Académique Documents
Professionnel Documents
Culture Documents
Chapter 1 Auditing
Definition Expanded
4. Auditing is done to determine and report on the degree of correspondence between the
information and established criteria. Explain this part of the definition (information and
established criteria).
5. Auditing is the accumulation and evaluation of evidence about information. Explain this
process.
a. Evidence: any information used by the auditor to assess whether the information
being audited is stated in accordance with established criteria.
b. The quality and amount of evidence collected depends upon the risks of
misstatement.
c. Audit Strategy: a planned approach to the conduct of audit testing, taking into
account assessed risks.
i. The auditor devises this strategy to effectively plan the evidence-gathering
process.
ii. Evidence takes many different forms, including oral representation of the
auditee (client), written communication with outsiders, and observations
by the auditor.
iii. Certain evidence (from a third party) is considered more reliable than
other evidence (from the client). It is important to obtain a sufficient
quality and volume of evidence to mitigate the risks of the audit.
6. Auditing should be done by a competent, independent person. Explain what they mean by
competent and independent (third part of the definition of auditing)
a. The auditor must be qualified to understand the engagement risks and the criteria
used. This includes competence in selecting the types and amount of evidence to
accumulate and effectively evaluating evidence to reach the proper conclusion.
b. The auditor also must be independent in mind and appearance.
c. Auditors reporting on company financial statements are often called independent
auditors.
i. Even though an auditor of published financial statements is paid a fee by a
company, he or she is normally sufficiently independent to conduct audits
that can be relied on by users.
d. Internal Auditors—an auditory employed by a company to audit for the
company’s board of directors and management.
7. Explain the final stage in the definition and the auditing process, reporting.
a. The final stage in the audit process is the independent auditor’s report (the
communication of audit findings to users).
b. Reports must inform readers of the degree of correspondence between
information and established criteria.
10. As society becomes more complex, there is an increased likelihood that unreliable
information will be provided to decision makers. What are the reasons for this?
a. Remoteness of information,
b. Bias and motives of provider,
c. Voluminous data,
d. The existence of complex exchange transactions
11. Managers of businesses and the users of their financial statements may conclude that the
best way to deal with information risk is simply to have the risk remain reasonably high.
A small company may find it less expensive to pay higher interest costs than to increase
the costs of reducing information risk (e.g., by having an audit). For larger businesses, it
is usually practical to incur such costs to reduce information risk. What are the three main
ways to do so?
a. The user may go to the business premises to examine records and obtain
information about the reliability of the statements.
b. Management is responsible for providing reliable information to users. Users may
evaluate the likelihood of sharing their information risk loss with management.
c. An independent audit is performed. This is the most common way for users to
obtain more reliable information.
In addition to understanding accounting, the auditor must also possess expertise in risk
assessment processes and the accumulation and interpretation of audit evidence. It is this
expertise that distinguishes auditors from accountants. Determining the proper audit procedures
that mitigate risks, deciding the number and types of items to test, and evaluating the results are
tasks that are unique to the auditor.
Learning Objective 2
14. What are the five categories used to describe attestation services?
c. A review provides moderate assurance, with the result that the public accountant
(PA) provides a conclusion on the financial statements produced, rather than an
opinion.
d. Less work so there is less cost.
a. Management states that internal controls have been developed and implemented
following well-established criteria.
b. The Sarbanes-Oxley Act requires companies to report management’s assessment
of the effectiveness of internal control.
c. This increases user confidence about future financial reporting because effective
internal controls reduce the likelihood of future misstatements in the financial
statements.
a. The volume of real-time information available on the internet is shifting the need
for assurance from historical information at a point in time, such as financial
statements, to assurances about the privacy and reliability of processes generating
information in a real-time format.
b. As transactions and information are shared online and in real time, there is an
even greater demand for assurances about computer system controls surrounding
information transacted electronically and the security of the information related to
the transactions. Auditors can help provide assurance about these functions.
a. Accountants may also prepare special reports for clients where the auditor
provides an opinion on financial information other than financial statements or on
compliance with an agreement or regulations.
i. Compilations are also called “Notices to Readers” or NTRs, after the name
of the report issued with such engagements.
ii. No assurance is provided by a compilation, and readers are cautioned that
the financial statements may not be appropriate for their purposes.
b. Tax Services: Accounting firms prepare corporate and individual tax returns for
both audit and non-audit clients
c. Management Advisory Services: management advising includes services such as
retirement planning and personal financial planning.
d. Accounting and Bookkeeping Services: Some small clients lack the personnel or
expertise to prepare their own subsidiary records. Many small accounting firms
work with accounting software packages to help clients record their transactions.
i. When a PA conducts a review or an audit after doing bookkeeping work,
he or she must take care to ensure that independence rules are properly
followed.
Types of Audits
23. What are the strategic differences between accounting and auditing?
a. Users of financial information may need to have audits performed for one or more
of the following reasons.
b. Remoteness of the Information
i. The owners and creditors of a business do not have access to the daily
financial records of the company; therefore, they rely heavily on the
company’s financial statements about the enterprise, which are the
primary source of financial information about the organization.
c. Bias and Motives of Management
i. The management and employees of a company may have goals and
objectives that differ from those of the owners.
ii. The best way the owners have of ensuring their goals are met is to hire
independent auditors to conduct an examination of the financial statements
and accounting policies of the business.
d. Voluminous Data
i. As a company grows, so does the volume of its transactions. It is almost
impossible for users of the financial statements—even with access to all of
the accounting records—to examine the large number of transactions
recorded in the company’s accounts. It is more economical to have an
auditor examine these records and present an audit report to all users of
the data.
e. Complexity of Transactions
Public accountants perform audits in accordance with generally accepted auditing standards
of published financial statements prepared in accordance with an acceptable financial
reporting framework
Government auditors from the auditor generals (federal or provincial) perform compliance or
operational (value-for-money) audits in order to assure the Parliament that the expenditure of
public funds is in accordance with its directives and the law and is done with efficiency,
economy and effectiveness. They also do financial statement audits of Crown Corporations,
or sub-contract this work to external public accountants.
Canada Revenue Agency auditors perform compliance audits to enforce the federal tax laws
as defined by Parliament, interpreted by the courts, and regulated by the Income Tax Act.
