Audit Reports & Standards
Professional Standards and Guidelines
| Standard / Guideline | Abbreviation | Standard-Setting Body | Application | Description |
|---|---|---|---|---|
| Statements on Auditing Standards | SAS | AICPA | Private (nonissuer) Audits | Provide GAAS for nonissuers, and guidance for other services. |
| PCAOB Auditing Standards | PCAOB AS | PCAOB | Public (issuer) Audits | Provide GAAS for issuers and guidance for other services. |
| Generally Accepted Government Auditing Standards | GAGAS | Governmental Accountability Office (GAO) | Government Audits | Provide guidance for audits of government organizations. |
| Statements on Standards for Attestation Engagements | SSAE | AICPA | Attestation Engagements | Provide guidance for attestation engagements (Examination, review, agreed-upon procedures). |
| Statements on Standards for Accounting and Review Services | SSARS | AICPA | Private (nonissuer) Unaudited | Provide guidance for unaudited financial statements or unaudited financial info. |
Types of Audit Opinions
The type of opinion issued depends on the materiality and pervasiveness of any misstatements (GAAP issues) or scope limitations (GAAS issues).
| Issue Type | Material but NOT Pervasive | Material AND Pervasive |
|---|---|---|
| GAAP Issue (Financial Statement Problem) | Qualified Opinion | Adverse Opinion |
| GAAS Issue (Scope Limitation) | Qualified Opinion | Disclaimer of Opinion |
| No Issues | Unmodified (Unqualified) Opinion | |
Examples of Issues
- GAAP Issues: Inappropriate accounting principles, inadequate disclosures, unreasonable accounting estimates.
- GAAS Issues: Cannot determine if material, suspected illegal bribes not proven, scope limitations.
Going Concern Assessment
The auditor must evaluate whether there is substantial doubt about an entity's ability to continue as a going concern for a reasonable period (one year after the date that the financial statements are issued or available to be issued).
Factors Indicating Substantial Doubt
| Category | Examples of Adverse Conditions |
|---|---|
| Macro-environmental | Loss of a principal customer, natural disasters, new detrimental legislation. |
| Operational / Internal | Extended work stoppages, heavy dependence on a specific project, loss of key management personnel. |
| Cash Flow / Financial | Defaulting on loans, debt restructuring, denial of standard trade credit from suppliers. |
| Adverse Trends | Consecutive periods of operating losses, working capital deficiencies, negative cash flows from operations. |
graph TD
A["Identify Conditions & Events"] --> B{"Substantial Doubt Exists?"}
B -->|No| C["Standard Report
No modification needed"] B -->|Yes| D["Evaluate Management's Mitigation Plans"] D --> E{"Do plans alleviate doubt?"} E -->|Yes| F["Document conclusion & Disclose in Financial Statements"] E -->|No| G["Add Emphasis-of-Matter or Explanatory Paragraph"] class C unmodified; class F qualified; class G adverse;
No modification needed"] B -->|Yes| D["Evaluate Management's Mitigation Plans"] D --> E{"Do plans alleviate doubt?"} E -->|Yes| F["Document conclusion & Disclose in Financial Statements"] E -->|No| G["Add Emphasis-of-Matter or Explanatory Paragraph"] class C unmodified; class F qualified; class G adverse;
Predecessor & Successor Auditor Responsibilities
| Successor Auditor Requirements (When Predecessor's Report is NOT Presented) |
Predecessor Auditor Procedures (Before Reissuing Prior-Period Report) |
|---|---|
| State prior-period F/S was audited by a predecessor auditor (unnamed) | Read the current year financial statements |
| Indicate the type of opinion expressed & reason for modification | Compare the prior-period vs. current year financial statements |
| Specify the nature of any Emphasis-of-Matter or Other-Matter paragraphs | Obtain a representation letter from the successor auditor |
| State the date of the predecessor audit report | Obtain a representation letter from management |
Reporting a Change in Prior Opinion by Predecessor
If the predecessor changes their opinion on the prior-period F/S, the additional paragraph must explicitly include:
- Date of previous audit report and previously issued opinion.
- Reason for prior opinion and the changes that have occurred.
- Statement that the "opinion is different".
Client Refusal to Adjust
If the auditor concludes F/S are materially misstated and the client refuses necessary corrections: Modify the audit opinion (Qualified or Adverse), consider withdrawing ("disassociating"), and consult legal counsel regarding responsibilities to inform regulatory agencies.
