Beruflich Dokumente
Kultur Dokumente
Page 1 / 133
4.2. Accounting Activities at the Assertion Level 4.3. Controls at the Assertion Level International Audit Workbook (Interntional Audit Workbook) 4.4. Test the Operating Effectiveness of Selected Controls 4.5. Control Deficiencies 4.6. Substantive Approach 4.7. Financial Reporting 4.8. Risk of Significant Misstatement (RoSM) Chapter 5 - Substantive Testing 5.1. Risk of Significant Misstatement 5.2. Substantive Procedures 5.3. Nature, Timing, and Extent of Substantive Procedures 5.4. Substantive Analytical Procedures 5.5. Tests of Details 5.6. Computer Assisted Audit Techniques 5.7. Substantive Sampling Techniques 5.8. External Confirmations Chapter 6 - Completion 6.1. Performing Completion Procedures 6.2. Audit Objectives Associated with Significant Risks 6.3. Significant Findings and Issues 6.4. Results of Audit Procedures 6.5. Independence and Ethical Issues Chapter 7 - Specific Topics Chapter 8 - Engagements to Review Interim Financial Information of an Audit Client 8.1 Obtain an Understanding of the Entity and Its Environment, Including Its Internal Control 8.2 Inquiries, Analytical Procedures, and Other Review Procedures 8.3 Evaluate the Results of Our Review 8.4 Other Considerations 8.5 Obtain Management Representation Letters 8.6 Other Information That Accompanies the Interim Financial Information
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis 8.8 Reporting thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
Page 2 / 133
8.5 Obtain Management Representation Letters 8.6 Other Information That AccompaniesAudit WorkbookFinancial Information International the Interim (Interntional Audit Workbook) 8.7 Communication with Management and Those Charged with Governance 8.8 Reporting Chapter 9 - Group Audits Appendix A - Audit Workbook Supplement 2009 Introduction and Contents
Interntional Audit Workbook
LCE User Guide - the detailed guide to all the functionality available in the tool 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis Audit of Trex - a practical example of an audit engagement in LCE, using the new features thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. available in the tool
Page 3 / 133
LCE Tips - a short list of tips to bring a new user quickly up to speed Virtual LCE - a comprehensive presentation ofWorkbook (Interntionalscreenshot-based and intuitive International Audit LCE, but using a Audit Workbook) format LCE User Guide - the detailed guide to all the functionality available in the tool Audit of Trex - a practical example of an audit engagement in LCE, using the new features available in the tool
Description of Contents
The contents of this Workbook are based on the April 2008 version of KAM International, the related Global Workpapers (GWPs), and KAM Alert 2008/04 (i.e., revisions related to materiality). The Audit Workbook addresses the audit workflows, specific topics (fraud, laws and regulations, subsequent events, etc.), engagement management topics, and GWPs. To the extent possible, the Audit Workbook also includes flow charts, decision trees, and graphics related to the audit methodology. The content of the Workbook is presented in a variety of styles, as follows: Content that is displayed in this style of box and that is not part of a table signifies a definition. A term that is highlighted in blue signifies that this term is defined within the Audit Workbook. A listing of these terms and the page number where the definition can be found is included in the Index. All examples are presented in italics. Content which is displayed with an exclamation sign signifies that engagement teams generally should be alert to this topic area (e.g., revenue recognition).
Content which is displayed with a checkmark indicates that additional assistance is available in the form of Practice Aids or Attachments to the GWPs.
Content which is displayed with a light bulb indicates tips (i.e., additional information that the engagement team may consider).
Content which is displayed in this style of box with light yellow shading signifies that the content is applicable to SE or VSE engagements. This content is not included in KAM International and generally represents tips or additional information that engagement teams working on such engagements may consider.
Interntional Audit Workbook
Page 4 / 133
engagement client and engagement acceptance and continuance setting the terms of the audit International Audit Workbook (Interntional Audit Workbook) working papers and how we manage them, and reporting on our findings, including required communications.
Others that may be involved in an audit engagement include: engagement quality control reviewer U.S. GAAP/GAAS and IFRS assignments reviewing partners external experts (employed or contracted by the entity) other KPMG locations, and other independent auditors.
For guidance regarding other KPMG locations and other independent auditors, refer to the KAM Alert expected to be released in 2008. Additionally, the engagement team considers the effects of the work performed by internal audit or the use of a service organization by the entity when planning and performing the audit.
The engagement partner should: take responsibility for the overall quality on each audit engagement to which that partner is assigned [2068.3.3]
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG be satisfied that appropriate procedures regarding the acceptance and continuance of client International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis relationships and specific audit engagements have been followed, and that conclusions reached thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
be satisfied that the engagement team collectively has the appropriate capabilities, competence,
The engagement partner should: take responsibility for the overall quality on each audit engagement to which that partner is assigned [2068.3.3] be satisfied that appropriate procedures regarding the acceptance and continuance of client relationships and specific audit engagements have been followed, and that conclusions reached in this regard are appropriate and have been documented [2068.3.4] be satisfied that the engagement team collectively has the appropriate capabilities, competence, and time to perform the audit engagement in accordance with professional standards and regulatory and legal requirements, and to enable an auditor's report that is appropriate in the circumstances to be issued [2068.3.5] consider whether members of the engagement team have complied with ethical requirements [2068.3.6] take responsibility for the direction, supervision, and performance of the audit engagement in compliance with professional standards and regulatory and legal requirements, and for the auditor's report that is issued to be appropriate in the circumstances [2068.3.7] be responsible for the engagement team undertaking appropriate consultation on difficult or contentious matters [2068.3.8] be satisfied that members of the engagement team have undertaken appropriate consultation during the course of the engagement, both within the engagement team and between the engagement team and others at the appropriate level within or outside the firm [2068.3.8] be satisfied that the nature and scope of, and conclusions resulting from, such consultations are documented and agreed with the party consulted [2068.3.8], and determine that conclusions resulting from consultations have been implemented. [2068.3.8]
For audits of financial statements of listed entities and for other audit engagements where an engagement quality control review is performed in accordance with the firm's policies, the engagement partner should: [2068.3.9] determine that an engagement quality control reviewer has been appointed discuss significant matters arising during the audit engagement, including those identified during the engagement quality control review, with the engagement quality control reviewer, and not issue the audit report until the engagement quality control review is completed. Where more than one KPMG firm is providing services to a client, the lead partner from the originating KPMG firm is responsible for the overall client relationship. RMM-G 24.1.2
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG supervise and direct the professional staff on the engagement International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
prepare and/or supervise the preparation of reports to management review engagement working papers.
Page 6 / 133
monitor the progress of the engagement against expectations (progress and completion dates and budget) and keep the engagement partner informed of significant variances
International Audit Workbook (Interntional Audit Workbook)
resolve issues with the engagement team members as they arise and discuss them with the engagement partner, as appropriate supervise and direct the professional staff on the engagement prepare and/or supervise the preparation of reports to management review engagement working papers.
When determining if the use of a KPMG specialist is appropriate, we consider: [2074.2] applicable policies for involvement of KPMG specialists, including IRM specialists and tax specialists our assessment of the risk of material misstatement due to fraud for the engagement the risk of significant misstatement related to the audit objective being examined whether the matter relates to an audit objective associated with a significant risk the nature and complexity of the information, data, or calculations to be audited whether the client has developed the information, data, or calculations internally as opposed to engaging the services of an independent third party; and whether the engagement team possesses sufficient experience to review the information, data, or calculations provided by the client, and any other audit evidence available.
KPMG specialists may include the following: KPMG specialist Criteria for involvement
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis IRM specialist The audit engagement partner, in consultation with the IRM specialist's, makes an thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
assessment of the nature, timing, and extent of the IRM specialist's involvement in each phase of the audit for audit engagements of clients that meet at least one of the following criteria: [2075.4.1]
Page 7 / 133
KPMG specialists may include the following: KPMG specialist IRM specialist Criteria for involvement The audit engagement partner, in consultation with the IRM specialist's, makes an assessment of the nature, timing, and extent of the IRM specialist's involvement in each phase of the audit for audit engagements of clients that meet at least one of the following criteria: [2075.4.1] the entity is listed the entity is a financial institution the audit engagement is greater than 1,000 hours (calculated at the entity level for single entities or at the consolidation level including multilocation involvement, if any), or Information Technology is critical to the operation of its business.
When it is decided not to involve IRM specialists on clients that meet any of the above criteria, this decision is approved and signed by the IRM specialist, and the rationale is documented in the Planning Document. [2075.4.2] Tax specialist The engagement partner discusses with a tax specialist the likely tax risks and whether his or her involvement is necessary to support the audit. In some countries, the engagement partner or manager may also be designated as a tax specialist, in which case the involvement of another tax specialist would be unnecessary. [2075.4.7] The factors to consider in deciding whether to include a KPMG valuation specialist as part of the engagement team include: [2075.4.11] the materiality of the estimate the nature and complexity of the estimate and the risk of significant misstatement for the related audit objective whether the client has developed the estimate internally as opposed to engaging the services of an independent third party, and whether the audit engagement team possesses sufficient skills to review fair value measurements provided by the client.
Valuation specialist
Additional guidance regarding certain accounts subject to valuation is available in the Other Topics chapter. Forensics specialist The engagement partner, risk management partner, and engagement quality control reviewer may consult with a forensic specialist when addressing difficult matters and risk management considerations including: [2075.6] client/engagement acceptance and continuance procedures evaluation of possible fraud risks evaluation of the entity's controls to prevent, deter, or detect fraud design of our audit response to identified fraud risks, and evaluation of the results of our audit response to identified fraud risks.
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG engagement partner's judgment, the circumstances of the engagement, and the risks International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. to be addressed in the audit. [2075.7]
The nature and extent of forensic specialist involvement will vary based on the
There may be a number of other KPMG specialists available. Engagement teams are
Page 8 / 133
design of our audit response to identified fraud risks, and evaluation of the results of our audit response to identified fraud International Audit Workbook (Interntional Audit Workbook) risks.
The nature and extent of forensic specialist involvement will vary based on the engagement partner's judgment, the circumstances of the engagement, and the risks to be addressed in the audit. [2075.7] Other KPMG specialists There may be a number of other KPMG specialists available. Engagement teams are encouraged to review the practice pages available via KWorld to identify the specialists available in their area.
The engagement team may use the Practice Aid - IT Criticality Checklist available on ARO to help determine whether IT is critical to the business. [2075.4.1.3] A forensic specialist may also assist the engagement team in performing fraud related controls evaluation and testing and substantive procedures.
Reviewing Partners
Reviewing partners may include the following individuals: Partner Criteria for involvement
Engagement quality control An engagement quality control review is required for: [2076.1.7] reviewer audits of general purpose financial statements of a listed entity audit of general purpose financial statements of a nonlisted entity of significant public interest higher-risk engagements (as designated by the local risk management partner).
An IFRS reviewing partner reviews the required documents when the financial statements with which we are associated are prepared in accordance with IFRSs and the entity is a listed entity, an entity of significant public interest, or the engagement is a higher-risk engagement. [2076.3]
A filing review partner performs a filing review with respect to U.S.-SEC registration statements on Forms S-1, S-3, S-4, S-8, F-1, F-2, F-3, F-4, or 20-F; annual reports on Forms 20-F, 40-F, or 10-K; and any other U.S.-SEC filings that include or incorporate by reference an auditor's report issued by a non-U.S. KPMG member firm 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG on the financial statements of a U.S.-SEC registrant. Filing reviews of Rule 144A International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. exempt offering documents, for securities that include registration rights, are also performed, because of the expectation of a subsequent U.S.-SEC filing. [2078.1]
Page 9 / 133
A filing review partner also performs a filing review with respect to other U.S.-SEC
is a higher-risk engagement. [2076.3] Filing review partner A filing review partner performs a(Interntional Auditwith respect to U.S.-SEC registration International Audit Workbook filing review Workbook) statements on Forms S-1, S-3, S-4, S-8, F-1, F-2, F-3, F-4, or 20-F; annual reports on Forms 20-F, 40-F, or 10-K; and any other U.S.-SEC filings that include or incorporate by reference an auditor's report issued by a non-U.S. KPMG member firm on the financial statements of a U.S.-SEC registrant. Filing reviews of Rule 144A exempt offering documents, for securities that include registration rights, are also performed, because of the expectation of a subsequent U.S.-SEC filing. [2078.1] A filing review partner also performs a filing review with respect to other U.S.-SEC filings that contain, or incorporate by reference, an auditor's report issued by a nonU.S. KPMG member firm on financial statements other than those of the SEC registrant (e.g., financial statements presented pursuant to Rule 3-05 and Rule 3-09 of Regulation S-X). [2078.2] Designated review partner (for reports filed with certain foreign regulatory authorities) A designated partner ("designated review partner") reviews the required documents when the financial statements with which we are associated, or our report, are included in a document that is to be filed with certain foreign regulatory authorities, or in a document offering securities in the United States that are exempt from registration requirements of the U.S. Securities Act of 1933 based on Rule 144A. [2077.1]
The understanding obtained may lead us to decide that the assessment of the risk of significant misstatement (RoSM = inherent risk of error + control risk) will not be affected by controls at the service organization. If this is the case, further 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG consideration is unnecessary. [2123.2]
International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
When we determine that If we conclude that the activities of the service organization are significant to the the activities of the service entity and relevant to the audit, we obtain a sufficient understanding of the service organization are significant organization, including its internal control, to identify and assess the risks of material
Page 10 / 133
service organization, including the contractual terms for the relevant activities undertaken by the service organization. The understanding obtained may lead us to Audit Workbook) assessment of the risk of International Audit Workbook (Interntional decide that the significant misstatement (RoSM = inherent risk of error + control risk) will not be affected by controls at the service organization. If this is the case, further consideration is unnecessary. [2123.2] When we determine that the activities of the service organization are significant to the entity and relevant to the audit If we conclude that the activities of the service organization are significant to the entity and relevant to the audit, we obtain a sufficient understanding of the service organization, including its internal control, to identify and assess the risks of material misstatement and design further audit procedures in response to the assessed risks. [2116] To obtain this understanding we may: read the third-party report of the service organization auditor perform the appropriate procedures ourselves, or request the service organization to have its auditor perform the appropriate risk assessment procedures.
We may use either a Type A or Type B report to obtain an understanding of the internal control. [2137.1] When we take a controls approach We obtain audit evidence about the operating effectiveness of controls when our risk assessment includes an expectation of the operating effectiveness of the service organization's controls or when substantive procedures alone do not provide sufficient appropriate audit evidence at the assertion level. We may also conclude that it would be efficient to obtain audit evidence from tests of controls. [2132.1] Audit evidence about the operating effectiveness of controls may be obtained by: [2133] obtaining a Type B service organization auditor's report performing tests of the entity's controls over the activities of the service organization, and For example, we may test the entity's independent reperformance of selected items processed by the service organization or test the entity's reconciliation of output reports to source documents. visiting the service organization and performing tests of the service organization's controls ourselves.
If we plan to use Type B reports, we consider whether: [2139.2] the controls tested are relevant to the entity's classes of transactions, account balances derived from estimates, other account balances and disclosures, and related assertions and our audit objectives the tests of control performed by the service organization auditor are adequate, and the results of the tests of control performed by the service organization auditor are adequate for our audit purposes.
Service organization auditor's reports will usually be in one of the following formats: [2137.1] Type A: report on the design and implementation of internal control, or Type B: report on the design, implementation, and operating effectiveness of internal control.
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG We use Type A reports to obtain an understanding of the internal control. [2139.1] International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
We use Type B reports to obtain audit evidence about the operating effectiveness of controls. [2139.1.1]
Page 11 / 133
Service organization auditor's reports will usually be in one of the following formats: [2137.1] Type A: report on the design and implementation of internal control, or
International Audit Workbook (Interntional Audit Workbook)
Type B: report on the design, implementation, and operating effectiveness of internal control.
We use Type A reports to obtain an understanding of the internal control. [2139.1] We use Type B reports to obtain audit evidence about the operating effectiveness of controls. [2139.1.1]
!
Applicability
If we have determined that there is a need and plan to use the work of an external expert in an audit engagement, we: Procedure/Considerations Consider whether the external expert: has professional certification or licensing by, or membership in, an appropriate professional body, and has experience and reputation in the field for which we are seeking audit evidence.
The risk that an external expert's objectivity will be impaired increases when the external expert is: employed by the entity, or related in some manner to the entity.
Obtain sufficient Review the instructions from the entity to the external expert or discussion with the appropriate audit evidence external expert, regarding matters such as: that the scope of the 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG the objectives and scope of the external expert's work International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis expert's work is adequate thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. for purposes of the audit, the specific matters that we expect the external expert's report and to cover
Page 12 / 133
Obtain sufficient appropriate audit evidence that the scope of the expert's work is adequate for purposes of the audit, and
Review the instructions from the entity to the external expert or discussion with the external expert, regarding matters such as: the objectives and scope of the external expert's work the specific matters that we expect the external expert's report to cover the intended use of the external expert's work the extent of the external expert's access to the appropriate records and files clarification of the external expert's relationship with the entity confidentiality of the entity's information, and information regarding the assumption and methods intended to be used by the external expert and their consistency with those used in prior periods.
Evaluate the Consider: appropriateness of the the source data used by the external expert expert's work as audit evidence regarding the the assumptions and methods used and their consistency with assertion being considered the prior period, and the results of the external expert's work, in light of our overall knowledge of the business obtained in performing the audit.
The external expert is responsible for the reasonableness and appropriateness of the assumptions and methods used, together with their application. [2171] KPMG specialists may assist the engagement team to evaluate the work of an external expert. If the results of the expert's work do not provide sufficient appropriate audit evidence or if the results are not consistent with other audit evidence, we should resolve the matter by: [2174]/[2175] discussing the external expert's results with management and the external expert performing additional audit procedures, and/or considering engaging or asking management to engage another external expert.
We document our evaluation of the professional competence and objectivity of the expert and the adequacy of the expert's work for the purpose of the audit in the Evaluation of External Experts working paper. [2175.3]
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis As part of our understanding, we consider the organizational status of the internal thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
We document our understanding of internal audit activities in the Entity Level Controls
Page 13 / 133
To the extent that the internal audit function operates as part of management's control system, we obtainWorkbook (Interntional Audit Workbook) International Audit a sufficient understanding of internal audit activities to identify and assess the risks of material misstatement of the financial statements and to design and perform further audit procedures. As part of our understanding, we consider the organizational status of the internal audit function and the scope of their responsibilities. We document our understanding of internal audit activities in the Entity Level Controls Program.
When we intend to use the Make an assessment of the internal audit function by obtaining information about work of the internal audit matters such as: function, including direct the nature and extent of their assignments assistance provided by the internal audit function whether management acts on their reports and recommendations and how this is evidenced the technical competence of the internal audit function the due professional care, especially whether their work is adequately planned, supervised, and reviewed, and the objectivity of internal auditing.
When we conclude that internal audit activities are not relevant to our work or that it would not be effective to consider their work further, we need not give further consideration to internal auditing. When we use the specific work of the internal audit function Evaluate whether: the work is performed by those with adequate technical training and proficiency the work of internal auditing is properly supervised, reviewed, and documented sufficient appropriate audit evidence is obtained to be able to draw a reasonable conclusion conclusions are appropriate in the circumstances and reports are consistent with the results of the work performed, and any exceptions or unusual matters disclosed by internal auditing are properly resolved by management.
In evaluating the work of the internal audit function, we may observe the procedures performed by internal audit, inquire of the internal audit function about the nature of its work, reperform some of the work performed by the internal audit function, perform different audit procedures, or examine internal audit working papers. When we request direct assistance from the internal audit function Inform internal audit of their responsibilities, the objectives of the procedures they are to perform, and matters that may affect the nature, timing, and extent of audit procedures. We also supervise their work and review the working papers that the internal audit function prepares on our behalf. We consider whether the work was adequately performed and evaluate whether the results are consistent with the conclusions in our audit report.
KPMG and the client should agree on the terms of the engagement, which are set out in an engagement letter.
Audit documentation may include e-mail where correspondence is related to "significant matters."
Working papers or audit documentation may be recorded on paper or on electronic or other media. [2553] Examples of working papers include, among other things, standard KPMG working paper templates, copies of client prepared documents or schedules, transcripts, analyses, letters of confirmation and representation, notes and other memoranda (including computer files), internal KPMG memos and external correspondence with the client and relevant third parties (including e-mail) concerning significant matters, and final deliverables prepared and accumulated in connection with an audit. Our working papers may also include abstracts or copies of the entity's records if considered appropriate. [2553] For example, we include significant and specific contracts and agreements as part of the working papers if considered appropriate. Audit documentation ordinarily excludes the following: superseded drafts of working papers and financial statements notes that reflect incomplete or preliminary thinking previous copies of documents corrected for typographical or other errors duplicates.
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis Draft working papers or other documents are discarded when the working paper or other document is finalized (except thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
when the local firm's document retention policy provides otherwise), or when a decision is made not to proceed. [2564.0.1]
Page We do not retain documentation that is incorrect or superseded (except pursuant to the local firm's document retention 15 / 133
superseded drafts of working papers and financial statements notes that reflect incomplete or preliminary thinking
International Audit Workbook (Interntional Audit Workbook) previous copies of documents corrected for typographical or other errors
duplicates.
Draft working papers or other documents are discarded when the working paper or other document is finalized (except when the local firm's document retention policy provides otherwise), or when a decision is made not to proceed. [2564.0.1] We do not retain documentation that is incorrect or superseded (except pursuant to the local firm's document retention policy). [2565.8] Work papers stand on their own. Although oral explanations may be used to explain or clarify information contained in the working papers, they do not represent adequate support for the work we performed or conclusions reached. [2565.1]
We should prepare the audit documentation so as to enable an experienced auditor, having no previous connection with the audit, to understand: [2561] the nature, timing, and extent of the audit procedures performed to comply with ISAs and applicable legal and regulatory requirements the results of the audit procedures and the audit evidence obtained, and significant matters arising during the audit and the conclusions reached thereon.
Audit documentation is prepared on a timely basis and provides a sufficient and appropriate record of the basis for our report.
SE
institutions) 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. entities that have an essential public service responsibility due to the nature of their operations, and
Page 16 / 133
higher-risk engagements.
entities where other significant stakeholders rely on the financial statements as their primary basis for obtaining reliable financial International on Workbook informationAuditthe entity(Interntional Audit Workbook) entities subject to industry-wide regulations (e.g., financial institutions) entities that have an essential public service responsibility due to the nature of their operations, and higher-risk engagements.
Additionally, engagement hours are not expected to exceed 1,000 hours. VSE In order to utilize the VSE GWPs, the engagement meets all of the qualitative and quantitative criteria set forth below: the planned hours directly related to completing the audit engagement and issuance of the auditor's report do not exceed 500[[1]] hours if the global Client/Engagement Acceptance/Continuance (CEAC) process is used, the client/engagement is considered a "low" risk client/engagement or, "medium" risk1 with the approval of the risk management partner if another CEAC process is used, the client/engagement is classified in the lowest risk category the entity is not a listed entity whose debt or equity securities are traded in a public market, and the financial statements of the entity will not be included in the regulatory filings of such a listed entity the entity has limited sources of revenue the entity has a limited number of owners, management, and users of the financial statements the entity's principal operations, which may include functions, branches, or subsidiaries, are in a single country or jurisdiction, and a substantive approach will be taken for substantially all significant accounts and disclosures.
Additionally, VSE GWPs may be used for audits of wholly owned subsidiaries (regardless of the number of planned audit hours) where all of the following criteria are met: all of the criteria for use of the VSE GWPs included above are met KPMG is the auditor of the consolidated group accounts the entity is a wholly owned subsidiary of the group, and the audit is being performed for local statutory purposes onlythere is no requirement for any group reporting in order to issue the auditor's report on the consolidated entity.
Additional guidance regarding the use of VSE Global Work Papers is included in the VSE Audit Guidance Document accompanying the VSE Global Work Papers. The VSE Global Work Papers and the related VSE Audit Guidance Document can be accessed from ARO. Other workflows that may Engagement teams that are required to complete the Supplemental U.S. Procedures
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG be applicable Checklist may be required to complete either the Integrated Audit working papers or International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis the FSA Public working papers as noted in that Checklist. [2571.1.2] thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
The Integrated Audit working papers are used when we perform an audit in accordance PCAOB Auditing Standard No. 5, "An Audit of Internal Control Over
Page 17 / 133
VSE Audit Guidance Document accompanying the VSE Global Work Papers. The VSE Global Work Papers and the related VSE Audit Guidance Document can be accessed from ARO. International Audit Workbook (Interntional Audit Workbook) Other workflows that may be applicable Engagement teams that are required to complete the Supplemental U.S. Procedures Checklist may be required to complete either the Integrated Audit working papers or the FSA Public working papers as noted in that Checklist. [2571.1.2] The Integrated Audit working papers are used when we perform an audit in accordance PCAOB Auditing Standard No. 5, "An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements." The Integrated Audit working papers that incorporate the provisions of AS 5 are available on ARO and can be dragged and dropped into specific areas of the Vector audit file. Additional guidance on using Vector with the Integrated Audit workflow can be found on the Vector Web site. FSA Public working papers The FSA Public working papers are used for financial statement audits of a public company when an integrated audit is not performed and we issue an auditor's report on the financial statements that refer to PCAOB standards. Engagement teams performing audits of financial statements of foreign private issuers, when an integrated audit is not performed, are not required to, but may use the FSA Public set of working papers. The FSA Public working papers are available on ARO. Additional guidance on using Vector with the FSA Public workflow can be found on the Vector Web site * GWPs or workflow can be used by a participating location in a multilocation audit (including subsidiaries of public/listed entities), if the location meets the criteria for utilizing the GWPs/workflow, unless the originating location specifies in the inter-office instructions that an alternative audit workflow is to be used, for example FSA. An integrated audit is an audit of internal control over financial reporting (ICOFR) performed in conjunction with an audit of the financial statements in accordance with PCAOB Auditing Standard No. 5, "An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements." Guidance regarding integrated audits performed in accordance with the PCAOB Auditing Standard No. 5 is not included in KAM International or in the Audit Workbook. For guidance regarding engagements performed pursuant to this standard, refer to the Integrated Audit Manual and the Integrated Audit working papers available on ARO under the United States country page
In addition, the engagement partner considers the following qualitative criteria: Qualitative criteria Less complex application of risk assessment procedures KAM requires the performance of risk assessment procedures in order to identify those audit risks at a financial statement and assertion level. In a less complex entity, the extent of risk assessment procedures required is reduced as risks at a financial statement and assertion level are easier to identify than in a more complex entity. The implication of less extensive risk identification procedure is reduced documentation. business from a few process owners rather than a number of process owners and operational staff.
procedures required is reduced as risks at a financial statement and assertion level are easier to identify than in a Workbook (Interntional Audit Workbook) International Audit more complex entity. The implication of less extensive risk identification procedure is reduced documentation. We often obtain much of our understanding of the business from a few process owners rather than a number of process owners and operational staff. The performance of senior and other managerial functions is concentrated in a small number of individuals. The operations of the entity are relatively less complex and there are only a few core business processes within which the entity is involved. The operations of the entity are restricted to a limited number of locations and each of these locations is not of a specialized nature. The entity provides a limited number of products or services The entity usually has less formal objectives and strategies. This is complemented with a less formal budgeting and financial reporting process. Less sophisticated accounting systems, which are not supported by a complex IT environment. Less complex entities generally have fewer employees involved in the accountancy systems and as a result have limited segregation of duties. The owner and/or senior management is actively involved in daily operations of the organization.
Audit teams using LCE to perform an audit on a non-complex listed entity complete the Additional procedures when auditing a listed entity using LCEdocument. [2574.0.3.1] Refer to the Less Complex Entities User Guide on the LCE Homepage for additional guidance and information when performing an audit using the LCE workflow. The LCE Homepage is available by selecting Audit Technology from the Global Audit Portal.
