Database - 1.3. Auditing & Attestation

Auditing & Attestation 3

Auditing & Attestation 3

1. Planning and supervision ................................................................................................
3
2. Fraud and illegal acts ...................................................................................................
25
3. Risk assessment ..........................................................................................................
36
4. Internal control ...........................................................................................................
44
5. Responding to assessed risks ........................................................................................
57
6. Appendix: Examples of fraud risk factors.........................................................................
66
7. Class questions ...........................................................................................................
69
A3-
2
Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-3
A

OF THE
PPOINTMENTAUDITOR
P

S
REDECESSOR/UCCESSOR
C
OMMUNICATIONS
PLANNING AND SUPERVISION

I. INTRODUCTION

The first standard of fieldwork states:

"The auditor must adequately plan the work and must properly supervise any assistants."

Planning and supervision are continuous functions that last throughout the audit, although they may

be delegated by the in-charge auditor to other personnel. The earlier the auditor is appointed, the

more efficient the audit plan and performance can be.

In meeting the planning standard, the auditor should first obtain information about both the client

and the industry in which the client is functioning. Then, based on this understanding, the auditor

should make preliminary assessments of audit risk and materiality. Obviously, more work is

required to obtain information regarding a new client than for an existing client.

II. APPOINTMENT OF THE AUDITOR

A. AUDIT COMMITTEES

The audit committee of the client's board of directors is responsible for the

selection and appointment of the independent external auditor, and for reviewing the nature

and scope of the engagement. Thus, the auditor will have some interaction or

communication with the audit committee during the planning phase.

1. Sarbanes-Oxley Act

a. Under the Sarbanes-Oxley Act (generally applying to public companies), auditors

report to and are overseen by the client's audit committee.

b. The audit committee must pre-approve all services provided by the auditor.

c. Certain specified non-audit services (covered in Auditing & Attestation 2) are

prohibited.

2. Those Charged with Governance

The term "those charged with governance" refers to those who bear responsibility to

oversee the obligations, financial reporting process, and strategic direction of an entity.

This term is broadly interpreted to encompass the terms "board of directors" and "audit

committee."

B. TIMING

Although early appointment of the auditor allows the auditor to plan a more efficient audit, an

auditor is permitted to accept an engagement near or after year-end. The auditor should

consider whether late appointment will pose limitations on the audit that may lead to a

qualified opinion or a disclaimer of opinion, and should discuss such concerns with the client.

C. NEW CLIENT RELATIONSHIP: TALK TO PREDECESSOR AUDITOR

A predecessor auditor is one who is engaged to audit a prior financial

statement (even if the audit is not completed). In a new client relationship, it

is mandatory to make inquiries of the predecessor auditor. Client

permission is needed, however. If the client is unwilling to agree to this

procedure, the auditor should consider the implications and decide whether to accept the

engagement. The inquiries between the successor auditor and the predecessor auditor may

be oral or written.

Auditing & Attestation 3 Becker CPA Review

A3-
4 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
1. Before Acceptance

The successor auditor is required to make inquiries of the predecessor auditor
before
accepting an engagement. Inquiries should be made regarding:

a. Information that might bear on management integrity;

b. Disagreements with management over accounting principles, auditing

procedures, or other similarly significant matters;

c. The predecessor's understanding as to the reasons for the change of auditors;

and

d. Communication to management, the audit committee, and those charged with

governance regarding fraud, illegal acts by the client, and matters relating to

internal control.

2. After Acceptance

After

a. Making specific inquiries of the predecessor regarding matters that the successor

believes may affect the conduct of the audit, such as audit areas that have

required an inordinate amount of time or audit problems that arose from the

condition of the accounting system and records; and

b. Reviewing the predecessor's audit documentation. While the predecessor may

use judgment to decide the extent of access provided to the successor, review of

any documentation related to matters of continuing accounting and auditing

significance (e.g., contingencies, balance sheet accounts, etc.) would generally

be permitted.
acceptance, the audit may be facilitated by:
3. Successor Remains Responsible

The predecessor auditor should indicate that he or she is not responsible for the

sufficiency or appropriateness of the information in the audit documentation for the

successor auditor's purposes. In fact, while the successor auditor may consider

information obtained from the review of the predecessor's audit documentation, the

successor remains solely responsible for the audit work performed and the conclusions

reached during the current audit.

4. Discovery of Problems

If, during the course of an audit, a successor auditor uncovers potential problems

relating to the predecessor auditor's report, he or she should ask the client to arrange a

meeting (involving both auditors and the client) to resolve the matter. If the client's

management refuses to inform the predecessor auditor, or if the successor auditor is

not satisfied with the resolution, the successor auditor should consider the implications

on the current audit and whether to resign from the engagement.

Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-5
III. PRELIMINARY ENGAGEMENT ACTIVITIES

Prior to performing any significant audit activities, the auditor should consider whether or not to

continue the client relationship and the specific engagement. The auditor should also evaluate

compliance with ethical requirements.

A. CONSIDER WHETHER OR NOT TO CONTINUE THE CLIENT RELATIONSHIP AND THE

SPECIFIC ENGAGEMENT

1. Assess the Auditability of the Client

The auditor should assess the auditability of the potential client. Factors to be

considered include:

a. The Integrity of Management

Concerns about management's integrity may increase the likelihood of financial

statement misrepresentation.

b. The Availability and Adequacy of the Client's Accounting Records

(1) The auditor should determine whether sufficient appropriate audit evidence

is likely to be available to support an opinion on the financial statements.

(2) The auditor should determine whether management maintains an

adequate internal control environment sufficient to provide reliable financial

reporting.

c. The Ability of the Auditor to Perform the Audit after Consideration of:

(1) The auditor's knowledge of the client's industry and the possible need for a

specialist.

(2) The auditor's independence of the client.

(3) Scope limitations.

(4) Staffing needs of the engagement.

(5) The auditor's ability to comply fully with the Code of Professional Conduct.

d. The Nature and Scope of the Engagement

Since applicable professional standards, requirements, responsibilities, and

limitations vary with the nature and scope of an engagement, the auditor must

consider if an audit provides appropriate scope or if the nature of the

engagement should be something other than an audit.

2. Assess Business Risk

a. Client's Business Risk

The client's business risk is the risk that events may occur that will negatively

impact the company. In the extreme case, a high level of business risk might

make the client less desirable from an audit perspective, since it increases

certain fraud risk factors.

b. CPA's Business Risk

The CPA's business risk is the risk that the engagement will not prove to be

profitable, and is also considered in determining whether or not to accept an

engagement.

A
UDITABILITY
Auditing & Attestation 3 Becker CPA Review

A3-
6 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
U
NDERSTANDING
W
ITH THE CLIENT
B. EVALUATE COMPLIANCE WITH ETHICAL REQUIREMENTS

1. Independence

The auditor should consider whether or not the necessary independence has been

maintained.

2. Quality Control Policies and Procedures

As part of the pre-acceptance phase of any engagement, the accountant must

document compliance with the firm's quality control policies and procedures regarding

acceptance or continuance of clients and engagements.

IV. ESTABLISHING AN UNDERSTANDING WITH THE CLIENT

An understanding with the client should be established for services to be performed for

each engagement, and this understanding should be documented through a written

communication with the client. If the auditor believes an understanding with the client has

not been established, he or she should decline to accept or perform the engagement.

PASS KEY

An engagement letter is a presumptively mandatory requirement (i.e., it is required in most circumstances).

A. REASONS FOR UNDERSTANDING

An understanding reduces the risk that either the auditor or the client may misinterpret the

needs or expectations of the other party. For example, an understanding reduces the risk

that the client may inappropriately rely on the auditor to:

1. Protect the entity against certain risks (e.g., defalcations) or

2. Perform certain functions (e.g., establishing and maintaining effective internal control

over financial reporting) that are the client's responsibility.

B. COVERAGE

The understanding may include overall audit strategy, but typically would not include specific

audit procedures (unless those procedures were requested by the client).

The understanding should include:

1. Objectives of the Engagement

a. The objective of the audit is the expression of an opinion on the financial

statements. The financial statements should be identified (i.e., name of entity,

year-end, and statements to be audited).

2. Management's Responsibilities

a. Management is responsible for:

(1) The entity's financial statements (and tax returns), and the selection and

application of accounting policies.

(2) Establishing and maintaining effective internal control over financial

reporting.

(3) Identifying and ensuring that the entity complies with the laws and

regulations applicable to its activities, and preventing/detecting fraud.

(4) Making all financial records and related information available to the auditor.

Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-7
(5) Providing the auditor with a letter, at the conclusion of the engagement,

that confirms certain representations made during the audit.

(6) Adjusting the financial statements to correct material misstatements

identified by the auditor.

(7) Affirming to the auditor in the representation letter that the effects of any

uncorrected misstatements are immaterial (both individually and in the

aggregate) to the financial statements taken as a whole.

3. Auditor's Responsibilities

a. The auditor is responsible for conducting the audit in accordance with generally

accepted auditing standards (GAAS), which require:

(1) That the auditor obtain reasonable assurance (rather than absolute

assurance) about whether the financial statements are free of material

misstatement, whether caused by error or fraud.

(2) That the auditor obtain an understanding of the entity and its environment,

including its internal control, sufficient to assess risk and to design

appropriate auditing procedures.

b. If, for any reason, the auditor is unable to complete the audit or is unable to form

or has not formed an opinion, he or she may:

(1) Decline to express an opinion, or

(2) Decline to issue a report as a result of the engagement.

4. Limitations of the Engagement

a. Since an auditor obtains only reasonable assurance, a material misstatement

may remain undetected.

b. An audit is not designed to detect error or fraud that is immaterial to the financial

statements.

c. An audit is not designed to provide assurance on internal control, or to identify

significant deficiencies.

(1) The auditor is, however, responsible for ensuring that those charged with

governance are aware of any significant deficiencies noted.

5. Other Matters

The understanding may also include:

a. The overall audit strategy.

b. Arrangements involving the conduct of the engagement, such as timing, client

assistance, and the availability of documents.

(1) The names of specific client personnel to be contacted during the

engagement may be provided.

c. The involvement, if applicable of:

(1) Specialists.

(2) Internal auditors.

(3) A predecessor auditor.

d. Arrangements regarding fees and billing (e.g., method, amount, and frequency of

payment).

Auditing & Attestation 3 Becker CPA Review

A3-
8 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
e. Any limitation of or other arrangements regarding the liability of the auditor or the

client.

(1) For example, indemnification to the auditor for liability arising from knowing

misrepresentations to the auditor by management. (Regulators, including

the Securities and Exchange Commission, may restrict or prohibit such

liability limitation arrangements.)

f. Conditions under which access to the audit documentation may be granted to

others.

g. Additional services to be provided relating to regulatory requirements.

h. Arrangements regarding other services to be provided in connection with the

engagement, or particular audit procedures requested by the client.

C. DOCUMENTATION

The auditor should document the understanding with the client through a written

communication (e.g., a client engagement letter). The engagement letter should be accepted

(signed and dated) by the client.

V. PLANNING THE AUDIT

A. OBJECTIVE

The objective of the planning phase is the development of an overall strategy for the audit,

including its conduct, organization, and staffing. The nature, extent, and timing of planning

procedures will vary based on the size and complexity of the entity, and on the auditor's

experience with and understanding of the entity.

B. REQUIREMENTS

The auditor is required to:

1. Obtain an understanding of the entity and its environment, including its internal control,

sufficient to assess risk and design audit procedures.

a. The auditor must plan the audit to be responsive to the initial risk assessment,

but should also be prepared to make revisions to audit strategy based on the

results of audit procedures.

2. Obtain knowledge of the client's business and industry.

3. Use analytical procedures as a planning procedure.

4. Develop and document an audit plan (covered later).

5. Consider materiality and audit risk.

C. KNOWLEDGE OF THE CLIENT'S INDUSTRY

Obtaining knowledge about the client's industry helps to highlight practices unique to that

industry that may have an effect on the client's financial statements. The most common

sources of industry information are:

1. AICPA accounting and audit guides;

2. Trade publications and professional trade associations;

3. Government publications; and

4. AICPA Accounting Trends and Techniques (an annual survey of accounting practices).

P
LANNING
Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-9
D. KNOWLEDGE OF THE CLIENT'S BUSINESS

The auditor should obtain knowledge relating to the client's business before commencing the

audit. Understanding the client's business provides information regarding events and

transactions that may affect the client's financial statements. The auditor may:

1. Tour Client Facilities

A tour of the client's facilities gives the auditor an excellent opportunity to meet the

client's personnel and observe the general operation of the company. A well-organized

tour can often save the auditor much time and effort during the course of the audit. As

a practical matter, this step is most important for new client relationships.

2. Review the Financial History of the Client

The auditor should review written documents relating to the current and past financial

history of the client. These may include:

a. Previous audit reports;

b. Annual and permanent audit files;

c. Prior year and interim financial statements;

d. Minutes of stockholders' and board of directors' meetings;

e. Communications with third parties;

f. SEC filings;

g. Dun and Bradstreet reports; and

h. Tax returns.

3. Obtain an Understanding of Client Accounting

The auditor should obtain an understanding of client accounting methodology because

it affects the design of internal control, which in turn impacts planned audit procedures.

Specifically, the auditor should obtain an understanding of:

a. Methods used to gather and process accounting information, including the extent

to which computer processing is used and the use of any outside service

organization. Such methods influence the client's design of internal control and

the auditor's consideration thereof. Review of the client's policies and

procedures manual often provides information about client accounting.

b. Events and transactions that may affect the financial statements or require

special audit consideration.

c. Other factors affecting audit risk, such as related party transactions.

d. Applicable accounting and auditing pronouncements.

4. Inquire of Client Personnel

The auditor should inquire about current business developments affecting the entity.

Auditing & Attestation 3 Becker CPA Review

A3-
10 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A
NALYTICAL
P
ROCEDURES
E. ANALYTICAL PROCEDURES

Analytical procedures are evaluations of financial information made by a study of plausible

relationships among both financial and nonfinancial data. At all stages of the audit, an

understanding of these relationships is essential.

1. Use of Analytical Procedures

Analytical procedures are used:

a. For planning the nature, extent, and timing of other auditing procedures

(mandatory);

b. As substantive tests to obtain audit evidence (optional);

c. As an overall review in the final review stage of the audit (mandatory).

2. Analytical Procedures Performed During Planning

The planning process

assist in planning the nature, extent, and timing of the auditing procedures that will be

used to gather audit evidence.

a. During planning, analytical procedures consist of a review of data aggregated at

a high level, such as comparing financial statements to budgeted or anticipated

results.

b. Generally, financial data is used, though relevant nonfinancial data (e.g., number

of employees, square footage of selling space, or volume of goods produced)

may also be considered.
must include application of analytical procedures, performed to
c. Purpose

The objective of analytical procedures used during planning is to:

(1) Enhance the auditor's understanding of the client's business and of

transactions and events that have occurred since the last audit date.

(2) Identify unusual transactions and events, and amounts, ratios, or trends

that might be significant to the financial statements and may represent

specific risks relevant to the audit.

Analytical procedures are discussed further in Auditing & Attestation 4.

F. OVERALL AUDIT STRATEGY

1. General Strategy Considerations

The auditor should establish an overall strategy for the audit, considering factors such

as:

a. Characteristics of the engagement, including the basis of reporting, industryspecific

reporting requirements, and locations of the entity.

b. The reporting objectives, including the timing and nature of required

communications.

c. Preliminary evaluations of materiality, audit risk, and internal control, including

entity-specific or industry-related developments.

d. The involvement of other auditors, specialists, internal auditors, or service

organizations.

e. The effect of information technology.

f. Knowledge gained from prior experience with the entity.

Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-11
2. Resource Allocation

The auditor should allocate appropriate resources to the engagement. Allocation of

resources includes:

a. Determining the appropriate staffing for the engagement (i.e., number of staff

members to assign, skill levels required, etc.).

b. Scheduling audit work, team meetings, and reviews.

3. Small Entities

For a small entity, establishment of an audit strategy may be a simple, less formal

process, such as preparing a brief memorandum at the end of one audit and updating it

at the beginning of the next.

4. Communication with Those Charged with Governance

The auditor is required to communicate the planned scope and timing of the audit with

those charged with governance (covered further in Auditing & Attestation 5).