Subsequent Events: Auditor Responsibilities & Reporting
The auditor has an active responsibility to inquire about events occurring between the balance sheet date and the date of the auditor's report.
Auditor Procedures
- Examine the most recent interim F/S and compare them with the audited F/S.
- Inquire of legal counsel, management, and those charged with governance.
- Review minutes of shareholders, directors, and other meetings.
- Review post-balance sheet transactions.
- Obtain a representation letter from management.
Types of Subsequent Events
graph TD
A["Subsequent Event Identified (Between B/S Date & Report Date)"] --> B{"Did the condition exist at the Balance Sheet date?"}
B -->|Yes| C["Type 1 Event"]
B -->|No| D["Type 2 Event"]
C --> E["Recognize Journal Entry & Disclose"]
D --> F["Disclosure Only (No Adjustment)"]
Example: Type 1 Event Adjustment
If a lawsuit originating before the balance sheet date is settled for a different amount before the report release date, the F/S must be adjusted:
Settlement of Litigation (Type 1 Event)
Loss on Litigation$X,XXX
Estimated Liability for Litigation$X,XXX
To adjust liability for post-balance sheet settlement originating from a pre-balance sheet condition.
Reissuance vs. Revised Financial Statements
| Item | SEC Filers | Non-SEC Filers |
|---|---|---|
| Cutoff Date | Issue Date | Available-for-issue Date |
| Disclose Cutoff Date? | No | Yes |
| Reissuance of F/S | Do not recognize events that occurred between the original issue date and the reissue date | |
Report Modifications by Section
Modifications differ slightly depending on whether the entity is private (nonissuer) or public (issuer).
| Section | Unmodified (Private) / Unqualified (Public) | Qualified | Adverse | Disclaimer |
|---|---|---|---|---|
| Title | Included | Included | Included | Included |
| Addressee | Included | Included | Included | Included |
| Opinion | No change | Modified (Δ) | Modified (Δ) | Modified (Δ) |
| Additional Paragraphs | EOM/OM/SDGC only if needed | Add EOM if needed | Add explanatory | Add explanatory |
| Basis for Opinion (Private) | No change | Modified (Δ) | Modified (Δ) | Modified (Δ) |
| Basis for Opinion (Public) | No change | Same (No Change) | Same (No Change) | Modified / Omitted (Δ) |
| KAM/CAM | Include | Include | Include | Exclude |
| Responsibilities of MGMT | No change | No change | No change | No change |
| Responsibilities of Auditor | No change | No change | No change | Modified (Δ) |
| Legal & Regulatory | Included | Included | Included | Included |
| Signature, Address, & Date | Included | Included | Included | Included |
SDGC = Substantial Doubt about Going Concern
EOM = Emphasis of Matter
OM = Other Matter
KAM = Key Audit Matters (Private)
CAM = Critical Audit Matters (Public)
PCAOB Form AP (Issuer Audits)
For audits of public companies (issuers), the auditor is required to file Form AP (Auditor Reporting of Certain Audit Participants) to increase transparency regarding who performed the audit.
| Standard Filing Deadline | Within 35 days after the audit report is filed in a document with the SEC. |
| Registration Statement Deadline | Within 10 days if the audit report is included in a registration statement. |
| Required Disclosures | Name of the engagement partner, and the names, locations, and extent of participation of other accounting firms that participated in the audit. |
Professional Skepticism & Unconscious Biases
Professional skepticism requires a questioning mind and a critical assessment of audit evidence. Auditors must actively mitigate unconscious biases that can impair professional judgment.
| Bias Type | Description & Audit Implication |
|---|---|
| Anchoring Bias | Relying too heavily on an initial piece of information (the "anchor"). Example: An auditor anchoring on management's initial estimate without developing their own independent expectation. |
| Confirmation Bias | Seeking or interpreting evidence in a way that confirms preexisting beliefs or expectations, while unconsciously ignoring contradictory evidence. |
| Overconfidence Bias | Overestimating one's own ability to make accurate assessments of risk or complex accounting judgments. |
| Availability Bias | Giving undue weight to information that is readily available or easily recalled from memory rather than gathering comprehensive data. |
Independence & Ethics
AICPA Independence Impairments
- Direct financial interest in client (always impairs independence).
- Material indirect financial interest in client.
