Auditing & Attestation (AUD)

Types of Audit Opinions

The type of opinion issued depends on the materiality and pervasiveness of any misstatements (GAAP issues) or scope limitations (GAAS issues).

Examples of Issues

• GAAP Issues: Inappropriate accounting principles, inadequate disclosures, unreasonable accounting estimates
• GAAS Issues: Cannot determine if material, suspected illegal bribes not proven, scope limitations

Professional Standards & Guidelines

Auditor Responsibilities for Subsequent Events

The auditor has an active responsibility to inquire about events occurring between the balance sheet date and the date of the auditor's report.

• Representation Letter from management
• Review post-balance sheet transactions
• Inquiry of legal counsel, management, those charged with governance
• Review minutes of shareholders, directors, other meetings
• Examine most recent interim F/S and compare with audited F/S

Types of Subsequent Events

• Type 1: Conditions existed at balance sheet date → Recognize journal entry AND disclosure
• Type 2: Happened after balance sheet date → Disclosure only

Report Modifications by Section

Note: SDGC = Substantial Doubt about Going Concern, EOM = Emphasis of Matter, OM = Other Matter, KAM = Key Audit Matters (Private), CAM = Critical Audit Matters (Public)

Successor Auditor Requirements

When successor auditor's report is NOT presented on comparative financial statements, the successor must indicate:

• Prior-period F/S was audited by a predecessor auditor (unnamed unless merged/acquired audit firms)
• Type of opinion expressed & reason for modification, if modified
• Nature of any EOM, OM, or explanatory paragraphs
• Date of predecessor audit report

Documentation Requirements

Partner Rotation Requirements (SEC Required)

Subsequent Events: Reissuance vs Revised F/S

Statements Included in Basis for Opinion (Issuer)

• Responsibility of management
• Responsibility of auditors
• Audit is conducted in accordance with PCAOB
• Plan and perform
• Free of material misstatement
• Examining evidence
• Evaluating estimates
• Evaluating overall presentation

To Obtain Reasonable Level of Assurance

1. Plan the work and properly supervise any assistants
2. Determine and apply appropriate materiality levels
3. Identify and assess risks of material misstatement
4. Obtain sufficient appropriate audit evidence

Changes in Auditors & Report Modifications

Before Reissuing Prior-Period Report, Predecessor Should:

• Read the current year financial statements
• Compare the prior-period vs current year financial statements
• Obtain letter of representation from successor auditor
• Obtain letter of representation from management

Change in Opinion? Additional Paragraph Must Include:

• Date of previous audit report
• Previously issued opinion
• Reason for prior opinion
• Changes that have occurred
• Statement that "opinion is different"

If Client Refuses to Make Necessary Adjustments

If the auditor concludes that the financial statements are materially misstated and the client refuses to make the necessary corrections, the auditor should:

• Modify the audit opinion (Qualified or Adverse).
• Consider withdrawing from the engagement ("disassociating").
• After withdrawing, consult with legal counsel to determine any further professional or legal responsibilities to inform regulatory agencies or other third parties.

Communication with Those Charged with Governance

Required Communications

• Planned scope and timing of audit.
• Significant audit findings (estimates, policies, difficulties).
• Material weaknesses and significant deficiencies in ICFR.
• Corrected and uncorrected misstatements.
• Disagreements with management.

Timing

Must be communicated in writing and typically by report release date or within 60 days.

Group Engagements

Must always be satisfied with Component Auditor's reputation & independence. Group Engagement Auditor decides whether to:

Note: If other auditor's opinion is qualified but not material to group, group partner doesn't need to make reference to the qualification.

Dodd-Frank Act & Integrated Audit Requirements

Integrated Audit Exemption: If less than $75 million outstanding common equity held by non-affiliates, then exempt from integrated audit requirement.

This means smaller public companies may not need to have their internal control over financial reporting audited as part of their financial statement audit.

