Powered by:

Reading Material For

Online Entrance Examination

30-Days Training
International Audit
www.futurense.com
 Powered by:

Click on the button to

Watch the Video Explations

AUD-0
Intro to Auditing & Attestation
https://www.youtube.com/watch?v=hV0aHZ3DIU4
WATCH NOW

AUD-2.3
Risk Assessment: Audit Risk
https://www.youtube.com/watch?v=lJyH-elTjSE

WATCH NOW

AUD-3.1
Internal Controls: Integrated Framework
https://www.youtube.com/watch?v=7nReC1KLjic
WATCH NOW

AUD-3.2
Auditor's Consideration of Internal Control
https://www.youtube.com/watch?v=jcwiAXzzt08
WATCH NOW

AUD-4.1 to 4.3
Audit Evidence
https://www.youtube.com/watch?v=WgAqnwnADhU
WATCH NOW

www.futurense.com
 Powered by:

Pre-reading

Material
Generally Accepted Auditing Standards

futurense.com |
AUD-Intro Miles CPA Review

0.1) Introduction to F/S Auditing

What? Examination of F/S

Why? To give objective opinion as to fairness of F/S in conformity with US GAAP

When? After the management prepares the F/S (Management = Prepare F/S)

Who? Independent & expert external auditor (Auditor = Express Opinion on F/S)

Where? Report audit findings in Audit Report

How? By performing audit as per GAAS (non-issuers) and/or PCAOB AS (issuers)

Audited F/S
(Management’s
Responsibility)

Management’s F/S CPA Auditor’s audit

per GAAP per GAAS

Audit Report with

Opinion on F/S
(Auditor’s
Responsibility)

A0-2
Miles CPA Review AUD-Intro

0.2) GAAS - Traditional Framework

➢ 10 Generally Accepted Auditing Standards (GAAS) - Traditional Framework

{General TIP to take a Field PIC and Report All Clean & Dirty Elements}

3 General 3 Fieldwork 4 Reporting

Standards Standards Standards
• Training & • Planning & • Accounting =
Proficiency Supervision US GAAP

• Independence • Internal • Consistency

Controls
• Professional • Disclosures
Care • Corroborative
Audit Evidence • Expression of
an opinion

Note:
- Traditionally, auditors have classified the GAAS into the 10 basic standards as above with 3 groups -
general, fieldwork and reporting. Until December 15, 2012, these were authoritative standards and
were directly reflected in the Statements of Auditing (SAS) issued by the Auditing Standards Board
(ASB) of the AICPA
- However, effective December 15, 2012, the ASB issued “clarified” SAS for clarity and for convergence
with ISA (International Standards of Auditing). Though the above classification of GAAS has now been
incorporated into various clarified SAS and are still broadly applicable, the above classification is no
longer authoritative
- In short, the standards have remained the same but the classification has been modified.
Nevertheless, throughout the course, we will continue to use the “10” GAAS framework as it is very
effective in understanding and recapitulating the audit process
- Refer to Topic 0.3 for further information on clarified SAS

A0-3
AUD-Intro Miles CPA Review

I) General Standards
➢ 3 General Standards {General TIP} - Auditor qualification and quality of work

T 1) Training & Proficiency - Auditor must have adequate technical training and proficiency to
perform the audit. Attained by:
✓ Accounting education
✓ Auditing experience
✓ Industry knowledge

I 2) Independence - Auditor must maintain independence in mental attitude in all matters relating
to the audit
✓ In an audit engagement, requirement for independence is in the public interest
 Auditor’s independence from the entity safeguards the auditor’s ability to form an audit
opinion without being affected by influences that might compromise that opinion
 Independence enhances the auditor’s ability to act with integrity, to be objective, and to
maintain an attitude of professional skepticism
 Independence implies an impartiality that recognizes an obligation to be fair not only to
management and those charged with governance of an entity but also users of F/S who
may rely upon the independent auditor’s report
✓ Concept of independence refers to independence both in fact and appearance
 Fact is the real state of mind (e.g., material direct interest in client)
 Appearance is how it appears to outsiders (e.g., immaterial direct interest in client)

P 3) Professional care - Auditor must exercise due professional care in the performance of the audit
and the preparation of the report
✓ Maintain an attitude of professional skepticism throughout the audit
 Questioning mind - alert to conditions that may indicate possible misstatement due to
fraud/error (e.g., contradictory evidence, info that questions reliability of documents/
responses, conditions that may indicate fraud, need for additional audit procedures)
 Critical assessment of audit evidence if sufficient & appropriate (e.g., questioning
contradictory audit evidence and reliability of documents/responses)
 Neither assume management is dishonest nor assume unquestioned honesty
 Note: Auditor may accept records & documents as genuine unless the auditor has
reason to believe the contrary
✓ Exercise professional judgment in planning & performing the audit - Make informed
decisions about courses of action appropriate in the circumstances
 E.g., Decisions relating to audit risk, materiality, audit procedures, audit evidence
(sufficient & appropriate?), evaluating management judgments, audit opinion
 Needs to be exercised throughout the audit; also needs to be appropriately documented
 Professional judgment can be evaluated based on whether the judgment reached
reflects a competent application of auditing standards and accounting principles and is
appropriate given the facts & circumstances that were known to the auditor
✓ Provide reasonable assurance (though not absolute assurance) that F/S are free of material
misstatement (whether caused by error or fraud)

A0-4
Miles CPA Review AUD-Intro

II) Fieldwork Standards

➢ 3 Fieldwork Standards {Field PIC} - Planning audit and accumulating/evaluating evidence

P 1) Planning & Supervision

✓ Auditor must adequately plan the work
 Auditor should establish an overall audit strategy that sets the scope, timing, and
direction of the audit and that guides the development of the audit plan
✓ Auditor should take responsibility for the direction, supervision, and performance of the
audit engagement

I 2) Internal Controls -
✓ Auditor must obtain a sufficient understanding of the entity and the environment, including
its I/C, to
 Assess risk of material misstatement (RMM) of F/S whether due to error or fraud
 Determine the nature, extent and timing (NET) of audit procedures
✓ Appropriate I/C provide confidence to the auditor that material misstatements will be
prevented, or detected and corrected, on a timely basis
 Strong I/C = Substantive testing = Evidence 
 Weak I/C = Substantive testing = Evidence 

= Supports auditor’s opinion (not F/S)

C 3) Corroborative audit evidence
✓ Auditor must obtain sufficient & appropriate (corroborative) audit evidence by performing
audit procedures to afford a reasonable basis for an opinion regarding the F/S under audit
✓ Auditor needs to:
 Determine overall responses to address RMM at the F/S level
 Design and perform further audit procedures to respond to the assessed RMM at F/S
and relevant assertion levels
 Evaluate the sufficiency and appropriateness of the audit evidence obtained
✓ Note: Sufficiency & appropriateness of audit evidence is based on the auditor’s judgment

Note:
Weak I/C does not mean F/S are misstated
But the auditor needs to do more substantive testing and gather more evidence to
support his opinion on F/S

A0-5
AUD-Intro Miles CPA Review

III) Reporting Standards

➢ 4 Reporting Standards {Report All Clean & Dirty Elements} - GAAS audit to check for GAAP

A 1) Accounting Principles = US GAAP

✓ Auditor must state in auditor’s report whether F/S are presented in compliance with an
applicable financial reporting framework (e.g., US GAAP)
✓ Explicit statement in audit report

C 2) Consistency
✓ Auditor must identify in the auditor’s report those circumstances in which accounting
principles have not been consistently observed in the current period in relation to the
preceding period
✓ Implicit in audit report (i.e., implied that GAAP is applied consistently unless otherwise
stated by the auditor in the auditor’s report) Silence = ok

D 3) Disclosures
✓ When the auditor determines that informative disclosures are not reasonably adequate, the
auditor must so state in the auditor’s report
✓ Implicit in audit report (i.e., implied that disclosures are reasonably adequate unless
otherwise stated by the auditor in the auditor’s report) Silence = ok

E 4) Expression of an Opinion
✓ The auditor must either express an opinion regarding the F/S, taken as a whole, or state
that an opinion cannot be expressed, in the auditor’s report
✓ 2 choices
 Express an opinion on F/S taken as a whole (complete F/S including footnotes)
- Different opinions are ok (e.g., unqualified opinion on one of the F/S while having a
qualified opinion on another)
- One statement opinions are ok in limited reporting engagements
 Disclaim an opinion stating reasons for the same (e.g., auditor was not independent,
audit work was inadequate)
✓ In all cases where an auditor’s name is associated with F/S, the auditor should clearly
indicate the scope of audit in the audit report
 Character of the auditor’s work
 Degree of responsibility the auditor is taking
✓ Explicit statement in audit report

A0-6
Miles CPA Review AUD-Intro

0.3) GAAS - As Codified in AU-C Sections of

Statements of Auditing Standards (SAS)
➢ In the US, AICPA’s ASB (Auditing Standards Board) develops and issues GAAS in the form of SAS
(Statements on Auditing Standards) which are codified as AU-C sections
• Internationally, ISA (International Standards on Auditing) are issued by the IAASB (International
Auditing and Assurance Standards Board)

➢ “Clarified” SAS - In an effort to make US GAAS easier to read, understand, and apply, the ASB
redrafted all of the auditing sections in the Codification of SAS for clarity and to converge with ISA
• Effective for audits of F/S for periods ending on or after December 15, 2012
• Codification of clarified standards use “AU-C” section numbers instead of “AU” section numbers

I) Purpose & Premise of an Audit

➢ Purpose of an audit - Provide F/S users with auditor’s opinion on whether F/S are presented fairly,
in all material respects, in accordance with an applicable financial reporting framework
• Enhances the degree of confidence that intended users can place in the F/S
• However, note that an audit of F/S does not assure the future viability of the entity nor the
efficiency or effectiveness with which management has conducted the affairs of the entity
✓ Nevertheless, in some circumstances, applicable law or regulation may require auditors to
provide opinion on other specific matters (e.g., effectiveness of I/C) where the auditor
would undertake further work given the responsibilities to provide such additional opinion

➢ Premise of an audit - Management and, when appropriate, those charged with governance have
acknowledged certain responsibilities that are fundamental to the conduct of the audit including
• Preparation and fair presentation of F/S in accordance with the applicable financial reporting
framework
✓ F/S may be prepared in accordance with
 General purpose framework - designed to meet the common financial information
needs of a wide range of users (e.g., US GAAP, IFRS); or
 Special purpose framework - basis of accounting other than GAAP which uses a definite
set of logical, reasonable criteria that is applied to all material items appearing in F/S
(e.g., cash, tax, regulatory, contractual basis of accounting, or other basis of accounting)
• Design, implementation, and maintenance of I/C relevant to the preparation and fair
presentation of F/S that are free from material misstatement, whether due to fraud or error
• To provide the auditor with
✓ Access to all information that is relevant to the preparation and fair presentation of the F/S,
such as records, documentation, and other matters
✓ Additional information that the auditor may request from management and, when
appropriate, those charged with governance for the purpose of the audit
✓ Unrestricted access to persons within the entity from whom the auditor determines it
necessary to obtain audit evidence
A0-7
AUD-Intro Miles CPA Review

II) Overall Objectives of the Independent Auditor

➢ Overall objectives of the auditor when conducting a F/S audit are:

• Obtain reasonable assurance about whether the F/S as a whole are free from material
misstatement, whether due to error or fraud - Enables the auditor to express an opinion on
whether the F/S are presented fairly, in all material respects, in accordance with an applicable
financial reporting framework
✓ Reasonable assurance - High, but not absolute, level of assurance
 Achieved when the auditor has obtained sufficient appropriate audit evidence to reduce
audit risk (i.e., risk that the auditor expresses an inappropriate opinion when the F/S are
materially misstated) to an acceptably low level
 Not absolute assurance because there are inherent limitations of an audit that result in
most of the audit evidence, on which the auditor draws conclusions and bases the
auditor’s opinion, being persuasive rather than conclusive
• Report on F/S, and communicate as required by GAAS, in accordance with the auditor’s
findings - Auditor expresses an opinion in accordance with the auditor’s finding, or states that
an opinion cannot be expressed
✓ The opinion states whether the F/S are presented fairly, in all material respects, in
accordance with an applicable financial reporting framework

