Audit Chapter – 2

2.1 Quality Control

Elements of Quality Control
 Statement of Quality Controls standards (SQCS) are issued by the Auditing
Standards Board (ASB) to provide guidance with respect to quality control.

 6 elements of Quality Control policies and procedures applicable to firms accounting

and auditing practice:

H - Human Resources
E - Engagement/ Client Acceptance and Continuance
L - Leadership Responsibilities
P - Performance of the engagement
M - Monitoring
E - Ethical Requirements

Human Resources

1. Recruitment and hiring

2. Determining capabilities and competencies
3. Assigning personnel to engagements
4. Professional Development
5. Performance Evaluations
6. Compensation
7. Advancement

Engagement/Client Acceptance and Continuance (MCQ’s)

- Minimize the likelihood of association with a client whose management lacks

integrity.
- Consider the reputation of client, it’s owners, KMP, RP
- Undertake only those engagements which the firm can reasonably expect to
complete with professional competence (Must have personnel with appropriate
knowledge)
- Firms should be able to perform the engagement within the reporting deadline.
- Can comply with legal and ethical requirements.
- Have an understanding with the client regarding nature, scope and limitations of
the service to be provided.
- Must have policies and procedures for withdrawal from an engagement.

 Examples:

- Reviewing the financial statements and credit ratings of the proposed clients.
- Inquiring of 3rd parties as to the reputation of the proposed client.

CPA – AUDIT NOTES | Shikhar Sehgal

 - Evaluating the firm's ability to service the client properly.
- Periodically re-evaluating clients for continuance, including consideration of
significant issues that arise during the current or prior period engagements.

Leadership Responsibilities

- Firm’s leadership bears ultimate responsibility for the firm’s quality control system
and should create a culture that emphasizes quality.
- “Tone at the Top” influences attitude throughout the firm

Performance

- Achieve a consistently high level of performance.

- Ensure that the engagement is appropriately supervised and reviewed.
- Maintain confidentiality, safe custody, integrity, accessibility, retrievability and
retention of engagement documentation.
- Provide means to resolve difference of opinion.
- Allow consultation with experts inside or outside the firm.
- Establish and follow guidelines to determine when engagement quality control
review should be performed.

Example: Engagement documentation will be filed with document control. Document

control will only release documentation to approved personnel.

Monitoring

- Ongoing consideration and evaluation of the design and effectiveness of the

quality control system
- A partner with appropriate experience should bear responsibility for the
monitoring process.
- Monitoring procedures:

 Peer Review:
- One CPA firm reviews another CPA firm’s compliance with it’s Quality Control
system.
- Required every three years in order to maintain the membership in AICPA

 “Wrap-up” or second partner “preissurance” review of the audit documentation by

a partner not otherwise involved in the audit. Reviewers should make significant
judgements made by the engagement team and related conclusions reached in
forming the overall conclusion. The SOX requires such review for every public
company audit report.

The procedures should be documented, including evaluation of deficiencies

noted and corrective action taken.

Ethical Requirements

- Maintaining independence in fact and appearance in all required circumstances.

- All firm personnel should confirm their independence in writing at least annually.
- Should perform all professional responsibilities with integrity.

CPA – AUDIT NOTES | Shikhar Sehgal

 - Maintain objectivity in discharging professional responsibilities.

Example: At least annually, all firm personnel that are subject to independence requirements
will confirm their independence in writing.

2) Other Considerations
 Quality control policies and procedures should be communicated to firm personnel.
(Written communication is not required but it can be helpful)

 GAAS vs QCS (IMP):

GAAS: Relate to the conduct of each individual audit engagement.

QCS: Relate to the conduct of all professional activities of the firm’s practice as a whole.

Note: Failed quality control does not mean that a specific engagement was not performed in
accordance with appropriate standards (GAAP or GAAS)

3) Reviewing the work of Others

 Engagement Partner should review:

- Critical areas of judgement.

- Significant Risks (Always include revenue recognition and management override)
- Other areas that the partner considers important.
 Documentation requirement:

- Include who performed the work, date the work was completed, who reviewed the
audit documentation and the date of the review.

4) QCS for Non-Issuers

 Based on AICPA standards.

 Objective of the auditor is to implement quality control procedures at the engagement

level provides reasonable assurance that:

- The audit complies with the professional standards and applicable legal and
regulatory requirements.
- The auditor issues a report that is appropriate.

 Engagement quality control review is not required.

 QC review is performed only when required by the firm.

 QC reviewers can be a partner or other qualified persons in the firm with appropriate
experience that is not a part of the engagement.

CPA – AUDIT NOTES | Shikhar Sehgal

  Engagement QC reviewer’s evaluation of the engagement team’s significant
judgement and conclusions should include:

- Discussion of significant findings.

- Reading of the FS
- Review of the audit documentation.
- Evaluation of the conclusions.

