Audit Update (Audit Clarity Standards) By Buchbinder Tunick & Company LLP MACPA’s 2013 Employee Benefit Plan Conference May 6, 2013
Audit Clarity Project • •
•
•
•
The issuance of the clarified standards reflects the ASB's established clarity drafting conventions designed to make the standards easier to read, understand, and apply. Among other improvements, generally accepted auditing standards (GAAS) now specify more clearly the objectives of the auditor and the requirements with which the auditor has to comply when conducting an audit in accordance with GAAS. As the ASB redrafted the standards for clarity, it also converged the standards with the International Standards on Auditing (ISAs), issued by the International Auditing and Assurance Standards Board (IAASB). Although the purpose of redrafting the auditing standards is for clarity and convergence and not to create additional requirements, auditors will need to make some adjustments to their practices as a result of this project. The clarified standards generally will be effective for audits of financial statements for periods ending on or after December 15, 2012. Thus, the clarified standards will be effective for calendar year 2012 audits.
2
AU-C 200, Overall Objectives Objectives AU-C 200 contains three objectives for the auditor: • The auditor aims to obtain reasonable assurance about whether the financial statements are free from material misstatement. • The auditor is charged with reporting on the financial statements and effectuating other communications required by GAAS. • If reasonable assurance is not obtained and qualification in the report is insufficient in the circumstances, the auditor disclaims an opinion or withdraws from the engagement
3
AU-C 200, Overall Objectives, continued Requirements • Much of AU-C 200 is taken from existing standards. According to AU-C 200, the auditor is required to: • Be independent (AU-C 200.15). • Comply with relevant ethics requirements (this is required by the Code of Professional Conduct, anyway) (AU-C 200.16). • Maintain an attitude of professional skepticism (AU-C 200.17). • Exercise professional judgment in planning and performing the engagement (AU-C 200.18). • Obtain sufficient appropriate audit evidence to reduce audit risk to an appropriately low level (AU-C 200.19). • Comply with GAAS (AU-C 200.20). 4
AU-C 200, Overall Objectives, continued New Requirements The clarified standards add the following requirements (although some of them might been implied in the existing literature). They should be incorporated as necessary into the audit: • AU-C 200.20 explicitly requires compliance with all AU-C sections in effect and for which the circumstances addressed exist. • AU-C 200.21 requires the auditor to understand the entire text of the relevant AU-C section, including the explanatory material. • AU-C 200.22 prohibits the auditor from representing that he or she complied with GAAS unless all the relevant AU-C sections have been complied with. • AU-C 200.23 requires the auditor to determine the need for specific procedures and evaluate the sufficiency of evidence obtained by reference to the objectives in each AU-C section. • AU-C 200.24 allows the auditor to disregard an AU-C section requirement only if the section is irrelevant or the conditions underlying the requirement do not exist. 5
AU-C 200, Overall Objectives, continued New Requirements • AU-C 200.26 permits disobeying a presumptively mandatory requirement only when it would be ineffective to implement it (AU-C 200.24); the prior literature provided only that the departure had to be documented. (The documentation requirement is now in AU-C 230.13.) • AU-C 200.29 requires that if an AU-C section objective cannot be achieved, the auditor should evaluate whether it requires an opinion modification or withdrawal. (Failure to achieve an objective is a significant finding or issue requiring documentation; see AU-C 230.)
6
AU-C 210, Terms of Engagement Objectives • In deciding to undertake an audit engagement, the auditor's objective is to establish whether the preconditions for the engagement are present and confirm that there is a common understanding between the client and the auditor about the terms of the engagement (AU-C 210.03) Requirements • Certain preconditions have to be present for an auditor to accept an audit engagement. The auditor should determine that: • The financial reporting framework (that is, the basis of accounting and disclosure underlying the financial statements, for example, GAAP) to be applied is acceptable (AU-C 210.06a). • Management acknowledges and understands that it is responsible for the preparation of the financial statements, internal control, and providing the auditor with access to information and personnel (AU-C 210.06b). Even when the client is a third party, rather than management, the auditor has to obtain this acknowledgment from management of the entity (AU-C 210.A22). 7
AU-C 210, Terms of Engagement , continued Requirements • The auditor should generally not accept the audit engagement if: • The preconditions are not met (AU-C 210.08). • A client-imposed scope limitation is expected to necessitate a disclaimer of opinion (AU-C 210.07).
8
AU-C 210, Terms of Engagement, continued New Requirements The clarified standards add the following requirements, which should be incorporated as necessary into the audit: • AU-C 210.06 establishes the following preconditions for the audit: – –
acceptability of the financial reporting framework and acknowledgment of management's responsibilities regarding the financial statements, internal control, and auditor access to information and personnel.
• AU-C 210.07 prohibits accepting engagements to audit non-regulated entities when the auditor expects to issue a disclaimer due to a client-imposed scope limitation. • AU-C 210.10 requires the engagement letter to identify the financial reporting framework and refer to the form of the report expected to be issued. • AU-C 210.13 requires that, when using a multi-year engagement letter, the auditor remind management of the terms of the engagement each year and document the reminder. • AU-C 210.14 allows changes in terms of service only if there is a reasonable justification for the change. 9
Quality Control Objectives • The auditor's objective is to implement quality controls at the engagement level to provide reasonable assurance that the audit complies with professional standards and relevant regulations and that the auditor's report is appropriate in the circumstances (AU-C 220.08). •
AU-C 220 establishes requirements for quality control procedures in an engagement done under the SASs.
•
It replaces AU 161, which merely reminded auditors that, under the quality control standards (SQCS No. 8), a firm has a responsibility to adopt quality controls to provide it with reasonable assurance that its personnel comply with GAAS.
•
The new standard incorporates into GAAS specific quality control requirements at the engagement level (as opposed to the firm level).
10
Quality Control, continued New Requirements (Previously required under SQCS No. 8) • The engagement partner is required to: • Determine that an appropriate course of action has been taken in response to any noncompliance with ethics requirements (AU-C 220.12). • Conclude about compliance with independence requirements by identifying and evaluating potential threats to independence and taking appropriate action to mitigate them (AU-C 220.13). • Be satisfied about the appropriateness of procedures applied and conclusions reached about acceptance and continuance of client relationships and audit engagements (AU-C 220.14). • Be satisfied that the audit team, including specialists, have the necessary competence and skills (AU-C 220.16). • Take responsibility for the direction, supervision, and performance of the engagement and the conclusions reached (AU-C 220.17-.19).
11
Quality Control, continued New Requirements (Previously required under SQCS No. 8) • The engagement partner is required to: • Take responsibility for the consultation process on difficult or contentious matters and their resolution (AU-C 220.20). • Determine whether an engagement quality control review is required under firm policies and, if so, discuss and resolve relevant issues with the quality control reviewer (AU-C 220.21). • Consider whether the results of the firm's monitoring program negatively affect the engagement (AU-C 220.24).
12
Quality Control, continued New Requirements (Previously required under SQCS No. 8) • Throughout the engagement, the entire engagement team should be alert for evidence of noncompliance with ethics requirements (AU-C 220.11). •
The following items have to be documented under AU-C 220: • Issues regarding compliance with ethics requirements and their resolution. • Conclusions on compliance with independence requirements, including relevant discussions. • Conclusions about client and engagement acceptance and continuance. • The nature, scope, and conclusions related to consultations (AU-C 220.25).
13
Quality Control, continued New Requirements (Previously required under SQCS No. 8) • The engagement quality control reviewer should document: • Performance of the procedures required by the firm. • The date of the conclusion of the review. • That the reviewer is not aware of unresolved issues suggesting inappropriate judgments or conclusions (AU-C 220.26). •
In addition, the standard reiterates the requirements in SQCS No. 8 regarding the responsibilities of engagement quality control reviewers and documentation of the review.
14
Audit Documentation Objectives • The documentation should provide a sufficient and appropriate basis for the auditor's report and evidence that the audit was planned and performed in accordance with GAAS and other applicable legal and regulatory requirements (AU-C 230.05). Requirements • AU-C 230 requires preparation of audit documentation on a timely basis (AU-C 230.07). It does not define “timely basis” but notes that documentation prepared at the time the work is performed or shortly thereafter tends to be more accurate than documentation prepared much later (AU-C 230.A3).
15
Audit Documentation, continued Requirements • The documentation has to provide a sufficient understanding of both the work performed and its results to an “experienced auditor,” that is, a reader who is unconnected with the audit but has practical audit experience and a reasonable understanding of: (a) audit processes, (b) requirements applicable to the engagement, (c) the entity's business environment, and (d) audit and financial reporting issues relevant to the entity's industry. Specifically, the documentation should provide: • The nature, timing, and extent of audit procedures applied. • The results of the audit procedures. • The audit evidence obtained. • The significant findings or issues arising during the audit. • The conclusions reached regarding significant findings or issues and the underlying judgments made in reaching them (AU-C 230.08).
16
Audit Documentation, continued Requirements • The following matters should be specifically documented: • The identifying characteristics of specific items or matters tested. • Who performed the work and the date the work was completed. • Who reviewed the work and the date and extent of the review (AU-C 230.09). [Evidence of the review need not appear on each workpaper (AU-C 230.A15).] • Abstracts or copies of contracts or agreements inspected (AU-C 230.10). • The nature of significant findings or issues discussed with management, those charged with governance, or others as well as when and with whom the discussions took place (AU-C 230.11). • How the auditor addressed information that was inconsistent with the auditor's conclusions (AUC 230.12). [For example, additional procedures or resolutions of differences of opinion (AU-C 230.A18).] • The justification for any departure from a relevant presumptively mandatory requirement in GAAS and how the alternative procedure applied instead was sufficient to achieve the requirement's intent (AU-C 230.13). • The report release date (AU-C 230.15).
17
Audit Documentation, continued Requirements • After the date of the audit report, the auditor might apply additional procedures or draw new conclusions, for example, because he or she becomes aware of information that existed at the time of the audit report or because the auditor realizes a necessary procedure was omitted. In such a case, the auditor should document: • The circumstances encountered. • The additional audit procedures applied, the evidence obtained, the conclusions reached, and their effect on the audit report. • When and by whom the audit documentation was changed and reviewed (AU-C 230.14).
18
Audit Documentation, continued Requirements • Audit documentation should be assembled in an audit file no later than 60 days (or as directed by state law if less – NYS requires 45 days) after the report release date (AU-C 230.16). No information should be discarded after the file is completed until the end of the document retention period—at least five years (AU-C 230.17). If the auditor needs to add documentation after the file completion date for reasons other than new information coming to his or her attention or an omitted procedure, for example, to address concerns from monitoring inspections or peer reviewers, the workpapers should document: • The specific reasons the changes were made. • When and by whom the changes were made and reviewed (AU-C 230.18). •
The auditor is required to adopt reasonable procedures to keep client information confidential (AU-C 230.19). Client confidentiality is required by rule 301 of the Code of Professional Conduct (ET 301.01).
19
Audit Documentation, continued New Requirements •
The clarified standards add the following requirements, which should be incorporated as necessary into the audit: • AU-C 230.07 requires timeliness in documentation preparation. • AU-C 230.08 requires that documentation be sufficient for an experienced auditor to understand the judgments made in reaching conclusions. This element was not required in AU 339. AU-C 230.A12 suggests the auditor might document, for example, the rationale for the auditor's conclusion when addressing a requirement that he or she should consider a procedure or the basis for the auditor's conclusions regarding subjective matters, such as estimates.
20
Fraud Objectives • The auditor's objectives in applying AU-C 240 are to: • Identify and assess the risks of material misstatement due to fraud. • Design and implement appropriate responses to the assessed risk of material fraud and obtain sufficient appropriate evidence. • Respond appropriately to frauds identified or suspected during the audit (AU-C 240.10).
21
Fraud, continued Requirements • AU-C 200 requires the exercise of professional skepticism throughout the audit. •
The auditor should be aware that it is possible that, despite the auditor's experience with management and those charged with governance, a material fraud could exist (AU-C 240.12).
•
Nonetheless, auditors may accept records and documents as genuine unless something comes to their attention to indicate that they might not be. In that case, the auditor should investigate further (AU-C 240.13).
•
The new standard imposes a new requirement to also investigate responses from management or those charged with governance that are inconsistent, vague, implausible, or otherwise unsatisfactory (AU-C 240.14). Although this might have been implied in the previous standards, it is now explicit.
22
Fraud, continued Requirements • The brainstorming discussion (how and where the financial statements might be misstated due to fraud , including how a fraud can be perpetrated and concealed) should involve “key members of the engagement team, including the engagement partner” and should ignore beliefs about the honesty and integrity of the client. Communication of fraud issues is not limited to the meeting, it should continue throughout the engagement, particularly when new risks are identified. The brainstorming meeting should address: • Internal or external factors that might create an incentive or opportunity for fraud. • The risk of management override of controls. • Circumstances, such as earnings management, that might indicate manipulation of financial statement amounts and how manipulation might be accomplished (this is a new requirement). • The importance of maintaining professional skepticism throughout the engagement. • Possible responses to fraud risks (AU-C 240.15). 23
Fraud, continued Requirements • The auditor should make inquiries of the following parties (and others within the entity as appropriate: • Management. The auditor should inquire about: • Management's process for identifying material fraud risks and its assessment and identification of those risks. • Communications about fraud risks to those charged with governance. • Communications with employees about ethical behavior. • Knowledge of any actual, alleged, or suspected fraud (this inquiry should extend beyond management) (AU-C 240.18-.19). • Internal auditors. The auditor should inquire about— • Their views about risks of fraud. • Knowledge or suspicions of fraud. • Procedures done during the year to detect fraud. • Management's responses to procedures to detect fraud (AU-C 240.19).