III) Conduct of an Audit in accordance with GAAS

➢ Ethical Requirements - The auditor should comply with ethical requirements related to F/S audit
engagements, including independence in both fact and appearance
• Ethical requirements consist of the AICPA Code of Professional Conduct and the rules of the
state boards of accountancy and applicable regulatory agencies that are more restrictive
• The AICPA Code of Professional Conduct establishes the fundamental principles of professional
ethics, which include the following:
✓ Responsibilities
✓ Public interest
✓ Integrity
✓ Objectivity and independence
✓ Due care
✓ Scope and nature of services

➢ Note: Auditing standards (SAS/GAAS) vs. Audit procedures

• Audit procedures = Acts/procedures performed by the auditor during the audit
• Auditing standards (GAAS) = Measures of the quality of the auditor’s performance of audit
procedures
✓ Specific audit procedures needed to comply with GAAS may vary for each engagement

A0-8
Miles CPA Review AUD-Intro

➢ Compliance with GAAS - Auditor should comply with all AU-C sections relevant to the audit
• In certain audit engagements, the auditor also may be required to comply with other auditing
requirements in addition to GAAS. GAAS do not override law/regulation that govern F/S audits
✓ E.g., Auditor may also conduct the audit in accordance with both GAAS and
 PCAOB Auditing Standards (PCAOB AS)
 International Standards on Auditing,
 Government Auditing Standards, or
 Auditing standards of a specific jurisdiction or country
✓ In the event that such law or regulation differs from GAAS, an audit conducted only in
accordance with law or regulation will not necessarily comply with GAAS
• Auditor should not represent compliance with GAAS in the auditor’s report unless the auditor
has complied with the requirements of AU-C sections relevant to the audit
✓ If an objective in a relevant AU-C section cannot be achieved, auditor should evaluate
whether this prevents him from achieving the audit’s overall objectives and thereby
requires the auditor, in accordance with GAAS, to modify the auditor’s opinion or withdraw
from the engagement (when withdrawal is possible under applicable law/regulation)
• GAAS use the following two categories of professional requirements, identified by specific
terms, to describe the degree of responsibility it imposes on auditors:
✓ Unconditional requirements - Auditor must comply in all cases in which such a requirement
is relevant. GAAS use the word "must" to indicate an unconditional requirement
✓ Presumptively mandatory requirements - Auditor must comply in all cases in which such a
requirement is relevant except in rare circumstances. GAAS use the word "should" to
indicate a presumptively mandatory requirement
 In rare circumstances, the auditor may judge it necessary to depart from a relevant
presumptively mandatory requirement (e.g., a specific audit procedure required to be
performed would be ineffective in achieving the intent of that requirement). In such
circumstances, the auditor should perform alternative audit procedures to achieve the
intent of that requirement
• The GAAS hierarchy
✓ Level 1 - Auditing Standards - SAS (AU-C)
✓ Level 2 - Interpretive publications (not standards, but recommendations on application of
GAAS in specific circumstances, including engagements for entities in specialized industries)
 Auditing interpretations of GAAS
 AICPA Audit and Accounting Guides
 AICPA Auditing Statements of Position
✓ Level 3 - Other Auditing Publications (no authoritative status but may help the auditor
understand and apply GAAS)
 AICPA auditing publications not defined as interpretive publications
 Auditing articles in the Journal of Accountancy and other professional journals
 Continuing Professional Education programs and other instruction materials, textbooks,
guide books, audit programs, and checklists
 Other auditing publications from state CPA societies, other organizations/individuals

A0-9
AUD-Intro Miles CPA Review

IV) Inherent Limitations of an Audit

➢ The auditor is unable to obtain absolute assurance that the F/S are free from material
misstatements because of the following inherent limitations of an audit:
• Nature of Financial Reporting
✓ Involves judgment by management in applying GAAP (or other framework) to the facts &
circumstances of the entity
✓ Many F/S items involve subjective decisions/assessments or a degree of uncertainty; and
there is a range of acceptable interpretations/judgments
 Therefore, some F/S items are subject to an inherent level of variability that cannot be
eliminated by audit procedures; e.g., accounting estimates (nevertheless, the auditor
does need to evaluate whether the estimates are reasonable)
• Nature of Audit Procedures - Practical and legal limits on an auditor’s ability to obtain audit
evidence, including
✓ Possibility that the information provided by management may be incomplete (intentional or
unintentional)
✓ Possibility of fraud which may be concealed by sophisticated and carefully organized
schemes (intentional)
✓ Audit is not an official investigation into alleged wrongdoing. Accordingly, the auditor is not
given specific legal powers, such as the power of search
• Timeliness of Financial Reporting and the Balance between Cost and Benefit - Expectation
that the auditor will form an opinion on F/S within a reasonable period of time and will achieve
a balance between benefit and cost, which makes it is impracticable for the auditor to address
all information that may exist or to pursue every matter exhaustively
• Other Matters - For certain assertions or subject matters, the inherent limitations on the
auditor’s ability to detect material misstatements are particularly significant; e.g.,
✓ Fraud (particularly fraud involving senior management or collusion)
✓ Related party relationships and transactions (existence & completeness)
✓ Non-compliance with laws and regulations
✓ Future events or conditions that may cause an entity to cease to continue as a going
concern

➢ Because of the inherent limitations of an audit, there is an unavoidable risk that some material
misstatements of F/S may not be detected, even though the audit is properly planned and
performed in accordance with GAAS
• Accordingly, the subsequent discovery of a material misstatement of F/S resulting from fraud or
error does not by itself indicate a failure to conduct an audit in accordance with GAAS
• However, the inherent limitations of an audit are not a justification for the auditor to be
satisfied with less than persuasive audit evidence
• Whether the auditor has performed an audit in accordance with GAAS is determined by the
audit procedures performed in the circumstances, the sufficiency and appropriateness of the
audit evidence obtained as a result thereof, and the suitability of the auditor’s report based on
an evaluation of that evidence in light of the overall objectives of the auditor

A0-10
Miles CPA Review AUD-Intro

Appendix: AU-C (Research) Can access when solving SIMs

(mostly used for Research SIMs)
➢ Authoritative Literature used for Auditing & Attestation:
• AU-C - Codification of Statements on Auditing Standards (SAS)

• PCAOB - PCAOB Auditing Standards

• ET - AICPA Code of Professional Conduct
• BL - Bylaws of the AICPA (for membership/governance)
• PR - AICPA Peer Review Standards
AUD-1
• CS - Statements on Standards for Consulting Services
• PFP - Personal Financial Planning
• VS - Statements on Standards for Valuation Services
• CPE - Continuing Professional Education
• QC - Statements on Quality Control Standards (SQCS) AUD-2
• AT-C - Statements of Standards for Attestation Engagements (SSAE)
AUD-7
• AR-C - Statements on Standards for Accounting & Review Services (SSARS)

➢ AU-C Codes are codified SAS (Statements on Auditing Standards):

AU-C 200s General Principles and Responsibilities
200 Overall Objectives of the Independent Auditor & Conduct of an Audit in Accordance With GAAS
210 Terms of Engagement
220 Quality Control for an Engagement Conducted in Accordance With GAAS
230 Audit Documentation
240 Consideration of Fraud in a Financial Statement Audit
250 Consideration of Laws and Regulations in an Audit of Financial Statements
260 The Auditor’s Communication With Those Charged With Governance
265 Communicating Internal Control Related Matters Identified in an Audit

AU-C 300s-400s Risk Assessment and Response to Assessed Risks

300 Planning an Audit P I C
315 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement P IC
320 Materiality in Planning and Performing an Audit
330 Performing Audit Procedures in Response to Assessed Risks & Evaluating Audit Evidence
402 Audit Considerations Relating to an Entity Using a Service Organization
450 Evaluation of Misstatements Identified During the Audit

AU-C 500s Audit Evidence

500 Audit Evidence P I C
501 Audit Evidence - Specific Considerations for Selected Items

A0-11
AUD-Intro Miles CPA Review

505 External Confirmations

510 Opening Balances - Initial Audit Engagements, Including Reaudit Engagements
520 Analytical Procedures
530 Audit Sampling
540 Auditing Accounting Estimates, Including Fair Value Accounting Estimates & Related Disclosures
550 Related Parties
560 Subsequent Events and Subsequently Discovered Facts
570 Auditor’s Consideration of an Entity’s Ability to Continue as a Going Concern
580 Written Representations
585 Consideration of Omitted Procedures after the Report Release Date

AU-C 600s Using the Work of Others

600 Special Considerations - Audits of Group Financial Statements (Work of Component Auditors)
610 Using the Work of Internal Auditors
620 Using the Work of an Auditor’s Specialist

AU-C 700s Audit Conclusions and Reporting Report ACDE

700 Forming an Opinion and Reporting on Financial Statements
701 Communicating Key Audit Matters in the Independent Auditor’s Report
703 Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to
ERISA
705 Modifications to the Opinion in the Independent Auditor’s Report
706 Emphasis of Matter Paragraphs and Other Matter Paragraphs in Independent Auditor’s Report
708 Consistency of Financial Statements
720 Other Information in Documents Containing Audited Financial Statements
725 Supplementary Information in Relation to the Financial Statements as a Whole
730 Required Supplementary Information

AU-C 800s Special Considerations

800 Special Considerations - Audits of Financial Statements Prepared in Accordance With Special
Purpose Frameworks
805 Special Considerations - Audits of Single Financial Statements and Specific Elements, Accounts,
or Items of a Financial Statement
806 Reporting on Compliance with Aspects of Contractual Agreements or Regulatory Requirements
in Connection with Audited Financial Statements
810 Engagements to Report on Summary Financial Statements

AU-C 900s Special Considerations in the United States

905 Alerts as to the Intended Use or Purpose of the Auditor’s Written Communication
910 Financial Statements Prepared in Accordance With a Financial Reporting Framework Generally
Accepted in Another Country
915 Reports on Application of Requirements of an Applicable Financial Reporting Framework
920 Letters for Underwriters and Certain Other Requesting Parties
925 Filings with the U.S. Securities and Exchange Commission Under the Securities Act of 1933
930 Interim Financial Information
935 Compliance Audits
940 Audit of ICFR that is integrated with an audit of F/S
A0-12
 Powered by:

Pre-reading

Material
AUDIT RISK MODEL

futurense.com |
AUD-2 Miles CPA Review

2.3) Risk Assessment

I) Audit Risk Risk that the auditor will give a wrong opinion,
i.e., issue unqualified opinion on materially misstated F/S

Risk of Material Misstatement Detection Risk

Audit Risk (AR)
(RMM) (DR)

Inherent Risk Control Risk Detection Risk

(IR) (CR) (DR)

Risk of auditor giving Risk of Risk of Risk of

wrong opinion on F/S Acct system client I/C Auditor
with material missing MM missing MM missing MM
misstatements (MM)

- Functions of client entity and exist - Function of auditor

Then DR , independently of the audit effectiveness
By Subs. Test  - Auditor only assesses - Auditor determines
& Evidence  - I of ‘field PIC’ in GAAS - C of ‘field PIC’ in GAAS
- Change in assessment of IR or CR during the - Changed by varying NET
audit would require change level of DR of audit procedures


