Becker CPA Review Auditing 3 Class Notes

AUDITING 3 CLASS NOTES

I.

AUDITING 3
Auditing 3 primarily deals with two key areas on the exam, planning (which includes consideration
of fraud/illegal acts) and risk assessment (which includes consideration of internal control).
A.

B.

PRE-ENGAGEMENT ACCEPTANCE ACTIVITIES

1.

You must be familiar with the specific procedures an auditor performs before
deciding to accept a client.

2.

You must separate these procedures from the procedures that are performed after
acceptance.

3.

Pre-acceptance activities:
Make inquiries of the predecessor auditor.

b.

Assess the auditablity of the client.

(1)

Evaluate management's integrity.

(2)

Consider the availability and adequacy of the client's accounting records.

(3)

Determine whether the audit firm is capable of performing the audit

(knowledge, staffing, etc.).

(4)

Consider whether an audit is the most appropriate form of engagement.

c.

Assess the client's business risk and the CPA's business risk.

d.

Evaluate compliance with ethical requirements (i.e., independence; quality

control procedures).

ESTABLISH AN UNDERSTANDING WITH THE CLIENT

1.

C.

a.

The auditor must establish an understanding with the client regarding the services to
be performed.
a.

Be aware of the general contents of the letter.

b.

An engagement letter is required in most circumstances.

PLANNING PHASE OF THE AUDIT

1.

The objective of this phase is to develop an overall strategy for the audit.

2.

The following are required during the planning stage of the audit:
a.

Obtain a sufficient understanding of the entity and its environment, including its
internal control.

b.

Obtain knowledge of the client's industry and business (tour facilities, review
financial history, etc.).

c.

Perform analytical procedures.

d.

Develop an overall audit strategy, and develop and document a written audit
plan.

e.

Consider materiality and audit risk so that an overall low level of audit risk is
attained.

1
2009 DeVry/Becker Educational Development Corp. All rights reserved.

Becker CPA Review Auditing 3 Class Notes

D.

DEVELOPING THE AUDIT PLAN

1.

2.

An audit plan is a list of procedures to be performed. The audit plan must be in

writing and should include the nature, extent, and timing of:
a.

Risk assessment procedures, to assess the risk of material misstatement.

b.

Planned further audit procedures (i.e., tests of controls, substantive tests).

c.

Other required procedures.

The auditor should consider the need to utilize other professionals.

a.

b.

c.

Internal Auditor The auditor may choose to make use of the client's internal
auditor.
(1)

The internal auditor must be objective and competent.

(2)

The auditor cannot share responsibility with the internal auditor.

Specialist The auditor may need to utilize a specialist.

(1)

The specialist must be competent and objective.

(2)

If the specialist is related to the client, additional procedures may be

necessary.

(3)

A specialist is not mentioned in the auditor's report unless a report

modification relates to the work of the specialist.

Service Organization A service organization used by the client may, in

effect, form part of the client's information system.
(1)

E.

F.

The client's auditor (user auditor) may utilize the service auditor's report
in this situation.

MATERIALITY
1.

Know the terms known misstatement (specifically identified during the audit), likely
misstatement (an estimate of the misstatement that is likely to exist), and tolerable
misstatement (maximum error the auditor will accept).

2.

Know the definition of materiality (reasonable person standard).

3.

A preliminary level of materiality is typically based on historical or interim financial

statements, and may be revised during the audit.

4.

Materiality may be assessed in quantitative or qualitative terms.

5.

The auditor should document planned levels of materiality and tolerable

misstatement, changes in these amounts, and known and likely misstatements
(whether corrected or uncorrected).

AUDIT RISK
1.

You must know the definition of audit risk: financial statements are materially
misstated but the opinion is not appropriately modified.

2.

You must know the two elements of audit risk.

a.

Risk of Material Misstatement risk that the financial statements are

materially misstated. This risk is itself composed of two risks.
(1)

Inherent Risk based on the nature of the financial statement assertion.

(2)

Control Risk risk that controls fail to prevent/detect a material

misstatement in a financial statement assertion.

2
2009 DeVry/Becker Educational Development Corp. All rights reserved.

Becker CPA Review Auditing 3 Class Notes

b.

Detection Risk risk that the auditor does not detect a material misstatement
in a financial statement assertion.
(1)

3.

It is imperative that you understand that audit risk needs to stay relatively low.
a.

G.

H.

This is the only element that the auditor can control, by varying the
nature, extent, or timing of audit procedures.

If the auditor's assessment of the risk of material misstatement increases

(usually through an increase in inherent risk or control risk), then the auditor
must reduce detection risk to keep overall audit risk low. The auditor may:
(1)

Change the nature of substantive tests from a less effective to a more

effective procedure.

