Risk Assessment Standards and the PPC Audit Process

GRAT10

SELF�STUDY CONTINUING PROFESSIONAL EDUCATION

Companion to PPC's Guide to

Risk Assessment Standardsand the

PPC Audit Process

Fort Worth, Texas(800) 431�9025trainingcpe.thomson.com

GRAT10

ii

Copyright 2010 Thomson Reuters/PPCAll Rights Reserved

This material, or parts thereof, may not be reproduced in another document or manuscriptin any form without the permission of the publisher.

This publication is designed to provide accurate and authoritative information in regard to the subjectmatter covered. It is sold with the understanding that the publisher is not engaged in rendering legal,accounting, or other professional service. If legal advice or other expert assistance is required, theservices of a competent professional person should be sought.From a Declaration of Principles

jointly adopted by a Committee of the American Bar Association and a Committee of Publishers andAssociations.

The following are registered trademarks filed with the United States Patent and Trademark Office:

Checkpoint� ToolsPPC's Practice Aids�

PPC's Workpapers�

PPC's Engagement Letter Generator�PPC's Interactive Disclosure Libraries�

PPC's SMART Practice Aids�

Practitioners Publishing Company is registered with the NationalAssociation of State Boards of Accountancy (NASBA) as a sponsor ofcontinuing professional education on the National Registry of CPESponsors. State boards of accountancy have final authority on theacceptance of individual courses for CPE credit. Complaints regardingregistered sponsors may be addressed to the National Registry of CPESponsors, 150 Fourth Avenue North, Suite 700, Nashville, TN37219�2417. Website: www.nasba.org.

Practitioners Publishing Company is registered with the NationalAssociation of State Boards of Accountancy (NASBA) as a QualityAssurance Service (QAS) sponsor of continuing professionaleducation. State boards of accountancy have final authority onacceptance of individual courses for CPE credit. Complaints regardingQAS program sponsors may be addressed to NASBA, 150 FourthAvenue North, Suite 700, Nashville, TN 37219�2417. Website:www.nasba.org.

Registration Numbers

Texas 001615

New York 001076

NASBA Registry 103166

NASBA QAS 006

GRAT10

iii

Interactive Self�study CPE

Companion to PPC's Guide to Audit Risk Assessment

TABLE OF CONTENTS

Page

COURSE 1: RISK ASSESSMENT STANDARDS AND THE PPC AUDIT PROCESS

Overview 1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Lesson 1: Risk Assessment Standards and the PPC Audit Process 3. . . . . . . . . . . . . . . . . . . . . . . . .

Lesson 2: Tests of Controls and Making a Control Risk Assessment 29. . . . . . . . . . . . . . . . . . . . . . . .

Glossary 105. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Index 107. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

To enhance your learning experience, the examination questions are located throughoutthe course reading materials. Please look for the exam questions following each lesson.

EXAMINATION INSTRUCTIONS, ANSWER SHEETS, AND EVALUATIONS

Course 1: Testing Instructions for Examination for CPE Credit 109. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Course 1: Examination for CPE Credit Answer Sheet 111. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Course 1: Self�study Course Evaluation 112. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

GRAT10

iv

INTRODUCTION

Risk Assessment Standards and the PPC Audit Process consists of one interactive self�study CPE course. This isa companion course to PPC's Guide to Audit Risk Assessment designed by our editors to enhance yourunderstanding of the latest issues in the field. To obtain credit, you must complete the learning process by loggingon to our Online Grading System at OnlineGrading.Thomson.com or by mailing or faxing your completedExamination for CPE Credit Answer Sheet for print grading by June 30, 2011. Complete instructions areincluded below and in the Test Instructions preceding the Examination for CPE Credit Answer Sheet.

Taking the Course

This course is divided into lessons. Each lesson addresses an aspect of risk assessment standards and the PPCaudit process. You are asked to read the material and, during the course, to test your comprehension of each of thelearning objectives by answering self�study quiz questions. After completing each quiz, you can evaluate yourprogress by comparing your answers to both the correct and incorrect answers and the reason for each.References are also cited so you can go back to the text where the topic is discussed in detail. Once you aresatisfied that you understand the material, answer the examination questions which follow each lesson. Youmay either record your answer choices on the printed Examination for CPE Credit Answer Sheet or by loggingon to our Online Grading System.

Qualifying Credit HoursQAS or Registry

PPC is registered with the National Association of State Boards of Accountancy as a sponsor of continuingprofessional education on the National Registry of CPE Sponsors (Registry) and as a Quality Assurance Service(QAS) sponsor. Part of the requirements for both Registry and QAS membership include conforming to theStatement on Standards of Continuing Professional Education (CPE) Programs (the standards). The standards weredeveloped jointly by NASBA and the AICPA. As of this date, not all boards of public accountancy have adopted thestandards. Each course is designed to comply with the standards. For states adopting the standards, recognizingQAS hours or Registry hours, credit hours are measured in 50�minute contact hours. Some states, however, require100�minute contact hours for self study. Your state licensing board has final authority on accepting Registry hours,QAS hours, or hours under the standards. Check with the state board of accountancy in the state in which you arelicensed to determine if they participate in the QAS program or have adopted the standards and allow QAS CPEcredit hours. Alternatively, you may visit the NASBA website at www.nasba.org for a listing of states that acceptQAS hours or have adopted the standards. Credit hours for CPE courses vary in length. Credit hours for eachcourse are listed on the �Overview" page before each course.

CPE requirements are established by each state. You should check with your state board of accountancy todetermine the acceptability of this course. We have been informed by the North Carolina State Board of CertifiedPublic Accountant Examiners and the Mississippi State Board of Public Accountancy that they will not allow creditfor courses included in books or periodicals.

Obtaining CPE Credit

Online Grading. Log onto our Online Grading Center at OnlineGrading.Thomson.com to receive instant CPEcredit. Click the purchase link and a list of exams will appear. You may search for the exam using wildcards.Payment for the exam is accepted over a secure site using your credit card. For further instructions regarding theOnline Grading Center, please refer to the Test Instructions preceding the Examination for CPE Credit AnswerSheet. A certificate documenting the CPE credits will be issued for each examination score of 70% or higher.

Print Grading. You can receive CPE credit by mailing or faxing your completed Examination for CPE Credit AnswerSheet to the Tax & Accounting business of Thomson Reuters for grading. Answer sheets are located at the end ofall course materials. Answer sheets may be printed from electronic products. The answer sheet is identified with thecourse acronym. Please ensure you use the correct answer sheet for each course. Payment of $79 (by check orcredit card) must accompany each answer sheet submitted. We cannot process answer sheets that do not includepayment. Please take a few minutes to complete the Course Evaluation so that we can provide you with the bestpossible CPE.

GRAT10

v

You may fax your completed Examination for CPE Credit Answer Sheet to the Tax & Accounting business ofThomson Reuters at (817) 252�4021, along with your credit card information.

If more than one person wants to complete this self�study course, each person should complete a separateExamination for CPE Credit Answer Sheet. Payment of $79 must accompany each answer sheet submitted. Wewould also appreciate a separate Course Evaluation from each person who completes an examination.

Express Grading. An express grading service is available for an additional $24.95 per examination. Courseresults will be faxed to you by 5 p.m. CST of the business day following receipt of your Examination for CPE CreditAnswer Sheet. Expedited grading requests will be accepted by fax only if accompanied with credit cardinformation. Please fax express grading to the Tax & Accounting business of Thomson Reuters at (817) 252�4021.

Retaining CPE Records

For all scores of 70% or higher, you will receive a Certificate of Completion. You should retain it and a copy of thesematerials for at least five years.

PPC In�House Training

A number of in�house training classes are available that provide up to eight hours of CPE credit. Please call ourSales Department at (800) 431�9025 for more information.

GRAT10

vi

GRAT10 Companion to PPC's Guide to Audit Risk Assessment

1

COMPANION TO PPC'S GUIDE TO AUDIT RISK ASSESSMENT

COURSE 1

RISK ASSESSMENT STANDARDS ANDTHE PPC AUDIT PROCESS (GRATG101)

OVERVIEW

COURSE DESCRIPTION: This interactive self�study course explains the risk assessment audit process anddetails changes to the Statements on Auditing Standards (SAS) that influence thatprocess. In addition, this course covers audit procedures including tests of controls,making a control risk assessment, and substantive procedures.

PUBLICATION/REVISIONDATE:

June 2010

RECOMMENDED FOR: Users of PPC's Guide to Audit Risk Assessment

PREREQUISITE/ADVANCEPREPARATION:

Basic knowledge of auditing

CPE CREDIT: 5 QAS Hours, 5 Registry Hours

Check with the state board of accountancy in the state in which you are licensed todetermine if they participate in the QAS program and allow QAS CPE credit hours.This course is based on one CPE credit for each 50 minutes of study time inaccordance with standards issued by NASBA. Note that some states require100�minute contact hours for self study. You may also visit the NASBA website atwww.nasba.org for a listing of states that accept QAS hours.

FIELD OF STUDY: Auditing

EXPIRATION DATE: Postmark by June 30, 2011

KNOWLEDGE LEVEL: Basic

Learning Objectives:

Lesson 1Risk Assessment Standards and the PPC Audit Process

Completion of this lesson will enable you to:

� Identify changes to the audit process and terminology as a result of the risk assessment standards.

� Recognize the eight steps included in the PPC audit approach.

Lesson 2Tests of Controls and Making a Control Risk Assessment

Completion of this lesson will enable you to:� Determine when tests of controls should be performed and identify efficiency opportunities in testing controls.

� Identify the factors involved in determining a a control risk assessment.

� Recognize appropriate substantive procedures.

GRAT10Companion to PPC's Guide to Audit Risk Assessment

2

TO COMPLETE THIS LEARNING PROCESS:

Send your completed Examination for CPE Credit Answer Sheet, Course Evaluation, and payment to:

Thomson ReutersTax & AccountingR&GGRATG101 Self�study CPE36786 Treasury CenterChicago, IL 60694�6700

See the test instructions included with the course materials for more information.

ADMINISTRATIVE POLICIES:

For information regarding refunds and complaint resolutions, dial (800) 323�8724 for Customer Service and your

questions or concerns will be promptly addressed.


3

Lesson 1:�Risk Assessment Standards and the PPCAudit Process

INTRODUCTION

The Auditing Standards Board's eight auditing standards, collectively referred to as the risk assessment standardsalong with SAS No. 99 (AU 316), Consideration of Fraud in a Financial Statement Audit, require the assessment of

audit risk (the risk of material misstatement of the financial statements due to error or fraud) in audit engagements.

PPC's Guide to Audit Risk Assessment (Implementing the Risk Assessment Standards) provides the comprehensivetools and guidance that auditors need to effectively and efficiently apply risk assessment in their audit engage�

ments. Risk assessment is an integral part of every audit and can significantly affect both audit efficiency and audit

effectiveness. The Guide provides a complete package of risk assessment tools to assist in that process, including:

� detailed analysis of the risk assessment process and related standards requirements;

� practice aids for performing and documenting risk assessment; and

� practical guidance on applying risk assessment, including case studies and illustrated practice aids, all

aligned with the PPC audit approach.

Overall, risk assessment is focused towards ensuring the effectiveness of financial statement audits. In applying

risk assessment, auditors explicitly consider higher risk areas by focusing on what is most likely to go wrong thatcould affect the financial statements. Auditors assess the risk that the financial statements are materially misstated

due to error or fraud and design and perform audit procedures to respond to those identified risks. The result is a

targeted effort that considers the unique circumstances of each client.

Learning Objectives:

Completion of this lesson will enable you to:

� Identify changes to the audit process and terminology as a result of the risk assessment standards.� Recognize the eight steps included in the PPC audit approach.

What Is Risk Assessment?

The term risk assessment in this course refers to an audit approach in which the auditor:

� Obtains a sufficient understanding of the client and its environment to identify and assess the risks of

material misstatement of the financial statements both at the assertion level and on an overall basis.

� Concentrates audit effort in areas of the financial statements where there is a higher risk of material

misstatement. Such areas may have a high risk because either inherent or control risk, or both, is higher.

� Provides linkage between the identified risks and the resulting audit procedures.

� Identifies lower�risk areas in which to perform less extensive procedures.

An audit approach based on risk assessment provides methods to identify higher�risk areas and assertions so that

audit effort can be focused on those areas. By focusing efforts in higher�risk areas and limiting procedures in

lower�risk areas, the auditor is performing a more effective and focused audit. The risk assessment approach usedin this lesson is illustrated in Exhibit 1�1.


4

Exhibit 1�1

The Risk Assessment Audit Approach

* * *

Planning Is the Key. The key to successful risk assessment is planning. In general, the risk assessment process

requires significant time spent in up�front planning. During the planning process, the auditor gains sufficientknowledge of the client to identify the risky audit areas and assertions and determine the procedures necessary to

address identified risks. For lower�risk areas, the auditor determines what limited procedures will be necessary inlight of the low assessed level of risk. The time spent during the planning process should ordinarily provide

efficiencies from limiting procedures in lower�risk areas. And because the auditor is focusing his or her efforts on

higher�risk areas, the audit approach is more effective. Also, the auditor's increased knowledge of the client'sbusiness and operations can add value to client service. The auditor may be able to provide the client with more

insightful and practical comments and recommendations about matters that might benefit the client's business.

Because of the increased emphasis on obtaining an understanding of the entity and the design and implementa�tion of internal control as a basis for the auditor's assessment of risks, the auditor may identify control deficiencies

that are required to be reported to management and those charged with governance.

Because risk assessments require significant judgment, normally it is more effective and efficient to have anexperienced auditor make the risk assessments and prepare the planning documents. However, all levels of the

engagement team should be involved in the risk assessment process.

Integration of SAS No. 99. The risk assessment standards stress that the auditor's consideration of fraud under

the requirements of SAS No. 99 (AU 316) is not separate from consideration of audit risk but is integrated into theoverall audit risk assessment process. The risk assessment standards provide more specific guidance on assess�

ing audit risk. Although the requirements and guidance presented in the risk assessment standards may suggesta sequential process, the audit is a continuous process of gathering, updating, and analyzing information about the

fairness of presentation of amounts and disclosures in the financial statements in conformity with the applicable

financial reporting framework that is used by the entity. The applicable financial reporting framework is the set ofaccounting principles used by the entity to prepare its financial statements. This course assumes that entities are


5

following U.S. generally accepted accounting principles. Therefore, risk assessment procedures are performed

concurrently with other procedures, and the evaluation of risks, including fraud risks, should occur continuouslythroughout the audit. The PPC audit approach integrates the requirements of SAS No. 99 (AU 316) within the overall

risk assessment process by addressing those requirements at relevant points throughout the process.

Risk Assessment Standards

The overall objective of the risk assessment standards is to promote the auditor's use of the audit risk model by

requiring

� A greater understanding of the entity and its environment, including internal controls, to identify the risks

of material misstatement in the financial statements, along with the entity's actions to mitigate those risks.

� A heightened assessment of the risks of material misstatement based on the auditor's understanding.

� Better linkage between the identified risks and the resulting audit procedures.

Key Provisions of the Standards. The following list presents some of the key elements of the risk assessment

standards:

� Emphasis on the Quality and Depth of the Required Understanding of the Entity and Its Environment. In

addition to the components of internal control, the standards specify aspects of the entity and its

environment about which the auditor should obtain an understanding to identify and assess where materialmisstatements could occur.

� Requirement to Assess Risks. The risk assessment standards do not permit assessing control risk �at themaximum" without support. Risk assessment, at whatever level, should be supported by the auditor's

understanding of the entity and its environment, including internal control. Auditors are required to identify

significant risks that need special audit consideration, as well as other risks where the application ofsubstantive procedures alone will not sufficiently reduce detection risk.

� Emphasis on Evaluating and Testing Controls. SAS No. 109 (AU 314.54) notes that �obtaining anunderstanding of internal control involves evaluating the design of a control and determining whether it has

been implemented." In addition, control risk cannot be assessed at the maximum level without

documenting the basis for that conclusion. As a result of the increased emphasis on understandingcontrols, testing of controls may frequently be considered. However, testing of controls is not required

unless the auditor intends to rely on the operating effectiveness of controls to alter the nature, timing, orextent of substantive procedures, or the auditor concludes that substantive procedures alone will not

sufficiently reduce detection risk.

� Emphasis on the Linkage between Assessed Risks and Resulting Audit Procedures. Auditors are requiredto develop overall responses that address risks of material misstatement at the financial statement level as

well as procedures that are clearly linked to assessed risks of material misstatement at the relevantassertion level. The risk assessment standards stress the importance of the nature of audit procedures in

responding to assessed risks.

� Guidance on Substantive Procedures. The risk assessment standards indicate that substantive proceduresshould be applied to all relevant assertions related to each material class of transactions, account balance,

and disclosure to detect material misstatements at the assertion level, regardless of the assessed risk ofmaterial misstatement. The standards also require the auditor to reconcile financial statements (and the

accompanying notes) with supporting records, and to examine material journal entries and other

adjustments that were made when preparing financial statements.

� Emphasis on Testing of Disclosures. Assertions about presentation and disclosure include completeness

and understandability to users. The risk assessment standards emphasize that risks of materialmisstatement should be considered for disclosures.


6

� Documentation Requirements. Among other items, auditors are required to document overall responses

to address the assessed risk of material misstatement at the financial statement level; the risk assessmentat the relevant assertion level; the nature, timing, and extent of the further audit procedures; the linkage of

audit procedures to assessed risks; and the results of the audit procedures.

Exhibit 1�2 lists each risk assessment standard and provides a brief summary.

Exhibit 1�2

Summary of Risk Assessment Standards

SAS Title Brief Summary

SAS No. 104 (AU 230.10), Amendment to Statement on Auditing

Standards No. 1, Codification of Auditing Standards and Proce�dures, (�Due Professional Care in the Performance of Work")

Expands the definition of reasonable

assurance.

SAS No. 105 (AU 150), Amendment to Statement on Auditing

Standards No. 95, Generally Accepted Auditing Standards

Among other things, amends the second

and third standards of field work by� Expanding the purpose and scope of

the auditor's understanding of the

entity and its environment, includinginternal control.

� Eliminating references to specific

audit procedures.

SAS No. 106 (AU 326), Audit Evidence Provides guidance on matters such as

� Definition of audit evidence.� Sufficiency and appropriateness of

audit evidence.

� The use of assertions, includingproviding an expanded and recatego�

rized list of assertions for classes of

transactions, account balances, andpresentation and disclosure.

� Audit procedures for obtaining auditevidence.

SAS No. 107 (AU 312), Audit Risk and Materiality in Conducting an

Audit

Discusses matters such as

� Consideration of audit risks at thefinancial statement and individual

account balance, class of transac�

tions, or disclosure levels.� Defining materiality for the financial

statements as a whole when plan�

ning.� Identifying items for which materiality

should be assessed at a lower level.� The use of tolerable misstatement.

� Reassessment of materiality during

the audit.� Evaluating audit findings and whether

financial statements as a whole are

free of material misstatements.� Communication of misstatements to

management.� Documentation requirements.


7

SAS No. 108 (AU 311), Planning and Supervision Addresses planning the engagement,

including topics such as� Appointment of the auditor.

� Establishing an understanding with

the client.� Preliminary engagement activities.

� Overall audit strategy.

� The audit plan.� Involvement of professionals with

specialized skills.� Initial audit engagement consider�

ations.

Also includes guidance on supervision of

assistants.

SAS No. 109 (AU 314), Understanding the Entity and Its Environ�

ment and Assessing the Risks of Material Misstatement

Provides guidance on

� Risk assessment procedures andsources of information.

� Understanding the entity and its

environment, including internalcontrol.

� Assessing the risks of material

misstatement.� Documentation requirements.

SAS No. 110 (AU 318), Performing Audit Procedures in Response

to Assessed Risks and Evaluating the Audit Evidence Obtained

Discusses matters such as

� Overall responses to address therisks of material misstatement at the

financial statement level.

� Audit procedures that are responsiveto risks at the relevant assertion level.

� Evaluating the sufficiency and

appropriateness of evidenceobtained.

� Documentation requirements.

SAS No. 111 (AU 350), Amendment to Statement on Auditing

Standards No. 39, Audit Sampling

Amends SAS No. 39 to:

� Move guidance from the existingappendix to SAS No. 107.

� Incorporate certain guidance from

SAS No. 110.� Incorporate certain guidance from

SAS No. 99, Consideration of Fraud in

a Financial Statement Audit.� Modify guidance pertaining to the

auditor's judgment about the estab�lishment of tolerable misstatement for

a specific audit procedure and the

application of sampling to tests ofcontrols.

* * *


8

Terminology

The risk assessment standards use specific terminology to describe the auditor's responsibility for planning andperforming an audit. Some of those terms, which are significant in the risk assessment process, are discussed in

the following paragraphs.

Audit Strategy. The audit strategy is the auditor's operational approach to achieving the objectives of the audit. It

is a high�level determination of the audit approach by audit area. It includes the identification of audit areas with a

higher risk of material misstatement, the overall responses to those higher risks, and the general approach to eachaudit area as being substantive procedures or a combined approach of substantive procedures and tests of

controls. As part of risk assessment, the auditor should establish an overall strategy for the audit.