24
Fraud, continued Requirements • Those charged with governance. When those charged with governance are not all also members of management, the auditor should inquire about— • How they exercise oversight over the process for mitigating fraud risk. • Their views of the risk of fraud. • Knowledge of actual, suspected, or alleged fraud (AU-C 240.21-.22).
25
Fraud, continued Requirements • Considering unexpected relationships identified in preliminary analytical procedures, including procedures related to revenue (AU-C 240.22) and other information indicating risk of material fraud (AU-C 240.23). • Consider whether the events or conditions identified indicate pressure or incentive to perpetrate fraud, provide an opportunity to commit it, or indicate attitudes or rationalization to justify it (called fraud risk factors) (AU-C 240.24). Risk assessments continue throughout the audit. • Assessed risks of material misstatement due to fraud are considered significant risks and require the auditor to understand and assess the design and implementation of the related internal controls (AUC 240.27). • There is a rebuttable presumption that revenue recognition is a fraud risk and the auditor should evaluate the types of revenue, transactions, and assertions that give rise to such risks (AU-C 240.26). [The auditor can rebut this presumption; in that case, he or she has to document the reasons for that conclusion (AU-C 240.46).] • The auditor responds to fraud risks both at the financial statement level and the assertion level. –
At the financial statement level, the auditor evaluates whether the application of accounting policies is influenced by a desire to manage earnings or otherwise misstate the financial statements. The auditor's response to risks at this level involves assuring that the appropriate level of personnel has been assigned to the engagement and is appropriately supervised, and incorporating an element of unpredictability into the scope of the audit (AU-C 240.29).
26
Fraud, continued Requirements •
The auditor should address the risk of fraud resulting from management's override of internal controls. The auditor should: • Test the appropriateness of journal entries and other adjustments to the financial statements, including understanding the process for making them, assessing the related risks, and selecting adjustments made at the end of a reporting period for examination. The auditor should also inquire about inappropriate or unusual activity relating to the processing of journal entries or other adjustments. • Review estimates for bias by considering whether individually reasonable estimates taken together tend to bias the financial statements in a particular direction and by performing a retrospective review of subjective estimates made in the previous year. • Evaluate the business rationale for unusual transactions or those outside the normal course of business (AU-C 240.32).
27
Fraud, continued Requirements • At or near the end of the audit, the auditor should reevaluate the assessed risk of fraud based on the evidence accumulated during the audit, including analytical procedures related to revenue and any misstatements should be evaluated for indications of fraud. Because fraud is unlikely to be an isolated occurrence, even immaterial frauds might require a reassessment (AU-C 240.35-.37). •
The auditor might conclude that, because of an identified or suspected fraud, he or she might not be able to complete the audit. The auditor considers his or her responsibilities to report to those who engaged the auditor or regulatory authorities. If withdrawal is appropriate and possible under law or regulation, the auditor discusses the withdrawal and the reasons for it with the appropriate level of management and those charged with governance. The auditor should determine whether he or she also has to report this to the persons who engaged the auditor and regulatory authorities (AU-C 240.38).
•
If the auditor has obtained information that a fraud may exist, he or she should communicate it to an appropriate level of management as soon as practicable (AU-C 240.39) even if the matter is inconsequential (AU-C 240.A67).
28
Fraud, continued Requirements •
The auditor should communicate to those charged with governance any matters that are, in the auditor's judgment, relevant to their responsibilities (AU-C 240.41). Specifically, unless all those charged with governance are also members of management, the auditor should report on a timely basis identified or suspected fraud involving management or employees with significant roles in internal control, or whenever the fraud results in a material misstatement. If the auditor suspects fraud involving management, the auditor should communicate those suspicions and the scope of audit procedures necessary to complete the audit (AU-C 240.40). The requirement to communicate on a timely basis is new in AU-C 240; SAS No. 99 did not address the timing of the communication.
•
AU-C 240 notes that an auditor might have a legal responsibility to report actual or suspected fraud to those outside of the entity even though confidentiality standards may preclude doing so.
29
Fraud, continued Requirements •
The auditor's documentation should include: • The understanding of the entity and risks called for by AU-C 315.33 (see paragraph 302.33), including the significant decisions arrived at in the brainstorming session, how and when the session took place, and who participated, and the identified and assessed fraud risks at the financial statement and assertion levels (AU-C 240.43). The responses to assessed risks required by AU-C 315.30, including: • for fraud risk at the financial statement level, the overall responses, or •• for fraud risk at the assertion level: — the nature, timing, and extent of audit procedures and their linkage to the fraud risk, and — the results of audit procedures, including those related to management override of internal control (AU-C 240.44). • Communication about fraud to management, those charged with governance, regulators, and others (AU-C 240.45). • The reason for any conclusion that revenue recognition is not a fraud risk (AU-C 240.06).
30
Fraud, continued New Requirements •
AU-C 240.15. The brainstorming session now has to include consideration of circumstances indicating that the client might be managing earnings or intentionally misstating financial statements. While SAS No. 99 required the auditor to consider the risk of cooking the books, this specific consideration is new. • AU-C 240.35. The standard concludes that identified frauds are unlikely to be isolated occurrences and requires the auditor to act accordingly. • AU-C 240.38. As a result of an identified or suspected fraud, the auditor may find it necessary to question his or her ability to continue the audit. In that case, the auditor needs to: •• determine the professional and legal responsibilities applicable in the circumstances, including whether a requirement exists for the auditor to report to the person or persons who engaged the auditor or, in some cases, regulatory authorities; •• consider whether it is appropriate to withdraw from the engagement, when withdrawal is possible under applicable law or regulation; and •• if the auditor withdraws: — discuss with the appropriate level of management and those charged with governance the auditor's withdrawal from the engagement and the reasons for the withdrawal, and — determine whether a professional or legal requirement exists to report to the person or persons who engaged the auditor or, in some cases, to regulatory authorities, the auditor's withdrawal from the engagement and the reasons for the withdrawal.
31
Fraud, continued New Requirements • AU-C 240.39. The reporting of fraud to the appropriate level of management needs to be done as soon as practicable. SAS No. 99 did not specify a time frame. • AU-C 240.40. The communication of identified or suspected frauds to those charged with governance now has to be done on a timely basis. In addition, the communication should include frauds involving employees with significant roles in internal control. However, separate communications are not necessary when all those charged with governance are also involved in management. • AU-C 240.41. The auditor has a specific requirement to communicate to those charged with governance any fraud-related matters the auditor believes relevant to their responsibilities. • AU-C 240.42. The standard recognizes that legal or regulatory requirements might require the auditor to violate professional standards regarding client confidentiality.
32
Laws and Regulations Objectives The auditor's objectives are to: • Obtain sufficient appropriate evidence regarding financial statement items determined on the basis of laws and regulations. • Perform the procedures specified by the standard that might identify noncompliance with laws and regulations that do not have a direct effect but might nonetheless have a material effect on the financial statements. • Respond as specified to identified or suspected noncompliance with laws and regulations (AU-C 250.10).
33
Laws and Regulations, continued Requirements • AU-C315.12 requires the auditor to obtain an understanding of the entity and its environment. AU-C 250 requires the auditor to also understand the legal and regulatory framework relevant to the entity and how the entity complies with that framework. This may be done through inquiries of the client and reliance on the auditor's knowledge (AU-C 250.A8). •
The auditor has to obtain sufficient appropriate evidence regarding amounts and disclosures determined based on laws and regulations having a direct effect on the financial statements. These provisions include tax laws, pension rules, and regulations that specify amounts of revenues to be recognized under government contracts (AU-C 250.13).
34
Laws and Regulations, continued Requirements • For laws and regulations that do not have a direct effect on the financial statements, the auditor should: •
Perform the following procedures that might identify noncompliance that might have a material effect on the financial statements: • Inquire of management and, when appropriate, those charged with governance about the entity's compliance (AU-C 250.14). • Inspect correspondence, if any, with relevant licensing or regulatory authorities. The selection of correspondence to inspect is a matter of professional judgment; the standard does not require that all such correspondence be examined (AU-C 250.14 and 250.A16). • Remain alert to the possibility that procedures applied during other aspects of the audit might indicate actual or suspected noncompliance that could be material (AU-C 250.15).
•
Obtain written representations from management regarding noncompliance. Written representations are required by AU-C 580.13, but do not substitute for the other procedures required here (AU-C 250.16).
35
Laws and Regulations, continued Requirements • Identified or suspected noncompliance requires the auditor to understand the nature of the act and the surrounding circumstances and to obtain information to evaluate its possible financial statement effects. This applies to both direct- and indirect-effect laws and regulations. •
Suspected noncompliance should be discussed with management at a level above those suspected of the noncompliance (if possible) and, when appropriate, those charged with governance. The standard provides no additional criteria for determining if communication with those charged with governance is appropriate (AU-C 250.18).
•
The standard requires the following communications with those charged with governance: Suspected noncompliance, except clearly inconsequential items. If the auditor has already communicated the items to those charged with governance in their roles as part of management, the auditor need not repeat the communication (AU-C 250.21). Intentional and material noncompliance, which should be communicated as soon as practicable (AU-C 250.22). Matters involving management or those charged with governance, which should be communicated to the next higher level of authority, if there is one. The auditor should consider getting legal advice if there is no higher level of authority or if he or she believes the communication will not be acted on (AU-C 250.23).
36
Laws and Regulations, continued Requirements •
If management or those charged with governance do not provide information to persuade the auditor that the entity is in compliance and the effect on the financial statements may be material, the auditor should consider getting legal advice from the entity's or auditor's attorneys (AU-C 250.18).
•
A lack of information about suspected noncompliance may indicate the auditor does not have enough evidence to support an audit opinion (AU-C 250.19).
•
The implications of noncompliance on other aspects of the audit (for example, risk assessments and reliability of client representations) should be considered (AU-C 250.20).
37
Laws and Regulations, continued Requirements •
The audit documentation should include: • A description of identified or suspected noncompliance with laws or regulations, which may include copies of records or documents. • Results of discussions, such as minutes, with management, those charged with governance, or others (AU-C 250.28).
•
The auditor should determine whether he or she has a responsibility to report the suspected noncompliance to parties outside the entity (AU-C 250.27). The standard suggests the auditor might be asked to respond to inquiries from a successor auditor or a court order, or in compliance with requirements for entities that receive government financial assistance (AU-C 250.A28).
38
Laws and Regulations, continued New Requirements • AU-C 250.12. The auditor has to understand how the entity complies with the legal and regulatory framework to which it is subject. The auditor was already required to understand the framework itself in AU 314.21, but not how the entity complies with it. • AU-C 250.14. The auditor has to inquire about compliance specifically with those charged with governance (SAS No. 54 required only communication with the client) and inspect correspondence with regulatory authorities. • AU-C 250.21. The auditor is required to communicate noncompliance to those charged with governance, except when the matter is clearly inconsequential. AU 317.17 required only that those charged with governance be adequately informed, not that the auditor had to be the one informing them. • AU-C 250.22. The auditor is required to report noncompliance that is intentional and material as soon as practicable; there was no timeliness element in SAS No. 54. • AU-C 250.23. The suggestion to obtain legal advice when there is no authority above those involved in the noncompliance or when the auditor's communication will not be acted on is new. • AU-C 250.28. The standard now requires specific documentation of the identified noncompliance and discussions with the client and others.
39
Communication with Those Charged with Governance Objectives The auditor's objectives are to: • Communicate clearly to those charged with governance the auditor's responsibility and provide them with an overview of the planned scope and timing of the audit. • Obtain information relevant to the audit from those charged with governance. • Provide to those charged with governance timely observations arising from the audit that are significant and relevant to their responsibilities. • Promote effective two-way communication with those charged with governance (AU-C 260.05).
40
Communication with Those Charged with Governance ,continued Requirements The matters to be communicated are summarized as follows: • Responsibilities (AU-C 260.10) – Client and Auditors • Planned audit scope and timing (AU-C 260.11) • Significant findings (AU-C 260.12) Qualitative aspects of the entity's accounting practices Significant difficulties encountered in the audit Disagreements with management Other findings or issues Matters arising from the audit that were discussed with, or the subject of correspondence with, management (AU-C 260.14) • Misstatements Uncorrected misstatements (AU-C 260.13) Corrected misstatements (AU-C 260.14) • Consultations with other accountants (AU-C 260.14) • Written representations (AU-C 260.14) 41
Communication with Those Charged with Governance ,continued New Requirements •
AU-C 260.12a(i) requires a specific discussion (when applicable) of why an accounting practice adopted by the entity is not the most appropriate in the circumstances even though it is acceptable under the financial accounting framework.
42
Communicating Internal Control Deficiencies Objective The auditor's objective is to appropriately communicate significant deficiencies and material weaknesses that the audit identified as sufficiently important to merit the attention of management and those charged with governance (AU-C 265.06). Requirements • The auditor does not specifically look for internal control deficiencies, but considers those that are identified during the audit, for example, when evaluating internal control as part of risk assessment or in applying substantive procedures. If the auditor has identified control deficiencies, he or she evaluates each one to determine whether it, on its own on in combination with other deficiencies, constitutes a significant deficiency or material weakness (AU-C 265.09). •
The significance of a deficiency is a combination of the magnitude of misstatement that might result and the likelihood of a misstatement occurring as a result of the weakness. The standard does not require quantification of the probability of occurrence either as a specific percentage or range (AU-C 265.A9).