(2)

Change the extent of substantive tests (i.e., use a larger sample size)

(3)

Change the timing of substantive tests (i.e., perform substantive tests at

year-end rather than at interim)

b.

The risk of material misstatement (inherent risk and control risk) has an inverse
relationship to detection risk if you don't understand this, memorize it.

c.

Remember that the auditor can change his or her assessment of the risk of
material misstatement (inherent and control risks), but cannot change the
actual risks.

AUDIT RISK AND MATERIALITY

1.

Audit risk and materiality must be considered together in designing audit procedures.

2.

Audit risk and materiality must be considered at both the financial statement level and
at the individual account balance, transaction class, or disclosure item level.

3.

There is an inverse relationship between materiality and audit risk.

FINANCIAL STATEMENT ASSERTIONS

1.

There are three categories of financial statement assertions and thirteen assertions
within those categories (CPA CO CARE CURV).
a.

b.

Assertions related to transactions and events:

(1)

Completeness

(2)

Cutoff (proper period)

(3)

Accuracy

(4)

Classification

(5)

Occurrence

Assertions related to account balances:

(1)

Completeness

(2)

Allocation and valuation

(3)

Rights and obligations

(4)

Existence

3
2009 DeVry/Becker Educational Development Corp. All rights reserved.

Becker CPA Review Auditing 3 Class Notes

c.

2.
I.

Assertions related to presentation and disclosure:

(1)

Completeness

(2)

Understandability and classification

(3)

Rights and obligations, and occurrence

(4)

Valuation and accuracy

You need to know the assertions and what they mean, and understand how relevant
assertions may be used by the auditor to develop audit procedures.

SUPERVISION
Proper supervision of assistants is required; disagreements among staff should be
documented.

J.

FRAUD
1.

2.

3.

There are two types of fraud:

a.

Fraudulent Financial Reporting Intentional misstatements or omission of

amounts and disclosures in the financial statements

b.

Misappropriation of Assets theft of an entity's assets

There are three fraud risk factors their presence indicates a greater possibility of
fraud.
a.

Incentives/Pressures (e.g., trying to meet an EPS target to receive stock

options)

b.

Opportunity (e.g., the ability to steal from the company due to a lack of
controls)

c.

Rationalization/Attitude (e.g., employees who steal from the company

because they believe they are not paid enough)

You must understand management's responsibility with respect to fraud versus the
auditor's responsibility.
a.

It is management's responsibility to design and implement programs and

controls to prevent, detect, and deter fraud.

b.

The auditor has a responsibility to obtain reasonable assurance about whether

the financial statements are free of material misstatement. The auditor must:
(1)

Exercise professional skepticism.

(2)

Discuss fraud risk with engagement personnel.

(3)

Obtain information regarding fraud risk (inquiry, analytical procedures,

etc.).

(4)

Assess fraud risk and develop an appropriate response.

(5)

(a)

Improper revenue recognition and management override are

presumed to exist.

(b)

Both a general (overall) response and a response to specific areas

of risk are required.

Evaluate evidence.

4
2009 DeVry/Becker Educational Development Corp. All rights reserved.

Becker CPA Review Auditing 3 Class Notes

(6)

K.

L.

(a)

Discuss fraud with management one level above those involved.

(b)

Fraud causing material misstatement or involving senior

management should be reported to the audit committee/those
charged with governance.

(c)

Know when it is acceptable to communicate fraud to outside

parties.

(d)

Know the specific documentation requirements for fraud.

ILLEGAL ACTS
1.

If the illegal act has a direct and material effect on the financial statements, the
auditor has a reasonable responsibility to detect it.

2.

The auditor has no responsibility to detect indirect effect illegal acts, but cannot
ignore such acts that come to his or her attention.

3.

You should understand the implications of illegal acts on the evaluation of

management integrity, the auditor's report, etc.

4.

You should also know when it is acceptable to communicate illegal acts to outside
parties.

RISK ASSESSMENT
1.

The auditor must obtain an understanding of the entity and its environment, including
its internal control, and assess the risk of material misstatement.
a.

Inquiry, analytical procedures, observation, inspection, and discussion among

the audit team are some procedures used to assess risk.

b.

The auditor must obtain an understanding of industry, regulatory, and other

external factors, the nature of the entity, the entity's objectives, strategies, and
risks, the entity's financial performance, and the entity's internal control.

c.

A significant risk requires special audit consideration. Be familiar with the

factors indicative of significant risks.

d.

The auditor should obtain an understanding of controls and determine whether

they have been implemented.
(1)

2.

If the auditor's risk assessment is based on the effective operation of

controls, the operating effectiveness of those controls will also need to
be tested.

Know the documentation requirements surrounding the auditor's risk assessment.

a.

The auditor should document the audit team's discussion, key elements of the
understanding of the entity and its environment, including its internal control,
the risk assessment procedures performed, the basis for the risk assessment,
and the identified risks and related controls evaluated by the auditor.

b.

