a timely basis. The acid-test (quick) ratio indicates

current ratio  measures ability to meet short-term obligations as they come due acid-test (quick) ratio  measures ability to meet shortterm obligations with liquid assets such as cash, short-term investments, and receivables

4-18  C h a pte r 4  Risk Assessment Part II: Understanding the Client

sustainable free cash flow  measures cash flow remaining after covering cash outflows for operations and capital expenditures ability of cash flow from operations to cover current debt and dividends  measures ability to cover current debt maturities and dividends with operating cash flow inventory turnover in days  measures how many days, on average, it takes a company to sell its inventory

receivables turnover in days  measures how many days, on average, it takes a company to collect its receivables

payables turnover in days  measures how many days, on average, it takes a company to pay its suppliers

gross operating cycle  measures how many days, on average, it takes to purchase inventory, sell it, and collect the receivable net operating cycle  measures how many days, on average, it takes a company to purchase and sell inventory, collect the receivable, and pay back creditors

how well liquid assets cover current liabilities. Liquid assets include cash, short-term investments, and receivables. Acceptable current and acid-test ratio benchmarks vary from one industry to another. Auditors compare the trend in both ratios over time to assess whether their client’s liquidity situation is improving or deteriorating. Auditors also compare their client’s ratios with the industry average to assess their client’s liquidity relative to close competitors. If a client’s liquidity situation is deteriorating or is poor when compared to the industry average, auditors may be concerned about the future viability of the company. Sustainable free cash flow measures the cash flow remaining after covering cash outflows for operations and capital expenditures. Larger numbers indicate a company has the capacity to finance operations and capital expenditures with operating cash flow, and it has the ability to take advantage of opportunities that may arise unexpectedly. For example, a large free cash flow balance could indicate the client could acquire another company if the opportunity was available. The ability of cash flow from operations to cover current debt and dividends estimates the company’s ability to cover current debt maturities and dividends with operating cash flow. A larger number indicates an increased ability to cover current debt maturities and dividends with operating cash flow. Inventory turnover in days measures how many days, on average, it takes a company to sell its inventory. In general, the lower the number of days the better, because companies prefer to sell their inventory quickly, and generate a profit, rather than have it sit on a shelf or in a warehouse. This ratio will vary widely from one industry to another. For example, the inventory turnover in days for a supermarket would be much lower than for a luxury boat manufacturer. Auditors look at the trend in this ratio to determine whether inventory is being sold more quickly or more slowly from year to year. They also compare the inventory turnover in days for their client to the industry average to determine whether their client is competitive with its rivals. If a client operates in a high-technology industry or the fashion industry, where customer preferences change quickly, an increase in the inventory turnover in days may indicate the client is not keeping up with change and products are not being sold as quickly. When a client’s inventory turnover in days increases by more than expected, auditors will spend more time testing the valuation of inventory. Inventory may need to be written down in response to slowing demand. In this situation, auditors will also investigate whether sales revenue has fallen in line with the slowing movement of inventory. Receivables turnover in days measures how many days, on average, it takes a company to collect cash from its customers. In general, a lower number of days is better. The sooner a company can collect cash from customers, the sooner that cash can be used to purchase more inventory, pay down debt, or finance new capital assets. The receivables turnover in days should be compared to the client’s credit terms that it offers customers. For example, if the credit terms are 3/10, net/30, auditors would expect the receivables turnover in days to be about 30 days or maybe less. If the ratio is 41 days, it may indicate the client is making sales to customers who are unable to pay for their goods on a timely basis or the client is not following up with customers who are late in paying. In this example, auditors will spend more time considering the adequacy of the allowance for doubtful accounts. Payables turnover in days measures how many days, on average, it takes a company to pay its suppliers. A lower number of days means a company is paying off its short-term debt at a faster rate. The payables turnover in days should be compared with the average time frame the client’s vendors allow for payment. For example, suppose most of the client’s vendors allow 30 days for the client to remit payment of an invoice. If the client’s ratio is 58 days, it may indicate the client is struggling to make vendor payments and is consistently late. This could lead to late fees and possibly vendors not wanting to sell to the client any more. It may also indicate that controls over accounts payable are weak. In this example, auditors will spend more time considering controls over the accounts payable process to ensure all liabilities that occurred are properly recorded in accounts payable. Gross operating cycle is an estimate of the number of days it takes for a company to purchase inventory, sell it, and collect the receivable. A smaller amount of days represents faster turnover of a company’s merchandise, which is desirable to maintain strong cash flow. Net operating cycle is the gross operating cycle minus the payables turnover in days. The net operating cycle reflects that a company may use credit to finance inventory purchases. It is an estimate of how long the company is waiting to sell inventory, collect on receivables, and then

 Analytical Procedures  4-19

pay back creditors. A smaller number of days indicates a faster turnover of merchandise. It is important to remember that different industries have different capital needs and product life cycles; therefore, determining whether a company has a long or short operating cycle should be made within the industry context.

Solvency Ratios Solvency ratios are used to assess the long-term viability of a company. Liquidity ratios take a short-term view of a company whereas solvency ratios have a long-term perspective. Common solvency ratios are the debt-to-equity ratio and times-interest-earned ratio, as shown in Illustration 4.8. Ratio

Formula

Debt to equity Times interest earned

Total liabilities Total equity Income before income taxes and interest expense Interest expense

The debt-to-equity ratio indicates the relative proportion of total assets being funded by debt relative to equity. A high debt-to-equity ratio increases the risk that a client will not be able to meet principal and interest payments to lenders when due. Companies with long-term debt are more likely to have debt covenants with a lender, which may restrict the company’s activities. Auditors consider the trend in the client’s debt-to-equity ratio over time and gain an understanding of the make-up of total liabilities (e.g., what percentage of debt is current versus long-term). An increasing ratio may indicate a client will not be able to repay its loans when they fall due and increases the risk a client will breach a debt covenant. Auditors also compare a client’s debt-to-equity ratio with similar companies in the same industry, as this ratio tends to vary across industries. The times-interest-earned ratio measures the ability of earnings to cover interest payments. A low ratio indicates a client may have difficulty meeting its interest payments to lenders. Auditors consider how this ratio has changed over time. A downward trend is a concern as it indicates lenders may charge the client a higher rate of interest on future borrowings. At the extreme, lenders may demand the repayment of debt if the client does not make interest payments on time.

Audit Reasoning Example  Ratio Analysis Sadie is conducting ratio analysis during the risk assessment phase for the audit of Bayou Sports Shop. She has calculated the following ratios for Bayou and compared them to the industry ­average: Ratio Receivables turnover in days Inventory turnover in days Current ratio Debt-to-equity ratio

ILLUSTRATION 4.8   Common solvency ratios

Bayou Sports Shop 27 days 58 days 1.88 1.21

Industry Average 26 days 61 days 2.0 .50

When compared to the industry averages, what areas appear to be risky for Bayou? ­Bayou is consistent with the industry in terms of collecting receivables, turning over inventory, and maintaining liquidity. In terms of solvency, Bayou’s debt-to-equity ratio is more than double the industry average. Compared to others in the industry, Bayou has more debt, which means more cash is being used to pay interest on the debt. Bayou has increased risk of not being able to pay interest payments on time if the economy takes a downturn and sales decline. Sadie documents a follow-up procedure to inspect loan documents to see if there are any debt covenants that require Bayou to maintain certain ratios. If the debt-to-equity ratio continues to increase, Bayou could be in violation of a debt covenant and be required to pay back borrowed funds immediately.

debt-to-equity ratio  measures the relative proportion of equity and debt used to finance total assets

times-interest-earned ratio  measures ability of earnings to cover interest payments

4-20  C h a pte r 4  Risk Assessment Part II: Understanding the Client

Audit Data Analytics audit data analytics (ADA)  using software to discover and analyze patterns, identify anomalies, and extract other useful infor­­­ mation in data underlying the subject matter of an audit through analysis, modeling, and visualization for the purpose of planning or performing an audit

More sophisticated analytical procedures are used by some auditors. Audit data analytics (ADA) is the use of software to conduct detailed analysis of client data, such as information contained in the client’s ledgers and journals. These applications can be used to conduct the analysis outlined above, as well as to search for unusual transactions, including those that occur at odd times, are for unusual amounts, or within unusual accounts. An in-depth discussion of ADA is provided in Chapter 7, and ADA is also addressed in other chapters throughout the text. Here is a brief discussion of using ADA to conduct cluster analysis, time-series analysis, and regression analysis. Cluster analysis involves sorting client data into various dimensions or measures. For example, client data can be sorted across dimensions such as location, cost center, or manager. It can then be measured as inventory purchased, inventory sold, inventory on hand, sales, or rent expense across those dimensions. Once measured data are sorted by dimensions, they can be analyzed to determine whether the relationships between the various data are consistent with the auditors’ understanding of their client. Journal entry summaries provide condensed overviews of transactions. Summaries can be prepared using a range of criteria by month, by division, or by manager. Time-series analysis can be used to analyze data that occur regularly within the client, for example, sales and purchases. This form of analysis uses data from the past to predict the future. For example, sales made in the past can be used to predict sales in the period under audit. Significant fluctuations in expected sales trends are then investigated by the audit team. When assessing variations, auditors incorporate their understanding of changes that have occurred in the current year that may explain the variations observed. For example, the client may have closed some retail outlets, which would explain a sharp decline in sales. When conducting a time-series analysis, auditors look at the long-term trend, seasonal variation (for example, sales of ice cream are likely to be higher in summer), and unexpected variations. Regression analysis can be used to investigate the relationships among different groups of data or variables. This analysis considers the relationship between a dependent variable, such as sales, and various independent variables, such as selling costs, purchases, and advertising expense. Regression analysis provides a statistical measure of the associations among data. It establishes whether movements in the independent variables result in a change in the dependent variable. Significant differences between what the regression model predicts and the client’s reported balances are investigated as they indicate a potential misstatement, such as an overstatement of sales relative to associated expenses.

Factors to Consider When Conducting Analytical Procedures There are several factors to consider when conducting analytical procedures. The first is the reliability of client data. If auditors believe there is a significant risk the client’s records are unreliable due to, for example, poor internal controls, then auditors are less likely to rely on analytical procedures. Another issue is the ability to make comparisons over time. If the client has changed accounting methods, this will reduce the comparability of the underlying data. In this case, auditors will need to restate prior years’ financial statement data using the current accounting methods before making any comparisons. Finally, if past results are unaudited, they are considered less reliable for comparison purposes. During the risk assessment phase, auditors may only have access to their client’s half-year results. They will need to annualize revenue and expense items before making comparisons with the prior year. If a client earns revenues evenly throughout the year, it is appropriate to double the half-year revenues. If a client earns more revenues in some months relative to

 Analytical Procedures  4-21

others (for example, an ice-cream seller earns more in warmer months), trends must be considered when annualizing half-year results. When comparing actual financial results to budgeted results, auditors must consider the reliability of the budget. This can be assessed by comparing budgets to actual results for prior years. If the client continually overestimates earnings, for example, auditors take this into account when comparing actual and budgeted results for the current period. Auditors must be careful when benchmarking a client with industry data. If the client is significantly smaller or larger than most companies in its industry, comparison may not be valid. If competitors do not use the same accounting methods, the comparison is problematic. If the client has very different results and ratios from the industry average, there may be a problem with the industry data rather than with the client data. In conducting analytical procedures, the following information sources are generally considered to be reliable: •  Information generated by an accounting system that has effective internal controls. •  Information generated by an independent reputable external source. •  Audited information. •  Information generated using consistent accounting methods. •  Information from a source internal to the client that has proven to be accurate in the past (for example, preparation of budgets). Auditors document the results of the analytical procedures, including the accounts identified as being at risk of material misstatement. These results are used to further refine the audit strategy and develop the audit plan.

Cloud 9 - Continuing Case Ian volunteers to start the analysis of Cloud 9’s interim results and previous period’s financial data. He previously attended a training session on the W&S Partners’ software that he will use to produce reports showing unusual relationships and fluctuations. Suzie is grateful for the help but cautions Ian, “You do realize that judging what is ‘unusual’ is a little more complex than getting a software application to identify a change above a certain percentage? You need considerable industry experience and client knowledge to

make sense of the information. For example, no change in a figure can be more suspicious than a large change, depending on the circumstances.” “Yes, I realize that, and I know that I don’t have the experience to complete the analysis, but I am hoping to learn from you by seeing what you do with the data and reports that I hadn’t even considered doing,” he says.

Before You Go On 3.1 Why are liquidity ratios calculated? Develop an example of how a liquidity ratio might help the auditor in risk assessment. 3.2 What is a trend analysis and why might an auditor use this form of analysis for risk assessment? 3.3 Explain the factors that the auditor should consider when performing analytical procedures in the risk assessment process.

4-22  C h a pte r 4  Risk Assessment Part II: Understanding the Client

Related Parties Lea rning O bjective 4 Define related party transactions and explain how they affect the auditor’s risk assessment.

related party  an affiliate, principal owner, manager, or other party that is not independent of the entity

Another risk assessment procedure is the search for related party relationships and transactions. What is a related party? According to FASB ASC Topic 850, Related Party Disclosures, related parties of a company include the following: •  Affiliates of the entity. •  Investments in other entities accounted for by the equity method. •  Trusts for employee benefit plans, such as pensions, that are managed by or under the trusteeship of management. •  Principal owners of the entity and their immediate family members. •  Management of the entity and their immediate family members. •  Other parties that can significantly influence management or operating policies of the entity. Financial reporting frameworks, such as GAAP, require disclosure of related party relationships, transactions, and accounts so financial statement users can understand their potential effects on the financial statements. Companies can have transactions with related parties frequently in the normal course of business, but because they are related parties, there is a risk that some of the transactions may not be accounted for according to their true substance. In other words, transactions with related parties may not be the same as “arm’s-length” transactions between independent and unrelated buyers and sellers or borrowers and lenders. For example, a company may loan money to an affiliated company, but have no scheduled terms for how or when the money will be paid back. Should this be accounted for as a loan? Is that the true substance of the transaction? If related party transactions are not accounted for properly, then one or more material misstatements could occur in the financial statements. AU-C 550 Related Parties and AS 2410 Related Parties provide audit guidance associated with related party transactions and disclosures. During the risk assessment phase, the objective of the auditors is to gain an understanding of a client’s related party relationships and transactions. The audit team should gain an understanding of the client’s procedures for identifying related parties, authorizing transactions with related parties, and disclosing the relationships and transactions in the financial statements. The client should have internal controls in place to ensure related parties are identified and disclosed. Discussion among audit team members should include an emphasis on maintaining professional skepticism and considering how related parties may be involved in fraud. The existence of related parties is a fraud risk factor because fraud may be more easily committed among related parties (see the section “Opportunities to Perpetrate a Fraud” in Chapter 3). For example, transactions between the client and a known business partner of a key manager could be arranged for the purpose of misappropriating (stealing) assets. Another example would be a major stockholder paying back a loan at period end, but the client lending the same amount of money back to the stockholder shortly after period end. This is a scheme referred to as “period-end window dressing.” Auditors use specific procedures to confirm related parties that have been identified by management and to identify additional related parties that management’s processes may not have identified. Some common procedures used by auditors to identify related parties are listed in Illustration 4.9. Note these procedures are used during risk assessment and throughout the remaining phases of the audit. Auditors should always be mindful of potential related parties because client circumstances could change and new relationships could be created at any time during the client’s year. Auditors should document all identified related parties and the nature of the relationships. If any of the related party relationships or transactions are identified as posing a significant risk of material misstatement, auditors will plan to gather more evidence or adjust audit procedures, as needed, during the risk response phase of the audit.

  Corporate Governance  4-23

Procedures to identify related parties: •  Obtain a listing of related parties from management.

illustration 4.9   Procedures used by auditors to identify related parties

•  Read minutes of the board of directors’ meetings. •  Review client filings with the SEC, if applicable. •  Read contracts or other agreements related to significant unusual transactions. •  Review life insurance policies purchased by the client. •  Review conflict-of-interest statements from management. •  Review shareholder registers to identify the principal shareholders. •  Review correspondence from the client’s advisors, such as attorneys or consultants. •  Obtain a listing of the trustees of pension plans and other trusts for the benefit of employees.

Audit Reasoning Example  Related Parties Juan is assigned to the audit of MED Inc., a new client that manufactures medical supplies made from fabrics, such as bandages, blankets, and head caps, for newborn babies. Throughout the year, MED Inc. hires temporary workers as needed to meet demand when customers place large or unexpected orders. MED Inc. uses the services of three personnel agencies to find temporary workers and pays finder’s fees to the personnel agencies. While reviewing the amounts paid to the three personnel agencies, Juan notices that one agency is being paid considerably more than the other two. Juan meets with the controller, Amanda, to gain a better understanding of the transactions with the personnel agencies. Amanda says, “The primary agency we use is Any Time Workers. The agency opened last year, and it’s actually owned by the wife of our VP of Operations. She has done a great job keeping us supplied with workers so we can keep up with demand.” Back at his desk, Juan documents his conversation with Amanda and notes this is a related party situation. What potential risks are created by this situation? First, there is a disclosure risk. The audit team must ensure that MED Inc. is disclosing the related party and the transactions. Second, the existence of related party transactions is a fraud risk factor. Could the payments to MED Inc. be a misappropriation of assets? Is MED Inc. paying Any Time Workers above-market prices for its services, or paying for services it has not actually received? Could inflated payments represent additional compensation for the VP of Operations, via his wife’s company, to avoid payroll tax expenses associated with making bonus payments? This type of thought process is an example of Juan using professional skepticism. He will keep these risks in mind when planning the audit procedures related to the transactions with the personnel agencies.

Before You Go On 4.1  What is a related party? Provide at least two examples. 4.2  Why is an auditor interested in identifying related parties during the risk assessment phase of an audit? 4.3  Are procedures to identify related parties only performed during risk assessment? Explain.

Corporate Governance Lea rning Objective 5 Describe common corporate governance structures and how they impact the auditor’s risk assessment. Corporate governance refers to the people, systems, and processes within companies used to ensure that companies are well-managed and that, among other things, risks are identified

corporate governance  refers to the people, systems, and processes within companies used to ensure that companies are well-managed and that risks are identified and controlled by management and entity personnel

4-24  C h a pte r 4  Risk Assessment Part II: Understanding the Client board of directors  a group that represents the shareholders and is responsible for ensuring the company is being run to benefit the shareholders executive directors  employees of the company who also hold a position on the board of directors non-executive directors  board members who are not employees of the company; their involvement on the board is limited to preparing for and attending board meetings and relevant board committee meetings

and controlled by management and entity personnel. In publicly traded companies, the group responsible for overseeing management is the board of directors. The board of directors represents the shareholders and is responsible for ensuring the company is being run to benefit the shareholders. The board of directors will hold meetings at least once a quarter, but will meet more often as needed. A board is comprised of a mixture of executive and non-executive directors. Executive directors are also part of the company’s management team, and they are fulltime employees of the company, such as the Chief Executive Officer (CEO) and the Chief Financial Officer (CFO). Non-executive directors are not part of the company’s management team, and their involvement is limited to preparing for and participating in board meetings and relevant board committee meetings. The audit partner will meet with members of the board when necessary throughout the audit. Illustration 4.10 depicts the composition of the board of directors and serves as a reference for the remaining discussion of corporate governance. Board of Directors

ILLUSTRATION 4.10  

Composition of a board of directors

Executive directors

Non-executive directors

Audit committee Direct communication Auditors

audit committee  a committee of the board of directors responsible for oversight of internal controls, financial reporting and disclosure in the financial statements, regulatory compliance, and the company’s independent auditors those charged with governance  persons with responsibility for overseeing the strategic direction of the entity and the obligations related to the accountability of the entity

During risk assessment, auditors gain an understanding of a client’s corporate governance structure. It is important that the board of directors has a mixture of executive and non-executive members. The executive members have a deeper understanding of the company and its workings, which is why auditors meet with executive directors, such as the CFO, throughout the audit. The non-executive members may be better representatives of shareholders as they are not company employees and can be more impartial in their strategic decision-making. Ideally, non-executive directors should be somewhat independent of the company and be objective and knowledgeable about the industry and financial reporting. The presence of non-executive board members helps to reduce the risk of material misstatement because they provide oversight of top-level management decisions, such as the amount of dividends declared, plans for significant asset purchases, purchases and sales of major investments, and major agreements with other companies. The auditor reads minutes of board meetings to learn about these key decisions regarding the strategic direction of the company. Boards of larger entities will also have a series of committees made up of various, but not all, members of the board. It is the role of these committees to efficiently deal with specific important issues. The main board committee the auditors interact with is the audit committee. The audit committee is responsible for overseeing the accounting and financial reporting processes of the company and the audit of the financial statements. While ultimate responsibility for the financial reporting process rests with the full board, an audit committee can improve the efficiency of achieving this goal. Some private companies may not have an audit committee or even a board of directors. In that case, auditors should communicate with those charged with governance. Those charged with governance are individuals with the responsibility for overseeing the strategic direction of the entity and the obligations related to the accountability of the entity, including the financial reporting process. Those charged with governance may include management personnel, such as executive members of a governance board or an owner-manager (AU-C 260.06). For public companies, SOX has specific requirements for the composition and duties of the audit committee. These specific requirements are listed in Illustration 4.11. AS 1301 Communication with Audit Committees requires that auditors establish an understanding with the audit committee regarding the terms of the audit engagement and then document that understanding in the engagement letter. Auditors should meet with the audit committee before the engagement starts to discuss the auditor’s responsibilities, significant accounting policies, and other issues. If the audit committee has concerns over a certain area of the entity, the audit committee members can request that auditors perform specific procedures such as conducting special investigations or visiting specific locations of the client company. These requested activities would be in addition

  Corporate Governance  4-25

to the audit teams’ planned procedures, and not restrict the scope of the auditor’s planned procedures. PCAOB and ASB standards also require that auditors communicate important details about the audit to the audit committee during or towards the conclusion of the audit. These required communications will be discussed in Chapter 14. SOX requirements and duties for audit committees of public companies: •  Audit committee members must be independent members of the board of directors, not executive directors or otherwise affiliated with the issuer. •  Audit committee members cannot accept consulting or advisory fees from the issuer, beyond the normal director compensation.

ILLUSTRATION 4.11   Sarbanes-Oxley Act of 2002, Section 301: Public company audit committees and Section 407: Disclosure of audit committee financial expert

•  At least one audit committee member must be a “financial expert” as evidenced through education or work experience. •  The audit committee is responsible for the appointment, compensation, and oversight of the auditors. •  Auditors report directly to the audit committee, and the audit committee is responsible for resolving any disagreements between management and auditors over financial reporting. •  The audit committee establishes procedures for receiving complaints regarding accounting or internal control matters of the company, including receipt of anonymous complaints from employees. •  The audit committee has authority to engage legal counsel if necessary.

Professional Environment  Recruiting for an Audit Committee The passing of the Sarbanes-Oxley Act of 2002 significantly changed the landscape of corporate governance. In particular, the audit committee has taken on more responsibility in areas such as whistle-blowing, auditor oversight, and internal controls over financial reporting. The increased duties of the audit committee are making it more challenging for companies to find qualified candidates to serve on audit committees. In December 2015, the chairwoman of the Securities and Exchange Commission, Mary Jo White, was speaking to the American Institute of CPAs in Washington, D.C. She stated, “Just meeting the technical requirements of financial literacy may not be enough to fully understand the financial reporting requirements or to challenge senior management on major, complex decisions. I have growing concerns about the amount of work required of some audit committees.”3

As the requirements for the audit committee position have increased, the supply of qualified individuals has decreased. With increased workloads for audit committee members, potential candidates are reluctant to serve on multiple boards as they have done in the past. Some companies are enlisting the help of search firms to find qualified candidates and are trying to be more creative with potential recruits. The typical “go-to” candidate for an audit committee member would be a retired CFO or retired auditor. However, there are plenty of other qualified candidates, but it may take more effort to find them. In fact, finding candidates that are not the typical audit committee candidate could have a positive effect by bringing more diversity to the audit committee. Committee members with more diverse backgrounds could bring different perspectives to the group and could be willing to ask different questions.

Cloud 9 - Continuing Case The partner, Jo Wadley, and manager, Sharon Gallagher, are working on the task of assessing the quality of corporate governance at Cloud 9. Typically, the most senior people on the audit team talk to the client’s senior people. However, the work done by Suzie, Ian, and others on the audit team will also inform the

assessment of Cloud 9’s corporate governance quality because lower-level workers often have some interesting stories to relate about how things really work at a company. Suzie will be thinking about these issues when she visits the client’s premises next week.

Before You Go On 5.1  What is the purpose of a board of directors? 5.2  What is the difference between executive directors and non-executive directors? 5.3  According to SOX, what are some duties of the audit committee of the board of directors?

3

R. Teitelbaum and K. Johnson, “Boards Face Recruiting Challenges,” Wall Street Journal (December 14, 2015), www.wsj.com.

4-26  C h a pte r 4  Risk Assessment Part II: Understanding the Client

Internal Control and Information Technology Lea rning O bjective 6 Explain how a client’s internal control and information technology (IT) can affect risk.

information technology (IT)  the use of computers to process, record, and store financial reporting data and other information

According to AU-C 315, auditors must gain an understanding of the client’s system of internal controls. The concept of control risk was discussed in Chapter 3. Recall that if strong internal controls exist at the account or assertion level, then auditors may adopt a reliance on controls approach and perform less extensive substantive testing. However, if the internal controls are weak at the account or assertion level, then auditors will rely less on internal controls and adopt a substantive approach. An in-depth discussion of the specific procedures used by auditors to gain an understanding of a client’s system of internal controls is covered in Chapter 6. Auditors also consider the particular risks faced by the client associated with information technology (IT). IT is a part of most companies’ accounting processes, which include transaction initiation, recording, processing, correction as needed; transfer to the general ledger; and compilation of the financial statements. AU-C 315 and AS 2110 require that auditors gain an understanding of the client’s IT system, the associated risks, and related controls. Risks associated with IT include unauthorized access to computers, software, and data; errors in applications; lack of backup; and loss of data. Unauthorized access to data can occur when there is insufficient security or poor password protection procedures. Unauthorized access can result in data being lost or distorted. Unauthorized access to application software can result in either fraud or misstatements in the financial statements. Access can be limited in a number of ways, including security protocols (such as locked doors) and frequent changes of passwords. Errors in programming can occur if applications are not tested thoroughly. It is important that new applications and changes to applications are tested extensively before being put into operation. Errors can also occur if mistakes are made when writing an application or if applications are deliberately changed to include errors. Deliberate changes may be made by staff or outsiders who gain unauthorized access to a client’s IT system. For example, unhappy staff may purposefully change an application, causing errors to embarrass their boss or to perpetrate fraud. Therefore, it is important that access be limited to authorized staff. Errors can also occur if application changes are not processed on a timely basis. Applications may need to be changed due to changes in sales prices, updating of discounts being offered to customers, and so on. It is important that these changes be made by authorized personnel on a timely basis to avoid errors and that there are appropriate controls over such changes. New applications can be purchased “off the shelf” from a software provider or developed internally by a client’s staff. When a client purchases a general-purpose application off the shelf, there is a risk it will require modification to suit the client’s operations, which can lead to errors. An advantage of purchasing general-purpose applications from reputable companies is they will have been tested before being made available for sale. In contrast, when a client’s staff develops an application, the application is more likely to have the features required, but there is a risk of errors if the application is written by inexperienced staff or it is not adequately tested before being put into operation. When a client installs a new IT system, there are a number of risks, such as the risk the system may not be appropriate for the client and its reporting requirements. After installation, there is the risk that data may be lost or corrupted when transferring information from an existing system to the new system, or the risk that the new system does not process data appropriately. There is the risk that client staff are not adequately trained to use the new system effectively. It is important that a client has appropriate procedures for selecting new IT systems, changing from an existing system to a new system, training staff in using the new system, and ensuring that a new system includes embedded controls to minimize the risk of material misstatement. An in-depth discussion of IT controls is presented in Chapter 6. At the risk assessment phase, and as part of assessing control risk, it is important for auditors to identify significant risks, as well as any controls that mitigate those risks.

  Closing Procedures  4-27

Cloud 9 - Continuing Case Suzie explains to Ian that her experience in the clothing and footwear industry has taught her to be very inquisitive about the systems used to manage orders. She has seen a few clothing businesses fail because they could not get their goods to retail outlets in time. Fashion is such a fickle market that even being a few weeks late means stores run out of inventory, and when inventory does arrive, stores have to discount it to sell it. After this occurs a

couple of times, retailers turn to more reliable suppliers, even if the designs aren’t as imaginative. Suzie has heard that Cloud 9 is very reliant on inventory management software developed internally. Because it is not a widely used package, she does not know anything about it and is concerned about its ability to provide reliable data. Suzie and Ian decide to allocate extra time to assessing the reliability of this software.

Before You Go On 6.1 What are some of the risks associated with the use of IT? Explain the risks and develop an example of how they might be controlled. 6.2 What are two common sources of new application software? What risks are present when an entity introduces a new application and how might those risks be controlled?

Closing Procedures Lea rning Objective 7 Discuss how client closing procedures can affect risk and a client’s reported results. Auditors also consider the adequacy of the client’s closing procedures. If the client’s closing procedures are weak, there is increased risk that revenues and expenses will not be recorded in the proper period, which can lead to material misstatements on both the income statement and balance sheet of two consecutive periods. Revenue and expense items must include all transactions that occurred during the accounting period and exclude transactions that relate to other periods. Asset and liability balances must include all relevant items, accruals must be complete, and contingent liabilities must accurately and completely reflect potential future obligations. Auditors are concerned that transactions and events have been recorded in the correct accounting period. The client should have controls in place to ensure the closing procedures are performed correctly. A common risk is that management may override controls when preparing adjusting and allocating entries, especially if management is under pressure to meet certain earnings targets. Oversight of this process is the responsibility of those charged with governance. It is the responsibility of auditors to assess the internal controls over the closing procedures. Auditors must determine the risk associated with the client’s closing procedures. In addition to the annual financial statements, clients prepare monthly, quarterly, and/or semiannual financial statements for internal and/or external purposes. Auditors can review these statements to assess the accuracy of the client’s closing procedures. If there are significant issues, where closing procedures are inadequate and transactions are not always recorded in the appropriate reporting period, auditors will plan to spend more time conducting detailed testing of transactions and balances around year-end. There are a number of ways auditors can assess the adequacy of their client’s closing procedures. Clients that prepare financial statements monthly are more likely to have

closing procedures  processes used by a client when finalizing the accounts for an accounting period

4-28  C h a pte r 4  Risk Assessment Part II: Understanding the Client

well-established closing procedures than clients that prepare financial statements only annually. Auditors verify the accuracy of accrual and deferral calculations around year-end and look at earnings trends to assess whether the reported income is in line with similar prior-year periods (months or quarters). For example, revenues are generally higher for an ice-cream seller in warmer months, and wages are generally higher during months when extra staff are hired to help with the increased activity. If auditors believe the client is under pressure to report strong results, there is risk that revenues earned after year-end may be included in the current year’s income and expenses incurred before year-end may be excluded. Alternatively, if auditors believe their client is under pressure to smooth its income and not report any unexpected increases, there is risk that revenues earned just before year-end will be excluded from current income and expenses incurred after year-end will be included. In both cases, auditors will perform procedures to confirm that transactions are recorded in the appropriate ­accounting period.