- Close relative with a key position at the client.
- Serving as trustee/executor with a financial interest in the client.
- Bookkeeping or management roles performed for the client.
Regulatory Independence Rules
| Regulatory Body | Key Independence Rules & Prohibitions |
|---|---|
| PCAOB & SEC | Prohibited services include bookkeeping, IT design, valuation, and legal/expert services. Tax services require Audit Committee pre-approval. Lead/Concurring partners rotate every 5 years (5-year cool-off); other partners every 7 years (2-year cool-off). |
| GAO (Yellow Book) | Threats to independence evaluated using a conceptual framework. Structural threats arise if the audit organization is located within the audited entity. Non-audit services must not involve performing management responsibilities. |
| DOL (ERISA) | Independence is impaired if the auditor has any direct financial interest or material indirect financial interest in the plan or the plan sponsor, or if the auditor maintains financial records for the employee benefit plan. |
Documentation Requirements
Audit documentation should be sufficient to enable an experienced auditor with no previous connection to the engagement to understand the nature, timing, extent, and results of the procedures performed.
| Requirement | Private (Nonissuer) | Public (Issuer / PCAOB) |
|---|---|---|
| Keep Working Papers | 5 years | 7 years |
| Complete WPs within ___ from report release date | 60 days | 45 days |
The Basis for Opinion
To issue an unmodified opinion, the auditor must execute a well-planned audit to obtain a reasonable level of assurance, and clearly communicate their methodology in the report.
Key Declarations in the Basis for Opinion (Issuer/PCAOB)
| Responsibility | The financial statements are the responsibility of management; the auditor's responsibility is to express an opinion. |
| Standards | The audit was conducted in accordance with PCAOB standards. |
| Objective | The auditor must plan and perform the audit to ensure the statements are free of material misstatement. |
Communication with Those Charged with Governance
| Communication Matter | Form & Timing Requirement |
|---|---|
| Planned scope and timing of audit | Oral or Written (During the planning phase) |
| Significant audit findings (estimates, policies, difficulties) | Oral or Written (Typically before report issuance) |
| Disagreements with management & uncorrected misstatements | Oral or Written (Before report issuance) |
| Material weaknesses and significant deficiencies in ICFR | In Writing (Within 60 days of the report release date) |
Using the Work of Others
The auditor must determine the extent to which they can rely on the work of others to obtain sufficient appropriate audit evidence.
Component / Referred-to Auditors
graph TD
A["Group Engagement Partner Evaluates Component Auditor"] --> B{"Assume responsibility for Component Auditor's work?"}
B -->|Yes| C["Do NOT make reference in the report"]
B -->|No| D["Make reference to Referred-to Auditor"]
C --> E["Standard Unmodified Opinion"]
D --> F["Modify OPINION and BASIS FOR OPINION sections"]
class E unmodified;
class F qualified;
Internal Auditors & Specialists
| Role | Evaluation Requirements | Allowed Reliance |
|---|---|---|
| Internal Audit Function | Assess Competence, Objectivity, and application of a Systematic/Disciplined Approach. | Can be used for direct assistance or to rely on their work. Cannot be used for areas requiring high professional judgment. |
| Auditor's Specialist | Assess Competence, Capabilities, and Objectivity (CCO). | Used to obtain evidence in complex areas (e.g., valuation). Do NOT refer to the specialist in an unmodified opinion. |
| Management's Specialist | Assess CCO, obtain an understanding of their work, and evaluate the appropriateness of their work as audit evidence. | Treat their work as audit evidence, not as an extension of the audit team. |
Quality & Internal Control
System of Quality Management (SQMS)
A CPA firm must have a system of quality management to provide reasonable assurance that the firm and its personnel comply with professional standards and issue appropriate reports.