Refer to KAM for policies and guidance regarding the receipt of a Preservation Notice where the engagement has been performed using LCE. The following table indicates the working papers to be prepared for each audit workflow: [2566.1] Global Work Papers Audit Workflow FSA SE VSE
Audit Program
Sp
Sp
Sp
Page 19 / 133
The following table indicates the working papers to be prepared for each audit workflow: [2566.1] Global WorkInternational Audit Workbook (Interntional Audit Workbook) Audit Workflow Papers FSA Audit Checklist Audit Program Audit Program for Specific Topics Completion Document Entity Level Controls Program Evaluation of Design and Implementation and Test of Operating Effectiveness Template (if applicable) Evaluation of External Experts (if applicable) Evaluation of Internal Audit Function (if applicable) Evaluation of Service Organization Function (if applicable) Financial Reporting Audit Program IDEACAATs Document (if applicable) Instructions for Inventory Count Attendance (if applicable) IT General Controls Program (if applicable) KPMG Monetary Unit Sampling Document (if applicable) KPMG Sampling Plan (if applicable) Planning Document Substantive Analytical Procedures Template (if applicable) Summary of Audit Differences and related Summary of Audit Differences Template Test of Details Document (if applicable) Planning and Completion Document Interim Review Checklist (if applicable) Interim Review Program (if applicable) Summary of Review Differences and related Summary of Review Differences Template (if applicable) Co Common version of Global Work Paper is used for these workflows. Sp Global Work Paper specific to the audit workflow is used. N/R Global Work Paper is not required for this workflow.
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis Completion of the applicable KPMG audit documentation, which includes Global Work Papers and electronic work flows, is thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. required for all audit engagements. [2569]
Page 20 / 133
SE VSE Sp Sp Sp
Co Sp Sp Sp SP Co
N/R Global Work Paper is not required for this workflow. Completion of the applicable KPMG audit documentation, which includes Global Work Papers and electronic work flows, is required for all audit engagements. [2569] The documentation for an SE and VSE engagement must comply with all policies and guidance contained in KAM International that are applicable to the engagement. However, the extent of documentation is scaled to the size and complexity of the particular engagement.
2.4.3 Documenting the Nature, Timing, and Extent of the Audit Procedures Performed
In documenting the nature, timing, and extent of audit procedures performed, we should record: [2565.9.3] Preparer and reviewer The preparer(s) and reviewer(s) of each working paper signs or initials and dates each working paper. [2565.9.4] A preparer's and/or reviewer's printed name and date on a working paper also may constitute evidence of signature. [2565.9.6] Multipage working papers The preparer may indicate evidence of preparation of the working paper on the first page only, where it has been prepared by one person. [2565.9.6.1] A reviewer may indicate evidence of review on the first page of a multiple page working paper and, if the reviewer has not reviewed the entire document, the sections reviewed. [2565.9.7.1] Final version For Global Work Papers that are prepared throughout the audit, we document evidence of review on the final version. [2565.9.8] The date audit work was completed, and the date and extent of review We record the date the working paper was completed on each working paper. [2565.9.5] Working paper dating by preparers and reviewers follows a convention that includes the day, month, and year. [2565.9.4] Where documents are faxed or e-mailed to a reviewer and the review is evidenced on a returned faxed document or in a reply e-mail, the reviewer initials and includes the date of review on the original working papers by the audit file assembly date. [2565.9.10] Identifying characteristics of the specific items or matters being tested Identifying characteristics of the specific items or matters being tested will vary with the nature of the audit procedure and the item or matter being tested. [2565.4] For example, for: a test of purchase orders; we may record the dates and unique purchase order numbers of the documents selected for testing selection or review of all items over a specific amount from a given population; we may record the scope of the procedure and identify the population (for example, all journal entries over a specified amount from the journal register)
systematic sampling from a population of documents; we may record the source, the starting point, and the sampling interval 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG of the documents selected (for example, a systematic sample of International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. period shipping reports selected from the shipping log for the from 1 April to 30 September, starting with report number Page 21 / 133 12345 and selecting every 125th report)
selection or review of all items over a specific amount from a given population; we may record the scope of the procedure and identify the population (for example, all journal entries over aInternational Audit Workbook (Interntional Audit Workbook) specified amount from the journal register) systematic sampling from a population of documents; we may record the source, the starting point, and the sampling interval of the documents selected (for example, a systematic sample of shipping reports selected from the shipping log for the period from 1 April to 30 September, starting with report number 12345 and selecting every 125th report) inquiries; we may record the dates of the inquiries and the names and job designations of the entity personnel observations; we may record the process or subject matter being observed, the relevant individuals, their respective responsibilities, and where and when the observation was carried out.
When using the Monetary Unit Sampling (MUS) routine in IDEA, the MUS planning, extraction, and evaluation report contains sufficient detail to be able to reproduce the sample from the sample file.
2.4.4 Documenting Significant Findings or Issues Arising During the Audit and the Conclusions Reached Thereon
Discussions of significant findings or issues When we discuss significant findings or issues with management and others (i.e., those charged with governance, other personnel within the entity, and external parties, such as persons providing professional advice to the entity), we document on a timely basis the discussions in our working papers. We provide appropriate references to the working papers where the discussions are documented, in the Completion Document. [2565.6] The documentation includes: [6313.7] the significant findings or issues discussed when and with whom the discussions took place.
We may include other appropriate records such as agreed minutes of discussions prepared by the entity's personnel. [6313.8] Significant findings and issues are those documented in the Completion Document. Contradicting or inconsistent information We document the information that contradicts or is inconsistent with our final conclusions regarding a significant finding or issue together with our response in the Completion Document. [2565.7.1] For example, our working papers may include procedures performed in response to the information, documentation of consultations on, or resolution of, differences in professional judgment among members of the engagement team or between the engagement team and others consulted. Departures from bold type paragraphs In exceptional circumstances, we may judge it necessary to depart from a bold type paragraph that is relevant in the circumstances of the audit, in order to achieve more effectively the objective of the engagement. [1005]/[1007.1]
We document how the alternative audit procedures performed were sufficient and appropriate to replace that bold type paragraph and achieve the objective of the audit, and, unless otherwise clear, the reasons for the departure, in the Completion 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG Document. In these exceptional circumstances, provided the departure is International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis appropriately documented, we are not precluded from representing compliance with thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. ISAs. [1007.1]
Page 22 / 133
Documentation is not required where the bold type paragraph is not relevant in the
In exceptional circumstances, we may judge it necessary to depart from a bold type paragraph that is relevant in the circumstances of the audit, in order to achieve more effectively the objective of the engagement. [1005]/[1007.1]
International Audit Workbook (Interntional Audit Workbook)
We document how the alternative audit procedures performed were sufficient and appropriate to replace that bold type paragraph and achieve the objective of the audit, and, unless otherwise clear, the reasons for the departure, in the Completion Document. In these exceptional circumstances, provided the departure is appropriately documented, we are not precluded from representing compliance with ISAs. [1007.1] Documentation is not required where the bold type paragraph is not relevant in the circumstances of the audit or an ISA includes conditional requirements and the specified conditions do not exist. [1007.2]
We consult with the risk management partner when we judge it necessary to depart from a bold type paragraph that is relevant in the circumstances of the audit. [1007.1]
Changes that are administrative in nature (refer to the green box above) may be made to the audit documentation during the final assembly process. [2621.9] For example, changes that are administrative in nature include: deleting or discarding superseded documentation sorting, collating, and cross-referencing working papers signing off on checklists relating to the file assembly process documenting audit evidence that we have obtained, discussed, and agreed with the relevant members of the audit team before the date of the report.
Modifications to audit working papers for exceptional circumstances that arose after the date of the auditor's report (refer to the grey box above) and that required us to perform new or additional procedures or that led us to reach new conclusions and those made after the audit file assembly date (refer to the blue box above), are documented in the Audit Checklist, Appendix I, Audit Working Paper Modification Template. Subject to relevant laws, regulations, professional standards, and KPMG policies, modifications to audit working papers after the audit file assembly date may include: [2620] comments added to clarify existing working papers preparation of additional working papers to more fully document work performed during the engagement deletion of extraneous comments or review notes included in the working papers deletion of a working paper that has been superseded or no longer serves a useful purpose, and/or modifications of comments included in the working papers. The engagement partner notifies the engagement quality control reviewer, when the engagement requires an engagement quality control review, of changes related to audit objectives associated with a significant risk when exceptional circumstances arise after the date of our report that require us to perform new or additional audit procedures or that lead us to reach new conclusions, and substantive modifications are made to working papers. [2623]
2.4.5S Consideration of omitted documentation and other procedures identified after 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG the date of auditor's report
The engagement team does not have a responsibility to carry out a retrospective review of its work after the date of the auditor's report. However the auditor's report and working papers relating to a particular engagement may be subjected to / 133 Page 24 review after the date of the auditor's report in connection with the firm's quality performance program or inspection carried
International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
objectives associated with a significant risk when exceptional circumstances arise after the date of our report that require us to perform new or additional audit procedures or that lead us to reach new conclusions, and substantive modifications are made to working papers. [2623]
International Audit Workbook (Interntional Audit Workbook)
2.4.5S Consideration of omitted documentation and other procedures identified after the date of auditor's report
The engagement team does not have a responsibility to carry out a retrospective review of its work after the date of the auditor's report. However the auditor's report and working papers relating to a particular engagement may be subjected to review after the date of the auditor's report in connection with the firm's quality performance program or inspection carried out by a regulatory authority. [2625.12] Accordingly, after the date of the auditor's report, even though there may be no indication that the financial statements are materially misstated, it may be determined that one or more procedures considered necessary at the time of the audit of the financial statements in the circumstances then existing were omitted from the audit. [2625.13] The appropriate course of action may depend on the requirements of local laws or regulations. [2625.16]
The engagement partner consults with the local risk management partner to determine an appropriate course of action when an auditing procedure considered necessary at the time of the audit of the financial statements in the circumstances has been omitted, which may include consultation with legal counsel. [2625.17] If we determine and demonstrate that sufficient procedures were performed, sufficient evidence was obtained, and appropriate conclusions were reached, but that the documentation thereof is not adequate, we consider what additional documentation is needed. For further guidance on adding such documentation, see sections titled "After the date of the auditor's report" and "After the audit file assembly date" in the Engagement Management chapter of KAM. [2625.14] If we cannot determine or demonstrate that sufficient procedures were performed, sufficient evidence was obtained, or appropriate conclusions were reached, we apply the following guidance to assess the significance of the omitted procedure, at the time it is identified, to the present ability to support the previously expressed opinion on the financial statements: [2625.15] Circumstance The previously issued audit opinion on the financial statements cannot be supported without performing the omitted procedure and that there are persons currently relying, or likely to rely, on the previously issued auditors report. [2625.20] As a result of the subsequent performance of the omitted procedure or alternative procedures, we become aware that facts regarding the financial statements existed at the date of our report that would affect the report had we been aware of them. [2625.21] Course of Action The engagement team promptly undertakes to perform the omitted procedure or alternative procedures that would provide a satisfactory basis for the opinion. [2625.20]
We: consult with the risk management partner consult with legal counsel follow the guidance in the section titled, "Subsequent events" in the Control Evaluation chapter of KAM. [2625.21]
If we determine that the omitted procedure needs to be performed but we are unable to perform the procedure or alternative procedures. [2625.22]
We consult with OGC to determine an appropriate course of action concerning our responsibilities to the client, regulatory authorities, if any, having jurisdiction over the client, and persons relying, or likely to rely, on our report. [2625.22]
After the assembly of the final audit file has been completed, we should not delete or discard audit documentation before 25 / 133 Page the end of its retention period. [2625.7]
be performed but we are unable to perform the procedure or alternative procedures. [2625.22]
course of action concerning our responsibilities to the client, regulatory authorities, if any, having jurisdiction over the client, and persons relying, or likely to rely, International Audit Workbook (Interntional Audit Workbook) on our report. [2625.22]
!
2.5. Review
All working papers are reviewed by another engagement team member more experienced than the preparer. [2575] Working papers prepared by the engagement partner are reviewed by another partner assigned to the engagement, and/or the engagement manager, and/or the engagement quality control reviewer, as appropriate in the engagement circumstances. [2575.1] The purpose of reviewing audit working papers is to reach an affirmative conclusion that the working papers support KPMG's opinion on the financial statements and show that the audit complies with KPMG policies, professional standards, and regulatory and legal requirements. [2582] The engagement partner and an engagement manager review audit documentation relating to the following: audit objectives associated with significant risks (significant inherent risk of error or fraud) audit objectives with RoSM assessed as high, and significant findings and issues.
Such audit documentation includes those related to critical areas of judgment, especially those related to difficult or contentious matters identified during the course of the engagement and other areas the engagement partner considers important. The extent of review of such audit documentation by the engagement partner and manager is a matter of professional judgment determined by the engagement partner. [2576] The engagement partner and manager are responsible for satisfying themselves that the audit documentation meets KPMG standards and the requirements of applicable laws, regulations, and professional standards. [2576.1] In addition, the engagement partner and manager review and sign the Planning Document, the Entity Level Controls Program, the Completion Document, the Summary of Audit Differences, and the Audit Checklist. [2580] The reviewer considers whether: [2583] the audit work has been performed in accordance with KPMG policies, professional standards, and regulatory and legal requirements significant matters have been raised for further consideration appropriate consultations have taken place and the resulting conclusions have been documented
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG and implemented, and International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. there is no need to revise the nature, timing, and extent of work performed.
The reviewer also considers a variety of other matters, including whether: [2584]
Page 26 / 133
the audit work has been performed in accordance with KPMG policies, professional standards, and regulatory and legal requirements
International Audit Workbook (Interntional significant matters have been raised for further consideration Audit Workbook)
appropriate consultations have taken place and the resulting conclusions have been documented and implemented, and there is no need to revise the nature, timing, and extent of work performed.
The reviewer also considers a variety of other matters, including whether: [2584] the engagement team has obtained an appropriate understanding of the business the objectives of the audit procedures are achieved and conclusions expressed are consistent with the results of the audit work performed and support the audit opinion on the financial statements the working papers are relevant to the audit, adequately document the audit evidence obtained, and are internally consistent issues were properly identified during the audit, brought to the attention of the engagement partner, and resolved or reported to management, as appropriate
Points raised during the review of working papers are cleared and, where appropriate, the working papers are revised. Except pursuant to the applicable local firm's retention policies, review notes are not retained after the date of our report. [2589]
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG
consistent with the scope outlined in our engagement letter with the client and are in compliance with KPMG policies, methodologies, and procedures; professional standards; and applicable local laws and regulations. [2844] Before communicating with those charged with governance, we (Interntional Audit Workbook) International Audit Workbook usually discuss the matters with management, except where those matters relate to questions of management competence or integrity, to clarify facts and issues and to give management an opportunity to provide further information. [2903] Our communications with those charged with governance may be made orally or in writing. The decision whether to communicate orally or in writing is affected by factors such as the following: [2911] the size, operating structure, legal structure, and communications processes of the entity being audited the nature, sensitivity, and significance of the audit matters of governance interest to be communicated the arrangements made with respect to periodic meetings or reporting of audit matters of governance interest the amount of ongoing contact and dialogue the auditor has with those charged with governance, and statutory and regulatory requirements.
When audit matters of governance interest are communicated orally, we document in the working papers the matters communicated and any responses to those matters. This documentation may take the form of a copy of the minutes of our discussion with those charged with governance. In certain circumstances, depending on the nature, sensitivity, and significance of the matter, it may be advisable to confirm in writing with those charged with governance any oral communications on audit matters of governance interest. [2912] We communicate material weaknesses to management in writing. [2913.2]
We should communicate audit matters of governance interest on a timely basis. 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. Identified fraud or evidence Required communications for all entities include: that fraud may exist identified fraud or information that indicates that a fraud may
Page 28 / 133
financial statements or the auditor's report expected modifications to our report, and any other matters agreed upon in the engagement letter.
International Audit Workbook (Interntional Audit Workbook)
We should communicate audit matters of governance interest on a timely basis. Identified fraud or evidence Required communications for all entities include: that fraud may exist identified fraud or information that indicates that a fraud may exist [2854] identified fraud involving management, employees who have significant roles in internal control, or others where the fraud results in a material misstatement in the financial statements [2861.1] suspected fraud involving management, in which case we communicate our suspicions and the nature, timing, and extent of audit procedures to complete the audit, and [2855] material weaknesses in the design or implementation of internal control to prevent and detect fraud which may have come to our attention.
Additional matters to be considered for communication with those charged with governance include, for example: failure by management to appropriately respond to an identified fraud actions by management that may be indicative of fraudulent financial reporting concerns about the adequacy and completeness of the authorization of transactions that appear to be outside the normal course of business failure by management to appropriately address identified material weaknesses internal control concerns about the nature, extent, and frequency of management's assessment of the controls in place to prevent, deter, and detect fraud and the risk that the financial statements may be misstated, and our evaluation of the entity's control environment, including any questions regarding the competence and integrity of management.
When we determine that there is audit evidence that fraud exists or may exist (as outlined above), we communicate the matter as soon as practicable to the appropriate level of management. [2862] When we discover a suspected or possible fraud, we promptly bring the matter to the attention of the engagement partner. [2866.2] Noncompliance with laws and regulations When we discover a suspected or possible instance of noncompliance with laws or regulations, including a possible illegal act, we promptly bring the matter to the attention of the engagement partner who then reports the matter to the risk management partner and follows local consultation and reporting protocols. [2869.1] If we believe there may be noncompliance, we should document the findings and discuss them with management. [2868] We should, as soon as practicable, either communicate with those charged with governance or obtain audit evidence that they are appropriately informed regarding 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG noncompliance that comes to our attention. [2869] If we suspect that members of senior management, including members of the board of directors, are involved in noncompliance, we should report the matter to the next higher level of authority at the entity, if it exists, such as an audit committee or a
International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
Page 29 / 133
If we believe there may be noncompliance, we should document the findings and discuss them with management. [2868]
International Audit Workbook (Interntional Audit Workbook)
We should, as soon as practicable, either communicate with those charged with governance or obtain audit evidence that they are appropriately informed regarding noncompliance that comes to our attention. [2869] If we suspect that members of senior management, including members of the board of directors, are involved in noncompliance, we should report the matter to the next higher level of authority at the entity, if it exists, such as an audit committee or a supervisory board. [2874] If in our judgment the noncompliance is believed to be intentional and material, we should communicate the finding without delay. [2873] Material weaknesses and other deficiencies in internal control We should make those charged with governance or management aware as soon as practical and at the appropriate level of responsibility, of material weaknesses in the design or implementation of internal control that have come to our attention. [2878] When in our judgment there is a material weakness in the entity's risk assessment process, we include such internal control weakness in our communication. [2879.1] We also include identified risks of material misstatement which the entity has either not controlled, or for which the relevant control is inadequate. We also consider communicating deficiencies that had a significant effect on our audit approach, but are not considered to be material weaknesses. If we communicate additional deficiencies to management, we also consider communicating such deficiencies to those charged with governance. [2885.0.1] We communicate material weaknesses to those charged with governance and management in writing. [2879] Role of the engagement partner Misstatements We communicate the identity and role of the engagement partner to key members of client management and those charged with governance. [2887] We communicate misstatements, whether or not they are recorded by the entity, that have, or could have, a significant effect on the entity's financial statements, to the relevant persons who are charged with governance. This communication includes the misstatements in Schedules 1, 2, and 3 of the Summary of Audit Differences. [2895.1] If we have identified a significant misstatement resulting from error, we should communicate the misstatement to the appropriate level of management on a timely basis, and consider the need to report it to those charged with governance. [2895.7]
For an SE or VSE engagement, our responsibility (as set forth above) to communicate weaknesses in internal control applies equally to an audit relating to owner-managed and smaller entities, even when: we believe the owner-manager may already be informed about such matters we are not sure if weaknesses in internal control, particularly those related to limited segregation of duties, can be addressed in a cost-beneficial manner.
It is only by communicating identified weaknesses that we can be certain that management and those charged with governance have been informed of the problem.
Footnotes
[1] Planned hours should not exceed 200 hours if the client/engagement is considered "medium" risk based on the global CEAC process. Risk management partner approval is obtained for engagements intending to use the VSE workflow where the client/engagement is considered "medium" risk based on the global CEAC process. [back] 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG Interntional Audit Workbook International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
Chapter 3 - Planning
Page 30 / 133
[1] Planned hours should not exceed 200 hours if the client/engagement is considered "medium" risk based on the global CEAC process. Risk management partner approval is obtained for International Audit Workbookuse the VSE Audit Workbook) the client/engagement is considered engagements intending to (Interntional workflow where "medium" risk based on the global CEAC process. [back] Interntional Audit Workbook
Chapter 3 - Planning
The objectives of Planning are to: [3002] obtain an understanding of the entity's business and its industry and environment, its accounting policies and practices, and its financial performance understand and evaluate the design and the implementation of entity level controls relevant to the audit assess risks of material misstatement of the financial statements, including risks of error and fraud develop our audit strategy in response to those risks determine significant accounts and disclosures, and develop our planned audit approach for significant accounts and disclosures.
Planning an audit involves establishing the overall audit strategy for the engagement and developing an audit plan to reduce audit risk to an acceptably low level. The involvement of the engagement partner and other key members of the engagement team in planning the audit draws on their experience and insight thereby enhancing the effectiveness and efficiency of the planning process. [3070] Adequate planning helps to devote the appropriate attention to important areas of the audit, to identify and resolve potential problems on a timely basis, and to properly organize and manage the audit engagement so that it is performed in an effective and efficient manner. Adequate planning also assists in the proper assignment of work to engagement team members, facilitates the direction and supervision of engagement team members and the review of their work, and assists, where applicable, in coordination of work done by auditors of components, KPMG specialists and external experts. The nature and extent of planning activities will vary according to the size and complexity of the entity, our previous experience with the entity, and changes in circumstances that occur during the audit engagement. [3071] Although planning for SE and VSE engagements may not be carried out until after year-end, all planning activities are completed and documented in the SE Planning Document or VSE Planning and Completion Document, as 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG appropriate, before we begin activities related to Control Evaluation and Substantive Testing. Effective planning International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. results in an effective and efficient audit.
Page 31 / 133
where applicable, in coordination of work done by auditors of components, KPMG specialists and external experts. The nature and extent of planning activities will vary according to the size and complexity of the entity, our previous experience with the entity, and changes in circumstances that occur during the audit engagement. [3071]
International Audit Workbook (Interntional Audit Workbook)
Although planning for SE and VSE engagements may not be carried out until after year-end, all planning activities are completed and documented in the SE Planning Document or VSE Planning and Completion Document, as appropriate, before we begin activities related to Control Evaluation and Substantive Testing. Effective planning results in an effective and efficient audit.
may be relevant in the judgment of the engagement partner, the optional kickoff discussion and the required risk assessment and planning discussion, addressed later in this chapter, may be either combined or split into a series Workbook (Interntional Audit Workbook) International Audit of discussions. [3104.1] In practice, the kickoff discussion may be held in different ways and involve different engagement team members based on the judgment of the engagement partner. For smaller engagements, an informal discussion between the partner and manager might be appropriate while on a more complex engagement the involvement of the in-charge or KPMG specialists might be more effective. [3102]
We consider whether local regulations specify certain financial reporting requirements for the industry in which the entity operates. For example, additional accounting or financial reporting rules for financial institutions. For example, specific requirements as set forth in the engagement letter, such as deliverables in addition to the audit report on the financial statements, timing requirements, or expected communications to management or those charged with governance.
Other information that will For example, regulatory filing documents of listed companies, such as the Form 10-K include financial statements for an entity subject to regulation by the U.S.-SEC. or our report to be read as part of our audit
In Vector, you define what industry sector the client operates in and the location of its operations. The decisions made relating to the industry determine the additional knowledge that is delivered to the user to aid in the completion of the engagement, for example, industryspecific substantive audit procedures (only available for certain industries). Once you have decided on the appropriate industry-country combination, you use the workflow drop-down menu to select the appropriate workflow, namely FSA, SE, VSE, IA, or LCE.
specific substantive audit procedures (only available for certain industries). Once you have decided on the appropriate industry-country combination, you use the workflow drop-down menu to select the appropriate workflow, namely FSA, SE, VSE, IA, or LCE.
International Audit Workbook (Interntional Audit Workbook)
Ordinarily, we document the following matters that pertain to timing of audit activities: [3184] external deliverables fieldwork other activities, such as: specific audit procedures (i.e., physical inventory observation and confirmation of accounts receivable) meetings and other communication with management and those charged with governance team meetings and other communications among engagement team members.
We plan and document the role, the name, and the key responsibilities of engagement team members that are unique to the audit engagement. [3212] The nature, timing, and extent of resources necessary to perform the engagement include consideration of the following: [3207] the resources to deploy for specific audit areas For example, the use of appropriately experienced team members for highrisk areas or the involvement of KPMG specialists or external experts on complex matters. the extent of resources to allocate to specific audit areas For example, the number of team members assigned to observe the inventory count at material locations, the extent of review of other auditors' work in the case of group audits, and the audit budget in hours to allocate to high-risk areas. when these resources are deployed, and For example, whether at an interim audit stage or at key cutoff dates. how such resources are managed, directed, and supervised.
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG For example, when team meetings and engagement partner and manager International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis reviews are expected to take place. thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
We plan and document the planned communication with the engagement quality control reviewer, the IFRS reviewing partner, the filing review partner and other
Page 34 / 133
how such resources are managed, directed, and supervised. For example, when team meetings and engagement partner and manager reviews are expected to take place.
We plan and document the planned communication with the engagement quality control reviewer, the IFRS reviewing partner, the filing review partner and other reviewing partners (if applicable), its timing, and the team members responsible for that communication. [3227] We plan and document the involvement of other KPMG locations and the subject matter and audit scope of their involvement, including specific audit procedures (for example, an inventory observation). [3240]/[3240.1] We also plan whether others will be involved, such as internal auditing, service organizations, and external experts.
Involvement of others
We plan the nature, timing, and extent of direction and supervision of engagement team members based on the assessed risk of material misstatement. As the assessed risk of material misstatement increases, for the area of audit risk, we ordinarily increase the extent and timeliness of direction and supervision of engagement team members and perform a more detailed review of their work. Similarly, we plan the nature, timing, and extent of review of the engagement team's work based on the capabilities and competence of the individual team members performing the audit work. [3221] Establishing the audit strategy will vary according to the size of the entity and the complexity of the audit. [3080.1]
Due to the nature of an SE engagement, it is expected that the "Involvement of Others" section of the SE Planning Document will often not be applicable. In those instances, the section is marked as such.
3.4.1 Materiality
Financial reporting frameworks often discuss the concept of materiality in the context of the preparation and presentation of financial statements. Although financial reporting frameworks may discuss materiality in different terms, they generally explain that: [3115] misstatements, including omissions, are considered to be material if they, individually or in the aggregate, could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements judgments about materiality are made in light of surrounding circumstances, and are affected by the size or nature of a misstatement, or a combination of both judgments about matters that are material to users of the financial statements are based on a consideration of the common financial information needs of users as a group. The possible effect of misstatements on specific individual users, whose needs may vary widely, is not considered, and judgments about materiality are made in relation to the relevant financial reporting period.
We should consider materiality when: [ISA 320.8] [3118] determining the nature, timing, and extent of audit procedures, and evaluating the effect of misstatements.
Materiality for planning purposes (MPP) represents a quantitative measurement of the magnitude of an omission or misstatement in the financial statements that, in light of the surrounding circumstances, makes it probable that economic decisions of users would have been changed or influenced by the omission or misstatement.
Page 35 / 133
judgments about materiality are made in relation to the relevant financial reporting period.