Audit Reasoning Example  Period-End Closing Entries at WorldCom A summary of the WorldCom scandal was provided in Chapter 2. The WorldCom case is an excellent example of the importance of gaining an understanding of the pressures faced by the client, the corporate governance structure, and the client’s closing procedures. WorldCom was under significant pressure to increase its stock price, which translated to incentive for management to commit fraud. Scott Sullivan, the CFO, saw an opportunity to perpetrate fraud through quarter-end journal entries. As the CFO, Scott used his authority to instruct his accounting staff to make entries that resulted in capitalizing costs on the balance sheet that should have been expensed on the income statement. There was no accounting justification for the entries. Who was supposed to have oversight of the closing process? Since WorldCom was a public company, the audit committee should have had oversight of the closing process because closing entries impact the financial statements as a whole. During the years the fraud was occurring, were the members of the audit committee fulfilling their duties? Were they asking for verification and explanation of the period-end entries? If they were, what type of information and documentation was Scott providing them? Was the audit committee being skeptical or overly trusting of Scott? These same questions can be directed at Arthur Andersen, WorldCom’s external auditor. Were the auditors fulfilling their duties by gaining an understanding of the client’s processes for period-end closing entries? Were the auditors using professional skepticism when interviewing Scott and other accounting staff? Most likely, the answer is “no.”

Cloud 9 - Continuing Case The partner, Jo Wadley, has learned of pressure on Cloud 9’s management to increase revenue by 3% this year. Jo is also aware of cost increases associated with a new store and sponsorship deals. Jo believes this places additional pressure on

Cloud 9’s management to meet targets resulting in additional risks for closing procedures and has instructed Josh to allocate additional time to auditing closing procedures on the Cloud 9 audit.

Before You Go On 7.1  Explain how an auditor can assess the risk associated with the client’s closing procedures. 7.2 What is the particular risk when an auditor believes that the economy has taken a downturn and the client has an incentive to overstate poor results to improve the picture for future periods?

  Key Terms Review  4-29

Learning Objectives Review 1  Apply procedures to gain an understanding of the client. An auditor will need to gain an understanding of the client to aid in the risk assessment process. This process involves consideration of issues at the entity level, the industry level, and the broader economic level. At the entity level, an auditor will identify the client’s major customers, suppliers, and stakeholders (that is, banks, shareholders, and employees), significant accounts and classes of transactions, who the client’s competitors are, the capacity of the client to adapt to changes in technology, and compliance with applicable laws and regulations. At the industry level, an auditor is interested in the client’s position within its industry. At the economic level, an auditor will assess how well-positioned the client is to cope with current and changing government policies, regulations, laws, and economic conditions.

unrelated buyers and sellers or borrowers and lenders. In addition, related party transactions are considered a fraud risk factor because fraud may be more easily committed between related parties. Auditors perform procedures to confirm related parties that have been identified by management and to identify additional related parties that management’s processes may not have identified. If any of the related party relationships or transactions are identified as posing a significant risk for material misstatement, the auditors will plan to gather more evidence or adjust audit procedures, as needed, during the risk response phase of the audit. 5  Describe common corporate governance structures

and how they impact the auditor’s risk assessment.

The different ways that clients measure their own performance was reviewed in this chapter to highlight that, by understanding how a client measures its own performance, the auditors can plan their audit to take into consideration areas where their client may be under pressure to achieve certain outcomes. This helps the auditors identify accounts and classes of transactions likely to be misstated.

Corporate governance refers to the people, systems, and processes within companies used to ensure that companies are well-managed and that, among other things, risks are identified and controlled by management and entity personnel. In publicly traded companies, the group responsible for overseeing management is the board of directors. The board of directors is composed of executive and non-­ executive members. The audit committee, composed of non-executive members of the board, is responsible for overseeing the accounting and financial reporting processes of the company and the audit of the financial statements. The audit committee is tasked with hiring the auditors, and the auditors must communicate with the audit committee as needed and as required by standards and regulations.

3  Demonstrate how auditors use analytical proce-

6  Explain how a client’s internal control and informa-

2  Explain how clients measure performance and how it

impacts the auditor’s risk assessment.

dures when assessing risk, including the use of audit data analytics.

Analytical procedures are conducted at the risk assessment phase of the audit to identify unusual fluctuations, help identify risks when gaining an understanding of a client, identify the accounts at risk of material misstatement, and reduce audit risk by concentrating audit effort where the risk of material misstatement is greatest. Many processes can be used when conducting analytical procedures. The processes discussed in this chapter include comparisons, trend analysis, common-size analysis, and ratio analysis. 4  Define related party transactions and explain how

they affect the auditor’s risk assessment.

A related party is an affiliate, principal owner, manager, or other party that is not independent of the client. Financial reporting frameworks, such as GAAP, require that companies disclose related party relationships and transactions. Transactions with related parties may not be at the same “arm’s length” as transactions between independent and

tion technology (IT) can affect risk.

Auditors must gain an understanding of a client’s internal controls to assess control risk and develop an audit strategy. They must also identify risks associated with information technology, such as unauthorized access to software applications or data, errors in programming, and inadequate testing of new or changed systems. During the risk assessment phase of the audit, the auditors will assess the likelihood that the client’s financial statements are misstated due to limitations of its IT system. 7  Discuss how client closing procedures can affect risk

and a client’s reported results.

There are a number of risks associated with a client’s closing procedures. Closing procedures are the processes used by a client at monthend, quarter-end, or year-end to ensure that appropriate adjusting entries are made and transactions are recorded in the appropriate accounting period. From an audit perspective, the auditor should determine the risk that a material misstatement may occur during the client’s closing procedures.

Key Terms Review Ability of cash flow from operations to cover   current debt and dividends Acid-test (quick) ratio Analytical procedures

Audit committee Audit data analytics (ADA) Board of directors Cash earnings per share (CEPS) ratio

Closing procedures Common-size analysis Corporate governance Current ratio

4-30  C h a pte r 4  Risk Assessment Part II: Understanding the Client Debt-to-equity ratio Direct and material effect Earnings per share (EPS) ratio Entity-level risk Executive directors Gross operating cycle Gross profit margin Illegal acts Indirect effect Information technology (IT)

Inventory turnover in days Key performance indicators (KPIs) Liquidity Net operating cycle Non-executive directors Payables turnover in days Price–earnings (PE) ratio Profitability Profit margin Receivables turnover in days

Related party Return on assets (ROA) ratio Return on stockholders’ equity (ROE) ratio Solvency Sustainable cash flow from operations Sustainable free cash flow Those charged with governance Times-interest-earned ratio Transaction-level risk Trend analysis

Audit Decision-Making Example Background Information Your client, Baldwin Industries, manufactures personal computers, tablets, and cell phones. Baldwin Industries has positioned itself to be very price competitive and, as a result, sales have grown by 50% over the last two years. At the beginning of the current fiscal year, the board of directors approved a new compensation structure for all high-level and executive-level employees, such that bonuses are based on the company’s sales growth and profit margins. In the fourth quarter of the current fiscal year, Baldwin Current Year Unaudited Current ratio Quick ratio Debt to equity Sales to total assets % Profit before tax to sales Return on assets Return on equity Accounts receivable turnover in days Inventory turnover in days Gross operating cycle Accounts payable turnover in days Net operating cycle

released a new cell-phone product about four months ahead of schedule to be the first to market with new technologies, despite having three months of inventory on hand of the current model. The results of analytical procedures performed in planning the audit are below. Given this information, explain the inherent risk factors and risks of material misstatement that are present in the audit. Be specific about the potential misstatements that may be present and connect the risk factors to the potential misstatements identified.

Prior Year Audited

4.82 3.37 .21 1.34 12.3% 16.5% 19.8% 86.4 180.0 266.4 22.0 244.5

5.50 3.09 .16 1.16 5.7% 6.7% 7.0% 74.8 169.4 244.2 27.6 216.6

Second Prior Year Audited 5.56 2.96 .15 1.12 6.3% 7.31% 7.9% 76.2 166.3 242.5 29.1 213.4

Prior Year Industry Median 5.61 2.94 .21 1.10 7.3% 8.0% 9.9% 69.9 152.4 222.3 33.6 188.7

Second Prior Year Industry Median 5.64 2.89 .19 1.08 9.1% 9.8% 11.9% 75.3 160.6 235.9 30.8 205.1

Identify the Audit Issue

f.  Inventory turnover in days is increasing.

Identify specific inherent risks or risks of material misstatement in the audit of Baldwin Industries. Show the logic between the risk factors and the risks of material misstatement identified.

g.  Accounts payable turnover in days is decreasing.

Gather Information and Evidence Specific risk factors identified include: a. Compensation has changed for high-level and executivelevel employees to reward increases in sales and profit margin. b. Baldwin has recorded significant sales growth over the last two years (50%). c. Baldwin released a new product with new technology when it had significant levels of the existing product on hand. d.  The industry is very price-competitive. e.  Accounts receivable turnover in days is increasing.

h. In the current year, Baldwin has recorded significant ­increases in sales, profit margins, return on assets, and return on equity. i.  Profit margins are stronger than the industry medians.

Analysis and Evaluation of Alternatives Following is an analysis of the risk factors identified above: a. Changes in compensation may increase the risk that managers might push the limit on accounting issues or engage in fraudulent financial reporting to secure better compensation. b. The sales growth experienced over the last two years combined with the slower collection period (e) may indicate revenue-recognition problems.

  Multiple-Choice Questions  4-31 c., d. Releasing the new product to the market in a price-­ competitive industry (d) with significant quantities on hand of the old product increases the risk that the older product may not be sold at a price that will recover the cost of inventory on hand. This might require write-downs of the value of inventory on hand. e. The slower collection period may indicate an increased risk of collectibility of receivables. f. Slower inventory turnover in days may indicate inventory obsolescence or lower-of-cost-or-net-realizable-value problems with older models without new technology features. g. Decreasing accounts payable turnover in days may indicate potential for unrecorded liabilities and unrecorded expenses. h. Sales growth may be the result of premature revenue recognition (see b above). Improved profit margin could be the result of potential unrecorded liabilities. i. Strong profit margins may be the result of unrecorded ­expenses and liabilities.

Conclusions Regarding Inherent Risk and Risk of Material Misstatement The following risks are considered significant (before considering any internal controls that may mitigate these risks): •  Revenue recognition problems may exist based on the increase in sales to total assets, the increase in accounts receivable turnover in days, and the incentive for managers to increase compensation based on sales. •  Inventory may have a lower-of-cost-or-net-realizable-value problem because Baldwin released new technology while it still had significant inventories of the older technology and because of the increase in inventory turnover in days. •  There may be a completeness problem with both liabilities and expenses as evidenced by the decrease in accounts payable turnover in days and the increase in the company’s profit margins. •  There may be problems with the adequacy of the allowance for doubtful accounts based on the increase in accounts receivable turnover in days.

CPAexcel CPAexcel questions and other resources are available in WileyPLUS.

Multiple-Choice Questions 1.  (LO 1)  When gaining an understanding of the client, the auditor will consider: a.  related party identification. b.  the appropriateness of the client’s system of internal controls to mitigate identified business risks. c.  controls over the technology used to process and store data electronically. d.  All of these answer choices are correct. 2.  (LO 1)  When gaining an understanding of the client, the auditor will identify the geographic location of the client because: a.  more centralized clients are harder to control. b.  the auditor will only visit one location to assess processes and procedures. c.  the auditor may plan to use staff from affiliated offices to visit overseas locations. d.  more decentralized clients are easier to control. 3.  (LO 1)  When gaining an understanding of the client’s sources of financing, the auditor: a.  is not interested in debt covenants because most debt contracts are the same. b.  ignores the relative reliance on debt versus equity funding because that is a management decision, not an audit issue. c.  determines if the client is meeting principal and interest payments when they are due.

d.  determines if the client is writing off uncollectible accounts receivable. 4.  (LO 1)  When gaining an understanding of the client at the industry level, the auditor will: a.  consider the level of demand for the goods provided by companies in the industry. b.  determine if the client has centralized or decentralized operations. c.  assess the amount of faulty goods the client returns to suppliers. d.  determine if the client has a simple or complex capital structure. 5.  (LO 2)  Companies use profitability measures to assess performance and to: a.  assess their ability to compete. b.  maintain consistency in operations each month. c.  measure their ability to pay short term debts on time. d.  measure their ability to pay long term debts on time. 6.  (LO 3)  Common uses of analytical procedures include all of the following except: a.  risk identification during the risk assessment stage. b.  testing account balances derived from estimates during the risk response stage. c.  overall assessment of financial statements at the final review stage of the audit. d.  test of internal controls.

4-32  C h a pte r 4  Risk Assessment Part II: Understanding the Client 7.  (LO 3)  Analytical procedures: a.  cannot be performed on interim data. b.  a re not affected by different accounting methods between the client and other members of the industry. c.  must take into account seasonal variation in the client’s business. d.  are only useful if the client’s variation from budget is low. 8.  (LO 4)  Which of the following statements is false regarding related parties? a.  Management should have controls in place for identifying related parties. b.  R  elated party transactions do not have to be disclosed if they are conducted at “arm’s length.” c.  A subsidiary company is considered a related party. d.  The presence of related parties is considered a fraud risk ­factor. 9.  (LO 5)  An audit committee of a publicly traded company should be composed of: a.  executive and non-executive members of the board of directors.

b.  the CFO and two other board members who are also shareholders. c.  the audit partner, the CFO, and a shareholder. d.  m  embers of the board of directors who are independent directors. 10.  (LO 6)  Risks of material misstatement that are associated with a client’s IT system include all of the following except: a.  failure to accrue for a contingent liability. b.  a terminated employee who is still able to log on to the client’s IT system. c.  the installation of new software that still needs modifications to operate as needed. d.  no schedule for backing up data. 11.  (LO 7)  Client closing procedures: a.  are routine transactions that do not impact audit risk. b.  are the responsibility of those charged with governance who must ensure that transactions are recorded in the correct accounting period. c.  affect expense accounts only. d.  affect balance sheet accounts only.

Review Questions R4.1  (LO 1)  Explain the importance of the risk assessment phase of a financial statement audit.

of these explanations is the most likely cause of the change in the ratio?

R4.2  (LO 1)  List and briefly explain the key factors the auditor would consider during risk assessment.

R4.7  (LO 3)  What is a time-series analysis? How could it be useful to an auditor?

R4.3  (LO 1)  When gaining an understanding of a client, an auditor will be interested in an entity’s relationships with both its suppliers and customers. What aspects of these relationships will the auditor be interested in and how would they affect the assessment of audit risk?

R4.8  (LO 4)  Why is it important to maintain professional skepticism when gaining an understanding of related party transactions?

R4.4  (LO 2)  What is the difference between liquidity and solvency? Why does this difference matter to an auditor?

R4.10  (LO 5)  Why is it important that an audit committee not have any executive directors as members?

R4.5  (LO 3)  Explain, using examples, how you could use analytical procedures in assessing the risk of material misstatement of sales revenue.

R4.11  (LO 6)  Why does an auditor need to understand a client’s IT system? Explain how IT affects the financial statements.

R4.6  (LO 3)  What are some possible explanations of a change in the gross profit margin? How could the auditor investigate which

R4.9  (LO 5)  Do only publicly traded companies have good corporate governance? Explain.

R4.12  (LO 7)  Create an example of a client closing procedure. Using your example, analyze the accounts that would be affected if the closing procedure is performed inadequately.

Analysis Problems AP4.1  (LO 1)  Basic   Risk assessment  Michael has drafted an audit plan for a new client. The client is Countrywide Capers, a party supplies rental business. Countrywide Capers earns 80% of its revenue from renting marquees, tables and chairs, lights, and other party equipment and 20% from sales of disposable tableware, utensils, napkins, and tablecloths. Michael’s plan shows that audit time is divided to reflect this revenue pattern (that is, 80% of the audit time is spent on the rental business and 20% of the time is spent on the retail business). Michael believes that the significance of the revenue activities should be the only driver of the audit plan because the client has no related parties and has a simple, effective corporate governance structure.

Required What questions would you have for Michael before accepting his audit plan?

 Analysis Problems  4-33 AP4.2  (LO 1)  Moderate   Understanding the client and its risks—risk assessment  Ivy Brown is preparing a report for the engagement partner of an existing client, Scooter Inc., an importer of scooters and other low-powered motorcycles. Ivy has been investigating certain aspects of Scooter’s business given the change in economic conditions over the past 12 months. She has found that Scooter’s business, which experienced rapid growth over its first five years in operation, has slowed significantly during the last year. Initially, sales of scooters were boosted by good economic conditions and solid employment growth, coupled with rising gas prices. Consumers needed transportation to get to work and the high gas prices made the relatively cheap running costs of scooters seem very attractive. In addition, the low purchase price of a small motorcycle or scooter, at between $3,000 and $8,000, meant that almost anyone who had a job could obtain a loan to buy one. However, Ivy has found that the sales of small motorcycles and scooters have slowed significantly, and all importers of these products, not just Scooter, are being adversely affected. The onset of an economic recession has restricted employment growth and those people who still have jobs are less certain of continued employment. In addition, the slowdown in the world economy has made gas prices fall, further reducing demand for this type of economical transportation. Ivy has also discovered that, due to the global financial crisis, the finance company used by Scooter’s customers to finance the purchase of scooters and motorcycles has announced that it will not be continuing to provide loans for any type of vehicle with a purchase price of less than $10,000.

Required a.  Identify industry and business environment issues that potentially impact the audit of Scooter Inc. b.  Evaluate how industry and business environment issues can impact risk assessment by identifying specific financial statement risks and related accounts that would require closer examination. AP4.3  (LO 1)  Moderate   Research   Noncompliance with laws and regulations   As part of your intern training at a large public accounting firm, you have been asked to conduct research about audit procedures related to client noncompliance with laws and regulations. You will report the findings of your research to the other interns in your training class.

Required Access the Clarified Statements on Auditing Standards at the AICPA website (www.aicpa.org). Navigate to AU-C 250 and answer the following questions: a.  What might be indicators that a client has committed an illegal act? b.  What are some specific procedures the auditor can use to obtain an understanding of an identified or suspected illegal act? c.  In what situations might an auditor have a duty to notify external parties about a client’s noncompliance with laws and regulations? AP4.4  (LO 1, 3)  Basic   Understanding the client  The audit team is preparing to audit a new client in the fashion industry. The client imports garments from manufacturers in several Asian countries and retails them in a chain of shops located throughout the United States. You have access to the following information for the client: a.  Prior period financial statements. b.  Anticipated results for the current year. c.  Industry averages.

Required Discuss how you would use the information to understand your new client. AP4.5  (LO 2, 3)  Moderate   Planning analytical procedures using profitability ratios   Li Chen has calculated profitability ratios using data extracted from his client’s pre-audit trial balance. He also has the values for the same ratios for the preceding two years (using audited figures). The data for the gross profit and profit margins are:

Gross profit margin Profit margin

2022

2021

2020

45%

35% 15%

40% 20%

9%

Li is a little confused because the profit margin shows declining profitability but the gross profit margin has improved in the current year and is higher in 2022 than in the previous two years.

4-34  C h a pte r 4  Risk Assessment Part II: Understanding the Client

Required a.  Create a list of possible explanations for the pattern observed in the gross profit and profit margins. b. Which of your explanations suggest additional audit work should be planned? For each, discuss the accounts and/or transactions that would need special attention in the audit. AP4.6  (LO 2, 3)  Challenging   Analytical procedures for liquidity and solvency issues   Bright Spark Fashion has retail outlets in six large regional cities in the eastern United States. The shops are run by local managers, but purchasing decisions for all stores are handled by Ray Bright, the owner of the business. Fashion is an extremely competitive business. Bright Spark Fashion sells only for cash and generates sales through a reputation of low prices for quality goods. The winter clothing moves quite slowly, but summer fashion sells very well, providing a disproportionate amount of the business’s sales and profits. Ray is constantly monitoring cash flow and negotiating with suppliers about payment terms and with banks about interest rates and extensions of credit. Jenna Kowalski has the tasks of assessing the liquidity and solvency of Bright Spark Fashion and identifying the audit risks arising from this aspect of the business. She discovers a major long-term debt is due to be retired two months after the close of the fiscal year, but Ray is having difficulty obtaining approval from his current bank for a renewal of the debt for a further two-year term. In addition, interest rates have risen since the last fixed rate was agreed to two years ago, adding an additional 2% to the likely rate for the new debt (if it is approved). The seasonality of the business means that inventory levels fluctuate considerably. At the end of the year (January 31), Ray has placed prepaid orders for the summer fashion and the goods have started arriving in the stores by March.

Required a. What liquidity and solvency issues does Bright Spark Fashion face? Evaluate the likely impact of each issue on liquidity and solvency ratios. b.  Advise Jenna Kowalski about the audit risks for Bright Spark Fashion and propose how she could take these into account in the audit plan. AP4.7  (LO 4)  Moderate   Research   Understanding related party transactions  During the risk assessment phase for a new client, you have been assigned the task of identifying related parties. You need to refresh your memory regarding why identifying related parties is necessary in the audit.

Required Access the Clarified Statements on Auditing Standards at the AICPA website (www.aicpa.org). Navigate to AU-C 550 and answer the following questions: a. What is an “arm’s-length transaction” as defined by the standard? b. Identify examples of how related party relationships and transactions may give rise to higher risks of material misstatement than transactions with unrelated parties. AP4.8  (LO 1, 5)  Moderate   Public Company   Research   Understanding the client and its governance  Ajax Inc. is a public company and a new client of Hawthorne Partners, a medium-sized audit firm. Jeffrey Rush is the engagement partner on the audit and has asked the members of the audit team to begin the process of gaining an understanding of the client, in accordance with AS 2110. One audit manager leads the group investigating the industry and economic factors, and another helps Jeffrey consider issues at the entity level. Jeffrey will hold discussions with members of the audit committee and will discuss a wide range of issues. He has a meeting arranged for next week with the four members of the audit committee, including the chair of the committee, Stella South, who, like the other members of the audit committee, is an independent director.

Required a.  Access AS 2110 at the PCAOB website (www.pcaobus.org). Make a list of the main factors that will be considered by each audit manager’s group. b. Based on the information, can you conclude that Ajax Inc. complies with Section 301 of the Sarbanes-Oxley Act regarding its audit committee? Explain. AP4.9  (LO 6)  Moderate   IT risk assessment  Genesis Physical Therapy has been providing outpatient physical therapy services for 30 years. The owners, Jesse and Janice, have been slow to implement updated technology for the accounting system because it is costly. However, at the beginning of the current year, they decided to install a new patient revenue system. It is an off-the-shelf product that is marketed to the healthcare industry. The auditor asked one of Genesis’ accounting staff for feedback about the new system. The staff member provided the following comments: • “A frequent error has been occurring in which we invoice people who were past patients because they happened to have the same last name as one of our current patients.”

 Analysis Problems  4-35 • “We had a power outage a couple of weeks ago, and we had to re-enter all patient services that had been provided for that week because they had not been saved.” • “When we first starting using the system, we had a significant number of complaints from patients because they were being billed for more than their insurance would allow. We discovered a month later there was an error in the billing calculation formula in the system. We fixed the error and it has been functioning properly.”

Required Evaluate the audit risks associated with the new patient revenue system. AP4.10  (LO 6)  Challenging   Assessing the risks associated with information technology  Shane Woodrow is getting to know his new client Clarrie Potters, a large discount electrical retailer. Shane discovers that toward the end of last year, Clarrie Potters installed a new IT system for inventory control. The system was not operating prior to the end of the last financial year so its testing was not included in the previous audit. The new system was custom-built for Clarrie Potters by a Chicago-based software company by modifying another system it had designed for a furniture manufacturer and retailer.

Required Evaluate the audit risks associated with the installation of the new inventory IT system at Clarrie Potters. AP4.11  (LO 1, 7)  Challenging   Public Company   Impact of closing procedures on performance  Dunks Holdings Inc. (Dunks) is an importer of hardware goods and distributes the goods to hardware retailers around the country. The growth in the do-it-yourself (DIY) market that has accompanied the boom in house prices in most capital cities over the past five years has provided consistent sales growth for both hardware retailers and wholesalers like Dunks. However, the recession, which began last year, has cast doubt on the ability of this sector to keep growing. Some analysts believe the DIY market will not be affected by the recession because in tough economic times home owners increase their “nesting’’ behavior. They spend even more on improving their homes and retreat from outside activities such as vacations, the theater, and restaurants. This view is disputed by other analysts who believe that job losses and general pessimism in the economy will impact adversely on all company profits, including Dunks. Dunks’s share price has fallen over the last year as doubt about its ability to grow its profits in the current year spreads. The CEO and other senior management have large bonuses linked to both share prices and company profitability and there is a mood within the company that achieving sales and profit targets this year is vital to avoid job losses at the company. You have been brought into the audit team for Dunks this year and given the responsibility for auditing Dunks’ closing procedures. Dunks has a monthly reporting system for internal management, but you notice the reports are being issued later in each month this year than they were last year.

Required a.  Evaluate why and how the circumstances described above could affect your risk assessment. b. How would you audit Dunks’ closing procedures? Which potential errors would be of most interest? Explain. AP4.12  (LO 1, 7)  Challenging   Public Company   Research   Annual reports—disclosures  Publicly traded companies are required to make certain disclosures in their annual reports about the compensation paid to their top executives. One reason for this is to help interested stakeholders assess the performance of executives. It also helps boards of directors and companies set appropriate compensation levels based on what other companies in the same industry and/or of the same size are paying their executives. These disclosures are audited.

Required Obtain the annual proxy statements of 10 publicly traded U.S. companies in the same industry. (Hint: Go to www.sec.gov, click on Fast Answers in the Education tab, and then search for an explanation on the required disclosure of executive compensation as a fast way to find the information on the SEC’s website.) Summarize the information on executive compensation and describe the data using graphs and/or tables. Write a report addressing the following questions (justify your responses by referring to the data where appropriate). •  How are the executives paid (cash, bonuses)? •  Which companies’ executives are paid the most and what is the range of pay? • Which companies’ executives’ pay is most linked to the company’s profit and/or stock price performance? (Explain any assumptions you have to make.) • Overall, what do you conclude about how company executives are paid and how clearly the compensation data is reported?

4-36  C h a pte r 4  Risk Assessment Part II: Understanding the Client

Audit Decision Cases King Companies, Inc. Question C4.1 is based on the following case. King Companies, Inc. (KCI) is a private company that owns five auto parts stores in urban Los Angeles, California. KCI has expanded from two auto parts stores to five stores in the last three years, and it plans continued growth. Eric and Patricia King own the majority of the shares in KCI. Eric is the chairman of the board of directors and CEO of KCI, and Patricia is a director as well as the CFO. Shares not owned by Eric and Patricia are owned by friends and family who helped the Kings get started (Eric started the company with one store after working in an auto parts store). To date, Eric has funded growth from an inheritance and investments from a few friends. Eric and Patricia are thinking about expanding by opening three to five additional stores in the next few years. In October 2021, Eric approached your accounting firm, Thornson & Danforth, LLP, to conduct an annual audit of KCI for the year ended December 31, 2022. KCI has not been audited before, but this year the audit has been requested by the company’s bank because of anticipated bank loans and by a new private equity investor that has just acquired a 20% share of KCI. KCI employs 20 full-time staff. These workers are employed in store management, sales, parts delivery, and accounting. About 40% of KCI’s business is retail walk-in business, and the other 60% is regular customers where KCI delivers parts to their locations and bills these customers on account. During peak periods, KCI also uses part-time workers. Eric is focused on growing revenues. Patricia trusts the company’s workers to work hard for the company and she feels they should be rewarded well. The accounting staff, in particular, is very loyal to the company. Eric tells you that the accounting staff enjoys their jobs so much they have never taken any annual vacations, and hardly any workers ever take sick leave. There are two people currently employed as accounting staff, the most senior of whom is Jonathan Jung. Jonathan heads the accounting department and reports directly to Patricia. He is in his late fifties and hopes to retire in two or three years and move away from Los Angeles. Jonathan keeps a close watch on accounting and does many activities himself, including opening mail, cash receipts and vendor payments, depositing funds received, performing reconciliations, posting journals, and performing the payroll function. The second employee, Abby Owens, is a recent college graduate who just passed the CPA exam. Abby is responsible for the payroll functions and posting all journal entries into the accounting system. Jonathan and Abby often help each other out in busy periods. C4.1  (LO 1, 3)  Challenging   Gaining an understanding of a new client  Gather information: You have access to the following information for KCI: 1. Prior period financial statements. 2. Budgets for the current year. 3. Industry comparisons. Plan, in detail, the types of analytical procedures the audit team will use to gain an understanding of KCI.

Mobile Security, Inc. Question C4.2 is based on the following case. Mobile Security, Inc. (MSI) has been an audit client of Leo & Lee, LLP for the past 12 years. MSI is a small, publicly traded aviation company based in Cleveland, Ohio, where it manufactures high-tech unmanned aerial vehicles (UAV), also known as drones, and other surveillance and security equipment. MSI’s products are primarily used by the military and scientific research institutions, but there is growing demand for UAVs for commercial and recreational use. MSI must go through an extensive bidding process for large government contracts. Because of the sensitive nature of government contracts and military product designs, both the facilities and records of MSI must be highly secured. The MSI board of directors consists of 12 members. The CEO and CFO are board members, and the remaining 10 board members are not employees of MSI. One of the board members, who is part of the audit committee, is stepping down next month, so MSI is looking to fill that spot. C4.2  (LO 5)  Moderate   Public Company   Research   Audit committees a. Gather information: As MSI is looking for someone to fill the vacant board position, what requirements must be followed? What characteristics or qualities would be ideal for the board member to have?

 Audit Decision Cases  4-37 b. Gather information: Go to www.pcaobus.org and access AS 1301 Communication with Audit Committees. Discuss specific items the auditors must communicate with the audit committee before the audit begins. (Note: Do not discuss the auditor’s requirements for communicating the results of the audit.)