Independence & Ethics

AICPA Independence Impairments

• Direct financial interest in client (always impairs independence).
• Material indirect financial interest in client.
• Close relative with key position at client.
• Serving as trustee/executor with financial interest in client.
• Bookkeeping or management roles performed for client.

PCAOB & SEC Rules

• Lead and concurring partners: 5-year rotation, 5-year cool-off.
• Other partners: 7-year rotation, 2-year cool-off.
• Cannot audit client if unpaid fees > 1 year old.
• Prohibited services: bookkeeping, IT design, valuation, legal/expert services.

Elements of Quality Control

A CPA firm must have a system of quality control to provide reasonable assurance that the firm and its personnel comply with professional standards.

• Leadership Responsibilities
• Ethical Requirements
• Acceptance and Continuance of Client Relationships
• Human Resources
• Engagement Performance
• Monitoring

Engagement Letter Contents

The engagement letter formalizes the arrangement between the auditor and the client. It should include:

• Objective of Audit
• Responsibilities of Auditor
• Responsibilities of Management
• Financial Accounting Framework
• Statement that some material misstatements may not be detected
• Expected form/content of any reports
• Timing of Audit
• Arrangements with prior Auditor
• Management provides written representation letter
• Use of specialists or internal auditors

Five Components of Internal Control

Control Activities & Segregation of Duties

Control Activities in a Strong System

• Segregation of Duties
• Authorization and Approvals
• Documentation
• Prenumbering of Documents
• Independent Checks to maintain asset accountability
• Information Processing Controls
• Timely and appropriate financial performance reviews
• Physical Security

Segregation of Duties

A fundamental concept of internal control is that no single individual should have control over all parts of a transaction. The following functions should be separated:

• Custody of Assets
• Authorization
• Record Keeping

Integrated Audit Communication of Deficiencies

For Issuers (Public Companies):

Financial Statement Assertions

Management makes assertions about financial statement elements. The auditor's job is to use specific procedures to test these assertions. The primary relationships are shown below.

The Audit Risk Model & Fraud Triangle

Audit Risk Model

Audit Risk = Risk of Material Misstatement × Detection Risk

The risk that the auditor will issue the wrong opinion. AR should be low, RMM is assessed by auditor, DR is controlled by auditor.

There is an inverse relationship between RMM and DR. If the auditor assesses RMM as high, they must set DR to a low level to maintain an acceptably low level of overall audit risk.

The Fraud Triangle

Three conditions are generally present when fraud occurs:

• Pressure (Incentive): A reason to commit fraud (e.g., meeting financial targets).
• Opportunity: A lack of effective controls that allows fraud to be perpetrated.
• Rationalization: An attitude or mindset that justifies the fraudulent act.

Materiality in an Audit

Materiality is the magnitude of an omission or misstatement that, individually or in the aggregate, could reasonably be expected to influence the economic decisions of users. The concept is applied throughout the audit.

1. Overall Materiality (Planning Materiality)

The maximum amount by which the auditor believes the financial statements as a whole could be misstated and still not affect the decisions of users. It is typically a percentage of a benchmark, such as:

• 5-10% of Pre-tax Income
• 0.5-2% of Total Assets or Revenues

The auditor uses professional judgment to select the appropriate benchmark and percentage.

2. Performance Materiality

An amount set by the auditor at less than overall materiality for particular classes of transactions, account balances, or disclosures. Its purpose is to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds overall materiality.

• It acts as a "safety buffer" and directly affects the extent of audit testing. A lower performance materiality requires more testing.

3. Trivial Misstatements (Clearly Trivial)

A threshold far below performance materiality. Misstatements below this amount are considered inconsequential and do not need to be accumulated by the auditor. The auditor must document the amount designated as trivial.

