
International Audit Workbook



Chapter 1 - Introduction and Contents
  Purpose of Audit Workbook
  Description of Contents
Chapter 2 - Engagement Management
  2.1 Team Member Roles
  2.2 Client and Engagement Acceptance and Continuance
  2.3 Setting the Terms of the Audit
  2.4 Audit Documentation
  2.5 Review
  2.6 Communications with Management and Those Charged with Governance
Chapter 3 - Planning
  3.1 Preliminary Engagement Activities
  3.2 Kickoff Discussion
  3.3 Engagement Scope
  3.4 Audit Strategy Decisions
  3.5 Risk Assessment Procedures
  3.6 Understanding the Entity
  3.7 Risk Assessment and Planning Discussion
  3.8 Summary of Identified Risks
  3.9 Planned Audit Approach
  3.10 Changes to Our Audit Strategy or Planned Audit Approach
Chapter 4 - Control Evaluation
  4.1 Entity Level Controls
  4.2 Accounting Activities at the Assertion Level
  4.3 Controls at the Assertion Level
  4.4 Test the Operating Effectiveness of Selected Controls
  4.5 Control Deficiencies
  4.6 Substantive Approach
  4.7 Financial Reporting
  4.8 Risk of Significant Misstatement (RoSM)
Chapter 5 - Substantive Testing
  5.1 Risk of Significant Misstatement
  5.2 Substantive Procedures
  5.3 Nature, Timing, and Extent of Substantive Procedures
  5.4 Substantive Analytical Procedures
  5.5 Tests of Details
  5.6 Computer Assisted Audit Techniques
  5.7 Substantive Sampling Techniques
  5.8 External Confirmations
Chapter 6 - Completion
  6.1 Performing Completion Procedures
  6.2 Audit Objectives Associated with Significant Risks
  6.3 Significant Findings and Issues
  6.4 Results of Audit Procedures
  6.5 Independence and Ethical Issues
Chapter 7 - Specific Topics
Chapter 8 - Engagements to Review Interim Financial Information of an Audit Client
  8.1 Obtain an Understanding of the Entity and Its Environment, Including Its Internal Control
  8.2 Inquiries, Analytical Procedures, and Other Review Procedures
  8.3 Evaluate the Results of Our Review
  8.4 Other Considerations
  8.5 Obtain Management Representation Letters
  8.6 Other Information That Accompanies the Interim Financial Information
  8.7 Communication with Management and Those Charged with Governance
  8.8 Reporting
Chapter 9 - Group Audits
Appendix A - Audit Workbook Supplement 2009

© 2010 KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

Chapter 1 - Introduction and Contents


This Workbook is intended to serve only as a partial summary of various tools and workflows associated with the performance of a KPMG audit. The KPMG Audit Manual (KAM) International continues to be the primary source of KPMG policy and guidance related to the performance of a KPMG audit. KAM International is available on Accounting Research Online (ARO) and may also be available on your desktop. Guidance on using KAM International can be accessed by selecting the "KAM Help File" from the KAM International Welcome Screen. This Workbook is intended to provide further discussion relating to the interpretation of KAM International. The way in which KAM International is applied to the circumstances of the particular audit is a matter of judgment for the engagement partner and the engagement team. Guidance regarding integrated audits performed in accordance with the Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5, "An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements," is not included in KAM International or in the Audit Workbook. For guidance regarding engagements performed pursuant to this standard, refer to the KPMG Integrated Audit Manual and the Integrated Audit working papers available on ARO. This Workbook is for internal use only and is not to be distributed outside of KPMG.

Purpose of Audit Workbook


The Audit Workbook is designed to provide you with assistance in the use of various tools developed to perform a KPMG audit. The Workbook is not intended to be a comprehensive summary of the KPMG Audit Methodology. Accordingly, engagement teams are expected to continue to refer to KAM International with respect to the substance of KPMG policies, bold type paragraphs, and guidance related to the performance of a KPMG audit. The KPMG Audit Methodology is designed to comply with International Standards on Auditing (ISAs). ISAs are available via ARO and can be accessed by selecting "Professional Standards" from the KAM International Welcome Screen. Audit professionals refer to additional internal and external sources of guidance and/or consultation (including consultation with other members of the engagement team), as appropriate. In addition to the Audit Workbook, engagement teams are encouraged to use the Audit Toolkit. The Audit Toolkit is a list of information organized by audit workflow (FSA, IA, SE, and VSE), which engagement teams will find useful when performing an audit.

For the Less Complex Entity (LCE) workflow, the following additional materials are available in the LCE home page (accessible from the Global Audit home page or from the Vector home page):

LCE Overview - brief presentation of LCE and of the new features available
LCE Tips - a short list of tips to bring a new user quickly up to speed
Virtual LCE - a comprehensive presentation of LCE, but using a screenshot-based and intuitive format
LCE User Guide - the detailed guide to all the functionality available in the tool
Audit of Trex - a practical example of an audit engagement in LCE, using the new features available in the tool

Description of Contents
The contents of this Workbook are based on the April 2008 version of KAM International, the related Global Workpapers (GWPs), and KAM Alert 2008/04 (i.e., revisions related to materiality). The Audit Workbook addresses the audit workflows, specific topics (fraud, laws and regulations, subsequent events, etc.), engagement management topics, and GWPs. To the extent possible, the Audit Workbook also includes flow charts, decision trees, and graphics related to the audit methodology.

The content of the Workbook is presented in a variety of styles, as follows:

Content that is displayed in this style of box and that is not part of a table signifies a definition.

A term that is highlighted in blue signifies that this term is defined within the Audit Workbook. A listing of these terms and the page number where the definition can be found is included in the Index.

All examples are presented in italics.

Content which is displayed with an exclamation sign signifies that engagement teams generally should be alert to this topic area (e.g., revenue recognition).

Content which is displayed with a checkmark indicates that additional assistance is available in the form of Practice Aids or Attachments to the GWPs.

Content which is displayed with a light bulb indicates tips (i.e., additional information that the engagement team may consider).

Content which is displayed in this style of box with light yellow shading signifies that the content is applicable to SE or VSE engagements. This content is not included in KAM International and generally represents tips or additional information that engagement teams working on such engagements may consider.

Chapter 2 - Engagement Management


This section addresses:

the roles of team members and other people or functions that may be involved in an audit engagement
client and engagement acceptance and continuance
setting the terms of the audit
working papers and how we manage them, and
reporting on our findings, including required communications.

2.1 Team Member Roles


Engagement teams may include the following members:

engagement partner
engagement manager
other professional staff
KPMG specialists (including IRM, tax, forensic specialists, etc.)
external experts (contracted by the KPMG member firm)

Others that may be involved in an audit engagement include: engagement quality control reviewer U.S. GAAP/GAAS and IFRS assignments reviewing partners external experts (employed or contracted by the entity) other KPMG locations, and other independent auditors.

For guidance regarding other KPMG locations and other independent auditors, refer to the KAM Alert expected to be released in 2008. Additionally, the engagement team considers the effects of the work performed by internal audit or the use of a service organization by the entity when planning and performing the audit.

2.1.1 Engagement Partner


The engagement partner is responsible for the conduct of the engagement in accordance with the engagement letter or instructions and applicable laws, regulations, and professional standards. [2068.0.1]

The engagement partner is responsible for the overall performance and the technical quality of the audit, including: [2068.1]

directing the audit in accordance with KPMG policies and bold type paragraphs
determining materiality for planning purposes at the financial statement level and subsequent revisions, if applicable
reviewing and approving significant deliverables prior to releasing them outside of KPMG
the quality of deliverables, ensuring that deliverables are consistent with the deliverables specified in the engagement letter or any variation to it
conducting a review to determine that the work performed during the audit supports the engagement deliverables, and
forming the audit opinion.

The engagement partner should:

take responsibility for the overall quality on each audit engagement to which that partner is assigned [2068.3.3]
be satisfied that appropriate procedures regarding the acceptance and continuance of client relationships and specific audit engagements have been followed, and that conclusions reached in this regard are appropriate and have been documented [2068.3.4]
be satisfied that the engagement team collectively has the appropriate capabilities, competence, and time to perform the audit engagement in accordance with professional standards and regulatory and legal requirements, and to enable an auditor's report that is appropriate in the circumstances to be issued [2068.3.5]
consider whether members of the engagement team have complied with ethical requirements [2068.3.6]
take responsibility for the direction, supervision, and performance of the audit engagement in compliance with professional standards and regulatory and legal requirements, and for the auditor's report that is issued to be appropriate in the circumstances [2068.3.7]
be responsible for the engagement team undertaking appropriate consultation on difficult or contentious matters [2068.3.8]
be satisfied that members of the engagement team have undertaken appropriate consultation during the course of the engagement, both within the engagement team and between the engagement team and others at the appropriate level within or outside the firm [2068.3.8]
be satisfied that the nature and scope of, and conclusions resulting from, such consultations are documented and agreed with the party consulted [2068.3.8], and
determine that conclusions resulting from consultations have been implemented. [2068.3.8]

For audits of financial statements of listed entities and for other audit engagements where an engagement quality control review is performed in accordance with the firm's policies, the engagement partner should: [2068.3.9]

determine that an engagement quality control reviewer has been appointed
discuss significant matters arising during the audit engagement, including those identified during the engagement quality control review, with the engagement quality control reviewer, and
not issue the audit report until the engagement quality control review is completed.

Where more than one KPMG firm is providing services to a client, the lead partner from the originating KPMG firm is responsible for the overall client relationship. RMM-G 24.1.2

2.1.2 Engagement Manager


The following activities are examples of engagement manager responsibilities: [2071.1]

assist the engagement partner in the development of the expected scope and conduct of the audit
review and approve the planned activities prior to the start of significant fieldwork
schedule professional staff and maintain liaison with the entity on the timing of the engagement
monitor the progress of the engagement against expectations (progress and completion dates and budget) and keep the engagement partner informed of significant variances
resolve issues with the engagement team members as they arise and discuss them with the engagement partner, as appropriate
supervise and direct the professional staff on the engagement
prepare and/or supervise the preparation of reports to management
review engagement working papers.

2.1.3 Other Professional Staff


The following activities are examples of other professional staff responsibilities: [2072.1]

understand and perform the tasks assigned to them
prepare certain working papers and make them available for review by the appropriate member of the engagement team, and
inform the engagement partner and/or manager about issues or problems as they arise.

2.1.4 KPMG Specialists


If expertise in a field other than accounting or auditing is necessary to obtain sufficient appropriate audit evidence, we determine whether to use the work of a KPMG specialist. A KPMG specialist is a person possessing special knowledge, skills, and experience in a particular field, other than auditing and accounting. [2073.2]

The engagement partner and manager: [2073.7]

determine the need for participation of KPMG specialists in the audit
define the roles and responsibilities of the KPMG specialists
confirm satisfaction of procedures performed by the KPMG specialists
confirm that documentation of such procedures has been prepared in accordance with applicable KPMG policies and other requirements, and
discuss any issues arising from the specialist's work with the KPMG specialist and appropriately consider the results of the specialist's work in the audit.

When determining if the use of a KPMG specialist is appropriate, we consider: [2074.2]

applicable policies for involvement of KPMG specialists, including IRM specialists and tax specialists
our assessment of the risk of material misstatement due to fraud for the engagement
the risk of significant misstatement related to the audit objective being examined
whether the matter relates to an audit objective associated with a significant risk
the nature and complexity of the information, data, or calculations to be audited
whether the client has developed the information, data, or calculations internally as opposed to engaging the services of an independent third party; and
whether the engagement team possesses sufficient experience to review the information, data, or calculations provided by the client, and any other audit evidence available.

KPMG specialists may include the following:

KPMG specialist: IRM specialist
Criteria for involvement: The audit engagement partner, in consultation with the IRM specialist, makes an assessment of the nature, timing, and extent of the IRM specialist's involvement in each phase of the audit for audit engagements of clients that meet at least one of the following criteria: [2075.4.1]
the entity is listed
the entity is a financial institution
the audit engagement is greater than 1,000 hours (calculated at the entity level for single entities or at the consolidation level including multilocation involvement, if any), or
Information Technology is critical to the operation of its business.
When it is decided not to involve IRM specialists on clients that meet any of the above criteria, this decision is approved and signed by the IRM specialist, and the rationale is documented in the Planning Document. [2075.4.2]

KPMG specialist: Tax specialist
Criteria for involvement: The engagement partner discusses with a tax specialist the likely tax risks and whether his or her involvement is necessary to support the audit. In some countries, the engagement partner or manager may also be designated as a tax specialist, in which case the involvement of another tax specialist would be unnecessary. [2075.4.7]

KPMG specialist: Valuation specialist
Criteria for involvement: The factors to consider in deciding whether to include a KPMG valuation specialist as part of the engagement team include: [2075.4.11]
the materiality of the estimate
the nature and complexity of the estimate and the risk of significant misstatement for the related audit objective
whether the client has developed the estimate internally as opposed to engaging the services of an independent third party, and
whether the audit engagement team possesses sufficient skills to review fair value measurements provided by the client.
Additional guidance regarding certain accounts subject to valuation is available in the Other Topics chapter.

KPMG specialist: Forensics specialist
Criteria for involvement: The engagement partner, risk management partner, and engagement quality control reviewer may consult with a forensic specialist when addressing difficult matters and risk management considerations including: [2075.6]
client/engagement acceptance and continuance procedures
evaluation of possible fraud risks
evaluation of the entity's controls to prevent, deter, or detect fraud
design of our audit response to identified fraud risks, and
evaluation of the results of our audit response to identified fraud risks.
The nature and extent of forensic specialist involvement will vary based on the engagement partner's judgment, the circumstances of the engagement, and the risks to be addressed in the audit. [2075.7]

KPMG specialist: Other KPMG specialists
Criteria for involvement: There may be a number of other KPMG specialists available. Engagement teams are encouraged to review the practice pages available via KWorld to identify the specialists available in their area.

The engagement team may use the Practice Aid - IT Criticality Checklist available on ARO to help determine whether IT is critical to the business. [2075.4.1.3]

A forensic specialist may also assist the engagement team in performing fraud related controls evaluation and testing and substantive procedures.

U.S. GAAP/GAAS and IFRS Assignments


Engagement teams reporting on financial statements or financial information in accordance with U.S. Generally Accepted Accounting Principles/U.S. Generally Accepted Auditing Standards (U.S. GAAP/GAAS assignments) or IFRS assignments refer to the policies and guidance in KAM International as follows:

Guidance                 KAM International reference
U.S. GAAS assignments    [2075.8]
IFRS assignments         [2075.30]

Reviewing Partners
Reviewing partners may include the following individuals:

Partner: Engagement quality control reviewer
Criteria for involvement: An engagement quality control review is required for: [2076.1.7]
audits of general purpose financial statements of a listed entity
audit of general purpose financial statements of a nonlisted entity of significant public interest
higher-risk engagements (as designated by the local risk management partner).

Partner: IFRS reviewing partner
Criteria for involvement: An IFRS reviewing partner reviews the required documents when the financial statements with which we are associated are prepared in accordance with IFRSs and the entity is a listed entity, an entity of significant public interest, or the engagement is a higher-risk engagement. [2076.3]

Partner: Filing review partner
Criteria for involvement: A filing review partner performs a filing review with respect to U.S.-SEC registration statements on Forms S-1, S-3, S-4, S-8, F-1, F-2, F-3, F-4, or 20-F; annual reports on Forms 20-F, 40-F, or 10-K; and any other U.S.-SEC filings that include or incorporate by reference an auditor's report issued by a non-U.S. KPMG member firm on the financial statements of a U.S.-SEC registrant. Filing reviews of Rule 144A exempt offering documents, for securities that include registration rights, are also performed, because of the expectation of a subsequent U.S.-SEC filing. [2078.1]
A filing review partner also performs a filing review with respect to other U.S.-SEC filings that contain, or incorporate by reference, an auditor's report issued by a non-U.S. KPMG member firm on financial statements other than those of the SEC registrant (e.g., financial statements presented pursuant to Rule 3-05 and Rule 3-09 of Regulation S-X). [2078.2]

Partner: Designated review partner (for reports filed with certain foreign regulatory authorities)
Criteria for involvement: A designated partner ("designated review partner") reviews the required documents when the financial statements with which we are associated, or our report, are included in a document that is to be filed with certain foreign regulatory authorities, or in a document offering securities in the United States that are exempt from registration requirements of the U.S. Securities Act of 1933 based on Rule 144A. [2077.1]

2.1.5 Use of a Service Organization by the Entity


When an entity uses a service organization, transactions that affect the entity's financial statements are subjected to policies and procedures that are, at least in some part, physically and operationally separate from the entity. [2113.3] We consider how the entity's use of a service organization affects the entity's internal control so as to identify and assess the risk of material misstatement and to design and perform further audit procedures. [2113.1] A client may use a service organization such as one that executes transactions and maintains related accountability or records transactions and processes related data (e.g., a computer information systems service organization). [9237] Our approach to considering the effect of the entity's use of a service entity and our documentation of such consists of the following: Applicability Where the entity uses a service organization Procedure When obtaining our understanding, we determine the significance of service organization activities to the entity and the relevance to the audit. [2115] We consider the following: the nature of the services provided by the service organization and significance of those services to the user entity, including the user entity's internal control the nature and materiality of the transactions processed or accounts affected by the service organization and the degree of interaction between the activities of the service organization and those of the user entity, and the nature of the relationship between the user entity and the service organization, including the contractual terms for the relevant activities undertaken by the service organization.

The understanding obtained may lead us to decide that the assessment of the risk of significant misstatement (RoSM = inherent risk of error + control risk) will not be affected by controls at the service organization. If this is the case, further 2010KPMGInternationalCooperative("KPMGInternational"),aSwissentity.MemberfirmsoftheKPMGnetworkofindependentfirmsareaffiliatedwithKPMG consideration is unnecessary. [2123.2]
International.KPMGInternationalprovidesnoclientservices.NomemberfirmhasanyauthoritytoobligateorbindKPMGInternationaloranyothermemberfirmvisvis thirdparties,nordoesKPMGInternationalhaveanysuchauthoritytoobligateorbindanymemberfirm.Allrightsreserved.

When we determine that If we conclude that the activities of the service organization are significant to the the activities of the service entity and relevant to the audit, we obtain a sufficient understanding of the service organization are significant organization, including its internal control, to identify and assess the risks of material

Page 10 / 133

service organization, including the contractual terms for the relevant activities undertaken by the service organization. The understanding obtained may lead us to Audit Workbook) assessment of the risk of International Audit Workbook (Interntional decide that the significant misstatement (RoSM = inherent risk of error + control risk) will not be affected by controls at the service organization. If this is the case, further consideration is unnecessary. [2123.2] When we determine that the activities of the service organization are significant to the entity and relevant to the audit If we conclude that the activities of the service organization are significant to the entity and relevant to the audit, we obtain a sufficient understanding of the service organization, including its internal control, to identify and assess the risks of material misstatement and design further audit procedures in response to the assessed risks. [2116] To obtain this understanding we may: read the third-party report of the service organization auditor perform the appropriate procedures ourselves, or request the service organization to have its auditor perform the appropriate risk assessment procedures.

We may use either a Type A or Type B report to obtain an understanding of the internal control. [2137.1]

When we take a controls approach:

We obtain audit evidence about the operating effectiveness of controls when our risk assessment includes an expectation of the operating effectiveness of the service organization's controls or when substantive procedures alone do not provide sufficient appropriate audit evidence at the assertion level. We may also conclude that it would be efficient to obtain audit evidence from tests of controls. [2132.1] Audit evidence about the operating effectiveness of controls may be obtained by: [2133]
- obtaining a Type B service organization auditor's report
- performing tests of the entity's controls over the activities of the service organization (for example, we may test the entity's independent reperformance of selected items processed by the service organization or test the entity's reconciliation of output reports to source documents), and
- visiting the service organization and performing tests of the service organization's controls ourselves.

If we plan to use Type B reports, we consider whether: [2139.2]
- the controls tested are relevant to the entity's classes of transactions, account balances derived from estimates, other account balances and disclosures, and related assertions and our audit objectives
- the tests of control performed by the service organization auditor are adequate, and
- the results of the tests of control performed by the service organization auditor are adequate for our audit purposes.

Service organization auditor's reports will usually be in one of the following formats: [2137.1]
- Type A: report on the design and implementation of internal control, or
- Type B: report on the design, implementation, and operating effectiveness of internal control.

We use Type A reports to obtain an understanding of the internal control. [2139.1]

We use Type B reports to obtain audit evidence about the operating effectiveness of controls. [2139.1.1]


2.1.6 External Experts


An external expert is a person or firm, not employed by KPMG, possessing special skills, knowledge, and experience in a particular field other than auditing and accounting. An external expert may be contracted by KPMG directly, contracted by management of the entity under audit, or employed by that entity. [2142], [2142.1] External experts may include property appraisers, environmental engineers, lawyers, etc.

The engagement partner and manager are responsible for determining whether an external expert is involved in the audit. To determine the need to use the work of an external expert, we consider: [2155]
- our knowledge and previous experience of the matter being considered
- the risk of material misstatement based on the nature, complexity, and materiality of the matter being considered
- the significance of the audit objective, transactions, and related account balance being examined in relation to the financial statements as a whole
- whether the matter relates to an audit objective associated with a significant risk
- the quantity and quality of other audit evidence obtained related to the audit objective, transactions, and related account balance being examined, and
- the complexity or subjectivity of the audit objective.

It is important to document and agree upon the work to be performed by external experts and their reporting requirements.

Applicability: If we have determined that there is a need and plan to use the work of an external expert in an audit engagement, we:

Procedure: Evaluate the professional competence of the expert
Considerations: Consider whether the external expert:
- has professional certification or licensing by, or membership in, an appropriate professional body, and
- has experience and reputation in the field for which we are seeking audit evidence.

Procedure: Evaluate the objectivity of the expert
Considerations: The risk that an external expert's objectivity will be impaired increases when the external expert is:
- employed by the entity, or
- related in some manner to the entity.

Procedure: Obtain sufficient appropriate audit evidence that the scope of the expert's work is adequate for purposes of the audit, and
Considerations: Review the instructions from the entity to the external expert or discussion with the external expert, regarding matters such as:
- the objectives and scope of the external expert's work
- the specific matters that we expect the external expert's report to cover
- the intended use of the external expert's work
- the extent of the external expert's access to the appropriate records and files
- clarification of the external expert's relationship with the entity
- confidentiality of the entity's information, and
- information regarding the assumption and methods intended to be used by the external expert and their consistency with those used in prior periods.

Procedure: Evaluate the appropriateness of the expert's work as audit evidence regarding the assertion being considered
Considerations: Consider:
- the source data used by the external expert
- the assumptions and methods used and their consistency with the prior period, and
- the results of the external expert's work, in light of our overall knowledge of the business obtained in performing the audit.

The external expert is responsible for the reasonableness and appropriateness of the assumptions and methods used, together with their application. [2171] KPMG specialists may assist the engagement team to evaluate the work of an external expert.

If the results of the expert's work do not provide sufficient appropriate audit evidence or if the results are not consistent with other audit evidence, we should resolve the matter by: [2174]/[2175]
- discussing the external expert's results with management and the external expert
- performing additional audit procedures, and/or
- considering engaging or asking management to engage another external expert.

We document our evaluation of the professional competence and objectivity of the expert and the adequacy of the expert's work for the purpose of the audit in the Evaluation of External Experts working paper. [2175.3]

2.1.7 Internal Audit


With respect to the internal audit function, the level of work that we perform depends on the particular circumstances of the audit, as follows:

Applicability: Where the entity has an internal audit function
Procedure/Consideration: To the extent that the internal audit function operates as part of management's control system, we obtain a sufficient understanding of internal audit activities to identify and assess the risks of material misstatement of the financial statements and to design and perform further audit procedures. As part of our understanding, we consider the organizational status of the internal audit function and the scope of their responsibilities. We document our understanding of internal audit activities in the Entity Level Controls Program.

Applicability: When we intend to use the work of the internal audit function, including direct assistance provided by the internal audit function
Procedure/Consideration: Make an assessment of the internal audit function by obtaining information about matters such as:
- the nature and extent of their assignments
- whether management acts on their reports and recommendations and how this is evidenced
- the technical competence of the internal audit function
- the due professional care, especially whether their work is adequately planned, supervised, and reviewed, and
- the objectivity of internal auditing.
When we conclude that internal audit activities are not relevant to our work or that it would not be effective to consider their work further, we need not give further consideration to internal auditing.

Applicability: When we use the specific work of the internal audit function
Procedure/Consideration: Evaluate whether:
- the work is performed by those with adequate technical training and proficiency
- the work of internal auditing is properly supervised, reviewed, and documented
- sufficient appropriate audit evidence is obtained to be able to draw a reasonable conclusion
- conclusions are appropriate in the circumstances and reports are consistent with the results of the work performed, and
- any exceptions or unusual matters disclosed by internal auditing are properly resolved by management.
In evaluating the work of the internal audit function, we may observe the procedures performed by internal audit, inquire of the internal audit function about the nature of its work, reperform some of the work performed by the internal audit function, perform different audit procedures, or examine internal audit working papers.

Applicability: When we request direct assistance from the internal audit function
Procedure/Consideration: Inform internal audit of their responsibilities, the objectives of the procedures they are to perform, and matters that may affect the nature, timing, and extent of audit procedures. We also supervise their work and review the working papers that the internal audit function prepares on our behalf. We consider whether the work was adequately performed and evaluate whether the results are consistent with the conclusions in our audit report.

2.2. Client and Engagement Acceptance and Continuance


Client and engagement acceptance and continuance policies, other requirements, and guidance are set out in the Risk Management Manual - Global in chapters 20 and 21, briefly discussed in KAM International, and are defined more specifically by each KPMG member firm in compliance with the Risk Management Manual - Global.

2.3 Setting the Terms of the Audit

KPMG and the client should agree on the terms of the engagement, which are set out in an engagement letter. Policies and guidance on engagement letters are set out in KAM International and in chapter 21 of the Risk Management Manual - Global.

2.4 Audit Documentation


This section addresses:
- definition of audit documentation
- criteria for selecting the appropriate audit workflow
- documenting the nature, timing, and extent of the audit procedures performed
- documenting significant findings or issues arising during the audit and the conclusions reached thereon
- audit file assembly
- working paper retention

2.4.1 Definition of Audit Documentation


Audit documentation is the record of audit procedures performed (including Planning), relevant audit evidence obtained, and conclusions reached. In the KPMG audit, terms such as "Global Work Papers," "working papers," or "work papers" are used when referring to audit documentation.

Audit documentation may include e-mail where correspondence is related to "significant matters."

Working papers or audit documentation may be recorded on paper or on electronic or other media. [2553] Examples of working papers include, among other things, standard KPMG working paper templates, copies of client prepared documents or schedules, transcripts, analyses, letters of confirmation and representation, notes and other memoranda (including computer files), internal KPMG memos and external correspondence with the client and relevant third parties (including e-mail) concerning significant matters, and final deliverables prepared and accumulated in connection with an audit.

Our working papers may also include abstracts or copies of the entity's records if considered appropriate. [2553] For example, we include significant and specific contracts and agreements as part of the working papers if considered appropriate.

Audit documentation ordinarily excludes the following:
- superseded drafts of working papers and financial statements
- notes that reflect incomplete or preliminary thinking
- previous copies of documents corrected for typographical or other errors
- duplicates.

Draft working papers or other documents are discarded when the working paper or other document is finalized (except when the local firm's document retention policy provides otherwise), or when a decision is made not to proceed. [2564.0.1] We do not retain documentation that is incorrect or superseded (except pursuant to the local firm's document retention policy). [2565.8] Work papers stand on their own. Although oral explanations may be used to explain or clarify information contained in the working papers, they do not represent adequate support for the work we performed or conclusions reached. [2565.1]

We should prepare the audit documentation so as to enable an experienced auditor, having no previous connection with the audit, to understand: [2561]
- the nature, timing, and extent of the audit procedures performed to comply with ISAs and applicable legal and regulatory requirements
- the results of the audit procedures and the audit evidence obtained, and
- significant matters arising during the audit and the conclusions reached thereon.

Audit documentation is prepared on a timely basis and provides a sufficient and appropriate record of the basis for our report.

2.4.2 Criteria for Selecting the Appropriate Audit Workflow


We complete different sets of working papers depending upon which audit workflow is used for the engagement, as follows:

Workflow: FSA
Applicability: The FSA Global Work Papers (GWPs) may be used for audits that do not issue an auditor report that refers to the Public Company Accounting Oversight Board (PCAOB) standards and in the judgment of the engagement partner application of the Small Entity (SE), Very Small Entity (VSE), or Less Complex Entity (LCE) audit workflow is not suitable.

Workflow: SE, VSE, LCE
Applicability: The determination of whether to use the SE or VSE GWPs or the LCE workflow is based on the judgment of the engagement partner that, in addition to meeting the qualitative and quantitative criteria set forth in KAM International, the GWPs/workflow are appropriate (1) to address engagement risk and "audit risk" (i.e., the interaction of inherent risk, control risk, and detection risk) and (2) to comply with the KPMG Audit Methodology and with local auditing standards and requirements.

Workflow: SE
Applicability: It may not be appropriate for the following entities to utilize the SE GWPs:
- entities with a high degree of outside ownership in the entity from a nonmanagement/owner perspective
- public/listed entities and their subsidiaries
- entities where other significant stakeholders rely on the financial statements as their primary basis for obtaining reliable financial information on the entity
- entities subject to industry-wide regulations (e.g., financial institutions)
- entities that have an essential public service responsibility due to the nature of their operations, and
- higher-risk engagements.
Additionally, engagement hours are not expected to exceed 1,000 hours.

Workflow: VSE
Applicability: In order to utilize the VSE GWPs, the engagement meets all of the qualitative and quantitative criteria set forth below:
- the planned hours directly related to completing the audit engagement and issuance of the auditor's report do not exceed 500[[1]] hours
- if the global Client/Engagement Acceptance/Continuance (CEAC) process is used, the client/engagement is considered a "low" risk client/engagement or, "medium" risk1 with the approval of the risk management partner
- if another CEAC process is used, the client/engagement is classified in the lowest risk category
- the entity is not a listed entity whose debt or equity securities are traded in a public market, and the financial statements of the entity will not be included in the regulatory filings of such a listed entity
- the entity has limited sources of revenue
- the entity has a limited number of owners, management, and users of the financial statements
- the entity's principal operations, which may include functions, branches, or subsidiaries, are in a single country or jurisdiction, and
- a substantive approach will be taken for substantially all significant accounts and disclosures.

Additionally, VSE GWPs may be used for audits of wholly owned subsidiaries (regardless of the number of planned audit hours) where all of the following criteria are met:
- all of the criteria for use of the VSE GWPs included above are met
- KPMG is the auditor of the consolidated group accounts
- the entity is a wholly owned subsidiary of the group, and
- the audit is being performed for local statutory purposes only: there is no requirement for any group reporting in order to issue the auditor's report on the consolidated entity.

Additional guidance regarding the use of VSE Global Work Papers is included in the VSE Audit Guidance Document accompanying the VSE Global Work Papers. The VSE Global Work Papers and the related VSE Audit Guidance Document can be accessed from ARO.

Workflow: Other workflows that may be applicable
Applicability: Engagement teams that are required to complete the Supplemental U.S. Procedures Checklist may be required to complete either the Integrated Audit working papers or the FSA Public working papers as noted in that Checklist. [2571.1.2]

Workflow: Integrated Audit working papers
Applicability: The Integrated Audit working papers are used when we perform an audit in accordance with PCAOB Auditing Standard No. 5, "An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements." The Integrated Audit working papers that incorporate the provisions of AS 5 are available on ARO and can be dragged and dropped into specific areas of the Vector audit file. Additional guidance on using Vector with the Integrated Audit workflow can be found on the Vector Web site.

Workflow: FSA Public working papers
Applicability: The FSA Public working papers are used for financial statement audits of a public company when an integrated audit is not performed and we issue an auditor's report on the financial statements that refers to PCAOB standards. Engagement teams performing audits of financial statements of foreign private issuers, when an integrated audit is not performed, are not required to, but may, use the FSA Public set of working papers. The FSA Public working papers are available on ARO. Additional guidance on using Vector with the FSA Public workflow can be found on the Vector Web site.

* GWPs or workflow can be used by a participating location in a multilocation audit (including subsidiaries of public/listed entities), if the location meets the criteria for utilizing the GWPs/workflow, unless the originating location specifies in the inter-office instructions that an alternative audit workflow is to be used, for example FSA.

An integrated audit is an audit of internal control over financial reporting (ICOFR) performed in conjunction with an audit of the financial statements in accordance with PCAOB Auditing Standard No. 5, "An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements." Guidance regarding integrated audits performed in accordance with the PCAOB Auditing Standard No. 5 is not included in KAM International or in the Audit Workbook. For guidance regarding engagements performed pursuant to this standard, refer to the Integrated Audit Manual and the Integrated Audit working papers available on ARO under the United States country page.

Criteria for use of LCE working papers


The LCE workflow may be used for audit engagements which meet all of the following criteria: [2574.0.3]
- not a U.S. SEC registrant or a "substantial role" assignment of a U.S. SEC registrant, and
- when the entity is part of a group audit, the group auditor has not specified the use of an alternative work flow.

In addition, the engagement partner considers the following qualitative criteria:
- Less complex application of risk assessment procedures
- Concentration of management functions
- Limited sources of income
- Less sophisticated record keeping
- Unsophisticated entity level controls

KAM requires the performance of risk assessment procedures in order to identify those audit risks at a financial statement and assertion level. In a less complex entity, the extent of risk assessment procedures required is reduced as risks at a financial statement and assertion level are easier to identify than in a more complex entity. The implication of less extensive risk identification procedure is reduced documentation. We often obtain much of our understanding of the business from a few process owners rather than a number of process owners and operational staff.

The performance of senior and other managerial functions is concentrated in a small number of individuals. The operations of the entity are relatively less complex and there are only a few core business processes within which the entity is involved. The operations of the entity are restricted to a limited number of locations and each of these locations is not of a specialized nature. The entity provides a limited number of products or services. The entity usually has less formal objectives and strategies. This is complemented with a less formal budgeting and financial reporting process. Less sophisticated accounting systems, which are not supported by a complex IT environment. Less complex entities generally have fewer employees involved in the accountancy systems and as a result have limited segregation of duties. The owner and/or senior management is actively involved in daily operations of the organization.

There is no maximum audit hour criterion. [2574.0.3.0.1]

Audit teams using LCE to perform an audit on a non-complex listed entity complete the Additional procedures when auditing a listed entity using LCE document. [2574.0.3.1] Refer to the Less Complex Entities User Guide on the LCE Homepage for additional guidance and information when performing an audit using the LCE workflow. The LCE Homepage is available by selecting Audit Technology from the Global Audit Portal.

Refer to KAM for policies and guidance regarding the receipt of a Preservation Notice where the engagement has been performed using LCE.

The following table indicates the working papers to be prepared for each audit workflow: [2566.1]

Global Work Papers, by audit workflow (FSA, SE, VSE):
- Audit Checklist
- Audit Program
- Audit Program for Specific Topics
- Completion Document
- Entity Level Controls Program
- Evaluation of Design and Implementation and Test of Operating Effectiveness Template (if applicable)
- Evaluation of External Experts (if applicable)
- Evaluation of Internal Audit Function (if applicable)
- Evaluation of Service Organization Function (if applicable)
- Financial Reporting Audit Program
- IDEACAATs Document (if applicable)
- Instructions for Inventory Count Attendance (if applicable)
- IT General Controls Program (if applicable)
- KPMG Monetary Unit Sampling Document (if applicable)
- KPMG Sampling Plan (if applicable)
- Planning Document
- Substantive Analytical Procedures Template (if applicable)
- Summary of Audit Differences and related Summary of Audit Differences Template
- Test of Details Document (if applicable)
- Planning and Completion Document
- Interim Review Checklist (if applicable)
- Interim Review Program (if applicable)
- Summary of Review Differences and related Summary of Review Differences Template (if applicable)

Co: Common version of Global Work Paper is used for these workflows.
Sp: Global Work Paper specific to the audit workflow is used.
N/R: Global Work Paper is not required for this workflow.

Completion of the applicable KPMG audit documentation, which includes Global Work Papers and electronic work flows, is required for all audit engagements. [2569] The documentation for an SE and VSE engagement must comply with all policies and guidance contained in KAM International that are applicable to the engagement. However, the extent of documentation is scaled to the size and complexity of the particular engagement.

2.4.3 Documenting the Nature, Timing, and Extent of the Audit Procedures Performed
In documenting the nature, timing, and extent of audit procedures performed, we should record: [2565.9.3]

Preparer and reviewer

The preparer(s) and reviewer(s) of each working paper sign or initial and date each working paper. [2565.9.4] A preparer's and/or reviewer's printed name and date on a working paper also may constitute evidence of signature. [2565.9.6]

Multipage working papers

The preparer may indicate evidence of preparation of the working paper on the first page only, where it has been prepared by one person. [2565.9.6.1] A reviewer may indicate evidence of review on the first page of a multiple page working paper and, if the reviewer has not reviewed the entire document, the sections reviewed. [2565.9.7.1]

Final version

For Global Work Papers that are prepared throughout the audit, we document evidence of review on the final version. [2565.9.8]

The date audit work was completed, and the date and extent of review

We record the date the working paper was completed on each working paper. [2565.9.5] Working paper dating by preparers and reviewers follows a convention that includes the day, month, and year. [2565.9.4] Where documents are faxed or e-mailed to a reviewer and the review is evidenced on a returned faxed document or in a reply e-mail, the reviewer initials and includes the date of review on the original working papers by the audit file assembly date. [2565.9.10]

Identifying characteristics of the specific items or matters being tested

Identifying characteristics of the specific items or matters being tested will vary with the nature of the audit procedure and the item or matter being tested. [2565.4] For example, for:
- a test of purchase orders; we may record the dates and unique purchase order numbers of the documents selected for testing
- selection or review of all items over a specific amount from a given population; we may record the scope of the procedure and identify the population (for example, all journal entries over a specified amount from the journal register)
- systematic sampling from a population of documents; we may record the source, the starting point, and the sampling interval of the documents selected (for example, a systematic sample of shipping reports selected from the shipping log for the period from 1 April to 30 September, starting with report number 12345 and selecting every 125th report)
- inquiries; we may record the dates of the inquiries and the names and job designations of the entity personnel
- observations; we may record the process or subject matter being observed, the relevant individuals, their respective responsibilities, and where and when the observation was carried out.

When using the Monetary Unit Sampling (MUS) routine in IDEA, the MUS planning, extraction, and evaluation report contains sufficient detail to be able to reproduce the sample from the sample file.

2.4.4 Documenting Significant Findings or Issues Arising During the Audit and the Conclusions Reached Thereon
Discussions of significant findings or issues

When we discuss significant findings or issues with management and others (i.e., those charged with governance, other personnel within the entity, and external parties, such as persons providing professional advice to the entity), we document on a timely basis the discussions in our working papers. We provide appropriate references to the working papers where the discussions are documented, in the Completion Document. [2565.6] The documentation includes: [6313.7]
- the significant findings or issues discussed
- when and with whom the discussions took place.

We may include other appropriate records such as agreed minutes of discussions prepared by the entity's personnel. [6313.8] Significant findings and issues are those documented in the Completion Document.

Contradicting or inconsistent information

We document the information that contradicts or is inconsistent with our final conclusions regarding a significant finding or issue together with our response in the Completion Document. [2565.7.1] For example, our working papers may include procedures performed in response to the information, documentation of consultations on, or resolution of, differences in professional judgment among members of the engagement team or between the engagement team and others consulted.

Departures from bold type paragraphs

In exceptional circumstances, we may judge it necessary to depart from a bold type paragraph that is relevant in the circumstances of the audit, in order to achieve more effectively the objective of the engagement. [1005]/[1007.1]

We document how the alternative audit procedures performed were sufficient and appropriate to replace that bold type paragraph and achieve the objective of the audit, and, unless otherwise clear, the reasons for the departure, in the Completion Document. In these exceptional circumstances, provided the departure is appropriately documented, we are not precluded from representing compliance with ISAs. [1007.1] Documentation is not required where the bold type paragraph is not relevant in the circumstances of the audit or an ISA includes conditional requirements and the specified conditions do not exist. [1007.2]

We consult with the risk management partner when we judge it necessary to depart from a bold type paragraph that is relevant in the circumstances of the audit. [1007.1]

2.4.5 Audit File Assembly


When undertaking an audit under ISAs, the audit file assembly date is the date by which an engagement team assembles a complete and final set of working papers for retention. The date is ordinarily not more than 60 calendar days from the date of the auditor's report. [9031.1] The date of the auditor's report is the date selected by us to date our report on the financial statements. Our report is not dated earlier than the date on which we have obtained sufficient appropriate audit evidence on which to base the opinion on the financial statements. [9067.2]

Where we issue two or more different reports in respect of the same subject matter information of an entity (e.g., we issue an auditor's report on a component's financial information for group consolidation purposes and, at a subsequent date, an auditor's report on the same financial information for statutory purposes), the time limits for the assembly of final engagement files address each report as if it were for a separate engagement. In such an instance, we assemble the audit file necessary to support the report on a component's financial information for group consolidation purposes based on the date of the group auditor's report on the consolidated financial statements. We complete the assembly of the audit file necessary to support our statutory audit report based on the date of our statutory audit report. [2621.7] [2621.7.1] Where both reports are supported by the same working papers, one of the two audit files may contain cross references to the audit working papers in the other audit file, provided each audit working paper is dated so that it is clear from the working paper when the audit evidence was documented and reviewed. [2621.7.2]

The auditor's report date and the audit file assembly date are documented in the Audit Checklist. The process of assembling the final audit file and modifying working papers is illustrated below. [2620.1]


Changes that are administrative in nature (refer to the green box above) may be made to the audit documentation during the final assembly process. [2621.9] For example, changes that are administrative in nature include:
- deleting or discarding superseded documentation
- sorting, collating, and cross-referencing working papers
- signing off on checklists relating to the file assembly process
- documenting audit evidence that we have obtained, discussed, and agreed with the relevant members of the audit team before the date of the report.

Modifications to audit working papers for exceptional circumstances that arose after the date of the auditor's report (refer to the grey box above) and that required us to perform new or additional procedures or that led us to reach new conclusions and those made after the audit file assembly date (refer to the blue box above), are documented in the Audit Checklist, Appendix I, Audit Working Paper Modification Template.

Subject to relevant laws, regulations, professional standards, and KPMG policies, modifications to audit working papers after the audit file assembly date may include: [2620]
- comments added to clarify existing working papers
- preparation of additional working papers to more fully document work performed during the engagement
- deletion of extraneous comments or review notes included in the working papers
- deletion of a working paper that has been superseded or no longer serves a useful purpose, and/or
- modifications of comments included in the working papers.

The engagement partner notifies the engagement quality control reviewer, when the engagement requires an engagement quality control review, of changes related to audit objectives associated with a significant risk when exceptional circumstances arise after the date of our report that require us to perform new or additional audit procedures or that lead us to reach new conclusions, and substantive modifications are made to working papers. [2623]


2.4.5S Consideration of omitted documentation and other procedures identified after the date of auditor's report
The engagement team does not have a responsibility to carry out a retrospective review of its work after the date of the auditor's report. However, the auditor's report and working papers relating to a particular engagement may be subjected to review after the date of the auditor's report in connection with the firm's quality performance program or inspection carried out by a regulatory authority. [2625.12] Accordingly, after the date of the auditor's report, even though there may be no indication that the financial statements are materially misstated, it may be determined that one or more procedures considered necessary at the time of the audit of the financial statements in the circumstances then existing were omitted from the audit. [2625.13] The appropriate course of action may depend on the requirements of local laws or regulations. [2625.16]

The engagement partner consults with the local risk management partner to determine an appropriate course of action when an auditing procedure considered necessary at the time of the audit of the financial statements in the circumstances has been omitted, which may include consultation with legal counsel. [2625.17]

If we determine and demonstrate that sufficient procedures were performed, sufficient evidence was obtained, and appropriate conclusions were reached, but that the documentation thereof is not adequate, we consider what additional documentation is needed. For further guidance on adding such documentation, see sections titled "After the date of the auditor's report" and "After the audit file assembly date" in the Engagement Management chapter of KAM. [2625.14]

If we cannot determine or demonstrate that sufficient procedures were performed, sufficient evidence was obtained, or appropriate conclusions were reached, we apply the following guidance to assess the significance of the omitted procedure, at the time it is identified, to the present ability to support the previously expressed opinion on the financial statements: [2625.15]

Circumstance: The previously issued audit opinion on the financial statements cannot be supported without performing the omitted procedure and that there are persons currently relying, or likely to rely, on the previously issued auditor's report. [2625.20]
Course of Action: The engagement team promptly undertakes to perform the omitted procedure or alternative procedures that would provide a satisfactory basis for the opinion. [2625.20]

Circumstance: As a result of the subsequent performance of the omitted procedure or alternative procedures, we become aware that facts regarding the financial statements existed at the date of our report that would affect the report had we been aware of them. [2625.21]
Course of Action: We:
- consult with the risk management partner
- consult with legal counsel
- follow the guidance in the section titled, "Subsequent events" in the Control Evaluation chapter of KAM. [2625.21]

Circumstance: If we determine that the omitted procedure needs to be performed but we are unable to perform the procedure or alternative procedures. [2625.22]
Course of Action: We consult with OGC to determine an appropriate course of action concerning our responsibilities to the client, regulatory authorities, if any, having jurisdiction over the client, and persons relying, or likely to rely, on our report. [2625.22]


2.4.6 Working Paper Retention


After the assembly of the final audit file has been completed, we should not delete or discard audit documentation before the end of its retention period. [2625.7] KPMG member firms' and functions' retention policies are a matter of judgment in light of local laws and regulations, as well as business needs. Consistent with International Standards on Quality Control (ISQC) 1, the retention period for audit engagement documentation is ordinarily no shorter than five years from the date of the auditor's report, or, if later, the date of the group auditor's report. [2695] Additional policies and guidance regarding retention and destruction of working papers are included in sections 25.6 and 25.8 of the Risk Management Manual - Global. [2707] For local requirements, please refer to the local Risk Management Manual. In cases where several KPMG locations are involved, the originating location may request that participating locations follow the retention requirements of the originating location, when those exceed the requirements of the participating location.

2.5. Review

All working papers are reviewed by another engagement team member more experienced than the preparer. [2575] Working papers prepared by the engagement partner are reviewed by another partner assigned to the engagement, and/or the engagement manager, and/or the engagement quality control reviewer, as appropriate in the engagement circumstances. [2575.1]

The purpose of reviewing audit working papers is to reach an affirmative conclusion that the working papers support KPMG's opinion on the financial statements and show that the audit complies with KPMG policies, professional standards, and regulatory and legal requirements. [2582]

The engagement partner and an engagement manager review audit documentation relating to the following:
- audit objectives associated with significant risks (significant inherent risk of error or fraud)
- audit objectives with RoSM assessed as high, and
- significant findings and issues.

Such audit documentation includes those related to critical areas of judgment, especially those related to difficult or contentious matters identified during the course of the engagement and other areas the engagement partner considers important. The extent of review of such audit documentation by the engagement partner and manager is a matter of professional judgment determined by the engagement partner. [2576] The engagement partner and manager are responsible for satisfying themselves that the audit documentation meets KPMG standards and the requirements of applicable laws, regulations, and professional standards. [2576.1] In addition, the engagement partner and manager review and sign the Planning Document, the Entity Level Controls Program, the Completion Document, the Summary of Audit Differences, and the Audit Checklist. [2580]

The reviewer considers whether: [2583]
- the audit work has been performed in accordance with KPMG policies, professional standards, and regulatory and legal requirements
- significant matters have been raised for further consideration
- appropriate consultations have taken place and the resulting conclusions have been documented and implemented, and
- there is no need to revise the nature, timing, and extent of work performed.

The reviewer also considers a variety of other matters, including whether: [2584]
- the engagement team has obtained an appropriate understanding of the business
- the objectives of the audit procedures are achieved and conclusions expressed are consistent with the results of the audit work performed and support the audit opinion on the financial statements
- the working papers are relevant to the audit, adequately document the audit evidence obtained, and are internally consistent
- issues were properly identified during the audit, brought to the attention of the engagement partner, and resolved or reported to management, as appropriate

Points raised during the review of working papers are cleared and, where appropriate, the working papers are revised. Except pursuant to the applicable local firm's retention policies, review notes are not retained after the date of our report. [2589]

2.5.1 Restricting Access to Working Papers


All working papers, reports, and other documents are confidential and the property of KPMG. They are to be protected from loss, unauthorized destruction, or unauthorized access. [2640] The engagement partner and risk management partner are responsible for granting requests from third parties for access to our working papers, including client management. Specific legal advice is requested before the release of any document where a claim or circumstance is known to have arisen. [2648.1] Chapter 25 of the Risk Management Manual - Global provides policies and guidance on working paper storage, security, access, and confidentiality. Chapter 40 of the Risk Management Manual - Global contains IT policy and guidance as they relate to electronic working paper storage, security, access, and confidentiality. [2639.1]

2.6. Communications with Management and Those Charged with Governance


We should communicate audit matters of governance interest arising from the audit of financial statements to those charged with governance of an entity. [2841] Audit matters of governance interest are those matters that arise from the audit of financial statements and, in the opinion of the auditor, are both important and relevant to those charged with governance in overseeing the financial reporting and disclosure process. Audit matters of governance interest include only those matters that have come to the attention of the auditor as a result of the performance of the audit. [9032]

We may seek to establish with those charged with governance a mutual understanding of the form, timing, and expected general content of communications. [2845.1] To avoid misunderstandings, we make management and those charged with governance aware that we will communicate only those matters of governance interest that come to our attention as a result of the performance of our audit and that we are not required to design audit procedures for the specific purpose of identifying matters of governance interest. [2843]

We ensure throughout the audit that our communications with management and those charged with governance are consistent with the scope outlined in our engagement letter with the client and are in compliance with KPMG policies, methodologies, and procedures; professional standards; and applicable local laws and regulations. [2844] Before communicating with those charged with governance, we usually discuss the matters with management, except where those matters relate to questions of management competence or integrity, to clarify facts and issues and to give management an opportunity to provide further information. [2903]

Our communications with those charged with governance may be made orally or in writing. The decision whether to communicate orally or in writing is affected by factors such as the following: [2911]
- the size, operating structure, legal structure, and communications processes of the entity being audited
- the nature, sensitivity, and significance of the audit matters of governance interest to be communicated
- the arrangements made with respect to periodic meetings or reporting of audit matters of governance interest
- the amount of ongoing contact and dialogue the auditor has with those charged with governance, and
- statutory and regulatory requirements.

When audit matters of governance interest are communicated orally, we document in the working papers the matters communicated and any responses to those matters. This documentation may take the form of a copy of the minutes of our discussion with those charged with governance. In certain circumstances, depending on the nature, sensitivity, and significance of the matter, it may be advisable to confirm in writing with those charged with governance any oral communications on audit matters of governance interest. [2912] We communicate material weaknesses to management in writing. [2913.2]

2.6.1 Required Communications


Reporting requirements / Guidance

Audit matters of governance interest

We communicate audit matters of governance interest with those charged with governance. [2847] Audit matters of governance interest include the following: [2847.1]
- the general approach and overall scope of the audit, including any expected limitations thereon, or any additional requirements
- the selection of, or changes in, significant accounting policies and practices that have or could have a material effect on the entity's financial statements
- the potential effect on the financial statements of any material risks and exposures, such as pending litigation, that are required to be disclosed in the financial statements
- significant matters with respect of fair value measurements and disclosures
- material uncertainties related to events and conditions that may cast significant doubt on the entity's ability to continue as a going concern
- disagreements with management about matters that, individually or in aggregate, could be significant to the entity's financial statements or the auditor's report
- expected modifications to our report, and
- any other matters agreed upon in the engagement letter.

We should communicate audit matters of governance interest on a timely basis.

Identified fraud or evidence that fraud may exist

Required communications for all entities include:
- identified fraud or information that indicates that a fraud may exist [2854]
- identified fraud involving management, employees who have significant roles in internal control, or others where the fraud results in a material misstatement in the financial statements [2861.1]
- suspected fraud involving management, in which case we communicate our suspicions and the nature, timing, and extent of audit procedures to complete the audit, and [2855]
- material weaknesses in the design or implementation of internal control to prevent and detect fraud which may have come to our attention.

Additional matters to be considered for communication with those charged with governance include, for example:
- failure by management to appropriately respond to an identified fraud
- actions by management that may be indicative of fraudulent financial reporting
- concerns about the adequacy and completeness of the authorization of transactions that appear to be outside the normal course of business
- failure by management to appropriately address identified material weaknesses in internal control
- concerns about the nature, extent, and frequency of management's assessment of the controls in place to prevent, deter, and detect fraud and the risk that the financial statements may be misstated, and
- our evaluation of the entity's control environment, including any questions regarding the competence and integrity of management.

When we determine that there is audit evidence that fraud exists or may exist (as outlined above), we communicate the matter as soon as practicable to the appropriate level of management. [2862] When we discover a suspected or possible fraud, we promptly bring the matter to the attention of the engagement partner. [2866.2]

Noncompliance with laws and regulations

When we discover a suspected or possible instance of noncompliance with laws or regulations, including a possible illegal act, we promptly bring the matter to the attention of the engagement partner who then reports the matter to the risk management partner and follows local consultation and reporting protocols. [2869.1]

If we believe there may be noncompliance, we should document the findings and discuss them with management. [2868]

We should, as soon as practicable, either communicate with those charged with governance or obtain audit evidence that they are appropriately informed regarding noncompliance that comes to our attention. [2869] If we suspect that members of senior management, including members of the board of directors, are involved in noncompliance, we should report the matter to the next higher level of authority at the entity, if it exists, such as an audit committee or a supervisory board. [2874] If in our judgment the noncompliance is believed to be intentional and material, we should communicate the finding without delay. [2873]

Material weaknesses and other deficiencies in internal control

We should make those charged with governance or management aware as soon as practical and at the appropriate level of responsibility, of material weaknesses in the design or implementation of internal control that have come to our attention. [2878] When in our judgment there is a material weakness in the entity's risk assessment process, we include such internal control weakness in our communication. [2879.1] We also include identified risks of material misstatement which the entity has either not controlled, or for which the relevant control is inadequate. We also consider communicating deficiencies that had a significant effect on our audit approach, but are not considered to be material weaknesses. If we communicate additional deficiencies to management, we also consider communicating such deficiencies to those charged with governance. [2885.0.1] We communicate material weaknesses to those charged with governance and management in writing. [2879]

Role of the engagement partner

We communicate the identity and role of the engagement partner to key members of client management and those charged with governance. [2887]

Misstatements

We communicate misstatements, whether or not they are recorded by the entity, that have, or could have, a significant effect on the entity's financial statements, to the relevant persons who are charged with governance. This communication includes the misstatements in Schedules 1, 2, and 3 of the Summary of Audit Differences. [2895.1] If we have identified a significant misstatement resulting from error, we should communicate the misstatement to the appropriate level of management on a timely basis, and consider the need to report it to those charged with governance. [2895.7]

For an SE or VSE engagement, our responsibility (as set forth above) to communicate weaknesses in internal control applies equally to an audit relating to owner-managed and smaller entities, even when:
- we believe the owner-manager may already be informed about such matters
- we are not sure if weaknesses in internal control, particularly those related to limited segregation of duties, can be addressed in a cost-beneficial manner.

It is only by communicating identified weaknesses that we can be certain that management and those charged with governance have been informed of the problem.
Footnotes
[1] Planned hours should not exceed 200 hours if the client/engagement is considered "medium" risk based on the global CEAC process. Risk management partner approval is obtained for engagements intending to use the VSE workflow where the client/engagement is considered "medium" risk based on the global CEAC process.

Chapter 3 - Planning
The objectives of Planning are to: [3002]
- obtain an understanding of the entity's business and its industry and environment, its accounting policies and practices, and its financial performance
- understand and evaluate the design and the implementation of entity level controls relevant to the audit
- assess risks of material misstatement of the financial statements, including risks of error and fraud
- develop our audit strategy in response to those risks
- determine significant accounts and disclosures, and
- develop our planned audit approach for significant accounts and disclosures.

Planning is described in the following chart:

Planning an audit involves establishing the overall audit strategy for the engagement and developing an audit plan to reduce audit risk to an acceptably low level. The involvement of the engagement partner and other key members of the engagement team in planning the audit draws on their experience and insight thereby enhancing the effectiveness and efficiency of the planning process. [3070]

Adequate planning helps to devote the appropriate attention to important areas of the audit, to identify and resolve potential problems on a timely basis, and to properly organize and manage the audit engagement so that it is performed in an effective and efficient manner. Adequate planning also assists in the proper assignment of work to engagement team members, facilitates the direction and supervision of engagement team members and the review of their work, and assists, where applicable, in coordination of work done by auditors of components, KPMG specialists and external experts. The nature and extent of planning activities will vary according to the size and complexity of the entity, our previous experience with the entity, and changes in circumstances that occur during the audit engagement. [3071]

Although planning for SE and VSE engagements may not be carried out until after year-end, all planning activities are completed and documented in the SE Planning Document or VSE Planning and Completion Document, as appropriate, before we begin activities related to Control Evaluation and Substantive Testing. Effective planning results in an effective and efficient audit.

3.1. Preliminary Engagement Activities


Our consideration of client and engagement continuance and ethical requirements, including independence, occurs throughout the performance of the audit engagement as conditions and changes in circumstances occur. However, our initial procedures on both client and engagement acceptance or continuance and evaluation of ethical requirements (including independence) are performed prior to performing other significant activities for the current audit engagement. For continuing audit engagements, such initial procedures often occur shortly after (or in connection with) the completion of the previous audit. [3061]

The purpose of performing these preliminary engagement activities is to assist us in identifying and evaluating events or circumstances that may adversely affect our ability to plan and perform the audit engagement to reduce audit risk to an acceptably low level. Performing these preliminary engagement activities enables us to plan an audit engagement for which: [3062]
- we maintain the necessary independence and ability to perform the engagement
- there are no issues with management integrity that may affect our willingness to continue the engagement, and
- there is no misunderstanding with the client as to the terms of the engagement.

Risks identified in the client/engagement acceptance/continuance process serve as a starting point for identifying financial statement level and assertion level risks, including fraud risks. [3605] It is important that the appropriate members of the engagement team be made aware of these identified risks, so that the risks can be appropriately addressed during Planning.

3.2. Kickoff Discussion


Early in audit Planning, we may have a kickoff discussion to share among key engagement team members, including KPMG specialists when appropriate, our collective knowledge about the entity and its environment and perspectives on how the audit will be approached, as well as our activities during Planning. [3099]

A kickoff discussion may help us in planning the risk assessment procedures to be performed to obtain a sufficient understanding of the entity and its environment. Understanding the entity and its environment is an essential aspect of performing an audit. In particular, that understanding establishes a frame of reference within which we plan the audit and exercise professional judgment about assessing risks of material misstatement of the financial statements and responding to those risks throughout the audit. [3329]/[3327]

The engagement team may use the Practice Aid - Example Kickoff Discussion Agenda, available on ARO, to assist the engagement team to effectively conduct this discussion. This practice aid contains examples of topics that may be addressed in the kickoff discussion. [3101]

Depending on the size and complexity of the engagement, as well as other circumstances that may be relevant in the judgment of the engagement partner, the optional kickoff discussion and the required risk assessment and planning discussion, addressed later in this chapter, may be either combined or split into a series of discussions. [3104.1]

In practice, the kickoff discussion may be held in different ways and involve different engagement team members based on the judgment of the engagement partner. For smaller engagements, an informal discussion between the partner and manager might be appropriate while on a more complex engagement the involvement of the in-charge or KPMG specialists might be more effective. [3102]

3.3. Engagement Scope


The engagement scope is by the financial reporting and auditing frameworks, as well as industry specific or regulatory requirements related to financial reporting, if any, relevant to our audit. [3106] The engagement scope considers the following: [3107]

Applicable financial reporting framework, including regulatory requirements related to financial reporting

In most cases, the applicable financial reporting framework will be that of the jurisdiction in which the entity is registered or operates and the KPMG office is located, and we and the entity will have a common understanding of that framework. In some cases, there may be no local financial reporting framework, in which case the entity's choice will be governed by local practice, industry practice, user needs, or other factors. For example, the entity's competitors may apply IFRS and the entity may determine that IFRS are also appropriate for its financial reporting requirements. For example, regulations on accounting or financial reporting required by the U.S. Securities & Exchange Commission (U.S.-SEC) or a stock exchange.

Applicable auditing standards, including legislative and regulatory requirements

For example, International Standards on Auditing (ISA), national GAAS, and/or laws or regulations determining those standards.

Industry specific requirements related to financial reporting

We consider whether local regulations specify certain financial reporting requirements for the industry in which the entity operates. For example, additional accounting or financial reporting rules for financial institutions.

Other terms of the engagement

For example, specific requirements as set forth in the engagement letter, such as deliverables in addition to the audit report on the financial statements, timing requirements, or expected communications to management or those charged with governance.

Other information that will include financial statements or our report to be read as part of our audit

For example, regulatory filing documents of listed companies, such as the Form 10-K for an entity subject to regulation by the U.S.-SEC.

In Vector, you define what industry sector the client operates in and the location of its operations. The decisions made relating to the industry determine the additional knowledge that is delivered to the user to aid in the completion of the engagement, for example, industry-specific substantive audit procedures (only available for certain industries). Once you have decided on the appropriate industry-country combination, you use the workflow drop-down menu to select the appropriate workflow, namely FSA, SE, VSE, IA, or LCE.


3.4. Audit Strategy Decisions


The overall audit strategy sets the scope, timing, and direction of the audit, and guides the development of the more detailed audit plan. [3079] The audit strategy considers the results of preliminary engagement activities and, where practicable, experience gained on other engagements performed for the entity. [3078]

After the preliminary engagement activities have been performed and the scope of the engagement has been determined, we make audit strategy decisions relating to the following matters: [3110]

Materiality

Our consideration of materiality when planning and performing audit procedures includes the concepts of: [3124]
- materiality for planning purposes
- significant misstatement threshold
- audit difference posting thresholds.

Timing of audit activities

Ordinarily, we document the following matters that pertain to timing of audit activities: [3184]
- external deliverables
- fieldwork
- other activities, such as:
  - specific audit procedures (i.e., physical inventory observation and confirmation of accounts receivable)
  - meetings and other communication with management and those charged with governance
  - team meetings and other communications among engagement team members.

Team assignments, including KPMG specialists

We plan and document the role, the name, and the key responsibilities of engagement team members that are unique to the audit engagement. [3212] The nature, timing, and extent of resources necessary to perform the engagement include consideration of the following: [3207]
- the resources to deploy for specific audit areas. For example, the use of appropriately experienced team members for high-risk areas or the involvement of KPMG specialists or external experts on complex matters.
- the extent of resources to allocate to specific audit areas. For example, the number of team members assigned to observe the inventory count at material locations, the extent of review of other auditors' work in the case of group audits, and the audit budget in hours to allocate to high-risk areas.
- when these resources are deployed, and. For example, whether at an interim audit stage or at key cutoff dates.
- how such resources are managed, directed, and supervised. For example, when team meetings and engagement partner and manager reviews are expected to take place.

Communication with reviewing partners

We plan and document the planned communication with the engagement quality control reviewer, the IFRS reviewing partner, the filing review partner and other reviewing partners (if applicable), its timing, and the team members responsible for that communication. [3227]

Involvement of others

We plan and document the involvement of other KPMG locations and the subject matter and audit scope of their involvement, including specific audit procedures (for example, an inventory observation). [3240]/[3240.1] We also plan whether others will be involved, such as internal auditing, service organizations, and external experts.

We plan the nature, timing, and extent of direction and supervision of engagement team members based on the assessed risk of material misstatement. As the assessed risk of material misstatement increases, for the area of audit risk, we ordinarily increase the extent and timeliness of direction and supervision of engagement team members and perform a more detailed review of their work. Similarly, we plan the nature, timing, and extent of review of the engagement team's work based on the capabilities and competence of the individual team members performing the audit work. [3221] Establishing the audit strategy will vary according to the size of the entity and the complexity of the audit. [3080.1]

Due to the nature of an SE engagement, it is expected that the "Involvement of Others" section of the SE Planning Document will often not be applicable. In those instances, the section is marked as such.

3.4.1 Materiality
Financial reporting frameworks often discuss the concept of materiality in the context of the preparation and presentation of financial statements. Although financial reporting frameworks may discuss materiality in different terms, they generally explain that: [3115]
- misstatements, including omissions, are considered to be material if they, individually or in the aggregate, could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements
- judgments about materiality are made in light of surrounding circumstances, and are affected by the size or nature of a misstatement, or a combination of both
- judgments about matters that are material to users of the financial statements are based on a consideration of the common financial information needs of users as a group. The possible effect of misstatements on specific individual users, whose needs may vary widely, is not considered, and
- judgments about materiality are made in relation to the relevant financial reporting period.

We should consider materiality when: [ISA 320.8] [3118]
- determining the nature, timing, and extent of audit procedures, and
- evaluating the effect of misstatements.

Materiality for planning purposes (MPP) represents a quantitative measurement of the magnitude of an omission or misstatement in the financial statements that, in light of the surrounding circumstances, makes it probable that economic decisions of users would have been changed or influenced by the omission or misstatement. Materiality for planning purposes is determined at the financial statement level. To determine MPP, we select an appropriate benchmark and then apply an appropriate percentage to that benchmark.

Selecting the benchmark


The engagement partner exercises professional judgment when determining an appropriate benchmark on which to determine MPP. [3134] Examples of benchmarks that may be appropriate, depending on the nature and circumstances of the particular entity, include profit or loss before tax, total revenue, total expenses, total assets, and net assets. [3135]

Factors to consider in determining an appropriate benchmark include: [3136]
- the elements of the financial statements (e.g., assets, liabilities, equity, revenue, and expenses). For purposes of determining MPP, we do not use financial measures that are not defined in a financial reporting framework (e.g., non-GAAP measures), such as EBITDA
- whether there are items on which the attention of the users of the financial statements tends to be focused (e.g., for purposes of evaluating financial performance, users may tend to focus on profit, revenue, or net assets)
- the nature of the entity, where the entity is in its life cycle, and the industry and economic environment in which the entity operates, and
- the entity's ownership structure, or the way it is financed (for example, if an entity is financed solely by debt rather than equity, users may put more emphasis on assets, and claims on them, than on the entity's earnings)

Profit or loss before tax is often used as the benchmark for profit-oriented entities. For asset-based entities (for example, an investment fund), an appropriate benchmark may be net assets. For not-for-profit entities, an appropriate benchmark may be total assets or total expenses. [3137]

It is expected that the benchmark and the percentage to be applied to the benchmark we use for determining MPP ordinarily will be consistent from period to period unless a change is considered appropriate due to a significant change in the circumstances of the entity, or a substantive change in our perception of the needs of the users of the financial statements. If we change the benchmark and/or percentage to be applied to the benchmark from that used in previous audits, we document in Attachment I to the Planning Document our rationale for the change. [3139]

Setting the value of the benchmark


Once an appropriate benchmark has been selected, relevant financial data to be used in determining MPP is identified. Relevant financial data ordinarily includes the period-to-date financial results and financial position; budgets or forecasts for the current period; prior periods' financial results and financial position, adjusted for significant changes in the circumstances of the entity (for example, a significant business acquisition); and relevant changes of conditions in the industry or economic environment in which the entity operates. [3141]

For example, when, as a starting point, materiality for planning purposes is determined for a particular entity based on a percentage of profit before tax, circumstances that give rise to an unusual decrease or increase in profit before tax, such as significant restructuring charges, may lead the engagement partner to conclude that MPP is more appropriately determined using a normalized profit or loss before tax based on past results (normalized basis). As another example, when an entity's profit before tax is consistently nominal, as might be the case for an owner-managed business where the owner takes much of the profit before tax in the form of remuneration, the engagement partner may conclude that MPP is more appropriately determined by reference to profit before tax, adjusted for owner remuneration and related income tax.

Determining the percentage applied to the benchmark


Determining a percentage to be applied to a chosen benchmark involves the exercise of professional judgment and consideration of the expectations and needs of the users of the financial statements. [3145] Where MPP is determined by reference to a net benchmark measure (e.g., profit or loss before tax or net assets), the percentage to be applied to the benchmark ordinarily falls between 3 and 10% (inclusive). [3146] Where MPP is determined by reference to a gross benchmark measure (e.g., total revenue, total expenses, or total assets), the percentage to be applied to the benchmark ordinarily falls between 0.5 and 2% (inclusive). [3146]

The engagement partner considers the following factors in determining the percentage to be applied to the benchmark. The factors below are meant to be illustrative; there may be other factors that impact the determination of the percentage to be applied to the benchmark based on engagement specific circumstances. [3147]

Factor: Concentration of ownership and/or management
Higher percentage: Concentration of ownership in a small number of well informed individuals
Lower percentage: Listed or public interest entity

Factor: Debt arrangements
Higher percentage: Limited debt; Debt arrangements where lenders have access to management information and do not rely solely on audited financial statements
Lower percentage: Publicly traded debt; Loan covenants sensitive to operating results

Factor: Business environment
Higher percentage: The entity operates in a stable business environment; The operations of the entity are relatively less complex and few core business processes in which the entity is involved; The entity provides a limited number of products or services; The entity has a viable sustainable business
Lower percentage: The entity operates in a volatile business environment; The entity has complex operations and/or diverse business processes; The entity operates in locations which are subject to political instability

Factor: Other sensitivities
Higher percentage: No financial regulators; Few changes in stakeholders have occurred or are expected; Few external users of the entity's financial statements
Lower percentage: Operate in a highly regulated industry; Intention to list or register securities; Recent or expected sale of the entity; Impact that misstatements might have on Earnings Per Share (EPS), and extent to which a change in EPS influences the users of the financial statements

Concurrence from the EQCR in relation to materiality


For U.S. SEC registrants, it ordinarily is expected that engagement teams will determine materiality for planning purposes not higher than 5 percent of profit or loss before tax, or 0.5 percent of total assets or revenues, as appropriate. [3148] If the engagement partner believes that a benchmark other than profit or loss before tax, total assets or total revenues is a more appropriate benchmark for determining materiality for planning purposes, or that a higher percentage than those noted above is appropriate under the circumstances, the engagement partner obtains concurrence from the engagement quality control reviewer for the benchmark and/or percentage prior to commencing significant audit procedures. [3148]

Significant misstatement threshold (SMT)


SMT is set to reduce to an appropriately low level the probability that the total of uncorrected and undetected misstatements in the financial statements exceeds MPP. [3159.1] We determine SMT for purposes of assessing the risks of material misstatement and determining the nature, timing, and extent of further audit procedures. [3159] The engagement partner uses MPP as a starting point to determine SMT. SMT cannot exceed 75% of MPP. [3159]

The presence of one or more of the following factors may indicate that a lower SMT may be appropriate. The factors below are meant to be illustrative; there may be other factors that impact the determination of SMT based on engagement specific circumstances. [3159.3]
- weak control environment
- entity with a history of material weaknesses and/or a number of control deficiencies
- high turnover of senior management
- entity with a history of large or numerous misstatements in previous audits
- entity with more complex accounting issues and significant estimates, and
- entity that operates in a number of locations.


We determine whether, in the specific circumstances of the entity, there are particular classes of transactions, account balances, or disclosures for which misstatements of lesser amounts than our SMT level could reasonably be expected to influence the economic decisions of users. In such circumstances, we apply professional judgment to determine one or more lower levels of SMT to be applied to those particular classes of transactions, account balances, or disclosures. [3159.4] For example, the users of the financial statements may be more sensitive to quantitatively smaller misstatements related to disclosures regarding directors' remuneration or related-party transactions than for other significant accounts or disclosures. The engagement team may determine that the significant misstatement threshold for these items should be lower than that determined for other areas of the audit. [3159.4] Similarly, nonrecurring revenue may turn a loss into a profit or reverse the trend of earnings from a downward to an upward trend. The economic decisions of a user may be affected by a failure to disclose separately a nonrecurring item of revenue of that magnitude. Therefore, the engagement team may determine that a lower significant misstatement threshold for nonrecurring revenue would be appropriate. [3159.4]

Audit difference posting threshold


We specify an amount below which we consider audit differences, if they exist, to be clearly trivial. We refer to this clearly trivial amount as the audit difference posting threshold. [3166] Amounts stated as clearly trivial are a matter of judgment, whereby the financial statements would not be materially misstated if audit differences below the specified amount, if any, aggregated with other audit differences, are not corrected. [3169] The engagement team determines the audit difference posting threshold, which ordinarily falls between 3 and 5% of MPP. [3167] The engagement partner may, for reclassification misstatements of the balance sheet only or the income statement only, determine an audit difference posting threshold that exceeds 3 to 5% of materiality for planning purposes. In such cases, the engagement partner discusses the audit difference posting threshold with the engagement quality control reviewer, when the engagement requires an engagement quality control review. [3175]

When determining the audit difference posting threshold, we consider factors similar to those discussed for MPP and SMT. After consideration of qualitative factors, we may determine that a lower percentage is appropriate for the audit difference posting threshold. [3170] Audit differences detected below the audit difference posting threshold need not be summarized in the Summary of Audit Differences, and the relevant working paper is annotated to indicate that the difference is considered clearly trivial. However, we consider their qualitative aspects. [3171] The qualitative consideration of such clearly trivial audit differences is usually limited to a consideration of whether such audit differences: [3172]
- relate to a related party or transactions with a related party
- may indicate the possible existence of fraud, or
- individually or in the aggregate may be indicators of control deficiencies.

If an amount is considered qualitatively significant but is below the audit difference posting threshold, it is included in the Summary of Audit Differences as an audit difference. [3173]

Revisions to MPP, SMT, and ADPT


MPP is revised during the course of conducting the audit in the event we become aware of information that would have significantly modified MPP determined during planning. [3152]

Where the engagement team revises MPP downward from the amount determined during planning, the related SMT(s) also is revised downward, and further audit procedures may need to be performed to obtain sufficient appropriate audit evidence. [3163]

Where MPP has been revised downward from the amount determined at planning, we revise the audit difference posting threshold accordingly, or document why it is not necessary to revise the audit difference posting threshold. [3177]

3.5. Risk Assessment Procedures


Risk assessment procedures are the audit procedures performed to: [9221]
- obtain an understanding of the entity and its industry and environment, including its internal control, and
- assess the risks of material misstatement at the financial statement and assertion levels.

We perform the following risk assessment procedures to obtain an understanding of the entity and its environment, including internal control: [3335]

Inquiries of management and others within the entity

Much of the information we obtain by inquiries may be useful in providing us with a different perspective in identifying risks of material misstatement. Therefore, we make inquiries of management and those responsible for financial reporting; others within the entity, such as production and internal audit personnel; and other employees with different levels of authority. [3339] Our risk assessment procedures include inquiries of management, those charged with governance, internal audit, and others to identify and assess risks of material misstatement related to fraud, going concern, laws and regulations, litigation and claims, and related parties as described in the Audit Program for Specific Topics.

Analytical procedures

We apply analytical procedures as risk assessment procedures to obtain an understanding of the entity and its environment. [3342.1] Analytical procedures may be helpful in identifying the existence of unusual transactions or events and amounts, ratios, and trends that might indicate matters that have financial statement and audit implications. [3344] Analytical procedures include procedures related to revenue accounts with the objective of identifying unusual or unexpected relationships that may indicate a risk of material misstatement due to fraudulent financial reporting.

Observation and inspection

Observation and inspection may support inquiries of management and others as well as provide information about the entity and its environment. Such audit procedures ordinarily include the following: [3347]
- observation of entity activities and operations
- inspection of documents, records, and internal control manuals
- reading reports prepared by management and those charged with governance
- visits to the entity's premises and plant facilities, and
- tracing transactions through the information system(s) relevant to financial reporting (walkthroughs).


An optional Practice Aid - Example Risk Assessment Inquiries is available on ARO to help engagement team members in identifying the appropriate entity personnel and the related matters to be discussed and coordinating such inquiries (e.g., to be able to conduct all inquiries in one or a number of limited discussions with the appropriate individual, when possible and appropriate). [3340.1]

An optional Practice Aid - Example Analytical Procedures, available on ARO, provides examples of matters that we may consider when obtaining an understanding of the measurement and review of the entity's financial performance (aggregated and disaggregated). [3509]

The extent of risk assessment procedures to be performed varies depending on the specific circumstances of the engagement. At a minimum, we perform: [3356]
- risk assessment procedures related to specific topics
- an inquiry of other KPMG engagement partners or engagement managers involved in nonaudit services provided, if any, about possible risks of material misstatement
- inquiries of management about changes in the entity's business and its environment, including internal control
- an analytical review of financial information for planning purposes, and
- an analysis of the results of interim reviews performed, if any.

Risk assessment procedures are carried out during the Planning phase of the audit, although the nature of some SE and VSE engagements may preclude the engagement team from completing the planning prior to year-end. Completing planning after year-end does not change the nature and extent of risk assessment procedures; however, for an SE or VSE engagement, the nature and extent of operations may not require the performance of as extensive risk assessment procedures to obtain an understanding of the entity as may be required in a more complex engagement.

Planning risk assessment procedures facilitates an effective audit. A kickoff discussion may help us in planning the risk assessment procedures to be performed to obtain a sufficient understanding of the entity and its environment. Upfront planning of risk assessment procedures also provides the opportunity for the engagement partner and manager to direct the engagement team where to focus its work, and to share their experience and background knowledge about the industry and the entity. [3329] For recurring engagements, where we may use our understanding obtained in prior period audits, identifying significant changes in any of the above aspects of the entity from prior periods is particularly important in gaining a sufficient understanding of the entity to identify and assess risks of material misstatement. We also use our understanding from risk assessment procedures performed as part of engagements to review interim financial information. [3329.1]/[3355]

3.6. Understanding the Entity


Our understanding of the entity, which we obtain by performing risk assessment procedures, consists of an understanding of the following aspects: [3377]

Business, industry, and environment

The nature of an entity refers to its operations, ownership, governance, types of investments, the way it is structured, and how it is financed. An understanding of the nature of an entity enables us to understand the classes of transactions, account balances derived from estimates, other account balances, and disclosures to be expected in the financial statements. [3394]

The industry in which the entity operates may give rise to specific risks of material misstatement arising from the nature of the business or the degree of regulation. [3443]

An understanding of the legal and regulatory environment includes procedures to assist the engagement team to: [3452]
- obtain an understanding of the legal and regulatory framework applicable to the entity and its industry
- identify instances of noncompliance with laws and regulations, including possible illegal acts
- evaluate the design and implementation of the entity's policies, procedures, and controls regarding compliance with the applicable legal and regulatory framework, including controls to prevent and detect noncompliance and illegal acts.

We also consider the entity's economic, political, and social environment. [3020]

Accounting policies and practices

We obtain an understanding of the entity's selection and application of accounting policies and consider whether they are appropriate for its business and consistent with the applicable financial reporting framework and accounting policies used in the relevant industry. [3454] Our understanding of the entity's accounting policies and practices addresses the following matters: [3022] [3458]
- applicable financial reporting framework, including:
  - new accounting standards
  - controversial or emerging areas with lack of authoritative guidance or consensus
  - regulatory (financial reporting and tax-related) inquiries, investigations, and/or enforcement action, and
  - changes to the selection and application of accounting policies by the entity, including initial selection and application
- critical accounting policies, and
- impact of the entity's structure on financial reporting.

Financial performance

Performance measures and their review indicate to us aspects of the entity's performance that management and others consider to be of importance. Performance measures, whether external or internal, create pressures on the entity that, in turn, may motivate management to take action to improve the business performance or to misstate the financial statements. Therefore, obtaining an understanding of the entity's performance measures assists us in considering whether such pressures result in management actions that may have increased the risks of material misstatement. [3486] Our understanding of the entity's financial performance addresses the following matters: [3487]
- external expectations
- analyses prepared by the entity as well as analysis performed by KPMG and the related results
- events or conditions raising doubt about the entity's ability to continue as a going concern.

Entity level controls

Entity level controls are internal controls that operate at the entity level rather than at the specific assertion level. [3028.1.1] Entity level controls often have a pervasive impact on control activities over classes of transactions, account balances derived from estimates, other account balances, and disclosures. For that reason, as a practical consideration, we evaluate the design and implementation of entity level controls during Planning, because the results of that work might impact the effectiveness of control activities over accounting activities and financial reporting. [3546]

Instances or concerns of misconduct or unethical behavior related to financial reporting

We perform the risk assessment procedures related to misconduct or unethical behavior by the entity management or personnel or those charged with governance. [3550] [3377.1]

We document key elements of the understanding obtained regarding each of the aspects of the entity and its environment, including each of the internal control components, to assess the risks of material misstatement of the financial statements, and the sources of information from which the understanding was obtained. [3378] The form and extent of this documentation is influenced by the nature, size, and complexity of the entity and its internal control, and availability of information from the entity. Ordinarily, the more complex the entity and the more extensive the audit procedures performed, the more extensive our documentation will be. [3379] We only document information that is relevant to our audit of the financial statements. [3384]

When obtaining an understanding of the entity for an SE or VSE engagement, we consider the following:
- such entities ordinarily do not have formal processes to measure and review the entity's financial performance. Management nevertheless often relies on certain key indicators that knowledge and experience of the business suggest are reliable bases for evaluating financial performance and taking appropriate action.
- such entities may not have "formal" or "documented" entity level controls that have been effectively designed and implemented. In such cases, we identify the control deficiencies and determine the effect on our planned audit approach and audit strategy.
- such entities may not have a process in place to formally report concerns of misconduct or unethical behavior. In such instances, we rely on inquiries with management, those charged with governance, and others in the entity.
- the form and extent of our documentation is influenced by the nature, size, and complexity of the entity and its internal control, and the availability of information from the entity. Ordinarily, audits of less complex entities will result in less extensive documentation of our understanding of the entity.

The Alacra™ Company Book and the Alacra Industry Book are optional tools available in a downloadable format at http://kpmgaasc.alacra.com/kpmgaasc/ that may be useful to obtain updated information regarding a given chosen company or its industry (Alacra is a registered trademark of Alacra, Inc.). [3388] The Company Book is focused on providing items containing third-party comments on the company, such as news and analyst reports. [3389] The Industry Book provides information on an industry and country to assist in obtaining an understanding of a client's business. [3390]

3.7. Risk Assessment and Planning Discussion


Usually, we hold a risk assessment and planning discussion after we have completed our risk assessment procedures, obtained our understanding of the entity, and made a preliminary determination of identified risks and our planned audit approach. [3559.1] We document the date of the discussion, participants, and topics discussed in the Planning Document. [3566.2] Decisions made regarding financial statement and assertion level risks, our planned audit approach at the assertion level for significant accounts and disclosures, and our audit strategy decisions are documented in the relevant section of the Planning Document. [3566.3]

This discussion includes, at a minimum, the following topics: [3560.1]
- the importance of professional skepticism and the need to maintain a questioning mind, setting aside any of our prior beliefs that management is honest and has integrity, at all times during the audit, particularly whenever circumstances indicating possible misstatements due to fraud or error are encountered and to be rigorous in following up on such indications
- the responsibilities of engagement team members (which include maintaining an objective state of mind and appropriate level of professional skepticism, performing the work delegated to them in accordance with the ethical principle of due care, and promptly communicating to the engagement partner any identified fraud risk indicators or possible illegal acts)
- our audit strategy decisions, including the determination of materiality for planning purposes and significant misstatement threshold and how these will be used to determine the extent of testing
- our understanding of the entity resulting from our risk assessment procedures
- how the entity's accounting policies, including unusual accounting procedures, address the application of the applicable financial reporting framework to the entity's facts and circumstances
- a consideration of the known external and internal factors affecting the entity that may create an incentive or pressure for management or others to commit fraud, provide the opportunity for fraud to be perpetrated, and indicate a culture or environment that enables management or others to rationalize committing fraud (the "fraud triangle")
- a consideration of the risk of management override of controls, including override through journal entries and other audit adjustments, significant accounting estimates, or significant unusual transactions, and the risk of fraudulent revenue recognition
- the susceptibility of the entity's financial statements to material misstatements, whether caused by fraud or error, with special emphasis on fraud
- identified risks at the financial statement level
- identified inherent risks at the assertion level for significant accounts and disclosures and the planned audit approach
- a consideration of how unpredictability will be incorporated into the nature, timing, and extent of the audit procedures to be performed
- the firm's policies and procedures for dealing with and resolving disagreements among engagement team members, including KPMG specialists, or with the engagement quality control reviewer or others consulted, and that such matters may be brought to the attention of the engagement partner without fear of reprisal, and
- matters to be communicated to members of the team (including KPMG specialists and both originating and participating locations) not involved in the discussion.

The objective of the risk assessment and planning discussion is for members of the engagement team to gain a better understanding of the potential for material misstatements of the financial statements resulting from fraud or error in the specific areas assigned to them, and to understand how the results of the audit procedures that they perform may affect other aspects of the audit, including the decisions about the nature, timing, and extent of further audit procedures. [3561.1] The discussion provides an opportunity for more experienced engagement team members, including the engagement partner, to share their insights based on their knowledge of the entity, and for the team members to exchange information about the business risks to which the entity is subject and about how and where the financial statements might be susceptible to material misstatement, including material misstatement due to fraud. Particular emphasis is given to the discussion of the susceptibility of the entity's financial statements to material misstatement due to fraud. [3561.4]

3.8. Summary of Identified Risks


We should identify and assess the risks of material misstatement at the financial statement level, and at the assertion level for classes of transactions, account balances derived from estimates, other account balances, and disclosures. [3596.2]

3.8.1 Risk of Material Misstatement


When we perform an audit, we obtain and evaluate audit evidence to obtain reasonable assurance about whether the financial statements give a true and fair view (or are presented fairly, in all material respects) in accordance with the applicable financial reporting framework. The concept of reasonable assurance acknowledges that there is a risk the audit opinion is inappropriate. Audit risk is the risk that we express an inappropriate audit opinion when the financial statements are materially misstated. [3587] Audit risk is a function of the risk of material misstatement of the financial statements (i.e., the risk that the financial statements are materially misstated prior to audit) and the risk that we will not detect such misstatement ("detection risk"). [9039] We perform audit procedures to assess the risk of material misstatement and seek to limit detection risk by performing further audit procedures based on that assessment. [3595] We reduce audit risk by designing and performing audit procedures to obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on which to base our audit opinion. Reasonable assurance is obtained when we have reduced audit risk to an acceptably low level. [3590] We refer to the risk of material misstatement of the financial statements at the financial statement level (i.e., pervasive risk of misstatement) in terms of "risk of material misstatement" or "RoMM," whereas we refer to the risk of material misstatement of the financial statements at the assertion level in terms of "risk of significant misstatement" or "RoSM." [3596] Assertion level fraud risks are addressed separately in the Audit Programs and do not affect our assessment of inherent risks of error or our assessment of RoSM. [3662.1] We assess RoSM as "high," "moderate," or "low." We do not similarly assess and document RoMM. 
We use RoMM to help assess whether a financial statement level risk is significant enough to be addressed in our audit strategy or planned audit approach.

The risk of significant misstatement at the assertion level consists of the two components: [3647]

- Inherent risk is the susceptibility of an assertion to a misstatement due to error, which could be material, individually or when aggregated with other misstatements, assuming that there were no related internal controls. [9133] For example, accounts consisting of amounts derived from accounting estimates that are subject to significant measurement uncertainty pose greater risks than do accounts consisting of relatively routine, factual data. [3651]
- Control risk is the risk that a misstatement that could occur in an assertion and that could be material, individually or when aggregated with other misstatements, will not be prevented or detected and corrected on a timely basis by the entity's internal control. [9063] When our assessment of the risk of significant misstatement includes an expectation of the operating effectiveness of controls, we perform tests of controls to support the control risk component of the assessment of the risk of significant misstatement. [3658.2]

In order to focus our control and substantive tests appropriately, we identify and define inherent risks and control risks separately. Without such identification and definition of risks, we may not design appropriate audit procedures to address the risks.

In order to identify and assess the risks of misstatement, we: [3596.3]

- identify risks throughout the process of obtaining an understanding of the entity and its environment, including relevant controls that relate to the risks, and by considering the classes of transactions, account balances derived from estimates, other account balances, and disclosures in the financial statements
- relate the identified risks to what can go wrong at the assertion level
- consider whether the risks are of a magnitude that could result in a material misstatement of the financial statements
- consider the likelihood that the risks could result in a material misstatement of the financial statements, and
- define audit objectives with respect to the risks.

We use information gathered by performing risk assessment procedures, including the audit evidence obtained in evaluating the design of controls and determining whether they have been implemented, as audit evidence to support the risk assessment. [3596.4] We use the risk assessment to determine the nature, timing, and extent of further audit procedures to be performed. [3596.5] We determine whether the identified risks of material misstatement relate to specific classes of transactions, account balances, and disclosures and related assertions, or whether they relate more pervasively to the financial statements as a whole and potentially affect many assertions. The latter risks (i.e., risks at the financial statement level) may derive in particular from a weak control environment. [3596.6]

3.8.2 Identified Risks at the Financial Statement Level


Financial statement level risks are risks that result from "big picture" events and conditions or lack of oversight that could affect financial statements as a whole and may result in a material misstatement due to error or fraud. [9109.1], [9110]

Due to the nature of SE and VSE engagements, it is anticipated that the entity will have a reduced number of financial statement level risks as the conditions that give rise to these risks will be limited. Risks of material misstatement at the overall financial statement level often relate to the entity's control environment (although these risks may also relate to other factors, such as changes in the entity or the entity's environment or industry or other business risks such as declining economic conditions), and are not necessarily risks identifiable with specific assertions at the class of transactions, account balance derived from an estimate, other account balance, or disclosure level. Rather, this overall risk represents circumstances that increase the risk that there could be material misstatements in any number of different financial statement assertions. [3615]

The following are examples of conditions and events that may indicate the existence of financial statement level risks: [3618]

- operations exposed to volatile markets, such as futures trading
- high degree of complex regulation
- changes in the industry in which the entity operates
- developing or offering new products or services, or moving into new lines of business
- expanding into new locations
- changes in the entity, such as reorganizations or other unusual events
- entities or business segments likely to be sold
- lack of personnel with appropriate accounting and financial reporting skills
- inconsistencies between the entity's IT strategy and its business strategies
- changes in significant new IT systems related to financial reporting, and
- application of new accounting pronouncements.

Such risks may be especially relevant to our consideration of the risk of material misstatement arising from fraud, for example, through management override of internal control or collusion. [3616]

Our responses to identified financial statement level risks may include: [3639]

- emphasizing to the engagement team the need to maintain professional skepticism in gathering and evaluating audit evidence
- assigning more experienced staff or those with special skills, or using external experts
- providing more supervision or professional staff
- incorporating additional elements of unpredictability in the selection of further audit procedures to be performed, and/or
- making general changes to the nature, timing, or extent of audit procedures as an overall response, for example, performing substantive procedures at period-end instead of at an interim date.

In addition to the responses above, we consider whether the financial statement level risk impacts significant accounts and assertions and creates one or more assertion level risks.

Ineffective or partially effective entity level controls often result in financial statement level risks that affect multiple significant accounts and assertions and, consequently, may also affect our planned audit approach, as illustrated below.

The results of our evaluation of entity level controls and the effect of such results on our planned audit approach at the assertion level can be summarized as follows:

| Evaluation of entity level controls | Effect of entity level controls on our planned audit approach |
| --- | --- |
| Appropriately designed and implemented | We may expect to find controls at the assertion level to also be effective and, thus, we may plan our audit approach for selected audit objectives to include tests of the operating effectiveness of controls. [3632] |
| Appropriately designed and implemented, but with a limited number of identified deficiencies | We consider the effect of such deficiencies in determining our audit approach at the assertion level. [3632.1] |
| Not appropriately designed or implemented | It is less likely that controls at the assertion level are appropriately designed, implemented, and operating effectively; therefore, we would apply our audit approach with an emphasis on substantive procedures. [3632.2] |

Smaller entities may have weak entity level controls. If there are such weaknesses, we ordinarily conduct more audit procedures as of the period-end rather than at an interim date, seek more extensive audit evidence from substantive procedures, and modify the nature of our audit procedures to obtain more persuasive audit evidence. Also, it would be unlikely that weak entity level controls would render all assertion level controls unreliable, other than in the smallest entities. Therefore, for audit objectives associated with a significant risk, we seek to identify relevant controls and consider how the controls are impacted by the weaknesses in entity level controls.

3.8.3 Identified Risks at the Assertion Level


Assertion level risks are risks specifically related to an account balance derived from an estimate, an other account balance, a class of transactions, a disclosure, or a specific assertion that may result in a material misstatement due to error or fraud. [9022]

We consider the risk of material misstatement at the significant account (class of transactions and account balance) and disclosure level, which we refer to as "risk of significant misstatement at the assertion level" or simply "risk of significant misstatement" (RoSM), because such consideration directly assists in determining the nature, timing, and extent of further audit procedures at the assertion level. [3644] We seek to obtain sufficient appropriate audit evidence at the significant account (class of transactions and account balance) and disclosure level for audit objectives in a way that enables us, at the completion of the audit, to express an opinion on the financial statements taken as a whole at an acceptably low level of audit risk. [3644.1]

When we determine the risk of significant misstatement at the assertion level, we are only concerned with the inherent risk of error. The risk of fraud is addressed separately.

In Vector, the user is able to insert example industry specific assertion level risks directly into the engagement file by using the Knowledge Task Pane in the Vector document "Summary of identified risks - Part 2."

3.9. Planned Audit Approach


We should design and perform further audit procedures whose nature, timing, and extent are responsive to the assessed risks of material misstatement at the assertion level (RoSM). [3673]

Audit strategy vs. planned audit approach

Our overall audit strategy sets the scope, timing, and direction of the audit, and guides the development of the more detailed audit plan. It includes materiality, timing of audit activities, team assignments, communications with reviewing partners, and involvement of others. [9197] / [3110]

Our audit plan converts the audit strategy into a more detailed plan that includes the nature, timing, and extent of audit procedures to be performed by engagement team members in order to obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level. [9037]

Our planned audit approach addresses risks at the assertion level. It includes whether we plan to take a controls or substantive approach and the mix of testing we plan to perform for each audit objective.

The following steps are involved in designing further audit procedures:

3.9.1 Define Significant Accounts and Disclosures


An account is a significant account if there is a reasonable possibility that the account could contain a misstatement that, individually or when aggregated with others, has a material effect on the financial statements, considering the risks of both overstatement and understatement. The determination of whether an account is significant is based on inherent risk, without regard to the effect of controls. [3679]

Significant accounts may be financial statement captions or disaggregated components of financial statement captions consisting of one or more general ledger accounts based on the judgment of the engagement team. [3679.0.1]

If there is a reasonable possibility of a misstatement in the account greater than the significant misstatement threshold, considering both the risk of overstatement and understatement, the account is considered significant irrespective of its magnitude. We may determine that an account with a balance that exceeds the significant misstatement threshold does not have a risk of misstatement greater than the significant misstatement threshold and is therefore not considered to be significant. [3679.0.2]

A disclosure is a significant disclosure if there is a reasonable possibility that the disclosure could contain a misstatement that, individually or when aggregated with others, has a material effect on the financial statements, considering the risks of both overstatement and understatement. The determination of whether a disclosure is significant is based on inherent risk, without regard to the effect of controls. [9239.2]

In Vector, the user is able to insert example accounts and disclosures directly into the engagement file by using the Knowledge Task Pane in the Vector document "Planning Matrix."

Within Vector, the user is able to import accounts from the entity's trial balance using the CaseWare application. Once the accounts are imported into CaseWare, the user groups the disaggregated trial balance accounts into potential significant accounts. The complete list of potential significant accounts is then transferred into Vector where the user can associate a specific or generic assertion level risk to the account. (CaseWare is a registered trademark of CaseWare International, Inc.)

3.9.2 Define Relevant Assertions


We identify the assertions that are relevant for each significant account and disclosure. [3689]

Financial statement assertions are assertions by management, explicit or otherwise, that are embodied in the financial statements, as follows: [9020.1]

- completeness
- existence and occurrence
- accuracy
- valuation
- obligations and rights
- presentation and disclosure

A relevant assertion is a financial statement assertion for a significant account or disclosure that has a reasonable possibility of containing a misstatement or misstatements that would cause the financial statements to be materially misstated. The determination of whether an assertion is a relevant assertion is based on inherent risk, without regard to the effect of controls. [9216.1]

3.9.3 Determine Audit Objectives



An audit objective is an objective defined by us for the purpose of efficient gathering of audit evidence about related financial statement assertions. We determine which relevant assertions related to which significant accounts or disclosures are combined into which audit objectives. For example, an audit objective may be to obtain audit evidence about the completeness and accuracy of sales. In this example, the audit objective relates to two assertions because the available audit procedures typically provide audit evidence about both. [9033]

We combine assertions and related significant accounts or disclosures to determine audit objectives. [3695] For classes of transactions, we ordinarily combine the related balance sheet and income statement accounts and the related assertions into one audit objective. [3701] For other account balances, we may combine more than one assertion into one audit objective and we may also combine several significant accounts and related assertions into one audit objective. For example, an audit objective may be "existence of inventories" or "completeness, accuracy, and existence of revenue and accounts receivable." [3702]

Audit objectives drive the structure of the Audit Program. It is important that we have grouped the appropriate significant accounts and assertions into the appropriate audit objectives to facilitate an effective and efficient audit approach in Control Evaluation and Substantive Testing.

3.9.4 Assessing Inherent Risk of Error


We assess the inherent risk due to error for each audit objective and not for each individual inherent risk identified. Any risk of fraud associated with the audit objective is addressed separately and is not considered in our assessment of the inherent risk due to error. [3724]

In assessing the inherent risk due to error for audit objectives, we use the following categories: [3723]

- Significant (S)
- Moderate (M)
- Low (L).

When assessing the inherent risk of error, we consider the specific risks we have identified during our risk assessment procedures that may influence our inherent risk assessment. For example, if we:

- have identified a specific risk, it is unlikely that the assessment for inherent risk will be low
- have not identified a specific risk, it is unlikely that the assessment for inherent risk will be significant
- are considering assessing inherent risk as significant, but have not identified a specific risk, we consider whether our risk assessment is complete (e.g., is there an inherent risk present that we have not yet identified?).

Examples of specific risks that may be identified are as follows: [3668]

- The entity has recently entered into new markets in XXX and, in order to penetrate these markets, has begun using customer-specific contracts, rather than the entity's standard contract used in the domestic market.
- Days sales outstanding for trade receivables in XXX market are 93 days vs. 61 days for the entity's other trade receivables. The sales manager for the region has indicated that collection is often delayed because the customer is slow in accepting the customer-specific modifications that have been made to the product.
- As a response to declining domestic markets, the entity changed its return policies during year X2 in order to gain customer acceptance of the new product price level. The new policies are not used consistently in all sales regions and might be misapplied by individual regions in order to raise sales.
- The entity's practice of bill and hold transactions provides management with an opportunity to collude with customers, falsify documents, and intentionally misapply facts and circumstances in complying with the entity's revenue recognition policy related to such transactions.
- In year X0, the entity tried to expand by investing in a business segment. In year X1, the business segment is following the market trend of decreasing volume. Sales numbers as of the underlying business plan of the acquisition are not reached for the second consecutive year.

3.9.5 Define Audit Objectives Associated with a Significant Risk


Significant risks are those risks that, in our judgment, require special audit consideration. [9244] Significant risks often relate to significant nonroutine transactions and judgmental matters. Nonroutine transactions are transactions that are unusual due to either size or nature, and that therefore occur infrequently. Judgmental matters may include the development of accounting estimates for which there is significant measurement uncertainty. [3734] Audit objectives associated with significant risks and our response thereto benefit from the judgments of the most experienced members of the engagement team. The engagement partner is responsible for providing overall direction for the audit approach to audit objectives associated with significant risks and reviews audit working papers relating to audit objectives associated with significant risks. [9034]

Special audit consideration may consist of the following: [9246.1]

- evaluation of the design and implementation of assertion level controls relevant to the identified risks
- a combination of test of operating effectiveness of controls and substantive procedures that are specifically responsive to an identified inherent risk
- audit procedures of the same type for the same assertion to obtain sufficient appropriate audit evidence over the assertion, and/or
- a combination of audit evidence derived from internal and external sources.

Nonroutine transactions are transactions not in the ordinary course of business or infrequent in occurrence. Management intervention may be required for such transactions to be processed. [9184]

There are usually some audit objectives that carry a greater inherent risk of error or fraud, that involve considerable judgment, and/or for which it is difficult to obtain audit evidence. [3728] We define an "audit objective associated with a significant risk" as an audit objective associated with a significant account or disclosure for which a significant inherent risk of error or risk of fraud has been identified. [3730]

In considering the nature of the risks, we consider a number of matters, including the following: [3733]

- whether the risk is a risk of fraud
- whether the risk is related to recent significant economic, accounting, or other developments and, therefore, requires specific attention
- the complexity of transactions
- whether the risk involves significant transactions with related parties
- the degree of subjectivity in the measurement of financial information related to the risk, especially those involving a wide range of measurement uncertainty, and
- whether the risk involves significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual.

Audit objectives associated with significant risks include all audit objectives where the inherent risk assessment for error is "significant" or where a risk of fraud has been identified for the audit objective. [3748]

Association of a significant risk with an audit objective affects our audit in several ways, including:

- a controls approach will be taken for the audit objective
- when we test the operating effectiveness of automated controls, we perform these tests every year; audit evidence gained in prior periods is not sufficient
- our audit approach and findings are summarized in the Completion Document
- the engagement partner and manager are required to review related audit documentation
- the engagement quality control reviewer is notified of changes to audit documentation after the date of the auditor's report.

3.9.6 Our General Approach


In designing the audit procedures we include in the Audit Program, we consider matters such as the following: [3753]

- the significance of the risk of significant misstatement
- the likelihood that a significant misstatement will occur
- the characteristics of the class of transactions, account balance derived from an estimate, other account balance, or disclosure involved
- the nature of the specific controls used by the entity and in particular whether they are manual or automated, and
- whether we expect to obtain audit evidence to determine if the entity's controls are effective in preventing, or detecting and correcting, material misstatements.

In the KPMG audit, "controls approach" and "substantive approach" have the following meaning within the context of an audit objective: [3755.0.1]

- we take a controls approach for an audit objective when we evaluate the design and implementation of relevant controls
- we take a substantive approach for an audit objective when we do not evaluate the design and implementation of relevant controls and do not test the operating effectiveness of controls.

In all of the above situations, we perform substantive procedures. [3755.0.2]

In the KPMG audit, for each audit objective, we document in the Planning Matrix whether we will:

- take a "controls approach" or a "substantive approach," and
- audit the audit objective as a "class of transaction," an "estimate/disclosure" or an "other account balance."

These decisions are very important because they define the form of the Audit Program that we will use for each audit objective.

We determine whether we take a "controls approach" or a "substantive approach" for each audit objective, not for the audit as a whole. We cannot adopt a substantive approach for audit objectives associated with a significant risk.

In determining our audit approach for audit objectives, we evaluate controls at the assertion level as follows: [3757]

- for all audit objectives, we understand and document the accounting activities with respect to the underlying financial information
- for audit objectives for which we have identified a risk of fraud as a result of our risk assessment procedures, we determine whether management has implemented controls to prevent and detect such fraud and we evaluate the design and implementation of antifraud controls relevant to the identified fraud risk
- for audit objectives associated with significant risks of error, we evaluate the design and implementation of controls relevant to the identified risk, and
- for audit objectives where we plan to rely on controls to alter the nature, timing, or extent of our substantive audit procedures, we evaluate the design and implementation and test the operating effectiveness of relevant controls.

When determining our general approach, we consider the volume of transactions recorded in balances for related significant accounts. The greater the volume of transactions, the more likely that we will take a controls approach, as it is difficult to gain sufficient, appropriate audit evidence regarding transactions recorded in the related significant accounts without testing the operating effectiveness of controls.

We should plan to rely on controls when it is: [3757]

- more efficient, or
- not possible or practical to obtain sufficient appropriate audit evidence only from substantive audit procedures in order to reduce audit risk to an acceptably low level.

The following decision tree shows how we evaluate controls and determine further audit procedures for audit objectives not associated with a significant risk. [3758]


For all audit objectives associated with a significant risk (of fraud or error), we evaluate the design and implementation of selected controls.

We determine and document our planned audit approach for each audit objective in the Planning Matrix. The Planning Matrix documents the following steps that we perform in developing our planned audit approach:

- disaggregate financial statement captions into significant accounts and disclosures, which may themselves include several account balances
- map the specific inherent risks identified from our risk assessment procedures to significant accounts and related assertions
- identify other assertions for each significant account for which we need to obtain audit evidence
- consider whether a risk is specifically related to fraud
- develop audit objectives (e.g., group assertions for one or more significant accounts affected by the same risks and which we are likely to audit using the same audit procedures. These accounts are likely to be related to the same classes of transactions.)
- link audit objectives to the relevant Audit Programs
- assess the inherent risk related to each audit objective as "significant" (e.g., whether they require special audit consideration), "moderate," or "low," and
- determine our planned audit approach (e.g., "controls approach" or "substantive approach" and whether we will address the audit objective as "class of transaction," "estimate/disclosure," or an "account balance." In addition, we decide whether we plan to test the operating effectiveness of controls and perform substantive analytical procedures and tests of details.)

An example Planning Matrix is shown below:


3.9.7 Nature, Timing, and Extent of Further Audit Procedures


Nature
The nature of further audit procedures refers to: [3767]

- their purpose (tests of control or substantive procedures, including tests of details, and substantive analytical procedures)
- their type (inspection, observation, inquiry, confirmation, recalculation, reperformance, or analytical procedures).

Certain audit procedures may be more appropriate for some assertions than others. For example, in relation to revenue, tests of controls may be most responsive to the assessed risk of misstatement of the completeness assertion, whereas substantive procedures may be most responsive to the assessed risk of misstatement of the existence and occurrence assertion [3768]. Our selection of audit procedures is based on the assessment of risk. The higher our assessment of risk, the more reliable and relevant is the audit evidence sought by us from substantive procedures. This may affect both the types of audit procedures to be performed and their combination. For example, we may confirm the completeness of the terms of a contract with a third party, in addition to inspecting the document. [3769]

Timing
Timing refers to when we perform audit procedures or to the period or date to which the audit evidence applies. [3781] We may perform tests of control or substantive procedures at an interim date or at period-end. The higher the risk of significant misstatement, the more likely it is that we may decide it is more effective to perform substantive procedures nearer to, or at, the period-end rather than at an earlier date and, if we have identified a risk of fraud related to the relevant assertions, to perform audit procedures unannounced or at unpredictable times. [3782] For example, performing audit procedures at selected locations on an unannounced basis.

Extent
The extent of further audit procedures includes the quantity of a specific audit procedure to be performed. [3788] For example, a sample size or the number of observations of a control activity. In particular, we ordinarily increase the extent of audit procedures as the risk of significant misstatement increases. However, increasing the extent of an audit procedure is effective only if the audit procedure itself is relevant to the specific risk; therefore, the nature of the audit procedure is the most important consideration. [3790]

3.9.8 Other Considerations




Incorporation of an element of unpredictability

Individuals within the entity who are familiar with the audit procedures ordinarily performed on the audit may be better able to conceal fraudulent financial reporting. Therefore, we ordinarily incorporate an element of unpredictability in the selection of the nature, extent, and timing of auditing procedures to be performed. [3795]

Incorporating an element of unpredictability may include: [3797]

- selecting account balances and assertions not otherwise tested due to their materiality or presumed low risk
- adjusting the timing of the audit procedure from when it is ordinarily expected to be undertaken
- using different sampling methods
- performing audit procedures at locations not previously visited or on an unannounced basis.

Use of CAATs

Using CAATs to perform audit procedures may enhance the effectiveness of the audit process by facilitating faster and more extensive review and analysis of large data populations. CAATs may provide the ability to analyze complete populations of data; to easily profile, extract, and summarize items based on specific characteristics; and to apply selected KPMG preprogrammed routines. [3805] CAATs procedures often require adequate planning to determine the appropriate level of skills to execute and use the results of CAATs. They may also require an appropriate level of understanding of the KPMG Routines, a standard functionality of the application used to perform CAATs, and the entity's computer-based information systems and data. Accordingly, in Planning we identify those significant accounts or disclosures and the related audit objectives where we plan to perform CAATs. [3807]

Journal entries

To respond to the risk of management override of controls, we design and perform audit procedures to test the appropriateness of journal entries recorded in the general ledger and other adjustments made in the preparation of financial statements. [7350] Audit objectives 3 and 5 and Appendix II of the Financial Reporting Audit Program provide audit procedures and guidance regarding our approach to journal entries.

IDEACAATs can help make an audit more effective. CAATs can often be performed without the involvement of IRM specialists.

3.10. Changes to Our Audit Strategy or Planned Audit Approach


As a result of unexpected events, changes in conditions, or the audit evidence obtained from the results of audit procedures, we may need to modify the overall audit strategy and audit plan, and thereby the resulting planned nature, timing, and extent of further audit procedures. [3815] In such circumstances, we reevaluate the planned audit procedures based on the revised consideration of assessed risks at the assertion level for all or some of the significant accounts or disclosures. [3816]

If our overall audit strategy or planned audit procedures change significantly based on the revised consideration of assessed risks at the assertion level for all or some of the audit objectives, the related significant modifications of our audit strategy and planned audit approach are reflected in the Audit Programs and documented in the Completion Document. [3819]

The engagement partner determines whether the changes to the overall audit strategy or to planned audit procedures are such that revisions to the results and/or conclusions of Planning as a whole or only to certain audit areas are indicated. In case of revisions to the overall approach to our audit, the Planning Document is revised, the appropriate engagement team members review and sign the revised Planning Document, and the original and revised versions of the Planning Document are retained as part of our audit files. When only certain audit areas are affected, the engagement partner may determine to document the change to the audit strategy or to the planned audit procedures in the Completion Document instead of revising the Planning Document. The engagement team documents only those changes that are significant to the audit. [3820]

If during Control Evaluation or Substantive Testing an additional financial statement or assertion level risk is identified or if we reassess the significance of a risk that was identified during Planning, we document in the Completion Document the modification to our audit strategy and/or planned audit procedures, including the rationale and resolution of the issue that caused the change. In addition, when applicable, we also modify the Audit Program.

Chapter 4 - Control Evaluation


The objective of Control Evaluation is to gain an understanding of the entity's accounting activities and to evaluate controls so that we can assess the risk of significant misstatement for each audit objective and plan our substantive procedures. [4002]

Internal control is the process designed and effected by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of the entity's objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. [9141]

Internal control consists of the following components: [9142]

- the control environment
- the entity's risk assessment process
- the information system, including the related business processes, relevant to financial reporting, and communication
- control activities, and
- monitoring of controls.

The way in which internal control is designed and implemented varies with an entity's size and complexity. Specifically, smaller entities may use less formal means and simpler processes and procedures to achieve their objectives. For example, smaller entities with active management involvement in the financial reporting process may not have extensive descriptions of accounting procedures or detailed written policies. For some smaller entities, the owner-manager may perform functions that in a larger entity would be regarded as belonging to several of the components of internal control. Therefore, the components of internal control may not be clearly distinguished, but their underlying purposes are equally valid. Control Evaluation is described in the following chart:


The extent of our control evaluation work varies as follows: [4003]

- in Planning we evaluate the design and implementation of entity level controls and consider the impact of entity level controls on our audit strategy and planned audit approach [4003.1]
- for every audit objective, we obtain an understanding of, and document in the Audit Program, the relevant accounting activities with respect to the underlying financial information [4003.2]
- for audit objectives that include relevant assertions that are associated with a risk of fraud, we determine whether management has implemented controls to prevent and detect such fraud; we evaluate the design and implementation of antifraud controls that are relevant to the identified fraud risk and consider the risk of management override of such controls [4003.7]
- for audit objectives associated with a significant inherent risk of error, we evaluate the design and implementation of selected assertion level controls [4003.8]
- for audit objectives where we plan to rely on the operating effectiveness of controls to modify the nature, timing, and extent of our substantive procedures, we evaluate the design and implementation and test the operating effectiveness of selected assertion level controls. [4003.9]

We plan to rely on the operating effectiveness of controls to provide audit evidence and to modify the nature, timing, and extent of our substantive procedures where it is: [4003.9.0.1]

- more efficient to evaluate the design and implementation and test the operating effectiveness of selected controls, or
- not possible or practical to achieve our audit objective with audit evidence obtained only from substantive audit procedures.

4.1. Entity Level Controls


Entity level controls are internal controls that operate at the entity level rather than at the specific assertion level and therefore generally include all components of internal control except control activities, which are considered at the assertion level. [3028.1.1]

We consider entity level controls early in the audit process because our evaluation of these controls can result in increasing or decreasing the testing that we would otherwise have performed on assertion level controls as well as the nature, timing, and extent of substantive procedures. [3028.2]

Additionally, as entity level controls are likely to be pervasive to the financial statements as a whole, we obtain an understanding of entity level controls to: [3029]

- identify risks of material misstatement in the financial statements
- determine our audit strategy, and
- plan the nature, timing, and extent of our further audit procedures.

Obtaining an understanding of entity level controls involves evaluating the design and implementation of the individual components of entity level controls. [3030] In a financial statement audit we are required to evaluate the design and implementation of entity level controls but we are not required to test their operating effectiveness. Where entity level controls are ineffective or partially effective, this may increase our assessment of RoSM for audit objectives and therefore, impact the nature, timing, and extent of our substantive procedures. [4912.1] We obtain this understanding and evaluate the design and implementation of entity level controls simultaneously with our risk assessment procedures in Planning. [3631] Our evaluation of entity level controls includes procedures to evaluate the design and implementation of the entity's broad programs and controls to prevent, deter, and detect fraud.

Entity level controls consist of the following components:

Control environment

The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for effective internal control, providing discipline and structure. [4012] In obtaining an understanding of and evaluating the design of the control environment and determining whether appropriate controls have been implemented, we understand how management, with the oversight of those charged with governance, has created and maintained a culture of honesty and ethical behavior and established appropriate controls to prevent and detect fraud and error within the entity. [4013] In obtaining and documenting an understanding of and evaluating the design of the entity's control environment, we consider each of the elements identified above and how they have been incorporated into the entity's processes. [4225]

Risk assessment process

The entity's risk assessment process is management's process for identifying business risks relevant to financial reporting and deciding how those risks should be managed. A precondition to risk assessment is the establishment of objectives, linked at different levels and internally consistent. [4241.1] In obtaining an understanding of the entity's risk assessment process, we determine how management identifies business risks relevant to financial reporting, estimates the significance of the risks, assesses the likelihood of their occurrence, and decides upon actions to manage them. If the entity's risk assessment process is appropriate to the circumstances, it assists us in identifying risks of material misstatement. [4244]

In obtaining and documenting an understanding of the entity-wide risk assessment process, we consider whether management: [4250]

- effectively communicates entity-wide objectives and strategies
- has an ongoing risk assessment process (formal or informal) that identifies business risks relevant to financial reporting, their significance, the likelihood of their occurrence and how to manage them, and adequately addresses the effects of changing conditions on the entity
- ensures effective compliance with laws and regulations, including regulatory compliance, for all laws and regulations that have a fundamental effect on the operations of the entity
- assesses the entity's ability to continue as a going concern
- identifies and evaluates the vulnerability of the entity to fraudulent activity and whether this could result in a material misstatement in the financial statements
- implements controls in areas identified as a higher risk of fraudulent activity, and
- was involved in and communicated the outcome of this process to those charged with governance.

Information system and communication

An information system consists of infrastructure (physical and hardware components), software, people, procedures, and data. Infrastructure and software will be absent, or have less significance, in systems that are exclusively or primarily manual. Many information systems make extensive use of IT. [4253.2]

In obtaining and documenting an understanding of the information system relevant to financial reporting, we consider whether management has: [4269]

- developed an information system, linked to the entity's overall strategy, which is responsive to achieving the entity-wide and activity-level objectives
- developed an IT strategy that supports the entity's overall strategy with respect to the financial reporting information systems
- controls over obtaining external and internal information to provide management with necessary reports on the entity's performance relative to established financial reporting objectives, and
- an information system that encompasses methods and records that:
  - identify and record all valid transactions
  - describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting
  - measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements
  - determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period, and
  - present properly the transactions and related disclosures in the financial statements.


Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting. It includes the extent to which personnel understand how their activities in the financial reporting information system relate to the work of others and the means of reporting exceptions to an appropriate higher level within the entity. [4272.4] Open communication channels help ensure that exceptions are reported and acted on. [4272.4] Communication takes such forms as policy manuals, accounting and financial reporting manuals, and memoranda. Communication also can be made electronically, orally, and through the actions of management. [4272.5]

Monitoring

Monitoring of controls is a process to assess the effectiveness of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions modified for changes in conditions. Management accomplishes monitoring of controls through ongoing activities (e.g., internal audit programs), separate evaluations, or a combination of the two. Ongoing monitoring activities are often built into the normal recurring activities of an entity and may include regular management and supervisory activities. [4023.1]

In obtaining and documenting an understanding of the monitoring activities, we consider whether: [4284]

- management monitors the results of the operations of the business units against objectives and expected results, including budgets and forecasts
- management ensures the effectiveness of:
  - any self-assessment processes or periodic systems evaluations used
  - internal audit activities (including IT internal audit)
  - monitoring controls performed at centralized processing locations, including shared service centers, and
  - monitoring of computer operations
- management performs comparisons of amounts recorded in the accounting system with physical assets
- management monitors the effectiveness of internal controls over financial reporting and initiates corrective actions to its controls
- management considers the reliability of information related to the entity's monitoring activities
- management has policies and procedures for identifying, evaluating, and accounting for litigation and claims, and
- internal audit activity (where applicable) is adequate, including IT internal audit, and whether the head of internal audit reports directly to those charged with governance.


The control environment includes the governance and management functions and the attitudes, awareness, and actions of those charged with governance and management concerning the entity's internal control and its importance to the entity. The control environment is a component of internal control. It includes an entity's: [9062]

- communication and enforcement of integrity and ethical values
- commitment to competence
- participation by those charged with governance
- assignment of authority and responsibility
- management's philosophy and operating style
- organizational structure, and
- human resources policies and practices.

For an SE or VSE engagement, we consider the following: Audit evidence for elements of the control environment may not be available in documentary form, in particular for smaller entities where communication between management and other personnel may be informal, yet effective. For example, management's commitment to ethical values and competence are often implemented through the behavior and attitude they demonstrate in managing the entity's business instead of in a written code of conduct. Consequently, management's attitudes, awareness, and actions are of particular importance in the design of a smaller entity's control environment. The role of those charged with governance is often undertaken by the owner-manager where there are no other owners. Smaller entities may implement the control environment elements differently than larger entities do. For example, smaller entities might not have a written code of conduct, but instead develop a culture that emphasizes the importance of integrity and ethical behavior through oral communication and by management example. Through the visibility and direct involvement of senior management, the commitment to integrity and ethical values can be communicated verbally in staff meetings and one-onone meetings. The nature of an entity's control environment is such that it has a pervasive effect on assessing the risks of material misstatement. For example, owner/manager controls may mitigate a lack of segregation of duties in a small business. A smaller entity may not have formalized human resources policies. Policies and practices nevertheless may exist and be communicated by senior management to the staff. Expectations about the type of person to be hired can be verbally communicated and several, if not all levels, of senior management may typically be involved in the recruiting process. Formal documentation is not always necessary for a policy or control to be in place and operating effectively. 
The basic concepts of the entity's risk assessment process are relevant to every entity, regardless of size, but the risk assessment process is likely to be less formal and less structured in smaller entities than in larger ones. All entities should have established financial reporting objectives, but they may be recognized implicitly rather than explicitly in smaller entities. Management may be aware of risks related to these objectives without the use of a formal process but through direct personal involvement with employees and outside parties. For smaller entities, we discuss with management how risks to the business are identified by management and how they are addressed.

Information systems and related business processes relevant to financial reporting in smaller entities are likely to be less formal than in larger entities, but their role is just as significant. Smaller entities with active management involvement may not need extensive descriptions of accounting procedures, sophisticated accounting records, or written policies.

Ongoing monitoring activities of smaller entities are more likely to be informal and are typically performed as a part of the overall management of the entity's operations. Management's close involvement in operations often will identify significant variances from expectations and inaccuracies in financial data leading to corrective action to the control. A smaller entity's management may have a more "hands-on" involvement in most areas of the entity's operations. For example, frequent visits to the factory floor, assembly area, or warehouse and comparing physical inventory with amounts reported by the data processing system are all monitoring controls of a smaller entity. A smaller entity is less likely to undergo separate evaluations of the internal control systems; however, a "hands-on" approach involving ongoing monitoring by senior management may be just as effective. Also, a smaller entity may give accounting personnel the responsibility to evaluate controls of certain operations.

4.1.1 Evaluate the Design and Implementation of Entity Level Controls


Evaluating the design of a control involves considering whether the control, individually or in combination with other controls, is capable of effectively preventing, or detecting and correcting, material misstatements. [9099.0.1] Implementation of a control means that the control exists and that the entity is using it. [4440] Audit procedures performed to gain an understanding about the design and implementation of relevant controls may include inquiring of entity personnel, observing the application of specific controls, and inspecting documents and reports. [4210] Inquiry alone is not sufficient to evaluate the design of a control relevant to an audit and to determine whether it has been implemented. We usually perform a combination of inquiry and other techniques to obtain sufficient appropriate audit evidence to support a conclusion about the design of a control. We focus on combinations of controls, in addition to specific controls in isolation, when assessing whether the objectives of the control criteria have been achieved. We also consider the audit evidence obtained from our previous experience with the entity. [4211]

4.1.2 Prior Period Material Weaknesses and Other Deficiencies in Internal Control over Financial Reporting
Based on the actions taken by management with respect to material weaknesses and other deficiencies in internal control over financial reporting that had a significant impact on our audit approach and that were reported in the prior period, we assess the control consciousness of management. We also document any continuing control deficiencies noted and communicate them appropriately. [4216]

4.1.3 Effect of Entity Level Controls on Our Audit


Entity level controls often have a pervasive impact on control activities over classes of transactions, account balances derived from estimates, other account balances, and disclosures and therefore on our assessment of the risk of significant misstatement. Our understanding and evaluation of the design and implementation of entity level controls includes considering whether the control environment provides an appropriate foundation for the other components of internal control. The nature of the risks arising from a weak control environment is such that they are not likely to be confined to specific individual risks of material misstatement in particular classes of transactions, account balances derived from estimates, other account balances, and disclosures. Rather, weaknesses such as management's lack of competence may have a more pervasive effect on the financial statements and may, where appropriate, require an overall response by us. [4203]

We conclude as to whether the design and implementation of the control environment, entity-wide risk assessment process, information systems relevant to financial reporting, and monitoring of controls are effective. Our conclusion may impact the audit approach to specific audit objectives. [4218]

We evaluate the design and implementation of individual entity level controls as either effective or ineffective; we then make an overall assessment for each component of entity level controls as follows:

| Evaluation of entity level controls | Effect of entity level controls on our planned audit approach |
| --- | --- |
| Effective - appropriately designed and implemented | We may expect to find controls at the assertion level to also be effective and, thus, we may plan our audit approach for selected audit objectives to include tests of the operating effectiveness of controls. [3632] |
| Partially effective - appropriately designed and implemented, but with a limited number of identified deficiencies | We consider the effect of such deficiencies in determining our audit approach at the assertion level. [3632.1] |
| Ineffective - not appropriately designed or implemented | It is less likely that controls at the assertion level are appropriately designed, implemented, and operating effectively; therefore, we would apply our audit approach with an emphasis on substantive procedures. [3632.2] |

It would be unlikely that weak entity level controls would render all assertion level controls unreliable, other than in the smallest entities. Therefore, for audit objectives associated with a significant risk, we seek to identify relevant controls and consider how the controls are impacted by the weaknesses in entity level controls.

Based on our understanding and the evaluation of the effectiveness of entity level controls in each of the sections in the Entity Level Controls Program, we document the implications on our audit in the Planning Document. For example, if we determine: [4208]
- controls relating to integrity and ethical values to be ineffective, we may be unable to rely on management representations
- internal audit to be ineffective or not independent from those charged with governance, we may not be able to use their work or use them in a direct assist capacity on the engagement.

For an SE engagement, entity level controls are documented in the SE Planning Document.

4.2. Accounting Activities at the Assertion Level


Accounting activities is a term to describe the information system, including the related business processes relevant to financial reporting, which includes the following: [9008]
- the procedures, within both IT and manual systems, by which those transactions are initiated, authorized, recorded, processed, and reported in the financial statements
- the related accounting records, whether electronic or manual, supporting information, and specific accounts in the financial statements with respect to initiating, recording, processing, and reporting transactions
- how the information system captures events and conditions, other than classes of transactions, that are significant to the financial statements
- the financial reporting process used to prepare the entity's financial statements, including significant accounting estimates and disclosures.

We refer to the areas listed above as accounting activities, or the information system. [4302.1] We should obtain an understanding of the information systems, including the related business processes, relevant to financial reporting. [4302] The information system relevant to financial reporting objectives includes the accounting system. It consists of the procedures and records established to: [4302.2]
- initiate, authorize, record, process, and report entity transactions (as well as events and conditions), and
- maintain accountability for the related assets, liabilities, and equity.

We organize our procedures by audit objectives. For every audit objective, we obtain an understanding of, and document the relevant accounting activities with respect to, the underlying financial information. The nature of the activities to be documented will depend on whether the significant account(s) being addressed in the audit objective is being audited as: [4303]
- a class of transaction
- an account balance derived from an estimate
- an "other" account balance (not derived from an estimate), or
- a disclosure.

Classes of transactions

For classes of transactions, we obtain an understanding of accounting activities for the purpose of identifying points in the activity that introduce risk (significant risk points). [4039] Significant risk points are points where there is a reasonable possibility that a misstatement, including a misstatement due to fraud, could occur that, individually or in combination with other misstatements, would exceed the significant misstatement threshold. [4039] We identify significant risk points by answering the question: "What could go wrong and where in the process could an error occur?" [4039] Our primary concerns usually relate to determining that all transactions are properly captured and authorized, and that the system can process high volumes of transactions consistently and accurately. [4333]

Account balances derived from an estimate

Estimates involve judgments, and we are concerned with how management goes about identifying the estimates that need to be made, and the quality of the judgments inherent in the estimates. [4345]

For account balances derived from estimates, the risk points are likely to be the specific aspects considered in understanding the accounting activities; therefore, it is unnecessary to consider risk points in understanding and documenting activities related to account balances derived from estimates. [4040]

Usually, the greater the degree of uncertainty surrounding an identified business risk, the greater the risk of significant misstatement in the financial statements due to the accounting estimate. This is because management may find it more difficult to establish effective controls to prevent, or to detect and correct, a significant misstatement where there is a higher degree of uncertainty. [4346.4]

When obtaining an understanding of relevant accounting activities related to account balances derived from estimates, we consider: [4346]/[4346.1]
- the underlying business risks
- the preparation of the estimate
- quality of information used
- assumptions on which the estimate is based
- qualifications and competence of the preparer, relative to the complexity, and
- historical accuracy of the estimate.

"Other" account balances

Our understanding and documentation of accounting activities for those other significant account balances, where we are not testing the related classes of transactions, covers the activities over ensuring that the period-end account balance is not significantly misstated, as well as any controls identified related to these activities. [4368]

Disclosures

When obtaining an understanding of relevant accounting activities and controls related to disclosures, we consider: [4370]
- the preparation of the disclosure
- the quality of information used
- the assumptions on which the disclosure is based, and
- the qualifications, competence, and objectivity of the preparer of the disclosure.

For disclosures, the risk points are likely to be the specific aspects considered in understanding the accounting activities. [4370.1]

The Audit Program has separate sections to document accounting activities and controls. The section used depends on whether a controls approach or substantive approach will be used and whether the audit objective addresses one or more classes of transactions, an account balance derived from an estimate, an other account balance, or a disclosure. Each section includes our specific considerations for that approach.

For SE and VSE engagements, the boxes in the Audit Program for documentation of accounting activities have been combined for consideration and documentation.

4.3. Controls at the Assertion Level


Assertion level controls include control activities, the entity's risk assessment process relevant to assertions, and the monitoring of controls applied at the assertion level. [4033.1.1]

When we follow a controls approach, we document selected controls and evaluate their design and implementation. Where we plan to rely on controls to alter the nature, timing, or extent of our substantive procedures, we also test their operating effectiveness. We plan to rely on controls when it is: [3757]
- more efficient, or
- not possible or practical to obtain sufficient appropriate audit evidence only from substantive audit procedures in order to reduce audit risk to an acceptably low level.

4.3.1 Control Activities


Control activities are a component of internal control. They are the policies and procedures that help ensure that management's directives are carried out, for example, that necessary actions are taken to address risks that threaten the achievement of the entity's objectives. [4406] We consider whether, and how, a specific control activity, individually or in combination with others, prevents, or detects and corrects, material misstatements in classes of transactions, account balances derived from estimates, other account balances, or disclosures. [4046]

We need to distinguish between accounting activities and control activities where we plan to obtain audit evidence through tests of operating effectiveness of the relevant assertion level controls. Testing an accounting activity rather than a control will not provide the necessary audit evidence. Examples of control activities include approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, segregation of duties, and information processing activities such as exception/edit reports, system configuration/account mapping controls, and interface/conversion controls.

Our emphasis is on identifying and obtaining an understanding of control activities that address the points where we consider that material misstatements are more likely to occur. For classes of transactions, these are the significant risk points that we identified when documenting our understanding of the accounting activities. For a class of transactions, we generally seek to identify those controls that cover more than one significant risk point. For account balances derived from estimates or for disclosures, these are the specific aspects considered in understanding the accounting activities that we have documented. [4046.1]/[4047]

When multiple control activities achieve the same control objective, it may not be necessary to obtain an understanding of each of the control activities related to such objective. [4047]

Examples of specific control activities include those relating to:

Segregation of duties [4614]
Assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets is intended to reduce the opportunities to allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of the person's duties. [4615]

Performance reviews [4620]
These control activities include reviews and analyses of actual performance versus budgets, forecasts, prior period performance, or other key performance indicators; relating different sets of data (operating or financial) to one another, together with analyses of the relationships and investigative and corrective actions; comparing internal data with external sources of information; and management review of functional or activity performance, such as a bank's consumer loan manager's review of reports by branch, region, and loan type for loan approvals and collections. [4621]

Information processing [4613.65]
A variety of controls that are performed to confirm the accuracy, completeness, and authorization of transactions. The two broad groupings of control activities relating to information systems are application controls and IT general controls. Examples of application controls include exception/edit reports, system configuration/account mapping controls, interface/conversion controls, and system access. [4613.66] When evaluating the design and implementation and testing the operating effectiveness of controls, we identify and focus our evaluation and testing on the application control(s) that manage relevant risks rather than evaluating and testing all of the entity's application controls within a particular process. [4613.68.1] Application controls have a strong relationship with IT general controls and are audited in conjunction with those IT general controls. [4613.68.2]

Physical controls [4661]
These activities encompass the physical security of assets, including adequate safeguards such as secured facilities over access to assets and records; access to computer programs and data files; and periodic counting and comparison (reconciliation) with amounts shown on control records. [4662] The extent to which physical controls intended to prevent theft of assets are relevant to the reliability of financial statement preparation, and therefore the audit, depends on circumstances such as when assets are highly susceptible to misappropriation. [4664]

The concepts underlying control activities in smaller entities are likely to be similar to those in larger entities, but the formality with which they operate varies. Further, smaller entities may find that certain types of control activities are not relevant because of controls applied by management. For example, management's retention of authority for approving credit sales, significant purchases, and drawdowns on lines of credit can provide strong control over those activities, lessening or removing the need for more detailed control activities. Smaller entities often have fewer employees, which may limit the extent to which segregation of duties is practicable. However, for key areas, even in a very small entity, it can be practicable to implement some degree of segregation of duties or other form of unsophisticated but effective controls. The potential for override of controls by the owner-manager depends to a great extent on the control environment and in particular, the owner-manager's attitudes about the importance of internal control.

4.3.2 IT General Controls


IT general controls are policies and procedures that relate to many applications and support the effective functioning of application controls (i.e., automated controls and manual controls with an IT component) by helping to ensure the continued proper operation of information systems. Application controls may not operate effectively unless adequate IT general controls are in place to support them. [4613.4] For example, limits over who can approve check requisitions in the system are irrelevant if the IT general controls are not adequate to help ensure that these limits are consistently applied (e.g., through periodic review by management of whether individual access rights are appropriately limited in accordance with business policies).

We only test the operating effectiveness of IT general controls if they support the operating effectiveness of the application controls on which we intend to rely to provide audit evidence and to modify the nature, timing, and extent of substantive procedures. [4613.12.2]

If relevant to the engagement, the audit objectives listed below are mandatory when completing the IT General Controls Program. [4613.9.1.2]

For an SE engagement, the IT General Controls Program has been integrated into the SE Planning Document; although the considerations remain the same, the extent of required documentation has been reduced. If the engagement meets the criteria for the involvement of IRM specialists, then the separate IT General Controls Program is to be completed instead of the IT general controls section in the SE Planning Document.

For VSE engagements, we take a substantive approach for substantially all significant accounts and disclosures. In the circumstances when there is no reliance on any IT related controls throughout the entire audit, we are not required to document our understanding of the IT general controls. However, in circumstances when we intend to rely on the operating effectiveness of automated controls (including manual controls with an IT component, or IT system generated reports) throughout the period under audit, we evaluate the design and implementation and test the operating effectiveness of such controls, including related IT general controls and document our procedures in the Audit Program - VSE. The IT General Controls Program may be used as a guide to determine the relevant work to be performed; however, completion of this document is not mandatory.
The following audit objectives and components are considered in the IT General Controls Program:

Access to programs and data
Audit objective: To determine whether adequate controls for access to programs and data have been established to reduce the risk of unauthorized/inappropriate access to the relevant information systems related to financial reporting. [4613.17.1]
Programs and data access components: [4613.17.2]
- information security policy/user awareness
- physical access
- configuration of access rules
- access administration
- identification and authentication
- monitoring, and
- super users.

Program changes
Audit objective: To determine whether adequate controls for program changes have been established to ensure that changes to existing systems/applications are authorized, tested, approved, properly implemented, and documented. [4613.28.1]
Program change components: [4613.28.2]
- authorization, development, testing, and approval
- migration to the production environment
- configuration changes, and
- emergency changes.

Program development
Audit objective: To determine whether adequate controls for program development have been established to ensure that new systems/applications which are developed or acquired are authorized, tested, approved, properly implemented, and documented. [4613.43.1]
Program development components: [4613.43.2]
- methodology for development/acquisition
- design, development, testing, approval, and implementation, and
- data migration.

Computer operations
Audit objective: To determine whether adequate controls for computer operations have been established to ensure that system/application processing is appropriately authorized and scheduled and deviations from scheduled processing are identified and resolved. [4613.51.1]
Computer operations components: [4613.51.2]
- job processing
- backup and recovery procedures, and
- incident and problem management procedures.

End-user computing
We determine whether management has implemented appropriate policies and procedures to ensure IT general controls are properly applied to end-user computing environment, including controls to address:
- access to programs and data
- program change
- program development, and
- computer operations.

The entity may support end-user computing with IT general controls consistent with its level of sophistication. Such general controls should, however, address access to programs and data, program change, program development, and computer operations. [4613.60.4] Management should have appropriate controls in place to ensure that policies to address IT general controls over critical data, transactions, and programs being maintained by end users exist and are being followed. Generally, IT general controls and application controls over end-user computing are documented in the relevant Audit Program. [4613.62]

We complete an IT General Controls Program for each relevant IT environment when we intend to rely on application controls to provide audit evidence and to modify the nature, timing, and extent of our substantive procedures. [4613.9.3] An IT environment is an environment where the entity has implemented a common set of policies and procedures to support the effective functioning of application controls. IT general controls, by their nature, are not limited to individual applications or locations. A single IT general control may relate to multiple applications or locations. [4613.9.3.1] For example, an ERP system often operates in a single environment, and this may cover all our financial systems, whereas "legacy" systems often have their own "computing environment" and may require a separate IT General Controls Program for each system. In the Audit Program there is a question for every control identified as to whether the control has an IT component. There will be an IT component for every IT application control and for every manual control that uses data produced by an IT system. Whenever we intend to rely on these controls to modify the nature, timing, and extent of our substantive procedures, we will need to understand the related IT general controls, evaluate their design and implementation, and test their operating effectiveness. We determine that we have the appropriate knowledge, skills, and experience within the engagement team to evaluate and test IT general controls; we will frequently involve IRM specialists in the audit to evaluate the design and implementation, and test the operating effectiveness of IT general controls and relevant automated application controls. 
Our response to ineffective IT general controls may include performing additional audit procedures that would enable us to continue to rely on the application control; evaluating the design and implementation, and testing the operating effectiveness, of other controls designed to achieve the same control objective; or increasing our assessment of control risk, and therefore RoSM, thereby modifying the nature, timing, and extent of our substantive procedures. We ordinarily work closely with IRM specialists in responding to ineffective IT general controls. [4793.4.0.2]

Where a compensating control cannot be identified for a deficient control, or the identified compensating control does not operate at the same level of precision as the deficient control, we modify the nature, timing, and extent of our substantive procedures. [4793.4.1]

Example controls for each of the four areas of IT general controls are accessible via the LCE global home page on KWorld by selecting LCE General Global Knowledge followed by ITGC General Global. While the knowledge has been customized to the LCE workflow, the knowledge is also applicable for use on the FSA, SE, and VSE workflows.

4.3.3 Risk Assessment Process Relevant to Assertions


In addition to identifying risks at the entity level, management identifies risks at the activity level. If we intend to rely on risk assessment controls that are unique to a particular audit objective, we document and evaluate these controls in the same manner as other assertion level controls. [4411.1] If management does not have adequate processes to identify assertion level risks, we need to assess how management has determined that internal control is sufficient to address risks of significant misstatement at the assertion level.

4.3.4 Monitoring of Controls at the Assertion Level


In addition to entity level monitoring controls, management also monitors activity level controls. If we intend to rely on management's monitoring of activity level controls that are unique to a particular audit objective, we document and evaluate these controls in the same manner as other assertion level controls. [4418.1]

4.3.5 Select Relevant Controls


An audit does not require an understanding of all the control activities related to each significant class of transactions, account balance derived from an estimate, other account balance and disclosure in the financial statements, or for every assertion relevant to them. Therefore, our emphasis is on identifying and obtaining an understanding of control activities that address the points where we consider that material misstatements are more likely to occur. [4420.1.2] When multiple control activities achieve the same control objective, it may not be necessary to obtain an understanding of each of the control activities related to such objective. Our focus is on obtaining an understanding of (including documenting such understanding) and evaluating those control(s) that effectively address the specified risk. [4420.1.3] For classes of transactions, we select control activities that address the significant risk points that we identified when documenting our understanding of the accounting activities.

If we have identified a risk of fraud associated with an audit objective, we evaluate the design and implementation of antifraud controls that are relevant to the identified fraud risk and, if effectively designed and implemented, and where we intend to rely on the effectiveness of the controls to modify the nature, timing, and extent of substantive procedures, we test their operating effectiveness. We determine whether to evaluate preventative controls, detective controls, or a combination of both for individual relevant assertions for individual audit objectives. We ordinarily evaluate a combination of preventative and detective controls, although we focus on controls that detect and correct a misstatement rather than preventative controls. Detective controls may provide audit evidence in relation to one or more audit assertions and may be a more effective means of gaining audit evidence. [4420.3]

We also consider the risks identified at the financial statement level and any deficiencies found in the entity level controls when determining control activities to be evaluated. These may include: [4420.4]
- the incorrect application of accounting principles, including the competency of the individuals and their ability to interpret and apply generally the applicable financial reporting framework. For example, when an extended period is required for sales (for example, real estate), delivery (for example, construction contracting), or collection (for example, installment sales), there may be an increased risk that the accounting principles for revenue recognition are misapplied.
- a weak control environment. For example, there exists an inappropriate segregation of duties or ineffective systems development process.
- management fraud, possibly through journal entries (including electronic manipulation)
- inappropriately designed computer information systems. For example, computer information systems do not prevent the entry of duplicate transactions.
- misappropriation of assets. For example, misappropriation of assets may occur if employees have access to cash or other negotiable assets.
- ineffective monitoring of controls. For example, the timeliness and accuracy of reconciliations is not monitored.
- entering into business areas or transactions with which the entity has little experience.

To the extent that the design and operating effectiveness of an application control are dependent on an indirect (supporting) control, we obtain evidence regarding the operating effectiveness of the supporting control. For instance, internal controls in an application are dependent on IT general controls. [4047.2]; [4420.2.1]

4.3.6 Documentation of Controls


We document controls after we have documented the accounting activities and, for classes of transactions, the significant risk points.

Our description of a control covers: [4423]
- the objective of the control (including the risk it helps to mitigate)
- how it is performed and documented
- how frequently it is applied
- the knowledge, experience, and skills of the person performing it (if it's a manual control)
- the nature and size of the potential misstatements, both intentional and unintentional, that it is likely to prevent, detect, and correct, and
- whether the control has an IT component.

This description forms the basis for our evaluation of design and implementation, where we are concerned with whether the control is capable, if operating effectively, of preventing, or detecting and correcting a significant misstatement in the financial statements and whether the entity is using the control. [4423.3]

4.3.7 Understanding Likely Sources of Potential Misstatements


In performing our audit, we understand the likely sources of potential misstatements for classes of transactions, account balances derived from estimates, other account balances, and disclosures. [4430.1]

To further understand the likely sources of potential misstatements for classes of transactions, and as a part of selecting controls to test, we perform procedures to achieve the following objectives: [4431]
- understand the flow of transactions related to the relevant assertions, including how these transactions are initiated, authorized, processed, and recorded
- verify that we have identified the relevant significant risk points
- identify the controls that management has implemented to address these significant risk points, and
- identify the controls that management has implemented over the prevention or timely detection of unauthorized acquisition, use, or disposition of the entity's assets that could result in a material misstatement of the financial statements.

For a class of transactions, it is presumed that we will perform walkthroughs in order to achieve the objectives outlined above. In the event we believe that the objectives of this section can be met by performing procedures other than a walkthrough, those procedures and their relationship to the objectives are documented in the Audit Program. [4431.1] In performing a walkthrough, we follow a single transaction from origination through the entity's processes, including information systems, until it is reflected in the entity's financial records, using the same documents and information technology that entity personnel use. At the points at which important processing procedures occur, we question the entity's personnel about their understanding of what is required by the entity's prescribed procedures and controls. [9322] Walkthrough procedures usually include a combination of inquiry, observation, and inspection of relevant documentation. [4432] The procedures that we perform during our walkthrough are ordinarily sufficient to evaluate the design and implementation of controls. [4432] Walkthroughs that include a mix of inquiry, observation, inspection, and reperformance of controls may be sufficient to test the operating effectiveness of controls depending on the mix of procedures performed; the risk of failure of the control; the nature, timing, and extent of tests of operating effectiveness; and the results of those procedures. [4432.0.2]

4.3.8 Evaluate the Design and Implementation of Selected Assertion Level Controls
Obtaining an understanding of internal controls involves evaluating the design of a control and determining whether it has been implemented. Evaluating the design of a control involves considering whether the control, individually or in combination with other controls, is capable of effectively preventing, or detecting and correcting, material misstatements. Implementation of a control means that the control exists and that the entity is using it. We consider the design of a control in determining whether to consider its implementation. An improperly designed control may represent a material weakness in the entity's internal control and we consider whether to communicate this to management and those charged with governance. [4440]; [4114]

Our procedures when evaluating the design and implementation of controls may include: [4444.1]
- inspection of documents and records
- observation of controls being performed, and/or
- inquiries of appropriate personnel

Inquiry alone is not sufficient to provide appropriate evidence to support a conclusion about the effective design and implementation of a control; therefore, we supplement it with other procedures.

We may be able to evaluate the design and implementation of relevant controls while performing a walkthrough.

Although smaller entities usually do not have complex IT environments, we still consider whether specialized skills and the use of Information Risk Management professionals are necessary for testing controls that have an IT component.

4.4. Test the Operating Effectiveness of Selected Controls


When performing tests of the operating effectiveness of controls, we obtain audit evidence that controls operate effectively. This includes obtaining audit evidence about how controls were applied at relevant times during the period under audit, the consistency with which they were applied, and by whom or by what means they were applied. [9191] Therefore, we may perform a test of operating effectiveness at more than one point during the period under audit. [4703.1]

We perform tests of operating effectiveness of controls in the following two circumstances: [4700.1]
- when substantive procedures alone do not provide sufficient appropriate audit evidence, and
- when the nature, extent, and timing of our planned substantive procedures include an expectation that controls are operating effectively (i.e., when we plan to rely on controls to modify the extent of our substantive testing).

We perform tests of the operating effectiveness of controls only on those controls that we have determined are suitably designed and implemented to prevent, or detect and correct, a significant misstatement in an assertion. [4703] We do not test the operating effectiveness of controls that we have determined are either not designed effectively or have not been implemented properly by the entity.

Tests of operating effectiveness are concerned with: [4703.2]
- how controls were applied
- the consistency with which they were applied during the period, and
- by whom they were applied.

When testing the operating effectiveness of controls, we consider the following: [4704]

Nature
There are a number of control testing techniques that we may use to obtain audit evidence about the effectiveness of the operation of controls, such as: [4730]
- observation: We observe the performance of the control.
- inquiry: We ask a knowledgeable person for information about the operation of a control.
- reperformance: We reperform the operation of a control to ascertain that it was performed correctly.
- recalculation: We recalculate the mathematical accuracy of documents or records supporting the operation of a control. Recalculation can be performed by using CAATs to check the accuracy of the summarization of the file.
- inspection: We look at records or documents supporting the operation of a control.
- corroborative inquiry: We corroborate results of inquiries concerning the performance of a control through confirmation with other members of the entity. Corroboration helps to confirm the validity and consistency of the application of a control.
- knowledge assessment: We combine inquiry, inspection, and reperformance techniques to test an individual's knowledge of a subject or his or her ability to perform a control effectively.
- system query: We test automated controls within an information technology application to determine whether they are operating as expected.

We should perform other audit procedures in combination with inquiry to test the operating effectiveness of controls. [4731]

Timing
The timing of tests of controls depends on our objective and determines the period of reliance on those controls. When we perform audit work before the period-end, we consider the potentially increased risk that we will not detect a significant misstatement that may exist at the period-end. We reduce this potentially increased audit risk by performing additional audit work to cover the remaining period in a way that provides a reasonable basis for extending the audit conclusions to the period-end. [4747.1]/[4748]

If we test controls at a particular time, we only obtain audit evidence that the controls operated effectively at that time. However, if we test controls throughout a period, we obtain audit evidence of the effectiveness of the operation of the controls during that period. [4745] If we perform tests of controls prior to period-end, we consider the additional evidence required for the remaining period. [4743] For all controls that are tested up to an interim date, we also document in the Audit Program the procedures performed to obtain additional audit evidence that they continued to operate effectively for the remaining period. [4750.1]

Relevant factors in determining what additional audit evidence to obtain about controls that were operating during the period remaining after an interim period, include: [4751]
- the significance of the assessed risks of significant misstatement
- the specific controls that were tested during the interim period
- the degree to which audit evidence about the operating effectiveness of those controls was obtained
- the length of the remaining period
- the extent to which the auditor intends to reduce further substantive procedures based on the reliance of controls, and
- the control environment.

For example, if a control is automated, with effective IT general controls, inquiry alone may be sufficient regardless of the length of the roll-forward period. If a manual control involves a high degree of subjectivity or judgment, we usually expect the nature of the roll-forward procedures to be more extensive than inquiry and the roll-forward period to be limited.

Extent
When we test controls, we use our professional judgment to determine the extent of our audit procedures. We design our audit procedures to be sufficiently extensive to provide reasonable assurance that the controls operated effectively throughout the period. [4763.1] Extent includes the quantity of a specific audit procedure to be performed, for example, a sample size or the number of observations of a control activity.

The extent of an audit procedure is determined by us after considering each of the following: [4763.2]
- The characteristics of the population. Is the population from which we are selecting the sample appropriate for the specific test objective?
- The degree of assurance provided by the sample and other tests of controls. Are we performing tests of controls over a single control addressing an assertion or multiple controls addressing the same assertion?
- The number of control deviations that can be accepted. Do we expect control deviations in the sample? Guidance below is presented separately based on our expectation regarding control deviations in the sample.
- Our assessment of the risk of failure of the control. If the control is not effective, is there a risk that a material misstatement would result?

The number of control deviations that can be accepted


We normally do not expect to find control deviations when we select controls to test. However, there may be circumstances where we are prepared to accept a small number of control deviations but still consider it appropriate to rely on the operating effectiveness of the control to provide audit evidence to enable us to modify the nature, timing, or extent of our substantive procedures. [4767.2]

Circumstances in which we may be willing to accept some control deviations include those where: [4767.3]
- transactions which are subject to the control are not individually large, complex, or likely to include a significant misstatement
- the operation of the control does not require significant judgment, or
- we are not obtaining a large part of our audit evidence with respect to the relevant audit objective from our test of the operating effectiveness of this control.

We consider whether the rate of expected control deviations indicates that the control will not be sufficient to reduce the risk of significant misstatement. If the rate of expected control deviations is expected to be too high, we may determine that tests of controls for a particular assertion may not be effective. [4767.3.1]

Our assessment of the risk of failure of the control


The risk of failure is the risk that the control might not be effective and, if not effective, the risk that a material misstatement would result. We assess the risk of failure as lower or higher using our professional judgment, based on the specific circumstances of the control. [4766.3] As the risk of failure of the control increases, the evidence we obtain also increases such that we might choose to obtain more persuasive audit evidence and/or more evidence in terms of number of operations of the control tested. [4766.1.1]

Factors that affect the risk of failure associated with a control include: [4766.4]
- the nature and materiality of the misstatements which the control is designed to prevent or detect
- the assertions addressed by the control
- the inherent risk of error associated with the relevant significant account and assertions
- whether there have been changes in the volume or nature of transactions over which the control operates
- the competence of the personnel who perform the control or monitor its performance, and whether there have been changes in such personnel
- the effectiveness of relevant entity level controls, particularly monitoring controls which relate to the specific control being tested
- the nature of the control and the frequency with which it operates
- the complexity of the control and the significance of the judgments that must be made in connection with its operation
- whether the related significant account has a history of errors
- the degree to which the control relies on the effectiveness of other controls, and
- whether the control relies on performance by an individual or is automated.

KAM International 4766.5 contains examples of indicators of higher and lower risks of failure for each factor. Increasing the extent of an audit procedure is effective only if the audit procedure itself is relevant to the specific risk; therefore, the nature of the audit procedure is the most important consideration. [4763.7]

Sample sizes for testing manual controls when we expect no control deviations
We consider the following guidance related to the frequency of the performance of the control when planning the extent of tests of the operating effectiveness of manual controls for which we do not expect to find control deviations. We determine the appropriate number of control occurrences to test based on the following minimum sample size for the frequency of the control activity dependent on whether we have assessed a lower or higher risk of failure of the control. [4768.1]

| Frequency of control activity | Minimum sample size, lower risk of failure | Minimum sample size, higher risk of failure |
|---|---|---|
| Annual | 1 | 1 |
| Quarterly (including period-end, i.e. +1) | 1+1 | 1+1 |
| Monthly | 2 | 3 |
| Weekly | 5 | 8 |
| Daily | 15 | 25 |
| Recurring manual control (multiple times per day) | 25 | 40 |

Although +1 is used to indicate that the period-end control is tested, this does not mean that for more frequent control operations the year-end operation cannot be tested.

Sample sizes for testing recurring manual controls when we accept some control deviations
In circumstances when we test a larger sample of controls and accept a small number of control deviations, when testing controls which operate at more than one homogeneous location or when we are performing a dual-purpose test, where our substantive sample size is larger than the indicated minimum for the test of operating effectiveness of the control, we use the following table to determine the number of control deviations which can be accepted for a given sample size, for both a lower or higher risk of failure of the control: [4769.2] [4769.3]

| Number of acceptable control deviations | Sample size, lower risk of failure | Sample size, higher risk of failure |
|---|---|---|
| 1 | 50 | 80 |
| 2 | 60 | 95 |
| 3 | 71 | 111 |
| 4 | 85 | 133 |
| 5 | 98 | 154 |
| 6 | 111 | 175 |
| 7 | 124 | 195 |
| 8 | 137 | 215 |
| 9 | 150 | 235 |
| 10 | 163 | 255 |
| 11 | 175 | 275 |
| 12 | 188 | 294 |
| 13 | 200 | 314 |
| 14 | 212 | 333 |
| 15 | 225 | 352 |
| 16 | 237 | 372 |
| 17 | 249 | 391 |
| 18 | 261 | 410 |
| 19 | 273 | 429 |
| 20 | 285 | 448 |

After determining which locations we will test, we select and test a minimum of 10 operations of the recurring manual controls at each location selected. We use the table above to determine the aggregate number of control deviations acceptable for the corresponding total sample size. [4770.6] For example, if we test a homogeneous control at 15 locations, the minimum sample size is 150 items and the maximum number of expected control deviations in the sample is 9 for a control which we assess as having a lower risk of failure.

When we test controls at multiple locations, we conclude controls are effective if not more than the aggregate acceptable number of control deviations are found in the total of the sample items selected, and not more than one control deviation is found at each sampled location. [4770.7] Continuing with the previous example, if one control deviation is detected in each of nine locations, and no control deviations are detected in the remaining six locations, we conclude that the control is effective, if none of the control deviations are considered to be representative of a systematic or intentional control deviation.

The table above may also be used in other circumstances in consultation with a KPMG Sampling Specialist. [4769.2]

We may design a test of controls to be performed concurrently with a test of details on the same transaction. The objective of tests of controls is to evaluate whether a control operated effectively. The objective of tests of details is to detect significant misstatements at the assertion level. Although these objectives are different, both may be accomplished concurrently through performance of a test of controls and a test of details on the same transaction, also known as a dual-purpose test. [4735] For example, when attending the physical inventory count, we may select a sample of items for which we reperform the client's count to test the operating effectiveness of internal controls. This also provides us with substantive audit evidence.

In some situations, a similarly designed control operates at the same time over many different components of a class of transactions, account balance, or disclosure. In these situations we use our judgment to determine the extent of testing both in terms of the frequency of testing (such as number of days, weeks, or months to test) and the number of similar operations to test at each point in time (such as number of locations or different application controls affected). [4613.14.3]

For example, an entity may have one change management process to manage changes made to all of its applications. If the control to authorize, test, and approve program changes occurs 12 times during the year and includes multiple changes on each occurrence, we may choose to test two occurrences of the control during the period under audit. Rather than test the operation of the control to authorize, test, and approve every change at these two occurrences, we may inspect the documentation to identify changes relevant to financial reporting and use professional judgment to select a sample of the changes at each of the two occurrences. We then test the operating effectiveness of this sample.

Use of audit evidence obtained in prior periods regarding the operating effectiveness of controls
This section is relevant for both manual and automated controls.

When we have determined that an assessed risk of material misstatement at the assertion level is a significant risk and we plan to rely on the operating effectiveness of controls intended to mitigate that significant risk, we should obtain the audit evidence about the operating effectiveness of those controls from tests of controls performed in the current period. [ISA 330.44][4775.5.1.4]

Our decision to base our assessment of the operating effectiveness of controls on evidence obtained in previous audits is a matter of professional judgment. [4775.5.2] If we plan to use audit evidence about the operating effectiveness of specific controls obtained in previous audits, we:
- establish the continuing relevance of that evidence by obtaining audit evidence about whether changes in those specific controls have occurred subsequent to the previous audit by performing a walkthrough, and
- test the entity's relevant monitoring controls, which provide a basis for management's assertion that there have been no changes to those specific controls and that those specific controls continue to operate effectively.

If there have been changes that affect the continuing relevance of the audit evidence obtained in the previous audit, we test the operating effectiveness of such controls in the current audit. [4775.5.8] See section titled "Understand likely sources of potential misstatements" in the Control Evaluation chapter of KAM for further guidance about walkthroughs.

If we plan to rely on controls that have not changed since they were last tested, we should test the operating effectiveness of such controls at least once in every third audit. [4775.5.1.2] Factors that ordinarily decrease the period for retesting a control include: [4775.5.4]
- an ineffective or partially effective control environment
- ineffective or partially effective monitoring of controls
- a significant manual element to the relevant controls
- personnel changes that significantly affect the application of the control
- changing circumstances that indicate the need for changes in the control, and
- ineffective IT general controls.


If we plan to use audit evidence about the operating effectiveness of controls obtained in previous audits, we: [4775.5.12.1]
- describe the audit evidence obtained through a walkthrough that supports that no changes in the design or implementation of the subject controls have occurred since our last evaluation
- include in the current audit file a copy of the prior year's working papers relating to our evaluation of the design and implementation of the controls and our test of their operating effectiveness
- document the conclusions reached with regard to the use in the current audit of audit evidence about the operating effectiveness of controls that was obtained in a previous audit.

Our testing considerations during an audit period are made on an assertion basis and not on a control-by-control basis. Therefore, when there have been changes that affect the continuing relevance of the audit evidence about one or more controls related to an assertion, we do not use audit evidence obtained in previous audits about the operating effectiveness of other controls that operate over the same assertion. [4775.5.9] When there are a number of controls for which we determine that it is appropriate to use audit evidence obtained in prior audits, we should test the operating effectiveness of some controls each audit. [4775.5.1.3]

Reliability of underlying data


When performing a substantive test using sampling techniques such as KPMG MUS or the KPMG Sampling Plan for the purpose of forming a monetary conclusion on the population, we do not use the guidance included in this section. [4777]

Underlying data represents information produced by the entity that may be included in a system generated report or a management prepared document. [4776.1] When we use information produced by the entity to perform audit procedures, we should obtain audit evidence about the accuracy and completeness of the information. [4776.2] The nature and extent of audit procedures performed will vary depending on engagement-specific circumstances and on whether the information is the product of an automated or a manual activity. [4785.2]

Automated: If a system-generated report is the product of an automated activity, and IT general controls are tested and found to be operating effectively for the period under audit, then we may assess the design and operating effectiveness of relevant automated application controls associated with information included in the document to determine whether such information may be used in performing further audit procedures (substantive or control). [4785.5]

Manual: If a management-prepared document is the product of a manual activity, then we may assess the design and operating effectiveness of relevant manual controls associated with information included in the document to determine whether such information may be used in performing further audit procedures (substantive or control). [4785.6] We refer to the sample size guidance for testing manual controls in the section titled, "Extent of tests of controls" of KAM.

When automated application controls associated with the completeness and accuracy assertions are different, relevant controls for each assertion should be assessed for effectiveness. In designing the relevant audit procedures, we assess and conclude on both the accuracy and completeness assertions.

We refer to the sample size guidance in the section titled, "Extent of tests of controls" in KAM.

Procedures performed to assess the accuracy of underlying data also include checking the mathematical accuracy of such reports or documents. [4785.6.1]

When IT general controls are not tested for operating effectiveness, or are deemed ineffective, or manual controls have not been determined to be effective during the period, we assess the accuracy of information included in underlying data using sampling. [4785.13] The following chart outlines the suggested sample sizes:

| Estimate of the number of transaction items included in the population | Suggested sample size |
|---|---|
| 50 or fewer | 5 |
| 51-250 | 15 |
| >250 | 25 |

If we detect an error while performing our audit procedures, we need to understand:
- the nature and cause of the error
- its impact on the assertion associated with the report or document
- whether it may be indicative of systematic error or the possible existence of fraud.

We make specific inquiries to understand these matters and their potential consequences. We use professional judgment in determining the nature and extent of additional audit procedures necessary to confirm our understanding. [4785.14.1]

The nature and source of the underlying data will dictate the nature and extent of audit procedures performed to assess completeness of data. [4785.10] For example, when the underlying data does not include all items within a particular account balance, assessing completeness of information included in such documents may require alternative audit procedures. [4785.11] For example, to assess the completeness of a management-prepared document representing unpaid customer invoices outstanding greater than 90 days (90-day report), we may assess the completeness of the information included in the 90-day report by selecting source documents from the unpaid accounts file (a reciprocal population) to determine if the related invoices are appropriately reflected in, or omitted from, the 90-day report. The sample size determination should be made based on the number of individual items in the reciprocal population.

We assess the completeness and accuracy of underlying data each time the underlying data is generated and the related information is used in the performance of further audit procedures (control or substantive) when we do not have evidence that the relevant controls are operating effectively for the underlying data. [4785.16] For example, where information included in underlying data (e.g., accounts receivable aging) is prepared as of an interim date and as of year-end, and is used in the performance of further audit procedures (control or substantive), completeness and accuracy are assessed as of the interim date and as of year-end.

4.4.1 Deviations Discovered During Testing



This guidance relates only to recurring controls that operate each time a transaction occurs. It does not apply to periodic controls (daily, weekly, or monthly). If control deviations are found in tests of periodic controls, the sample size cannot be extended and we conclude that the control is ineffective and consider the implication on our audit approach. [4792.3]

When control deviations are detected during the performance of tests of controls, we make specific inquiries to understand the cause of the control deviations and their potential consequences, for example, by inquiring about the timing of personnel changes in key internal control functions. We determine whether such control deviations are representative of systematic or intentional control deviations. [4792.5.2] The discovery of a systematic or intentional control deviation ordinarily requires a broader consideration of possible implications than does the discovery of an error. [4792.6] If in our judgment the deviation is believed to be intentional, we follow the guidance in the section titled "Consider the fraud, earnings management, and internal control implications of audit differences" in the Completion chapter of KAM International.

Considering the consequences of a control deviation is a matter of professional judgment. When a deviation is not considered to be representative of a systematic or intentional control deviation, we consider if we can conclude that the control is operating effectively as follows:

| Findings | No expected error (normal situation) | Increased sample size sufficient that some error can be accepted (in accordance with the table above) |
|---|---|---|
| Example | Sample size is less than 50 for a lower risk control or 80 for a higher risk control | Greater than 50 for lower risk of failure or 80 for higher risk of failure |
| No errors found in initial sample | Conclude control is effective. [4791.2] | Conclude control is effective. [4791.2] |
| One error found in initial sample | If we conclude the control deviation does not represent a systematic or intentional control deviation, we either conclude the control is not effective or carry out additional testing on a sample size at least the same size as the initial sample size. | If we conclude the control deviation does not represent a systematic or intentional control deviation, we conclude the control is effective. |
| More than one error found in the initial sample | Conclude the control is not effective. | If we conclude the control deviation does not represent a systematic or intentional deviation, we assess the control as being effective if the number of deviations is less than or equal to the number of acceptable control deviations for the sample size and ineffective if the number of deviations found is greater than the number of acceptable control deviations for the sample size. [4792.4] |
| No errors found in extended sample | Conclude control is effective. | We do not extend the sample size where a larger initial sample size is used and the number of deviations identified is greater than the number of acceptable control deviations for the sample size. |
| One or more errors found in the extended sample size | Conclude the control is not effective. | We do not extend the sample size where a larger initial sample size is used and the number of deviations identified is greater than the number of acceptable control deviations for the sample size. |

1 See below for special considerations for a homogenous control operating over multiple locations

When we test controls at multiple locations, we conclude controls are effective if not more than the aggregate acceptable number of control deviations are found in the total of the sample items selected, and not more than one deviation is found at each sampled location. If we find more than one deviation at a sampled location, we conclude that the control is ineffective at that specific location and modify the nature and extent of our test work at the specific location(s) for which the controls were deemed to be ineffective. [4792.5.1] We consider the nature and cause of the control deviation and determine whether the conditions under which the deviation occurred are applicable at other locations. [4792.5.1]
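The multi-location rule above, combined with the workbook's table of acceptable control deviations, can be expressed as a small decision function. This is an added example in Python, not part of the workbook: the function and class names are hypothetical, and treating a total sample size that falls between two table entries as the next lower entry is an assumption.

```python
from bisect import bisect_right
from dataclasses import dataclass, field

# Sample sizes from the workbook's acceptable-deviations table. Index i holds
# the sample size at which i + 1 control deviations can be accepted.
SAMPLE_SIZES = {
    "lower": [50, 60, 71, 85, 98, 111, 124, 137, 150, 163,
              175, 188, 200, 212, 225, 237, 249, 261, 273, 285],
    "higher": [80, 95, 111, 133, 154, 175, 195, 215, 235, 255,
               275, 294, 314, 333, 352, 372, 391, 410, 429, 448],
}
MIN_ITEMS_PER_LOCATION = 10  # minimum operations tested at each location


def acceptable_deviations(sample_size, risk):
    """Number of deviations the table accepts for this sample size.

    Assumption: a size between two table entries is rounded down to the
    lower entry; below the first entry no deviation is accepted.
    """
    if risk not in SAMPLE_SIZES:
        raise ValueError("risk must be 'lower' or 'higher'")
    return bisect_right(SAMPLE_SIZES[risk], sample_size)


@dataclass
class Conclusion:
    effective: bool
    total_sample: int
    total_deviations: int
    acceptable: int
    ineffective_locations: list = field(default_factory=list)


def evaluate_locations(results, risk, systematic_or_intentional=False):
    """Apply the multi-location rule.

    results maps a location name to (items_tested, deviations_found).
    systematic_or_intentional records the auditor's judgment on the nature
    of the deviations; the code cannot make that judgment itself.
    """
    for name, (tested, found) in results.items():
        if tested < MIN_ITEMS_PER_LOCATION:
            raise ValueError(f"{name}: fewer than {MIN_ITEMS_PER_LOCATION} items tested")
        if not 0 <= found <= tested:
            raise ValueError(f"{name}: deviation count out of range")

    total_sample = sum(tested for tested, _ in results.values())
    total_deviations = sum(found for _, found in results.values())
    acceptable = acceptable_deviations(total_sample, risk)
    # More than one deviation at a location makes the control ineffective there.
    failed = sorted(name for name, (_, found) in results.items() if found > 1)

    effective = (
        not systematic_or_intentional
        and total_deviations <= acceptable
        and not failed
    )
    return Conclusion(effective, total_sample, total_deviations, acceptable, failed)


def workbook_example():
    """Constructed input matching the workbook's 15-location example."""
    results = {f"loc-{i:02d}": (10, 1 if i <= 9 else 0) for i in range(1, 16)}
    return evaluate_locations(results, "lower")


if __name__ == "__main__":
    print(workbook_example())
```
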

Considering the consequences of a control deviation is a matter of professional judgment and is influenced by the characteristics of the control and the number of control deviations detected. [4792.7] For example, the failure in a reconciliation control during an interim period may be corrected before the period-end, in such a way that does not impact the financial statements, while still impacting on other audit procedures. For example, if a bank reconciliation is not performed for the four months from June to September, but is performed appropriately at the period-end, the control will still be effective in relation to the recording of cash receipts and cash payments in the period and can be relied upon. However, the failure to operate the control effectively during the period does undermine the reliability of monthly management accounts and thus any trend analysis performed over the period.

If control deviations are found in tests of controls which operate periodically, the sample size cannot be extended and we conclude that the control is ineffective and consider the implication on our audit approach. [4792.3]

4.5. Control Deficiencies


A control deficiency may consist of either a design or operating deficiency. A design deficiency exists when either a necessary control is missing or an existing control is not properly designed so that even when the control is operating as designed, the control objective is not always met. An operating deficiency exists when a properly designed control either is not operating as designed or the person performing a control does not possess the necessary authority or qualifications to perform the control effectively. [4793.1]

An operating deficiency also includes the failure to implement a control that has been properly designed.

We analyze and evaluate all exceptions discovered in testing internal control over financial reporting to determine whether they represent deficiencies. In making this determination, we consider several factors, including: [4793.3]
- How was the exception detected? Detection by another control may be a sign of an effective detective control, while detection through management or our testing may be indicative of a deficiency.
- Is the exception confined to a single location, process, or application, or is it pervasive in the organization?
- How significant is the control deviation from stated policy? For example, was the control performed late but still before the preparation of the financial statements or was the control not performed at all?
- How often were exceptions detected in relation to how frequently the control is performed?

We also determine the effect of the exception on the nature and extent of additional testing that may be appropriate or necessary and on the operating effectiveness of the control being tested. A conclusion that an identified exception does not represent a control deficiency is appropriate only if evidence beyond what was initially planned and beyond inquiry supports that conclusion. [4793.4]

If the results of our tests of control show that the internal controls are not designed and operating effectively, we assess control risk in terms of controls being ineffective. [4793.2]

Our response to ineffective IT general controls is based on the facts and circumstances specific to each entity. The potential effect and our possible response to ineffective IT general controls are as follows: [4793.4.0.1]

Effect: The extent to which we may place reliance on specific controls to modify the nature, timing, and extent of the substantive procedures that we intend to perform

Audit response: Performing additional audit procedures that would enable us to continue to rely on the application control and/or evaluating the design and implementation, and testing the operating effectiveness of other controls designed to achieve the same control objective. [4793.4.0.2] For example, if we intend to rely on an application control consisting of a three-way match, but conclude that program change controls specific to this application control are ineffective because application developers had unrestricted access to migrate changes into the live environment, we may perform additional audit procedures that would enable us to continue to rely on the application control. We may be able to determine that:
- no changes were made to the application
- the only people that made changes to the application were authorized and the changes were appropriate.

We may also test the application control at more than one point during the audit. The number of tests of the application control depends, amongst others, on the nature and frequency of the control, the frequency of changes to the application, the assessment of inherent risk, and especially fraud risk. The number of tests is likely to be less frequent than a recurring manual control. [4775.3.1]

Effect: Our assessment of control risk and therefore RoSM

Audit response: Increasing our assessment of control risk and therefore RoSM thereby modifying the nature, timing, and extent of our substantive procedures. [4793.4.0.2]

The engagement team ordinarily works closely with IRM specialists in responding to ineffective IT general controls. [4793.4.0.2]

Material weaknesses in internal control are control deficiencies that could have a material effect on the financial statements. [9171]

Our responsibility to communicate weaknesses in internal control applies equally to an SE or VSE engagement, even when:
- we believe the owner-manager may already be informed about such matters,
- we are not sure if weaknesses in internal control, particularly those related to limited segregation of duties, can be addressed in a cost beneficial manner.

It is only by communicating identified weaknesses that we can be certain that management and those charged with governance have been informed of the problem.

4.6. Substantive Approach


A "substantive approach" for certain audit objectives may be applied when we have obtained an understanding of entity level controls and all of the following criteria are met: [4006]
- the audit objective does not include relevant assertions associated with a significant risk (i.e., significant inherent risk of error or a fraud risk)
- it is possible and practical to obtain sufficient appropriate audit evidence only from substantive audit procedures in order to reduce audit risk to an acceptably low level, and
- it is not more efficient to test the operating effectiveness of controls.

In a substantive approach, we document our understanding of the accounting activities relevant to the significant accounts that the audit objective addresses, and then make our RoSM assessment. If we do not evaluate the design and implementation of controls for a particular audit objective, the assessment of RoSM is based on the assessment of inherent risk. For audit objectives for which we are adopting a substantive approach, the Audit Program has fewer sections: one section to document the accounting activities (which varies depending on whether the audit objective addresses one or more classes of transactions, an account balance derived from an estimate, an "other" account balance, or a disclosure), one section to document our RoSM assessment, and the final section to document our substantive procedures for that audit objective. We assess whether to adopt a substantive approach for individual audit objectives, not for the whole audit. We cannot adopt a substantive approach for audit objectives associated with a significant risk.

4.7. Financial Reporting


We obtain an understanding of the financial reporting process used to prepare the entity's financial statements, including significant accounting estimates and disclosures. [4801] Preparation of the entity's financial statements includes procedures that are designed to ensure information required to be disclosed by the applicable financial reporting framework is accumulated, recorded, processed, summarized, and appropriately reported in the financial statements. [4802]

An entity's financial reporting process also includes the use of nonstandard journal entries to record nonrecurring, unusual entries or adjustments. Examples of such entries include consolidating adjustments and entries for a business combination or disposal or nonrecurring estimates such as an asset impairment. [4803] In manual, paper-based general ledger systems, nonstandard journal entries may be identified through inspection of ledgers, journals, and supporting documentation. However, when automated procedures are used to maintain the general ledger and prepare financial statements, such entries may exist only in electronic form and may be more easily identified through the use of computer-assisted audit techniques (CAATs). [4803]

In addition, we understand how the incorrect processing of transactions is resolved, for example, whether there is an automated suspense file and how it is used by the entity to ensure that suspense items are cleared out on a timely basis, and how system overrides or bypasses to controls are processed and accounted for. [4804]

For each of the mandatory financial reporting audit objectives we: [4808]
- document the activities relevant to the audit for each financial reporting audit objective
- evaluate the design and implementation of selected controls and test their operating effectiveness when we plan to rely on the operating effectiveness of controls to modify the nature, timing, or extent of our substantive procedures, and
- perform substantive procedures to obtain audit evidence.

A smaller entity will often be less likely to have effective controls over the financial reporting process. Accordingly, we may take a substantive approach in completing the mandatory audit objectives listed below unless:
- a significant inherent risk of error or a fraud risk has been identified with respect to the audit objective
- it is more efficient to take a controls approach, or
- it is only possible to reduce audit risk to an acceptably low level by performing tests of controls.

Mandatory financial reporting audit objectives


1. Comparative information

To obtain sufficient appropriate audit evidence that comparative information is appropriately reported and the correct opening balances are processed and appropriately reported. [4808.2]

2. Presentation

To obtain sufficient appropriate audit evidence that the overall financial statement presentation, including preparation of financial statements and related footnote disclosures and other additional information are accumulated, processed, summarized, and presented fairly; this includes documentation which demonstrates that the financial statements agree or reconcile with the underlying accounting records. [4808.6]

3. Journal entries

To obtain sufficient appropriate audit evidence that the completeness, existence, and accuracy of journal entries, including standard and nonstandard journal entries and other adjustments are not significantly misstated. [4808.14]

4. Subsequent events

To obtain sufficient appropriate audit evidence that all material subsequent events have been accumulated, recorded, processed, summarized, and reported appropriately. [4808.21]

5. Adjustments

To obtain sufficient appropriate audit evidence that recurring and nonrecurring adjustments to consolidated financial statements, such as consolidating and eliminating entries, report combinations, classifications, and "top-side" journal entries, have been authorized and recorded appropriately. [4808.27] This audit objective may not be applicable if consolidated financial statements are not presented.

6. Cash flows

To obtain sufficient appropriate evidence that the cash flows have been accumulated, recorded, processed, summarized, and reported appropriately in the statement of cash flows. [4808.31] This audit objective may not be applicable if a cash flows statement is not required.

7. Equity

To obtain sufficient appropriate evidence that the movements in equity have been accumulated, recorded, processed, summarized, and reported appropriately in the statement of changes in equity. [4808.35]

"Top-side" entry is a term commonly used to describe journal entries or adjustments that are initiated by the parent company as part of the preparation of the financial statements for the group ("push-down" entries or adjustments) and relate to the subsidiary. Such entries may be recorded as consolidation or "post closing" entries, or the subsidiary may be instructed to record the entry in its general ledger or through its reporting package to the parent company. In general, these entries are usually initiated by management-level personnel and are not routine or associated with the normal processing of transactions. "Top-side" entries or adjustments may be initiated by the parent company or another subsidiary, which include in their results the results of the subsidiary that has been instructed to record the journal entry or adjustment. [9310] "Post closing" entry is a term commonly used to describe journal entries processed as part of preparation of the entity's financial statements, which are usually made after a reporting period has ended, but before the financial statements for the period have been filed. They may or may not be reflected in the entity's general ledger. For the purposes of our audit, these include entries that are made subsequent to the closing of the general ledger that the engagement team is auditing. [9198.2]

Appendix I to the Financial Reporting Audit Program contains mandatory substantive audit procedures in relation to the subsequent events audit objective.

4.8. Risk of Significant Misstatement (RoSM)


The risk of significant misstatement at the assertion level is the risk that an assertion relating to a significant account or disclosure could be materially misstated due to error. We assess the risk of significant misstatement for audit objectives by considering our separate assessments of inherent risk (made during Planning) and control risk (determined in Control Evaluation). The assessed level of risk of significant misstatement (high, moderate, or low) impacts the nature, timing, and extent of our substantive procedures and is a factor in determining sample sizes if KPMG Monetary Unit Sampling or the KPMG Sampling Plan is used. [9224]

If we do not evaluate the design and implementation of controls for a particular audit objective, the assessment of RoSM is based on the assessment of inherent risk. Our evaluation of entity level controls can also affect our assessment of RoSM for audit objectives. Where entity level controls are poor or ineffective, this may increase our assessment of RoSM. Effective entity level controls cannot reduce our assessment of RoSM. [4912.1]


When assessing RoSM, we also consider the nature, cause (if known), and amount of audit differences from the audit of the prior period's financial statements. [4920]

Normally, for low or moderate inherent risks, we will evaluate the design and implementation of controls only when we also intend to test the operating effectiveness so that we can obtain audit evidence that the controls are operating effectively and therefore we can modify the nature, timing, and extent of our substantive procedures. For low or moderate inherent risks, if we plan to obtain all the audit evidence from substantive procedures, then we would not need to evaluate the design and implementation of controls. For significant inherent risks, we have to evaluate the design and implementation of controls whether or not we plan to obtain audit evidence over the operating effectiveness of controls.

The following matrix indicates a suggested RoSM assessment, given our assessment of inherent risk and whether: [4935]
- controls are effectively designed and implemented and whether we obtained sufficient appropriate audit evidence that the control is operating effectively (column 1), or
- we have chosen not to test the operating effectiveness of the control (column 2), or
- controls are not effective. These controls may be either improperly designed or not implemented, or not operating effectively.

This matrix is not intended to be prescriptive. If we determine that a lower (or higher) RoSM than that suggested by the matrix is appropriate, we can make such a choice of RoSM provided this decision is appropriately justified and documented in the Audit Program. [4936]

Effective entity level controls support RoSM assessments suggested by the above RoSM matrix. However, deficiencies in entity level controls could undermine the effectiveness of some of the control activities and therefore may require us to amend upwards our assessment of RoSM for some or all audit objectives. [4937]

For example, if entity level controls are deficient, an RoSM assessment suggested by this matrix may be increased from low to moderate or from moderate to high, requiring further audit procedures to obtain more persuasive audit evidence than would have been necessary if we did not have deficiencies in entity level controls.

In performing substantive procedures, we may detect misstatements in amounts or frequency greater than is consistent with our control risk assessment. In circumstances where we obtain audit evidence from performing further audit procedures that tends to contradict our control risk assessment on which we originally based the RoSM assessment, we revise the control risk assessment and modify the nature, timing, or extent of further planned audit procedures accordingly. [4945] For example, the extent of misstatements that we detect by performing substantive procedures may alter our judgment about the control risk assessment and may indicate a material weakness in internal control. In addition, analytical procedures performed at the overall review stage of the audit may indicate a previously unrecognized RoSM.

If, as a result of the substantive procedures performed, we determine that the RoSM assessment is to be revised upward, we:
- revise our RoSM assessment upward to reflect a different assessment of inherent risks subsequent to completion of the Planning Document, and
- determine whether the revised RoSM assessment is a significant change, which is documented in the Completion Document.

The previously documented assessment is retained, and a revised RoSM assessment, as well as the rationale for the revised RoSM assessment, is documented in the Audit Program.

Chapter 5 - Substantive Testing


The objective of Substantive Testing is to perform substantive audit procedures to respond to our assessment of the risk of significant misstatement for each audit objective. [5002] Substantive Testing is described in the following chart: [5004]

5.1. Risk of Significant Misstatement



During Control Evaluation, we evaluated the impact of controls on our planned audit approach, confirmed whether we are adopting a controls or a substantive approach for each audit objective, and assessed the risk of significant misstatement based on the results of our Control Evaluation procedures. [5003] We plan and perform substantive procedures to be responsive to our assessment of the risk of significant misstatement (RoSM). [5103] Substantive procedures are performed in order to detect significant misstatements at the assertion level and include substantive analytical procedures and tests of details of classes of transactions, account balances, and disclosures. [3790.4] For audit objectives that are associated with an assertion level fraud risk or for which we have assessed RoSM as high, our substantive procedures include tests of details, or a combination of tests of details and substantive analytical procedures, that are specifically responsive to the assessed risks. Substantive analytical procedures alone do not provide sufficient appropriate audit evidence for such audit objectives. [5107]

We plan our substantive procedures, based on our RoSM assessment, using the following guidelines: RoSM Assessment 1 Approach/Assessment Substantive analytical procedures only may be appropriate 2 Tests of details required 2 Low X Moderate X High

1 Refer to the RoSM Matrix in the Control Evaluation chapter for guidance on how each of the risk of significant misstatement assessments is arrived at.
2 It may be necessary to perform a combination of substantive analytical procedures and tests of details to obtain sufficient appropriate audit evidence. We consider the sufficiency and appropriateness of the audit evidence we plan to obtain from substantive analytical procedures, in the context of our assessment of the risk of significant misstatement, before deciding whether it is appropriate to perform tests of details. [5402.1]

5.2. Substantive Procedures


Regardless of the assessed levels of risk of significant misstatement, we perform substantive procedures including substantive analytical procedures, tests of details, or both for all relevant assertions. [5119]

5.3. Nature, Timing, and Extent of Substantive Procedures


When deciding on the nature, timing, and extent of substantive audit procedures, we consider the following: [5013]
- the characteristics of a particular class of transactions; for example, the volume of transactions in the reporting period, the nature and magnitude of the account balance or disclosure, and the assertions covered by the audit objective
- risks identified during Planning
- the risk of significant misstatement
- the nature of specific controls (manual or automated) and whether we expect to obtain audit evidence on operating effectiveness of those controls, and
- whether there is a risk of fraud.

We consider whether we have sufficient appropriate audit evidence for all relevant assertions. [5014] For example, we may obtain audit evidence for the completeness of sales and receivables principally through tests of controls and substantive analytical procedures and obtain audit evidence about the existence and occurrence, and accuracy of sales and receivables by performing substantive procedures, such as a confirmation of balances or tests on subsequent cash receipts.

5.3.1 Nature
The nature of substantive audit procedures refers to either substantive analytical procedures or tests of details. [5121] We exercise judgment in selecting the appropriate combination of substantive procedures in response to the risk of significant misstatement. Substantive analytical procedures may or may not provide us with all the audit evidence necessary to respond to the risk of significant misstatement assessment for an audit objective. Tests of details may also be required. [5133.9.6] The nature of substantive procedures is illustrated below:

5.3.2 Timing
The timing of substantive audit procedures refers to when audit procedures are performed or the period or date to which the audit evidence applies. [5135]

Timing: Period-end
Consideration: The higher the risk of significant misstatement, the more likely it is that we decide it is more effective to perform substantive procedures nearer to, or at, the period-end rather than at an earlier date, or to perform audit procedures unannounced or at unpredictable times. [5138] Certain substantive procedures can be or may be performed only at or after period-end. [5141] For example, agreeing or reconciling the financial statements with the accounting records and examining adjustments made during the course of preparing the financial statements.

Timing: Prior to period-end
Consideration: When substantive procedures are performed at an interim date, the risk that misstatements may exist at the period-end and are not detected increases. This risk increases as the remaining period is lengthened. [5150] If we perform substantive procedures prior to period-end, we consider the additional audit evidence required for the remaining period. [5151]

5.3.3 Extent
The extent of an audit procedure includes the quantity of a specific audit procedure to be performed. [5160] For example, a sample size for a test of details or the number of observations of a control activity. We increase the extent of our audit procedures if we assess the risk of significant misstatement at a higher level. [5162] The use of CAATs may enable more extensive testing of electronic transactions and account files. Such techniques can be used to select sample transactions from key electronic files, to sort transactions with specific characteristics, or to test an entire population instead of a sample. [5163.1]

5.4. Substantive Analytical Procedures


Substantive analytical procedures consist of the evaluation of financial information through a study of plausible relationships among both financial and nonfinancial data. They also encompass the investigation of identified fluctuations and relationships that are seemingly inconsistent with other relevant information or deviate significantly from predicted amounts. [5300.1]

When designing substantive analytical procedures, we assess whether an expectation can be developed with sufficient precision to identify a significant misstatement at the desired level of assurance. Factors impacting the precision of a substantive analytical procedure include:
- nature of the account and its predictability
- the degree to which information can be disaggregated
- availability and reliability of the data, both financial and nonfinancial
- nature and relevance of the information
- the type of procedure used.

We use our judgment to consider whether the precision of the procedure is appropriate given the desired level of audit evidence. [9199]

Substantive analytical procedures are appropriate when: [5124]
- data can be disaggregated and tested to an appropriate level where persuasive audit evidence can be obtained
- procedures are performed on large volumes of transactions that tend to be predictable over time
- plausible relationships exist that are sufficiently stable and predictive for us to achieve the required precision when forming our expectation
- an expectation can be developed with sufficient precision to identify a significant misstatement at the desired level of assurance, and
- prior period knowledge indicates that such analysis can be effective.

When performing substantive analytical procedures, we: [5300.2]

Procedure: Determine audit objectives and significant account balance(s)/disclosure(s) and consider whether planned substantive analytical procedures will provide the desired level of assurance
Considerations: Effectively designed substantive analytical procedures may provide audit evidence as to the following assertions related to significant accounts and disclosures: C, E, A, V. Prior to designing or performing substantive analytical procedures, we consider the suitability of using substantive analytical procedures given the assertion and the desired level of assurance. In determining the suitability of substantive analytical procedures, we consider: [5303]
- the nature of the account or disclosure
- the assessment of the risk of significant misstatement (RoSM)
- the risk of management override, and
- whether an expectation can be developed with sufficient precision to identify a material misstatement at the desired level of assurance.

Procedure: Consider factors impacting precision
Considerations: When designing substantive analytical procedures to respond to RoSM assessment associated with an audit objective, we assess whether an expectation can be developed with sufficient precision to identify a significant misstatement at the desired level of assurance. Factors impacting the precision of a substantive analytical procedure include: [5318]
- the predictability of relationships between data
- the degree to which information can be disaggregated
- the availability and reliability of data and information, both financial and nonfinancial
- the type of procedure used.

The amount of audit evidence derived from a substantive analytical procedure varies with its precision. Generally, the more precise the procedure, the more persuasive the audit evidence obtained. [5319]

Procedure: Identify key factors and key relationships impacting an account/disclosure and set expectation(s)
Considerations: We develop expectations based on our understanding of the key factors and key relationships that impact an account balance or disclosure. [5322] Key factors are often the common drivers of a number of the relationships in the financial statements and are frequently the same factors that management may consider in preparing budgets, forecasts, or financial reports. These factors may be either financial or nonfinancial. [5323] Key relationships usually tie the key factors to account balances or disclosures within the financial statements or represent interrelationships between financial statement captions. [5324] For example, the number of employees is the key factor and the average salary per employee the key relationship underlying an entity's annual salary expense. When information produced by the entity is used in setting the expectation, we obtain audit evidence about the accuracy and completeness of that information. This may be obtained by either evaluating the design and operating effectiveness of controls over the production and maintenance of both financial and nonfinancial information used in the substantive analytical procedure, or by performing other procedures to support the completeness and accuracy of the underlying information. [5328] When considering management information such as budgets or forecasts in developing our expectation(s), we obtain an understanding of the process used by management in producing these budgets/forecasts. [5329] Where our expectation(s) is developed based on the results of inquiries of management, we corroborate this information prior to relying on the results of substantive analytical procedures. [5330]

Procedure: Set acceptable difference
Considerations: We design each substantive analytical procedure so that its precision results in an acceptable difference of not more than the significant misstatement threshold. [5336] We consider using an acceptable difference that is lower than the significant misstatement threshold when we have a moderate or high level of risk of significant misstatement. [5337] We use our judgment to adjust the precision of the substantive analytical procedure such that the acceptable difference is a reasonable percentage of the total balance that is subject to the substantive analytical procedure. [5338] For example, where the balance of the significant account is only just above the significant misstatement threshold we may use our judgment and set an acceptable difference lower than the significant misstatement threshold.

Procedure: Compare recorded amount with expectation
Considerations: We evaluate the results of the substantive analytical procedure by comparing the entity's recorded amount to our expectation. When the entity's recorded amount falls within the acceptable difference around our expectation, the procedure is complete and we have obtained the audit evidence we planned to obtain from the procedure. [5342.1]

Procedure: Investigate difference that falls outside range of acceptable difference
Considerations: When the entity's recorded amount falls outside the range of acceptable difference around our expectation, we investigate the reason for the difference. [5342.2] The investigation of a difference that falls outside the range of acceptable difference around our expectation ordinarily consists of the following:
- inquiries of management
- corroborating management's explanation, and
- where appropriate, redesign the substantive analytical procedure to take into account additional information. [5343.1]

Where investigation of the difference identifies that all or a portion of the difference is due to client error and we can quantify this error, we include the error on the Summary of Audit Differences, where this equals or exceeds the audit difference posting threshold. Where management provides a reasonable and valid explanation for any difference remaining after identification of an error, we corroborate management's explanation and where appropriate, redesign the substantive analytical procedure to take into account this additional information. [5344.1] Where management is unable to provide a reasonable and valid explanation for all or a portion of the difference or management's explanation cannot be corroborated, we reconsider our audit approach as we have not been able to obtain the audit evidence we planned from the substantive analytical procedure. [5344.2]

Revise expectation and acceptable difference, if appropriate, and compare revised expectation with recorded amount

Where reasonable and valid explanations have been provided by management as to why the recorded amount falls outside the range of acceptable difference and we have been able to corroborate the explanation, we consider revising our expectation and acceptable difference, where appropriate, to take into consideration the additional information provided by management. [5345.1]

We document the performance of substantive analytical procedures and our conclusion in the Substantive Analytical Procedure Template or in the working papers. [5353.1/5354] Example substantive analytical procedures as well as example completed Substantive Analytical Procedures Templates and spreadsheets supporting the completed templates for interest expense, depreciation expense, and payroll expense are available on ARO and can also be accessed from the Global Assurance Practice Page.

Substantive analytical procedures - fraud


Substantive analytical procedures alone do not provide sufficient appropriate audit evidence where a risk of management override of controls has been identified. Where a risk of management override exists, management may have allowed adjustments outside the normal period-end financial reporting process to have been made to the financial statements. Such adjustments might have resulted in artificial changes to the financial statement relationships being analyzed, causing us to draw erroneous conclusions. For this reason, substantive analytical procedures alone are not well suited to detecting fraud, and we perform tests of journal entries. The tests of journal entries are documented in the audit objectives 3 and 5 of the Financial Reporting Audit Program. [5313]

Possible fraud indicators and circumstances:

Possible fraud indicator: Difference is higher than the acceptable difference
Circumstances: Where a significant account balance is inherently predictable and we are able to develop a precise expectation, therefore our acceptable difference is small, regardless of the assessed RoSM, a difference higher than the acceptable difference may be indicative of fraud or error and require further investigation. [5340]

Possible fraud indicator: Management is unable to provide a reasonable and valid explanation for the difference or management's explanation cannot be corroborated
Circumstances: Where management is unable to provide a reasonable and valid explanation for all or a portion of the difference or management's explanation cannot be corroborated, we reconsider our audit approach as we have not been able to obtain the audit evidence we planned from the substantive analytical procedure. This situation may be indicative of fraud and require further investigation and additional procedures. [5344.2]

5.5. Tests of Details


Tests of details are the application of one or more various techniques, such as inspection of records or documents, inspection of tangible assets, inquiry, observation, confirmation, recalculation, or reperformance to individual items or transactions that constitute a class of transaction, account balance derived from an estimate, other account balance, or disclosure. [5010]

When performing tests of details, we: [5404.1]

Define the population

When defining the population, we consider the following: [5407]

- we do not sample from a population to conclude on the completeness of that population, because omitted items have no chance of selection
- we define the population appropriate for the objective of the substantive sampling procedure, which will include consideration of the direction of the testing
  For example, if the objective is to test the completeness of accounts payable, the population is not the accounts payable listing but rather subsequent disbursements, unpaid invoices, suppliers' statements, unmatched receiving reports, or other populations that provide audit evidence of the completeness of accounts payable listing. Therefore, we select our sample from the source documents in order to test the completeness of the accounts payable listing.
- we may be able to advance the effectiveness of our audit procedures by subdividing and/or stratifying the population and performing different tests for each subdivision
  For example, inventory may include both purchased and manufactured items. It may be difficult to audit the cost of manufactured items without examining each component (material, labor, and overhead) separately, while we may audit purchased items by reference to a single unit price.
- the period covered is important for tests of details applied to classes of transactions. Our conclusion does not relate to the entire period unless the items for the test of details are selected from a population that covers the entire period.

Define what constitutes an audit difference requiring investigation and follow-up

We define what constitutes a difference requiring investigation and follow-up. Typical reasons for differences are: [5409]

- differences in timing of the recording of transactions
  For example, items included in the wrong period.
- differences in classification
  For example, maintenance expense coded to an asset account.
- differences in amounts for data captured or processed.
  For example, transposed digits or other numerical errors.

Choose selection methods for testing

When performing tests of details, we may choose to: [5011]

- test the entire population
- select items with specific characteristics for testing
- select a sample by using KPMG Monetary Unit Sampling (MUS), the KPMG Sampling Plan, or other substantive sampling techniques with the involvement of a KPMG sampling specialist.

Methods of selection

Entire population

Examples of when it may be appropriate to apply this method of selection:

For example, it may be appropriate to test everything when the population consists of a small number of large value items, when the risk of significant misstatement is high, and when other means do not provide sufficient appropriate audit evidence.

For example, it may also be appropriate to test everything when the repetitive nature of a calculation or other process performed automatically by an information system makes it cost effective, for example, through the use of CAATs.

Specific item testing

Examples of when it may be appropriate to apply this method of selection:

For example, identifying items that meet certain criteria, such as amounts that are greater than the significant misstatement threshold, inventory items that have not moved for more than six months, or accounts receivable that are older than three months.

For example, we may select items that are suspicious, unusual, risk prone, or that have a history of being misstated, for example foreign currency transactions.

Considerations:

Selecting specific items is likely to be more effective when any of the following are true: [5415]

- we assess the risk of significant misstatement as low and we already have audit evidence from substantive analytical procedures for the population being tested
- the population contains a small number of individually significant items
- the population mainly contains nonroutine transactions or accounting estimates
- we identified a risk of fraud and we apply our audit procedures to items with specific characteristics.

When we select key items for testing, we still need to obtain sufficient appropriate audit evidence relevant to the remaining population when that remaining population is considered significant. We use judgment to determine whether the remaining population is considered significant. [5425]

To select specific items, we may use scanning. Scanning includes searching for large or unusual items in the accounting records (for example, nonstandard journal entries), as well as in transaction data (for example, suspense accounts, adjusting journal entries) for indications of misstatements that have occurred. Since we test the items selected by scanning, we obtain audit evidence about those items. Our scanning also may provide some audit evidence about the items not selected since we have used professional judgment to determine that the items not selected are less likely to be misstated. [5421.2]

Substantive sampling

Examples of when it may be appropriate to apply this method of selection:

For example, if the population contains a large number of items, substantive sampling is likely to be more effective.

Considerations:

Substantive sampling is likely to be more effective when any of the following are true: [5415]

- we assess the risk of significant misstatement as high and have no audit evidence from substantive analytical procedures
- the population mainly contains routine transactions.

KPMG Substantive Sampling Techniques are appropriate: [5505]

- for audit objectives relevant to existence and occurrence, accuracy, valuation and obligations, and rights assertions
- when there are many items in the population
- when the expected difference in the population is less than the significant misstatement threshold.

When we perform tests of details using a specific items approach, our audit findings relate only to those specific items. If we identify audit differences in auditing the specific items, those audit differences are known audit differences and are not extrapolated to, or projected over, the entire population from which the specific items were selected. [5424]

The existence of differences in specific items selected for testing may be indicative of audit differences in the remainder of the population. We consider the characteristics of the audit difference identified and the characteristics of the remaining population when determining the nature, timing, and extent of any additional procedures to be performed on the remaining population. [5424]

In determining which selection method to use, we may determine that items in the population with certain characteristics have a higher risk of intentional misstatement due to fraud and thus, selecting specific items to test is likely to be more effective in addressing the fraud risk than selecting a representative sample.

An IRM specialist may assist the engagement team in planning and performing tests of details. These may include reperformance techniques such as CAATs or in-built report writing tools. [5404]

For each relevant assertion associated with an assertion level fraud risk, we: [3743.1]

- evaluate the design and implementation of antifraud controls that are relevant to the identified fraud risk and consider the risk of management override of such controls
- test the operating effectiveness of selected assertion level controls when we plan to rely on the operating effectiveness of controls to modify the nature, timing, or extent of our substantive procedures, and
- perform substantive procedures including tests of details.

The use of the KPMG MUS or the KPMG Sampling Plan may not be the most effective approach when performing substantive tests of details to address the risk of fraud because misstatements due to fraud are ordinarily not distributed randomly throughout the population. Consequently, we usually perform substantive sampling techniques in combination with specific items testing. [5526.1]

5.6. Computer Assisted Audit Techniques


Using Computer Assisted Audit Techniques (CAATs) to perform audit procedures may enhance the audit process by facilitating faster and more extensive review and analysis of large data populations. CAATs provide the ability to analyze complete populations of data; to profile, extract, and summarize items based on specific characteristics; and to apply selected preprogrammed routines that can be used during Substantive Testing in the performance of: [5467]

- substantive analytical procedures
- tests of details of transactions and balances
- extracting data for audit testing, and/or
- reperforming calculations performed by the entity's accounting systems.

IDEA is a technology tool for applying CAATs to perform data analysis procedures. IDEA may be used to read, display, sample, and extract data from client data files. In addition to the standard functionality of the application, KPMG has developed preprogrammed routines based on commonly employed audit procedures. IDEA Smart Analyzer Routines have been developed for the areas of accounts receivable, inventory, journal entries, fixed assets, and accounts payable. KPMG Monetary Unit Sampling is also performed using the platform of IDEA. [5466]

Example routines that are available in Smart Analyzer are as follows:

| Area | Example routines |
| --- | --- |
| Accounts receivable routines | Aging by due date/invoice date; Debtors with total amount greater than credit limit; Debtors with net credit balances |
| Journal entry routines | Duplicate or missing journal entries; Out-of-balance journal entries; Journal entries by user |
| Inventory routines | Zero or negative unit cost; Negative quantity on hand; Last sales price lower than unit cost |
| Fixed assets routines | Recalculate straight line depreciation; Depreciation exceeding cost; Fixed assets duplicate field search |
| Accounts payable routines | Duplicate invoices or payments; Invoices without purchase order numbers; Creditors with net debit balances |

IDEA CAATs can help make an SE or VSE engagement more effective.
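The three journal entry checks named in the routine list above (duplicate or missing entries, out-of-balance entries, entries by user), written out in plain Python over constructed ledger lines. This is an added illustration, not IDEA Smart Analyzer code or a KPMG routine; the record layout, the definition of a duplicate (different entry numbers carrying identical account and amount lines), and all function names are assumptions.

```python
from collections import Counter, defaultdict
from decimal import Decimal

# Constructed sample data: (entry number, posting user, account, debit, credit).
SAMPLE_LINES = [
    (1001, "asmith", "6100", "500.00", "0.00"),
    (1001, "asmith", "2000", "0.00", "500.00"),
    (1002, "bjones", "6200", "1200.00", "0.00"),
    (1002, "bjones", "2000", "0.00", "1150.00"),    # debits exceed credits by 50.00
    (1004, "asmith", "6100", "75.10", "0.00"),      # entry 1003 never appears
    (1004, "asmith", "1000", "0.00", "75.10"),
    (1005, "cfo", "1200", "90000.00", "0.00"),
    (1005, "cfo", "4000", "0.00", "90000.00"),
    (1006, "cfo", "1200", "90000.00", "0.00"),      # same content as entry 1005
    (1006, "cfo", "4000", "0.00", "90000.00"),
]


def group_entries(lines):
    """Group ledger lines by entry number, parsing amounts as exact decimals."""
    entries = defaultdict(list)
    for entry_no, user, account, debit, credit in lines:
        entries[entry_no].append((user, account, Decimal(debit), Decimal(credit)))
    return dict(entries)


def out_of_balance(lines):
    """Return {entry number: debits minus credits} for entries that do not net to zero."""
    result = {}
    for entry_no, rows in group_entries(lines).items():
        difference = sum(r[2] for r in rows) - sum(r[3] for r in rows)
        if difference != 0:
            result[entry_no] = difference
    return result


def missing_entry_numbers(lines):
    """Return gaps in the entry number sequence between the lowest and highest number."""
    present = {line[0] for line in lines}
    if not present:
        return []
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def duplicate_entries(lines):
    """Return tuples of entry numbers whose account/debit/credit lines are identical."""
    by_content = defaultdict(list)
    for entry_no, rows in group_entries(lines).items():
        key = tuple(sorted((account, dr, cr) for _user, account, dr, cr in rows))
        by_content[key].append(entry_no)
    return sorted(tuple(sorted(nos)) for nos in by_content.values() if len(nos) > 1)


def entries_by_user(lines):
    """Count distinct journal entries per posting user."""
    pairs = {(entry_no, user) for entry_no, user, *_rest in lines}
    return Counter(user for _entry_no, user in pairs)


if __name__ == "__main__":
    print("Out of balance:", out_of_balance(SAMPLE_LINES))
    print("Missing numbers:", missing_entry_numbers(SAMPLE_LINES))
    print("Duplicates:", duplicate_entries(SAMPLE_LINES))
    print("By user:", dict(entries_by_user(SAMPLE_LINES)))
```

Each check returns the flagged items rather than a pass/fail result, so the output can be combined across criteria when choosing entries for further evaluation.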

5.7. Substantive Sampling Techniques


This section provides guidance on the planning, selection, and evaluation of procedures using Substantive Sampling Techniques when performing tests of details. [5502]


When we apply substantive sampling, we use one of the following KPMG substantive sampling techniques: [5521]

- KPMG Monetary Unit Sampling (KPMG MUS). KPMG MUS is a statistical sampling technique with a selection probability that is proportionate to the size of an item in the population and statistically projects audit differences discovered in sample items.
- KPMG Sampling Plan. The KPMG Sampling Plan is a nonstatistical sampling approach. We select samples using a haphazard method.

We may use other substantive sampling techniques with the involvement of a KPMG Sampling Specialist. [5521.1]

We consider the involvement of KPMG sampling specialists in the following circumstances: [5696]

- the engagement team plans to use MUS sample items for other than a substantive audit procedure
- substantive sampling is used for financial statement audits which require confidence levels that are different from those stated at KAM 5569
- engagement team plans to use MUS in selecting items from complex populations such as those involving multiple locations
- engagement team plans to use substantive sampling techniques other than those outlined in the KAM section titled, KPMG Substantive Sampling Techniques
- engagement team will use specific tolerable deviation rates, expected error rates, and/or confidence levels to be achieved with an attribute sample, or
- engagement team plans to use substantive sample in selecting items as a basis for forming a statistical conclusion expressed in a special report, attestation engagement other than a financial statement audit, or for performing and reporting on an agreed-upon procedures engagement.

The list of scenarios above is not meant to be exhaustive. The engagement partner uses judgment as to the knowledge and experience of the engagement team to consider whether involvement of a KPMG sampling specialist is appropriate. [5697]

The KPMG MUS Document and Test of Details Document, both available on ALex, have been updated to incorporate the revisions to KAM relating to consultation considerations involving KPMG sampling specialists.

The main features of the KPMG substantive sampling techniques are illustrated in the following table: [5522]

| | KPMG Monetary Unit Sampling (KPMG MUS) | KPMG Sampling Plan |
| --- | --- | --- |
| Type | Statistical | Nonstatistical |
| Attributes | Monetary attribute selection probability proportionate to the size of an item | Selection is haphazard and selection probability is not proportionate to the size of an item |
| Stratification of population | Stratification is inherent in the procedure | Stratification is necessary to reduce the sample size |
| Sample size | Sample size is smaller than the KPMG Sampling Plan. KPMG MUS does not have sample size limitations | Sample size is larger than the KPMG Monetary Unit Sampling technique. KPMG Sampling Plan for tests of details is usually only efficient and effective for sample sizes greater than 5 |
| Expandability of the sample size | Sample size may be expanded to increase the precision of the projected results | Sample size is increased when the most likely audit difference is larger than one-sixth (1/6) but not more than one-half (1/2) of the significant misstatement threshold |
| Significant items | The planned sampling interval indicates the monetary amount above which items are individually significant | The KPMG Sampling Plan indicates the monetary amount above which items are individually significant. This amount may be increased not to exceed the significant misstatement threshold |
| Item selection | Value weighted random selection of items | Haphazard selection of items |
| Enabling tool | KPMG Monetary Unit Sampling Routine in IDEA (plan, select, and evaluate) | KPMG Sampling Plan Excel template (plan and evaluate) |

KPMG MUS may be more effective and efficient than the KPMG Sampling Plan. KPMG MUS provides a smaller sample size and more robust results than the KPMG Sampling Plan. Also, if we plan to apply KPMG MUS, it is not necessary to identify individually significant items. The identification of such items is embedded in the process of selection of sample items. Manual identification of significant items when using the KPMG Sampling Plan requires care as it is susceptible to manual errors.
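Why identification of individually significant items is built into monetary unit selection can be seen in a generic fixed-interval implementation. The sketch below is an added illustration of textbook monetary unit sampling, not the KPMG MUS routine in IDEA; the population, the sampling interval of 5,000, the tainting-based projection, and the function names are assumptions.

```python
import random
from fractions import Fraction

# Constructed population: (item id, recorded amount in whole currency units).
POPULATION = [
    ("INV-01", 1200),
    ("INV-02", 300),
    ("INV-03", 15000),   # larger than the sampling interval used below
    ("INV-04", 800),
    ("INV-05", 2500),
    ("INV-06", 200),
]


def select_mus(population, interval, start=None, rng=None):
    """Select items by stepping through cumulative monetary units at a fixed interval.

    Every monetary unit is equally likely to be hit, so an item's chance of
    selection is proportionate to its recorded amount, and any item at least
    as large as the interval is always selected.
    """
    if interval <= 0:
        raise ValueError("interval must be positive")
    if start is None:
        start = (rng or random.Random()).randint(1, interval)
    if not 1 <= start <= interval:
        raise ValueError("start must lie within the first interval")

    selected = []
    next_hit = start
    cumulative = 0
    for item_id, amount in population:
        if amount <= 0:
            # Simplification of this example: zero and negative items are
            # expected to be removed and tested separately beforehand.
            raise ValueError(f"{item_id}: non-positive amount")
        cumulative += amount
        if next_hit <= cumulative:
            selected.append(item_id)
            # An item can contain several hits; it is still tested once.
            while next_hit <= cumulative:
                next_hit += interval
    return selected


def project_misstatement(sample_results, interval):
    """Project differences found in sampled items over the population.

    sample_results holds (recorded, audited) pairs. Items at or above the
    interval were examined in full, so their difference counts as found.
    For smaller items the tainting (difference / recorded amount) is
    applied to the whole interval the item represents.
    """
    total = Fraction(0)
    for recorded, audited in sample_results:
        difference = recorded - audited
        if recorded >= interval:
            total += difference
        else:
            total += Fraction(difference, recorded) * interval
    return total


if __name__ == "__main__":
    print(select_mus(POPULATION, 5000, rng=random.Random(2010)))
    print(project_misstatement([(1200, 900), (15000, 14800)], 5000))
```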

Use of the KPMG MUS or KPMG Sampling Plan may not be the most effective approach when performing substantive tests of details to address the risk of fraud because misstatements due to fraud are not ordinarily distributed randomly throughout the population. If the KPMG MUS or the KPMG Sampling Plan is used, it is usually performed in combination with specific items testing. [5526.1]

We use professional judgment to determine the appropriate criteria (e.g., specific days, number of entries by user, amount) to select journal entries for further evaluation. This process may include combining results for the different selection criteria in order to determine the journal entries to be tested. [5416.6.1]

The use of the KPMG substantive sampling techniques is illustrated in the following decision tree: [5525]


Substantive sampling alone is inappropriate for testing completeness. Other procedures, such as substantive analytical procedures, are performed to test for completeness. [5511]

Please refer to the KPMG Monetary Unit Sampling Routines User Guide - International and the KSP Practice Aide, which are available on ARO for specific guidance related to the use of these substantive sampling techniques.

KPMG Sampling Plan - sample size factors


If we have a population where many individual items are relatively large compared to the significant misstatement threshold, and a threshold of the significant misstatement threshold has been used for determining individually significant items, then it is possible that the sample size calculated may exceed the number of items in the population. This is because the KPMG Sampling Plan does not consider the number of items in a population. [5663.03] In this case, we establish the threshold for individually significant items at significant misstatement threshold divided by the sample size factor, which is referred to as the most efficient monetary amount in the KPMG Sampling Plan. [5663.03]

5.7.1 Anomalous audit differences


An anomalous audit difference is an extremely rare occurrence that arises from an isolated and nonrecurring event and therefore is not representative of the population. [5625.3.2], [5694.12] If we determine that an audit difference is an anomaly (i.e., the difference in the sample causes the sample to be unrepresentative of the population), we: [5625.3.2], [5694.12] plan and perform audit procedures to obtain additional audit evidence that provides a high degree of certainty that the audit difference does not affect the remainder of the population, exclude the anomalous audit difference from the projection, and consider whether to increase test work on the remainder of the population.

When using KPMG Monetary Unit Sampling we also recalculate the total upper precision limit and most likely audit difference. We do not project an anomalous audit difference to the sampled population. [5625.3.1], [5694.11]

The KPMG MUS Document and Test of Details Document, both available on ALex, have been updated to incorporate the revisions to KAM relating to anomalous audit differences.

5.7.2 Substantive attribute sampling


This section provides guidance on substantive attribute sampling techniques when testing attributes for tests of details. [5694.14] The main considerations when using attribute sampling are summarized in the table below:

| Appropriate | Inappropriate |
| --- | --- |
| Tests directed at underlying data (assumptions) | Tests directed at monetary values |
| Substantive testing | Tests of controls |
| Substantive sampling | Monetary values are assigned to each unit within the population subject to the test to allow for a MUS or KSP sample |

Substantive attribute sampling may be appropriate in those situations where nonfinancial data is used by management to calculate or derive a financial amount that is included in the financial information of an entity and the purpose of the test is to conclude on the existence and/or accuracy of the data (i.e., the attribute). [5694.14.2] Attribute data may be provided to an external expert or included in a model for developing an estimate. Often such situations arise where management develops estimates such as pension liabilities, claim reserves, and warranties, among others. [5694.14.2]

The following table illustrates the minimum sample sizes for substantive attribute sampling: [5694.18]

| Audit evidence obtained from substantive procedures other than sampling | Risk of significant misstatement: Low | Risk of significant misstatement: Moderate | Risk of significant misstatement: High |
| --- | --- | --- | --- |
| Little or None | 25 | 40 | 65 |
| Moderate | NA | 25 | 50 |
| Extensive | NA | NA | NA |

We may consider increasing the sample from the minimum sample size outlined above based on judgment considering the following factors: [5694.17]
- the results of audit procedures performed in previous periods relative to the attributes
- the sensitivity of the attribute to error, and
- the relationship of the attribute to the estimate or disclosure subject to testing.

We also consider the impact of an error for an attribute(s) subject to testing when designing our tests. We consult with a sampling specialist to assist in determining an appropriate sample size when an engagement team expects to achieve certain tolerable deviation rates, expected error rates, and/or confidence levels with an attribute sample. [5694.20]

The sample sizes included in the table above are based on expectation that no errors will be detected in the sample. Therefore, when no errors are discovered during testing, we conclude that the test objective is achieved. [5694.19]

If we find an error in our sample, we: [5694.19]
- investigate the nature and cause of the error, including the impact of such error(s) to the estimate or disclosure,
- discuss the error(s) discovered with management and, if applicable, others such as external experts and internal KPMG specialists, and
- depending on the nature and cause of the error(s) discovered, determine the nature and extent of additional audit procedures to perform.

When substantive attribute sampling is used in the audit examination of items, judgment may involve consideration of the relationship between the attribute being tested and the ultimate monetary errors in the financial statements, as well as the amount of monetary error that would lead to a material misstatement. The evaluation of the monetary impact may be difficult and require the client to perform further analysis of the data. [5694.16]

5.8. External Confirmations


We determine whether the use of external confirmations is necessary to obtain sufficient appropriate audit evidence at the assertion level. In making this determination, we should consider RoSM, and how the audit evidence from other planned audit procedures will reduce the RoSM to an acceptably low level. [5790.1]

When designing external confirmations, we consider the following: [5714]

The control we exercise over confirmation requests and responses

We maintain control over the confirmation procedures by: [5725]
- controlling the selection process
- sending out the confirmation requests ourselves (for example, direct drop at the post office); we do not use the client's mail service facilities
- ensuring that the requests are properly addressed
- requesting all replies to be sent directly back to us, and
- considering whether replies have come from the purported senders.

Control minimizes the possibility that the results will be biased because of the interception and alteration of confirmation requests or responses. [5724]

Any restrictions included in the response or imposed by management

When we seek to confirm certain balances or other information, and management requests us not to do so, we should consider whether there are valid grounds for such a request and obtain audit evidence to support the validity of management's requests. If we agree to management's request not to seek external confirmation regarding a particular matter, we should apply alternative audit procedures to obtain sufficient appropriate audit evidence regarding that matter. [5745]

When we consider the reasons provided by management, we apply an attitude of professional skepticism and consider whether: [5746]
- the request has any implications regarding management's integrity
- management's request may indicate the possible existence of fraud or error, and
- the alternative procedures will provide sufficient appropriate audit evidence regarding this matter.

The assertions being addressed

The assertion that is being addressed will determine the type of confirmation that is prepared. For example, if the engagement team is testing the completeness assertion with respect to a liability, then suppliers with zero or low balances may be selected and the confirmation designed for the suppliers to provide the outstanding balance. In this case, you are trying to determine if there are items missing from the liability account. We consider other audit procedures to complement confirmation procedures or to be used instead of confirmation procedures, for assertions not adequately addressed by confirmations. [5753]

The form of the request

A positive external confirmation requests the respondent to reply to the auditor in all cases, either by indicating agreement with the given information, or to fill in information. [5759] A response to a positive confirmation request is usually expected to provide reliable audit evidence. However, there is a risk that a respondent may reply to the confirmation request without verifying that the information is correct. We can reduce this risk by not stating the amount (or other information) on the confirmation request, but instead ask the respondent to fill in the amount or furnish other information. This may result in lower response rates, because additional effort is required of the respondents. [5760]

A negative external confirmation requests the respondent to reply only in the event of disagreement with the information provided in the request. [5764] However, if no response has been received, there will be no explicit audit evidence that intended third parties have received the requests and verified that the information is correct. Accordingly, negative confirmation requests usually provide less reliable audit evidence than positive confirmation requests, and we usually do not use them as a primary source of audit evidence. [5765]

Negative confirmation requests may reduce the risk of significant misstatement to an acceptable level when: [5767]
- the risk of significant misstatement is low
- we test a large number of small balances
- we do not expect a substantial number of errors, and/or
- there is no reason to believe that respondents will disregard the requests.

The nature of the information being confirmed

The type of information that we request may affect the response rate and nature of the evidence obtained as respondents may not always be able to confirm certain types of information. The balance of certain loans and leases may be difficult to confirm. Instead, the confirmation may be designed to confirm the original balance, monthly payment, term, etc. For suppliers or customers, it may be easier to confirm a single invoice rather than the entire amount outstanding.


We take appropriate follow-up action for nonresponding accounts; consider second and, sometimes, third requests (oral or written); and if appropriate, perform alternative audit procedures. [5727] For example, for receivables, compare to subsequent cash receipts, if they can be specifically identified to items outstanding at the confirmation date, and/or customer purchase orders and shipping documents.

We ordinarily confirm the following:
- bank balances, including: [5782]
  - bank balances (including those held by "licensed deposit takers" or similar financial institutions) at the period-end
  - the entity's "main" bank accounts and those accounts expected to have balances at period-end that are greater than the significant misstatement threshold
- guarantees and financial instruments (including derivatives) with banks with whom we confirm "main" bank accounts, to obtain audit evidence relevant to the appropriate disclosure and presentation of guarantees and financial instruments, and
  We may confirm other guarantees and financial instruments (including derivatives) with other third parties. [5784]
- trade receivables balances (including balances with related parties). [5791]
  We ordinarily also confirm the terms of the transaction and other key information, which may affect the accounting for the transaction. [5795] For example, rights of return, allowances and rebates, special agreements, payment terms, etc.

We also consider obtaining external confirmations for: [5708.1]
- loans from lenders
- related-party transactions
- terms of sales contracts (for revenue recognition)
- inventories held by third parties at bonded warehouses for processing or on consignment
- property title deeds held by lawyers for safe custody or as security
- investments purchased from stockbrokers but not delivered at the period-end date
- payables balances, and
- unusual or complex transactions.

Chapter 6 - Completion
The objective of Completion is to form an audit opinion. Before we form an audit opinion, the engagement team: [6001.2]
- performs and documents results of audit procedures performed during Completion
- evaluates on an overall basis the results of audit procedures performed and findings for audit objectives associated with significant risks, including the risk of fraud
- evaluates significant findings and issues resulting from the audit, actions taken to address them (including additional evidence obtained), and the basis for the conclusions reached. Significant findings and issues are matters that are important to the procedures performed, evidence obtained, or conclusions reached.
- evaluates independence and ethical issues, and
- forms an audit opinion after reviewing the financial statements and evaluating all audit findings.

Completion is described in the following chart:

6.1. Performing Completion Procedures


Before our auditor's report is issued, the engagement partner, through review of the audit documentation and discussion with the engagement team, should be satisfied that sufficient appropriate audit evidence has been obtained to support the conclusions reached and the auditor's report to be issued. [6030]

This is accomplished by performing the following procedures:
- evaluating audit evidence
- performing an overall review of the financial statements
- updating specific topic inquiries
- performing a final evaluation of audit results for specific topics and subsequent events, and
- obtaining management representations and considering any implications.

6.1.1 Evaluating Audit Evidence


Based on the audit procedures performed and the audit evidence obtained, we evaluate the following:
- whether the assessments of the risks of material misstatement at the assertion level (RoSM) remain appropriate
- whether sufficient appropriate audit evidence has been obtained to reduce to an acceptably low level the risk of material misstatement in the financial statements.

In developing an opinion, we consider all relevant audit evidence, regardless of whether it appears to corroborate or to contradict the assertions in the financial statements. [6042]

Sufficiency is the measure of the quantity of audit evidence. The quantity of the audit evidence necessary is affected by the risk of misstatement and also by the quality of such audit evidence.

Appropriateness is the measure of the quality of evidence, that is, its relevance and reliability in providing support for, or detecting misstatements in, the classes of transactions, account balances derived from estimates, other account balances and disclosures, and related assertion.

Our judgment as to what constitutes sufficient appropriate audit evidence is influenced by such factors as the following: [6044]
- significance of the potential misstatement in the assertion and the likelihood of its having a material effect, individually or aggregated with other potential misstatements, on the financial statements
- effectiveness of management's responses and controls to address the risks
- experience gained during previous audits with respect to similar potential misstatements
- results of audit procedures performed, including whether such audit procedures identified specific instances of fraud or error
- source and reliability of the available information
- persuasiveness of the audit evidence, and/or
- understanding of the entity and its environment, including its internal control.

If we have not obtained sufficient appropriate audit evidence as to a material financial statement assertion, we should attempt to obtain further audit evidence. [6047] If we are unable to obtain sufficient appropriate audit evidence, we should express a qualified opinion or a disclaimer of opinion. [6048]

6.1.2 Overall Review of the Financial Statements


We perform audit procedures to evaluate whether the overall presentation of the financial statements, including the related disclosures, is in accordance with the applicable financial reporting framework. [6052] The results of our procedures may lead us to recommend changes in the financial statements, including presentation or disclosure, make additional inquiries, perform other procedures, or modify our opinion. [6058]

In forming an opinion as to whether the financial statements give a true and fair view or are presented fairly, in all material respects, in accordance with the applicable financial reporting framework, we evaluate whether the financial statements have been prepared and presented in accordance with the specific requirements of the applicable financial reporting framework for particular classes of transactions, account balances derived from estimates, other account balances, and disclosures. This evaluation includes considering whether, in the context of the applicable financial reporting framework: [6055.1]
- accounting policies selected and applied are consistent with the financial reporting framework and are appropriate in the circumstances
- accounting estimates made by management are reasonable in the circumstances
- information presented in the financial statements, including accounting policies, is relevant, reliable, comparable, and understandable, and
- the financial statements provide sufficient disclosures to enable users to understand the effect of material transactions and events on the information conveyed in the financial statements.

Such sufficient disclosures relate to the form, arrangement, and content of the financial statements and their appended notes, including, for example, the terminology used, the amount of detail given, the classification of items in the statements, and the bases of amounts set forth.

We prepare or review a reconciliation of amounts audited in the working papers to the amounts reported in the financial statements to provide a trail from the financial statements to the audit procedures performed. [6056]

We conduct our overall review of the financial statements in the context of our understanding of the entity's applicable financial reporting framework for accounting policies applied by the entity and within the industry. [6057]

In addition to our evaluation of the audit evidence for audit objectives, we perform the following procedures:

Final analytical procedures


We perform analytical procedures at or near the completion of the audit to: [6073]
- determine whether there are any previously unidentified risks of material misstatement, whether due to error or fraud
- identify any significant accounts or disclosures that were identified as nonsignificant during Planning, and
- supplement our overall review of the financial statements.

If we determine that an account or disclosure initially identified as nonsignificant during Planning is significant at period-end, we obtain sufficient appropriate audit evidence to support the significant account or disclosure. [6073.1]

The conclusions drawn from the results of such audit procedures are intended to corroborate conclusions formed during the audit of individual components or elements of the financial statements and assist in arriving at the overall conclusions as to the reasonableness of the financial statements. [6063]

Supplementary information and other information


Supplementary information is information that is presented together with the financial statements that is not required by the applicable financial reporting framework used to prepare the financial statements, normally presented in either supplementary schedules or as additional notes. [9260] We should be satisfied that any supplementary information presented together with the financial statements that is not covered by our opinion is clearly differentiated from the audited financial statements. [6078.1]

Other information is financial or nonfinancial information (other than the financial statements or the auditor's report thereon) included, either by law or custom, in a document containing audited financial statements. An example of such a document is the annual report. Unless required by statute or contractual obligation, we have no obligation to report specifically on other information included in an annual report or similar document. [9196]

We document the identification of supplementary or other information that is presented together with the audited financial statements or that is identified as other information by other jurisdictions as well as any significant matters arising from the reading of such information and other procedures required by some jurisdictions and the resolution of such matters in the Completion Document. [6077.0.1]

6.1.3 Specific Topic Inquiries


During Planning, we make inquiries of management, of those charged with governance, and of others within the entity as appropriate, regarding fraud and other specific topics. During Completion, we update these inquiries. The timing and extent of updated inquiries is determined by the engagement team based on the entity's specific circumstances. [7375]

For example, for a private entity audit, it may be appropriate to conduct inquiries during Planning with a brief update with some or all of the client interviewees shortly before the date of our audit report.

For example, for a public entity audit, it may be appropriate to conduct inquiries during Planning, conduct additional interviews during each interim review, and update some or all of the interviews shortly before the date of our audit report.

If as a result of our inquiries, we identify new financial statement level/assertion level risks relevant to specific topics, we document these risks and how we addressed them. [6123]

6.1.4 Final Evaluation of Audit Results for Specific Topics and Subsequent Events
During Completion, we perform audit procedures, in order to evaluate the results of procedures performed in the audit, including those related to specific topics, to fraud and to subsequent events, to determine if our previous assessments of our responses to risks related to such matters should be modified. [6125] This evaluation is primarily qualitative and based on our judgment. Such an evaluation may provide further insight about the risks of significant misstatement due to fraud, other Specific Topics and subsequent events, and whether there is a need to perform additional or different audit procedures. [6126]

Based on the audit procedures performed and the audit evidence obtained, we evaluate whether the assessments of the risk of significant misstatement at the assertion level remain appropriate. Such an evaluation may provide further insight about the risks of material misstatement due to fraud and whether there is a need to perform additional or different audit procedures. As part of this evaluation, we consider whether there has been appropriate communication with other engagement team members throughout the audit regarding information or conditions indicative of risk of material misstatement due to fraud. [7369.1]

When we confirm that, or are unable to conclude whether, the financial statements are materially misstated as a result of fraud, we should consider the implications for the audit. [7370] We perform sufficient procedures to confirm or dispel a suspicion that the financial statements are materially misstated due to fraud. If we are not able to dispel such suspicion, we consider the effect on our report and follow applicable local consultation protocols. [7371]

We specifically consider whether the following may be indicative of fraud and investigate and perform additional procedures as appropriate: [6006]
- conditions or information gained throughout the audit
- analytical procedures performed on period-end data
- corrected and uncorrected audit differences, as well as any omissions or other errors in presentation and disclosure summarized in the Summary of Audit Differences.

6.1.5 Management Representations


Management representations are statements management makes to us during the course of the audit concerning matters relating to the financial statements. They may be: [8171.1]
- oral or written
- formal or informal
- unsolicited or in response to specific inquiries.

We include audit evidence of management's representations in our working papers. [8172]

The engagement team needs to determine that the appropriate standard management representation letter template is used and that the template is appropriately customized to the entity's circumstances.

6.2. Audit Objectives Associated with Significant Risks


We document the audit objectives that include relevant assertions associated with significant risks of error and fraud risks in the Completion Document in order to support our overall evaluation. We use the information documented in the related working papers for these audit objectives. After providing a brief description of the audit objective and the assessed risk of significant misstatement, we provide a summary of our audit approach including the findings derived from our audit procedures and our conclusions. [6144]

Audit objectives associated with significant risks include all audit objectives where the inherent risk assessment for error is "significant" or where a risk of fraud has been identified for the audit objective. [6146]

The engagement partner and an engagement manager review audit documentation relating to audit objectives associated with significant risks. The extent of review of such audit documentation by the engagement partner and manager is a matter of professional judgment determined by the engagement partner. [6145]

We evaluate the audit evidence obtained and consider whether it is sufficient and appropriate to form our audit opinion. We consider relevant audit evidence regardless of whether it confirms or refutes assertions in the financial statements. [6149]

The engagement team ensures that all audit objectives that include relevant assertions associated with significant risks of error and fraud risks that are documented in the Planning Matrix are also included in the Completion Document.

6.3. Significant Findings and Issues


Significant findings or issues are substantive matters that are important to the procedures performed, evidence obtained, or conclusions reached. [9240] We document significant findings and issues; actions taken to address them, including additional evidence obtained; and the basis for the conclusions reached in connection with each audit engagement. [6152]

The engagement partner determines which findings and issues are significant to our audit. Such findings and issues are documented in the Completion Document. [6155] By summarizing the results of our audit work and conclusions for all significant findings and issues by topic rather than by audit objectives, we have an opportunity to identify trends and management bias that may be indicated by these findings and issues.

The engagement partner and an engagement manager review all audit documentation relating to significant findings and issues. [6154]

Significant findings and issues include, but are not limited to, the matters described below. [6153]

6.3.1 Significant Findings and Issues Identified During a Review of Interim Financial Information
We document significant findings and issues identified during the review of interim financial information and the effect on our audit approach in the annual audit. [6157]

6.3.2 Significant Matters Involving the Selection, Application, and Consistency of Accounting Principles, Including Related Disclosures
Significant matters involving the selection, application, and consistency of accounting principles, including related disclosures, include, but are not limited to, accounting for complex or unusual transactions, accounting estimates, and uncertainties as well as related management assumptions. [6160]

6.3.3 Disagreements within the Engagement Team and with Those Consulted
Where differences of opinion arise within the engagement team, with those consulted and, where applicable, between the engagement partner and the engagement quality control reviewer, the engagement team should follow the firm's policies and procedures for dealing with and resolving differences of opinion. [6286] If a difference of opinion is initially identified, but is later resolved to the satisfaction of all parties involved, such as through additional discussion, research, or consultation or through new or revised facts, it is not necessary to document the initially identified matter as a difference of opinion. However, it may be appropriate to document the conclusions reached on the matter elsewhere in the working papers. [6288.1] In the event of differences of opinion, we do not release the report until the matter is resolved and documented. [2811.1]

6.3.4 Significant Difficulties in Applying Audit Procedures


Difficulties in applying audit procedures may arise when: [6296]

- we receive an inadequate number of responses to our external confirmations and to our follow-up requests
- the reliability of the entity's IT systems is questionable
- the entity has limited documentation of internal controls over its financial reporting processes
- limited information is available to perform substantive tests on certain audit objectives, such as accounting estimates
- there are problems in obtaining timely information from the client, and/or
- access to client personnel is limited or client personnel are not cooperative in facilitating the audit process.

If we encounter significant difficulties in applying our audit procedures, we resolve the difficulties and document the rationale used to resolve those significant difficulties. In resolving such difficulties, we consider modifying our audit strategy and the planned audit procedures, which may include increasing our assessment of the risk of significant misstatement for certain audit objectives. [6297] If we are not able to overcome such difficulties by performing alternative audit procedures and we do not obtain sufficient appropriate audit evidence, we consider the impact on our audit report and modify the report accordingly. Further guidance on modifications to our report is included in the International Standards Report Manual. [6299]

6.3.5 Matters That Resulted in or Could Have Resulted in a Modification of Our Report
We document the significant matters that resulted in or could have resulted in the modification of our report in the Completion Document. We also document, if applicable, how we have resolved the matter(s) that could have resulted in a modification to our report, as well as the rationale for modifying or for not modifying our report. [6302]

Our report is considered to be modified in the following situations: [6302.1]

- matters that do not affect our audit opinion (unless local laws, regulations, and professional standards do not enable the auditor to modify the auditor's report)
  - unqualified opinion with an emphasis of matter paragraph (in some countries these matters are not considered as a modification of the auditor's report)
- matters that affect our audit opinion
  - qualified opinion
  - disclaimer of opinion, and
  - adverse opinion.

Guidance regarding modifications of our report is included in the International Standards Reports Manual, which can be found on ARO. [6302.2]

6.3.6 Consultation within KPMG and with Others Outside KPMG


During the audit, we may encounter situations that require consultation, both formal and informal, with other professionals within KPMG. [6304]

Consultation may include consultation within the KPMG member firm, with other KPMG member firms, or other KPMG resources. If the issue has not been satisfactorily resolved after consultation with all relevant KPMG resources, KPMG member firms may determine that it is necessary to consult with others outside of KPMG. Before any such consultation, member firms satisfy themselves that all KPMG resources have been consulted. The approval of an appropriate partner or their designees within the KPMG member firm, such as the risk management partner, the local professional practice partner, or the member firm's senior partner is obtained. A record of such consultation and approval is maintained. [6310.3]

The engagement partner should: [6305]

- be responsible for the engagement team undertaking appropriate consultation on difficult or contentious matters
- be satisfied that members of the engagement team have undertaken appropriate consultation during the course of the engagement, both within the engagement team and between the engagement team and others at the appropriate level within or outside the firm
- be satisfied that the nature and scope of, and conclusions resulting from, such consultations are documented and agreed with the party consulted, and
- determine that conclusions resulting from consultations have been implemented.

The engagement team documents consultations with other KPMG professionals that involve difficult or contentious matters to enable an understanding of: [6309]

- the issue on which consultation was sought; and
- the results of the consultation, including any decisions taken, the basis for those decisions, and how they were implemented.

We provide relevant documentation of the consultation to the professionals we have consulted and ask them to: [6310]

- indicate that they concur with the conclusions reached by the engagement team, and
- confirm that documentation includes a factual representation of the matters considered and the conclusions reached.


6.3.7 Discussion of Significant Findings and Issues (Including Significant Risks) with Management and Others
When we discuss significant findings or issues (including matters that give rise to significant risks) with management and others, we document on a timely basis the discussions in our working papers. [6313.5] Others with whom we may discuss significant findings or issues include those charged with governance, other personnel within the entity, and external parties, such as persons providing professional advice to the entity. [6313.6]

6.3.8 Contradictory or Inconsistent Information with Our Final Conclusion


If we have identified information that contradicts or is inconsistent with our final conclusion regarding a significant matter, we should document how we addressed the contradiction or inconsistency in forming the final conclusion. [6313.10] We do not retain documentation that is incorrect or superseded (except pursuant to the local firm's document retention policy). [6313.12]

6.3.9 Disagreements with Management


We document disagreements with management about matters that, individually or in the aggregate, could be significant to the entity's financial statements or our report. [6313.14]

6.4. Results of Audit Procedures


We document the results of audit procedures performed, including: [6162]

- a need for revisions, if any, to materiality for planning purposes
- significant modifications of audit strategy and planned audit procedures, including significant changes in the assessed level of the risk of significant misstatement for audit objectives
- material weaknesses and other deficiencies in internal control over financial reporting that had a significant effect on our audit approach, and
- the existence of material misstatements or omissions in the financial statements, including related disclosures, and other audit adjustments.

Materiality for planning purposes

Our determination of MPP often is based on estimates of the entity's financial results, because the actual financial results may not yet be known. Therefore, prior to evaluating the sufficiency and appropriateness of audit evidence and the effect of uncorrected misstatements on our audit, it may be necessary to revise MPP based on actual financial results. We would, however, expect MPP used in planning and performing our audit to be no greater than materiality used in evaluating the effect of misstatements on the financial statements. [3154]

Additionally, MPP is revised during the course of conducting the audit in the event we become aware of information that would have significantly modified MPP determined during planning. When such events cause a significant revision of MPP, we consider whether further audit procedures need to be performed in order to obtain sufficient appropriate audit evidence on which to base our opinion. [3152] [3153]

When a change in circumstances causes us to revise MPP downward from the amount determined during planning, we: [3177]

- revise downward the related SMT(s)
- determine whether further audit procedures need to be performed to obtain sufficient appropriate audit evidence, and
- revise the audit difference posting threshold accordingly, or document why it is not necessary to revise the audit difference posting threshold.

We document the revised MPP, SMT, and ADPT in the Completion Document.

Significant modifications of audit strategy and planned audit procedures

Significant modifications to our audit strategy may result from: [6179]

- unexpected events, changes in conditions, or audit evidence obtained during the course of the audit
- the identification of financial statement level risks that occurred after we determined our audit strategy during Planning
- the identification of significant accounts and disclosures that were initially identified as nonsignificant during Planning
- revisions to materiality for planning purposes
- changes in the timing of our audit procedures
- changes in responsibilities of engagement team members, including KPMG specialists, and/or
- changes in the involvement of others.

As a result of unexpected events, changes in conditions, or evidence obtained from our audit procedures, we may modify our audit plan and thereby the resulting planned nature, timing, and extent of further audit procedures. Information may come to our attention that differs significantly from the information available when we planned the audit procedures. [6183] For example, we may obtain audit evidence through the performance of substantive procedures that contradicts the audit evidence obtained with respect to the testing of the operating effectiveness of controls. In such circumstances, we reevaluate the planned audit procedures based on the revised consideration of assessed risks at the assertion level for all or some of the classes of transactions, account balances derived from estimates, other account balances, or disclosures. [6184]

Material weaknesses and other deficiencies in internal control over financial reporting

We analyze and evaluate all exceptions discovered in internal control over financial reporting to determine whether they represent deficiencies. [4793.3] A control deficiency may consist of either a design or an operating deficiency. A design deficiency exists when either a necessary control is missing or an existing control is not properly designed so that even when the control is operating as designed, the control objective is not always met. An operating deficiency exists when a properly designed control either is not operating as designed or the person performing the control does not possess the necessary authority or qualifications to perform the control effectively. [6189] Material weaknesses in internal control are control deficiencies that could have a material effect on the financial statements. [6191] When we identify deficiencies in internal control over financial reporting, we make a determination as to whether these control deficiencies, individually or in combination, represent material weaknesses. [6191.1]

We document the material weaknesses and other deficiencies in internal control over financial reporting that have a significant effect on our audit approach in the Completion Document. For each material weakness or other deficiency, we describe the deficiency, the related audit objective, and the effect on our audit approach. Additionally, we document the specific members of management and/or those charged with governance to whom the deficiency was communicated and the form of communication, whether in writing or orally. [6201]

Material misstatements or omissions in the financial statements

Misstatements in the financial statements can arise from error or fraud. The primary factor that distinguishes fraud from error is whether the underlying cause (action that results in the audit difference) is intentional or unintentional. [6204] Misstatements may include: [6204.2]

- unrecorded audit differences,
- audit differences corrected by the entity, or
- uncorrected and corrected omissions or other errors in financial statement presentation and disclosure.

An audit difference is an audit finding in which we do not agree with the amount or classification of items or totals in the income statement or balance sheet. [9029]

6.4.1 Materiality of Misstatements


We consider whether uncorrected audit differences are material, individually or in the aggregate, to the financial statements taken as a whole. [6212]

In evaluating the effect of uncorrected audit differences, we consider the following factors: [6215]

- the significance of an item to the financial statements of a particular entity, such as inventories to a manufacturing company
- the relative size of the misstatement compared with the financial statements taken as a whole and the factual context in which the user of the financial statements would view the financial statement item containing the misstatement
- the number of financial statement captions affected, such as whether the potential misstatement affects the amounts and presentation of many financial statement captions
- the likelihood that undetected misstatements, when considered with the aggregate uncorrected misstatements, could exceed materiality
- the nature and cause of each misstatement, including a consideration of whether the misstatement may indicate the possible existence of fraud
- whether the misstatements indicate a pattern. If a pattern appears to exist, we consider whether to apply audit procedures specifically to detect other similar differences.

In making materiality judgments, individually and in the aggregate, we consider: [6213]

- both quantitative and qualitative factors, and
- the results of our assessment of the risk of material misstatements due to fraud and error.

6.4.2 Methods Used in Evaluating Uncorrected Audit Differences


There are three general methods that have developed in practice that can be used to evaluate the effect of uncorrected audit differences. These three methods are the income statement method (also referred to as the "rollover method"), the balance sheet method (also referred to as the "iron curtain method"), and the dual method, which entails the quantification of uncorrected misstatements using both the income statement and balance sheet methods with adjustments required if either method results in an error that is material. [6223.1] We document the method used in evaluating uncorrected audit differences in the Summary of Audit Differences. [6223.2]

The income statement method (rollover method) considers the effect of uncorrected prior-period audit differences primarily from an income statement perspective. Under the income statement method, uncorrected audit differences are quantified as the amount by which the current period income statement is misstated after considering the reversing and correcting effects of uncorrected prior-period audit differences. Uncorrected audit differences are classified into two types: (1) those uncorrected audit differences that originated in a prior period and reverse or are corrected in the current period and (2) those uncorrected audit differences that originated in the current period. The effect of uncorrected prior-period audit differences that reverse or that are corrected by management in the current period is considered in evaluating the effect on the current period's operating results when determining whether the uncorrected audit differences materially misstate the current period's operating results. That is, the reversing or correcting impact of uncorrected prior-period audit differences adjusted in the current period is aggregated with uncorrected audit differences that originated in the current period. [6227]

The balance sheet method (iron curtain method) considers the effect of uncorrected prior-period audit differences primarily from a balance sheet perspective. Under the balance sheet method, uncorrected audit differences are quantified as the amount that would have to be recorded to correct the error in the period-end balance sheet. Uncorrected prior-period audit differences that reverse or are corrected by management in the current period are not considered in quantifying the amount by which the current period's financial statements are misstated. The aggregate uncorrected audit differences for the current period include uncorrected prior-period audit differences that either have not been corrected by management or have not reversed in the current period as well as uncorrected audit differences that originated in the current period. Again, the emphasis is from a balance sheet perspective; the uncorrected audit differences comprise those adjustments that would be required to properly reflect the balance sheet at period-end. [6229]

Under the dual method, the quantification of each individual uncorrected misstatement is evaluated under both the income statement ("rollover") and balance sheet ("iron curtain") methods. [6229.2] In most cases, the more significant misstatement identified, when assessed under the balance sheet and the income statement methods, requires a more detailed evaluation and consideration. However, in some instances, because of qualitative factors to be considered, the lesser of the two methods may be more important when evaluating materiality. [6229.3] Quantification under both methods is to be determined, and consideration given to relevant quantitative and qualitative factors in reaching a conclusion on the materiality of the misstatements. [6229.4] Once we have considered each individual error, we evaluate the effect of uncorrected errors in the aggregate. Under the dual method, we evaluate the total error using the balance sheet method ("iron curtain") and the total error using the income statement method ("rollover"), not by combining the "higher of" amount associated with each individual uncorrected misstatement. [6229.7]

Change in methods
We use a consistent method from period to period when evaluating uncorrected audit differences for all accounts and for all periods subject to our audit. [6231]

The following table summarizes the alternatives available when the engagement team is considering a change in methods of evaluating uncorrected audit differences. [6231.1, 6231.2, 6231.3]

| Method used in prior period | Current period proposed method: IS method | Current period proposed method: BS method | Current period proposed method: Dual method |
|---|---|---|---|
| Income statement (IS) method | | May use | May use |
| Balance sheet (BS) method | Not appropriate | | May use |
| Dual method | Not appropriate | Not appropriate | |

We consult the risk management partner when a change in methods for evaluating uncorrected audit differences is contemplated, and the change affects our conclusion on the materiality of audit differences. [6232] The method used may be predetermined by local auditing standards. Communication in the interoffice instructions of the method to be used facilitates consistent use of a single method by all participating offices in a multilocation engagement.

6.4.3 Consider the Fraud and Earnings Management Implications of Audit Differences
When we identify a misstatement, we should consider whether such a misstatement may be indicative of fraud, and if there is such an indication, we should consider the implications of the misstatement in relation to other aspects of the audit, particularly the reliability of management representations. [6236] If our audit findings indicate possible fraud, we also consider the potential effect, including whether the audit differences resulted from an attempt to manage earnings. [6241] Earnings management includes the recording of accounting entries, without any event to justify the accounting, to alter results if the perceived motivation is to conform to the user's expectations. Earnings management may also include the failure to record or correctly record transactions for that same purpose. [6242] We consider all corrected and uncorrected misstatements arising from the audit to determine if they occurred as a result of one or more control deficiencies. [6243.1]

6.4.4 The Summary of Audit Differences



We accumulate in the Summary of Audit Differences identified misstatements, including audit differences and omissions and other errors. We include all corrected and uncorrected audit differences when such misstatements are equal to or greater than the audit difference posting threshold. If an audit difference is qualitatively significant but is below the audit difference posting threshold, it is included in the Summary of Audit Differences. [6245]

These misstatements are reflected in the Summary of Audit Differences as follows: [6204.3]

- Schedule 1 - Summary of Uncorrected Audit Differences
- Schedule 2 - Summary of Corrected Audit Differences, and
- Schedule 3 - Summary of Omissions and Other Errors in Presentation and Disclosure.

We complete either Schedule 1A, Schedule 1B or Schedule 1C based on the method used in evaluating uncorrected audit differences as follows: [6247.1]

- Schedule 1A - Dual method
- Schedule 1B - Rollover (income statement) method
- Schedule 1C - Iron curtain (balance sheet) method.

6.4.5 Audit Differences and Audit Difference Posting Thresholds


The audit difference posting threshold (ADPT) is determined during Planning and documented in the Planning Document. When a change in circumstances causes us to revise MPP downward from the amount determined at planning, we revise the ADPT accordingly, or document why it is not necessary to revise the ADPT. We document the revised ADPT, or the rationale for not revising the ADPT when MPP is revised downward, in the Completion Document.

Audit differences detected below the audit difference posting threshold need not be summarized in the Summary of Audit Differences, and the relevant working paper is annotated to indicate that the difference is considered clearly trivial. However, we consider their qualitative aspects. The qualitative consideration of such clearly trivial audit differences is usually limited to a consideration of whether such audit differences:

- relate to a related party or transactions with a related party
- may indicate the possible existence of fraud, or
- individually or in the aggregate may be indicators of control deficiencies.

If an amount is considered qualitatively significant but is below the audit difference posting threshold, it is included in the Summary of Audit Differences as an audit difference.

6.4.6 Omissions or Other Errors in Financial Statement Presentation and Disclosure


An omission or other error is an audit finding in which we do not agree with the presentation or disclosure (or omission) of an item in the financial statements, including the related notes. [9189] Schedule 3 includes omissions or other errors in the notes to the financial statements and in the statement of shareholders' equity. Schedule 3 may also include other omissions and errors such as nonquantitative errors or omissions in the income statement, balance sheet, or statement of cash flows, such as erroneous descriptions. [6271.1] In an SE or VSE engagement, the engagement team often works closely with the entity in determining the presentation and disclosure in the financial statements. In such cases, all omissions and other errors in financial statement presentation and disclosure that have not been corrected and are not "de minimis" are included in Schedule 3. The engagement team uses its judgment as to whether corrected omissions and errors are also included on Schedule 3.


6.4.7 Consider How Management Deals with Misstatements


We discuss identified misstatements with management. We expect management to correct the financial statements for identified material misstatements, including known audit differences and most likely audit differences. [6275] Management may be reluctant to correct most likely audit differences, such as projected audit differences arising from the use of sampling methods. In such instances, we may consider obtaining additional audit evidence from further audit procedures to encourage management to correct those audit differences. [6276] If management refuses to adjust the financial statements and the results of extended audit procedures do not enable us to conclude that the aggregate of uncorrected misstatements is not material, we should consider the appropriate modification to our report in accordance with ISA 701, "Modifications to the Independent Auditor's Report." [6277] If after our discussions with management, there remain uncorrected audit differences on Schedule 1 or uncorrected omissions or other errors in presentation and disclosure on Schedule 3 of the Summary of Audit Differences, we document on such schedule(s) the member of management with whom we discussed such uncorrected items. [6279.1]

6.4.8 Communicating Misstatements


We communicate misstatements, whether or not they are recorded by the entity, that have, or could have, a significant effect on the entity's financial statements to the relevant persons who are charged with governance. This communication includes the misstatements as documented in Schedules 1, 2, and 3 of the Summary of Audit Differences. [6282] We may communicate Schedules 1, 2, and 3 as follows: [6282.0.1] provide a copy of the Schedules that are included in our working papers, provide a written summary of the information on the Schedules (e.g., aggregate numerous small audit differences), or orally communicate the substance of the information included on the schedules.

We document how the communication was accomplished.

6.4.9 Other Significant Findings and Issues


Other significant matters are those specific findings and issues that are considered significant to the audit that are not otherwise addressed above.

6.5. Independence and Ethical Issues


We initially address independence and ethical requirements during the client/engagement acceptance/continuance process. In the Completion Document, we document all independence and ethical issues that may have arisen in connection with the engagement and how such issues were resolved.

The engagement partner should form a conclusion on compliance with independence requirements that apply to the audit engagement. In doing so, the engagement partner should: [6315]

obtain relevant information from the firm and, where applicable, network firms to identify and evaluate circumstances and relationships that create threats to independence

evaluate information on identified breaches, if any, of the firm's independence policies and procedures to determine whether they create a threat to independence for the audit engagement

take appropriate action to eliminate such threats or reduce them to an acceptable level by applying safeguards. The engagement partner should promptly report to the firm any failure to resolve the matter for appropriate action, and

document conclusions on independence and any relevant discussions with the firm that support these conclusions.

The engagement partner should consider whether members of the engagement team have complied with ethical requirements. [6316]

6.5.1 Forming Our Audit Opinion


We evaluate the audit evidence obtained and consider whether it is sufficient and appropriate to form an audit opinion. We consider relevant audit evidence regardless of whether it confirms or refutes assertions in the financial statements. [6330] If we conclude that the audit evidence is sufficient and appropriate to form an opinion, we evaluate whether the financial statements are free of a material misstatement. [6331] The International Standards Reports Manual, available on ARO, contains guidance on reporting in conformity with, and example reports prepared in accordance with, International Standards on Auditing. [6335]

Chapter 7 - Specific Topics

The Specific Topics chapter of KAM, Chapter 7, has been rewritten consistent with the Audit Program for Specific Topics (Revised) (APST (Revised)) and the Specific Topics Inquiries Document (STID). The Specific Topics chapter of KAM should be read in conjunction with the Audit Program for Specific Topics (Revised) and the Specific Topics Inquiries Document. The chapter is designed to support and provide additional guidance on the procedures included in the Audit Program for Specific Topics (Revised) and the inquiries in the Specific Topics Inquiries Document to the extent that procedures are not already supported by Guidance Attachments that accompany the Audit Program for Specific Topics (Revised).

The following table indicates the applicability of the Audit Program for Specific Topics (Revised) (APST (Revised)) and the Specific Topics Inquiries Document (STID) for each audit workflow:


Chapter 8 - Engagements to Review Interim Financial Information of an Audit Client

This section provides guidance in relation to an existing audit client for which we conduct an audit of its financial statements and therefore have an understanding of the entity and its environment, including its internal control on which to base our review procedures. If we were recently appointed as the entity's auditor, and therefore have not audited the most recent annual financial statements, we apply additional procedures as described in the section titled, "KPMG was not the auditor of the most recent annual financial statements" in the Other Engagement chapter of KAM International. [8901.3.2]

If we are engaged to perform a review of interim financial information (by an entity to which we are the appointed independent auditor) we should perform the review in accordance with International Standards on Review Engagements (ISRE) 2410. [8902.1] If we are engaged to perform a review of interim financial information, and we are not the auditor of the entity, or if we are engaged to review other financial information, we perform the review in accordance with ISRE 2400, "Engagements to Review Financial Statements." [8903]

The objective of an engagement to review interim financial information is to enable us to express a conclusion whether, on the basis of the review, anything has come to our attention that causes us to believe that the interim financial information is not prepared, in all material respects, in accordance with an applicable financial reporting framework. This objective differs significantly from that of an audit conducted in accordance with International Standards on Auditing. A review of interim financial information does not provide a basis for expressing an opinion whether the interim financial information gives a true and fair view, or is presented fairly, in all material respects, in accordance with an applicable financial reporting framework. [8903.1] A review, in contrast to an audit, is not designed to obtain reasonable assurance that the interim financial information is free from material misstatement. A review may bring significant matters affecting the interim financial information to our attention, but it does not provide all of the audit evidence that would be required in an audit. [8905] The following Global Work Papers are applicable to an engagement to conduct a review of interim financial information in accordance with ISRE 2410: [8954.4] Interim Review Checklist, Interim Review Program, and Summary of Review Differences.

We make inquiries, primarily of persons responsible for financial and accounting matters, and perform analytical and other review procedures in order to reduce to a moderate level the risk of expressing an inappropriate conclusion when the interim financial information is materially misstated. [8905.1]

8.1 Obtain an Understanding of the Entity and Its Environment, Including Its Internal Control
When performing a review of interim financial information, we should have an understanding of the entity and its environment, including its internal control, as it relates to the preparation of both annual and interim financial information, sufficient to plan and conduct the engagement so as to be able to: [8929]

identify the types of potential material misstatement and consider the likelihood of their occurrence, and

select the inquiries, analytical, and other review procedures that will provide us with a basis for reporting whether anything has come to our attention that causes us to believe that the interim financial information is not prepared, in all material respects, in accordance with the applicable financial reporting framework.

When we have audited the entity's financial statements for one or more annual periods and have obtained an understanding of the entity and its environment, including its internal control, as it relates to the preparation of annual financial information, which is sufficient to conduct the audit, we: [8930]

update our understanding of the entity as discussed in the section titled "Understanding the entity" of the Planning chapter, and

obtain a sufficient understanding of internal control as it relates to the preparation of interim financial information, as it may differ from internal control as it relates to annual financial information.

The procedures we perform to update our understanding of the entity and its environment, including its internal control, are included in the Interim Review Program. [8930.1] Although we perform these procedures to update our understanding of internal control over the preparation of annual financial information and to obtain a sufficient understanding of internal control as it relates to the preparation of interim financial information, our review procedures may lead us to come across matters that cause us to conclude that there are deficiencies in the design or implementation of internal controls over financial reporting. These procedures may also lead us to conclude that deficiencies in internal control which were identified during the most recent audit are of continuing significance. We document such deficiencies in the Interim Review Program and consider whether communication with management and those charged with governance is appropriate. [8934]

8.2 Inquiries, Analytical Procedures, and Other Review Procedures


We should make inquiries, primarily of persons responsible for financial and accounting matters, and perform analytical and other review procedures to enable us to conclude whether, on the basis of the procedures performed, anything has come to our attention that causes us to believe that the interim financial information is not prepared, in all material respects, in accordance with the applicable financial reporting framework. [8936] The analytical procedures, inquiries, and other procedures that we perform are included in the Interim Review Program. [8930.1] Additional guidance regarding such procedures is included below.

| Procedures | Additional guidance regarding this procedure |
| --- | --- |
| Perform analytical procedures | We apply analytical procedures to interim financial information to identify and provide a basis for inquiry about the relationships and individual items that appear to be unusual and that may indicate a material misstatement. Analytical procedures may include ratio analysis and statistical techniques such as trend analysis and may be performed manually or with the use of computer-assisted techniques. [8939.0.2] |
| Make inquiries | Professional judgment is used to determine which members of management we need to direct our inquiries to and we also consider whether direct inquiries to other, nonmanagement members of the entity are necessary (e.g., production and internal audit personnel). [8938] |

A review ordinarily does not require tests of accounting records through inspection, observation, or confirmation procedures. Procedures for performing a review of interim financial information are ordinarily limited to making inquiries, primarily of persons responsible for financial and accounting matters, and applying analytical and other review procedures, rather than corroborating information obtained concerning significant accounting matters relating to the interim financial information. Our understanding of the entity and its environment, including its internal control, the results of the risk assessments relating to the preceding audit, and our consideration of materiality as it relates to the interim financial information, affects the nature and extent of the procedures applied. [8937]

8.3 Evaluate the Results of Our Review


| Results | Additional guidance regarding these results |
| --- | --- |
| Significant findings and issues | We document significant findings and issues and actions taken to address them in the Interim Review Program. [8950.1] Significant findings and issues are the same as for an annual audit. |
| Uncorrected misstatements | We should evaluate, individually and in the aggregate, whether uncorrected misstatements that have come to our attention are material to the interim financial information. [8951] We prepare a Summary of Review Differences in order to aggregate corrected and uncorrected misstatements and omissions or other errors in presentation or disclosure. [SRD] A misstatement that originates in the current interim period (including the year-to-date period) is to be evaluated relative to the materiality measure for that interim period (including the year-to-date period), while the total misstatement, inclusive of prior period effects, is evaluated relative to the materiality measure for the full fiscal year. [8953.1] |

We use the same method for evaluating uncorrected audit differences for the review of interim financial information as we use during the annual audit.

8.4 Other Considerations


We may decide to perform certain audit procedures relevant for the purpose of the audit of the annual financial statements concurrently with the review of interim financial information for convenience and efficiency. [8921] For example, information gained from reading the minutes of meetings of the board of directors in connection with the review of the interim financial information also may be used for the annual audit. Another example is performing audit procedures on significant or unusual transactions that occurred during the period, such as business combinations, restructurings, or significant revenue transactions. To the extent these interim review procedures are used or referenced in the period-end audit, we may retain the interim documentation in the interim review file and include a reference from the audit file to the interim review file. However, certain jurisdictions may require a separate set of work papers for each engagement. In these cases, relevant work papers would need to be copied and placed in both the interim review file and the period-end audit file. [8954.6]


8.5 Obtain Management Representation Letters


An example Management Representation Letter for Review of Interim Financial Information is available on ARO. [8957] We may obtain additional representations related to matters specific to the entity's business or industry. [8957]

8.6 Other Information That Accompanies the Interim Financial Information


We should read the other information that accompanies the interim financial information to consider whether any such information is materially inconsistent with the interim financial information. [8959] We consult with the risk management partner when we read other information in documents containing interim financial information and we:

identify a material inconsistency for which an amendment is necessary in the interim financial information or in the other information but the entity refuses to make the amendment. [8959.1]

conclude that there is a material misstatement of fact in the other information which management refuses to correct. [8961.1]

The terms of the engagement include management's agreement that where any document containing interim financial information indicates that such information has been reviewed by us, the review report will also be included in the document. If management has not included the review report in the document, we consult with the risk management partner and consider seeking legal advice to assist in determining the reasonable course of action in the circumstances. [8984]

8.7 Communication with Management and Those Charged with Governance


We should communicate relevant matters of governance interest arising from the review of interim financial information to those charged with governance. [8964.1] When, as a result of performing the review of interim financial information, a matter comes to our attention that causes us to believe that it is necessary to make a material adjustment to the interim financial information for it to be prepared, in all material respects, in accordance with the applicable financial reporting framework, we should communicate this matter as soon as practicable to the appropriate level of management. [8965] We communicate such matters to management and/or to those charged with governance, in writing. [8965.1] When, in our judgment, management does not respond appropriately within a reasonable period of time, we should inform those charged with governance. [8966] When, in our judgment, those charged with governance do not respond appropriately within a reasonable period of time, we should consider: [8968]

whether to modify the report, or

the possibility of withdrawing from the engagement, and

the possibility of resigning from the appointment to audit the annual financial statements.

Our communications of fraud or noncompliance are consistent with our communication during the annual audit.

8.8 Reporting
Chapter 41, "Reporting on Interim Financial Information" of the International Standards Reports Manual contains guidance on reporting in conformity with, and example reports prepared in accordance with, International Standards on Review Engagements. [8973]

Chapter 9 - Group Audits


A group audit is an audit of financial statements that include the financial information of more than one component or combined financial statements aggregating the financial information prepared by components that have no parent but are under common control. [9122.2], [9122.7] The chapter titled Audits of Group Financial Statements (group audits) in KAM provides policies and guidance related to performing group audits. In addition, the policies and guidance throughout KAM apply when we act as group auditor or when we are the component auditor. Auditors from non-KPMG member firms (i.e., non-KPMG component auditors or non-KPMG group engagement teams) are not subject to the policies and guidance in the group audits chapter. Non-KPMG component auditors should however be required to follow International Standards on Auditing as requested by the KPMG group engagement team, if applicable. [8510] Although written primarily for group audits, the guidance in the group audits chapter, adapted as necessary in the circumstances, also may be useful when we involve other KPMG locations or auditors from non-KPMG member firms in the audit of financial statements that are not group financial statements. [8504] For example, we may involve another auditor to observe the inventory count or inspect physical fixed assets at a remote location.

The Group Audit Instructions, available on ALex, contain additional guidance on preparing audit instructions for group audit engagements. [8511] The Financial Shared Services Centres Audit Workbook provides guidance on special considerations when we are engaged to perform a group audit and/or statutory audit engagement where all or some of the financial reporting activities of the group are centralized at an intra-group financial shared services centre. The Financial Shared Services Centres Audit Workbook is available on ALex. [8512] In addition to the policies, requirements and guidance set out in the group audits chapter in KAM, we comply with the policies, requirements and guidance set out in the Risk Management Manual - Global relevant to group audits, including those in Chapter 24 for multi-firm engagements. [8503.1] The following table indicates the applicability of Group Audit Global Work Papers for each audit workflow:


Appendix A - Audit Workbook Supplement 2009


Introduction and Contents
The 2009 Audit Workbook Supplement (Supplement) is intended to update the 2008 Audit Workbook and serves as a summary of the key updates that have been made to the KPMG Audit Manual (KAM) in July 2008 and April 2009. Some of the topics which are addressed in the Supplement are also covered in the 2008 Audit Workbook; and if so, the information in the Supplement is to be read in conjunction with such guidance. KAM explains that KPMG has policies relating to the way its audits are carried out, and that compliance with those policies is mandatory. In addition to policies, KAM contains bold type paragraphs and guidance in the form of explanatory and other material as to how policies and bold type paragraphs may be implemented. The bold type paragraphs describe basic principles and essential procedures in International Standards on Auditing (ISAs) issued by the International Auditing and Assurance Standards Board ("bold type paragraphs") and are to be understood and applied in the context of the KPMG audit policies and explanatory and other material that provide guidance for their application. KAM continues to be the primary source of KPMG policy and guidance related to the performance of a KPMG audit. [1005], [1005.1], [1011] Reporting guidance for engagements conducted in accordance with International Standards on Quality Control, Auditing, Assurance and Related Services issued by the International Auditing and Assurance Standards Board (International Standards) is included in the International Standards Reports Manual and is beyond the scope of KAM and the Supplement. The way in which KAM is applied to the circumstances of the particular audit is a matter of judgment for the engagement partner and the engagement team. This Supplement is intended to provide information relating to the interpretation of KAM.

Control Evaluation and Substantive Testing

| Section number | Section Title | Ref. to 2008 Audit Workbook | Superseded content / new content |
| --- | --- | --- | --- |
| 2.1 | Use of audit evidence obtained in prior periods regarding the operating effectiveness of controls | Control Evaluation 4.4 | Supersedes content in the section titled, "Using Audit Evidence Gained in Prior Periods" |
| 2.2 | Reliability of underlying data | Control Evaluation 4.4 | Supersedes content in the section titled, "Reliability of underlying data" |
| 2.3 | Substantive attribute sampling | N/A | New content |
| 2.4 | Substantive analytical procedures - set acceptable difference | Substantive Testing 5.4 | Supersedes content regarding setting the acceptable difference |
| 2.5 | KPMG Sampling Plan sample size factors | Substantive Testing 5.7 | New content |
| 2.6 | Anomalous audit differences | N/A | New content |
| 2.7 | Involvement of KPMG sampling specialists | Substantive Testing 5.7 | Supersedes content regarding involvement of a KPMG Sampling Specialist |

Other Key Updates

| Section number | Section Title | Ref. to 2008 Audit Workbook | Superseded content / new content |
| --- | --- | --- | --- |
| 3.1 | Criteria for use of LCE working papers | Engagement Management 2.4.2 | Supersedes content regarding LCE |
| 3.2 | Consideration of omitted documentation and other procedures identified after the date of auditor's report | N/A | New content |
| 3.3 | Concurrence from EQCR in relation to materiality | Planning 3.4.1 | Supersedes content regarding concurrence from the engagement quality control reviewer |
| 3.4 | Group audits | N/A | New content |
| 3.5 | Specific Topics | Specific Topics 7 | Supersedes all content in this section |