Brookwood Pines Hospital Question C4.3 is based on the following case. Goodfellow & Perkins LLP is a successful mid-tier accounting firm with a large range of clients across Texas. During 2022, Goodfellow & Perkins gained a new client, Brookwood Pines Hospital (BPH), a private, not-for-profit hospital. The fiscal year-end for BPH is June 30. Goodfellow & Perkins is performing the audit for the fiscal year-end June 30, 2023. BPH provides medically necessary care to patients, regardless of their ability to pay. Both uninsured and underinsured patients are offered discounts of up to 100% of charges based on their income as a percentage of the federal poverty-level guidelines. BPH does not pursue collection of these accounts; therefore, they are not reported in patient service revenue and accounts receivable. The cost of providing the charity care is included in operating expenses. BPH’s investments consist of mutual funds, common equities, corporate and U.S. government debt issues, state and municipal government debt issues, and trusts. A majority of the investments are the result of charitable contributions to the hospital by generous donors. Earnings from the investments are used to cover the costs of the charity care. BPH is also eligible for certain government grants to help cover the costs of the charity care. Selected financial statements and other financial information are provided below. Since BPH operates as a non-for-profit, it reports assets, liabilities, and net assets. (Note: Net assets takes the place of equity since there are no owners.) Brookwood Pines Hospital Statement of Financial Position (in thousands) June 30, 2023

June 30, 2022

$   43,077 22,725 119,380 9,208 2,364 10,740 25,792

$   36,361 49,338 99,962 5,099 1,953 10,056 23,193

233,286

225,962

Long-term investments Property and equipment, net Prepaid pension cost Insurance recoverable, less current portion Other assets, net   Total assets

915,088 576,432 19,760 11,619 31,535 $1,787,720

807,321 538,981 7,248 10,723 28,463 $1,618,698

Liabilities and net assets Accounts payable Accrued salaries and benefits Grants payable, current portion Accrued expenses and other current liabilities Due to third-party payors Current accrued liabilities under self-insurance programs Current maturities of long-term debt Short-term debt Long-term debt subject to short-term refinancing agreements

$   38,431 52,361 6,459 19,209 72,494 15,709 5,040 14,550 0

$   39,547 50,754 8,459 27,380 67,687 14,965 4,928 0 53,132

  Total current liabilities

224,253

266,852

Long-term debt, net, less current maturities Accrued liabilities under self-insurance program, less current portion Grants payable, less current portion Other liabilities

220,796 82,618 13,245 42,669

179,530 82,559 16,489 48,336

  Total liabilities

583,581

593,766 (continued)

Assets Cash and cash equivalents Short-term investments Patient accounts receivable, net Current portion of pledges and grants receivable, net Current portion of insurance recoverable Inventory Other current assets   Total current assets

4-38  C h a pte r 4  Risk Assessment Part II: Understanding the Client

Net assets:   Without donor restrictions   With donor restrictions    Total net assets     Total liabilities and net assets

June 30, 2023

June 30, 2022

1,138,140 65,999 1,204,139 $1,787,720

962,652 62,280 1,024,932 $1,618,698

Brookwood Pines Hospital Statement of Operations Year Ended June 30 (in thousands) Revenue Net patient service revenue Estimated uncollectible accounts Net patient service revenue after estimated   uncollectible accounts Rental and other revenue Net assets released from donor restrictions and   federal and state grants   Total revenue Expenses Salaries and employee benefits Supplies Purchased services Depreciation and amortization Insurance Rent and utilities Repairs and maintenance Interest Texas hospital assessment Other   Total expenses

2023

2022

$791,572 (33,675)

$706,073 (25,810)

757,897 42,727

680,263 41,975

4,541

4,407

805,165

726,645

$377,895 146,172 89,774 47,858 17,430 15,218 14,722 7,351 17,227 21,324

$344,360 126,633 79,391 45,630 18,132 13,935 14,563 8,874 14,081 21,151 754,971

686,750

50,194

39,895

109,212 6,254

25,951 (6,202)

   Operating income Nonoperating gains (losses) Investment return Change in fair value of certain investments Contribution of DeLaune unrestricted net   assets Grants provided Other   Total nonoperating gains, net    Excess of revenues over expenses

0 (3,362) 1,630

64,995 (4,458) (489)

113,734

79,797

$163,928

$119,692

Selected information from the cash flow statement is as follows (in thousands): Item

2023

2022

Net cash provided by operating activities

$63,648

$67,903

Net cash used in investing activities

(60,394)

(75,300)

3,463

3,706

Net cash provided by financing activities

C4.3 (LO 1, 3)  Challenging   Analytical procedures  Analysis: Using BPH’s financial data, perform analytical procedures to gain an understanding of BPH. Conduct a trend analysis, common-size analysis, and ratio analysis. Based on your analysis, document in a memo your understanding of the client, potential problem areas (accounts at risk of material misstatement), and any other special concerns. (Note: Some ratios provided in the text may need to be modified for a not-for-profit organization. If necessary, use the internet for additional research about financial ratios used in the hospital industry.)

 Audit Decision Cases  4-39

Cloud 9 - Continuing Case Part 1: Gain an Understanding of the Client W&S Partners began the planning phase of the Cloud 9 audit. As part of the risk assessment phase for the new audit, the audit team needs to gain an understanding of Cloud 9’s structure and its business environment, determine materiality, and assess inherent risk. This will assist the team in developing an audit strategy and designing the nature, extent, and timing of audit procedures.

considered probable given Cloud 9’s operations. Use the factors listed in Illustrations 4.2 and 4.3 as a guide for your research.

Part 2:  Analytical Procedures Required

Required

Answer the following questions based on the information presented for Cloud 9 in the appendix to this text and the current and earlier chapters. You should also consider your answers to the case study questions in earlier chapters.

Answer the following questions based on the additional information about Cloud 9 presented in the appendix to this text and the current and earlier chapters. You should also consider your answer to the case study questions in earlier chapters where relevant. Your task is to research the retail and wholesale footwear industries and report back to the audit team. Your report will form part of the overall understanding of Cloud 9’s structure and its environment. You should concentrate your research on providing findings from those areas that have a financial reporting impact and are

b. Which specific areas do you believe should receive special emphasis during your audit? Consider your discussion of the analytical procedures results as well as your preliminary estimate of materiality. Prepare a memorandum to Suzie Pickering outlining potential problem areas (that is, where possible material misstatements in the financial statements exist) and any other special concerns.

a. Using analytical procedures and the information provided in the appendix, perform an analysis of Cloud 9’s financial position and its business risks. Discuss the ratios indicating a significant or an unexpected fluctuation.

Chapter 5 Audit Evidence The Audit Process Overview of Audit and Assurance (Chapter 1) Professionalism and Professional Responsibilities (Chapter 2) Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4) Identify Significant Accounts and Transactions Make Preliminary Risk Assessments

Set Planning Materiality

Gaining an Understanding of the System of Internal Control (Chapter 6)

Audit Evidence (Chapter 5)

Develop Responses to Risk and an Audit Strategy

Performing Tests of Controls (Chapter 8)

Performing Substantive Procedures (Chapter 9) Audit Sampling for Substantive Tests (Chapter 10)

Auditing the Revenue Process (Chapter 11)

Auditing the Purchasing and Payroll Processes (Chapter 12)

Audit Data Analytics (Chapter 7)

Gaining an Understanding of the Client

Auditing the Balance Sheet and Related Income Accounts (Chapter 13)

Completing and Reporting on the Audit (Chapters 14 and 15) Procedures Performed Near the End of the Audit

Drawing Audit Conclusions

Reporting

5-1

5-2  Ch a pte r 5  Audit Evidence

Learning Objectives LO 1  Define management assertions about classes of transactions, account balances, and presentation and disclosure. LO 2  Discuss the characteristics of audit evidence.

LO 4 Evaluate when it is appropriate for auditors to use the work of others. LO 5  Document the details of evidence gathered in working papers.

LO 3 Apply the procedures for gathering audit evidence, including the use of audit data analytics.

Auditing and Assurance Standards PCAOB

Auditing Standards Board

AS 1105 Audit Evidence

AU-C 230 Audit Documentation

AS 1205 Part of the Audit Performed by Other Independent Auditors

AU-C 315  Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

AS 1210  Using the Work of a Specialist

AU-C 500 Audit Evidence

AS 1215 Audit Documentation

AU-C 505 External Confirmations

AS 2110  Identifying and Assessing Risks of Material Misstatement

AU-C 600  Special Considerations—Audits of Group Financial Statements (Including the Work of Component Auditors)

AS 2310 The Confirmation Process

AU-C 610  Using the Work of Internal Auditors

AS 2605  Consideration of the Internal Audit Function

AU-C 620  Using the Work of an Auditor’s Specialist

Cloud 9 - Continuing Case At the next planning meeting for the Cloud 9 audit, Suzie Pickering presents the results of the analytical procedures performed so far and a working draft of the audit program. The audit manager, Sharon Gallagher, and the audit senior, Josh Thomas, are also involved in the planning, with special responsibility for the internal control assessment. The meeting’s agenda is to discuss the available sources of evidence at Cloud 9 and specify these in the detailed audit program. The team members also must ensure they have enough evidence to conduct the audit. Two specific issues worry members of the team. First, there are three very large asset balances on Cloud 9’s trial balance that have particular valuation issues. Josh suggests that a specialist will be required for the derivatives, but they can

handle the accounts receivable and inventory themselves. Second, Sharon is worried about how they will gather evidence regarding a subsidiary of Cloud 9 located in Vietnam. W&S Partners does not have an office in Vietnam, so they must determine the most effective and efficient way to gather evidence regarding the subsidiary. In the planning meeting, the team considers the following questions: •  What evidence is available? •  What criteria will the team use to choose among alternative sources of evidence? •  What are the implications of using the work of specialists and other auditors?

Chapter Preview—Audit Process in Focus In Chapters 3 and 4, we considered audit risk and risk assessment. Those chapters focused on the importance of risk identification to help ensure the auditor’s desired level of risk is

  Management Assertions  5-3

achieved. This chapter begins the discussion of obtaining audit evidence in response to identified risks. Once auditors have identified the key risk factors for their client, they will plan “what” to test, “how” to test it, and “who” should test it. In this chapter, we explain “what” the auditors are testing by defining and describing management assertions. Then, we discuss characteristics of audit evidence, including traits that make some types of evidence more appropriate than others. Next, we discuss the “how” of gathering audit evidence. What specific procedures do auditors perform to gather evidence? You have already been introduced to the broad categories of risk assessment procedures, tests of controls, and substantive tests. This chapter will describe specific actions auditors perform to gather evidence at the risk assessment and risk response phases of the audit. In most audits, the audit team will perform all of the evidence gathering procedures, but “who” else may perform evidence-gathering procedures for the audit? We discuss situations in which auditors may use the work of others, such as specialists in a field other than accounting or auditing, the client’s internal auditors, or auditors from another accounting firm. Finally, auditors document the details of their risk assessment, tests of controls, and substantive tests in their working papers. An auditor’s working papers provide proof of audit work completed, procedures used, and evidence gathered. Each accounting firm has its own working paper format and preferences. This chapter provides some examples of a typical audit file and the types of working papers it may contain.

Management Assertions Lea rning Objective 1 Define management assertions about classes of transactions, account balances, and presentation and disclosure. It is the responsibility of management and those charged with governance to ensure the financial statements are fairly presented. When preparing the financial statements, management makes assertions about each account and related disclosures in the notes. An assertion is a statement or representation, explicit or implied, made by management regarding the recognition, measurement, presentation, and disclosure of items included in the financial statements and notes. For example, when reporting inventory, management is claiming, or asserting, that the items exist, are owned by the entity, represent a complete list of the inventory owned, and are valued appropriately. When reporting sales, management is asserting that the amount represents sales of the entity that occurred during the accounting period. Management also asserts that sales are recorded at the correct amount, represent a complete list of all sales, and are classified correctly. During the risk assessment phase, auditors use management assertions as a guide when determining the different types of potential material misstatements that could occur, or what can go wrong in the financial statements. Assertions also guide auditors in the collection of evidence, as the evidence used to evaluate many assertions is unique to that assertion. For example, evidence the auditor will use to evaluate the completeness of revenues is different from the evidence used to evaluate the occurrence of revenues. AU-C 315 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement provides a summary of the assertions used by auditors. The assertions are divided into the three categories of classes of transactions and events, account balances at the period-end, and presentation and disclosure. The assertions are summarized in Illustration 5.1. Each assertion in Illustration 5.1 is numbered and the following paragraphs provide more discussion of each one.

assertion  statement or representation, explicit or implicit, made by management regarding the recognition, measurement, presentation, and disclosure of items included in the financial statements and notes

5-4  Ch a pte r 5  Audit Evidence illustration 5.1   Assertions by category

Assertions About Classes of Transactions and Events for the Period Under Audit (1) Occurrence

Transactions and events that have been recorded have occurred and pertain to the entity.

(2) Completeness

All transactions and events that should have been recorded have been recorded.

(3) Accuracy

Amounts and other data relating to recorded transactions and events have been recorded appropriately.

(4) Cutoff

Transactions and events have been recorded in the correct accounting period.

(5) Classification

Transactions and events have been recorded in the proper accounts.

Assertions About Account Balances at the Period-End (6) Existence

Assets, liabilities, and equity interests exist.

(7) Rights and obligations

The entity holds or controls the rights to assets, and liabilities are the obligations of the entity.

(8) Completeness

All assets, liabilities, and equity interests that should have been recorded have been recorded.

(9) Valuation and allocation

Assets, liabilities, and equity interests are included in the financial statements at appropriate amounts, and any resulting valuation or allocation adjustments are appropriately recorded.

Assertions About Presentation and Disclosure (10) Occurrence and rights and obligations

Disclosed events, transactions, and other matters have occurred and pertain to the entity.

(11) Completeness

All disclosures that should have been included in the financial statements have been included.

(12) Classification and understandability

Financial information is appropriately presented and described, and disclosures are clearly expressed.

(13) Accuracy and valuation

Financial and other information are disclosed fairly and in appropriate amounts.

Source: AU-C 315.A128.

Let’s discuss these assertions in more detail, beginning with the assertions about classes of transactions and events for the period under audit, and what can go wrong with each assertion. When considering (1) occurrence, auditors gather evidence to verify that a recorded transaction or event, such as revenue or an expense item, actually took place and relates to the entity. This assertion is particularly important when auditors believe there is a risk of overstatement and that some transactions are recorded but did not actually occur. For example, a client may record revenues prematurely in error, or management might record fictitious sales to overstate revenues and profit. When considering (2) completeness, auditors gather evidence that all transactions have been recorded and the financial statements are not understated or overstated because transactions have been omitted. This assertion is particularly important when auditors believe there is a risk of understatement and that some transactions or events that should have been recorded have not been recorded. For example, a client may have incurred an expense but not recorded it because the vendor’s invoice had not been received, or because management intended to understate expenses and overstate profit. When considering (3) accuracy, auditors gather evidence that transactions and events have been recorded at appropriate amounts. This assertion is important when auditors believe there is a risk the reported amounts are not accurate. For example, a client might inadvertently use the wrong price on an invoice or may have complex foreign exchange calculations where errors can easily occur. When considering (4) cutoff, auditors search for evidence that transactions have been recorded in the correct accounting period. This assertion is particularly important for transactions close to year-end. For example, a client may record a sale before year-end that actually occurred after year-end, or a client may record an expense after year-end that was actually incurred before year-end. Unintentional cutoff mistakes may happen when internal controls

  Management Assertions  5-5

are poor. Alternatively, a client may be motivated to record an expense or revenue in the wrong period to manipulate net income for the period. When considering (5) classification, auditors gather evidence that transactions and events have been recorded in the proper accounts. For example, a client may have recorded a routine maintenance expense in a fixed asset account when it should be recorded in an expense account. Auditors should be alert to misstatements that result in capitalizing an amount that should be expensed.

Audit Reasoning Example  Wells Fargo Scandal Wells Fargo is an international banking giant headquartered in San Francisco. In 2016, news broke that Wells Fargo employees had participated in various fraud schemes to increase revenue. One of the schemes was charging auto loan customers for vehicle insurance without their knowledge. Which assertion about classes of transactions is violated with this scheme? Did these revenues actually occur? Wells Fargo was collecting actual payments from actual customers, so this wasn’t a case of fictitious customers. But charging customers without their consent is fraudulent and violates the occurrence assertion. Why did Wells Fargo employees participate in this scheme? The company had very aggressive internal sales goals with compensation tied to sales performance. Wells Fargo management encouraged cross-selling to existing customers as a way to boost revenues, and employees felt pressure to meet the lofty sales goals. In July 2017, Wells Fargo announced “it would issue $80 million in refunds or account adjustments to more than 570,000 auto loan customers who were charged for vehicle insurance without their knowledge.”1 Consideration of the occurrence assertion for revenues is a relevant assertion for all audits. Historically, many accounting frauds have involved overstatement of revenues either through creation of fictitious revenue, improper period-end cutoff, and/or improper application of revenue recognition rules. Auditors spend considerable time gathering evidence to support management’s assertion that recorded revenue occurred and relates to the entity.

The next category of assertions focuses on account balances at the end of the period, which is typically fiscal year-end. When considering (6) existence, auditors search for evidence to verify that asset, liability, and equity items on the balance sheet actually exist. This assertion is important when auditors believe there is a risk of overstatement. For example, a client may miscount inventory, resulting in an overcount and overstatement, or a client may attempt to overstate inventory or accounts receivable to improve financial ratios for the period. When considering (7) rights and obligations, auditors gather evidence to verify recorded assets are owned by the entity and recorded liabilities represent commitments of the entity. This assertion is particularly important when auditors believe there is a risk that recorded assets or liabilities are not owned by the entity. This assertion is different from existence, as the assets and liabilities may exist but not be owned by the entity. An example of inventory that physically exists but does not satisfy the rights and obligations assertion is inventory held on consignment in the client’s warehouse (and therefore not owned by the entity), which is incorrectly recorded as an asset. When considering (8) completeness, auditors search for assets, liabilities, and equity items to ensure they have been recorded. This assertion is particularly important when auditors believe there is a risk of understatement and the client has omitted some items from the balance sheet. For example, a client may fail to record various accrued liabilities due to an error or an attempt to improve reported financial ratios for the period. When considering (9) valuation and allocation, auditors search for evidence that assets, liabilities, and equity items have been recorded at appropriate amounts and allocated to the correct general ledger accounts. With respect to assets, auditors need to be aware of both valuation at historical cost and any fair value tests that may be relevant. This assertion is particularly important when auditors believe there is a risk of over- or undervaluation. For example: •  An auditor verifies that inventory has been appropriately recorded at the lower of cost or net realizable value (risk of overstatement). •  An auditor tests for the adequacy of the allowance for doubtful accounts (risk of understatement or overstatement depending on the client’s motivation). 1

K. McCoy, “Wells Fargo’s Legal Challenges Accumulate,” USA Today (August 9, 2017), p. 2B.

5-6  Ch a pte r 5  Audit Evidence

•  An auditor verifies that equipment used in operations has been appropriately marked down if it is impaired (risk of overstatement).

Cloud 9 - Continuing Case Ian and Suzie have already talked in general terms about the errors that could occur in Cloud 9’s accounts receivable. For example, basic mathematical mistakes and other clerical errors could affect the customer’s total in either direction. Suzie emphasizes that Cloud 9’s management asserts this error did not exist when they prepared the financial statements—i.e., they assert that accounts receivable are valued correctly. Auditors must gather evidence about each assertion for each transaction class, account, and note in the financial statements. Now that Ian understands this idea better, he can identify the assertions that relate to the potential errors in accounts receivable that they discussed earlier: •  No mathematical mistakes or other clerical errors exist that could affect the total receivables in either direction—valuation and allocation.

•  No accounts receivables were omitted when calculating the total—completeness. •  Accounts receivables included in the total do exist at yearend—existence. •  Accounts receivables belong to Cloud 9 and have not been sold or factored—rights and obligations. •  Bad debts have been provided for—valuation and allocation. •  Sales from the next period are not included in the earlier ­period—cutoff. Ian is a bit confused about this because cutoff is an assertion for transactions, not account balances. Suzie agrees it is a special sort of assertion that relates to transactions or events, but also gives evidence about balance sheet accounts (e.g., an overstatement of revenue is also an overstatement of receivables).

The last category of assertions focuses on presentation and disclosure in the financial statements and the notes. You’ve probably noticed that most of the assertions in this category are also listed in one or both of the other categories. That makes sense considering the note disclosures and presentation in the financial statements are inherently tied with a client’s transactions and year-end balances. Auditors gather evidence that disclosed items represent events and transactions that occurred and pertain to the entity, (10) occurrence and rights and obligations, and that all items that should have been disclosed are included in the financial statements, which is (11) completeness. Auditors ensure items included in the financial statements are appropriately presented and disclosures are clearly expressed, which is (12) classification and understandability, and financial and other information is disclosed fairly and in appropriate amounts, which is (13) accuracy and valuation. The PCAOB standards also address management assertions but in a more condensed manner than the ASB standards. AS 1105 Audit Evidence lists just five assertions and does not use the three categories of assertions like the ASB standard. The five assertions defined in AS 1105.11 are: •  Existence or occurrence—Assets or liabilities of the company exist at a given date, and recorded transactions have occurred during a given period. •  Completeness—All transactions and accounts that should be presented in the financial statements are so included. •  Valuation or allocation—Asset, liability, equity, revenue, and expense components have been included in the financial statements at appropriate amounts. •  Rights and obligations—The company holds or controls rights to the assets, and liabilities are obligations of the company at a given date. •  Presentation and disclosure—The components of the financial statements are properly classified, described, and disclosed.

relevant assertion  an assertion that has a reasonable possibility of containing a material misstatement or misstatements that would cause the financial statements to be materially misstated and, therefore, has a meaningful impact on whether the account is fairly stated

You can see there are similarities with the assertions listed in both sets of standards. The ASB standard simply provides a more detailed description of the assertions, especially in the category of presentation and disclosure. Recall from Chapter 4 that one of the risk assessment procedures is to identify significant accounts and classes of transactions. Once these are identified, auditors assess the risk of material misstatement at the relevant assertion level for these significant classes of transactions and account balances. Relevant assertions are assertions that have a reasonable possibility of containing a material misstatement that would cause the financial statements to be materially misstated and, therefore, have a meaningful impact on whether the account is fairly stated (AU-C 315.A131). All assertions may not be relevant for a particular account balance

  Characteristics of Audit Evidence  5-7

or transaction. For example, the valuation of cash is typically not an issue, but the existence of cash is always relevant because there is risk that a client may overstate its cash balance due to the misappropriation of cash. Once the relevant assertions are identified for significant accounts and classes of transactions, auditors can proceed with planning their audit procedures to gather evidence in support of management assertions. The specific procedures auditors will use to gather evidence are detailed in the audit program. The audit program is part of the audit documentation that lists the details of the audit procedures to be used when testing controls and when conducting detailed substantive procedures. Audit procedures will be further discussed in this chapter in the section “Procedures for Gathering Audit Evidence.” Audit documentation is discussed in the section “Documentation—Audit Working Papers.”

audit program  a listing of details of the audit procedures to be used when testing controls, conducting detailed substantive audit procedures, and completing the audit

Before You Go On 1.1 When auditing accounts receivable, what will an auditor search for when testing for rights and obligations? 1.2 What does the accuracy assertion mean? Develop an example in the context of purchases of inventory. 1.3 What is the auditor trying to ensure when considering the cutoff assertion? Develop an example in the context of payroll transactions.

Characteristics of Audit Evidence Lea rning Objective 2 Discuss the characteristics of audit evidence. Audit evidence is the information auditors use when arriving at their opinion on the fair presentation of the client’s financial statements (AU-C 500 Audit Evidence and AS 1105 Audit Evidence). It is the responsibility of management and those charged with governance to ensure the financial statements are prepared in accordance with the appropriate financial reporting framework (usually GAAP). They are also responsible for ensuring that accurate accounting records are maintained and any potential misstatements are prevented, or detected and corrected. It is the responsibility of auditors to gather sufficient appropriate evidence to arrive at their opinion. Before considering the different procedures auditors will use for gathering evidence, we start with a discussion of what is meant by the phrase sufficient appropriate evidence.

audit evidence  information gathered by the auditor that is used when forming an opinion on the fair presentation of a client’s financial statements

Sufficient Audit Evidence Sufficient refers to the quantity of audit evidence gathered. Essentially, auditors determine at what point they have gathered enough evidence to support their opinion on the financial statements. AU-C 500.A4 and AS 1105.05 state the quantity of evidence needed is affected by the risk of material misstatement in a relevant assertion for an account balance or class of transactions. In other words, as risk increases, the amount of evidence the auditor should gather also increases. For example, the existence assertion for the accounts receivable balance is typically a relevant assertion because of the risk of overstatement of receivables due to premature revenue recognition, which inflates revenues and receivables. In contrast, the risk of understatement of accounts receivable, which is the completeness assertion, is typically low because a client would most likely record all credit sales and related accounts receivable. In this scenario, auditors will gather more evidence in support of the existence assertion since it presents the higher risk of material misstatement. Auditors should also be alert that, for some private companies needing audits, the incentive might be to understate pretax profits in order to minimize income tax expense.

sufficient  refers to the quantity of audit evidence gathered

5-8  Ch a pte r 5  Audit Evidence

Appropriate Audit Evidence appropriate  refers to the quality of audit evidence gathered

relevance  refers to the logical connection with the assertion being tested

reliability  refers to the source, form, or nature of the audit evidence

Appropriate refers to the quality of audit evidence gathered. The concepts of quantity and quality are interrelated as the quality of evidence gathered will affect the quantity required. Typically, the higher the quality of the evidence, the less quantity that may be required. What contributes to the quality of audit evidence? AU-C 500.A5 and AS 1105.06 state the quality of audit evidence is determined by its relevance and reliability in providing support for the conclusions on which the auditor’s opinion is based. Relevance of audit evidence refers to its relationship to the assertion being tested. In other words, does the evidence gathered really support the assertion being tested? For example, if auditors are testing for the completeness of the accounts payable balance, they are trying to determine if all accounts payable owed have been properly recorded. Suppose auditors inspect a sample of accounts payable balances from the ledger and verify they are true payables owed by the client. Have the auditors gathered evidence about completeness? No, they have not. They have gathered evidence in support of the existence assertion: that payables that have been recorded actually do exist. To gather relevant evidence for the completeness assertion, auditors must use a different procedure. Auditors could examine a client’s unpaid invoices file and determine if payables have been properly created for any unpaid invoices. This procedure would provide relevant, or appropriate, evidence in support of the completeness assertion. Reliability of audit evidence refers to the source of the evidence and form or nature of the evidence. In general, here are some guidelines regarding the reliability of audit evidence provided in AU-C 500.A32 and AS 1105.08: •  Evidence gathered from a knowledgeable source independent of the client is more reliable than evidence gathered solely from internal client sources. •  The reliability of evidence generated internally from the client is increased when the client’s internal controls over the information are effective. •  Evidence obtained directly by the auditor is more reliable than evidence obtained indirectly by the auditor. •  Evidence provided by original documents is more reliable than evidence obtained from copies, scans, or faxes. However, this could be mitigated if internal control over the duplication of documents is effective. •  Evidence that has been documented (paper or electronic form) is more reliable than strictly oral evidence obtained by having a discussion with an individual. Some examples of these reliability guidelines are provided in Illustration 5.2.

ILLUSTRATION 5.2    

Examples of reliability of   audit evidence

Nature/Source of   Evidence

Example

Independent source

Auditors communicate directly with a client’s bank regarding the existence of the client’s cash account balances at year-end. The bank confirms the cash balances directly with the auditor. This is more reliable than relying solely on the client’s internal records related to its cash account balances.

Effective internal controls

If auditors determine that controls over the client’s accounting information system are effective, then information generated from the client’s accounting information system is deemed more reliable than if controls were weak.

Direct knowledge by auditor

Auditors visit a client’s warehouse to observe, in person, the physical count of the client’s inventory to support the existence assertion of inventory. This is more reliable than auditors reading a summary report of the physical count or interviewing client personnel about the physical count.

Original documents

Auditors review the original title to verify the client’s rights to a piece of equipment. Inspecting the original title is more reliable than inspecting a copy because a copy can be altered and/or forged.

Documented

Auditors read the minutes from a board of directors’ meeting. This documented evidence, either written or in electronic form, is more reliable than interviewing one of the board members about the topics covered in the meeting.

  Characteristics of Audit Evidence  5-9

Cloud 9 - Continuing Case Whenever Suzie’s draft audit program shows the team relying on internally generated evidence, it also includes requirements to obtain additional evidence. This is because the evidence obtained from the client is less persuasive than evidence gathered directly

by an auditor or externally generated evidence that has passed through the client’s hands. Therefore, the audit program includes plans to obtain evidence from tests of controls for each assertion, to support the conclusion that internal controls are strong.

Audit Risk and Sufficient Appropriate Audit Evidence In Chapter 3, we discussed the audit risk model. Let’s discuss how the audit risk model impacts the gathering of audit evidence. Audit risk affects the quantity and quality of evidence gathered by an auditor during the risk response phase. When there is a significant risk of material misstatement with an assertion and the client’s system of internal controls is not considered to be effective at reducing that risk, detection risk is set as low. (See Illustration 5.3.) How would this scenario impact the quality and quantity of evidence to be gathered? When detection risk is low, auditors want to decrease the risk that their audit procedures will not detect a material misstatement. Therefore, auditors would plan for substantive procedures that result in higher quality evidence and possibly gather an increased quantity of evidence for that assertion.

Risk of material misstatement Audit risk =

Low

Inherent risk

Control risk

High

High

Detection risk

Level of sufficient appropriate evidence

Low

Increased

ILLUSTRATION 5.3    

High risk assertion

When the risk of material misstatement with an assertion is inherently low and the client’s system of internal controls is considered effective at reducing risk, then detection risk is set as high. First, the auditor will obtain evidence through risk assessment procedures to support the low inherent risk assessment, and perform tests of controls to support the low control risk assessments. Second, since detection risk is high, that means auditors are willing to accept a higher risk that their audit procedures may not detect a material misstatement. Therefore, auditors would plan for substantive procedures that may result in lower quality evidence and possibly a decreased quantity of evidence for that assertion. This scenario is demonstrated in Illustration 5.4.

Risk of material misstatement Audit risk =

Low

Inherent risk

Control risk

Low

Low

Detection risk

Level of sufficient appropriate evidence

High

Decreased

The risk patterns illustrated in Illustrations 5.3 and 5.4 are extremes. The risk of material misstatement associated with most assertions falls somewhere in between. Ultimately, the amount of evidence gathered when conducting substantive procedures is a matter for professional judgment and will vary from assertion to assertion and client to client. Nevertheless,

ILLUSTRATION 5.4    

Low risk assertion

5-10  C h a pte r 5  Audit Evidence

there is a direct relationship between the risk of material misstatement (inherent and control risk) and the extent of sufficient appropriate evidence gathered when testing transactions and balances.