Audit Evidence

Hierarchy of Evidence

The reliability of audit evidence varies. The hierarchy from most to least reliable is:

1. Auditor's direct observation
2. External evidence
3. Internal evidence
4. Oral evidence

Procedures to Obtain Evidence

• Inquiry
• Observation
• Walk-through
• Analytical Procedures
• Examination & Inspection
• Vouching
• Tracing
• Footing, Cross-footing, Recalculation
• Reperformance
• Confirmation
• Reconciliation
• Cutoff Review
• Auditing Related Accounts Simultaneously
• Subsequent Events Review
• Representation Letter

Sampling Concepts & Risk

Types of Sampling

• Attribute Sampling: Estimates rate of occurrence of specific characteristic (Tests of Controls)
• Variable Sampling: Estimates dollar value of population (Substantive Testing)

Sampling Risks

• Alpha Risk: Risk of incorrect rejection of good sample results, risk of assessing control risk too high (efficiency - TOC)
• Beta Risk: Risk of incorrect acceptance of bad sample results, risk of assessing control risk too low (effectiveness - TOC)
• Incorrect Acceptance: Accepting a test that is materially misstated (Substantive Testing)
• Incorrect Rejection: Rejecting a test that is not materially misstated (Substantive Testing)

Sampling Rules

1. Assume population is normal/bell-shaped
2. Sample must be unrestricted and randomly selected
3. Sample must be large enough to have same statistical characteristics as population
4. Standard Deviation is a measure of variability which refers to a range in the population

Sampling Calculations

Key Formulas for Variable Sampling

Misstatement Projection Calculations

• Mean-Per-Unit Estimation: Avg Audited Value × Population
• Ratio Estimation: (Audited BV / BV of Sample) × Total BV
• Difference Estimation:
  1. Projected Error = ((BV of Sample - AV of Sample) / # of items audited) × Population
  2. Sample Size = BV of Population - Projected Error

Sample Size Relationships

📈Increases Sample Size: ↑CR, ↓DR, ↑Test of Details, ↑Assurance

📉Decreases Sample Size: ↓CR, ↑DR, ↓Test of Details, ↓Assurance

Year-End vs Interim: Year-end substantive testing is less effective to more effective. Interim substantive testing is more effective to less effective.

Audit Data Analytics (ADAs)

ADAs are the science and art of discovering and analyzing patterns, identifying anomalies, and extracting other useful information in data underlying or related to the subject matter of an audit through analysis, modeling, and visualization for the purpose of planning or performing the audit.

Purpose in the Audit

• Risk Assessment: Identify areas of heightened risk by analyzing entire populations of data to find unusual trends or transactions.
• Test of Controls: Test the effectiveness of controls over a large volume of transactions (e.g., testing all user access logs for appropriate authorization).
• Substantive Procedures: Use as a substantive analytical procedure or a test of details. Can provide more persuasive evidence by testing 100% of a population instead of a sample.

Common ADA Techniques

• Anomaly Detection: Identifying items that do not conform to an expected pattern (e.g., duplicate payments, weekend journal entries, amounts just below an authorization threshold).
• Sequence Check: Verifying the numerical continuity of a series of documents (e.g., checks, invoices) to identify gaps or duplicates.
• Regression Analysis: Evaluating the relationship between variables to develop an expectation for a balance or transaction amount.
• Visualization: Using charts and graphs to identify patterns or outliers that may not be apparent in raw data.

Transaction Cycles: Risks & Procedures

Lapping involves stealing today's cash receipts to cover yesterday's theft. Kiting involves overstating the cash balance by transferring cash between banks and recording the deposit in the current period and the disbursement in the next period.

Communication of Internal Control Matters (Nonissuer)

Deficiencies must be communicated within 60 days of the report release date.

Going Concern Assessment

Factors Indicating Substantial Doubt

The auditor must evaluate whether there is substantial doubt about an entity's ability to continue as a going concern for a reasonable period (usually one year beyond the F/S date).

• Financial Difficulties (e.g., loan defaults, debt restructuring)
• Negative Trends (e.g., recurrent losses, negative cash flows)
• Internal Matters (e.g., work stoppages, loss of key personnel)
• External Matters (e.g., new legislation, loss of a major customer)

If substantial doubt exists, the auditor must determine if management's plans alleviate the doubt. The conclusion must be documented, and if doubt remains, an Emphasis-of-Matter (or Explanatory) paragraph is added to the report.