•
The following are indicators of material weaknesses: • Fraud, whether or not material, by senior management. • Restatement of previously-issued financial statements for correction of a misstatement. • Material misstatements that would not have been detected by the entity's internal control. • Ineffective oversight by those charged with governance (AU-C 265.A11). 43
Communicating Internal Control Deficiencies, continued Requirements • •
•
•
In concluding that a deficiency is not a material weakness, the auditor also has to consider whether a prudent official knowing the facts and circumstances would likely agree (AU-C 265.10). The requirement to report material weaknesses and significant deficiencies applies in all GAAS audits. However, if law or regulation requires additional items to be reported or different terms to be used, the auditor should comply with those requirements (AU-C 265.A12). The auditor should report significant deficiencies and material weaknesses identified during the audit to those charged with governance. The report: • Should be in writing (AU-C 265.11). • Should be made timely (AU-C 265.11). The written report should be made no later than 60 days (45 Days) after the report release date (AU-C 265.13), although it is best made by the report release date (AU-C 265.A16). The auditor may communicate the deficiencies orally if quick action is considered preferable, but the matters communicated have to be repeated in a written communication within the 60-day (45 Days)time period (AU-C 265.A17). The auditor should also communicate to an appropriate level of management, that is, at a level with authority to understand and take appropriate remedial action (AU-C 265.A21), the following— – • Significant deficiencies and material weaknesses that the auditor communicated to those charged with governance. This communication should be in writing and made no later than 60 (45)days after the report release date (AU-C 265.13). The appropriate level of management in this case is typically the CEO or CFO, but this communication should not be made to management if it would be inappropriate in the circumstances (for example, if it relates to a fraud perpetrated by the intended recipient) (AU-C 265.11 and 265.A21). – • Other deficiencies in internal control identified during the audit that are sufficiently important to warrant management's attention. This communication may be oral or in writing (if it is oral, the auditor should document the communication in the workpapers). These matters need not include deficiencies that have been communicated to management by other parties. The appropriate level of management here is typically operational management with direct involvement (AU-C 265.A21).
44
Communicating Internal Control Deficiencies, continued Requirements •
The written communication of significant deficiencies and material weaknesses should include (AU-C 265.14): –
The definition of the term material weakness and, when relevant, the definition of the term significant deficiency.
–
A description of the significant deficiencies and material weaknesses and an explanation of their potential effects. Unremediated deficiencies reported in prior years should be reported again until they are corrected either by repeating the description or referring to the previous communication and its date (AU-C 265.A20). The potential effects of matters communicated need not be quantified but might be described in terms of the types of misstatements that could result or control objectives not achieved (AU-C 265.A29).
–
Sufficient information to enable those charged with governance and management to understand the context of the communication. In particular, the auditor should include in the communication the following elements that explain that: •• The purpose of the audit was for the auditor to express an opinion on the financial statements. •• The audit included consideration of internal control over financial reporting in order to design audit procedures that are appropriate in the circumstances but not for the purpose of expressing an opinion on the effectiveness of internal control. •• The auditor is not expressing an opinion on the effectiveness of internal control. •• The auditor's consideration of internal control was not designed to identify all deficiencies in internal control that might be material weaknesses or significant deficiencies, and, therefore, material weaknesses or significant deficiencies may exist that were not identified.
45
Communicating Internal Control Deficiencies, continued Requirements •
The written communication of significant deficiencies and material weaknesses should include (AU-C 265.14): –
In connection with this discussion, the auditor might also choose to describe the inherent limitations of internal control, including the possibility of management override, and the specific nature and extent of the auditor's consideration of internal control during the audit (AU-C 265.A31).
–
An alert restricting the use of the communication to management, those charged with governance, others within the organization, the parties to the contract or agreement, and any governmental authority to which the auditor is required to report.
–
An alert restricting the use of the communication to management, those charged with governance, others within the organization, the parties to the contract or agreement, and any governmental authority to which the auditor is required to report.
46
Communicating Internal Control Deficiencies, continued New Requirements •
The clarified standards add the following requirements, which should be incorporated as necessary into the audit: • AU-C 265.12. The auditor is required to report significant deficiencies and material weaknesses to management in writing. And other deficiencies either orally or in writing. SAS No. 115 did not specifically mandate communication of other deficiencies to management, although it noted that the auditor may choose to communicate other deficiencies. • AU-C 265.14. The required communication now includes an explanation of the potential effects of the control weaknesses and an acknowledgment that there might be unidentified material weaknesses and significant deficiencies. • AU-C 265.15. The standard specifies the content of a no material weakness letter; the prior standard only illustrated
Requirement Deleted The following requirement previously contained in the predecessor standard has not been included in the clarified standard: AU 325.14. To consider the effectiveness of compensating controls in overcoming a weakness, the auditor was required to test the effectiveness of the compensating control. This requirement has been eliminated.
47
Planning Objective The auditor's objective is to plan the audit so that it will be performed effectively (AU-C 300.04). Audit planning involves establishing an overall audit strategy and developing an audit plan. Requirements • Planning the engagement should involve the engagement partner and key members of the engagement team. •
Planning is done throughout the engagement, HOWEVER the following preliminary audit activities have to occur at the beginning of the engagement, (AU-C 300.A8): • Continuance procedures required by AU-C 220 • Evaluation of compliance with ethics requirements • Establishing the terms of the engagement (AU-C 300.06).
48
Planning, continued Requirements •
AU-C 300 implies that some matters need to be considered before the auditor identifies and assesses risk. They include: • analytical procedures to be applied as risk assessment procedures, • the entity's legal and regulatory framework and how the entity complies with it, • determination of materiality, • the involvement of specialists, and • the application of other risk assessment procedures (AU-C 300.A2).
49
Planning, continued Requirements •
The auditor has to establish an overall audit strategy, which is the foundation for the scope, timing, and direction of the audit. It also guides the development of the audit plan (AU-C 300.07). To establish the strategy, the auditor: • identifies the engagement characteristics that define its scope, • determines the engagement's reporting objectives, • considers matters that are significant to directing the audit team, • considers the results of the preliminary audit activities, • considers the results of other engagements the engagement partner performed for the entity, and • determines the resources necessary for the engagement (AU-C 300.08).
50
Planning, continued Requirements •
The audit plan—often called the audit program—provides the details of the procedures to be applied in the engagement. The auditor should prepare an audit plan that indicates the nature and extent of the planned risk assessment procedures; the nature, timing, and extent of planned further audit procedures; and other procedures to be carried out to comply with GAAS (AU-C 300.09).
•
AU 300.A22 –
The documentation of the audit plan is a record of the planned nature, timing, and extent of risk assessment procedures and further audit procedures at the relevant assertion level in response to the assessed risks. It also serves as a record of the proper planning of the audit procedures that can be reviewed and approved prior to their performance. The auditor may use standard audit programs or audit completion checklists, tailored as needed to reflect the particular engagement circumstances.
51
Planning, continued Requirements •
The auditor should document: –
The overall audit strategy. The audit strategy document records the key decisions necessary to plan the audit and communicate significant issues to the engagement team (AU-C 300.A21). The documentation need not be complex, particularly on a small entity. It might consist of a brief memo prepared at the conclusion of the previous audit, updated based on discussions with the client (AU-C 300.A12).
–
The audit plan. The audit plan (often called the audit program) details planned risk assessment procedures and further audit procedures at the assertion level. Its development demonstrates planning the engagement (AU-C 300.A22).
–
Significant changes made during the engagement to the strategy or audit plan and the reason for the changes (AU-C 300.14).
52
Planning, continued New Requirements •
AU-C 300.05. The engagement partner has to be involved in the planning of the audit. Previous standards implied this but did not state it explicitly. The only partner-specific requirement in SAS No. 108 was participation in the discussion among the staff. • AU-C 300.11. The auditor has to plan the nature, timing, and extent of the supervision of the team and the review of its work. Planning the supervision and review was not explicit in the prior standard. • AU-C 300.13. The auditor has to document the audit strategy and the reasons for changes to the strategy or the audit plan.
53
Understanding the Entity and Assessing Risk Objective •
The auditor's objective is to understand the entity and its environment (including internal control) to identify and assess risks at the financial statement level and assertion level, in order to provide a basis to design responses to assessed risks of material misstatement and implement them (AU-C 315.03).
Requirements •
The auditor should apply risk assessment procedures to understand the entity and its environment in order to provide a basis for assessing the risks of material misstatement due to fraud or error at the financial statement level and assertion level. The required risk assessment procedures are: – – – –
Inquiries of management and others in the entity (AU-C 315.06). Analytical procedures (AU-C 315.06). Observation and inspection (AU-C 315.06 Consideration of any relevant information from the client acceptance and continuance process (AU-C 315.07).
• The engagement team should discuss (key members) the financial statements' susceptibility to material misstatement and the application of the financial reporting framework to the entity. • The auditor should consider the results of the assessment of fraud risk in assessing the risk of material misstatement (AU-C 315.09).
54
Understanding the Entity and Assessing Risk, continued Requirements The auditor should obtain an understanding of: • External matters, such as industry factors (for example, market conditions and technology affecting the entity's products or services) and regulatory issues (such as accounting principles and practices specific to the industry and relevant laws, regulations, and their enforcement) (AU-C 315.12). • The entity's operations and the structure of its ownership, governance, investments (including investments in special-purpose entities), and financing (AU-C 315.12). • Selection and application of accounting policies and the reasons for any changes to them. The auditor should evaluate the appropriateness of the policies and their consistency with those called for by the financial reporting framework and those used in the entity's industry (AU-C 315.12). • The entity's objectives and strategies and the business risks it faces (AU-C 315.12). The auditor is not responsible for considering all business risks encountered by the entity, only those that might result in a material misstatement (AU-C 315.A31). • Measurement and review of the entity's business performance, for example, the key performance measures the entity or outsiders use to assess the company's success or those the entity uses to motivate or compensate employees. These measures might highlight unexpected trends or results or help identify risks of misstatement (AU-C 315.12). If there are no such measures there might be an increased risk of material misstatements (AU-C 315.A41).
55
Understanding the Entity and Assessing Risk, continued Requirements Internal Control: •
The auditor has to understand internal controls relevant to the audit.
• Determination of which controls are relevant is a matter of professional judgment, they ordinarily deal with financial reporting (AU-C 315.13). •
In addition to understanding the controls, the auditor has to evaluate their design and determine whether they have been implemented.
•
Evaluating controls' design and determining their implementation does not mean the auditor has to test their effectiveness, but the auditor cannot rely on inquiry alone (AU-C 315.14). The auditor's procedures on internal control—even when controls are not tested—include inquiry, observation of the application of controls, inspection of documents and reports, and tracing transactions through the relevant information systems.
56
Understanding the Entity and Assessing Risk, continued Requirements Internal Control: •
The internal control model used in AU-C 315 is based on Internal Control—An Integrated Framework, developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
•
COSO identifies five components of internal control, which are discussed in the paragraphs that follow: – control environment, – risk assessment, – information and communication, – control activities, and – monitoring.
57
Understanding the Entity and Assessing Risk, continued Requirements Internal Control: Control environment- the attitudes, actions, and awareness of those charged with governance and management concerning internal control and its importance in the entity. •
•
The auditor obtains an understanding of the control environment to evaluate whether: •
the entity has created and maintained a culture of honesty and ethical behavior.
•
the strengths of the control environment collectively provide an appropriate foundation for the other components of internal control or whether, conversely, they undermine them (AU-C 315.15).
Smaller, less complex entities might have less formal control environments or ones with fewer people, but lack of size or formality does not necessarily render a control environment ineffective.
58
Understanding the Entity and Assessing Risk, continued Requirements Internal Control: •
Risk assessment - the entity's risk assessment process identifies, analyzes, and manages risks relevant to financial statement preparation and presentation. For example, it might address how the entity considers the possibility of unrecorded transactions or analyzes significant estimates. Changes to operations, personnel, accounting pronouncements, or economic conditions can affect the risk (AU-C 315.A81-82).
•
The auditor should understand whether the entity has a process for: – identifying business risks relevant to financial reporting objectives, – estimating the risks' significance, – assessing the likelihood of their occurrence, and – deciding on actions to address the risks (AU-C 315.16).
•
If the entity has not established a formal risk assessment process, the auditor should: – discuss with management whether relevant risks have been identified and how they have been addressed, and – evaluate whether the absence of a documented risk assessment process is appropriate in the circumstances [such as when management identifies risks through direct personal involvement (AU-C 315.A83)] or represents a significant deficiency or material weakness in internal control (AU-C 315.18).
59
Understanding the Entity and Assessing Risk, continued Requirements Internal Control: Information-component of internal control is made up of the procedures and records to: – – – – –
•
initiate, authorize, record, process, and report transactions; resolve incorrect processing; transfer information to the general ledger; capture other information relevant to financial reporting; and ensure information required to be disclosed under the financial reporting framework is accumulated, recorded, processed, summarized, and appropriately reported.
The auditor should understand the information system and the related business processes (that is, the development, production, and sale of the entity's products or services; compliance with laws and regulations; and recording related information in the entity's systems) related to financial reporting, including
60
Understanding the Entity and Assessing Risk, continued Requirements Internal Control: •
The auditor should understand the information system and the related business processes (that is, the development, production, and sale of the entity's products or services; compliance with laws and regulations; and recording related information in the entity's systems) related to financial reporting, including: – the significant classes of transactions in the entity's operations – the IT and manual procedures to initiate, authorize, record, process, correct as necessary, transfer to the general ledger, and report the transactions in the financial statements; – the related manual or electronic accounting records supporting information and specific accounts in the financial statements that are used to initiate, authorize, record, process, and report transactions, including the correction of mistakes and transferring information to the general ledger; – how the information system captures significant events and conditions other than transactions – the financial reporting process used to prepare the entity's financial statements, including significant accounting estimates and disclosures; and – controls surrounding journal entries, including nonstandard journal entries used to record nonrecurring, unusual transactions or adjustments (AU-C 315.19).