G. THE AUDIT PLAN

1. Components of an Audit Plan

The auditor must develop an audit plan in which specific audit procedures are

documented. The audit plan should include a description of the nature, extent, and

timing of:

a. Planned Risk Assessment Procedures

(1) Planned risk assessment procedures are used to assess the risk of

material misstatement.

(2) The results of risk assessment procedures will affect whether and to what

extent further audit procedures are necessary.

b. Planned Further Audit Procedures

(1) Further audit procedures are applied at the relevant assertion level for

each material account balance, transaction class, and disclosure item.

(2) The plan for further audit procedures may include tests of the operating

effectiveness of controls, and should also include the nature, extent, and

timing of planned substantive procedures.

c. Other Audit Procedures

Other audit procedures (for example, a letter to the client's attorney) may be

necessary to comply with GAAS.

PASS KEY

A written audit plan (i.e., documentation of specific audit procedures) is
required.
2. Relationship of Audit Strategy and Audit Plan

While creation of an audit plan typically follows development of the audit strategy, the

two activities are closely interrelated and may overlap to some extent.

3. Need for a Specialist

The auditor should consider the need for a specialist, either from within the audit firm or

from the outside. For example, an information technology (IT) specialist may be used

to understand or test IT when:

Auditing & Attestation 3 Becker CPA Review

A3-
12 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
a. There are complex or interrelated systems, new systems, or changes to existing

systems.

b. The entity makes extensive use of e-commerce or other emerging technologies.

c. Significant audit evidence is only available in electronic form.

4. Timing of Audit Procedures

a. Testing at an Interim Date

During planning, the auditor generally establishes the timing of the audit work,

which may include the gathering of audit evidence at interim dates. When audit

procedures are performed before year-end, the auditor must assess the

incremental risk involved and determine whether sufficient alternative procedures

exist to extend the interim conclusions to year-end (covered later).

b. Effect of Information Technology

The auditor should consider the methods used by the client to process

accounting information, and whether those methods affect the availability of data.

For example, when computer processing is used, documents may exist only

briefly because they are discarded once information is entered into the system.

In such situations, the auditor may need to schedule audit procedures to coincide

with the availability of information. The auditor should also consider performing

tests several times during the year.

VI. MISSTATEMENTS AND MATERIALITY

A. MISSTATEMENTS

1. Misstatements can result from errors, which are unintentional, or fraud, which is

intentional. Misstatements include:

a. Inaccuracies in the collection or processing of data.

b. Departures from generally accepted accounting principles.

c. Omissions.

d. Incorrect estimates or judgments.

e. Inappropriate selection or application of accounting policies.

2. The auditor should consider what level of misstatement would be material, either alone

or when aggregated with other misstatements.

3. Misstatements may be either known or likely.

a. Known Misstatements

Known misstatements are specific misstatements identified during the audit.

b. Likely Misstatements

Likely misstatements are misstatements that the auditor considers likely to exist,

either due to differences between auditor and management judgments regarding

estimates or based on extrapolation from audit evidence.

Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-13
4. Tolerable Misstatement

Tolerable misstatement (also called tolerable error) is the maximum error in a specific

population (for example, an account balance) that the auditor is willing to accept.

5. Communication to Management

All misstatements, other than those considered trivial, must be communicated to

management.

a. In this communication, the auditor should:

(1) Distinguish between known and likely misstatements.

(2) Request management to review the situation and make appropriate

corrections.

b. The auditor should reevaluate the amount of likely misstatement remaining, if

any, after management has made adjustments.

c. If management does not correct some or all of the known and likely

misstatements, the auditor should consider the implications on the auditor's

report.

B. MATERIALITY

Materiality is the amount of error or omission that would affect the judgment of a reasonable

person. The auditor's report (covered in Auditing & Attestation 1) gives

absolute, assurance that the client's financial statements as a whole are free from material

misstatement.
reasonable, not
1. Needs of Users

In determining materiality, the auditor considers the general needs of financial

statement users, rather than the needs of any specific user group. Users are assumed

to:

a. Have appropriate knowledge of business, the economy, and accounting.

b. Recognize that financial statements inherently include some level of uncertainty.

c. Understand how materiality affects both the preparation and audit of the financial

statements.

d. Have both a willingness and an ability to properly analyze the financial

statements, and to make appropriate decisions based on this analysis.

2. Preliminary Judgment about Materiality

During the planning stage, the auditor uses professional judgment to establish a

preliminary level of materiality.

a. Generally, the auditor uses financial statements (e.g., annualized interim financial

statements, prior period annual financial statements, budgets, forecasts, etc.), as

adjusted for relevant changes that have occurred, to set a preliminary measure of

materiality.

b. Tolerable error, as determined for specific account balances, transaction classes,

or disclosure items, is typically lower than overall financial statement materiality

limits.

c. Because the financial statements are interrelated, the auditor should use the

smallest level of misstatement that could be material to any one of the financial

statements.

M
ATERIALITY
Auditing & Attestation 3 Becker CPA Review

A3-
14 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
d. This preliminary assessment of materiality ordinarily will be revised as the audit

progresses. The auditor should consider whether the audit plan needs to be

modified in response to any change in the assessment of materiality, and should

not assume that a misstatement is an isolated occurrence.

3. Evaluation of Audit Findings

a. The size of a misstatement is often evaluated in comparison to a relevant

financial base, such as net income, gross sales, gross margin, total assets, or

total liabilities.

b. The auditor must consider the effects, both individually and in the aggregate, of

uncorrected misstatements (both known and likely).

c. As the aggregate of known and likely misstatements approaches the materiality

level, the auditor should consider the risk that the addition of undetected

misstatements could cause materiality levels to be exceeded.

d. Prior period misstatements may affect the financial statements of the current

period.

e. Qualitative Considerations

Qualitative considerations sometimes may cause an otherwise immaterial

misstatement to be deemed material.

(1) The specific circumstances surrounding an entity may lead to situations in

which misstatements that do not exceed materiality limits are still likely to

influence the economic decisions of users.

(2) Misstatements are more likely to be considered material if they:

(a) Affect trends in profitability or mask a change in a trend, or change a

loss into income (or vice versa).

(b) Affect the entity's compliance with loan covenants, contracts, or

regulatory provisions.

(c) Increase management compensation, indicate a pattern of

management bias, or involve fraud or an illegal act.

(d) Affect significant financial statement elements, such as those

involving recurring earnings (as opposed to those involving

nonrecurring items).

(e) Can be objectively determined, as opposed to including an element

of subjectivity.

(3) Whether or not a misstatement is considered material is ultimately a matter

of professional judgment.

C. DOCUMENTATION REQUIREMENTS

The auditor should document the following items:

1. Planning levels of materiality and tolerable misstatement, the basis for those levels,

and any subsequent changes.

2. Known and likely misstatements that were corrected by management.

3. A summary of uncorrected misstatements (both known and likely), the auditor's

conclusion regarding whether such misstatements cause the financial statements to be

materially misstated, and the basis for this conclusion.

Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-15
a. Documentation of Uncorrected Misstatements

Documentation of uncorrected misstatements should include:

(1) Separate identification of known and likely misstatements.

(2) The aggregate effect on the financial statements.

(3) Relevant qualitative factors affecting materiality judgments.

VII. AUDIT RISK

A. WHAT IS AUDIT RISK?

Audit risk is the risk that the auditor may unknowingly fail to modify appropriately the opinion

on financial statements that are materially misstated.

1. Audit risk arises because the auditor obtains only reasonable (and not absolute)

assurance about whether the financial statements are free of material misstatement.

2. Audit risk should be reduced to a low level before an opinion on the financial

statements is expressed.

B. THE AUDIT RISK MODEL

1. Audit risk is comprised of the risk that the financial statements are materially misstated

(risk of material misstatement, or "RMM") and the risk that the auditor will not detect

such misstatements (detection risk, or "DR").

AR

Audit Risk

(should be low)

=

RMM

Risk of Material Misstatement

(assessed by auditor)

x

DR

Detection Risk

(controlled by auditor)

2. The components of audit risk may be assessed either quantitatively (e.g., as a

percentage), or non-quantitatively (e.g., high, medium, low, etc.).

3. Risk of Material Misstatement (RMM)

a. The auditor makes an assessment of the risk of material misstatement by

performing risk assessment procedures and, where appropriate, tests of controls

(covered later).

b. The risk of material misstatement can be subdivided into inherent risk ("IR") and

control risk ("CR").

c. Inherent Risk ("IR")

Inherent risk is the susceptibility of a relevant assertion to a material

misstatement, assuming there are no related controls.

(1) Assertions involving complex calculations, amounts derived from

estimates, and cash have relatively higher inherent risk than assertions

without those characteristics.

(2) Other factors specific to the entity and its environment may also tend to

increase inherent risk, such as technological developments that render a

product obsolete, a lack of working capital, or a decline in the overall

industry.

A
UDIT RISK
Auditing & Attestation 3 Becker CPA Review

A3-
16 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
d. Control Risk ("CR")

Control risk is the risk that a material misstatement that could occur in a relevant

assertion will not be prevented or detected on a timely basis by the entity's

internal control.

(1) Control risk is a function of the effectiveness of the design and operation of

internal control.

(2) Some amount of control risk will always exist due to inherent limitations of

any system of internal control (covered later).

e. Inherent risk and control risk exist independently of the audit, and the auditor

generally cannot change these risks.

PASS KEY

While the auditor cannot generally change the risk of material misstatement, the auditor can change his or her

this risk as the audit progresses. Many exam questions present a change in the auditor's assessed level of risk, and require

the candidate to determine the effect of this change.
assessment of
4. Detection Risk ("DR")

Detection risk is the risk that the auditor will not detect a misstatement that exists in a

relevant assertion.

a. Detection risk is a function of the effectiveness of audit procedures and of the

manner in which they are applied.

b. Some amount of detection risk will always exist because the auditor does not

examine 100 percent of an account balance or transaction class, and because

the auditor may make mistakes in applying audit procedures or in interpreting

results.

c. Detection risk can be subdivided into tests of details risk ("TD") and substantive

analytical procedures risk ("AP").

d. The auditor
can change detection risk (see below).
5. Effect on the Audit

The auditor's overall judgment about the level of risk in an engagement will affect the

staffing, level of supervision, and scope of the audit. While auditors use professional

judgment to assess each aspect of audit risk, they can change only the level of

detection risk. The auditor uses his or her assessment of the risk of material

misstatement as a basis for determining an appropriate level of detection risk.

a. Inverse Relationship of RMM to DR

When the auditor determines that the risk of material misstatement is high,

detection risk should be set at a low level. Conversely, when the risk of material

misstatement is low, the auditor can justify a higher detection risk.

b. The Auditor Can Change Detection Risk

The auditor can change the level of detection risk by varying the nature, extent,

and timing of audit procedures. For example, as the acceptable level of

detection risk decreases, the assurance provided from substantive procedures

should increase. The auditor may:

(1) Change the nature of substantive tests from a less effective to a more

effective procedure (e.g., direct test toward independent parties outside the

entity rather than toward parties or documentation inside the entity).

Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-17
(2) Change the extent of substantive tests (e.g., use a larger sample size).

(3) Change the timing of substantive tests (e.g., perform substantive tests at

year-end rather than at interim).

Alternatively, if the acceptable level of detection risk increases, the assurance

that must be obtained from substantive tests decreases, allowing for somewhat

less persuasive evidence to be used, for a reduced extent of testing, or for more

testing to be performed at interim.

c. Substantive Procedures Required

Note that even when the assessed risk of material misstatement is low,

substantive procedures will always be necessary for all relevant assertions

related to material transaction classes, account balances, and disclosures.

PASS KEY

Many exam questions deal with the relationship between the risk of material misstatement (RMM) and detection risk, or

between RMM and substantive testing. While there is an inverse relationship between RMM and detection risk, there is a

direct relationship between RMM and the assurance required from substantive procedures. In other words, greater risk

requires more persuasive evidence, a larger sample size, and/or a shift from interim to year-end testing.

VIII. AUDIT RISK AND MATERIALITY: CONSIDERATION DURING AN AUDIT

A. OVERALL CONSIDERATIONS

1. Audit risk and materiality should be considered together in designing the nature, extent,

and timing of audit procedures, and in evaluating the results of those procedures.

2. Considerations of audit risk and materiality are affected by the size and complexity of

the entity, as well as the auditor's experience with and knowledge of the entity, its

environment, and its internal control.

3. Audit risk and materiality must be considered at both the financial statement level and

the account balance, individual transaction class, or disclosure item level.

B. CONSIDERATIONS AT THE FINANCIAL STATEMENT LEVEL

At the financial statement level, the auditor should consider risks that have a pervasive effect

on the financial statements, potentially affecting many relevant assertions. Audit risk at the

financial statement level often relates to the entity's control environment.

1. Purpose

Considerations of audit risk and materiality at the financial statement level are used to:

a. Design risk assessment procedures.

b. Identify and assess risk.

c. Design further audit procedures.

d. Evaluate the financial statements taken as a whole.

2. Auditor's Response

In responding to audit risk at the financial statement level, the auditor should consider:

a. The competency of personnel assigned to the engagement.

b. The potential need for a specialist.

c. The appropriate level of supervision of assistants.

Auditing & Attestation 3 Becker CPA Review

A3-
18 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
C. CONSIDERATIONS AT THE ACCOUNT BALANCE, TRANSACTION CLASS, OR

DISCLOSURE ITEM LEVEL

1. Purpose

Considerations of audit risk and materiality at the account balance, individual

transaction class, or disclosure item level are used to determine the nature, extent, and

timing of audit procedures to be applied to specific account balances, transaction

classes, or disclosure items. The audit risk model may be useful in this regard.

2. Inverse Relationship Between Audit Risk and Materiality

There is an inverse relationship between audit risk and materiality. The risk of a very

large misstatement may be low, whereas the risk of a small misstatement may be high.

Also, the more material a misstatement is, the less likely it is that the auditor will miss it.

As materiality decreases, audit risk increases.

IX. DEVELOPING THE AUDIT PLAN

A. AUDIT PROCEDURES

Audit procedures are performed to obtain evidence on which to base the audit opinion. Audit

procedures may be categorized as:

1. Risk Assessment Procedures

Risk assessment procedures are used to obtain an understanding of the entity and its

environment, including its internal control, in order to assess the risk of material

misstatement.

a. Risk assessment procedures alone do not provide audit evidence sufficient to

support an audit opinion.

2. Tests of Controls

Tests of controls are used to evaluate the operating effectiveness of internal control in

preventing or detecting material misstatements.

a. Test of controls are necessary when:

(1) The auditor's risk assessment is based to some extent on the operating

effectiveness of internal control.

(2) Substantive procedures alone are deemed to be insufficient (covered

later).

3. Substantive Procedures

Substantive procedures are used to detect material misstatements. They include tests

of details (as applied to transaction classes, account balances, and disclosures) and

substantive analytical procedures.

a. Substantive procedures are performed in response to the planned level of

detection risk, which in turn may be based (to some extent) on the results of tests

of controls.

b. Since risk assessment is judgmental, and since there are inherent limitations of

internal control, substantive procedures will always be necessary for all relevant

assertions related to each material transaction class, account balance, and

disclosure item.

Note that specific audit procedures will be covered in a later class.

A
UDIT PLAN
Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-19
B. FINANCIAL STATEMENT ASSERTIONS

1. What are Financial Statements?

Financial statements are not statements of facts. They are claims and assertions,

made implicitly or explicitly by management, about the recognition, measurement,

presentation, and disclosure of information in the financial statements.

2. Categories of Assertions

Assertions used by the auditor fall into three categories:

a. Transactions and Events

(1)

recorded have been recorded.

(2) (

the correct (proper) accounting period.

(3)

events have been recorded appropriately.

(4)

accounts.

(5)

occurred and pertain to entity.
Completeness. All transactions and events that should have beenProper Period) Cutoff. Transactions and events have been recorded inAccuracy. Amounts and other data relating to recorded transactions andClassification. Transactions and events have been recorded in the properOccurrence. Transactions and events that have been recorded have
b. Account Balances

(1)

been recorded have been recorded.

(2)

included in the financial statements at appropriate amounts, and any

resulting valuation or allocation adjustments are appropriately recorded.

(3)

and liabilities are the obligations of the entity.