| SQMS Component | Description |
|---|---|
| Risk Assessment Process | Identify and assess quality risks within the firm. |
| Governance and Leadership | Establish the "tone at the top" and organizational accountability. |
| Relevant Ethical Requirements | Ensure independence, integrity, and objectivity across engagements. |
| Acceptance and Continuance | Evaluate the integrity of client relationships and engagement risks. |
| Engagement Performance | Maintain standards for supervision, review, and professional consultation. |
| Resources | Provide necessary human, technological, and intellectual resources. |
| Information and Communication | Facilitate reliable internal and external communication pipelines. |
| Monitoring and Remediation | Perform ongoing evaluations and fix identified deficiencies. |
Engagement Letter Contents
The engagement letter formalizes the arrangement between the auditor and the client. It must include:
| Category | Required Elements |
|---|---|
| Core Objectives | Objective of the audit, Financial Accounting Framework. |
| Responsibilities | Responsibilities of the Auditor, Responsibilities of Management. |
| Limitations & Output | Statement that some material misstatements may not be detected, Expected form/content of any reports. |
| Logistics & Support | Timing of the audit, Arrangements with prior auditor, Use of specialists or internal auditors, Management written representation letter. |
Internal Control Framework & Control Activities
Five Components of Internal Control
| Component | Description | Key Points |
|---|---|---|
| Control Environment | Sets the tone of the organization and encompasses entity-level controls. | Integrity, competence, governance participation, assignment of responsibility, organizational structure, management philosophy, and HR policies. |
| Risk Assessment | Management's identification of risks relevant to F/S preparation. | Risks generally related to changes, lying, cheating, stealing. |
| Information & Communication | Methods used to classify and report transactions. | Initiating, authorizing, recording, processing, and reporting transactions. Communicating roles and responsibilities. |
| Monitoring | Procedures to assess the quality of internal control over time. | Internal audit function, management and supervisory activities, ensuring controls are present and functioning, and other procedures such as mailing customer statements. |
| Control Activities | Policies and procedures to ensure management objectives are met. | Authorization, segregation of duties, physical security, asset accountability. Designed to prevent/detect errors. |
Detailed Control Activities
| Control Activity | Description & Application |
|---|---|
| Segregation of Duties | Ensure no single individual controls all phases of a transaction. Specifically, separate: Authorization, Record Keeping, and Custody of Assets. |
| IT General Controls (ITGCs) | Policies and procedures that relate to many applications and support the effective functioning of application controls. Includes controls over Program Change Management, Logical/Physical Access, and IT Operations. |
| IT Segregation of Duties | Duties must be strictly segregated among: Control group, Operators, Programmers, System Analysts, and Librarian. Critical Weakness: Anyone performing or supervising multiple conflicting IT areas. |
| Authorization & Approvals | Ensures transactions are valid and executed by appropriate personnel. |
| Independent Checks & Physical Security | Safeguarding of physical assets, prenumbering of documents, and routine performance reviews to maintain accountability. |
Compliance with Laws and Regulations (NOCLAR)
The auditor's responsibility for detecting noncompliance depends on whether the law or regulation has a direct or indirect effect on the financial statements.
| Type of Effect | Auditor's Responsibility | Examples |
|---|---|---|
| Direct Effect | Must obtain sufficient appropriate evidence regarding material amounts and disclosures. (Same responsibility as for errors/fraud). | Tax laws, pension laws. |
| Indirect Effect | Must perform specified procedures (inquiry of management and inspection of correspondence) to identify noncompliance that may have a material effect. | Environmental regulations, FDA compliance, antitrust laws, OSHA. |
Action Required: If noncompliance is suspected, the auditor must discuss the matter with management at least one level above those involved, and if necessary, those charged with governance.
Communication of Internal Control Deficiencies
1. Financial Statement Audit ONLY
| Deficiency Type | Communicate to Management | Communicate to Governance (TCWG) | Timing |
|---|---|---|---|
| Control Deficiency | Yes (orally or in writing) | No | Within 60 days of the report release date |
| Significant Deficiency | Yes (in writing) | Yes (in writing) | |
| Material Weakness | Yes (in writing) | Yes (in writing) |
2. Integrated Audits
| Entity / Deficiency | Communicate to Management | Communicate to Audit Committee / TCWG | Timing |
|---|---|---|---|
| Nonissuers | |||
| Control Deficiency | Yes (in writing) | No | Within 60 days of report release date |
| SD / MW | Yes (in writing) | Yes (in writing) | By the report release date |
| Issuers | |||
| Control Deficiency | Yes, in writing (inform audit committee this was done) | No | Prior to the issuance of the auditor's report on internal control |
| SD / MW | Yes, in writing (inform audit committee this was done) | Yes (in writing) | |
The Top-Down Approach (ICFR Audits)
When performing an integrated audit of internal control over financial reporting (ICFR), the auditor must use a top-down approach to select which controls to test.