Internal auditors perform compliance or operational audits in order to assure management or
the board of directors that controls and policies are properly and consistently developed,
applied and evaluated
1. What are the four size categories that can be used to describe public accounting firms?
2. The organization and structure of public accounting firms can vary depending on the
nature and range of services offered by the firm. Three main factors influence the
organizational structure of all firms:
The need for independence from clients. Independence permits auditors to remain
unbiased in drawing conclusions about their clients’ financial statements.
The importance of a structure to encourage competence. The ability of the
structure to encourage competence permits auditors to conduct audits and perform
other services efficiently and effectively.
The increased litigation risk faced by auditors. Firms continue to experience
increases in litigation-related costs. Some organizational structures afford a
degree of protection from lawsuits to individual firm members.
Canadian auditing and assurance standards are issued by the Auditing and
Assurance Standards Board (AASB), which is composed of volunteers appointed
by the Auditing and Assurance Standards Oversight Board (AASOB) and from
the business community.
Canadian auditing and assurance standards are based upon standards originally
developed and released by IFAC’s IAASB.
Assurance Standards—a framework for the auditor to use to assist him or her in
the conduct of an audit engagement;
The authority underlying the audits and related services activities carried on by
public accountants;
The Requirements sections of CASs and the italicized portions of Other Canadian
Standards in the CICA Handbook.
8. What are the Overall Objectives of the Independent Auditor and the Conduct of an
Audit?
ii. Professional judgement should be used by the auditor during the planning
process and during the conduct of the financial statement audit.
iii. The audit shall be conducted using a risk-based approach.
iv. There needs to be enough evidence to show the quality to allow the
auditor to reduce audit risk to a good level.
Category 3: Reporting the results
i. Provide a report on the statements that matches the auditors report.
ii. Findings and modifications must be in accordance with the CASs
This standard stresses the important qualities the auditor should possess.
Practical experience and continuing professional education are aspects of
competence.
The auditor must be technically qualified and experienced in those industries in
which the auditor has clients.
The requirement involves due care in the performance of all aspects of auditing
This means that the auditor is a professional, responsible for fulfilling his or her
duties diligently and carefully.
As a professional, the auditor must act in good faith, but he or she is not expected
to make perfect judgments in every instance.
To conduct the audit effectively, the auditor must be free of bias.
The rules of conduct of CGAAC also stress the need for independence of CGAs
engaged in public accounting.
Public accounting firms are required to follow several practices to increase the
likelihood of independence of all personnel. For example, the internal and
external auditors usually report to the audit committee. An audit committee is a
subcommittee of the board of directors of a company. So that the audit committee
can provide effective oversight, the audit committee members must be
independent, that is, be composed of directors not belonging to management, also
strengthening audit independence.
10. Explain the second category in detail, Examination: performance of the audit
These standards require that the auditor conduct the audit using a risk-based
approach, being skeptical about the potential for material misstatement (which
includes errors or fraud) in the financial statements.
A strategic and risk-based approach means that the client must be assessed in the
context of the business environment, the corporate governance process, and the
quality of internal controls.
12. Canadian Auditing Standards require that the audit be conducted using a risk assessment
approach. What are the steps for conducting the Financial Statement audit using a Risk
Assessment Approach?
Quality Control
Policies and procedures used by a public accounting firm to make sure that the
firm meets its professional responsibilities.
These policies and procedures include the organizational structure of the public
accounting firm and the procedures the firm sets up.
A public accounting firm must make sure that generally accepted auditing
standards are followed on every audit.
Quality controls represent the mechanisms used by the firm that help it meet those
standards consistently on every engagement.
Quality controls are therefore established for the entire public accounting firm and
all the activities in which the firm is involved; GAAS require that these standards
15. What is one of the ways in which the PA profession in Canada has dealt with quality
control?
In July of 2002, the Sarbanes-Oxley Act (SOX) was legislated in The Unites States, as a result of
bankruptcies and alleged audit failures involving Enron and WorldCom. In the United States,
one impact of SOX was the establishment of the Public Company Accounting Oversight Board
(PCAOB), appointed and overseen by the Securities and Exchange Commission (SEC). The
PCAOB is responsible for establishing auditing and quality control standards for public company
audits and for inspecting the quality controls at audit firms responsible for performing public
company audits.
These events have caused the accounting profession in Canada to take a long look at, and to
reassess, the processes and standards used in audits. In Canada effective December 1, 2005, the
CICA adopted quality control standards for audits. As a result, massive revisions of the CICA
Handbook in 2005 reflect a more risk-assessment approach to auditing. Another outcome was the
formation of the Canadian Public Accountability Board (CPAB). The CICA Handbook -
Assurance,Section CSQC 1 lists the “Canadian Standard on Quality Control 1." These general
standards of quality controls apply to public accounting firms that perform audits and reviews of
financial statements, and other assurance engagements. These standards list the policies and
procedures that the audit firms should have in place. A summary of these standards is presented
in Table 2-2 on page 39 of your textbook. The impact of these standards will be discussed in
more detail in subsequent lessons. The CPAB performs regular inspections of the public
accounting firms that audit Canadian public companies.
A major difference between the PCAOB (US) and the CPAB (Cdn) is that the PCAOB is also
responsible for developing auditing standards for public companies (formerly done by AICPA),
while in Canada that responsibility still lies with the CICA.
Describe the ethical behaviour required of auditors and apply the components of the professional
rules of conduct.
1. Define Ethics?
3. What are the two primary reasons why people act unethically?
The person’s ethical standards are different from those of society as a whole
i. Extreme examples of people whose behaviour violates almost everyone’s
ethical standards are drug dealers, bank robbers, and larcenists.
The person chooses to act selfishly.
i. unethical behaviour often results from selfish motives.
ii. Political scandals result from the desire for political power. Cheating on
tax returns and expense reports is motivated by financial greed.
iii. In each case, the person knows that the behaviour is inappropriate but
chooses to do it anyway because of the apparent personal sacrifice needed
to act ethically.
5. What are some commonly employed rationalization methods that can easily result in
unethical conduct?
6. Formal frameworks have been developed to help people resolve ethical dilemmas. The
purpose of such frameworks is to help a person identify the ethical issues and decide on
an appropriate course of action based on the person’s own values. What is this six-step
approach to resolving ethical dilemmas?
Provides a framework for dealing with ethical issues in a proactive way, with the
assumption that the organization is willing to work to resolve ethical dilemmas
and the person at the centre of the dilemma is willing to take action.