Audit Plan. The audit plan is more detailed than the audit strategy and includes the nature, timing, and extent of

audit procedures to be performed by audit team members to obtain sufficient appropriate evidence. The audit plan

is commonly referred to as the audit program.

Relevant Assertions. One of the terms of central importance in risk assessment is relevant assertions. The

assertions that are relevant for a particular class of transactions, account balance, or disclosure are those that havea meaningful bearing on whether the item is fairly stated. A routine example is that the valuation assertion is usually

not relevant to the cash account unless currency translation is involved. Another example is that the valuation

assertion is usually not relevant to the gross amount of the accounts receivable balance, but is usually relevant tothe related allowance for doubtful accounts.

The risk assessment standards give prominent recognition to the idea of relevant assertions. References to�decisions made at the relevant assertion level" mean decisions made about the relevant assertions within a class

of transactions, account balance, or disclosure. The auditor assesses risks of material misstatement at the relevant

assertion level and designs audit procedures to mitigate that assessed risk.

Significant Risks. Another term of importance in risk assessment is significant risks. The full term significant risks

that require special audit consideration indicates the basic idea. A risk is a significant risk if an analysis of inherentrisk indicates that the likely magnitude of the potential misstatement and the likelihood of the misstatement

occurring are such that they require special audit consideration. The determination of whether a risk requires

special audit consideration is based on an assessment of inherent risk and does not include consideration ofcontrols. Significant risks generally relate to nonroutine transactions (i.e., transactions that are unusual due to their

size or nature) and complex or judgmental matters. Transactions that are routine, noncomplex, and subject to

systematic processing have lower inherent risks and are less likely to involve significant risks. Identified fraud risksare always significant risks.

Risk Assessment Procedures. According to SAS No. 106 (AU 326.20), risk assessment procedures are a definedcategory of audit procedures performed near the beginning of an audit to obtain an understanding of the entity and

its environment, including its internal control, for the purpose of assessing the risks of material misstatement at the

financial statement and relevant assertion levels. The auditor should use the risk assessment to determine thenature, timing, and extent of further audit procedures. Risk assessment procedures consist of inquiry, observation,

inspection, and analytical procedures.

Risk of Material Misstatement. The risk of material misstatement is the likelihood of a misstatement of the financial

statements of a material amount. When considering audit risk at the overall financial statement level, the auditor

should consider risks of material misstatement that relate pervasively to the financial statements taken as a wholeand that potentially affect many relevant assertions. The auditor should also assess the risk of material misstate�

ment at the relevant assertion level for classes of transactions, account balances, and disclosures. At the relevantassertion level, the assessment of risk of material misstatement is the combination of the auditor's assessment of

inherent risk and control risk. The auditor can make a combined assessment of inherent and control risk or assess

the component risks separately and then combine them.

Further Audit Procedures. Further audit procedures are procedures an auditor performs in response to the

assessed risks to reduce the overall audit risk to an appropriately low level. They consist of substantive procedures,tests of controls, and other procedures, sometimes referred to as general procedures.


9

Other Terms. Some other terminology in the risk assessment standards that is worth noting includes

� Audit evidence.

� Reasonable assurance.

� Those charged with governance.

Audit Evidence. SAS No. 106 (AU 326.02) states:

Audit evidence is all the information used by the auditor in arriving at the conclusions on which the audit opinion isbased and includes the information contained in the accounting records underlying the financial statements and

other information.

The results of the auditor's risk assessment procedures provide evidence that contributes to forming an opinion onthe financial statements.

Reasonable Assurance. The scope paragraph of the auditor's report includes a statement that generally acceptedauditing standards (GAAS) require audits to be planned and performed to obtain reasonable assurance about

whether the financial statements are free of material misstatement. That statement introduces the concept ofmateriality to the audit report and the auditor's responsibility for detecting errors or fraud. SAS No. 104 (AU 230.10)

clarifies that reasonable assurance is a high, but not absolute, level of audit assurance.

Those Charged with Governance. The reference to those charged with governance encompasses those situations

in which an entity does not have an audit committee, but has a group responsible for oversight of the entity'sstrategic direction and obligations related to accountability.

Unconditional and Presumptively Mandatory Requirements

SAS No. 102 (AU 120), Defining Professional Requirements in Statements on Auditing Standards, clarifies the

meaning of certain terms used in SASs and defines the terminology that the Auditing Standards Board uses to

describe the degrees of responsibility that professional requirements impose on auditors and practitioners.

The contents of the SASs contain professional requirements along with explanatory material. The auditor's degreeof responsibility in complying with professional requirements can be identified through two categories.

� Unconditional Requirements. Unconditional requirements are those that an auditor must follow in all cases

if the circumstances apply to the requirement. Those requirements are noted in the SASs by use of the

words �must" or �is required."

� Presumptively Mandatory Requirements. Auditors are also expected to comply with presumptivelymandatory requirements if the circumstances apply to the requirement; however, in rare situations, a

departure from the requirement is allowed if the auditor documents the justification and how alternative

procedures that were performed were sufficient to achieve the objectives of the requirement. Presumptivelymandatory requirements are identified by the word �should." If a SAS uses the words �should consider"

for a procedure, the consideration of the procedure is presumptively required.

Explanatory material represents material that provides additional guidance on professional requirements or identi�

fies other procedures or actions. An auditor is not required to perform other procedures or actions that are identifiedthrough explanatory material. Those items require understanding and professional judgment regarding their

applicability. Explanatory material is identified through the words �may," �might," and �could."

Unconditional Requirements for Risk Assessment. The following summarizes the auditor's unconditional

requirements when performing risk assessment:

� �While exercising due professional care, the auditor must plan and perform the audit to obtain sufficientappropriate audit evidence so that audit risk will be limited to a low level that is, in his or her professional


10

judgment, appropriate for expressing an opinion on the financial statements." This is the definition of

reasonable assurance from SAS No. 104 (AU230.10).

� �The auditor must have adequate technical training and proficiency to perform the audit." This is the firstgeneral standard as revised by SAS No. 105 (AU 150.02).

� �The auditor must adequately plan the work and must properly supervise any assistants." This is a standard

of field work as revised by SAS No. 105 (AU 150.02).

� �The auditor must obtain a sufficient understanding of the entity and its environment, including its internal

control, to assess the risk of material misstatement of the financial statements whether due to error or fraud,and to design the nature, timing, and extent of further audit procedures." This is a standard of field work

as revised by SAS No. 105 (AU 150.02).

� �The auditor must obtain sufficient appropriate audit evidence by performing audit procedures to afford a

reasonable basis for an opinion regarding the financial statements under audit." This is a standard of fieldwork as revised by SAS No. 105 (AU 150.02).

� The auditor must plan the audit so that it is responsive to the assessment of the risk of material misstatement

based on the auditor's understanding of the entity and its environment, including its internal control.

� The auditor must obtain persuasive audit evidence.

� The auditor must perform risk assessment procedures and further audit procedures.

� The auditor must consider audit risk and determine audit materiality when designing audit procedures and

evaluating the fairness of the financial statements.

� The auditor must perform the audit to obtain reasonable assurance of detecting misstatements that theauditor believes could be material to the financial statements.

� Regarding evaluating misstatements and their impact on the auditor's report, the auditor must:

�� Accumulate all known and likely misstatements identified during the audit, other than those that are

trivial, and communicate them to the appropriate level of management.

�� Consider the effects, both individually and in the aggregate, of misstatements (known and likely) that

are not corrected by the entity.

�� Evaluate whether the financial statements taken as a whole are free of material misstatement.

�� Determine the implications for the auditor's report if management refuses to make the corrections theauditor believes are necessary to keep the financial statements from being materially misstated.

�� Determine the implications for the auditor's report if the auditor concludes, or is unable to conclude,

whether the financial statements are materially misstated.

� The auditor must develop an audit plan.

� When an auditor uses audit evidence obtained in a prior audit as substantive audit evidence in the current

audit, the audit evidence and the related subject matter must not have fundamentally changed.

� For significant risks, the auditor is required to evaluate the design of the entity's internal controls over thoserisks, including its control activities, and determine if they have been implemented.

� When the auditor believes substantive procedures alone will not reduce detection risk at the relevant

assertion level to an acceptably low level with audit evidence obtained only from substantive procedures,testing of internal controls is required.


11

The PPC audit approach helps the auditor effectively and efficiently comply with those requirements.

Presumptively Mandatory Requirements for Risk Assessment. Over 250 �should" and over 100 �should

consider" statements are included in the risk assessment standards.

In addition, SAS No. 99 (AU 316), Consideration of Fraud in a Financial Statement Audit, includes a number ofpresumptively mandatory requirements that also affect the auditor's risk assessment process. The key require�

ments for risk assessment related to fraud are as follows:

� Hold a discussion among the audit team members to consider how and where the entity's financialstatements might be susceptible to material misstatement due to fraud and to reinforce the importance of

adopting an appropriate attitude of professional skepticism.

� Gather information necessary to identify risks of material misstatement due to fraud by making inquiriesof management and others about fraud risks, considering the results of preliminary analytical procedures,

considering fraud risk factors, and considering certain other information.

� Use the information gathered to identify risks that may result in a material misstatement due to fraud.

� Evaluate the entity's programs and controls that address identified risks of material misstatement due tofraud and assess the risks, taking into account that evaluation.

� Respond to the results of the risk assessment using (a) overall responses, (b) specific responses involving

the nature, timing, and extent of auditing procedures, and (c) responses to address the risk of material

misstatement due to management override of controls.

� Assess the risk of material misstatement due to fraud throughout the audit and evaluate (at the completion

of the audit) whether the accumulated results of auditing procedures and other observations affect the

assessment made previously. Also consider whether identified misstatements may be indicative of fraudand, if so, evaluate their implications.

AU 316 also includes requirements for communicating to management, those charged with governance, and

others about fraud, and for documenting the auditor's consideration of fraud. All of those requirements areincorporated in the auditor's overall risk assessment process, using the PPC audit approach.

Related AICPA Guidance and Projects

Other Standards. The following standards are designed to work together with the risk assessment standards to

increase the effectiveness of financial statement audits:

� SAS No. 99 (AU 316), Consideration of Fraud in a Financial Statement Audit;

� SAS No. 102 (AU 120), Defining Professional Requirements in Statements on Auditing Standards;

� SAS No. 103 (AU 339), Audit Documentation; and

� SAS No. 115 (AU 325), Communicating Internal Control Related Matters Identified in an Audit.

SAS No. 103 (AU 339), Audit Documentation, requires the auditor to document the work performed, the audit

evidence obtained and its source, and the conclusions reached. In addition, it establishes other documentationrequirements that need to be considered when designing audit programs.

SAS No. 115 (AU 325), Communicating Internal Control Matters Identified in an Audit, supersedes SAS No. 112 of

the same name and is effective for audits of financial statements for periods ending on or after December 15, 2009

with earlier implementation permitted. Some of the key provisions in SAS No. 115 include the following:

� Provides revised definitions for significant deficiencies and material weaknesses.


12

� Provides guidance on which, and to whom, internal control related matters should be communicated.

� Requires a written communication to management and those charged with governance of any significantdeficiencies and material weaknesses in internal control, even if they were communicated in a previous

audit. This communication must be made within 60 days of the report release date.

� Identifies certain control deficiencies that are indicators of a material weakness in internal controls.

Because of the increased emphasis in the risk assessment standards on obtaining an understanding of the design

and implementation of internal control as a basis for the auditor's assessment of risks, auditors will identify more

internal control related matters that should be reported under SAS No. 115.

Audit Risk Alert. The AICPA Audit Risk Alert, Understanding the New Auditing Standards Relating to Risk Assess�

ment, provides a summary of the risk assessment standards and guidance on the standards' provisions.

Audit Guide. The AICPA Audit Guide, Assessing and Responding to Audit Risk in a Financial Statements Audit,Revised Edition as of October 1, 2009 (the AICPA Risk Assessment Audit Guide), provides implementation guid�

ance and case studies illustrating the implementation of the risk assessment standards. This course incorporatesguidance from the AICPA Risk Assessment Audit Guide.

Technical Practice Aids. The AICPA periodically issues guidance in the form of questions and answers on selected

practice matters. The Technical Practice Aids are not approved by any senior technical committee of the AICPA andare, therefore, nonauthoritative. A number of technical practice aids, address risk assessment matters.

Clarity Project. In response to growing concerns about the complexity of auditing standards and to converge U.S.

generally accepted auditing standards with International Standards on Auditing (ISAs), the Auditing StandardsBoard (ASB) began a large�scale project (the Clarity Project) to revise all existing standards and to design a format

under which all new standards will be issued. In March 2007, the ASB issued a discussion paper titled Improving

the Clarity of ASB Standards, outlining its plans to revise the format, structure, and style of the professionalstandards issued by the ASB. The discussion paper is available at

www.aicpa.org/download/auditstd/Clarity_of_ASB_Standards_Discussion_Memo.pdf.

��In response to comments received on the discussion paper and subsequent discussions, the ASB decided on

final drafting conventions. Accordingly, the clarified and converged standards include the following sections:

� Introduction. Includes matters such as the purpose and scope of the SAS, subject matter, effective date,and other relevant introductory material.

� Objectives. Establishes objectives that allow the auditor to understand what he or she should achieve

under the SAS. The auditor should use the objectives to determine whether additional procedures arenecessary for their achievement and evaluate whether sufficient appropriate audit evidence has been

obtained.

� Definitions. Where relevant, provides key definitions that are relevant to the standard.

� Requirements. States the requirements that the auditor is to follow unless the SAS is not relevant or the

requirement is conditional and the condition does not exist.

� Application and other explanatory material. Provides further guidance to the auditor in applying or

understanding the requirements. While this material does not in itself impose a requirement, auditors

should understand this guidance. How it is applied will depend on professional judgment in thecircumstances considering the objectives of the SAS. The requirements section references the applicable

application and explanatory material. Also, when appropriate, considerations relating to smaller and less

complex entities are also included in this lesson.

At the date of this course, the Auditing Standards Board had issued a number of proposed and final standards

under the Clarity Project, including the following six final standards that will supersede risk assessment SAS Nos.106 through 110:


13

� Planning an Audit.

� Materiality in Planning and Performing an Audit.

� Evaluation of Misstatements Identified During the Audit.

� Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

(Redrafted).

� Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained

(Redrafted).

� Audit Evidence (Redrafted).

��In addition to addressing the objectives of the Clarity Project and converging with comparable ISAs, the six SASsmake certain organizational changes to existing risk assessment standards such as:

a. Transfer the guidance on the auditor's use of assertions from AU 326, Audit Evidence, to AU 314,Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement.

b. Separate AU 312, Audit Risk and Materiality in Conducting an Audit, into two separate standards. The SAS,

Materiality in Planning and Performing an Audit (Redrafted), addresses materiality when planning andperforming the audit. Guidance on the evaluation of misstatements identified in the audit is in a separate

standard, Evaluation of Misstatements Identified During the Audit.

c. Move the definition of audit risk and its components to another SAS, Overall Objectives of the Independent

Auditor and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards.

d. Eliminate the unconditional requirement to consider audit risk in an audit since the ASB believes that theconsideration is fundamental to the audit process making an explicit requirement unnecessary.

e. Eliminate the guidance on auditor's responsibilities for evaluating the overall effect of audit findings on theauditor's report. These requirements are included in proposed SASs, Forming an Opinion and Reporting

on Financial Statements; Modifications to the Opinion in the Independent Auditor's Report; and Emphasisof Matter Paragraphs and Other Matter Paragraphs in the Independent Auditor's Report, which are part of

the Clarity Project.

f. Eliminate the guidance on auditor's responsibilities regarding the early appointment of the auditor and

establishing the terms of the engagement. That guidance is included in a proposed SAS, Terms of theEngagement, which is part of the Clarity Project.

g. Eliminate guidance on supervision in an audit. Those requirements are included in a proposed SAS, Quality

Control for an Audit of Financial Statements, or a proposed SQCS, A Firm's System of Quality Control

(Redrafted), which are part of the Clarity Project.

However, the Clarity Project is not expected to result in new requirements related to risk assessment.

��The ASB is working towards completing the project in 2010. When all of the standards have been clarified andconverged and are in final form, they will be issued as one SAS that will be codified in AU section format. With the

exception of six AU sections not related to risk assessment, all of the clarified AU sections will be effective on the

same date. This effective date is expected to be for audits of financial statements for periods beginning on or afterDecember 15, 2010. This date is provisional, but the effective date will not be earlier. Early adoption of the clarified

standards is not permitted unless indicated otherwise. (However, an auditor can implement aspects of the clarified

standards if he or she also complies with existing standards.)

��Given the status of the Clarity Project and that most clarified standards will be effective on one date (no earlierthan audits of 2011 calendar year ends), this course does not generally provide discussion on final or proposed


14

clarified standards. Future editions of the course will provide guidance on the clarified and converged standards.

Readers can obtain additional information on the clarity project and convergence with International AuditingStandards, including final and exposed standards, questions and answers, the convergence plan, and mapping of

existing AU sections to clarity standards, at www.aicpa.org.


15

SELF�STUDY QUIZ

Determine the best answer for each question below. Then check your answers against the correct answers in the

following section.

1. For purposes of this lesson, the term risk assessment refers to an audit approach in which the auditor:

a. Balances the audit effort equally between higher�risk and lower�risk areas of material misstatement.

b. Ensures that audit procedures resulting from identified risks are kept separate from one another and arenot linked.

c. Assesses the risks of material misstatement of the financial statements independent of any understandingof the client or the clients' environment.

d. Performs more extensive procedures in higher�risk areas.

2. John is working through the audit risk assessment process and is considering audit risk as well as fraud in afinancial statement audit. In which of the following Statements on Auditing Standards (SASs) will John find

assistance regarding these issues?

a. SAS No. 99.

b. SAS No. 106.

c. SAS No. 107.

d. SAS No. 108.

3. Under the risk assessment standards, which of the following is the definition of the audit strategy the auditor

will employ to achieve the objectives of the audit?

a. A high�level determination of the audit approach by audit area.

b. Used to determine the nature of audit procedures to be performed to obtain sufficient appropriateevidence.

c. Identifies the timing of audit procedures to be performed by audit team members.

d. Includes the extent of audit procedures necessary to obtain adequate appropriate evidence.

4. Which of the following terminology in the risk assessment standards result in no real change in what auditors

do?

a. Substantive procedures.

b. Tests of controls.

c. General procedures.

d. Reasonable assurance.


16

5. Bill is an auditor that wants to identify the documentation requirements he needs to consider when designing

an audit program. In which of the following standards, designed to work together with the risk assessmentstandards to increase the effectiveness of financial statement audits, will Bill find the information he is seeking?

a. SAS No. 102.

b. SAS No. 103.

c. SAS No. 109.

d. SAS No. 110.

6. What is the purpose of the Clarity Project?

a. To add new requirements related to risk assessment.

b. To simplify and align U. S. generally accepted auditing standards with international standards.


17

SELF�STUDY ANSWERS

This section provides the correct answers to the self�study quiz. If you answered a question incorrectly, reread theappropriate material. (References are in parentheses.)

1. For purposes of this lesson, the term risk assessment refers to an audit approach in which the auditor: (Page 3)

a. Balances the audit effort equally between higher�risk and lower�risk areas of material misstatement. [This

answer is incorrect. The auditor should focus audit effort on areas of the financial statement where there

is a higher risk of material misstatement. The auditor should perform less extensive procedures onlower�risk areas.]

b. Ensures that audit procedures resulting from identified risks are kept separate from one another and arenot linked. [This answer is incorrect. The auditor should provide linkages between the identified risks and

the resulting audit procedures when determining risk assessment.]

c. Assesses the risks of material misstatement of the financial statements independent of any understandingof the client or the clients' environment. [This answer is incorrect. The auditor should obtain a sufficient

understanding of the client and its environment sufficient to identify and assess the risks of material

misstatement of the financial statements.]

d. Performs more extensive procedures in higher�risk areas. [This answer is correct. The extent of theprocedures to be performed by the auditor should be based on the level of risk. The auditor shouldperform less extensive procedures on lower�risk areas and more extensive procedures onhigher�risk areas.]

2. John is working through the audit risk assessment process and is considering audit risk as well as fraud in a

financial statement audit. In which of the following Statements on Auditing Standards (SASs) will John find

assistance regarding these issues? (Page 4)

a. SAS No. 99. [This answer is correct. SAS No. 99 (AU 316) addresses the auditor's consideration offraud in a financial statement audit.]

b. SAS No. 106. [This answer is incorrect. SAS No. 106 (AU 326) addresses audit evidence and provides

guidance on matters such as definition of audit evidence, sufficiency and appropriateness of audit

evidence, and audit procedures for obtaining audit evidence.]

c. SAS No. 107. [This answer is incorrect. SAS No. 107 (AU 312) addresses audit risk and materiality in

conducting an audit and discusses matters such as communication of misstatements to management,communications to those in governance, and documentation requirements.]

d. SAS No. 108. [This answer is incorrect. SAS No. 108 addresses planning and supervision and includes

topics such as appointment of the auditor, overall audit strategy, and initial audit engagementconsiderations.]