1. Financial Statement Level
Begin by evaluating overall risks that are pervasive to the financial statements as a whole.
2. Entity-Level Controls
Evaluate controls that affect the overall environment (e.g., control environment, management override, centralized processing, risk assessment process).
3. Significant Accounts & Assertions
Direct testing to significant accounts, disclosures, and their relevant assertions where a material weakness is reasonably possible.
Evidence & Sampling
Financial Statement Assertions & Testing
Management makes assertions about financial statement elements. The auditor's job is to use specific procedures to test these assertions.
| Assertion | Common Audit Procedure | Procedure Example |
|---|---|---|
| Existence / Occurrence | Vouching / Physical Inspection | Vouching from the accounting journal back to the original source document, or inspecting physical assets. |
| Completeness | Tracing | Tracing from the original source document forward to the accounting journal. |
| Valuation, Allocation & Accuracy | Recalculation / Analytical | Testing mathematical accuracy, evaluating management's estimates, or running depreciation recalculations. |
| Rights and Obligations | Confirmation / Inspection | Confirming with third parties (e.g., banks) or inspecting deeds/contracts to verify ownership. |
| Cutoff | Cutoff Procedures | Testing transactions occurring immediately before and after year-end to ensure proper period recognition. |
| Classification & Understandability | Review / Inquiry | Reviewing F/S drafts to ensure debt is properly split between short and long-term. |
Directional Testing: Tracing vs. Vouching
A critical concept for gathering audit evidence. The direction of the test determines which financial statement assertion is being validated.
graph LR
A[Source Documents
(e.g., POs, Invoices, Shipping Docs)] -->|Tracing Forward
Tests COMPLETENESS| B[Accounting Records
(e.g., Journals, Ledgers)] B -->|Vouching Backward
Tests EXISTENCE / OCCURRENCE| A
(e.g., POs, Invoices, Shipping Docs)] -->|Tracing Forward
Tests COMPLETENESS| B[Accounting Records
(e.g., Journals, Ledgers)] B -->|Vouching Backward
Tests EXISTENCE / OCCURRENCE| A
| Tracing (Source → Record) | Ensures that all transactions that should have been recorded actually were recorded. Primarily guards against understatement of liabilities and expenses. |
| Vouching (Record → Source) | Ensures that all recorded transactions actually occurred and are valid. Primarily guards against overstatement of assets and revenues. |
The Audit Risk Model & Fraud Triangle
Audit Risk Model
The risk that the auditor will issue an unmodified opinion on materially misstated financial statements.
$$\text{AR} = \text{RMM} \times \text{DR}$$
$$\text{RMM} = \text{IR} \times \text{CR}$$
| Component | Definition | Determined By |
|---|---|---|
| Inherent Risk (IR) | Susceptibility of an assertion to material misstatement assuming no related controls. | Client / Environment |
| Control Risk (CR) | Risk that a material misstatement could occur and not be prevented/detected by internal controls. | Client's Internal Controls |
| Detection Risk (DR) | Risk that the auditor's procedures will fail to detect a material misstatement. | Auditor (Nature, Timing, Extent of procedures) |
Inverse Relationship: If assessed RMM is HIGH, acceptable DR must be LOW (requires more substantive testing).
The Fraud Triangle
graph TD
A["The Fraud Triangle"]
A --- B["Incentive / Pressure (Reason to commit fraud)"]
A --- C["Opportunity (Lack of effective controls)"]
A --- D["Rationalization (Justification of the act)"]
Materiality in an Audit
Materiality is the magnitude of an omission or misstatement that could reasonably influence the economic decisions of users. The concept is applied throughout the audit phases.
1. Overall (Planning) Materiality
The maximum amount by which the F/S as a whole could be misstated without affecting user decisions. Typically a percentage of a benchmark (e.g., 5-10% of Pre-tax Income, or 0.5-2% of Total Assets/Revenues).
2. Performance Materiality
Set at less than overall materiality for specific transactions, balances, or disclosures. Acts as a safety buffer to reduce the probability of aggregate undetected misstatements. A lower performance materiality requires more testing.
3. Trivial Misstatements
A threshold far below performance materiality. Misstatements below this amount are considered inconsequential and do not need to be accumulated by the auditor. The designated trivial amount must be documented.