We should consider materiality when: [ISA 320.8] [3118] determining the nature, timing,International Audit Workbook (Interntional and Workbook) and extent of audit procedures, Audit evaluating the effect of misstatements.
Materiality for planning purposes (MPP) represents a quantitative measurement of the magnitude of an omission or misstatement in the financial statements that, in light of the surrounding circumstances, makes it probable that economic decisions of users would have been changed or influenced by the omission or misstatement. Materiality for planning purposes is determined at the financial statement level. To determine MPP, we select an appropriate benchmark and then apply an appropriate percentage to that benchmark.
It is expected that the benchmark and the percentage to be applied to the benchmark we use for determining MPP ordinarily will be consistent from period to period unless a change is considered appropriate due to a significant change in the circumstances of the entity, or a substantive change in our perception of the needs of the users of the financial statements. If we change the benchmark and/or percentage to be applied to the benchmark from that used in previous audits, we document in Attachment I to the Planning Document our rationale for the change. [3139]
Relevant financial data ordinarily includes the period-to-date financial results and financial position; budgets or forecasts for the current period; prior periods' financial results and financial position, adjusted for significant changes in the circumstances of the entity (for example, a significant business acquisition); and relevant changes of conditions in the International Audit Workbook (Interntional industry or economic environment in which the entity operates. [3141] Audit Workbook) For example, when, as a starting point, materiality for planning purposes is determined for a particular entity based on a percentage of profit before tax, circumstances that give rise to an unusual decrease or increase in profit before tax, such as significant restructuring charges, may lead the engagement partner to conclude that MPP is more appropriately determined using a normalized profit or loss before tax based on past results (normalized basis). As another example, when an entity's profit before tax is consistently nominal, as might be the case for an owner-managed business where the owner takes much of the profit before tax in the form of remuneration, the engagement partner may conclude that MPP is more appropriately determined by reference to profit before tax, adjusted for owner remuneration and related income tax.
!
Factor
The engagement partner considers the following factors in determining the percentage to be applied to the benchmark. The factors below are meant to be illustrative; there may be other factors that impact the determination of the percentage to be applied to the benchmark based on engagement specific circumstances. [3147] Higher percentageLower percentage Concentration of ownership in a small number of well informed individuals Limited debt Debt arrangements where lenders have access to management information and do not rely solely on audited financial statements The entity operates in a stable business environment The operations of the entity are relatively less complex and few core business processes in which the entity is involved The entity provides a limited number of products or services The entity has a viable sustainable business Listed or public interest entity
Business environment
The entity operates in a volatile business environment The entity has complex operations and/or diverse business processes The entity operates in locations which are subject to political instability
Other sensitivities No financial regulators Operate in a highly regulated 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG industry International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis Few changes in stakeholders thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. have occurred or are expected Intention to list or register securities
Page 37 / 133
services The entity has a viable International Audit sustainable business Workbook (Interntional Audit Workbook) No financial regulators Few changes in stakeholders have occurred or are expected Few external users of the entity's financial statements Operate in a highly regulated industry Intention to list or register securities Recent or expected sale of the entity Impact that misstatements might have on Earnings Per Share (EPS), and extent to which a change in EPS influences the users of the financial statements
Other sensitivities
The presence of one or more of the following factors may indicate that a lower SMT may be appropriate. The factors below are meant to be illustrative; there may be other factors that impact the determination of SMT based on engagement specific circumstances. [3159.3] weak control environment entity with a history of material weaknesses and/or a number of control deficiencies high turnover of senior management entity with a history of large or numerous misstatements in previous audits entity with more complex accounting issues and significant estimates, and entity that operates in a number of locations.
We determine whether, in the specific circumstances of the entity, there are particular classes of transactions, account 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG balances, or disclosures for which misstatements of lesser amounts than our SMT level could reasonably be expected to International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. influence the economic decisions of users. In such circumstances, we apply professional judgment to determine one or more lower levels of SMT to be applied to those particular classes of transactions, account balances, or disclosures. Page 38 / 133 [3159.4]
entity with a history of large or numerous misstatements in previous audits entity with more complex accounting issues and significant estimates, and entity that operates in a number of locations.
International Audit Workbook (Interntional Audit Workbook)
We determine whether, in the specific circumstances of the entity, there are particular classes of transactions, account balances, or disclosures for which misstatements of lesser amounts than our SMT level could reasonably be expected to influence the economic decisions of users. In such circumstances, we apply professional judgment to determine one or more lower levels of SMT to be applied to those particular classes of transactions, account balances, or disclosures. [3159.4] For example, the users of the financial statements may be more sensitive to quantitatively smaller misstatements related to disclosures regarding directors' remuneration or related-party transactions than for other significant accounts or disclosures. The engagement team may determine that the significant misstatement threshold for these items should be lower than that determined for other areas of the audit. [3159.4] Similarly, nonrecurring revenue may turn a loss into a profit or reverse the trend of earnings from a downward to an upward trend. The economic decisions of a user may be affected by a failure to disclose separately a nonrecurring item of revenue of that magnitude. Therefore, the engagement team may determine that a lower significant misstatement threshold for nonrecurring revenue would be appropriate. [3159.4]
When determining the audit difference posting threshold, we consider factors similar to those discussed for MPP and SMT. After consideration of qualitative factors, we may determine that a lower percentage is appropriate for the audit difference posting threshold. [3170] Audit differences detected below the audit difference posting threshold need not be summarized in the Summary of Audit Differences, and the relevant working paper is annotated to indicate that the difference is considered clearly trivial. However, we consider their qualitative aspects. [3171] The qualitative consideration of such clearly trivial audit differences is usually limited to a consideration of whether such audit differences: [3172] relate to a related party or transactions with a related party may indicate the possible existence of fraud, or individually or in the aggregate may be indicators of control deficiencies.
If an amount is considered qualitatively significant but is below the audit difference posting threshold, it is included in the Summary of Audit Differences as an audit difference. [3173]
Where MPP has been revised downward from the amount determined at planning, we revise the audit difference posting Page 39 / 133 threshold accordingly, or document why it is not necessary to revise the audit difference posting threshold. [3177]
We perform the following risk assessment procedures to obtain an understanding of the entity and its environment, including internal control: [3335] Inquiries of management Much of the information we obtain by inquiries may be useful in providing us with a and others within the entity different perspective in identifying risks of material misstatement. Therefore, we make inquiries of management and those responsible for financial reporting; others within the entity, such as production and internal audit personnel; and other employees with different levels of authority. [3339] Our risk assessment procedures include inquiries of management, those charged with governance, internal audit, and others to identify and assess risks of material misstatement related to fraud, going concern, laws and regulations, litigation and claims, and related parties as described in the Audit Program for Specific Topics. Analytical procedures We apply analytical procedures as risk assessment procedures to obtain an understanding of the entity and its environment. [3342.1] Analytical procedures may be helpful in identifying the existence of unusual transactions or events and amounts, ratios, and trends that might indicate matters that have financial statement and audit implications. [3344] Analytical procedures include procedures related to revenue accounts with the objective of identifying unusual or unexpected relationships that may indicate a risk of material misstatement due to fraudulent financial reporting. Observation and inspection Observation and inspection may support inquiries of management and others as well as provide information about the entity and its environment. Such audit procedures ordinarily include the following: [3347] observation of entity activities and operations inspection of documents, records, and internal control manuals reading reports prepared by management and those charged with governance visits to the entity's premises and plant facilities, and tracing transactions through the information system(s) relevant to financial reporting (walkthroughs).
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG engagement team members in identifying the appropriate entity personnel and the related International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. conduct all inquiries matters to be discussed and coordinating such inquiries (e.g., to be able to
An optional Practice Aid - Example Risk Assessment Inquiries is available on ARO to help
in one or a number of limited discussions with the appropriate individual, when possible and appropriate). [3340.1]
Page 40 / 133
tracing transactions through the information system(s) relevant to financial reporting (walkthroughs).
International Audit Workbook (Interntional Audit Workbook)
An optional Practice Aid - Example Risk Assessment Inquiries is available on ARO to help engagement team members in identifying the appropriate entity personnel and the related matters to be discussed and coordinating such inquiries (e.g., to be able to conduct all inquiries in one or a number of limited discussions with the appropriate individual, when possible and appropriate). [3340.1] An optional Practice Aid - Example Analytical Procedures, available on ARO, provides examples of matters that we may consider when obtaining an understanding of the measurement and review of the entity's financial performance (aggregated and disaggregated). [3509] The extent of risk assessment procedures to be performed varies depending on the specific circumstances of the engagement. At a minimum, we perform: [3356] risk assessment procedures - related to specific topics an inquiry of other KPMG engagement partners or engagement managers involved in nonaudit services provided, if any, about possible risks of material misstatement inquiries of management about changes in the entity's business and its environment, including internal control an analytical review of financial information for planning purposes, and an analysis of the results of interim reviews performed, if any.
Risk assessment procedures are carried out during the Planning phase of the audit although the nature of some SE and VSE engagements may preclude the engagement team from completing the planning prior to year-end. Completing planning after year-end does not change the nature and extent of risk assessment procedures, however, for an SE or VSE engagement, the nature and extent of operations may not require the performance of as extensive risk assessment procedures to obtain an understanding of the entity as may be required in a more complex engagement.
Planning risk assessment procedures facilitates an effective audit. A kickoff discussion may help us in planning the risk assessment procedures to be performed to obtain a sufficient understanding of the entity and its environment. Upfront planning of risk assessment procedures also provides the opportunity for the engagement partner and manager to direct the engagement team where to focus its work, and to share their experience and background knowledge about the industry and the entity. [3329] For recurring engagements, where we may use our understanding obtained in prior period audits, identifying significant changes in any of the above aspects of the entity from prior periods is particularly important in gaining a sufficient understanding of the entity to identify and assess risks of material misstatement. We also use our understanding from risk assessment procedures performed as part of engagements to review interim financial information. [3329.1]/[3355]
The industry in which the entity operates may give rise to specific risks of material misstatement arising from the nature of the business or the degree of regulation. [3443]
Page 41 / 133
of the following aspects: [3377] Business, industry, and environment The natureInternational Audit Workbookits operations, ownership, governance, types of of an entity refers to (Interntional Audit Workbook) investments, the way it is structured, and how it is financed. An understanding of the nature of an entity enables us to understand the classes of transactions, account balances derived from estimates, other account balances, and disclosures to be expected in the financial statements. [3394] The industry in which the entity operates may give rise to specific risks of material misstatement arising from the nature of the business or the degree of regulation. [3443] An understanding of the legal and regulatory environment includes procedures to assist the engagement team to: [3452] obtain an understanding of the legal and regulatory framework applicable to the entity and its industry identify instances of noncompliance with laws and regulations, including possible illegal acts evaluate the design and implementation of the entity's policies, procedures, and controls regarding compliance with the applicable legal and regulatory framework, including controls to prevent and detect noncompliance and illegal acts.
We also consider the entity's economic, political, and social environment. [3020] Accounting policies and practices We obtain an understanding of the entity's selection and application of accounting policies and consider whether they are appropriate for its business and consistent with the applicable financial reporting framework and accounting policies used in the relevant industry. [3454] Our understanding of the entity's accounting policies and practices addresses the following matters: [3022] [3458] applicable financial reporting framework, including: new accounting standards controversial or emerging areas with lack of authoritative guidance or consensus regulatory (financial reporting and tax-related) inquiries, investigations, and/or enforcement action and changes to the selection and application of accounting policies by the entity, including initial selection and application
Financial performance
critical accounting policies, and impact of the entity's structure on financial reporting.
Performance measures and their review indicate to us aspects of the entity's performance that management and others consider to be of importance. Performance measures, whether external or internal, create pressures on the entity that, in turn, may motivate management to take action to improve the business performance or to misstate the financial statements. Therefore, obtaining an understanding of the entity's performance measures assists us in considering whether such pressures result in management actions that may have increased the risks of material misstatement. [3486] Our understanding of the entity's financial performance addresses the following matters: [3487]
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis analyses prepared by the entity as well as analysis performed thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
external expectations
Page 42 / 133
risks of material misstatement. [3486] Our understanding of the entity's financial performance addresses the following International Audit Workbook (Interntional Audit Workbook) matters: [3487] external expectations analyses prepared by the entity as well as analysis performed by KPMG and the related results events or conditions raising doubt about the entity's ability to continue as a going concern.
Entity level controls are internal controls that operate at the entity level rather than at the specific assertion level. [3028.1.1] Entity level controls often have a pervasive impact on control activities over classes of transactions, account balances derived from estimates, other account balances, and disclosures. For that reason, as a practical consideration, we evaluate the design and implementation of entity level controls during Planning, because the results of that work might impact the effectiveness of control activities over accounting activities and financial reporting. [3546]
Instances or concerns of We perform the risk assessment procedures related to misconduct or unethical misconduct or unethical behavior by the entity management or personnel or those charged with governance. behavior related to [3550] financial reporting [3377.1]
We document key elements of the understanding obtained regarding each of the aspects of the entity and its environment, including each of the internal control components, to assess the risks of material misstatement of the financial statements, and the sources of information from which the understanding was obtained. [3378] The form and extent of this documentation is influenced by the nature, size, and complexity of the entity and its internal control, and availability of information from the entity. Ordinarily, the more complex the entity and the more extensive the audit procedures performed, the more extensive our documentation will be. [3379] We only document information that is relevant to our audit of the financial statements. [3384]
When obtaining an understanding of the entity for an SE or VSE engagement, we consider the following: such entities ordinarily do not have formal processes to measure and review the entity's financial performance. Management nevertheless often relies on certain key indicators that knowledge and experience of the business suggest are reliable bases for evaluating financial performance and taking appropriate action. such entities may not have "formal" or "documented" entity level controls that have been effectively designed and implemented. In such cases, we identify the control deficiencies and determine the effect on our planned audit approach and audit strategy. such entities may not have a process in place to formally report concerns of misconduct or unethical behavior. In such instances, we rely on inquiries with management, those charged with governance, and others in the entity. the form and extent of our documentation is influenced by the nature, size, and complexity of the entity and its internal control, and the availability of information from the entity. Ordinarily, audits of less complex entities will result in less extensive documentation of our understanding of the entity.
The AlacraTM Company Book and the Alacra Industry Book are optional tools available in a downloadable format at http://kpmgaasc.alacra.com/kpmgaasc/ that may be useful to obtain 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG updated information regarding a given chosen company or its industry (Alacra is a registered International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. trademark of Alacra, Inc.). [3388] The Company Book is focused on providing items containing third-party comments on the company, such as news and analyst reports. [3389]
Page 43 / 133
the entity. Ordinarily, audits of less complex entities will result in less extensive documentation of our understanding of the entity.
International Audit Workbook (Interntional Audit Workbook)
The AlacraTM Company Book and the Alacra Industry Book are optional tools available in a downloadable format at http://kpmgaasc.alacra.com/kpmgaasc/ that may be useful to obtain updated information regarding a given chosen company or its industry (Alacra is a registered trademark of Alacra, Inc.). [3388] The Company Book is focused on providing items containing third-party comments on the company, such as news and analyst reports. [3389] The Industry Book provides information on an industry and country to assist in obtaining an understanding of a client's business. [3390]
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis the firm's policies and procedures for dealing with and resolving disagreements among thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
Page 44 / 133
identified inherent risks at the assertion level for significant accounts and disclosures and the planned audit approach
International Audit Workbook (Interntional Audit Workbook)
a consideration of how unpredictability will be incorporated into the nature, timing, and extent of the audit procedures to be performed the firm's policies and procedures for dealing with and resolving disagreements among engagement team members, including KPMG specialists, or with the engagement quality control reviewer or others consulted, and that such matters may be brought to the attention of the engagement partner without fear of reprisal, and matters to be communicated to members of the team (including KPMG specialists and both originating and participating locations) not involved in the discussion.
The objective of the risk assessment and planning discussion is for members of the engagement team to gain a better understanding of the potential for material misstatements of the financial statements resulting from fraud or error in the specific areas assigned to them, and to understand how the results of the audit procedures that they perform may affect other aspects of the audit, including the decisions about the nature, timing, and extent of further audit procedures. [3561.1] The discussion provides an opportunity for more experienced engagement team members, including the engagement partner, to share their insights based on their knowledge of the entity, and for the team members to exchange information about the business risks to which the entity is subject and about how and where the financial statements might be susceptible to material misstatement, including material misstatement due to fraud. Particular emphasis is given to the discussion of the susceptibility of the entity's financial statements to material misstatement due to fraud. [3561.4]
The risk of significant misstatement at the assertion level consists of the two components: [3647]
Page 45 / 133
We do not similarly assess and document RoMM. We use RoMM to help assess whether a financial statement level risk is significant enough to be addressed in our audit strategy or planned audit approach. The risk of significant misstatement at the assertion level consists of the two components: [3647] Inherent risk is the susceptibility of an assertion to a misstatement due to error, which could be material, individually or when aggregated with other misstatements, assuming that there were no related internal controls. [9133] For example, accounts consisting of amounts derived from accounting estimates that are subject to significant measurement uncertainty pose greater risks than do accounts consisting of relatively routine, factual data. [3651] Control risk is the risk that a misstatement that could occur in an assertion and that could be material, individually or when aggregated with other misstatements, will not be prevented or detected and corrected on a timely basis by the entity's internal control. [9063] When our assessment of the risk of significant misstatement includes an expectation of the operating effectiveness of controls, we perform tests of controls to support the control risk component of the assessment of the risk of significant misstatement. [3658.2] In order to focus our control and substantive tests appropriately, we identify and define inherent risks and control risks separately. Without such identification and definition of risks, we may not design appropriate audit procedures to address the risks. In order to identify and assess the risks of misstatement, we: [3596.3] identify risks throughout the process of obtaining an understanding of the entity and its environment, including relevant controls that relate to the risks, and by considering the classes of transactions, account balances derived from estimates, other account balances, and disclosures in the financial statements relate the identified risks to what can go wrong at the assertion level consider whether the risks are of a magnitude that could result in a material misstatement of the financial statements consider the likelihood that the risks could result in a material misstatement of the financial statements, and define audit objectives with respect to the risks.
We use information gathered by performing risk assessment procedures, including the audit evidence obtained in evaluating the design of controls and determining whether they have been implemented, as audit evidence to support the risk assessment. [3596.4] We use the risk assessment to determine the nature, timing, and extent of further audit procedures to be performed. [3596.5] We determine whether the identified risks of material misstatement relate to specific classes of transactions, account balances, and disclosures and related assertions, or whether they relate more pervasively to the financial statements as a whole and potentially affect many assertions. The latter risks (i.e., risks at the financial statement level) may derive in particular from a weak control environment. [3596.6]
Due to the nature of SE and VSE engagements, it is anticipated that the entity will have a reduced number of
Financial statement level risks are risks that result from "big picture" events and conditions or lack of oversight that could affect financial statements as a whole and may result in a material misstatement due to error or fraud. [9109.1], [9110]
Due to the nature of SE and VSE engagements, it is anticipated that the entity will have a reduced number of financial statement level risks as the conditions that give rise to these risks will be limited. Risks of material misstatement at the overall financial statement level often relate to the entity's control environment (although these risks may also relate to other factors, such as changes in the entity or the entity's environment or industry or other business risks such as declining economic conditions), and are not necessarily risks identifiable with specific assertions at the class of transactions, account balance derived from an estimate, other account balance, or disclosure level. Rather, this overall risk represents circumstances that increase the risk that there could be material misstatements in any number of different financial statement assertions. [3615] The following are examples of conditions and events that may indicate the existence of financial statement level risks: [3618] operations exposed to volatile markets, such as futures trading high degree of complex regulation changes in the industry in which the entity operates developing or offering new products or services, or moving into new lines of business expanding into new locations changes in the entity, such as reorganizations or other unusual events entities or business segments likely to be sold lack of personnel with appropriate accounting and financial reporting skills inconsistencies between the entity's IT strategy and its business strategies changes in significant new IT systems related to financial reporting, and application of new accounting pronouncements.
Such risks may be especially relevant to our consideration of the risk of material misstatement arising from fraud. For example, through management override of internal control or collusion. [3616] Our responses to identified financial statement level risks may include: [3639] emphasizing to the engagement team the need to maintain professional skepticism in gathering and evaluating audit evidence assigning more experienced staff or those with special skills, or using external experts providing more supervision or professional staff incorporating additional elements of unpredictability in the selection of further audit procedures to be performed, and/or making general changes to the nature, timing, or extent of audit procedures as an overall response. For example, performing substantive procedures at period-end instead of at an interim date. In addition to the responses above, we consider whether the financial statement level risk impacts significant accounts and assertions and creates one or more assertion level risks.
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG Ineffective or partially effective entity level controls often result in financial statement level risks International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis that affect multiple significant accounts and assertions and, consequently, may also affect our thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
In addition to the responses above, we consider whether the financial statement level risk impacts significant accounts andAudit Workbook (Interntional Audit Workbook) assertion level risks. assertions and creates one or more International
Ineffective or partially effective entity level controls often result in financial statement level risks that affect multiple significant accounts and assertions and, consequently, may also affect our planned audit approach, as illustrated below.
The results of our evaluation of entity level controls and the effect of such results on our planned audit approach at the assertion level can be summarized as follows: Evaluation of entity level controls Effect of entity level controls on our planned audit approach
Appropriately designed and We may expect to find controls at the assertion level to also be effective and, thus, implemented we may plan our audit approach for selected audit objectives to include tests of the operating effectiveness of controls. [3632] Appropriately designed and We consider the effect of such deficiencies in determining our audit approach at the implemented, but with a assertion level. [3632.1] limited number of identified deficiencies Not appropriately designed It is less likely that controls at the assertion level are appropriately designed, or implemented implemented, and operating effectively; therefore, we would apply our audit approach with an emphasis on substantive procedures. [3632.2]
Smaller entities may have weak entity level controls. If there are such weaknesses, we ordinarily conduct more audit procedures as of the period-end rather than at an interim date, seek more extensive audit evidence from substantive procedures, and modify the nature of our audit procedures to obtain more persuasive audit evidence. Also, it would be unlikely that weak entity level controls would render all assertion level controls unreliable, other than in the smallest entities. Therefore, for audit objectives associated with a significant risk, we seek to identify relevant controls and consider how the controls are impacted by the weaknesses in entity level controls.
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG 3.8.3 Identified Risks at the Assertion Level International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
Assertion level risks are risks specifically related to an account balance derived from estimate, an other account balance, a class of transactions, a disclosure, or a specific assertion that may result in a material misstatement
Page 48 / 133
Also, it would be unlikely that weak entity level controls would render all assertion level controls unreliable, other than in the smallest entities. Therefore, for audit objectives associated with a significant risk, we seek to identify relevant controls and consider how the International Audit Workbookby the weaknesses in entity level controls. controls are impacted (Interntional Audit Workbook)
In Vector, the user is able to insert example industry specific assertion level risks directly into the engagement file by using the Knowledge Task Pane in the Vector document "Summary of identified risks - Part 2."
[3679.0.1]
Page 49 / 133
If there is a reasonable possibility of a misstatement in the account greater than the significant misstatement
An account is a significant account if there is a reasonable possibility that the account could contain a misstatement that, individually or whenInternational Audit Workbook (Interntional Audit Workbook) on the financial statements, aggregated with others, has a material effect considering the risks of both overstatement and understatement. The determination of whether an account is significant is based on inherent risk, without regard to the effect of controls. [3679] Significant accounts may be financial statement captions or disaggregated components of financial statement captions consisting of one or more general ledger accounts based on the judgment of the engagement team. [3679.0.1] If there is a reasonable possibility of a misstatement in the account greater than the significant misstatement threshold, considering both the risk of overstatement and understatement, the account is considered significant irrespective of its magnitude. We may determine that an account with a balance that exceeds the significant misstatement threshold does not have a risk of misstatement greater than the significant misstatement threshold and is therefore not considered to be significant. [3679.0.2]
A disclosure is a significant disclosure if there is a reasonable possibility that the disclosure could contain a misstatement that, individually or when aggregated with others, has a material effect on the financial statements, considering the risks of both overstatement and understatement. The determination of whether a disclosure is significant is based on inherent risk, without regard to the effect of controls. [9239.2]
In Vector, the user is able to insert example accounts and disclosures directly into the engagement file by using the Knowledge Task Pane in the Vector document "Planning Matrix."
Within Vector, the user is able to import accounts from the entity's trial balance using the CaseWareapplication. Once the accounts are imported into CaseWare, the user groups the disaggregated trial balance accounts into potential significant accounts. The complete list of potential significant accounts is then transferred into Vector where the user can associate a specific or generic assertion level risk to the account. (CaseWare is a registered trademark of CaseWare International, Inc.)
A relevant assertion is a financial statement assertion for a significant account or disclosure that has a reasonable possibility of containing a misstatement or misstatements that would cause the financial statements to be materially misstated. The determination of whether an assertion is a relevant assertion is based on inherent risk, without regard to the effect of controls. [9216.1]
For example, an audit objective may be to obtain audit evidence about the completeness and accuracy of sales. In
An audit objective is an objective defined by us for the purpose of efficient gathering of audit evidence about related financial statement assertions. We determine which relevant assertions related to which significant accounts or disclosures are combined into which audit objectives. For example, an audit objective may be to obtain audit evidence about the completeness and accuracy of sales. In this example, the audit objective relates to two assertions because the available audit procedures typically provide audit evidence about both. [9033] We combine assertions and related significant accounts or disclosures to determine audit objectives. [3695] For classes of transactions, we ordinarily combine the related balance sheet and income statement accounts and the related assertions into one audit objective. [3701] For other account balances, we may combine more than one assertion into one audit objective and we may also combine several significant accounts and related assertions into one audit objective. For example, an audit objective may be "existence of inventories" or "completeness, accuracy, and existence of revenue and accounts receivable."[3702] Audit objectives drive the structure of the Audit Program. It is important that we have grouped the appropriate significant accounts and assertions into the appropriate audit objectives to facilitate an effective and efficient audit approach in Control Evaluation and Substantive Testing.
Examples of specific risks that may be identified are as follows: [3668] The entity has recently entered into new markets in XXX and, in order to penetrate these markets, has begun using customer-specific contracts, rather than the entity's standard contract used in the domestic market.
Days sales outstanding for trade receivables in XXX market are 93 days vs. 61 days for the entity's other trade receivables. The sales manager for the region has indicated that collection is 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG often delayed because the customer is slow in accepting the customer-specific modifications that International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis have been made to the product. thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. As a response to declining domestic markets, the entity changed its return policies during year X2 in order to gain customer acceptance of the new product price level. The new policies are not
Page 51 / 133
The entity has recently entered into new markets in XXX and, in order to penetrate these markets, has begun using customer-specific contracts, rather than the entity's standard contract used in the domestic market. International Audit Workbook (Interntional Audit Workbook) Days sales outstanding for trade receivables in XXX market are 93 days vs. 61 days for the entity's other trade receivables. The sales manager for the region has indicated that collection is often delayed because the customer is slow in accepting the customer-specific modifications that have been made to the product. As a response to declining domestic markets, the entity changed its return policies during year X2 in order to gain customer acceptance of the new product price level. The new policies are not used consistently in all sales regions and might be misapplied by individual regions in order to raise sales. The entity's practice of bill and hold transactions provides management with an opportunity to collude with customers, falsify documents, and intentionally misapply facts and circumstances in complying with the entity's revenue recognition policy related to such transactions. In year X0, the entity tried to expand by investing in a business segment. In year X1, the business segment is following the market trend of decreasing volume. Sales numbers as of the underlying business plan of the acquisition are not reached for the second consecutive year.