Then DR ,
AR should be “low”, and If assessed that RMM 
By Subs. Test 
auditor avoids increase Reliance on client’s I/C 
& Evidence 
in AR by varying the level
of audit procedures


which would affect DR
If assessed that RMM  Then DR ,

Reliance on client’s I/C  By Subs. Test 

& Evidence 

A2-16
Miles CPA Review AUD-2

➢ Audit Risk (AR) - Risk that the auditor expresses an inappropriate audit opinion when F/S are
materially misstated
• AR is a function of the Risks of Material Misstatement (RMM) and Detection Risk (DR)
• Assessment of AR is a matter of professional judgment based on audit procedures (rather than
a matter capable of precise measurement)
• To obtain reasonable assurance, the auditor should obtain sufficient appropriate audit evidence
to reduce audit risk to an acceptably low level and thereby enable the auditor to draw
reasonable conclusions on which to base the auditor’s opinion
• For purposes of GAAS, AR does not include the risk that the auditor might express an opinion
that F/S are materially misstated when they are not. This risk is ordinarily insignificant
• Further, AR is a technical term related to the process of auditing; it does not refer to the
auditor’s business risks (e.g., loss from litigation in connection with the F/S audit)
➢ Materiality - Concept of materiality is applied by the auditor when both planning & performing the
audit, and in evaluating the effect of identified misstatements on the audit and uncorrected
misstatements, if any, on F/S
• In general, misstatements, including omissions, are considered material if there is a substantial
likelihood that, individually or in the aggregate, they would influence the judgement made by
a reasonable user based on F/S
✓ Judgments about materiality are made in light of surrounding circumstances, and are
affected by the size or nature of a misstatement, or a combination of both
 Involve both qualitative and quantitative considerations
 Based on a consideration of the common financial information needs of F/S users as a
group. Possible effect of misstatements on specific individual users, whose needs may
vary widely, is not considered
✓ Auditor's determination of materiality is a matter of professional judgment and is affected
by the auditor's perception of the financial information needs of users of F/S
• Performance materiality - Amount set by the auditor at less than materiality level (to reduce
probability that aggregate uncorrected/undetected misstatements exceed the materiality level)
• Auditor’s opinion addresses the F/S as a whole. Therefore, the auditor has no responsibility to
plan and perform the audit to obtain reasonable assurance that misstatements whether caused
by fraud or error, that are not material to the F/S as a whole, are detected
➢ Misstatements (includes omissions) - Difference between amount/classification/presentation/
disclosure of a reported F/S item and amount/classification/presentation/disclosure that is vs.
required for the item to be presented fairly per the applicable financial reporting framework
• Misstatements may result from fraud or error, such as
✓ Inaccuracy in gathering or processing data from which F/S are prepared
✓ Omission of an amount or disclosure
✓ Disclosures not per the applicable financial reporting framework
✓ Inappropriate selection or application of accounting policies
✓ Incorrect estimates or judgments by management
• May be distinguished as:
✓ Factual misstatements - misstatements about which there is no doubt
✓ Judgmental misstatements - arise from unreasonable accounting estimates or selection/
application of inappropriate accounting policies
✓ Projected misstatements - auditor’s best estimate of misstatements in the entire population
based on projection of misstatements identified in audit samples
A2-17
 AUD-2 Miles CPA Review

➢ AR = RMM × DR
• Risk of Material Misstatement (RMM) - “Client’s risk” which exists independent of the audit.
Exists at overall F/S level as well as relevant assertion level (transactions, balances &
disclosures). RMM at assertion level consists of 2 components (auditor may either separately
assess IR and CR, or make a single overall assessment of RMM):
Errors ✓ Inherent Risk (IR) - Susceptibility of a relevant assertion to a material misstatement before
inherent in consideration of any related I/C (i.e., assuming that there are no related I/C)
 Higher for some assertions than for others. E.g., Auditor assesses, but can’t change IR
nature of
- If complex calculations (like pensions) or estimates (like allowance for bad debts), IR 
client’s - If lot of customers pay in cash, IR  as cash is more susceptible to theft than checks
business Factors in entity and its environment (esp. business risks) may influence IR. E.g.,
- If entity’s inventory becomes obsolete rapidly (e.g., technology), IR  for inventory
- If entity lacks sufficient working capital, IR  for several assertions
- If entity in a declining industry with many business failures, IR  for several assertions
Generally, cannot be altered by either Management or Auditor
 Auditor only assesses IR (which assessment can change as audit progresses)

Client’s I/C ✓ Control Risk (CR) - Risk that the entity’s I/C will fail to prevent, or detect & correct, a
misses the material misstatement on a timely basis Auditor assesses, but cannot change CR
 Function of design/implementation & operating effectiveness of I/C effected by
error
management. Therefore, can be altered by Management, but not by Auditor
- Due to inherent limitations of I/C (e.g., human errors, collusion, etc.), CR can only be
reduced but not eliminated. Accordingly, some CR will always exist
 Auditor only assesses CR (which assessment can change as audit progresses)

Auditor • Detection Risk (DR) - Risk that the procedures performed by the auditor will not detect a
misses the material misstatement that exists
✓ Function of the effectiveness of an audit procedure and of its application by the auditor.
error
Therefore, can be altered by the Auditor (by altering the NET of substantive tests)
 Due to inherent limitations of an audit (e.g., auditor does not examine 100% of
transactions/accounts, auditor may make mistakes in applying the audit procedure,
etc.), DR can only be reduced but not eliminated. Accordingly, some DR will always exist
✓ Auditor determines DR
 For a given level of AR, acceptable level of DR is inversely related to assessed RMM.
E.g., Greater the RMM, lesser the DR needed, which may be achieved by altering:
- Nature of substantive tests - gather evidence from outside (e.g., confirmations)
- Extent of substantive tests - increase sample size
- Timing of substantive tests - move tests from interim to year-end
✓ DR can be broken down into its TWO components:
 Substantive Test of Details risk (TD)
 Substantive Analytical Procedures risk (AP)
A2-18
Miles CPA Review AUD-2

➢ Analysis of the Audit Risk Model

• AR = RMM x DR
= (IR x CR) x DR
= (IR x CR) x (TD x AP)
• Even if either of RMM or DR is low, AR may be at an acceptable level. E.g.,
✓ If no material misstatements occur, there is nothing for the auditor to detect (wherein,
RMM will be near 0)
✓ If material misstatements occur but are all prevented or detected & corrected by client I/C,
there is nothing for the auditor to detect (wherein, CR & RMM will be near 0)
✓ If material misstatements occur and client I/C fails, but auditor detects all of these, there
will be ultimately be no material misstatements in F/S (wherein, DR will be near 0, and
significantly reduce AR irrespective of high RMM)
✓ However, audit risk will be unacceptable (unmodified opinion on materially misstated F/S)
when material misstatements occur, client I/C fails AND auditor also fails to detect
• Auditor only assesses RMM, but determines DR
✓ IR & CR are entity’s risks and exist independently of the audit
✓ DR relates to the NET of audit procedures that are determined by the auditor; function of
the effectiveness of audit procedures and of their application by the auditor
• Auditor uses assessment of RMM as basis to determine appropriate DR - i.e.,
DR should bear an inverse relationship to RMM (IR x CR) Auditor revises NET of
✓ If assessed that RMM is high, DR should be set at a low level substantive tests to
✓ If assessed that RMM is low, higher DR can be justified
determine DR
 Note: Even if assessed RMM is low, some substantive tests will be required for all
relevant assertions (i.e., can reduce but not eliminate substantive tests)

RMM = IR x CR
AR = RMM x DR
 AR = IR x CR x DR

 DR = AR = AR a
RMM IR x CR

If I/C are good, If I/C are bad,

Rely on I/C  CR  Rely on I/C  CR 
Subs. Tests  DR  Subs. Tests  DR 

Implies: Implies:
1. If CR is low, may raise DR 1. If CR is high, need to decrease DR
(so that AR is unaffected) (so that AR is unaffected)
A2-19
2. Good I/C = Less work by auditor 2. Bad I/C = More work by auditor
AUD-2 Miles CPA Review

➢ Auditor’s risk assessment (during planning & performance of the audit):

• Steps:
✓ Determine the acceptable level of Audit Risk - generally set at a low level as auditor does
not want to issue a wrong opinion (i.e., unmodified opinion on materially misstated F/S)
✓ Assess RMM - may separately assess IR & CR, or make a single overall assessment of RMM
 Assess IR - based on susceptibility of relevant assertions to material misstatements
 Assess CR - based on design/implementation & operating effectiveness of client’s I/C
✓ Determine DR - based on assessed IR & CR (i.e., RMM); inversely related to RMM

• E.g.,
Effective I/C at client Ineffective I/C at client
Applying AR Rely on I/C  CR  RMM  Rely on I/C  CR  RMM 
components
Subs. Tests  DR  Subs. Tests  DR 
Determine DR As CR/RMM is low, can afford higher DR If CR/RMM is high, need to lower DR
Altering the High DR - may lower NET of substantive Low DR - need to have a higher NET of
NET of tests, i.e.: substantive tests, i.e.:
Substantive - Nature: can have less effective tests - Nature: need more effective tests (e.g.,
Tests (e.g., evidence from inside the entity) seek evidence from outside the entity)
- Extent: can reduce sample size - Extent: need to increase sample size
- Timing: more of interim testing (and - Timing: need more testing closer to
less year-end testing) is ok year-end

• Components of the audit risk model may be assessed in quantitative terms (e.g., %) or non-
quantitative terms (e.g., high, medium, or low risk)

• Consideration of Audit Risk & Materiality - Audit risk & materiality are considered throughout
the audit (esp. when determining the NET of audit procedures and evaluating audit results)
✓ Consideration levels for Audit Risk & Materiality
 Considerations at F/S Level - consider risks that relate pervasively to the F/S as a whole
and potentially affect many assertions
 Considerations at Assertion level (balances, transactions or disclosures) - used to
determine the NET of audit procedures to obtain sufficient appropriate audit evidence
✓ Inverse Relationship Between Audit Risk and Materiality
 More material a misstatement is, the less likely it is to be missed by auditor; therefore,
as materiality increases, audit risk decreases (or vice-versa)
 E.g., Risk of a very large misstatement might be very low; but the risk of a very small
misstatement could be very high

A2-20
 Powered by:

Pre-reading

Material
INTERNAL CONTROLS

futurense.com |
 AUD-3 Miles CPA Review

3.1) I/C - Integrated Framework By COSO

I) Objectives of I/C = {FAR, REG, BEC} Management is responsible for I/C

➢ I/C - Integrated Framework published by COSO (Committee of Sponsoring Organizations of the
Treadway Commission) is broadly accepted and widely used framework for I/C
• I/C is a process, effected by an entity’s board of directors, management, and other personnel,
designed to provide reasonable assurance regarding the achievement of objectives relating to:
✓ Reporting - reliable internal and external financial & non-financial reporting {FAR}
✓ Compliance - adherence to applicable laws & regulations {REG}
✓ Operations - effectiveness & efficiency of business operations {BEC}
ICFR = Internal Controls over Financial Reporting
II) Components of I/C = {CRIME}
Under COSO’s I/C - Integrated Framework, I/C consists of 5 interrelated components (CRIME):

C "C" is the foundation for CRIME

Control Environment
(COPTER)
E R

Existent Control Activities Risk Assessment

(by Management)

M I
Information &
Monitoring
communication systems

Original framework was issued in 1992. In 2013, COSO added the 17 I/C Principles because they are
presumed essential in assessing that the 5 components (CRIME) are present and functioning properly:
Control Environment Risk Assessment Information & Monitoring Existing Control
Comm. Systems Activities
- Demonstrate commitment - Specify suitable - Use relevant - Conduct ongoing - Select & develop
to integrity & ethical values objectives information and/or separate control activities
evaluations
- Board of Directors exercise - Identify & - Communicate - Select & develop
oversight responsibility analyze risk internally - Evaluate & general controls
communicate over technology
- Establish structure, - Assess fraud risk - Communicate
deficiencies
authority & responsibility externally - Deploy through
- Identify &
policies &
- Demonstrate commitment analyze
procedures
to competence significant change
- Enforce accountability

A3-2
Miles CPA Review AUD-3

Tone at the Top

➢ Control Environment
• Set of standards, processes, and structures that provide the basis for carrying out I/C across the
organization
✓ The board of directors and senior management establish the tone of control consciousness
regarding the importance of I/C including expected standards of conduct
✓ Management reinforces expectations at the various levels of the organization
✓ Has a pervasive impact on the overall system of I/C and is the foundation for all other I/C
components

• Control environment factors include: {Mnemonic: COPTER - as if a chopper on the top!}

C ✓ Competent individuals - process to attract, develop, and retain them by HR

O ✓ Organizational structure - appropriate structure and reporting lines

P ✓ Performance - drive accountability for performance via rigor around performance

measures, incentives and rewards
Parameters of
T ✓ Those charged with governance (TCWG) - parameters enabling the board of directors to
carry out its governance oversight responsibilities

E ✓ Ethical values - commitment to integrity and ethical values

R ✓ Responsibility assignment - need to define, assign and limit authority and responsibility

• Principles (as per the 2013 framework):

✓ Commitment to integrity & ethical values {E of COPTER}
✓ Board of directors demonstrates independence from management and exercise oversight of
the development and performance of I/C {T of COPTER}
✓ Management establishes, with board oversight, structures, reporting lines, and appropriate
authorities and responsibilities in the pursuit of objectives {O & R of COPTER}
✓ Commitment to attract, develop, and retain competent individuals in alignment with
objectives {C of COPTER}
✓ Hold individuals accountable for their I/C responsibilities in the pursuit of objectives {P of
COPTER}

• E.g. of few circumstances which could raise concerns:

✓ Excessive pressure on management to meet financial targets Pressure
✓ Domination of management by a single person Opportunity
✓ Lack of a culture of honesty and ethical behavior Rationalization