Flowcharts, internal control questionnaires/checklists, narratives, or decision

tables may be used.
(1)

M.

Communicate and document conclusions.

Occasional exam questions require knowledge of flowcharting symbols.

CONSIDERATION OF INTERNAL CONTROL IN A FINANCIAL STATEMENT AUDIT

1.

As part of the auditor's risk assessment process, the auditor must obtain an
understanding of the entity's internal control.

5
2009 DeVry/Becker Educational Development Corp. All rights reserved.

Becker CPA Review Auditing 3 Class Notes

2.

The purpose of internal control is to help a company meet its objectives (reliable
financial statements, effective/efficient operations, compliance).

3.

There are five components of internal control (CRIME). Know the basic definition of
each, and be familiar with the factors included in each component.
Control environment.

b.

Risk assessment (this is the company's assessment, not the auditor's).

c.

Information and communication systems.

d.

Monitoring.

e.

Existing control activities.

3.

The auditor studies internal control to assess the risk of material misstatement and to
determine the nature, extent, and timing of further audit procedures.

4.

The auditor should:

5.
N.

a.

a.

Evaluate the design of controls.

b.

Determine whether controls have been implemented (i.e., are being used).

Be familiar with the inherent limitations of internal control (i.e., the reasons why
errors may occur in spite of an effective system of internal control).

CONTROL ACTIVITIES
When there is a strong system of internal control, control activities implemented by the
client might include (PAID TIPS):

O.

P.

1.

Prenumbering of documents.

2.

Authorization of transactions.

3.

Independent checks to maintain asset accountability.

4.

Documentation.

5.

Timely and appropriate performance reviews.

6.

Information processing controls.

7.

Physical controls for safeguarding assets.

8.

Segregation of duties (ARC: separate authorization, recordkeeping, and custodial

functions).

INFORMATION TECHNOLOGY (IT)

1.

Use of information technology may impact any of the five components of internal
control.

2.

There are both benefits (faster processing, improved consistency) and risks
(unauthorized access to data or programs) associated with the use of information
technology.

3.

Segregation of duties within the IT department is important. (Know the specific

breakout of duties for an IT department.)

RESPONDING TO ASSESSED RISKS

1.

The auditor must respond to the assessed level of risk at two levels:
a.

The financial statement level an overall response is required, such as

assigning more experienced staff or increasing the level of supervision.

6
2009 DeVry/Becker Educational Development Corp. All rights reserved.

Becker CPA Review Auditing 3 Class Notes

b.
2.

The relevant assertion level the nature, extent, and timing of specific audit
procedures is based on the assessed level of risk for the relevant assertions.

The auditor may choose between two audit approaches:

a.

A substantive approach only substantive procedures will be performed

(controls are nonexistent or it would be inefficient to test them).
(1)

b.

A combined approach tests of controls are performed, in the hope that

effective controls will allow a reduction in substantive testing.
(1)

3.

Even if controls are effective, substantive tests are always required to

some extent for each material transaction class, account balance, or
disclosure item.

Tests of Controls
a.

Tests of controls are used to evaluate the operating effectiveness of controls.

(1)

4.

Tests of controls may be required when there is extensive use of

technology, even if a completely substantive approach would otherwise
have been utilized.

The auditor may, purposefully or incidentally, obtain evidence regarding

the operating effectiveness of controls while obtaining an understanding
of the entity and its environment.

b.

Inquiry, inspection, observation, and reperformance are used to test the

operating effectiveness of controls. (Note that inquiry alone is insufficient, and
observation relates only to a specific point in time.)

c.

Be familiar with the factors that affect the nature, extent, and timing of tests of
controls.

d.

Evidence from prior years about operating effectiveness may be used as long
as it is still relevant and it is not too old (tests should be reperformed at least
once every three years).

Substantive Tests
a.

Substantive tests include tests of details and analytical procedures.

b.

The financial statements should be agreed to the underlying accounting

records, and material journal entries or adjustments should be examined.

c.

Be familiar with the factors that affect the nature, extent, and timing of
substantive tests.
(1)

In particular, understand that the extent of substantive testing is affected

by the risk of material misstatement (which in turn is affected by inherent
and control risks).

(2)

Be familiar with the factors affecting a decision to perform substantive

tests at interim instead of year-end.

5.

In responding to the assessed level of risk, the auditor may discover that the initial
risk assessment needs to be modified, and the audit plan should be revised
accordingly.

6.

The auditor must use judgment to evaluate the sufficiency and appropriateness of
audit evidence.

7.

Be familiar with the documentation requirements, especially the need to demonstrate

how audit procedures are linked in some way to the assessed level of risk.

7
2009 DeVry/Becker Educational Development Corp. All rights reserved.