Cloud 9 - Continuing Case Ian thinks he finally understands. To limit the risk of an inappropriate audit opinion for Cloud 9, the audit team will assess inherent risk and control risk at the assertion level for account balances and transactions. They make the inherent and control risk assessments after gaining an understanding of the client because these risks are influenced by the client’s circumstances. If inherent and control risk are assessed as high, the audit team will set detection risk as low. This means the audit team will

need to gather more, better-quality evidence through substantive testing than if inherent and control risk are assessed as low. In addition, planning materiality is set by considering what would be influential to users of the financial statements. The lower the detection risk and materiality level, the more sufficient appropriate evidence that needs to be gathered. Suzie thinks the time spent having coffee with Ian has been well worth it!

Before You Go On 2.1  What are two characteristics of appropriate audit evidence? Develop an example of each. 2.2 What is a disadvantage of using evidence that is generated internally by the client? Explain with an example. 2.3 Describe the relationship between the risk of material misstatement and sufficient appropriate audit evidence. Develop an example in the context of auditing the occurrence of revenues.

Procedures for Gathering Audit Evidence Lea rning O bjective 3 Apply the procedures for gathering audit evidence, including the use of audit data analytics.

accounting records  client’s records of the initial accounting entry and supporting documents

Auditors spend a considerable amount of total audit time on the process of obtaining and evaluating audit evidence in support of management assertions. The primary source of the evidence is the client’s accounting records. The accounting records consist of the records of initial accounting entry and supporting documents such as checks, invoices, contracts, general and subsidiary ledgers, and client-prepared spreadsheets and cost allocations. Auditors also gather evidence from other sources independent of the client to corroborate, or confirm, amounts recorded in the client’s accounting records. Audit evidence consists of any information that supports and corroborates management’s assertions and any information that contradicts the assertions. In some situations, the absence of information may also constitute audit evidence (AU-C 500.A1). For example, suppose a client recorded the purchase of a new piece of equipment, which increased total assets. Auditors would observe the tangible asset and inspect the vendor’s invoice for the purchase in support of the existence assertion, and make inquiries about how the equipment was financed. If there is no invoice to corroborate the purchase of a new piece of equipment, then perhaps the client did not actually buy the equipment. The equipment could be a short-term rental and therefore should not be recorded as an asset. The absence of an invoice would serve as audit evidence that contradicts management’s assertion.

 Procedures for Gathering Audit Evidence  5-11

Let’s now discuss “how” auditors gather audit evidence. Audit procedures are the methods used by auditors in gathering evidence and they are classified into three general categories: 1.  Risk assessment procedures (discussed in Chapters 3 and 4)—Methods used to gain an understanding of a client and its industry for the purpose of identifying risk of material misstatement. 2.  Tests of controls (discussed in Chapters 3 and 8)—Methods used to determine the operating effectiveness of the client’s controls in preventing, or detecting and correcting, material misstatements at the assertion level. 3.  Substantive procedures (discussed in Chapters 3 and 9–14)—Methods designed to detect material misstatements at the assertion level. Two categories of substantive procedures are tests of details (of account balances, transactions, and disclosures) and substantive analytical procedures. We introduced these categories in Chapters 3 and 4 in the discussion of risk assessment, audit risk, and audit strategy. We now detail the specific procedures auditors perform to gather sufficient appropriate evidence. The specific procedures described in the rest of this section are used as risk assessment procedures, tests of controls, or substantive procedures as determined by the auditors.

Inspection of Documents and Assets Inspection involves the examination of documents and physical assets. Let’s first discuss the inspection of documents. The documents could be internally or externally generated and in paper or electronic form. Inspection of documents can be used as a risk assessment procedure, test of controls, or a substantive procedure. For example, as a risk assessment procedure, auditors inspect the board of directors’ meeting minutes to become familiar with the objectives and strategies of the client. As a test of controls, auditors inspect purchase orders for proper authorization by a manager before a purchase is made. As a substantive procedure, auditors inspect vendor invoices in support of management’s assertion of the valuation of inventory. When used as a substantive procedure to test management’s assertions of occurrence and completeness, the inspection procedure can be further explained by the direction of the testing. First, auditors want to determine if transactions recorded in sales revenue actually occurred. They start by selecting transactions from the sales journal or ledger and then examining the underlying source documents, such as a shipping document and an invoice to the customer as shown in Illustration 5.5. This procedure is called vouching. Auditors are essentially working backward from the recording of the event back to the supporting documentation. Vouching provides evidence that recorded transactions actually occurred.

Source document

Direction of Testing

Assertion

Vouching

Existence or occurrence

Journal

Tracing

inspection  an evidence-­ gathering procedure that involves examining documents and physical assets

vouching  a type of inspection in which auditors select transactions from a journal or ledger and work backward to examine the underlying source documents. Vouching provides evidence for the occurrence or existence assertion ILLUSTRATION 5.5     Vouching versus tracing

Ledger

Completeness

What if auditors are gathering evidence in support of the completeness assertion for sales? They want to determine if all sales that occurred have been completely recorded. This time, auditors will start with the underlying source documents and work forward to follow the transaction through to recording in the journal and ledger (see Illustration 5.5). This process is called tracing. In the sales example, auditors would start with a sales order, then follow the

tracing  a type of inspection in which auditors select source documents and work forward to follow the transaction through to recording in the journal and ledger; tracing provides evidence for the completeness assertion

5-12  C h a pte r 5  Audit Evidence

transaction forward to a shipping document, to an invoice to a customer, and then to related journal entries and posting to the ledger. Inspection is also used to gather evidence for assertions related to physical assets. For example, auditors inspect an actual piece of machinery in a client’s factory to support the existence assertion. If the machinery is not being used, perhaps it is obsolete or in need of repairs. This evidence is used to determine if assets should be written down below cost, which relates to the valuation and allocation assertion.

Cloud 9 - Continuing Case Suzie will head the team gathering evidence about inventory. There are some issues with Cloud 9’s inventory control, including difficulties in delivering merchandise from the warehouse to the store in a timely manner. Suzie is also concerned about the thefts at Cloud 9’s retail store. Although Cloud 9’s management has been very open in disclosing the thefts, Suzie is concerned about what this means for the effectiveness of inventory control. She plans to inspect inventory and gather evidence of its existence and quality (because obsolescence is another major concern). Sharon will also assign a team to inspect the furniture and equipment, and the leasehold improvements, as there have been some major additions this year because of the new store opening. Ian is a little concerned about being asked to inspect assets. “I don’t understand how inspection can sometimes relate to the existence assertion and other times relate to the completeness

a­ ssertion. How do I know when the evidence relates to one assertion and not the other?” he asks Suzie. Suzie tries to explain that it depends on the process. If you start with the accounting records and then gather evidence to support the records, you are gathering evidence about existence. For example, the furniture and equipment ledger account has a record stating that Cloud  9 owns a copy machine. The record contains information about brand, size, and other details. Can you agree the records to the physical item? That is, can you find the copy machine in the office? If so, you have evidence that it exists. (You would also do separate tests for its valuation and rights and obligations.) However, if you see a copy machine in the office, your question is then whether the item is in the accounting records. That is, are the accounting records complete? In this case, you start with the physical item and trace it through to the records. If the copy machine is entered in the ledger, you have evidence about the completeness of the accounting records.

Observation observation  an evidence-­ gathering procedure that involves watching a process or procedure being carried out by client personnel or another party

Observation is an audit procedure that involves watching a process or procedure being carried out by client personnel or another party. It is used most often as a risk assessment procedure or a test of controls. For example, auditors observe the opening of the mail to determine whether the appropriate control procedures over the handling of cash receipts are being followed with appropriate segregation of duties. Keep in mind that observation only provides evidence of a process at the time auditors observe it happening, and people tend to alter behaviors when being watched. Auditors must determine whether there is evidence that the procedures observed have been applied consistently throughout the period under audit.

Inquiry inquiry  an evidence-gathering procedure that involves asking questions verbally or in written form to gain an understanding of various matters throughout the audit

Inquiry involves asking questions verbally or in written form of knowledgeable individuals internal or external to the client. Inquiry is used when gaining an understanding of the client and to corroborate other evidence gathered throughout the audit. For example, during risk assessment, auditors will inquire of client management regarding various topics such as related parties, corporate governance, and major customers. The results of inquiries of client personnel and third parties are documented by the auditor. If the evidence is particularly important, auditors may document the information more formally and ask the other party (or parties) to the discussion to sign their agreement that the auditors have recorded the discussion accurately. As a test of controls or substantive procedure, inquiry of client personnel, on its own, typically does not provide reliable evidence to reduce audit risk to a low-enough level for a relevant assertion (AS 1105.17). Additional evidence needs to be gathered to corroborate the client’s statements. For example, auditors ask the CFO about any new or updated lease agreements. The CFO tells the auditors the company signed a lease agreement for a new manufacturing facility. The auditors will document the response but will also follow up by ­inspecting the actual signed lease agreement. This is an example of auditors using professional skepticism by verifying statements made by the client.

 Procedures for Gathering Audit Evidence  5-13

Audit Reasoning Example  Evidence for Relevant Assertion Your client is Jane’s Apparel, a national chain of women’s clothing stores. There are 500 Jane’s stores located in malls across the United States. Inventory is a key account for Jane’s, and the existence assertion for inventory is always a relevant assertion. As part of your risk assessment procedures, you meet with the national inventory manager, Carla, to inquire about internal controls over inventory and other issues about inventory for the current-year audit. Carla says, “As you know, one of our biggest problems is employee theft of our merchandise. We just recently decided to hire an outside company to perform our annual physical inventory count rather than having our own employees perform the count. Although it will be an additional cost for us, we think the benefits of an independent inventory count will be worth it. It will deter employee theft and hopefully detect instances of theft that are occurring.” After your meeting, you document Carla’s responses to your inquiries. You are excited about the news of an independent company performing the inventory count and discuss it with another member of your audit team, John. You say to John, “Since an independent company is performing the count, I guess that means we do not have to observe the physical inventory count anymore. We can use the report from the independent company, right?” John thinks for a moment, then says, “I agree that it is an improvement in internal controls to have an independent company physically count the inventory. But remember, we have documented that the existence of inventory is a relevant assertion. Therefore, we must gather an increased level of sufficient, appropriate evidence to support our conclusion. Can we rely solely on inquiry of the client? Can we rely on the report from the independent company that is counting the inventory? I recommend that we still observe the physical inventory counting, even though it is being performed by an independent company. As we have done before, we will select a sample of stores from across the country and have auditors from our firm present while the inventory is being counted.” You agree with John that having your auditors observe the physical inventory count provides more relevant and reliable evidence to support the existence assertion for inventory.

Confirmation AU-C 505 External Confirmations and AS 2310 The Confirmation Process provide guidance on the use of external confirmations. External confirmation is an audit procedure in which the auditor corresponds directly with a third party, either in paper or electronic form. The third party is asked to respond directly to the auditor, not to the client, on the matter(s) included in the confirmation. Evidence obtained from external confirmations is considered reliable because it is obtained from an independent source outside of the client. However, auditors must maintain control over the confirmations at all times. Specifically, auditors determine the following for the confirmations:

external confirmation  an audit procedure in which the auditor corresponds directly with a third party, either in paper or electronic form, and the third party responds directly to the auditor on the matter(s) included in the confirmation

1.  What information should be confirmed or requested? 2.  Who is the appropriate confirming third party? 3.  How should the confirmation request be designed? 4.  How will the third party respond directly to the auditor? 5.  When should the confirmation request be sent? 6. If applicable, how should auditors follow up on requests when the third party has not responded? External confirmations can be sent to any third parties the auditors deem necessary, but the most common confirmations are with the client’s bank and customers. A bank confirmation is a request for information about the amount of cash held in the bank, details of any loans with the bank (e.g., interest rates and terms), and details of any pledges of assets made to guarantee loans. This information is used to confirm that the cash listed on the client’s balance sheet actually exists, is recorded at the appropriate amount (valuation and ­allocation assertion), is in the client’s name (rights and obligations assertion), and that all loans with the bank are included in the liability section of the balance sheet (completeness assertion). The bank confirmation also requests details of interest rates paid on the client’s cash balances, if applicable, and interest rates charged on bank overdrafts and loans. This information

bank confirmation  correspondence sent directly by the auditors to their client’s bank requesting information such as cash held in the bank and details of any loans with the bank and interest rates charged

5-14  C h a pte r 5  Audit Evidence

receivable confirmation  correspondence sent directly by the auditors to their client’s customers requesting information about amounts owed to the client by the customer

positive confirmation  correspondence sent directly by an auditor to a third party, who is asked to respond to the auditor on the matter(s) included in the letter in all circumstances (that is, whether they agree or disagree with the information included in the auditor’s letter) negative confirmation  correspondence sent directly by an auditor to a third party, who is asked to respond to the auditor on the matter(s) included in the letter only if the party disagrees with the information provided

is used when auditing interest income and interest expense items (accuracy assertion). We will cover the bank confirmation in depth in Chapter 13. Receivable confirmations can be sent to customers to verify amounts owed to the client. Auditors select the customers to whom they will send confirmations. Criteria used when selecting the customer balances to confirm include materiality (large trade receivables), age (overdue accounts), and location (if customers are dispersed, a selection from various locations). The primary assertion being tested when using receivable confirmations is existence. The confirmations provide audit evidence that the customers exist. They also provide some evidence on ownership (rights and obligations assertion), as customers confirm that they owe money to the client. Customers are only asked to confirm they owe the amount outstanding at year-end (or at an interim date). They do not confirm their intention to pay the amount due. Therefore, confirmations provide very little evidence regarding the valuation and allocation assertion. There are two types of external confirmations: positive and negative. ­Positive confirmations ask recipients to reply in all circumstances. If a response cannot be obtained, auditors must perform follow-up procedures. Negative confirmations ask recipients to reply only if they disagree with the information provided. If a recipient does not respond to a negative confirmation, it is assumed they agree with the information provided. But could there be other reasons why there is no response? What if the customer never ­received the confirmation, perhaps because of an address error? What if it is sitting on someone’s desk and has not been opened? Because of these “unknowns,” this form of request is of limited benefit when the assertion being tested is existence. According to AU-C 505.15 and AS 2310.20, auditors should not use negative confirmations as the sole audit procedure unless all of the following conditions are present: 1.  Auditors have assessed the risk of material misstatement for accounts receivable as low. 2.  Auditors have gathered sufficient appropriate evidence that internal controls are effective. 3.  The population of accounts receivable balances consists of a large number of small account balances. 4.  Auditors expect a low exception rate. 5.  Auditors are not aware of any circumstances that would cause the recipients to disregard the confirmation request. In practice, negative confirmations are not commonly used. Positive confirmations provide superior evidence because auditors must follow up on any nonresponses by verifying the appropriate recipient and sending a follow-up request or by completing alternative procedures. When auditors send a positive receivable confirmation, they ordinarily include the amount recorded in their client’s records for each customer to confirm. There is risk that a customer may sign and return the confirmation to the auditor without checking the balance outstanding. As the primary assertion being tested when using this audit procedure is existence, rather than valuation and allocation, this issue is not of great concern. Auditors will rely on other procedures to provide evidence on the valuation and allocation of the receivable balance. If auditors were to send a confirmation to customers requesting they provide the balance outstanding, there is risk that customers will not respond as locating the amount owed takes some effort to find, which would reduce the overall response rate and the amount of evidence available for the existence assertion. We will revisit the accounts receivable confirmation process in Chapter 11.

Professional Environment  Updating Audit Confirmation Standards How has technology influenced audit practice and standards? According to Daniel Goelzer, a former member of the Public Company Accounting Oversight Board (PCAOB), it has impacted practice more than the standards. In 2009, Goelzer believed that changes to the U.S. standard on audit confirmations

(at the time AU Section 3302) were necessary to bring it into the twenty-first century.3 Goelzer suggested that technological innovations such as the internet and email have changed confirmation practice since AU Section 330 was written in the early 1990s.4

2 Public Company Accounting Oversight Board (PCAOB), AU Section 330 The Confirmation Process, www. pcaobus.org. 3 D. L. Goelzer, “Statement on Consideration of Concept Release on Possible Revisions to the Standard on Audit Confirmations” (April 14, 2009), www.pcaobus.org; WebCPA 2009, PCAOB Mulls Revising Audit Confirmation Standards (April 14, 2009), www.webcpa.com. 4 Goelzer, 2009.

 Procedures for Gathering Audit Evidence  5-15 In the United States, the practice of audit confirmations is essentially mandatory, unlike the situation that typically prevails in the rest of the world where confirmations are an optional procedure—a tool available for auditors to select as part of a package of audit procedures.5 The U.S. requirement to use confirmations dates back to a famous fraud case, McKesson Robbins, in the 1930s.6 In that case, around $19 million of a total of $87 million in assets were entirely fictitious and the fraud would probably have been discovered if audit confirmations had been used appropriately.7 More recent scandals, such as the Madoff, Satyam, and Parmalat cases, have meant that the confirmation process is back in the spotlight.8 The PCAOB believes that a new confirmation standard should take into account today’s sophisticated security and encryption tools for email and online transactions. Specifically, some confirming parties have indicated that instead of responding to confirmation requests, they prefer to allow the auditors to have electronic access to the company’s accounts so the auditor may directly check the confirming party’s records.9 Former PCAOB member Steven Harris believed “the standard should address the use and reliability of confirmations received electronically. It should address the authenticity and accuracy of direct access to online account information.”10 In addition, auditors are continu­ ally faced with disclaimers—clauses inserted into a client’s customer’s reply to a confirmation request disclaiming responsibility for any inaccuracy in the information provided. In a litigious ­society like the United States, these disclaimers are routinely used to avoid legal liability for statements made. However, the auditor is then faced with a decision; that is, how much weight should be placed on a statement that is accompanied by a disclaimer? The

PCAOB included this issue in its request for public comment on the new standard. The comment period for the proposed rule closed in September 2010. The PCAOB received 27 comment letters, 19 of which were from accounting firms and associations of accountants. There was general acknowledgment from the respondents that the existing standard needs to be revised. However, there were two primary recommendations from the respondents. One recommendation is that the standard should be modified to be based more on principles and risk rather than being a hard rule that auditors must use confirmations. With a model based on principles and risk, auditors can rely more on their professional judgment when determining if confirmations are appropriate for a given client. The second recommendation is that additional research should be conducted to determine how additional confirmation requirements will affect the confirming parties. Currently, the PCAOB has not issued any updated standard on the confirmation process.11 The clarified standards of the Auditing Standards Board include an updated standard on external confirmations that became effective for audit periods ending after December 31, 2012. Paragraph A15 of AU-C 505 addresses the issue of validating the source of replies received in electronic format, such as email. It may be possible for the auditor to establish a secure environment for electronic responses, for example, by the use of encryption, electronic digital signatures, and procedures, to verify website authenticity. However, if this is not possible and the auditor has doubts about the reliability of any form of evidence obtained through the confirmation procedure, AU-C 505 requires the auditor to consider alternative procedures, for example, telephone contact with the respondent (AU-C 505.A14).

Cloud 9 - Continuing Case Suzie explains to Ian that they use external confirmations to gather sufficient appropriate evidence about the existence of Cloud 9’s customers. However, the confirmations will not be appropriate for valuation purposes, as a reply from a customer to confirm the debt exists does not mean the customer is going to pay the debt when it is due. The audit team will use other procedures to provide evidence about the valuation assertion for accounts receivable.

Suzie also suggests that bank confirmations will be useful on the Cloud 9 audit for the rights and obligations, existence, and valuation assertions for bank accounts. The audit team will also ask the banks to supply any information they have about any other bank accounts or loans, which is useful for gathering evidence about the completeness assertion for these accounts. Suzie incorporates her ideas on confirmations into the draft audit program.

Recalculation Recalculation is the audit procedure of checking the mathematical accuracy of documents or records. Recalculation can be performed manually or electronically with the aid of software. Some recalculations are simple, such as footing (adding/subtracting figures) a column in a clientprepared spreadsheet. Other recalculations are more complex, such as foreign currency translation, payroll taxes, interest on loans outstanding, and depreciation. When ­conducting 5

Ibid. Ibid. 7 S. B. Harris, “Statement on Proposed Auditing Standard on Confirmation” (July 13, 2010), www.pcaobus.org. 8 WebCPA, 2009. 9 Harris, 2010. 10 WebCPA, 2009. 11 Public Company Accounting Oversight Board (PCAOB), “Transcript Excerpt and Slides: Standing Advisory Group Meeting,” Docket 28 (October 14, 2010), www.pcaobus.org. 6

recalculation  an audit procedure that involves checking the mathematical accuracy of documents or records

5-16  C h a pte r 5  Audit Evidence

complex recalculations, auditors agree the amounts included in the calculations to externally prepared documents, when available, and check that the formulas are used appropriately and are free of errors.

Reperformance reperformance  an audit procedure that involves the independent execution of procedures or controls that were originally performed by client personnel

Reperformance involves the independent execution of procedures or controls that were originally performed by client personnel. In other words, the auditors will “re-do” a procedure that was performed by the client to determine if the auditors get the same result. Reperformance is commonly used as a test of controls. For example, a client’s control procedure over cash disbursements states that checks are prepared only after all source documents have been independently approved in a voucher packet. Auditors can reperform this procedure by looking at approved voucher packets awaiting check processing. Auditors reperform the act of agreeing all of the source documents and verify that an approval signature is on the packet. Another example is reperforming a bank reconciliation the client has prepared. Client personnel prepare bank reconciliations for all bank accounts each month as an internal control procedure. Auditors will reperform the bank reconciliation to gather evidence that the procedure was performed correctly.

Analytical Procedures analytical procedures  evaluations of financial information through analysis of plausible relationships among both financial and nonfinancial data

Recall from Chapter 4 that analytical procedures are evaluations of financial information through analysis of plausible relationships among both financial and nonfinancial data. Some examples of analytical procedures include data comparisons, ratio analysis, and trend analysis. During risk assessment, analytical procedures are required and are used to identify accounts at risk of material misstatement, which aids in planning the audit. They can also be used as a substantive procedure to gather sufficient appropriate evidence, but auditing standards do not require the use of analytical procedures during the risk response phase. When properly designed and executed, analytical procedures may provide an efficient alternative to other audit procedures and, in some cases, may provide the most effective test of the appropriateness of account balances. For example, when auditing management’s estimate of the allowance for doubtful accounts or the accrual for warranty costs, auditors compare the current-year estimates with prior-year estimates, taking into consideration any increases or decreases in sales. Based on the results, auditors may decide that no further substantive testing is needed. In other situations, analytical procedures may provide the only method of gathering evidence. For example, if the client does not maintain an effective costing system, auditors could estimate manufacturing overhead in finished inventory by relating actual overhead for the year to actual direct labor. The use of analytical procedures as a substantive procedure is covered in more depth in Chapter 9.

Scanning scanning  a type of analytical procedure in which auditors use their professional judgment to review accounting data to identify unusual or significant items to examine further

Scanning is a type of analytical procedure in which auditors use their professional judgment to review accounting data to identify unusual or significant items that may be an indication of a material misstatement. Scanning includes the identification of unusual individual items within an account balance or other accounting records such as journals, reconciliations, and detailed transaction reports. Examples of unusual items include a large dollar amount for a transaction, such as a very large cash receipt that might be evidence of a loan, or a nonstandard journal entry. Once an unusual item is identified, auditors may decide to further examine the item using other audit procedures, such as inspection or recalculation.

Audit Data Analytics (ADA) As clients have incorporated more technology into their processes, so have auditors. Auditors use software to assist with gathering evidence. Software usage ranges from simple techniques, such as electronic spreadsheets and software for a paperless audit, to more sophisticated procedures, such as cluster analysis.

 Procedures for Gathering Audit Evidence  5-17

Auditors use software to perform procedures such as calculations (for example, the summing of a report) and logic tests (for example, sorting or comparing current-year amounts with prior years), and to select key items and representative samples for testing. Audit data analytics (ADA) is using software to discover and analyze patterns, identify anomalies, and extract other useful information from client data. Auditors then use “visualization” techniques to draw conclusions and communicate the information. Visualization refers to the use of graphics to explain and communicate findings. Typical visualization techniques include graphs, charts, trend lines, scatter diagrams, and dashboards. For example, traditional audit techniques would compare aggregate figures, such as current-year sales compared to prior-year sales, or quarterly sales totals in the current year to quarterly sales totals from the prior year. ADA software can provide a deeper examination of sales activity by summarizing every sales transaction for the year into a graph that shows a trend line with time on the x-axis and dollars of sales on the y-axis. This deeper analysis shows more detailed trends with highs and lows of sales activity. Knowing more about their clients helps auditors plan a more effective audit. Using ADA software makes the audit (1) more comprehensive because each item in a client’s file can be examined and subjected to a variety of tests and (2) more efficient because the software can handle large volumes of data, thereby reducing time-consuming clerical tasks. Using software also allows auditors to concentrate on designing the test criteria and evaluating and interpreting the results, rather than on performing the detailed audit procedures. ADA can be used during risk assessment and risk response. The main considerations in deciding whether to use ADA are the completeness of the client’s records and the reliability of the client’s data. As with any audit procedure, the nature and ­extent of the procedures performed with ADA will largely depend on the evaluation of the effectiveness of the client’s information technology controls. The use of ADA will be covered in more depth in Chapters 7 and 11–13.

audit data analytics (ADA)  using software to discover and analyze patterns, identify anomalies, and extract other useful information in data underlying the subject matter of an audit through analysis, modeling, and visualization for the purpose of planning or performing an audit visualization  using graphics to explain and communicate findings

Cloud 9 - Continuing Case Suzie and Ian have already begun gathering evidence by performing the analytical procedures on Cloud 9’s interim results and prior-period statements. Further evidence gathering at the risk assessment phase will be performed by members of the team when they begin their assessment of the internal controls system by inspecting the relevant documents. They will gather evidence from observing personnel performing their duties and making inquiries of members of Cloud 9’s staff and management. In addition, the partner, Jo Wadley, held discussions with the previous auditors (Ellis & Associates) before accepting the client. The record of these discussions, plus others that Jo held with Cloud 9 management, is already in the evidence files. Ian has some questions about the evidence: in particular, why the audit team is bothering to gather verbal evidence,

through ­inquiry, which has low persuasiveness. Suzie explains that all forms of evidence have their limitations. Observation is useful to see how staff perform their tasks (as opposed to what the manuals say they should be doing), but people often “behave” better when they are being watched. Documents can be lost or altered, or misinterpreted, and not everything is written down. Electronic evidence is hard to audit if the system does not have a “hack-proof” audit trail. Signatures on documents do not mean the signor actually read the document properly, and people can pre- or post-date documents. Auditors must use professional judgment and skepticism to determine the appropriateness and sufficiency of evidence by considering it as a whole and be prepared to follow up on any problems or discrepancies they observe until any doubts are satisfactorily resolved.

Before You Go On 3.1 Explain the procedures of vouching and tracing. Illustrate with an example in the context of the revenue process. 3.2  What is a bank confirmation? Why is it an important confirmation? 3.3 How is a positive confirmation different from a negative confirmation? 3.4 Explain the audit procedure of reperformance. Illustrate with an example in the context of revenue transactions.

5-18  C h a pte r 5  Audit Evidence

Using the Work of Others Lea rning O bjective 4 Evaluate when it is appropriate for auditors to use the work of others. We have covered a significant amount of information regarding the planning and design of an audit. As you have probably concluded, an audit requires many hours of work by a team of auditors. The size of an audit team will vary depending on the size and complexity of the client. The composition of a general audit team is depicted in Illustration 5.6. You can think of the composition of an audit team like a triangle, with more team members at the base of the triangle and fewer at the top. The senior and associates perform the detailed testing under the supervision of the manager. The partner holds ultimate responsibility for audit decisions, supervision of the team members, and the issuance of the final audit report. Throughout the engagement, as audit procedures are completed and documented, they are reviewed by an audit team member with seniority over the team member who did the work. Chapter 14 will provide more information about the review of audit documentation. ILLUSTRATION 5.6     General structure of an   audit team

Partner

10 or more years’ experience

Manager

Senior/In-charge

Staff/Associates

6–10 years’ experience 2–5 years’ experience 0–3 years’ experience

In Illustration 5.6, the approximate years of experience for each level of team member are also shown in the diagram. When assigning the audit team, an accounting firm will make sure it assigns individuals with appropriate audit experience. An appropriate response to an identified risk may be assigning an individual with the right experience. For example, when fraud risk is high, the accounting firm may assign an individual with more audit experience in a particular industry to audit an assertion than when fraud risk is low. In some situations, the audit team will rely on the work of others during the risk assessment and/or risk response phase of the audit. Some examples include relying on an industry or technical specialist, the client’s internal auditors, and/or other auditors. These situations will be discussed in the following sections.

Using the Work of a Specialist specialist  an individual or organization with expertise in a field other than accounting or auditing whose work in that field is used by the auditors to assist in obtaining sufficient appropriate evidence

Some audits may require the use of a specialist when gaining an understanding of a client, testing internal controls, and/or performing substantive tests. A specialist is an individual or an organization with expertise in a field other than accounting or auditing whose work in that field is used by the auditors to assist in obtaining sufficient appropriate audit evidence. The specialist may be an employee of the accounting firm or may be contracted by the accounting firm as needed. Some examples of when a specialist may be used include estimating oil and mineral reserves for inventory reporting and performing actuarial calculations for the determination of employee benefit plan liabilities. Specialists may also be used to evaluate the quality of inventory, such as taking samples of grain from a grain elevator to determine if the grain has any bacteria or other attributes that could affect its quality.