3. Under the risk assessment standards, which of the following is the definition of the audit strategy the auditorwill employ to achieve the objectives of the audit? (Page 8)

a. A high�level determination of the audit approach by audit area. [This answer is correct. The auditstrategy (heretofore known as the audit plan) is the operational approach the auditor uses to achievethe objectives of the audit. The audit strategy is a high�level determination of the audit approach byaudit area. It includes the identification of audit areas with a greater risk of material misstatement,the overall responses to those greater risks, and the general approach to each audit area as beingeither substantive procedures, or a combined approach of tests of controls and substantiveprocedures.]

b. Used to determine the nature of audit procedures to be performed to obtain sufficient appropriate

evidence. [This answer is incorrect. The audit plan is used by the auditor to determine the nature of auditprocedures to be performed to obtain sufficient appropriate evidence.]


18

c. Identifies the timing of audit procedures to be performed by audit team members. [This answer is incorrect.

The auditor identifies the timing of audit procedures in the audit plan, not the audit strategy.]

d. Includes the extent of audit procedures necessary to obtain adequate appropriate evidence. [This answer

is incorrect. The audit plan is used to determine the extent of audit procedures needed to obtain adequateappropriate evidence.]

4. Which of the following is not classified as a further audit procedures in the risk assessment standards? (Page 9)

a. Substantive procedures. [This answer is incorrect. Substantive procedures are classified as one of thefurther audit procedures the auditor performs in response to the assessed risks to reduce the overall audit

risk to a low level.]

b. Tests of controls. [This answer is incorrect. Another of the further audit procedures the auditor performs

pursuant to the assessed risks to lessen the overall audit risk to an appropriately low level is test of

controls.]

c. General procedures. [This answer is incorrect. Further audit procedures the auditor performs in responseto the assessed risks to reduce the overall audit risk include other procedures sometimes referred to as

general procedures.]

d. Reasonable assurance. [This answer is correct. The risk assessment standards introduce otherterms that are not classified as further audit procedures. Those terms include reasonableassurance, audit evidence, those charged with governance, and sufficient, appropriate evidence.]

5. Bill is an auditor that wants to identify the documentation requirements he needs to consider when designing

an audit program. In which of the following standards, designed to work together with the risk assessmentstandards to increase the effectiveness of financial statement audits, will Bill find the information he is seeking?

(Page 11)

a. SAS No. 102. [This answer is incorrect. SAS No. 102 (AU 120) deals with defining professional

requirements in statements on auditing standards.]

b. SAS No. 103. [This answer is correct. SAS No. 103 (AU 339) requires the auditor to document thework performed, the audit evidence obtained and its source, and the conclusions reached.Furthermore, it establishes other documentation requirements that need to be considered whendesigning audit programs.]

c. SAS No. 109. [This answer is incorrect. SAS No. 109 (AU 314) addresses understanding the entity and itsenvironment and assessing the risks of material misstatement.]

d. SAS No. 110. [This answer is incorrect. SAS No. 110 (AU 318) covers performing audit procedures inresponse to assessed risks and evaluating the audit evidence obtained.]

6. What is the purpose of the Clarity Project? (Page 12)

a. To add new requirements related to risk assessment. [This answer is incorrect. The Clarity Project is not

expected to result in new requirements related to risk assessment.]

b. To simplify and align U. S. generally accepted auditing standards with international standards. [Thisanswer is correct. In response to growing concerns about the complexity of auditing standards andto converge U. S. generally accepted auditing standards with International Standards on Auditing(ISAs), the Auditing Standards Board (ASB) began a large scale project to revise all existingstandards and to design a format under which all new standards will be issued.]


19

THE PPC AUDIT PROCESS

Risk assessment requires auditors to use information gathered about the entity and its environment (including

internal control) to identify and assess the risks of material misstatement at both the overall financial statement andrelevant assertion levels, and to determine the nature, timing, and extent of further audit procedures needed to

respond to those risks. Further audit procedures are performed to obtain audit evidence to support the auditor's

opinion on the financial statements.

The PPC Audit Process

PPC has developed a practical approach to the audit process to address the requirements for risk assessment and

has designed practice aids to assist auditors in meeting those requirements. PPC's audit approach is designed tobe flexible and adaptable, allowing auditors to better leverage their knowledge of the client to tailor their audit

procedures. The audit approach has been divided into the broad steps illustrated in Exhibit 1�3.

Exhibit 1�3

The PPC Audit Process

* * *

Although the requirements and guidance may suggest a sequential process, the audit is a continuousprocess of gathering, updating, and analyzing information about the fairness of presentation of amounts and

disclosures in the client's financial statements. Therefore, the audit process is an iterative, nonlinear process,

whereby the required procedures may be performed concurrently with other procedures. In addition, risksshould be evaluated continuously throughout the audit.

The PPC audit process outlined in Exhibit 1�3 is incorporated in all of PPC's audit guides, including

specialized industry audit guides. Under the PPC audit approach, the auditor generally spends additionaltime on planning and risk assessment procedures to identify specific risks and develop targeted audit

procedures. However, the efficiencies obtained by using this approach should offset the additional planningtime required.


20

Applying the PPC Audit Process in Continuing Engagements

The PPC audit process illustrated in this course is based on practitioner input and is designed to helpsimplify the auditor's documentation and continued application of risk assessment. Firms should have

already applied the risk assessment standards on their audit engagements; nevertheless, auditors should

look for opportunities to modify procedures on continuing engagements to achieve greater efficiency oreffectiveness.

Auditors should carefully assess the results of their risk assessment efforts and determine how the firm'saudit process might be improved. The following paragraphs provide suggestions for improving the effi�

ciency and effectiveness of applying risk assessment on continuing engagements.

The auditor is required to perform risk assessment procedures to gain an understanding of the entity and its

environment, including internal control, to assess the risks of material misstatement. In many cases, consid�

erable effort may have been spent in performing risk assessment procedures to obtain and document thenecessary understanding during the initial year of implementation. In subsequent engagements, the auditor

is still required to perform risk assessment procedures to understand the entity and its environment;

however, the focus shifts slightly to determining whether changes have occurred that may affect the rele�vance of the information obtained in prior audits. Thus, auditors often focus their efforts in continuing

engagements on inquiries and walkthroughs to determine the extent of changes to prior year informationand the impact of those changes on their risk assessment.

The following is suggested when planning for continuing engagements:

� Consider best practices.

� Focus on changes in the entity and its environment since the prior engagement.

� Consider final risk assessments and the results of further audit procedures performed during theprior audit.

� Reconsider internal control testing.

� Look for efficiency opportunities.

Consider Best Practices. If the firm has formed a best practices team to assess practice issues andimprovement opportunities, the team should consider where the firm's audit processes might be modified

for both initial and recurring engagements. If a best practices team has not been formed, firm leadership

should consider assigning key audit personnel to perform an assessment to determine where improvementscould be made.

The team may want to consider matters such as the following:

� What inefficiencies were encountered? How can those inefficiencies be eliminated? Were extensive

risk assessment or further audit procedures performed and documented in areas that were notsignificant or had a relatively low level of inherent risk? Did teams have to modify initial risk

assessments based on the results of further audit procedures? If so, why?

� What improvements can be made in the firm's documentation process? If PPC practice aids areused by the firm without modification, do they need to be further modified to reflect firm policies?

� Did the firm take a primarily substantive approach in many of its engagements? Is that the mosteffective approach? Is it possible to design efficient tests of controls that can increase overall audit

effectiveness while reducing substantive procedures?

� What efficiencies were gained using a risk�based approach? Which of the approaches and methods

used by different engagement teams could be considered best practices for others to follow?


21

In addition, auditors may want to consider best risk assessment practices of other audit firms, for example,

by enrolling in best practices training opportunities. Thomson Reuters Tax & Accounting offers a number ofin�house training courses and conferences that focus on best practices. For more information, contact

Thomson Reuters at (800) 231�1860 or visit the website at www.trainingcpe.thomson.com.

Focus on Changes in the Entity and Its Environment. In subsequent audits where the auditor uses

information about the entity and its environment obtained during the previous audit, the auditor's focus whenperforming risk assessment procedures is on determining whether changes have occurred that may affect

the relevance of the prior information. Therefore, the auditor should consider whether the nature and extent

of risk assessment procedures should change in the subsequent period. Usually, the auditor will makeinquiries of relevant and knowledgeable key personnel and perform walkthroughs to identify and evaluate

changes. In some cases, the auditor may determine that the extent of inquiries needed in a subsequent

engagement might be less than what was needed during a prior engagement. However, the auditor shoulduse care in determining the nature and extent of risk assessment procedures in subsequent audits. There

may be new information or factors that suggest an element of change requiring the auditor to perform morerobust risk assessment procedures to obtain a sufficient understanding.

Consider Final Risk Assessments and the Results of Further Audit Procedures from the Prior Audit. Ifthe auditor's assessment of the risk of material misstatement was revised during the previous audit as

additional audit evidence was obtained, the auditor should determine what impact that may have on riskassessment procedures in the current audit. For example, if an assertion for an audit area was deemed to

have a higher level of risk of material misstatement based on the results of substantive procedures, and the

initial risk assessment was consequently revised (and documented), it may be appropriate to modify the riskassessment procedures relating to that assertion during the planning phase of the subsequent audit to

ensure an appropriate understanding of the risks. Likewise, if the final assessed risk in the prior audit waslower than initially planned, the auditor might consider reducing the extent or changing the nature of risk

assessment procedures in the current year. In other words, the extent and nature of procedures should

generally go hand�in�hand with the degree of risk for an audit area or assertion.

Reconsider Internal Control Testing. In continuing engagements, auditors should take a fresh look at theselection of further audit procedures applied in the previous audit. In some cases, the auditor might have

decided that performing substantive procedures alone was effective and more efficient than a combined

approach consisting of tests of controls and substantive procedures. For the subsequent audit, as part of theplanning process, the auditor should reevaluate that decision considering both the current year risk assess�

ment and the efficiency and effectiveness of the procedures performed in the prior audit. In some cases, as

the auditor gains more experience in understanding controls, designing efficient and effective control tests,and reducing substantive procedures based on the results of those tests, he or she may decide that internal

control testing is the most effective and efficient strategy.

Look for Efficiency Opportunities. When appropriate, some auditors ask clients to review and update thedocumented understanding of the entity and its environment, including internal control, from the previous

audit. When doing this, auditors should normally only provide the client with those portions of the workpa�

pers that reflect the documented understanding. Typically, auditors should not provide the client withsections of the workpapers that describe the auditor's risk assessment procedures and conclusions.

Auditors may wish to emphasize to their clients the importance of self�assessing their financial reporting

risks and internal control systems. Management's risk assessment is a key component of internal control. A

documented client self�assessment of risks and internal control procedures can jump�start the auditor's riskassessment process, contribute to audit efficiency, and help minimize audit fees for the client.

If the client is asked to review and update the documentation of the auditor's understanding of the entity and

its environment, including internal control, or performs and documents a self�assessment of financial report�

ing risks and the internal control system, the auditor still must perform sufficient risk assessment procedures,based on his or her judgment, to confirm any changes and to evaluate the design and implementation of

controls that the client indicates are in place.


22


23

SELF�STUDY QUIZ

Determine the best answer for each question below. Then check your answers against the correct answers in the

following section.

7. PPC has developed a practical approach to the audit process to assist auditors in meeting the requirements

of the risk assessment standards. This approach has been divided into eight broad steps. Susan is auditing

Byron Electronics Corporation and has performed procedures regarding acceptance/ continuation of the clientrelationship, evaluated compliance with ethical requirements, and established an understanding with the client

in an engagement letter (Step1). Her next step is to:

a. Gather information to understand and evaluate the design and implementation of the entity's internal

control system.

b. Synthesize pertinent information, identify risks that could result in material misstatement of the financial

statements, and develop an overall audit strategy.

c. Establish planning materiality and perform risk assessment procedures to gather information about theentity and its environment that may be relevant in identifying risks of material misstatement of the financial

statements.

8. Which of the following best describes the PPC audit process?

a. A sequential process.

b. An iterative, nonlinear process.

9. Which of the following is suggested when planning for continuing engagements following the implementation

of the risk assessment standards?

a. Focus on changes to the entity and its environment since the prior engagement.

b. Use the same audit procedures applied in the previous audit.

c. Provide the client with those portions of the workpapers that describe the auditor's risk assessmentprocedures and conclusions.

d. Rely on best practices developed during the initial implementation of the risk assessment standards.

10. Which of the following statements regarding best practices teams is considered to be accurate?

a. If a best practices team has been formed, consideration should be given to where the firm's audit

processes could possibly be modified during subsequent periods for initial engagements; however, suchaction is not recommended for recurring engagements.

b. If a best practices team has not been formed, consideration should be given to assigning key audit

personnel to perform an assessment to determine where improvements are needed.


24



7. PPC has developed a practical approach to the audit process to assist auditors in meeting the requirementsof the risk assessment standards. This approach has been divided into eight broad steps. Susan is auditing

Byron Electronics Corporation and has performed procedures regarding acceptance/ continuation of the client

relationship, evaluated compliance with ethical requirements, and established an understanding with the clientin an engagement letter (Step 1). Her next step is to: (Page 19)

a. Gather information to understand and evaluate the design and implementation of the entity's internalcontrol system. [This answer is incorrect. Gathering information to understand and evaluate the design

and implementation of the entity's internal control system is Step 3 in PPC's audit approach.]

b. Synthesize pertinent information, identify risks that could result in material misstatement of the financialstatements, and develop an overall audit strategy. [This answer is incorrect. Synthesizing pertinent

information, identifying risks that could result in material misstatement of the financial statements, anddeveloping an overall audit strategy is Step 4 in PPC's audit approach. The auditor has other decisions

to make before performing this step.]

c. Establish planning materiality and perform risk assessment procedures to gather information aboutthe entity and its environment that may be relevant in identifying risks of material misstatement ofthe financial statements. [This answer is correct. This is Step 2 in PPC's audit approach. This stepmust be performed to acquire the information needed to understand and evaluate the design andimplementation of the entity's internal control system (Step 3).]

8. Which of the following best describes the PPC audit process? (Page 19)

a. A sequential process.[This answer is incorrect. Even though the requirements and guidance may suggest

a sequential process, the PPC audit process is a continuous process of gathering, updating, and analyzinginformation about the fairness of presentation of amounts and disclosures in the client's financial

statements.]

b. An iterative, nonlinear process. [This answer is correct. The PPC audit process is an iterative,nonlinear process, whereby the required procedures may be performed concurrently with otherprocedures. Also, risks should be evaluated continuously throughout the audit.]

9. Which of the following is suggested when planning for continuing engagements following the implementation

of the risk assessment standards? (Page 21)

a. Focus on changes to the entity and its environment since the prior engagement. [This answer iscorrect. In continuing audits where the auditor uses information about the entity and its environmentobtained during the previous audit, the auditor's focus when performing risk assessmentprocedures is on determining whether changes have occurred that may affect the relevance of theprior information.]

b. Use the same audit procedures applied in the previous audit. [This answer is incorrect. When planning for

continuing engagements, the firm should consider final risk assessments and the results of further auditprocedures performed during the prior audit when planning for the current engagement.]

c. Provide the client with those portions of the workpapers that describe the auditor's risk assessment

procedures and conclusions. [This answer is incorrect. The firm should look for efficiency opportunitiesand should normally only provide the client with those portions of the workpapers that reflect the

documented understanding. In general, the firm should not provide the client with sections of theworkpapers that describe the auditor's risk assessment procedures and conclusions.]


25

d. Rely on best practices developed during the initial implementation of the risk assessment standards. [This

answer is incorrect. The firm should consider best practices and the team should consider where the firm'saudit processes might be modified during subsequent periods for both initial and recurring engagements.]

10. Which of the following statements regarding best practices teams is considered to be accurate? (Page 21)

a. If a best practices team has been formed, consideration should be given to where the firm's audit

processes could possibly be modified during subsequent periods for initial engagements; however, suchaction is not recommended for recurring engagements. [This answer is incorrect. When a best practices

team was formed during the initial period of implementation of the risk assessment standards,consideration should be given to where the firm's audit processes could possibly be modified during

subsequent periods for both initial engagements and recurring engagements.]

b. If a best practices team has not been formed, consideration should be given to assigning key auditpersonnel to perform an assessment to determine where improvements are needed. [This answeris correct. If a best practices team has not been formed, consideration should be given to assigningkey audit personnel to perform an assessment to determine where improvements could be madeas well as what went right.]


26

EXAMINATION FOR CPE CREDIT

Lesson 1 (GRATG101)

Determine the best answer for each question below. Then mark your answer choice on the Examination for CPECredit Answer Sheet located in the back of this workbook or by logging onto the Online Grading System.

1. Four auditors are performing an audit under the risk assessment standards. Sally is relying on her extensiveauditing experience to perform a successful audit. James is counting on careful planning for his success. Andy

is relying on his exceptional organizational skills. Robert is depending on his creative strengths for a successfulaudit outcome. Which auditor's approach is most important in achieving a successful audit under the risk

assessment standards?

a. Sally.

b. James.

c. Andy.

d. Robert.

2. It is normally more effective and efficient to have risk assessments and planning documents prepared by:

a. An experienced auditor on the engagement team.

b. The head of the engagement team.

c. The entire engagement team.

d. Any auditor on the engagement team.

3. Of the following standards, which one modifies guidance pertaining to the auditor's judgment about theestablishment of tolerable misstatement for a specific audit procedure and the application of sampling to tests

of controls?

a. SAS No. 108.

b. SAS No. 109.

c. SAS No. 110.

d. SAS No. 111.

4. Under the risk assessment standards, which of the following is least likely to be classified as a significant risk

requiring special audit consideration?

a. Transactions that are nonroutine.

b. Transactions involving complex matters.

c. Transactions subject to systematic processing.

d. Transactions involving judgmental matters.


27

5. According to SAS No. 106, risk assessment procedures consist of all the following except:

a. Inquiry.

b. Observation.

c. Comparison.

d. Inspection.

6. An unconditional requirement in the risk assessment standards would be indicated by which of the following

statements?

a. The auditor should perform the audit in order to obtain reasonable assurance of detecting misstatements

that could be material to the financial statements.

b. The audit must be planned by the auditor so that it is responsive to the assessment of the risk of material

misstatement based on the understanding of the entity and its environment, including its internal control.

c. Sufficient appropriate audit evidence should be obtained by the auditor by performing audit procedures

to afford a reasonable basis for an opinion regarding the financial statements under audit.

d. Audit risk and determining audit materiality should be considered by the auditor when designing audit

procedures and evaluating the fairness of the financial statements.

7. SAS No. 99 (AU 316) includes presumptive mandatory requirements that affect the auditor's risk assessmentprocess. Which of the following key requirements for risk assessment related to fraud is inaccurate?

a. Evaluate the entity's programs and controls that address identified risks of material misstatement due tofraud and base, in part, the assessment of risks on that evaluation.

b. Make inquiries of management and others concerning fraud risks to gather information necessary toidentify risk of material misstatement due to fraud.

c. Discuss with audit team members how/where the entity's financial statements could fall victim to materialmisstatement due to fraud.

d. Conduct an evaluation at the beginning of the audit and decide if the results of auditing procedures and

other observations to be performed affect the assessment of the risk of material misstatement due to fraud.

8. Curtis is performing an audit under the risk assessment standards and has synthesized the information

gathered, identified risks that could result in material misstatement of the financial statements, and developed

an overall audit strategy. What is the next step Curtis should take using PPC's audit approach to the auditprocess that addresses the requirements of the risk assessment standards?

a. Develop and perform appropriate response to the assessed risks of material misstatement of the financial

statements.

b. Evaluate audit findings and evidence.

c. Assess the risks of material misstatement of the entity's financial statements.

d. Prepare required reports and communications.


28

9. Which of the following statements is accurate regarding application of the PPC audit process in continuing

engagements?

a. The risk assessment standards do not need to be addressed on continuing engagements since they were

performed and documented on the initial engagement.

b. Even when the risk assessment standards have been applied on continuing engagements, auditors

should seek opportunities to modify procedures on continuing engagements to achieve greater efficiencyand effectiveness.

c. Do not select this answer choice.

d. Do not select this answer choice.

10. In continuing engagements where the risk assessment standards have been implemented, auditors many

times place emphasis on which of the following to determine the extent of changes to prior year informationand their impact on the current risk assessment?

a. Inquiries and walkthroughs.

b. Research and analysis.

c. Experience.

d. Professional judgment.

11. If the client performs and documents a self�assessment of financial reporting risks and the internal control

system, the auditor:

a. Is not required to perform risk assessment procedures or to confirm changes to or evaluate the design and

implementation of controls that the client indicates are in place.

b. Must still perform sufficient risk assessment procedures, based on professional judgment, to confirm any

changes and to evaluate the design and implementation of controls that the client indicates are in place.