Special audit consideration may consist of the following: [9246.1] evaluation of the design and implementation of assertion level controls relevant to the identified risks a combination of test of operating effectiveness of controls and substantive procedures that are specifically responsive to an identified inherent risk audit procedures of the same type for the same assertion to obtain sufficient appropriate audit evidence over the assertion, and/or a combination of audit evidence derived from internal and external sources.
Nonroutine transactions are transactions not in the ordinary course of business or infrequent in occurrence. Management intervention may be required for such transactions to be processed. [9184] There are usually some audit objectives that carry a greater inherent risk of error or fraud, that involve considerable judgment, and/or for which it is difficult to obtain audit evidence. [3728] We define an "audit objective associated with a significant risk" as an audit objective associated with a significant account or disclosure for which a significant inherent risk of error or risk of fraud has been identified. [3730] In considering the nature of the risks, we consider a number of matters, including the following: [3733] whether the risk is a risk of fraud
whether the risk is related to recent significant economic, accounting, or other developments 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis and, therefore, requires specific attention thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. the complexity of transactions
Page 52 / 133
account or disclosure for which a significant inherent risk of error or risk of fraud has been identified. [3730] In considering the nature of the risks, we consider a number of matters, including the following: [3733]
International Audit Workbook (Interntional Audit Workbook)
whether the risk is a risk of fraud whether the risk is related to recent significant economic, accounting, or other developments and, therefore, requires specific attention the complexity of transactions whether the risk involves significant transactions with related parties the degree of subjectivity in the measurement of financial information related to the risk, especially those involving a wide range of measurement uncertainty, and whether the risk involves significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual. Audit objectives associated with significant risks include all audit objectives where the inherent risk assessment for error is "significant" or where a risk of fraud has been identified for the audit objective. [3748]
Association of a significant risk with an audit objective affects our audit in several ways, including: a controls approach will be taken for the audit objective when we test the operating effectiveness of automated controls, we perform these tests every year; audit evidence gained in prior periods is not sufficient our audit approach and findings are summarized in the Completion Document the engagement partner and manager are required to review related audit documentation the engagement quality control reviewer is notified of changes to audit documentation after the date of the auditor's report.
In the KPMG audit, "controls approach" and "substantive approach" have the following meaning within the context of an audit objective: [3755.0.1] we take a controls approach for an audit objective when we evaluate the design and implementation of relevant controls
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG we take a substantive approach for an audit objective when we do not evaluate the International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis design and implementation of relevant controls and do not test the operating thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
effectiveness of controls.
Page 53 / 133
In the KPMG audit, "controls approach" and "substantive approach" have the following meaning within the context of an audit objective: [3755.0.1]
International Audit Workbook (Interntional Audit Workbook)
we take a controls approach for an audit objective when we evaluate the design and implementation of relevant controls we take a substantive approach for an audit objective when we do not evaluate the design and implementation of relevant controls and do not test the operating effectiveness of controls.
In all of the above situations, we perform substantive procedures. [3755.0.2] In the KPMG audit, for each audit objective, we document in the Planning Matrix whether we will: take a "controls approach" or a "substantive approach," and audit the audit objective as a "class of transaction," an "estimate/disclosure" or an "other account balance."
These decisions are very important because they define the form of the Audit Program that we will use for each audit objective.
We determine whether we take a "controls approach" or a "substantive approach" for each audit objective, not for the audit as a whole. We cannot adopt a substantive approach for audit objectives associated with a significant risk. In determining our audit approach for audit objectives, we evaluate controls at the assertion level as follows: [3757] for all audit objectives, we understand and document the accounting activities with respect to the underlying financial information for audit objectives for which we have identified a risk of fraud as a result of our risk assessment procedures, we determine whether management has implemented controls to prevent and detect such fraud and we evaluate the design and implementation of antifraud controls relevant to the identified fraud risk for audit objectives associated with significant risks of error, we evaluate the design and implementation of controls relevant to the identified risk, and
for audit objectives where we plan to rely on controls to alter the nature, timing, or extent of our substantive audit procedures, we evaluate the design and implementation and test the operating 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG effectiveness of relevant controls. International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis
thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
When determining our general approach, we consider the volume of transactions recorded in balances for related significant accounts. The greater the volume of transactions the more likely
Page 54 / 133
for audit objectives associated with significant risks of error, we evaluate the design and implementation of controls relevant to the identified risk, and
International Audit Workbook (Interntional Audit Workbook)
for audit objectives where we plan to rely on controls to alter the nature, timing, or extent of our substantive audit procedures, we evaluate the design and implementation and test the operating effectiveness of relevant controls. When determining our general approach, we consider the volume of transactions recorded in balances for related significant accounts. The greater the volume of transactions the more likely that we will take a controls approach, as it is difficult to gain sufficient, appropriate audit evidence regarding transactions recorded in the related significant accounts without testing the operating effectiveness of controls.
We should plan to rely on controls when it is: [3757] more efficient, or not possible or practical to obtain sufficient appropriate audit evidence only from substantive audit procedures in order to reduce audit risk to an acceptably low level.
The following decision tree shows how we evaluate controls and determine further audit procedures for audit objectives not associated with a significant risk. [3758]
For all audit objectives associated with a significant risk (of fraud or error), we evaluate the design and implementation of selected controls.
We determine and document our planned audit approach for each audit objective in the Planning Matrix. The Planning Matrix documents the following steps that we perform in developing our planned audit approach: disaggregate financial statement captions into significant accounts and disclosures, which may themselves include several account balances map the specific inherent risks identified from our risk assessment procedures to significant accounts and related assertions identify other assertions for each significant account for which we need to obtain audit evidence consider whether a risk is specifically related to fraud develop audit objectives (e.g., group assertions for one or more significant accounts affected by the same risks and which we are likely to audit using the same audit procedures. These accounts are likely to be related to the same classes of transactions.) link audit objectives to the relevant Audit Programs assess the inherent risk related to each audit objective as "significant" (e.g., whether they require special audit consideration), "moderate," or "low," and determine our planned audit approach (e.g., "controls approach" or "substantive approach" and whether we will address the audit objective as "class of transaction," "estimate/disclosure," or an "account balance." In addition, we decide whether we plan to test the operating effectiveness of controls and perform substantive analytical procedures and tests of details.)
Certain audit procedures may be more appropriate for some assertions than others. For example, in relation to revenue, tests of controls may be most responsive to the assessed risk of misstatement of the completeness assertion, whereas substantive procedures may be most responsive to the assessed risk of misstatement of the existence and occurrence assertion [3768]. Our selection of audit procedures is based on the assessment of risk. The higher our assessment of risk, the more reliable and relevant is the audit evidence sought by us from substantive procedures. This may affect both the types of audit procedures to be performed and their combination. For example, we may confirm the completeness of the terms of a contract with a third party, in addition to inspecting the document. [3769]
Timing
Timing refers to when we perform audit procedures or to the period or date to which the audit evidence applies. [3781] We may perform tests of control or substantive procedures at an interim date or at period-end. The higher the risk of significant misstatement, the more likely it is that we may decide it is more effective to perform substantive procedures nearer to, or at, the period-end rather than at an earlier date and, if we have identified a risk of fraud related to the relevant assertions, to perform audit procedures unannounced or at unpredictable times. [3782] For example, performing audit procedures at selected locations on an unannounced basis.
Extent
The extent of further audit procedures includes the quantity of a specific audit procedure to be performed.[3788] For example, a sample size or the number of observations of a control activity. In particular, we ordinarily increase the extent of audit procedures as the risk of significant misstatement increases. However, increasing the extent of an audit procedure is effective only if the audit procedure itself is relevant to the specific risk; therefore, the nature of the audit procedure is the most important consideration. [3790]
element of unpredictability
performed on the audit may be better able to conceal fraudulent financial reporting. Therefore, we ordinarily incorporate an element of unpredictability in the selection of the nature, extent, and timing of auditing procedures to be performed. [3795]
Page 57 / 133
However, increasing the extent of an audit procedure is effective only if the audit procedure itself is relevant to the specific risk; therefore, the nature of the audit procedure is the most important consideration. [3790]
Individuals within the entity who are familiar with the audit procedures ordinarily performed on the audit may be better able to conceal fraudulent financial reporting. Therefore, we ordinarily incorporate an element of unpredictability in the selection of the nature, extent, and timing of auditing procedures to be performed. [3795] Incorporating an element of unpredictability may include: [3797] selecting account balances and assertions not otherwise tested due to their materiality or presumed low risk adjusting the timing of the audit procedure from when it is ordinarily expected to be undertaken using different sampling methods performing audit procedures at locations not previously visited or on an unannounced basis.
Use of CAATs
Using CAATs to perform audit procedures may enhance the effectiveness of the audit process by facilitating faster and more extensive review and analysis of large data populations. CAATs may provide the ability to analyze complete populations of data; to easily profile, extract, and summarize items based on specific characteristics; and to apply selected KPMG preprogrammed routines. [3805] CAATs procedures often require adequate planning to determine the appropriate level of skills to execute and use the results of CAATs. They may also require an appropriate level of understanding of the KPMG Routines, a standard functionality of the application used to perform CAATs, and the entity's computer-based information systems and data. Accordingly, in Planning we identify those significant accounts or disclosures and the related audit objectives where we plan to perform CAATs. [3807]
Journal entries
To respond to the risk of management override of controls, we design and perform audit procedures to test the appropriateness of journal entries recorded in the general ledger and other adjustments made in the preparation of financial statements. [7350] Audit objectives 3 and 5 and Appendix II of the Financial Reporting Audit Program provide audit procedures and guidance regarding our approach to journal entries.
IDEACAATs can help make an audit more effective. CAATs can often be performed without the involvement of IRM specialists.
the assertion level for all or some of the significant accounts or disclosures. [3816] If our overall audit strategy or planned audit procedures change significantly based on the revised consideration of assessed risks at the assertion level for all or some of the audit objectives, the related significant modifications of our audit strategy International Audit Workbook (Interntional Audit Workbook) and planned audit approach are reflected in the Audit Programs and documented in the Completion Document. [3819] The engagement partner determines whether the changes to the overall audit strategy or to planned audit procedures are such that revisions to the results and/or conclusions of Planning as a whole or only to certain audit areas are indicated. In case of revisions to the overall approach to our audit, the Planning Document is revised, the appropriate engagement team members review and sign the revised Planning Document, and the original and revised versions of the Planning Document are retained as part of our audit files. When only certain audit areas are affected, the engagement partner may determine to document the change to the audit strategy or to the planned audit procedures in the Completion Document instead of revising the Planning Document. The engagement team documents only those changes that are significant to the audit. [3820] If during Control Evaluation or Substantive Testing an additional financial statement or assertion level risk is identified or if we reassess the significance of a risk that was identified during Planning, we document in the Completion Document the modification to our audit strategy and/or planned audit procedures, including the rationale and resolution of the issue that caused the change. In addition, when applicable, we also modify the Audit Program.
Interntional Audit Workbook
The way in which internal control is designed and implemented varies with an entity's size and complexity. Specifically, smaller entities may use less formal means and simpler processes and procedures to achieve their objectives. For example, smaller entities with active management involvement in the financial reporting process may not have extensive descriptions of accounting procedures or detailed written policies. For some smaller entities, the owner-manager may perform functions that in a larger entity would be regarded as belonging to several of the components of internal control. Therefore, the components of internal control may not be clearly distinguished, but their underlying purposes are equally valid. Control Evaluation is described in the following chart:
The extent of our control evaluation work varies as follows: [4003] in Planning we evaluate the design and implementation of entity level controls and consider the impact of entity level controls on our audit strategy and planned audit approach [4003.1] for every audit objective, we obtain an understanding of, and document in the Audit Program, the relevant accounting activities with respect to the underlying financial information [4003.2] for audit objectives that include relevant assertions that are associated with a risk of fraud, we determine whether management has implemented controls to prevent and detect such fraud; we evaluate the design and implementation of antifraud controls that are relevant to the identified fraud risk and consider the risk of management override of such controls [4003.7] for audit objectives associated with a significant inherent risk of error, we evaluate the design and implementation of selected assertion level controls [4003.8] for audit objectives where we plan to rely on the operating effectiveness of controls to modify the nature, timing, and extent of our substantive procedures, we evaluate the design and implementation and test the operating effectiveness of selected assertion level controls. [4003.9]
We plan to rely on the operating effectiveness of controls to provide audit evidence and to modify the nature, timing, and extent of our substantive procedures where it is: [4003.9.0.1] more efficient to evaluate the design and implementation and test the operating effectiveness of selected controls, or not possible or practical to achieve our audit objective with audit evidence obtained only from substantive audit procedures.
or decreasing the testing that we would otherwise have performed on assertion level controls as well as the nature, timing, and extent of substantive procedures. [3028.2] Additionally, as entity level controls are likely to be Audit Workbook (Interntional Audit Workbook) as a whole, we obtain an pervasive to the financial statements International understanding of entity level controls to: [3029] identify risks of material misstatement in the financial statements determine our audit strategy, and plan the nature, timing, and extent of our further audit procedures.
Obtaining an understanding of entity level controls involves evaluating the design and implementation of the individual components of entity level controls. [3030] In a financial statement audit we are required to evaluate the design and implementation of entity level controls but we are not required to test their operating effectiveness. Where entity level controls are ineffective or partially effective, this may increase our assessment of RoSM for audit objectives and therefore, impact the nature, timing, and extent of our substantive procedures. [4912.1] We obtain this understanding and evaluate the design and implementation of entity level controls simultaneously with our risk assessment procedures in Planning. [3631] Our evaluation of entity level controls includes procedures to evaluate the design and implementation of the entity's broad programs and controls to prevent, deter, and detect fraud.
Entity level controls consist of the following components: Control environment The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for effective internal control, providing discipline and structure. [4012] In obtaining an understanding of and evaluating the design of the control environment and determining whether appropriate controls have been implemented, we understand how management, with the oversight of those charged with governance, has created and maintained a culture of honesty and ethical behavior and established appropriate controls to prevent and detect fraud and error within the entity. [4013] In obtaining and documenting an understanding of and evaluating the design of the entity's control environment, we consider each of the elements identified above and how they have been incorporated into the entity's processes. [4225] Risk assessment process The entity's risk assessment process is management's process for identifying business risks relevant to financial reporting and deciding how those risks should be managed. A precondition to risk assessment is the establishment of objectives, linked at different levels and internally consistent. [4241.1] In obtaining an understanding of the entity's risk assessment process, we determine how management identifies business risks relevant to financial reporting, estimates the significance of the risks, assesses the likelihood of their occurrence, and decides upon actions to manage them. If the entity's risk assessment process is appropriate to the circumstances, it assists us in identifying risks of material misstatement. [4244] In obtaining and documenting an understanding of the entity-wide risk assessment process, we consider whether management: [4250] effectively communicates entity-wide objectives and strategies has an ongoing risk assessment process (formal or informal)
that identifies business risks relevant to financial reporting, their 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis significance, the likelihood of their occurrence and how to thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. manage them, and adequately addresses the effects of changing conditions on the entity
Page 61 / 133
In obtaining and documenting an understanding of the entity-wide risk assessment process, we consider whether management: [4250]
International Audit Workbook (Interntional Audit Workbook) effectively communicates entity-wide objectives and strategies
has an ongoing risk assessment process (formal or informal) that identifies business risks relevant to financial reporting, their significance, the likelihood of their occurrence and how to manage them, and adequately addresses the effects of changing conditions on the entity ensures effective compliance with laws and regulations, including regulatory compliance, for all laws and regulations that have a fundamental effect on the operations of the entity assesses the entity's ability to continue as a going concern identifies and evaluates the vulnerability of the entity to fraudulent activity and whether this could result in a material misstatement in the financial statements implements controls in areas identified as a higher risk of fraudulent activity, and was involved in and communicated the outcome of this process to those charged with governance.
An information system consists of infrastructure (physical and hardware components), software, people, procedures, and data. Infrastructure and software will be absent, or have less significance, in systems that are exclusively or primarily manual. Many information systems make extensive use of IT. [4253.2] In obtaining and documenting an understanding of the information system relevant to financial reporting, we consider whether management has: [4269] developed an information system, linked to the entity's overall strategy, which is responsive to achieving the entity-wide and activity-level objectives developed an IT strategy that supports the entity's overall strategy with respect to the financial reporting information systems controls over obtaining external and internal information to provide management with necessary reports on the entity's performance relative to established financial reporting objectives, and an information system that encompasses methods and records that: identify and record all valid transactions describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period, and present properly the transactions and related disclosures in the financial statements.
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG Communication involves providing an understanding of individual roles and International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis responsibilities pertaining to internal control over financial reporting. It includes the thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
extent to which personnel understand how their activities in the financial reporting information system relate to the work of others and the means of reporting
Page 62 / 133
determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period, and
International Audit Workbook (Interntional Audit Workbook)
present properly the transactions and related disclosures in the financial statements.
Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting. It includes the extent to which personnel understand how their activities in the financial reporting information system relate to the work of others and the means of reporting exceptions to an appropriate higher level within the entity. [4272.4] Open communication channels help ensure that exceptions are reported and acted on. [4272.4] Communication takes such forms as policy manuals, accounting and financial reporting manuals, and memoranda. Communication also can be made electronically, orally, and through the actions of management. [4272.5] Monitoring Monitoring of controls is a process to assess the effectiveness of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions modified for changes in conditions. Management accomplishes monitoring of controls through ongoing activities (e.g., internal audit programs), separate evaluations, or a combination of the two. Ongoing monitoring activities are often built into the normal recurring activities of an entity and may include regular management and supervisory activities. [4023.1] In obtaining and documenting an understanding of the monitoring activities, we consider whether: [4284] management monitors the results of the operations of the business units against objectives and expected results, including budgets and forecasts management ensures the effectiveness of: any self-assessment processes or periodic systems evaluations used internal audit activities (including IT internal audit) monitoring controls performed at centralized processing locations, including shared service centers, and monitoring of computer operations
management performs comparisons of amounts recorded in the accounting system with physical assets management monitors the effectiveness of internal controls over financial reporting and initiates corrective actions to its controls management considers the reliability of information related to the entity's monitoring activities management has policies and procedures for identifying, evaluating, and accounting for litigation and claims, and internal audit activity (where applicable) is adequate, including IT internal audit, and whether the head of internal audit reports directly to those charged with governance.
The control environment includes the governance and management functions and the attitudes, awareness, and actions of those charged with governance and management concerning the entity's internal control and its importance to the entity. The control environment is a component of internal control. It includes an entity's: 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis [9062]
thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
commitment to competence
The control environment includes the governance and management functions and the attitudes, awareness, and actions of those charged with governance and management concerning the entity's internal control and its importance to the entity. The control environment is a component of internal control. It includes an entity's: [9062] communication and enforcement of integrity and ethical values commitment to competence participation by those charged with governance assignment of authority and responsibility management's philosophy and operating style organizational structure, and human resources policies and practices.
For an SE or VSE engagement, we consider the following: Audit evidence for elements of the control environment may not be available in documentary form, in particular for smaller entities where communication between management and other personnel may be informal, yet effective. For example, management's commitment to ethical values and competence are often implemented through the behavior and attitude they demonstrate in managing the entity's business instead of in a written code of conduct. Consequently, management's attitudes, awareness, and actions are of particular importance in the design of a smaller entity's control environment. The role of those charged with governance is often undertaken by the owner-manager where there are no other owners. Smaller entities may implement the control environment elements differently than larger entities do. For example, smaller entities might not have a written code of conduct, but instead develop a culture that emphasizes the importance of integrity and ethical behavior through oral communication and by management example. Through the visibility and direct involvement of senior management, the commitment to integrity and ethical values can be communicated verbally in staff meetings and one-onone meetings. The nature of an entity's control environment is such that it has a pervasive effect on assessing the risks of material misstatement. For example, owner/manager controls may mitigate a lack of segregation of duties in a small business. A smaller entity may not have formalized human resources policies. Policies and practices nevertheless may exist and be communicated by senior management to the staff. Expectations about the type of person to be hired can be verbally communicated and several, if not all levels, of senior management may typically be involved in the recruiting process. Formal documentation is not always necessary for a policy or control to be in place and operating effectively. The basic concepts of the entity's risk assessment process are relevant to every entity, regardless of size, but the risk assessment process is likely to be less formal and less structured in smaller entities than in larger ones. All entities should have established financial reporting objectives, but they may be recognized implicitly rather than explicitly in smaller entities. Management may be aware of risks related to these objectives without the use of a formal process but through direct personal involvement with employees and outside parties. For smaller entities, we discuss with management how risks to the business are
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG identified by management and how they are addressed. International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
Information systems and related business processes relevant to financial reporting in smaller entities are likely to be less formal than in larger entities, but their role is just as significant. Smaller entities with active management involvement may not need extensive
Page 64 / 133
All entities should have established financial reporting objectives, but they may be recognized implicitly rather than explicitly in smaller entities. Management may be aware of risks related to these objectives without the use of a formal process but through direct International Audit Workbook (Interntional Audit Workbook) personal involvement with employees and outside parties. For smaller entities, we discuss with management how risks to the business are identified by management and how they are addressed. Information systems and related business processes relevant to financial reporting in smaller entities are likely to be less formal than in larger entities, but their role is just as significant. Smaller entities with active management involvement may not need extensive descriptions of accounting procedures, sophisticated accounting records, or written policies. Ongoing monitoring activities of smaller entities are more likely to be informal and are typically performed as a part of the overall management of the entity's operations. Management's close involvement in operations often will identify significant variances from expectations and inaccuracies in financial data leading to corrective action to the control. A smaller entity's management may have a more "hands-on" involvement in most areas of the entity's operations. For example, frequent visits to the factory floor, assembly area, or warehouse and comparing physical inventory with amounts reported by the data processing system are all monitoring controls of a smaller entity. A smaller entity is less likely to undergo separate evaluations of the internal control systems; however, a "hands-on" approach involving ongoing monitoring by senior management may be just as effective. Also, a smaller entity may give accounting personnel the responsibility to evaluate controls of certain operations.
4.1.2 Prior Period Material Weaknesses and Other Deficiencies in Internal Control over Financial Reporting
Based on the actions taken by management with respect to material weaknesses and other deficiencies in internal control over financial reporting that had a significant impact on our audit approach and that were reported in the prior period, we assess the control consciousness of management. We also document any continuing control deficiencies noted and communicate them appropriately. [4216]
Entity level controls often have a pervasive impact on control activities over classes of transactions, account balances derived from estimates, other account balances, and disclosures and therefore on our assessment of the risk of significant misstatement. Our understanding and evaluation of the Workbookand implementation of entity level controls includes International Audit design (Interntional Audit Workbook) considering whether the control environment provides an appropriate foundation for the other components of internal control. The nature of the risks arising from a weak control environment is such that they are not likely to be confined to specific individual risks of material misstatement in particular classes of transactions, account balances derived from estimates, other account balances, and disclosures. Rather, weaknesses such as management's lack of competence may have a more pervasive effect on the financial statements and may, where appropriate, require an overall response by us. [4203] We conclude as to whether the design and implementation of the control environment, entity-wide risk assessment process, information systems relevant to financial reporting, and monitoring of controls are effective. Our conclusion may impact the audit approach to specific audit objectives. [4218] We evaluate the design and implementation of individual entity level controls as either effective or ineffective; we then make an overall assessment for each component of entity level controls as follows: Evaluation of entity level controls Effect of entity level controls on our planned audit approach
Effective - appropriately We may expect to find controls at the assertion level to also be effective and, thus, designed and implemented we may plan our audit approach for selected audit objectives to include tests of the operating effectiveness of controls. [3632] Partially effective We consider the effect of such deficiencies in determining our audit approach at the appropriately designed and assertion level. [3632.1] implemented, but with a limited number of identified deficiencies Ineffective - not appropriately designed or implemented It is less likely that controls at the assertion level are appropriately designed, implemented, and operating effectively; therefore, we would apply our audit approach with an emphasis on substantive procedures. [3632.2]
It would be unlikely that weak entity level controls would render all assertion level controls unreliable, other than in the smallest entities. Therefore, for audit objectives associated with a significant risk, we seek to identify relevant controls and consider how the controls are impacted by the weaknesses in entity level controls.
Based on our understanding and the evaluation of the effectiveness of entity level controls in each of the sections in the Entity Level Controls Program, we document the implications on our audit in the Planning Document. For example, if we determine: [4208] controls relating to integrity and ethical values to be ineffective, we may be unable to rely on management representations internal audit to be ineffective or not independent from those charged with governance, we may not be able to use their work or use them in a direct assist capacity on the engagement.
For an SE engagement, entity level controls are documented in the SE Planning Document.
Accounting activities is a term to describe the information system, including the related business processes International Audit Workbook (Interntional Audit Workbook) relevant to financial reporting, which includes the following: [9008] the procedures, within both IT and manual systems, by which those transactions are initiated, authorized, recorded, processed, and reported in the financial statements the related accounting records, whether electronic or manual, supporting information, and specific accounts in the financial statements with respect to initiating, recording, processing, and reporting transactions how the information system captures events and conditions, other than classes of transactions, that are significant to the financial statements the financial reporting process used to prepare the entity's financial statements, including significant accounting estimates and disclosures.
We refer to the areas listed above as accounting activities, or the information system. [4302.1] We should obtain an understanding of the information systems, including the related business processes, relevant to financial reporting. [4302] The information system relevant to financial reporting objectives includes the accounting system. It consists of the procedures and records established to: [4302.2] initiate, authorize, record, process, and report entity transactions (as well as events and conditions), and maintain accountability for the related assets, liabilities, and equity.
We organize our procedures by audit objectives. For every audit objective, we obtain an understanding of, and document the relevant accounting activities with respect to, the underlying financial information. The nature of the activities to be documented will depend on whether the significant account(s) being addressed in the audit objective is being audited as: [4303] a class of transaction an account balance derived from an estimate an "other" account balance (not derived from an estimate), or a disclosure. For classes of transactions, we obtain an understanding of accounting activities for the purpose of identifying points in the activity that introduce risk (significant risk points). [4039] Significant risk points are points where there is a reasonable possibility that a misstatement, including a misstatement due to fraud, could occur that, individually or in combination with other misstatements, would exceed the significant misstatement threshold.[4039] We identify significant risk points by answering the question: "What could go wrong and where in the process could an error occur?" [4039] Our primary concerns usually relate to determining that all transactions are properly captured and authorized, and that the system can process high volumes of transactions consistently and accurately. [4333] Account balances derived from an estimate Estimates involve judgments, and we are concerned with how management goes about identifying the estimates that need to be made, and the quality of the judgments inherent in the estimates. [4345]
Classes of transactions
For account balances derived from estimates, the risk points are likely to be the specific aspects considered in understanding the accounting activities; therefore, it is unnecessary to consider risk points in understanding and documenting activities 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG related to account balances derived from estimates. [4040] International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis
thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
Usually, the greater the degree of uncertainty surrounding an identified business risk, the greater the risk of significant misstatement in the financial statements due to the accounting estimate. This is because management may find it more difficult to
Page 67 / 133
Estimates involve judgments, and we are concerned with how management goes about identifying the estimates that need to be made, and the quality of the judgments inherent in the estimates. [4345]
International Audit Workbook (Interntional Audit Workbook)
For account balances derived from estimates, the risk points are likely to be the specific aspects considered in understanding the accounting activities; therefore, it is unnecessary to consider risk points in understanding and documenting activities related to account balances derived from estimates. [4040] Usually, the greater the degree of uncertainty surrounding an identified business risk, the greater the risk of significant misstatement in the financial statements due to the accounting estimate. This is because management may find it more difficult to establish effective controls to prevent, or to detect and correct, a significant misstatement where there is a higher degree of uncertainty. [4346.4] When obtaining an understanding of relevant accounting activities related to account balances derived from estimates, we consider:[4346]/[4346.1] "Other" account balances the underlying business risks the preparation of the estimate quality of information used assumptions on which the estimate is based qualifications and competence of the preparer, relative to the complexity, and historical accuracy of the estimate.