61
Understanding the Entity and Assessing Risk, continued Requirements Internal Control: •
•
Communication - refers to the roles and responsibilities related to financial reporting, including whether personnel comprehend how their activities relate to those of others and how exceptions are reported. The auditor needs to understand how the entity communicates reporting roles and responsibilities and significant matters related to financial reporting. This includes: – communications between management and those charged with governance, and – external communications, such as those with regulatory authorities (AU-C 315.20). Control activities - are the functions such as authorization, performance reviews, information processing, physical controls, and segregation of duties—that help ensure management's directives are carried out. The auditor has to understand those control activities necessary to assess the risk of material misstatement at the assertion level and design further audit procedures (AU-C 315.21). The extent of the understanding is a matter of auditor judgment, but the auditor should, at a minimum, understand: – the process of reconciling detailed records to the general ledger for material account balances (AU-C 315.21), – how the entity responds to IT risks (AU-C 315.22), and – control activities related to significant risks
62
Understanding the Entity and Assessing Risk, continued Requirements Internal Control: Monitoring - Management monitors the effectiveness of its controls through either ongoing activities, separate evaluations, or a combination of the two approaches. •
In a well-designed system, the client has some means of assessing the adequacy of control design and implementation and assessing whether or not controls continue to operate effectively.
•
The auditor should understand the major activities used to monitor internal control over financial reporting, including how the entity monitors any control activities the auditor judged relevant to the audit and how it responds to control deficiencies (AU-C 315.23). The auditor should understand the sources of information used in monitoring activities and how the entity considers their reliability (AU-C 315.25).
63
Understanding the Entity and Assessing Risk, continued Requirements •
Assessing Risks - Based on the understanding obtained, the auditor should identify and assess risks of material misstatement at both the financial statement level and relevant assertion level (AU-C 315.26)
•
The auditor determines the relevance of each assertion for every significant class of transactions, account balance, or disclosure. That is, the auditor determines the likely source of misstatements in each class, balance, and disclosure ( AU-C 315.A118).
•
Assertions about classes of transactions and events for the period under audit, such as the following: Occurrence. Transactions and events that have been recorded have occurred and pertain to the entity. Completeness. All transactions and events that should have been recorded have been recorded. Accuracy. Amounts and other data relating to recorded transactions and events have been recorded appropriately. Cutoff. Transactions and events have been recorded in the correct accounting period. Classification. Transactions and events have been recorded in the proper accounts.
64
Understanding the Entity and Assessing Risk, continued Requirements •
Assertions about account balances at the period end, such as the following: Existence. Assets, liabilities, and equity interests exist. Rights and obligations. The entity holds or controls the rights to assets, and liabilities are the obligations of the entity. Completeness. All assets, liabilities, and equity interests that should have been recorded have been recorded. Valuation and allocation. Assets, liabilities, and equity interests are included in the financial statements at appropriate amounts, and any resulting valuation or allocation adjustments are appropriately recorded.
•
Assertions about presentation and disclosure, such as the following: Occurrence and rights and obligations. Disclosed events, transactions, and other matters have occurred and pertain to the entity. Completeness. All disclosures that should have been included in the financial statements have been included. Classification and understandability. Financial information is appropriately presented and described, and disclosures are clearly expressed. Accuracy and valuation. Financial and other information is disclosed fairly and in appropriate amounts (AU-C 315.A114).
65
Understanding the Entity and Assessing Risk, continued Requirements •
•
The auditor is required to: – identify the risks throughout the process of obtaining the understanding. –
assess the identified risks and evaluate whether they relate to the financial statements overall or to individual assertions.
–
relate the identified risks to what could go wrong at the relevant assertion level; at this point the auditor may consider any mitigating controls.
–
consider the likelihood and potential magnitude of misstatements (AU-C 315.27).
Significant risks are risks of material misstatement that the auditor believes require special consideration (AU-C 315.04). In determining the significance of a risk, the auditor should consider whether: • it is a fraud risk. • it requires special attention because it is related to recent significant economic, accounting, or other developments. • it involves significant transactions with related parties. • its measurement involves a high degree of subjectivity or a wide range of measurement uncertainty. • it involves significant transactions outside the normal course of business or is otherwise unusual (AU-C 315.29).
66
Understanding the Entity and Assessing Risk, continued Requirements Documentation • The auditor should document: • the discussion among the engagement team including: • the significant decisions reached, • how and when the discussion occurred, and • who participated. •
key elements (that is, those on which the auditor based the assessment of risk of material misstatement) of the understanding of the entity and its environment and each of the internal control components. The documentation should include: • •
the sources of information for the understanding, and the risk assessment procedures applied.
•
risks of material misstatement identified and assessed at the: • financial statement level and • relevant assertion level.
•
risks identified and related controls regarding (a) significant risks and (b) situations in which controls have to be tested because sufficient evidence cannot be obtained through substantive procedures alone (AU-C 315.33).
67
Understanding the Entity and Assessing Risk, continued New Requirements •
AU 314.18-.19. The discussion among the audit team was required to specifically include critical issues and the need for skepticism. The concept of professional skepticism has not been removed; AU-C 200.17 requires the application of skepticism, but AU-C 315 does not require it to be explicitly discussed at the meeting.
•
AU 314.38. The auditor had to consider the reliability and precision of information used in performance measures.
•
AU 314.90. The auditor was required to understand reconciliation procedures for significant accounts; AUC 315.21 requires it only for material accounts.
68
Planning Materiality Objective •
The auditor's objective is to apply the concept of materiality appropriately in planning and performing the audit (AU-C 320.08).
Requirements • In performing an audit, the auditor should determine materiality for the financial statements taken as a whole (AU-C 320.10). •
If a misstatement too small to be material to the financial statements would affect the users' decisions because of its effect on one or more classes of transactions, account balances, or disclosures, the auditor should determine a lower materiality amount to be applied to tests of that class, balance, or disclosure (AU-C 320.10).
•
After determining materiality at the financial statement level, the auditor should determine performance materiality to assess the risks of material misstatement and determine the scope of further audit procedures (AU-C 320.11)
•
Performance materiality relates financial statement materiality to the tests at the transaction class, account balance, and disclosure level so that there is a low probability that uncorrected and undetected misstatements are material (AU-C 320.09). Performance materiality is less than financial statement materiality.
•
Performance materiality is what SAS No. 107 called tolerable misstatement—the maximum amount of misstatement in a population (for example, an account balance) that the auditor can accept. Before SAS No. 107, the term tolerable misstatement was used only in relation to audit sampling applications but SAS No. 107 expanded the term to include nonsampling applications. SAS No. 122 again reserves tolerable misstatement to sampling and devises a new term, performance materiality, for its counterpart in tests that do not involve sampling 69
Planning Materiality, continued Requirements •
The auditor should document: – – – –
materiality for the financial statements taken as a whole; lower materiality levels for particular classes of transactions, account balances, or disclosures when such lower amounts would be material to users; performance materiality; and revisions to materiality levels (AU-C 320.14)
New Requirements •
AU-C 320.12. The auditor should revise financial statement materiality during the audit in light of information that would have suggested a different amount if the auditor had the information when originally calculating materiality. This was implied in SAS No. 107, but is explicit here.
•
AU-C 320.14. The auditor has to document separate materiality levels for transaction classes, account balances, or disclosures when he or she determines that otherwise immaterial misstatements in them would affect the decisions of users.
70
Performing Further Audit Procedures and Evaluating Audit Results Objective •
The auditor's objective is to obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatements through designing and implementing appropriate responses to those risks (AU-C 330.03).
Requirements •
Financial Statement Level Response to Risk – Overall responses to risk
•
Responses to Risk at the Assertion Level – Substantive procedures and or Test of Controls - Should be responsive to the assessment of risks.
•
Substantive procedures - The auditor is required to apply substantive procedures to all relevant assertions related to each material class of transactions, account balance, and disclosure (AU-C 330.18). That is, they have to be applied to every assertion with a reasonable possibility of containing a material misstatement for every material account, class, or disclosure, regardless of controls.
71
Performing Further Audit Procedures and Evaluating Audit Results Requirements •
AU-C 330 provides specific requirements for the following circumstances: – External confirmations – Financial statement closing process – Significant risks – Tests done at an interim date
External confirmations: • The standard requires the auditor to consider using external confirmations (AU-C 330.19): – For accounts receivable, external confirmations are generally required (AU-C 330.20). In this context, accounts receivable consist of either the entity's claims against customers arising from the sale of goods and services in the normal course of business or a financial institution's loans. The auditor is required to confirm accounts receivable except when: • the overall account balance is immaterial, • external confirmation would be ineffective [that is, the auditor expects response rates to be inadequate or responses to be unreliable (AU-C 330.A56)], or • the auditor's assessed level of the risk of material misstatement for the relevant assertion is low and the other planned substantive procedures address that risk (AU-C 330.20). • Practitioner Question: Did they raise the bar on the need to confirm accounts receivable? –
Answer: SAS No. 67 did not contain an explicit requirement to confirm accounts receivable. The standard stopped just short of a requirement: it said that unless any of three conditions (the same ones as in AU-C 330.20) are present, there is a presumption that receivables would be confirmed. The auditor could overcome this presumption, but had to document how the presumption was overcome. Under the clarified standard, it is a requirement. If the auditor does not comply, he or she has to document how, in the absence of obtaining accounts receivable confirmations, the intent of the requirement was achieved. So, while the standard technically raises the bar, it is unlikely to cause much change in practice.
72
Performing Further Audit Procedures and Evaluating Audit Results Requirements Financial statement closing process • AU-C 330.21 requires the application of substantive procedures to the financial statement closing process. It provides two examples of such procedures: – agreeing or reconciling the financial statements with the underlying financial records, and – examining material journal entries and other adjustments made in preparing the financial statements. Significant risks • Significant risks are those risks that require special consideration. Substantive procedures should be specifically responsive to significant risks. If the auditor does not test controls related to a significant risk, the substantive procedures are required to include tests of details; they cannot consist solely of analytical procedures in that case (AU-C 330.22). Tests done at an interim date •
When applying substantive procedures at an interim date, the auditor needs to have a reasonable basis to extend the audit conclusions to the balance sheet date. This can be done by applying additional substantive procedures to the remaining period or using a combination of substantive procedures and tests of controls for the period (AU-C 330.23).
•
When interim tests identify unexpected types of misstatements, the auditor should evaluate the need to modify the risk assessment and the planned scope of substantive procedures covering the remaining period (AU-C 330.24).
73
Performing Further Audit Procedures and Evaluating Audit Results, continued Requirements Documentation -The auditor should document: • the overall responses to address the assessed risks of material misstatement at the financial statement level. • the nature, timing, and extent of further audit procedures applied. • the linkage of the further audit procedures to the assessed risks at the relevant assertion level. • the results of the audit procedures including, when not otherwise clear, the conclusions reached (AU-C 330.30). • the basis for any conclusions reached about relying on controls tested in a previous audit (AU-C 330.31). • any determination not to confirm accounts receivable when the account balance is material (AU-C 330.32). • that the financial statements agree with or reconcile to the underlying financial records (AU-C 330.33).
74
Performing Further Audit Procedures and Evaluating Audit Results, continued New Requirements •
AU-C 330.07. The auditor should obtain more persuasive evidence the higher the risk assessment.
•
AU-C 330.17. When tests of controls reveal deviations, the auditor should make specific inquiries to understand consequences of the deviations and determine whether there is a basis for reliance, whether additional tests are necessary, and whether the risk of material misstatement needs to be addressed through substantive procedures.
•
AU-C 330.20. Accounts receivable should be confirmed. This was only a presumption under SAS No. 67.
•
AU-C 330.22. If unexpected misstatements are found at an interim date, the auditor should determine whether the plan should be modified.
•
AU-C 330.23. The method of item selection should be effective to meet the purpose of the procedure.
75
Service Organizations Objective The user auditor's objectives are to: • Understand the nature and significance of the procedures applied by the service organization and their effect on the user entity's internal control to identify and assess the risks of material misstatement. • Design and perform audit procedures responsive to those risks (AU-C 402.07). Requirements •
As part of the required understanding of the user entity, the user auditor should understand how the user entity uses the service organization's services. This includes understanding: – – – –
The nature of the services provided and their effect on the user's internal control. The nature and materiality of the items processed by the service organization. The degree of interaction between the service organization and user entity. The nature of the relationship, including the contractual terms, between the two entities (AU-C 402.09).
76
Service Organizations, continued Requirements •
Before using the service auditor's type 1 or type 2 report to provide the required understanding of controls applied at the service organization, the user auditor should: –
– –
Evaluate whether the date or time period is appropriate for his or her purposes (AU-C 402.14). If the date or period is outside of the user entity's reporting period, the user auditor would need to supplement his or her understanding with information from other sources (AU-C 402.A24). Evaluate whether the evidence supplied by the report is sufficient and appropriate for the user auditor's understanding of relevant internal controls (AU-C 402.14). Understand any complementary controls at the user entity that the report identifies as relevant to the service auditor's report (AU-C 402.14). Complementary controls are those the service organization assumes the user organization will need to implement to achieve the specified control objectives (AU-C 402.08).
77
Service Organizations, continued Requirements The user auditor should determine whether the type 2 report provides sufficient evidence about control effectiveness to support the user auditor's risk assessment. The user auditor should:
•
–
Evaluate whether the period used in the report is appropriate for the user auditor's purposes.
–
Understand and test the effectiveness of any complementary controls at the user entity that the report identifies as necessary to achievement of controls relevant to the risk assessment.