  Using the Work of Others  5-19

AU-C 620 Using the Work of an Auditor’s Specialist and AS 1210 Using the Work of a ­ pecialist provide guidelines for auditors when using the work of a specialist. The first step S is for auditors to determine whether a specialist is required. The need to engage the services of a specialist depends on the knowledge of the audit team, the significance and complexity of the item, the risk of material misstatement of the account or assertion, and the availability of appropriate alternative corroborating evidence. If the audit team has experience with the item being audited and can draw on their knowledge from previous audits of that client or similar companies in the same industry, there is less need to use a specialist. If auditors decide they do not have the expertise necessary to test and evaluate the accuracy of reported information, they can seek assistance in the form of a specialist’s opinion to corroborate other evidence obtained. For example, a licensed appraiser may be engaged to provide an opinion on the value of a client’s property, a geologist may be engaged to evaluate the quantity and quality of mineral deposits, a vintner may be engaged to assess the quality and value of wine stocks, or an actuary may be engaged to develop an estimate of a pension liability. Once it has been determined that a specialist is required, the next step is for the auditors to determine the scope of the work to be carried out and agreed to by the specialist. The agreement can be in the form of a formal engagement letter with the specialist or recorded in the audit planning documents when using a specialist from the accounting firm. Auditors determine the nature, timing, and extent of work to be completed by the specialist. It is important that auditors are involved in setting the scope of the work required because the judgment of the specialist forms part of the audit evidence upon which auditors form their audit opinion. Written instructions to the specialist can cover the (1) issues the specialist is to report upon, such as the market price of properties owned by the client; (2) the details to be included in the report, such as computations used in arriving at their conclusion; (3) the sources of data to be used, such as market interest rates or market prices of shares; (4) clarification of the way the auditors intend to use the information included in the specialist’s report; and (5) notice that the specialist’s report and the data used in compiling the report must remain confidential. Before contacting a specialist, auditors should assess the competence, capability, and objectivity of the specialist. Competence refers to the expertise of the specialist. What are the qualifications of the specialist? Does he or she maintain a license or certification in a relevant field? How many years of experience does the specialist have in the relevant field? Capability refers to the ability of the specialist to perform the required work. For example, does the specialist have the time and resources needed to complete the work? Is the specialist located in the area or will significant travel be required? Objectivity refers to the possible effects that bias, conflicts of interest, or the influence of others may have on the professional judgment of the specialist (AU-C 620.A15). Auditors should inquire of the client and of the specialist as to whether any interests or relationships exist between the client and the specialist that would impair the specialist’s objectivity. For example, does the specialist have any financial interests or outside business relationships with the client? The specialist is not required to be completely independent of the client. If some type of relationship does exist between the client and the specialist, auditors may decide to perform some additional procedures with respect to the specialist’s work to determine that the findings are reasonable. Once the specialist’s work is complete, auditors will assess the specialist’s report. The report should detail each stage of the process used in arriving at the overall conclusion in the report, including information about the data sources or estimation models used, or calculations conducted. Auditors assess the consistency of any assumptions made with those made in prior years and with other known information and with conclusions drawn with corroborating evidence gathered by the audit team. The responsibility for arriving at an overall conclusion regarding fair presentation of a client’s financial statements rests with the auditors. When auditors decide to use a specialist, that responsibility is not reduced in any way. It is the responsibility of auditors to assess the quality of the evidence provided by a specialist and determine whether it is reliable and objective. Auditors do this by following the process outlined above. They will determine the need for a specialist, the scope of the specialist’s work, and the competence and objectivity of the specialist. Finally, auditors will assess the quality of the specialist’s report and the reliability of the information included in it.

5-20  C h a pte r 5  Audit Evidence

Professional Environment  Working with IT Auditors Specialist IT auditors are often used in audits of clients with complex information technology (IT) environments because the effective audit of the IT systems contributes to overall audit quality. Large audit firms usually have such specialists within the firm, but smaller audit firms could engage external IT consultants for this part of the financial statement audit. In general, reliance on an IT specialist is appropriate when the financial statement auditor complies with the conditions of AU-C 620. If the IT expert and the financial statement auditor do not work well together, audit quality can be impaired. For this reason, researchers have investigated the factors that affect the way that financial statement auditors work with specialist IT auditors. Brazel12 reviewed this research evidence and drew the following conclusions. First, responses from financial statement auditors in the United States who were surveyed about their experiences with IT auditors indicated that they believe IT auditors’ competence levels vary in practice. Financial statement auditors also said that IT auditors appear to be overconfident in their abilities in some settings, and questioned the value provided by IT auditors to the financial statement audit. Second, Brazel suggests the research shows that both financial statement auditors’ IT ability and experience and the IT auditor’s competence affect how these two professions interact on an audit engagement. This indicates that audit firms need to ensure that staff training and scheduling produce appropriate combi­ nations of financial statement auditors and IT auditors on an ­engagement.

Finally, Brazel argues that the research findings demon­ strated that auditors need to consider the implications of finding a balance between greater software-assisted audit techniques training for financial statement auditors and greater use of IT specialists for overall audit efficiency and effectiveness. The role of IT audit specialists could grow to become even more than a support function for auditors. Some researchers suggest that in e-businesses, the external financial statement auditor’s authority will be challenged by IT audit specialists because of technological change and its impact on auditing.13 In e-businesses, economic transactions are captured, measured, and reported on a real-time basis without either internal human intervention or paper documentation.14 Auditing is likely to become more real-time and continuous to reflect the pattern of the transactions. If traditional auditors are unwilling or unable to adapt to the new environment, their role could be taken over by IT specialists. Other developments such as reporting using XBRL (eXtensible Business Reporting Language) provide challenges for auditors as they have to adapt their techniques and approaches to audit financial information that is disaggregated and tagged. Users can extract and analyze XBRL data directly without re-entry and the tag provides additional information about the calculation and source of the data. This means auditors have to recognize that their clients are reporting financial data with different levels of information and users might have greater expectations of the data. Learn more about XBRL at www.xbrl.org.

Cloud 9 - Continuing Case Josh will take responsibility for obtaining a specialist’s opinion on the derivatives. He knows that W&S Partners has other staff (who are not part of the audit team) who can provide additional expertise. However, because he believes the accounts are so material to the audit and derivatives have become such a big issue in audits in recent years, he deems an external specialist’s opinion is also required.

He has some experience with using a derivatives specialist on prior audits, and he also plans to ask Jo Wadley (the partner) to recommend a suitable specialist. Josh plans to investigate any possible connections between the specialist and Cloud 9 that could adversely impact the specialist’s objectivity before engaging him for this audit.

Using the Work of Internal Auditors internal auditors  employees of the client who perform assurance and consulting activities designed to evaluate and improve the effectiveness of the entity’s governance, risk management, and internal control processes

The role of the internal audit function was introduced in Chapter 1. Internal auditors are employees of the client who perform assurance and consulting activities designed to evaluate and improve the effectiveness of the entity’s governance, risk management, and internal control processes. Not every client will have an internal audit function. For example, small and medium-sized companies, especially private companies, may not have the resources to staff an internal audit function. But if the client does have an internal audit function, what role, if any, do the internal auditors play in the financial statement audit? According to AU-C 610 12

J. F. Brazel, “How Do Financial Statement Auditors and IT Auditors Work Together?” The CPA Journal (November 2008), pp. 38–41. 13 A. Kotb, C. Roberts, and S. Sian, “E-business Audit: Advisory Jurisdiction or Occupational Invasion?” Critical Perspectives on Accounting 23, no. 6 (2012), pp. 468–482. 14 Kotb et al., 2012.

  Using the Work of Others  5-21

Using the Work of Internal Auditors and AS 2605 Consideration of the Internal Audit Function, auditors may (1) use the work of internal auditors in gathering audit evidence and (2) use internal auditors to provide direct assistance under the direction, supervision, and review of the external auditors. If external auditors intend to use the work of internal auditors, they must first assess the objectivity, competence, and processes of the internal audit function. The concepts of objectivity and competence discussed above in the context of a specialist also apply when considering internal auditors. Since internal auditors are employees of the client, they are not independent. However, a well-designed internal audit function can operate free of bias and avoid conflicts of interest. Illustration 5.7 lists factors for auditors to consider when assessing the objectivity and competence of the internal audit function. Auditors should also consider the processes of the internal audit function. Essentially, auditors want to determine if the internal auditors follow a systematic and disciplined approach to their work and have quality control procedures in place. Ideally, the internal audit function should plan, supervise, document, and review its activities in a way that is distinct from other monitoring activities within the entity.

Factors that impact objectivity: •  Internal auditors report directly to the board of directors, audit committee, or owner-manager. •  There is no assignment of managerial or operational duties that are outside of the internal audit function. •  Policies prohibit internal auditors from auditing areas where relatives are employed or areas where the internal auditor was previously assigned before moving to the internal audit function. •  Internal auditors are members of a professional body that obligates compliance with professional standards regarding objectivity. Factors that impact competence: •  Evidence of technical training and proficiency shown by education, years of experience, and professional certification in a relevant field. •  Internal auditors hold membership in relevant professional bodies that require compliance with professional standards and continuing professional education. •  Staffing is appropriate to the size of the entity. •  There are established policies for hiring, training, and assigning internal auditors. •  Quality-of-work documentation and reports exist.

If auditors determine that the internal auditors are objective, competent, and follow appropriate procedures, then the next step is to determine how the internal auditors’ work may affect the nature, timing, and extent of the audit. Procedures planned or already performed by the internal audit function may be the same as, or very similar to, audit procedures the external auditor would design and perform, particularly in the area of evaluation of the performance of internal controls. Therefore, work already performed or planned to be performed by the internal auditors can affect the auditors’ risk assessment procedures, testing of controls, and/or substantive procedures performed. Here are some examples: •  The internal auditors have developed a flowchart for a new sales and receivables software application. The external auditors obtain a copy and review the flowchart to gain an understanding of the new application. If the auditors are satisfied with the quality of the flowchart, they will not need to prepare their own flowchart, which improves the efficiency of the audit. •  The internal auditors have tested relevant controls over the completeness assertion for accounts payable. The results of the internal auditors’ procedures provide evidence that controls are operating effectively. If satisfied that the controls are operating effectively, auditors may reduce the extent of their testing of these controls.

ILLUSTRATION 5.7    

Factors that impact objectivity and competence of internal   auditors

5-22  C h a pte r 5  Audit Evidence

•  As part of their own work, the internal auditors confirm a sample of accounts receivable balances to ensure a new sales and receivables software application is functioning ­properly. Auditors may use this work as evidence obtained and then reduce the number of additional receivable balances that would be confirmed. When determining the extent to which the internal auditors’ work will affect the auditors’ procedures, auditors consider the materiality of the account balance or transaction; the risk of material misstatement of the assertions related to the account balance, transaction, or disclosure; and the amount of subjectivity involved in evaluating the evidence gathered (AU 2605.20). As these factors increase, the need for auditors to perform their own tests of the related assertions also increases. Remember, external auditors have sole responsibility for expressing an opinion on the fair presentation of the financial statements. That responsibility is not decreased by the use of work performed by internal auditors. External auditors may also obtain direct assistance from internal auditors to carry out audit procedures the external auditors would normally do themselves. In this scenario, internal auditors would be under the direction, supervision, and review of the external auditors. When determining the nature of work to be assigned to internal auditors, external auditors should follow the same guidelines as mentioned in the previous paragraph. As the factors of materiality, risk of material misstatement, and subjectivity increase, the need for external auditors to perform the procedures will increase. An example might be the valuation assertion for assets that require significant accounting estimates. Areas involving less materiality, lower risk of material misstatement, and less subjectivity are more appropriate to assign to internal auditors. An example might be the existence assertion for prepaid expenses. External auditors should obtain written acknowledgment from management, or those charged with governance, regarding the use of internal auditors for direct assistance with the audit. This written acknowledgment can be included within the audit engagement letter or prepared as a separate document. Audit evidence obtained from the internal auditors and the work performed by internal auditors providing direct assistance are included in the external auditors’ documentation as evidence of work completed. Also included is the evaluation of the objectivity, competence, and procedures of the internal auditors. Audit documentation is discussed further in this chapter in the section “Documentation—Audit Working Papers.”

Audit Reasoning Example  Consideration of Internal Audit Function One of your clients is Mary Lee’s Cookie Company. Mary Lee’s produces various types of cookies and sells them at grocery stores and convenience stores across the United States. Mary Lee’s is a family-run, private company, and it has experienced significant growth over the last six years. The founder and chair of the board of directors, Mary Lee Nguyen, has a goal of taking the company public one day, so she wants to start preparing the company to be run more like a public company. Therefore, she has decided to create an internal audit function. Two months after the conclusion of the prior-year audit, Mary Lee hired Kathy Bourgeois to lead the internal audit function. Kathy has three years of internal audit experience working at a public company, and she is a certified internal auditor (CIA). To add to her department, Kathy has hired a recent college graduate who has taken courses in internal auditing, and she also has a current college student who is interning part-time. Kathy and her team will report directly to Mary Lee and the board of directors. One of Kathy’s first tasks has been to document Mary Lee’s transaction processes and internal controls. Can your audit team use the work of Kathy’s team regarding the transaction flows and internal controls documentation? Are Kathy and her team objective and competent? You consider objectivity. Kathy is a CIA and therefore must comply with professional standards to maintain her certification. The internal audit function reports to the board of directors, not to a member of management. No one in the internal audit function is assigned managerial duties. Therefore, based on these factors, the internal audit function seems to be objective. Now you consider competence. Kathy is a CIA, but she only has three years of work experience. The rest of her department, a recent college graduate and an intern, is not experienced. The internal audit department has only been functioning for a few months. Based on

  Using the Work of Others  5-23 these factors, you do not consider the internal audit function highly competent at this time. Therefore, for the current-year audit, you do not plan to use any of the work of Mary Lee’s internal auditors. However, over time, the internal audit function may develop more competence and you may consider using the work of the internal auditors or obtaining direct assistance from them.

Using the Work of Another Auditor Sometimes auditors must rely on work performed by a separate accounting firm. For example, when auditing a consolidated company, the auditors may rely on another accounting firm to audit a subsidiary that is located in a foreign country. AU-C 600 Special Considerations—Audits of Group Financial Statements (Including the Work of Component Auditors) provides guidance when using the work of another audit firm. Group financial statements include the financial information of more than one entity, or component, such as consolidated financial statements prepared by a parent company. A component is an entity or business activity that is required by the applicable financial reporting framework to prepare financial information that will be included in group financial statements. An audit of group financial statements is referred to as a group audit. The group engagement team will establish the overall group audit strategy and communicate with the component auditors. The component auditors are from a different audit firm and gather evidence on a component that will be used as audit evidence for the group audit. The group engagement partner is the partner responsible for the performance of the group audit engagement and for the auditor’s report on the group financial statements. When making a client acceptance or continuance decision, auditors will consider their capacity to undertake the audit and the proportion of the financial statements for which they will rely on component auditors. The group engagement partner’s firm should audit the majority of a client’s financial statements and be knowledgeable about the components of the financial statements they do not audit themselves. For example, when accepting a new client that has a 50% interest in a joint venture in another country that is audited by another audit firm, the group engagement partner must be knowledgeable about the business of the joint venture so that he or she can evaluate the risks associated with the joint venture and how the joint venture is reported in the financial statements of the potential audit client. Without such knowledge, the firm should not accept the new client. When assigning work to a component auditor, the group engagement partner will consider the capacity of the other auditor to undertake the work. The group engagement partner will also consider the reputation of the component auditor and ensure that it is a member of a reputable professional body. It is the responsibility of the group engagement partner to ensure the work completed by a component auditor meets the group engagement partner’s requirements and standards. AU-C 600 sets out the responsibilities of the group engagement partner when using the work of a component auditor. The group engagement partner is responsible for the direction, supervision, and performance of the group audit engagement. The two auditors may discuss the detailed procedures to be used, and the group engagement partner then reviews the main conclusions drawn in the documentation of the component auditor. The extent of review of the component auditor’s work depends on a number of factors. The group engagement partner will spend more time when the component is material and/or at risk of material misstatement. The group engagement partner will spend less time if the component auditor has a good reputation and/or has done audit work for the group engagement partner in the past, and if the financial statements being audited by the component auditor are at low risk of material misstatement. The group engagement partner uses the evidence provided by a component auditor when drawing a final conclusion on the fair presentation of the group financial statements. Chapter 15 will discuss what modifications may be required to the independent auditor’s report when component auditors are used. The corresponding PCAOB standard for using the work of another auditor is AS 1205 Part of the Work Performed by Other Independent Auditors. The guidance in the PCAOB standard

group financial statements  financial statements that include the financial information of more than one entity, or component component  an entity or business activity whose financial information is required by an applicable financial reporting framework to be included in group financial statements group audit  an audit of group financial statements group engagement team  partners and staff who establish the overall group audit strategy, communicate with component auditors, perform work on the consolidation process, and evaluate audit evidence to form an opinion on the group financial statements component auditor  an audit firm that performs work on the financial information of a component that will be used as audit evidence for the group audit group engagement partner  the partner who is responsible for the group audit engagement and its performance and for the auditor’s report on the group financial statements that is issued on behalf of the firm

5-24  C h a pte r 5  Audit Evidence

is essentially the same as the ASB standard for private companies. The key difference is the PCAOB standard uses different terminology. The term “principal auditor” is used instead of “group engagement team” and “group engagement partner.” The term “other auditors” is used instead of “component auditors.”

Cloud 9 - Continuing Case Sharon knows that Cloud 9 has production operations in Vietnam. The previous auditors, Ellis & Associates, used an accounting firm based in Vietnam to gather evidence regarding the inventory and property, plant, and equipment at the Vietnamese production facilities. If they want to use the same

Vietnamese accounting firm, Sharon will need to assess the reputation of the other firm and the firm’s capacity to take on the engagement. Sharon decides to set up a meeting with the partner (Jo) to further discuss how to proceed with gathering evidence related to the Vietnamese operations.

Before You Go On 4.1  What factors may influence an auditor’s decision on the need to use a specialist? Illustrate with an example. 4.2  Why might an external auditor want to use the work of the internal audit function? Illustrate with an example. 4.3  Who is the group engagement partner? Why is this position important? 4.4  What are some of the factors that a group engagement partner will consider when assigning work to a component auditor?

Documentation—Audit Working Papers Lea rning O bjective 5 Document the details of evidence gathered in working papers.

working papers  paper or electronic documentation of the audit created by the audit team as evidence of the work completed

In this chapter, we have discussed the characteristics of audit evidence, the procedures for gathering audit evidence, and situations when others may be used to gather audit evidence to support management assertions. Next, we cover procedures for documenting all of the audit evidence that has been gathered. AU-C 230 Audit Documentation and AS 1215 Audit Documentation require auditors to document each stage of the audit in their working  papers to provide a record of work completed and evidence gathered in forming their audit opinion. Determining what and how much to document is a matter of professional judgment, but the documentation must be sufficient to enable an experienced auditor, having no connection with the audit, to understand the procedures performed and the conclusions reached. Auditors document each stage of the audit and the procedures used. During the risk assessment phase, auditors document their understanding of the client, the risks identified, analytical procedures used to aid in risk identification, their materiality assessment, the understanding of the client’s system of internal controls, the understanding of the client’s information technology, related parties identified, and a preliminary audit strategy. During the

  Documentation—Audit Working Papers  5-25

risk response phase, auditors develop an audit program, and document details of tests undertaken, copies of significant documents referenced, correspondence with the client’s lawyers and bankers, confirmations received from customers, and inquiries of management. Documentation will vary from client to client. It will depend upon the audit procedures used, the risks identified, the extent of judgment used, the persuasiveness of the evidence gathered, the nature and extent of exceptions noted, and the audit methodology utilized (AU-C 230). An audit working paper generally includes: •  Client name. •  Period under audit. •  Title describing the contents of the working paper. •  File reference indicating where the working paper fits in the audit file. •  Initials identifying the preparer of the working paper together with the date the working paper was prepared. •  Initials identifying the reviewer(s) of the working paper together with the date(s) the working paper was reviewed. •  Cross-referencing between working papers indicating where further work and evidence is summarized elsewhere. Working papers for each client consist of two main files called the permanent file and the current file.

Permanent File The permanent file includes client information and documentation that applies to multiple audits. In the first year of a continuing audit, auditors gather information that will be relevant to future audits. The information included in the permanent file is checked and updated at the start of each annual audit. The permanent file usually contains the client’s head-office address, other locations, and contact details (telephone, fax, and email). Information about key personnel and an organizational chart are included in the permanent file. A client’s organizational chart includes details of key roles within the organization and the names of the people in those roles. The file may also include the details of the client’s bank(s) and lawyer(s). The permanent file includes copies of long-term contracts and agreements. These documents will be used to calculate interest payable on outstanding long-term loans, or enable the assessment of any lease obligations. Debt covenants will be included in the permanent file. Auditors can check the details of these agreements to assess the client’s compliance with covenants. If a client has long-term commitments with customers and suppliers, auditors will include the relevant documentation in the permanent file. Key long-term investments will be detailed, including the details of the broker used for these transactions. The permanent file includes details of the client’s board of directors and its subcommittees, such as the audit committee. The file includes the minutes of significant meetings held by the client, such as its board of directors’ meetings. It may include details of bonus and stock option plans for the client’s senior staff. The permanent file details a client’s primary accounting policies and methodologies. Prior financial statements and audit reports are included in the permanent file. Details of prior analytical procedures are included and added to so auditors can observe changing trends. Flowcharts and narratives detailing a client’s system of internal controls are included in the permanent file and amended as needed during the risk assessment phase of each audit. Reports sent to the client during previous audits will be included in the permanent file. For example, letters to management that detail weaknesses in internal controls identified by the auditors in previous years are included and referred to by the auditors. When planning future audits, auditors read these reports and discuss their contents with the client’s management.

permanent file  contains client information that is relevant for more than one audit

5-26  C h a pte r 5  Audit Evidence

Cloud 9 - Continuing Case Cloud 9’s permanent file contains the basic information about the company (that is, its headquarters’ address, key senior staff and their employment contracts) plus a copy of the engagement letter appointing W&S Partners and stating the scope of the audit.

Sharon and Suzie have gathered copies of some of the relevant agreements and will add these and more to the permanent file. Josh’s documentation of Cloud 9’s system of internal control will be added to the permanent file once it is completed.

Current File current file  contains client information that is relevant for the duration of one audit

The current file is developed as audit work is performed and includes client information and documentation that apply to the current year’s audit. Contents of the current file vary from client to client depending on the accounts in the client’s financial statements and the client’s activities. The current file includes the details of all testing and evidence gathered in preparation of the audit report. The current file also includes correspondence among the auditors and the client, the client’s bankers, and the client’s lawyers that pertain to the current audit period. Correspondence with other auditors, specialists, and relevant third parties is also included. The engagement letter is included in the current file, along with the management letter detailing any weaknesses uncovered in the client’s system of internal control. Representation letters (discussed in Chapter 14) and confirmation letters are also included in the current file. The current file includes extracts from the minutes of meetings, such as the board of directors’ meetings, that pertain to the current audit. The file includes details of the audit planning process and the audit program. The current file also includes detailed descriptions of evidence gathered, testing conducted, and audit procedures performed. It will detail the analytical procedures, tests of controls, and detailed substantive testing undertaken, as well as the conclusions drawn at the completion of testing. The current file includes testing of any subsequent events (discussed in Chapter 14) and a copy of the final audit opinion.

Examples of Working Papers

lead schedule  summarizes the detail included in a specific account on the financial statements

This section provides two examples of working papers. While each accounting firm has its own way of documenting evidence, most have common elements. To aid your understanding, examples are provided of how a fictitious accounting firm, Bell & Bowerman, LLP, prepares its working papers. Working papers are prepared and stored electronically. Once the audit is concluded, the accounting firm usually retains a paper copy of working papers, as well as an electronic copy of files and working papers. An accounting firm will back up electronic files and archive working papers in a location that is secure. (Chapter 14 provides more details on documentation retention.) Once they are completed, working papers are typically electronically locked so they cannot be modified. Each audit has a unique file name for ease of identification, which usually includes the client’s name and the year-end of the financial statements being audited. Each current file created for an audit is divided into unique sections with each section representing a different element of the audit (e.g., cash, accounts receivable, or inventory). Each section contains (1) a lead schedule that summarizes the detail included in the financial statements for a particular account, and (2) supporting working papers that provide evidence obtained related to that account. Each working paper generally includes details such as the client’s name, the period under audit, a file reference, cross-references to other parts of the audit file, details of the testing conducted, comments/conclusions drawn, and identification of the preparer and reviewers. For illustration, a series of working papers are presented for a fictional client of Bell & Bowerman, LLP, New Millennium Ecoproducts (NME). The working paper examples are for the audit period ending December 31, 2022. NME was created by its founders, brothers Tomas and Charles Delron, avid environmentalists, at the turn of the twenty-first century. The vision for the company is to produce everyday products in a sustainable way, providing an affordable

  Documentation—Audit Working Papers  5-27

alternative for environmentally conscientious customers. NME operates from three locations and produces a wide range of household products that it sells to supermarkets and specialty stores. At the front of every audit file is a copy of the client’s trial balance that supports the financial statements. The trial balance is then referenced into the appropriate lead and supporting schedules in the audit file where audit work is documented for each account in the trial balance. At Bell & Bowerman, LLP, the trial balance is referenced using the letter “A”; cash and cash equivalents in various banks are referenced into the C Lead; accounts receivable are referenced into the E Lead; inventory accounts are referenced into the F Lead; property, plant and equipment are referenced into the K Lead; and so on. The first working paper example is the cash and cash equivalents lead schedule (see Illustration 5.8). The purpose of this lead is to summarize all general ledger accounts that are combined into the cash and cash equivalents account on the financial statements. The lead schedule also has adjusting journal entries, if any, that are proposed by the auditor. In the top-left corner of the lead schedule are the client name, period-end, and currency unit (in this example, balances are rounded to the nearest thousand dollars). In the top center of the lead schedule is section identification (C). In the top-right corner, details of the working paper preparer and reviewers are documented. Next, details of the cash and cash equivalents balance are listed. For each item listed in the lead schedule, the following are noted: •  General ledger account number, per the client records. •  General ledger account name, per the client records. •  Preadjusted balance, any adjustments, and the audit-adjusted current-year balance per the client’s trial balance (TB). •  The prior-year balance, per the prior-year audit file (PY).

illustration 5.8   Working paper example: Cash lead schedule Client: New Millennium Ecoproducts Period-end: 12/31/2022 Currency unit: $000

Bell & Bowerman, LLP C–LEAD

Reference: C-Lead

Prepared by: Reviewed by: Reviewed by:

KM 1/21/2023 SO 1/22/2023 MM 1/24/2023

Lead schedule:

Account no.

Account name

Preadjusted balance 12/31/2022

Adjusted current-year balance 12/31/2022

10100

Cash in Bank: Wells Fargo

$ 11,000

$0

$ 11,000

TB

$ 10,500

10200

Cash in Bank: U.S. Bank

134

0

134

TB

10300

Cash in Bank: Barclays

126

0

126

10400

Cash in Bank: Citigroup

56

0

10500

Short-Term Deposits

5,796

Total Cash and Cash Equivalents

$17,112

Prior-year balance 12/31/2021

Variance

% Variance

Ref

PY

$500

5%

C01

134

PY

0

0%

C02

TB

126

PY

0

0%

C03

56

TB

50

PY

6

12%

C04

0

5,796

TB

5,600

PY

196

4%

C05

$0

$17,112

$702

4%

Adjustments

$16,410

Key to audit tick marks (TM): TB Agrees to client’s trial balance. PY Agrees to prior-year audit file. Background: No significant changes in banks or bank accounts from the prior period. Note: Analytical review on movements in the cash flows has been performed on the cash flow schedule — see A1.1. Comments: Cash and cash equivalents: In line with budget and change consistent with level of activity for the period (see also our review of the statement of cash flows referenced in A1.1). Short-term deposits: Although the balance is very consistent with previous period, inclusion of short-term deposits within cash and cash equivalents is acceptable (refer to C5).

5-28  C h a pte r 5  Audit Evidence

•  Variance and percentage change, the calculated difference between the prior-year and current-year balances. •  The cross-reference to the working paper where supporting documentary evidence is kept for each balance (e.g., C02). The final section of the lead working paper includes any relevant background information about the account and comments based upon completed testing. The second working paper example relates to accounts receivable and would be found in the “E” section of the audit file (see Illustration 5.9). As noted before, in the top left corner are the client name, period-end, and currency unit ($000). In the top center are the working paper reference (E02) and title (confirmations and related alternative procedures). The upper-right corner of the working paper shows who performed and who reviewed the audit procedures. Next, the date of the interim confirmation is noted. In this case, the confirmation was conducted for the accounts receivable balance at two months prior to year-end. The balance in the accounts receivable account on that date is noted ($9,500) and cross-referenced to the accounts receivable subsidiary ledger (SL) and another part of the accounts receivable section of the audit file (E03). Receivable balances for a sample of customers were confirmed as of October, 31, 2022. The date the confirmations were sent is then noted. The first request was sent on November 5, 2022, and a second request was sent on December 10, 2022, to customers that did not reply to the first request. The table contains details of the customers who were sent confirmation requests. (This working

illustration 5.9   Working paper example—Confirmations and related alternative procedures Client: New Millennium Ecoproducts E02– CONFIRMATIONS AND RELATED ALTERNATIVE PROCEDURES

Period-end: 12/31/2022 Currency unit: $000

Confirmation/Interim date

10/31/2022

AR as of confirmation date

$9,500

SL/E03

Bell & Bowerman, LLP

Prepared by:

DM 12/14/2022

Reference: E02

Reviewed by:

SO 12/17/2022

Reviewed by:

MM 12/19/2022

Date 1st request sent

11/5/2022

Date 2nd request sent

12/10/2022

Alternative procedures in case of no response or variance Balance per customer as of confirmation Date date Received [B] TM/Ref

Account or invoice number

Customer name

Balance as of confirmation date [A]

TM/Ref

123456

Greenwash

$2,000

SL

654321

EcoFriend

$545

SL

789789

BigSupa

$6,000

SL

11/19/2022

$6,000

E02.2



987654

Cleanair

$500

SL

11/20/2022

$450

E02.3

$50

11/28/2022

$2,000

E02.1

Variance [A – B]

Subsequent cash receipts [C]

Date or source

Alternative procedures other than subsequent cash receipts Total TM/Ref [D] TM/Ref [C + D] Comments

– $545

– $400

11/18/2022



$145

β

$545 –

$50



11/1/2022



$50 –

Key to audit tick marks (TM): ✓ Agrees to check copy/remittance advice, which indicates invoice was paid subsequent to the confirmation date. β Agrees to shipping reports signed by external carriers, which indicates item was shipped prior to the confirmation date. SL Agrees to subledger—accounts receivable. Comments: • A: OK payment made by customer prior to the confirmation date, but received by the client just after confirmation date. This timing difference does not affect the existence of receivables as of the end of October.

A

  Documentation—Audit Working Papers  5-29

paper shows audit work for only a few customers, just to provide an example.) The table documents: •  The account or invoice number per the accounts receivable subsidiary ledger (SL). •  The customer name per the accounts receivable subsidiary ledger (SL). •  The balance at confirmation date per the accounts receivable subsidiary ledger (SL). •  The date the auditor received a response from the customer. •  The balance outstanding at the confirmation date according to the customer correspondence (filed and cross-referenced E02.1, E02.2, E02.3). •  Any variance between the client records and the customer correspondence, which is calculated and listed by the auditor. •  An explanation of alternative procedures used when a customer has not responded or if the customer’s response varies from the client’s records. The table also includes several tick marks (✓, β) that cross-reference to explanatory comments by the auditor at the bottom of the page. In this case, the tick marks ✓ and β refer to audit procedures performed on customers EcoFriend and Cleanair that are explained at the bottom of the working paper. The following discussion interprets the audit work documented on this working paper. The table shows the following audit work was performed to evaluate the appropriateness of the accounts receivable balances for four customers that were selected for confirmation. •  Customer Greenwash confirmed the balance owed to NME as $2,000. •  No response was received from EcoFriend. The auditor determined that EcoFriend paid $400 on November 18, 2022, and also vouched the remaining balance to underlying shipping documents that shows the goods had been shipped and title had passed to Eco­ Friend prior to the confirmation date. With this evidence, the auditor determined that $545 was the correct receivable balance as of the confirmation date. •  Customer BigSupa confirmed the balance owed to NME as $6,000. •  Customer Cleanair confirmed it owed $450 to NME. The variance of $50 represented a cash receipt on November 1, 2022, that was likely in the mail to NME prior to October 31, 2022. The bottom part of the working paper includes the auditor’s comments related to the last customer, Cleanair. The auditor concluded the timing difference did not affect the existence of a receivable as of the end of October.