29

Lesson 2: Tests of Controls and Making a ControlRisk Assessment

INTRODUCTION

The understanding of the entity and its environment, including its internal control, and the auditor's risk assess�ment, are used in selecting further audit procedures responsive to risks of material misstatement at the relevantassertion level. This lesson discusses further audit procedures, which include tests of controls and substantiveprocedures. Substantive procedures include tests of details and substantive analytical procedures. The lesson alsodiscusses summarization and evaluation of audit differences.

This lesson discusses tests of the operating effectiveness of controls, including circumstances when tests ofcontrols should be performed and circumstances when testing controls would be unnecessary or inefficient. Thelesson discusses the nature of tests of controls, including inquiry and observation, inspection of documents,walkthroughs, review of reconciliations and similar bookkeeping routines, and reperformance of control activities.It also discusses other considerations that are relevant when a decision is made to test controls, including the useof sampling in tests of controls, rotation of tests of controls when evidence from prior audits is used, efficiencyopportunities in testing controls, documentation requirements, and related PPC Practice Aids. The timing andextent of tests of controls is also discussed.

This lesson gives guidance on making a control risk assessment, including guidance on considering the amount ofaudit evidence necessary to support the control risk assessment and the effect of the control risk assessment onsubstantive procedures.

This lesson also discusses substantive procedures, including substantive procedures required in every audit; thenature, timing, and extent of substantive procedures; selecting appropriate substantive procedures; and choosingbetween analytical procedures and substantive tests of details.

After performing further audit procedures, the auditor summarizes and evaluates any audit differences identified bythose procedures. This lesson discusses the different types of audit differences, aggregating audit differences, andevaluating the materiality of audit differences in relation to the financial statements. This lesson also discussesdocumentation requirements related to summarization, evaluation, and communication of audit differences tomanagement. Exhibits present forms for documenting the evaluation and communication of audit differences.

LEARNING OBJECTIVES:

Completion of this lesson will enable you to:� Determine when tests of controls should be performed and identify efficiency opportunities in testing controls.� Identify the factors involved in determining a control risk assessment.� Recognize appropriate substantive procedures.

TESTS OF CONTROLS

This lesson explains that the auditor's understanding of the five components of internal control obtained as part ofthe risk assessment process, should include the entity's programs and controls that address identified fraud risksand other significant risks. It also explains that an understanding of control activities is important at the relevantassertion level for detailed planning of the nature, timing, and extent of further audit procedures. SAS No. 109 (AU314.40) states that the understanding should include an evaluation of the design of controls and a determination ofwhether they have been implemented.

The evaluation of control design and implementation serves a different purpose than tests of controls. Theevaluation of control design and implementation, which is accomplished through the performance of risk assess�ment procedures, is necessary to assess the risk of material misstatement of the financial statements. The com�bined risk of material misstatement includes a control risk component. Based on that assessment, the auditor


30

determines which further audit procedures to perform. Further audit procedures may include tests of the operatingeffectiveness of controls (that is, tests of controls), as well as substantive procedures.

Unlike the evaluation of control design and implementation, which is required in every audit, tests of controls, whichare categorized as further audit procedures, are not required in every audit. Tests of controls are performed whenthe auditor plans to rely on their operating effectiveness when designing substantive procedures. In addition, whencontrol tests are performed, controls would not generally be tested for every significant class of transactions,account balance, disclosure, or relevant assertion, but only for those with respect to which the auditor plans to limitsubstantive procedures in reliance on the related controls.

In addition, as explained in SAS No. 110 (AU 318.26), testing the operating effectiveness of controls is different fromobtaining evidence that controls have been implemented. Implementation means that the controls exist and arebeing used. Operating effectiveness relates to how and by whom controls are applied and the means by which, andconsistency with which, the controls are applied.

After testing controls, the auditor evaluates the sufficiency and appropriateness of audit evidence obtained and,based on that evidence, reaches a conclusion about the operating effectiveness of the controls tested. If necessary,the auditor modifies the initial control risk assessment (and combined risk of material misstatement) and reconsid�ers the nature, timing, and extent of planned substantive procedures.

Practical Considerations for Tests of Controls

Auditors may ask the following questions with respect to tests of controls, which are answered in this lesson:

� When is it necessary or required to test controls?

� To what extent can the control risk assessment be reduced based on risk assessment proceduresperformed to understand the design and implementation of controls?

� When is it not efficient to test controls?

� How can controls be tested most efficiently?

� If controls are tested, how extensive should the tests be? Also, how much evidence is necessary to reducethe control risk assessment to �moderate" or �low" rather than �high?"

� For what periods of time should tests of controls be performed?

� Can evidence obtained from tests of controls in prior audits be used in the current audit?

� How much audit effort can be saved by reducing the control risk assessment to �moderate" rather than�high?"

� What are the documentation requirements related to tests of controls, and how can the auditor documenttests of controls?

Basic Approach to Tests of Controls

The following basic steps normally apply when considering tests of controls:

Step 1 Identify audit areas where tests of controls are necessary or efficient.

Step 2 Decide which controls to test.

Step 3 Select appropriate procedures.

Step 4 Perform tests of controls.


31

Step 5 Evaluate the results of the tests and, if necessary, revise the initial control risk assessmentand the risk of material misstatement.

Step 6 Document the tests of controls.

This approach is illustrated in Exhibit 2�1.

Exhibit 2�1

Basic Approach to Tests of Controls

* * *

These steps may overlap or be performed in a varying order. For example, based on the initial audit strategy, theauditor may decide to test operating effectiveness concurrently with evaluating design and implementation. Audi�tors often decide which controls to test (Step 2) when considering whether testing will be efficient (Step 1). Also,documentation of the tests of controls (Step 6) might be done as the work progresses. However, the step�by�stepapproach to tests of controls presents a logical framework for the considerations that are normally required. Theremainder of this lesson discusses each of those steps in further depth.

Identifying Where Tests of Controls Are Necessary or Efficient

SAS No. 110 (AU 318.23) indicates that tests of controls should be performed in the following situations:

a. When the auditor's assessed risk of material misstatement includes an expectation that controls areoperating effectively. In that case, audit evidence is obtained to support the operating effectiveness of thosecontrols. In other words, the understanding of internal control design and implementation allows theauditor to make an initial assessment that incorporates the auditor's expectations about the operatingeffectiveness of controls. When the auditor makes a reduced control risk assessment based on that initialassessment, the auditor performs tests of controls to obtain the necessary audit evidence to support thatexpectation.

b. When substantive procedures alone do not provide sufficient appropriate evidence at the relevant assertionlevel (that is, when substantive procedures alone are not effective).


32

The auditor decides whether to test controls for relevant assertions in each audit area based on the preliminaryassessment of the risk of material misstatement. In other words, the decision to test controls is made on anassertion by assertion basis for each audit area. Those decisions may result in audit responses at the relevantassertion level that consist of substantive procedures alone or a combination of substantive procedures and testsof controls.

Expectation of Operating Effectiveness. The auditor needs to know enough about internal control to assess therisk of material misstatement for relevant assertions for account balances, transaction classes, and disclosures.What exactly does it mean to say the auditor's risk assessment includes an expectation of operating effectiveness?When the auditor's risk assessment for a relevant assertion in an audit area includes an expectation of the operatingeffectiveness of controls, it means that the auditor has:

� Obtained a sufficient understanding of the specific controls that are likely to prevent or detect and correctmaterial misstatements in the relevant assertion.

� Evaluated the design of those controls and is satisfied that they are capable of preventing or detecting andcorrecting a material misstatement in the relevant assertion.

� Determined that the controls exist and are being used.

� Decided to rely on the effective operation of those controls when designing substantive procedures.

In other words, the auditor plans to reduce the control risk assessment based on the expectation that controls areoperating effectively and design substantive procedures that provide sufficient additional audit evidence to reducedetection risk to an appropriately low level. In order to reduce the control risk assessment, the auditor should obtainaudit evidence supporting his or her expectation that such controls are operating effectively. Therefore, the auditapproach consists of a combination of tests of controls and substantive procedures that provide sufficient auditevidence about the assertion being tested.

An expectation of operating effectiveness typically means that the auditor's planned control risk assessment is lessthan high. In some cases, the combined risk of material misstatement can be assessed at a moderate or low leveleven though control risk is assessed as high. That might be the case, for example, when inherent risk is low ormoderate. In that case, there is no expectation of operating effectiveness and, thus, no tests of controls would beperformed. The auditor would design substantive procedures that address the combined assessed level of riskwithout considering the effectiveness of controls.

There may be instances when the auditor is unable to identify controls in place that would prevent or detect andcorrect material misstatements in specific relevant assertions. In such cases, which may occur in very small entities,testing controls would not be a consideration. However, SAS No. 110 (AU 318.10) states that in cases involving verysmall entities where the auditor has not identified many control activities, the auditor should consider whether in theabsence of controls, it is possible to obtain sufficient appropriate audit evidence.

Without properly designed and implemented controls, the auditor does not have a basis for an expectation ofoperating effectiveness. Consequently, reliance on controls in that situation is not appropriate and control risk isnormally assessed as high.

The auditor may conclude that controls are appropriately designed and implemented, but may nevertheless decidethat additional tests of operating effectiveness are not warranted. In that case, the auditor does not include his orher expectation of operating effectiveness when making the risk assessment (that is, the auditor does not reducethe control risk assessment). Among other reasons, this decision might be based on the following:

� Materiality and inherent risk considerations.

� Feasibility of performing tests.

� Audit efficiency considerations.

Materiality and Inherent Risk Considerations. After gaining an understanding of the entity and its environment,including its internal control, the auditor first considers the materiality and inherent risk related to specific audit


33

areas or assertions when determining the appropriate response. A reduction of the extent of substantive proce�dures might be possible based on materiality considerations and the inherent risk assessment alone. In that case,no further attention to control risk or tests of controls would generally be necessary for those areas or assertions.For example, for accounts or classes of transactions that are not material, the auditor might determine, given thenature of the risks, that only limited procedures, such as the performance of preliminary and final analyticalprocedures, is the appropriate response. Also, if the inherent risk for relevant assertions for an account or class oftransactions is low, tests of controls might not be appropriate.

Feasibility of Performing Tests. In deciding whether to test controls, the auditor should consider whether the amountand persuasiveness of available evidence would be adequate to support the planned reduced control risk assess�ment. For example, based on the nature of the control, observation and inquiry may be the only procedures thatcan be used to determine effective operation. Obviously, if the auditor determines that the control needs to betested throughout the year, observing the performance of the control in past periods would not be possible. Sinceinquiry alone is not sufficient when testing controls, there may be insufficient persuasive evidence available tosupport a reduced assessment of control risk. Likewise, if the planned test of controls involves inspecting docu�ments, the auditor should be sure that such documentation is available for the entire period being audited.

Audit Efficiency Considerations. In some cases, the auditor may elect to exclude his or her expectation of operatingeffectiveness from the relevant risk assessment for efficiency reasons. That may be the case when testing theoperating effectiveness of controls would be inefficient and substantive procedures alone are considered effective.SAS No. 110 (AU 318.8) states the following:

In some cases, the auditor may determine that performing only substantive procedures isappropriate for specific relevant assertions and risks. In those circumstances, the auditor mayexclude the effect of controls from the relevant risk assessment. This may be because theauditor's risk assessment procedures have not identified any effective controls relevant to theassertion or because testing the operating effectiveness of controls would be inefficient.(Emphasis added)

Excluding the effect of controls from the relevant risk assessment would mean assessing control risk as highregardless of the auditor's expectation that controls may be operating effectively. In other words, even in situationswhere the auditor has made a preliminary assessment that controls may be operating effectively based on his orher evaluation of the design and implementation of controls that would be capable of preventing or detecting andcorrecting material misstatements, the auditor may ultimately decide to assess control risk as high for purposes ofaudit efficiency and perform only substantive procedures. In order to make that decision, however, the auditor mustbe satisfied that substantive procedures alone would be an effective response.

Even if testing the operating effectiveness of controls is deemed to be inefficient, the auditor should still performsufficient risk assessment procedures to have an appropriate basis for assessing the risk of material misstatement,including making the determination that substantive procedures alone are effective. The assessment is a focusedconsideration of what could go wrong at the assertion level. If the effect of controls is excluded from the relevant riskassessment, that means the auditor's response in substantive procedures has to be adequate to deal with all thosethings that the inherent risk assessment indicates could go wrong. Also, the risk assessment procedures per�formed have to be sufficient to obtain the understanding of the entity and its environment, including internal control,to make that decision. In other words, the assessment of the risk of material misstatement at the assertion levelcannot be made without the understanding of internal control. However, assuming substantive procedures aloneare effective, the auditor is allowed to perform substantive procedures only and not test controls even whencontrols are believed to be suitably designed and implemented.

Some auditors have traditionally adopted (or defaulted to) a strategy that focuses primarily on the use of substan�tive audit procedures based on a belief that substantive procedures alone are effective and testing controls wouldnever be efficient. The authors caution against such an attitude because it may result in overlooking opportunitiesfor greater audit efficiency and effectiveness. Since the auditor is required to obtain an understanding of internalcontrol, the auditor may identify controls that are capable of preventing or detecting and correcting materialmisstatements for relevant assertions. Even in small entities, effective controls may exist that could impact thenature, timing, or extent of substantive procedures. Auditors should thoughtfully consider the results of their


34

understanding of internal control when making a decision about the feasibility or efficiency of testing controls.Decisions about testing controls should normally be made on an assertion�by�assertion level based on thepreliminary assessment of control risk. Therefore, efficiency decisions should normally be considered at theassertion level rather than at a global level for the entity as a whole. Also, even in situations where the auditor mayinitially conclude after performing risk assessment procedures that testing controls would not be efficient for anaudit area, subsequent audit evidence might reveal that testing controls would either be more efficient or would berequired to adequately address audit risk.

The auditing standards do not provide guidance for determining when tests of controls would be efficient. (TheAICPA Risk Assessment Audit Guide does, however, provide some considerations that are incorporated into thefollowing discussion.) In practice, tests of controls (specifically, tests of transactions) ordinarily are efficient in thefollowing circumstances:

� The volume of transactions is relatively high.

� The transactions are recurring and relatively uniform within the transaction class.

� The transactions are not complex.

� The transactions are routinely processed in information systems with well�designed control activities.

� The entity's control environment, monitoring, and risk assessment processes are conducive to effectivecontrols.

In those circumstances, it may be efficient to assess the risk of material misstatement with an expectation of theoperating effectiveness of controls, that is, to assess control risk at less than high and test controls. Anothercircumstance that may lend itself to efficient tests of controls is the situation where key controls for preventing ordetecting and correcting material misstatements consist primarily of high level monitoring or other entity�levelcontrols that are easy to test.

In some cases, the auditor may determine that it is both more effective and more efficient to test controls than toperform extensive substantive procedures. The AICPA Risk Assessment Audit Guide provides two examples:

� Inventory cost methods that create layers of costs, such as LIFO and FIFO.

� Financial services firms with extensive customer trading accounts.

In situations such as these, the auditor may determine that tests of controls would permit a substantial modificationin substantive procedures, such as a change in the nature (e.g., using substantive analytical procedures in lieu ofextensive tests of details for the inventory example) or extent (e.g., reducing the number of confirmations sent forthe financial services firm example) of procedures and would result in a more effective, as well as more efficient,audit.

When considering whether tests of controls would be efficient, the auditor evaluates the following cost/benefitfactors:

� Impact on Substantive Procedures. By performing tests of the operating effectiveness of controls, theauditor may be able to alter the nature, timing, or extent of substantive procedures. For example, when theauditor uses sampling in planned substantive procedures, sample sizes will generally be lower when theauditor tests the operating effectiveness of controls. The lower level of assessed risk allows the auditor toreduce the confidence levels required in sampling applications.

� Relevant Costs. When determining a preliminary audit strategy, some auditors may mistakenly believe thata decision to not test the operating effectiveness of controls will eliminate some or much of the need toobtain a sufficient understanding of internal control. The auditor is required to obtain an understanding thatincludes an evaluation of the design of controls and determination about whether they have beenimplemented. Therefore, the relevant cost in an efficiency decision is only the incremental cost of testingthe operating effectiveness of controls.


35

� The Need to Test Indirect or Complementary Controls. When considering the cost of testing controls,auditors should not lose sight of the possible need to obtain audit evidence about information that allowsthe effective operation of those controls. For example, if the credit manager makes credit approvaldecisions on new or subsequent customer orders based on an internally developed credit approval ratingsystem, the auditor may need to understand, and possibly test, the controls over the rating system inaddition to testing the approval process. Furthermore, when testing automated application controls, theauditor would need to consider the effective functioning of general controls.

� Whether Controls Have Changed during the Audit Period. During the audit period, an entity may redesignits controls or implement new controls. SAS No. 110 (AU 318.26) indicates:

If substantially different controls were used at different times during the period underaudit, the auditor should consider each separately.

The need to design and perform control tests on controls that changed during the period may have asignificant impact on efficiency considerations. For example, the same test may not be effective both beforeand after the control change and, therefore, two or more different tests may be needed.

� The Impact on Future Audits. An auditor may be able to use audit evidence from tests of controls over athree�year period, subject to certain conditions. Therefore, auditors may not want to isolate theircost�benefit analysis to only the current audit in continuing engagements where controls are not expectedto change significantly from year to year. In those cases, the benefits from reduced substantive proceduresmay be realized for three years if controls can be rotationally tested.

� Whether Assertions Can Be Tested Using Computer�Assisted Audit Techniques. Some auditors believe thatwhen using computer�assisted audit techniques (CAATs), some account balances or transaction classescan be audited 100% more efficiently than by testing controls in order to reduce the extent of substantiveprocedures. However, where the information used to perform the substantive procedures is produced bythe entity's information system, the auditor should obtain evidence about the information's accuracy andcompleteness. Also, the auditor's use of CAATs does not eliminate the need to have an understanding ofthe controls over the system, including IT general controls and particularly the portion of the system thatgenerated the copy of the file being tested by CAATs.

� Client Expectations. An auditor might test controls for reasons other than audit purposes. For instance, theclient may specifically engage the auditor to test controls. Or the client may have expectations that controlswill be tested, and the auditor may decide to do so only to meet those expectations as a client service andto provide added value. In such cases, the auditor tests controls even though the auditor would nototherwise have done so.

Substantive Procedures Alone Do Not Provide Sufficient Audit Evidence. SAS No. 109 (AU 314.117) indicatesthat auditors should identify those risks for which it is not possible or practicable to reduce detection risk at therelevant assertion level to an acceptably low level with audit evidence obtained only from substantive procedures.That is, auditors should identify risks for which substantive procedures alone are not effective. Those risks oftenoccur in audit areas in which there is highly automated processing with little or no manual intervention. Therefore,due to the importance of effective controls over accuracy and completeness in processing, it may not be practical,or even possible, to perform only substantive procedures without testing controls.

Examples of When Testing Controls May Be Necessary. The auditor may decide that it is necessary to test controlswhen an entity's accounting data and corroborating evidence are available only in electronic form that is notretrievable after a period of time (for example, when a significant amount of information supporting one or morefinancial statement assertions is electronically initiated, authorized, recorded, processed, or reported and relatedaudit evidence exists only in electronic form). In such cases, the appropriateness and sufficiency of the auditevidence usually depend on the effectiveness of controls over their accuracy and completeness, and tests of thecontrols may be necessary. For example, it may be necessary to perform tests of controls when an entity uses thecomputer to initiate orders for goods based on predetermined rules and pays the related payables based onelectronic information in transactions concerning receipt of goods, and no other documentation of orders orreceipts is produced or maintained.


36

Some auditors believe that in small business audits, the risk of theft of cash is such that it is usually necessary to testcontrols over cash receipts and disbursements. For example, with respect to revenues received primarily in cash(such as those of some fast food restaurants or charitable organizations) it may be difficult to limit audit risk for thecompleteness assertion to an appropriate level without an assessed level of control risk at less than high. If auditorsbelieve that there is a significant risk of error or theft of cash through cash disbursements, they may test high�levelcontrols, such as the reconciliation routine, segregation of duties, and management oversight of the process. Theymay also test a selection of disbursements for those controls designed to prevent or detect theft (such as evidenceof an invoice and evidence of proper authorizations), as well as for proper account coding. If the tests of transac�tions show the controls to be operating effectively, the auditor may be able to assess control risk at less than highand reduce the extent of vouching in other audit areas. For example, an auditor might assess control risk foroccurrence and classification of expenses at less than high based on an adequate control environment and testsshowing effective controls over disbursements.

Deciding Which Controls to Test

The most efficient and effective approach to deciding which controls to test is to take a top�down approach. Beginwith the financial statements and identify the significant accounts and disclosures. Then identify the significanttransaction classes and processes that result in those accounts and disclosures. Within those transaction classesand processes, identify the controls that individually or in combination with other controls prevent, or detect andcorrect, material misstatements in the relevant assertions related to identified risks. This approach should result inemphasizing the areas in which material misstatements are most likely to occur.