5) QCS for Issuers

 Based on PCAOB standards.

 Require an engagement quality review and concurring approval of the audit report.

 Reviewing partner should be the one who is not associated with the engagement.

 Review process:

- Evaluate significant judgements related to planning, risk identified and materiality.

- Evaluate responses to significant risks.
- Evaluate judgements about materiality, corrected and uncorrected
misstatements.
- Evaluation of firm’s independence.
- Ensure completion of the documentation and no unresolved issues.
- Review FS and management's report on IC
- Evaluate CAM’s

 According to PCAOB standards, each of the following should be included in the

documentation of an engagement QC review:

- The date on which the engagement quality control reviewer provided concurring
approval of issuance.
- Identification of the documents reviewed by the engagement quality reviewer and
others who assisted the reviewer.
- Identification of the engagement quality reviewer and others who assisted the
reviewer.
- The engagement quality reviewer is required to identify the fraud workpapers.
Please note that they are not required to include an assessment of the
workpapers reviewed.

 Concurring Approval of issuance

 The firm cannot give the client permission to use the engagement report until
the engagement quality reviewer provides concurring approval of issuance.

 The engagement quality reviewer may provide concurring approval of

issuances only if there are no significant engagement deficiencies.

 Significant deficiencies:
- Failed to obtain sufficient appropriate evidence.

CPA – AUDIT NOTES | Shikhar Sehgal

 - Inappropriate overall conclusion.
- Report is not appropriate.
- The firm is not independent of the client.

Notes:

 CPA firm- Comply with QCS

 Audit engagement- Comply with GAAS
 QCS apply to audit, attestation, accounting and review services by CPA firm
 A CPA firm should establish procedures for conducting and supervising work at all
organizational levels to provide reasonable assurance that the work performed meets
the firm’s QCS. To achieve this goal the firms would most likely establish procedures
for reviewing the audit documentation and engagement reports. This relates to the
quality control element of performance.

CPA – AUDIT NOTES | Shikhar Sehgal

2.2 Documentation
Audit Documentation (working papers) is the principal record of the audit procedures
performed, evidence obtained and conclusions reached. Working papers documents the
procedures that are applied and the conclusions reached in an audit engagement.

Audit Documentation should:

- Comply with GAAS standards.

- Show that the accounting records reconcile with the financial statements.
- Support auditor’s opinion.
- Contain enough information to allow an inexperienced auditor with no
previous connection to the audit to understand that the work was performed.
- Aid in training and in conduct/supervision of audit.
- Include who performed the audit documentation with date and time.
- Include who reviewed the documentation with date and time.

Audit documentation is divided into Permanent and Current files: (IMP)

- Permanent (Continuous file): Carried forward from year to year. Example:

Articles of Incorporation, flowchart of IC, copy of pension contract plan,
leases, bond agreements, contracts, stock options, *minutes of meetings* etc.

- Current File: This year’s “stuff” Example: Bank Recons. FS, Auditor’s report,
working TB, Bank statements, Attorney’s letters, lead schedules.

Ownership and confidentiality: (IMP)

- Audit documentation is auditor’s independent property.
- It can’t be disclosed without client’s permission, except for:

1. A quality review program.

2. The subpoena court order.
3. An investigation conducted by AICPA or by state statute.
4. Requested by our attorney i.e (the CPA firm) if we are sued by our
client.
5. When requested by the successor auditor of that client and you are
the predecessor auditor* Predecessor auditor is the one who was
engaged to perform but did not complete an audit.

*Note: Disclosure of audit documents by the Predecessor

auditor to the current auditor is not mandatory by law and is up
to the predecessor.

CPA – AUDIT NOTES | Shikhar Sehgal

Retention and Completion:

1. Report Release date: The date on which the auditor grants the client, permission to
use the report. (Ownership of WP remains with the CPA firm)

2. Document Completion Date: Auditor is granted a certain window of time following the
report release date to assemble the final audit documentation file. The auditor must
not make any deletions to Audit documentation before the end of specified retention
period.

 SAS rules (non-issuers): 60 Days

 PCAOB rules (Issuers): 45 Days

3. Document Retention:

 SAS rules (non-issuers): 5 years

 PCAOB rules (issuers): 7 years

 Audit documentation serves the following purpose:

1. Provide principal support to the auditor's report.
2. Assistance in Planning, conduct and supervision of the audit.
3. Accountability
4. Useful Information.

 The complexity and size of the entity will most likely influence the form and extent of
the auditor’s documentation of an entity’s internal control environment. For eg. A
smaller, less complex entity will typically have fewer controls than a larger complex
entity and therefore most likely would result in less documentation about the entity’s
IC. Factors affecting the nature and extent of audit documentation:

- The risk of material misstatement.

- The extent to which judgement was required in performing the work and
evaluating the results.
- The nature of specific auditing procedures.
- The significance of the evidence obtained.
- The nature and extent of problems identified.
- The need to document conclusions that may not be obvious.