Cloud 9 - Continuing Case The first major item in the current file for Cloud 9 is the audit plan with the detailed audit program. The current file also contains documentation for every test performed during the audit. Ian is still struggling with how to correctly complete the papers. He often forgets to complete all the relevant fields and Sharon

and Josh are continually sending papers back to him with requests to clarify some of his comments. However, embedding the working papers in Excel has made life easier, because an error message will be generated if certain key fields are not completed.

Before You Go On 5.1  What is a current file? 5.2  What is a permanent file and how does it relate to a current year’s audit? 5.3  What will an auditor document during the risk assessment phase of the audit?

5-30  C h a pte r 5  Audit Evidence

Learning Objectives Review 1  Define management assertions about classes of

transactions, account balances, and presentation and disclosure. When preparing the financial statements, management will make assertions about each account and related disclosures in the notes. Auditors use these assertions to assess the risk of material misstatement and design audit procedures. The assertions used when considering classes of transactions and events are occurrence, completeness, accuracy, cutoff, and classification. The assertions used when considering account balances at period-end are existence, rights and obligations, completeness, and valuation and allocation. The assertions used when considering presentation and disclosure are occurrence and rights and obligations, completeness, classification and understandability, and accuracy and valuation. The auditors will determine the relevant assertions for significant accounts and transactions to plan the audit procedures used to gather evidence. 2  Discuss the characteristics of audit evidence. Sufficient appropriate evidence is a core concept in auditing. Sufficient relates to the quantity and appropriate relates to the quality of audit evidence gathered. For evidence to be of high quality, it must be both relevant and reliable. The audit risk model impacts the quality and quantity of evidence to be gathered. For high risk assertions, auditors may increase the quantity and quality of evidence gathered. For low risk assertions, auditors may modify the quantity and quality of evidence gathered. Ultimately, the determination of sufficient appropriate evidence is a matter of professional judgment. 3  Apply the procedures for gathering audit evidence,

including the use of audit data analytics. Audit procedures are the specific methods used by auditors to gather evidence to support management assertions. The audit procedures are inspection of documents (including vouching and tracing), observation, inquiry, confirmation, recalculation, reperformance, analytical procedures, scanning, and audit data analytics (ADA). These

procedures can be used during risk assessment, for testing of controls, and as substantive tests of account balances, transactions, and disclosures. 4  Evaluate when it is appropriate for auditors to use

the work of others. In some situations, the audit team will rely on the work of others during the risk assessment and/or risk response phase of the audit. A specialist with expertise in a field other than accounting or auditing may be used by the auditors to assist in obtaining sufficient appropriate audit evidence. If the client has an internal audit function, the auditors may use the work of the internal auditors and/or obtain direct assistance from the internal auditors to carry out audit procedures that the external auditors would normally do themselves. A group auditor may need to use the work of a component auditor when their client operates in a number of locations or has subsidiaries spread around the country or the globe. In all cases when using the work of others, the auditors should first assess the objectivity, competence, and capability of the individuals or firms that will be used. 5  Document the details of evidence gathered in work-

ing papers. Audit evidence is documented in an auditor’s working papers. Audit working papers include the client’s name, the period under audit, a title describing the contents of the working paper, a file reference indicating where the working paper fits in the audit file, the initials identifying the preparer of the working paper together with the date the working paper was prepared, the initials identifying the reviewer(s) of the working paper together with the date(s) the working paper was reviewed, and cross-referencing between working papers indicating where further work and evidence are summarized elsewhere. Working papers are stored in either the permanent file or the current file. The permanent file includes client information and documentation that apply to multiple audits. The current file includes client information and documentation that apply to the current year’s audit.

Key Terms Review Accounting records Analytical procedures Appropriate Assertion Audit data analytics (ADA) Audit evidence Audit program Bank confirmation Component

Component auditor Current file External confirmation Group audit Group engagement partner Group engagement team Group financial statements Inquiry Inspection

Internal auditors Lead schedule Negative confirmation Observation Permanent file Positive confirmation Recalculation Receivable confirmation Relevance

  Audit Decision-Making Example  5-31 Relevant assertion Reliability Reperformance Scanning

Specialist Sufficient Tracing

Visualization Vouching Working papers

Audit Decision-Making Example Background Information You have been assigned to the audit of a new client, Acadian Chemicals (AC), headquartered in southern Louisiana. AC produces a product called carbon black. It is a black powder that is used in making other products, such as toner for printers/copy machines and vehicle tires. The powder is produced in four different grades, from very fine powder to coarser powder. The finished powder is stored in a large silo that has four compartments for the four different grades of powder. The silo is about two stories tall and can store a maximum of 700,000 pounds of powder. The bottom of the silo can be opened to fill 20-pound bags, 50-pound sacks, or entire train cars so the powder can be shipped to customers for further refinement into other products. The 20-pound bags and 50-pound sacks are stored in a large warehouse located on the production premises. You have toured the production facility and have seen the warehouse and the storage silo. There are no windows in the silo to see how much powder is inside, and no lighting inside of the silo. At the top of the silo, there is a lid for each compartment that can be opened, but when you look in, all you see is darkness. At any given time during the year, about 40% of AC’s inventory is stored in the silo, waiting to be packaged and shipped. The production facility operates continuously, 24 hours a day, 7 days a week.

Identify the Audit Issue One of the issues here is determining what assertion is most at risk with the inventory that is stored in the silo. Another issue is determining what audit procedures to use to gather sufficient appropriate evidence regarding the inventory that is in the silo.

Gather Information and Evidence Important information includes: •  A material portion (40%) of the inventory is stored in the silo; therefore, it should be audited. However, there is no way to see how much is actually in the silo. •  Since the production facility operates continuously, there is always powder being loaded into at least one compartment of the silo. It is not possible to stop production for purposes of determining what is in the silo. Even if production could be stopped, it is still not possible to see what or how much is in the silo. •  Fraud risk may be high because AC management could lie about how much is in the silo in an effort to overstate inventory. Management could also put something different in the silo, such as sand, thereby providing false information about the silo’s contents.

•  Risk of theft of the powder is low because it is not a product that is easy to steal or in demand (unlike jewelry or cars). •  The client has a method of determining how much is in the silo. The client uses a “strapping tool” to measure the empty part of the silo. The strapping tool is basically a tape measure on a reel with a weight on the end of the tape measure. From the top of each compartment of the silo, the client lowers, or reels, the tape measure down into each compartment. When the weight on the end of the tape hits the powder, the client stops reeling and looks at the measurement on the tape. Essentially, the client is measuring the empty part of the compartment. Once the measurement is obtained, it is entered into a client-prepared spreadsheet that contains a formula. The total volume of the silo, minus the strapping tool measurement (converted into a volume amount), equals an estimate of volume of powder in the silo.

Analysis and Evaluation of Alternatives Analysis of risk and alternatives: •  Risk of material misstatement is high for the existence assertion of powder stored in the silo. •  Visually observing the amount of inventory in the silo is not possible in this situation. However, you can reperform the client’s procedure of using the strapping tool to measure the empty part of the tank, and then use the client’s spreadsheet formula to determine the volume of powder in the silo. •  You may consider hiring a specialist to assist in the observation of inventory in the silo. The specialist can also inspect the client’s spreadsheet formula to ensure it is mathematically reasonable and consistent with what is used in the industry.

Audit Conclusion Since AC is a new client with a unique inventory situation, your firm will hire a specialist in the carbon black industry to perform procedures on the client’s spreadsheet and measurement process for inventory in the silo. The specialist will summarize his or her findings in a report that will be included in the audit documentation for AC. If the specialist determines that AC’s procedures are reasonable and consistent with the industry, then the specialist probably will not be needed for future audits unless the client’s process for storing the powder changes significantly.

5-32  C h a pte r 5  Audit Evidence

CPAexcel CPAexcel questions and other resources are available in WileyPLUS.

Multiple-Choice Questions 1.  (LO 1)  The three categories of management assertions are: a.  journal entries, ledgers, and trial balances. b.  journal entries, account balances, and financial statements. c.  transactions, ledgers, and account balances. d.  classes of transactions, account balances, and presentation and disclosure. 2.  (LO 1)  The assertion related to recording transactions in the correct accounting period is: a.  accuracy. b.  completeness. c.  cutoff. d.  occurrence. 3. (LO 1)  A detailed listing of the specific audit procedures to be used to gather evidence for an account is called the: a.  permanent file. b.  audit strategy. c.  audit program. d.  accounting records. 4. (LO 2)  The quantity of evidence that an auditor will gather: a.  varies with the assessed risk of material misstatement. b.  is the same for most audits because it has to be appropriate. c.  depends on the size of the audit team. d.  is the same for clients in the same industry. 5. (LO 2)  Which is generally the most reliable form of evidence? a.  Internally generated evidence from the client’s IT system. b.  Internally generated evidence based on discussions with upper management. c.  Externally generated evidence held by the client. d.  Externally generated evidence sent directly to the auditor. 6. (LO 3)  An external confirmation sent to a bank: a.  requests information about the bank balances and loan amounts. b.  requests information about interest rates paid on deposits and charged on loans. c.  is relevant to the audit of interest revenue and expense. d.  All of these answer choices are correct. 7. (LO 3)  When an auditor inspects a tangible asset to support a balance in the client’s records, the auditor is gathering evidence to support the: a.  completeness assertion. b.  existence assertion. c.  valuation and allocation assertion. d.  rights and obligations assertion.

8. (LO 3)  When an auditor inspects loan documentation and ­traces the details to recording in the client’s records, the auditor is gathering evidence to support the: a.  completeness assertion. b.  existence assertion. c.  valuation and allocation assertion. d.  rights and obligations assertion. 9. (LO 3)  Which audit procedure is being used when an auditor checks the calculations in a client-prepared spreadsheet? a.  Analytical procedure. b.  Recalculation. c.  Reperformance. d.  Scanning. 10. (LO 4)  If a specialist is engaged to assist with the audit: a.  it means the auditor does not have the requisite skill and knowledge to assess the item. b.  it means the auditors should not have taken on the audit because they are not qualified. c.  the PCAOB must be contacted and permission obtained before the specialist starts work. d.  the auditor does not have to take responsibility for the fair presentation of the item in the financial statements. 11. (LO 4)  Before the external auditors decide to use the work performed by the internal auditors, the external auditors must first assess: a.  the size of the internal audit function relative to the client. b.  the independence of the internal auditors. c.  the supervision skills of the internal audit function. d.  t he competence and objectivity of the internal audit function. 12. (LO 5)  The working papers for a client contain both a permanent and a current file. The difference between the two files is that: a.  the permanent file is kept by the audit partner in charge and cannot be altered after the first audit engagement is com­ pleted, but the current file can be updated. b.  the copy of the permanent file must be sent to a regulator (PCAOB or State Board of Accountancy) and the current file is not. c.  the permanent file includes documents that relate to the client and are relevant for more than one year’s audit, and the current file includes the details of work completed and evidence gathered that relate to the current year’s audit. d.  the permanent file cannot be altered, but the current file can be altered.

 Analysis Problems  5-33

Review Questions R5.1  (LO 1)  Are financial statements considered statements of fact? Discuss in the context of management assertions.

R5.7  (LO 3)  Differentiate between recalculation and reperformance, and provide an example of each.

R5.2  (LO 2)  Explain why the quality of audit evidence is determined by the choice of audit procedure and the assertion most at risk of material misstatement.

R5.8  (LO 4)  If an auditor does not have sufficient knowledge and skill in an area, the auditor can ask for the assistance of a specialist. Does this create a problem? Explain how an auditor knows if the specialist’s work is reasonable if the auditor is not also a specialist.

R5.3  (LO 2)  Discuss why an auditor must consider the reliability of audit evidence. R5.4  (LO 3)  Explain how inspecting a client’s tangible assets provides evidence about the completeness and existence assertions.

R5.9  (LO 4)  Describe the general composition of an external audit team. Discuss whether a client’s internal auditors can be part of the external audit team.

R5.5  (LO 3)  Differentiate between the “occurrence” and “existence” assertions. How do both differ from “completeness”?

R5.10  (LO 4)  Provide examples of situations in which an auditor would use the work of a component auditor.

R5.6  (LO 3)  List and describe the procedures for gathering audit evidence. At which stage(s) of the audit is each procedure appropriate?

R5.11  (LO 5)  List some key elements that would be included in any working paper document.

Analysis Problems AP5.1  (LO 1)  Basic   Assertions at risk  The inventory of a large grocery store client is material, and it is the largest current asset on the balance sheet. The cost of inventory items ranges from very small amounts (like individual candy at the checkout line) to larger amounts (like prime meat and specialty deli items). Typical risks for a grocery store are theft and spoilage of inventory. During the second quarter, the client caught three employees in a scheme of stealing produce and meats from the store and selling them, at a discount, to friends and family. Based on an investigation by authorities and store management, the scheme had been operating for about two months.

Required Based on the information, evaluate which accounts and assertions are at risk of misstatement. AP5.2  (LO 1)  Basic   Assertions at risk  Davis Do-It-Center (Davis) is a local hardware store with five locations in southern Georgia. The company has been operating for over 70 years. In the last 15 years, the two owners, who are brothers, have been working hard to transition from manual processes to electronic systems. Recently, one of the store managers had to fill in at the checkout register, which uses a scanning system to capture the sales price of each item, and noticed that the scanned sales prices of some items were incorrect. The manager alerted one of the brothers about the issue. Upon further investigation, this brother discovered that the scanning system was pulling sales prices from outdated price lists for three inventory categories: lawn and garden, plumbing, and paint supplies.

Required Based on the information, evaluate which accounts and assertions are at risk of misstatement. AP5.3  (LO 1, 2)  Moderate   Assertions and evidence  Propel Equipment rents heavy equipment, such as cranes, bulldozers, and dump trucks, to industrial contractors. One of Propel’s larger expenses is repairs and maintenance on the rental equipment. The company’s policy is to capitalize repairs that improve the useful life or increase the operating efficiency of the equipment. Routine repair and maintenance costs should be expensed as incurred. Business has been slow for the last two quarters, so Propel is taking advantage of the “down time” to catch up on repair and maintenance items. Propel’s auditors have completed their risk assessment procedures and noted the increased activity with repairs and maintenance. Since business is slow, auditors also noted there is increased risk that management may try to understate expenses to inflate profit.

Required a.  If Propel management incorrectly capitalizes repairs and maintenance expenses, evaluate which accounts and assertions are at risk of misstatement. b.  If auditors determine there is increased risk for understatement of expenses, how does that impact the sufficiency and appropriateness of the audit evidence?

5-34  C h a pte r 5  Audit Evidence AP5.4  (LO 1, 2, 3)  Moderate   Types and persuasiveness of audit evidence  Jenna is working on the audit of a client’s accounts receivable. During the last few weeks, she has conducted interviews with the accounts receivable manager, the chief financial officer, and staff working in the accounts receivable department. She has overseen the external confirmations of accounts receivable, 30% of which required the recipient to respond whether or not the amount stated was correct. Jenna also inspected subsequent cash receipts from the client’s customers. She vouched a sample of accounts receivable balances back to the underlying invoices, cash receipts and sales returns, and traced a sample of these documents to the accounts receivable ledger.

Required a.  List the audit procedures used by Jenna to gather evidence and comment on the reliability of the evidence. b.  Relate each type of evidence to the relevant accounts receivable assertions. AP5.5  (LO 1, 2, 3)  Moderate   Audit evidence  James Thomas is responsible for preparing bank reconciliation statements at Ajax Inc. Ajax has many bank accounts, including separate accounts for each major branch, accounts for payments of salaries and dividends, and accounts kept in foreign currency for overseas divisions. James maintains records including bank statements and weekly bank reconciliations for each account. In addition, there are files containing correspondence with banks about disputed transactions, dishonored checks from Ajax’s customers, and other bank-initiated transactions such as fees and interest.

Required a.  Comment on the appropriateness of the evidence in James’ files for Ajax’s financial statement audit. b.  Explain how an auditor would obtain more appropriate evidence for the relevant assertions for the bank accounts at Ajax. AP5.6  (LO 1, 2, 3)  Basic   Audit evidence  An audit associate is preparing an audit program for the audit of a client’s revenue transactions. To gather evidence in support of the occurrence assertion, the associate included the following audit procedure in the audit program: Select a sample of authorized shipping documents and approved customer orders and trace them to recording in the sales journal.

Required a.  Evaluate the relevance of the procedure in addressing the occurrence assertion. b.  Comment on the reliability of the evidence gathered using the procedure. AP5.7  (LO 1, 2, 3)  Moderate   Audit evidence  An audit associate is preparing an audit program for the audit of a client’s inventory purchases transactions. To gather evidence in support of the cutoff assertion, the associate included the following audit procedure in the audit program: Select a sample of receiving reports in the warehouse for three days before and after year-end and inspect related journal entries in inventory/accounts payable to determine that purchases were recorded in the proper period.

Required a.  Evaluate the relevance of the procedure in addressing the cutoff assertion. b.  Comment on the reliability of the evidence gathered using the procedure. AP5.8  (LO 1, 2, 3)  Basic   Audit evidence  An audit associate is preparing an audit program for the audit of a client’s allowance for doubtful accounts. To gather evidence in support of the valuation assertion, the associate included the following audit procedure in the audit program: Confirm accounts receivable by sending positive confirmations to a sample of customer account balances.

Required a.  Evaluate the relevance of the procedure in addressing the valuation assertion. b.  Comment on the reliability of the evidence gathered using the procedure. AP5.9  (LO 1, 2, 3)  Challenging   Gathering evidence  Max Crowe is an associate auditor who has just started with the team conducting the audit of a new client in the construction industry. Max is shadowing Susan Wong, an experienced auditor. Susan is showing Max how to be a member of an audit team and is trying to teach Max about the benefits of getting to know the client. Susan is also trying to help Max develop experience in picking up subtle signals about the client’s problems and what the client might be trying to hide from the auditor.

 Analysis Problems  5-35 Max is getting a little frustrated with the “shadowing” assignment. He cannot understand why Susan is spending so much time talking to the client’s staff and touring the various construction sites and offices. When Susan is not doing this, she is working on a spreadsheet of the client’s previous financial statements and unaudited interim data. Max wants to know when they are going to do some “real” work and start gathering audit evidence. Susan tells Max that they have already started.

Required a.  Discuss Susan’s comment that they have already started the audit. What evidence have they gathered so far? b.  Explain what work is being done with the spreadsheets of financial data. Give some specific examples for this client. How is this type of work relevant to different phases of the audit? c.  When Susan is touring the client’s premises, she is taking notes of equipment and furniture she sees, especially anything that looks either newly purchased or older and unused. Explain why she is doing this. AP5.10  (LO 4)  Moderate   Using the work of internal auditors  Theobald Inc. has an internal audit department that primarily focuses on audits of the efficiency and effectiveness of its production departments. The other main role of the internal audit department is auditing compliance with various government regulations surrounding correct disposal of waste and storage of raw materials at its five factories. Theobald’s internal audit department is run by Harry Potts, a CPA and a member of the Institute of Internal Auditors. There are three other members of the department, all of whom have experience in performance auditing and, in addition, have completed industry-run training courses in waste management and handling dangerous goods. Harry meets regularly with the chief production manager and sends monthly reports to the CEO and the board of directors. Your initial investigations suggest that Harry is highly regarded within Theobald, and his reports are often discussed at board meetings. In most cases, the board authorizes the actions recommended in Harry’s reports with respect to major changes to production and logistics.

Required Evaluate the extent of reliance the external auditor should place on the work of the internal audit department at Theobald Inc. Explain the likely impact of the internal audit department’s work on the audit plan. AP5.11  (LO 4)  Challenging   Research   Using a specialist  SolarTubeGen is a start-up company in the renewable energy sector. The founder of SolarTubeGen, Fritz Herzberg, has developed cutting-edge technology to convert the energy in the sun’s rays to electricity via a novel system of mirrors designed to focus the sun’s rays onto tubes containing a patented type of gas, which then heats and expands to drive turbines. Ramirez & Walker LLP has won the contract for the first audit of SolarTubeGen on the basis of its expertise in the energy sector. However, the lead partner, Mark Ramirez, recognizes the success of the audit is dependent on the correct assessment of the technology being used at SolarTubeGen. Mark specified in the successful audit bid documents that the audit will use an external specialist to help with valuation of the company’s assets. Fritz Herzberg is very protective of his company’s intellectual property and is resistant to Mark’s first suggested specialist, Manfred Hamburg. Fritz believes that Manfred Hamburg is hostile toward him because they clashed when they both worked for a German company making photovoltaic cells in the 1990s. Fritz has suggested another specialist, Lily Beilherz, with whom he has had good working relations over the last 20 years.

Required a.  Advise Mark Ramirez about the choice of a specialist for the audit of SolarTubeGen. What must he consider when making his choice? Refer to AU-C 620 Using the Work of an Auditor’s Specialist to support your answer. (ASB standards can be accessed at www.aicpa.org/research/ standards.) b.  SolarTubeGen takes over another renewable energy company during the second-year audit. The new subsidiary is based in another country and has previously been audited by a local audit firm. Evaluate how Mark should handle the new audit responsibilities brought about by the client’s ­expansion. AP5.12  (LO 3, 5)  Moderate   Research   Documentation  Jennifer Jones is reading documents prepared by the members of the team working on the audit of receivables for a private company audit client. Jennifer is the senior manager assisting the engagement partner, Ruby Rogers. Jennifer and Ruby have worked together on many audits, and Jennifer knows the types of questions Ruby will ask about the working papers if they are not up to the standard required by AU-C 230. Jennifer is trying to make sure that all documents are up to the required standard before Ruby sees them tomorrow. Jennifer is particularly concerned about the documents relating to the receivable confirmations. This is because the audit assistant who wrote the confirmation results recommended that no further work was required. On review of the results, Jennifer discovered the audit assistant had incorrectly

5-36  C h a pte r 5  Audit Evidence treated “no reply” results as acceptable for a positive confirmation, when they are acceptable only for a negative confirmation. Jennifer had ordered further work be done to follow up on these “no reply” results.

Required a.  What is the minimum standard that audit documentation must meet? b.  Propose how you would treat the corrections made to the audit assistant’s recommendations and the additional work on receivable confirmations in the working papers. Refer to both AU-C 505 External Confirmations and AU-C 230 Audit Documentation in your answer. AP5.13  (LO 4, 5)  Challenging   Fraud   Public Company   Research   Overstating revenue— Satyam Computer Services, Ltd  In April 2011, the SEC charged Satyam Computer Services Ltd., an India based-company, with fraudulently overstating the company’s revenue, income, and cash balances by more than $1 billion over five years. The SEC also sanctioned the company’s auditors for conducting deficient audits that allowed the fraud to go undetected for years. The auditors were five India-based affiliates of PricewaterhouseCoopers (PwC). The SEC stated that “PW India’s failure to properly execute third-party confirmation procedures resulted in the fraud at Satyam going undetected for years.”15

Required a.  Go to www.sec.gov and research the Satyam fraud scandal. Briefly summarize the fraud, such as the time period over which it took place, who was involved, and how it was conducted. b.  Go to www.pcaobus.org and search for PCAOB Release No. 105-2011-002. Summarize the audit deficiencies noted by the PCAOB in the audit of the cash and receivables balances. Also summarize how the auditors violated Auditing Standard No. 3 Audit Documentation. (Note that the Auditing Standards have since been reorganized. The documentation standard is now AS 1215.) What penalties/ punishment was levied on the PwC affiliate firms?

Audit Decision Cases King Companies, Inc. Questions C5.1 and C5.2 are based on the following case. King Companies, Inc. (KCI) is a private company that owns five auto parts stores in urban Los Angeles, California. KCI has gone from two auto parts stores to five stores in the last three years, and it plans continued growth. Eric and Patricia King own the majority of the shares in KCI. Eric is the chairman of the board of directors and CEO of KCI, and Patricia is a director as well as the CFO. Shares not owned by Eric and Patricia are owned by friends and family who helped the Kings get started. Eric started the company with one store after working in an auto parts store. To date, he has funded growth from an inheritance and investments from a few friends. Eric and Patricia are thinking about expanding by opening three to five additional stores in the next few years. KCI employs 20 full-time staff. These workers are employed in store management, sales, parts delivery, and accounting. About 40% of KCI’s business is retail walk-in business, and the other 60% is made up of regular customers for whom KCI delivers parts to their locations and bills these customers on account. During peak periods, KCI also uses part-time workers. As part of gaining an understanding of KCI, you inspect (1) the accounts receivable trial balance that lists amounts owed by each customer and (2) an aging of accounts receivable schedule. One customer, Tire Repair Specialists (TRS), has a large material balance that is more than 90 days past due. You discuss the TRS balance with Jonathan, one of KCI’s accounting staff, and he says there are rumors that TRS is having serious financial difficulty. Jonathan says no adjustment or allowance has been made regarding the TRS account. You just completed a continuing professional education (CPE) course at your firm, Thornson & Danforth, about audit documentation. AU-C 230 has specific requirements about documenting audit work. In particular, paragraph 9 states: “In documenting the nature, timing and extent of audit procedures performed, the auditor should record: a.  the identifying characteristics of the specific items or matters tested; b.  who performed the audit work and the date such work was completed; and c.  who reviewed the audit work performed and the date and extent of such review.” 15

Securities Exchange Commission (SEC), “SEC Charges India-Based Affiliates of PWC for Role in Satyam Accounting Fraud,” Release 2011-82 (April 5, 2011), www.sec.gov.

 Audit Decision Cases  5-37 In addition, paragraph 11 states: “The auditor shall document discussions of significant findings or issues with management, those charged with governance, and others, including the nature of the significant finding or issues discussed, and when and with whom the discussions took place.” C5.1  (LO 1)  Moderate   Assertions at risk  Analysis and evaluation: Based on the information, evaluate which accounts and assertions are at risk of misstatement. C5.2  (LO 5)  Moderate   Documentation  Analysis: Describe how you would apply the mandatory requirements of AU-C 230 when documenting your understanding related to the potential bad debt.

Mobile Security, Inc. Question C5.3 is based on the following case. Mobile Security, Inc. (MSI) has been an audit client of Leo & Lee, LLP for the past 12 years. MSI is a small, publicly traded aviation company based in Cleveland, Ohio, where it manufactures hightech unmanned aerial vehicles (UAV), also known as drones, and other surveillance and security equipment. MSI’s products are primarily used by the military and scientific research institutions, but there is growing demand for UAVs for commercial and recreational use. MSI must go through an extensive bidding process for large government contracts. Because of the sensitive nature of government contracts and military product designs, both the facilities and records of MSI must be highly secured. MSI has a small internal audit department that is led by Lorenzo Mandella, a former audit senior of Leo & Lee who worked on the MSI audit. Lorenzo never took the time to sit for the CPA exam and therefore was not able to advance to manager at Leo & Lee. He was thankful that the opportunity at MSI became available. Lorenzo was hired by MSI five years ago as MSI’s first internal auditor. He was tasked with establishing the internal audit function and hiring more internal audit staff as needed. Over the past five years, he has hired three additional internal audit staff. Two of his staff are CPAs and one is a certified internal auditor (CIA). The two CPAs have 2-3 years of external audit experience from working at a mid-size public accounting firm. The CIA is a recent college graduate whose only work experience was an internal audit internship for a health insurance company. On a day-to-day basis, Lorenzo works closely with the CFO and other accounting personnel as part of internal control monitoring. The CFO will ask Lorenzo’s group to perform audits of accounts if errors are suspected. Lorenzo reports to the audit committee as needed, particularly if there are issues with internal controls that the audit committee should be made aware of. Lorenzo and the rest of his group do not have any managerial duties outside of their internal audit role. C5.3  (LO 4)  Moderate   Public Company   Research   Considering the work of internal 

auditors  Analysis and evaluation: Using AS 2605 as a guide, discuss how Leo & Lee would evaluate the internal audit function of MSI. Based on the information, make a decision regarding the use of MSI’s internal auditors and defend your decision. (PCAOB auditing standards can be accessed at www.pcaobus.org.)

Brookwood Pines Hospital Question C5.4 is based on the following case. Goodfellow & Perkins LLP is a successful mid-tier accounting firm with a large range of clients across Texas. During 2022, Goodfellow & Perkins gained a new client, Brookwood Pines Hospital (BPH), a private, not-for-profit hospital. The fiscal year-end for BPH is June 30. Goodfellow & Perkins is performing the audit for the fiscal year-end June 30, 2023. BPH provides medically necessary care to patients, regardless of their ability to pay. Both uninsured and underinsured patients are offered discounts of up to 100% of charges based on their income as a percentage of the federal poverty level guidelines. BPH does not pursue collection of these accounts; therefore, they are not reported in patient service revenue and accounts receivable. The cost of providing the charity care is included in operating expenses. BPH’s investments consist of mutual funds, common equities, corporate and U.S. government debt issues, state and municipal government debt issues, and trusts. A majority of the investments are the result of charitable contributions to the hospital by generous donors. Earnings from the investments are used to cover the costs of the charity care. BPH is also eligible for certain government grants to help cover the costs of the charity care.

5-38  C h a pte r 5  Audit Evidence The breakdown by payor of BPH’s accounts receivable balance approximates the following:

Medicare

16%



Medicaid

12%



Blue Cross

19%



Other insurance providers

33%



Patients

20%

The historical estimated allowance for uncollectible accounts is approximately 23%. The following table lists selected asset accounts for BPH as of June 30, 2023 and 2022 (amounts in thousands). Account Cash and cash equivalents Short-term investments

June 30, 2023

June 30, 2022

$   43,077

$   36,361

22,725

49,338

119,380

99,962

10,740

10,056

915,088

807,321

57,839

58,140

  Buildings

577,546

556,590

  Equipment and furniture

194,481

169,603

  Construction in progress

89,890

58,290

919,756

842,623

Accumulated depreciation

343,324

303,642

Property and equipment, net

576,432

538,981

Patient accounts receivable, net Inventory Long-term investments Property and equipment:   Land

Total current assets Total assets

233,286

225,962

1,787,720

1,618,698

C5.4  (LO 1, 2, 3)  Challenging   Assertions and audit procedures  Analysis: Select three asset accounts that you consider significant accounts for BPH and explain why they are significant. For each significant account that you identify, determine the two most relevant assertions for that account and select one audit procedure that would provide sufficient appropriate audit evidence related to each of the relevant assertions.