Evaluation of Identified Misstatements
During the audit, misstatements are accumulated and categorized to determine their impact on the financial statements and the required audit opinion.
| Type | Definition & Characteristics |
|---|---|
| Factual Misstatements | Misstatements about which there is no doubt. The exact amount is known (e.g., a mathematical error or a misapplied pricing formula). |
| Judgmental Misstatements | Differences arising from management's judgments concerning accounting estimates that the auditor considers unreasonable, or the selection of accounting policies that the auditor considers inappropriate. |
| Projected Misstatements | The auditor's best estimate of misstatements in populations, derived from projecting the misstatements identified in an audit sample to the entire population. |
Audit Evidence
Hierarchy of Evidence (Reliability)
1. Auditor's Direct Knowledge
Observation, physical inspection, and independent recalculation.
2. External Evidence
Confirmations and bank statements received directly from third parties.
3. Internal Evidence
Client-prepared invoices, ledgers, and reports (reliability depends entirely on internal controls).
4. Oral Evidence
Inquiries and management representations (least reliable, requires corroboration).
Procedures to Obtain Evidence
| Category | Specific Procedures |
|---|---|
| Testing Balances & Transactions | Vouching, Tracing, Confirmation, Cutoff Review |
| Mathematical Accuracy | Recalculation, Reperformance, Footing, Cross-footing, Reconciliation |
| Understanding & Observation | Observation, Examination & Inspection, Walk-through, and Inquiry (including structured interviews with non-financial management to understand perspectives and motivations). |
| High-Level Analysis | Analytical Procedures, Auditing Related Accounts Simultaneously, Subsequent Events Review |
Audit Sampling & Risk
Sampling Risk Matrix
| Test Type | Risk of Incorrect Acceptance (Beta) Impacts Effectiveness |
Risk of Incorrect Rejection (Alpha) Impacts Efficiency |
|---|---|---|
| Tests of Controls (Attribute) | Assessing Control Risk too LOW | Assessing Control Risk too HIGH |
| Substantive Testing (Variable) | Incorrect Acceptance of Material Misstatement | Incorrect Rejection of Fairly Stated Balance |
Factors Affecting Sample Size
| Factor Increasing | Effect on Sample Size |
|---|---|
| Desired level of Assurance / Confidence Level | Increase |
| Expected Misstatement / Expected Deviation Rate | Increase |
| Tolerable Misstatement / Tolerable Deviation Rate | Decrease |
| Acceptable Risk of Incorrect Acceptance | Decrease |
PPS (Probability-Proportional-to-Size) Calculations
Sampling Interval
$$\frac{\text{Tolerable Misstatement}}{\text{Reliability Factor}}$$
Sample Size
$$\frac{\text{Population Book Value}}{\text{Sampling Interval}}$$
Tainting Percentage
$$\frac{\text{Book Value} - \text{Audited Value}}{\text{Book Value}}$$
Projected Error
$$\text{Sampling Interval} \times \text{Tainting } \%$$
Data Structures & Measurement Scales
A foundational understanding of how data is structured and measured is required before extracting data or performing audit data analytics (ADAs).
Relational Database Components
| Component | Definition & Application |
|---|---|
| Tables (Entities) | Collections of related data organized in rows and columns. |
| Records & Fields | Records (Rows): Individual data entries. Fields (Columns/Attributes): Specific data categories within a record. |
| Primary Key | A unique identifier for each record in a table (e.g., Invoice Number or Employee ID). |
| Foreign Key | A field in one table that links to the primary key of another table, establishing a relational connection. |
Data Measurement Scales
| Scale Type | Characteristics & Examples |
|---|---|
| Nominal | Categorical data with no inherent order (e.g., zip codes, gender, department names). Cannot perform mathematical operations. |
| Ordinal | Categorical data with a meaningful order or ranking, but intervals between ranks are not equal (e.g., risk ratings: High, Medium, Low). |
| Interval | Numerical data with equal intervals but no true zero point (e.g., temperature, calendar dates). |
| Ratio | Numerical data with equal intervals and a true zero point, allowing for all mathematical operations (e.g., account balances, physical inventory counts, salaries). |
| Continuous | Data that can take any value within a range, including decimals or fractions (e.g., exact transaction timestamps, exact weight of a commodity). |
| Discrete | Data that can only take distinct, whole-number values (e.g., number of outstanding checks, number of employees). |
Data, Technology & Audit Data Analytics (ADAs)
ADAs are the science and art of discovering and analyzing patterns, identifying anomalies, and extracting useful information in data underlying the subject matter of an audit.