Identification: Identifying the ethical issue, the values underpinning the different
positions in this value conflict and the possibilities for action
Purpose and choice: Considering your personal and professional purpose and
choices.
Stakeholder analysis: Who is affected, what is at stake for them, and how do you
connect with them?
Powerful response: Craft a useful, powerful response that you could use, taking
into account multiple options, the need for additional information, working with
allies, and who your audience would be.
Scripting and coaching: Further develop and practise your response (scripting)
and get help (coaching).
i. The firm or member owns shares in or has made a loan to the client. The
client fees are significant in relation to the total fee base of the PA or of
the firm.
Self-review threat—when the PA is placed in the position of having to audit his or
her own work or systems during the audit.
i. The reasons for this could be that the PA prepared original data or records
for the client as part of a bookkeeping engagement or was an employee or
officer of the organization. The PA could also have designed and
implemented an accounting information system used to process client
records.
Advocacy threat—when the firm or member is perceived to promote (or actually
does promote) the client’s position; that is, the client’s judgment is perceived to
direct the actions of the PA.
i. The PA is acting as an advocate in resolving a dispute with a major
creditor of the client. The firm or PA is promoting the sale of shares or
other securities for the client or is receiving a commission for such sales.
Familiarity threat—occurs when it is difficult to behave with professional
skepticism during the engagement due to a belief that one knows the client well.
i. There is a long association between senior staff and the client (e.g., being
on the engagement for 10 years). A former partner of the firm is now the
chief financial officer of the client.
Intimidation threat—the client personnel intimidate the firm or its staff with
respect to the content of the financial statements or with respect to the conduct of
the audit, preventing objective completion of field work.
i. The client threatens to replace the audit firm over a disclosure
disagreement. The client places a maximum upon the audit fee that is
unrealistic with respect to the amount of work that needs to be completed.
15.
Ethics are the backbone of the practice of public accounting and auditing. They are a set of moral
principles that include honesty, integrity, and fairness. Ethics are needed for society to function
in an orderly manner.
Society has attached a special meaning to the term “professional” and, therefore, expects
professionals to act with a high level of ethical behaviour.
maintaining independence
acting in a manner that serves to enhance the image of the profession and the public’s
confidence in the profession
To read an extensive and detailed code of professional conduct, go to the website for one of the
professional accounting organizations. The textbook refers to the rules of conduct for CGA
Association of Canada and the CPA Ontario.
On the CGA (Canada) site, click Standards in the left-hand menu; this will bring you to the
Professional and Practice Standards.
On the CPA Ontario site, enter "member’s handbook" in the Search field and select the first
result.
There are differences in the codes between provinces, but all professional accounting
organizations have developed codes of professional conduct that are based on certain principles.
The most important of these principles are summarized in the following paragraphs.
Independence
Professional independence ensures that the auditor has an unbiased viewpoint, which is critical to
the credibility of the audit opinion. Independence is the most important characteristic of the
auditor. Auditors take steps to ensure that they are not just independent “in fact” but are also
independent “in appearance.”
When evaluating the acceptance of an audit, the public accountant must examine the following
five facets of independence and document the safeguards used to eliminate or reduce them to
acceptable levels.
Advocacy threat—when the firm or public accountant seems to be promoting the client or acting
as its representative.
Self-review threat—when any of the audit staff are auditing their own work.
Familiarity threat—when audit staff conduct a company’s audit for many years, they may take
some aspects of the company for granted.
Intimidation threat—when the client is trying to impose some conditions on the audit.
Independence is maintained by
GAAS
Confidentiality
Accounting professionals are not allowed to disclose confidential information about their clients
or employer. However, this rule does not apply to information demanded by a court. As well, this
rule does not apply when the member’s professional association will be conducting a practice
review or when there is a disciplinary process. Consequently, an auditor must be very careful
when placing information in a file and should not release that information to anyone (except a
court) without the client’s permission.
This principle prohibits public criticism of professional colleagues. Accountants should never do
anything that diminishes the reputation of their profession.
Integrity refers to the accountant’s honesty and fairness, which must be above question. Failure
to exercise due care results in negligence, which may lead to legal liability.
Competence
Professional accountants cannot associate themselves with false or misleading information or fail
to reveal material omissions. GAAP and GAAS are the means by which accountants determine
their professional actions.
Other Rules
A member of a professional organization who becomes aware of a breach of the rules of conduct
by another member has a duty to report this breach to the discipline committee of that profession.
The professions are self-policing, and public pressure has forced many professional
organizations to include non-members on their discipline committees. The formation of the
CPAB is another self-policing measure. Punishment can result in fines, loss of designation for an
Communication with predecessor auditors is required before the new audit engagement is
accepted. This consultation ensures that the new auditor does not risk accepting unethical clients
without obtaining a reference from the predecessor auditor.
Audit Committees
Under the Canada Business Corporations Act, public companies are required to have an audit
committee, although provision is made for a waiver in some circumstances. The audit committee
is required to review the company’s financial statements before they are issued. The committee
must comprise at least three members of the company’s board of directors, the majority of whom
must be outside directors. The directors have an obligation to inform the auditor and audit
committee of any wrongdoing or misstatements that come to their attention.
Legal Liability
2. What are the conditions that must be present for a fiduciary duty to arise?
It is extremely rare
A criminal conviction against an auditor can result only when it is demonstrated
that the auditor acted with criminal intent.
Fiduciary duty—a party (such as an accountant) has an obligation to act for the
benefit of another, and that obligation includes discretionary power.
The situations where an accountant is making payments on the client’s behalf to a
tax authority or is appointed as a trustee for an estate are examples where
fiduciary duty could arise.
A professional accountant acting as an officer or director of an organization
would have a fiduciary duty to shareholders.
5. Show how the responsibilities of auditors are layered upon the basic transaction
processing of an organization.
Many accounting and legal professionals believe that a major cause of lawsuits against public
accounting firms is the lack of understanding by financial statement users of the difference
between a business failure and an audit failure and between an audit failure and audit risk.
Audit failure—a situation in which the auditor issues an erroneous audit opinion
as the result of an underlying failure to comply with the requirements of generally
accepted auditing standards.
For example, the auditor may have assigned unqualified assistants to perform
audit tasks, and because of their lack of competence and inappropriate
supervision, they fail to find material misstatements that qualified auditors would
have discovered.