Cloud 9 - Continuing Case W&S Partners will need the assistance of auditors in Vietnam and a derivatives specialist to complete the Cloud 9 audit. The other auditors will be asked to provide evidence about the inventory shipped to the United States from the production plant in Vietnam and about the property, plant, and equipment at the Vietnam plant. Although the inventory is sent FOB shipping point, there have been several occasions when the shipping agent was unable to place the inventory on a ship. In these cases, the inventory was stored in the shipping agent’s warehouse until a vessel became available. Suzie has some concerns about the quality of the warehouses because if the goods are damaged they could become worthless, and the value of goods in transit will be overstated. In addition, Josh has asked Jo Wadley (the partner) for help in choosing a specialist to help with valuation aspects of the audit of derivatives. Jo has provided him with three names of specialists in the field, but she has had no personal experience with any of them. Josh must make a choice and engage the specialist soon to be sure the specialist’s opinion will be received in time to complete the audit.

Answer the following questions based on the information presented for Cloud 9 in the appendix to this text and the current and earlier chapters. You should also consider your answers to the case study questions in earlier chapters.

Required a. Access AS 1205 Part of the Audit Performed by Other Independent Auditors at www.pcaobus.org. Explain the procedures that W&S Partners must complete before engaging other auditors to perform the work on the inventory and property, plant, and equipment in Vietnam. Cite the audit standard in your response. b. Access AS 1210 Using the Work of a Specialist at www.pcaobus. org. Advise Josh on engaging the derivatives specialist. Discuss the qualities the specialist must possess. What must the specialist provide to Josh so that he can be sure he has sufficient appropriate evidence about the derivatives? What steps must Josh perform? Cite the audit standard in your response.

Chapter 6 Gaining an Understanding of the Client’s System of Internal Control The Audit Process Overview of Audit and Assurance (Chapter 1) Professionalism and Professional Responsibilities (Chapter 2) Client Acceptance/Continuance and Risk Assessment (Chapters 3 and 4) Identify Significant Accounts and Transactions Make Preliminary Risk Assessments

Set Planning Materiality

Gaining an Understanding of the System of Internal Control (Chapter 6)

Audit Evidence (Chapter 5)

Develop Responses to Risk and an Audit Strategy

Performing Tests of Controls (Chapter 8)

Performing Substantive Procedures (Chapter 9) Audit Sampling for Substantive Tests (Chapter 10)

Auditing the Revenue Process (Chapter 11)

Auditing the Purchasing and Payroll Processes (Chapter 12)

Audit Data Analytics (Chapter 7)

Gaining an Understanding of the Client

Auditing the Balance Sheet and Related Income Accounts (Chapter 13)

Completing and Reporting on the Audit (Chapters 14 and 15) Procedures Performed Near the End of the Audit

Drawing Audit Conclusions

Reporting

6-1

6-2  Ch a pte r 6   Gaining an Understanding of the Client’s System of Internal Control

Learning Objectives LO 1  Define internal control and describe the COSO framework.

LO 5  Discuss the different techniques used to document internal controls.

LO 2 Explain and evaluate internal controls at the entity level.

LO 6 Explain the importance of identifying strengths and weaknesses in a system of internal control.

LO 3 Explain and evaluate internal controls at the transaction level.

LO 7 Explain how to communicate internal control weaknesses to those charged with governance.

LO 4 Explain and evaluate information technology (IT) controls.

Auditing and Assurance Standards PCAOB

Auditing Standards Board

AS 2110  Identifying and Assessing Risks of Material Misstatement

AU-C 265  Communicating Internal Control Related Matters Identified in an Audit

AS 2201 An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements

AU-C 315  Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

Cloud 9 - Continuing Case Sharon Gallagher (audit manager), Josh Thomas (audit senior), Ian Harper, and Suzie Pickering (both audit staff) are meeting to discuss their internal control assessment for Cloud 9. Sharon asks, “What is the purpose of understanding Cloud 9’s system of internal control?” Ian answers, “We need to understand the system in order to issue a report on internal controls over financial reporting.” Sharon responds, “If Cloud 9 were a private company, would we still need to understand the system of internal control?” ­Suzie now jumps into the conversation. “In every audit we need to understand the strengths and weaknesses in an entity’s system of internal control. For Cloud 9, this helps us understand control risk and which internal controls to test. If Cloud 9 were a private ­company, we

would still need to understand the system of internal controls to evaluate control risk and determine audit strategy.” ­Sharon summarizes, “You are right, Suzie. We need to understand internal controls at both the entity level and at the transaction level. This helps us assess risk. We hope to find sound internal control strengths at all levels, so we can test controls and support our opinion on internal controls since it is a public company. However, we should also be alert to any significant deficiencies or material weaknesses in internal controls. Both need to be reported to the board of directors and we need to include a discussion of any material weaknesses in our audit report on internal controls. This process all begins by understanding the internal controls that Cloud 9 has placed in operation.”

Chapter Preview: Audit Process in Focus An integrated audit focuses on internal controls to (1) express an opinion on the effectiveness of internal control over financial reporting (ICFR), and (2) permit the auditor to make judgments about the evidence needed for the financial statement audit. To form an opinion on ICFR, the audit team must obtain an understanding of the entity’s system of ICFR, gather evidence, evaluate the evidence, and verify it against some form of independent reference. The most commonly accepted global framework is the Internal Control—Integrated Framework developed by the Committee of Sponsoring Organizations of the Treadway ­Commission

  Internal Control Defined  6-3

(COSO).1 This framework enables organizations to effectively and efficiently develop systems of internal control. It also provides a common framework for users to understand audits of internal control over financial reporting. When internal controls put in place by management conform to the COSO framework and function effectively, internal control is described as strong. When they do not agree closely to the COSO framework, or they do not operate effectively, the internal control is described as weak. Recall from Chapter 1 that if a public company has one material weakness in ICFR, the company will receive an adverse opinion on ICFR. In audits of private companies, not-for-profit entities, and governments, where the auditor does not have to issue a report on ICFR, the auditor must still understand the system of internal control, evaluate control risk, and assess the impact of internal controls on audit strategy. In this chapter, we begin with a discussion of how the client’s system of internal controls relates to an integrated audit. This involves understanding: •  What is meant by the term internal control. •  The objectives of the internal controls put in place by management. •  The components of internal control (at the entity level and at the transaction level). •  What the auditor should understand about the client’s system of internal control. Next, we focus on information technology (IT) controls and how they work. This chapter concludes with a discussion of identifying strengths and weaknesses in a system of internal control and how weaknesses are communicated to both management and those charged with governance.

Internal Control Defined Lea rning Objective 1 Define internal control and describe the COSO framework. Why is understanding the internal controls of an organization important? It is because when controls are effective, the organization is more likely to achieve its strategic and operating objectives. Internal control is a very broad concept and encompasses all of the elements of an organization—its resources, systems, processes, culture, structure, and tasks. When these elements are taken together, they support the organization’s ability to achieve its objectives. Internal control is defined by COSO as follows: Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the objectives related to operations, reporting and compliance.2 Understanding internal control is important to (1) audit internal controls over financial reporting and (2) make a preliminary assessment of control risk. Control risk is a key component of the overall audit risk assessment and provides evidence that influences the resulting audit strategy developed by the auditor. Both AS 2110 Identifying and Assessing Risks of Material Misstatement and AU-C 315 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement require the auditor to obtain an understanding of an entity’s internal controls. This applies to all audits, including when the auditor of a private company decides that an entirely substantive approach (control risk is assessed at the maximum) is the appropriate response to the risks identified. Understanding an entity’s system of internal control assists the auditor both in identifying the types of misstatements that are likely to occur and the risk of fraud in the financial statement audit. 1

COSO, Internal Control—Integrated Framework (AICPA: Durham, NC, 2013). Ibid.

2

internal control  a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the objectives related to operations, reporting, and compliance

6-4  Ch a pte r 6   Gaining an Understanding of the Client’s System of Internal Control

The COSO Framework

Objectives

Components

m pl ia nc

Control environment Risk assessment Control activities

Entity Division Operating unit Function

Co

tin po r Re

Op er

at io

g

ns

The relationship among the three dimensions of internal control: objectives, components, and organizational structure

e

ILLUSTRATION 6.1  

Organizational structure

The COSO framework has global acceptance and is the most commonly recognized framework for understanding and evaluating a system of internal control. It has three dimensions, as shown in Illustration 6.1. First, the COSO framework discusses the objectives of internal control. Second, the COSO framework discusses important components of internal control. Third, the COSO framework discusses how these objectives and components fit into an organizational structure.

Information and communication Monitoring activities

Objectives of Internal Control The COSO framework depicted in Illustration 6.1 identifies three objectives of internal control that allow organizations to focus on the differing purposes of internal control. These three objectives are: •  Operations objectives. These pertain to the effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss. •  Reporting objectives. These pertain to internal and external financial and nonfinancial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognized standard setters, or the entity’s policies. •  Compliance objectives. These pertain to adherence to laws and regulations to which the entity is subject. (COSO, Internal Control—Integrated Framework, 2013) These three objectives of internal control help the auditor understand why the controls are important and the problems they are designed to prevent. Without understanding the intention of management in implementing internal controls, it is harder to understand how controls prevent, or detect and correct, financial statement misstatements. Management and those charged with governance are concerned about adequately controlling the entity’s ­operations, its financial reporting, and its compliance with laws and regulations. The external auditor, on the other hand, is primarily concerned with the reporting objectives and the ­operations objectives related to safeguarding of assets.

Components of Internal Control The second dimension of the COSO framework depicted in Illustration 6.1 identifies five ­integrated components of internal control: •  Control environment. •  Risk assessment. •  Control activities.

  Internal Control Defined  6-5

•  Information and communication. •  Monitoring activities. Within the five components of internal control, the 2013 COSO framework clearly articulates 17 principles that are essential to evaluating whether the five components of internal control are present and operating effectively. The principles also apply to an entity’s operations, reporting, and compliance internal control objectives. These components and principles are summarized in Illustration 6.2.

Control Environment 1. The organization demonstrates a commitment to integrity and ethical values. 2. The board of directors demonstrates independence from management and exercises ­oversight over the development and performance of internal control. 3.  Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. 4. The organization demonstrates a commitment to attract, develop, and retain competent ­individuals in alignment with objectives. 5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. Risk Assessment 6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. 7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risk as a basis for determining how the risks should be managed. 8. The organization considers the potential for fraud in assessing the risks to the achievement of objectives. 9. The organization identifies and assesses changes that could significantly impact the system of internal control. Control Activities 10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. 11. The organization selects and develops general control activities over technology to support the achievement of objectives. 12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into actions. Information and Communication 13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control. 14. The organization internally communicates information, including objectives and ­responsibilities for internal control, necessary to support the functioning of internal ­control. 15. The organization communicates with external parties regarding matters affecting the functioning of internal control. Monitoring 16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. 17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. (COSO, Internal Control—Integrated Framework, 2013)

illustration 6.2   Seventeen COSO principles of internal control

6-6  Ch a pte r 6   Gaining an Understanding of the Client’s System of Internal Control

Organizational Structure The third dimension of the COSO framework depicted in Illustration 6.1 describes an entity’s organizational structure. While some private companies or not-for-profit organizations may have simple organizational structures, and some multinational organizations have complex organizational structures, the key issue is that some controls are implemented at the entity level, while other controls may be implemented at a division, operating unit, or function level. All three internal control objectives (operations, reporting, and compliance) should be accomplished throughout the organizational structure of the entity. When understanding a client’s system of internal control, the auditor must consider the client’s objectives and the five components of internal control (control environment, risk assessment, control activities, information and communication, and monitoring). Within this context, the auditor must understand the scope of the control implemented by the client and the number of transactions that may be affected by the control implemented by the client. The controls related to financial reporting and to the safeguarding of assets are most relevant to an audit of ICFR as well as to an audit of the financial statements. Other controls related to operations, other types of reporting, and compliance may be relevant when they affect the data or evidence used by the auditor when performing audit procedures.

Inherent Limitations Internal control, no matter how effective, can only provide an entity with reasonable assurance in achieving its financial reporting objectives. For example, people may have effective alarm systems in their homes, but if they are in a hurry and leave the house without activating the alarm system, the control is ineffective. Common inherent limitations in internal control include: •  Ability of management to override internal control. •  Human error that results in a breakdown in internal control. •  Ineffective understanding of the purpose of a control. •  Collusion by two or more individuals to circumvent a control. •  Overriding or disabling a control within a software program. •  Decisions made by management as to the nature and extent of the control it chooses to implement. Another example is a person may receive a daily exception report but not know what to do with it. If potential errors are not investigated and corrected, the programmed control that flags items for review loses its effectiveness.

Before You Go On 1.1  What is the purpose of a system of internal control? 1.2  Why is it important to understand the client’s system of internal control? 1.3  Explain the three objectives of internal control. 1.4  Identify the five components of internal control. 1.5 Explain the relationship between internal control objectives, internal control components, and organizational structure. 1.6  Describe the inherent limitations of internal control.

 Entity-Level Internal Controls  6-7

Entity-Level Internal Controls Lea rning Objective 2 Explain and evaluate internal controls at the entity level. PCAOB AS 2201 describes a top-down approach to understanding internal control over ­financial reporting and selecting which specific internal controls to test. A top-down approach begins by considering what can go wrong in the financial statements. The auditor needs to understand what could go wrong both at the entity and transaction levels, and controls the client may have in place at both levels. Therefore, the auditor focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions. The internal control components listed in Illustrations 6.1 and 6.2, when collectively considered, are often referred to as entity-level controls because each of them exists at an entity (organizational) level rather than at a transactional level. For example, a control ensuring that sales are recorded in the sales ledger is a transaction-level control. A control such as strong tone at the top of the organization emphasizing the importance of internal control is an entity-level control. Gaining an understanding of the entity-level internal control components helps in establishing the appropriate level of professional skepticism; gaining an understanding of the client’s business and financial reporting risks; and making assessments of the risk of material misstatement. Understanding all of these elements determines the nature, timing, and extent of audit procedures. The 17 COSO principles of internal control (see Illustration 6.2) are usually implemented at the entity level. If the entity-­level controls are weak, it is less likely that transaction-level controls will be effective. This section focuses on how the auditor gains an understanding of entity-level controls using the 17 COSO principles as a framework.

entity-level controls  the client’s control environment, risk assessment process, information system, control activities, and monitoring of controls that exist at the organizational level

The Control Environment The control environment sets the tone of an entity and influences the control consciousness of its people. It is the foundation for all other components of internal control and is often thought of as a combination of the culture, structure, and discipline of an organization. It reflects the overall attitude, awareness, and actions of management, the board of directors, any others charged with governance, and owners concerning the importance of controls and the emphasis given to controls in determining the organization’s policies, processes, and organizational structure. The control environment includes the first five principles summarized in Illustration 6.2.

Principle 1. The organization demonstrates a commitment to integrity and ethical values.  Integrity and ethical values are essential elements of the control environ-

ment and affect the design, administration, and monitoring of key processes. Integrity and ethical values are the products of the organization’s ethical and behavioral standards, how the standards are communicated, and how they are monitored and enforced in its business activities. They include management’s actions to remove or reduce incentives, pressures, and opportunities that might prompt personnel to engage in dishonest, illegal, or unethical acts. They also include the communication of the organization’s values and behavioral standards to personnel through policy statements, codes of conduct, and the examples set by management. For example, management may put in place methods for personnel to raise questions about the appropriateness of accounting and financial reporting at progressively higher levels, including a hotline that is monitored by the audit committee or the internal audit group. This, coupled with other procedures, may support an effective control environment. It is also important that management is seen as complying with its own policies.

Principle 2. The board of directors demonstrates independence from management and exercises oversight over the deployment and performance of internal control.  The organization’s control environment is influenced significantly by

its board of directors and others charged with governance of the entity, for example, the audit

control environment  the attitudes, awareness, and actions of management and those charged with governance concerning the entity’s internal control and its importance in the entity

6-8  Ch a pte r 6   Gaining an Understanding of the Client’s System of Internal Control

committee members. The board of directors oversees the entity’s accounting and financial reporting policies and procedures, including its system of internal control. As a result, those charged with governance have an obligation to be concerned with the entity’s system of internal control, internal and independent (external) audit processes, and financial reporting to shareholders and the investing public. In determining the effectiveness of the participation of those charged with governance, in particular the board of directors, auditors consider the board’s independence from management, the experience of its members, the extent of its involvement and scrutiny of management’s day-to-day activities, and its interactions with the internal and/or external auditors. For example, if the board has regular and open communications with its auditors, management may be more willing to inform the board of issues arising in the system of internal control on a timely basis (to avoid “surprises”).

Principle 3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.  Organizational structure reflects management philosophy and

company size. Management’s assignment of authority and responsibility relates to organizational structure. Many ways exist to assign authority and responsibility. Some entities empower employees across the entire organizational hierarchy with decision-making authority. Others limit decision-making authority. The key to successful empowerment and an effective control environment is to: •  Delegate only as much authority as is needed to achieve the organization’s goals. •  Ensure that those making decisions understand that they will be held accountable. •  Hold those who are responsible accountable for their actions. Assignment of authority and responsibility includes how authority and responsibility for operating activities are assigned and how reporting relationships and authorization hierarchies are established. It includes policies related to appropriate business practices, knowledge and experience of key personnel, and resources provided for carrying out duties. It also includes policies and communications directed toward ensuring all employees understand the organization’s objectives, know how their individual roles and actions contribute to those objectives, and recognize how they will be held accountable for their actions and decisions.

Principle 4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.  A key aspect of

setting the tone at the top involves management’s commitment to ensure that workers have the knowledge, skills, and training to make appropriate judgments required by their job responsibilities. A commitment to competence requires two management steps. First, management needs to decide what skills are required to appropriately perform job responsibilities. Second, management must staff those jobs with individuals who have the needed skills. Trade-offs can be made in fulfilling these required steps, such as placing a less experienced person in a demanding job and providing that person with extra supervision. Regardless of how it is accomplished, a strong control environment involves a commitment to job responsibilities with people of sufficient competence. Auditors use professional judgment to determine whether they believe management and employees appear to be competent to carry out their assigned roles and receive adequate supervision where required. For example, do employees have the knowledge and expertise necessary to understand and execute the requirements of generally accepted accounting principles (or another reporting framework that is applicable to the entity)? The PCAOB emphasizes the importance of commitment to competence by stating that, for ICFR to operate effectively, it must function as intended and be implemented by a person with appropriate qualifications. The lack of personnel with appropriate skills may be an internal control deficiency.

Principle 5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.  The discussion related to assigning authority and responsibility in Principle 3 above notes several keys to successful empowerment and an effective control environment, including holding those who are responsible accountable for their actions. When individuals or managers are not held accountable, little attention is given to the accounting system and the completeness and accuracy of

 Entity-Level Internal Controls  6-9

i­ nformation that flows from the accounting system. If a manager is not held accountable for the results of his or her operating unit, there is little incentive to correct errors in accounting for transactions. Although written job descriptions should delineate specific duties and reporting relationships, it is important for the auditor to understand informal structures that may exist and how individuals are held accountable for their actions. The auditor should also be aware of how management assigns authority and responsibility for IT, and how individuals responsible for IT are held accountable, particularly with respect to procedures for authorizing and approving system changes. A lack of accountability over making changes in programmed control procedures creates an environment that is conducive to utilizing IT to cover employee fraud. When gaining an understanding of the control environment, the auditor considers each of the five principles just discussed and their interrelationships. In particular, the auditor needs to understand whether there are any significant deficiencies related to one principle that may have an impact on the effectiveness of other principles or other components of internal control. If the control environment is weak, it decreases the likelihood that other components of internal control will be effective. The assessment of internal controls, as well as the impact of weaknesses in or exceptions to internal controls, is discussed in more detail in Chapter 8.

Cloud 9 - Continuing Case During an interview Josh and Sharon held with David Collier, CFO of Cloud 9, they learned a lot about the tone at the top at Cloud 9. Top-level management and the board of directors adopted a code of conduct that emphasizes the importance of management and other employees acting with integrity. Cloud 9’s board members and senior managers attend training and awareness sessions on the code at least annually. In addition, there has been a rigorous process of embedding the code’s main points throughout the company’s policies and procedures, most of which have been rewritten in the previous two years. Josh intentionally conducts interviews with employees at all levels within Cloud 9. He finds that all employees have

attended training on the code of conduct. Several accounting personnel add that while the company has financial goals to achieve, the emphasis from the top has been getting the ­f inancial numbers right. Accurate financial reporting is a top priority. A copy of the company’s code of conduct and the policies and procedures are included in the audit working papers. Josh also writes a description of the company’s efforts to communicate its approach to management integrity in the report. He assesses the control environment at Cloud 9 as likely to be effective.

Audit Reasoning Example  Tone at the Top Susan Larson, a senior manager, was having lunch with Linh Sun (an audit senior) and Peter Miller (a new audit staff). All three were working on an audit of a pharmaceutical client. Both Linh and Peter were focused on understanding the client’s system of internal control for a new audit client. Susan commented, “I want you to get a good feel for the control environment and the tone at the top about financial reporting by talking to employees at all levels of the organization, particularly in accounting. Wells Fargo has been in the news recently because the tone at the top focused on hitting targets at any cost, and there were significant negative consequences for those who did not meet artificially high expectations. At one end of the spectrum, you have companies like Wells Fargo with a poor tone at the top. At the other end of the spectrum, I had a client that I approached with a misstatement that was significant, but probably had not met our materiality threshold. After the controller understood the underlying cause of the misstatement, and how their control system failed to detect the problem, the controller announced that the company would book the adjustment, even though it decreased unaudited earnings that had previously been announced. When I asked the controller about his reasoning, he stated, ‘We are more concerned about our credibility with investors than one earnings announcement.’ These are the two ends of the spectrum, and our new audit client may be somewhere in between these two examples. I want you to determine where on this control environment spectrum this new client is.”

6-10  C h a pte r 6   Gaining an Understanding of the Client’s System of Internal Control

Risk Assessment risk assessment process  the entity’s process for identifying and responding to risks that an organization will not achieve its objectives

All entities, regardless of their size, structure, nature, or industry, encounter risks at all levels within the organization. Risk is defined as anything that can keep an organization from achieving its objectives (operations, reporting, or compliance). Therefore, an entity’s risk ­assessment process is its process for identifying and responding to risks that an organization will not achieve its objectives. Risks will affect the entity’s ability to survive, compete, grow, and improve the quality of its products, services, and people. It follows that objectives must be set and threats to achieving those objectives must be identified before the risks can be assessed. It is not possible to reduce these risks to zero; however, management (in conjunction with those charged with governance) needs to determine how much risk is acceptable to the organization. Some organizations have a risk committee, which is responsible for ensuring that all of these risks are identified, managed, and reported to the board of directors. An organization’s risk assessment process is different from the auditor’s consideration of risk. The purpose of the entity’s risk assessment process is to identify, analyze, and manage the risks that affect its ability to achieve its operational effectiveness. If a risk is not properly identified, it is likely there will be no control designed to mitigate the risk. In an audit, the purpose is to assess the combined inherent, control, and detection risks to evaluate the likelihood that material misstatements could occur in the financial statements (see discussion in Chapter 3 of the audit risk model). An effective risk assessment process requires management and the board of directors to implement the following four principles.

Principle 6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.  If risk

is defined as anything that can keep an organization from achieving its operations, reporting, or compliance objectives, risk assessment begins with clearly articulating the entity’s objectives. Objectives must be clearly set so that threats to achieving those objectives can be identified, and risks can be assessed. It is important for management (and auditors) to understand the relationship between the entity’s objectives and risks that can affect financial reporting. For example, a company may plan on introducing new technology. However, if it introduces the new technology to the marketplace while it still has a significant inventory of older technology on hand, the introduction of new technology may cause existing inventory to become obsolete or have a lower-of-cost-or-net realizable value problem. The auditor needs to be alert to make sure that the financial consequences of business risks are fairly presented in an entity’s financial statements.

Principle 7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risk as a basis for determining how the risks should be managed.  The identification and analysis of risk involves several steps.

Management should establish a process for (1) identifying risk relevant to the achievement of the entity’s objectives, (2) estimating the significance of the risks, (3) assessing the likelihood of their occurrence, and (4) deciding about actions to address those risks. For example, new legislation or regulation might force changes to operating policies or strategies. Illustration 6.3 provides some examples of external and internal risk factors that an entity might consider.

Principle 8. The organization considers the potential for fraud in assessing the risks to the achievement of objectives.  Fraud risk was discussed in Chapter 3.

In a strong system of internal control, management should be alert to financial reporting frauds, misappropriation of assets, and various types of corruption associated with fraud or other types of misconduct. When assessing fraud risks, management should consider the three elements of the fraud triangle: (1) incentives and pressures to commit fraud, (2) opportunities to perpetrate fraud, and (3) attitudes and rationalization. A good system of internal control should significantly reduce or eliminate the opportunity to perpetrate a fraud. Therefore, management should consciously assess the risk of fraud and put appropriate controls in place to reduce fraud risk to an acceptable level.

Principle 9. The organization identifies and assesses changes that could significantly impact the system of internal control.  Risks can arise or change as a result of

changes to the organization and the environment in which it operates. These include changes in the operating environment, personnel, technology, growth, business structures, and accounting pronouncements. It is important for the auditor to understand the risks identified by the entity,

 Entity-Level Internal Controls  6-11 ILLUSTRATION 6.3  

External Risk Factors •  Technological development can affect the nature and timing of research and development, or lead to changes in procurement.

Examples of risk factors

•  Changing customer needs or expectations can affect product development, production processes, customer service, pricing, or warranties. •  Competition can alter marketing or service activities. •  New legislation and regulation can force changes in operating policies and strategies. •  Natural catastrophes can lead to changes in operations or information systems and highlight the need for contingency planning. •  Economic changes can have an impact on decisions related to financing, capital expenditures, and expansion. Internal Risk Factors •  Ability to adjust existing operations and legacy IT infrastructures to meet performance expectations. •  A disruption in information systems processing can adversely affect the entity’s operations. •  The quality of personnel hired and methods of training and motivation can influence the level of control consciousness within the entity. •  A change in management responsibilities can affect the way certain controls are implemented. •  The nature of the entity’s activities, and employee accessibility to assets can contribute to misappropriation of resources. •  An unassertive or ineffective board or audit committee can provide opportunities for indiscretions.

as this will assist the auditor in considering where (and if) a material misstatement in the financial statements might exist. The overall potential for risks to have a material impact on financial reporting is increased when management appears willing to accept unusually high risks in making business decisions, enters into major commitments without sufficient consideration of the risks, and fails to closely monitor and control the risks associated with commitments.

Cloud 9 - Continuing Case In their interview, Josh and Sharon ask David Collier about Cloud 9’s risk assessment process. They want to know which risks management has identified so that they can consider whether those risks could cause a material misstatement in the accounts. They also want to know about the company’s methods of responding to the identified risks. David Collier tells them that Cloud 9’s management continually monitors its competitors’ activities. It also considers the risk of interruption to supplies because of shipping problems and labor disputes at production plants or transport companies. Other examples of risks that could have a major impact on the accounts are the use of forward exchange contracts to control the risks caused by purchasing in foreign currencies. Cloud 9 management is also very aware of risks associated with the just-in-time inventory system, which has had some problems lately, and has planned some changes to deal with those problems. Management is monitoring the risks of using a soccer player as a spokesperson for the brand, plus the broader risks arising from

sponsorship of the soccer team, because there has been a lot of adverse publicity about soccer players’ behavior over the past year. Such adverse publicity could impact negatively on sales. Cloud 9’s management ensures that the soccer team’s management keeps the company’s management informed of players’ activities, where appropriate. Management has also assessed fraud risks, and it believes that between the company’s code of conduct, tone at the top about its code of conduct, and strong system of internal controls, the incentives for fraud and the opportunity to commit fraud are minimal. Josh concludes from the interview and from Suzie’s review of documents including company plans, board minutes, and significant contracts and agreements that Cloud 9 has a potentially effective system of risk assessment because it actively searches out and considers potential risks to the business, and it has developed action plans to deal with each risk depending on its likely ­occurrence.

Control Activities Control activities are policies and procedures that help ensure management’s directives are carried out and that necessary actions are taken to address risks impacting the achievement of the organization’s objectives. Control activities, whether automated or manual, have various

control activities  policies and procedures that help ensure that management directives are carried out

6-12  C h a pte r 6   Gaining an Understanding of the Client’s System of Internal Control

objectives and are applied at various organizational and functional levels. Effective control activities require management and the board of directors to implement the following three principles.

Principle 10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.  Management, with the oversight of the board of directors, selects and develops control activities to ensure that the entity achieves its objectives. Control activities often use a combination of IT and manual controls. AU-C 315.A99 provides the following examples of control activities: •  Authorization controls. •  Performance reviews. •  Information-processing controls. •  Physical controls. •  Segregation of duties. Each of these categories of control activities is discussed below. Authorization controls. A major purpose of proper authorization procedures is to ensure that every transaction is authorized by management personnel acting within the scope of their authority. Each transaction should be properly authorized and approved in accordance with management’s general or specific authorization. General authorization relates to the general conditions under which transactions are authorized, such as standard price lists for products and credit policies for charge sales. Specific authorization relates to the granting of the authorization on a case-by-case basis. When transactions are individually processed, authorization is usually provided in the form of a signature or stamp on the source document or in the form of electronic authorization that leaves a computerized audit trail. Proper authorization procedures often have a direct effect on control risk for existence and occurrence assertions, and in some cases, the valuation and allocation assertion, such as the authorization of an expenditure or the authorization of a customer’s credit limit. The board of directors may authorize capital expenditures at a designated amount. Expenditures in excess of that amount might indicate existence problems (an invalid transaction) or classification problems (expenses classified as assets). Performance reviews. Examples of performance reviews include management review and analysis of: •  Reports that summarize the detail of account balances such as an aged trial balance of accounts, reports of cash disbursements by department, or reports of sales activity and gross profit by customer or region, salesperson, or product line. •  Actual performance versus budgets, forecasts, or prior-period amounts. •  The relationship of different sets of data such as nonfinancial operating data and financial data (for example, comparison of hotel occupancy statistics with revenue data). Management’s use of reports that drill down and summarize the transactions that make up sales or cash disbursements may provide an independent check on the accuracy of the accounting information. For example, a university department chair might review the details of the payroll that was charged to his or her department on a monthly basis. The quality of this review may provide control over the occurrence, completeness, and accuracy of payroll transactions. Management’s analysis of operating performance may serve another purpose similar to the auditor’s use of analytical procedures in audit planning. That is, management may develop nonfinancial performance measures that correlate highly with financial outcomes, and those measures may allow management to detect accounts that might be misstated. Information-processing controls. Information-processing controls address both IT risks and risks related to financial statement assertions. These controls are particularly relevant to the financial statement audit. Most entities, regardless of size, now use IT for data processing in general and for accounting systems in particular. In such cases, it is useful to further categorize information-processing controls as general controls and application controls. IT general controls are the subject of Principle 11 and are discussed in detail in this chapter in the section “Information Technology (IT) Controls.”