A3-3
 AUD-3 Miles CPA Review

➢ Risk assessment By Management

• Dynamic & iterative process for identification, analysis, and management of risks
✓ Risk - possibility that an event will occur and adversely affect the achievement of objectives
{FAR, REG & BEC objectives!}
✓ To manage risks, risks are considered relative to established risk tolerances
• Principles (as per the 2013 framework):
✓ Specify objectives with sufficient clarity to enable identification & assessment of risks
✓ Identify risks to the achievement of objectives across the entity and analyze risks as a basis
for determining how the risks should be managed
✓ Consider the potential for fraud in assessing risks
✓ Identify and assess significant changes that could impact the system of I/C
• Risks {esp. relevant to FAR or financial reporting objective} include external and internal factors
such as changes in operating environment, new personnel, new or revamped information
systems, rapid growth, new technology, new business models/products/activities, corporate
restructurings, foreign operations, new accounting pronouncements, changes in economic
conditions

➢ Information and Communication

Includes • Communication of relevant & quality information to support the functioning of I/C - both
accounting internally (within the entity) and externally (external parties)
• Principles (as per the 2013 framework):
system
✓ Obtain or generate and use relevant, quality information to support the functioning of I/C
✓ Communicate internally information, including objectives and responsibilities for I/C,
necessary to support the functioning of I/C
✓ Communicate externally regarding matters affecting the functioning of I/C

➢ Monitoring By Management
• Ascertaining whether each of the five components of I/C is present and functioning
✓ Via ongoing and/or separate evaluations
 Ongoing evaluations - built into business processes at different levels of the entity,
provide timely information
 Separate evaluations - conducted periodically, will vary in scope and frequency
depending on assessment of risks, effectiveness of ongoing evaluations, and other
management considerations
✓ Findings are evaluated against criteria established by regulators, recognized standard-
setting bodies or management and the board of directors, and deficiencies are
communicated to management and the board of directors as appropriate
• Principles (as per the 2013 framework):
✓ Select, develop & perform ongoing and/or separate evaluations to ascertain whether the
components of I/C are present and functioning
✓ Evaluate & communicate I/C deficiencies in a timely manner to parties responsible for
taking corrective action, including senior management & board of directors, as appropriate

A3-4
Miles CPA Review AUD-3

➢ Existent control activities

• Policies and procedures that help ensure that management directives are carried out;
performed at all levels of the entity, at various stages within business processes, and over the
technology environment
✓ May be preventive or detective in nature
✓ May encompass a range of manual & automated activities
• Principles (as per the 2013 framework):
✓ Select and develop control activities that contribute to the mitigation of risks to the
achievement of objectives to acceptable levels
✓ Selects and develop general control activities over technology to support the achievement
of objectives
✓ Deploy control activities through policies that establish what is expected and in procedures
that put policies into action
• Examples of specific control activities include those relating to the following:
✓ Performance reviews
 Reviews/analysis of actual performance vs. budget, forecast, prior-period performance
 Analyze relationships between different sets of data (operating or financial)
 Comparing internal data with external sources of information
 Review of functional or activity performance
✓ Information processing
 General IT controls - policies & procedures that relate to many applications and support
the effective functioning of application controls by helping to ensure the continued
proper operation of information systems
- E.g., access controls; hardware/software controls, controls over data centers &
networks
 Application controls - apply to the processing of individual applications
- E.g., controls to check arithmetical accuracy, controls to maintain and review
accounts and trial balances; automated controls, such as edit checks of input data
and numerical sequence checks; manual follow-up of exception reports
✓ Physical controls - controls that encompass the
 Physical security of assets & records; e.g., secured facilities
 Authorization for access to computer programs and data files
 Periodic counting and comparison with amounts shown on control records; e.g.,

*
comparing the results of cash, security, and inventory counts with accounting records
✓ Segregation of duties - Assigning below responsibilities to different people to reduce the
opportunity for any person to be in a position to perpetrate & conceal errors/fraud in the
normal course of business {Mnemonic: A|R|C|C}
A  Authorization or approval of transactions

R  Recording of transactions

C  Custody of assets

C  Comparison via independent checks & evaluations

A | R|C|C A3-5
AUD-3 Miles CPA Review

III) Limitations of I/C

➢ Though I/C provide reasonable assurance of achieving the entity’s objectives, limitations do exist
• Even an effective system of I/C can experience a failure - i.e., I/C provide reasonable but not
absolute assurance
• Management should be aware of these limitations when selecting, developing & deploying I/C
so that they can minimize these to the extent practical
➢ Limitations may result from: {Mnemonic: COCOC}
C • Competence issues which could lead to mistakes or misjudgments
✓ Human judgment in decision making can be faulty and subject to bias
✓ Human failures such as simple errors can lead to breakdown
✓ Objectives established as a precondition to I/C may not be suitable

O • Obsolescence due to externalities - External events outside the organization’s control may arise
and render existing I/C obsolete

C • Collusion - Ability of management, other personnel, and/or third parties to circumvent controls
through collusion (though there may be segregation of duties for ARCC)
O • Override by management - Ability of management to override I/C

C • Cost constraints - Entities may have cost-benefit constraints (i.e., cost of I/C may exceed
benefits derived)

IV) Regulations for I/C

➢ Foreign Corrupt Practices Act (1977) - Makes it unlawful for issuers to make payments (i.e., bribes)
to foreign government officials to assist in obtaining or retaining business
• Includes accounting provisions designed to operate in tandem with the anti-bribery provisions;
requires issuers to maintain proper books/records and adequate I/C

➢ Sarbanes Oxley Act (2002) - Besides other provisions, requires management of issuers to certify
ICFR, while auditors of issuers are required to perform ‘integrated audit’ (audit of F/S + ICFR)
• Section 302: Makes officers responsible for I/C - Officers certify that they Management = I/C
✓ Acknowledge their responsibility for establishing and maintaining ICFR
✓ Have evaluated the effectiveness of ICFR, presented their conclusion as to effectiveness and
disclosed any material changes in the company’s ICFR
• Section 404: Auditors required to attest to management’s assessment of effectiveness of I/C
over financial reporting Auditor = Express opinion on F/S + ICFR (Integrated Audit)
✓ Auditor examines design and operating effectiveness of I/C so as to provide an opinion on
management’s assertion of I/C

A3-6
Miles CPA Review AUD-3

(This page is left blank for any reference notes on

I/C - Integrated Framework)

A3-7
 AUD-3 Miles CPA Review

3.2) Auditor’s Consideration of I/C = {RUCPAS}

{I of the field PIC}:

RU The auditor must obtain a sufficient understanding of the entity and its environment, including its I/C,
C to assess the risk of material misstatement (RMM) of the F/S whether due to error or fraud, and
P to design the nature, extent and timing (NET) of further audit procedures
A Further audit procedures = Test of controls + Substantive tests
S
➢ Audits of Non-issuers (only F/S)
• Auditor expresses an opinion on the client’s F/S, not on I/C
• However, the auditor is “required” to perform Risk Assessment procedures (including obtaining
an Understanding of the entity and its environment, including its I/C) which helps the auditor
✓ Assess RMM (at the F/S level and the assertion level)
✓ Determine DR and design the NET of further audit procedures
 Inverse relationship between CR and DR - stronger the I/C (CR ), lesser the substantive
testing (Sub ), which allows higher level of DR (DR )
• As part of further audit procedures by the auditor, it is “optional” to perform test of controls
though it is “required” to perform substantive tests to provide a reasonable basis to express an
opinion on F/S. The auditor generally performs test of controls if:
✓ Auditor’s RMM assessment includes an expectation that I/C are effective (i.e., auditor
intends to rely on I/C to design the NET of substantive tests), or
✓ Substantive tests alone are not sufficient (e.g., IT environments where all transactions are
processed thru the IT system and there is no documentation)
• Note: Even though the auditor does not provide any assurance on I/C, the auditor should report
all significant deficiencies and material weaknesses in I/C (which come to the auditor’s
attention) to management and TCWG
• Note: Even non-issuers “may” opt for an integrated audit (audit of F/S + audit of ICFR)

➢ Audits of Issuers (F/S + I/C)

• SOX / PCAOB AS requires integrated audit for SEC registrants such that the auditor provides
opinion on client’s F/S as well as effectiveness of client’s ICFR
✓ Although the objectives of an audit of F/S and an audit of ICFR are not the same, the auditor
plans and performs the “integrated audit” to achieve their respective objectives
simultaneously, which means that the auditor is “required” to perform test of controls
 To obtain sufficient appropriate audit evidence to support the auditor’s opinion on ICFR
 To support the auditor’s CR/RMM assessment for purposes of the audit of F/S
• Management vs. Auditor responsibility for ICFR:
✓ Management is responsible for designing, implementing, & maintaining effective ICFR and
for its assessment about the effectiveness of ICFR (per suitable criteria - i.e., I/C Integrated
Framework developed by COSO)
✓ Auditor is only responsible for his opinion on the effectiveness of ICFR

A3-8
Miles CPA Review AUD-3

➢ Applying the Audit Risk model to the audit:

• Assessing and responding to RMM at the F/S level - Risks that relate pervasively to the F/S as a
whole and potentially affect many assertions

R Risk Assessment Procedures

Understand I/C {CRIME}

U - Evaluate design & implementation of I/C
- Document the understanding

CR/RMM Assessment:
C Is there a basis to rely
on I/C?

Develop Overall responses to F/S level risks

{TUNA}

✓ Overall responses to address assessed RMM at F/S level may include: {TUNA fish to energize
the auditor before the question on “RUCPAS” where he looks at RMM at assertion level}
T  Team on the audit engagement
- Emphasize need to maintain professional skepticism
- Assign more experienced staff or those with specialized skills or using specialists
- Providing more supervision
U  Unpredictability to be incorporated in the selection of further audit procedures
N  NET of audit procedures
- Assessed RMM at F/S level significantly affects auditor’s general approach; e.g.,
▪ Substantive approach - Emphasis on substantive procedures, or
▪ Combined approach - Use tests of controls as well as substantive tests
- Auditor may also make general changes to the NET of audit procedures. E.g.,
▪ Nature - Modify audit procedures to obtain more persuasive audit evidence
▪ Extent - Obtaining more extensive audit evidence
▪ Timing - Performing substantive tests at period-end instead of interim date
A  Accounting policies selected/applied by the entity - Evaluate if appropriate & consistent
with requirements of the applicable financial reporting framework (e.g., US GAAP, IFRS)
- Evaluate for fraud risk esp. if subjective measurements & complex transactions

A3-9
AUD-3 Miles CPA Review

• Assessing and responding to RMM at the assertion level (balances/transactions/disclosures):

R Risk Assessment Procedures

Risk Understand I/C {CRIME}

U What’s the Form?
Assessment - Evaluate design & implementation of I/C
Procedures - Document the understanding

C Is the Form ok?

YES NO
CR/RMM Assessment:
(CR below max level) (CR at max level)
Is there a basis to rely
on I/C?
Test of
P controls

Perform test of controls to determine What’s the Substance? This approach is

operating effectiveness of I/C possible only if
the client is a
non-issuer

A Is the Substance ok?

Assess results of
YES test of controls: Can NO
we support a lower
CR?