Our understanding and documentation of accounting activities for those other significant account balances, where we are not testing the related classes of transactions, covers the activities over ensuring that the period-end account balance is not significantly misstated, as well as any controls identified related to these activities. [4368] When obtaining an understanding of relevant accounting activities and controls related to disclosures, we consider: [4370] the preparation of the disclosure the quality of information used the assumptions on which the disclosure is based, and the qualifications, competence, and objectivity of the preparer of the disclosure.
Disclosures
For disclosures, the risk points are likely to be the specific aspects considered in understanding the accounting activities. [4370.1]
The Audit Program has separate sections to document accounting activities and controls. The section used depends on whether a controls approach or substantive approach will be used and whether the audit objective addresses one or more classes of transactions, an account balance derived from an estimate, an other account balance, or a disclosure. Each section includes our specific considerations for that approach.
For SE and VSE engagements, the boxes in the Audit Program for documentation of accounting activities have been combined for consideration and documentation.
When we follow a controls approach, we document selected controls and evaluate their design and implementation. Where Page 68 we plan to rely on controls to alter the nature, timing, or extent of our substantive procedures, we also test their operating / 133
Assertion level controls include control activities, the entity's risk assessment process relevant to assertions, and the monitoring of controls applied at the assertion level. [4033.1.1] When we follow a controls approach, we document selected controls and evaluate their design and implementation. Where we plan to rely on controls to alter the nature, timing, or extent of our substantive procedures, we also test their operating effectiveness. We plan to rely on controls when it is: [3757] more efficient, or not possible or practical to obtain sufficient appropriate audit evidence only from substantive audit procedures in order to reduce audit risk to an acceptably low level.
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis Information processing A variety of controls that are performed to confirm the accuracy, thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. completeness, and
[4613.65]
authorization of transactions. The two broad groupings of control activities relating to information systems are application controls and IT general controls. Examples of application controls include exception/edit reports, system configuration/account
Page 69 / 133
relating different sets of data-operating or financial-to one another, together with analyses of the relationships and investigative and corrective actions; comparing internal data with external sources of information; and management review of International Audit Workbook (Interntional Audit Workbook) functional or activity performance, such as a bank's consumer loan manager's review of reports by branch, region, and loan type for loan approvals and collections. [4621] Information processing [4613.65] A variety of controls that are performed to confirm the accuracy, completeness, and authorization of transactions. The two broad groupings of control activities relating to information systems are application controls and IT general controls. Examples of application controls include exception/edit reports, system configuration/account mapping controls, interface/conversion controls, and system access. [4613.66] When evaluating the design and implementation and testing the operating effectiveness of controls, we identify and focus our evaluation and testing on the application control(s) that manage relevant risks rather than evaluating and testing all of the entity's application controls within a particular process. [4613.68.1] Application controls have a strong relationship with IT general controls and are audited in conjunction with those IT general controls. [4613.68.2] Physical controls [4661] These activities encompass the physical security of assets, including adequate safeguards such as secured facilities over access to assets and records; access to computer programs and data files; and periodic counting and comparison (reconciliation) with amounts shown on control records. [4662] The extent to which physical controls intended to prevent theft of assets are relevant to the reliability of financial statement preparation, and therefore the audit, depends on circumstances such as when assets are highly susceptible to misappropriation. [4664]
The concepts underlying control activities in smaller entities are likely to be similar to those in larger entities, but the formality with which they operate varies. Further, smaller entities may find that certain types of control activities are not relevant because of controls applied by management. For example, management's retention of authority for approving credit sales, significant purchases, and drawdowns on lines of credit can provide strong control over those activities, lessening or removing the need for more detailed control activities. Smaller entities often have fewer employees, which may limit the extent to which segregation of duties is practicable. However, for key areas, even in a very small entity, it can be practicable to implement some degree of segregation of duties or other form of unsophisticated but effective controls. The potential for override of controls by the owner-manager depends to a great extent on the control environment and in particular, the owner-manager's attitudes about the importance of internal control.
For an SE engagement, the IT General Controls Program has been integrated into the SE Planning Document; although the considerations remain the same, the extent of required documentation has been reduced.
Page 70 / 133
We only test the operating effectiveness of IT general controls if they support the operating effectiveness of the application controls on which we intend to rely to provide audit evidence and to modify the nature, timing, and extent of substantive International Audit Workbook (Interntional Audit Workbook) procedures. [4613.12.2] If relevant to the engagement, the audit objectives listed below are mandatory when completing the IT General Controls Program. [4613.9.1.2] For an SE engagement, the IT General Controls Program has been integrated into the SE Planning Document; although the considerations remain the same, the extent of required documentation has been reduced. If the engagement meets the criteria for the involvement of IRM specialists, then the separate IT General Controls Program is to be completed instead of the IT general controls section in the SE Planning Document. For VSE engagements, we take a substantive approach for substantially all significant accounts and disclosures. In the circumstances when there is no reliance on any IT related controls throughout the entire audit, we are not required to document our understanding of the IT general controls. However, in circumstances when we intend to rely on the operating effectiveness of automated controls (including manual controls with an IT component, or IT system generated reports) throughout the period under audit, we evaluate the design and implementation and test the operating effectiveness of such controls, including related IT general controls and document our procedures in the Audit Program - VSE. The IT General Controls Program may be used as a guide to determine the relevant work to be performed; however, completion of this document is not mandatory. The following audit objectives and components are considered in the IT General Controls Program: Audit Objective Access to programs and data To determine whether adequate controls for access to programs and data have been established to reduce the risk of unauthorized/inappropriate access to the relevant information systems related to financial reporting. [4613.17.1] Components Programs and data access components [4613.17.2] Program changes To determine whether adequate controls for program changes have been established to ensure that changes to existing systems/applications are authorized, tested, approved, properly implemented, and documented. [4613.28.1] information security policy/user awareness physical access configuration of access rules access administration identification and authentication monitoring, and super users.
Program change components [4613.28.2] authorization, development, testing, and approval migration to the production environment configuration changes, and emergency changes.
Program development To determine whether adequate controls for program development have been established to ensure that new systems/applications which are developed or acquired are authorized, tested, approved, properly implemented, and documented. [4613.43.1]
Program development components [4613.43.2] methodology for development/acquisition design, development, testing, approval, and implementation, and data migration.
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis To determine whether adequate controls for computer job processing thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
Computer operations
operations have been established to ensure that system/application processing is appropriately authorized and scheduled and deviations from scheduled
Page 71 / 133
data migration. International Audit Workbook (Interntional Audit Workbook) Computer operations To determine whether adequate controls for computer operations have been established to ensure that system/application processing is appropriately authorized and scheduled and deviations from scheduled processing are identified and resolved. [4613.51.1] End-user computing We determine whether management has implemented appropriate policies and procedures to ensure IT general controls are properly applied to end-user computing environment, including controls to address: access to programs and data program change program development, and computer operations. Computer operations components [4613.51.2] job processing backup and recovery procedures, and incident and problem management procedures.
The entity may support end-user computing with IT general controls consistent with its level of sophistication. Such general controls should, however, address access to programs and data, program change, program development, and computer operations. [4613.60.4] Management should have appropriate controls in place to ensure that policies to address IT general controls over critical data, transactions, and programs being maintained by end users exist and are being followed. Generally, IT general controls and application controls over end-user computing are documented in the relevant Audit Program. [4613.62]
We complete an IT General Controls Program for each relevant IT environment when we intend to rely on application controls to provide audit evidence and to modify the nature, timing, and extent of our substantive procedures. [4613.9.3] An IT environment is an environment where the entity has implemented a common set of policies and procedures to support the effective functioning of application controls. IT general controls, by their nature, are not limited to individual applications or locations. A single IT general control may relate to multiple applications or locations. [4613.9.3.1] For example, an ERP system often operates in a single environment, and this may cover all our financial systems, whereas "legacy" systems often have their own "computing environment" and may require a separate IT General Controls Program for each system. In the Audit Program there is a question for every control identified as to whether the control has an IT component. There will be an IT component for every IT application control and for every manual control that uses data produced by an IT system. Whenever we intend to rely on these controls to modify the nature, timing, and extent of our substantive procedures, we will need to understand the related IT general controls, evaluate their design and implementation, and test their operating effectiveness. We determine that we have the appropriate knowledge, skills, and experience within the engagement team to evaluate and test IT general controls; we will frequently involve IRM specialists in the audit to evaluate the design and implementation, and test the operating effectiveness of IT general controls and relevant automated application controls. Our response to ineffective IT general controls may include performing additional audit procedures that would enable us to continue to rely on the application control, evaluating the design and implementation, and testing the operating effectiveness of other controls designed to achieve the same control objective or increasing our assessment of control risk and therefore RoSM thereby modifying the nature, timing, and extent of our substantive procedures. We ordinarily work closely with IRM specialists in responding to ineffective IT general controls. [4793.4.0.2]
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG Where a compensating control cannot be identified for a deficient control, or the identified International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis compensating control does not operate at the same level of precision as the thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. deficient control, we
modify the nature, timing, and extent of our substantive procedures. [4793.4.1]
Page 72 / 133
design and implementation, and testing the operating effectiveness of other controls designed to achieve the same control objective or increasing our assessment of control risk and therefore RoSM thereby modifying the nature, timing, and extent Audit Workbook) International Audit Workbook (Interntional of our substantive procedures. We ordinarily work closely with IRM specialists in responding to ineffective IT general controls. [4793.4.0.2] Where a compensating control cannot be identified for a deficient control, or the identified compensating control does not operate at the same level of precision as the deficient control, we modify the nature, timing, and extent of our substantive procedures. [4793.4.1] Example controls for each of the four areas of IT general controls are accessible via the LCE global home page on KWorld by selecting LCE General Global Knowledge followed by ITGC General Global. While the knowledge has been customized to the LCE workflow, the knowledge is also applicable for use on the FSA, SE, and VSE workflows.
If we have identified a risk of fraud associated with an audit objective, we evaluate the design and implementation of antifraud controls that are relevant to the identified fraud risk and, if effectively designed and implemented, and where we intend to rely on the effectiveness of the controls to modify the nature, timing, and extent of substantive procedures, we test their operating effectiveness. We determine whether to evaluate preventative controls, detective controls, or a combination of both for individual relevant assertions for individual audit objectives. We ordinarily evaluate a combination of preventative and detective controls, although we focus on controls that detect and correct a misstatement rather than preventative controls. Detective controls may provide audit evidence in relation to one or more audit assertions and may be a more effective means of gaining audit evidence. [4420.3] We also consider the risks identified at the financial statement level and any deficiencies found in the entity level controls 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis when determining control activities to be evaluated. These may include: [4420.4]
thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
the incorrect application of accounting principles, including the competency of the individuals and their ability to interpret and apply generally the applicable financial reporting framework
Page 73 / 133
assertions for individual audit objectives. We ordinarily evaluate a combination of preventative and detective controls, although we focus on controls that detect and correct a misstatement rather than preventative controls. Detective controls may provide audit evidence in relation toInternational Audit Workbook (Interntional Audit Workbook) one or more audit assertions and may be a more effective means of gaining audit evidence. [4420.3] We also consider the risks identified at the financial statement level and any deficiencies found in the entity level controls when determining control activities to be evaluated. These may include: [4420.4] the incorrect application of accounting principles, including the competency of the individuals and their ability to interpret and apply generally the applicable financial reporting framework For example, when an extended period is required for sales (for example, real estate), delivery (for example, construction contracting), or collection (for example, installment sales), there may be an increased risk that the accounting principles for revenue recognition are misapplied. a weak control environment For example, there exists an inappropriate segregation of duties or ineffective systems development process. management fraud, possibly through journal entries (including electronic manipulation) inappropriately designed computer information systems For example, computer information systems do not prevent the entry of duplicate transactions. misappropriation of assets For example, misappropriation of assets may occur if employees have access to cash or other negotiable assets. ineffective monitoring of controls For example, the timeliness and accuracy of reconciliations is not monitored. entering into business areas or transactions with which the entity has little experience.
To the extent that the design and operating effectiveness of an application control are dependent on an indirect (supporting) control, we obtain evidence regarding the operating effectiveness of the supporting control. For instance, internal controls in an application are dependent on IT general controls. [4047.2]; [4420.2.1]
Our description of a control covers: [4423] the objective of the control (including the risk it helps to mitigate) how it is performed and documented how frequently it is applied the knowledge, experience, and skills of the person performing it (if it's a manual control) the nature and size of the potential misstatements, both intentional and unintentional, that it is likely to prevent, detect, and correct, and whether the control has an IT component.
This description forms the basis for our evaluation of design and implementation, where we are concerned with whether the control is capable, if operating effectively, of preventing, or detecting and correcting a significant misstatement in the financial statements and whether the entity is using the control. [4423.3]
Page 74 / 133
financial statements and whether the entity is using the control. [4423.3]
4.3.7 Understanding Likely Sources AuditPotential Misstatements International of Workbook (Interntional Audit Workbook)
In performing our audit, we understand the likely sources of potential misstatements for classes of transactions, account balances derived from estimates, other account balances, and disclosures. [4430.1] To further understand the likely sources of potential misstatements for classes of transactions, and as a part of selecting controls to test, we perform procedures to achieve the following objectives: [4431] understand the flow of transactions related to the relevant assertions, including how these transactions are initiated, authorized, processed, and recorded verify that we have identified the relevant significant risk points identify the controls that management has implemented to address these significant risk points, and identify the controls that management has implemented over the prevention or timely detection of unauthorized acquisition, use, or disposition of the entity's assets that could result in a material misstatement of the financial statements.
For a class of transactions, it is presumed that we will perform walkthroughs in order to achieve the objectives outlined above. In the event we believe that the objectives of this section can be met by performing procedures other than a walkthrough, those procedures and their relationship to the objectives are documented in the Audit Program. [4431.1] In performing a walkthrough, we follow a single transaction from origination through the entity's processes, including information systems, until it is reflected in the entity's financial records, using the same documents and information technology that entity personnel use. At the points at which important processing procedures occur, we question the entity's personnel about their understanding of what is required by the entity's prescribed procedures and controls. [9322] Walkthrough procedures usually include a combination of inquiry, observation, and inspection of relevant documentation. [4432] The procedures that we perform during our walkthrough are ordinarily sufficient to evaluate the design and implementation of controls. [4432] Walkthroughs that include a mix of inquiry, observation, inspection, and reperformance of controls may be sufficient to test the operating effectiveness of controls depending on the mix of procedures performed; the risk of failure of the control; the nature, timing, and extent of tests of operating effectiveness; and the results of those procedures. [4432.0.2]
4.3.8 Evaluate the Design and Implementation of Selected Assertion Level Controls
Obtaining an understanding of internal controls involves evaluating the design of a control and determining whether it has been implemented. Evaluating the design of a control involves considering whether the control, individually or in combination with other controls, is capable of effectively preventing, or detecting and correcting, material misstatements. Implementation of a control means that the control exists and that the entity is using it. We consider the design of a control in determining whether to consider its implementation. An improperly designed control may represent a material weakness in the entity's internal control and we consider whether to communicate this to management and those charged with governance. [4440]; [4114] Our procedures when evaluating the design and implementation of controls may include: [4444.1] inspection of documents and records observation of controls being performed, and/or inquiries of appropriate personnel
Inquiry alone is not sufficient to provide appropriate evidence to support a conclusion about the effective design and implementation of a control; therefore, we supplement it with other procedures. We may be able to evaluate the design and implementation of relevant controls while performing
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG a walkthrough. International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
Page 75 / 133
Although smaller entities usually do not have complex IT environments, we still consider whether specialized skills
Inquiry alone is not sufficient to provide appropriate evidence to support a conclusion about the effective design and implementation of a control; therefore, we supplement it with other procedures.
International Audit Workbook (Interntional Audit Workbook)
We may be able to evaluate the design and implementation of relevant controls while performing a walkthrough.
Although smaller entities usually do not have complex IT environments, we still consider whether specialized skills and the use of Information Risk Management professionals are necessary for testing controls that have an IT component.
We perform tests of the operating effectiveness of controls only on those controls that we have determined are suitably designed and implemented to prevent, or detect and correct, a significant misstatement in an assertion. [4703] We do not test the operating effectiveness of controls that we have determined are either not designed effectively or have not been implemented properly by the entity.
Tests of operating effectiveness are concerned with: [4703.2] how controls were applied the consistency with which they were applied during the period, and by whom they were applied.
When testing the operating effectiveness of controls, we consider the following: [4704]
Nature
There are a number of control testing techniques that we may use to obtain audit evidence about the effectiveness of the operation of controls, such as: [4730] observation We observe the performance of the control. inquiry We ask a knowledgeable person for information about the operation of a control. reperformance
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG We reperform the operation of a control to ascertain that it was performed correctly. International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
recalculation
We recalculate the mathematical accuracy of documents or record supporting the operation of a control.
Page 76 / 133
reperformance We reperform the operation of a control to ascertain that it was performed correctly.
recalculation We recalculate the mathematical accuracy of documents or record supporting the operation of a control. Recalculation can be performed by using CAATs to check the accuracy of the summarization of the file.
corroborative inquiry We corroborate results of inquiries concerning the performance of a control through confirmation with other members of the entity. Corroboration helps to confirm the validity and consistency of the application of a control.
knowledge assessment We combine inquiry, inspection, and reperformance techniques to test an individual's knowledge of a subject or his or her ability to perform a control effectively.
system query We test automated controls within an information technology application to determine whether they are operating as expected.
We should perform other audit procedures in combination with inquiry to test the operating effectiveness of controls. [4731]
Timing
The timing of tests of controls depends on our objective and determines the period of reliance on those controls. When we perform audit work before the period-end, we consider the potentially increased risk that we will not detect a significant misstatement that may exist at the period-end. We reduce this potentially increased audit risk by performing additional audit work to cover the remaining period in a way that provides a reasonable basis for extending the audit conclusions to the period-end. [4747.1] /[4748] If we test controls at a particular time, we only obtain audit evidence that the controls operated effectively at that time. However, if we test controls throughout a period, we obtain audit evidence of the effectiveness of the operation of the controls during that period. [4745] If we perform tests of controls prior to period-end, we consider the additional evidence required for the remaining period. [4743] For all controls that are tested up to an interim date, we also document in the Audit Program the procedures performed to obtain additional audit evidence that they continued to operate effectively for the remaining period. [4750.1] Relevant factors in determining what additional audit evidence to obtain about controls that were operating during the period remaining after an interim period, include: [4751] the significance of the assessed risks of significant misstatement the specific controls that were tested during the interim period the degree to which audit evidence about the operating effectiveness of those controls was obtained the length of the remaining period the extent to which the auditor intends to reduce further substantive procedures based on the reliance of controls, and
For example, if a control is automated, with effective IT general controls, inquiry alone may be sufficient regardless of the Page 77 / 133 length of the roll-forward period. If a manual control involves a high degree of subjectivity or judgment, we usually expect
the degree to which audit evidence about the operating effectiveness of those controls was obtained
International Audit Workbook (Interntional Audit Workbook) the length of the remaining period
the extent to which the auditor intends to reduce further substantive procedures based on the reliance of controls, and the control environment.
For example, if a control is automated, with effective IT general controls, inquiry alone may be sufficient regardless of the length of the roll-forward period. If a manual control involves a high degree of subjectivity or judgment, we usually expect the nature of the roll-forward procedures to be more extensive than inquiry and the roll-forward period to be limited.
Extent
When we test controls, we use our professional judgment to determine the extent of our audit procedures. We design our audit procedures to be sufficiently extensive to provide reasonable assurance that the controls operated effectively throughout the period. [4763.1] Extent includes the quantity of a specific audit procedure to be performed, for example, a sample size or the number of observations of a control activity. The extent of an audit procedure is determined by us after considering each of the following: [4763.2] The characteristics of the population Is the population from which we are selecting the sample appropriate for the specific test objective?
The degree of assurance provided by the sample and other tests of controls. Are we performing tests of controls over a single control addressing an assertion or multiple controls addressing the same assertion?
The number of control deviations that can be accepted Do we expect control deviations in the sample? Guidance below is presented separately based on our expectation regarding control deviations in the sample.
Our assessment of the risk of failure of the control If the control is not effective, is there a risk that a material misstatement would result?
We consider whether the rate of expected control deviations indicates that the control will not be sufficient to reduce the risk of significant misstatement. If the rate of expected control deviations is expected to be too high, we may determine that tests of controls for a particular assertion may not be effective. [4767.3.1]
International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
Page 78 / 133
The risk of failure is the risk that the control might not be effective and, if not effective, the risk that a material misstatement would result. We assess the risk of failure as lower or higher using our professional judgment, based on the specific circumstances of the control. [4766.3] As the risk of failure of the control increases, the evidence we obtain also increases such that we might choose to obtain more persuasive audit evidence and/or more evidence in terms of number of operations of the control tested. [4766.1.1]
Factors that affect the risk of failure associated with a control include: [4766.4] the nature and materiality of the misstatements which the control is designed to prevent or detect the assertions addressed by the control the inherent risk of error associated with the relevant significant account and assertions whether there have been changes in the volume or nature of transactions over which the control operates the competence of the personnel who perform the control or monitor its performance, and whether there have been changes in such personnel the effectiveness of relevant entity level controls, particularly monitoring controls which relate to the specific control being tested the nature of the control and the frequency with which it operates the complexity of the control and the significance of the judgments that must be made in connection with its operation whether the related significant account has a history of errors the degree to which the control relies on the effectiveness of other controls, and whether the control relies on performance by an individual or is automated.
KAM International 4766.5 contains examples of indicators of higher and lower risks of failure for each factor. Increasing the extent of an audit procedure is effective only if the audit procedure itself is relevant to the specific risk; therefore, the nature of the audit procedure is the most important consideration. [4763.7]
Sample sizes for testing manual controls when we expect no control deviations
We consider the following guidance related to the frequency of the performance of the control when planning the extent of tests of the operating effectiveness of manual controls for which we do not expect to find control deviations. We determine the appropriate number of control occurrences to test based on the following minimum sample size for the frequency of the control activity dependent on whether we have assessed a lower or higher risk of failure of the control. [4768.1] Frequency of control activity Minimum sample size Risk of failure Lower Annual 1 Higher 1
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis Quarterly (including period-end, i.e. +1) 1+1 1+1 thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
Monthly
Page 79 / 133
Risk of failure Lower International Audit Workbook (Interntional Audit Workbook) Annual Quarterly (including period-end, i.e. +1) Monthly Weekly Daily Recurring manual control (multiple times per day) 1 1+1 2 5 15 25 Higher 1 1+1 3 8 25 40
Although +1 is used to indicate that the period-end control is tested, this does not mean that for more frequent control operations the year-end operation cannot be tested.
Sample sizes for testing recurring manual controls when we accept some control deviations
In circumstances when we test a larger sample of controls and accept a small number of control deviations, when testing controls which operate at more than one homogeneous location or when we are performing a dual-purpose test, where our substantive sample size is larger than the indicated minimum for the test of operating effectiveness of the control, we use the following table to determine the number of control deviations which can be accepted for a given sample size, for both a lower or higher risk of failure of the control: [4769.2] [4769.3] Sample sizes Risk of failure Lower 50 60 71 85 98 111 124 137 150 163 175 Higher 80 95 111 133 154 175 195 215 235 255 275 1 2 3 4 5 6 7 8 9 10 11 Number of acceptable control deviations
200
314
13
Page 80 / 133
150 163 175 188 200 212 225 237 249 261 273 285
235 255 International Audit Workbook (Interntional Audit Workbook) 275 294 314 333 352 372 391 410 429 448
9 10 11 12 13 14 15 16 17 18 19 20
After determining which locations we will test, we select and test a minimum of 10 operations of the recurring manual controls at each location selected. We use the table above to determine the aggregate number of control deviations acceptable for the corresponding total sample size. [4770.6] For example, if we test a homogeneous control at 15 locations, the minimum sample size is 150 items and the maximum number of expected control deviations in the sample is 9 for a control which we assess as having a lower risk of failure. When we test controls at multiple locations, we conclude controls are effective if not more than the aggregate acceptable number of control deviations are found in the total of the sample items selected, and not more than one control deviation is found at each sampled location. [4770.7] Continuing with the previous example, if one control deviation is detected in each of nine locations, and no control deviations are detected in the remaining six locations, we conclude that the control is effective, if none of the control deviations are considered to be representative of a systematic or intentional control deviation. This table above may also be used in other circumstances in consultation with a KPMG Sampling Specialist. [4769.2] We may design a test of controls to be performed concurrently with a test of details on the same transaction. The objective of tests of controls is to evaluate whether a control operated effectively. The objective of tests of details is to detect significant misstatements at the assertion level. Although these objectives are different, both may be accomplished concurrently through performance of a test of controls and a test of details on the same transaction, also known as a dual-purpose test. [4735] For example, when attending the physical inventory count, we may select a sample of items for which we reperform the client's count to test the operating effectiveness of internal controls. This also provides us with substantive audit evidence. In some situations, a similarly designed control operates at the same time over many different components of a class of transactions, account balance, or disclosure. In these situations we use our judgment to determine the extent of testing both in terms of the frequency of testing (such as number of days, weeks, or months to test) and the number of similar operations to test at each point in time (such as number of locations or different application controls effected). [4613.14.3] For example, an entity may have one change management process to manage changes made to all of its applications. If the control to authorize, test, and approve program changes occurs 12 times during the year and includes multiple changes on each occurrence, we may choose to test 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG two occurrences of the control during the period under audit. Rather than test the operation of International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis the control to authorize, test, and approve every change at these two occurrences, we may thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. inspect the documentation to identify changes relevant to financial reporting and use professional Page 81 / 133 judgment to select a sample of the changes at each of the two occurrences. We then test the
as number of days, weeks, or months to test) and the number of similar operations to test at each point in time (such as number of locations or different application controls effected). [4613.14.3]
International Audit Workbook (Interntional Audit Workbook)
For example, an entity may have one change management process to manage changes made to all of its applications. If the control to authorize, test, and approve program changes occurs 12 times during the year and includes multiple changes on each occurrence, we may choose to test two occurrences of the control during the period under audit. Rather than test the operation of the control to authorize, test, and approve every change at these two occurrences, we may inspect the documentation to identify changes relevant to financial reporting and use professional judgment to select a sample of the changes at each of the two occurrences. We then test the operating effectiveness of this sample.
Use of audit evidence obtained in prior periods regarding the operating effectiveness of controls
This section is relevant for both manual and automated controls.
When we have determined that an assessed risk of material misstatement at the assertion level is a significant risk and we plan to rely on the operating effectiveness of controls intended to mitigate that significant risk, we should obtain the audit evidence about the operating effectiveness of those controls from tests of controls performed in the current period. [ISA 330.44][4775.5.1.4]
Our decision to base our assessment of the operating effectiveness of controls on evidence obtained in previous audits is a matter of professional judgment. [4775.5.2] If we plan to use audit evidence about the operating effectiveness of specific controls obtained in previous audits, we: establish the continuing relevance of that evidence by obtaining audit evidence about whether changes in those specific controls have occurred subsequent to the previous audit by performing a walkthrough, and test the entitys relevant monitoring controls, which provide a basis for managements assertion that there have been no changes to those specific controls and that those specific controls continue to operate effectively.
If there have been changes that affect the continuing relevance of the audit evidence obtained in the previous audit, we test the operating effectiveness of such controls in the current audit. [4775.5.8] See section titled "Understand likely sources of potential misstatements" in the Control Evaluation chapter of KAM for further guidance about walkthroughs. If we plan to rely on controls that have not changed since they were last tested, we should test the operating effectiveness of such controls at least once in every third audit. [4775.5.1.2] Factors that ordinarily decrease the period for retesting a control include: [4775.5.4] an ineffective or partially effective control environment ineffective or partially effective monitoring of controls a significant manual element to the relevant controls personnel changes that significantly affect the application of the control changing circumstances that indicate the need for changes in the control, and ineffective IT general controls.