It is also efficient and effective to consider company�wide or entity�level controls before testing control activities.One reason to take this approach is that if the controls at the top level are poor, it creates an environment that is notconducive to effective controls, and even well�designed and implemented control activities might not be effective.In that case, testing control activities may not be productive. Another reason is that some controls at the top mightoperate at a direct and detailed enough level to reduce the risk of material misstatement at the relevant assertionlevel. If that is the case, it might be easier and more efficient to test the entity�level controls than control activities, ortesting those controls might at least permit a reduction in the extent of testing control activities.

The remainder of this lesson discusses the following aspects of deciding which controls to test:

� Test only those controls that are suitably designed and implemented.

� Test controls within significant processes, but do not test process steps independently of those controls.

� Test controls relevant to the risks of material misstatement of relevant assertions.

� Test the key controls that are relevant to the identified risks.

� Consider the need to test indirect or complimentary controls that support the effective operation of controlactivities being tested.

� If several controls yield equivalent evidence, test the easy�to�test controls.

Improperly Designed Controls or Controls Not Implemented. SAS No. 110 (AU 318.25) emphasizes that onlyeffectively designed controls should be tested for operating effectiveness. Specifically, it states:

Tests of operating effectiveness of controls are performed only on those controls that the auditorhas determined are suitably designed to prevent or detect a material misstatement in a relevantassertion.

There is no benefit to testing the operating effectiveness of a control that is inappropriately designed to prevent ordetect a material misstatement in a relevant assertion. Even if an improperly designed control could be found to beconsistently applied and operating as designed throughout the year, no amount of testing will transform it into acontrol that is capable of preventing or detecting misstatements.


37

Also, there is no benefit in testing a control that has not been properly implemented. For example, an auditor mightconclude that the documentation of controls in the client's accounting procedures manual indicates that controlsare effectively designed to address risks of material misstatement and satisfy relevant control objectives. However,when determining whether the controls are implemented by performing various risk assessment procedures, theauditor finds that the controls, as designed, are not properly communicated or followed. In that case, tests of thosecontrols would not be performed.

Tests of Controls versus Processes. When designing and performing tests of controls, auditors should ensurethat the item being tested is, in fact, a control and not a processing step. A process is best described by example.A process would be the coding of an invoice by the accounts payable clerk and the subsequent input to thepayable system. A control, however, addresses the risk of what could go wrong in the process, and by doing so iteither prevents or detects and corrects misstatements that could occur as a result of processing the transaction. Inthe accounts payable area, examples of controls include supervisory review of the amounts input and accountcoding, the use of programmed restrictions in the accounts payable system that limit which accounts are eligible forcoding, or programmed edit routines that detect input amounts that do not agree to underlying purchase orders.While this concern is more appropriately addressed when evaluating the design and implementation of controls,auditors should take care that their control tests do not incorporate a process without a corresponding control.

Controls Relevant to Identified Risks. The focus of control testing should be on controls that are relevant to risksthe auditor has identified (that is, the risk that the assertion is misstated). The auditor does not always have to testall the control activities relating to an assertion to assess control risk at less than high. For fraud risks or othersignificant risks, as well as risks for which substantive procedures alone are not adequate, the auditor should obtainan understanding of the design and implementation of the related controls, which can serve as a basis fordetermining which controls to test.

Key Controls. The auditor should focus on those controls that are key in preventing or detecting material misstate�ments in the financial statements. Key controls often include actions of supervisors and senior management andmay include documentation of supervision, budgeting, reporting, review, etc., that can be easily tested by inquiry,observation, and inspection of reports and documents. Not only are such controls easier and more efficient to test(such as by reviewing the client's investigation and variance reports) than are detailed tests of transactions, but thetests may provide more assurance about the controls than tests of transactions. For example, management mayprepare budgets, periodically compare them to actual results, and investigate significant variations in a timelymanner, or management may compare financial statement results to relevant operational data, such as comparingunits or hours billed to units shipped or hours charged. Reports of the variations, investigative actions, explanationsof the variations resulting from the investigations, and corrective actions taken may provide evidence of the effectiveoperation of the control. Such a control may be a key one with respect to the reasonableness of revenues orexpenses.

Control Activities and Complementary Controls. When considering which controls to test for an audit area, theauditor generally focuses on control activities. Paragraph 6.10 of the AICPA Risk Assessment Audit Guide indicates:

When designing tests of controls, typically you will focus first on testing control activities, sincethe control activities component of internal control is the one most directly related to theassertion. For example, physically counting goods that have been received and comparing thequantity and description to the vendor's packing slip is directly related to both the existence andvaluation of inventory.

In addition to the direct test of a control activity, SAS No. 110 (AU 318.31) indicates the following:

In designing tests of controls, the auditor should consider the need to obtain audit evidencesupporting the effective operation of controls directly related to the relevant assertion as well asindirect controls on which these controls depend.

Paragraph 2.59 of the AICPA Risk Assessment Audit Guide refers to these indirect controls as complementary

controls. It explains that each complementary control has a direct but limited effect on achieving a control objective,but in combination achieve the control objective. That is, complementary controls do not directly address a control


38

objective but rather, enable the effective functioning of the controls that do directly address a control objective.Thus, both controls need to be tested.

Indirect or complementary controls may include:

� Controls over the accuracy and completeness of information used in the performance of the direct control.

� IT general controls.

� Segregation of duties.

� The control environment.

Determining whether to test complementary controls and the nature and extent of those tests requires judgment.Some of the factors that might be considered when making such decisions are:

� Significance of the Complementary Control to the Effective Functioning of the Direct Control. Thesignificance of a complementary control to the effective functioning of the related direct control may varygreatly depending on the situation. Obviously, as the degree of significance increases, the need for auditevidence about the complementary control also increases. In some situations, such as for IT applicationand general controls, the conclusion reached on the operating effectiveness of the direct (application)control may be based primarily on the audit evidence related to the complementary (general) control.

� Degree of Assurance Required from Tests of Operating Effectiveness. If the auditor requires a greaterdegree of reliability or assurance from the tests of operating effectiveness, the degree of audit evidenceneeded about complementary controls should also increase.

� Evidence Obtained through Risk Assessment Procedures. When the auditor performs risk assessmentprocedures to understand the direct control, evidence about the operating effectiveness of complementarycontrols might also be obtained. In certain situations, the auditor might possibly determine that sufficientevidence about the complementary controls has been obtained from risk assessment procedures aloneafter considering the factors previously discussed.

When evaluating whether to test a control activity from an efficiency perspective, the auditor should consider theadditional costs of testing complementary controls to determine if testing is cost effective. For example, the auditordetermines that the client's cash reconciliation is a key control that, if operating effectively, will allow a modificationin the nature of substantive procedures for cash. The reconciliation, research, and resolution of identified issues isthe key control, but the effective operation of the control is also dependent on proper segregation of duties. If thereconciliation was performed by individuals that have the ability to post cash receipts and disbursement activity tothe general ledger, the effectiveness of the control may be compromised. Therefore, as part of testing the operationof the control, the auditor also would want to ensure that proper segregation of duties was maintained forindividuals performing the control.

Easy�to�test Controls. Some controls may be easier to test than other controls and yet yield equivalent evidenceto support a risk assessment. Naturally, if there is a choice, the auditor should test the control that is easier to test,considering the availability of evidence. The auditor should not, however, test controls that are not relevant to theaudit just because the controls are easy to test.

Selecting Appropriate Procedures

Tests of controls are further audit procedures that are performed with the objective of obtaining assurance about theoperating effectiveness of controls. Auditors may perform one or a combination of tests to obtain the level ofassurance needed to support the assessed level of control risk. When selecting control tests, auditors consider thecumulative evidence about operating effectiveness that is obtained from various sources.

This lesson discusses the nature or types of tests of controls. The time frame for testing controls, the extent of suchtests, efficiency opportunities when testing controls, and other matters related to performing tests of controls arediscussed, as well as tests of IT related controls.


39

While evidence about the operating effectiveness of controls is generally obtained through tests of controls, theauditor should be mindful that evidence about operating effectiveness may be derived from a variety of sources asnoted in Exhibit 2�2:

Exhibit 2�2

Sources of Evidence about Operating Effectiveness of Controls.

* * *

The sources of evidence about operating effectiveness other than direct tests of controls are further explained asfollows:

� Pre�engagement Activities. Procedures and conclusions reached regarding client acceptance orcontinuance may provide evidence regarding management's ethical values, operating philosophy,integrity and competence.

� The Understanding of Controls Obtained as Part of the Risk Assessment Process. Many of the procedurescommonly used in the risk assessment process to gain an understanding of internal control also mayprovide evidence about the controls' operating effectiveness.

� Prior Audits. SAS No. 110 explicitly recognizes that the auditor may be able to use audit evidence aboutthe operating effectiveness of controls obtained in prior audits.

� Type 2 SAS No. 70 Reports. A service auditor may apply tests of controls at a service organization and reporton whether specified policies and procedures are operating with sufficient effectiveness to achievespecified control objectives. This type of report, also known as a �Type 2 SAS No. 70 report," may be helpfulin determining whether controls have been implemented and assessing control risk at either a low ormoderate level when relevant controls are applied only at the service organization.

Substantive procedures may provide additional evidence that is consistent with the auditor's conclusion about theoperating effectiveness of controls or that creates the need to reevaluate the prior assessment of control risk.However, auditors should be aware that a lack of misstatements as a result of substantive procedures does notprovide audit evidence about the operating effectiveness of controls. On the other hand, SAS No. 110 (AU 318.34)


40

indicates that a material misstatement detected through the performance of substantive procedures �that was notidentified by the entity is evidence of a deficiency in internal control and may be a significant deficiency or a materialweakness in internal control."

Understanding the potential sources of evidence is important to the auditor when designing tests of controls,considering the extent and timing of those tests, and evaluating the effect on the control risk assessment. The auditevidence provided from various sources should be considered in a cumulative manner when deciding whethersufficient evidence has been obtained to support the auditor's evaluation of operating effectiveness and the finalassessment of control risk. In choosing procedures to test a control, consider the degree of assurance provided bythe procedure in relation to the degree needed. If there is a choice, choose the procedure that is most efficient inproviding the needed degree of assurance.

Nature and Types of Tests. Tests of controls (either manual or automated) ordinarily include procedures such asthose shown in Exhibit 2�3:

Exhibit 2�3

Test of Controls Procedures.

* * *

The information and evidence typically sought from tests of controls include the following:

� What the control activity is.

� Who performs it, including the person's name and job title.

� How it is performed.

� The consistency with which it was performed during the period.


41

� What reports, files, or other documents are used in performing the control.

� What reports, files, or other documents, if any, are produced as evidence of the performance of the control.

� What action is taken if the control activity reveals an error, discrepancy, or unusual item.

� How supervisory and managerial personnel satisfy themselves that the control is operating as planned toprevent or detect errors.

The auditor often obtains evidence about the operating effectiveness of controls by performing a combination ofthe procedures listed above, as well as from the understanding of controls and prior audits. The procedures andsources of information complement and supplement one another. For example, an auditor may inquire about theexistence and nature of a control activity, have the person who performs it demonstrate or walk through the stepsinvolved, and inspect the documents or electronic files used or reports produced. In this example, the auditorwould have used inquiry, observation, inspection, and a walkthrough. These procedures would not only provide theauditor with an understanding of the control activity, but would also constitute a test of the control.

According to SAS No. 110 (AU 318.29), inquiry alone is not sufficient to obtain reasonable assurance of operatingeffectiveness. Thus, the auditor should perform other procedures in combination with inquiry. According to theSAS, however, �those controls subject to testing by performing inquiry combined with inspection or reperformanceordinarily provide more assurance than those controls for which audit evidence consists solely of inquiry andobservation." For example, the auditor might inquire about and observe the procedures for opening mail andprocessing cash receipts. To obtain greater assurance, the auditor could supplement those inquiries and observa�tions with procedures such as inspecting documents (for example, prelists of cash receipts) and, possibly, reperfor�mance procedures (for example, reperforming the comparison of amounts on prelists to accounting records andbank deposits).

SAS No. 110 (AU 318.30) notes that the nature of a particular control will influence the type of audit procedurenecessary to collect audit evidence about operating effectiveness. For example, a control in which a managerreviews the clerical accuracy of the coding of invoices over $1,000 may be evidenced by the manager's initials onthe invoice. The nature of this control would generally dictate the auditor's procedures to be inspection of theinvoice for documentation of the manager's initials combined with reperformance of the control activity (that is, acheck of the clerical accuracy). Reperformance alone, inquiry, or observation of the control being performed wouldgenerally not provide the quality of audit evidence normally required by the auditor. However, efficiency is also aconsideration when selecting audit procedures. If there is a choice, choose the procedure that is most efficient inproviding the needed degree of assurance. The following paragraphs discuss the procedures commonly used totest controls.

Inquiry and Observation. Inquiry and observations are often used in the general planning and risk assessmentphase of the audit to obtain an understanding of controls and whether they have been implemented. Also, whilemaking inquiries and observations for that purpose, the auditor may also gain evidence about the controls'operating effectiveness. Inquiry and observation are typically used to test controls that do not produce documen�tary evidence of performance, such as separation of duties, controls over access to assets and records, certainentity�level controls, or some control activities performed by a computer. Inquiry and observation often complementor supplement each other. For example, the auditor might inquire about the existence of a particular control activityand then observe the activity being performed to determine that it is in fact in operation and perhaps also to assessits effectiveness. Similarly, observation is often supplemented by inquiry, since observation is only pertinent at thepoint in time at which it is made.

The auditor may be able to conveniently document inquiries and observations using the �Test of Controls Form."Some auditors may prefer to document the inquiries and observations in a memo that identifies the purpose of theinquiries and observations, the types of transactions covered by the control, the date of the inquiry or observation,the person(s) interviewed or observed and their position(s), the questions asked and the replies received, oractivities observed.

Inspection of Documents, Reports, or Electronic Files. This procedure includes inspection of source documents(such as invoices, bills of lading, and receiving reports), log books (such as shipping and receiving logs), reports


42

(such as internal auditors' reports and exception reports), accounting procedures manuals, or (for operatingeffectiveness) electronic files. Documents are inspected for an indication that the control activity was performed (forexample, initials of the person who approved a transaction or a clerk's checkmark indicating that a total was footedor an extension checked). Reports, which may include internally produced financial or operational reports orexternally produced reports of financial institutions, regulatory agencies, service organization auditors, etc., arereviewed for a description of the activity or investigation performed, the resulting findings, and the client's responseto problems detected.

Audit sampling is sometimes used in tests of controls that involve inspection of documents. However, tests ofcontrols involving document inspection do not necessarily require sampling, for example, inspection of documentsin conjunction with inquiries and observations, walkthroughs, or reviews of reconciliations.

Walkthroughs. Walkthroughs are commonly used in gaining an understanding (or further understanding) of con�trols. A walkthrough can also serve as a test of operating effectiveness and in some cases, along with otherprocedures that test operating effectiveness (such as inquiry, observation, document inspection, and reperfor�mance), can provide a valid basis for assessing control risk at less than high. However, this approach generally byitself does not provide a sufficient basis for assessing control risk as low. As explained later in this lesson and inparagraph 6.65 of the AICPA Risk Assessment Audit Guide, the auditor needs to consider whether the walkthroughand other procedures performed are adequate to provide evidence about the operating effectiveness of the control.The adequacy would depend on the nature of the control (for example, automated versus manual) and the natureof the procedures performed (for example, inquiry about the entire year and observation versus examination ofdocuments or reperformance). The walkthrough may provide evidence to reduce but not eliminate other controltesting, and it may be necessary to test other instances of the operation of the control to reach a conclusion aboutoperating effectiveness.

Review of Reconciliations and Similar Bookkeeping Routines. Reviews of reconciliations and similar bookkeepingroutines can be very efficient tests of controls. They may include review of the following:

� Accounting for the numerical sequence of documents.

� Follow�up of unmatched items.

� Reconciliation of a subsidiary ledger to the control account.

� Reconciliation of third�party information to the accounting records (for example, bank reconciliation orvendor statement).

� Reconciliation of related nonaccounting data (for example, units shipped to units billed).

The auditor should ensure, however, that a control rather than just a process is being tested.

The auditor's approach to testing these routines is generally as follows:

� Inspect evidence that the routine was performed throughout the period (for example, reports of unmatcheditems or written bank reconciliations).

� Inspect examples of the routine having been performed.

� Investigate the resolution of significant misstatements or exceptions disclosed by the routine, or investigatea few if none are significant.

In this approach, the auditor's objective is to confirm that the routine is being performed throughout the period andthat misstatements and exceptions are being appropriately investigated and resolved. Thus, this approach doesnot involve audit sampling, even though there is documentary evidence of performance of the routines.

Reperformance of the Control Activity. Examples of reperformance tests of controls include recomputing exten�sions and totals on sales invoices, tracing units billed from an invoice to a shipping document, or recomputing


43

gross pay. Reperformance tests are commonly performed along with inspection of documents. For example, theauditor may test the clerical accuracy of a sales invoice and inspect supporting documents for evidence of properapproval. Audit sampling is sometimes used in tests of controls that involve reperformance of control activitiesapplied to documented transactions.

An advantage of reperformance is that it usually provides substantive audit evidence about the transaction as wellas about the control activity (that is, it is a dual�purpose test). For example, the auditor will obtain evidence that thetransaction is recorded in the proper account at the proper amount as well as that it was properly approved.

Reperformance tests can be very time�consuming. Thus, reperformance tests should be avoided to the extentpossible. However, such tests may be necessary (instead of or in addition to other tests such as inquiry orobservation) if the control is particularly significant or if controls are tested when the control environment is notstrong.

Performing Tests of Controls

Testing controls includes obtaining evidence about:

� How controls were applied at relevant times during the audit period.

� The consistency of application.

� Who applied the controls or the means of their application.

The objective of performing tests of controls is to obtain assurance about their operating effectiveness to supportthe auditor's assessment of control risk.

This lesson discusses the timing of tests of controls, the extent of such tests, efficiency opportunities when testingcontrols, tests of IT�related controls, and other matters related to performing tests of controls.

Timing of Tests of Controls. Tests of controls can be performed at a point in time or for a period of time. Theappropriate timing depends upon the auditor's objective and for what period of time reliance is needed about theoperating effectiveness of controls. When a control is tested at a point in time, the audit evidence can only supporta conclusion about operating effectiveness at that point in time. Conversely, when a control is tested over a periodof time, the audit evidence can be used to form a conclusion about operating effectiveness over that period.

In some cases, the control being tested need only be tested at a point in time. For example, for controls over theobservation of the annual physical inventory, testing would only be relevant at that point in time since the controlsare only applied once. Other controls, however, may operate throughout the audit period, requiring the auditor tocollect evidence about operating effectiveness for the entire period. For an automated control that operatesthroughout the period, the auditor might be able to test the operation of the control at a point in time and collectevidence about its continued operation through tests of general controls.

Other considerations related to the timing of control tests include the following:

� Whether to perform the tests at an interim date or at period end.

� Whether to use audit evidence about the operating effectiveness of controls obtained in prior audits.

Interim Testing of Controls. Based on the audit strategy, the auditor might decide to perform tests of controlsthrough an interim date prior to the balance sheet date. SAS No. 110 (AU 318.37 and .38) requires the followingwhen auditors perform tests of controls through an interim date:

� Auditors should determine what additional audit evidence should be obtained for the remaining periodconsidering factors such as:

�� Significance of the assessed risks of material misstatement at the relevant assertion level.


44

�� Specific controls tested during the interim period.

�� Degree to which audit evidence about operating effectiveness was obtained.

�� Length of the remaining period.

�� Extent to which further substantive procedures will be reduced based on control reliance.

�� Control environment.

� Auditors should obtain audit evidence about the nature and extent of any significant changes in internalcontrol, including changes in the information system, processes, and personnel that occur during theremaining period.

Additional audit evidence about the operating effectiveness of controls over the remaining period of time can beobtained by extending the tests of controls over the remaining period or testing the entity's monitoring of controls.

Using Audit Evidence Obtained in Prior Audits. SAS No. 110 explicitly recognizes that the auditor may be able touse audit evidence about the operating effectiveness of controls obtained in prior audits subject to certain definedrestrictions. If these restrictions are met, the audit practice of rotating tests of controls over a three year cycle mightbe used. SAS No. 110 explains the following guidelines for rotating tests of controls:

� The auditor should obtain audit evidence about whether changes in those specific controls have occurredsubsequent to the prior audit (AU 318.40). Rotation of testing is not appropriate if there have been changes.

� The evidence about whether changes in specific controls have occurred should include a combination ofobservation, inquiry, and inspection to confirm the understanding of those specific controls (AU 318.40).Inquiry alone is not enough.

� If a control has changed since it was last tested and the auditor plans to rely on the control, it should betested in the current audit (AU 318.41).

� The auditor should test a control at least once in every third year in an annual audit (AU 318.42).

� If a number of controls are rotationally tested, the auditor should perform some tests of controls each year(AU 318.44). It is not acceptable to test all controls in a single audit period with no testing in the subsequenttwo audit periods.