–
Evaluate the adequacy of the period covered. The user auditor should evaluate whether the period covered by the service auditor's tests of controls and the period covered by the user entity's financial statements substantially overlap; if they do not, the user auditor might need additional evidence. If there is no overlap, the user auditor cannot rely on the service auditor's tests.
–
Evaluate the time elapsed since the controls were tested. The longer the time elapsed, the more likely relevant controls might have changed subsequent to the report.
–
Evaluate whether the tests of controls and their results are relevant to the user entity's financial statement assertions and whether they provide the evidence needed to support the user auditor's risk assessments (AU-C 402.17).
If there are control deviations at the service organization, the service auditor identifies them in the description of tests of controls and, if significant, in the opinion on operating effectiveness. The user auditor is responsible for determining the effect of those deviations on risk assessment at the user entity (AU-C 402.A39). 78
Service Organizations, continued Requirements •
The user auditor has a responsibility under AU-C 265 to report significant deficiencies and material weaknesses in internal control to those charged with governance of the user entity. The user auditor might report the following types of weaknesses specific to an audit involving a service organization: – – –
Controls needed at the user entity to monitor control effectiveness at the service organization. Necessary complementary controls at the user entity that have not been implemented. Missing or ineffective controls at the service organization (AU-C 402.A40).
79
Service Organizations, continued New Requirements • AU-C 402.03. The controls applied by a service organization regarding the user entity's journal entries are considered relevant to a user auditor; SAS No. 70 did not identify this aspect of processing as relevant. • AU-C 402.09. The user auditor is required to understand how the user entity uses the service organization. • AU-C 402.10-.12. These paragraphs specifically require evaluation of design and implementation of controls at the user entity related to the service organization, determination of whether the understanding of controls at the service organization is sufficient, and actions to obtain an additional understanding when necessary. These requirements were not explicit in SAS No. 70, although they could be inferred from SAS No. 108. That is, AU-C 402 updates existing guidance for concepts and terminology introduced in the risk-assessment standards. • AU-C 402.13. The auditor should be satisfied about the adequacy of standards underlying a service auditor's report when the report is not issued under SSAE No. 16. • AU-C 402.14. The standard creates new requirements for determining the adequacy of the report for understanding internal control at the service organization. • AU-C 402.15. The user auditor has to specifically consider whether records at the user entity will be sufficient; this was not explicit in SAS No. 70 but could be inferred from other sections of the literature. • AU-C 402.19. The user auditor should specifically inquire about fraud, noncompliance, and misstatements that might have been reported by the service organization and evaluate their effect on the scope of the audit
80
Evaluation of Misstatements Objective •
The auditor's objectives are to evaluate the effects of misstatements identified on the audit and any uncorrected misstatements on the financial statements (AU-C 450.04).
Requirements •
If the auditor identified misstatements during the audit, they should be accumulated, although this need not include misstatements that are clearly trivial (AU-C 450.05). Clearly trivial is substantially less than material. The standard does not indicate a cut-off but indicates that a clearly trivial misstatement is at least an order of magnitude lower than material (AU-C 450.A2), implying that it is in the range of no more than 10% of materiality. (PPC's Guide to Audits of Nonpublic Companies suggests 3%-5% of materiality.) If, because of qualitative issues, there is uncertainty about whether a potential misstatement is clearly trivial, it is not (AU-C 450.A2).
•
The auditor should document: – The amount below which misstatements would be considered clearly trivial. – All misstatements—whether or not corrected by the client—accumulated during the audit. – The auditor's conclusion about whether uncorrected misstatements are material individually and in the aggregate. – The basis for the auditor's conclusion about the materiality of uncorrected misstatements (AU-C 450.12).
81
Evaluation of Misstatements, concluded New Requirements • AU-C 450.07. The auditor is required to request that management correct all identified misstatements; AU 312.45 required that the auditor request correction of known misstatements and investigation of likely ones. • AU-C 450.08. The auditor has to apply procedures after management examines the misstated account balance or class of transactions; AU 312.08 left this to the auditor's discretion. • AU-C 450.10. The auditor needs to reassess materiality before analyzing the effect of uncorrected misstatements. •
AU-C 450.12. The auditor is required to document the amount considered to be “clearly trivial.”
82
Audit Evidence Objective •
The auditor's objective is to design and perform audit procedures to enable him or her to obtain sufficient appropriate audit evidence to support reasonable conclusions as the basis for the opinion (AU-C 500.04).
Requirements •
The auditor is required to obtain sufficient and appropriate audit evidence by designing and applying appropriate audit procedures to support the auditor's opinion (AU-C 500.06). Potential audit procedures to obtain evidence include:
•
– – – – – –
Inspection (examination of records or documents). Observation (looking at processes or procedures performed by others). External confirmation (obtaining evidence directly from third parties). Recalculation (checking the mathematical accuracy of documents or records). Reperformance (independent execution of internal controls originally applied by the client). Analytical procedures (evaluation of financial information through analysis of plausible relationships among data). Analytical procedures include scanning for unusual items. – Inquiry (seeking information of knowledgeable persons •
Evidence has to be both sufficient and appropriate. • Sufficient means there is enough of it • Appropriate means it is relevant to the assertion and reliable (AU-C 500.05) 83
Audit Evidence, continued Requirements •
•
•
•
Relevance - deals with whether it bears on the assertion in question, for example, testing the details of recorded transactions in an account balance typically provides little information about completeness (whether there are unrecorded transactions). Evidence should also be reliable. In general, information is more reliable if it is: – obtained from independent sources outside of the entity, – subject to effective internal control, – obtained directly by the auditor (as opposed to indirectly or by inference), – in documentary form (as opposed to obtained orally), and – provided by original documents (AU-C 500.A32). Sufficiency and appropriateness are measured in comparison to the risk of material misstatement: generally the higher the risk, the greater the need for one or both attributes.
Management Specialist • If the auditor uses information provided by a management's specialist, the auditor should: – Evaluate the specialist's competence, capabilities, and objectivity – Obtain an understanding of the specialist's work. – Evaluate the appropriateness of the specialist's work for the assertion in question (AU-C 500.08).
84
Audit Evidence, continued Requirements •
Management Specialist • The Competence, Capabilities, and Objectivity of a Management's Specialist: (as suggested in the application guidance): – Information regarding the competence, capabilities, and objectivity of a management's specialist may come from a variety of sources, such as the following: • Personal experience with previous work of that specialist • Discussions with that specialist • Discussions with others who are familiar with that specialist's work • Knowledge of that specialist's qualifications, membership in a professional body or industry association, license to practice, or other forms of external recognition • Published papers or books written by that specialist • An auditor's specialist, if any, that assists the auditor in obtaining sufficient appropriate audit evidence with respect to information produced by the management's specialist •
Matters relevant to evaluating the competence, capabilities, and objectivity of a management's specialist include whether that specialist's work is subject to technical performance standards or other professional or industry requirements, for example, ethical standards and other membership requirements of a professional body or industry association, accreditation standards of a licensing body, or requirements imposed by law or regulation
85
Audit Evidence, continued Requirements •
Management Specialist
•
The Competence, Capabilities, and Objectivity of a Management's Specialist (as suggested in the application guidance): : – Other matters that may be relevant include: • the relevance of the capabilities and competence of the management's specialist to the matter for which that specialist's work will be used, including any areas of specialty within that specialist's field. For example, a particular actuary may specialize in property and casualty insurance but have limited expertise regarding pension calculations. • the competence of the management's specialist with respect to relevant accounting requirements, for example, knowledge of assumptions and methods, including models, when applicable, that are consistent with the applicable financial reporting framework. • whether unexpected events, changes in conditions, or the audit evidence obtained from the results of audit procedures indicate that it may be necessary to reconsider the initial evaluation of the competence, capabilities, and objectivity of the management's specialist as the audit progresses.
86
Audit Evidence, continued Requirements •
Management Specialist
•
Obtaining an Understanding of the Work of the Management's Specialist (as suggested in the application guidance): – Aspects of the field of the management's specialist relevant to the auditor's understanding may include: • whether that specialist's field has areas of specialty within it that are relevant to the audit. • whether any professional or other standards and regulatory or legal requirements apply. • what assumptions and methods are used by the management's specialist and whether they are generally accepted within that specialist's field and appropriate for financial reporting purposes. • the nature of internal and external data or information the management's specialist uses. –
In the case of a management's specialist engaged by the entity, there will ordinarily be an engagement letter or other written form of agreement between the entity and that specialist. Evaluating that agreement when obtaining an understanding of the work of the management's specialist may assist the auditor in determining for the auditor's purposes the appropriateness of : • the nature, scope, and objectives of that specialist's work; • the respective roles and responsibilities of management and that specialist; and • the nature, timing, and extent of communication between management and that specialist, including the form of any report to be provided by that specialist.
87
Audit Evidence, continued Requirements • •
Management Specialist Evaluating the Appropriateness of the Work of the Management's Specialist (as suggested in the application guidance): • Considerations when evaluating the appropriateness of the work of the management's specialist as audit evidence for the relevant assertion may include (as suggested in the application guidance): • the relevance and reasonableness of that specialist's findings or conclusions, their consistency with other audit evidence, and whether they have been appropriately reflected in the financial statements; • if that specialist's work involves use of significant assumptions and methods, the relevance and reasonableness of those assumptions and methods; and • if that specialist's work involves significant use of source data, the relevance, completeness, and accuracy of that source data.
88
Evidence for Specific Items Objective The auditor's objective is to obtain sufficient appropriate audit evidence regarding each of the relevant assertions. Requirements • Inventory - The clarified standard still calls for observation of physical inventories, but is less strict about the timing of the observation and ramifications of failure to observe them. On the other hand, it establishes additional requirements about the procedures to be applied in observing inventories •
Physical inventory – The auditor should attend the physical count of material inventories unless it is impractical to do so (AU-C 501.11) (In this context, impractical does not mean merely inconvenient (AU‐C 501.A34).) – If attendance is impractical (for example, the inventory count is in a physically dangerous location), the auditor should apply alternative procedures to obtain evidence about the existence and condition of inventory. Failing that, the auditor should modify the opinion (AU-C 501.14). – If the auditor is unable to attend the physical inventory because of unforeseen circumstances, rather than impracticality, the auditor should observe, or make, counts at a different date and apply procedures to the intervening transactions (AU-C 501.13).
89
Evidence for Specific Items, continued Requirements • Physical inventory – When attending the physical count, the auditor should: • evaluate management's count instructions, • observe the performance of the count procedures, • inspect the inventory, and • perform test counts (AU-C 501.11). – –
–
After count attendance, the auditor should perform audit procedures on the final inventory records to determine they accurately reflect the count (AU-C 501.11). The physical inventory can be conducted at a date other than the balance sheet date. In that case, the auditor should also obtain evidence about whether changes between the count date and balance sheet date are recorded properly (AUC 501.12). AU 331 implied that taking physical inventories as of a date other than the balance sheet date (or within a reasonable time period of the balance sheet date) required a perpetual inventory system. Under SAS No. 122 (AU-C 501.A31), this alternative does not depend on the existence of a perpetual inventory system.
90
Evidence for Specific Items, continued Requirements •
Litigation, Claims, and Assessments • The auditor has to apply procedures to identify litigation, claims, and assessments that might result in a material misstatement. At a minimum, the auditor should (AU-C 501.16): • inquire of entity management (including in-house legal counsel); • obtain a description of litigation, claims, and assessments through year-end to the date the description is furnished; • review relevant minutes, documents, and correspondence regarding litigation, claims, and assessments; and • review legal expenses •
For actual or potential litigation, claims, and assessments, the auditor has to obtain evidence regarding the period in which the event occurred, the probability of an unfavorable outcome, and the potential loss (AU-C 501.17).
•
If the procedures applied in AU-C 501.16 identify any actual or potential litigation, claims, or assessments that could result in a material misstatement, the auditor should seek direct communication with the entity's outside legal counsel (AU-C 501.18) and, when it has responsibility for such matters, in-house legal counsel (AU-C 501.19).
•
Correspondence with in-house counsel is done in addition to correspondence with outside counsel; it cannot replace it (AU-C 501.19). The auditor should request the client to authorize counsel to discuss the matters with him or her (AU-C 501.21). 91
Evidence for Specific Items, continued Requirements •
Litigation, Claims, and Assessments • SAS No. 12 did not distinguish between situations in which potential or actual legal issues were identified and those when they were not. In both situations, the auditor was required to get confirmation from legal counsel. Under AU-C 501, the auditor need not do so if, after applying the procedures in AU-C 501.16, no issues have been identified (AU-C 501.18). •
Before SAS No. 122, if the client paid an attorney or consulted on any potential litigation, even if no losses were expected, the auditor generally sent an attorney letter. Under the clarified standard, if there are no claims, litigation, or assessments that could give rise to the risk of material misstatement, no letter needs to be sent. Assume, for example, management says that early in the year, just to be on the safe side, it asked its attorney about a possible exposure, although it had no real worry. If the attorney said there was no risk and the client believes there is none, the auditor might decide no communication is required.
•
AU-C 501.20 calls for the auditor to document the basis for any decision not to seek direct communication with counsel when communication is required under this standard. The standard intends that any decision not to correspond with counsel—even when no items were identified in the identification procedures in AU-C 501.16—should be documented.
•
If there are items for which communication is required, the need to send an attorney letter is a presumptively mandatory requirement. An auditor who does not send the letter in that case must document the justification for not sending it and a description of how the intent of the requirement was achieved through other means. 92
Evidence for Specific Items, continued Requirements •
Litigation, Claims, and Assessments • The auditor should modify the audit opinion if: – The entity's legal counsel refuses to respond appropriately to the audit inquiry and the auditor cannot obtain necessary evidence through alternative procedures. The ability to rely on alternative procedures here is new; SAS No. 12 did not recognize this possibility. – Management refuses to allow the auditor to communicate or meet with outside counsel (AU-C 501.24).