S Substantive Tests Rely on I/C  - Pre- Rely on I/C  - Plan

planned level of extensive Substantive tests
Rely on I/C  - Reduced Substantive tests
Substantive tests (can Rely on I/C  - Plan
reduce but can’t eliminate) extensive Substantive tests

Combined Approach = Test of controls + Substantive tests Substantive Approach -

NOT for Issuers as opinion on
I/C is reqd. (Integrated Audit)
Rely on I/C  CR  Rely on I/C  CR 
Subs. Tests  DR  Subs. Tests  DR 
A3-10
 Miles CPA Review AUD-3

R U C P A S
➢ Risk assessment procedures R=U+C
• Provide basis for identification & assessment of RMM
✓ {RUC of RUCPAS} - Risk Assessment procedures enable the auditor in:
 Understanding the entity & its environment, including its I/C
 CR/RMM Assessment
✓ Start for audit procedures {RUC of RUCPAS}. But risk assessment procedures, by themselves,
do not provide sufficient appropriate audit evidence on which to base the audit opinion
• The auditor needs to identify and assess RMM at:
✓ F/S level (i.e., relate pervasively to F/S as whole and potentially affect many assertions), and
✓ Relevant assertion level for classes of transactions, balances and disclosures
• Include the following procedures {WA-IIO - WArm-up to get to rIIO}
✓ Walk-through - Following a transaction and trace its processing through the entity’s
information processing system and all the way through to its reporting in the F/S
 Focus on Inquiry of client personnel; Also includes the other procedures in RIIO
(Reperformance, Inspection, Observation)
✓ Analytical procedures - to identify aspects of the entity of which the auditor was unaware
and may assist in assessing RMM
 May enhance auditor’s understanding of client’s business & significant transactions/
events that have occurred; also, may help identify the existence of unusual
transactions/events and amounts/ratios/trends that might indicate matters with audit
implications. Unusual or unexpected relationships may also be identified
 However, as a risk assessment procedure, analytical procedures use data aggregated at
a high level and results provide only a broad initial indication about whether a material
misstatement may exist. Accordingly, need to complement with other info gathered
✓ Inquiries of management, internal auditors, TCWG, others within the entity
 Inquiry is often the starting point for Understanding I/C and may allow the auditor to
gather info about I/C design, but inquiry alone is not sufficient. Therefore, need to
corroborate responses to inquiries by performing at least one other risk assessment
procedure; but if better evidence is not available by performing other procedures,
auditor may corroborate inquires made of multiple people (e.g., inquiry about
implementation of the company’s code of conduct with the management as well as
company personnel, and corroborating both the responses)
✓ Inspection of relevant documentation (e.g., I/C manuals)
✓ Observation of the application of specific controls
• Auditor may use other info:
✓ Info from the auditor’s client acceptance or continuance process (if relevant)
✓ Info obtained from prior audits, or from other engagements performed by the audit partner
for the client (also determine if any changes have occurred since then)
• Engagement partner & other key engagement team members should discuss the susceptibility
of the entity’s F/S to material misstatement
• Planning of the auditor’s risk assessment procedures {RUC of RUCPAS} occurs early in the audit
process. However, planning the NET of further audit procedures {PAS of RUCPAS} depends on
the outcome of those risk assessment procedures
✓ As discussed in AUD-2.2, planning is a continual/iterative process (not a discrete phase of an
audit); and auditor updates/changes the overall audit strategy and audit plan, as necessary,
during the course of the audit

A3-11
 AUD-3 Miles CPA Review

R U C P A S
➢ Understand the entity & its environment, including its I/C
• Understand “entity & its environment” {OPEN} - Auditor should obtain an understanding of:
✓ Objectives & strategies of the entity, and related business risks
✓ Performance (esp. financial performance) of the entity
✓ External factors - Relevant industry, regulatory, and other external factors
✓ Nature of the entity
 Operations
 Ownership and governance structures
 Investments made or proposed to be made by the entity
 Financing structure
 Accounting policies selected & applied (including reasons for any changes)

• Understand I/C - Evaluate the design & implementation of I/C relevant to the audit
✓ Evaluate design of I/C - i.e., determine whether the control is capable of either
 Preventing material misstatements, or
 Detecting & correcting material misstatements
✓ Determine whether the controls are implemented - i.e., placed in operation
✓ If improper design/implementation = significant deficiency or material weakness in I/C
✓ Not sufficient to test the operating effectiveness of I/C; e.g., obtaining audit evidence about
the implementation of a ‘manual’ control at a point in time does not provide evidence
about the operating effectiveness of the control at other times during the period under
audit (case may be different for automated controls which may be consistent)

• Understanding of the design & implementation of I/C is used by the auditor to:
C ✓ Assess RMM - Identify & assess RMM, whether due to fraud or error, at F/S and relevant
assertion levels
P ✓ Design the NET of further audit procedures (tests of controls and substantive procedures) -
A Identify controls that might reduce RMM (i.e., can be relied on) which would enable the
S auditor to reduce substantive testing

• Note: Not all of client’s I/C are relevant to the audit (e.g., certain operational controls may
affect but are not directly related to financial reporting). When performing a F/S audit, the
auditor’s consideration of I/C is limited to controls deemed “relevant to the audit”; e.g.,
✓ Controls relating to the elements of the five I/C components {“CRIME”}
✓ Controls relating to anti-fraud programs & controls
✓ Controls related to “significant risks”
✓ Controls related to circumstances when substantive procedures alone will not provide
sufficient appropriate audit evidence
✓ Other controls that the auditor determines to be relevant to the audit

Management = Implements I/C (CRIME)

Auditor = Obtains understanding of I/C (CRIME)

A3-12
 Miles CPA Review AUD-3

• May use the Top-Down Approach to Understanding I/C -

✓ Describes the auditor’s sequential thought process in identifying risks and I/C to test, not
necessarily the order in which the auditor will perform audit procedures
✓ Indicative flow:
 Begin at F/S level
- Use auditor’s understanding of the overall risks to I/C
- Focus on entity-level controls (including evaluation of I/C components - “CRIME”)
 Work down to significant classes of transactions/balances/disclosures, and their
relevant assertions
- Direct attention to classes of transactions/balances/disclosures and assertions that
present a reasonable possibility of material misstatement of F/S
 Verify the auditor’s understanding of the risks in the entity’s processes
 Select those activity-level controls for testing that sufficiently address the assessed
RMM to each relevant assertion
✓ Helps the auditor to identify & focus on key controls (via the focus on objectives related to
significant classes of transactions/balances/ disclosures, and their relevant assertions)
✓ Illustrative diagram - Start with F/S on “top” and work “down” to the individual controls

Begin @ F/S F/S Begin at F/S level

Work down to identify

Transactions/balances/ Sales Cash A/R Significant transactions/
Work disclosures balances/ disclosures
down
Assertions Completeness Valuation Existence Relevant assertions

Risks Risk #A Risk #B Risk #C Risks (i.e., What can go

wrong?)

Control Objective #1 Objective #2 Objective #3 Control objectives (which

Objectives may mitigate risk)

Key Controls Control #a Control #b Control #c Select controls for testing

A3-13
AUD-3 Miles CPA Review

• Controls @Entity-level vs. Activity-Level

✓ Entity-level Controls vs. Activity-Level Controls
 Entity-level controls - Controls designed to address risks that relate pervasively to the
F/S as a whole and potentially affect many assertions. E.g.,
- controls related to the control environment {C of CRIME}
- controls over management override {C of CRIME}
- the entity’s risk assessment process {R of CRIME}
- centralized processing and controls, including shared service environments
- controls to monitor other controls, like internal auditors, TCWG {M of CRIME}
- controls over the period-end financial reporting process
- programs and controls that address significant business risks
 Activity-level controls - Controls that address risk related to specific classes of
transactions, account balances, and disclosures; e.g., control to ensure that all A/R that
have been recorded actually exist
✓ Since entity-level controls are pervasive, it may be more effective and efficient for the
auditor to evaluate the design & implementation of entity-level controls before evaluating
activity-level controls. In some cases, the failure of entity-level controls may make render
activity-level controls ineffective
E.g., If an entity has a weak control environment (evidenced by management override of
I/C), it would render ineffective any activity-level controls in the revenue cycle. Therefore,
though the auditor would obtain an understanding of these activity-level controls, he may
not want to test their operating effectiveness and rely on them

• Preventive vs. Detective Controls

✓ Preventive controls - Identify misstatements as they occur and “prevent” them from further
processing (often costlier to implement). E.g., Use of security devices to safeguard inventory
✓ Detective controls - “Detect & correct” misstatements after they have occurred and already
entered the system (often cheaper to implement). E.g., Periodic physical inventory counts

• Document understanding of I/C

✓ Document key elements of the understanding obtained regarding:
 Each of the aspects of the “entity and its environment” {OPEN}
 Each of the I/C components {CRIME}
 Risk assessment procedures performed
 Identified & assessed RMM at F/S level and assertion level
 Any significant risks identified and related I/C
✓ Form & extent of documentation is influenced by the nature, size & complexity of the entity
and its I/C, availability of info from the entity, and audit methodology & technology used in
the course of the audit
 E.g., If info system is complex, may use flowchart, I/C questionnaire or decision table to
document. But in case only a few transactions are processed (e.g., investments), may
document in narrative form
 E.g., If management has good I/C documentation, these can be used as a reference by
the auditor; and auditor documentation may focus on the auditor’s assessment of I/C

A3-14
Miles CPA Review AUD-3

✓ Few techniques for documenting the auditor’s understanding of I/C: FIND

F  Flowchart - Graphical depiction of the sequential flow of data/operations
- Reflects the flow of I/C process
- Weakness in I/C may not be clearly reflected
- Requires knowledge of flowcharting symbols (below) & is time-consuming
Document or Data (e.g., Computer Process
Decision box (e.g., Printing Manual
Report Journal,
(Yes / No) docs.) operation
Ledger)
(e.g., Invoice, (Prepare,
PO) match)
On-line Off-line
Tape On-Page Off-Page
Manual Disc storage storage
storage Connector Connector
Input storage file (disc,
file
(Keyboard) drum)
(master
data)

I  I/C Questionnaire & Checklists - Generally consists of a list of questions which may be
responded with Yes/No (but format can also be open-ended)
- Structured approach, easy to complete
- Weakness in I/C often reflected in “No” responses
- Sample Internal Control Questionnaire [excerpt] to be answered in Yes/No
Existing Control Activities:
A Are credit sales authorized by credit team?
R Are sales invoices pre-numbered, pre-printed and numerically controlled?
C Does the warehouse receive an internal sales order before dispatching goods to customers?
C Does the internal audit team periodically reconcile Sales and A/R?
S Are functions of authorization, recordkeeping, custody & comparison segregated?

N  Narrative memoranda - Written description of auditor’s I/C structure

- Lengthy, time-consuming & less effective (may be ok for small clients or if few
transactions)
- Weakness in I/C may not be clearly reflected

D  Decision table/tree - Lists rules based on possible conditions and respective actions to
be taken. Generally uses questions which may be responded with Yes/No
- Describes the logic of I/C process, but does not reflect the I/C flow
- Weakness in I/C often reflected in “No” responses
- Sample decision table (simplified):
Rules
1 2 3 4 5 6 7
Conditions
Proper authorization Yes Yes Yes Yes No No No
Proper recordkeeping Yes Yes No No Yes Yes No
Proper segregation of duties Yes No Yes No Yes No -*
Actions
Perform all relevant tests of control X
Perform limited tests of control X X X
Don’t perform tests of control (CR = max.) X X X
* Since response to first 2 questions are no, the response for the 3rd question is irrelevant (as test of
controls would anyways not be performed)

A3-15
 AUD-3 Miles CPA Review

R U C P A S
Is there a basis for reliance on I/C?
➢ CR/RMM Assessment
• The auditor should:
✓ Identify risks while Understanding the entity & its environment, including its I/C
 Assess the identified risks and evaluate whether they relate more pervasively to the F/S
as a whole and potentially affect many assertions
 Relate the identified risks to what can go wrong at the relevant assertion level, taking
account of relevant I/C that the auditor intends to test
✓ Consider the likelihood of potential misstatement(s), and whether these are of a magnitude
that could result in a material misstatement
✓ Determine if any identified risks are significant risks (requiring special audit consideration)
 In making this judgment, exclude effects of identified related I/C (i.e., assume no I/C)
 E.g., risk of fraud, complex transactions, related party transactions, unusual transactions
 Note: Not all high risks are significant risks. E.g., collectability of accounts receivable may
be a high risk but not a significant risk; i.e., no special audit consideration is required
beyond extensive but customary substantive tests of collectability
• Basically, to provide a basis for designing & performing further audit procedures, the auditor
should identify & assess RMM at:
✓ F/S level (i.e., relate pervasively to F/S as whole and potentially affect many assertions), and
 E.g., Risk relating to the regulatory environment in which the client operates is a
pervasive risk that affects many of F/S assertions in many accounts
 If possible, risk that exists at the F/S level should be related to specific assertions
 Auditor’s response - In addition to developing assertion-specific responses, these risks
may require the auditor to develop an overall response {TUNA}
✓ Relevant assertion level for classes of transactions, balances & disclosures
 E.g., Risk related to the valuation of inventory is restricted to that account and assertion
and the related determination of cost of sales
 Though the auditor expresses an audit opinion on the F/S as a whole, the auditor applies
the audit risk model and assesses risk at a more granular level (i.e., assertion level). To
accomplish this detailed level of risk assessment, the auditor considers what can be
misstated in transactions/balances/disclosures, and their relevant assertions
 Auditor’s response - These risks should be considered when designing the NET and
subsequently performing further audit procedures (test of controls & substantive tests).
Also, auditor may use either of the below approaches:
Only Substantive - Substantive approach - Perform ONLY substantive tests (no tests of controls) if:
tests ▪ I/C appear to be non-existent/inadequate/ineffective (i.e., CR = max.), or
▪ Auditor believes that test of controls will be inefficient (cost-benefit analysis)
- Combined approach - Perform BOTH test of controls and substantive tests if:
Test of controls +
▪ Auditor’s RMM assessment includes an expectation that I/C are effective (i.e.,
Substantive tests auditor intends to rely on I/C to design the NET of substantive tests), or
▪ Substantive tests alone are not sufficient (e.g., IT environments)
• Note: The auditor’s assessment of RMM may change during the course of the audit as
additional audit evidence is obtained
✓ If the audit evidence obtained from performing further audit procedures is inconsistent
with the audit evidence on which the auditor originally based the assessment, auditor
should revise the assessment and modify the further audit procedures accordingly
A3-16
Miles CPA Review AUD-3