 An auditor’s working TB generally consists of columns for reclassifications and

adjustments.

 Audit Documentation should give an indication that the accounting records reconcile
with the financial statements.

Audit Tick mark Tips:

 Checking mathematical accuracy for ROWS: Cross Footed

 Checking mathematical accuracy for COLUMNS: Footed

CPA – AUDIT NOTES | Shikhar Sehgal

2.3 Terms of Engagement

CPA – AUDIT NOTES | Shikhar Sehgal

Appointment of the Auditor:

- Client’s Audit Committee is responsible for the selection and appointment of the
independent external auditor. The engagement letter will be addressed to the person
who is an authorised representative of the BOD and client’s audit committee.

- Under SOX act, the auditor’s report is overseen by the client's Audit Committee. The
Audit Committee must pre approve all services provided by the auditor.

- Although early appointment of the auditor allows the auditor to plan a more efficient
audit, an auditor is permitted to accept an engagement near or after the year end.
The auditor should consider if the late appointment will pose LIMITATIONS on the
audit.

CPA – AUDIT NOTES | Shikhar Sehgal

Client Acceptance and Continuance:

As a part of pre-acceptance phase of the engagement, the auditor should assess the
following:

1. Firm’s ability to meet the reporting deadlines:

Affected by factors like timing and complexity of the engagement and the availability
of the audit staff.

2. Firm’s ability to staff the Engagement:

Must have personnel with both experience and availability.

3. Independence

4. Integrity of Client Management:

Avoid association with those who lack integrity.

5. Group Audits

Preconditions for an Audit:

Before accepting an audit engagement with a new or existing client, the auditor
should ensure that the following pre-conditions for an audit are present-

1. Applicable FRF: Auditor should determine whether the financial reporting framework
used by the client is acceptable.

2. Management Responsibilities: The management and those charged with

governance from the client’s organization should and acknowledge the following to
the auditor and understand it’s responsibilities for:

- The preparation and presentation of FS as per FRF

- For the design, implementation and maintenance of the IC
- To provide the auditor with access to all relevant information, unrestricted access
to persons within the entity for collecting necessary audit evidence.

3. Management Imposed Scope Limitations: If major scope limitations exist that will
eventually lead to disclaimer of opinion, then the auditor should not accept an
engagement. (except when the audit is required by law)

Agreement on Audit Engagement terms:

- Establishing an agreement with the client is required to reduce the risk of
misinterpretation.

- Engagement letter contents (V.IMP): The engagement letter may include the
overall audit strategy but not specific audit procedures unless requested by the
client. The agreement must include the following:

CPA – AUDIT NOTES | Shikhar Sehgal

 1. Objective and scope of the audit.
2. Responsibilities of the auditor.
3. Responsibilities of the management (for fair presentation of FS) (Written
representation)
4. Statement about inherent limitations.
5. Identification of applicable FRF
6. Reference to the expected form and content of any report to be issued.

- Engagement letter can also include other information like fees and billing
arrangements, use of specialists and internal auditors, arrangements to be made with
PY auditors etc.

- For recurring audits, the auditor should assess whether circumstances require the
terms of the engagement to be revised.

Initial Audits:

- Successor auditor MUST Communicate with the predecessor auditor. Predecessor

auditor is the one who was engaged to perform but did not complete an audit.

CPA – AUDIT NOTES | Shikhar Sehgal

 - It is mandatory to communicate with the PY auditor but with the client’s permission.
In case the client doesn’t let you talk to the PY auditor, you can decide not to accept
the engagement. Inquire the following (Oral or written):

1. Information about management’s integrity.

2. Understand PY auditor’s reason for change. (imp)
3. Disagreements with the management regarding accounting principles and
audit procedures.
4. Discussion regarding any fraud, non-compliance of laws and matters relating
to IC.

- Current auditor can discuss the following with the predecessor auditor AFTER
accepting the audit engagement:

1. Discussion on matters that may facilitate evaluation of FR consistency

between current and prior years.

2. Matters involving continuing auditing and accounting significance like-

 Contingencies
 BS accounts
 Internal controls

- During the audit, ask prior CPA about their WP for review. New auditor should
request management to allow a review of the PY auditor’s WP.

Change in Engagement

- Change in engagement can be from an audit to a review or a compilation.

- Auditor should consider:

1. Reasons for the change request.

2. Efforts required to complete the engagement.
3. Estimated additional cost

- Acceptable reasons for change:

1. Change in client’s requirement.

2. Misunderstanding as to the nature of service to be rendered.

- Unacceptable reasons for Change (Consider withdrawing)

1. Engagement would uncover fraud.

2. Client is attempting to create misleading or deceptive FS

- Scope Limitation (Consider withdrawing)

1. Client refuses to allow a correspondence with legal counsel.

2. Client refuses to provide a signed representative letter.

CPA – AUDIT NOTES | Shikhar Sehgal

Notes:

 Case: An accountant who had begun an audit of FS of a non-issuer was asked to

change the engagement to a review because of a restriction on the scope of audit. If
there is a reasonable justification for the change, the accountant’s review report
should not include reference to the original engagement, to any auditing procedures
that may have been performed or to the scope limitation that resulted in the changed
engagement.