•
The inquiry letter to the client's outside or in-house counsel should include: a. Identification of the entity, including subsidiaries, and the date of the audit. b. A list prepared by management (or a request by management that the legal counsel prepare a list) that describes and evaluates pending or threatened litigation, claims, and assessments with respect to which the legal counsel has been engaged and to which the legal counsel has devoted substantive attention on behalf of the company in the form of legal consultation or representation. c. A list prepared by management that describes and evaluates unasserted claims and assessments that management considers to be probable of assertion and that, if asserted, would have at least a reasonable possibility of an unfavorable outcome with respect to which the legal counsel has been engaged and to which the legal counsel has devoted substantive attention on behalf of the entity in the form of legal consultation or representation. 93
Evidence for Specific Items, continued Requirements •
The inquiry letter to the client's outside or in-house counsel should include: d. Regarding each matter listed in item b, a request that the legal counsel either provide the following information or comment on those matters on which the legal counsel's views may differ from those stated by management, as appropriate: (1) A description of the nature of the matter, the progress of the case to date, and the action that the entity intends to take (for example, to contest the matter vigorously or to seek an out-ofcourt settlement). (2) An evaluation of the likelihood of an unfavorable outcome and an estimate, if one can be made, of the amount or range of potential loss. (3) With respect to a list prepared by management (or by the legal counsel at management's request), an identification of the omission of any pending or threatened litigation, claims, and assessments or a statement that the list of such matters is complete. e. Regarding each matter listed in item c, a request that the legal counsel comment on those matters on which the legal counsel's views concerning the description or evaluation of the matter may differ from those stated by management.
94
Evidence for Specific Items, continued Requirements •
The inquiry letter to the client's outside or in-house counsel should include: f. A statement that management understands that whenever, in the course of performing legal services for the entity with respect to a matter recognized to involve an unasserted possible claim or assessment that may call for financial statement disclosure, the legal counsel has formed a professional conclusion that the entity should disclose or consider disclosure concerning such possible claim or assessment, the legal counsel, as a matter of professional responsibility to the entity, will so advise the entity and will consult with the entity concerning the question of such disclosure and the requirements of the applicable financial reporting framework (for example, the requirements of Financial Accounting Standards Board [FASB] Accounting Standards Codification [ASC] 450, Contingencies). g. A request that the legal counsel confirm whether the understanding described in item f is correct. h. A request that the legal counsel specifically identify the nature of, and reasons for, any limitation on the response. i. A request that the legal counsel specify the effective date of the response (AU-C 501.22).
95
Evidence for Specific Items, continued New Requirements •
The clarified standards add the following requirements. : • AU-C 501.11 requires four specific procedures regarding the physical inventory count. • AU-C 501.19 requires the auditor to send an inquiry letter to in-house counsel, in addition to outside counsel, when it is responsible for litigation, claims, and assessments. • AU-C 501.20 requires documentation when there is outside counsel and the auditor does not send an attorney letter. • AU-C 501.21 requires the auditor to ask the client to authorize legal counsel to discuss applicable matters with him or her. • AU-C 501.22i calls for the inquiry letter to ask for the date of the attorney's review. • AU-C 501.24 says the auditor should modify the opinion when management refuses to allow the auditor to communicate or meet with outside counsel.
96
External Confirmations Objective •
The auditor's objective when using external confirmations is to design and perform the procedure to obtain relevant and reliable audit evidence
Requirements •
•
The auditor who uses external confirmations should maintain control over the confirmation requests. The auditor should: • Determine the information to be confirmed or requested such as balances, transactions, or terms of contracts or agreements. • Select the party to confirm the information, which should be someone the auditor believes to be knowledgeable about the matter to be confirmed. • Design the confirmation request. This involves determining that the request is directed to the appropriate party and directing that the response go directly to the auditor. • Send the requests and any follow-up requests to the confirming party (AU-C 505.07). Management might refuse the auditor's request to externally confirm certain information. If so, the auditor needs to ask about management's reason for the refusal and then seek evidence about the reason's validity and reasonableness (AU-C 505.06). – For example, management might be reluctant to allow the auditor to confirm an amount that is the subject of a legal dispute or ongoing negotiations (AU-C 505.A9). If management's refusal is unreasonable, the auditor should communicate with those charged with governance and consider the effect on the audit opinion (AU-C 505.07). – Alternative procedures ‐ if such procedures are insufficient to provide the needed audit evidence, the auditor should communicate with those charged with governance and consider the effect on the auditor's report (AU‐C 505.07). 97
External Confirmations, continued Requirements
•
•
The auditor should obtain additional evidence if there are doubts about the reliability of the confirmation response.
•
Electronic confirmations present different issues than paper confirmations. The application guidance in the standard provides the following observations about electronic confirmations: • The auditor may use a third party who provides access to the confirming party's information. • If access codes to the confirming party's information are provided by management (as opposed to a third party), the procedure is not considered an external confirmation (AU-C 505.A1). • It may be necessary to apply procedures to verify management-supplied email addresses of respondents (AU-C 505.A7). • The electronic process used to receive responses might not be secure or might be improperly controlled, affecting the reliability of the confirmation (AU-C 505.A13). • It might be difficult to determine whether responses received via email or fax actually came from the parties purporting to send them or whether the data in them has been altered. It might be appropriate to use a system that validates the respondent or contact the respondent directly (AU-C 505.A14). • The auditor may rely on a system that creates a secure confirmation environment that mitigates the risk of interception or alteration if he or she is satisfied that it is secure and properly controlled (AU-C 505.A15). Language, such as a statement that it might be incomplete or that it should not be relied on, does raise reliability questions and needs to be followed up (AU-C 505.A20).
98
External Confirmations, continued Requirements •
The auditor should apply alternative procedures (such as examination of subsequent settlement) for each confirmation request that does not produce a response (AU-C 505.12). However, in this context: – Although not explicit, this guidance would not appear relevant to negative confirmations. – It might not be necessary to apply alternative procedures if (a) considering the nonresponses to indicate complete disagreement would not affect the auditor's conclusion about whether the financial statements are materially misstated (if the procedure is a sampling application, the unconfirmed amount would have to be projected to the population and aggregated with other uncorrected misstatements uncovered during the audit) and (b) there are no unusual characteristics common to the nonresponses (AU-C 505.A26). – Alternative procedures will be insufficient if the auditor has determined that a written response to a positive confirmation request is necessary in the circumstances (AU-C 505.13).
• •
The auditor is required to investigate exceptions to determine whether they indicate misstatements (AU-C 505.14). AU-C 240.35 requires the auditor to consider whether exceptions suggest fraud. Unlike the case of a nonresponse, the clarified standard does not permit the auditor to merely consider a small exception to be a misstatement; it requires investigation. It does not specify the extent of the investigation, though it should be sufficient to evaluate whether it is indicative of fraud.
99
External Confirmations, continued Requirements • Negative confirmations are those in which the confirming party responds only in the case of disagreement. The auditor may use negative confirmations as the sole substantive procedure for an assertion only if: a. risk of material misstatement in that assertion is assessed as low based on tests of controls, b. the population consists of a large number of small, homogeneous items, c. a very low exception rate is expected, and d. the auditor has no reason to believe recipients would disregard the requests (AU-C 505.15). •
AU-C 505 has expanded the use of negative confirmations. SAS No. 67 prohibited their use as audit evidence to reduce audit risk unless three conditions were met: the risk of material misstatement was low, the population consisted of a large number of small items (they did not have to be homogeneous), and the auditor had no reason to believe recipients would disregard them. Under the new standard, they can always be used to provide audit evidence in combination with other procedures, and can even be the sole substantive procedure for an assertion if the above conditions are met.
•
Practical question - How do I consider the audit evidence from negative confirmations? – An auditor does not know if nonresponses mean the confirming party agreed with the balance, found a discrepancy but chose not to respond because it was in his or her favor, or merely disregarded it. Accordingly, negative confirmations ordinarily do not lend themselves to sampling applications. They can be effective in some situations. For example, third parties are much more likely to identify misstatements that would harm them than those that would benefit them. Typically, negative confirmations are more effective in suggesting a problem (a large number of undeliverable requests or amounts in disagreement suggest a problem) than quantifying one or determining that one does not exist. 100
External Confirmations, continued New Requirements •
AU-C 505.08. The auditor is required to inquire about the reasons for management's refusal to allow certain matters to be confirmed and evaluate their implications on the risk of material misstatement and scope of testing.
•
AU-C 505.09. If management's refusal to allow confirmations is unreasonable, the auditor should communicate with those charged with governance [this was implicit in SAS No. 114 (AU 380.39) but is explicit here].
•
AU-C 505.10. The auditor should obtain additional evidence if there are doubts about the reliability of responses.
•
AU-C 505.11. The auditor has to evaluate the implications of unreliable responses on the risk of material misstatement and on the scope of procedures.
•
AU-C 505.14. The auditor is required to investigate exceptions to determine whether they indicate misstatements; AU 330.33 required only that they be considered.
101
Opening Balances Objective •
The auditor's objective is to obtain evidence about opening balances that materially affect the financial statements and consistency of the application of accounting policies during the current year with those of the previous period (AU-C 510.04).
Requirements • The auditor should understand the prior-period financial statements. He or she should read them and any auditor's report on them for information relevant to balances and consistency of accounting principles (AU-C 510.06). •
If the financial statements were audited, the auditor should request that management allow the predecessor to provide access to its workpapers (AU-C 510.07). [AU-C 210.11 ) requires the successor to request that management authorize the predecessor to respond fully to the auditor's inquiries.]
•
The requirements related to predecessor auditors do not apply if the date of the most recently audited financial statements is more than one year before the beginning of the earliest period to be audited (AU-C 510.02). This is different than AU 315.02 (footnote 1), which indicated the standard did not apply if the prior audited financial statements were dated more than two years before the beginning of the period.
•
The auditor should evaluate the ramifications on audit risk if the predecessor modified the opinion on the prior-year financial statements (AU-C 510.11).
102
Opening Balances, continued Requirements •
Access to the predecessor auditor and his or her audit documentation is the primary method that the auditor uses to obtain evidence about opening balances. – The predecessor may request written confirmation of the successor's use of the workpapers and may determine what level of access to permit. – If access is denied or too limited to provide the evidence necessary on opening balances, the successor will have to obtain the evidence through other means, such as audit tests, or will have to modify the opinion (AU-C 500.08c). – If the auditor is denied access to the predecessor's workpapers, he or she has to directly obtain sufficient evidence on opening balances; reliance on the prior year audit report is insufficient
•
The auditor should: – Determine that opening balances represent the closing balances at the end of the prior period (or have been appropriately restated). – Determine that opening balances are based on appropriate accounting principles. – Evaluate whether sufficient evidence about opening balances has been obtained. When applying procedures to current year balances, the auditor should either— •• review the predecessor auditor's audit documentation regarding those balances, or •• perform audit procedures on them (AU-C 510.08).
103
Opening Balances, continued Requirements •
Practitioner Question: Does reviewing the predecessor's workpapers provide sufficient evidence about the opening balances? Answer: No. The auditor has to obtain evidence about the opening balances. Some, but not all, of this evidence typically comes from the review of the predecessor's audit documentation. But the auditor has to obtain some evidence directly. This evidence might come from testing the opening balances or by inference. For example, evidence about opening accounts receivable and payable may come from the ultimate settlement of those items.
•
The auditor might discover information leading him or her to believe the financial statements audited by a predecessor are materially misstated. In that case, the auditor should: – – –
•
Request management to inform the predecessor and arrange for the three parties to discuss the information. Communicate information to the predecessor that the latter needs to consider (AU-C 510.12). If management refuses to comply or the auditor is not satisfied with how the matter is resolved, evaluate any implications on the current engagement and whether to withdraw or disclaim an opinion (AU-C 510.13).
The auditor has to have sufficient evidence regarding opening balances. If not, the opinion needs to be modified for a scope limitation (AU-C 510.15).
104
Opening Balances, continued New Requirements •
AU-C 510.06. The auditor is explicitly required to read the prior year financial statements and auditor's report.
•
AU-C 510.08. Although the auditor was required to obtain evidence about opening balances under SAS No. 84, it did not require the specific procedures in this paragraph.
•
AU-C 510.09-.10. The requirements regarding misstatements and consistency issues in opening balances were not explicit in SAS No. 84, but they were required elsewhere in auditing standards.
•
AU-C 510.11. The auditor has to evaluate the effect of a modification of the predecessor auditor's report in considering the report for the current year.
105
Analytical Procedures Objective •
The auditor has two objectives: •
For substantive analytical procedures: obtain relevant and reliable evidence. • For the overall review: design and apply analytical procedures to assist in forming an overall conclusion about whether the financial statements are consistent with the auditor's understanding of the entity (AU-C 520.03).
Requirements •
Substantive Procedures -The auditor's decision to use analytical procedures as substantive procedures is a matter of professional judgment. The auditor might choose to use them for certain assertions and not others, or use them alone or in some combination with tests of details. Applying substantive analytical procedures is a five-step process. 1.
Determine the suitability of the procedure in light of the assertion, the risk of material misstatement, and any tests of details that will be applied (AU-C 520.05a). Substantive analytical procedures tend to be more effective: • In a stable environment. • When the expected relationship is predictable. • When applied to large volumes of transactions. • When the amount at issue is not subject to management discretion.