R U C P A S
Test the operating effectiveness of I/C
➢ Perform tests of controls
• Auditor should design and perform tests of controls to obtain sufficient appropriate audit
evidence about the operating effectiveness of relevant controls if
✓ Auditor’s RMM assessment includes an expectation that I/C are effective (i.e., auditor
intends to rely on I/C to design the NET of substantive tests), or
✓ Substantive tests alone are not sufficient (e.g., IT environments where all transactions are
processed thru the IT system and there is no documentation)
• Greater the reliance the auditor intends to place on I/C, the more persuasive the audit evidence
from the test of controls should be
• Risk Assessment Procedures vs. Tests of Controls:
Risk assessment procedures Test of Controls
RUCPAS? RUC PA
Evaluation Evaluate design & Evaluate operating effectiveness of
implementation of I/C I/C
Purpose Look at the “form” of I/C; Look at the “substance” of I/C;
Question is - Are I/C “present”? Question is - Are I/C “functioning”?
Procedures WA-IIO RIIO

✓ Note: Although some risk assessment procedures may not have been specifically designed
as tests of controls, they may nevertheless provide audit evidence about the operating
effectiveness of the controls and, consequently, serve as tests of controls
 E.g., Auditor’s risk assessment procedures may have included the following:
▪ Inquiring about management’s use of budgets
▪ Observing management’s comparison of monthly budgeted and actual expenses
▪ Inspecting reports pertaining to the investigation of variances between
budgeted and actual amounts
These audit procedures provide knowledge about the design of the entity’s budgeting
policies and whether they have been implemented but also may provide audit evidence
about the effectiveness of the operation of budgeting policies in preventing, or
detecting and correcting, material misstatements in the classification of expenses.
• Dual Purpose tests - Concurrent performance of Test of Controls & Substantive test of details.
E.g., Examination of invoice to determine whether it has been approved (test of control) and to
provide substantive evidence of $ value of the transaction (substantive test) concurrently
✓ Note that the objective of the both the tests are different:
 Test of controls - Use "RIIO" to test the operating effectiveness of I/C ("ARCCS")
 Substantive Test of Details - Use "RIIO CAR RACE" to accumulate corroborative audit
evidence relating to management assertions of "COVER UP" {covered in AUD-4}

A3-17
AUD-3 Miles CPA Review

• Procedures which may be used for test of controls {RIIO around A|R|C|C}:
R ✓ Re-performance - Auditor independently executes the procedures or controls that were
originally performed by the client personnel
 E.g., If billings clerk matches sales orders & bill of lading before invoicing, auditor may
pull a sample of invoices that were generated and try to locate and match to the sales
orders & bill of lading for these invoices

I ✓ Inquiry - Auditor seeks info of knowledgeable persons, both financial and non-financial,
from within/outside the entity (oral/written); thereafter, evaluates response received
 E.g., Inquire about credit procedure for new customers

I ✓ Inspection - Auditor examines records or documents (may be internal/external,

paper/electronic) or physically examines an asset
 Auditor may vouch or trace {VRE, TOC - Think of your instructor, remember Varun’s
Really Excellent in Training Of CPAs}
- Vouching - Examine documents in Reverse order of preparation to test the assertion
of Existence & Occurrence (e.g., account books → source documents)
- Tracing - Examine documents in Order of preparation to test the assertion of
Completeness (e.g., source documents → account books)

RE
F/S
Trial Balance

OC
Ledger
Journal
Source documents

 Used for I/C where operating effectiveness is evidenced by documentation, such that
auditor can inspect such documents to obtain evidence about operating effectiveness.
E.g., Auditor may inspect (vouch) a sample of sales invoices to shipping documents and
approved sales orders

O ✓ Observation - Auditor looks at a process/procedure being performed by others

 E.g., Auditor may observe warehouse personnel dispatch goods per sales order

Auditor uses RIIO to test if

ARCCS are operating effectively

A3-18
Miles CPA Review AUD-3

• NET of Test of controls

✓ Nature & Extent of Test of Controls -
 In designing & performing tests of controls, auditor should
- Perform RIIO to obtain audit evidence about operating effectiveness of I/C, including
▪ how the controls were applied at relevant times during the period under audit
▪ the consistency with which they were applied
▪ by whom or by what means they were applied, including, when applicable,
whether the person performing the control possesses the necessary authority &
competence to perform the control effectively
- Determine whether the controls to be tested depend upon other controls (indirect
controls) and, if so, whether it is necessary to obtain audit evidence supporting the
operating effectiveness of those indirect controls
E.g., when the auditor decides to test the effectiveness of a user review of exception
reports detailing sales in excess of authorized credit limits:
▪ Direct control = user review and related follow up
▪ Indirect control = control over accuracy of info in reports; e.g., general IT controls
 Due to inherent consistency of IT processing, may not be needed to increase “extent” of
testing of an automated control, which is expected to function consistently unless the
program is changed. Once the auditor determines that an automated control is
functioning as intended (as of the implementation date or a later date), the auditor may
consider performing tests to determine that the control continues to function
effectively. Such tests might include determining that:
- No changes to the program are made without appropriate program change controls
- Authorized version of the program is used for processing transactions
- Other relevant general controls are effective
✓ Timing of Tests of Controls -
 Using audit evidence obtained during an interim period - Auditor should
- Obtain audit evidence about significant changes to those controls subsequent to the
interim period, and
- Determine the additional audit evidence to be obtained for the remaining period
(e.g., by extending the test of controls over the remaining period, or testing the
entity’s monitoring of controls)
 Using audit evidence obtained in previous audits - Auditor should perform audit
procedures to establish the continuing relevance of that info to the current audit by
performing RIIO to confirm the understanding of those specific controls, and
- If there have been changes that affect the continuing relevance of the audit
evidence from previous audits, auditor should test the controls in the current audit
- If there have not been such changes, auditor should test the controls at least once in
every third audit (and should test some controls during each audit to avoid the
possibility of testing all the controls on which the auditor intends to rely in a single
audit period with no testing of controls in the subsequent two audit periods)
▪ However, PCAOB AS (for issuers) does not allow the auditors of issuers to use
results of previous years' test of controls in the current audit
 Controls over Significant Risks - If the auditor plans to rely on controls over a risk the
auditor has determined to be a significant risk, auditor should test the operating
effectiveness of those controls in the current period
A3-19
 AUD-3 Miles CPA Review

R U C P A S Can I/C be relied?

➢ Assess results (Evaluate operating effectiveness of I/C => reassess CR => determine DR)
• Assessing the results of test of controls -
✓ If I/C operating as expected - may not need to modify the planned NET of substantive tests
✓ If I/C not operating as expected - may need to modify the planned NET of substantive tests

R U C P A S Test of $$$ - transactions,

➢ Substantive Procedures (covered in detail in AUD-4) account balances & disclosures
• Designed to detect material misstatements at the relevant assertion level
✓ Auditor may perform either/both of: {RIIO CAR RACE Apps}
 Tests of details (classes of transactions, account balances, disclosures) {RIIO CAR RACE}
 Substantive analytical procedures {Apps}

✓ Understanding the NET of substantive tests:

 Nature (What?) - Test of details & Substantive analytical procedures
 Extent (How much?) - Greater the RMM & CR, more the substantive procedures (as
planned level of DR would decrease)
 Timing (When?) - Interim, at period end or after period end

✓ Management assertions include {COVER UP}

 Completeness (Tracing)
 Cut-Off
 Valuation, Allocation & Accuracy
 Existence or Occurrence (Vouching)
 Rights & Obligations
 Understanding & Classification
 Presentation & Disclosure

A3-20
Miles CPA Review AUD-3

• The NET of substantive tests should be responsive to the assessed RMM, including the results
of tests of controls and the planned level of DR
✓ Even if I/C are effective and assessed RMM is low, can reduce but not eliminate substantive
tests [since I/C only reduce but not eliminate RMM on F/S]
Effective I/C at client Ineffective I/C at client
Applying AR Rely on I/C  CR  RMM  Rely on I/C  CR  RMM 
components
Subs. Tests  DR  Subs. Tests  DR 
Determine DR As CR/RMM is low, can afford higher DR If CR/RMM is high, need to lower DR
Altering the High DR - may lower NET of substantive Low DR - need to have a higher NET of
NET of tests, i.e.: substantive tests, i.e.:
Substantive - Nature: can have less effective tests - Nature: need more effective tests (e.g.,
Tests (e.g., evidence from inside the entity) seek evidence from outside the entity)
- Extent: can reduce sample size - Extent: need to increase sample size
- Timing: more of interim testing (and - Timing: need more testing closer to
less year-end testing) is ok year-end

Audit procedures = RUCPAS

R
U Risk Assessment Procedures
C

P Further Audit Procedures =

A Test of controls +
S Substantive tests

A3-21
AUD-3 Miles CPA Review

(This page is left blank for any reference notes on

Auditor’s Consideration of I/C)

A3-22
 Powered by:

Pre-reading

Material
MANAGEMENT ASSERTIONS

futurense.com |
Miles CPA Review AUD-4

4.1) Audit Evidence P I C

I) Audit Evidence = Sufficient & Appropriate
{C of the field PIC}:
Corroborative Audit Evidence - The auditor must obtain sufficient appropriate Audit Evidence by
performing audit procedures to afford a reasonable basis for an opinion regarding the F/S under audit

➢ Corroborative Audit Evidence - Info used by the auditor in arriving at the conclusions on which the
audit opinion is based, including info in the accounting records underlying the F/S and other info
• Gathered by performing audit procedures (RUCPAS) and is cumulative in nature
✓ R + U + C = Risk Assessment Procedures
✓ P+A = Test of Controls (RIIO)
✓ S = Substantive Procedures (RIIO CAR RACE Apps) “Further” audit procedures
• Besides audit procedures, may also include info from other sources; e.g., previous audits, audit
firm’s quality control procedures for client acceptance & continuance
• Must “corroborate” to management assertions regarding F/S (COVER UP)
If RMM ↑, Substantive Tests ↑ Audit Evidence ↑ DR ↓
If RMM ↓, Substantive Tests ↓ Audit Evidence ↓ DR ↑
➢ Audit Evidence must be Sufficient (quantity) AND Appropriate (quality)
• Includes:
✓ Accounting records - Records of initial accounting entries & supporting records. E.g., checks,
invoices, contracts, journal entries, ledgers, records (spreadsheets, computations, etc.)
 However, underlying accounting data alone is not sufficient & appropriate
✓ Other Info - Minutes, confirmations from third parties, analysts’ reports, comparable data
about competitors (benchmarking), control manuals, info obtained from audit procedures
• Auditor must use judgment to evaluate both sufficiency and appropriateness of audit evidence
✓ When using info produced by the entity, auditor should evaluate whether the info is
sufficiently reliable for the auditor’s purposes, including (as necessary):
 Evaluating whether info is sufficiently precise and detailed
 Obtaining audit evidence about the accuracy and completeness of the info
✓ If entity uses specialists for certain significant areas (e.g., actuarial, fair value), auditor
should evaluate specialists’ competence & objectivity, obtain an understanding of the work
of specialists and evaluate the appropriateness of specialists’ work
✓ When audit evidence obtained from one source is inconsistent with that obtained from
another (or auditor has doubts over reliability of audit evidence), auditor should determine
necessary modifications or additions to audit procedures to resolve the matter
• Auditor should consider NET of further audit procedures to judge if evidence is sufficient &
appropriate
✓ Sufficiency relates closely to extent of testing
✓ Appropriateness relates closely to nature & timing (for timing, substantive tests near to at
year-end are more effective than interim; also, need to incorporate unpredictability)