� Rotation of testing is not permitted if the auditor plans to rely on those controls to mitigate a fraud risk orother significant risk (AU 318.45). For controls related to significant risks that require special auditconsideration, the tests of controls should be performed in the current period.

� In considering whether rotation is appropriate and the time elapsed before retesting, the auditor shouldconsider the factors in Exhibit 2�4 (AU 318.43).


45

Exhibit 2�4

Factors to Consider Regarding Rotation of Control Tests

Factor ExamplesImpact on Decision to

Rotate Control Tests

Impact on Time Elapsed

Before Retesting

Effectiveness of otherelements of internalcontrol, including theentity's controlenvironment, monitoring,and risk assessmentprocess.

� Design effectivenessand implementationof monitoring overrelevant controls hasimproved.

� Rotation would gen�erally be appropri�ate.

� Consider retestingevery third year.

� Deterioration in thedesign effectivenessand implementationof control environ�ment or monitoringelements.

� Question theappropriateness ofrotating tests.

� Consider shorteningthe time elapsedbefore retesting.

Whether the control ismanual or automated.

� Control is automatedand general IT con�trols are effective.



� A manual controlrequires intricatesteps and judgmenton the part of theindividual who per�forms it.


� Consider retestingeach year.

Effectiveness of ITgeneral controls.

� IT general controlsare not designed oroperating effectively.

� Depending on thesignificance of thegeneral controls tothe application con�trol, rotation wouldgenerally not beappropriate.

� Consider retestingpertinent applicationcontrols each year(or consider theappropriateness oftesting).

How the control isapplied, including thenature and extent ofdeviations detected inprior audits.

� Testing of control inprior audits did notreveal any devi�ations.



� Testing of control inprior year revealedone or more unre�solved deviations.

� Question theappropriateness ofrotating tests,depending on thenature of the devi�ation.

� Consider retestingeach year, depend�ing on the nature ofthe deviation.

� New personnel inthe current year withless experience andbackground whoapply the control.


� Consider retesting inthe current year.


46

FactorImpact on Time Elapsed

Before Retesting

Impact on Decision to

Rotate Control TestsExamples

Whether the controlshould have changed inresponse to changingcircumstances but didnot.

� Control remainsunchanged fromprior audits, but thechanged circum�stance does notimpact the nature ofthe risk the control isaddressing.


� Consider retestingevery third year con�tingent upon thestatus of thechanged circum�stances.

� Control remainsunchanged fromprior audits, and thechanged circum�stance directlyimpacts the risk thecontrol is address�ing.

� Consider whethercontrol remainsappropriatelydesigned prior torotating control tests.

� If the control remainsappropriatelydesigned, considerthe status of thechanged circum�stances when decid�ing how often toretest.

Risk of materialmisstatement and theextent of reliance on thecontrol.

� Control risk is pre�liminarily assessedat moderate andplanned substantiveprocedures will notbe substantiallymodified.



� Control risk is pre�liminarily assessedat low and plannedsubstantive proce�dures will be exten�sively modifiedbased on theplanned reliance onthe operating effec�tiveness.


� Consider retestingeach year or everyother year.

* * *

Rotation of tests of controls on a cyclical basis over three years is, thus, permitted, but the auditor has to obtainpersuasive evidence that the controls have not changed in the current period and evaluate the appropriateness ofrelying on prior tests in the particular circumstances of the current period's audit. In other words, the auditor is stillobligated to evaluate design effectiveness and determine whether the controls have been implemented each year.

Extent of Tests. The extent of the tests of controls is related to the level of assurance that the auditor requiresregarding operating effectiveness. SAS No. 110 (AU 318.46) indicates:

The auditor should design sufficient tests of controls to obtain sufficient appropriate auditevidence that the controls are operating effectively throughout the period of reliance.

Thus, the extent of tests of controls necessary in particular circumstances is affected by the degree of assuranceprovided by a test procedure in relation to the degree of assurance needed to support a control risk assessment.

Factors that may be considered by the auditor when determining the extent of tests of controls include:

� Frequency of the operation of the control.


47

� Length of time during the audit period that reliance on operating effectiveness is required.

� Extent of tests of other controls (including entity�level controls) that are related to the relevant assertion.

� Relevance and reliability of the audit evidence to support that the control prevents, or detects and correctsmaterial misstatements.

� Expected deviation from the control.

� Extent of the planned reliance on operating effectiveness of the control in the assessment of risk.

Use of Audit Sampling in Tests of Controls. Risk assessment procedures performed to obtain an understanding ofinternal control (such as a walkthrough) do not involve sampling. Also, sampling ordinarily does not apply to thefollowing types of tests of controls:

� Tests of automated application controls when effective IT general controls are present.

� Analyses of controls for determining the appropriate segregation of duties or other analyses that do notexamine documentary evidence of performance.

� Analyses of the effectiveness of security and access controls.

� Tests directed toward obtaining audit evidence about the operation of the control environment, for example,inquiry or observation of the explanation of variances from budgets when the auditor does not plan toestimate the rate of deviation from the prescribed control.

� Examining actions of directors for assessing their effectiveness, for example, evaluating whether the auditcommittee is appropriately involved in the financial reporting process. (SAS No. 111, AU 350.32)

� Tests of automated controls where no record of the control performance is retained.

Also, paragraph 6.65 of the AICPA Risk Assessment Audit Guide states that �a walkthrough of a transaction processdoes not involve audit sampling." (However, paragraph 6.68 of the AICPA Risk Assessment Audit Guide notes thatif a walkthrough is performed in a test of repeated instances of operation of a control using audit sampling, eachitem walked through the system is considered to be a sample size of one, and the evidence obtained from thewalkthrough generally is insufficient to reach a conclusion about operating effectiveness.)

Generally, the auditor should consider using audit sampling for tests of controls in the following circumstances(SAS No. 110, paragraph 46):

� The control is applied on a transaction basis, for example, matching approved purchase orders to supplierinvoices.

� The control operates frequently.

In these circumstances, the auditor can select a sample of transactions and reperform the related control activitiesto see whether compliance with the control procedures is acceptable. According to SAS No. 111 (AU 350.32),�sampling applies when the auditor needs to decide whether the rate of deviation from a prescribed procedure isno greater than the tolerable rate, for example, in testing a matching process or an approval process." When acontrol is applied less frequently, the auditor would ordinarily take a nonsampling approach applicable to infre�quently operating controls. For example, for a monthly reconciliation of the accounts receivable subsidiary ledger,the auditor might reperform the reconciliation for two to four months and inspect evidence showing the reconcilia�tion was performed in other months.

Concurrent Test of Controls and Substantive Procedure. SAS No. 110 (AU 318.33) states that the auditor mayperform a test of controls concurrently with a substantive test of details on the same transaction. Such a dualpurpose test has two objectivesto obtain evidence about the control's operating effectiveness and to detect


48

material misstatements in the account balance or transaction class. For example, while inspecting an invoice andrecalculating amounts as a substantive procedure to detect material misstatements, the auditor might also deter�mine from notations on the invoice that client personnel performed control activities such as checking the mathe�matical accuracy, approval, etc. These procedures would confirm information obtained about control activities frominquiry of an employee.

SAS No. 110 (AU 318.33) states, �the absence of misstatements detected by a substantive procedure [that is, asingle�purpose test] does not provide evidence that controls related to the relevant assertion being tested areeffective." However, detection of a misstatement by a substantive procedure should be considered in assessing theoperating effectiveness of controls. In other words, the auditor should not assume that controls are effective justbecause a substantive procedure does not detect a misstatement. That means it is not appropriate to consider asubstantive procedure as a dual purpose test merely because no misstatements are detected.

Tests of IT Related Controls. The auditor's approach to testing IT controls is not fundamentally different thantesting other control activities. The auditor's primary consideration is whether and how a specific control activity,individually or in combination with others, prevents, or detects and corrects, material misstatements in classes oftransactions, account balances, or disclosures. The auditor focuses on those control activities that address areasin which the auditor believes material misstatements are likely to occur.

SAS No. 109 (AU 314.92) indicates that the auditor should obtain an understanding of how IT affects controlactivities that are relevant to the audit. The SAS further discusses two types of computer control activities asillustrated in Exhibit 2�5:

Exhibit 2�5

Types of Computer Control Activities

* * *

Application Controls. Application controls apply to the processing of individual transaction applications (such assales, accounts receivable, and inventory) and relate to the use of IT to initiate, authorize, record, process, and


49

report transactions or other financial data. Application controls help ensure that transactions occurred, are autho�rized, and are completely and accurately recorded and processed. Examples include edit checks of input data andnumerical sequence checks.

Application controls include both programmed controls embedded in the computer program used in the financialreporting system (such as programmed edit controls for verifying customers' account numbers and credit limits)and manual follow�up procedures on computer�produced exception reports. For example, a computerized billingsystem that produces invoices from shipping data and a master price list might check the numerical sequence ofthe prenumbered shipping documents and produce a report listing any breaks in the sequence. The follow�upactivity would be the investigation of the shipping documents listed in the exception report to find out whether theitems were actually shipped and, if they were, why they were not billed, as well as taking any necessary correctiveaction.

Application controls may be performed by IT, referred to as automated controls, or by individuals, referred to as usercontrols.

Because IT processing is inherently consistent, the auditor may be able to limit the testing of automated applicationcontrols to one or a few instances of the control application. Generally, an automated control will function consis�tently unless the program or related stored data are changed. Consequently, the auditor needs to perform tests ofcontrols to determine that an automated control is functioning effectively and also perform tests of controls todetermine that the control continues to function effectively. The continued effective functioning of applicationcontrols depends on general controls.

General Controls. General controls are policies and procedures that relate to many applications. General controlsare directed at ensuring the continued proper operation of information systems, thereby supporting the effectivefunctioning of application controls. General controls include the following types of controls:

� Controls over data center and network operations.

� Access security.

� System software acquisition, change, and maintenance.

� Application system acquisition, development, and maintenance.

General controls are important, but unless the auditor pays careful attention to their relation to the risks of materialmisstatement, the time spent on general controls can be unproductive.

The auditor should view general controls in relation to their effect on applications and data that become part of thefinancial statements. This means that the auditor first focuses on identifying applications that are significant to thefinancial statements. Then the auditor assesses whether there are general controls that if ineffective would permitapplication controls to operate improperly and allow misstatements to occur and not to be detected. The auditorcan then perform tests of those general controls that are important to the effectiveness of application controls onwhich the auditor plans to rely.

Efficiency Opportunities in Testing Controls. Audit efficiencies can be achieved by testing controls if the testsand resulting control risk assessment provide a basis for reducing the extent of substantive procedures. Theauditor may decide that the time spent testing controls in order to support a lower control risk assessment andreduction in substantive procedures will result in even greater time savings in substantive testing. Nevertheless,tests of controls, particularly tests involving reperformance and document inspection, can be time consuming.Testing controls is often associated with time�consuming detail testing of documents and transactions, perhapsusing sampling. However, testing controls need not necessarily include such detail testing. There are other, moreefficient ways of testing controls that may provide sufficient evidence. Also, many auditors erroneously assume thatif a transaction is tested, all controls related to the transaction must be tested.

Exhibit 2�6 presents a summary of the efficiency opportunities in testing controls that are discussed in this lesson.The items in the list are presented in order of importance in achieving efficiency. The parenthetical references areto paragraphs that begin a discussion of the item.


50

Exhibit 2�6

Efficiency Opportunities in Testing Controls

1. In deciding how much attention to give to controls, first consider the materiality and inherent risk for the auditarea. It may be possible to reduce the extent of substantive procedures based on materiality and theassessment of inherent risk even if control risk is assessed as high. Then, no further attention to control risk ortests of controls would be necessary for the area.

2. Do not attempt to assess control risk as low if an assessment as moderate will support the planned extent ofsubstantive procedures. An assessment of control risk as low will require obtaining more evidence than will anassessment of moderate.

3. Before testing controls, consider whether the understanding of controls obtained indicates that controls appearto be suitably designed and implemented. Do not test controls that do not appear to be effective.

4. Consider whether procedures performed to obtain an understanding of the design and implementation ofcontrols, such as inquiry, observation, or walkthroughs, can also serve as a test of controls and provide evidenceabout operating effectiveness. If such procedures are not sufficient to support a reduced assessment of controlrisk, the auditor should only consider the incremental costs of performing additional testing procedures(compared to the costs already incurred to evaluate design and implementation) when making a decisionwhether to test the controls from an efficiency perspective.

5. Consider evidence provided by tests of controls performed in prior audits. Consider whether there have beenany changes in the controls, and if not, consider performing tests over a three�year cycle, as permitted by SASNo. 110. Also, when making decisions about the efficiency of testing a control not previously tested in prioryears, consider the costs of testing from the perspective of a potential benefit for three engagements, especiallyif controls are not expected to change.

6. Consider whether substantive testing of the account balance or transaction class may provide evidence aboutthe control risk related to the account or transaction class. (Where material misstatements could exist,substantive procedures can never be eliminated entirely based on inherent and control risk assessments; thus,the auditor will expect to perform some substantive procedures.) If so, the nature or extent of tests of controlsmay be limited.

7. Consider whether it is more efficient to test IT general and application controls rather than substantively testingcertain computer�produced reports used in the audit. If so, consider reducing the extent of testing of aprogrammed application control if relevant IT general controls have been tested and found to be effective.

8. Do not test the operation of processing procedures unless the test provides evidence as part of a dual�purposeprocedure. Instead, test only controls that are relevant in preventing or detecting misstatements in the financialstatements. Do not test operational or efficiency controls that are not relevant to preventing or detectingmisstatements. In addition, the auditor does not have to seek a reduced control risk assessment for allassertions related to an account balance or transaction class. Rather, only test controls related to the assertionsor risks of misstatement of the account balance or transaction class that concern the auditor.

9. Use inquiry, observation, and walkthroughs to the maximum extent possible as tests of controls.

10. Use reviews of reconciliations and similar bookkeeping routines to the extent appropriate. This is a moreefficient, nonsampling test of controls than inspection of documents or reperformance of control procedures.

11. To save time where there is the expectation that tests of controls will be necessary or efficient, consider planningto perform tests of controls at the same time as performing procedures to obtain an understanding of controlsor performing a substantive test of transactions. SAS No. 110 (AU 318.26) states that it may be efficient to testthe operating effectiveness of controls at the same time as evaluating their design and obtaining audit evidenceof their implementation, and SAS No. 110 (AU 318.33) states that the auditor may design a test of controls tobe performed concurrently with a test of details of the same transaction. For example, instead of trying to gain


51

an understanding of an activity by having an employee describe a control activity performed and documentsused, consider testing it by simultaneously examining the documents and observing the employee performingthe activity. Also, SAS No. 110 (AU 318.33) gives the example of examining an invoice to determine whether ithas been approved and to obtain substantive evidence of a transaction.

12. Consider which controls, if effective, would provide a basis for reducing the extent of the substantive proceduresthe auditor plans to perform, then test those controls.

13. In choosing procedures to test a control, consider the degree of assurance provided by the procedure in relationto the degree needed. If there is a choice, choose the procedure that is most efficient in providing the neededdegree of assurance.

14. If a test of transactions is planned for a high�risk area (such as a test of cash disbursements because ofincreased risk of theft of cash), obtain maximum benefit by combining the test of details with a test of controls.This may allow the auditor to limit vouching in other areas.

* * *

Documentation Requirements

The auditor should prepare documentation of the following matters related to tests of controls: (SAS No. 110, AU318.77)

� The Nature, Timing, and Extent of Further Audit Procedures. According to SAS No. 110 (AU 318.11), furtheraudit procedures include tests of controls and substantive procedures. Therefore, the nature, timing, andextent of tests of controls should be documented.

� The Linkage of Further Audit Procedures (Tests of Controls) With the Assessed Risks (Control Risk

Assessment) at the Relevant Assertion Level.

� The Results of the Audit Procedures. Since tests of controls are further audit procedures, the results of testsof controls should be documented.

� The Conclusions Reached with Respect to the Use in the Current Audit of Audit Evidence About the

Operating Effectiveness of Controls That Was Obtained in a Prior Audit.

SAS No. 110 (AU 339) notes that the manner in which these matters are documented is based on professionaljudgment and that SAS No. 103, Audit Documentation, provides standards and guidance on documentation.

SAS No. 108 (AU 311.21) indicates that the audit plan should include a description of the nature, timing, and extentof planned further audit procedures at the relevant assertion level for each material class of transactions, accountbalance, and disclosure. Since tests of controls are further audit procedures, planned tests of controls should bedocumented as part of the detailed audit plan.

�Test of Controls Form." The �Test of Controls Form" documents controls tested and the related assertion(s),testing procedures performed, results of the test (the conclusion about whether the controls are operating effec�tively), and the effect of the test results on the control risk assessment, �Risk Assessment Summary Form" (that is,whether the test results confirm the planned control risk assessment or support a different control risk assessment)and on substantive procedures. A revised control risk assessment can be documented by revising the �RiskAssessment Summary Form." SAS No. 110 states that tests of controls may be rotated over a three�year cycle, andthe SAS provides guidelines for rotating tests. The �Test of Controls Form" provides space for the auditor todocument that a control was tested in a prior year and to add comments about the consideration of whetherconditions relevant to the control have changed. The form can be carried forward for three years.

�Activity and Entity�level Control Forms." The �Activity and Entity�level Control Forms" are optional source lists ofcontrols that may be used in various ways. They may be used in identifying controls to test when the auditor has


52

decided that it is necessary or beneficial to test controls but has not identified specific controls to test. The formshelp the auditor decide which controls to test by identifying the assertions relevant to each control activity. Theforms provide controls for each COSO component of internal control, including those at the entity�level. Space isprovided to identify controls the auditor plans to test and to document relevant comments.

Memo. The auditor may choose to document the test of controls and resulting control risk assessment in memoform rather than using the preceding practice aids. A memo would describe the control activity tested, the assertionand audit area to which the control relates, the nature, timing, and extent of the procedures used to test the control'soperating effectiveness, and the results of the test. The control risk assessment based on the test would bedocumented, as would the effect of the assessment on planned substantive procedures.

Summary of Key Audit Requirements

Exhibit 2�7 summarizes key audit requirements related to tests of controls.

Exhibit 2�7

Key Audit Requirements Related to Tests of Controls

Key Requirement Using the PPC Approach

� Tests of controls should be performedwhen the auditor's risk assessmentincludes an expectation of the operatingeffectiveness of controls or when substan�tive procedures alone do not providesufficient evidence at the relevant assertionlevel.

� The audit areas and assertions for whichcontrols will be tested for operating effec�tiveness can be documented on �Under�standing the Design and Implementationof Internal Control."

� The procedures performed to test controlscan be documented on the �Test of Con�trols Form."

� As the planned level of assurance from theoperating effectiveness of controlsincreases, more reliable or more extensiveaudit evidence should be sought.


� Inquiry alone is not sufficient to test theoperating effectiveness of controls.Therefore, the auditor should use acombination of audit procedures toobtain sufficient appropriate auditevidence.

� The procedures performed to testcontrols can be documented on the �Testof Controls Form."

� In designing tests of controls, consideraudit evidence supporting the effectiveoperation of controls that is directly relatedto the relevant assertions and other indirectcontrols on which the controls depend.

� The audit areas and assertions for whichcontrols will be tested for operating effec�tiveness can be documented on �Under�standing the Design and Implementationof Internal Control".



53


� Controls should be tested for the particulartime, or throughout the period, for whichthe auditor intends to rely on those con�trols.


� When testing the operating effectivenessof controls during an interim period, theauditor should determine what additionalaudit evidence should be obtained duringthe remaining period.

� The �Test of Controls Form" providesspace to document the additional evi�dence obtained for the remaining period.

� If the auditor plans to rely on the operat�ing effectiveness of controls tested in aprior audit, audit evidence should beobtained about whether the controls havechanged since the prior audit. If thecontrols have not changed since theywere last tested, the auditor should testthe operating effectiveness of suchcontrols at least once in every third yearin an annual audit. When a number ofcontrols are rotationally tested, somecontrols should be tested each year. Inaddition, auditors should not rely on testsof controls performed in prior audits forcontrols related to fraud risks or othersignificant risks, but should test thosecontrols in the current audit. If thecontrols have changed since they werelast tested, the auditor is required to testtheir operating effectiveness in thecurrent audit if he or she intends to relyon such controls.

� The �Test of Controls Form" provides fordocumentation of procedures performedto determine that controls tested in aprior year have not changed, andguidance on the form indicates that (1)controls should be retested at least onceevery three years; (2) when a number ofcontrols are rotationally tested, somecontrols should be tested each year; and(3) controls related to fraud risks or othersignificant risks should be tested eachyear.


54


� Auditors should design sufficient tests ofcontrols to obtain audit evidence that thecontrols are operating throughout theperiod of reliance. As reliance on thecontrol or the rate of expected deviationincreases, the extent of testing of thecontrol should increase.


� The auditor should document�� The nature, timing, and extent of

tests of controls.�� The linkage of further audit proce�

dures (tests of controls) with theassessed risks (control risk assess�ment) at the relevant assertion level.