106
Analytical Procedures, continued Requirements 2 Evaluate the reliability of the data that the auditor will use to develop his or her expectation (AU-C 520.05b). This is influenced by the source of the information and how it is prepared, including the internal controls applied in its creation. 3 Develop an expectation about the amount that should have been recorded (or the ratio that should exist between the recorded amount and some other amount). The expectation should be sufficiently precise to allow the auditor to identify a misstatement that would be material (AU-C 520.05c). When the expectation is more precise, the range of expected differences between the auditor's expectation and the recorded amount tends to be smaller, allowing a better identification of potential material misstatements. 4 After determining the amount of difference between the expectation and the recorded amount the auditor can accept, compare the expectation and recorded amount (AU-C 520.05d). The difference the auditor can accept is a factor of materiality and the allowable level of risk for the procedure. 5 If the analytical procedure results in an unacceptable fluctuation from the auditor's expectation, the auditor should investigate the difference. The investigation should involve inquiry of management and obtaining appropriate evidence relevant to management's response. If management cannot provide an explanation or the explanation is inadequate, the auditor should apply other procedures to obtain the needed evidence (AU-C 520.07). •
Overall Review - The auditor is required to use analytical procedures near the end of the audit to form an overall conclusion about whether the financial statements are consistent with the auditor's understanding of the entity (AU-C 520.06). These procedures might be similar to those applied in planning the engagement. When the financial statement elements differ from what the auditor would expect based on the understanding of the entity, the auditor is required to investigate the differences, just as in the case of substantive analytical procedures (AU-C 520.07). 107
Analytical Procedures, continued Requirements •
Documentation – The auditor should document: • The expectations developed for substantive analytical procedures and the factors considered in their development, unless otherwise readily determinable from the documentation. • Results of the comparison of recorded amounts (or ratios) to the auditor's expectations for substantive analytical procedures. • Any additional audit procedures related to the investigation of differences from the auditor's expectation and their results for both substantive analytical procedures and those used in the overall review (AU-C 520.08).
New Requirement • AU-C 520.07. The standard explicitly requires the auditor to obtain evidence relevant to management's responses regarding unexpected differences in analytical procedures done in the overall review. AU 329.23 merely said additional evidence may be needed. In addition, the documentation required in AU-C 520.08 regarding the investigation exceeds the documentation in SAS No. 56, which required specific documentation only of substantive analytical procedures.
108
Estimates Objectives •
The auditor's objective is to obtain the necessary audit evidence regarding: • he reasonableness of accounting estimates, including fair values, that are recognized or disclosed in the financial statements, and • the adequacy of financial statement disclosures regarding estimates (AU-C 540.06).
Requirements •
All Estimates, Including Fair Values - As part of the understanding of the entity and its environment (see AU-C 315), the auditor should understand the financial reporting framework's requirements for measuring or disclosing estimates and how management identifies transactions, events, or conditions that create the need for estimates. The auditor should inquire about changes in circumstances that require new estimates or changes to existing ones (AU-C 540.08).
109
Estimates, continued Requirements •
When the understanding is necessary, it should include: – The methods, such as models, the entity used in making the estimate. – Relevant internal controls over estimate development. – Whether management has used a specialist in developing the estimate. – The assumptions underlying the estimate. – Whether the methods or assumptions used have changed since the prior period and, if so, why (or, if not, whether they should have). – Whether management has assessed the effect of estimation uncertainty (that is, the inherent lack of precision in measurement; see paragraph 407.8) and, if so, how the assessment was done (AU-C 540.08).
•
To identify and assess risks in the current period, the outcome or subsequent re-estimation of prior-period estimates should be reviewed (AU-C 540.09). procedure may be used to identify management bias and be done concurrently with the retrospective review required by AU-C 240.32 as part of the consideration of fraud risk (see paragraph 206.13), or may inform the auditor's judgment of management's track record. A difference between the estimate and ultimate outcome does not necessarily mean the financial statements were misstated or the auditor's conclusion was flawed; the estimate may have been appropriate based on the information available at the time.
110
Estimates, continued Requirements •
There are four approaches that the auditor may use to obtain evidence about whether the estimate is stated correctly. – Corroboration through subsequent events. – Testing management's calculation. – Reliance on internal control over the estimation process. – Developing an independent estimate (AU-C 540.13).
•
Testing management's calculation involves recalculating the estimate using management's approach and evaluating the reliability of the data used to derive it. The auditor should evaluate: – The appropriateness of the method used. – The reasonableness of the assumptions used. The assumptions should be consistent with current and expected conditions, the entity's experience, and other assumptions underlying the financial statements (AU-C 540.A81). The assumptions used might indicate high estimation uncertainty, which would suggest the estimate is a significant risk (AU-C 540.A80). When the assumptions are based on unobservable inputs in fair value estimates, the auditor might have to combine this approach with other audit procedures discussed in paragraph 407.10 (AU-C 540.A84). – The reliability of the data on which the estimate is based. AU-C 500.09 calls for obtaining audit evidence about the accuracy and completeness of these data and evaluating whether they are sufficiently precise for the purpose (AU-C 540.13b).
111
Estimates, continued Requirements Significant Risks - some accounting estimates are considered significant risks, which demand additional procedures. The auditor should, in addition to the other procedures described in AU-C 540, evaluate the following for estimates that are significant risks: • How management considered alternative assumptions or outcomes, why it rejected them, and how management addressed estimation uncertainty (AU-C 540.15a). One method management might use, for example, is sensitivity analysis, which might show to which assumptions the estimate is particularly sensitive. • Whether management's significant assumptions are reasonable (AU-C 540.15b). • Management's intent and ability to carry out specific courses of action, when relevant to the estimate (AU-C 540.15c). New Requirements • The clarified standard strengthens the existing requirements regarding uncertainties, which were less specific in the old standards. The major change is the discussion of estimation uncertainty: the need to evaluate it, the requirement to consider whether the uncertainty indicates the existence of a significant risk, and the possible need to disclose it in the financial statements. It also provides additional details regarding the considerations about significant risks.
112
Related Parties Objectives The auditor's objectives are to: • Obtain an understanding of related-party relationships and transactions in order to: • Recognize any fraud risk factors arising from them relevant to identification and assessment of risk of material fraud. •
•
Conclude whether the financial statements are fairly presented in regard to related-party relationships and transactions.
Obtain evidence regarding whether the financial statements appropriately identify, account for, and disclose related‐party relationships and transactions (AU‐C 550.09).
Requirements •
•
The audit team should specifically consider the financial statements' susceptibility to material misstatement that could result from related party relationships and transactions as part of the discussions of risk (see AU-C 315.11) and fraud (see AU-C 240.15) (AU-C 550.13). The auditor should ask management about: – The identity of related parties and how they differ from the prior year. – The nature of the relationship with those parties. – Whether the entity entered into any transactions with them during the period and the type and purpose of the transactions (AU-C 550.14).
113
Related Parties, continued Requirements •
The auditor should obtain an understanding of the entity's internal controls regarding related-party activity. AU-C 550.A19 notes that the risk of management override and, thus, fraud, might be higher for related-party activity. The auditor should understand controls over: – – –
•
Identification, accounting for, and disclosing related-party relationships and transactions. Authorization and approval of significant related-party transactions and arrangements. Authorization and approval of significant transactions and arrangements outside the normal course of business (AU-C 550.15).
The auditor should share the identity of, and other relevant information about, related parties with the engagement team ( AU-C 550.18). This is preferably done at an early stage of the audit (AU-C 550.A29). The same holds true for parties in interest as defined in ERISA.
114
Related Parties, continued Requirements •
If the auditor discovers information indicating the existence of relationships or transactions management did not identify, the auditor should: – Confirm the existence of the relationship or transaction (AU-C 550.22). – Promptly communicate the relevant information to the engagement team. – Request management to identify all transactions with these related parties. – Inquire why the entity's controls did not identify or disclose them. – Apply appropriate substantive procedures on the relationships or transactions. – Reconsider the risk of additional unidentified related-party relationships or transactions and perform additional procedures as necessary. – Evaluate the audit implications when the nondisclosure appears intentional (AU-C 550.23). The implications of fraud risk include re-evaluation of the reliability of management's responses to inquiries and written representations (AU-C 550.A40).
•
As part of risk assessment, the auditor is required to assess the risks of material misstatement associated with related-party activities and to consider whether they represent significant risks (AU-C 550.19). To assess fraud risk, the auditor should consider the fraud risk factors identified (AU-C 550.20). – A particular risk factor for fraud in related-party activity is the related party's domination of the entity or its management (AU-C 550.A31).
115
Related Parties, continued Requirements •
Transactions Outside the Normal Course of Business ‐ If the auditor identifies significant transactions outside the normal course of business, he or she should ask management about the nature of the transactions and whether related parties are involved (AU‐C 550.17). This involves obtaining an understanding of the business rationale behind the transactions and their terms and conditions (AU‐C 550.A27). Such transactions should be treated as significant risks (AU‐C 550.19). –
If related-party transactions are outside the normal course of business, the auditor should inspect the underlying agreements or contracts and evaluate whether: • The business rationale, or lack of one, suggests fraud. • The terms are consistent with management's explanations. • The transactions have been accounted for and disclosed appropriately (AU-C 550.24).
•
The auditor should obtain evidence that related-party transactions outside the normal course of business have been appropriately authorized and approved (AU-C 550.24).
•
The auditor should communicate significant findings and issues regarding related-party matters to those charged with governance – Significant findings or issues might involve lack of disclosure to the auditor, transactions that were not appropriately authorized or approved, disagreements with management over disclosure, noncompliance with laws or regulations regarding specific types of transactions, or difficulty in identifying the party that ultimately controls the entity (AU-C 550.A52).
116
Related Parties, continued Requirements •
Documentation - The auditor should document the names of identified related parties and the nature of the relationships (AUC 550.28).
New Requirements • • • • •
AU-C 550.16 requires the auditor to inspect specific types of documents in the search for related parties. AU-C 550.17, .19, and .24 establish specific procedures regarding transactions outside the normal course of business. AU-C 550.22 and .23 call for specific procedures to be applied when the auditor identifies previously-unidentified related party relationships or transactions. AU-C 550.26 requires disclosures that may go beyond those required under the financial reporting framework if necessary to achieve fair presentation. AU-C 550.27 specifically requires documentation that was implied in the prior standard.
117
Subsequent Events Objectives •
AU-C 560 provides guidance on three distinct time periods: – The period between the balance sheet date and the date of the auditor's report. – The period between the auditor's report date and the report release date . – The period following release of the auditor's report.
•
There are two sets of objectives: – one that deals with the current auditor and – another applicable to a predecessor auditor requested to reissue a report.
•
The current auditor's objectives are to: • Obtain appropriate evidence that events occurring between the dates of the financial statements and auditor's report that require adjustment or disclosure in the financial statements are appropriately reflected in the statements in accordance with the financial reporting framework. • Respond appropriately to facts discovered after the report date that would have caused the auditor to change the report if discovered earlier (AU-C 560.05). •
The predecessor auditor's objective is to perform specified procedures to determine whether the previously-issued audit report is still appropriate before reissuing it (AU‐C 560.06).
118
Subsequent Events, continued Requirements •
Procedures between Financial Statement Date and Auditor's Report Date: • The auditor should apply procedures to identify subsequent events that require adjustment of, or disclosure in, the financial statements (AU-C 560.09). • Unlike its predecessor, AU-C 560 does not define what types of events require adjustment or disclosure (it no longer defines type 1 or type 2 subsequent events). Instead, it relies on the definition in the financial reporting framework being used, which, like U.S. GAAP, might use the distinctions previously described in AU 560. • The procedures should be applied to the date of the report or as near to it as practicable (AU-C 560.10).
•
The nature and extent of the subsequent events procedures should be based on the auditor's risk assessment, but should include: – Obtaining an understanding of management's procedures to ensure subsequent events are identified. – Asking management (and those charged with governance, when appropriate) whether any subsequent events occurred that might affect the financial statements. – Reading minutes of post-balance-sheet date meetings of owners, management, and those charged with governance or, when minutes are not available, inquiring about the matters discussed. – Reading the latest subsequent interim financial statements, if available (AU-C 560.10).
119
Subsequent Events, continued Requirements •
Procedures between Auditor's Report Date and Report Release Date • Although the auditor is not required to continue to apply procedures after the report date, information (called subsequently discovered facts) might come to the auditor's attention after the date of the report but before it is released. • If the information might have affected the auditor's report if he or she had known about it before the report date, the auditor should discuss the matter with management (and, if appropriate, those charged with governance) and determine if the financial statements require revision. • If the financial statements need to be revised, the auditor should inquire how management intends to address the issue (AU-C 560.12). –
•
•
If management revises the financial statements, the auditor should apply appropriate audit procedures on the matter (AU-C 560.13).
The auditor has two alternatives for dating the auditor's report: – Date the report as of the date that the additional procedures were completed. In this case, the subsequent event procedures should be extended to that date. Dual-date the report. In this case the date of the report would read, “ [Original Date of Auditor's Report] , except as to note X,” indicating that only the matter in note X has been subjected to auditing procedures after the original report date (AU-C 560.13).