CPA – AUDIT NOTES | Shikhar Sehgal

2.4 Planning

During planning, the auditor is required to:

1. Obtain knowledge of client’s business and client’s industry.

2. Develop the Audit strategy.
3. Develop the Audit plan.
4. Perform risk assessment procedures.

Knowledge of Client’s business and industry:

The auditor is not required to have prior experience with a client’s business or
industry before accepting the engagement. However, once the engagement has
been accepted, the auditor must obtain an understanding of both the client’s industry
and the business.

Industry Knowledge:

1. AICPA accounting and audit guides.

2. Trade publications and professional trade associations.
3. Government publications.
4. AICPA accounting trends and techniques.

Business knowledge:

1. Tour client’s facilities (observe the general operations)

2. Review the financial history of the client (WP’s, minutes, tax returns, SEC
filings)
3. Obtain an understanding of client’s accounting system (helps in developing
IC)
4. Inquire client’s personnel

Developing the Audit Strategy (must be written) NET**

Nature: Approach/Type of Auditing (Test of controls or substantive)

Extent: Scope (Less or more work)

Timing: When to perform (More on interim and less on BS date or vice versa?)

The audit strategy outlines:

- Factors determining the Focus of the Audit. (N)

- Scope of Audit. (E)
- Reporting Objectives, audit timings and required communications. (T)

CPA – AUDIT NOTES | Shikhar Sehgal

 - Preliminary assessment of materiality, audit risk, IC’s and tolerable
misstatement

In developing an overall audit strategy:

 The auditor should consider preliminary evaluations of materiality, audit risk

and internal control.
 The auditor may determine the extent of involvement of the client's internal
auditors.

Developing the Audit Plan (must be written)

In developing the audit plan:

- The auditor should make a preliminary assessment about materiality in the

planning stage.
- A written audit plan should establish specific audit objectives that primarily
relate to the FS assertions.

Refer chapter 3.3

Audit procedures can be categorized as:
for more details

Audit Procedures

Risk Assessment Further audit Other audit

Procedures Procedures Procedures

Test of Controls Substantive

Procedures

Risk Assessment Procedures: Risk assessment procedures are used to obtain an

understanding of the entity’s:
- IC and its environment.
- Assess the risk of material misstatement
- To determine the NTE for further audit procedures.

(Risk assessment procedures alone do not provide sufficient audit evidence

to support an audit opinion)

CPA – AUDIT NOTES | Shikhar Sehgal

Further Audit Procedures:

1. Test of Controls: To evaluate the operating effectiveness of the company’s

IC
2. Substantive Procedures: Conducted to test material misstatements. Auditor
tests Account balances ($$)

 Other Audit Procedures: May be necessary to comply with GAAP

Considerations for FS Assertions

Further audit procedures are performed at the relevant assertion levels for each:

 Material account balance

 Transaction class
 Disclosure items in FS

Assertions are claims and characteristics of FS made by the management that need
to be tested and verified by the auditors to ensure that financial records and
disclosures are correct and appropriate.

6 main FS Assertions
Completeness: All account balances, transactions and disclosures that should have
been recorded have been recorded and included in the FS.

Cut Off: Transactions have been recorded in the correct accounting period.

Valuation, Allocation and Accuracy: Account balances, transactions and

disclosures are recorded fairly and any resulting valuation or allocation adjustments
are appropriately recorded.

Existence and Occurrence: Account balances exist and transactions that have
been recorded and disclosed pertain to the entity.

Rights and Obligations: The entity holds or controls the rights to assets and the
liabilities are the obligations of the entity.

Understanding and Classification: Transactions have been recorded in the proper

accounts. Financial information is appropriately presented and described and the
disclosures are clearly expressed.

CPA – AUDIT NOTES | Shikhar Sehgal

 Notes:

 According to PCAOB standards, a centralized accounting function is

indicative of less complex functions.

 IF the assistant is having difference in opinion with the final auditor, he can
dissociate himself but must document the details of his disagreement and the
conclusion reached.

CPA – AUDIT NOTES | Shikhar Sehgal

2.5 Using the Work of Others

Client’s Internal Auditors

- Internal auditors are not independent. They cannot make judgement calls.
- Cannot share external auditor’s responsibility for audit decisions, judgements or
assessment, valuations, adequacy testing with internal auditors. But can assist in
procedures.
- In case of high risk of material misstatement or in cases of high degree of
uncertainty, Internal auditors work cannot eliminate direct testing by the external
auditor.