Audit risk—the risk that the auditor will conclude that the financial statements are
fairly stated and an unqualified opinion can therefore be issued when, in fact, they
are materially misstated
There is always some risk that the audit will not uncover a material financial
statement misstatement, even when the auditor has complied with GAAS.
Due care (during an audit)—completing the audit with care, diligence, and skill.
If the auditor failed to use due care in the conduct of the audit, then there is an
audit failure.
Then, the law often allows parties who suffered losses as a result of the auditor’s
breach of duty of care to recover some or all of the losses linked to the audit
failure.
Expectation gap—the conflict between what some users expect from an auditor’s
report and what the auditor’s report is designed to deliver; some users believe that
an auditor’s report is a guarantee for the accuracy of the financial statements,
although the report is, in fact, an opinion based on an audit conducted according
to GAAS.
The standard of due care to which the auditor is expected to be held is often
referred to as the prudent person concept.
This is the legal concept that a person has a duty to exercise reasonable care and
diligence in the performance of his or her obligations to another.
Each partner may be held liable in a civil action for the tort or negligent actions of
each of the other partners and employees in the partnership.
Limited liability partnership (LLP)—an organizational structure whereby only the
person who does the work, those who supervise that person, and the firm itself are
Public accountants do not have the right under common law to withhold
information from the courts on the grounds that the information is privileged.
A court can subpoena information in an auditor’s working papers. Confidential
discussions between the client and auditor cannot be withheld from the courts.
A legal action taken by an injured party against the party whose negligence
resulted in the injury.
A typical negligence action against a PA is a bank’s claim that an auditor had a
duty to uncover material errors in financial statements that had been relied on in
making a loan.
Lack of even slight care that can be expected of a person, tantamount to reckless
behaviour.
When a person injured by a PA’s negligence has also been negligent, and this
negligence has also caused or contributed to the person’s loss or injuries.
A common example of such negligence is failure to give a PA information
requested during the preparation of a tax return.
The client later sues the accountant for improper preparation of the return. The
court may hold that there was contributory negligence on the part of the client,
and any damages that the client is awarded would be reduced in proportion to the
amount that the client’s own negligence was responsible for the loss.
This defence is also used to reduce the effects of joint and several liability.
A false assertion that has been made knowingly, without belief in its truth, or
recklessly without caring whether or not it is true.
An example is an auditor giving a standard (unqualified) opinion on financial
statements that will be used to obtain a loan when the auditor knows the financial
statements contain a material misstatement.
A third party who does not have privity of contract but is known to the
contracting parties and is intended to have certain rights and benefits under the
contract.
A common example is a bank that has a large loan outstanding at the balance
sheet date and requires an audit as a part of its loan agreement.
Theft of assets
23. What are the six auditor defences against client suits for negligence?
The lack of duty to perform the service is a legal defence under which the professional
claims that no contract existed with the plaintiff; therefore, no duty existed to perform the
disputed service.
For example, the public accounting firm might claim that errors were not uncovered
because the firm did a review engagement, not an audit.
A common way for a public accounting firm to demonstrate a lack of duty to perform is
by use of an engagement letter.
Prior to addressing negligence, the defendant accountants could provide evidence that the
financial statements were in accordance with accounting standards (no material errors).
So even if the auditors had been negligent, the appropriate financial statements would not
have differed materially from those on which the plaintiff relied.
Then no grounds exist for suing the auditors.
Absence of misstatement—the financial statements appropriately portray the financial
situation of the organization.
Two types of letters that are commonly used by auditors to reduce potential liability to
clients are an engagement letter and a management representation letter.
o Engagement letter is a signed agreement between the public accounting firm and
the client identifying such items as whether an audit is to be done, other services
to be provided, the date by which the work is to be completed, and the fees.
o The representation letter documents oral communication between auditors and
management and states management’s responsibilities for fair presentation in the
financial statements.
It is possible that the financial statements were materially misstated and that the audit was
negligently performed but that the plaintiff did not suffer any damages.
A third party, the shareholders, claimed damages, but the Supreme Court stated that the
damages were suffered by the corporate entity itself rather than by the shareholders.
Thus, those plaintiffs (the shareholders) had no standing in law to claim the damages.
Absence of negligence—a legal defence under which the professional claims that the
disputed service was properly performed;
o an auditor would claim that the audit was performed according to GAAS.
Even if there were undiscovered unintentional material misstatements (errors), intentional
misstatements, or misrepresentations (fraud and other irregularities), the auditors would
argue that they were not responsible if the audit was properly conducted.
This occurs because there was an absence of negligence. The public accounting firm is
not expected to be infallible.
To succeed in an action against the auditor, the client must be able to show that there is a
close causal connection between the auditor’s breach of the standard of due care and the
damages suffered by the client.
For example, assume an auditor failed to complete an audit on the agreed-upon date. The
client alleges that this caused a bank not to renew an outstanding loan, which caused
damages.
A potential auditor defence is that the bank refused to renew the loan for other reasons,
such as the weakening financial condition of the client.
Here the auditor must prove that the client was negligent, by not acting on some of the
auditor’s recommendations or by providing false information to the auditor.
Under common law, the audit profession has the obligation to fulfill implied or
expressed contracts with clients.
If auditors fail to do this they can be sued for negligence and/or breach of
contract.
2. Under the provincial securities acts, what is the obligation of the audit profession?
Under the provincial securities acts, auditors are also legally responsible to third
parties, in certain circumstances.
According to the SCC, the auditor is held accountable for duty of care to third
parties—those people the auditor knows will use and rely on the financial
statements and audits.
3. The auditor must accumulate evidence to prove assertions about the components of the
financial statements. What are the assertions they are trying to prove?
Occurrence. Assets and liabilities included in the financial statements exist and
the transactions actually took place.
Completeness. There are no unrecorded items.
Valuation. Assets and liabilities are properly valued.
Accuracy. Revenues and expenses are recorded in the proper amount. The general
ledger agrees to supporting records (such as subsidiary ledgers).
Classification. Transactions in the company records are properly classified.
Timing. Transactions should be recorded when they occur.
Posting and summarization. The transactions have been properly transferred from
subsidiary records to general ledger.