120
Subsequent Events, continued Requirements •
•
Procedures between Auditor's Report Date and Report Release Date • Because the management representation letter should be dated as of the auditor's report, the treatment of the subsequently discovered fact affects the rep letter. • When the auditor extends the report date to the date of the additional procedures, the representation letter should be dated as of that date as well. • When the auditor dual-dates the report, the auditor uses the original letter supplemented by additional written representations as of the later date about whether any information has come to management's attention to require modification of the previous representations and whether any other subsequent events have occurred (AU-C 560.13). Procedures after Report Release Date • If, after the report is released, the auditor becomes aware of a fact that might have changed the report if discovered earlier, the auditor should consider the matter the same way a subsequently discovered fact is considered before the release date – This requirement applies even if the auditor has withdrawn or been discharged (AU-C 560.A18). •
•
Management revises the financial statements, the auditor's procedures regarding the revision, the report date, and representation letter requirements are also the same as when the facts arose before the report release date After the completion of the auditor's procedures, a new auditor's report with a different date will be issued on the revised financial statements. The previous report should not be relied on; if the report was made available to third parties, the auditor should assess management's actions to inform them timely of the situation and that the financial statements are not to be relied on (AU-C 560.16). 121
Subsequent Events, continued Requirements •
•
Procedures after Report Release Date • If the auditor's opinion on the revised financial statements is different from the original opinion, the auditor should include an emphasis-of-matter or other-matter paragraph that indicates: – The type of opinion expressed in that report. – The substantive reasons the opinion was changed. – That the auditor's opinion is different from the previous opinion (AU-C 560.16). If the auditor believes the financial statements need to be revised and management refuses to do so, the auditor's actions depend on whether the financial statements have been made available to third parties: – If they have not been made available, the auditor should notify management (and, unless they are all part of management, those charged with governance) not to make the financial statements available until the financial statements have been revised and a new report issued. – If they have been made available (including being made available after the auditor notified management not to do so), the auditor should assess management's actions to inform users timely of the situation and that the financial statements are not to be relied on (AU-C 560.17). – When the original financial statements need revision but management does not take appropriate action to make sure third parties relying on them are informed of the situation, the auditor should notify management and those charged with governance (unless all of them are also part of management) that the auditor will seek to prevent future reliance on his or her report. If the entity still does not take appropriate action, the auditor should act to prevent reliance on the report (AU-C 560.18). In this case, the auditor might seek legal advice, which might suggest that the auditor notify management, regulatory authorities, and anyone the auditor knows to be relying on the financial statements (AU-C 560A.24). 122
Management Representations Objectives The auditor's objectives are to: •
Obtain written representations from management (and, when appropriate, those charged with governance) that they have fulfilled their responsibility for: • the preparation and presentation of the financial statements and • the completeness of the information provided to the auditor. • •
Support other audit evidence through written representations. Respond appropriately to the representations obtained or when the requested representations are not provided (AU-C 580.06).
Requirements • The auditor should request written representations from those in management with appropriate knowledge and responsibilities (AU-C 580.09).
123
Management Representations, continued Requirements • The auditor should request written representations from those in management with appropriate knowledge and responsibilities (AU-C 580.09). • The auditor should request management to provide written representations that: • Responsibility for financial statement preparation and presentation a. It has fulfilled its responsibility, as set out in the terms of engagement, for: (1) The preparation and presentation of the financial statements in accordance with the financial reporting framework.
•
(2) The design, implementation, and maintenance of internal control relevant to the preparation and presentation of financial statements that are free from material misstatement, whether due to fraud or error (AU-C 580.10). b. If the auditor deems it necessary (such as in the case of management changes after the engagement letter was signed or when the auditor believes there might be misunderstandings), it reconfirms its acknowledgment and understanding of its responsibilities regarding preparation and presentation of the financial statements and internal control in addition to the representations that it has fulfilled those responsibilities (AU-C 580.A8). Responsibility for information provided and completeness c. It has provided the auditor with all relevant information and access, as agreed on in the terms of engagement. d. All transactions have been recorded and reflected in the financial statements (AU-C 580.11). e. If the auditor deems it necessary (such as in the case of management changes after the engagement letter was signed or when the auditor believes there might be misunderstandings), it reconfirms its acknowledgment and understanding of its responsibilities regarding providing access to information and completeness of the financial records in addition to the representations that it has fulfilled those responsibilities (AU-C 580.A8). 124
Management Representations, continued Requirements • Fraud f. It acknowledges its responsibility for the design, implementation, and maintenance of internal controls to prevent and detect fraud. g. It has disclosed to the auditor the results of its assessment of the risk that the financial statements may be materially misstated as the result of fraud. h. It has disclosed to the auditor its knowledge of fraud or suspected fraud affecting the entity involving management, employees who have significant roles in internal control, or others when the fraud could have a material effect on the financial statements.
•
•
•
i. It has disclosed to the auditor its knowledge of any allegations of fraud or suspected fraud affecting the entity's financial statements communicated by employees, former employees, regulators, or others (AU-C 580.12). Laws and regulations j. It has disclosed to the auditor all instances of identified or suspected noncompliance with laws and regulations whose effects should be considered by management when preparing financial statements (AU-C 580.13). Uncorrected misstatements k. It believes the effects of uncorrected misstatements are immaterial, individually and in the aggregate, to the financial statements as a whole. A summary of such items should be included in, or attached to, the written representations (AU-C 580.14). Litigation and claims l. It has disclosed to the auditor all known actual or possible litigation and claims whose effects should be considered by management when preparing the financial statements and has accounted for and disclosed them in accordance with the applicable financial reporting framework (AU-C 580.15). 125
Management Representations, continued Requirements • Estimates m. It believes significant assumptions it used in making estimates are reasonable (AU-C 580.16). •
Related-party transactions n. It has disclosed to the auditor the identity of the entity's related parties and all the related-party relationships and transactions of which it is aware. o. It has appropriately accounted for and disclosed such relationships and transactions (AU-C 580.17).
•
•
Subsequent events p. It has adjusted the financial statements or disclosed all events occurring subsequent to the date of the financial statements for which the applicable financial reporting framework requires adjustment or disclosure (AU-C 580.18). The representation letter should also include: • specific representations required by other AU-C sections, and • other representations the auditor believes necessary to support other evidence related to the financial statements or specific assertions (AU-C 580.19).
•
The date of the representation letter should be the same as the audit report date (AU-C 580.20). When the auditor changes the date on the report in response to subsequently discovered facts, the representation letter should be dated accordingly. 126
Management Representations, continued Requirements •
In some cases, logistical issues preclude management from signing and delivering the physical letter on the date of the auditor's report. The auditor may, in those cases, accept management's oral confirmation at the report date that it reviewed and will sign the letter without exception. The auditor should have the signed letter, however, before releasing the audit report (AU-C 580.A27). It is reasonable to conclude that receipt of an email or facsimile of the signed letter accompanied by a statement that the original letter has been mailed would be sufficient to allow the auditor to release the report.
•
The representation letter should be for all financial statements and for all periods covered by the auditor's report (AU-C 580.20).
127
Management Representations, continued Requirements If . . .
The auditor should . . .
The auditor has doubts about management's competence, integrity, ethics, or diligence,
Determine the effect on the reliability of oral and written representations and on audit evidence in general (AU-C 580.22).
Written representations are inconsistent with other evidence,
Perform other procedures to resolve the matter. Inability to resolve it might raise questions about management's competence, integrity, ethics, or diligence (see above) (AU-C 580.23).
The auditor concludes the written representations are not reliable,
Take appropriate action, including determining the effect
The auditor concludes that doubts about management's integrity indicate that the representations are not reliable regarding its responsibility for financial statement preparation and presentation, auditor access to information, or completeness of records,
Disclaim an opinion or withdraw from the engagement (AU-C 580.25).
Management does not provide the requested representations about its responsibility for financial statement preparation and presentation, auditor access to information, or completeness of records,
Disclaim an opinion or withdraw from the engagement (AU-C 580.25).
Management does not provide one or more requested representations (other than those noted above),
• Discuss the matter with management. • Reevaluate management's integrity and the effect on reliability of representations and evidence in general . • Take appropriate action, including determining the effect on the opinion (AU-C 580.26).
128
Management Representations, continued New Requirements •
AU-C 580.22, .24, and .25 establish new requirements to consider management integrity and reliability of the representations and to take action if the auditor has doubts.
129
Auditor’s Reports Objectives •
The auditor's objectives are to: – form an opinion on the financial statements based on the evidence obtained about the financial statements audited and – express the opinion and the basis for it through a written report (AU-C 700.10).
Requirements •
Forming an Opinion • The auditor is required to form an opinion on the financial statements' conformity with the financial reporting framework (AU-C 700.13). This involves concluding whether they are materially misstated. The auditor considers whether – sufficient appropriate evidence has been obtained – determines whether uncorrected misstatements are material and – evaluates the statements' presentation (AU-C 700.14).
130
Auditor’s Reports, continued Requirements •
Forming an Opinion • In evaluating whether the financial statements conform to the financial reporting framework, the auditor should evaluate: •
•
Management bias and other qualitative aspects of the entity's accounting practices (AU-C 700.15). Biases do not, in and of themselves, materially misstate the financial statements. But their cumulative effect, when considered together with uncorrected misstatements, might. Management's lack of neutrality might manifest itself in selective correction of the financial statements (for example, making only those adjustments that increase income) or in making accounting estimates that are consistently at the extreme of a reasonable range (AU-C 700.A6-.A7). Whether, in view of the framework's requirements: » Significant accounting policies are adequately disclosed, consistent with the framework, and appropriate. » Accounting estimates are reasonable. » The information in the financial statements is relevant, reliable, comparable, and understandable. » Disclosures are adequate to enable users to understand the effect of underlying transactions and events. » The terminology, including statement titles, used in the financial statements is appropriate (AU-C 700.16). • The overall presentation, structure, and content of the financial statements (AU-C 700.17). • Whether the statements, including the notes, achieve fair presentation (AU-C 700.17). • Whether the financial statements adequately refer to, or describe, the financial reporting framework (AU-C 700.18). (U.S. GAAP does not call for a specific statement identifying the framework, such as “these financial statement are based on U.S. GAAP.” Discussions with AICPA staff indicate that it was intended that this requirement could be met through disclosure of significant accounting policies.) 131
Auditor’s Reports, continued Requirements • The Opinion • If: • The auditor concludes the financial statements are presented fairly, in all material respects, in accordance with the financial reporting framework, an unmodified opinion is expressed (AU-C 700.19). • The auditor concludes the financial statements as a whole are materially misstated or is unable to obtain sufficient evidence to conclude they are not materially misstated, the auditor issues a modified opinion (see section 602) (AU-C 700.20). •
The standard explains that financial statements that conform to the framework do not necessarily achieve fair presentation. It distinguishes between the need for additional disclosures, which might be necessary to achieve fair presentation, and the need to depart from an established accounting principle, which it characterizes as extremely rare (AU-C 700.A14) •
Practitioner Question: What does the “fair presentation” requirement call for? Does this mean conformity with GAAP is not enough? Do I have to second-guess the FASB? » Answer: There has to be a financial reporting framework, such as GAAP, underlying the financial statements, and the entity's transactions have to be recognized and measured in accordance with the framework (except in the rare situations). However, the auditor might conclude that additional disclosures are necessary to inform users of significant matters. Auditors have always had the obligation to consider the need for additional disclosures—the third reporting standard under GAAS required a report modification if disclosures were not reasonably adequate (AU 150.02). The language used in SAS No. 122 indicates that the separate fairness criterion applies to the adequacy of disclosures, not to recognition and measurement. 132
Auditor’s Reports, continued AU-C 700 Report
Comparison to SAS No. 58 Report
Independent Auditor's Report
Unchanged
[Appropriate Addressee]
Unchanged
We have audited the accompanying financial statements of ABC Company, which comprise the balance sheet as of December 31, 20X1, and the related statements of income, changes in stockholders' equity, and cash flows for the year then ended, and the related notes to the financial statements.
Reference to the financial statements as a group and reference to the financial statement notes are new.
Management's Responsibility for the Financial Statements
Heading is new.
Management is responsible for the preparation and fair presentation of these financial statements in accordance with accounting principles generally accepted in the United States of America; this includes the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error.
The reference to “preparation and presentation” is new.
133
Auditor’s Reports, continued AU-C 700 Report
Comparison to SAS No. 58 Report
Auditor's Responsibility
Heading is new.
Our responsibility is to express an opinion on these financial statements based on our audit. We conducted our audit in accordance with auditing standards generally accepted in the United States of America. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement.
No change except that it has been separated from the rest of the existing auditor's responsibility paragraph.
An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. The procedures selected depend on the auditor's judgment, including the assessment of the risks of material misstatement of the financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity's preparation and fair presentation of the financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity's internal control. Accordingly, we express no such opinion. An audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of significant accounting estimates made by management, as well as evaluating the overall presentation of the financial statements.
First sentence is rephrased but otherwise unchanged.
We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our audit opinion.
The reference to the evidence obtained is added.
The second through fourth sentences are new. The last sentence is rephrased but otherwise unchanged.
134
Auditor’s Reports, continued AU-C 700 Report
Comparison to SAS No. 58 Report
Opinion
Heading is new.
In our opinion, the financial statements referred to above present fairly, in all material respects, the financial position of ABC Company as of December 31, 20X1, and the results of its operations and its cash flows for the year then ended in accordance with accounting principles generally accepted in the United States of America.
No change
[Auditor's Signature]
No change
[Auditor's City and State]
New requirement
[Date of the Auditor's Report]
No change
135
Auditor’s Reports, continued New Requirements •
AU-C 700.17b establishes a requirement to consider whether, despite conformity with the financial reporting framework, the financial statements should disclose additional matters to be considered fair. This was always allowed in the standards, but not explicitly required in SAS No. 58.
•
AU-C 700.18 requires the auditor to evaluate if the financial statements adequately refer to or describe the financial reporting framework. This was not required under SAS No. 58 [although it was called for when reporting on financial statements prepared on an other comprehensive basis of accounting in SAS No. 62 (AU 623.10)].
•
The report has additional elements and structure.
136
Other topics
• • • •
Group audits Modified opinions Emphasis-of-matter and Other-Matter paragraphs Interim financial information
137