- External auditor’s responsibilities w.r.t internal auditor’s work:

 Obtain an understanding of the internal audit functions.

 Must supervise and review all the work performed on the audit.

 Must remain solely responsible for the report on the FS. Internal auditors may
assist in routine tasks but are not allowed to make judgement calls.

 In case the external auditor plans to use the internal auditor’s direct
assistance, then he must assess the internal auditor’s: (Imp)

- Competence (education, exp, performance evaluation, Quality of

IC, audit plan, procedures and quality of audit documentation)

- Objectivity (Organization level to which the internal auditor

reports)

- Application of a systematic and disciplined approach. (work

done by them)

- To evaluate the above 3 the auditor:

 May consider information obtained from previous auditors

 May depend on quality reviews of internal auditor’s
activities.
 May have discussions with management personnel.

Using the work of a Specialist (**Recently amended ∴ Important)

- A specialist is a person/firm with special skills either in the field other than
accounting or auditing.

- Terminology for Specialists as per SAS and PCAOB

CPA – AUDIT NOTES | Shikhar Sehgal

 SAS (Non- Issuers) PCAOB(Issuers)

Internal Auditor Specialist Auditor-Employed Specialist

External Auditor Specialist Auditor-Engaged Specialist

Management Specialist Company Specialist

Auditor’s Specialist: An individual or organization specialized in the field other than

accounting/auditing employed to assist the external auditor to assist in obtaining
sufficient appropriate audit evidence. Employed by auditor’s firm / network firm /
external specialist.

- Determine the need for an auditor's Specialist. (like actuarial calculations,

interpreting legal documents, valuing restricted securities or work of art)
- Understand the Specialist’s field of expertise
- Evaluate the relevance, reliability and adequacy of the specialist’s work for
the auditor’s purposes.
- Specialist’s competence, capability and objectivity.
- Check specialist’s professional qualification, experience, reputation.
- Check specialist’s relationship with the entity
o If unrelated: Perfect
o If related: May be acceptable subject to additional procedures.
- Evaluate the adequacy of the specialist’s work (review WP, review reports)
- Effect on auditor’s report: (Imp)

1. If the specialist’s findings indicate that the FS are not in conformity

with GAAP, a qualified or adverse opinion would be issued.
2. If a modified or unmodified opinion with an EOM or explanatory para is
issued, then the auditor can take specialist’s reference with his/her
permission.
3. If there is an unmodified opinion, then no reference should be made.

Management’s Specialist: An individual or organization specialized in the field other

than auditing/accounting employed to assist the entity in the preparation of FS.
Cannot make judgement calls.

 If management specialist’s information to be used as audit evidence, then the

auditor should:

1. Evaluate the competence, capability and the objectivity of the

specialist.
2. Obtain an understanding of the work of the specialist.
3. Evaluate the appropriateness of the specialist’s work

Notes:

 Auditor does not share the responsibility for the audit report with the specialist
and internal auditor even if both are deemed to be objective and component.
Audit report is the responsibility of the external auditor.

CPA – AUDIT NOTES | Shikhar Sehgal

 2.6 Materiality
Materiality is the amount of error or omission that would affect the judgement of a
reasonable person. It should be based on professional judgement.

Materiality levels are generally considered in terms of the smallest aggregate levels of misstatements
that could be considered material to any one financial statement.

Materiality for FS as a whole need to be expressed as a specific amount.

Both qualitative and quantitative factors must be considered while setting materiality and the
auditor should use the smallest level of misstatement that could be material to any one of the
FS.

Auditors should make preliminary assessment of materiality as a part of audit strategy and
should revise them when required throughout the audit. Following factors are used to make
preliminary assessment:

- Prior period financial results.

- Any significantly known or expected changes in the entity’s circumstances.
- Changes in the conditions of the industry or the economy as a whole.
- FS benchmark should be as a %.
- Examples of materiality benchmarks: Total revenue, gross profits, PBT, net
assets.

Types of Materiality

o Overall Materiality: Materiality for FS as a whole. (Smallest aggregate level of

misstatement)

Overall Materiality = Applicable Benchmark * Applicable Percentage

o Performance Materiality: Amount set by an auditor at less than overall materiality

For Non-Issuers level for FS as a whole. This is to reduce the probability of misstatements exceeding
overall materiality for FS as a whole. It is a % of overall materiality

High likelihood of uncorrected / undetected misstatements: Lower % of overall

materiality say 60%

Low likelihood of uncorrected / undetected misstatements: Higher % of overall

materiality say 80%

o Tolerable Materiality: Maximum error in a population that the auditor is willing to

For Issuers accept.

o Component Materiality: In order to reduce the risk that the aggregate of the
undetected misstatements in the group financial statements of a non-issuer exceeds
the materiality for group FS as a whole, an auditor should establish a component
materiality that is lower than the materiality for the group FS.