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG If we plan to use audit evidence about the operating effectiveness of controls obtained in previous audits, we: [4775.5.12.1] International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
describe the audit evidence obtained through a walkthrough that supports that no changes in the design or implementation of the subject controls have occurred since our last evaluation
Page 82 / 133
a significant manual element to the relevant controls personnel changes that significantly affect the application of the control
International need for changes in the control, and changing circumstances that indicate the Audit Workbook (Interntional Audit Workbook)
If we plan to use audit evidence about the operating effectiveness of controls obtained in previous audits, we: [4775.5.12.1] describe the audit evidence obtained through a walkthrough that supports that no changes in the design or implementation of the subject controls have occurred since our last evaluation include in the current audit file a copy of the prior years working papers relating to our evaluation of the design and implementation of the controls and our test of their operating effectiveness document the conclusions reached with regard to the use in the current audit of audit evidence about the operating effectiveness of controls that was obtained in a previous audit.
Our testing considerations during an audit period are made on an assertion basis and not on a control-by-control basis. Therefore, when there have been changes that affect the continuing relevance of the audit evidence about one or more controls related to an assertion, we do not use audit evidence obtained in previous audits about the operating effectiveness of other controls that operate over the same assertion. [4775.5.9] When there are a number of controls for which we determine that it is appropriate to use audit evidence obtained in prior audits, we should test the operating effectiveness of some controls each audit. [4775.5.1.3]
Underlying data represents information produced by the entity that may be included in a system generated report or a management prepared document. [4776.1] When we use information produced by the entity to perform audit procedures, we should obtain audit evidence about the accuracy and completeness of the information. [4776.2] The nature and extent of audit procedures performed will vary depending on engagement-specific circumstances and on whether the information is the product of an automated or a manual activity. [4785.2] Automated If a system-generated report is the product of an automated activity, and IT general controls are tested and found to be operating effectively for the period under audit, then we may assess the design and operating effectiveness of relevant automated application controls associated with information included in the document to determine whether such information may be used in performing further audit procedures (substantive or control). [4785.5] Manual If a management-prepared document is the product of a manual activity, then we may assess the design and operating effectiveness of relevant manual controls associated with information included in the document to determine whether such information may be used in performing further audit procedures (substantive or control). [4785.6] We refer to the sample size guidance for testing manual controls in the section titled, "Extent of tests of controls" of KAM.
When automated application controls associated with the completeness and accuracy assertions are different, relevant controls for each assertion should be assessed for effectiveness. In designing the relevant audit procedures, we assess and conclude on both the accuracy and completeness 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG assertions. International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis
thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
We refer to the sample size guidance in the section titled, "Extent of tests of controls" in KAM.
Page 83 / 133
When automated application controls associated tests of controls" of KAM. with the completeness and accuracy assertions are different, relevant controls for eachInternational Audit Workbook (Interntional Audit Workbook) assertion should be assessed for effectiveness. In designing the relevant audit procedures, we assess and conclude on both the accuracy and completeness assertions. We refer to the sample size guidance in the section titled, "Extent of tests of controls" in KAM. Procedures performed to assess the accuracy of underlying data also include checking the mathematical accuracy of such reports or documents. [4785.6.1] When IT general controls are not tested for operating effectiveness, or are deemed ineffective, or manual controls have not been determined to be effective during the period, we assess the accuracy of information included in underlying data using sampling. [4785.13] The following chart outlines the suggested sample sizes: Estimate of the number of transaction items Suggested sample size included in the population 50 or fewer 51-250 >250 5 15 25
If we detect an error while performing our audit procedures, we need to understand: the nature and cause of the error its impact on the assertion associated with the report or document whether it may be indicative of systematic error or the possible existence of fraud.
We make specific inquiries to understand these matters and their potential consequences. We use professional judgment in determining the nature and extent of additional audit procedures necessary to confirm our understanding. [4785.14.1] The nature and source of the underlying data will dictate the nature and extent of audit procedures performed to assess completeness of data. [4785.10] For example, when the underlying data does not include all items within a particular account balance, assessing completeness of information included in such documents may require alternative audit procedures. [4785.11] For example, to assess the completeness of a management-prepared document representing unpaid customer invoices outstanding greater than 90 days (90-day report), we may assess the completeness of the information included in the 90-day report by selecting source documents from the unpaid accounts file (a reciprocal population) to determine if the related invoices are appropriately reflected in, or omitted from, the 90-day report. The sample size determination should be made based on the number of individual items in the reciprocal population. We assess the completeness and accuracy of underlying data each time the underlying data is generated and the related information is used in the performance of further audit procedures (control or substantive) when we do not have evidence that the relevant controls are operating effectively for the underlying data. [4785.16] For example, where information included in underlying data (e.g., accounts receivable aging) is prepared as of an interim date and as of year-end, and is used in the performance of further audit procedures (control or substantive), completeness and accuracy are assessed as of the interim date and as of year-end.
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG does not apply to periodic controls (daily, weekly, or monthly). International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. cannot be extended If control deviations are found in tests of periodic controls, the sample size
and we conclude that the control is ineffective and consider the implication on our audit approach. [4792.3]
Page 84 / 133
This guidance relates only to recurring controls that operate each time a transaction occurs. It does not apply to periodic controls (daily, weekly, or monthly). If control deviations are found in tests of periodic controls, the sample size cannot be extended and we conclude that the control is ineffective and consider the implication on our audit approach. [4792.3]
When control deviations are detected during the performance of tests of controls, we make specific inquiries to understand the cause of the control deviations and their potential consequences, for example, by inquiring about the timing of personnel changes in key internal control functions. We determine whether such control deviations are representative of systematic or intentional control deviations. [4792.5.2] The discovery of a systematic or intentional control deviation ordinarily requires a broader consideration of possible implications than does the discovery of an error. [4792.6] If in our judgment the deviation is believed to be intentional, we follow the guidance in the section titled "Consider the fraud, earnings management, and internal control implications of audit differences" in the Completion chapter of KAM International.
!
Findings
Considering the consequences of a control deviation is a matter of professional judgment. When a deviation is not considered to be representative of a systematic or intentional control deviation, we consider if we can conclude that the control is operating effectively as follows: No expected error (normal situation) Example Sample size is less than 50 for a lower risk control or 80 for a higher risk control Conclude control is effective. [4791.2] Increased sample size sufficient that some error can be accepted (in accordance with the table above) Greater than 50 for lower risk of failure or 80 for higher risk of failure Conclude control is effective. [4791.2]
If we conclude the control deviation does not represents a systematic or intentional control deviation, we either conclude the control is not effective or carry out additional testing on a sample size at least the same size as the initial sample size. Conclude the control is not effective.
If we conclude the control deviation does not represent a systematic or intentional control deviation, we conclude the control is effective.
If we conclude the control deviation does not represent a systematic or intentional deviation, we assess the control as being effective if the number of deviations is less than or equal to the number of acceptable control deviations for the sample size and ineffective if the number of deviations found is greater than the number of acceptable control deviations for the sample size. [4792.4] 1 See below for special considerations for a homogenous control operating over multiple locations
No errors found in
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG extended sample larger initial sample size is used and the International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis number of deviations identified is greater thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
than the number of acceptable control deviations for the sample size.
Page 85 / 133
1 See below for special considerations for a homogenous control operating over multiple locations International Audit Workbook (Interntional Audit Workbook) No errors found in extended sample Conclude control is effective. We do not extend the sample size where a larger initial sample size is used and the number of deviations identified is greater than the number of acceptable control deviations for the sample size. We do not extend the sample size where a larger initial sample size is used and the number of deviations identified is greater than the number of acceptable control deviations for the sample size.
One or more errors Conclude the control is not effective. found in the extended sample size
When we test controls at multiple locations, we conclude controls are effective if not more than the aggregate acceptable number of control deviations are found in the total of the sample items selected, and not more than one deviation is found at each sampled location. If we find more than one deviation at a sampled location, we conclude that the control is ineffective at that specific location and modify the nature and extent of our test work at the specific location(s) for which the controls were deemed to be ineffective. [4792.5.1] We consider the nature and cause of the control deviation and determine whether the conditions under which the deviation occurred are applicable at other locations. [4792.5.1]
Considering the consequences of a control deviation is a matter of professional judgment and is influenced by the characteristics of the control and the number of control deviations detected. [4792.7] For example, the failure in a reconciliation control during an interim period may be corrected before the period-end, in such a way that does not impact the financial statements, while still impacting on other audit procedures. For example, if a bank reconciliation is not performed for the four months from June to September, but is performed appropriately at the periodend, the control will still be effective in relation to the recording of cash receipts and cash payments in the period and can be relied upon. However, the failure to operate the control effectively during the period does undermine the reliability of monthly management accounts and thus any trend analysis performed over the period. If control deviations are found in tests of controls which operate periodically, the sample size cannot be extended and we conclude that the control is ineffective and consider the implication on our audit approach. [4792.3]
An operating deficiency also includes the failure to implement a control that has been properly designed.
We analyze and evaluate all exceptions discovered in testing internal control over financial reporting to determine whether they represent deficiencies. In making this determination, we consider several factors, including: [4793.3] How was the exception detected? Detection by another control may be a sign of an effective detective control, while detection through management or our testing may be indicative of a deficiency.
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis Is the exception confined to a single location, process, or application, or is it pervasive in the thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. organization?
How significant is the control deviation from stated policy? For example, was the control
Page 86 / 133
We analyze and evaluate all exceptions discovered in testing internal control over financial reporting to determine whether they represent deficiencies. In making this determination, we consider several factors, including: [4793.3] How was the exception detected? Detection by another control may be a sign of an effective International Audit Workbook (Interntional Audit Workbook) detective control, while detection through management or our testing may be indicative of a deficiency. Is the exception confined to a single location, process, or application, or is it pervasive in the organization? How significant is the control deviation from stated policy? For example, was the control performed late but still before the preparation of the financial statements or was the control not performed at all? How often were exceptions detected in relation to how frequently the control is performed?
We also determine the effect of the exception on the nature and extent of additional testing that may be appropriate or necessary and on the operating effectiveness of the control being tested. A conclusion that an identified exception does not represent a control deficiency is appropriate only if evidence beyond what was initially planned and beyond inquiry supports that conclusion. [4793.4] If the results of our tests of control show that the internal controls are not designed and operating effectively, we assess control risk in terms of controls being ineffective. [4793.2] Our response to ineffective IT general controls is based on the facts and circumstances specific to each entity. The potential effect and our possible response to ineffective IT general controls are as follows: [4793.4.0.1] Effect The extent to which we may place reliance on specific controls to modify the nature, timing, and extent of the substantive procedures that we intend to perform Audit response Performing additional audit procedures that would enable us to continue to rely on the application control and/or evaluating the design and implementation, and testing the operating effectiveness of other controls designed to achieve the same control objective. [4793.4.0.2] For example, if we intend to rely on an application control consisting of a three-way match, but conclude that program change controls specific to this application control are ineffective because application developers had unrestricted access to migrate changes into the live environment, we may perform additional audit procedures that would enable us to continue to rely on the application control. We may be able to determine that: no changes were made to the application the only people that made changes to the application were authorized and the changes were appropriate.
We may also test the application control at more than one point during the audit. The number of tests of the application control depends, amongst others, on the nature and frequency of the control, the frequency of changes to the application, the assessment of inherent risk, and especially fraud risk. The number of tests is likely to be less frequent than a recurring manual control. [4775.3.1] Our assessment of control risk and therefore RoSM Increasing our assessment of control risk and therefore RoSM thereby modifying the nature, timing, and extent of our substantive procedures. [4793.4.0.2]
The engagement team ordinarily works closely with IRM specialists in responding to ineffective IT general controls. [4793.4.0.2]
Material weaknesses in internal control are control deficiencies that could have a material effect on the financial statements. [9171]
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
Our responsibility to communicate weaknesses in internal control applies equally to an SE or VSE engagement, even when:
Page 87 / 133
!
International Audit Workbook (Interntional Audit Workbook)
Material weaknesses in internal control are control deficiencies that could have a material effect on the financial statements. [9171]
Our responsibility to communicate weaknesses in internal control applies equally to an SE or VSE engagement, even when: we believe the owner-manager may already be informed about such matters, we are not sure if weaknesses in internal control, particularly those related to limited segregation of duties, can be addressed in a cost beneficial manner.
It is only by communicating identified weaknesses that we can be certain that management and those charged with governance have been informed of the problem.
In a substantive approach, we document our understanding of the accounting activities relevant to the significant accounts that the audit objective addresses, and then make our RoSM assessment. If we do not evaluate the design and implementation of controls for a particular audit objective, the assessment of RoSM is based on the assessment of inherent risk. For audit objectives for which we are adopting a substantive approach, the Audit Program has fewer sections: one section to document the accounting activities (which varies depending on whether the audit objective addresses one or more classes of transactions, an account balance derived from an estimate, an "other" account balance, or a disclosure), one section to document our RoSM assessment, and the final section to document our substantive procedures for that audit objective. We assess whether to adopt a substantive approach for individual audit objectives, not for the whole audit. We cannot adopt a substantive approach for audit objectives associated with a significant risk.
An entity's financial reporting process also includes the use of nonstandard journal entries to record nonrecurring, unusual entries or adjustments.
International Audit Workbook (Interntional Audit Workbook)
Examples of such entries include consolidating adjustments and entries for a business combination or disposal or nonrecurring estimates such as an asset impairment. [4803] In manual, paper-based general ledger systems, nonstandard journal entries may be identified through inspection of ledgers, journals, and supporting documentation. However, when automated procedures are used to maintain the general ledger and prepare financial statements, such entries may exist only in electronic form and may be more easily identified through the use of computer-assisted audit techniques (CAATs). [4803] In addition, we understand how the incorrect processing of transactions is resolved, for example, whether there is an automated suspense file and how it is used by the entity to ensure that suspense items are cleared out on a timely basis, and how system overrides or bypasses to controls are processed and accounted for. [4804] For each of the mandatory financial reporting audit objectives we: [4808] document the activities relevant to the audit for each financial reporting audit objective evaluate the design and implementation of selected controls and test their operating effectiveness when we plan to rely on the operating effectiveness of controls to modify the nature, timing, or extent of our substantive procedures, and perform substantive procedures to obtain audit evidence.
A smaller entity will often be less likely to have effective controls over the financial reporting process. Accordingly, we may take a substantive approach in completing the mandatory audit objectives listed below unless: a significant inherent risk of error or a fraud risk has been identified with respect to the audit objective it is more efficient to take a controls approach, or it is only possible to reduce audit risk to an acceptably low level by performing tests of controls.
3. Journal entries
4. Subsequent events
5. Adjustments
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG This audit objective may not be applicable if consolidated financial statements are not International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis presented. thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
6. Cash flows
To obtain sufficient appropriate evidence that the cash flows have been accumulated, recorded, processed, summarized, and reported appropriately in the statement of
Page 89 / 133
5. Adjustments
To obtain sufficient appropriate audit evidence that recurring and nonrecurring adjustments to consolidated financial statements, such as consolidating and International Audit Workbook (Interntional Audit Workbook) eliminating entries, report combinations, classifications, and "top-side" journal entries, have been authorized and recorded appropriately. [4808.27] This audit objective may not be applicable if consolidated financial statements are not presented.
6. Cash flows
To obtain sufficient appropriate evidence that the cash flows have been accumulated, recorded, processed, summarized, and reported appropriately in the statement of cash flows. [4808.31] This audit objective may not be applicable if a cash flows statement is not required.
7. Equity
To obtain sufficient appropriate evidence that the movements in equity have been accumulated, recorded, processed, summarized, and reported appropriately in the statement of changes in equity. [4808.35]
"Top-side" entry is a term commonly used to describe journal entries or adjustments that are initiated by the parent company as part of the preparation of the financial statements for the group ("push-down" entries or adjustments) and relate to the subsidiary. Such entries may be recorded as consolidation or "post closing" entries, or the subsidiary may be instructed to record the entry in its general ledger or through its reporting package to the parent company. In general, these entries are usually initiated by management-level personnel and are not routine or associated with the normal processing of transactions. "Top-side" entries or adjustments may be initiated by the parent company or another subsidiary, which include in their results the results of the subsidiary that has been instructed to record the journal entry or adjustment. [9310] "Post closing" entry is a term commonly used to describe journal entries processed as part of preparation of the entity's financial statements, which are usually made after a reporting period has ended, but before the financial statements for the period have been filed. They may or may not be reflected in the entity's general ledger. For the purposes of our audit, these include entries that are made subsequent to the closing of the general ledger that the engagement team is auditing. [9198.2]
Appendix I to the Financial Reporting Audit Program contains mandatory substantive audit procedures in relation to the subsequent events audit objective.
If we do not evaluate the design and implementation of controls for a particular audit objective, the assessment of RoSM is based on the assessment of inherent risk. Our evaluation of entity level controls can also affect our assessment of RoSM for audit objectives. Where entity level controls are poor or ineffective, this may increase our assessment of RoSM. Effective entity level controls cannot reduce our assessment of RoSM. [4912.1]
When assessing RoSM, we also consider the nature, cause (if known), and amount of audit differences from the audit of the 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis prior period's financial statements. [4920]
thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
Normally, for low or moderate inherent risks, we will evaluate the design and implementation of
Page 90 / 133
Our evaluation of entity level controls can also affect our assessment of RoSM for audit objectives. Where entity level controls are poor or ineffective, this may increase our assessment International Audit Workbook (Interntional Audit Workbook) of RoSM. Effective entity level controls cannot reduce our assessment of RoSM. [4912.1]
When assessing RoSM, we also consider the nature, cause (if known), and amount of audit differences from the audit of the prior period's financial statements. [4920] Normally, for low or moderate inherent risks, we will evaluate the design and implementation of controls only when we also intend to test the operating effectiveness so that we can obtain audit evidence that the controls are operating effectively and therefore we can modify the nature, timing, and extent of our substantive procedures. For low or moderate inherent risks, if we plan to obtain all the audit evidence from substantive procedures, then we would not need to evaluate the design and implementation of controls. For significant inherent risks, we have to evaluate the design and implementation of controls whether or not we plan to obtain audit evidence over the operating effectiveness of controls. The following matrix indicates a suggested RoSM assessment, given our assessment of inherent risk and whether: [4935] controls are effectively designed and implemented and whether we obtained sufficient appropriate audit evidence that the control is operating effectively (column 1), or we have chosen not to test the operating effectiveness of the control (column 2), or controls are not effective. These controls may be either improperly designed or not implemented, or not operating effectively.
This matrix is not intended to be prescriptive. If we determine that a lower (or higher) RoSM than that suggested by the matrix is appropriate, we can make such a choice of RoSM provided this decision is appropriately justified and documented and justified in the Audit Program. [4936]
Effective entity level controls support RoSM assessments suggested by the above RoSM matrix. However, deficiencies in entity level controls could undermine the effectiveness of some of the control activities and therefore may require us to amend upwards our assessment of RoSM for some or all audit objectives. [4937] For example, if entity level controls are deficient, an RoSM assessment suggested by this matrix may be increased from low to moderate or from moderate to high, requiring further audit procedures to obtain more persuasive audit evidence than 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG would have been necessary if we did not have deficiencies in entity level controls. International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis
thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
In performing substantive procedures, we may detect misstatements in amounts or frequency greater than is consistent with our control risk assessment. In circumstances where we obtain
Page 91 / 133
Effective entity level controls support RoSM assessments suggested by the above RoSM matrix. However, deficiencies in entity level controls could undermine the effectiveness of some of the control activities and therefore may require us to amend upwards our assessment of RoSM for some or all audit objectives. [4937]
International Audit Workbook (Interntional Audit Workbook)
For example, if entity level controls are deficient, an RoSM assessment suggested by this matrix may be increased from low to moderate or from moderate to high, requiring further audit procedures to obtain more persuasive audit evidence than would have been necessary if we did not have deficiencies in entity level controls. In performing substantive procedures, we may detect misstatements in amounts or frequency greater than is consistent with our control risk assessment. In circumstances where we obtain audit evidence from performing further audit procedures that tends to contradict our control risk assessment on which we originally based the RoSM assessment, we revise the control risk assessment and modify the nature, timing, or extent of further planned audit procedures accordingly. [4945] For example, the extent of misstatements that we detect by performing substantive procedures may alter our judgment about the control risk assessment and may indicate a material weakness in internal control. In addition, analytical procedures performed at the overall review stage of the audit may indicate a previously unrecognized RoSM. If, as a result of the substantive procedures performed, we determine that the RoSM assessment is to be revised upward, we: revise our RoSM assessment upward to reflect a different assessment of inherent risks subsequent to completion of the Planning Document, and determine whether the revised RoSM assessment is a significant change, which is documented in the Completion Document
The previously documented assessment is retained, and a revised RoSM assessment, as well as the rationale for the revised RoSM assessment, is documented in the Audit Program.
Interntional Audit Workbook
International Audit Workbook (Interntional Audit Workbook) 5.1. Risk of Significant Misstatement
During Control Evaluation, we evaluated the impact of controls on our planned audit approach, confirmed whether we are adopting a controls or a substantive approach for each audit objective, and assessed the risk of significant misstatement based on the results of our Control Evaluation procedures. [5003] We plan and perform substantive procedures to be responsive to our assessment of the risk of significant misstatement (RoSM). [5103] Substantive procedures are performed in order to detect significant misstatements at the assertion level and include substantive analytical procedures and tests of details of classes of transactions, account balances, and disclosures. [3790.4] For audit objectives that are associated with an assertion level fraud risk or for which we have assessed RoSM as high, our substantive procedures include tests of details, or a combination of tests of details and substantive analytical procedures, that are specifically responsive to the assessed risks. Substantive analytical procedures alone do not provide sufficient appropriate audit evidence for such audit objectives. [5107]
We plan our substantive procedures, based on our RoSM assessment, using the following guidelines: RoSM Assessment 1 Approach/Assessment Substantive analytical procedures only may be appropriate 2 Tests of details required 2 Low X Moderate X High
1 Refer to the RoSM Matrix in the Control Evaluation chapter for guidance on how each of the risk of significant misstatements assessments is arrived at. 2 It may be necessary to perform a combination of substantive analytical procedures and tests of details to obtain sufficient appropriate audit evidence. We consider the sufficiency and appropriateness of the audit evidence we plan to obtain from substantive analytical procedures, in the context of our assessment of the risk of significant misstatement, before deciding whether it is appropriate to perform tests of details. [5402.1]
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis the nature of specific controls (manual or automated) and whether we expect to obtain audit thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
evidence on operating effectiveness of those controls, and whether there is a risk of fraud.
Page 93 / 133
the reporting period, the nature and magnitude of the account balance or disclosure, and the assertions covered by the audit objective risks identified during Planning International Audit Workbook (Interntional Audit Workbook) the risk of significant misstatement the nature of specific controls (manual or automated) and whether we expect to obtain audit evidence on operating effectiveness of those controls, and whether there is a risk of fraud.
We consider whether we have sufficient appropriate audit evidence for all relevant assertions. [5014] For example, we may obtain audit evidence for the completeness of sales and receivables principally through tests of controls and substantive analytical procedures and obtain audit evidence about the existence and occurrence, and accuracy of sales and receivables by performing substantive procedures, such as a confirmation of balances or tests on subsequent cash receipts.
5.3.1 Nature
The nature of substantive audit procedures refers to either substantive analytical procedures or tests of details. [5121] We exercise judgment in selecting the appropriate combination of substantive procedures in response to the risk of significant misstatement. Substantive analytical procedures may or may not provide us with all the audit evidence necessary to respond to the risk of significant misstatement assessment for an audit objective. Tests of details may also be required. [5133.9.6] The nature of substantive procedures is illustrated below:
5.3.2 Timing
The timing of substantive audit procedures refers to when audit procedures are performed or the period or date to which the audit evidence applies. [5135] Timing Consideration
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG Period-end The higher the risk of significant misstatement, the more likely it is that we decide it International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.or at, the period-end is more effective to perform substantive procedures nearer to,
rather than at an earlier date, or to perform audit procedures unannounced or at unpredictable times. [5138]
Page 94 / 133
The timing of substantive audit procedures refers to when audit procedures are performed or the period or date to which the audit evidence applies. [5135]
International Audit Workbook (Interntional Audit Workbook)
Timing Period-end
Consideration The higher the risk of significant misstatement, the more likely it is that we decide it is more effective to perform substantive procedures nearer to, or at, the period-end rather than at an earlier date, or to perform audit procedures unannounced or at unpredictable times. [5138] Certain substantive procedures can be or may be performed only at or after periodend. [5141] For example, agreeing or reconciling the financial statements with the accounting records and examining adjustments made during the course of preparing the financial statements.
Prior to period-end
When substantive procedures are performed at an interim date, the risk that misstatements may exist at the period-end and are not detected increases. This risk increases as the remaining period is lengthened. [5150] If we perform substantive procedures prior to period-end, we consider the additional audit evidence required for the remaining period. [5151]
5.3.3 Extent
The extent of an audit procedure includes the quantity of a specific audit procedure to be performed. [5160] For example, a sample size for a test of details or the number of observations of a control activity. We increase the extent of our audit procedures if we assess the risk of significant misstatement at a higher level. [5162] The use of CAATs may enable more extensive testing of electronic transactions and account files. Such techniques can be used to select sample transactions from key electronic files, to sort transactions with specific characteristics, or to test an entire population instead of a sample. [5163.1]
We use our judgment to consider whether the precision of the procedure is appropriate given the desired level of audit evidence. [9199] Substantive analytical procedures are appropriate when: [5124]
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG can be obtained International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
data can be disaggregated and tested to an appropriate level where persuasive audit evidence
procedures are performed on large volumes of transactions that tend to be predictable over time plausible relationships exist that are sufficiently stable and predictive for us to achieve the
Page 95 / 133
We use our judgment to consider whether the precision of the procedure is appropriate given the desired level of audit evidence. [9199]
International Audit Workbook Substantive analytical procedures are appropriate when: [5124](Interntional Audit Workbook)
data can be disaggregated and tested to an appropriate level where persuasive audit evidence can be obtained procedures are performed on large volumes of transactions that tend to be predictable over time plausible relationships exist that are sufficiently stable and predictive for us to achieve the required precision when forming our expectation an expectation can be developed with sufficient precision to identify a significant misstatement at the desired level of assurance, and prior period knowledge indicates that such analysis can be effective.
When performing substantive analytical procedures, we: [5300.2] Procedure Determine audit objectives and significant account balance(s)/disclosure(s) and consider whether planned substantive analytical procedures will provide the desired level of assurance Considerations Effectively designed substantive analytical procedures may provide audit evidence as to the following assertions related to significant accounts and disclosures: C, E, A, V Prior to designing or performing substantive analytical procedures, we consider the suitability of using substantive analytical procedures given the assertion and the desired level of assurance. In determining the suitability of substantive analytical procedures, we consider: [5303] the nature of the account or disclosure the assessment of the risk of significant misstatement (RoSM) the risk of management override, and whether an expectation can be developed with sufficient precision to identify a material misstatement at the desired level of assurance.
When designing substantive analytical procedures to respond to RoSM assessment associated with an audit objective, we assess whether an expectation can be developed with sufficient precision to identify a significant misstatement at the desired level of assurance. Factors impacting the precision of a substantive analytical procedure include: [5318] the predictability of relationships between data the degree to which information can be disaggregated the availability and reliability of data and information, both financial and nonfinancial the type of procedure used.