(4)
Completeness. All assets, liabilities, and equity interests that should haveAllocation and Valuation. Assets, liabilities, and equity interests areRights and Obligations. The entity holds or controls the rights to assets,Existence. Assets, liabilities, and equity interests exist.
c. Presentation and Disclosure

(1)

financial statements have been included.

(2)

presented and described and disclosures are clearly expressed.

(3)

transactions have occurred and pertain to the entity.

(4)

fairly and at appropriate amounts.
Completeness. All disclosures that should have been included in theUnderstandability and Classification. Financial information is appropriatelyRights and Obligations, and Occurrence. Disclosed events andValuation and Accuracy. Financial and other information are disclosed
PASS KEY

The following mnemonic may be used to aid in your memorization of the financial statement assertions:

CPA CO CARE CURV

("A
CPA CO CARE about CURVed assertions.")
F
INANCIAL
S
TATEMENT
A
SSERTIONS
Auditing & Attestation 3 Becker CPA Review

A3-
20 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
3. Relevant Assertions

Relevant assertions are assertions that have a meaningful bearing on whether an

account is fairly stated. For example, valuation is typically not relevant to the cash

account.

a. In determining whether an assertion is relevant to a particular account, the

auditor should consider the nature of the assertion, the volume of activity related

to the assertion, and the nature and complexity of the systems used to process

information supporting the assertion.

C. USE OF ASSERTIONS

1. An auditor uses relevant assertions to form a basis for assessing risk, and for the

design and performance of further audit procedures. The auditor should identify

potential misstatements that may occur, and then design audit procedures to address

those risks.

2. The following table provides some examples of the use of relevant assertions in

developing audit procedures for inventory.

Relevant Assertion Potential Misstatement Audit Procedure

Inventories included in the

balance sheet physically

exist (existence assertion).

The inventory balance

includes amounts that

don't physically exist (i.e.,

inventory is overstated).

Physically examine

inventory items.

Inventory quantities

include all inventory on

hand (completeness

assertion).

Inventory items on hand

are excluded from the

inventory balance (i.e.,

inventory is understated).

Observe physical

inventory counts.

Inventory quantities

include all inventory stored

at outside locations

(completeness assertion).

Inventory items stored at

outside locations are

excluded from the

inventory balance (i.e.,

inventory is understated).

Obtain confirmation of

inventories held at outside

locations.

3. Note that:

a. There may be more than one relevant assertion related to the same overall

category (e.g., completeness).

b. A given audit procedure may provide evidence supporting more than one

assertion. For example, when an auditor obtains confirmation of inventories held

at outside locations, evidence is obtained not just about completeness, but also

about the existence of inventory.

c. More than one procedure may be required to fully support an assertion. For

example, in order to be reasonably certain that inventory quantities include all

inventory on hand at year-end, the auditor should also inspect receiving

transactions near year-end for recording in the proper period.

Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-21
S
UPERVISION
A
UDIT
P
LAN
D. DRAFTING THE AUDIT PLAN

After sufficient planning information has been gathered, an audit plan should be

drafted. A written audit plan is

audit procedures that the auditor believes are necessary to accomplish the objectives of the

audit. It serves as the work plan for the supervising auditor and assistants working on the

engagement. Thus, the audit plan should set out procedures in reasonable detail, specifying

the nature, extent, and timing of the work to be performed, and including a reference to the

assertion under consideration (this reference may be implied as to the objective). For

example,

"Perform a specified procedure (e.g., count/vouch/trace/compare/

calculate/confirm/examine)… –
required for every audit. The audit plan is a listing ofnature
...on [a specified number of records from a specified population] –
extent
...as of [some interim date or year-end, either for the entire period

or from the date of interim fieldwork]." –
timing
As the audit progresses, the initial audit plan may need to be modified in response to

changing conditions or the results of other procedures. Modifications are often made after

assessing the risk of material misstatement, or based on the results of audit procedures. The

audit plan should be designed so that the audit evidence gathered will support the auditor's

conclusions.

X. SUPERVISION OF ASSISTANTS

GAAS requires proper supervision of assistants during the course of the audit to ensure that the

work they perform is adequate to accomplish the objectives of the examination and is consistent

with conclusions presented in the report. Guidance should be provided to assistants regarding both

technical and personnel aspects of the audit.

A. PROPER SUPERVISION

When assistants are used, proper supervision includes:

1. Directing the efforts of assistants;

2. Communicating with the audit team regarding the susceptibility of the financial

statements to material misstatement due to error or fraud;

3. Informing assistants of their responsibilities, the objectives of the procedures they are

to perform, and any matters that may affect their performance of those procedures;

4. Staying informed (e.g., by directing staff to report back) regarding significant

accounting and auditing issues, new developments, and difficulties encountered in

performing the audit;

5. Reviewing the work performed by assistants to determine whether it was adequately

performed and documented, whether the objectives of the audit were accomplished,

and whether the work is performed is consistent with the conclusions to be presented

in the auditor's report; and

6. Dealing with differences of opinion among members of the audit team.

Auditing & Attestation 3 Becker CPA Review

A3-
22 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
I
NTERNAL
A
UDITORS
B. EXTENT OF SUPERVISION

The extent of the supervision depends upon:

1. The complexity of the subject matter; and

2. The qualifications of the assistants.

C. DISAGREEMENTS WITH ASSISTANTS

A disagreement among members of the audit team regarding certain accounting and auditing

issues may exist at the end of the audit. If the differences still exist after consulting with the

auditor who has final responsibility for the audit (generally a partner), dissenting staff

members should be allowed to disassociate themselves from the resolution by documenting

their disagreement. In this event, the basis for the final resolution should also be

documented.

XI. THE ROLE OF THE CLIENT'S INTERNAL AUDITORS

When planning the audit, the auditor should consider the extent of involvement of the client's

internal auditors in the performance of the audit. While internal auditors must maintain

objectivity and integrity, they are not independent of the client, their employer. Thus, the

independent external auditor cannot share with the internal auditor any of the responsibility for audit

decisions, judgments, or assessments made as part of the audit (such as those concerning

materiality or accounting estimates), or any of the responsibility for issuing the report. The

procedures performed by the internal auditor can, however, provide information useful to the

auditor in obtaining an understanding of the internal control system, assessing risk, and performing

substantive tests. Additionally, the internal auditor may provide direct assistance to the CPA with

respect to obtaining an understanding of the entity and its environment, including its internal

control, performing tests of controls, and/or performing substantive tests.

A. EXTERNAL AUDITOR RESPONSIBILITIES

1. Obtain an Understanding of the Internal Audit Function

Since internal auditors often review and assess an entity's controls, the internal audit

function is considered to be part of the monitoring component of internal control

(covered later). The external auditor should therefore obtain an understanding of the

internal audit function (scope of activities, procedures used, access to records) and

determine whether any internal audit activities are relevant to the audit.

2. Assess Competence and Objectivity

If the auditor decides to make use of the internal auditor's work, competence and

objectivity must be assessed. Competence is reflected by education, professional

certification, experience, performance evaluations, the audit plan, audit procedures,

and the quality of audit documentation. Objectivity is reflected by the organizational

level to which the internal auditor reports, as well as by policies prohibiting audits of

areas where the internal auditor lacks independence.

3. Supervise and Review

The external auditor should supervise and review all work performed on the audit.

Evaluating the work of the internal auditor should include testing some of the internal

auditor's work, either by reperforming some of their tests or by examining similar items.

Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-23
4. Bear Responsibility

The external auditor remains solely responsible for the report on the financial

statements. While the internal auditor may assist with regard to routine ministerial

tasks, he or she may not be utilized to make judgment calls, which remain the

responsibility of the independent auditor. For example, the internal auditor could check

the mathematics of an accounts receivable schedule, but could not determine the

adequacy of the allowance for doubtful accounts.

B. EFFECT OF THE INTERNAL AUDITOR'S WORK

The work of an internal auditor may aid the external auditor in obtaining an understanding of

internal control, assessing risk, and performing substantive procedures. In judging the extent

of the effect of the internal auditor's work, the CPA should consider the materiality of financial

statement amounts, the risk of material misstatement, and the degree of subjectivity involved

in evaluating evidence.

1. For assertions related to material financial statement amounts with a high risk of

material misstatement or a high degree of subjectivity, the internal auditor's work alone

cannot eliminate direct testing by the CPA (e.g., assertions about the valuation of

assets/liabilities involving significant accounting estimates, or assertions about the

existence/disclosure of related-party transactions, contingencies, uncertainties, and

subsequent events).

2. For assertions related to less material financial statement amounts with a low risk of

material misstatement or a low degree of subjectivity, direct testing by the CPA may not

be necessary (e.g., assertions about the existence of cash, prepaid assets, or fixed

asset additions).

C. DIRECT ASSISTANCE PROVIDED BY THE INTERNAL AUDITOR

An external auditor may request that the internal auditor perform a specific task to aid in the

conduct of the audit. The external auditor should supervise, review, evaluate, and test the

work performed, and there should be communication between the auditors regarding

responsibilities, objectives, and accounting/auditing issues.

Auditing & Attestation 3 Becker CPA Review

A3-
24 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
S
PECIALIST
XII. USING THE WORK OF A SPECIALIST

An independent auditor may use the work of a specialist as an audit procedure to obtain

competent audit evidence in those circumstances that are material to the fair presentation of

financial statements.

A. WHO IS A SPECIALIST?

A specialist is a person or firm with special skills in a field other than accounting or auditing

(e.g., actuaries, appraisers, attorneys, engineers, etc.).

B. USE OF A SPECIALIST

A specialist may be engaged whenever the auditor believes it is desirable or necessary. For

example:

1. Valuation of restricted securities and works of art.

2. Determination of physical characteristics (e.g., related to mineral reserves or large

quantities of fungible goods).

3. Determination of specialized estimates, such as actuarial calculations used to

determine employee benefit obligations.

4. Interpretation of technical standards or legal documents.

The specialist should have an understanding of the auditor's use of the specialist's findings.

The specialist does not have to use the same methods as the client in calculating amounts.

The auditor must understand the nature of the specialist's work and be able to evaluate the

findings for their suitability in corroborating financial statement amounts.

C. COMPETENCE AND OBJECTIVITY

The auditor must be satisfied as to the professional competence and reputation of the

specialist. Generally, a specialist who is unrelated to the client will provide the auditor with

greater assurance of reliability. A specialist who is related to the client may be acceptable in

some circumstances, but the auditor may choose to perform additional procedures in those

cases to verify objectivity.

D. EFFECT ON THE AUDITOR'S REPORT

If the specialist's findings indicate that the financial statements are not in conformity with

GAAP, a qualified or adverse opinion would be issued. An unresolved difference between

the specialist's findings and the financial statements, or an unresolved disagreement between

the auditor and the specialist, would lead to a qualified opinion or disclaimer of opinion due to

a scope limitation.

If, as a result of the work performed by the specialist, the auditor decides to add explanatory

language or depart from an unqualified opinion, the auditor may refer to the specialist in the

report. However, if the auditor is expressing a standard unqualified opinion, no reference

should be made to the work of the specialist.

Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-25
FRAUD AND ILLEGAL ACTS

I. CONSIDERATION OF FRAUD DURING AN AUDIT

A. WHAT IS FRAUD?

1. Fraud vs. Error

Errors are unintentional misstatements or omissions of amounts or disclosures in the

financial statements. They include mistakes in gathering or processing accounting

data, inaccurate accounting estimates, and misunderstanding or accidental

misapplication of accounting principles.

Fraud is distinguished from error by intent of the parties involved: fraud is an intentional

action that results in misstatement of the financial statements, whereas error is an

unintentional action.

2. Types of Fraud

Misstatements may arise from either fraudulent financial reporting or misappropriation

of assets.

a. Fraudulent Financial Reporting

Fraudulent financial reporting involves intentional misstatements or omissions of

amounts or disclosures in the financial statements, designed to deceive financial

statement users. These are usually acts of management and may involve:

(1) Manipulation, falsification, or alteration of accounting records or supporting

documents from which financial statements are prepared;

(2) Misrepresentation in, or intentional omission from, the financial statements

of events, transactions, or other significant information; or

(3) Intentional misapplication of accounting principles relating to amounts,

classification, manner of presentation, or disclosures.

b. Misappropriation of Assets

Misappropriation of assets, or defalcation, involves theft of an entity's assets

when the effect of the theft causes the financial statements not to be presented

in conformity with GAAP. These acts usually involve one or more individuals

among management, employees, or third parties, and may involve stealing

assets or causing an entity to pay for something that has not been received.

3. Characteristics of Fraud

a. Fraud Risk Factors

Three conditions generally are present when fraud occurs. These conditions are

referred to as "fraud risk factors," and the auditor considers such factors in

identifying risks.

(1) Incentives/Pressures: a reason to commit fraud

(2) Opportunity: a lack of effective controls

(3) Rationalization/Attitude: an attempt to justify fraudulent behavior

The
Appendix includes detailed examples of the fraud risk factors.
F
RAUD
F
RAUD RISK
F
ACTORS
Auditing & Attestation 3 Becker CPA Review

A3-
26 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
b. Management Involvement in Fraud

Fraud often involves management since management is in a position to directly

or indirectly manipulate accounting records. Management can also override

established controls.

4. Reasonable Assurance

Due to the concealment aspects of fraud and the need to apply judgment in evaluating

fraud risk, even a properly planned and executed audit may fail to detect fraud. In

expressing an audit opinion, the auditor provides only reasonable (not absolute)

assurance that the financial statements are free of material misstatements resulting

from errors or fraud.

a. Fraud is often difficult to detect because those engaged in fraud will generally try

to conceal it. Collusion among various parties can also make it difficult to detect

fraud.

b. The concept of reasonable assurance recognizes the existence of audit risk but

implies that, based on a properly planned and executed audit, sufficient

appropriate audit evidence has been obtained to limit audit risk to a low level.

c. When an error or fraud has a direct effect on the financial statements, the auditor

stands a better chance of detecting it. The more indirect the effect of the error or

fraud is on the financial statements, the less chance the auditor has of detecting

it.

B. RESPONSIBILITY

1. Management's Responsibility

It is management's responsibility to design and implement programs and controls to

prevent, deter, and detect fraud.

2. Auditor's Responsibility

The auditor has a responsibility to plan and perform the audit to obtain reasonable

assurance about whether the financial statements are free of material misstatement,

whether caused by error or fraud. As part of audit planning, the auditor must

specifically assess the risk of material misstatement of the financial statements due to

fraud, and should consider this assessment in designing the audit procedures to be

performed. This risk assessment is an ongoing process, and should be considered in

every phase of the audit.

C. AUDIT REQUIREMENTS

1. Professional Skepticism

The auditor should maintain an attitude of professional skepticism, which includes a

questioning mind and a critical assessment of audit evidence.

a. The auditor should consider that fraud can occur regardless of any past

experience with the entity or any belief about management's honesty and

integrity.

b. The auditor should not rationalize or dismiss information that may be

indicative of fraud.

2. Audit Procedures

The auditor should perform the following procedures, which will also be covered in

greater detail below.

Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-27
a. Discuss fraud risk with engagement personnel.

b. Obtain information to identify specific fraud risks.

c. Assess fraud risk and develop an appropriate response.

d. Evaluate audit evidence regarding fraud.

e. Make appropriate communications about fraud.

f. Document the auditor's consideration of fraud.

D. DISCUSSION AMONG ENGAGEMENT PERSONNEL

A discussion of the potential for material misstatement due to fraud is required as part of

planning.

1. Discussion Topics

The discussion should include:

a. "Brainstorming" (an exchange of ideas).

b. An emphasis on the importance of professional skepticism.

c. Consideration of factors that create incentives or pressures to commit fraud, that

provide an opportunity for fraud to be perpetrated, or that indicate a culture or

environment that enables management to rationalize committing fraud.

d. Consideration of the risk of management override of controls.

e. How the auditor might respond to identified fraud risks.

2. Other Requirements

The discussions should involve all key members of the audit team, may include

specialists, and may occur in multiple locations. Communication should continue

throughout the audit.

E. OBTAINING INFORMATION

The auditor should perform the following procedures to obtain information useful in identifying

potential fraud risks.

1. Inquire of Entity Personnel Regarding Their Views of Fraud Risk

a. The auditor should direct inquiries to management, employees involved in

financial reporting, operating personnel, internal auditors, in-house legal counsel,

those charged with governance, etc.

b. Inquiries should be made regarding:

(1) The overall risk of fraud.

