Auditing & Attestation (AUD) Cheat Sheet


Our Auditing and Attestation (AUD) CPA Exam cheat sheet is optimized to simplify the complexities of assurance services and attestation standards for test day success. This guide focuses on exactly what you need to pass, delivering clear explanations of heavily-tested topics in audit procedures, risk assessment, and professional ethics. Key concepts, like forming an audit opinion, and critical frameworks such as the COSO framework are broken down, providing the essential knowledge you need to pass the AUD exam with confidence.


Audit Reports & Standards

Professional Standards and Guidelines

| Standard / Guideline | Abbreviation | Standard-Setting Body | Application | Description |
|---|---|---|---|---|
| Statements on Auditing Standards | SAS | AICPA | Private (nonissuer) Audits | Provide GAAS for nonissuers, and guidance for other services. |
| PCAOB Auditing Standards | PCAOB AS | PCAOB | Public (issuer) Audits | Provide GAAS for issuers and guidance for other services. |
| Generally Accepted Government Auditing Standards | GAGAS | Government Accountability Office (GAO) | Government Audits | Provide guidance for audits of government organizations. |
| Statements on Standards for Attestation Engagements | SSAE | AICPA | Attestation Engagements | Provide guidance for attestation engagements (examination, review, agreed-upon procedures). |
| Statements on Standards for Accounting and Review Services | SSARS | AICPA | Private (nonissuer) Unaudited | Provide guidance for unaudited financial statements or unaudited financial info. |

Types of Audit Opinions

The type of opinion issued depends on the materiality and pervasiveness of any misstatements (GAAP issues) or scope limitations (GAAS issues).

| Issue Type | Material but NOT Pervasive | Material AND Pervasive |
|---|---|---|
| GAAP Issue (Financial Statement Problem) | Qualified Opinion | Adverse Opinion |
| GAAS Issue (Scope Limitation) | Qualified Opinion | Disclaimer of Opinion |

No Issues: Unmodified (Unqualified) Opinion

Examples of Issues

  • GAAP Issues: Inappropriate accounting principles, inadequate disclosures, unreasonable accounting estimates
  • GAAS Issues: Cannot determine if material, suspected illegal bribes not proven, scope limitations

Going Concern Assessment

The auditor must evaluate whether there is substantial doubt about an entity's ability to continue as a going concern for a reasonable period (one year after the date that the financial statements are issued or available to be issued).

Factors Indicating Substantial Doubt

Auditors look for specific conditions that may threaten the entity's operational viability:

  • Macro-environmental and External Threats: External matters such as the loss of a principal customer, natural disasters, or new detrimental legislation.
  • Operational and Internal Issues: Internal matters such as extended work stoppages, heavy dependence on a specific project, or the loss of key management personnel.
  • Cash Flow and Financial Distress: Financial difficulties such as defaulting on loans, debt restructuring, or denial of standard trade credit from suppliers.
  • Adverse Financial Trends: Negative trends such as consecutive periods of operating losses, working capital deficiencies, or negative cash flows from operations.

```mermaid
graph TD
    A["Identify Conditions & Events"] --> B{"Substantial Doubt Exists?"}
    B -->|No| C["Standard Report<br/>No modification needed"]
    B -->|Yes| D["Evaluate Management's Mitigation Plans"]
    D --> E{"Do plans alleviate doubt?"}
    E -->|Yes| F["Document conclusion & Disclose in Financial Statements"]
    E -->|No| G["Add Emphasis-of-Matter or Explanatory Paragraph"]
```

Subsequent Events: Auditor Responsibilities & Reporting

The auditor has an active responsibility to inquire about events occurring between the balance sheet date and the date of the auditor's report.

Auditor Procedures

To identify relevant subsequent events, the auditor should perform the following:

  • Examine the most recent interim F/S and compare them with the audited F/S.
  • Inquire of legal counsel, management, and those charged with governance.
  • Review minutes of shareholders, directors, and other meetings.
  • Review post-balance sheet transactions.
  • Obtain a representation letter from management.

Types of Subsequent Events

```mermaid
graph TD
    A["Subsequent Event Identified (Between B/S Date & Report Date)"] --> B{"Did the condition exist at the Balance Sheet date?"}
    B -->|Yes| C["Type 1 Event"]
    B -->|No| D["Type 2 Event"]
    C --> E["Recognize Journal Entry & Disclose"]
    D --> F["Disclosure Only (No Adjustment)"]
```

Reissuance vs. Revised Financial Statements

| Item | SEC Filers | Non-SEC Filers |
|---|---|---|
| Cutoff Date | Issue Date | Available-for-issue Date |
| Disclose Cutoff Date? | No | Yes |
| Reissuance of F/S | Do not recognize events that occurred between the original issue date and the reissue date | Do not recognize events that occurred between the original issue date and the reissue date |
| Revised F/S Disclosure | No requirement | Yes, required to disclose the date through which subsequent events have been evaluated in original and revised F/S |

Report Modifications by Section

Modifications differ slightly depending on whether the entity is private (nonissuer) or public (issuer).

| Section | Unmodified (Private) / Unqualified (Public) | Qualified | Adverse | Disclaimer |
|---|---|---|---|---|
| Title | Included | Included | Included | Included |
| Addressee | Included | Included | Included | Included |
| Opinion | No change | Modified (Δ) | Modified (Δ) | Modified (Δ) |
| Additional Paragraphs | EOM/OM/SDGC only if needed | Add EOM if needed | Add explanatory | Add explanatory |
| Basis for Opinion (Private/Nonissuer) | No change | Modified (Δ) | Modified (Δ) | Modified (Δ) |
| Basis for Opinion (Public/Issuer) | No change | Same (No Change) | Same (No Change) | Modified / Omitted (Δ) |
| KAM/CAM | Include | Include | Include | Exclude |
| Responsibilities of MGMT | No change | No change | No change | No change |
| Responsibilities of Auditor | No change | No change | No change | Modified (Δ) |
| Legal and Regulatory Requirements | Included | Included | Included | Included |
| Signature, Address, & Date | Included | Included | Included | Included |

Note: SDGC = Substantial Doubt about Going Concern, EOM = Emphasis of Matter, OM = Other Matter, KAM = Key Audit Matters (Private), CAM = Critical Audit Matters (Public).

Predecessor & Successor Auditor Responsibilities

Successor Auditor Requirements (When Predecessor's Report is NOT Presented)

When presenting comparative financial statements, the successor must indicate:

  • The prior-period F/S was audited by a predecessor auditor (unnamed unless merged/acquired audit firms).
  • The type of opinion expressed & reason for modification, if modified.
  • The nature of any Emphasis-of-Matter, Other-Matter, or explanatory paragraphs.
  • The date of the predecessor audit report.

Predecessor Auditor Procedures (Before Reissuing Prior-Period Report)

  • Read the current year financial statements.
  • Compare the prior-period vs. current year financial statements.
  • Obtain a letter of representation from the successor auditor.
  • Obtain a letter of representation from management.

Reporting a Change in Prior Opinion by Predecessor

If the predecessor changes their opinion on the prior-period F/S, the additional paragraph must include:

  • Date of previous audit report.
  • Previously issued opinion.
  • Reason for prior opinion.
  • Changes that have occurred.
  • Statement that "opinion is different".

Client Refusal to Adjust

If the auditor concludes F/S are materially misstated and the client refuses necessary corrections:

  • Modify the audit opinion (Qualified or Adverse).
  • Consider withdrawing from the engagement ("disassociating").
  • After withdrawing, consult legal counsel to determine any further professional or legal responsibilities to inform regulatory agencies or third parties.

Documentation Requirements

| Requirement | Private (Nonissuer) | Public (Issuer) |
|---|---|---|
| Keep Working Papers | 5 years | 7 years |
| Complete WPs within ___ from report release date | 60 days | 45 days |

Partner Rotation Requirements (SEC Required)

| Partner Type | Rotate Period | Cool-off Period |
|---|---|---|
| Lead and Concurring | 5 years | 5 years |
| Other | 7 years | 2 years |

Audit Fundamentals & The Basis for Opinion

To issue an unmodified opinion, the auditor must execute a well-planned audit to obtain a reasonable level of assurance, and clearly communicate their methodology in the report.

Achieving Reasonable Assurance

The core requirements during fieldwork include:

  1. Plan the work and properly supervise any assistants.
  2. Determine and apply appropriate materiality levels.
  3. Identify and assess risks of material misstatement.
  4. Obtain sufficient appropriate audit evidence.

Key Declarations in the Basis for Opinion (Issuer/PCAOB)

The auditor's report must explicitly state the following to define the scope and limits of the audit:

  • The financial statements are the responsibility of management, while the auditor's responsibility is to express an opinion on them.
  • The audit is conducted in accordance with PCAOB standards.
  • The auditor must plan and perform the audit to ensure the statements are free of material misstatement.
  • The procedures include examining evidence, evaluating estimates, and evaluating overall presentation.

Communication with Those Charged with Governance

Required Communications

  • Planned scope and timing of audit.
  • Significant audit findings (estimates, policies, difficulties).
  • Material weaknesses and significant deficiencies in ICFR.
  • Corrected and uncorrected misstatements.
  • Disagreements with management.

Timing

Must be communicated in writing and typically by report release date or within 60 days.

Group Engagements

Must always be satisfied with Component Auditor's reputation & independence. Group Engagement Auditor decides whether to:

```mermaid
graph TD
    A["Group Engagement Partner Evaluates Component Auditor"] --> B{"Assume responsibility for Component Auditor's work?"}
    B -->|Yes| C["Do NOT make reference to Component Auditor"]
    B -->|No| D["Make reference to Component Auditor"]
    C --> E["Determine work to be done & Review CA's working papers"]
    D --> F["State magnitude of portion audited.<br/>CA report must not be restricted."]
    E --> G["Standard Unmodified Opinion (No changes to report)"]
    F --> H["Modify OPINION section only"]
```

Note: If other auditor's opinion is qualified but not material to group, group partner doesn't need to make reference to the qualification.

Dodd-Frank Act & Integrated Audit Requirements

Integrated Audit Exemption: If less than $75 million outstanding common equity held by non-affiliates, then exempt from integrated audit requirement.

This means smaller public companies may not need to have their internal control over financial reporting audited as part of their financial statement audit.

Quality & Internal Control

Independence & Ethics

AICPA Independence Impairments

  • Direct financial interest in client (always impairs independence).
  • Material indirect financial interest in client.
  • Close relative with key position at client.
  • Serving as trustee/executor with financial interest in client.
  • Bookkeeping or management roles performed for client.

PCAOB & SEC Rules

  • Lead and concurring partners: 5-year rotation, 5-year cool-off.
  • Other partners: 7-year rotation, 2-year cool-off.
  • Cannot audit client if unpaid fees > 1 year old.
  • Prohibited services: bookkeeping, IT design, valuation, legal/expert services.

System of Quality Management (SQMS)

A CPA firm must have a system of quality management to provide reasonable assurance that the firm and its personnel comply with professional standards and issue appropriate reports.

8 Components of SQMS

  • Risk Assessment Process: Identify and assess quality risks.
  • Governance and Leadership: "Tone at the top" and accountability.
  • Relevant Ethical Requirements: Independence and integrity.
  • Acceptance and Continuance: Client relationships and engagements.
  • Engagement Performance: Supervision, review, and consultation.
  • Resources: Human, technological, and intellectual resources.
  • Information and Communication: Internal and external.
  • Monitoring and Remediation Process: Ongoing evaluation and fixing deficiencies.

Note: Replaces the previous 6 elements of Quality Control (SQCS).

Engagement Letter Contents

The engagement letter formalizes the arrangement between the auditor and the client. It should include:

  • Objective of Audit
  • Responsibilities of Auditor
  • Responsibilities of Management
  • Financial Accounting Framework
  • Statement that some material misstatements may not be detected
  • Expected form/content of any reports
  • Timing of Audit
  • Arrangements with prior Auditor
  • Management provides written representation letter
  • Use of specialists or internal auditors

Internal Control Framework & Control Activities

Five Components of Internal Control

| Component | Description | Key Points |
|---|---|---|
| Control Environment | Sets the tone of the organization and encompasses entity-level controls. | Integrity, competence, governance participation, assignment of responsibility, organizational structure, management philosophy, and HR policies. |
| Risk Assessment | Management's identification of risks relevant to F/S preparation. | Risks generally related to changes, lying, cheating, stealing. |
| Information & Communication | Methods used to classify and report transactions. | Initiating, authorizing, recording, processing, and reporting transactions. Communicating roles and responsibilities. |
| Monitoring | Procedures to assess the quality of internal control over time. | Internal audit function, management and supervisory activities, ensuring controls are present and functioning, and other procedures such as mailing customer statements. |
| Control Activities | Policies and procedures to ensure management objectives are met. | Authorization, segregation of duties, physical security, asset accountability. Designed to prevent/detect errors. |

Detailed Control Activities

  • Segregation of Duties: A fundamental concept that no single individual should have control over all parts of a transaction. Specifically, separate: Authorization, Record Keeping, and Custody of Assets.

    IT Segregation of Duties: In an IT system, duties must be strictly segregated among the following roles:
    • Control group/team
    • Operators
    • Programmers
    • Analyst (system)
    • Librarian
    Identify the Weakness: A critical control weakness exists if anyone is doing or supervising another area.
  • Authorization and Approvals: Ensures transactions are valid.
  • Independent Checks: Maintains asset accountability.
  • Information Processing Controls: Secures and manages data flow.
  • Documentation: Proper prenumbering and tracking of documents.
  • Physical Security: Safeguarding of assets.
  • Performance Reviews: Timely financial performance checks.

Communication of Internal Control Deficiencies

1. Financial Statement Audit ONLY

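| Deficiency Type | Communicate to Management | Communicate to Governance (TCWG) | Timing |
|---|---|---|---|
| Control Deficiency | Yes (orally or in writing) | No | Within 60 days of the report release date |
| Significant Deficiency | Yes (in writing) | Yes (in writing) | Within 60 days of the report release date |
| Material Weakness | Yes (in writing) | Yes (in writing) | Within 60 days of the report release date |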

2. Integrated Audits

| Entity / Deficiency | Communicate to Management | Communicate to Audit Committee / TCWG | Timing |
|---|---|---|---|
| Nonissuers: Control Deficiency | Yes (in writing) | No | Within 60 days of report release date |
| Nonissuers: SD / MW | Yes (in writing) | Yes (in writing) | By the report release date |
| Issuers: Control Deficiency | Yes, in writing (inform audit committee this was done) | No | Prior to the issuance of the auditor's report on internal control |
| Issuers: SD / MW | Yes, in writing (inform audit committee this was done) | Yes (in writing) | Prior to the issuance of the auditor's report on internal control |

Evidence & Sampling

Financial Statement Assertions

Management makes assertions about financial statement elements. The core assertions include:

  • Completeness
  • Cutoff
  • Valuation, allocation, and accuracy
  • Existence and occurrence
  • Rights and obligations
  • Understandability of Presentation and classification

Testing Assertions

The auditor's job is to use specific procedures to test these assertions. The primary relationships are shown below.

| Audit Procedure | Primary Assertion(s) Tested |
|---|---|
| Vouching (e.g., from journal back to source doc) | Existence / Occurrence |
| Tracing (e.g., from source doc forward to journal) | Completeness |
| Confirmation (with third parties) | Existence, Rights & Obligations, Valuation |
| Recalculation | Valuation / Accuracy |
| Physical Inspection of Assets | Existence |
| Analytical Procedures (studying relationships) | Can provide evidence for Completeness, Valuation, and Existence |
| Cutoff Procedures (testing year-end transactions) | Cutoff, Completeness, Existence |
| Inquiry | Provides supporting evidence for all assertions, but is not sufficient on its own. |

The Audit Risk Model & Fraud Triangle

Audit Risk Model

$$ \text{AR} = \text{RMM} \times \text{DR} $$

Audit Risk = Risk of Material Misstatement × Detection Risk

The risk that the auditor will issue the wrong opinion. AR should be low, RMM is assessed by auditor, DR is controlled by auditor.

There is an inverse relationship between RMM and DR. If the auditor assesses RMM as high, they must set DR to a low level to maintain an acceptably low level of overall audit risk.

The Fraud Triangle

Three conditions are generally present when fraud occurs:

  • Pressure (Incentive): A reason to commit fraud (e.g., meeting financial targets).
  • Opportunity: A lack of effective controls that allows fraud to be perpetrated.
  • Rationalization: An attitude or mindset that justifies the fraudulent act.

Materiality in an Audit

Materiality is the magnitude of an omission or misstatement that, individually or in the aggregate, could reasonably be expected to influence the economic decisions of users. The concept is applied throughout the audit.

1. Overall Materiality (Planning Materiality)

The maximum amount by which the auditor believes the financial statements as a whole could be misstated and still not affect the decisions of users. It is typically a percentage of a benchmark, such as:

  • 5-10% of Pre-tax Income
  • 0.5-2% of Total Assets or Revenues

The auditor uses professional judgment to select the appropriate benchmark and percentage.

2. Performance Materiality

An amount set by the auditor at less than overall materiality for particular classes of transactions, account balances, or disclosures. Its purpose is to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds overall materiality.

  • It acts as a "safety buffer" and directly affects the extent of audit testing. A lower performance materiality requires more testing.

3. Trivial Misstatements (Clearly Trivial)

A threshold far below performance materiality. Misstatements below this amount are considered inconsequential and do not need to be accumulated by the auditor. The auditor must document the amount designated as trivial.

Audit Evidence

Hierarchy of Evidence

The reliability of audit evidence varies. The hierarchy from most to least reliable is:

  1. Auditor's direct observation
  2. External evidence
  3. Internal evidence
  4. Oral evidence

Procedures to Obtain Evidence

Auditors utilize various procedures depending on the assertion being tested:

  • Testing Balances & Transactions: Vouching, Tracing, Confirmation, and Cutoff Review.
  • Mathematical Accuracy: Recalculation, Reperformance, Footing, Cross-footing, and Reconciliation.
  • Understanding & Observation: Inquiry, Observation, Examination & Inspection, and Walk-through.
  • High-Level Analysis: Analytical Procedures, Auditing Related Accounts Simultaneously, and Subsequent Events Review.
  • Documentation: Representation Letter.

Sampling Concepts & Risk

Types of Sampling

  • Attribute Sampling: Estimates rate of occurrence of specific characteristic (Tests of Controls)
  • Variable Sampling: Estimates dollar value of population (Substantive Testing)

Sampling Risks

  • Alpha Risk: Risk of incorrect rejection of good sample results, risk of assessing control risk too high (efficiency - TOC)
  • Beta Risk: Risk of incorrect acceptance of bad sample results, risk of assessing control risk too low (effectiveness - TOC)
  • Incorrect Acceptance: Accepting a test that is materially misstated (Substantive Testing)
  • Incorrect Rejection: Rejecting a test that is not materially misstated (Substantive Testing)

Sampling Rules

  1. Assume population is normal/bell-shaped
  2. Sample must be unrestricted and randomly selected
  3. Sample must be large enough to have same statistical characteristics as population
  4. Standard Deviation is a measure of variability which refers to a range in the population

Sampling Calculations

Key Formulas for Variable Sampling

$$ \text{Sampling Interval} = \frac{\text{Tolerable Misstatement}}{\text{Reliability Factor}} $$
$$ \text{Sample Size} = \frac{\text{BV of Population}}{\text{Sampling Interval}} $$
$$ \text{Tainting} = \frac{\text{BV of Sample} - \text{AV of Sample}}{\text{BV}} $$
$$ \text{Projected Error} = \text{Sampling Interval} \times \text{Tainting} $$

Misstatement Projection Calculations

  • Mean-Per-Unit Estimation:
    $$ \text{Avg Audited Value} \times \text{Population} $$
  • Ratio Estimation:
    $$ \left( \frac{\text{Audited BV}}{\text{BV of Sample}} \right) \times \text{Total BV} $$
  • Difference Estimation:
    $$\text{Projected Error} = \left( \frac{\text{BV of Sample} - \text{AV of Sample}}{\text{Number of items audited}} \right) \times \text{Population}$$
    $$ \text{Point Estimate} = \text{BV of Population} \; - \; \text{Projected Error} $$

Sample Size Relationships

Increases Sample Size: ↑CR, ↓DR, ↑Test of Details, ↑Assurance

Decreases Sample Size: ↓CR, ↑DR, ↓Test of Details, ↓Assurance

Year-End vs Interim: Year-end substantive testing is less effective to more effective. Interim substantive testing is more effective to less effective.

Audit Data Analytics (ADAs)

ADAs are the science and art of discovering and analyzing patterns, identifying anomalies, and extracting other useful information in data underlying or related to the subject matter of an audit through analysis, modeling, and visualization for the purpose of planning or performing the audit.

Purpose in the Audit

  • Risk Assessment: Identify areas of heightened risk by analyzing entire populations of data to find unusual trends or transactions.
  • Test of Controls: Test the effectiveness of controls over a large volume of transactions (e.g., testing all user access logs for appropriate authorization).
  • Substantive Procedures: Use as a substantive analytical procedure or a test of details. Can provide more persuasive evidence by testing 100% of a population instead of a sample.

Common ADA Techniques

  • Anomaly Detection: Identifying items that do not conform to an expected pattern (e.g., duplicate payments, weekend journal entries, amounts just below an authorization threshold).
  • Sequence Check: Verifying the numerical continuity of a series of documents (e.g., checks, invoices) to identify gaps or duplicates.
  • Regression Analysis: Evaluating the relationship between variables to develop an expectation for a balance or transaction amount.
  • Visualization: Using charts and graphs to identify patterns or outliers that may not be apparent in raw data.

Cycles & Key Topics

Transaction Cycles: Risks & Procedures

| Cycle | Primary Risk | Key Assertions | Primary Procedure | Notes |
|---|---|---|---|---|
| Revenue | Overstatement | Existence/Occurrence, Cutoff | Vouching | Fictitious sales, hold sales journal open, ship goods not ordered |
| Expenditure | Understatement | Completeness, Valuation/Allocation/Accuracy | Tracing | Match: Receiving Report, Vendor Invoice, Purchase Order |
| Cash | Overstatement | Cutoff | Bank Reconciliation | Kiting: Cash in two places at once; Lapping: Today's CR covers yesterday's theft |
| Inventory | Various | Completeness, Existence, Accuracy, R/O | Observation | Physical count observation |
| Investment | Valuation | Completeness, Existence, Valuation/Alloc., R/O | Various | Complex because measured at FV |

Lapping involves stealing today's cash receipts to cover yesterday's theft. Kiting involves overstating the cash balance by transferring cash between banks and recording the deposit in the current period and the disbursement in the next period.

Other Engagements

Summary of Engagements

| Element | Preparation | Compilation | Review | Audit |
|---|---|---|---|---|
| Attest Service? | Non-attest | Attest | Attest | Attest |
| Public/Private Application | Private only | Private only | Private only (Interim Reviews span both) | Private / Public |
| Level of Assurance | None | None | Limited | Reasonable |
| Independence Required? | No | No (disclose if not independent) | Yes | Yes |
| Report Issued | None (each page states "no assurance provided") | Compilation Report (Restricted use not required; can omit substantial disclosures if disclosed) | Review Report (Conclusion stated. Report states review is less in scope. Each page says "see independent accountant's review report". Doesn't test IC or assess fraud risk) | Auditor's Report (Opinion stated) |
| Primary Procedures | Prepare financial statements | Read the financial statements | Inquiry and Analytical Procedures | Extensive (Risk Assessment, Tests of Controls, Substantive) |
| Engagement Letter | Presumptively mandatory | Presumptively mandatory | Presumptively mandatory | Presumptively mandatory |
| Representation Letter | Not required | Not required | Required | Required |
| Understanding of Internal Controls | Not required | Not required | Not required | Required |
| GAAP Departures | May depart, disclose in financial statements | Modify report | Modify report | Modify report ("qualified/adverse") |
| Communication with Predecessor | Not required | Not required | Not required | Required |
| Subsequent Event Inquiries | Not required | Not required | Required | Required |

Prospective Financial Statements & Agreed-Upon Procedures

Types of Prospective Financial Statements

  • Financial Forecast: Reflects an entity's expected financial results based on expected conditions. Appropriate for general use.
  • Financial Projection: Based on hypothetical, "what-if" assumptions. Use is restricted/limited.

Conditions for Agreed-Upon Procedures

  • Independence of the practitioner
  • Agreement of the parties
  • Client's Responsibility for the subject matter
  • Sufficiency of the procedures (client's responsibility)
  • Measurability and Consistency
  • Use of the report is restricted
  • Engagements on prospective financial statements must include a summary of significant assumptions

General Procedures & Results

| Engagement Type | Primary Action / Procedure | Resulting Output |
|---|---|---|
| Compilation Report | Assemble financial statements and significant assumptions; look for obvious errors | No opinion or assurance provided |
| Examination Report | Evaluate assumptions and conformance with AICPA guidelines | Opinion |
| Agreed-Upon Procedures | Apply specific procedures | Disclaimer |

Required Report Elements

| Report Element | Compilation | Examination | Agreed-Upon Procedures |
|---|---|---|---|
| Identification of Prospective Financial Statements | Yes | Yes | Yes |
| Compliance with AICPA standards | Yes | Yes | Yes |
| Limitation of scope | Yes | No | Yes |
| Enumeration of procedures | No | No | Yes |
| Caveat about prospective results | Yes | Yes | Yes |
| CPA responsibility for updating | No responsibility | No responsibility | No responsibility |
| Opinion on AICPA presentation guidelines | No | Yes | No |
| Limited use of report | Only for projections | Only for projections | Only for projections |

Service Organization Control (SOC) Reports

Reports on the controls at a service organization that are relevant to a user entity's financial reporting.

  • SOC 1 Report: Focuses on controls over financial reporting (ICFR).
  • SOC 2 Report: Focuses on a broader range of controls related to the Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy).

Report Types

  • Type 1: Reports on the design and implementation of controls at a specific point in time.
  • Type 2: Reports on the design, implementation, AND operating effectiveness of controls over a period of time.

Governmental and Single Audits

Audits conducted under Government Auditing Standards require additional reporting beyond a standard GAAS audit.

Required Reports by Audit Type

1. GAAS Reports
  • Opinion on all financial statements.
2. GAGAS (Yellow Book) Reports
  • An audit report on the financial statements.
  • A report on internal control over financial reporting and on compliance with laws, regulations, contracts, etc. (no opinion).
3. Single Audit Act (2 CFR 200) Reports

Threshold: Required for entities expending $1,000,000 or more in federal financial assistance in a year. It expands on GAGAS requirements.

  • Opinion (or disclaimer) on financial statements and supplementary schedule of expenditures of federal awards.
  • Report on internal control and compliance with provisions of laws, regulations, contracts, and grant agreements.
  • Report on compliance and internal control over compliance applicable to each major program (must include opinion or disclaimer on compliance).
  • Schedule of findings and questioned costs (Required).

Attestation Service Reporting Options

Attestation Service Examination Review Agreed-Upon Procedures
Agreed-upon Procedures
Prospective Financial Statements
Pro forma Financial Statements
Compliance
MD&A
Service Organizations

Note: Preparations and compilations are also allowed for prospective financial statements (governed by SSARS).

Detailed Engagement Comparison

| Element | Preparation | Compilation | Review | Audit |
|---|---|---|---|---|
| Level of Assurance | None | None | Limited | Reasonable |
| Independence Required | No (non-attest) | No (disclose if not) | Yes | Yes |
| Engagement Letter | Presumptively mandatory | Presumptively mandatory | Presumptively mandatory | Presumptively mandatory |
| Representation Letter | Not required | Not required | Required | Required |
| Understanding of IC | Not required | Not required (no test work) | Not required (no test work) | Required |
| GAAP Departures | May depart, disclose in F/S | Modify report | Modify report | Modify report ("qualified/adverse") |
| Communication with Predecessor | Not required | Not required | Not required | Required |
| Subsequent Event Inquiries | Not required | Not required | Required | Required |

Flow of Engagement Procedures

This table illustrates the cumulative procedures required for Preparation, Compilation, and Review engagements, with each subsequent engagement type including the procedures of the one before it.

Procedure Preparation Compilation Review
Establish an Understanding With the Client (Engagement Letter)
Obtain Knowledge of Accounting Principles & Practices
Obtain Understanding of Client's Business
Read the Financial Statements
Read the Financial Statements
Evaluate / Document Results
Create Appropriate Report
Make Inquiries Within the Organization
Perform Analytical Procedures
Obtain Client Representation Letter

Note: Preparation is a non-attest service with no assurance. Compilation is an attest service with no assurance. Review is an attest service that provides limited assurance.

Review Service Types Comparison

| Review Type | Standard | Entity Type | Service | Report |
|---|---|---|---|---|
| Private Review | SSARS | Nonissuers only | Compiled/Reviewed | Review Report |
| Private w/ YE Audit Review | SAS | Nonissuers | Interim Review | Review Report |
| Public Interim Review | PCAOB | Issuers | Interim Review | Review Report |
| No Audit or Review | PCAOB | Any | Financial information | Unaudited legend |

Detailed Procedures: SSARS (Prep, Comp, Review) vs. SAS (Audit)

Procedure Preparation Compilation Review Audit
Independence Disclosure Required Required
Level of Assurance None None Limited (Negative) Reasonable (Positive)
Knowledge of Industry
Engagement Letter
Learn Entity's Business
Understanding of Internal Controls
Testing of Controls
Inquiry (Inside the Entity)
Analytical Procedures
Substantive Procedures (External/Physical)
Obtain Representation Letter
Professional Judgment
Prepare the F/S
Communicate Results No Report Compilation Report Review Report Auditor's Report

Error Detection Capabilities by Engagement

| Engagement Type | Detection Capability | Assurance Level |
|---|---|---|
| Preparation | Only obvious errors | No assurance (include legend or disclaimer) |
| Compilation | Only obvious errors found when reading F/S | No assurance (disclaimer) |
| Review | Only errors discovered through inquiry and analytical procedures | Limited assurance |
| Audit | Must be designed to provide reasonable assurance of detection of material misstatements | Reasonable assurance |

GAAP Disclosure Requirements

| Engagement | GAAP Disclosure Omitted | GAAP Departures |
|---|---|---|
| Preparation | May omit, but need to disclose in the financial statements | May depart from GAAP, but need to disclose in the financial statements |
| Compilation | May omit, but need to disclose in the financial statements | Modify report to discuss GAAP departure |
| Review | All are required or modify review report | Modify report to discuss GAAP departure |
| Audit | All are required or "qualified/adverse" opinion | Modify report; "qualified/adverse" opinion |

Financial Statement Scope Requirements

| Engagement Type | F/S Reported on (BS/IS/RE/CF) | Scope Restrictions |
|---|---|---|
| Preparation | One or more financial statements may be presented | No restrictions |
| Compilation | One or more financial statements allowed to be reported on | No restrictions |
| Review | One or more financial statements allowed if inquiry and analytical procedures are not restricted | Cannot be restricted |
| Audit | One or more financial statements allowed if scope is not limited and all necessary procedures applied | Cannot be limited |

Attestation Engagements (SSAE)

Types of Engagements

  • Examination: High assurance, opinion given (like an audit).
  • Review: Limited assurance, conclusion given (like review of F/S).
  • Agreed-Upon Procedures: No assurance, only factual findings.

Engagement Summary Comparison

| Type of Engagement | Amount of Assurance | Result | Similar to |
|---|---|---|---|
| Examination | Reasonable (positive) | Opinion | Audit (SAS) |
| Review | Limited (negative) | Conclusion | Review (SSARS) |
| Agreed-upon procedures | None | List of findings | N/A |

Key Notes

  • Restricted use report unless general criteria are used (e.g., GAAP, GHG protocol).
  • Must comply with AICPA attestation standards.
  • Management's assertion is usually required in writing.

Knowledge Requirements and Period Coverage

Knowledge Required by Engagement Type

  • Preparation/Compilation: Knowledge of accounting principles and industry practices; general understanding of client's business
  • Review: Same as compilation PLUS increased knowledge of client's business
  • Audit: Extensive knowledge of economy, industry, and client's business

Period Coverage

| Engagement | Period | Standards |
|---|---|---|
| Preparation | Any date | AICPA-SSARS |
| Compilation | Any date | AICPA-SSARS |
| Review (Private) | Any date | AICPA-SSARS |
| Review (Nonissuers Interim) | Interim only | AICPA-SAS |
| Review (Issuers Interim) | Interim only | PCAOB |
| Audit | Any date | PCAOB/SAS |