A4-3
 AUD-4 Miles CPA Review

Sufficient Quantity = N E T
➢ “Sufficient” - Measure of the quantity of audit evidence
• Based on auditor’s judgment Reasonable assurance, not
✓ Want evidence that is persuasive (even if not conclusive) absolute assurance
✓ May consider the relationship between the cost of obtaining audit evidence and the
usefulness of the info obtained (however, difficulty or expense is not in itself a valid basis
for omitting an audit procedure for which there is no appropriate alternative)
• If Sufficiency of evidence ↑, achieved DR ↓ Quantity ↑ DR ↓
✓ Quantity of evidence required is affected by:
 RMM - Higher the assessed RMM, the more audit evidence is likely to be required
- E.g., If RMM ↑, need to reduce DR ↓, and may need more quantity and/or better
quality of evidence
 Quality (or appropriateness) of evidence - higher the quality, the lesser may be required
- However, obtaining more audit evidence may not compensate for its poor quality
Appropriate Quality = N E T
➢ “Appropriate” - Measure of the quality of the audit evidence (i.e., its relevance and reliability in
providing support for the conclusions on which the auditor’s opinion is based)
• Relevance - Relates to the purpose of the audit procedure and, when appropriate, the assertion
under consideration; e.g., if the purpose is to test for overstatement of A/R, confirmations may
be a relevant audit procedure
• Reliability - Influenced by the source and nature of audit evidence, and is dependent on the
individual circumstances under which it is obtained
✓ Source of audit evidence:
 Obtained directly by auditor (auditor developed - e.g., inventory observation)
- More reliable than audit evidence obtained indirectly or by inference
 Obtained from knowledgeable independent sources outside the entity (outside - e.g.,
bank confirmation, analysts’ reports, competitor data)
- More reliable than evidence obtained from inside of the entity
 Prepared by outsider but obtained from entity (outside/inside - e.g., bank statement)
 Generated internally by entity (inside - e.g., sales invoice, management representation)
- More reliable if related I/C are effective
- Though management representation is generated internally, it is required in every
audit (and auditor’s reliance on the same may be affected by factors like fraud risk)
- Note: Accounting records alone do not provide sufficient appropriate audit evidence
✓ Form of audit evidence:
 Audit evidence in documentary form (paper/electronic) is more reliable than evidence
obtained orally (e.g., written minutes of meeting is more reliable than subsequent oral
representation of the matters discussed)
 Audit evidence by original documents is more reliable than photocopies/facsimiles/etc.
whose reliability depends on I/C over their preparation and maintenance
• If Appropriateness of evidence ↑, achieved DR ↓ Quality ↑ DR ↓
✓ Thus, if acceptable level of DR is low, auditor will seek higher overall levels of
persuasiveness (though evidence may be a mix of sources including auditor developed,
outside, outside/inside and inside)

A4-4
Miles CPA Review AUD-4

II) Audit Evidence = Response to assessed RMM

➢ Audit Risk (as studied in AUD-2):

If RMM ↑, Substantive Tests ↑ Audit Evidence ↑ DR ↓

If RMM ↓, Substantive Tests ↓ Audit Evidence ↓ DR ↑
A4-5
 AUD-4 Miles CPA Review

➢ Responding to assessed RMM in order to reduce audit risk to an acceptably low level (2 ways):
• At the F/S level - Overall responses to address assessed RMM at F/S level may include {TUNA}:
T ✓ Team on the audit engagement - Emphasize professional skepticism, more experienced staff
or specialists, more supervision
U ✓ Unpredictability to be incorporated in the selection of further audit procedures
N ✓ NET of audit procedures - Affects auditor’s general approach (substantive/combined)
 Besides, auditor may make general changes to the NET of audit procedures. e.g., N -
more persuasive audit evidence, E - more extensive audit evidence, T - substantive tests
at year-end instead of interim
A ✓ Accounting policies selected/applied by the entity - Evaluate if appropriate

•At the relevant assertion level - Design and perform further audit procedures whose NET are
responsive to the assessed RMM
✓ In designing the further audit procedures to be performed, the auditor should
 Consider reasons for assessed RMM at the relevant assertion level for each class of
transactions, account balance, and disclosure, including
- Likelihood of material misstatement due to particular characteristics (Inherent Risk)
- Whether risk assessment takes into account relevant I/C (Control Risk)
 Higher the RMM, higher the persuasiveness of audit evidence needed
✓ Consider whether auditor is required to obtain audit evidence to determine if I/C is effective
R U C P A S  Yes - Combined approach (Test of controls + Substantive procedures) if
- Auditor intends to rely on I/C to determine NET of substantive tests (and, thus,
wants to test if I/C are operating effectively)
- Substantive tests, by themselves, would not provide sufficient appropriate audit
evidence; e.g., when an entity conducts its business using IT and no documentation
of transactions is produced or maintained, other than through the IT system
 No - Substantive approach (Only Substantive procedures); used for certain assertions if
X
R U C P A S - Ineffective I/C, or
- Inefficient (cost/benefit) to test effectiveness of I/C
✓ NET of further audit procedures
What?  Nature of audit procedures - Refers to purpose (e.g., test I/C, test $ for existence) & type
(RIIO for test of controls & RIIO CAR RACE Apps for substantive tests)
- Determines if Audit Evidence is Appropriate (Relevant + Reliable)
- As RMM ↑, Appropriateness for Audit Evidence must be ↑
How much? Extent of audit procedures - Refers to the quantity to be performed (e.g., sample size,

number of observations). Based on auditor’s judgment regarding tolerable
misstatement, expected misstatement, assessed RMM, allowable risk, etc.
- Determines if Audit Evidence is Sufficient
- As RMM ↑, Extent ↑, Sufficiency of Audit Evidence must be ↑
When?  Timing of audit procedures - Refers to when the audit procedures are performed or the
period or date to which the audit evidence applies (e.g., interim vs. period end)
- As RMM ↑, perform substantive tests closer to period end (also, incorporate more
unpredictability while performing the further audit procedures)
Determines if audit evidence = sufficient
N E T
A4-6
Determines if audit evidence = appropriate
Miles CPA Review AUD-4

(This page is left blank for any reference notes on

Audit Evidence)

A4-7
AUD-4 Miles CPA Review

4.2) Management Assertions

➢ In representing that the F/S are in accordance with the applicable financial reporting framework
(e.g., GAAP), management implicitly or explicitly makes assertions regarding the recognition,
measurement, presentation, and disclosure of the various elements of F/S and related disclosures

➢ Summarized as COVER UP {The professionally skeptic auditor should know that Management is
trying to COVER UP with all its assertions}

Completeness = All transactions, balances & disclosures are recorded

Existence = Whatever is recorded is bona fide

A4-8
Miles CPA Review AUD-4

➢ Assertions used by the auditor to consider the different types of potential misstatements that may
occur fall into the following categories (3 categories for the 13 management assertions):
• Assertions about classes of transactions and events for the period under audit
• Assertions about account balances at the period-end
• Assertions about presentation and disclosure
Classes of Transactions & Events Account Balances at year-end Presentation & Disclosures
C Completeness - All transactions & Completeness - All assets, liabilities Completeness - All disclosures that
events that should have been & equity interests that should have should have been included in the F/S
recorded have been recorded been recorded have been recorded have been included
O Period Cutoff - Transactions & events
have been recorded in the correct
accounting period
V Accuracy - Amounts and other data Allocation and Valuation - Assets, Accuracy and Valuation - Financial
relating to recorded transactions liabilities & equity interests are and other info is disclosed fairly and
have been recorded appropriately included at appropriate amounts at appropriate amounts
and any resulting valuation or
allocation adjustments are recorded
appropriately
E Occurrence - Transactions & events Existence - Assets, liabilities &
that have been recorded have equity interests exist
occurred and pertain to the entity
R Rights & Obligations - The entity Rights & Obligations, and
holds or controls the rights to Occurrence - Disclosed transactions
assets, and liabilities are the & events have occurred and pertain
obligations of the entity to the entity
U Classification - Transactions & events Understanding & classification -
P have been recorded in the proper Financial info is appropriately
accounts presented and described and info in
disclosures is expressed clearly

➢ Relevant assertions for classes of transactions, account balances, and disclosures - Used by auditor
to assess RMM and to design & perform further audit procedures
• Relevant assertions are those that have a meaningful bearing on whether the transaction/
account/disclosure is fairly stated. Not all assertions will always be relevant
✓ E.g., Valuation may not be relevant to the cash account unless currency translation is
involved; however, existence and completeness are always relevant
✓ E.g., Valuation may not be relevant to the gross amount of A/R balance but is relevant to
the related allowance accounts
✓ Also, in some circumstances, auditors focus on the presentation & disclosure assertions
separately in connection with the period-end financial reporting process
• Identifying relevant assertions includes determining the source of likely potential
misstatements. Attributes indicating if the particular assertion is relevant include:
✓ Nature of the assertion
✓ Volume of transactions or data related to the assertion
✓ Nature & complexity of the systems, including the use of IT
• In identifying & assessing RMM at the relevant assertion level, auditor may conclude that the
identified risks relate more pervasively to F/S as a whole and potentially affect many assertions
A4-9
AUD-4 Miles CPA Review

(This page is left blank for any reference notes on

Management Assertions)

A4-10
 Miles CPA Review AUD-4

4.3) Substantive Procedures

I) Audit Procedures = R U C P A S

Audit Objective = Detect any material misstatements in F/S

➢ Auditor should obtain evidence to draw reasonable conclusions on which to base his opinion, by
R performing the following audit procedures:
U • Risk assessment procedures - Performed to obtain an understanding of the entity & its
environment, including its I/C, to identify & assess RMM at F/S & relevant assertion levels. By
C themselves, do not provide sufficient appropriate audit evidence as a base for audit opinion
• Tests of controls (RIIO) - Performed to test the operating effectiveness of I/C in preventing, or
P
detecting & correcting, material misstatements at the relevant assertion level. Needed if:
A ✓ Auditor intends to rely on I/C to determine NET of substantive tests
✓ Substantive tests , by themselves, would not provide sufficient appropriate audit evidence;
e.g., accounting in IT environments
S • Substantive procedures (RIIO CAR RACE Apps) - Performed to detect material misstatements at
Also called the assertion level. Required for each material transaction class, account balance, and
Further disclosure item irrespective of assessed RMM (even if low). 2 categories of substantive tests:
Audit
✓ Test of details (RIIO CAR RACE) - Applies to transaction classes, account balances &
Procedures
disclosures
✓ Analytical procedures (Apps) - Evaluations of financial info through analysis of plausible
relationships among both financial and non-financial data; encompass investigation of any
identified fluctuations or unusual/unexpected/inconsistent relationships
 More applicable to large volumes of transactions that tend to be predictable over time

➢ “Further audit procedures” = Test of controls + Substantive procedures

• Called “further” audit procedures because these are designed based on the risk assessment and
follow the risk assessment procedures
Test of Controls: Substantive Procedures:
Audit Procedure = RIIO Audit Procedure = RIIO CAR RACE Apps
To Test = ARCCS of I/C To Test = COVER UP of Management Assertions
(Optional for non-issuers) (Mandatory - however, may choose between RIIO CAR RACE Apps)

A4-11
 AUD-4 Miles CPA Review

RUCPAS
II) Substantive Procedures = Test of details + Analytical Procedures
RIIO CAR RACE Apps
➢ Auditor’s Substantive Procedures = Test of details {RIIO CAR RACE} + Analytical Procedures {Apps}
To test the management assertions of COVER UP

• Sample/Indicative substantive procedures to test the management assertions:

↑race in Order for Completeness

Vouch in Reverse-order for Existence

A4-12
Miles CPA Review AUD-4

III) Test of Details = RIIO CAR RACE Test of details = $ testing

➢ Tests of details refer to tests applied to transaction classes, account balances & disclosures
• Includes the following types of procedures {RIIO CAR RACE}
R ✓ Re-performance - Independently execute procedures/controls that were originally
performed by entity personnel; e.g., re-performing the ageing of A/R

I ✓ Inquiry - Seek info (financial/non-financial) of knowledgeable persons internally (e.g.,

management, employees) or externally (e.g., attorney); may be written or oral

I ✓ Inspection - Examine documents/records {VRE,TOC}

 Vouch in Reverse order of preparation to test Existence/Occurrence (e.g., account books
→ source documents; sales journal to shipping documents to test if sales had occurred)
 Trace in Order of preparation to test for Completeness (e.g., source documents →
account books; receiving report to purchase journal to test completeness for purchases)