(2) Identified or suspected instances of fraud.

(3) Relevant programs and controls.

(4) The extent of oversight of distant locations.

(5) Communication of management's code of ethics.

(6) Whether management has reported to those charged with governance

regarding internal control and how it functions to prevent, deter, or detect

material misstatement due to fraud.

(7) What type of oversight the audit committee provides.

c. Inconsistent responses indicate a need for additional evidence.

Auditing & Attestation 3 Becker CPA Review

A3-
28 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
2. Consider the Results of Analytical Procedures

The auditor is required to perform analytical procedures in planning the audit, and

should consider the implications of any unusual or unexpected relationships identified.

a. During planning, the auditor is specifically required to perform analytical

procedures relating to revenue, in order to identify unusual relationships that

might be indicative of fraud.

b. Analytical procedures performed during planning often use data aggregated at a

high level, and therefore such procedures may provide only a broad indication

regarding fraud risk.

3. Evaluate Fraud Risk Factors

As discussed previously, three conditions (incentives/pressures, opportunity, and

rationalization/attitude) generally are present when fraud occurs. The auditor should

use professional judgment to determine whether and to what extent such conditions

are present.

a. Existence of Risk Factors

While the risk of material misstatement due to fraud is greatest when all three

risk factors are present, the existence of all three fraud risk factors is not an

absolute indication that fraud has occurred.

b. Absence of Risk Factors

Lack of observation of any or all of the three fraud risk factors does not imply that

there is no fraud risk. One condition may be significant enough on its own to

cause a risk of material misstatement due to fraud.

4. Consider Other Relevant Information

The auditor should consider other information that might be helpful in identifying fraud

risk. Such additional information might be identified during:

a. Discussions among engagement personnel.

b. Performance of procedures relating to the acceptance/continuance of clients and

engagements.

c. Reviews of interim financial statements.

d. The evaluation of inherent risk.

F. IDENTIFYING RISKS

The auditor should use the information gathered to identify risks that may result in a material

misstatement (at either the financial statement or relevant assertion level) due to fraud.

1. Attributes of Risk

In analyzing risk, the following four attributes should be considered.

a. Type of risk: Does it involve fraudulent financial reporting or misappropriation of

assets?

b. Significance of the risk: Can it lead to a

c. Likelihood of the risk: How likely is this to happen?

d. Pervasiveness of the risk: Does it affect the financial statements as a whole or

only specific accounts, transactions, or assertions?
material misstatement?
Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-29
2. Presumption of Risk

There is a presumption in every audit that the following two risks exist:

a. Improper revenue recognition

b. Management override of controls

These risks should be addressed by the auditor in evaluating the overall fraud risk.

3. Additional Considerations

The auditor should also consider the following factors.

a. Whether and to what extent the three fraud risk factors are present.

b. The size, complexity, and ownership characteristics of the entity.

(1) Large entities may have an audit committee, an internal audit function, or a

formal code of conduct, all of which may serve to deter fraud.

(2) A smaller entity may lack such features; however, it may exhibit a strong

corporate culture that discourages fraud.

c. The susceptibility of items to manipulation. Items are more susceptible to

manipulation when they involve:

(1) A high degree of management judgment and subjectivity, or

(2) Highly complex accounting principles.

G. ASSESSING RISKS

The auditor evaluates the identified risks after considering the effect of the entity's programs

and controls.

1. The auditor is required to obtain an understanding of the entity and its environment,

including its internal control, as part of planning the audit.

2. Specific controls may mitigate specific risks; broader controls (such as those promoting

a culture of honesty) may mitigate overall risk.

3. An identified control deficiency may exacerbate the risks.

H. RESPONDING TO ASSESSED RISK

1. Required Response

The auditor is required to respond to the results of the risk assessment on three levels.

a. Overall, General Response

The auditor should consider the overall fraud risk when:

(1) Assigning personnel to the engagement.

(2) Determining the appropriate level of supervision of engagement personnel.

(3) Evaluating management's selection and application of accounting

principles.

(4) Incorporating an appropriate level of unpredictability in the selection of

auditing procedures from one year to the next.

(a) The auditor should incorporate an element of unpredictability into

every audit.

Auditing & Attestation 3 Becker CPA Review

A3-
30 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
b. Response Encompassing Specific Audit Procedures

The auditor should respond to specifically identified risks by altering the nature,

extent, or timing of audit procedures. While the auditor's response may include

both substantive tests and tests of controls, tests of controls alone generally are

insufficient due to the risk of management override.

(1) Nature

The auditor may change the nature of specific procedures by seeking

evidence that is more reliable, or by obtaining additional corroborative

evidence.

(2) Extent

The auditor may vary the extent of testing by increasing sample size,

performing testing at a more detailed level, or performing more extensive

tests.

(3) Timing

The auditor uses judgment to determine the appropriate timing for audit

procedures. While performing substantive testing at or near the end of the

reporting period generally reduces risk, at times it makes sense to apply

such procedures to transactions occurring earlier in the period.

c. Response Addressing Risks Related to Management Override

The following procedures should be performed to address the risk of

management override of controls.

(1) Examine journal entries and other adjustments for evidence of possible

material misstatement due to fraud. For example, the auditor might focus

on nonstandard or unusual entries.

(2) Review accounting estimates for biases that could result in material

misstatement due to fraud. The auditor should also perform a

retrospective review (comparing prior period estimates to actual

subsequent events) to provide insight regarding management bias.

(3) Evaluate the business purpose for significant unusual transactions. For

instance, the auditor might consider transactions that are overly complex or

those where the accounting does not reflect the underlying substance of

the transaction.

2. Significant Fraud Risk

In cases where a significant fraud risk exists, it may not be practicable or possible to

design audit procedures that sufficiently address the risks. In such cases, the auditor

may consider withdrawing from the engagement.

3. Examples of Responses to Identified Risks

Following are examples of responses an auditor might have to identified fraud risks in

the following areas.

a. Revenue Recognition

(1) Perform substantive analytical procedures relating to revenue using

disaggregated data, (e.g., comparing revenue reported by month and by

product line with comparable prior periods, including sales returns in the

analysis).

Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-31
(2) Confirm with customers contract terms and the absence of side

agreements.

(3) Inquire of entity personnel regarding unusual conditions.

(4) Physically observe shipments close to period end.

(5) Test controls surrounding the electronic processing of revenue

transactions.

b. Inventory Quantities

(1) Examine inventory records to identify items requiring specific attention.

(2) Observe inventory counts on an unannounced basis.

(3) Conduct inventory counts at different locations on the same date.

(4) Conduct inventory counts at or near the end of the period.

(5) Perform more rigorous examination and additional testing during the

observation of the count.

(6) Compare quantities for the current period with prior periods.

c. Management Estimates

(1) Engage a specialist to evaluate management's estimate.

(2) Develop an independent estimate for comparison to management's

estimate.

(3) Perform a retrospective review of prior period estimates to provide insight

regarding possible management bias.

I. EVALUATING AUDIT EVIDENCE

The auditor is required to assess fraud risk throughout the audit and to evaluate, at the

completion of the audit, whether accumulated audit results affect this assessment.

1. Conditions Identified During Fieldwork

Certain conditions noted during fieldwork may affect the auditor's assessment of fraud

risk. While such conditions suggest the possibility of fraud, they are not absolute

evidence that fraud has occurred.

a. Discrepancies in the Accounting Records

Examples include incomplete, untimely, or improper recording of transactions;

unsupported or unauthorized balances or transactions; lack of agreement

between subsidiary and control accounts; last-minute adjustments that

significantly affect financial results; evidence of inappropriate access to systems

and records; or tips or complaints to the auditor about alleged fraud.

b. Conflicting or Missing Evidential Matter

Examples include missing or unavailable documents or electronic evidence;

documents that appear to have been altered; significant unexplained

reconciliation items, discrepancies between entity records and confirmations,

missing inventory or physical assets of considerable value; or inability to produce

evidence supporting systems development, modification, and implementation

activities.

Auditing & Attestation 3 Becker CPA Review

A3-
32 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
c. Problematic or Unusual Relationships Between the Auditor and

Management

Examples include denied access to records, facilities, employees, customers, or

vendors; undue time pressures imposed by management to resolve complex or

contentious issues; complaints by management about the conduct of the audit;

management intimidation of audit team members; unusual delays in providing

information; unwillingness to facilitate auditor access to key electronic files;

denial of access to key IT operations staff and facilities; unwillingness to add or

revise financial statement disclosures.

2. Analytical Procedures

The results of analytical procedures performed by the auditor during or at the

completion of the audit may indicate a fraud risk that was not previously identified. The

auditor should pay careful attention to unusual relationships relating to year-end

revenue and income.

3. Misstatements Due to Fraud

The auditor should consider whether any misstatements identified during the audit are

indicative of fraud, and should evaluate the related implications.

a. Misstatement caused by fraud (even immaterial misstatements) may be

indicative of an underlying problem with management integrity.

b. The auditor may need to reevaluate the assessment of fraud risk, the assessed

effectiveness of controls, and the appropriateness of the audit procedures

applied.

4. Final Evaluation

A final evaluation (at or near the completion of fieldwork) should be made regarding the

assessment of the risks of material misstatement due to fraud. Such evaluation should

include communication among engagement personnel and may indicate the need to

perform additional audit procedures. In situations where significant risk of material

misstatement due to fraud remains, the auditor should consider withdrawing from the

engagement.

J. COMMUNICATIONS

1. Management and Those Charged with Governance

Generally, any indication of fraud (even immaterial fraud) should be discussed with an

appropriate level of management, at least one level above those involved.

a. Fraud that causes a material misstatement of the financial statements should be

discussed with senior management and reported directly to those charged with

governance.

b. Fraud involving senior management should be reported directly to those charged

with governance.

c. The auditor should consider whether any identified risk factors represent

significant deficiencies or material weaknesses relating to the entity's internal

control. Such items should be communicated to senior management and those

charged with governance (discussed further in Auditing & Attestation 5).

d. The auditor may also choose to discuss identified fraud risks in other

communications to those charged with governance.

Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-33
2. Parties Outside the Entity

Ordinarily, the disclosure of fraud outside of senior management and those charged

with governance is not part of the auditor's responsibility. However, in certain

circumstances, a duty to disclose outside the entity may exist:

a. To comply with certain legal and regulatory requirements, such as on Form 8-K

and on reports required by the Private Securities Litigation Reform Act of 1995;

b. To a successor auditor when the successor makes inquiries of the predecessor

auditor, with specific permission of the client;

c. In response to a subpoena; and

d. To a funding agency or other specified agency in accordance with requirements

for the auditors of entities that receive governmental financial assistance.

K. DOCUMENTATION REQUIREMENTS

Complete documentation of the auditor's risk assessment and response is required. The

auditor should document the following items.

1. The planning discussion among engagement personnel regarding fraud risk, including

how and when the discussion occurred, the participants, and the subject matter

discussed.

2. The procedures performed to obtain information related to fraud risk.

3. Specific identified risks of material misstatement due to fraud.

4. If the auditor has not identified improper revenue recognition as a fraud risk, support for

this conclusion.

5. The results of procedures performed to address the risk of management override of

controls.

6. Other conditions and analytical relationships that warranted further audit work.

7. The nature of communications made about fraud.

L. SARBANES-OXLEY ACT

1. Under the Sarbanes-Oxley Act, severe penalties apply to those who destroy records

(or willfully fail to maintain them for at least seven years), commit securities fraud, or

fail to report fraud. The statute of limitations for the discovery of fraud has also been

extended by this Act, and protections have been provided for corporate

"whistleblowers."

II. ILLEGAL ACTS BY CLIENTS

A. ILLEGAL ACTS DEFINED

Illegal acts are violations of laws or governmental regulations committed by the entity or by

company personnel acting on behalf of the entity.

B. AUDITOR'S RESPONSIBILITY TO DETECT ILLEGAL ACTS

1. Direct Effect on Financial Statements

The auditor's responsibility to detect illegal acts that have a material and direct effect

on financial statements is the same as that for errors and fraud. In other words, the

auditor has a responsibility to plan and perform the audit to obtain reasonable

assurance that the financial statements are free of material misstatement.

I
LLEGAL ACTS
Auditing & Attestation 3 Becker CPA Review

A3-
34 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
2. Indirect Effect on Financial Statements

The auditor is under no obligation to look for illegal acts having an indirect effect on the

financial statements. However, if specific information comes to the auditor's attention

concerning illegal acts, the auditor should apply appropriate audit procedures.

Generally, the less the act affects the financial statements, the less likely it is that the auditor

will discover it.

C. AUDIT PROCEDURES

The auditor generally does not include procedures specifically to detect illegal acts, but may

discover such acts through other procedures, such as reading minutes or making inquiries of

management or of legal counsel. Information that may be indicative of illegal acts includes:

1. Unauthorized or improperly recorded transactions;

2. Payments of unusual fines or penalties;

3. Payments that are unusually large or excessive, especially those made in cash;

4. Unexplained payments, or payments for unspecified services;

5. Investigations by governmental agencies, or known violations of laws or

regulations; and

6. Failure to file tax returns or pay other appropriate fees.

D. AUDITOR'S RESPONSE TO ILLEGAL ACTS

1. Possible Illegal Acts

When the auditor becomes aware of information concerning a possible illegal act, the

auditor should:

a. Obtain an understanding of the situation;

b. Inquire of management at a level above those involved;

c. Consult the client's legal counsel about the application of relevant laws and

regulations to the circumstances; and

d. Apply additional audit procedures, if necessary.

2. Detected Illegal Acts

When the auditor concludes that an illegal act has occurred, the auditor should:

a. Consider the effects of the illegal act on the financial statements;

b. Evaluate the materiality of the illegal act, considering both quantitative and

qualitative factors;

c. Evaluate the disclosure of loss contingencies, including possible fines, penalties,

and damages;

d. Consider the implications for other areas of the audit; and

e. Communicate the illegal act to those charged with governance.

Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-35
E. EFFECT OF ILLEGAL ACTS ON THE AUDITOR'S REPORT

1. Departure from GAAP

If the auditor concludes that a material illegal act exists and that it has not been

properly accounted for or disclosed, the auditor should insist that the financial

statements be revised. If the client refuses, a qualified opinion or adverse opinion

should be issued with full disclosure of the matter.

2. Insufficient Evidence

If the auditor is precluded from obtaining sufficient appropriate audit evidence about the

illegal act, generally a disclaimer of opinion should be issued.

3. Client Response

If the client refuses to accept the auditor's report as modified, the auditor should

withdraw from the engagement and notify those charged with governance in writing.

F. IMPLICATIONS OF ILLEGAL ACTS

The auditor should consider the effect of illegal acts on the evaluation of internal control and

on the planned degree of reliance on management representations. If the client fails to take

appropriate remedial action regarding any illegal act (including those that are not material),

the auditor may consider withdrawing from the engagement.

G. COMMUNICATION OF ILLEGAL ACTS

1. Those Charged with Governance

Those charged with governance should be adequately informed of illegal acts unless

they are clearly inconsequential. Such communication may be oral or written, but oral

communications should be documented.

2. Parties Outside the Entity

Ordinarily, the disclosure of illegal acts to parties other than senior management and

those charged with governance is not part of the auditor's responsibility. However, in

certain circumstances, a duty to disclose outside the entity may exist.

a. To comply with certain legal and regulatory requirements, such as on Form 8-K

and on reports required by the Private Securities Litigation Reform Act of 1995;

(1) Under the Private Securities Litigation Reform Act of 1995, if an auditor

reports an illegal act to the board of directors of a client, and if the client

fails to take appropriate remedial action and the board fails to inform the

SEC of this fact, then the auditor is required to deliver a report concerning

the illegal act to the SEC within one business day.

b. To a successor auditor when the successor makes inquiries of the predecessor

auditor, with specific permission of the client;

c. In response to a subpoena;

d. To a funding agency or other specified agency in accordance with requirements

for audits of entities that receive governmental financial assistance.