Let us illustrate these assertions with an example. Suppose you are auditing the inventory of a
particular company. To ensure that the inventory existed, you would observe your client
counting the inventory. To ensure that the inventory is complete, you would examine accounting
records for evidence of any shipments in transit. This examination would also reveal if the cost
of the inventory was lower than market (a test of valuation), if the company actually owned the
inventory, if the inventory transactions were recorded in the proper period (measurement), and if
the financial statements had appropriate note disclosure on the types of inventory and their
costing methods. If the auditor cannot prove each of these assertions for every material item in
the financial statements, then a reservation to the audit report is warranted.
Adopt sound accounting policies. Conduct the audit using a risk-based approach.
5. What is an error?
6. What is fraud?
Illegal acts.
8. What should the auditor do when they have discovered fraud or an illegal act?
Audit Phases
In these phases the auditor finds out about the client and the client’s industry and business
environment. A phrase that describes risks is “what could go wrong”? The auditor needs to know
“what could go wrong” in the financial statements, the client industry, or business, before
tailoring the risk response to those assessed risks.
There are three phases of risk assessment.
The auditor must develop a strategic audit approach (which is influenced by the
findings from the two preceding phases). The audit plan may be modified as
needed during the audit process.
The concept of risk response refers to the fact that the audit is designed to respond to identified
risks with audit programs and tests addressing those risks.
There are four risk response phases.
The auditor considers different types of tests in dealing with the specific risks and
materiality.
The tests are conducted in relationship to the materiality levels determined,
dealing with specific risks such as the potential for management bias or override,
fraud risks, or complex transactions identified.
Where the auditor has decided to rely upon internal controls, the auditor must test
the effectiveness of the controls or rely upon tests of controls conducted in one of
the prior two years if the control has characteristics that permit extended reliance.
Tests of controls—audit procedures to test the effectiveness of control policies
and procedures in support of a reduced assessed control risk.
As the tests are completed, the results are evaluated to determine if there should
be any changes in assessed risks or in the design of the audit procedures.
Tests of control involve inquiry, observation, reperformance, and inspection of
controls and transactions.
Objective Four: Describe the nature of substantive testing and the audit objectives that
this type of testing attempts to prove.
At this stage, tests are done to substantiate the balance in an account at a certain
date.
These tests satisfy the third examination standard of GAAS.
They consist of:
i. Analytical procedures
1. Analytical procedures are those that assess the overall
reasonableness of transactions and balances using comparisons and
relationships. .
ii. Tests of details of balance
1. Tests of details of balances—an auditor’s tests for monetary errors
or fraud and other irregularities in the details of balance sheet and
income statement accounts.
iii. Tests of key items.
1. Tests of key items—audit tests that focus on specific transactions
that could be at risk of material error.
2. For example, the purchase of shares in a subsidiary company may
be at risk of incorrect valuation. Similarly, the auditor may choose
to examine the activity between the company and a related party to
ensure that the amounts have been recorded correctly.
17. Explain Phase 7: Ongoing evaluation, quality control, and final evidence gathering.
As the result of the audit work is compiled, there is ongoing supervision from the
supervisor, manager, and partner.
Together they assess the impact upon the risks and decide if further procedures
have to be designed.
After the auditor has completed all the procedures for each audit objective and for
each financial statement account, it is necessary to combine the information
obtained into an audit summary memorandum to reach an overall conclusion as to
whether the financial statements are fairly presented.
18. Explain Phase 8: Completing quality control and issuing the report.
The auditor must consider not only events that have occurred before the audit
report date but also those that have occurred subsequent to the year end, and the
auditor must determine whether these events affect the financial statements.
The audit report represents a conclusion about the financial statements taken as a
whole.
1. CAS 300 (par. 9) states that the auditor must develop an audit plan that includes which
following components?
The nature, timing, and extent of audit procedures for the purpose of risk
assessment.
The nature, timing, and extent of additional audit procedures, linked to the
individual audit assertions.
Any other audit procedures that are needed for the audit to be conducted in
accordance with GAAS (the exact wording is to state that the audit is conducted
in compliance with the CASs).
To enable the auditor to obtain sufficient appropriate audit evidence for the
circumstances
i. Allows you to minimize legal liability and maintain a good reputation
To help keep audit costs reasonable
i. Helps the firm remain competitive and retain its clients
To avoid misunderstandings with the client.
i. Important for good client relations and for facilitating quality work.
Planning is essential if the auditor expects to meet the requirements of the first
examination standard of GAAS.
Proper audit planning must be done to ensure that sufficient, appropriate audit
evidence is obtained in a cost-effective manner.
Proper planning will help identify information for the auditor to use in assessing
audit risk and inherent risk of the client.
Assessing these risks will help the auditor make decisions about accepting a
client, continuing with a client, gathering evidence, staffing, and formulating the
engagement letter.
5. Explain the first phase of the planning process, performing client acceptance procedures.
6. Explain the second phase in the planning process, preparing a client risk profile.
This will affect the auditor’s assessment of the audit risk, the inherent risk, and
the risk of fraud or error.
7. Explain item one, industry and external environment. There are the three primary reasons
for obtaining a good understanding of the client’s industry.
Risks associated with specific industries may affect the auditor’s assessment of
client business risk and acceptable audit risk
i. It may even influence auditors against accepting engagements in riskier
industries, such as high technology.
Knowing about inherent risks helps the auditor in assessing their relevance to the
client.
i. An example is potential inventory obsolescence in the fashion clothing
industry.
Many industries have unique accounting requirements that the auditor must
understand to know if their statements are in accordance with the applicable
financial reporting framework.
i. For example, if the auditor is doing an audit of a city government, the
auditor must understand governmental accounting and auditing
requirements.
8. What are the different types of business operations and processes that should be
evaluated?
reviewing trade magazines and economic publications to learn about the economy
and industry in which the client operates
reviewing the prior year’s audit files and discussing anything of significance with
the predecessor auditor
consulting with co-workers or colleagues who have similar engagements
touring the client’s facilities and meeting with key personnel to discuss business
conditions and outlook
conferencing with the client’s personnel, including internal auditors
identifying related parties, major suppliers, and customers
consulting with specialists
evaluating current financial and accounting policies
reviewing organization charts and the most recent financial statements
meeting with the audit committee, senior management, and corporate governance
reviewing with the client the nature of any contractual obligations and loan
conditions
reading articles of incorporation, corporate bylaws, and major legal agreements
reading the minutes from the meetings of the audit committee, directors,
shareholders, and key management committees.
stock the corporation is authorized to issue, and the types of business activities the
corporation is authorized to conduct.