�� The results of tests of controls.�� The conclusions reached with

respect to the use in the currentaudit of audit evidence about theoperating effectiveness of controlsthat was obtained in a prior audit.

� Tests of controls can be documentedusing the �Test of Controls Form." The�Test of Controls Form" also provides fordocumentation of the auditor's conclu�sion about using audit evidence fromtests of controls performed in a prioraudit.

* * *


55

SELF�STUDY QUIZ

Determine the best answer for each question below. Then check your answers against the correct answers in thefollowing section.

11. Arlie, the auditor, has determined that controls exist and are being used. Has Arlie tested the operatingeffectiveness of controls or has she obtained evidence of implementation?

a. Implementation.

b. Operating effectiveness.

12. According to SAS No. 110, in which of the following situations should tests of controls be performed?

a. When substantive procedures themselves are effective in providing sufficient appropriate evidence at therelevant assertion level.

b. When an expectation that controls are operating effectively is included in the auditor's assessed risk ofmaterial misstatement.

13. Tests of controls would be more efficient than substantive procedures from a cost/benefit standpoint when:

a. New controls have been implemented during the audit period.

b. Audit evidence from tests of controls may be used over a three�year period.

c. Account balances can be tested using computer�assisted audit techniques (CAATs).

d. Application controls are automated.

14. Which of the following statements regarding testing for operating effectiveness is accurate?

a. All controls should be tested for operating effectiveness.

b. Only effectively designed controls should be tested for operating effectiveness.

15. The AICPA Risk Assessment Audit Guide indicates complementary (indirect) controls may include which of thefollowing?

a. The control environment.

b. Combining of duties.

c. IT�specific controls.

16. Which of the following accurately describes walkthroughs?

a. They are used frequently in gaining an understanding of controls.

b. They cannot serve as tests of operating effectiveness.

c. They can independently always provide a sufficient basis for assessing control risk as low.


56

17. Reperformance of the control activity is characterized by all of the following except:

a. Recomputing gross pay is an example of reperformance tests of controls.

b. Reperformance tests are always performed independent from inspection of documents.

c. When reperformance of control activities are applied to documented transactions, audit sampling issometimes used in tests of controls.

d. Reperformance tests should be used if controls are tested when the control environment is not strong.

18. Which of the following statements regarding the testing of controls is accurate?

a. Testing of controls is rarely efficient.

b. Substantive procedures can always be performed without testing controls.

c. Tests of controls are not required to only be performed at a particular point in time.

d. The auditor cannot use audit evidence about the operating effectiveness of controls obtained in prioraudits.

19. Application controls include which of the following?

a. Controls over network and data center operations.

b. Acquisition, development, and maintenance of application systems.

c. Acquisition, change, and maintenance of system software.

d. Reporting financial data using IT.

20. Which of the efficiency opportunities in testing controls listed below is more important in achieving efficiency?

a. Consider whether it is more efficient to test IT general and application controls rather than substantivelytesting certain computer�produced reports used in the audit.

b. Consider which controls, if effective, would provide a basis for reducing the extent of the substantiveprocedures the auditor plans to perform, then test those controls.


57



11. Arlie, the auditor, has determined that controls exist and are being used. Has Arlie tested the operatingeffectiveness of controls or has she obtained evidence of implementation? (Page 30)

a. Implementation. [This answer is correct. Implementation means that controls exist and are being

used as explained in SAS No. 110 (AU 318.26).]

b. Operating effectiveness. [This answer is incorrect. Operating effectiveness relates to how and by whomcontrols are applied and the means by which, and consistency with which, the controls are applied.]

12. According to SAS No. 110, in which of the following situations should tests of controls be performed? (Page 31)

a. When substantive procedures themselves are effective in providing sufficient appropriate evidence at therelevant assertion level. [This answer is incorrect. Tests of controls should be performed when substantiveprocedures alone are not effective and do not provide sufficient appropriate evidence at the relevantassertion level.]

b. When an expectation that controls are operating effectively is included in the auditor's assessed riskof material misstatement. [This answer is correct. Tests of controls should be performed when the

auditor's assessed risk of material misstatement includes an expectation that controls are operating

effectively.]

13. Tests of controls would be more efficient than substantive procedures from a cost/benefit standpoint when:(Page 34)

a. New controls have been implemented during the audit period. [This answer is incorrect. A significantimpact to efficiency considerations may result from the need to design and perform control tests oncontrols that changed during the period. As a result, the same test may not be effective both before andafter the control change, and may require two or more different tests and result in lower efficiency.]

b. Audit evidence from tests of controls may be used over a three�year period. [This answer is correct.

An auditor may be able to use audit evidence from tests of controls over a three�year period if certainconditions are met. As a result, auditors may choose not to isolate their cost�benefit analysis to only

the current audit in continuing engagements where controls are not expected to change significantly

from year to year.]

c. Account balances can be tested using computer�assisted audit techniques (CAATs). [This answer isincorrect. When the information used to perform the substantive procedures is produced by the entity'sinformation system, the auditor should acquire evidence concerning the information's accuracy andcompleteness. The auditor must also obtain an understanding of the controls over the system, includingIT general controls and particularly the portion of the system that generated the copy of the file being testedby CAATs.]]

d. Application controls are automated. [This answer is incorrect. Included in the cost of testing controls is theneed to obtain audit evidence about information that allows the effective operation of those controls, aswell as the need to consider the effective functioning of general controls.]

14. Which of the following statements regarding testing for operating effectiveness is accurate? (Page 36)

a. All controls should be tested for operating effectiveness. [This answer is incorrect. SAS No. 110 (AU318.25) makes it clear that it is not necessary that all controls be tested for operating effectiveness. Thereis no benefit to testing the operating effectiveness of a control that is inappropriately designed to preventor detect a material misstatement in a relevant assertion. Even in cases where an improperly designed


58

control could be found to be consistently applied and operating as designed throughout the year, noamount of testing will cause it to become a control that is able to prevent or detect misstatements.]

b. Only effectively designed controls should be tested for operating effectiveness. [This answer is

correct. As detailed in SAS No. 110 (AU 318.25), only effectively designed controls should be tested

for operating effectiveness, that is, only on controls that the auditor has determined are properlydesigned to prevent or detect a material misstatement in a relevant assertion.]

15. The AICPA Risk Assessment Audit Guide indicates complementary (indirect) controls may include which of thefollowing? (Page 38)

a. The control environment. [This answer is correct. One of several controls considered as indirect or

complementary controls by the AICPA Risk Assessment Audit Guide is the control environment.]

b. Combining of duties. [This answer is incorrect. Complementary controls may include the segregation ofduties, not the combining of duties.]

c. IT�specific controls. [This answer is incorrect. According to the AICPA Risk Assessment Audit Guide,indirect or complementary controls may include IT general controls, not IT specific controls.]

16. Which of the following accurately describes walkthroughs? (Page 42)

a. They are used frequently in gaining an understanding of controls. [This answer is correct.Walkthroughs are commonly used in gaining an understanding, or further understanding, of

controls. It is a technique used to identify the steps in a process in order to identify risks and

associated controls.]

b. They cannot serve as tests of operating effectiveness. [This answer is incorrect. Walkthroughs can serveas a test of operating effectiveness and in certain cases, along with other procedures that test operatingeffectiveness, can provide a valid basis for assessing control risk at less than high.]

c. They can independently always provide a sufficient basis for assessing control risk as low. [This answeris incorrect. Walkthroughs, along with other procedures that test operating effectiveness (such as inquiry,observation, document inspection and reperformance), can provide a valid basis for assessing control riskat less than high. However, this approach generally by itself does not provide a sufficient basis forassessing control risk as low.]

17. Reperformance of the control activity is characterized by all of the following except: (Page 42)

a. Recomputing gross pay is an example of reperformance tests of controls. [This answer is incorrect.Examples of reperformance tests of controls include recomputing gross pay, tracing units billed from aninvoice to a shipping document, or recomputing extensions and totals on sales invoices for the purposeof providing substantive audit evidence about the transaction and the control activity.]

b. Reperformance tests are always performed independent from inspection of documents. [Thisanswer is correct. Reperformance tests are commonly performed along with inspection of

documents and may be necessary if the control is particularly significant. Reperformance tests insuch cases will not be as reliable if inspection of documents has not occurred.]

c. When reperformance of control activities are applied to documented transactions, audit sampling issometimes used in tests of controls. [This answer is incorrect. Tests of controls that involve reperformanceof control activities applied to documented transactions sometimes involve audit sampling if the controlsare tested when the control environment is not strong.]

d. Reperformance tests should be used if controls are tested when the control environment is not strong.[This answer is incorrect. Because they can be very time�consuming, reperformance tests should beavoided to whatever extent possible. Sometimes reperformance tests may be necessary if the control isparticularly significant or if controls are tested when the control environment is not strong.]


59

18. Which of the following statements regarding the testing of controls is accurate? (Page 43)

a. Testing of controls is rarely efficient. [This answer is incorrect. Testing of controls is generally efficient butsometimes may be inefficient. For example, testing controls if the evaluation of their design indicates thatthey are not suitably designed or implemented would not be efficient.]

b. Substantive procedures can always be performed without testing controls. [This answer is incorrect.Because of the importance of effective controls over accuracy and completeness in processing, it may beimpractical or impossible to perform only substantive procedures without testing controls.]

c. Tests of controls are not required to only be performed at a particular point in time. [This answer is

correct. In accordance with SAS No. 110, tests of controls can be performed at a particular point in

time, or for a period of time. The appropriate timing depends upon the auditor's objective and forwhat period of time reliance is needed about the operating effectiveness of controls.]

d. The auditor cannot use audit evidence about the operating effectiveness of controls obtained in prioraudits. [This answer is incorrect. The risk assessment standards permit the auditor to use audit evidenceabout the operating effectiveness of controls obtained in prior audits subject to certain definedrestrictions.]

19. Application controls include which of the following? (Page 48)

a. Controls over network and data center operations. [This answer is incorrect. Controls over network anddata center operations are classified as general controls.]

b. Acquisition, development, and maintenance of application systems. [This answer is incorrect. Generalcontrols, not application controls, include the acquisition, development, and maintenance of applicationsystems.]

c. Acquisition, change, and maintenance of system software. [This answer is incorrect. System softwareacquisition, change, and maintenance are examples of general controls.]

d. Reporting financial data using IT. [This answer is correct. Application controls relate to the use of

IT to initiate, authorize, record, process, and report transactions or other financial data and help

ensure that transactions occurred, are authorized, and are accurately and completely recorded andprocessed.]

20. Which of the efficiency opportunities in testing controls listed below is more important in achieving efficiency?(Page 49)

a. Deciding whether it is more efficient to test IT general and application controls or substantively

testing certain computer�produced reports used in the audit. [This answer is correct. Considering

whether it is more efficient to test IT general and application controls rather than substantivelytesting certain computer�produced reports used in the audit is the seventh most important efficiency

opportunity to consider out of fourteen opportunities when deciding how much attention to give tocontrols.]

b. Consider which controls, if determined to be effective, would provide a basis for reducing the magnitudeof the substantive procedures the auditor plans to perform, then test those controls. [This answer isincorrect. There are 14 efficiency opportunities listed in order of importance when testing controls.Considering which controls would provide a basis for reducing the extent of the substantive proceduresthe auditor plans to perform and testing those controls is the twelfth most important efficiency opportunityto consider when deciding how much attention to give to controls.]


60

EVALUATING TESTS OF CONTROLS AND ASSESSING CONTROL RISK

After performing tests of controls, the auditor evaluates the results of the tests and the persuasiveness of theevidence obtained in reaching a control risk assessment for a particular audit area and assertion. The control riskassessment can be at high for some or all assertions and at less than high for others. It is not necessary to attemptto assess control risk as low if an assessment as moderate will support the planned extent of substantive proce�dures. An assessment of low control risk will require obtaining more audit evidence than will an assessment ofmoderate control risk.

The results of control tests may support a planned control risk assessment of moderate or low, or the results maycause the auditor to reconsider the planned control risk assessment. SAS No. 109 (AU 314.121) states:

When the auditor obtains audit evidence from performing further audit procedures that tends tocontradict the audit evidence on which the auditor originally based the assessment, the auditorshould revise the assessment and should further modify planned audit procedures accordingly.

If the actual assessment supported by the control tests differs from the planned risk assessment, the auditor shouldconsider adjusting the planned extent of substantive procedures. The adjustment of substantive procedures is anecessary matter of audit effectiveness (to prevent underauditing) if the actual control risk assessment is higherthan the planned risk assessment but is only a matter of audit efficiency (to prevent overauditing) if the actualcontrol risk assessment is lower than the planned assessment. As the audit progresses, the auditor shouldcontinue to evaluate whether audit evidence from performing substantive procedures suggests a need to recon�sider the control risk assessment. The remainder of this lesson addresses the auditor's evaluation of evidence fromtests of controls, the amount of evidence needed to support a reduced control risk assessment, and the effect of thecontrol risk assessment on substantive procedures.

Evaluating the Evidence about Operating Effectiveness

Test of controls may detect deviations from prescribed procedures. SAS No. 110 (AU 318.72) indicates:

The concept of effectiveness of the operation of controls recognizes that some deviations in theway controls are applied by the entity may occur.

Deviations might be caused by the following factors:

� Changes in personnel.

� Misunderstanding of instructions.

� Human error or carelessness.

� Significant fluctuations in the volume of transactions.

� Fraud.

It is important for the auditor to not draw an immediate conclusion about the operating effectiveness of a controlwhen a deviation is detected. Instead, the auditor should understand the nature and cause of the deviation and itsimplications for other phases of the audit by making specific inquiries. In some cases, a deviation in a controlactivity might result from the ineffective operation of an indirect control, for example, related to the control environ�ment or IT general controls. In such cases, to understand the deviation, the auditor may need to make additionalinquires or perform other tests related to indirect controls. The auditor should not assume that a deviation or minorweakness necessarily means that control risk is high. The controls should be evaluated as a group. Other strong oreffectively operating controls might compensate for the weak or ineffectively operating one. However, SAS No. 110(AU 318.73) indicates that an auditor should not assume that an instance of fraud or error is an isolated instance;again, careful analysis should be made to determine how it may impact the assessed risk of material misstatement.According to The AICPA Risk Assessment Audit Guide (paragraph 6.85), if fraud is the cause of the deviation, the


61

severity of the control deficiency related to the deviation is elevated, and a broader analysis is ordinarily requiredthan if error is the cause.

Based on the test results, the auditor should determine whether:

� Tests results provide an appropriate basis for reliance on controls.

� Additional tests of controls are necessary.

� Potential risks of misstatement need to be addressed using substantive procedures.

For example, if the tests of controls result in deviations, the auditor may be able to support a reduced control riskassessment by expanding the test of controls after first understanding and isolating the nature of the deviation andits potential implication, or by testing other controls that accomplish the same objective as those being tested. If theauditor determines that the tests indicate that reliance cannot be placed upon the controls, no further testing wouldbe performed. At that point, the auditor would reassess the risk of material misstatement and the response throughsubstantive procedures. However, even if the results of the tests support an assessment of control risk at a lowerlevel, the auditing standards require auditors to design and perform substantive procedures for all relevantassertions related to each material class of transactions, account balance, and disclosure. Thus, some substantiveprocedures are always necessary.

Sampling in Tests of Controls. If sampling is used in tests of controls, the auditor compares the number ofdeviations detected to the number of allowable deviations.

Evaluating the Operating Effectiveness of Controls at a Service Organization. In situations where an entityuses a service organization, the auditor may decide to rely on controls that are maintained and implemented by theservice organization. In such cases, the auditor should obtain evidence about the operating effectiveness ofrelevant service organization controls.

Considering Evidence from Substantive Procedures. Substantive procedures may provide additional evidencethat either supports the auditor's conclusion about the operating effectiveness of controls or creates the need toreevaluate the prior assessment of control risk. Auditors should be aware, however, that a lack of misstatements asa result of substantive procedures does not provide audit evidence about the operating effectiveness of controls.On the other hand, SAS No. 110 (AU 318.34) indicates that a material misstatement detected through the perfor�mance of substantive procedures �that was not identified by the entity is evidence of a deficiency in internal controland may be a significant deficiency or a material weakness in internal control."

Deviations and the Auditor's Responsibility to Communicate Internal Control Matters. SAS No. 115, Commu�nicating Internal Control Related Matters Identified in an Audit, (AU 325) provides guidance on the auditor'sresponsibility to communicate significant deficiencies and material weaknesses in internal control to managementand those charged with governance. The results of control testing, as well as the evaluation of design andimplementation required in understanding internal control, are potential sources of identified control deficiencies.Identified deficiencies should be evaluated as to whether they represent, individually or in combination with otherdeficiencies, significant deficiencies or material weaknesses that are required to be communicated.

Considering the Amount of Audit Evidence Necessary to Support a Control Risk Assessment

SAS No. 110 (AU 318.46) states that �the auditor should design sufficient tests of controls to obtain sufficientappropriate audit evidence that the controls are operating effectively throughout the period of reliance." SAS No.110 (AU 318.28) states:

As the planned level of assurance increases, the auditor should seek more reliable or moreextensive audit evidence. In circumstances in which the auditor adopts an approach consistingprimarily of tests of controls, in particular related to those risks where it is not possible orpracticable to obtain sufficient appropriate audit evidence only from substantive procedures, theauditor should perform tests of controls to obtain a higher level of assurance about their operatingeffectiveness.


62

Thus, in choosing procedures to test a control activity, the auditor should consider the degree of assuranceprovided by the procedure in relation to the degree of assurance needed to support a control risk assessment andreduction of substantive procedures. If there is a choice, the auditor should choose the available testing proce�dure(s) that is (are) most efficient in providing the needed degree of assurance. The following paragraphs discussfactors that affect the assurance provided by particular tests of controls.

The lower the assessed level of control risk, the greater the quantity of audit evidence that should be obtained andthe greater the assurance the evidence must provide in support of the assessment. SAS No. 110 (AU 318.47 and318.48) states that �to reduce the extent of substantive procedures in a audit, the tests of controls performed by theauditor need to be sufficient to determine the operating effectiveness of the controls at the relevant assertion leveland the level of planned reliance.... The auditor should increase the extent of tests of controls the more the auditorrelies on the operating effectiveness of controls in the assessment of risk."

Audit evidence varies substantially in the assurance it provides the auditor in developing an assessment of the levelof control risk. The risk assessment standards do not specify the amount of audit evidence needed to assesscontrol risk at less than high. The quantity and persuasiveness of audit evidence that is sufficient to support aspecific risk assessment is a matter of professional judgment. In reaching this judgment, the following factorsshould be considered:

a. The type of evidence obtained.

b. The source of the evidence.

c. The timeliness of the evidence.

d. Whether other evidence related to the risk assessment exists and supports or contradicts the sameconclusion. This includes the following:

(1) Evidence that may have been obtained about another control component, since the five controlcomponents are interrelated. For example, the control environment is pervasive, and a good (or poor)control environment may positively (or negatively) affect the effectiveness of other controlcomponents.

(2) Evidence that may have been obtained about the entity and its environment or while gaining anunderstanding of the design and implementation of controls.

These factors are discussed beginning in the following paragraphs.

Type of Evidence. SAS No. 110 (AU 318.30) notes that �the nature of the particular control influences the type ofaudit procedures necessary to obtain audit evidence about whether the control was operating effectively...." Forsome controls, evidence about their design or operation may exist in documented form that the auditor mayinspect. Usually, the knowledge and objectivity of the person who performed the control activity being tested bydocument inspection or reperformance are less critical to the auditor because there is objective evidence of theperformance of the control activity and its result. This is in contrast to inquiry as a testing procedure where therespondent's knowledge or objectivity may affect the reliability of the response.

However, document inspection and reperformance of the control activity are not always foolproof. Just because theauditor inspects a notation purporting to evidence performance of a control activity, or reperforms a control with noerrors or exceptions being found, does not necessarily mean that the person who made the notation actuallyperformed the control activity. For example, suppose the auditor inspects a clerk's initials on invoices purporting toindicate that the clerk traced the quantities billed to shipping reports. The auditor traces the quantities from theinvoices to shippers and finds no exceptions. Still, the initialed invoices and auditor's successful tracing of thequantities to the shippers does not necessarily mean that the clerk had in fact examined the shippers.

Another problem with document inspection is that employees may perform a control activity but may not initial orplace another identifying mark on documents to indicate that they did perform the activity. In such a situation, eventhough the control activity was performed, there is no documentation of that fact for the auditor to examine. In sucha situation, document inspection cannot be counted as a source of evidence.


63

For some controls, there is no documentation of design or operation. For example, there may be no documenta�tion of segregation of duties or control activities performed by the IT system. In such cases, the auditor may haveto use inquiry, observation, or computer�assisted audit techniques (CAATs) to obtain evidence about the design oroperation. For example, the auditor might observe the receptionist opening the mail and listing cash receipts beforesending the receipts to the accounting clerk.

Exhibit 2�8 summarizes key considerations for evaluating the types of evidence obtained from the control testingprocedures.