Auditing & Attestation 3 Becker CPA Review

A3-
36 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
O
BTAINING AN
U

THE
NDERSTANDING OFENTITY AND ITS
E
NVIRONMENT
I

entity, and

environment –

obtain an

understanding
nternal control,
M

misstatement –

assess the risk
aterial
A

risk response
ssessed level of
C
ontrol testing
P

substantive testing
erform
A

evaluate

appropriateness &

sufficiency
udit evidence –
RISK ASSESSMENT

I. INTRODUCTION

The second standard of fieldwork states:

"The auditor must obtain a sufficient understanding of the entity and its environment, including

its internal control, to assess the risk of material misstatement of the financial statements

whether due to error or fraud, and to design the nature, timing, and extent of further audit

procedures."

The second standard of fieldwork requires the auditor to obtain an understanding of the entity and

its environment, including its internal control. The auditor must perform risk assessment

procedures to obtain this understanding.

A. OVERVIEW OF AUDIT STEPS

The auditor performs a series of steps in assessing risk and responding appropriately to that

risk.

1. Obtain an understanding of the entity and its environment, including its internal control.

2. Assess the risk of material misstatement.

3. Respond to the assessed level of risk by designing further audit procedures based on

this assessment.

4. Test internal controls to evaluate their operating effectiveness.

5. Perform substantive tests.

6. Evaluate the sufficiency and appropriateness of audit evidence obtained.

II. OBTAINING AN UNDERSTANDING OF THE ENTITY AND ITS ENVIRONMENT

Obtaining an understanding of the entity and its environment is critical,

as it establishes a frame of reference within which the audit is planned

and performed. While the extent of this understanding is left to the

auditor's professional judgment, it must be sufficient both to assess the

risk of material misstatement and to design and perform further audit procedures.

A. RISK ASSESSMENT PROCEDURES

The auditor should use the following risk assessment procedures to

obtain an understanding of the entity and its environment, including its

internal control.

1. Inquiries

a. Inquiries are generally made of management and others within the entity.

b. Inquiries may also be made of other parties, including the board of directors,

internal auditors, and parties outside the entity (external legal counsel, valuation

experts, etc.).

2. Analytical Procedures

Analytical procedures involve comparison of recorded amounts to the auditor's

expectations and are covered later in the course.

R
ISK ASSESSMENT
P
ROCEDURES
Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-37
3. Observation and Inspection

The auditor may observe activities and operations, inspect company documents, read

management reports, board minutes, and internal audit reports, visit the entity's

premises, and trace transactions through the information system.

4. Discussion Among the Audit Team

The members of the audit team, including the auditor with final responsibility for the

audit, other key members of the audit team, and perhaps specialists (as necessary),

should discuss the susceptibility of the financial statements to material misstatement.

This discussion:

a. Should include areas of significant audit risk, areas susceptible to management

override of controls, application of GAAP to the specific facts and circumstances

surrounding the entity, areas involving unusual accounting procedures, important

control systems, and materiality levels.

b. Allows more experienced team members to share their insights with less

experienced staff.

c. May be held concurrently with the discussion involving fraud risk.

d. Should emphasize the need to exercise professional skepticism, and to be alert

for and rigorously investigate any potential misstatements.

5. Other Procedures

In obtaining an understanding, the auditor should also consider:

a. Reviewing external information (e.g., trade journals, analysts' reports, etc.).

b. The results of the fraud risk assessment.

c. Information obtained during the client acceptance or continuance process.

d. Information obtained on other engagements performed for the entity.

e. Prior period evidence, to the extent that it is still relevant.

B. RISK ASSESSMENT PROCEDURES AND AUDIT EVIDENCE

1. Risk assessment procedures sometimes provide audit evidence about transactions,

balances, disclosures, or controls, even if they were not designed to provide such

evidence.

2. The auditor may also choose to perform substantive procedures or tests of controls

concurrently with risk assessment procedures, if it is efficient to do so.

C. ONGOING ASSESSMENT

Obtaining an understanding of the entity and its environment is a process that continues and

evolves throughout the audit, and the auditor's assessment of risk may change as additional

audit evidence is obtained. For example, the initial risk assessment may presume effective

operation of controls, but:

1. Tests of controls may indicate that controls are not operating effectively, or

2. The auditor may detect more or less frequent misstatements than would have been

expected given the initial risk assessment.

In such situations, the auditor should revise the assessment and modify planned audit

procedures.

Auditing & Attestation 3 Becker CPA Review

A3-
38 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
D. FACTORS TO UNDERSTAND

The auditor should obtain an understanding of the following factors, and should also consider

whether any of the factors have changed significantly as compared to the prior period.

1. Industry, Regulatory, and Other External Factors

Industry, regulatory, and other external factors include the competitive environment,

customer/supplier relationships, technological developments, and general economic

conditions.

2. The Nature of the Entity

The nature of the entity includes the entity's operations, ownership, governance,

investments, structure, and financing.

3. Objectives, Strategies, and Business Risks

a. Objectives

Objectives are the overall plans for an entity.

b. Strategies

Strategies are the means used to achieve objectives.

c. Business Risks

Business risks result from events or circumstances that could adversely affect

the entity's ability to achieve its objectives and execute its strategies.

(1) Business risk often arises from change or complexity.

(2) The auditor does not have a responsibility to identify and assess all

business risks, but having an understanding of such risks often aids the

auditor in identifying related risks of material misstatement. For example, a

competitive risk may render a company's product obsolete or reduce its

value, and failure to recognize this change could result in a material

misstatement of inventory.

4. The Entity's Financial Performance

Management measures and reviews the entity's financial performance to evaluate

whether business performance is meeting the desired objectives. The auditor should

obtain an understanding of this measurement and review, as it may indicate a risk of

misstatement. For example, in situations where management receives performancebased

compensation, unusual growth or profitability may be indicative of management

bias in the financial statements.

5. Internal Control, Including the Selection and Application of Accounting Policies

Internal control is a process—effected by those charged with governance,

management, and other personnel—designed to provide reasonable assurance about

the achievement of the entity's objectives. Internal control will be covered in further

detail in a later section of this class.

Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-39
S
IGNIFICANT RISKS
I

entity, and

environment –

obtain an

understanding
nternal control,
M

misstatement –

assess the risk
aterial
A

risk response
ssessed level of
C
ontrol testing
P

substantive testing
erform
A

evaluate

appropriateness &

sufficiency
udit evidence –
III. ASSESSING THE RISKS OF MATERIAL MISSTATEMENT

Throughout the process of obtaining an understanding of the entity and its

environment, the auditor should identify risks and relevant controls.

A. PURPOSE OF ASSESSING RISK

Information gathered by performing risk assessment procedures serves as

evidence to support the auditor's risk assessment. This assessment, in turn,

is used to determine the nature, extent, and timing of further audit

procedures.

B. ASSESSING SPECIFIC RISKS

For each identified risk, the auditor should consider:

1. What could go wrong at the relevant assertion level.

2. The significance and likelihood of potential material misstatements.

3. Whether the risk is significant enough to require special audit consideration (see

"significant risks," covered below).

4. Whether substantive tests alone are insufficient to reduce detection risk to an

acceptably low level (i.e., whether evaluation of controls is also necessary—covered

later).

5. Whether the risk relates to a specific relevant assertion or whether it has a more

pervasive effect on the financial statements. For example, a weak control environment

is likely to affect many relevant assertions and will require an overall response by the

auditor.

C. SIGNIFICANT RISKS

Significant risks are those that, in the auditor's judgment, require special

audit consideration.

1. Factors that May Be Indicative of Significant Risks

The presence of any of the following factors should be considered in identifying

significant risks:

a. Nonroutine, unusual, or complex transactions.

b. Business risks that may result in material misstatement.

c. Fraud risk.

d. Significant related party transactions.

e. Accounting estimates or other subjective measurements of financial information.

f. Accounting principles that are subject to different interpretations.

2. Response to Significant Risks

For significant risks, the auditor should:

a. Evaluate the design of the entity's related controls.

b. Determine whether the controls have been implemented.

c. Evaluate whether and how management responds to such risks.

(1) If management does not respond appropriately, the auditor should

communicate the matter to those charged with governance and should

consider the implications on the assessment of risk.

R
ISK ASSESSMENT
Auditing & Attestation 3 Becker CPA Review

A3-
40 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
D. TESTS OF CONTROLS

In making risk assessments, the auditor should identify those controls that are likely to

prevent or detect and correct material misstatements in specific relevant assertions. If the

risk assessment is based on effective operation of those controls, they must be tested by the

auditor.

1. A specific control may be sufficient to address an identified risk on its own, or it may

address risk only when a considered in conjunction with additional elements of internal

control.

2. Controls that are more directly related to an assertion generally are more effective in

preventing or detecting and correcting misstatements in that assertion, than are

controls which relate only indirectly to an assertion.

3. Obtaining an understanding of a control is not sufficient to determine whether the

control is operating effectively.

E. OTHER MATTERS NOTED

In assessing the risks of material misstatement, the auditor may note:

1. Significant control-related matters that should be communicated to those charged with

governance.

2. Internal control matters, situations that reflect on management integrity, or insufficient

entity records, each of which may affect the auditability of the entity. In such cases, the

auditor may need to consider qualifying the opinion, disclaiming an opinion, or

withdrawing from the engagement.

IV. DOCUMENTATION REQUIREMENTS

A. REQUIRED DOCUMENTATION

The auditor should document:

1. The discussion among the audit team, including how and when it occurred, the

participants, the subject matter discussed, and significant decisions reached.

2. Key elements of the understanding of the entity and its environment (including each of

the components of internal control), the sources of information used to develop the

understanding, and the risk assessment procedures performed.

3. The assessment of the risks of material misstatement (at both the financial statement

and relevant assertion level) and the basis for the assessment.

4. The identified risks and related controls evaluated by the auditor.

B. EXTENT OF DOCUMENTATION

A more complex entity/environment results in more extensive audit procedures, which in turn

should result in more extensive audit documentation.

Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-41
C. FORM OF DOCUMENTATION

PASS KEY

Documentation may include any item the auditor can
F I N D:
• F
lowchart
• I
nternal Control Questionnaire or Checklists
• N
arrative
• D
ecision Table
1. Flowcharts

A flowchart is a symbolic diagram representing the sequential flow of authority,

processes, and documents. It can be an essential aid in understanding and evaluating

internal control.

Flowcharting is of use to the auditor in two ways. First, flowcharts of systems are

prepared in order to evaluate internal control. Second, IT flowcharts, used as

documentation tools in programming, are useful to the auditor in evaluating the internal

control in an automated accounting environment.

a. Flowcharts Used to Evaluate Systems

An adequate flowchart shows the origin of each document in the system, its

subsequent processing, and its final disposition. Flowcharts are useful to the

auditor in evaluating internal control because they document the steps in a

process and the practices in use. The use of standard symbols makes

flowcharts easy to understand.

Sample flowcharts for the major transaction cycles appear in Auditing &

Attestation 4.

b. IT Flowcharts Used as Documentation

IT flowcharts are initially created to document the logic and existing flow of a

computer program. The auditor can use these flowcharts to evaluate both the

flow of the program and the internal controls related to the IT function in general.

c. Flowchart Organization

Flowcharts should:

(1) Show the general flow of documents and data.

(2) Start at the top of the page and move from top to bottom and from left to

right.

(3) Use descriptive wording geared to the reader.

(4) Avoid intersecting flow lines by using off-page/on-page connectors.

Auditing & Attestation 3 Becker CPA Review

A3-
42 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
d. Flowcharting Symbols

The symbols shown in this box and used in the diagrams in Auditing &

Attestation 4 represent the most commonly used symbols.

Document or

Report

Computer

Process

Key Entry

Tape File

Yes

Decision No

Manual

Process

Disk File

Display

A On-page connector

12 Off-page connector

D Off-line (paper) file; filed by:

D = Date, A = Alpha, N = Numeric

Data flow arrows

Communication link

Data

(e.g., journals,

ledgers, etc.)

2. Internal Control Questionnaires

An internal control questionnaire generally consists of a list of questions to be

answered by "Yes" or "No" response. A negative response is designed to draw

attention to a possible weakness in internal control. Written explanations are required

for "No" answers. The questionnaire format can also be open-ended, requiring

explanation by the employee being interviewed.

The questions address internal controls over an element, account, or process.

Specifically, questions should address each of the relevant control procedures.

Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-43
3. Narratives

A narrative is a written version of a flowchart. It is a description of the auditor's

understanding of the system of internal control. A narrative is prepared by following a

sequence of events for a transaction. Note that flowcharts are more appropriate for

documenting complex control structures, while written narratives are more appropriate

for less complex structures.

EXAMPLE

Sales Processing System Written Narrative

Customer purchase orders are received and a sales order is prepared in duplicate. New customers' orders are

approved for credit while any orders received from old customers are automatically granted credit. The finished goods

department fills the order and sends the sales order to the shipping department where a bill of lading is prepared. A

copy of the bill of lading is then sent to the billing department where a sales invoice is prepared. A copy of the sales

invoice is sent to the accounts receivable department for posting to the accounts receivable ledger.

4. Decision Trees or Tables

Decision trees are graphic illustrations that depict the logic of an operation or process.

They generally employ questions with "Yes" or "No" answers, which direct the user to

the next relevant questions. Decision tables are graphic illustrations that depict the

logical relationships of a system in table form. Both approaches document the auditor's

understanding of a process.

Auditing & Attestation 3 Becker CPA Review

A3-
44 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
INTERNAL CONTROL

I. INTERNAL CONTROL

Internal control is a process—effected by those charged with governance, management, and other

personnel—designed to provide reasonable assurance about the achievement of the entity's

objectives.

A. ENTITY OBJECTIVES

Objectives represent what an entity strives to achieve. An entity's objectives may be divided

into three categories:

1. Reliability of financial reporting.

2. Effectiveness and efficiency of operations.

3. Compliance with applicable laws and regulations.

B. COMPONENTS OF INTERNAL CONTROL

1. Five Components of Internal Control

Internal control consists of five interrelated components, discussed further below. The

components represent means used by an entity to help it achieve its objectives.

a.

b.

c.

communicating responsibilities.

d.

e.
Control Environment: the overall tone of the organization.Risk Assessment: management's identification of risk.Information and Communication Systems: a means of recording transactions andMonitoring: assessment of internal control performance over time.Existing Control Activities: control policies and procedures.
2. Auditor's Use of Components

a. Useful Framework

While the five components of internal control provide a useful framework for

identifying and evaluating controls, the auditor should be more concerned with

whether and how a specific control prevents, or detects and corrects, material

misstatements, than with the classification of controls into categories.

b. Relevance to the Audit

(1) Internal control is relevant to the entire entity or to any of the entity's

operating units or business functions.

(2) The five components of internal control are applicable to the audit of every

entity.

(3) Each of the five components of internal control may affect any of the three

entity objectives, but not all of an entity's objectives and related controls

are relevant to the audit. Generally, those controls that pertain to the first

objective, reliability of financial reporting, are most relevant to the audit; it is

primarily those controls that the auditor must consider and understand.

(a) The auditor need not assess all controls related to financial

reporting, but rather applies professional judgment in determining

which controls to assess.

C

R

I

M

E

I
NTERNAL CONTROL
Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-45
(b) Controls relating to the operations and compliance objectives may

occasionally be relevant to the audit, for example, if they relate to

nonfinancial data used in analytical procedures, or if they relate to

noncompliance with laws or regulations that have a direct and

material effect on the financial statements.

(c) Controls related to the safeguarding of assets often relate to both

financial reporting and operations objectives. The auditor would

generally consider only those controls related to financial reporting,

such as controls that limit access to the programs used to process

cash disbursements.

(4) Controls over the completeness and accuracy of information may be

relevant to the audit, if the auditor intends to make use of such information.

c. Factors Affecting Application of Framework

The applicability and importance of internal control components are affected by

the entity's size, organization, complexity, information processing methodology,

and ownership-management characteristics. The auditor does not need to

understand each component with the same degree of detail in every case.

C. AUDITOR'S UNDERSTANDING OF INTERNAL CONTROL

The auditor should obtain an understanding of the five components of internal control

sufficient to:

1. Evaluate the design of relevant controls and determine whether they have been

implemented.

a. Evaluating the design of a control involves determining whether it is capable of

preventing or detecting and correcting material misstatements.

b. A control has been implemented if it exists and is being used.

c. The auditor uses observation and inspection, and may trace transactions through

the client's system, to obtain evidence about the design and implementation of

controls. Inquiry alone is not sufficient.