Bylaws—the rules and procedures adopted by a corporation’s shareholders, including the
corporation’s fiscal year and the duties and powers of its officers.
Corporate minutes—the official record of the meetings of a corporation’s board of
directors and shareholders in which corporate issues such as the declaration of dividends
and the approval of contracts are documented.
Strategies are approaches followed by the entity to achieve organizational objectives. Auditors
should understand client objectives related to:
Reliability of financial reporting
Effectiveness and efficiency of operations.
Compliance with laws and regulations.
9. During the risk assessment process, the auditor uses primarily four of types of evidence
The auditor can estimate the results by using both financial and non-financial information.
Generally, analytical procedures are used to assess the reasonableness of amounts shown in the
financial statements. The quality of the procedure is largely determined by the appropriateness
and reliability of the data used. For example, it would be difficult to assess the reasonableness of
interest expense if the client or the bank gave you an incorrect interest rate on the bank loan
balance.
Auditors often find differences between the amounts that they estimated and the amounts shown
in the financial statements. Before performing the analytical procedure, an acceptable level of
difference should be determined on the basis of materiality.
When analyzing the results of analytical procedures, the auditor may have to perform additional
work. For example, if the reasonableness of interest expense was analyzed by taking the average
interest rate on a bank loan and multiplying it by the average balance of the loan during the
period, and this calculation yielded a result considerably different from that shown in the
financial statements, additional work (such as the examination of monthly bank debit memos for
loan interest) would be performed.
The CICA requires that the auditor maintain written or electronic records—that is, working
papers of the procedures performed that support the conclusions reached in performing the audit.
The working papers may be contained in computerized files. The purpose of working papers is to
assist the auditor in preparing the audit report and the financial statements (as well as
tax returns and reports for regulatory agencies)
serve as a basis for review by senior members of the auditing firm (managers and
partners).
Note 6: Working Paper Organization
Permanent Files
Permanent files contain any ongoing legal and planning information about the client, such as
copies of important legal documents, details on the accounting policies used, descriptions of the
systems of internal controls, and financial statement analyses from previous years. All
information about the client that is of continuing interest from year to year is filed in the
permanent file.
Current Files
Current files document the work performed in the current year and may include any or all the
following items:
documents supporting reasons and conclusions for materiality, audit risk, inherent risk,
control risks, and the resulting overall audit approach
memos to the audit committee and to the client about recommendations for
improvement in the system of internal controls
letters from the company’s lawyers informing the auditor about the status of any
lawsuits, so as to assess the need for the accrual or disclosure of contingent liabilities
audit programs (questionnaires completed by audit staff members documenting that the
compliance and substantive audit procedures have been performed)
unadjusted journal entries for immaterial errors discovered by the auditor. Individually,
these entries do not warrant adjustment to the financial statements. They are listed and it
is later determined whether, in total, they are material. If they are material, an adjustment
would be required.
reclassification entries that are made to the financial statements but not to the records
of the company
evidence gathered to prove the audit objectives (refer to Figure 8-4 on p. 258 of the
textbook for an example)
These working papers are owned by the auditor and are generally not shown to anyone without
the permission of the client; exceptions include regulatory authorities and members of the
profession conducting a peer review of the auditor’s practice. Working papers contain sensitive
information about the client’s business and must be protected at all times. As more of this
information is held in electronic form, it becomes important that working papers be stored on
secure systems.
Working papers should be properly identified with the name of the company, initials of the
auditor, and date of preparation on all pages. They should also include conclusions for each
component on the financial statements. The conclusion would state that the balance of the
component was fairly stated in accordance with GAAP.
What working papers does the auditor retain to document the planning and risk profile
process?
The auditor will document observations of the client’s business, relevant industry and
environment characteristics, as well as information gathered about the client’s business (e.g.,
related parties, extracts from articles of incorporation, bylaws, minutes), and conduct preliminary
analytical review. Supported conclusions for each of the risk factors will be included.
They are a written record (in either paper or electronic form) providing information collected
during the audit, supporting the conclusions reached in the audit opinion, and demonstrating that
the audit was conducted in accordance with Canadian GAAS.
The design will reflect clarity of purpose, allowing others to clearly see the work that the auditor
has completed so that it can be reperformed if necessary. They will also demonstrate that
adequate supervision and review were completed during the audit.
Chapter 7 Auditing—Lesson 4
1. Define Risk
2. The overall audit approach designed by most firms is strategic—overview tactical plans
are developed that take into account the client’s objectives and strategies considering the
broader business environment within which the client operates.
Audit risk model—a formal model reflecting the relationships among audit risk
(AR), inherent risk (IR), control risk (CR), and planned detection risk (PDR); AR
= IR × CR × PDR.
The audit risk model is used primarily for planning purposes in deciding how
much evidence to accumulate in each cycle.
Audit risk—a measure of the level of risk the auditor is willing to accept that the
financial statements may be materially misstated after the audit is completed and
an unqualified audit opinion has been issued; see also Audit assurance.
Audit assurance—a complement to audit risk; an audit risk of 2 percent is the
same as audit assurance of 98 percent; also called “overall assurance” and “level
of assurance.”
Inherent risk—a measure of the auditor’s assessment of the likelihood that there
are material misstatements in a segment before considering the effectiveness of
internal controls.
Internal controls are ignored in setting inherent risk because they are considered
separately in the audit risk model as control risk.
Inherent risk is normally assessed at the account balance assertion (audit
objective) level.
Planned detection risk—a measure of the risk that audit evidence for a segment
will fail to detect misstatements exceeding materiality, should such misstatements
exist; PDR = AR / (IR × CR).
8. The audit risk desired affects the amount of evidence to be gathered. As audit risk
decreases, assurance required increases and more evidence must be gathered, making the
audit more costly.
Engagement risk or auditor business risk—the risk that the auditor or audit firm
will suffer harm after the audit is finished.
10. Business risk—includes auditor business risk and client business risk
11. Which factors are good indicators of the degree to which financial statements are relied
on by external users?
Client’s size.
i. The larger the operations, the more widely its statements will be used.
ii. The client’s size, measured by total assets or total revenues, will have an
effect on audit risk.