 Entity-Level Internal Controls  6-13

Physical controls. Physical controls are concerned with limiting the following two types of access to assets and important records: (1) direct physical access and (2) indirect access through the preparation or processing of documents such as sales orders and disbursement vouchers that authorize the use or disposition of assets. Physical controls pertain primarily to security devices and measures used for the safekeeping of assets, documents, records, and software programs or files. Security devices include on-site safeguards such as fireproof safes and locked storerooms, and off-site safeguards such as bank deposit vaults and certified public warehouses. Security measures also include limiting access to storage areas to authorized personnel. Such controls reduce the risk of theft or misappropriation of assets. Physical controls also involve the use of mechanical and electronic equipment in executing transactions. For example, cash registers help to ensure that all cash receipt transactions are rung up, and they provide locked-in summaries of daily receipts. Finally, physical control activities include periodic counts of assets and comparison with amounts shown on control records. Examples include petty cash counts and physical inventory counts. Segregation of duties. Illustration 6.4 depicts strong segregation of duties. Authorization of transactions

Maintaining custody of assets

Compare recorded accountability with assets

ILLUSTRATION 6.4  

Appropriate segregation of duties

Maintaining recorded accountability in accounting records

Failure to maintain strong segregation of duties makes it possible for an individual to commit an error or fraud and then be in a position to conceal it in the normal course of his or her duties. For example, an individual who processes cash remittances from customers (has access to the custody of assets) should not also have authority to approve and record credits to customers’ accounts for sales returns and allowances or write-offs (authorize transactions). In such a case, the individual could steal a cash remittance and cover the theft by recording a sales return or allowance or bad-debt write-off. Sound segregation of duties also involves comparing recorded accountability with assets on hand. For example, sound internal control involves independent bank reconciliations comparing bank balances with book balances for each bank account. Perpetual inventory records should also be periodically compared with inventory on hand. Sound segregation of duties limits the opportunity for individuals to perpetrate fraud.

Principle 11. The organization selects and develops general control activities over technology to support the achievement of objectives.  IT general controls

are policies and procedures that relate to many software applications and support the effective functioning of IT application controls. IT general controls function at an entity level to control a wide variety of IT risks. IT general controls maintain the integrity of information and security of data. They commonly include controls over: •  Data center and network operations. •  System software acquisition, change, and maintenance. •  Program changes. •  Access security. •  Application system acquisition, development, and maintenance.

6-14  C h a pte r 6   Gaining an Understanding of the Client’s System of Internal Control

If IT general controls are weak, it is less likely that IT application controls will be effective, which would lead the auditor to assess control risk as high. These controls are discussed in more detail later in this chapter in the section “Information Technology (IT) Controls.”

Principle 12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into actions.  A

good system of internal control needs to be both properly designed and placed in operation. At the entity level, management (with board of director oversight) needs to address both the effectiveness of the design of internal controls and the effectiveness of how internal controls actually operate. Management and the board of directors should oversee the testing of internal controls to determine whether they prevent material misstatements or detect and correct material misstatements on a timely basis. In understanding the client’s control activities at the entity level, consideration is given to factors such as: •  The extent to which performance of control activities relies on IT. •  Whether the necessary policies and procedures exist with respect to each of the entity’s activities, including IT security and system development. •  The extent to which controls included in the organization’s policies are being applied. •  Whether management has clear objectives in terms of budget, profit, and other financial and operating goals, and whether these objectives are clearly written, communicated throughout the entity, and actively monitored. •  Whether planning and reporting systems are in place to identify variances from planned performance and communicate such variances to the appropriate level of management. •  Whether the appropriate level of management investigates variances and takes appropriate and timely corrective actions. •  To what extent duties are divided or segregated among different people to reduce the risk of errors, fraud, or manipulation of results. •  Whether software is used to control access to data and programs and, if so, the extent to which segregation of incompatible duties is achieved by implementing these software controls. •  Whether periodic comparisons are made of amounts recorded in the accounting system with physical assets. •  Whether adequate safeguards are in place to prevent unauthorized access to or destruction of documents, records, and assets. Compared to other types of entity-level controls, the auditor finds control activities the easiest to test because their operation is readily verifiable. For example, the controls surrounding the counting of inventory can be observed, while management’s integrity is not observable or easily verified. This concept is covered in more detail in Chapter 8.

information and communication  the information and communication system relevant to financial reporting objectives, which includes the accounting system, consists of methods and records established to identify, assemble, analyze, classify, record, and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets and liabilities; communication involves a clear understanding of individual roles and responsibilities pertaining to ICFR

Information and Communication The role of information systems is to capture and exchange the information needed to conduct, manage, and control an entity’s operations. The quality of information and communication affects management’s ability to make appropriate decisions in controlling the organization’s activities and to prepare reliable financial reports. Information and communication involve capturing and providing information to management and employees so that they can carry out their responsibilities, including providing an understanding of individual roles and responsibilities as they relate to internal controls over financial reporting. An effective system of information and communication requires management and the board of directors to implement the following three principles.

Principle 13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.  Information is needed at all levels of the entity to run the business, and to assist in the achievement of

 Entity-Level Internal Controls  6-15

financial reporting, operating, and compliance objectives. An array of information is used. Financial information, for instance, is used not only in developing financial reports for external dissemination; it may also be used for operational decisions, such as monitoring performance and allocating resources. Similarly, operating information (for example, airborne particle emissions, personnel data) may be needed to achieve compliance and financial reporting objectives, as well as operating objectives. However, certain operating information (for example, purchases and sales data) is essential for developing financial reports. As such, information developed from internal and external sources, both financial and nonfinancial, is relevant to all three objectives. Information is identified, captured, processed, and reported by information systems. Information systems may be computerized, manual, or a combination thereof. The term “information systems” is frequently used in the context of processing internally generated data relating to transactions (for example, sales) and internal operating activities (for example, production processes). However, information systems as they relate to internal controls are much broader— they also deal with information about external events, activities, and conditions. Auditors are most interested in the information systems that are relevant to the financial reporting objective. AU-C 315.A92 states that the information systems relevant to financial reporting objectives, which includes the accounting system, consist of the procedures and records designed and established to: •  Initiate, authorize, record, process, and report entity transactions (as well as events and conditions) and maintain accountability for the related assets, liabilities, and equity. •  Resolve incorrect processing of transactions (for example, automated suspense files and procedures followed to clear suspense items out on a timely basis). •  Process and account for system overrides or bypasses to controls. •  Transfer information from the transaction-processing system to the general ledger. •  Capture information relevant to financial reporting for events and conditions other than transactions, such as the depreciation and amortization of assets and change in the recoverability of accounts receivable. •  Ensure information required to be disclosed by the applicable financial reporting framework is accumulated, recorded, processed, summarized, and appropriately reported in the financial statements.

Principle 14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.  Communication by an entity of roles and respon-

sibilities related to operations, financial reporting, and compliance objectives involves providing an understanding of individual roles and responsibilities. It is important for senior management to communicate a clear message that internal control responsibilities are to be taken seriously. It is important for employees to believe that their supervisors really want to know about problems, and that the supervisors take necessary actions. Communication of information within the entity often includes clearly stating control objectives, the importance and benefits of effective internal control, roles and responsibility in performing controls, and the expectations to communicate within the entity significant issues related to internal control, including noncompliance with controls or policies. Many public companies also have hotlines for confidential reporting of suspected violations of policies, codes of conduct, or other concerns employees may have about financial reporting.

Principle 15. The organization communicates with external parties regarding matters affecting the functioning of internal control.  There are a number of

ways communication with external parties may improve the system of internal control. For example, it is important for an entity to consider how it receives information from customers regarding incorrect billings, late shipments, or shipments of incorrect items. An entity also should consider how it receives information from vendors regarding late payments or incorrect payments. If this information goes to an independent party within the entity, it will provide feedback on the effectiveness of the entity’s system of internal control. It is also important for a company to consider how it shares information within the entity regarding regulatory examinations or tax audits.

6-16  C h a pte r 6   Gaining an Understanding of the Client’s System of Internal Control

An entity may also want to communicate its code of conduct with vendors, so that vendors understand the entity’s values and ethical culture prior to doing business. Ultimately, public companies need to communicate with stakeholders and the SEC regarding any material weaknesses in ICFR.

Cloud 9 - Continuing Case Josh has significant experience in understanding information systems and, based on the interview with David Collier, which covered the information systems at a high level, Josh can conclude that the entity-level controls in this area are likely to be effective. Josh will gather further information in an interview with Cloud 9’s

financial controller, Carla Johnson. Based on this second interview and a review of the company’s documents, he and Suzie will write a description of their understanding of the processes used in each of the major transaction cycles.

Monitoring Activities After establishing and maintaining internal controls, management must monitor the controls to assess whether they are operating as intended. Over time, systems of internal controls change, and the way controls are applied may evolve. Also, the circumstances for which the system of internal controls was originally designed may change, causing it to be less effective in warning management of risks brought about by new conditions. Accordingly, management needs to determine whether its internal controls continue to be relevant and able to address new risks. Effective processes to monitor controls require management and the board of directors to implement the following two principles.

monitoring  a process that assesses the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions

Principle 16. The organization selects, develops, and performs ongoing and/ or separate evaluations to ascertain whether the components of internal control are present and functioning.  Monitoring is a process of assessing the quality

of internal control performance over time, considering whether controls are operating as intended, and making sure controls are modified as appropriate for changes in conditions. It involves assessing the design and implementation of controls on a regular basis and taking necessary corrective actions. This process is accomplished through ongoing activities and separate evaluations, or a combination of the two. Ongoing monitoring procedures are built into the normal recurring activities of the entity and include regular management and supervisory activities. For example, managers of sales, purchasing, and production at divisional and corporate levels should understand the entity’s operations and question the accuracy of reports that differ significantly from their knowledge of operations. Monitoring activities may include using information obtained from communications with external parties. For example, an entity’s customers ordinarily verify and corroborate their billing data by paying their invoices or by complaining about overcharging or other errors. Much of the information used in monitoring is produced by the entity’s information systems. If management assumes that data used for monitoring is accurate without having a basis for the assumption, errors may exist in the information, potentially leading management to incorrect conclusions about its monitoring activities. One of the most common monitoring activities is the internal audit function. In many organizations, internal auditors (or personnel performing similar functions) contribute to the monitoring of the client’s activities through separate evaluations. They regularly provide information about the functioning of internal controls, focusing considerable attention on the evaluation of the design and implementation of controls. They communicate information about strengths and weaknesses and make recommendations for improving internal control. The importance that a company places on its internal audit function also provides evidence about its overall commitment to internal control. Refer to Chapter 5 for a discussion of how external auditors may use the work of internal auditors.

Principle 17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.  As discussed above, an entity may learn about deficiencies in internal control

from sources such as outside customers or vendors, managers evaluating the accuracy of the

 Entity-Level Internal Controls  6-17

information about the objectives for which they are held accountable, information that may surface through hotlines, and regular ongoing evaluation by management or internal auditors. The monitoring function is most effective when deficiencies are reported to those responsible for taking corrective action on a timely basis. It is also common for any deficiency to be reported to management at least one level above the individuals responsible for taking corrective action. Senior management and the board of directors should get a report of deficiencies noted and corrective actions taken on a regular basis. When the auditor obtains an understanding of the client’s monitoring processes at the entity level, the auditor considers factors such as the following: •  Whether periodic evaluations of internal control are made. •  The extent to which personnel, in carrying out their regular duties, obtain evidence as to whether the system of internal controls continues to function. •  The extent to which communications from external parties corroborate internally generated information, or indicate problems. •  Whether management implements internal control recommendations made by internal and external auditors. •  Management’s approach to correcting known significant deficiencies on a timely basis. •  Management’s approach to dealing with reports and recommendations from regulators. •  The existence of an internal audit function that management uses to assist in its monitoring activities. •  Evaluations or observations made by the external auditors.

Cloud 9 - Continuing Case In the interview with David Collier, Sharon and Josh ask questions about both the control activities and the monitoring of those activities at Cloud 9. Sharon and Josh are particularly interested in the systems used at the company to make sure that information about management’s plans is transmitted throughout the organization and that there are policies and procedures to ensure that the ­appropriate actions are taken and reviewed. In addition to asking David Collier about these matters, ­Suzie reads the policy and procedures manuals. Josh and Suzie then take a tour of the offices and other facilities. For example, Cloud 9 has a tightly structured system of performance reviews. Managers at each level must report financial and operating ­performance

against budgets at regular intervals. Higher-level managers are able to access information about activities within their area of responsibility for monitoring purposes through the information system. Although there have been some issues with theft of goods from the retail store, the losses have been contained following the installation of additional security, including cameras. Josh and Sharon have been particularly impressed with Cloud 9’s thorough approach to appropriate segregation of duties. Josh is able to conclude that, at an entity level, there is sufficient evidence that these controls are potentially effective. He asks Suzie to review the specific controls that affect transaction processes in more detail and document their understanding of these processes.

Internal Control in Small Entities In smaller entities, there are often limitations surrounding the entity’s ability to put effective internal controls in place. This is due to the limited number of employees, which in turn impacts the ability of the organization to segregate duties. Also, it is often not practical for smaller organizations to create an appropriate paper trail of documentation that allows an assessment of internal controls to be made. However, despite the size limitations of these entities, internal controls may still exist. Ordinarily in smaller businesses there is an owner-manager (and primary stakeholder in the business) who is heavily involved in the day-to-day running of the business. This can be both a strength and a weakness. It is a strength (assuming the owner-manager is competent) because he or she is closely involved in the business and day-to-day operations, including the selling of goods and services as well as the daily cash management of the operations. Effective ownermanager performance reviews make it unlikely that material errors that might occur would not be detected by the owner-manager. It is also a weakness because that same owner-manager is in a position to override internal controls.

6-18  C h a pte r 6   Gaining an Understanding of the Client’s System of Internal Control

The risk of management override can be reduced by establishing documented policies and procedures. However, if no such procedures or controls are in place, the risk of management override will need to be reduced from an audit perspective by the performance of additional audit procedures (through an increase in substantive procedures).

Professional Environment  Human Risks Why do controls fail? Once a computer is programmed to do something, it will keep doing exactly what it is programmed to do. Will employees do exactly what they are told to do, every time? A perfect control is no match for the employee who doesn’t know how to operate the control or isn’t careful. In an article explaining the human side of risk,3 Russell Jackson urges internal auditors to take a careful look at the human element of risk by considering how controls are used by employees, and to not just concentrate on evaluating the design of control systems within organizations. External auditors also need to recognize that financial reporting misstatement risk does not simply come from an organization’s processes or controls, but from the people behind the processes and controls who might make mistakes or commit fraud. Human risks are perennial because they are among the most difficult to define, control, and manage.4 A report conducted by Ernst & Young (EY)5 shows that human resource (HR) issues rank among the top five business risks to a company’s results. The EY report contains the results from surveying senior finance, accounting, risk, and HR executives at 150 Fortune 1000 companies. The executives were asked to rank the HR issues that they perceived as having a high impact and likelihood of occurrence within a global organization. The top five HR issues were: 1.  Talent management and succession planning. 2.  Ethics/tone at the top.

3.  Regulatory compliance. 4.  Pay and performance alignment. 5.  Employee training and development. The executives in these 150 companies were also asked about the methods used to monitor these risks. The results show that 41% of executives surveyed admit to reviewing these risks on an ad hoc basis or never.6 These results reinforce the view that HR issues are not managed effectively in many ­organizations. One aspect of HR risk that is closely related to external auditing is the effect of HR policies on promoting and communicating ethical values throughout the organization and ensuring that the appropriate “tone at the top” trickles down through the organization. The EY survey revealed that these issues have become more visible and significant in recent years, possibly as a result of adverse publicity about corporate ethics. However, although ethics is becoming more significant as a HR risk, the executives responding to the survey rated the likelihood of ethical problems arising throughout the organization as low. The survey’s authors suggest HR executives should pay more attention to the alignment between values espoused by company management in public arenas and actual practices by employees at all levels within the organization.7

Before You Go On 2.1  What are the five components of internal control? 2.2  Briefly explain the important aspects of a strong control environment. 2.3 Explain the key elements of the client’s risk assessment process and how they interact with other components of internal control. 2.4 What are the five common categories of control activities? Why is segregation of duties important when understanding internal control? 2.5  Briefly explain the information and communication component of internal control. 2.6 Develop several examples of monitoring activities that an auditor might expect to find in entity-level controls.

3

R. Jackson, “The Human Side of Risk,” Internal Auditor, vol. 64, no. 5 (October 2007), pp. 38–44.

4

Ernst & Young, 2008 Global Human Resources (HR) Risk: From the Danger Zone to the Value Zone, Accelerating Business Improvement by Navigating HR Risk (2008), p. 5, www.ey.com. 5

Ernst & Young, 2008.

6

S. Steffee, “HR Risks Are Largely Ignored,” Internal Auditor, vol. 65, no. 6 (December 2008), pp. 14–15.

7

Ernst & Young, 2008.

 Transaction-Level Internal Controls  6-19

Transaction-Level Internal Controls Lea rning Objective 3 Explain and evaluate internal controls at the transaction level. Now that we have discussed entity-level controls, we will briefly overview transaction-level controls. Transaction-level controls are discussed in more detail in Chapters 8, 11, 12, and 13. As explained previously, entity-level controls are at the entity-wide or whole-­organization level and have the potential to impact all of the processes management puts in place for the entire organization. As its name suggests, transaction-level controls are controls that affect a particular transaction or group of transactions. Transactions in this sense refer to transactions that are ordinarily recorded in the general ledger for the client and span from initiation of the transaction through to the reporting of the transaction in the financial statements. Transaction-level controls are those controls that respond to things that can go wrong with transactions. They need to be sensitive enough to either prevent an error from occurring, or to detect the error, report it, and have it corrected on a timely basis. These controls are referred to as preventive and detective controls and are explained further in Chapter 8. An important process used for developing an audit strategy for various assertions involves the following steps:

transaction-level controls  controls that affect a particular transaction or group of transactions

1. Understand entity-level controls. 2. Understand the flow of transactions. 3. Identify what can go wrong (WCGW) for financial statement assertions. 4. Identify relevant controls to test. 5. Determine a preliminary audit strategy. 6. Perform tests of controls. 7. Evaluate audit evidence, assess control risk, and reevaluate audit strategy (if necessary). 8. Report internal control weaknesses to those charged with governance. Steps 2–5 focus significant attention on understanding internal controls at the transaction level. The auditor often obtains this understanding by performing a walkthrough of a transaction cycle, such as the sales process or a cash receipts process. A walkthrough involves following a transaction from initiating the transaction until it is recorded in the financial records. The auditor will understand the documents used by the client, as well as the entity’s use of information technology. The auditor will often ask questions of the entity’s personnel about their understanding of their responsibilities and controls that they are involved in. Through inquiry and observation, the auditor obtains an understanding of transaction-level controls as well as the adequacy of segregation of duties. The discussion below provides examples of the flow of a transaction from initiating the transaction, to exchanging the title to a good or service, to recording the transaction in the general ledger.

Example Transaction Flows—Sales Process The transaction flow in a typical sales process for a client that sells goods includes processing orders, approving credit, shipping goods, invoicing customers, and recording sales and accounts receivables. The transaction flows for a client that sells services are similar but instead of shipping goods the client sells or performs the services. Common documents and files that are found in the process of selling goods include: •  Customer master file—An electronic file containing the customer shipping and billing ­information and the customer credit limit.

walkthrough  following a transaction from initiating the transaction until it is recorded in the financial records

6-20  C h a pte r 6   Gaining an Understanding of the Client’s System of Internal Control

•  Sales order—A client-prepared prenumbered document that includes customer information, description and quantity of what was ordered, terms of sale, and authorization of the sales order. •  Bill of lading—A shipping document that serves as acknowledgement of receipt of goods for delivery by a freight carrier. •  Packing slip—A client-prepared document with the details of items included in a shipment. •  Sales invoice—A client-prepared document stating the particulars of a sale, including the amount owed, terms, and date of sale. It is used to bill customers, and it provides the basis for recording a sale in the sales journal. •  Sales cycle database—Electronic files that accumulate data on sales, cash receipts, and accounts receivable. •  Monthly statements of receivable balances—A report sent to each customer showing the beginning receivable balance, transactions during the month, and the ending receivable balance. This chapter will discuss sales in the context of a client that sells goods. Examples of risks and controls that can be put in place relating to sales are described in Illustration 6.5. ILLUSTRATION 6.5   Sales process example risks and controls

Transaction

Documents and Files

Risks (WCGW)

Example Control

Key Assertion*

Initiating Credit Sales

Customer master file

Sales may be made to unauthorized customers

Only a limited number of individuals can change the customer master file and all file changes are reviewed by appropriate levels of management

Occurrence, Valuation and allocation

Sales order

Sales may be made to unauthorized customers

The software application matches the customer on the sales order with the customer master file

Occurrence, Accuracy

Sales order

Sales may be made without credit approval

The software application matches amount of sales order with credit authorization on the customer master file

Occurrence, Valuation and allocation

Perpetual inventory

Goods may be released from warehouse for unauthorized orders

The software application matches all goods pulled from inventory (perpetual inventory) to approved sales order

Occurrence

Bill of lading and packing slip

Products are shipped without shipping documents being generated

Application control generates packing slip and delivery documentation when order is processed

Accuracy, ­Completeness

Goods ordered may not be shipped

The software application prints a report of all unfilled sales orders

Completeness

Some shipments may not be billed

The software application prints a ­report of all bills of lading not matched with sales invoices

Completeness

Delivering Goods

Recording Sales

Sales invoice

Invoices are prenumbered and accounted for Sales invoice

Billing may be made for fictitious transactions, or duplicate billing may be made

The software application matches sales invoice information with underlying shipping information

Occurrence

(continued)

 Transaction-Level Internal Controls  6-21 illustration 6.5   (continued)

Transaction

Documents and Files

Risks (WCGW)

Example Control

Key Assertion*

Sales invoice

Sales invoices may be recorded in the incorrect accounting period

The software application matches sales invoice date with accounting period in which goods are shipped

Cutoff

Sales invoice

Sales invoices may be recorded in the incorrect amount

The software application matches sales invoice quantities with shipping information and prices with master price list

Accuracy

Sales invoice Sales cycle database

Invoices may not be journalized or posted to customer accounts

The software application checks runto-run total of beginning receivables, plus sales transactions with the sum of ending receivables.

Accuracy, Completeness

Sales invoice

Sales invoices may be billed to the wrong customer

The software application matches customer number on sales invoice with customer number of sales order and bill of lading

Accuracy

Monthly statements of receivable balances

Customers may be billed incorrect amounts

Mailing of monthly statements with independent follow-up on customer complaints

Completeness, Occurrence, Accuracy, Cutoff

*Most assertions may apply. However, this example has focused on the key assertion(s) for each WCGW.

Example Transaction Flows—Cash Receipts The cash receipts function, which includes the processing of receipts from cash and credit sales, involves the following subfunctions: (1) receiving cash, (2) depositing cash, and (3) recording the receipts. As in the case of credit sales transactions, segregation of duties in performing these subfunctions is an important internal control. Today, many cash receipts ­involve the electronic transfer of funds and cash is received directly by the bank. Alternatively, in some circumstances, cash or checks may be received by the entity that is responsible for both receiving and depositing cash. A major risk in processing cash receipts transactions is the possible theft of cash before or after a record is made of the cash receipt. Thus, control procedures should provide reasonable assurance that documentation establishing accountability is created at the moment cash is received and that cash is subsequently safeguarded. Common documents and files that are found in the cash receipts process include: •  Remittance advice—A document received from the customer showing details of payments made by the customer. •  Prelist of cash receipts—An internally prepared document showing the listing of cash ­received from customers. •  Remittance report from the bank—A document prepared by the bank showing the details of electronic funds transfers received by the bank from customers. •  Bank deposit slip—A receipt from the bank showing the total amount deposited with the bank. •  Sales cycle database—Electronic files accumulating data on sales, cash receipts, and accounts receivables. •  Independent bank reconciliation—Independent person reconciles cash account in the general ledger with the bank statement from the bank. •  Monthly statements of receivable balances—A report sent to each customer showing the beginning receivable balance, transactions during the month, and the ending receivable balance. Examples of what can go wrong and controls that can be put in place relating to cash receipts are shown in Illustration 6.6.

6-22  C h a pte r 6   Gaining an Understanding of the Client’s System of Internal Control ILLUSTRATION 6.6   Cash receipts process example risks and controls

Transaction

Documents and Files

Risks (WCGW)

Example Control

Key Assertion*

Receiving Cash

Prelist of cash receipts

Cash sales may not be recorded

Use of cash registers or point-of-sale devices

Completeness

Prelist of cash receipts

Mail receipts may be lost or misappropriated after receipt

Immediate preparation of prelist of mail receipts; restrictive endorsement of checks immediately upon receipt

Completeness

Prelist of cash receipts Remittance advices

Checks received may not agree with prelist of cash

Independent check of agreement of remittance advices with prelisting of cash received

Completeness, Occurrence, Accuracy

Depositing Cash

Bank deposit slip Prelist of cash receipts Bank remittance report

Cash may not be deposited intact daily

Independent check of agreement of prelisting of cash receipts or bank remittance report with validated deposit slip

Completeness, Accuracy

Recording Cash Receipts

Sales database Prelist of cash receipts Bank ­remittance report

Cash receipts may be recorded in error

Software application agreement of amounts journalized and posted with the prelist of cash receipts or bank remittance report

Completeness, Occurrence, Accuracy, Cutoff

Independent bank ­reconciliation

Errors may be made in journalizing cash receipts

Preparation of periodic independent bank reconciliations

Completeness, Occurrence, Accuracy, Cutoff

Monthly statement to customers

Receipts may be posted to the wrong customer account

Mailing of monthly statements to customers

Completeness, Occurrence, Accuracy, Cutoff, Classification

*Most assertions may apply. However, this example has focused on the key assertion(s) for each WCGW.

Audit Reasoning Example  Transaction-Level Internal Controls Jonathan Briggs (an audit manager) was talking with Marisa Sherwani (an audit senior) about the audit of a private company with retail hardware operations in thirty states. Jonathan states: “I have reviewed the work that you and the team have done to document the revenue process, purchases process, and payroll process. While you have documented the transaction flow from initiating the transaction to the general ledger, now I want you to turn your attention to the period-end financial reporting process. Adjusting journal entries and consolidating entries can have a material impact on the client’s financial statements. Specifically, I want you to pay attention to: •  The locations involved in the month-end reporting process. •  T  he financial inputs used, adjusting and consolidating journal entries developed, reviews performed, and outputs used by the company to produce the monthly and annual financial statements. •  The extent of involvement of IT in each month-end reporting process. •  Who participates from management in this process. •  The types of adjusting and consolidating entries developed at month-end. •  T  he nature and extent of the oversight of the process by management, the board of directors, or the audit committee.”

Before You Go On 3.1  What is the difference between entity-level controls and transaction controls? 3.2  Explain the process of a system walkthrough. 3.3 Explain one risk, and corresponding control to address the risk, for each assertion related to credit sales transactions. 3.4 Explain one risk, and corresponding control to address the risk, for each assertion related to cash receipt transactions.

  Information Technology (IT) Controls  6-23

Information Technology (IT) Controls Lea rning Objective 4 Explain and evaluate information technology (IT) controls.

Benefits and Risks of IT Systems In order to understand internal control in an IT environment, it is important to understand the benefits and risks of IT systems. The major benefits of IT systems over manual systems include the following: •  IT systems can provide greater consistency in processing than manual systems because they uniformly subject all transactions to the same controls. •  More timely software-generated accounting reports may provide management with more effective means of analyzing, supervising, and reviewing the operations of the company. •  IT systems enhance the ability to monitor the entity’s performance and activities. Important risks of IT systems over manual systems include the following: •  The IT system may produce a transaction trail that is available for audit for only a short period of time. •  There is often less documentary evidence of the performance of control procedures in IT systems. •  Files and records in IT systems are usually in machine-sensible form and cannot be read without a computer. •  The decrease of human involvement in IT processing can obscure errors that might be observed in manual systems. •  IT systems may be more vulnerable to physical disaster, unauthorized manipulation, and mechanical malfunction than information in manual systems. •  Various functions may be concentrated in IT systems, with a corresponding reduction in the traditional segregation of duties followed in manual systems. •  Changes in the system are often more difficult to implement and control in IT systems than in manual systems. •  IT systems are vulnerable to unauthorized changes in programs, systems, or data in ­master files. •  Reliance is placed on systems that process inaccurate data, process data inaccurately, or both. •  Unauthorized access to data may result in the destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions, or inaccurate recording of transactions. •  There may be inappropriate or unauthorized manual intervention. Many IT risks are controlled by layering control activities. Illustration 6.7 provides an important overview of IT control activities and describes how controls function in IT systems, regardless of the methods of input, data organization, data processing, or output devices. The following paragraphs describe the control procedures depicted in Illustration 6.7. IT general controls at the entity level control program development, program changes, computer operations, and access to programs and data. They represent a higher level of controls designed to provide reasonable assurance that individual software applications operate consistently and effectively. General controls will be discussed in more detail in the next ­section, “IT General Controls.”

6-24  C h a pte r 6   Gaining an Understanding of the Client’s System of Internal Control ILLUSTRATION 6.7  

Data input

Information technology ­controls

IT application controls during processing of transaction

IT general controls

Output of processed transactions and reports

Exception reports

User controls over assertions

Manual follow-up

Another layer of control is provided by IT application controls, which are designed to prevent or detect potential misstatements in specific transaction processes. For purposes of illustration, consider the processing of a sales order. When a sales order is input, the software application subjects the data to application controls that check, for example, the validity of a customer number or whether a customer has reached its credit limit. IT application controls are designed to provide reasonable assurance that the IT system records, processes, and reports data properly for specific purposes, such as sales, purchases, payroll, or inventory control. IT application controls will be discussed in more detail in the section “IT Application Controls.” The output of processing and IT application controls are usually twofold. First, the software will process and produce transactions and reports. In some systems, the processed transactions or reports will be subject to manual controls such as supervisory review. Second, the system generates exception, or error, reports. Some exception reports may appear on a screen, such as an edit check of the validity of a customer number. Some exception reports may result in printed reports, such as all daily transactions where customers exceeded their credit limit. In either case, people must follow up on the exceptions noted by the software application. The effectiveness of the control depends on the effectiveness of both the programmed application control and the manual follow-up. In some instances, software programs only process and record data, and data input to the system is not subject to IT application controls that might identify potential misstatements. In such cases, other controls must be applied. These are discussed in the section “IT-Dependent Manual Controls.”

IT General Controls IT general controls  controls of program development, program changes, computer operations, and access to programs and data; these entity-level controls are designed to provide reasonable assurance that individual software applications operate consistently and effectively

The purpose of IT general controls is to control program development, program changes, compu