2. Assess the risk of material misstatement.

3. Design the nature, extent, and timing of further audit procedures.

a. Identify the types of potential misstatements;

b. Consider factors that affect the risks of material misstatement;

c. Design tests of controls, when applicable (covered in more detail later); and

d. Design substantive procedures.

D. AUDITOR'S UNDERSTANDING OF ACCOUNTING POLICIES

The auditor should:

1. Obtain an understanding of how the entity selects and applies accounting policies, and

consider whether they are appropriate in the circumstances.

2. Consider when and how the entity will implement new financial reporting standards and

regulations.

3. Evaluate financial statement presentation and disclosure, including form, arrangement,

and content.

Auditing & Attestation 3 Becker CPA Review

A3-
46 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
E. SMALL AND MIDSIZED ENTITIES

Small and midsized entities often use less formal means to achieve internal control

objectives. For example, while a small or midsized entity may not have written or extensive

policies and procedures manuals or an independent party charged with governance, its

management may be more actively involved in financial reporting, or may establish a

corporate culture emphasizing integrity. The auditor must use his or her judgment to apply

the components of internal control and to make an overall assessment of control risk.

F. INHERENT LIMITATIONS OF INTERNAL CONTROL

Internal control provides only reasonable (not absolute) assurance regarding the

achievement of objectives due to the following inherent limitations of internal control.

1. Human error, which may include errors in the design or use of automated controls.

2. Deliberate circumvention of controls by collusion of two or more people.

3. Management override of internal control.

4. Segregation of duties may be difficult to achieve in a smaller entity.

G. EFFECT OF INFORMATION TECHNOLOGY ON INTERNAL CONTROL

1. Effect on Internal Control

An entity's use of information technology may affect any of the five components of

internal control:

a. Management's failure to appropriately address IT risks may negatively impact the

control environment.

b. The use of IT may enhance an entity's

information.

c. Many

way in which IT is used often affects an entity's internal control.

d. Much of the information used in

accuracy of the IT system is crucial.

e. The use of IT may affect the way in which

implemented. Also, the effectiveness of user controls may depend upon the

accuracy of information provided to the user by IT systems.
risk assessment by providing more timelyinformation and communication systems make extensive use of IT, and themonitoring is provided by IT, and therefore, theexisting control activities are
2. Manual vs. Automated Controls

a. Manual controls may be more appropriate than automated controls in situations

where judgment and discretion is required, such as circumstances in which

misstatements are difficult to define, anticipate, or predict.

b. Manual controls, however, may pose additional risks because they can be more

easily ignored or overridden, they are subject to human error, and they are less

consistent than automated controls.

3. Testing Automated Controls

a. In testing automated controls, the auditor needs to identify and test not just

specific application controls but relevant general controls on which the

application controls depend. (Application controls and general controls are

covered further below.)

b. In a manual system, manual controls such as approvals, reviews, and

reconciliations are used. In an automated system using information technology,

both manual and automated controls may be used; however, even manual

controls may be dependent to some extent on the effective functioning of IT.

Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-47
4. IT Benefits

IT is used by an entity to improve the efficiency and effectiveness of its internal control.

The auditor should consider the effect of such benefits as part of assessing internal

control. Benefits may include:

a. The ability to process large volumes of transactions and data accurately and

consistently.

b. Improved timeliness and availability of information.

c. Facilitation of data analysis and performance monitoring.

d. Reduction in the risk that controls will be circumvented.

e. Enhanced segregation of duties through effective implementation of security

controls.

5. IT Risks

The use of IT may also create additional internal control risks. The auditor must

evaluate the entity's use of IT to determine whether and to what extent the following

risks exist:

a. Potential reliance on inaccurate systems.

b. Unauthorized access to data, which may result in loss of data and/or data

inaccuracies.

c. Unauthorized changes to data, systems, or programs.

d. Failure to make required changes or updates to systems or programs.

6. Organizational Structure of the IT Department

In a computerized environment with a well-defined system of internal control, there

should be five separate and distinct functions. There should be no overlapping or

cross-supervision among the functions.

a. Control Group

The control group is responsible for internal control within the IT department

itself. This group maintains an error log in which they keep track of errors, and

they assume responsibility for determining the cause and developing an

appropriate resolution.

b. Operators

Operators convert data into machine readable form (e.g., keypunch data, scan

data, etc.) during the input stage. The processing manager has primary

responsibility for error detection and correction. Operators are given run

manuals for their own areas.

c. Programmers

Programmers develop and write computer programs. They are responsible for

debugging programs and writing run manuals.

d. Analysts

Analysts determine what is needed and design the overall system, while

programmers do the detailed work to make it happen.

e. Librarian

The librarian keeps track of program and file use, maintains storage of all data

and backups, and controls access to programs.

C

O

P

A

L

Auditing & Attestation 3 Becker CPA Review

A3-
48 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
II. INTERNAL CONTROL COMPONENTS

Following is a more detailed description of the five components of internal control.

A. IMPORTANCE OF THE CONTROL ENVIRONMENT

The control environment is the foundation for each of the other internal control components.

2

R

Assessment

by Management
isk
3

I

and

Communication

Systems
nformation
4

M
onitoring
5

E

Control

Activities
xisting
1

C
ontrol Environment
PASS KEY

The examiners' questions focus on the control environment and on an entity's existing control activities.

B. INTERNAL CONTROL COMPONENTS

1. Control Environment

a. The control environment:

(1) Sets the tone of an organization, influencing the control consciousness of

its people.

(2) Provides discipline and structure as the foundation for all other

components of internal control.

(3) Originates with, and is generated by, management and those charged with

governance.

b. The control environment includes such factors as:

(1) Communication and enforcement of integrity and ethical values of the

people who create, administer, and monitor internal controls. The control

environment is affected by the collective effect of control environment

factors, such as written policy statements and codes of conduct,

management's actions to reduce occurrence of unethical acts, and

management's reaction to violations.

(2) Commitment to competence as reflected in management's consideration of

the knowledge and skills required for particular jobs.

(3) Participation of those charged with governance, including an assessment

of their knowledge, experience, stature, and independence from

management, the extent of their scrutiny of activities and willingness to

raise difficult questions, and their interaction with internal and external

auditors.

C

C

OF
OMPONENTSINTERNAL
C
ONTROL
C R I M E

Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-49
(4) Management's philosophy and operating style, particularly with respect to

its approach to risk-taking, its attitudes and actions toward financial

reporting, and its attitudes toward information processing, accounting

functions, and personnel.

PASS KEY

The following circumstances would raise concerns regarding management's philosophy and operating style:

A. Management consumed with meeting the budget.

B. Management dominated by one person.

C. Management compensation contingent upon the entity's financial performance.

(5) Organizational structure, which is the framework within which the entity

plans, executes, controls, and monitors its activities, including

establishment of key areas of authority and responsibility and lines of

reporting.

(6) Assignment of authority, responsibility, and accountability.

(7) Human resource policies and practices related to recruitment, orientation,

training, evaluating, counseling, promoting, compensating, and remedial

activities.

c. The auditor's focus must be on the substance of the control environment rather

than the form, because appropriate procedures may be established but not

enforced.

d. Those Charged with Governance

The auditor should understand the attitudes, awareness, and actions of those

charged with governance, with respect to internal control. The responsibilities of

those charged with governance include:

(1) Overseeing the financial reporting and disclosure process.

(2) Balancing the conflicting pressures that may be placed on management

(i.e., fair financial reporting vs. positive operating results).

(3) Bearing responsibility, together with management, for the prevention and

detection of error and fraud.

(4) Overseeing "whistle-blower" procedures.

(5) Overseeing the process for reviewing the effectiveness of the entity's

internal control.

e. Pervasive Effect of Control Environment

The control environment has a pervasive effect on the auditor's risk assessment,

and preliminary judgments about its effectiveness may influence the nature,

extent, and timing of further audit procedures to be performed.

(1) Weak Control Environment

When there is a weak control environment, the auditor may perform more

substantive procedures as of the balance sheet date rather than at interim;

may modify the nature of tests to obtain more persuasive evidence; or may

increase the extent of testing (e.g., include more items, locations, etc.).

Auditing & Attestation 3 Becker CPA Review

A3-
50 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
(2) Strong Control Environment

When there is a strong control environment, the auditor may perform tests

at an interim date rather than at the balance sheet date; may use tests that

provide somewhat less persuasive evidence; or may reduce the extent of

testing.

2. Risk Assessment

Risk assessment is an entity's identification and analysis of risks to achievement of its

objectives. (Note that this component concerns the assessment by management of

risk facing the entity, not the auditor's assessment of control risk.)

a. The entity's risk assessment for financial reporting purposes involves the

identification, analysis, and management of business risks relevant to the

preparation of fairly presented GAAP financial statements.

b. Relevant accounting risks include, for example, the occurrence of external and

internal events and circumstances that may adversely affect the entity's ability to

initiate, authorize, record, process, and report financial data.

c. Circumstances from which risks may arise include:

(1) Change in the regulatory or operating environment

(2) New personnel

(3) New or revamped information systems

(4) Rapid expansion of operations

(5) Incorporation of new technology

(6) New business models, products, or activities

(7) Corporate restructuring

(8) Expansion or acquisition of foreign operations

(9) Adoption of new or different accounting principles or pronouncements

d. Management may take action to address risk, or may decide to accept a risk

based on cost or other considerations.

e. The auditor should consider whether business risks identified by management

may result in material misstatement. If management fails to identify a significant

risk, the auditor should consider why the entity's risk assessment process failed.

3. Information and Communication Systems

Information and communication systems support the identification, capture, and

exchange of information in a timely and useful manner.

a. Information

The information system relevant to financial reporting objectives consists of the

procedures (both automated and manual) and records established to initiate,

authorize, record, process, and report entity transactions, events, and conditions,

and to maintain accountability for the related assets, liabilities, and equity. It

encompasses the accounting system as well as any other methods and records

that:

(1) Identify and record all valid transactions.

(2) Describe transactions in a timely manner and in sufficient detail to allow

proper classification.

R

I

Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-51
(3) Measure and record the proper monetary value of transactions.

(4) Determine and ensure proper recording of transactions and events in the

appropriate time period.

(5) Present transactions and related disclosures properly in the financial

statements.

b. The Accounting Information System

The auditor is especially interested in the business processes relevant to

financial reporting, and should obtain an understanding of:

(1) The classes of transactions that are significant to the financial statements.

(2) Accounting processing (both automated and manual), from initiation of a

transaction to inclusion in the financial statements.

(3) The accounting records (both electronic and manual), supporting

information, and specific accounts involved in initiating, authorizing,

recording, processing, and reporting transactions.

(4) The way in which other significant events and conditions are captured by

the system.

(5) The financial reporting process, including the development of significant

accounting estimates and the inclusion of appropriate disclosures.

c. Communication

Communication involves providing an understanding of individual roles and

responsibilities pertaining to internal control over financial reporting.

Communication may be written (policy and procedure manuals, financial

reporting manuals, and memoranda), oral, or by example (through the actions of

management). The auditor should obtain an understanding of:

(1) The methods used to communicate roles, responsibilities, and significant

matters related to financial reporting.

(2) Communications between management and those charged with

governance (particularly the audit committee), and between management

and external parties, such as regulatory authorities.

4. Monitoring

Monitoring is the process that assesses the quality of internal control performance over

time, by assessing the design and operation of controls on a timely basis and taking

the necessary corrective actions.

a. Establishing and maintaining internal control is a responsibility of management.

Management must monitor controls to determine whether they are operating as

intended and whether they have been modified appropriately for changes in

conditions.

b. The monitoring process may include:

(1) Ongoing monitoring activities built into normal recurring activities, including

regular management and supervisory activities.

(2) Separate evaluations of internal control performance.

(3) An internal audit function that provides both an evaluation of internal

control (including its strengths and weaknesses) and recommendations for

improvement.

M

Auditing & Attestation 3 Becker CPA Review

A3-
52 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
(4) Evaluation of communications from external parties, such as customers

(through the payment or questioning of invoices), regulatory agencies, and

independent external auditors.

c. The auditor should obtain an understanding of the activities used by the entity to

monitor internal control and to initiate corrective actions.

5. Existing Control Activities

a. Existing control activities are the policies and procedures that help ensure that

management directives are carried out and that necessary steps to address risks

are taken.

PASS KEY

To help you remember the control activities in a strong system of internal control:

• P
renumbering documents
• A
uthorization of transactions
• I
ndependent checks to maintain asset accountability
• D
ocumentation
• T
imely and appropriate performance reviews
• I
nformation processing controls
• P
hysical controls for safeguarding assets
• S
egregation of duties
b. Control activities relevant to an audit include the following procedures.

(1) Prenumbering of Documents

Prenumbering helps to assure that:

(a) All transactions are recorded (completeness).

(b) No transactions are recorded more than once (existence).

(2) Authorization of Transactions

Authorization should occur before commitment of resources.

(3) Independent Checks to Maintain Asset Accountability

Independent checks involve the verification of work previously performed

by others. Examples include:

(a) Review of bank reconciliations.

(b) Comparison of subsidiary records to control accounts.

(c) Comparison of physical counts of inventory to perpetual records.

(4) Documentation

Documentation provides evidence of the underlying transactions and is a

basis for establishing responsibility for the execution and recording of

transactions.

E

P

A

I

D

Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-53
(5) Timely and Appropriate Performance Reviews

(a) Comparison of actual performance to budgets, forecasts, and prior

periods.

(b) Comparison of financial and nonfinancial information (for example,

the management of a sports team might use attendance data to

ascertain the reasonableness of ticket sales).

(c) Review and evaluation of functions or activities (for example, sales

reports, receivable reports, etc., may be used to analyze

performance and to identify errors).

(6) Information Processing Controls

Information processing general and application controls ensure that

transactions are valid, properly authorized, and completely and accurately

recorded.

(a) Application controls apply to the processing of individual

"applications," such as controls surrounding receivables or controls

surrounding payroll.

(b) General controls apply to information processing throughout the

company, and include controls such as access controls, controls

related to software/hardware acquisition, change, and maintenance,

and controls over data center/network operations.

(7) Physical Controls for Safeguarding Assets

Physical controls for safeguarding assets involve security devices and

limited access to programs and to restricted areas, including computer

facilities. Physical controls include:

(a) Physical segregation and security of assets, protective devices, and

bonded or independent custodians (e.g., banks, safe deposit boxes,

lock boxes, independent warehouses).

(b) Authorized access to assets and records (such as through the use of

computer access codes, prenumbered forms, and required

signatures on documents for the removal or disposition of assets).

(c) Periodic counting and comparison of actual assets with amounts

shown in accounting records (e.g., physical counts and inspections

of assets, reconciliations, and user review of computer-generated

reports).

(8) Segregation of Duties

Segregation of duties involves ensuring that individuals do not perform

incompatible duties. Duties should be segregated such that the work of

one individual provides a crosscheck on the work of another individual.

Generally, assigning different people the responsibilities of authorizing

transactions, recording transactions, and maintaining custody of the related

assets reduces the opportunities for any individual to both perpetrate and

conceal errors or fraud in the normal course of duties.

S

P

I

T

Auditing & Attestation 3 Becker CPA Review

A3-
54 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
PASS KEY

The examiners frequently test segregation of duties. To help you remember the functions that should not be combined:

"Segregation of duties" is your
ARC to protect against a flood of troubles:
• A
uthorization
• R
ecordkeeping
• C
ustody of related assets
c. The auditor often obtains knowledge about control activities while studying the

other components of internal control, and uses judgment to determine whether

additional knowledge must be obtained.

(1) An audit does not require an understanding of all control activities.

(2) The auditor's primary consideration should be whether, and how, a control

prevents, or detects and corrects, material misstatements.

SUMMARY OF THE FIVE COMPONENTS OF INTERNAL CONTROL

Component Description Key Points

Control Environment
Sets the tone of the organization. ?????? Integrity
??????
Competence
??????

governance
Participation of those charged with
??????
Management philosophy
??????
Organizational structure
??????
Assignment of responsibility
??????
Human resource policies
Risk Assessment

risks relevant to the preparation of

the financial statements.

Risks are generally related to changes.
Identification by management of the
Information

and Communication

Systems

Methods used to classify and report

transactions, and to communicate roles

and responsibilities.