The amount of audit evidence derived from a substantive analytical procedure varies with its precision. Generally, the more precise the procedure, the more persuasive the audit evidence obtained. [5319] Identify key factors and key We develop expectations based on our understanding of the key factors and key relationships impacting an relationships that impact an account balance or disclosure. [5322] account/disclosure and set Key factors are often the common drivers of a number of the relationships in the expectation(s) 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG financial statements and are frequently the same factors that management may International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis consider in preparing budgets, forecasts, or financial reports. These factors may be thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. either financial or nonfinancial. [5323] Key relationships usually tie the key factors to account balances or disclosures within
Page 96 / 133
the audit evidence obtained. [5319] Identify key factors and key We develop expectations Workbook (Interntional Audit Workbook)the key factors and key International Audit based on our understanding of relationships impacting an relationships that impact an account balance or disclosure. [5322] account/disclosure and set Key factors are often the common drivers of a number of the relationships in the expectation(s) financial statements and are frequently the same factors that management may consider in preparing budgets, forecasts, or financial reports. These factors may be either financial or nonfinancial. [5323] Key relationships usually tie the key factors to account balances or disclosures within the financial statements or represent interrelationships between financial statement captions. [5324] For example, the number of employees is the key factor and the average salary per employee the key relationship underlying an entity's annual salary expense. When information produced by the entity is used in setting the expectation, we obtain audit evidence about the accuracy and completeness of that information. This may be obtained by either evaluating the design and operating effectiveness of controls over the production and maintenance of both financial and nonfinancial information used in the substantive analytical procedure, or by performing other procedures to support the completeness and accuracy of the underlying information. [5328] When considering management information such as budgets or forecasts in developing our expectation(s), we obtain an understanding of the process used by management in producing these budgets/forecasts. [5329] Where our expectation(s) is developed based on the results of inquiries of management, we corroborate this information prior to relying on the results of substantive analytical procedures. [5330] Set acceptable difference
an acceptable difference of not more than the significant misstatement threshold. [5336] We consider using an acceptable difference that is lower than the significant misstatement threshold when we have a moderate or high level of risk of significant misstatement. [5337] We use our judgment to adjust the precision of the substantive analytical procedure such that the acceptable difference is a reasonable percentage of the total balance that is subject to the substantive analytical procedure. [5338] For example, where the balance of the significant account is only just above the significant misstatement threshold we may use our judgment and set an acceptable difference lower than the significant misstatement threshold. Compare recorded amount We evaluate the results of the substantive analytical procedure by comparing the with expectation entity's recorded amount to our expectation. When the entity's recorded amount falls within the acceptable difference around our expectation, the procedure is complete and we have obtained the audit evidence we planned to obtain from the procedure. [5342.1] Investigate difference that falls outside range of acceptable difference When the entity's recorded amount falls outside the range of acceptable difference around our expectation, we investigate the reason for the difference. [5342.2] The investigation of a difference that falls outside the range of acceptable difference around our expectation ordinarily consists of the following: inquiries of management
where appropriate, redesign the substantive analytical procedure to take into account additional information. [5343.1]
Page 97 / 133
around our expectation, we investigate the reason for the difference. [5342.2] The investigation of a difference that falls outside the range of acceptable difference around ourInternational Audit Workbook (Interntional Audit Workbook) expectation ordinarily consists of the following: inquiries of management corroborating managements explanation, and where appropriate, redesign the substantive analytical procedure to take into account additional information. [5343.1]
Where investigation of the difference identifies that all or a portion of the difference is due to client error and we can quantify this error, we include the error on the Summary of Audit Differences, where this equals or exceeds the audit difference posting threshold. Where management provides a reasonable and valid explanation for any difference remaining after identification of an error, we corroborate management's explanation and where appropriate, redesign the substantive analytical procedure to take into account this additional information. [5344.1] Where management is unable to provide a reasonable and valid explanation for all or a portion of the difference or management's explanation cannot be corroborated, we reconsider our audit approach as we have not been able to obtain the audit evidence we planned from the substantive analytical procedure. [5344.2] Revise expectation and acceptable difference, if appropriate, and compare revised expectation with recorded amount. Where reasonable and valid explanations have been provided by management as to why the recorded amount falls outside the range of acceptable difference and we have been able to corroborate the explanation, we consider revising our expectation and acceptable difference, where appropriate, to take into consideration the additional information provided by management. [5345.1]
We document the performance of substantive analytical procedures and our conclusion in the Substantive Analytical Procedure Template or in the working papers. [5353.1/5354] Example substantive analytical procedures as well as example completed Substantive Analytical Procedures Templates and spreadsheets supporting the completed templates for interest expense, depreciation expense, and payroll expense are available on ARO and can also be accessed from the Global Assurance Practice Page.
Where a significant account balance is inherently predictable and we are able to develop a precise expectation, therefore our acceptable difference is small, regardless of the assessed RoSM, a difference higher than the acceptable difference may be indicative of fraud or error and require further investigation. [5340]
Management is unable to Where management is unable to provide a reasonable and valid explanation for all or provide a reasonable and a portion of the difference or management's explanation cannot be corroborated, we valid explanation for the reconsider our audit approach as we have not been able to obtain the audit evidence difference or we planned from the substantive analytical procedure. This situation may be 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG management's explanation indicative of fraud and require further investigation and additional procedures. International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis cannot be corroborated [5344.2] thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
Page 98 / 133
Management is unable to provide a reasonable and valid explanation for the difference or management's explanation cannot be corroborated
Where management is unable to provide a reasonable and valid explanation for all or a portion of the difference or management's explanation cannot be corroborated, we International Audit Workbook (Interntional Audit Workbook) reconsider our audit approach as we have not been able to obtain the audit evidence we planned from the substantive analytical procedure. This situation may be indicative of fraud and require further investigation and additional procedures. [5344.2]
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG For example, transposed digits or other numerical errors. International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
When performing tests of details, we may choose to: [5011] test the entire population
Page 99 / 133
For example, maintenance expense coded to an asset account. differences in amounts for data captured or processed. For example, transposed digits or other numerical errors. Choose selection methods for testing When performing tests of details, we may choose to: [5011] test the entire population select items with specific characteristics for testing select a sample by using KPMG Monetary Unit Sampling (MUS), the KPMG Sampling Plan, or other substantive sampling techniques with the involvement of a KPMG sampling specialist.
International Audit Workbook (Interntional Audit Workbook)
Methods of selection
Examples of when it may be appropriate to apply this method of selection For example, it may be appropriate to test everything when the population consists of a small number of large value items, when the risk of significant misstatement is high, and when other means do not provide sufficient appropriate audit evidence. For example, it may also be appropriate to test everything when the repetitive nature of a calculation or other process performed automatically by an information system makes it cost effective, for example, through the use of CAATs.
Considerations
Entire population
For example, identifying items that meet Selecting specific items is likely to be more certain criteria, such as amounts that are effective when any of the following are true: greater than the significant misstatement [5415] threshold, inventory items that have not we assess the risk of moved for more than six months, or accounts significant misstatement as receivable that are older than three months. low and we already have For example, we may select items that are audit evidence from suspicious, unusual, risk prone, or that have substantive analytical a history of being misstated, for example procedures for the population foreign currency transactions. being tested the population contains a
small number of individually 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis significant items thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. the population mainly contains nonroutine
Page 100 / 133
For example, we may select items that are audit evidence from suspicious, unusual, risk prone, or that have substantive analytical a history of being misstated, for example procedures for the population foreign currencyInternational Audit Workbook (Interntional Audit Workbook) transactions. being tested the population contains a small number of individually significant items the population mainly contains nonroutine transactions or accounting estimates we identified a risk of fraud and we apply our audit procedures to items with specific characteristics.
When we select key items for testing, we still need to obtain sufficient appropriate audit evidence relevant to the remaining population when that remaining population is considered significant. We use judgment to determine whether the remaining population is considered significant. [5425] To select specific items, we may use scanning. Scanning includes searching for large or unusual items in the accounting records (for example, nonstandard journal entries), as well as in transaction data (for example, suspense accounts, adjusting journal entries) for indications of misstatements that have occurred. Since we test the items selected by scanning, we obtain audit evidence about those items. Our scanning also may provide some audit evidence about the items not selected since we have used professional judgment to determine that the items not selected are less likely to be misstated. [5421.2] Substantive sampling For example, if the population contains a Substantive sampling is likely to be more large number of items, substantive sampling effective when any of the following are true: is likely to be more effective. [5415] we assess the risk of significant misstatement as high and have no audit evidence from substantive analytical procedures the population mainly contains routine transactions.
KPMG Substantive Sampling Techniques are appropriate: [5505] for audit objectives relevant to existence and occurrence, accuracy, valuation and obligations, and rights assertions
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG when there are many items in International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis the population thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
for audit objectives relevant to existence and occurrence, accuracy, valuation and International Audit Workbook (Interntional Audit Workbook) obligations, and rights assertions when there are many items in the population when the expected difference in the population is less than the significant misstatement threshold.
! ! ! !
When we perform tests of details using a specific items approach, our audit findings relate only to those specific items. If we identify audit differences in auditing the specific items, those audit differences are known audit differences and are not extrapolated to, or projected over, the entire population from which the specific items were selected. [5424] The existence of differences in specific items selected for testing may be indicative of audit differences in the remainder of the population. We consider the characteristics of the audit difference identified and the characteristics of the remaining population when determining the nature, timing, and extent of any additional procedures to be performed on the remaining population. [5424] In determining which selection method to use, we may determine that items in the population with certain characteristics have a higher risk of intentional misstatement due to fraud and thus, selecting specific items to test is likely to be more effective in addressing the fraud risk than selecting a representative sample. An IRM specialist may assist the engagement team in planning and performing tests of details. These may include reperformance techniques such as CAATs or in-built report writing tools. [5404] For each relevant assertion associated with an assertion level fraud risk, we: [3743.1] evaluate the design and implementation of antifraud controls that are relevant to the identified fraud risk and consider the risk of management override of such controls test the operating effectiveness of selected assertion level controls when we plan to rely on the operating effectiveness of controls to modify the nature, timing, or extent of our substantive procedures, and perform substantive procedures including tests of details.
The use of the KPMG MUS or the KPMG Sampling Plan may not be the most effective approach when performing substantive tests of details to address the risk of fraud because misstatements due to fraud are ordinarily not distributed randomly throughout the population. Consequently, we usually perform substantive sampling techniques in combination with specific items testing. [5526.1]
Using Computer Assisted Audit Techniques (CAATs) to perform audit procedures may enhance the audit process by facilitating faster and more extensive review and analysis of large data populations. CAATs provide the ability to analyze complete populations of data; to profile, extract, and summarize items based on specific characteristics; and to apply International Audit Workbook (Interntional Audit in the performance of: [5467] selected preprogrammed routines that can be used during Substantive TestingWorkbook) substantive analytical procedures tests of details of transactions and balances extracting data for audit testing, and/or reperforming calculations performed by the entity's accounting systems.
IDEAis a technology tool for applying CAATs to perform data analysis procedures. IDEAmay be used to read, display, sample, and extract data from client data files. In addition to the standard functionality of the application, KPMG has developed preprogrammed routines based on commonly employed audit procedures. IDEASmart Analyzer Routines have been developed for the areas of accounts receivable, inventory, journal entries, fixed assets, and accounts payable. KPMG Monetary Unit Sampling is also performed using the platform of IDEA. [5466] Example routines that are available in Smart Analyzer are as follows: Accounts receivable routines Journal entry routines Inventory routines Fixed assets routines Accounts payable routines Aging by due date/invoice date Debtors with total amount greater than credit limit Debtors with net credit balances Duplicate or missing journal entries Out-of-balance journal entries Journal entries by user Zero or negative unit cost Negative quantity on hand Last sales price lower than unit cost Recalculate straight line depreciation Depreciation exceeding cost Fixed assets duplicate field search Duplicate invoices or payments Invoices without purchase order numbers Creditors with net debit balances
When we apply substantive sampling, we use one of the following KPMG substantive sampling techniques: [5521] KPMG Monetary Unit Sampling (KPMG MUS). KPMG MUS is a statistical sampling technique with a selection probability that is proportionate to the size of an item in the population and statistically projects audit differences discovered in sample items. KPMG Sampling Plan. The KPMG Sampling Plan is a nonstatistical sampling approach. We select samples using a haphazard method. We may use other substantive sampling techniques with the involvement of a KPMG Sampling Specialist. [5521.1] We consider the involvement of KPMG sampling specialists in the following circumstances: [5696] the engagement team plans to use MUS sample items for other than a substantive audit procedure substantive sampling is used for financial statement audits which require confidence levels that are different from those stated at KAM 5569 engagement team plans to use MUS in selecting items from complex populations such as those involving multiple locations engagement team plans to use substantive sampling techniques other than those outlined in the KAM section titled, KPMG Substantive Sampling Techniques engagement team will use specific tolerable deviation rates, expected error rates, and/or confidence levels to be achieved with an attribute sample, or engagement team plans to use substantive sample in selecting items as a basis for forming a statistical conclusion expressed in a special report, attestation engagement other than a financial statement audit, or for performing and reporting on an agreed-upon procedures engagement.
The list of scenarios above is not meant to be exhaustive. The engagement partner uses judgment as to the knowledge and experience of the engagement team to consider whether involvement of a KPMG sampling specialist is appropriate. [5697] The KPMG MUS Document and Test of Details Document, both available on ALex, have been
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG updated to incorporate the revisions to KAM relating to consultation considerations involving International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis KPMG sampling specialists. thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
The main features of the KPMG substantive sampling techniques are illustrated in the following table: [5522]
The engagement partner uses judgment as to the knowledge and experience of the engagement team to consider whether involvement of a KPMG sampling specialist is appropriate. [5697]
International Audit Workbook (Interntional Audit Workbook)
The KPMG MUS Document and Test of Details Document, both available on ALex, have been updated to incorporate the revisions to KAM relating to consultation considerations involving KPMG sampling specialists. The main features of the KPMG substantive sampling techniques are illustrated in the following table: [5522] KPMG Monetary Unit Sampling (KPMG MUS) Type Attributes Statistical Monetary attribute selection probability proportionate to the size of an item KPMG Sampling Plan
Nonstatistical Selection is haphazard and selection probability is not proportionate to the size of an item Stratification is necessary to reduce the sample size Sample size is larger than the KPMG Monetary Unit Sampling technique KPMG Sampling Plan for tests of details is usually only efficient and effective for sample sizes greater than 5 Sample size is increased when the most likely audit difference is larger than one-sixth (1/6) but not more than one-half (1/2) of the significant misstatement threshold The KPMG Sampling Plan indicates the monetary amount above which items are individually significant. This amount may be increased not to exceed the significant misstatement threshold Haphazard selection of items KPMG Sampling Plan Excel template (plan and evaluate)
Sample size is smaller than the KPMG Sampling Plan KPMG MUS does not have sample size limitations
Sample size may be expanded to increase the precision of the projected results
Significant items
The planned sampling interval indicates the monetary amount above which items are individually significant
Value weighted random selection of items KPMG Monetary Unit Sampling Routine in IDEA(plan, select, and evaluate)
KPMG MUS may be more effective and efficient than the KPMG Sampling Plan. KPMG MUS provides a smaller sample size and more robust results than the KPMG Sampling Plan. Also, if we plan to apply KPMG MUS, it is not necessary to identify individually significant items. The identification of such items is embedded in the process of selection of sample items. Manual identification of significant items when using the KPMG Sampling Plan requires care as it is susceptible to manual errors.
Use of the KPMG MUS or KPMG Sampling Plan may not be the most effective approach when performing substantive tests of details to address the risk of fraud because misstatements due to fraud are not ordinarily distributed randomly throughout the population. If the KPMG MUS or the KPMG Sampling Plan is used, it is usually performed in combination with a specific items testing. [5526.1]
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG We use professional judgment to determine the appropriate criteria (e.g., specific days, number International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis of entries by user, amount) to select journal entries for further evaluation. thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. This process may
include combining results for the different selection criteria in order to determine the journal entries to be tested. [5416.6.1]
The identification of such items is embedded in the process of selection of sample items. Manual identification of significant items when using the KPMG Sampling Plan requires care as it is susceptible to manual errors. Audit Workbook (Interntional Audit Workbook) International
Use of the KPMG MUS or KPMG Sampling Plan may not be the most effective approach when performing substantive tests of details to address the risk of fraud because misstatements due to fraud are not ordinarily distributed randomly throughout the population. If the KPMG MUS or the KPMG Sampling Plan is used, it is usually performed in combination with a specific items testing. [5526.1] We use professional judgment to determine the appropriate criteria (e.g., specific days, number of entries by user, amount) to select journal entries for further evaluation. This process may include combining results for the different selection criteria in order to determine the journal entries to be tested. [5416.6.1]
The use of the KPMG substantive sampling techniques is illustrated in the following decision tree: [5525]
Substantive sampling alone is inappropriate for testing completeness. Other procedures, such as substantive analytical procedures, are performed to test for completeness. [5511]
Please refer to the KPMG Monetary Unit Sampling Routines User Guide - International and the
Substantive sampling alone is inappropriate for testing completeness. Other procedures, such as substantive analytical procedures, are performed to test for completeness. [5511]
Please refer to the KPMG Monetary Unit Sampling Routines User Guide - International and the KSP Practice Aide, which are available on ARO for specific guidance related to the use of these substantive sampling techniques.
When using KPMG Monetary Unit Sampling we also recalculate the total upper precision limit and most likely audit difference. We do not project an anomalous audit difference to the sampled population. [5625.3.1], [5694.11]
The KPMG MUS Document and Test of Details Document, both available on ALex, have been updated to incorporate the revisions to KAM relating to anomalous audit differences.
Appropriate
Inappropriate
This section provides guidance on substantive attribute sampling techniques when testing attributes for tests of details. [5694.14] The main considerations when using attribute sampling are summarized in the table below: Appropriate Tests directed at underlying data (assumptions) Substantive testing Substantive sampling Inappropriate Tests directed at monetary values Tests of controls Monetary values are assigned to each unit within the population subject to the test to allow for a MUS or KSP sample
Substantive attribute sampling may be appropriate in those situations where non financial data is used by management to calculate or derive a financial amount that is included in the financial information of an entity and the purpose of the test is to conclude on the existence and/or accuracy of the data (i.e., the attribute). [5694.14.2] Attribute data may be provided to an external expert or included in a model for developing an estimate. Often such situations arise where management develops estimates such as pension liabilities, claim reserves, and warranties, among others. [5694.14.2] The following table illustrates the minimum sample sizes for substantive attribute sampling: [5694.18] Risk of significant misstatement Audit evidence obtained from substantive procedures other than sampling Little or None Low Moderate High 25 40 65 Moderate NA 25 50 Extensive NA NA NA
We may consider increasing the sample from the minimum sample size outlined above based on judgment considering the following factors: [5694.17] the results of audit procedures performed in previous periods relative to the attributes the sensitivity of the attribute to error, and the relationship of the attribute to the estimate or disclosure subject to testing.
We also consider the impact of an error for an attribute(s) subject to testing when designing our tests. We consult with a sampling specialist to assist in determining an appropriate sample size when an engagement team expects to achieve certain tolerable deviation rates, expected error rates, and/or confidence levels with an attribute sample. [5694.20] The sample sizes included in the table above are based on expectation that no errors will be detected in the sample. Therefore when no errors are discovered during testing, we conclude that the test objective is achieved. [5694.19] If we find an error in our sample, we: [5694.19]
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG investigate the nature and cause of the error including the impact of such International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. error(s) to the estimate or disclosure,
discuss the error(s) discovered with management and if applicable, others such as external experts and internal KPMG specialists, and
The sample sizes included in the table above are based on expectation that no errors will be detected in the sample. Therefore when no errors are discovered during testing, we conclude that the test objective is achieved. [5694.19]
International Audit Workbook (Interntional Audit Workbook)
If we find an error in our sample, we: [5694.19] investigate the nature and cause of the error including the impact of such error(s) to the estimate or disclosure, discuss the error(s) discovered with management and if applicable, others such as external experts and internal KPMG specialists, and depending on the nature and cause of the error(s) discovered, we determine the nature and extent of additional audit procedures to perform.
When substantive attribute sampling is used in the audit examination of items, judgment may involve consideration of the relationship between the attribute being tested and the ultimate monetary errors in the financial statements, as well as the amount of monetary error that would lead to a material misstatement. The evaluation of the monetary impact may be difficult and require the client to perform further analysis of the data. [5694.16]
Control minimizes the possibility that the results will be biased because of the interception and alteration of confirmation requests or responses. [5724] Any restrictions included in When we seek to confirm certain balances or other information, and management the response or imposed requests us not to do so, we should consider whether there are valid grounds for by management such a request and obtain audit evidence to support the validity of management's requests. If we agree to management's request not to seek external confirmation regarding a particular matter, we should apply alternative audit procedures to obtain sufficient appropriate audit evidence regarding that matter. [5745] When we consider the reasons provided by management, we apply an attitude of professional skepticism and consider whether: [5746] the request has any implications regarding management's integrity
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG management's request may indicate the possible existence of International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis fraud or error, and thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
the alternative procedures will provide sufficient appropriate audit evidence regarding this matter.
When we consider the reasons provided by management, we apply an attitude of professional skepticism and consider whether: [5746] the request has Workbook (Interntionalregarding management's International Audit any implications Audit Workbook) integrity management's request may indicate the possible existence of fraud or error, and the alternative procedures will provide sufficient appropriate audit evidence regarding this matter.
The assertion that is being addressed will determine the type of confirmation that is prepared. For example, if the engagement team is testing the completeness assertion with respect to a liability, then suppliers with zero or low balances may be selected and the confirmation designed for the suppliers to provide the outstanding balance. In this case, you are trying to determine if there are items missing from the liability account. We consider other audit procedures to complement confirmation procedures or to be used instead of confirmation procedures, for assertions not adequately addressed by confirmations. [5753]
A positive external confirmation requests the respondent to reply to the auditor in all cases, either by indicating agreement with the given information, or to fill in information. [5759] A response to a positive confirmation request is usually expected to provide reliable audit evidence. However, there is a risk that a respondent may reply to the confirmation request without verifying that the information is correct. We can reduce this risk by not stating the amount (or other information) on the confirmation request, but instead ask the respondent to fill in the amount or furnish other information. This may result in lower response rates, because additional effort is required of the respondents. [5760] A negative external confirmation requests the respondent to reply only in the event of disagreement with the information provided in the request. [5764] However, if no response has been received, there will be no explicit audit evidence that intended third parties have received the requests and verified that the information is correct. Accordingly, negative confirmation requests usually provide less reliable audit evidence than positive confirmation requests, and we usually do not use them as a primary source of audit evidence. [5765] Negative confirmation requests may reduce the risk of significant misstatement to an acceptable level when: [5767] the risk of significant misstatement is low we test a large number of small balances we do not expect a substantial number of errors, and/or there is no reason to believe that respondents will disregard the requests.
The type of information that we request may affect the response rate and nature of the evidence obtained as respondents may not always be able to confirm certain types of information. The balance of certain loans and leases may be difficult to confirm. Instead, the confirmation may be designed to confirm the original balance, monthly payment, term, etc. For suppliers or customers, it may be easier to confirm a single invoice rather than the entire amount outstanding.
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG We take appropriate follow-up action for nonresponding accounts; consider second and, International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis sometimes, third requests (oral or written); and if appropriate, perform alternative audit thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
procedures. [5727]
For example, for receivables, compare to subsequent cash receipts, if they can be specifically
confirmation may be designed to confirm the original balance, monthly payment, term, etc. For suppliers or customers, it may be easier to confirm a single invoice rather than the entire amount outstanding.
International Audit Workbook (Interntional Audit Workbook)
We take appropriate follow-up action for nonresponding accounts; consider second and, sometimes, third requests (oral or written); and if appropriate, perform alternative audit procedures. [5727] For example, for receivables, compare to subsequent cash receipts, if they can be specifically identified to items outstanding at the confirmation date, and/or customer purchase orders and shipping documents. We ordinarily confirm the following: bank balances, including: [5782] bank balances (including those held by "licensed deposit takers" or similar financial institutions) at the period-end. the entity's "main" bank accounts and those accounts expected to have balances at periodend that are greater than the significant misstatement threshold guarantees and financial instruments (including derivatives) with banks with whom we confirm "main" bank accounts, to obtain audit evidence relevant to the appropriate disclosure and presentation of guarantees and financial instruments, and
We may confirm other guarantees and financial instruments (including derivatives) with other third parties. [5784] trade receivables balances (including balances with related parties). [5791] We ordinarily also confirm the terms of the transaction and other key information, which may affect the accounting for the transaction. [5795] For example, rights of return, allowances and rebates, special agreements, payment terms, etc. We also consider obtaining external confirmations for: [5708.1] loans from lenders related-party transactions terms of sales contracts (for revenue recognition) inventories held by third parties at bonded warehouses for processing or on consignment property title deeds held by lawyers for safe custody or as security investments purchased from stockbrokers but not delivered at the period-end date payables balances, and unusual or complex transactions.
Interntional Audit Workbook
Chapter 6 - Completion
The objective of Completion is to form an audit opinion. Before we form an audit opinion, the engagement team: [6001.2] performs and documents results of audit procedures performed during Completion evaluates on an overall basis the results of audit procedures performed and findings for audit objectives associated with significant risks, including the risk of fraud
evaluates significant findings and issues resulting from the audit, actions taken to address them (including additional evidence obtained), and the basis for the conclusions reached. Significant findings and issues are matters that are important to the procedures performed, evidence 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG obtained, or conclusions reached. International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis
thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
evaluates independence and ethical issues, and forms an audit opinion after reviewing the financial statements and evaluating all audit findings.
Page 111 / 133
evaluates on an overall basis the results of audit procedures performed and findings for audit objectives associated with significant risks, including the risk of fraud
International Audit Workbook (Interntional Audit Workbook)
evaluates significant findings and issues resulting from the audit, actions taken to address them (including additional evidence obtained), and the basis for the conclusions reached. Significant findings and issues are matters that are important to the procedures performed, evidence obtained, or conclusions reached. evaluates independence and ethical issues, and forms an audit opinion after reviewing the financial statements and evaluating all audit findings.
In developing an opinion, we consider all relevant audit evidence, regardless of whether it appears to corroborate or to contradict the assertions in the financial statements. [6042] Sufficiency is the measure of the quantity of audit evidence. The quantity of the audit evidence necessary is affected by the risk of misstatement and also by the quality of such audit evidence.
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis Appropriateness is the measure of the quality of evidence, that is, its relevance and reliability in providing support thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
for, or detecting misstatements in, the classes of transactions, account balances derived from estimates, other account balances and disclosures, and related assertion.
In developing an opinion, we consider all relevant audit evidence, regardless of whether it appears to corroborate or to contradict the assertions in the financial statements. [6042]
International Audit Workbook (Interntional Audit Workbook)
Sufficiency is the measure of the quantity of audit evidence. The quantity of the audit evidence necessary is affected by the risk of misstatement and also by the quality of such audit evidence. Appropriateness is the measure of the quality of evidence, that is, its relevance and reliability in providing support for, or detecting misstatements in, the classes of transactions, account balances derived from estimates, other account balances and disclosures, and related assertion. Our judgment as to what constitutes sufficient appropriate audit evidence is influenced by such factors as the following: [6044] significance of the potential misstatement in the assertion and the likelihood of its having a material effect, individually or aggregated with other potential misstatements, on the financial statements effectiveness of management's responses and controls to address the risks experience gained during previous audits with respect to similar potential misstatements results of audit procedures performed, including whether such audit procedures identified specific instances of fraud or error source and reliability of the available information persuasiveness of the audit evidence, and/or understanding of the entity and its environment, including its internal control.
