
Chapter 3

Section 1 - Engagement Acceptance and Understanding the Assignment


*mastering the area of internal controls*

1. Appointment of the Auditor


a. Audit committee is responsible for selection and appointment of the independent (I)
auditor & review of the nature and scope of the engagement
i. Sarbanes-Oxley Act: (applies to public companies)
1. Auditors report to and are overseen by the client's audit committee
(public companies)
a. Auditor must perform integrated audit of FS and I.C. over F.R. if
client is an issuer/public company
2. Audit committee pre-approves all services provided by auditor.
3. Specified non-audit services are prohibited
ii. Consider Firm Client Acceptance and Continuance Policies: before accepting the
engagement, the auditor should consider and document compliance w/ the firm's quality
control policies and procedures
1. Firm's Ability to Meet Deadlines
a. Not accept engagement if cannot meet deadlines
b. Examples: timing & complexity of engagement and availability of audit
staff
2. Ability to Staff Engagement
3. Independence required in ALL audit engagements
a. Not required in compilation, BUT must disclose lack of independence
4. Integrity of Client Management
a. Do not accept if client lacks integrity
5. Group Audits
a. Will the group engagement team obtain sufficient evidence
iii. Establish the Presence of the Preconditions for an Audit
1. If not present, auditor should not accept engagement
2. Preconditions for an Audit
a. AFRF: is the framework acceptable?
i. Nature of entity (business, not-for-profit)
ii. Purpose of FS (wide range of users)
iii. Nature of FS (complete set of financials or single FS)
iv. Whether law or regulation prescribes the framework

b. Management's responsibilities:
i. Financial statements
ii. Accounting policies
iii. Internal control (design, implement, maintenance): DIM from chapter 2
iv. Compliance with laws
v. Making all financial records available to auditor
vi. Providing management representation letter (at the end of the audit)
vii. Adjust FS to correct material misstatements identified by auditor
viii. Provide auditor with:
1. Access to all information mgmt. is aware of
2. Any additional information the auditor requested
c. Management-Imposed Scope Limitation (lack of records): do not accept the engagement if mgmt.
imposes a scope limitation that will result in a disclaimer opinion being issued
i. Audit Required by Law or Regulation
1. If required by law to have an audit, then a disclaimer opinion is OK
ii. Scope Limitations that DO NOT Preclude Engagement Acceptance
1. If qualified opinion, or scope is beyond management's control, the auditor can
ACCEPT the engagement
3. Agreement on Audit Engagement Terms (Engagement Letter): Signed Agreement
a. Reasons for Agreement: written agreement to reduce the risk of the auditor misinterpreting data
i. PCAOB standards: auditor must agree to terms with the audit committee
b. Contents:
i. Required Contents:
1. Objective and scope of audit
2. Responsibilities of the auditor
3. Responsibilities of management (see PRECONDITIONS for audit)
4. Statement of inherent limitations of the audit (we aren't going to discover everything)
a. Auditor MUST report these below if discovered!
b. FS fraud
c. Asset misappropriation
d. Corruption (doing business in countries you shouldn't be in, etc.)
5. Identify the applicable financial reporting framework (IFRS, US STANDARDS, etc.)
6. Reference to expected form and content of any reports issued
ii. Other Contents:
1. Refer to elaboration of the scope of the audit
2. Form of any other communication
3. Arrangements regarding planning and audit performance
a. Timing: when will it be available
b. Client assistance: who will be there to help us
c. Document availability
4. Expectation that mgmt. will provide written representation
5. Mgmt. will make information available to auditor on time
6. Mgmt. will inform auditor about subsequent events
7. Fees & billing arrangements
8. Arrangements concerning the involvement of other auditors
9. Arrangements to be made w/ predecessor auditor
10. Any restriction on auditor's liability
11. Obligations of auditor to provide audit documentation
12. Additional services to be provided to further agreements
4. Recurring Audits: existing client that the auditor audited in PY
a. Revise the engagement letter (if necessary)
i. Just think about what changes are made in company or w/ the laws or reporting
requirements
b. Terms of the engagement NOT revised: just remind mgmt. of the terms of the old EL
i. Written or Oral
5. Initial Audits (talk to old/prior CPA): new clients that are being audited
a. Communication w/ the Predecessor Auditor BEFORE engagement acceptance (MANDATORY to
make inquiries of predecessor auditor)
i. Review prior CPA's work papers (evidence)
1. Reasoning: to see how they got to their ending balance numbers, b/c their
ending numbers are YOUR beginning balance numbers this year

ii. Information that might bear on management integrity


iii. Disagreements with management over accounting principles, auditing
procedures, or other similarly significant matters
iv. Predecessor's understanding as to the reasons for the change of auditors
v. Communication to management, the audit committee, and those charged with
governance regarding fraud, illegal acts by client, and matters relating to
internal control (old end balance is CY beginning balance)
1. IF CLIENT IS UNWILLING TO AGREE TO LET NEW AUDITOR TALK TO OLD AUDITOR,
THE NEW AUDITOR SHOULD CONSIDER IF THEY WANT TO ACCEPT THE
ENGAGEMENT => scope limitation
b. Opening Balances
i. Auditor's Responsibilities
1. Obtain enough evidence on whether the opening balances contain a misstatement that
could affect current period FS & to see if they are consistent => methodology
used (were there any changes in the Applicable Financial Reporting Framework
(AFRF)?)
ii. Audit Procedures
1. Read the most recent FS and the PY auditor's report
a. If PY auditor opinion was modified, CY auditor should consider the effect
on risk of material misstatement in current period
i. If modification is relevant, the CY auditor should modify their
opinion on current period FS
b. **The CY auditor should request mgmt. to authorize the
predecessor auditor to allow the CY auditor to review the predecessor's
documentation**
i. Not their engagement letters, BUT THEIR work papers
1. Work papers = documentation = evidence
iii. Auditor Remains Responsible
1. Solely responsible for the audit work performed and conclusion reached during
audit
a. NO REFERENCE TO THE OLD AUDITOR SHOULD BE MADE
iv. Material Misstatement in Opening Balance
1. If material misstatement was made by PY auditor that affects CY auditor's
opening balance, then the CY auditor should arrange a meeting involving both
the auditors and the client
v. Effect on the Auditor's Report
1. Qualified or Disclaimer (GAAS ISSUE)
a. Not able to obtain enough evidence regarding opening balance
2. Qualified or Adverse (GAAP ISSUE)
a. Opening balance contains a misstatement that affects current period FS
b. Not consistently applying accounting principle from PY to CY
c. Change in accounting policy is not disclosed

Section 2 - Planning and Supervision - GAAS


1. Planning & Supervision: revise the audit strategy & audit plan based on the results of audit
procedures (means that it is updated constantly)
a. Overview of Planning: auditor will discuss type, scope, and timing with client's mgmt.
i. Obtain understanding of entity and environment (internal control, assess risk,
design audit procedure)
ii. Obtain knowledge of client's industry and business
iii. Use analytical procedures as planning procedure
1. Plan technical and personnel aspects of the audit
iv. Develop and document an audit plan
v. Consider materiality and audit risk
b. Involvement of Key Engagement Team Members:
i. The engagement partner is responsible for: (just in case taken to court)
1. Planning the audit
2. Supervising the work
3. Compliance with auditing standards
ii. EP may ask for assistance from engagement team members to fulfill
responsibilities
1. They will need to be informed of their roles
c. Supervision of Assistants: CPA documents evidence to support their expressed opinion
i. GAAS requires proper supervision to support that the work is adequate to accomplish the
objectives
ii. (N.E.T. used to cover client records & I.C.) Nature, Extent, & Timing of
Supervision: stated by the PCAOB
a. Nature - example: controlled testing, combined
b. Extent - example: a lot or a little
c. Timing - example: at interim, year-end, or combination of both
i. *based on what we had in our Audit Strategy*
2. Size and complexity of the entity
3. Nature of work assigned
4. Assessed risk of material misstatement

a. To compare work from the assistant to what the auditors report
5. Qualifications of the assistants
a. Knowledge & skill levels
iii. If auditor and assistant have disagreement on final report, the assistant will
document the details of the disagreement
2. Knowledge of the Client's Business & Industry: to understand events & transactions
that will occur
i. *This is done once the engagement is accepted!
ii. *review the accounting policies put in place
b. Knowledge of the Client's Industry: helps auditor highlight practices unique to that
industry
i. Sources used to help with knowledge:
1. AICPA accounting and audit guides
2. Trade publications
3. Government publications
4. AICPA Accounting Trends & Techniques (survey of accounting practices)
c. Knowledge of the Client's Business (fundamental understanding of the business)
i. *This is done BEFORE commencing the audit!
1. Tour the Client Facilities
2. Review the Financial History of the Client
a. Written documentation relating to CY & PY financial history of the
client
3. Obtain an Understanding of Client Accounting: interpret information
correctly regarding the business
a. Methods used
i. Influences the design of internal controls
b. Policies
c. Unusual events
d. Related party transactions
4. Inquire of Client Personnel
3. Develop the Audit Strategy: outlines the scope of audit, reporting objectives, timing,
required communication, & factors that determine the focus of the audit
a. Overall Audit Strategy written: nature, extent, and timing (N.E.T.)
i. Relates to FS assertions
b. Scope of the Audit = EXTENT of the work you are going to do
i. Use of services
ii. Effect of IT on the audit
iii. Characteristics of the audit
iv. Size and complexity of the client being audited
v. Knowledge gained from prior experience w/ client
c. Reporting Objectives, Audit Timing, & Required Communication
i. Deadlines for interim and final reporting
ii. Key dates for meetings w/ mgmt.
iii. Nature & timing of audit team communications
iv. Expected communications w/ 3rd parties
d. Factors that Determine the Focus of the Audit = NATURE
i. Preliminary evaluation of materiality, audit risk, & I.C. to develop an OVERALL
AUDIT STRATEGY
1. Example they would look at: interim financials
a. Financial statements from the prior year
ii. Material locations and account balances
iii. Areas w/ higher risk of misstatements
iv. Accounting changes in specific business or industry
e. Materiality for the FS as a WHOLE: based on professional judgment

1. Viewed by a reasonable investor as altering the mix of information


ii. Includes both qualitative & quantitative judgement
1. Performance materiality is the amount or amounts set by the auditor at
less than materiality
iii. *Auditor uses the smallest level of misstatement that could affect the
financials*
1. To establish nature, extent, & timing
f. Materiality for Particular Classes of Transactions, Account Balances, or Disclosures
i. Separate levels of materiality are applied to each of the ones listed in (f)
g. Materiality in Group Audits
h. Revising the Assessment of Materiality = CHANGE N.E.T.
i. As you gain experience, obtain more documentation, etc., you will change the
Nature, Extent, & Timing (N.E.T.)
4. Developing the Audit Plan: based on the audit strategy; outlines the N.E.T. of the
procedures performed during audit (written plan is REQUIRED) GAAS
a. Audit Procedures
i. Risk Assessment Procedures (required in ALL FS audits): used to obtain an
understanding of the entity and its environment (internal controls, risks for
misstatements, & N.E.T.)
1. Assess risk of material misstatement
2. Results affect whether and to what extent further audit procedures are
necessary
ii. Further Audit Procedures
1. Applied at relevant assertion level for material account balance,
transaction class, and disclosures
2. Include tests of operating effectiveness of controls (prevent & detect
misstatements): audit tests internal controls' effectiveness
a. Areas we like to rely on
b. Computer systems (real-time information)
3. Substantive procedures (detect misstatements)
a. Test of transaction classes, account balances, & disclosures
b. Testing the dollar balances: detect material misstatements
c. Analytical procedures are done at the beginning and end of audit
4. Timing of Audit Procedures: mgmt's discussion
i. Example: inventory
b. Nature: type
c. Extent: scope
d. Timing: when
b. Financial Statement Assertions: they are claims & assertions, made implicitly
or explicitly by mgmt. (COVERU) *mgmt. COVERSU!* (page 19)
i. C - Completeness: all transactions & events that should have been recorded
have been recorded
1. Account balances, transactions, & disclosures
ii. O - Cutoff: transactions have been recorded in proper period
1. Transactions
iii. V - Valuation, Allocation, & Accuracy: financials are recorded & disclosed
properly with the adjustments needed
1. Account balances, transactions, & disclosures
iv. E - Existence: balances exist & have been recorded & disclosed to entity
1. Account balances & transactions
v. R - Rights & Obligations: entity holds or controls the rights to assets, & liabilities
are the obligation of the entity
1. Account balances & disclosures
vi. U - Understanding & Classification: transactions are recorded in proper
accounts, financial information is presented correctly & disclosures are clearly
expressed
1. Disclosures
a. PCAOB states that the assertions are: C.E.O. A.P.R.O.V.E.D.
c. Drafting the Audit Plan (required): written N.E.T.
i. After sufficient planning information has been gathered, an audit plan should be
drafted.
1. Is a listing of detailed audit procedures to accomplish objectives of audit
5. The Role of Client's Internal Auditor - DOES NOT make judgements
a. When planning the audit, the auditor should consider the extent of involvement of
the client's internal auditors in the performance of the audit. While internal auditors
must maintain objectivity and integrity, they are NOT independent of the client,
their employer. The independent external auditor cannot share with the internal
auditor any of the responsibility for audit decisions, judgments, or assessments
made as part of the audit.
i. We can use the internal auditor, BUT they cannot do those things
1. Help prepare spreadsheets, post things in work papers, etc.
ii. *the higher the level, the more objectivity can be assumed
1. Better to report to people high up ex. Audit committee
iii. *to whom internal auditors report
b. Effects of the Internal Auditor's Work
i. High risk of misstatements: internal auditor's work alone cannot eliminate direct
testing by the CPA
c. External Auditor Responsibilities
*external auditor should supervise & review all the work performed on the audit
i. Obtain an understanding of the internal audit function (part of the monitoring
component of controls)
ii. Evaluate the Internal Auditor Function (N.E.T)
1. Direct Assistance:
a. If the auditor decides to make use of the internal auditor's work,
competence and objectivity must be assessed (also done to the
specialist)
i. Prior experience
ii. Prior evaluation
iii. Talk to management
1. Examples: obtain understanding of I.C., perform test
on controls, and performing substantive testing
2. Independent Auditor Should Assess these BEFORE Using the Work of the Internal
Auditor in assisting you in the audit:
a. Objectivity: organizational level to which the internal auditor
reports (may report lack of independence)
b. Competence: is reflected by education, performance evaluations,
the audit plan, audit procedures, & quality of the audit
documentation
i. Example: consider the internal auditor's compliance with
professional auditing standards
c. Application of systematic and disciplined approach
3. Least likely to be obtained? The results of analytical activities
iii. The external auditor (independent auditor) should supervise and review all work
performed on the audit: cannot share assessments of risks performed
iv. External auditor remains SOLELY RESPONSIBLE for the report of the FS
1. Internal auditors are not able to make judgement calls
a. Responsibility of independent auditor
6. Using the Work of a Specialist: may use a specialist in order to obtain competent audit
evidence that material are fair & assist the entity in the prep of the FS
i. Auditor needs to obtain an understanding of the methods used by the specialist
b. Examples: can be one of your own people, outsider, or internal people of the client
i. Auditor or Management's Specialist
c. Use of an Auditor's Specialist: can refer to specialist in report, if they modify the
opinion!
i. Valuation of restricted securities and works of art
ii. Determination of physical characteristics (i.e. mineral reserves, fungible goods)
iii. Determination of specialized estimates (i.e. actuarial calculations)
iv. Interpretation of technical standards or legal documents
v. Competence, Capability, & Objectivity (same as with internal auditors) auditor
must be satisfied as to:
1. Competence, Capability, and Objectivity
2. Specialist who is unrelated to the client will provide a greater assurance of
reliability
d. Use of Management's Specialist
1. We need to know if mgmt. specialist has relationship w/ client
ii. Evaluate competence, capability, & objectivity of specialist
iii. Obtain understanding of work by specialist
iv. Evaluate appropriateness of the specialist's work as audit evidence for relevant
assertion

Section 3 - Audit Risks


1. Audit Risk (when assessing internal controls) example: issue unqualified opinion => false
FS
a. What is Audit Risk?
i. Risk that the auditor may unknowingly fail to modify appropriately the opinion
on FS that are materially misstated
1. Statement on whether FS obtains reasonable assurance on whether FS is
free from material misstatement
b. What is Material Misstatement? Omission or misstatement of accounting information that
makes it probable that the judgment of a reasonable person relying on the information
would have been changed or influenced by the omission or misstatement
i. Misstatements by Error (unintentional) or Fraud (intentional)
1. Inaccuracy in collection or processing data
2. Departures from GAAP
3. Omissions
4. Incorrect estimates or judgments
5. Inappropriate selection or application of accounting policies
ii. Misstatements
1. Factual: misstatement about which there is no doubt
2. Judgmental: differences arising from judgments from mgmt. concerning
estimates that auditor considers unreasonable or inappropriate
3. Projected: auditor's best estimate of misstatements in populations, involving
projecting of misstatements in audit samples to the entire population from which they were
drawn
a. Example: using sample size taken and projecting the misstatement
to the entire population
c. Audit Risk Model (risk auditor will issue the wrong opinion): risk of material
misstatement (RMM) and risk auditor will not detect such misstatements (DR or
detection risk)
i. Audit Risk (should be low) = Risk of Material Misstatement (RMM = IR * CR)
(assessed by the auditor) * Detection Risk (DR) (controlled by the auditor)
a. Auditor cannot change RMM, but can change his assessment of the
risks
b. When RMM increases, then DR decreases to equal the same
amount originally planned
ii. Audit risk components
1. ALL risks are Quantitative (%) or non-quantitative (high, medium, or low)
iii. Risk of Material Misstatement (RMM = IR * CR) (assessed by the auditor)
1. Perform risk assessment procedures and test of controls
2. RMM is subdivided into IR and CR
a. High RMM = select more effective substantive testing
3. IR (inherent risk) (non-quantitative): susceptibility of a relevant
assertion to a material misstatement assuming no related controls
a. Example: high volume transactions, complex calculation, cash,
product obsolete, lack of working capital, decline in economy, etc.
have higher inherent risks
b. Inherent risks cannot be changed (exists independently of the audit)
4. CR (control risks) (non-quantitative): risk that a material misstatement that
occurs in an assertion will not be prevented (accounting system has
errors) or detected (internal control does not catch it) on a timely basis
by the entity's internal control *auditor DOES NOT change it, they assess it!*
i. Assessed in FS assertions and then evaluate the internal
controls and acceptable level of DR for FS assertions
ii. Increasing CR = decrease detection risk (extent of test of
details)
b. Auditor cannot change control risk, just assess it (just like inherent
risk) (exists independently of the audit)
c. Effectiveness of the design & operations of internal controls
d. *some control risks will ALWAYS exist due to inherent limitations
i. **large control risk = more work for auditor**
1. Less detection risk
ii. **low control risk = less work for auditor**
1. More detection risk
e. Assesses control risk because it affects detection risk
iv. Detection Risk (DR) (non-quantitative): risk that the auditor will not detect a
material misstatement that exists (auditor misses the mistake (error/fraud) &
gives wrong opinion)
1. Effectiveness of audit procedures and manner in which they are applied
a. Detection Risk is affected by the amount of control risk determined
b. If DR decreases = more substantive testing needs to be done in
order to detect errors in FS *inversely related to substantive
testing*
c. If DR increases = less substantive testing needs to be done
(timing) (timing is substantive procedures performed)
2. Will always exist (just like control risk)
a. Less work (low control risk) = higher risk (accepted)
b. More work (large control risk) = low risk (accepted)
3. Detection risk is subdivided into test of detail risk (TD) & substantive
analytical procedure risk (AP) (just like how RMM is divided into IR & CR)
4. *DOES NOT exist independently of the FS audit* (not like IR and CR do)
a. Can be changed at the auditor's discretion
v. Effect of the Audit
1. Inverse Relationship of RMM and DR

a. When RMM (CR or IR) is increasing, detection risk is decreasing (do
more work)
i. When RMM is high, auditor would consider confirming the
terms of a large complex sale
b. When RMM (CR or IR) is decreasing, detection risk is increasing (do
less work)
2. The Auditor Can Change Detection Risk (by varying the nature, extent,
and timing of the audit/substantive procedures): DR decreases =>
substantive procedures increase (= more procedures that need to be
done in the audit of FS to see if it contains errors)
i. Control risks increase = decrease detection risk => greater
substantive testing and to get greater assurance on
substantive testing, you need to increase extent of testing
(test of details)
b. Nature = change test from less effective to more effective
procedure (direct testing)
c. Extent (use a larger sample size)
d. Timing (perform substantive test at year-end
rather than at interim): DR increases, then timing decreases
3. Substantive Procedure Required
a. There is ALWAYS some type of substantive testing that will be
done when there are control risks to try to reduce detection risks
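Worked illustration of the audit risk model and the inverse RMM/DR relationship described above. This is an added example, not part of the original notes; the percentages are constructed for illustration.

$$AR = RMM \times DR = IR \times CR \times DR \quad\Longrightarrow\quad DR = \frac{AR}{IR \times CR}$$

With a target $AR = 5\%$, $IR = 80\%$ and $CR = 50\%$:

$$RMM = 0.80 \times 0.50 = 0.40, \qquad DR = \frac{0.05}{0.40} = 0.125 \; (12.5\%)$$

If controls cannot be relied on and CR is assessed at $100\%$, with AR and IR unchanged:

$$RMM = 0.80 \times 1.00 = 0.80, \qquad DR = \frac{0.05}{0.80} = 0.0625 \; (6.25\%)$$

RMM doubled, so the detection risk the auditor can accept was cut in half. The auditor reaches the lower DR by changing the nature, extent, and timing of substantive procedures (more effective tests, larger samples, testing at year-end).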
2. Audit Risk and Materiality Consideration During an Audit
a. Overall Considerations
i. Audit risk and materiality are considered together in designing the nature, extent, & timing of
audit procedures
ii. Affected by the size and complexity of the entity
b. Considerations at the FS Level: consider risks that have a pervasive effect on the FS
i. Purpose (used to)
1. Design risk assessment procedures
2. Identify and assess risk
3. Design more procedures
4. Evaluate FS as a whole
ii. Auditor's Response
c. Considerations at the Account Balance, Transaction Class, or Disclosure Item Level
(assertion categories COVERU)
i. Purpose:
1. At account balance, transaction class, or disclosure item level, used to
determine the nature, extent, and timing of audit procedures to be
applied to specific account balances, transaction classes, or disclosure
items. The audit risk model may be useful in this regard
ii. Inverse Relationship Between Audit Risk and Materiality
1. The risk of a very large misstatement may be low, whereas the risk of
small misstatement may be high. The more material the misstatement is,
the less likely the auditor will miss it

Section 4 - Fraud Risk


1. What is Fraud? *lie, steal, or cheat*
a. Fraud (a lot of cover-up occurs = more difficult to find those) vs. Errors (human
mistakes: find a lot of those)
i. Errors: unintentional misstatements or omissions of amounts or disclosures in
FS
1. Examples: gathering or processing accounting data, inaccurate
accounting estimates, & misapplication of accounting principles
ii. Fraud: intentional acts by 1 or more people among mgmt.
1. Fraud risk is high, then make detection risk less
b. Types of Fraud
i. Fraudulent Financial Reporting - intentional (lying)
a. Example: mgmt interest in maintaining the entity's earnings trend
by using an aggressive accounting principle
b. Example: mgmt has frequent dispute w/ the auditor on accounting
matters
2. Manipulation or alteration of accounting records or documents
3. Misrepresentation in FS of events, transactions, or significant information
a. Example: entity has a decline in customer purchases, so the entity
may misstate the FS to show that they aren't losing customers and
profit
b. Example: entity cannot generate cash flows, but they are reporting
earnings growth in the company. RAISES A RED FLAG!
4. Intentional misapplication of accounting principles
a. Example: mgmt interest in maintaining the entity's earnings trend
by using an aggressive accounting principle
ii. Misappropriation of Assets - intentional
1. Stealing of assets when it causes the FS not to be in conformity w/ GAAP
a. Example: lack of independent checks
b. Example: bearer bonds have the highest misappropriation of
assets: no records kept of the owner or transactions involving
ownership
iii. Corruption (cheating)
c. Characteristics of Fraud
i. Fraud Risk Factors:
1. Incentive/Pressures: a reason to commit fraud
a. Example: mgmt. pressures for meeting deadlines (budgets)
2. Opportunity: a lack of effective controls
a. Example: mgmt. override or possibility of cutting corners
3. Rationalization/Attitude: an attempt to justify fraudulent behavior
a. Example: requires ethics course for CPA (ethics & integrity)
2. Consideration of Fraud During an Audit (companies or mgmt. will try to CONCEAL IT)
a. Reasonable Assurance: even a (quality) properly executed audit may FAIL to detect
fraud due to collusion (example: 2 employees in different departments are
circumventing an internal control): hardest to detect
i. Fraud (intentional) is a higher risk to NOT detect than an error
1. Just think of Rosemary from Dental TLC (hard to detect)
2. Mgmt fraud from material misstatement is HARDER to detect than
employee fraud
a. Fraud is difficult to detect because people will try to conceal it!
b. Responsibility
i. Management's Responsibility (think of M.R. D.I.M. from chapter 1)
1. Design, implement, & maintain to prevent, deter, & detect fraud
ii. Auditor's Responsibility
1. Design (plan and perform) the audit to obtain reasonable assurance
about whether the FS are free of material misstatement whether caused
by error or fraud
2. *Must provide documentation to support your conclusion*
3. Auditor should ALWAYS have professional skepticism
c. Audit Requirements
i. Professional Skepticism: auditor must have a questioning mind and a critical
assessment
ii. Audit Procedures (page A3 30)
1. Discuss fraud risk with engagement personnel
2. Obtain information to identify specific fraud risks
3. Assess fraud risk and develop an appropriate response
4. Evaluate audit evidence regarding fraud
5. Make appropriate communications about fraud
6. Document the auditor's consideration of fraud
d. Required Discussion Among Engagement Personnel: REQUIRED if due to fraud in the
Planning Process
i. Discussion Topics: brainstorming; primary objective is to assess the potential
for material misstatement due to fraud
1. *consideration of the risk of mgmt. override of controls: opportunity by
mgmt.*
a. 3 Types of Fraud Environment: (discussed during the Planning
stage)
i. Pressure
ii. Opportunity
iii. Rationalization (ethics & integrity)
ii. Other Requirements: discussion should involve ALL key members of audit team
(engagement partner, specialist) and may occur in multiple locations.
1. Communication should CONTINUE throughout audit!
2. Audit documentation must include a description of the discussion
e. Obtaining Information
i. Inquire of Entity Personnel Regarding Their Views of Fraud Risk
a. *auditor job to communicate*
2. The auditor should direct inquiries to management, employees involved
in financial reporting, operating personnel, internal auditors, in-house
legal counsel, those charged with governance, etc.
a. Inconsistent responses indicate there is a need for ADDITIONAL
evidence
b. PCAOB requires that auditor NEEDS to ask mgmt. & audit
committee if they received & responded to tips or complaints
regarding entity's financial reporting
i. This is a WHISTLEBLOWER!
ii. Consider the Results of Analytical Procedures (REQUIRED in planning & final
review substantive testing the audit)
1. Perform analytical procedures related to revenue, in order to indicate if
there is fraud due to unusual relationships
2. Use of data aggregated at a high level
iii. Evaluate Fraud Risk Factors
1. Existence of Risk Factors
2. Absence of Risk Factors
a. Lack of observation of any or ALL of the 3 fraud risks (pressure,
opportunity, & rationalization) does not imply that there is no fraud
risk
i. Just means that the fraud is lower
f. Identifying Risks: use of information to identify the risk as a result of material
misstatement
i. Attributes of Risk
1. Type of risk: Does it involve fraudulent reporting, misappropriation of
assets, or corruption? (discussed earlier in section)
2. Significance of the risk: Can it lead to a material misstatement?

3. Likelihood of the risk: How likely is this to happen?


4. Pervasiveness of the risk: Does it affect the FS as a whole or only specific
accounts, transactions, or assertions?
a. Example: if evidence is misplaced, then the auditor should
reevaluate the risk of fraud
ii. Presumption of Risk (SEC told auditor that there are ALWAYS 2 risks that exist in
every audit)
1. Improper revenue recognition: analytical procedures are REQUIRED
(PCAOB)
a. Example of not helping the auditor: sales commission
2. Mgmt. override of controls
iii. Additional Considerations: determine the NET (nature, extent, & timing of the
work you do)
1. The size, complexity, and ownership characteristics of the entity
a. Large entities may have audit committee, internal audits, formal
code of conduct
b. Smaller entity may lack such features
i. Example: big companies may have more risks BUT may have
more controls
2. Susceptibility of item manipulation (GREATEST RISK):
a. High degree of mgmt. judgment is involved
b. Highly complex accounting principles
g. Assessing Risks
h. 3 Responding to Assessed Fraud Risk
i. Required Response
1. Overall, General Response
a. Assigning personnel to the engagement
i. Based on response or determination of risk will determine
the experience of auditor you assign to the engagement
b. Determining the appropriate level of supervision of engagement
personnel
c. Evaluating management's selection and application of accounting
principles
d. Unpredictability in audit from year to year
i. Fraudster will have a less likely chance of getting away with
fraud if he doesnt know when it is coming
2. Response Encompassing Specific Audit Procedures (N.E.T)
a. Nature - change nature of specific procedures by seeking evidence
that is more reliable
b. Extent - vary the extent of testing by increasing sample size,
performing testing at a more detailed level
c. Timing - judgement to determine the appropriate timing for audit
procedures
3. Response Addressing Risks Related to Mgmt Override (one of the 2 items
presumed to be a MAJOR risk)
a. Examine journal entries for evidence of possible material
misstatement due to fraud
i. Example: JE for seldom used accounts, individuals who don't
usually make JE, & JE for post-closing w/out explanation
b. Review accounting estimates that could be a result of material
misstatement due to fraud
i. Example: comparing to prior year estimates
c. Evaluate business purpose for significant unusual transactions
i. Example: transactions are overly complex
ii. Significant Risks
1. Obtain an understanding of the entity's related controls
a. Example: if the controls are suitably designed & implemented to
mitigate fraud risks
2. If significant risk exists, consider WITHDRAWING from engagement
i. Evaluating Audit Evidence
i. Conditions Identified During Fieldwork
1. Discrepancies in the accounting records
2. Conflicting or missing evidential matter
3. Problematic or unusual relationships between the auditor and
management
4. Objections by mgmt. to the auditor meeting privately w/ the audit
committee
5. Frequent changes in accounting estimates
a. Hard to determine the fraudulent intent in these matters
ii. Analytical Procedures - REQUIRED during: planning and final review stage of
audit
1. When performed at final stage of audit, it may indicate a fraud risk that
was not previously identified
a. Pay attention to unusual relationships relating to year-end revenue
& income
iii. Misstatements Due to Fraud
1. May be an underlying problem with mgmt. integrity (rationalization)
WITHDRAW
a. Pressure
b. Opportunity
c. Rationalization (ethics & integrity)
2. Reevaluate the assessment of fraud risk
iv. Final Evaluation
1. Consider whether the results of audit procedures affect the assessment of
the RMM due to fraud
j. Communication
i. Mgmt and Those Charged w/ Governance - should be discussed w/ the
appropriate level of mgmt.
1. Discuss with senior mgmt and reported directly to those charged w/
governance w/ any significant deficiencies or material weaknesses related
to internal controls
2. Fraud involving senior management, report directly to those charged with
governance
ii. Disclose w/ Parties Outside the Entity (CPA MUST communicate with)
a. Disclosure of fraud outside of senior mgmt or parties w/
governance IS NOT part of auditor's responsibility
2. To comply with certain legal and regulatory requirements
3. To a successor auditor when successor makes inquiries of the predecessor
auditor (with permission from the client first, of course)
4. In response to a subpoena
5. To a funding agency that receives government assistance
k. Documentation Requirements (complete documentation of auditor's risk assessment
and response is required)
i. Planning among engagement personnel regarding fraud risk
ii. Procedures performed to obtain information related to fraud risk
iii. Specific identified risks of material misstatement due to fraud
iv. If auditor has not identified improper revenue recognition (#1 type of fraud
determined by COSO) as a fraud risk, support for this conclusion
1. Lie about the Good things: revenue (over 60% of fraud cases) and/or
assets
2. Understate the BAD things: expenses and/or liabilities
a. *the 2 items listed above is why you must DOCUMENT*
v. Results of procedures performed to address the risk of management override of
controls
vi. Other conditions and analytical relationships that warranted further audit work
vii. Nature of communications made about fraud
l. Sarbanes-Oxley Act

Section 5 - Compliance w/ Laws & Regulations (page A3-37)


1. Effects of Laws & Regulations (corruption => cheating)
a. Noncompliance - collusion, forgery, deliberate failure to record transactions
2. Responsibility For Compliance w/ Laws & Regulations
a. Management's Responsibility
i. Conducted in accordance w/ applicable laws & regulations
1. In plain words, mgmt is responsible for NO CHEATING
b. Auditor's Responsibility - responsible for obtaining reasonable assurance that the FS
are free of material misstatements due to noncompliance w/ laws & regulations
1. Auditor is not responsible for preventing noncompliance (corruption) and
cannot be expected to detect noncompliance (corruption) w/ all laws &
regulations
ii. Inherent Limitations
3. Auditor Procedures Related to Noncompliance - GET SIGNED MGMT REP LETTER!

Section 6 - Assessing the Risks of Material Misstatement


1. Introduction - we are not able to change the client's system, only assess it
a. Purpose
i. Once we determine the RMM, then we will adjust the amount of detection risk
necessary
1. More risk = more work
2. Less risk = less work
b. Assessing the RMM - I.M. A. C.P.A
i. I - Internal Control - Understand entity and its environment, including internal
control
ii. M - Material Misstatement - Assess risk of material misstatement (Id potential
misstatements)
iii. A - Assessed Risk Response - Respond to assessed risk level by designing
further audit procedures based on assessment (NET)
iv. C - Control Testing - Test internal controls to evaluate their operating
effectiveness
v. P - Perform Substantive Testing - Perform substantive tests
vi. A - Audit Evidence - Evaluate sufficiency and appropriateness of audit evidence
obtained
1. In planning the audit, the design/knowledge of internal controls helps
assess the RMM
2. I - Obtaining an Understanding of the Entity and its Environment - establish a frame of
reference for planning and performing the audit (professional judgment is used. Be sufficient
to assess the RMM & design & perform further audit procedures)
a. Risk Assessment Procedures - used to plan the NET audit procedures (changes as
more evidence is obtained)
a. *ALWAYS necessary in FS audits!*
b. *uses substantive procedures or test of operating controls => not
required*
i. Identify specific internal controls relevant to specific
assertions
c. Analytical Procedures & Risk Assessment Procedures are Required
ii. Inquiries - we are going to talk to people
1. Made by mgmt, board of directors, audit committee, internal auditors,
legal counsel, valuation experts, etc.
iii. Analytical Procedures - made by financial and nonfinancial data
1. Use of Analytical Procedures required in PLANNING and FINAL REVIEW
stages
a. During planning to understand the entity
b. As substantive testing to obtain audit evidence
c. Overall review in final stage of the audit
2. Analytical Procedures Performed DURING an Audit (GAAS requires
these analytical procedures during PLANNING)
i. Design of internal controls should be used to identify the
types of potential misstatements that could occur**
b. Consist of a review of data aggregated at a high level
i. Example: compare the CY account balances for conformity
w/ predictable patterns
c. Compare recorded amounts to expectations (performance
evaluations)
i. Financial data is used though nonfinancial data
1. Example: number of employees, square footage of
selling space, or volume of goods produced),
unaudited information from internal quarterly reports,
CY & PY sales volumes
d. Objectives: to assess the RMM and to design and perform further
audit procedures
i. Enhance auditor's understanding of the entity and
transactions
ii. Discover unusual transactions and events
iii. PCAOB standards - perform analytical procedures related to
revenue to identify unusual transactions, ratios, or trends
(presumptive risk area)
3. Observation & Inspection by the Auditor - talk to people/walk around
a. Inspect company documents, read mgmt reports, board minutes,
internal reports, visit entity, trace transactions through I.S., &
observe activities & operations
4. Risk Assessment Discussion (w/ audit team)
a. Let them know professional skepticism is essential
b. Mgmt overrides
c. Significant audit risks
5. Other Procedures done by the Auditor
a. Review external information (trade journals)
b. Information obtained on other engagements performed by the
entity
c. Prior period evidence (extent it is still relevant)
i. Example: understand transactions & events that have
occurred since last audit
iv. Selection & Application of Accounting Policies
1. Auditor needs to understand why the entity chose a certain accounting
policy & also the reason for the changes made
2. Also needs an understanding of internal controls relevant to the audit
a. Internal controls affected by:
i. Charged w/ governance, mgmt, and other personnel
ii. Designed to provide reasonable assurance about the
achievement of the entity's objectives

3. M - Assessing the Risk of Material Misstatement (internal controls) - assess RMM at the FS
level and assertion level and identify any significant risks
a. Scope of the Assignment
i. Separately assess IR and CR
ii. Make a single overall assessment of the RMM
b. Assessing Specific Risks
i. Assertion Level Risks - risks related to specific transactions, account balances,
or disclosures at assertion level (completeness)
1. Design test of details to ensure that sufficient audit evidence support the
planned level of assurance at the relevant assertion level
2. Assertion Levels:
a. C.O.V.E.R.U.
ii. FS Level Risks - relate pervasively to the FS as a whole & potentially impact
many assertions
1. Process used to prepare the FS
2. Overall control environment
3. Lack of qualified personnel
4. Selection of accounting policies
c. Specific Risks (require a special audit consideration) (uses special audit consideration)
1. **exists when IR are exceptionally high**
a. Helps determine the nature, extent, & timing for the detection risks
ii. Factors that may be Indicative of Significant Risks
1. Non-routine, unusual, or complex transactions
2. Business risks
a. Example: downturn in the economy
3. Risk of Fraud
4. Significant related party transactions
5. Improper revenue recognition
a. **remember that it is 60% fraud of choice**
6. Accounting estimates
a. Example: where mgmt can manipulate their judgement
7. Accounting principles that are subject to different interpretations
8. Non-compliance w/ laws & regulations
a. Example: illegal acts occur
d. Other Matters Noted
e. Required Documentation
i. Discussion among audit team
ii. Key elements of the understanding of the entity and its environment
1. If procedure manuals and organizational flowcharts failed to maintain
copies, then the auditor will have to do MORE WORK to understand the
entity
iii. Assessment of the RMM (both FS & the assertion level) & basis of assessment
iv. Identified risk evaluated by the auditor
v. A more complex entity/environment requires more extensive audit procedures (more
risk = more work)
1. *common sense! The more complex it is, the more work*

Section 7 - Internal Control (entity, operating units, & business function)


(Prevent, detour, & defer) => Then we monitor them on the top (of pyramid) to make sure
everything is working properly and changes to the environment work for entity
1. Internal Control - designed to provide reasonable assurance about achievement of the
entity's objectives
(auditor/CPA should obtain understanding
& knowledge to identify potential types of misstatements)
a. Entity Objectives
i. Reliability of financial reporting - Most RELEVANT to audit (=>CRIME) and
auditor MUST consider and understand => NO FS fraud (lying)
ii. Effectiveness and efficiency of operations => asset misappropriation (stealing)
iii. Compliance with applicable laws and regulations => corruption (cheating)
b. Components of Internal Control - CPA is required to understand each element of CRIME
i. Five Components of Internal Control (COSO framework) - C.R.I.M.E (not to have
good internal control)
1. C - Control Environment: the overall tone of the organization (MAIN
COMPONENT)
a. Mgmt sets the requirements at the top
i. There is always PRESSURE on overstating revenue & assets
and understating expenses & liabilities
1. Establish/Identify Controls => where do we put
strongest controls to help reduce those risks
(prevent, detour, & defer)
2. Set-up the controls
2. R - Risk Assessment: management's identification of risk
3. I - Information & Communication Systems: a means of recording
transactions & communicating responsibilities
4. M - Monitoring: assessment of internal control performance over time
5. E - Existing Control Activities: control policies and procedures
ii. C - control environment (auditor/CPA should obtain understanding &
knowledge)
1. Control Environment:
a. Sets the tone of an organization
b. Provides discipline & structure as the foundation of internal controls
2. Control Environment Key Points:
a. Integrity and ethical values w/ people who create, administer, &
monitor internal controls
b. Competence - skills & knowledge required for particular jobs
c. Participation of those charged with governance
d. Management's philosophy and operating style (w/ respect to its
approach to risk-taking, attitudes and actions toward financial
reporting)
i. Raised concerns includes:
1. Mgmt consumed w/ meeting the budget => PRESSURE
2. Mgmt dominated by 1 person => OPPORTUNITY
(mgmt override)
3. Mgmt compensation contingent upon the entity's
financial performance => RATIONALIZE
a. Example: bonus & stock options
i. Projected profit goals
e. Organizational structure - framework within which the entity plans,
executes controls, & monitors its activities
i. Suitability of client's lines of reporting
f. Assignment of responsibility, authority, & accountability
g. Human resource policies (promotions)
3. Pervasive Effect of Control Environment (page A3-50) - preliminary
judgments affect nature, extent, & timing (NET) - the NET we get involved
in
a. Weak Control Environment (weak controls => more work)
i. Auditor may perform more substantive procedures as of the
BS date rather than at interim (short period)
ii. May modify the nature of tests to obtain more persuasive
evidence
iii. Increase the extent of testing (example: more items,
locations)
b. Strong Control Environment (strong controls => less work)
i. Auditor may perform more substantive procedures at interim
date rather than at the BS date
ii. May use test that provide somewhat less persuasive
evidence
iii. Reduce the extent of testing
iii. R - Risk Assessment (by mgmt NOT auditors) - analysis of risk to achievement of its
objectives (no lying, cheating, or stealing) (auditor/CPA should obtain
understanding & knowledge)
1. Key Point:
a. Risks are generally related to changes
2. Circumstances from which risk may arise include:
a. Change in regulatory environment
b. New personnel
c. New information systems or technology
d. Rapid expansion of operations
e. New business models
f. Corporate restructuring
g. Expansion or acquisition of foreign operations
h. Adoption of new accounting principles or pronouncements
iv. I - Information & Communication Systems - support the identification, capture, &
exchange of information in a timely manner and communicate roles &
responsibilities (auditor/CPA should obtain understanding & knowledge
of design of controls NOT effectiveness) - initiation, execution, processing,
reporting
1. Accounting Information Systems:
a. Classes of transactions significant to FS
b. Accounting processing (both automated and manual), from
initiation of a transaction to FS
c. Accounting records (automated & manual) have to be understood
d. Ways other significant events are captured by the system
e. Financial reporting process, including development of significant
accounting estimates and disclosures
v. M - Monitoring - assesses the quality of internal control performance over time,
by assessing the design & operation of controls on a timely basis (auditor/CPA
should obtain understanding & knowledge)
1. **Monitoring is the responsibility of mgmt** (top of the pyramid)
2. Key Points:
a. Internal audit function
b. Regular mgmt & supervisory activities
c. Other procedures such as mailing customer statements
3. Monitoring Process:
a. Ongoing monitoring
b. Evaluate communication from external parties
c. Evaluation of internal control and recommendations for
improvement
vi. E - Existing Control Activities - helps ensure that mgmt objectives are carried
out & the necessary steps to address risks are taken (auditor/CPA should
obtain understanding & knowledge) - PAID TIPS
1. Key Points: PAID TIPS
a. Authorization
b. Segregation of Duties
c. Safeguarding Assets
d. Asset accountability
2. Strong system of internal controls:
a. P - Pre-numbering documents - example: checkbook
i. All transactions are recorded (completeness)
ii. No transaction recorded more than once (existence)
b. A - Authorization of transactions - example: signed approval
i. Authorization should occur before commitment of resources
c. I - Independent checks to maintain asset accountability - example:
checks & balances
i. Review bank recons
ii. Compare subsidiary records to control accounts
iii. Comparison of physical count of inventory to perpetual records
d. D - Documentation - example: paper trail
i. Provides evidence of underlying transaction
e. T - Timely and appropriate performance reviews - example:
analytical procedures
i. Comparison of actual performance to budgets, forecasts, and
prior periods
ii. Comparison of financial and nonfinancial information
f. I - Information processing controls
i. Ensure that transactions are valid, authorized, and
completely and accurately recorded
1. Application controls: processing of individual
applications (i.e. controls surrounding payroll)
2. General controls: apply to information processing
throughout the company
g. P - Physical controls for safeguarding assets - example: security
i. Physical segregation of security of assets
ii. Authorized access to assets and records
iii. Periodic counting and comparison of actual assets with
amounts shown in accounting records
h. S - Segregation of duties (ARC)
i. One individual provides a crosscheck on the work of another
individual
ii. Assign different people the responsibilities of authorizing
transactions, recording transactions & maintaining custody of
the related asset => reduce opportunity for individuals to
both perpetrate and conceal errors or fraud
1. Client internal control should separate these functions
from a flood of troubles:
a. A - Authorization
b. R - Recordkeeping
c. C - Custody of related assets
2. (inherent limitations) Internal control environ. should
detect fraud by one person, NOT
a. Collusion
b. Management override - ex. CEO requests check
w/out docs
c. Human error
2. Auditor's Consideration of Internal Control (how auditor will assess the risk) - IM A CPA
(material misstatement)
a. Consideration of the COSO Framework - more concerned w/ whether & how a specific
control (affects FS assertions) prevents, detects, and corrects material misstatements,
than with the classification of the controls
i. Relevance to the Audit
1. CRIME not to have strong internal controls
b. Identifying Controls Relevant to Reliable Financial Reporting (RMM) - prevent, detect,
& correct material misstatements
i. Preventive Controls
1. Designed to provide reasonable assurance that only valid transactions
are recognized, approved, and submitted for processing
a. BEFORE processing activity occurs
ii. Detective Controls
1. Designed to provide reasonable assurance that errors or irregularities are
discovered & corrected in a timely manner
a. AFTER processing has been completed
c. Evaluate the Design & Implementation of Internal Control - auditor needs to obtain an
understanding of the 5 components of internal control - CRIME
i. Evaluate the Design & Implementation of Relevant Controls
1. Design - capable of preventing or detecting & correcting material
misstatement
a. CPA required responsibility:
i. An understanding of each element of CRIME as it pertains to
financial reporting
2. Implementation - control is being used
a. Awareness of existence of the procedure and responsibility
b. Working knowledge of how procedures should be performed
3. Procedures
ii. Assess the RMM (ultimate goal of control risk) - to identify the potential
misstatements
1. Understand design and implementation of entity's control - required to
complete the assessment of RMM
iii. Design the Nature, Extent, & Timing of Further Audit Procedures (we will
perform)
1. Based on the potential misstatements that could occur in internal
controls
d. Walkthrough
i. Confirm the auditor's understanding
ii. Includes Inquiry & additional procedures
1. Additional Procedures:
a. Observe individuals performing their information processing
i. Design to prevent/detect material misstatements
b. Re-perform the information processing or control procedures
c. Inspect relevant documents & accounting records
d. Corroborate inquiry responses w/ others knowledgeable about
information processing and control procedures
e. Document the Understanding of Internal Control - FIND (page A3-60)
i. MUST document the understanding of the design and implementation of the
entity's internal control - it is a visual to see strengths and weaknesses where
they apply
1. Flowchart - depicts auditor's understanding of internal control (more
complex controls)
2. Internal control questionnaire or checklists
3. Narrative (less complex controls) - paragraph after paragraph after
paragraph explanation
4. Documentation from the client (including procedure manuals and
organizational charts)
a. F - Flowcharts - represents the sequential flow of authority,
processes, and documents 1) prepared to evaluate internal control
2) evaluate internal control in an automated accounting
environment
i. System Flowcharts (visual) - shows origin of each document
in the system (document the steps in a process)
ii. Program Flowchart - created by IT to document the logic
and existing flow of a computer program
1. **Diamond shape - ALWAYS a connection b/w things
w/ a decision going on there! (BIG decision)**
iii. Flowchart Organization
b. I - Internal Control Questionnaire - yes or no (written explanation
REQUIRED)
1. **used for each assertion of mgmt, so as to
COVERU**
2. MOST common ones I will be associated w/
3. Huge document of paper we give to the client
ii. Negative response = possible weakness in internal control
iii. Questions should address each element of the control
procedures
c. N - Narratives - description of understanding of the system of
internal controls
i. It is a sequence of events for transactions
ii. HARD TO SEE WEAKNESSES IN INTERNAL CONTROL
iii. Best to use when documenting less complex control
structures
d. D - Documentation from the Client
f. Effect of Information Technology on Internal Control - C.R.I.M.E.
1. If evidence is not retrieved, it is difficult to determine timing of control
testing and substantive testing
2. May be impossible to resolve detection risk through substantive testing
alone (MUST do control testing as well)
ii. Manual Controls are used to monitor automated controls (CPA MUST document
evidence)

Section 8 - Responding to the Assessed RMM (I.M. A. C.P.A.)


I - Internal Control - Understand entity and its environment, including internal control
M - Material Misstatement - Assess risk of material misstatement
A - Assessed Risk Response - Respond to assessed risk level by designing further audit procedures
based on assessment
C - Control Testing - Test internal controls to evaluate their operating effectiveness
P - Perform Substantive Testing - Perform substantive tests
A - Audit Evidence - Evaluate sufficiency and appropriateness of audit evidence obtained
1. Responding to the Assessed RMM
a. Levels of Response
i. To reduce audit risk to low level, auditor should respond:
1. Overall response: address risk at FS level
2. Response at assertion level, the NET (nature, extent, & timing) of audit
procedures are designed to address risks
b. Overall Response to FS Level Risk
i. In response to risk assessed at the FS level, the auditor may:
1. Address increased need for professional skepticism
2. Assign more experienced staff or specialized skills
3. Increase supervision
4. Incorporate greater level of unpredictability into the audit
5. Change the NET, such as shifting substantive procedures closer to period
end
c. Response to Risks at the Relevant Assertion Level (page A3-66)
i. Design audit procedures that address the RMM (IR*CR) for each assertion to
each significant account balance, or disclosure
ii. Link b/w level of risk at the assertion level and the NET (nature, extent, &
timing) of further audit procedures (can be changed by auditor => detection
risk)
1. Nature: both its purpose (test of controls vs. substantive procedure) and
its audit type (inspection, observation, inquiry, confirmation,
recalculation, reperformance, or analytical procedures)
a. Higher the assessed RMM, the more reliable the evidence must be
b. Accuracy & completeness used in IS, MUST be tested
c. Responding to assessed risks, nature of audit procedure is of
primary importance
d. Auditor varies nature of audit procedure to achieve desired level of
reliability & relevancy
2. Extent: refers to the quantity to be performed (example: # of observations
or sample size)
a. higher assessed RMM = greater the extent of audit procedures
b. auditor considers the tolerable misstatement and degree of
assurance the auditor plans to obtain
3. Timing: performed at interim date (strong) or at period end (weak)
i. if it is strong, you can test the functions to see if it is
functioning as designed
1. example: strong inventory control at interim
(September) and then do a roll forward at period end
(December)
ii. if it is weak, you cannot test at interim and then roll forward,
you MUST test at the ENTIRE year (more of a burden b/c it
takes so much longer when you are working on other
clients)
b. Higher the assessed RMM, the closer to period end substantive
procedures (activities performed by auditor to detect material
misstatements or fraud at assertion level) should be performed
c. audit procedures BEFORE period end allows early identification of
significant matters and additional procedures will be NECESSARY for
remaining period
d. auditor considers when relevant information is available
iii. 2 Audit Approaches - specific approach to identified risks at the assertion level;
General rule is that you will do 1 or the other of the 2 approaches!
1. Substantive Approach (control risk is assessed at maximum = determines
on the controls)
i. In IT, you are REQUIRED to do test of controls & substantive
testing
ii. Strong system of controls = lower risk level = lower the
amount of substantive testing = perform control testing
iii. Weak system of control = risk level high = NO control
testing (unless heavy in IT) => substantive test ONLY
b. No effective control relative to specific assertion
c. Controls are assessed as ineffective
i. **no strong controls to rely upon**
d. (decided not to perform test of controls) NOT be efficient to test
the operating effectiveness of controls
i. **cost-benefit relationship** (better to do all testing at once)
ii. DO NOT test controls (purpose is to rely upon controls) if
ineffective at reducing substantive testing
1. If controls are working = less RMM => less assurance
from substantive testing
e. Examples of Substantive Testing:
i. confirm receivables - $ balance testing
ii. counting of the inventory - substantive physical testing
1. **these are NOT used in control tests - P.A.I.D. T.I.P.S.
associated w/ internal controls**
2. Combined Approach - test the operating effectiveness of controls &
substantive testing are used
3. Test of Control May Be Required (IT) - large amount of information is
initiated, authorized, recorded, processed, or reported electronically,
substantive procedures MAY NOT be sufficient
a. Test of Controls generally required when:
i. highly automated processing
ii. audit evidence is obtained in electronic form
4. Dual-Purpose Tests
iv. Response to Significant Risks
1. Controls are designed & implemented
2. Test the operating effectiveness of controls in current period. CANNOT
rely on test of controls performed in prior periods
a. Only the controls that are suitably designed to prevent or detect
material misstatements are subject to operating effectiveness =
less RMM = less work on our part
3. Link substantive testing in response to the risk
2. Test of Controls - I.M. A. C.P.A. (evaluate their operating effectiveness)
a. When to Perform Test of Controls (strengths & IT got to do them) - LESS RMM => LESS
WORK ON YOUR PART
i. Test of Controls are performed when:
1. The auditor's risk assessment is based on the assumption that controls
are operating effectively
2. When substantive procedures alone are insufficient. (Test Control
Strengths, typically not weaknesses)
a. Inspect client records documenting the use & changes to IT
programs
ii. **NOT required to evaluate the operating effectiveness when obtaining an
understanding of the design and implementation of internal control**
b. Test of Operating Effectiveness
i. PCAOB states when performing test of controls, auditor must obtain evidence
that controls were both designed and operating effectively DURING period of reliance
c. Nature of Tests of Controls - evidence produced from least to most: inquiries,
inspection, observation, and reperformance tests to obtain audit evidence
about control risk
i. Inquiry alone is not sufficient
ii. Observation should be supported with inquiry or inspection (effectiveness of control
activity)
1. Reliance on operating effectiveness of control increases = auditor should
obtain more reliable audit evidence
a. Audit Evidence Hierarchy: (think of the vowels in English language)
i. Auditor's Knowledge
ii. External Evidence
iii. Internal Evidence - certain documents recon to other
documents
iv. Oral Evidence
v. U - know it (just a plug)
d. Extent of Test of Controls
i. Control on transaction basis, auditor uses sampling to test the control
ii. IT is consistent, so may only test a few instances of the operation of an
automated control
e. Timing of Tests of Controls
i. Testing at a Particular Time vs. Testing throughout the Period
1. When tests of controls are performed at one particular time, they provide
evidence that controls operated effectively only at that time. Controls
tested throughout the period provide evidence of operating effectiveness
during that period
2. Controls tested at interim period should be supplemented by additional
evidence for the remaining period - ROLL FORWARD (discussed earlier in
section)
a. This is kind of common sense. Test in middle will require more tests
to reach the end of the period
ii. Evidence Obtained in Prior Audit
3. Substantive Procedures - I.M. A. C.P.A (perform substantive testing)
i. $ balances, analytical procedures, & ratios
b. Substantive Procedures
i. Used to detect material misstatements at the relevant assertion level
1. Example: account balances complete, revenue complete, ownership of all
the assets
ii. NET should be responsive to the assessed RMM
1. Results of test of controls
2. Planned level of detection risk
iii. Regardless of RMM, substantive testing is REQUIRED for each material
transaction class, account balance, or disclosure
c. Nature of Substantive Procedures
i. Two types:
1. Tests of details ($) - transaction class, account balance, and disclosures
2. Substantive analytical procedures
d. Extent of Substantive Procedures
i. In designing test of details, the extent of substantive procedures generally refer
to sample size
1. Affected by:
a. Planned level of detection risk
b. Tolerable misstatement
c. Expected misstatement
d. Nature of population
e. Timing of Substantive Procedures
i. Interim Testing
1. Procedures done at interim will require additional evidence for the
remaining period - ROLL FORWARD
2. Increases the risk that the auditor will not detect material misstatement
in the FS
a. ONLY IF RMM is low!
b. *ALL companies should be audited at interim testing*
4. Evaluating the Sufficiency and Appropriateness of Audit Evidence - I.M. A. C.P.A. (existing audit
evidence)
a. Results of Further Audit Procedures
i. May lead the auditor to:
1. Reassess the RMM - will always evolve
a. Will adjust NET of substantive procedures (work you will do)
2. Identify control deficiencies (chapter 5) from test of controls or
substantive procedures
3. Identify misstatements from substantive procedures (chapter 4)
b. Revising the Assessed RMM - when there is a change in the assessed level of risk,
auditor should modify planned audit procedures accordingly
i. If fraud is discovered, auditor should not assume it is an isolated occurrence,
but consider whether the instance affects the assessed RMM
c. Sufficiency and Appropriateness of Audit Evidence - auditor uses judgment to evaluate
i. But consider:
1. Significance and likelihood of potential misstatements
2. Effectiveness of management's responses and controls
3. Experience gained during previous audits
4. Results of audit procedures performed
5. Source, reliability, and persuasiveness of audit evidence obtained
6. Understanding of the entity and its environment