??????

processing, and reporting entity

transactions, conditions, and events
Initiating, authorizing, recording,
??????

responsibilities
Communicating roles and
Monitoring

the quality of internal control performance

over time.
Procedures established to assess
??????
Internal audit function
??????

activities
Regular management and supervisory
??????

customer statements
Other procedures such as mailing
Existing Control

Activities

Policies and procedures established

to ensure that management objectives are

carried out.

??????
Authorization
??????
Segregation of duties
??????
Safeguarding of assets
??????
Asset accountability
C

R

I

M

E

Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-55
S
ERVICE
O
RGANIZATIONS
III. THE EFFECT OF SERVICE ORGANIZATIONS ON INTERNAL CONTROL

Many companies use outside organizations (commonly called "service bureaus") to

process some portion of their accounting transactions (e.g., ADP and Paychex are service bureaus

that provide processing for payroll checks and reports). A service organization's services are

considered to be part of an entity's information system when those services affect the initiation,

execution, processing, or reporting of the user company's transactions. In such cases, it may not

be practicable for the user company to implement its own effective controls for those transactions,

and controls placed in operation by the service organization are considered to be part of the user

organization's information system. For this reason, the service auditor's report may be useful to the

user auditor in evaluating the effect of the service organization on the user organization's internal

control.

A. USER AUDITOR RESPONSIBILITIES

1. The user auditor must consider the effect of the service bureau on the internal control

of the user organization and the availability of evidence to:

a. Obtain the necessary understanding of the user organization's internal control to

plan the audit,

b. Assess control risk at the user organization, and

c. Perform substantive procedures.

2. The user auditor should make inquiries concerning the service auditor's professional

reputation.

3. The user auditor should not make reference to the report of the service auditor as a

basis, in part, for the user auditor's own opinion on the user organization's financial

statements.

B. SERVICE AUDITOR RESPONSIBILITIES

1. The service auditor should inquire of management regarding subsequent events that

would have a significant effect on user organizations, and should obtain a management

representation letter.

2. The service auditor is responsible for representations in the service auditor's report and

for exercising due care in the application of procedures that support those

representations.

3. The service auditor's report should describe the scope and nature of the auditor's

procedures.

4. There are two types of reports a service auditor may provide:

a. Report on Controls Placed in Operation

A "report on controls placed in operation" may aid the auditor in obtaining an

understanding of controls; however, it is provided when tests of operating

effectiveness were not performed, and therefore it does not provide the user

auditor with a basis for reducing the assessment of control risk.

Reports on controls placed in operation should state whether the controls were

suitably designed, and whether they were implemented. The report should also

include a disclaimer of opinion on the operating effectiveness of the controls.

Auditing & Attestation 3 Becker CPA Review

A3-
56 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
b. Report on Controls Placed in Operation and Tests of Operating

Effectiveness

A "report on controls placed in operation and tests of operating effectiveness"

may provide evidence that would allow a reduction in the assessed level of

control risk. Alternatively, such evidence (to allow reduction in assessed risk)

can be obtained directly by the user auditor, either by testing the user

organization's controls over the service organization's activities, or by performing

tests of controls at the service organization.

Reports on controls placed in operation and tests of operating effectiveness

should state whether the controls were suitably designed, whether they were

implemented, and whether they were operating effectively.

5. The controls at a service organization may have been designed under the assumption

that there would be certain complementary controls implemented by user

organizations. The service auditor should obtain an understanding of the effect of user

controls on the achievement of stated control objectives.

Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-57
I

entity, and

environment –

obtain an

understanding
nternal control,
M

misstatement –

assess the risk
aterial
A

risk response
ssessed level of
C
ontrol testing
P

substantive testing
erform
A

evaluate

appropriateness &

sufficiency
udit evidence –
RESPONDING TO ASSESSED RISKS

I. RESPONDING TO ASSESSED RISK

A. TWO LEVELS OF RESPONSE

In order to reduce audit risk to an acceptably low level, the auditor should

respond to the assessed level of risk in two ways:

1. An overall response, to address risk at the financial statement level.

2. A response at the relevant assertion level, whereby the nature, extent,

and timing of audit procedures are designed to address risks related to

specific assertions.

B. OVERALL RESPONSE TO FINANCIAL STATEMENT RISK

1. In response to risk assessed at the financial statement level, the

auditor may:

a. Communicate to the audit team an increased need for professional skepticism.

b. Assign staff with more experience or specialized skills.

c. Increase the level of supervision.

d. Incorporate a greater level of unpredictability into the audit.

e. Make changes to the nature, extent, or timing of tests, such as shifting

substantive procedures closer to period end.

2. The auditor's understanding of the control environment will affect his or her assessment

of overall risk at the financial statement level.

3. The auditor's general approach to the audit may consist of either a substantive

approach, in which substantive procedures are emphasized, or a combined approach,

in which both tests of controls and substantive procedures are used.

C. RESPONSE TO RISKS AT THE RELEVANT ASSERTION LEVEL

1. There should be a clear linkage between the assessed level of risk at the relevant

assertion level and the nature, extent, and timing of further audit procedures.

PASS KEY

Three elements of further audit procedures can be varied by the auditor. An easy way to remember these elements is: We

cast our "NET" over the audit:

• N
ature
• E
xtent
• T
iming
a. Nature

The nature of an audit procedure includes both its purpose (test of control vs.

substantive procedure) and its type (inspection, observation, inquiry,

confirmation, recalculation, reperformance, or analytical procedure).

(1) The higher the auditor's risk assessment, the more reliable and relevant

audit evidence must be. The auditor varies the nature of audit procedures

in order to achieve the desired level of reliability and relevancy.

R
ESPONDING TO
A
SSESSED RISKS
Auditing & Attestation 3 Becker CPA Review

A3-
58 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
(2) If the auditor uses information provided by the entity's information system,

the accuracy and completeness of that system must be tested.

(3) In responding to assessed risks, the nature of selected audit procedures is

of primary importance.

b. Extent

The extent of an audit procedure refers to the quantity to be performed, such as

the number of observations to be made, or the sample size to be used.

(1) The higher the auditor's risk assessment, the greater the extent of audit

procedures should be.

(2) The auditor should also consider the tolerable misstatement and the

degree of assurance the auditor plans to obtain.

c. Timing

Audit tests may be performed at an interim date or at period end.

(1) The higher the auditor's risk assessment, the closer to period end

substantive procedures should be performed.

(2) Performing audit procedures before period end allows earlier identification

of significant matters; however, additional evidence is necessary for the

remaining period.

(3) In considering the timing of audit tests, the auditor should consider when

relevant information is available. Some procedures occur only at certain

times, or electronic data may not be retained indefinitely.

2. In designing further audit procedures that are responsive to the assessed risks, the

auditor should consider:

a. The significance and likelihood of the risk;

b. The characteristics of the transaction, balance, or disclosure;

c. The nature of controls used (especially whether they are manual or automated);

and

d. Whether the auditor expects to test the operating effectiveness of the controls.

3. Audit procedures should be performed to determine whether the financial statements

are presented in a manner that classifies and describes financial information

appropriately, and includes adequate disclosure of material matters.

4. Audit Approach

The auditor's specific approach to identified risks at the relevant assertion level may

consist of either a substantive approach or a combined approach.

a. Substantive Approach

For certain relevant assertions and risks, only substantive procedures will be

performed. This may occur because either:

(1) There are no effective controls relative to the specific assertion; or

(2) It would not be efficient to test the operating effectiveness of controls.

b. Combined Approach

Both tests of the operating effectiveness of controls and substantive procedures

are used. Typically, if controls are operating effectively, less assurance will be

required from substantive procedures.

Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-59
c. Tests of Controls May Be Required

In situations where a significant amount of information is initiated, authorized,

recorded, processed, or reported electronically, substantive procedures alone

may not be sufficient.

(1) The appropriateness and sufficiency of electronic audit evidence may be

dependent upon the effectiveness of related controls.

(2) There may be a relatively high potential for improper initiation or alteration

of information.

(3) For example, when an entity makes heavy use of information technology to

conduct its business, documentation of transactions may only be produced

or maintained through the information system. In such cases, substantive

procedures alone would not suffice; tests of the operating effectiveness of

controls would also be required.

d. Dual-Purpose Tests

(1) A dual-purpose test is a test of controls that is performed concurrently with

a test of details on the same transaction.

(2) The purpose of a test of controls is to evaluate the operating effectiveness

of a control, whereas the purpose of a test of details is to support relevant

assertions or to detect material misstatements. A dual-purpose test should

be designed to accomplish both objectives.

e. Results of Testing

(1) The fact that a substantive procedure does not identify any material

misstatements does not necessarily imply that the related control is

operating effectively.

(2) Material misstatements that the auditor detects through performance of

substantive procedures should be considered by the auditor when

assessing operating effectiveness.

(a) If the entity's internal control activities did not identify the material

misstatement, it may be considered a significant deficiency or a

material weakness (covered in a later class).

PASS KEY

AUDIT APPROACH

Status of Internal Control

None or Weak

Some

Strong

Risk Level

High

Medium

Low

Perform Control Tests

No (unless heavy use of IT)

Yes

Yes

Perform Substantive Testing

Yes – Maximum

Minimal (but never eliminate for

material balances, transaction

classes, or disclosures)

Auditing & Attestation 3 Becker CPA Review

A3-
60 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
I

entity, and

environment –

obtain an

understanding
nternal control,
M

misstatement –

assess the risk
aterial
A

risk response
ssessed level of
C
ontrol testing
P

substantive testing
erform
A

evaluate

appropriateness &

sufficiency
udit evidence –
II. TESTS OF CONTROLS

A. WHEN TO PERFORM TESTS OF CONTROLS

1. Tests of controls are performed when the auditor's risk assessment is

based on the assumption that controls are operating effectively, or

when substantive procedures alone are insufficient.

2. The auditor is not required to evaluate operating effectiveness as part of

obtaining an understanding of internal control. (Obtaining an

understanding of internal control includes evaluating the design of

controls and determining whether they have been implemented.)

a. Some risk assessment procedures performed to obtain an

understanding of internal control may provide evidence about

operating effectiveness, even if they were not intended for that purpose.

(1) For example, as long as there are adequate controls surrounding computer

security and program changes, the consistent nature of IT processing may

allow procedures performed to determine whether an automated control

has been implemented to also serve as a test of that control's operating

effectiveness.

b. If it is efficient to do so, the auditor may choose to test the operating

effectiveness of controls concurrently with obtaining an understanding of internal

control.

c. Only those controls that are suitably designed to prevent or detect material

misstatements are subject to tests of operating effectiveness.

B. TESTS OF OPERATING EFFECTIVENESS

Testing the operating effectiveness of controls includes obtaining evidence regarding:

1. How controls were applied.

2. The consistency with which controls were applied.

3. By whom or by what means controls were applied.

C. NATURE OF TESTS OF CONTROLS

1. Tests of the operating effectiveness of controls include: inquiries, inspection,

observation, and reperformance.

a. Inquiry alone is not sufficient.

b. Observation is generally pertinent only at the point in time when it is made, so

observation should be supplemented with other procedures, such as inquiry or

inspection.

2. The auditor should obtain evidence about the operating effectiveness of:

a. Controls directly related to the relevant assertions.

b. Other (indirect) controls that affect the direct controls (for example, controls

related to the accuracy of information in an exception report).

3. For some controls, operating effectiveness may be evidenced by documentation; for

other controls (such as the assignment of responsibility or segregation of duties),

documentation may not be available or relevant. To test such controls, the auditor

would likely rely on inquiry and observation.

4. As the planned level of assurance (about operating effectiveness) increases, the

auditor should obtain more reliable or more extensive audit evidence.

Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-61
D. EXTENT OF TESTS OF CONTROLS

The auditor should consider the following factors in determining the appropriate extent of

testing controls:

1. How frequently the control is performed.

2. The length of time during which the auditor wishes to rely on the control.

3. The relevance and reliability of the evidence to be obtained.

4. The extent to which other tests provide audit evidence about the same assertion.

5. The extent to which the auditor wishes to rely on the operating effectiveness of the

control.

6. The expected deviation rate from the control.

E. TIMING OF TESTS OF CONTROLS

1. Testing at a Particular Time versus Testing Throughout a Period

a. When tests of controls are performed at one particular time, they provide

evidence that controls operated effectively only at that time. Controls tested

throughout the period provide evidence of operating effectiveness during that

period.

b. The auditor may choose to test the operational effectiveness of a control only at

one particular time, but then supplement this test with other tests that provide

evidence for the remainder the period. For example, tests relating to the

modification and use of computer programs may provide evidence that a control

operated consistently throughout the period.

c. Tests related to period-end controls, such as tests of controls over the counting

of physical inventory at period end, may be performed at only one time, if the

auditor only intends to rely on the control at that one time.

d. Controls that are tested only during an interim period should be supplemented by

additional evidence for the remaining period.

2. Evidence Obtained in Prior Audits

Evidence obtained in a prior audit about the operating effectiveness of controls may be

used in the current audit, as long as the auditor obtains evidence about whether

changes in those controls have occurred.

a. If controls have changed since they were last tested, operating effectiveness

must be retested in the current period.

b. Even if controls have not changed, operating effectiveness must be tested at

least once every third year.

(1) Care should be taken to avoid the possibility that all controls are tested in

the same period, with no controls tested in the intervening two periods.

c. The auditor may also choose, based on the circumstances, to retest operating

effectiveness more often than once every third year.

(1) Generally, the higher the assessed risk, or the greater the intended

reliance on controls, the more frequently the auditor will choose to test

operating effectiveness.

(2) A weak control environment or a significant manual component to relevant

controls may also result in more frequent testing, or in choosing not to rely

on prior period evidence at all.

d. The auditor may not rely on audit evidence obtained in prior audits for controls

that mitigate a significant risk.

Auditing & Attestation 3 Becker CPA Review

A3-
62 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
I

entity, and

environment –

obtain an

understanding
nternal control,
M

misstatement –

assess the risk
aterial
A

risk response
ssessed level of
C
ontrol testing
P

substantive testing
erform
A

evaluate

appropriateness &

sufficiency
udit evidence –
III. SUBSTANTIVE TESTING

A. SUBSTANTIVE PROCEDURES

1. Substantive procedures are used to detect material misstatements at

the relevant assertion level.

2. Substantive procedures should be designed to be responsive to

assessed risks; however, regardless of the assessed risk, substantive

procedures are required for each material transaction class, account

balance or disclosure.

a. For significant risks, substantive procedures should be designed

that are specifically responsive to those risks.

3. Substantive procedures should include:

a. Agreement of the financial statements to the underlying accounting records.

b. Examination of material journal entries or adjustments made while preparing the

financial statements.

B. NATURE OF SUBSTANTIVE PROCEDURES

1. Types of Substantive Procedures

There are two types of substantive procedures:

a. Tests of details applied to transaction classes, account balances, and

disclosures.

b. Substantive analytical procedures.

2. Selection of Substantive Procedures

The auditor may use only substantive analytical procedures, only tests of details, or a

combination of both.

a. Substantive analytical procedures are often used when there is a large volume of

predictable transactions.

b. Tests of details are generally more appropriate when obtaining evidence

regarding the existence and valuation of account balances.

c. The auditor's determination as to which substantive procedures to use is affected

by the operating effectiveness of controls. For example, if the auditor wishes to

use information generated by the entity as part of an analytical procedure,

effective controls should surround the preparation of that information.

3. Directional Testing

a. In designing substantive procedures to test the existence or occurrence

assertion, the auditor should select from financial statement amounts and obtain

evidence supporting the inclusion of those amounts in the financial statements.

b. In designing substantive procedures to test the completeness assertion, the

auditor should select from evidence indicating that an item should be included in

the financial statements, and then determine whether the item is in fact included.

Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-63
Financial Statements

Trial Balance

General Ledger

Subsidiary Ledger

Books of Original Entry

Source Documents

Execution of Event

Transaction Approved

V O U C H

Testing for Existence

Testing for
Support
T R A C E

Testing for Completeness

Testing for
Coverage
race

ouch

C. EXTENT OF SUBSTANTIVE PROCEDURES

1. The extent of substantive procedures is affected by:

a. The risk of material misstatement: The greater this risk, the less detection risk

that can be accepted, and the greater the extent of substantive procedures.

b. Control risk: If controls are operating effectively, the extent of substantive

procedures may be reduced.