CPA – AUDIT NOTES | Shikhar Sehgal

 The auditor should determine separate materiality levels for:

- Certain classes of transactions

- Account balances
- Disclosures

(These separate materiality levels are required when an amount less than materiality
of FS as a whole can influence economic decisions of the users)

 Points to be noted about materiality:

1. The auditor’s consideration of materiality is influenced by his/her perception

of the needs of a reasonable person relying on financial statements.

2. The concept of materiality recognizes that some matters either individually or

in aggregate are important for fair presentation of FS in conformity with
GAAP, while other matters are not important
(i.e professional judgement)

3. Materiality as a whole = Smallest aggregate level of misstatement.

4. Materiality = Quantitative + Qualitative

5. Materiality = Info that is likely to be viewed by a reasonable investor as

alerting the mix of available information.

 TBS Tip:

- Take care of singulars and plurals in the keywords.

- If in a search a few sections are missing, check them out as well. For e.g. A search
shows A6,7 and 9. Then look at what’s there in A8 as well because it will also be one
the same topic.

CPA – AUDIT NOTES | Shikhar Sehgal

2.7 Risk Assessment (Part 1)
 Risk assessment procedures are used to;
obtain an understanding of the entity and its environment including its internal
control;
in order to identify and assess the risk of material misstatement and determine
the NTE of further audit procedures.

 Risk assessment procedures alone do not provide audit evidence sufficient to

support an audit opinion but help in planning the audit procedures.

 The auditor may choose to perform substantive procedures or test of controls

concurrently with risk assessment procedures if it is efficient to do so.

Risk Assessment Procedures

The auditor performs the following risk assessment procedures:

1. Obtain an understanding of the entity and its environment.

2. Obtain an understanding of Internal control over financial reporting.
3. Inquire with the audit committee, management and others within the company
about the risk of material misstatement.
4. Perform analytical procedures to assist with planning.
5. Conduct a discussion among the engagement team members regarding the
risk of material misstatement.
6. Perform other procedures.

Obtaining an understanding of the entity and its Environment (needs

to be documented)
The auditor should obtain an understanding of the following factors and
document them:

 Industry, Regulatory and other external factors (that increases the

pressure on the company)

 Nature of the entity (understand the operations, CG, investments, SEC

filings, financial methods and FR practices)

 Entity’s selection and application of Accounting policies (Understand

disclosures, reasons for change, accounting principles in determining
management’s estimates and assumptions)

 Entity’s Objectives (Overall plans)

Strategies (used to achieve objectives)
and Business risks (that could adversely affect the entity’s ability to achieve

CPA – AUDIT NOTES | Shikhar Sehgal

 its objectives and execute it’s strategies)

 Entity’s Financial Performance: Management itself measures the entity’s

financial performance periodically to understand whether the business
performance is meeting the desired objectives;

The auditor must review this performance to understand if there is any

indication of the risk of misstatement;

For e.g. Check if there is pressure to commit fraud. Unusual growth not in
sync with performance base compensation.

Other Risk Assessment Procedures

o Analytical Procedures (Imp):

- Required during the planning stage as well as final review stage.

- Compares relationship between both financial and non-financial data.

Non-financial data is also related to the financial data in some way.

- Analytical procedures:

- Enhance the auditor’s understanding of the entity and client’s

business.

- Includes comparison between current and prior year data.

- Includes comparison of recorded amounts to independent

expectations developed by the auditor.

- Enhance the auditor’s understanding of the transactions and

events that have occurred since the last audit.

- Identify unusual transactions and events, amounts and ratios or

trends that may be significant to the FS and may represent specific
risks relevant to the audit.

Other Procedures

o Audit Data Analytics (ADA): An auditor may use ADA while performing risk
assessment procedures. ADA involves analysing patterns, identifying anomalies
and extracting useful info. 5 steps to perform ADA:

- Plan the ADA (Determine the objectives and select the data population
to be analysed)
- Access and prepare the data.
- Consider the relevance and reliability of the data used.
- Perform the ADA

CPA – AUDIT NOTES | Shikhar Sehgal

 - Evaluate the result and conclude.

 Ongoing Assessment: If the auditor’s assessment of risk changes as additional evidences is

obtained during the field work, then the auditor should revise the assessment and modify
the planned audit procedures.

Example:

 Audit Procedures:

o Test of Controls: Performed to evaluate the effectiveness of the controls.

o Test of Transactions: Test of specific transactions to evaluate if they are
recorded properly.
o Test of Detail: Audit procedures to gather significant evidence to support
specific account balances.
o Analytical Procedures: Evaluation of financial information between current and
financial year data to obtain knowledge and enhance understanding about the
entity.

CPA – AUDIT NOTES | Shikhar Sehgal

 Risk assessment procedures are performed by auditor
to obtain an initial understanding of Internal controls
to assess the risk of material misstatement in the
financial statements.