Distribution of ownership.
i. The statements of publicly held corporations are normally relied on by
many more users than those of private or closely held corporations
Nature and amount of liabilities.
i. When statements include a large number of liabilities, they are more likely
to be used extensively by actual and potential creditors than when there
are few liabilities.
12. What are the factors involved in indicating if a company will experience financial failure
after an audit?
Liquidity position.
i. If a client is constantly short of cash and working capital, it indicates a
future problem in paying bills
Profits (losses) in previous years.
i. When a company has rapidly declining profits or increasing losses for
several years, the auditor should recognize the future solvency problems
the client is likely to encounter.
Method of financing growth.
i. The more a client relies on debt as a means of financing, the greater the
risk of financial difficulty if the client’s operations become less successful.
Nature of the client’s operations.
i. Certain types of businesses are inherently riskier than others.
ii. For example, other things being equal, there is a much greater likelihood
of bankruptcy of a start-up technology company dependent on one product
than of a diversified food manufacturer.
Extent of reliance upon technology and quality of support strategies.
i. The more a client relies upon technology, the more important it is that the
client has an adequate backup and disaster recovery plan in the event of
hardware or software failure.
Competence of management.
i. Competent management is constantly alert for potential financing
difficulties and modifies its operating methods to minimize the effects of
short-run problems.
the judgment of a reasonable person relying on the information would have been
changed or influenced by the omission or misstatement.
15. CAS 450 suggests that an auditor be concerned with several levels of misstatement in
assessing whether or not there is a material misstatement:
The reason for setting materiality is to help the auditor plan the appropriate
evidence to accumulate. If the auditor sets a low dollar amount, more evidence is
required than for a high amount.
Several factors affect setting materiality for a given set of financial statements.
i. Materiality is a relative rather than an absolute concept
ii. Bases with a percentage applied are needed for evaluating materiality
Applications of Materiality
Early in the audit, a preliminary estimate of materiality should be made on the basis of the
auditor’s professional judgment. This estimate helps the auditor determine how much audit
evidence should be gathered.
Materiality is relative, not absolute. What is material for one company or purpose may not be
material for another. To determine a measure of materiality, most auditors use factors such as
percentage of net income, gross profit, total assets, shareholders’ equity, revenue, or a
combination thereof. Qualitative factors must also be considered when determining materiality.
For example, if fraud is suspected in a certain area, materiality will be lowered for the work
conducted in that area.
Risk is the uncertainty an auditor accepts when performing an engagement. Audit risk (AR) is
the risk that the auditor will fail to express a reservation in the opinion on financial statements
that are materially misstated. A lower audit risk means the auditor is less willing to live with the
uncertainty of misstatements in the financial statements and, therefore, will increase the amount
of evidence testing in the audit, and/or assign more experienced staff, and/or have an additional
independent review of their working papers.
The CICA (CICA Handbook - Assurance, CAS 200) has developed a risk model that defines the
component types of risk:
Audit risk (AR) = Inherent risk (IR) x Control risk (CR) x Detection risk (DR)
Note that audit risk is described in percentage terms or, more frequently, through the use of such
adjectives as low, moderate, or high. Audit risk can also be described as a measure of the
willingness of the auditor to accept a material misstatement in the financial statements. The
lower this measure is, the lower the auditor’s tolerance to error (zero is absolute certainty that no
errors exist). Absolute certainty is not economically feasible.
Inherent risk (IR) is the measure of the auditor’s assessment of the likelihood that a material
misstatement might occur in the first place, without considering the effect of internal controls. A
thorough understanding of the business is needed to assess inherent risk.
Control risk (CR) is the measure of an auditor’s assessment of the likelihood that a material
misstatement will not be prevented or detected by the system of internal control. However, for
the auditor to assess a control risk, an understanding of the control system must first be obtained.
For control risk to be assessed at less than maximum, two tasks must be carried out:
Detection risk (DR) is the measure of the risk that the audit evidence gathered will fail to detect
material errors or fraud and other irregularities, should such errors or fraud exist. The auditor can
control the level of this risk by increasing the amounts of audit evidence gathered.
Audit risk and the level of audit evidence required are inversely related. As audit risk increases,
the amount of acceptable tolerable misstatements also increases, and therefore, the amount of
audit evidence accumulated can be reduced.
In planning an audit, the auditor must attempt to predict where misstatements are most, and least,
likely to occur. The auditor can do little to reduce inherent risk. However, the effect of inherent
risk on audit risk can be reduced by decreasing other risk factors, such as detection risk.
the nature of the business, including the nature of the products and services
the nature and use of data-processing systems and data communications (textbook,
Chapter 11)
client motivation
related parties
non-routine transactions
make-up of the population (e.g., age of inventory, age of accounts receivable, foreign
currency items)
Remember that inherent risk and other forms of risk are assessed not just on an overall basis but
also for each cycle and account to be audited. Risk can also be assessed for each assertion or
audit objective.
When a client engages an auditor, the auditor must obtain an understanding of the client’s
business to assess inherent risk. At the same time, overall audit risk is assessed. Next, control
risk is assessed on the basis of the procedures performed by the auditor to understand the system
of internal controls. If inherent risk and control risk are high enough to make audit risk greater
than the auditor can accept, then steps are taken to reduce detection risk and, indirectly, audit
risk. These steps include the accumulation of more audit evidence.
Audit risk is generally held to be the same for each cycle and account because the audit opinion
is expressed on the financial statements as a whole. Inherent and control risk, however, usually
vary from cycle to cycle or from account to account. For a constant audit risk to be maintained,
the levels of audit evidence and detection risk also vary from cycle to cycle or from account to
account.
Risk assessment is an ongoing process. For example, in the initial stages of an audit, control risk
over inventories may be assessed as low. On conducting limited tests on these inventories, it may
later be determined that controls are very poor. If all other risk components are to remain
unchanged, the amount of audit evidence required must be increased.
There is a relationship between evidence, materiality, and the risk of an error occurring.
If audit evidence remains unchanged and materiality is increased, then audit risk is decreased.
Audit risk is decreased because, given the change in the materiality level, the level of audit
evidence has not been reduced.
If materiality remains unchanged and audit evidence is increased, then audit risk is also
decreased. Audit risk is decreased because additional evidence has been obtained, which reduces
detection risk and, therefore, audit risk.
If audit risk remains unchanged and materiality is decreased, the amount of audit evidence
needed is increased. Given the lower level of materiality, additional audit evidence is needed to
ensure that no material errors occur in the financial statements.