If we have not obtained sufficient appropriate audit evidence as to a material financial statement assertion, we should attempt to obtain further audit evidence. [6047] If we are unable to obtain sufficient appropriate audit evidence, we should express a qualified opinion or a disclaimer of opinion. [6048]
Such sufficient disclosures relate to the form, arrangement, and content of the financial statements and their appended notes, including, for example, the terminology used, the amount of detail given, the classification of items in the statements, and the bases of amounts set forth. We prepare or review a reconciliation of amounts audited in the working papers to the amounts reported in the financial 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG statements to provide a trail from the financial statements to the audit procedures performed.[6056] International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis
thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
We conduct our overall review of the financial statements in the context of our understanding of the entity's applicable Page 113 / 133 financial reporting framework for accounting policies applied by the entity and within the industry. [6057]
material transactions and events on the information conveyed in the financial statements. Such sufficient disclosures relate to the form, arrangement, and content of the financial statements and their appended notes, including, for example, the terminology used, the amount(Interntional given, the classification of items in the statements, of detail Audit Workbook) International Audit Workbook and the bases of amounts set forth. We prepare or review a reconciliation of amounts audited in the working papers to the amounts reported in the financial statements to provide a trail from the financial statements to the audit procedures performed.[6056] We conduct our overall review of the financial statements in the context of our understanding of the entity's applicable financial reporting framework for accounting policies applied by the entity and within the industry. [6057] In addition to our evaluation of the audit evidence for audit objectives, we perform the following procedures:
If we determine that an account or disclosure initially identified as nonsignificant during Planning is significant at period-end, we obtain sufficient appropriate audit evidence to support the significant account or disclosure.[6073.1] The conclusions drawn from the results of such audit procedures are intended to corroborate conclusions formed during the audit of individual components or elements of the financial statements and assist in arriving at the overall conclusions as to the reasonableness of the financial statements. [6063]
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG For example, for a private entity audit, it may be appropriate to conduct inquiries during Planning International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis with a brief update with some or all of the client interviewees shortly before thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. the date of our audit
report.
Page 114 / 133
For example, for a public entity audit, it may be appropriate to conduct inquiries during Planning,
appropriate, regarding fraud and other specific topics. During Completion, we update these inquiries.
International Audit Workbook (Interntional Audit Workbook)
The timing and extent of updated inquiries is determined by the engagement team based on the entity's specific circumstances. [7375] For example, for a private entity audit, it may be appropriate to conduct inquiries during Planning with a brief update with some or all of the client interviewees shortly before the date of our audit report. For example, for a public entity audit, it may be appropriate to conduct inquiries during Planning, conduct additional interviews during each interim review, and update some or all of the interviews shortly before the date of our audit report.
If as a result of our inquiries, we identify new financial statement level/assertion level risks relevant to specific topics, we document these risks and how we addressed them. [6123]
6.1.4 Final Evaluation of Audit Results for Specific Topics and Subsequent Events
During Completion, we perform audit procedures, in order to evaluate the results of procedures performed in the audit, including those related to specific topics, to fraud and to subsequent events, to determine if our previous assessments of our responses to risks related to such matters should be modified. [6125] This evaluation is primarily qualitative and based on our judgment. Such an evaluation may provide further insight about the risks of significant misstatement due to fraud, other Specific Topics and subsequent events, and whether there is a need to perform additional or different audit procedures. [6126] Based on the audit procedures performed and the audit evidence obtained, we evaluate whether the assessments of the risk of significant misstatement at the assertion level remain appropriate. Such an evaluation may provide further insight about the risks of material misstatement due to fraud and whether there is a need to perform additional or different audit procedures. As part of this evaluation, we consider whether there has been appropriate communication with other engagement team members throughout the audit regarding information or conditions indicative of risk of material misstatement due to fraud.[7369.1] When we confirm that, or are unable to conclude whether, the financial statements are materially misstated as a result of fraud, we should consider the implications for the audit. [7370] We perform sufficient procedures to confirm or dispel a suspicion that the financial statements are materially misstated due to fraud. If we are not able to dispel such suspicion, we consider the effect on our report and follow applicable local consultation protocols. [7371] We specifically consider whether the following may be indicative of fraud and investigate and perform additional procedures as appropriate:[6006] conditions or information gained throughout the audit analytical procedures performed on period-end data corrected and uncorrected audit differences, as well as any omissions or other errors in presentation and disclosure summarized in the Summary of Audit Differences.
The engagement team needs to determine that the appropriate standard management
The engagement team needs to determine that the appropriate standard management representation letter template is used and that the template is appropriately customized to the entity's circumstances.
6.3.1 Significant Findings and Issues Identified During a Review of Interim Financial 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG Information International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis
thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
We document significant findings and issues identified during the review of interim financial information and the effect on Page 116 / 133 our audit approach in the annual audit. [6157]
The engagement partner and an engagement manager review all audit documentation relating to significant findings and issues. [6154]
International limited to, the matters described below. [6153] Significant findings and issues include, but are not Audit Workbook (Interntional Audit Workbook)
6.3.1 Significant Findings and Issues Identified During a Review of Interim Financial Information
We document significant findings and issues identified during the review of interim financial information and the effect on our audit approach in the annual audit. [6157]
6.3.2 Significant Matters Involving the Selection, Application, and Consistency of Accounting Principles, Including Related Disclosures
Significant matters involving the selection, application, and consistency of accounting principles, including related disclosures, include, but are not limited to, accounting for complex or unusual transactions, accounting estimates, and uncertainties as well as related management assumptions. [6160]
6.3.3 Disagreements within the Engagement Team and with Those Consulted
Where differences of opinion arise within the engagement team, with those consulted and, where applicable, between the engagement partner and the engagement quality control reviewer, the engagement team should follow the firm's policies and procedures for dealing with and resolving differences of opinion. [6286] If a difference of opinion is initially identified, but is later resolved to the satisfaction of all parties involved, such as through additional discussion, research, or consultation or through new or revised facts, it is not necessary to document the initially identified matter as a difference of opinion. However, it may be appropriate to document the conclusions reached on the matter elsewhere in the working papers. [6288.1] In the event of differences of opinion, we do not release the report until the matter is resolved and documented. [2811.1]
If we encounter significant difficulties in applying our audit procedures, we resolve the difficulties and document the rationale used to resolve those significant difficulties. In resolving such difficulties, we consider modifying our audit strategy and the planned audit procedures, which may include increasing our assessment of the risk of significant misstatement for certain audit objectives. [6297] If we are not able to overcome such difficulties by performing alternative audit procedures and we do not obtain sufficient appropriate audit evidence, we consider the impact on our audit report and modify the report accordingly. Further guidance on modifications to our report is included in the International Standards Report Manual. [6299]
6.3.5 Matters That Resulted in or Could Have Resulted in a Modification of Our Report
We document the significant matters that resulted in or could have resulted in the modification of our report in the Completion Document. We also document, if applicable, how we have resolved the matter(s) that could have resulted in a modification to our report, as well as the rationale for modifying or for not modifying our report. [6302] Our report is considered to be modified in the following situations: [6302.1] 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG
International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis matters that do not affect our audit opinion (unless local laws, regulations, and professional thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
unqualified opinion with an emphasis of matter paragraph (in some countries these matters
We document the significant matters that resulted in or could have resulted in the modification of our report in the Completion Document. We also document, if applicable, how we have resolved the matter(s) that could have resulted in a International Audit Workbook (Interntional Audit Workbook) modification to our report, as well as the rationale for modifying or for not modifying our report. [6302] Our report is considered to be modified in the following situations: [6302.1] matters that do not affect our audit opinion (unless local laws, regulations, and professional standards do not enable the auditor to modify the auditor's report) unqualified opinion with an emphasis of matter paragraph (in some countries these matters are not considered as a modification of the auditor's report)
matters that affect our audit opinion qualified opinion disclaimer of opinion, and adverse opinion.
Guidance regarding modifications of our report is included in the International Standards Reports Manual, which can be found on ARO. [6302.2]
The engagement team documents consultations with other KPMG professionals that involve difficult or contentious matters to enable an understanding of: [6309] the issue on which consultation was sought; and the results of the consultation, including any decisions taken, the basis for those decisions, and how they were implemented.
We provide relevant documentation of the consultation to the professionals we have consulted and ask them to: [6310] indicate that they concur with the conclusions reached by the engagement team, and confirm that documentation includes a factual representation of the matters considered and the conclusions reached.
6.3.7 Discussion of Significant Findings and Issues (Including Significant Risks) with Management and Others
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis When we discuss significant findings or issues (including matters that give rise to significant risks) with management and thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. others, we document on a timely basis the discussions in our working papers. [6313.5]
Page Others with whom we may discuss significant findings or issues include those charged with governance, other personnel 118 / 133
confirm that documentation includes a factual representation of the matters considered and the conclusions reached.
International Audit Workbook (Interntional Audit Workbook)
6.3.7 Discussion of Significant Findings and Issues (Including Significant Risks) with Management and Others
When we discuss significant findings or issues (including matters that give rise to significant risks) with management and others, we document on a timely basis the discussions in our working papers. [6313.5] Others with whom we may discuss significant findings or issues include those charged with governance, other personnel within the entity, and external parties, such as persons providing professional advice to the entity. [6313.6]
revise the audit difference posting threshold accordingly, or document why it is not necessary to revise the audit difference 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG posting threshold. International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis
thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
We document the revised MPP, SMT, and ADPT in the Completion Document.
Page 119 / 133
Significant modifications of Significant modifications to our audit strategy may result from: [6179]
revise downward the related SMT(s) determine whether further audit procedures need to be International to obtain sufficient appropriate audit performed Audit Workbook (Interntional Audit Workbook) evidence, and revise the audit difference posting threshold accordingly, or document why it is not necessary to revise the audit difference posting threshold.
We document the revised MPP, SMT, and ADPT in the Completion Document. Significant modifications of Significant modifications to our audit strategy may result from: [6179] audit strategy and planned unexpected events, changes in conditions, or audit evidence audit procedures obtained during the course of the audit the identification of financial statement level risks that occurred after we determined our audit strategy during Planning the identification of significant accounts and disclosures that were initially identified as nonsignificant during Planning revisions to materiality for planning purposes changes in the timing of our audit procedures changes in responsibilities of engagement team members, including KPMG specialists, and/or changes in the involvement of others.
As a result of unexpected events, changes in conditions, or evidence obtained from our audit procedures, we may modify our audit plan and thereby the resulting planned nature, timing, and extent of further audit procedures. Information may come to our attention that differs significantly from the information available when we planned the audit procedures. [6183] For example, we may obtain audit evidence through the performance of substantive procedures that contradicts the audit evidence obtained with respect to the testing of the operating effectiveness of controls. In such circumstances, we reevaluate the planned audit procedures based on the revised consideration of assessed risks at the assertion level for all or some of the classes of transactions, account balances derived from estimates, other account balances, or disclosures. [6184] Material weaknesses and other deficiencies in internal control over financial reporting We analyze and evaluate all exceptions discovered in internal control over financial reporting to determine whether they represent deficiencies. [4793.3] A control deficiency may consist of either a design or an operating deficiency. A design deficiency exists when either a necessary control is missing or an existing control is not properly designed so that even when the control is operating as designed, the control objective is not always met. An operating deficiency exists when a properly designed control either is not operating as designed or the person performing the control does not possess the necessary authority or qualifications to perform the control effectively. [6189] Material weaknesses in internal control are control deficiencies that could have a material effect on the financial statements. [6191] When we identify deficiencies in internal control over financial reporting, we make a determination as to whether these control deficiencies, individually or in combination, represent material weaknesses. [6191.1] We document the material weaknesses and other deficiencies in internal control over financial reporting that have a significant effect on our audit approach in the Completion Document. For each material weakness or other deficiency, we describe the deficiency, the related audit objective, and the effect on our audit approach. 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis Additionally, we document the specific members of management and/or those thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. charged with governance to whom the deficiency was communicated and the form of communication, whether in writing or orally. [6201] Page 120 / 133
determination as to whether these control deficiencies, individually or in combination, represent material weaknesses. [6191.1] We document the material weaknesses andAudit Workbook) International Audit Workbook (Interntional other deficiencies in internal control over financial reporting that have a significant effect on our audit approach in the Completion Document. For each material weakness or other deficiency, we describe the deficiency, the related audit objective, and the effect on our audit approach. Additionally, we document the specific members of management and/or those charged with governance to whom the deficiency was communicated and the form of communication, whether in writing or orally. [6201] Material misstatements or omissions in the financial statements Misstatements in the financial statements can arise from error or fraud. The primary factor that distinguishes fraud from error is whether the underlying cause (action that results in the audit difference) is intentional or unintentional. [6204] Misstatements may include: [6204.2] unrecorded audit differences, audit differences corrected by the entity, or uncorrected and corrected omissions or other errors in financial statement presentation and disclosure.
An audit difference is an audit finding in which we do not agree with the amount or classification of items or totals in the income statement or balance sheet. [9029]
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG and the factual context in which the user of the financial statements would view the financial International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis statement item containing the misstatement thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
the number of financial statement captions affected, such as whether the potential misstatement affects the amounts and presentation of many financial statement captions
In evaluating the effect of uncorrected audit differences, we consider the following factors: [6215] the significance of an item to the financial statements of a particular entity, such as inventories to International Audit Workbook (Interntional Audit Workbook) a manufacturing company the relative size of the misstatement compared with the financial statements taken as a whole and the factual context in which the user of the financial statements would view the financial statement item containing the misstatement the number of financial statement captions affected, such as whether the potential misstatement affects the amounts and presentation of many financial statement captions the likelihood that undetected misstatements, when considered with the aggregate uncorrected misstatements, could exceed materiality the nature and cause of each misstatement, including a consideration of whether the misstatement may indicate the possible existence of fraud whether the misstatements indicate a pattern. If a pattern appears to exist, we consider whether to apply audit procedures specifically to detect other similar differences.
In making materiality judgments, individually and in the aggregate, we consider: [6213] both quantitative and qualitative factors, and the results of our assessment of the risk of material misstatements due to fraud and error.
statement ("rollover") and balance sheet ("iron curtain") methods. [6229.2] In most cases, the more significant misstatement identified, when assessed under the balance sheet and the income statement methods, requires a more detailed evaluation and consideration. However, in some instances, because of International Audit Workbook (Interntional Audit Workbook) qualitative factors to be considered, the lesser of the two methods may be more important when evaluating materiality. [6229.3] Quantification under both methods is to be determined, and consideration given to relevant quantitative and qualitative factors in reaching a conclusion on the materiality of the misstatements. [6229.4] Once we have considered each individual error, we evaluate the effect of uncorrected errors in the aggregate. Under the dual method, we evaluate the total error using the balance sheet method ("iron curtain") and the total error using the income statement method ("rollover") not by combining the "higher of" amount associated with each individual uncorrected misstatement. [6229.7]
Change in methods
We use a consistent method from period to period when evaluating uncorrected audit differences for all accounts and for all periods subject to our audit. [6231] The following table summarizes the alternatives available when the engagement team is considering a change in methods of evaluating uncorrected audit differences. [6231.1, 6231.2, 6231.3] Current period proposed method Method used in prior period IS method Income statement (IS) method Balance sheet (BS) method Not appropriate Dual method Not appropriate Not appropriate BS method May use Dual method May use
May use
We consult the risk management partner when a change in methods for evaluating uncorrected audit differences is contemplated, and the change affects our conclusion on the materiality of audit differences. [6232] The method used may be predetermined by local auditing standards. Communication in the interoffice instructions of the method to be used facilitates consistent use of a single method by all participating offices in a multilocation engagement.
6.4.3 Consider the Fraud and Earnings Management Implications of Audit Differences
When we identify a misstatement, we should consider whether such a misstatement may be indicative of fraud, and if there is such an indication, we should consider the implications of the misstatement in relation to other aspects of the audit, particularly the reliability of management representations. [6236] If our audit findings indicate possible fraud, we also consider the potential effect, including whether the audit differences resulted from an attempt to manage earnings. [6241] Earnings management includes the recording of accounting entries, without any event to justify the accounting, to alter results if the perceived motivation is to conform to the user's expectations. Earnings management may also include the failure to record or correctly record transactions for that same purpose. [6242] We consider all corrected and uncorrected misstatements arising from the audit to determine if they occurred as a result of one or more control deficiencies. [6243.1]
We accumulate in the Summary of Audit Differences identified misstatements, including audit differences and omissions and other errors. We include all corrected and uncorrected audit differences when such misstatements are equal to or greater than the audit difference posting threshold. If an audit difference is qualitatively significant but is below the audit difference posting threshold, it is included in the Summary of Audit Differences. [6245] These misstatements are reflected in the Summary of Audit Differences as follows: [6204.3] Schedule 1 - Summary of Uncorrected Audit Differences Schedule 2 - Summary of Corrected Audit Differences, and Schedule 3 - Summary of Omissions and Other Errors in Presentation and Disclosure.
We complete either Schedule 1A, Schedule 1B or Schedule 1C based on the method used in evaluating uncorrected audit differences as follows: [6247.1] Schedule 1A - Dual method Schedule 1B - Rollover (income statement) method Schedule 1C - Iron curtain (balance sheet) method.
statement, balance sheet, or statement of cash flows, such as erroneous descriptions. [6271.1] In an SE or VSE engagement, the engagement team often works closely Audit Workbook) in determining the International Audit Workbook (Interntional with the entity presentation and disclosure in the financial statements. In such cases, all omissions and other errors in financial statement presentation and disclosure that have not been corrected and are not "de miminis" are included in Schedule 3. The engagement team uses its judgment as to whether corrected omissions and errors are also included on Schedule 3.
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG evaluate information on identified breaches, if any, of the firm's independence policies and International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. engagement procedures to determine whether they create a threat to independence for the audit
take appropriate action to eliminate such threats or reduce them to an acceptable level by applying safeguards. The engagement partner should promptly report to the firm any failure to
The engagement partner should form a conclusion on compliance with independence requirements that apply to the audit engagement. In doing so, the engagement partner should: [6315]
International Audit Workbook (Interntional Audit Workbook)
obtain relevant information from the firm and, where applicable, network firms to identify and evaluate circumstances and relationships that create threats to independence evaluate information on identified breaches, if any, of the firm's independence policies and procedures to determine whether they create a threat to independence for the audit engagement take appropriate action to eliminate such threats or reduce them to an acceptable level by applying safeguards. The engagement partner should promptly report to the firm any failure to resolve the matter for appropriate action, and document conclusions on independence and any relevant discussions with the firm that support these conclusions.
The engagement partner should consider whether members of the engagement team have complied with ethical requirements. [6316]
The Specific Topics chapter of KAM, Chapter 7, has been rewritten consistent with the Audit Program for Specific Topics (Revised) (APST (Revised)) and the Specific Topics Inquiries Document (STID). The Specific Topics chapter of KAM should be read in conjunction with the Audit Program for Specific Topics (Revised) and the Specific Topics Inquiries Document. The chapter is designed to support and provide additional guidance on the procedures included in the Audit Program for Specific Topics (Revised) and the inquiries in the Specific Topics Inquiries Document to the extent that procedures are not already supported by Guidance Attachments that accompany the Audit Program for Specific Topics (Revised).
The following table indicates the applicability of the Audit Program for Specific Topics (Revised) (APST (Revised)) and the Specific Topics Inquiries Document (STID) for each audit workflow:
This section provides guidance in relation to an existing audit client for which we conduct an audit of its financial statements and therefore have an understanding of the entity and its environment, including its internal control on which to base our review procedures. If we were recently appointed as the entity's auditor, and therefore have not audited the most recent annual financial statements, we apply additional procedures as described in the section titled, "KPMG was not the auditor of the most recent annual financial statements" in the Other Engagement chapter of KAM International. [8901.3.2]
If we are engaged to perform a review of interim financial information (by an entity to which we are the appointed independent auditor) we should perform the review in accordance with International Standards on Review Engagements (ISRE) 2410. [8902.1] If we are engaged to perform a review of interim financial information, and we are not the auditor of the entity, or if we are engaged to review other financial information, we perform the review in accordance with ISRE 2400, "Engagements to Review Financial Statements." [8903]
The objective of an engagement to review interim financial information is to enable us to express a conclusion whether, on the basis of the review, anything has come to our attention that causes us to believe that the interim financial information is not prepared, in all material respects, in accordance with an applicable financial reporting framework. This objective differs significantly from that of an audit conducted in accordance with International Standards on Auditing. A review of interim financial information does not provide a basis for expressing an opinion whether the interim financial information gives a true and fair view, or is presented fairly, in all material respects, in accordance with an applicable financial reporting framework. [8903.1] A review, in contrast to an audit, is not designed to obtain reasonable assurance that the interim financial information is free from material misstatement. A review may bring significant matters affecting the interim financial information to our attention, but it does not provide all of the audit evidence that would be required in an audit. [8905] The following Global Work Papers are applicable to an engagement to conduct a review of interim financial information in accordance with ISRE 2410: [8954.4] Interim Review Checklist Interim Review Program Summary of Review Differences.
We make inquiries, primarily of persons responsible for financial and accounting matters, and perform analytical and other review procedures in order to reduce to a moderate level the risk of expressing an inappropriate conclusion when the interim financial information is materially misstated. [8905.1]
8.1 Obtain an Understanding of the Entity and Its Environment, Including Its Internal Control
When performing a review of interim financial information, we should have an understanding of the entity and its environment, including its internal control, as it relates to the preparation of both annual and interim financial information, sufficient to plan and conduct the engagement so as to be able to: [8929] identify the types of potential material misstatement and consider the likelihood of their
2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG occurrence, and International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved. a basis for select the inquiries, analytical, and other review procedures that will provide us with
reporting whether anything has come to our attention that causes us to believe that the interim financial information is not prepared, in all material respects, in accordance with the applicable
When performing a review of interim financial information, we should have an understanding of the entity and its environment, including its internal control, as it relates to the preparation of both annual and interim financial information, International Audit be able (Interntional sufficient to plan and conduct the engagement so as to Workbook to: [8929]Audit Workbook) identify the types of potential material misstatement and consider the likelihood of their occurrence, and select the inquiries, analytical, and other review procedures that will provide us with a basis for reporting whether anything has come to our attention that causes us to believe that the interim financial information is not prepared, in all material respects, in accordance with the applicable financial reporting framework.
When we have audited the entity's financial statements for one or more annual periods and have obtained an understanding of the entity and its environment, including its internal control, as it relates to the preparation of annual financial information, which is sufficient to conduct the audit, we: [8930] update our understanding of the entity as discussed in the section titled "Understanding the entity" of the Planning chapter, and obtain a sufficient understanding of internal control as it relates to the preparation of interim financial information, as it may differ from internal control as it relates to annual financial information. The procedures we perform to update our understanding of the entity and its environment, including its internal control, are included in the Interim Review Program. [8930.1] Although we perform these procedures to update our understanding of internal control over the preparation of annual financial information and to obtain a sufficient understanding of internal control as it relates to the preparation of interim financial information. Our review procedures may lead us to come across matters that cause us to conclude that there are deficiencies in the design or implementation of internal controls over financial reporting. These procedures may also lead us to conclude that deficiencies in internal control which were identified during the most recent audit are of continuing significance. We document such deficiencies in the Interim Review Program and consider whether communication with management and those charged with governance is appropriate. [8934]
Additional guidance regarding this procedure We apply analytical procedures to interim financial information to identify and provide a basis for inquiry about the relationships and individual items that appear to be unusual and that may indicate a material misstatement. Analytical procedures may include ratio analysis and statistical techniques such as trend analysis and may be performed manually or with the use of computer-assisted techniques. [8939.0.2]
Professional judgment is used to determine which members of management we need to direct our inquiries to and we also consider whether direct inquiries to other, nonmanagement members of the entity are necessary (e.g., production and internal 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis audit personnel). [8938]
thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
Page 128 / 133
Make inquiries
A review ordinarily does not require tests of accounting records through inspection, observation,
include ratio analysis and statistical techniques such as trend analysis and may be performed manually or with the use of computer-assisted techniques. [8939.0.2]
International Audit Workbook (Interntional Audit Workbook)
Make inquiries
Professional judgment is used to determine which members of management we need to direct our inquiries to and we also consider whether direct inquiries to other, nonmanagement members of the entity are necessary (e.g., production and internal audit personnel). [8938]
A review ordinarily does not require tests of accounting records through inspection, observation, or confirmation procedures. Procedures for performing a review of interim financial information are ordinarily limited to making inquiries, primarily of persons responsible for financial and accounting matters, and applying analytical and other review procedures, rather than corroborating information obtained concerning significant accounting matters relating to the interim financial information. Our understanding of the entity and its environment, including its internal control, the results of the risk assessments relating to the preceding audit, and our consideration of materiality as it relates to the interim financial information, affects the nature and extent of the procedures applied. [8937]
We use the same method for evaluating uncorrected audit differences for the review of interim financial information as we use during the annual audit.
review of the interim financial information also may be used for the annual audit. For example, performing audit procedures on significant or unusual transactions that occurred during the period, such as business combinations, restructurings, orInternational Audit Workbook (Interntional Audit Workbook) significant revenue transactions. To the extent these interim review procedures are used or referenced to in the period-end audit, we may retain the interim documentation in the interim review file and include a reference from the audit file to the interim review file. However, certain jurisdictions may require a separate set of work papers for each engagement. In these cases, relevant work papers would need to be copied and placed in both the interim review file and the period-end audit file. [8954.6]
the possibility of resigning from the appointment to audit the annual financial statements. 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis Our communications of fraud or noncompliance are consistent with our communication during the annual audit. thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.
8.8 Reporting
we should consider: [8968] whether to modify the report, or the possibility of withdrawing from the engagement, and
International Audit Workbook (Interntional Audit Workbook)
the possibility of resigning from the appointment to audit the annual financial statements.
Our communications of fraud or noncompliance are consistent with our communication during the annual audit.
8.8 Reporting
Chapter 41, "Reporting on Interim Financial Information" of the International Standards Reports Manual contains guidance on reporting in conformity with, and example reports prepared in accordance with, International Standards on Review Engagements. [8973]
Interntional Audit Workbook
The Group Audit Instructions, available on ALex, contain additional guidance on preparing audit instructions for group audit engagements. [8511] The Financial Shared Services Centres Audit Workbook provides guidance on special considerations when we are engaged to perform a group audit and/or statutory audit engagement where all or some of the financial reporting activities of the group are centralized at an intra-group financial shared services centre. The Financial Shared Services Centres Audit Workbook is available on ALex. [8512] In addition to the policies, requirements and guidance set out in the group audits chapter in KAM, we comply with the policies, requirements and guidance set out in the Risk Management Manual - Global relevant to group audits, including those in Chapter 24 for multi-firm engagements. [8503.1] The following table indicates the applicability of Group Audit Global Work Papers for each audit workflow:
Control Evaluation and Substantive Testing 2.1 Use of audit evidence obtained in prior periods regarding the operating effectiveness of controls Reliability of underlying Control Evaluation 4.4 Supersedes content in the section titled, "Using Audit Evidence Gained in Prior Periods" Supersedes content in the
2.2
2.3
Substantive attribute
N/A
New content
obtained in prior periods section titled, "Using Audit regarding the operating Evidence Gained in Prior effectiveness of controls Workbook (Interntional Audit Workbook) Periods" International Audit 2.2 Reliability of underlying data Control Evaluation 4.4 Supersedes content in the section titled, "Reliability of underlying data" New content
2.3
Substantive attribute sampling Substantive analytical procedures - set acceptable difference KPMG Sampling Plan sample size factors Anomalous audit differences Involvement of KPMG sampling specialists
N/A
2.4
2.5
2.6
N/A
New content
2.7
Other Key Updates 3.1 Criteria for use of LCE working papers Engagement Management 2.4.2 Supersedes content regarding LCE New content
3.2
Consideration of omitted N/A documentation and other procedures identified after the date of auditor's report Concurrence from EQCR in Planning 3.4.1 relation to materiality
3.3
Supersedes content regarding concurrence from the engagement quality control reviewer New content Supersedes all content in this section
3.4 3.5