O ✓ Observation - Look at a process/procedure performed by others. e.g., observation of

inventory count by entity personnel, observation of control activities

C ✓ Confirmation (external) - Obtain direct written response from a third party about balances/
transactions or even terms of an agreement. e.g., A/R confirmation, A/P confirmation, bank
confirmation, confirmation from lenders ($ due, terms of repayment, restrictive covenants),
confirmation from bonded warehouse (for inventory held), confirmation from
lawyers/financers (for property title deeds held by them for safe custody or as security)

A ✓ Asset Inspection - Physically examine tangible assets; e.g., PP&E

✓ Reconciliation - Compare & agree $ from two sources; e.g., cash balance per books to cash
R
balance per bank, lead schedules to general ledger, physical inventory count to perpetual
inventory records

R ✓ Recalculation, Footing & Crossfooting - Check mathematical accuracy of documents/

records by recomputing, adding down (footing), adding across (crossfooting); e.g.,
recalculating for depreciation & amortization

A ✓ Auditing related accounts simultaneously - Test revenue/expense $ (I/S) alongside related

asset/liability $ (B/S); e.g., Sales & A/R, COGS & Inventory, Interest expense & Debt,
Repairs/maintenance & PP&E capital additions, Dividend/interest income & Investments

C ✓ Cut-off procedures - Test transactions (esp. around year-end) to validate if they are
recorded in the correct accounting period; e.g., sales, purchases, inventory, cash, accruals

✓ Events subsequent to B/S date - Perform procedures to test for events after B/S date upto
E
the date of the auditor’s report; e.g., settlement of contingent liability after B/S date

A4-13
AUD-4 Miles CPA Review

• ‘Directional testing’ by Inspection (Vouching & Tracing) {VRE,TOC - Think of your instructor,
remember Varun’s Really Excellent in Training Of CPAs}
✓ Vouching - Examine documents in Reverse order of preparation to check management
assertion of Existence & Occurrence (e.g., account books → source documents)
 Existence = Whether what is recorded has occurred (or exists)
✓ Tracing - Examine documents in Order of preparation to check management assertion of
Completeness (e.g., source documents → account books)
 Completeness = Whether all transactions have been recorded
• Possible approaches for Test of Details (may also use a combination):
✓ Test of Transactions - Auditor tests transactions during the period
 Esp. if few transactions, large $ amounts
 E.g., Investments, PP&E, Bonds, N/P, stockholders equity
✓ Test of Account Balances - Auditor tests the period-end balance
 Esp. if numerous transactions, small $ amounts
 E.g., Cash, A/R, Inventory, A/P
• NET of the test of details - Based on RMM assessment & level of DR that needs to be achieved
✓ Nature - Auditor determines whether to perform test of details, analytical procedures, or a
combination of both. Also, test of details are designed based on relevant assertion(s):
 Tests of details related to Existence/occurrence assertion may involve selecting from
items contained in a F/S amount and obtaining the relevant audit evidence
 Tests of details related to Completeness assertion may involve selecting from items that
are expected to be included in the relevant F/S amount and investigating whether they
are included. E.g., Auditor may inspect subsequent cash disbursements & compare them
with the recorded A/P to determine whether any purchases had been omitted from A/P
✓ Extent - Ordinarily, extent implies sample size. Few methods of selecting items for testing:
 Select all items - e.g., population with small number of large $-value items
 Select specific items - e.g., testing all items above a certain $ amount
 Audit sampling - Testing a sample to project results to the population {cover in AUD-5}
✓ Timing - Generally, substantive tests closer to period-end may be more effective than
interim testing (esp. in cases where RMM is high)
 May do a combination of interim & period-end testing - For substantive tests performed
at an interim date, the auditor should cover the remaining period by performing
- Substantive tests, combined with tests of controls for the intervening period, or
- Substantive tests only for the intervening period
 If auditor detects unexpected misstatements at an interim date (based on assessment of
RMM), auditor may need to modify NET of substantive tests for the remaining period
 Note that some procedures cannot be performed until period-end (e.g., search for
unrecorded liabilities or obtaining management representation) and some must be
performed close to B/S date (e.g., observation of inventory or marketable securities)
• Cost/Benefit - Auditor may consider the cost/benefit relationship in selecting appropriate audit
procedures. However, difficulty, time, or cost are NOT valid reasons to omit an audit procedure
(if audit evidence is less than persuasive and there is no alternative procedure)

A4-14
 Miles CPA Review AUD-4

Apps = Ratio Analysis /

IV) Analytical Procedures = Apps BRIEF yet insightful
➢ Analytical procedures - Evaluations of financial info through analysis of plausible relationships
among both financial and non-financial data; encompass investigation of any identified fluctuations
or unusual/unexpected/inconsistent relationships
• Based on the basic premise that plausible relationships among data may reasonably be
expected to exist and continue (in the absence of known conditions to the contrary)
✓ E.g., Gross margin % would be expected to conform to a predictable pattern based on
recent history of the entity and industry
• Analytical procedures include consideration of {BRIEF, yet insightful}
B ✓ Budget vs. Actual - Comparing actual F/S with anticipated results of the entity (e.g., budgets
or forecasts), or expectations of the auditor (e.g., estimation of depreciation)
R ✓ Relationships, ratios & trends in F/S elements - Considering relationships among F/S
elements (e.g., gross margin % trend/pattern; interest costs on I/S should relate to the
borrowing on B/S)
I ✓ Industry vs. Entity - Comparing entity F/S with similar industry info (e.g., comparison of the
entity’s ratio of sales to A/R and gross margin % with industry averages or other entities of
comparable size in the same industry)
E ✓ Earlier periods vs. This period - Comparing entity F/S with comparable info for prior periods

F
✓ Financial vs. Non-financial - Considering relationships between financial info and relevant
nonfinancial info (e.g., payroll costs vs. number of employees, sales vs. production capacity)
• May be applied to consolidated F/S, components, and individual elements of info
✓ May use disaggregated data; e.g., comparing revenue reported by month and by product
line or business segment during the current reporting period with comparable prior periods
• Analytical procedures range from performing simple comparisons to performing complex
analyses using advanced statistical techniques
• Scanning - Type of analytical procedure involving exercise of auditor’s professional judgment to
review accounting data to identify significant or unusual items to test. May include:
✓ Identification of unusual individual items within account balances or other data
✓ Searching for large or unusual items in the accounting records (e.g., non-standard journal
entries), as well as in transaction data (e.g., suspense accounts and adjusting journal
entries) for indications of misstatements
• In general, relationships involving I/S accounts tend to be more predictable than those
Only I/S = ok involving only B/S accounts (because I/S accounts represent transactions over a period of time,
whereas B/S accounts represent amounts as of a point in time)
I/S + B/S = ok
✓ E.g., Depreciation expense has a predictable relationship with PP&E (as it is calculated based
Only B/S = ? on useful life of assets). However, the relationship between Accumulated depreciation and
PP&E may not be as predictable
✓ Also, transactions or accounts less subject to management discretion are more predictable
• Auditor develops expected $/ratios (based on consideration of BRIEF), and then compares
actual recorded $/ratios vs. auditor’s expected $/ratios
✓ Comparison should always include actual recorded $/ratio for the results to make sense
Actual vs. Budget = ok
Actual vs. Prior year = ok
A4-15
Budget vs. Prior = meaningless
 AUD-4 Miles CPA Review

• Analytical procedures performed at various stages during an audit:

Stage Required? Purpose Remarks
Planning Mandatory May identify aspects of Apply to F/S data aggregated at the
the entity of which the highest level and only provide a broad
auditor was unaware initial indication (since auditor is still in
and may assist in planning stage);
assessing RMM in order May enhance auditor’s understanding
to provide a basis for of the client’s business and identify
planning the NET of unusual $/ratio/trends or unusual/
further audit unexpected relationships that may
procedures. have audit implications
Substantive Optional To obtain evidence on Generally more applicable to large
Maybe Procedures (may be relevant assertions for volumes of transactions that tend to be
substituted transactions/ balances & predictable over time;
by test of reduce DR. Auditor’s Effectiveness & efficiency depends on
details) decision whether to use: - Nature of assertion,
- test of details ONLY, - Plausibility & predictability of the
- substantive analytical relationship,
procedures ONLY, or - Availability & reliability of data used,
- combination of both. - Precision of expectation
Overall Mandatory Assist the auditor when Apply to F/S data in order to:
Review forming an overall - Consider adequacy of evidence
conclusion about gathered in response to unusual or
whether F/S are unexpected balances identified
consistent with the during the audit
auditor’s understanding - Identify unusual or unexpected
of the entity (performed balances or relationships that were
at or near the end of the not identified earlier (e.g., large
audit). income $ reported in last few weeks
Generally performed by of the period that is inconsistent
the audit partner. with trends in cash flow from
operations)

• Ratios - Commonly used while considering BRIEF (budgets, relationships of F/S elements,
budgets, industry averages, earlier periods, financial vs. non-financial info). Few types:
✓ Liquidity ratios - current ratio, quick ratio
 E.g., Low current ratio (less than 1) may indicate that the entity may be unable to pay its
debts as they become due, and may lead to a going concern issue
✓ Activity ratios - A/R turnover, inventory turnover, asset turnover, etc.
 E.g., Low inventory turnover ratio may reflect that inventory comprises obsolete
inventory which may need to be written-down
✓ Profitability ratios - profit margin, return on assets, return on equity, etc.
✓ Coverage ratios - debt to equity, times interest earned, debt coverage ratio, etc.
A4-16
Miles CPA Review AUD-4

Ratio Formula Purpose or Use

LIQUIDITY RATIOS - Measure the entity’s ability to pay its maturing obligations in the short-term
Working capital Current assets - Current liabilities Measures entity’s operating liquidity
Current ratio Current assets Measures entity’s ability to pay short-
Current liabilities term obligations
Quick or acid-test Cash, marketable securities & receivables Measures entity’s ability to immediately
ratio Current liabilities pay its short-term obligations
Current cash debt Net cash provided by operating activities Measures entity’s ability to pay its
coverage ratio Average current liabilities current liabilities from its operations
ACTIVITY RATIOS - Measure the efficiency of the entity’s business operations
Receivables Net credit sales Measures entity’s ability to efficiently
turnover Average trade receivables (net) extend credit & collect funds from A/R
Inventory turnover COGS Measures the number of times inventory
Average Inventory is sold/used during the period
Asset turnover Net sales Measures entity’s ability to efficiently use
Average Assets its assets to generate sales
# of days supply in 365 / Inventory Turnover OR Measures number of days required to sell
average inventory Average (ending) inventory inventory
Average daily COGS
# of days sales in 365 Measures number of days required to
average receivable Receivables Turnover collect A/R
PROFITABILITY RATIOS - Measure entity’s ability to generate earnings
Profit margin Net income Measures net income generated for each
(Gross margin) Net sales $ of sales
Rate of return on Net Income Measures net income generated for each
assets Average total assets $ of assets
Return on equity Net Income minus preferred dividends Measures net income generated for each
Average common stock holders equity $ of stockholders’ equity
Earnings per share Net Income minus preferred dividends Measures net income generated on each
Weighted shares outstanding share of common stock
Price-earnings Market price of stock Measures the ratio of the entity’s stock
ratio Earnings per share market price to earnings per share
Payout ratio Cash dividends Measures % of earnings distributed to
Net income stockholders as cash dividends
COVERAGE RATIOS - Measures the entity’s ability to meet its financial obligations
Debt to equity Total debt Measures how much debt entity is using
Stockholder’s equity relative to its stockholders’ equity
Debt to total Total debt Measures how much debt entity is using
assets Total assets relative to its total assets
Times interest Income before interest and taxes (EBIT) Measures entity’s ability to meet its
earned Interest expense interest payment obligations
Cash debt Net cash provided by operating activities Measures how much of entity’s liabilities
coverage ratio Average total liabilities can be paid with cash from operations
Book value per Common stockholders equity Measures $ each common stock holder
share Outstanding shares would get if entity liquidated at B/S $

A4-17
 AUD-4 Miles CPA Review

(This page is left blank for any reference notes on

Substantive Procedures)

Audit Procedures = RUCPAS

R
Risk Assessment
U
Procedures
C
P = Test of controls (RIIO around ARCCS)
Further Audit
A
Procedures
S = Substantive Tests (RIIO CAR RACE Apps around
COVER UP)

Test of Details Analytical Procedures

(RIIO CAR RACE) (Apps)

Test of Test of
Transactions Balances

A4-18
thankyou