2. In designing tests of details, the extent of substantive testing generally refers to sample

size.

a. Sample size is affected by the planned level of detection risk, the tolerable

misstatement, the expected misstatement, and the nature of the population.

3. In planning substantive analytical procedures, the auditor should consider the amount

of difference from the expectation that will be acceptable.

a. The acceptable amount of difference is primarily based on the level of tolerable

misstatement, but should also include consideration of the possibility that a

combination of misstatements could aggregate to an unacceptable amount.

Auditing & Attestation 3 Becker CPA Review

A3-
64 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
I

entity, and

environment –

obtain an

understanding
nternal control,
M

misstatement –

assess the risk
aterial
A

risk response
ssessed level of
C
ontrol testing
P

substantive testing
erform
A

evaluate

appropriateness &

sufficiency
udit evidence –
D. TIMING OF SUBSTANTIVE PROCEDURES

1. Interim Testing

a. If substantive procedures are performed at an interim date, the auditor should

perform further substantive procedures, or substantive procedures combined with

tests of controls, to provide a reasonable basis for extending audit conclusions to

period end.

b. Performing substantive procedures at an interim date increases the risk that the

auditor will not detect material misstatements in the financial statements. The

longer the period between the interim date and period end, the greater the risk.

c. In certain situations, such as those in which there is an identified fraud risk, the

auditor may choose to perform substantive procedures at or near period end.

d. If substantive analytical procedures are to be used to extend audit conclusions to

period end, the auditor should consider whether:

(1) Period-end balances are reasonably predictable with respect to amount,

relative significance, and composition.

(2) The entity's accounting procedures are appropriate.

(3) The entity's information system will provide sufficient information to allow

investigation of unusual or unexpected transactions or balances.

e. If misstatements are discovered at an interim date, the auditor should modify the

related risk assessment and the procedures to be performed for the remaining

period, or should consider repeating audit procedures at period end.

f. Evidence obtained from substantive tests performed in a prior audit generally is

not sufficient for the current period.

IV. EVALUATING THE SUFFICIENCY AND APPROPRIATENESS OF AUDIT

EVIDENCE

A. REVISING THE RISK ASSESSMENT

1. Audit evidence obtained may cause the auditor to modify his or her

initial risk assessment. For example:

a. Audit evidence may differ significantly from the information on

which initial risk assessments were based.

b. Analytical procedures may indicate a previously unrecognized

risk.

c. Identification of material misstatements may alter the auditor's

judgment as to the operating effectiveness of controls.

2. The auditor should not assume that an identified instance of fraud or error is an

isolated occurrence, but instead should consider whether such an instance affects the

assessed risk of material misstatement.

3. All relevant audit evidence should be considered, regardless of whether it is consistent

with or contradicts relevant assertions in the financial statements.

4. When there is a change in the assessed level of risk, the auditor should modify planned

audit procedures accordingly.

A
UDITING AT
I
NTERIM
Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-65
B. SUFFICIENCY AND APPROPRIATENESS OF EVIDENCE

The auditor uses judgment to evaluate the sufficiency and appropriateness of audit evidence,

but should consider the:

1. Significance and likelihood of potential misstatements.

2. Effectiveness of management's responses and controls.

3. Experience gained during previous audits.

4. Results of audit procedures performed.

5. Source, reliability, and persuasiveness of audit evidence obtained.

6. Understanding of the entity and its environment.

V. DOCUMENTATION REQUIREMENTS

The auditor should document:

1. The overall response addressing assessed risk at the financial statement level.

2. The nature, extent, and timing of further audit procedures.

3. The linkage of those audit procedures with assessed risks at the relevant assertion level.

4. The results of audit procedures.

5. The conclusions reached regarding the use of prior period audit evidence in evaluating the

current operating effectiveness of controls.

Auditing & Attestation 3 Becker CPA Review

A3-
66 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
APPENDIX: EXAMPLES OF FRAUD RISK FACTORS

Fraud risk factors may relate to misstatements arising from fraudulent financial reporting or to

misstatements arising from misappropriation of assets.

I. MISSTATEMENTS ARISING FROM FRAUDULENT FINANCIAL REPORTING

A. INCENTIVES/PRESSURES

1. Threatened Financial Stability or Profitability

a. High degree of competition or market saturation.

b. High vulnerability to rapid changes.

c. Significant decline in customer demand; increasing business failures in the

industry/economy.

d. Imminent threat of bankruptcy, foreclosure, or takeover due to operating losses.

e. Recurring negative cash flows or an inability to generate cash flows while

reporting earnings and growth.

f. Rapid growth or unusual profitability.

g. New accounting, statutory, or regulatory requirements.

2. Excessive Pressure for Management to Meet Third Party Expectations

a. High expectations created in press releases or annual reports.

b. Need for additional financing to stay competitive.

c. Difficulty in meeting legal or contractual requirements.

d. Adverse consequences on significant pending transactions, if poor financial

results are reported.

3. Threats to Management or the Board of Directors' Personal Financial Situation

Based on the Entity's Financial Performance

a. Significant financial interests in the entity.

b. Significant management compensation contingent on achieving aggressive

financial targets.

c. Personal guarantees of entity debts.

4. Excessive Pressure on Management or Operating Personnel to Meet Financial

Targets

B. OPPORTUNITIES

1. The Nature of the Industry or the Entity's Operations

a. Significant related-party transactions not in the ordinary course of business.

b. Ability to dominate an industry sector and dictate terms resulting in inappropriate

transactions.

c. Significant estimates involving subjective judgments or uncertainties.

d. Significant, unusual, or highly complex transactions that pose difficult "substance

over form" questions.

Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-67
e. Significant operations in jurisdictions with different business environments and

cultures.

f. Significant bank accounts, subsidiaries, or branch operations in tax-haven

jurisdictions without a clear business justification.

2. Ineffective Monitoring of Management

a. Domination of management by a single person or small group without

compensating controls.

b. Ineffective oversight by those charged with governance.

3. Complex or Unstable Organizational Structure

a. Difficulty in determining the controlling interest in the entity.

b. Overly complex organization structure involving unusual lines of authority.

c. High turnover of senior management, counsel, or board members.

4. Deficiencies in Internal Control

a. Inadequate monitoring of controls.

b. High turnover or employment of ineffective accounting, internal audit, or

information technology staff.

c. Ineffective accounting and information systems.

C. ATTITUDES/RATIONALIZATIONS

Risk factors related to attitudes and rationalizations may be present when the auditor

becomes aware of any of the following situations.

1. Ineffective communication of the entity's values.

2. Excessive involvement of nonfinancial management in selection of accounting

principles or determination of significant accounting estimates.

3. Known history of securities law violations or claims against the entity or senior

management.

4. Management's excessive interest in maintaining or increasing the stock price and

earnings trend.

5. Practice of committing to aggressive or unrealistic earnings projections.

6. Failure to correct known significant deficiencies or material weaknesses in internal

control on a timely basis.

7. Inappropriate means of cutting earnings for tax reasons.

8. Recurring attempts by management to justify inappropriate accounting based on

materiality.

9. Strained relationship between management and the current or predecessor external

auditors.

a. Frequent disputes with the current or predecessor auditor.

b. Unreasonable demands on the auditor, such as unreasonable time constraints.

c. Inappropriate restrictions on the auditor.

d. Domineering management behavior, such as attempts to influence the scope of

the auditor's work.

Auditing & Attestation 3 Becker CPA Review

A3-
68 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
II. MISSTATEMENTS ARISING FROM MISAPPROPRIATION OF ASSETS

A. INCENTIVES/PRESSURES

1. Pressures on Management or Employees Created by Personal Financial

Obligations

2. Adverse Relationships Between the Entity and Employees

a. Anticipated future layoffs.

b. Recent or anticipated changes in compensation/benefits.

c. Rewards (promotion, compensation, etc.) inconsistent with expectations.

B. OPPORTUNITIES

1. Susceptibility of Assets to Misappropriation

a. Large amounts of cash on hand or processed.

b. Inventory characteristics, such as small size, high value, or high demand.

c. Easily convertible assets, such as bearer bonds, diamonds, or computer chips.

d. Fixed asset characteristics, such as small size, marketability, or lack of

observable ownership identification.

2. Inadequate Internal Control Over Assets

a. Inadequate segregation of duties or independent checks.

b. Inadequate management oversight.

c. Inadequate job applicant screening of employees with access to assets.

d. Inadequate recordkeeping with respect to assets.

e. Inadequate system of authorization and approval of transactions.

f. Inadequate physical safeguards over assets.

g. Lack of complete and timely reconciliations of assets.

h. Lack of timely and appropriate documentation.

i. Lack of mandatory vacations for key employees.

j. Inadequate management understanding of information technology.

k. Inadequate access controls over automated records.

C. ATTITUDES/RATIONALIZATIONS

Risk factors related to attitudes and rationalizations may be present when the auditor

becomes aware of any of the following situations.

1. Disregard for the need to monitor or reduce risk related to theft.

2. Disregard for internal control over misappropriation of assets by overriding controls or

by failing to correct known internal control deficiencies.

3. Behavior indicating dissatisfaction with the company.

4. Changes in behavior or lifestyle that may indicate that assets have been stolen.

Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-69
AUDITING & ATTESTATION 3

Class Questions Answer Worksheet

MC Question Number

First Choice Answer

Correct Answer

NOTES

1.

2.

3.

4.

5.

6.

7.

8.

9.

10.

11.

12.

13.

14.

15.

16.

17.

18.

19.

20.

Grade:

Multiple-choice Questions Correct / 20

Detailed explanations to the class questions are located in the back of this textbook.
= __________% Correct
Auditing & Attestation 3 Becker CPA Review

A3-
70 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
NOTES

Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-71
CLASS QUESTIONS

1. CPA-04620

A successor auditor should request the new client to authorize the predecessor auditor to allow a review

of the predecessor's:

Engagement letter Working papers

a. Yes Yes

b. Yes No

c. No Yes

d. No No

2. CPA-04621

A document in an auditor's working papers includes the following statement:

"Our audit is subject to the inherent risk that material errors and fraud, including defalcations, if they

exist, will not be detected. However, we will inform you of fraud that comes to our attention, unless it

is inconsequential."

The above passage is most likely from a(an):

a. Comfort letter.

b. Engagement letter.

c. Letter of audit inquiry.

d. Representation letter.

3. CPA-05603

Which of the following is always necessary in a financial statement audit?

I. Tests of the operating effectiveness of controls.

II. Analytical procedures.

III. Risk assessment procedures.

a. I, II, and III.

b. I and III.

c. I and II.

d. II and III.

4. CPA-02679

Of the following nonfinancial information, what would an auditor most likely consider in performing

analytical procedures during the planning phase of an audit?

a. Turnover of personnel in the accounting department.

b. Objectivity of audit committee members.

c. Square footage of selling space.

d. Management's plans to repurchase stock.

5. CPA-02675

During the initial planning phase of an audit, a CPA most likely would:

a. Identify specific internal control activities that are likely to prevent fraud.

b. Evaluate the reasonableness of the client's accounting estimates.

c. Discuss the timing of the audit procedures with the client's management.

d. Inquire of the client's attorney as to whether any unrecorded claims are probable of assertion.

Auditing & Attestation 3 Becker CPA Review

A3-
72 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
6. CPA-02754

Inherent risk and control risk differ from detection risk in that they:

a. Arise from the misapplication of auditing procedures.

b. May be assessed in either quantitative or nonquantitative terms.

c. Exist independently of the financial statement audit.

d. Can be changed at the auditor's discretion.

7. CPA-02759

On the basis of audit evidence gathered and evaluated, an auditor decides to increase the assessed risk

of material misstatement from that originally planned. To achieve an overall audit risk level that is

substantially the same as the planned audit risk level, the auditor would:

a. Decrease substantive testing.

b. Decrease detection risk.

c. Increase inherent risk.

d. Increase materiality levels.

8. CPA-02682

For which of the following judgments may an independent auditor share responsibility with an entity's

internal auditor who is assessed to be both competent and objective?

Assessment of Assessment of

inherent risk control risk

a. Yes Yes

b. Yes No

c. No Yes

d. No No

9. CPA-02903

Which of the following statements best describes an auditor's responsibility to detect errors and fraud?

a. An auditor should design an audit to provide reasonable assurance of detecting errors and fraud that

are material to the financial statements.

b. An auditor is responsible to detect material errors, but has no responsibility to detect fraud that is

concealed through employee collusion or management override of internal control.

c. An auditor has no responsibility to detect errors and fraud unless analytical procedures or tests of

transactions identify conditions causing a reasonably prudent auditor to suspect that the financial

statements were materially misstated.

d. An auditor has no responsibility to detect errors and fraud because an auditor is not an insurer and an

audit does not constitute a guarantee.

10. CPA-04619

Which of the following circumstances most likely would cause an auditor to suspect that there are material

misstatements in an entity's financial statements?

a. The entity's management places

b. Significant differences between the physical inventory count and the accounting records are
no emphasis on meeting publicized earnings projections.not
investigated.

c. Monthly bank reconciliations ordinarily include several large outstanding checks.

d. Cash transactions are electronically processed and recorded, leaving
no paper audit trail.
Becker CPA Review Auditing & Attestation 3

© 2009 DeVry/Becker Educational Development Corp. All rights reserved.
A3-73
11. CPA-02872

An auditor who discovers that a client's employees paid small bribes to municipal officials most likely

would withdraw from the engagement if:

a. The payments violated the client's policies regarding the prevention of illegal acts.

b. The client receives financial assistance from a federal government agency.

c. Documentation that is necessary to prove that the bribes were paid does

d. Management fails to take the appropriate remedial action.
not exist.
12. CPA-02386

When the auditor's risk assessment is based on the effective functioning of internal control, audit work

most likely would involve:

a. Performing more extensive substantive tests with larger sample sizes than originally planned.

b. Reducing inherent risk for most of the assertions relevant to significant account balances.

c. Changing the timing of substantive tests by omitting interim-date testing and performing the tests at

year-end.

d. Identifying specific internal controls relevant to specific assertions.

13. CPA-02322

An auditor is required to document the auditor's understanding of the

I. Entity's control activities that help ensure management directives are carried out.

II. Entity's control environment factors that help the auditor plan the engagement.

a. I only.

b. II only.

c. Both I and II.

d. Neither I nor II.

14. CPA-02498

An auditor's flowchart of a client's information system relevant to financial reporting is a diagrammatic

representation that depicts the auditor's:

a. Assessment of control risk.

b. Identification of weaknesses in the system.

c. Assessment of the control environment's effectiveness.

d. Understanding of the system.

15. CPA-02374

In obtaining an understanding of the entity and its environment, including its internal control, an auditor is

required to obtain knowledge about the:

a. Design of relevant internal controls pertaining to financial reporting in each of the five internal control

components.

b. Effectiveness of the internal controls that have been implemented.

c. Consistency with which the internal controls are currently being applied.

d. Controls related to each principal transaction class and account balance.

Auditing & Attestation 3 Becker CPA Review

A3-
74 © 2009 DeVry/Becker Educational Development Corp. All rights reserved.
16. CPA-02348

In planning an audit, the auditor's knowledge about the design of relevant internal controls should be used

to:

a. Identify the types of potential misstatements that could occur.

b. Assess the operational efficiency of internal control.

c. Determine whether controls have been circumvented by collusion.

d. Document the assessed level of control risk.

17. CPA-02482

Which of the following are considered control environment factors?

Human resource

Detection policies and

risk practices

a. Yes Yes

b. Yes No

c. No Yes

d. No No

18. CPA-02506

An auditor should obtain sufficient knowledge of an entity's information system relevant to financial

reporting to understand the:

a. Safeguards used to limit access to computer facilities.

b. Process used to prepare significant accounting estimates.

c. Procedures used to assure proper authorization of transactions.

d. Policies used to detect the concealment of fraud.

19. CPA-02473

Proper segregation of duties reduces the opportunities to allow persons to be in positions to both:

a. Journalize entries and prepare financial statements.

b. Record cash receipts and cash disbursements.

c. Establish internal controls and authorize transactions.

d. Perpetrate and conceal errors and fraud.

20. CPA-02372

Which of the following types of evidence would an auditor most likely examine to determine whether

internal controls are operating as designed?

a. Gross margin information regarding the client's industry.

b. Confirmations of receivables verifying account balances.

c. Client records documenting the use of IT programs.

d. Anticipated results documented in budgets or forecasts.