Data Extraction & Transformation
Before performing analytics, the auditor must ensure data reliability:
- Extraction: Requesting specific attribute structures, formats, and sources.
- Transformation: Cleaning and scrubbing unstructured data to make it useful.
- Reliability Verification: Assessing completeness, accuracy, and authenticity of data obtained from internal/external sources (including third-party artificial intelligence tools).
Common ADA Techniques
| Technique | Application |
|---|---|
| Anomaly Detection | Identifying items that do not conform to an expected pattern (e.g., duplicate payments, weekend journal entries, amounts just below an authorization threshold). |
| Sequence Check | Verifying the numerical continuity of a series of documents (e.g., checks, invoices) to identify gaps or duplicates. |
| Regression Analysis | Evaluating the relationship between variables to develop a data-driven expectation for a balance or transaction amount. |
Purpose in the Audit Phases
- Risk Assessment: Analyze entire populations to find unusual trends, replacing sample-based assumptions.
- Test of Controls: Test the effectiveness of controls over massive transaction volumes (e.g., testing 100% of user access logs).
- Substantive Procedures: Provide more persuasive evidence by testing entire populations instead of representative samples.
Written Representations (Management Rep Letter)
Obtained at the conclusion of the audit and dated the same date as the auditor's report. It is a mandatory piece of audit evidence. Refusal by management to provide this letter results in a disclaimer of opinion or withdrawal from the engagement.
| Category | Key Representations Required |
|---|---|
| Financial Statements | Management acknowledges their responsibility for the fair presentation of the F/S and the design, implementation, and maintenance of internal controls. |
| Completeness of Information | All financial records, data, and minutes of meetings have been made available to the auditor. All transactions have been recorded. |
| Fraud & Noncompliance | Disclosure of known or suspected fraud involving management or employees with significant internal control roles. Disclosure of all known instances of NOCLAR. |
| Specific Assertions | Confirmation of uncorrected misstatements (a summary must be attached), related party transactions, the reasonableness of accounting estimates, and subsequent events. |
Cycles & Key Topics
Transaction Cycles: Risks & Procedures
| Cycle | Primary Risk | Key Assertions | Primary Procedure | Notes |
|---|---|---|---|---|
| Revenue | Overstatement | Existence/Occurrence, Cutoff | Vouching | Fictitious sales, hold sales journal open, ship goods not ordered |
| Expenditure | Understatement | Completeness, Valuation/Allocation/Accuracy | Tracing | Match: Receiving Report, Vendor Invoice, Purchase Order |
| Cash | Overstatement | Cutoff | Bank Reconciliation | Kiting: Cash in two places at once Lapping: Today's CR covers yesterday's theft |
| Inventory | Various | Completeness, Existence, Accuracy, R/O | Observation | Physical count observation |
| Investment | Valuation | Completeness, Existence, Valuation/Alloc., R/O | Various | Complex because measured at FV |
Lapping involves stealing today's cash receipts to cover yesterday's theft. Kiting involves overstating the cash balance by transferring cash between banks and recording the deposit in the current period and the disbursement in the next period.
Economics & Business Cycles
Understanding internal and external economic factors is critical for assessing the inherent risk of material misstatement.
Supply, Demand, & Elasticity
| Economic Concept | Definition & Audit Implications |
|---|---|
| Price Elasticity of Demand | Measures how quantity demanded responds to price changes. Elastic: Demand highly responsive to price (luxury goods). Inelastic: Demand unresponsive (essential goods). Implication: Affects revenue projections and inventory obsolescence risks. |
| Profit Maximization | Occurs where Marginal Cost (MC) equals Marginal Revenue (MR). Implication: Understanding cost structures helps auditors evaluate management's strategy and the reasonableness of accounting estimates. |
Business Cycles & Indicators
| Cycle Phase | Characteristics | Audit Implications (Risks) |
|---|---|---|
| Expansion / Peak | Increasing economic activity, rising demand, higher inflation. | Potential overstatement of assets; capacity constraints; aggressive revenue recognition. |
| Recession / Trough | Decreasing economic activity, falling demand, higher unemployment. | Going concern risks; inventory obsolescence; asset valuation impairments; increased pressure to commit fraud. |
- Leading: Predict future economic activity (e.g., bond yields, building permits, stock market indices).