2.8 Risk Assessment (Part 2)

An entity’s objectives w.r.t Internal Control:

1. Reliability of Financial reporting.

2. Effectiveness and efficiency of Operations. (Auditor is not required to obtain

understanding of effectiveness of the Internal Controls)

3. Compliance with applicable laws and regulations.

An auditor’s objectives w.r.t Internal control:

1. An auditor must obtain an understanding of the Internal control during the planning
stage itself.

2. The auditor should obtain sufficient understanding of the design of relevant Internal
controls pertaining to Financial Reporting in each of the 5 components of IC

3. While obtaining an understanding of the IC, the auditor should concentrate on the
substance of the control over their form because management may establish
appropriate procedures but not enforce compliance with them. Substance over form
relates to controls that appear on the surface to exist but in reality, are not operating
effectively.

4. Auditor is most likely concerned with IC that provide reasonable assurance about the
entity’s ability to process and summarize financial data.

5. An auditor’s primary consideration regarding an entity’s Internal control is whether

the controls affect the Financial Statement assertions.

Inherent Limitations of Internal Control:

- Management override of Internal Control.

- Human error.
- Deliberate circumvention of control by collusion of 2 or more people

CPA – AUDIT NOTES | Shikhar Sehgal

5 Components of Internal Control:

Control Environment:
 The control environment reflects the overall attitude, awareness and actions of those
charged with governance i.e BOD, mgmt., owners and others concerning the importance
of controls and its emphasis in the entity.

 IC is relevant to the entire entity including operating units and entity’s business
functions.

 An auditor would most likely consider the management’s operating style when
evaluating the control environment of an audit client. The management’s philosophy
and operating style include the management’s approach to taking and managing
business risks, attitudes and actions towards FR.

CPA – AUDIT NOTES | Shikhar Sehgal

Risk Assessment:

 An auditor needs to understand how the management addresses risks relevant to FR in

order to properly plan an audit.

 Adoption of new accounting principles.

 New personnel.
 Incorporation of new technology.

Information and Communication Systems:

 Enhanced timeliness of information. Describe the transactions in a timely manner.

 Proper presentation of transactions and related systems.

 The auditor is interested in the business process relevant to FR and should obtain an
understanding of
o The classes of transactions that are significant to FS.
o The FR processes
o The accounting records.

Monitoring:

 Internal audit functions.

Existing Control Activities: (PAID TIPS)

o Prenumbering of Documents: Helps in assuring that-

 All transactions are recorded. (Consistency)

 No transactions are recorded more than once. (Existence)

o Authorization of Transactions: Should occur before the commitment of

resources.

o Independent checks to maintain Asset Accountability: Involves verification of

work previously performed by others, reviews and comparisons.

o Documentation

o Timely and appropriate Financial performance reviews:

 Comparison of actual performance to budgets, forecasts and prior

periods.

CPA – AUDIT NOTES | Shikhar Sehgal

  Comparison of financial and non-financial information.

o Information processing controls:

 General Controls: Applies to information processing throughout the

company.
 Application Controls: Applies to processing of individual transactions.

o Physical controls of Safeguarding the Assets

o Segregation of Duties

Auditors Consideration of Internal Controls

o Check that the IC is relevant to the entity.

o Check that the 5 components of IC are applicable to the entity and their effect
on the entity’s 3 objectives.

o It is not mandatory for the auditor to assess all of an entity's IC. The auditor
must use his judgement to determine which controls should be assessed.

o Identify controls relevant to reliable FR:

 Preventive Controls: Designed to provide reasonable assurance that

only valid transactions are recognized, approved and submitted for
processing. (Before processing)

 Detective Controls: Detective controls are reasonable assurance that

errors or irregularities are discovered and corrected on a timely basis.
(After processing)

o Walkthroughs: Walk-throughs trace transactions relevant to FR through the

A walkthrough follows a accounting system from inception through recording in the GL to presentation in
transaction from its origin the FS. An auditor’s flowchart is a diagrammatic representation of the auditor’s
until it is reflected in the FS. understanding of the client’s information system relevant to Financial Reporting.

o Documentation: The auditor MUST document the understanding of the entity’s

IC (FIND)

 Flowchart: Depicts auditor’s understanding of IC.

CPA – AUDIT NOTES | Shikhar Sehgal

  IC Questionnaires: List of questions to be answered as Yes or No
 Narratives: Written versions of Flowchart.
 Documentation from the client

Other Audit Considerations (Information Technology)

o Entity’s use of IT may affect the 5 components of IC

o IT systems may make it impossible to resolve the detection through substantive

testing alone. Therefore, must do control testing as well.

o Manual vs Automated controls in IT systems:

 Manual Controls: Used when judgement and discretion are required

such as large, unusual and non-recurring transactions. They are also
used to monitor the automated controls.