Summary of Engagements

Prospective Financial Statements & AUP

Prospective Financial Statements

• Financial Forecast: Reflects an entity's expected financial results based on expected conditions. Appropriate for general use.
• Financial Projection: Based on hypothetical, "what-if" assumptions. Use is restricted/limited.

Conditions for Agreed-Upon Procedures

• Independence of the practitioner
• Agreement of the parties
• Client's Responsibility for the subject matter
• Sufficiency of the procedures (client's responsibility)
• Measurability and Consistency
• Use of the report is restricted
• Engagements on prospective F/S must include a summary of significant assumptions

Service Organization Control (SOC) Reports

Reports on the controls at a service organization that are relevant to a user entity's financial reporting.

• SOC 1 Report: Focuses on controls over financial reporting (ICFR).
• SOC 2 Report: Focuses on a broader range of controls related to the Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy).

Report Types

• Type 1: Reports on the design and implementation of controls at a specific point in time.
• Type 2: Reports on the design, implementation, AND operating effectiveness of controls over a period of time.

Governmental Audits (GAGAS)

Audits conducted under Government Auditing Standards require additional reporting beyond a standard GAAS audit.

Required Reports

1. An audit report on the financial statements (GAAS report).
2. A report on internal control over financial reporting and on compliance with laws, regulations, contracts, etc. (no opinion).

Single Audit Act

Required for entities that expend $750,000 or more in federal financial assistance in a year. It expands on GAGAS requirements and includes additional reports on compliance for each major federal program and on internal control over compliance.

Attestation Service Reporting Options

Note: Preparations and compilations are also allowed for prospective financial statements (governed by SSARS)

Detailed Engagement Comparison

Government Audit Reports Summary

GAAS Reports

• Opinion on all financial statements

GAGAS (Yellow Book) Reports

• Compliance report (no opinion)
• Internal control over financial reporting report (no opinion)

Single Audit Reports

• Opinion (or disclaimer) on financial statements and supplementary schedule of expenditures of federal awards
• Report on internal control and compliance with provisions of laws, regulations, contracts, and grant agreements
• Report on compliance and internal control over compliance applicable to each major program (must include opinion or disclaimer on compliance)
• Schedule of findings and questioned costs

Prospective Financial Statements - Detailed Comparison

Required Report Elements

Single Audit Act (2 CFR 200) Requirements

Threshold: Required for entities expending $750,000 or more in federal financial assistance in a year.

Required Reports Based on Federal Programs

1. Compliance: Opinion required
2. Internal control over compliance applicable to each major program: Report required (no opinion)
3. Schedule of findings and questioned costs: Required

Flow of Engagement Procedures

This table illustrates the cumulative procedures required for Preparation, Compilation, and Review engagements, with each subsequent engagement type including the procedures of the one before it.

Note: Preparation is a non-attest service with no assurance. Compilation is an attest service with no assurance. Review is an attest service that provides limited assurance.

Review Service Types Comparison

Detailed Procedures by Engagement Type

Error Detection Capabilities by Engagement

GAAP Disclosure Requirements

Financial Statement Scope Requirements

Attestation Engagements (SSAE)

Types of Engagements

• Examination: High assurance, opinion given (like an audit).
• Review: Limited assurance, conclusion given (like review of F/S).
• Agreed-Upon Procedures: No assurance, only factual findings.

Key Notes

• Restricted use report unless general criteria are used (e.g., GAAP, GHG protocol).
• Must comply with AICPA attestation standards.
• Management’s assertion is usually required in writing.

Knowledge Requirements and Period Coverage

Knowledge Required by Engagement Type

• Preparation/Compilation: Knowledge of accounting principles and industry practices; general understanding of client’s business
• Review: Same as compilation PLUS increased knowledge of client’s business
• Audit: Extensive knowledge of economy, industry, and client’s business

Period Coverage

Basic Summary of All Engagements