Example
For the company described in the following paragraph, assess audit risk, inherent risk, control
risk, detection risk, and the amount of audit evidence that will have to be obtained. Describe your
assessment using terms such as low, moderate, or high.
ABC Company is a new public company that develops computer parts for export to
developing countries. All accounting functions are performed by one accountant. The
company’s bank loans have a working capital covenant that is close to being violated.
Answer
Audit risk is assessed as low. You would not be very tolerant of errors in the financial
statements, given the public ownership of the company and the bank’s concern with the loan
covenant. Inherent risk is high because of the complexity of the transactions (foreign currency
effects) and the potential inventory valuation problems prevalent in this industry. Control risk is
also assessed as high because no segregation of duties exists. Consequently, to lower detection
risk as much as possible, a large amount of audit evidence must be gathered.
Answer the following questions from your textbook and then compare your answers with the
Suggested Solutions.
7-17 You are the auditor in charge of the audit of the municipality of Sackville, New Brunswick.
The municipality has a budget of about $65 million and has had a balanced budget for the last
three years. There are about 10 people in the accounting office and the rest of the employees are
operational, dealing with supervision of roadwork, garbage collection, and similar matters. Many
services are outsourced, minimizing the need for employees. The municipality has a chief
executive officer and a controller and reports to the council of elected representatives.
For each of the following situations, state a preliminary conclusion for audit risk, inherent risk,
control risk, and detection risk. Justify your conclusions. State any assumptions that are
necessary for you to reach your conclusions.
This is the first year that you have been auditing Sackville. There has been extensive
turnover after the recent election. Costs are out of control, and it looks like it may be
necessary to raise realty taxes by as much as 15 percent.
For four years now, you have been auditing Sackville. The employees are experienced,
and any control recommendations that you have suggested have been discussed and,
where feasible, implemented. There is a tiny budget surplus this year, and it looks as if a
balanced budget is in sight again for next year.
Sackville is being hit by bad press. It seems that one of the purchasing agents set up a
fictitious company and was billing the municipality for goods that had not been received.
To make it worse, the purchasing agent’s wife was the assistant accountant. The office of
the provincial Auditor General has sent a letter to the controller of Sack-ville stating that
the municipality has been selected for audit by the provincial Auditor General’s Office
based on a random sample and that the provincial auditors will be arriving within two
weeks of the completion of your audit
Solution:
Which risks could result in a risk of material misstatement (RMM) at the assertion level.
Whi h audit pro edures to use their ature .
What sa ple size to sele t for a gi e pro edure the e te t of a test .
Which particular items to select from the population.
Whe to perfor the pro edures the ti i g .
For each major class of transactions and material general ledger account, the auditor
looks at the potential for RMM
Need knowledge of the business, industry, and operating procedures.
Once an audit procedure is determined, it is possible to vary the sample size from one to
all the items in the population being tested
The decision as to how many items to test must be made by the auditor for each audit
procedure
After sample size has been decided, the auditor still needs to decide what items they
will use in that sample.
Selecting them randomly, selecting them based on a particular week, or selecting them
based on highest risk for error.
An audit of financial statements usually covers a period such as a year, and an audit is
often not completed until several weeks or months after the end of the fiscal period.
The timing of audit procedures can vary from early in the accounting period to long after
it has ended.
Normal is one to three months after year end.
Audit program—detailed instructions for the entire collection of evidence for an audit
area or an entire audit; always includes audit procedures and may also include sample
sizes, items to select, and timing of the tests.
9. Explain sufficiency
Relevant evidence—the pertinence of the evidence to the audit objective being tested.
Relevance can be considered only in terms of specific audit objectives.
Timeliness—the timing of audit evidence in relation to the period covered by the audit.
Evidence is usually more persuasive for balance sheet accounts when it is obtained as
close to the balance sheet date as possible.
For income statement accounts, evidence is more persuasive if there is a sample from
the entire period under audit rather than from only a part of the period.
The CICA Handbook specifies that audit evidence may be obtained through the methods of inspection,
observation, external confirmation, recalculation, reperformance, and analytical procedures and
inquiry.
One. Inspection
Two. Observation
Four. Recalculation
Five. Reperformance
An example is o pariso of the urre t period’s total repair e pe se ith pre ious ears’ a d
investigation of the difference, if it is significant, to determine the cause of the increase or
decrease.
Seven. Inquiry
Inquiry of the client—the obtaining of written or oral information from the client in response to
questions during the audit.
Inquiry cannot be regarded as conclusive because it is not from an independent source and may
e iased i the lie t’s fa our.
As a illustratio , he the auditor a ts to o tai i for atio a out the lie t’s ethod of
recording and controlling accounting transactions, he or she usually begins by asking the client
how internal controls operate. Later, the auditor performs a walk-through and tests of controls
to determine if the controls function as described.
Note 8: Analysis
The CICA issued CAS 520, Analytical Procedures, to expand on guidance regarding the use of analysis as
an audit procedure. The section emphasizes that analysis can be used at all phases of audit planning, as
a substantive procedure, and in the overall evaluation phase.
Along with knowledge of the client’s usi ess, the auditor a use a al ti al pro edures to
help ake the assess e t of a o pa ’s a ilit to o ti ue as a goi g o er
possibly indicate misstatements that require further investigation (through unusual fluctuations in
accounts)
After identifying the risk associated with audit objectives (1), the auditor needs to select audit
procedures (2), choose sample size (3), decide on items to select (4), and determine the timing of the
actual conduct of the procedures (5).
What does the auditor ea y the phrase suffi ie t appropriate audit evide e ?
The auditor needs to have enough evidence that is relevant to the financial statement accounts to state
an opinion on the financial statements.
The auditor uses criteria such as the independence of the provider, the effectiveness of internal
controls, the qualifications of the provider (including the auditor), and the objectivity of the evidence in
the context of the specific financial statement assertions that are being examined, as well as the overall
risk of the engagement and the materiality of the account or balance.
Describe the times when particular types of evidence collection are mandated.
The auditor needs to evaluate and test internal controls when substantive procedures are not sufficient,
conduct tests of the financial statement closing process, and perform tests of detail when the risk of
material misstatement for an account or transaction stream is high.
Client data can be compared with industry data, prior-period data, client-determined expected results,
auditor-determined expected results, or non-financial data.