 Automated Controls: Used when there is high volume or recurring

transactions.

o IT Benefits:

 Ability to process large volumes of data.

 Improved timeliness and availability of data.
 Enhanced ability to monitor performance.
 Enhance segregation of duties: (COPAL)
 Control Group
 Operators
 Programmers
 Analysts (Systems)
 Librarian

o IT Risks:

 Potential reliance on inaccurate systems.

 Potential data loss.
 Failure to make required changes on time.
 Unauthorized changes to the data
 Unauthorized access may result in loss of important data.

 Notes:

o An auditor’s knowledge of the design of relevant internal controls should be

used identify the types of potential misstatements that could occur.

CPA – AUDIT NOTES | Shikhar Sehgal

o The concept of reasonable assurance recognizes that the cost of an entity’s
internal control should not exceed the benefits that are expected to be derived.
The cost benefit relationship is a primary criterion that should be considered in
designing internal control.

CPA – AUDIT NOTES | Shikhar Sehgal

2.9 The Effect of IT on Audit
Difference between manual and computerized IT environment

o Segregation of Duties: In a computerized environment, transaction processing

often results in a combination of functions that are normally separated in a
manual environment. (COPAL)

o Disappearing Audit Trail: Due to lack of paper documentation, audit tests

should be performed on a regular basis in the computerized IT environment.

o Uniform Transaction processing: Processing consistency in a computerized

environment is reduced but the risk of systematic errors can increase (like
programming logic)

o Computer Initiated Transactions: Automated transactions are not subject to

authorization like manual transactions and may not be well documented.

o Potential for Increased error and Irregularities: Due to decreased human

involvement, increased remote access which increases the chances of
unauthorized access. (-ve)

o Potential for increased supervision and review: Computer systems provide

more opportunities for integration of audit and analytical procedures. (+ve)

Auditing around the computer (Manual audit procedures)

o The auditor tests the input data, processes the data independently and then
compares independent results with program results.
o Appropriate for small and simple batches.
o Emphasis is on input and output stages of the transaction process.
o Risks: Insufficient paper-based evidence and insufficient audit procedures.

Auditing through the computer (CAAT)

o Emphasis is on input and output stages of the transaction process.

o Suitable for highly automated and complex systems.

o Transaction Tagging: A technique to electronically mark or tag specific

transactions and follow them through the client’s system.

CPA – AUDIT NOTES | Shikhar Sehgal

o Embedded Audit Modules: Helps in collecting transaction data requested
(specific data) by the auditor. For e.g. An auditor wants to examine all
transactions affecting a specific account greater than $500

o Test Data: (uses dummy data)

- Uses the application program to process a set of test data, the result of
which are already known.
- Test data consists of “dummy data” that run’s through client’s computer
system. The data should be processed under the auditor’s control.
- Client’s system is used to process the auditor’s data, off line, while still
under the auditor’s control.
- Live computer files are not affected.
- Ex: Invalid#, excess pay rate, excess hours.

o Integrated Test Facility (Imp): (uses dummy accounts)

- Similar to test data, but here live data is used.
- Used for large data.
- Test data must be separated from live data before the reports are
created.
- Client’s personnel are not involved that dummy (simulated) accounts
are there for test data.

o Parallel Simulation:
- Auditor reprocesses/reperforms some or all of client’s live data using
software’s provided by the auditor and then compares the result with
client’s file.
- For controlled processing, the auditor observes an actual processing run
and compares the actual result with expected results (Auditor’s
software)
- For controlled reprocessing, the auditor uses old archived process copies
and compares it with the actual processing run. Differences, if any
indicate there have been changes to a program.

CPA – AUDIT NOTES | Shikhar Sehgal

Generalized Audit Software Packages (GASP’s)

o GASP allows the auditor to perform test of controls and substantive tests
directly on the client’s system. The auditor first defines the client’s system to the
GASP and then specifies the tests and selections that should be made.
o GASP requires little technical knowledge of the client’s hardware and software
features.
o Advantages:
- Requires little technical knowledge.
- Can reduce audit time without sacrificing quality.
- Allows auditor to test a much higher % of transactions which would
result in a more reliable audit.
o Ex:
 Examining transactions of controlled compliance.
 Recalculating amounts and totals.
 Reconciling data from two separate lines.
 Performing statistical analysis.
 GASP allows the auditor to perform test of controls and substantive
tests directly on the client’s system. The auditor first defines the
client’s system to the GASP
 Notes:

1. Continuous performance audit tests are required when financial data is processed
electronically, without provision of paper documentation to ensure that controls are
operating effectively throughout the period under audit.

2. In computer audit applications, efficient and effective system usage requires:

- Identification of the appropriate audit tasks.
- Appropriate softwares to perform the selected audit tasks.

CPA – AUDIT NOTES | Shikhar Sehgal