- Coincident: Move concurrently with the economy (e.g., GDP, industrial production, retail sales).
- Lagging: Confirm past economic trends (e.g., unemployment rate, consumer price index).
Other Engagements (SSARS, SSAE, GAGAS)
SSARS vs. SAS Master Comparison
A definitive comparison of non-audit services for nonissuers (SSARS) versus standard audits (SAS).
| Engagement Requirement | Preparation (SSARS) |
Compilation (SSARS) |
Review (SSARS/SAS) |
Audit (SAS/PCAOB) |
|---|---|---|---|---|
| Level of Assurance | None | None | Limited (Negative) | Reasonable (Positive) |
| Independence Required? | No | No (Must disclose if not) |
Yes | Yes |
| Engagement Letter | Yes | Yes | Yes | Yes |
| Management Rep Letter | No | No | Yes | Yes |
| Primary Procedures | Assist in preparing F/S | Read F/S for obvious errors | Inquiry & Analytical Procedures | Risk Assessment, Tests of Controls, Substantive Testing |
| Understand Internal Controls? | No | No | No | Yes |
| GAAP Departures / Disclosures | May omit disclosures. Must disclose departures on F/S. | May omit disclosures. Modify report for departures. | All disclosures required. Modify report for departures. | All disclosures required. Modify opinion (Qualified/Adverse). |
| Report Output | No Report ("No assurance provided" on each page) |
Compilation Report | Review Report | Auditor's Report |
Attestation Engagements (SSAE)
Engagements where a practitioner is engaged to issue a report on subject matter, or an assertion about subject matter, that is the responsibility of another party.
| Engagement Type | Assurance Level | Output/Result | Restriction |
|---|---|---|---|
| Examination | Reasonable (Positive) | Opinion | General use (usually) |
| Review | Limited (Negative) | Conclusion | General use (usually) |
| Agreed-Upon Procedures (AUP) | None | List of Findings | Restricted Use |
Prospective Financial Statements
- Financial Forecast: Based on expected conditions. Available for General Use. (Can be Examined, Compiled, or AUP. Cannot be Reviewed).
- Financial Projection: Based on hypothetical "what-if" assumptions. Restricted Use Only.
Service Organization Control (SOC) Reports
Reports issued by a service auditor regarding the controls at a service organization (e.g., payroll processor, cloud host) used by user entities.
| Report | Focus Area | Primary Audience |
|---|---|---|
| SOC 1 | Internal Controls over Financial Reporting (ICFR). | User entity auditors evaluating financial statement risks. |
| SOC 2 | Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). | Stakeholders needing assurance over IT/data controls. |
Report Types & Auditor Reliance
- Type 1 Report: Reports on the design and implementation of controls at a specific point in time. Does not allow the user auditor to reduce assessed control risk.
- Type 2 Report: Reports on the design, implementation, and operating effectiveness of controls over a specified period. Allows the user auditor to reduce assessed control risk.
Governmental and Single Audits
Governmental audits stack reporting requirements based on the funding and regulations involved.
| Audit Standard | Requirements & Outputs |
|---|---|
| GAAS (Base) | Standard auditor's opinion on the financial statements. |
| GAGAS (Yellow Book) | Includes GAAS requirements PLUS a written report on internal control over financial reporting and on compliance with laws/regulations. (Does not require an opinion on internal controls). |
| Single Audit (2 CFR 200) | Required if expending ≥ $1,000,000 in federal awards. Includes GAGAS requirements PLUS:
|
ERISA Employee Benefit Plan Audits
Audits of employee benefit plans subject to the Employee Retirement Income Security Act of 1974 (ERISA) have specialized reporting and risk assessment requirements heavily emphasized in the blueprints.
| Key Area | Audit Considerations & Procedures |
|---|---|
| Risk Assessment | Evaluate risks related to plan investments, participant data, and employer/employee contributions. Assess controls at third-party administrators (relying heavily on SOC 1 reports). |
| Key Procedures | Test participant eligibility, benefit payments, allocation of investment income, and strict compliance with the plan document. |
| ERISA Section 103(a)(3)(C) Audits | When management elects this audit (formerly known as a "limited-scope audit"), the auditor does not audit investment information certified by a qualified institution (e.g., bank or trust company). The audit opinion must explicitly state this limitation, but it is not considered a scope limitation that requires a disclaimer. |