Exhibit 2�8

Types of Evidence Considered in Assessing Control Risk

Types of Evidence Common Uses LimitationsExamples of Controls

Being Tested

Inquiry and observation Especially useful inassessing the effective�ness of controls that donot leave a documen�tary trail of their perfor�mance.

Persuasiveness issometimes limitedbecause the evidencemay only apply to theperiod of time the audi�tor is present.

� Segregation ofduties, especiallywhere there is nodocumented orother system evi�dence of perfor�mance.

� Controls overcounts of physicalinventory.

(Inspection of docu�ments might also beused.)

Inspection of clientdocuments (includingreconciliations andother routines)

Can provide strongevidence about operat�ing effectiveness, espe�cially for controls relat�ing to reconciliationsand other documentedroutines.

Degree of persuasive�ness depends on theextent of procedures(sample sizes, numberof months reviewed,etc.). Primarily used totest controls that leavea documentary trail oftheir performance.

� Review of cashaccount reconcili�ations.

� Independentreview andapproval of journalentries and sup�porting documen�tation prior toposting.

(Reperformance mightalso be used in eachexample.)


64

Types of EvidenceExamples of Controls

Being TestedLimitationsCommon Uses

Reperformance Can provide strongevidence about operat�ing effectiveness, espe�cially when used withdocument inspectiontests.

Degree of persuasive�ness depends on theextent of procedures(sample sizes, numberof months reviewed,etc.). Can be very time�consuming.

� Controls over thematching ofinvoices, receivingreports, and pur�chase orders.

� Managementreview andapproval overanalyses of A/Rallowances, otherreserves, and esti�mates.

(Inspection of docu�ments would also beused in each example.)

Walkthroughs May be useful in evalu�ating the design andimplementation of con�trols.

The degree of persua�siveness depends onthe extent of other evi�dence obtained aboutoperating effective�ness.

� When obtainingan understandingof internal control,a walkthrough of acredit sales trans�action is per�formed from thereceipt of the cus�tomer orderthrough recordingin the general led�ger; that involvesthe use of inquiry,observation,inspection of doc�uments, andreperformance,where applicable,of key controlactivities.


65

Types of EvidenceExamples of Controls

Being TestedLimitationsCommon Uses

Prior audits Tests of controls fromprior audits may pro�vide some evidenceabout the operatingeffectiveness of con�trols.

Persuasiveness issometimes limitedbecause controls'effectiveness may havechanged since theprior audit.

� For the 20X1engagement, theauditor testedcontrols over thereview of inventorystandard costsand variances. For20X2, the auditordecides to rely onthat evidenceabout operatingeffectiveness tosupport a reducedcontrol riskassessment andmodify the natureand extent of sub�stantive proce�dures relating toinventory (assum�ing there are nosignificant or fraudrisks). The auditorobtains appropri�ate audit evidenceregarding whetherchanges haveoccurred in thosespecific controlsand the surround�ing circum�stances.

* * *

Source of the Evidence. Evidence about controls obtained directly by the auditor generally provides moreassurance than evidence obtained indirectly. For example, evidence obtained by observation generally providesmore assurance than evidence obtained by inquiry. In the first case, the auditor observes a control procedure beingperformed; in the second case, the auditor is merely told that it was performed.

Although observation is generally superior to inquiry, the auditor should keep in mind that the observed controlactivity might not be performed in the same manner when the auditor is not present. Generally, the stronger thecontrol environment is, the more likely it is that the observed activity is performed consistently at times when it is notobserved. Thus, the stronger is the control environment, the more persuasive is evidence provided by observation.Also, more evidence can be obtained by performing the observation several times during the period. Similarly, thestrength of inquiry as a source of audit evidence can be increased by asking more than one person about the samecontrol activity.

Evidence obtained from externally produced documents, records, or reports is more persuasive than evidencefrom ones produced internally. The internally produced documents, records, or reports may have a greaterpotential for being biased than externally produced ones. However, operational data and reports produced inter�nally but apart from the accounting and financial reporting function, such as an inventory manager's reports of units


66

shipped or reports of internal auditors, can have a �quasi�independent" nature. Also, evidence from internallyproduced documents is more persuasive if the control environment is strong.

��Considering Evidence about the Operation of Entity�level Controls. Considering evidence about the opera�tion of properly designed and implemented entity�level controls may contribute to the auditor's control risk assess�ment and in some cases affect the extent of detail control tests that are needed. This is either because theentity�level control sufficiently addresses the risk related to the relevant assertion, or because the entity level controlprovides some assurance so that the testing of other controls related to that assertion can either be reduced or canbe supplemented to further reduce the control risk assessment. In short, the consideration of entity�level controlscan result in increasing or decreasing the testing the auditor otherwise would have performed on other controls. Forexample:

� The auditor might be able to further reduce the control risk assessment for an assertion by consideringevidence about the operation of entity�level controls in addition to other control tests.

� In order to achieve a planned control risk assessment, the auditor might be able reduce the extent of testsof key control activities by considering evidence about the operation of the control environment ormonitoring controls.

� The auditor might be able to reduce the control risk assessment based solely on evidence about theoperation of entity�level controls. For that to be appropriate, the entity�level controls need to operate at alevel of precision that, without the need for other controls, sufficiently addresses the risk of materialmisstatement to a relevant assertion.

However, in some situations where a control activity and an entity�level control function together to prevent, ordetect and correct, material misstatements, the auditor may consider it necessary to obtain evidence about theoperating effectiveness of both controls. For example, a key control activity for completeness might be provided bya reconciliation routine that includes investigation and resolution of items that were not posted to the general ledgeraccount. Due to the inherent risks for the account and the volume and complexity of reconciliations being per�formed by accounting personnel, a monitoring control consisting of management review over the timely and propercompletion of the reconciliation is important to minimize risk relating to completeness. In this case, the auditor mayconclude that both controls should be tested because they function together to achieve the control objectives forcompleteness.

��When evidence about the operation of an entity�level control contributes to achieving a lower control riskassessment, determining the extent of tests of key control activities that also is needed to support the assessmentis a matter of auditor judgment. Likewise, judgment is necessary in determining the extent of tests if the auditorconcludes that both a control activity and an entity�level control should be tested to support a planned controlassessment. In making these determinations, the auditor would normally consider factors such as:

� How directly the entity�level control contributes to the achievement of the control objective related to theassertion.

� The availability of audit evidence about the effective operation of entity�level controls.

� The evidence obtained during the performance of risk assessment procedures and its persuasiveness.

� The planned control risk assessment desired.

��Example Using Evidence from Entity�level Controls. Assume that a key control over the accuracy of accountsreceivable is provided by the daily review and resolution of a suspense account representing cash collections thatcould not be posted to the receivables subsidiary ledger due to missing or incorrect remittance information. Foreach day, the collection resolution clerk (a) reviews the suspense account, (b) investigates outstanding items, (c)makes appropriate corrections resulting in the clearing of the suspense account and posting to the subsidiaryledger (or reclassification of the receipt), and (d) documents the work performed. A monitoring control also existswhere, at the end of each month, the cash collections controller ensures that the daily resolution control operatesby reviewing the documentation of the daily resolution activity. The controller takes appropriate corrective action if


67

the control was not properly and completely performed and documents the results of the review. The auditor has aplanned expectation of operating effectiveness of the activity�level control and wishes to support a low control riskassessment.

��When planning the tests of controls, the auditor notes that to support a low control risk assessment a sample of40 items would be required for the key suspense resolution control if no deviations were expected. However, theauditor might conclude that a low control risk assessment could also be supported if the auditor tests a sample of25 items for the key control activity and also tests three months of the controller's monthly monitoring review. Asample of 25 items with no expected deviations would normally support a moderate planned control risk assess�ment. However, with the evidence regarding the effective operation of the monthly monitoring control, the auditormight conclude that the low control risk assessment is supported.

Assessing Control Risk at Reduced Levels Based on Risk Assessment Procedures. Many of the procedurescommonly used in the risk assessment process to gain an understanding of internal control (such as inquiry,observation and inspection, and walkthroughs) also may provide evidence about the controls' operating effective�ness. SAS No. 110 (AU 318.27) states the following:

Although some risk assessment procedures that the auditor performs to evaluate the design ofcontrols and to determine that they have been implemented may not have been specificallydesigned as tests of controls, they may nevertheless provide audit evidence about the operatingeffectiveness of the controls, and consequently, serve as tests of controls.

According to SAS No. 109 (AU 314.56), obtaining an understanding of controls is not sufficient to serve as testingoperating effectiveness unless there are effective IT general controls and some automation that provides for theconsistent application of the control. In other words, tests of controls need to be performed to support operatingeffectiveness. And those tests need to provide audit evidence about how controls were applied throughout theperiod under audit and the consistency with which they were applied. The authors believe, however, there may becircumstances when procedures performed to understand the design and implementation of controls may supporta reduced control risk assessment even in the absence of automation. The following examples illustrate the use ofrisk assessment procedures to support a reduced control risk assessment.

Some procedures performed to obtain an understanding of the control environment, such as inquiring aboutmanagement's use of budgets, observation of management's comparison of actual and budgeted expenses, andinspection of reports about the investigation of and response to variances from the budget throughout the periodunder audit, may not only provide evidence about the design and use of budgets as a control, but also may provideevidence that the budget policies and procedures are operating effectively enough (that is, applied at a sufficientlydetailed level) to prevent or detect misstatements in the financial reporting of expenses. This evidence may supporta reduced control risk assessment for certain assertions related to expenses based on the auditor's considerationof whether the audit evidence provided by the procedures is sufficient.

As another example, in gaining an understanding of the monitoring component, the auditor might review reconcilia�tions to determine whether they have annotations documenting that they were reviewed. This would constitute atest of that control during the period under audit. Similarly, procedures performed to gain an understanding of theinformation and communication process, such as questioning employees involved in accounting and computerprocessing and examining source documents and computer output at various stages in the accounting processthroughout the period under audit, might constitute tests of the information and communication control compo�nent.

As a final example, because of the inherent consistency of IT processing, performing risk assessment proceduresto gain an understanding of an automated control (that is, to determine whether the control has been implemented)may serve as a test of the control's operating effectiveness, depending on the auditor's assessment and testing ofIT general controls such as computer security and program change controls.

What does all of this mean for the auditor's control risk assessment? The auditing standards do not specify theamount of audit evidence needed to assess control risk at less than high. The quantity and persuasiveness of auditevidence that is sufficient to support a specific risk assessment is a matter of professional judgment. However, it isbelieved it may be possible to support a control risk assessment of moderate based on procedures performed to


68

evaluate the design of controls and determine that they have been implemented. For example, a walkthrough canserve as a test of controls and, in some cases, along with other risk assessment procedures that serve as tests ofcontrols, can provide a valid basis for assessing control risk at less than high. However, it is believed such tests willnot support a control risk assessment of low unless there is some automation that provides for the consistentapplication of the control. Consideration should be given to the nature of the control (and overall control objective),the frequency of its operation, and whether sufficient evidence has been obtained about how the control wasapplied throughout the period under audit when determining whether risk assessment procedures alone aresufficient to support a reduced control risk assessment.

Effect of the Control Risk Assessment on Substantive Procedures

All else being equal, the lower the assessed level of control risk with respect to an audit area, the less rigorous auditprocedures can be without increasing audit risk for the area. This means that the extent of substantive procedurescan be reduced without increasing audit risk. For example, on the �Risk Assessment Summary Form," the auditordocuments the control risk assessment and the assessed risk of material misstatement, of which control risk is apart. The assessed risk of material misstatement affects the auditor's response. If control risk and the risk ofmaterial misstatement are assessed as high for a particular audit area or assertion, generally the auditor woulddocument on the �Risk Assessment Summary Form" the plan to select procedures from the Extended Procedures(Procedures for Additional Assurance) section of the audit program to obtain additional assurance and address thehigher risk level. If, on the other hand, risk of material misstatement is assessed as moderate, for example, becauseaudit evidence supports a reduced control risk assessment, the auditor might decide (and document on �RiskAssessment Summary Form") that the Basic Procedures section of the audit program will suffice.

When the control risk assessment (and, consequently, the combined risk of material misstatement) is reduced byperforming tests of controls, reductions of the extent of substantive procedures might include the following:

� Applying an analytical procedure as a substantive procedure instead of a test of details. In some cases,substantive procedures might be limited to substantive analytical procedures.)

� Using a less effective analytical procedure, such as one based on data developed by the client internallyrather than on data developed from external sources.

� Examining fewer items in a test of details, such as using a smaller sample size if sampling is used.

� Sending fewer accounts receivable confirmations or observing a physical inventory at fewer locations.

The practical implication of being able to use less rigorous audit procedures or reduce the extent of substantiveprocedures is increased audit efficiency.

Note that although a lowered control risk assessment may be a basis for reducing the extent of substantiveprocedures, substantive procedures cannot be omitted entirely where material misstatements could exist. SAS No.110 (AU 318.57) states the following:

Regardless of the assessed risk of material misstatement, the auditor should design and performsubstantive procedures for all relevant assertions related to each material class of transactions,account balance, and disclosure. This reflects the fact that the auditor's assessment of risk isjudgmental and may not be sufficiently precise to identify all risks of material misstatement.Further, there are inherent limitations to internal control, including management override, andeven effective internal controls generally reduce, but do not eliminate, the risk of materialmisstatement.

Using the PPC Approach. Using the �Risk Assessment Summary Form" the auditor selects an audit approachconsisting of Limited Procedures, Basic Procedures, or Extended Procedures (Procedures for Additional Assur�ance) based on the assessed risk of material misstatement at the relevant assertion level. Reductions in the controlrisk assessment (and, consequently, in the assessed risk of material misstatement) may enable the auditor to selectan audit approach that is effective and more efficient to respond to the assessed level of risk. How much reductionin the control risk assessment is needed, however, to enable the auditor to choose Limited Procedures rather than


69

Basic Procedures or Basic Procedures rather than Extended Procedures? The answer is a matter of professionaljudgment, but the authors have developed some guidelines in Exhibit 2�9 that auditors may find useful. As indicatedin Exhibit 2�9, a control risk assessment of moderate ordinarily does not affect the choice of audit approach asbetween Limited, Basic, or Extended Procedures. However, it may allow the auditor to alter the extent of substantiveprocedures within a given audit approach. Only a control risk assessment of low can ordinarily change the auditor'schosen approach from Extended Procedures to Basic Procedures.

Exhibit 2�9

Guidelines for Reducing Substantive Procedures Based on a Reduced Control Risk Assessment

Characteristics of the

Audit Area

Inherent

Risk Control Risk

Risk of

Material Misstate�

ment Comments

Significant audit area thatdoes not contain fraudrisks or other significantrisks.

High High or Moderate

Low

High

Moderate

When inherent risk is high with nofraud risks or other significantrisks, the Extended Procedures(Procedures for Additional Assur�ance) approach is recommendedunless the control risk assessmentcan be reduced to low. A controlrisk assessment of low, whichreduces the overall risk of materialmisstatement to moderate, maypermit the auditor to respondusing Basic Procedures.

Significant audit area thatdoes not contain fraudrisks or other significantrisks.

Moderate High

Moderate orLow

Moderate

Low

Regardless of the control riskassessment, the authors recom�mend performing at least the BasicProcedures for this level of inher�ent risk in significant audit areas,with no fraud risks or other signifi�cant risks.

Significant audit area thatcontains fraud risks orother significant risks.

High High or Moderate

Low

High

Moderate

Regardless of the control riskassessment, the authors recom�mend performing ExtendedProcedures (Procedures forAdditional Assurance) for auditareas or assertions that containfraud risks or other significantrisks. That is, even if the overallrisk of material misstatement couldbe reduced to moderate by testingcontrols, tests of details orextended analytical proceduresare ordinarily still necessary torespond to fraud risks or othersignificant risks. (Fraud risks andother significant risks ordinarilyinvolve high inherent risk.)

* * *


70


71

SELF�STUDY QUIZ


21. Of the following statements, which one is accurate regarding detecting deviations from prescribed proceduresthrough test of controls?

a. The ineffective operation of an indirect control might cause a deviation in a control activity.

b. An isolated deviation or minor weakness generally means that control risk is high.

c. Controls should be evaluated individually.

d. An auditor should assume that an instance of fraud or error is an isolated instance.

22. Substantive procedures may result in all of the following except:

a. Additional evidence that supports the auditor's conclusion about the operating effectiveness of controls.

b. The need to reevaluate the prior assessment of control risk.

c. The detection of a material misstatement which should be regarded as a minor deficiency and not anindication that a material weakness in internal control exists.

23. Jim is an auditor considering reperformance evidence in assessing control risk. Which of the following wouldbe a common way for Jim to use such evidence in his control risk assessment?

a. Assessing the effectiveness of controls that do not leave a documentary trail of their performance.

b. Assessing operating effectiveness, especially for controls relating to reconciliations and other docu�mented routines.

c. Providing evidence about operating effectiveness, especially when used with document inspection tests.

d. Evaluating the design and implementation of controls.

24. If the degree of persuasiveness depends on the extent of other evidence obtained about operatingeffectiveness, this type of limitation in assessing control risk is associated with which of the following types ofevidence?

a. Inquiry and observation.

b. Inspection of client documents.

c. Reperformance.

d. Walkthroughs.

25. Which of the following statements regarding the source of the evidence about controls is accurate?

a. Evidence obtained indirectly by the auditor generally provides more assurance than evidence obtaineddirectly.

b. Evidence obtained by observation is always superior to evidence obtained by inquiry.

c. The stronger the control environment is, the more persuasive is evidence provided by observation.

d. Evidence obtained from internally produced documents, records, or reports is more persuasive thanevidence from ones produced externally.


72



21. Of the following statements, which one is accurate regarding detecting deviations from prescribed proceduresthrough test of controls? (Page 60)

a. The ineffective operation of an indirect control might cause a deviation in a control activity. [This

answer is correct. In some instances, a deviation in a control activity might result from the ineffectiveoperation of an indirect control, for example, related to the control environment or IT general

controls. This information is needed to determine its impact on the assessed risk of material

misstatement.]

b. An isolated deviation or minor weakness generally means that control risk is high. [This answer is incorrect.The auditor should not assume that an isolated deviation or minor weakness necessarily means thatcontrol risk is high because the controls should be evaluated as a group.]

c. Controls should be evaluated individually. [This answer is incorrect. Controls should be evaluated as agroup rather than individually because an effectively operating control might compensate for one that isoperating ineffectively.]

d. An auditor should assume that an instance of fraud or error is an isolated instance. [This answer isincorrect. An auditor should not assume that an instance of fraud or error is an isolated instance. Carefulanalysis should be made to determine how it may impact the assessed risk of material misstatement.]

22. Substantive procedures may result in all of the following except: (Page 61)

a. Additional evidence that supports the auditor's conclusion about the operating effectiveness of controls.[This answer is incorrect. One of the results of substantive procedures is that they may provide additionalevidence that supports the auditor's conclusion about the operating effectiveness of controls.]

b. The need to reevaluate the prior assessment of control risk. [This answer is incorrect. Substantiveprocedures may provide additional evidence that creates the need to reevaluate the prior assessment ofcontrol risk.]

c. The detection of a material misstatement which should be regarded as a minor deficiency and notan indication that a material weakness in internal control exists. [This answer is correct. A material

misstatement detected through the performance of substantive procedures should be regarded, at

a minimum, as a significant deficiency and a strong indicator that a material weakness in internalcontrol exists and should be communicated to management and those responsible for governance,

as indicated in SAS No. 110.]

23. Jim is an auditor considering reperformance evidence in assessing control risk. Which of the following wouldbe a common way for Jim to use such evidence in his control risk assessment? (Page 63)

a. Assessing the effectiveness of controls that do not leave a documentary trail of their performance. [Thisanswer is incorrect. Inquiry and observation evidence is especially useful in assessing the effectivenessof controls that do not leave a documentary trail of their performance.]

b. Assessing operating effectiveness, especially for controls relating to reconciliations and other docu�mented routines. [This answer is incorrect. Inspection of client documents (including reconciliations andother routines) can provide strong evidence about operating effectiveness, especially for controls relatingto reconciliations and other documented routines.]


73

c. Providing evidence about operating effectiveness, especially when used with document inspection

tests. [This answer is correct. One of the common uses of reperformance evidence is to providestrong evidence about operating effectiveness, especially when used with document inspection

tests.]

d. Evaluating the design and implementation of controls. [This answer is incorrect. Evidence fromwalkthroughs may be useful in evaluating the design and implementation of controls.]

24. If the degree of persuasiveness depends on the extent of other evidence obtained about operatingeffectiveness, this type of limitation in assessing control risk is associated with which of the following types ofevidence? (Page 63)

a. Inquiry and observation. [This answer is incorrect. The limitation associated with evidence involving inquiryand observation is that persuasiveness is sometimes limited because the evidence may only apply to theperiod of time the auditor is present.]

b. Inspection of client documents. [This answer is incorrect. The limitation associated with evidence involvinginspection of client documents is that the degree of persuasiveness depends on the extent of proceduresand is primarily used to test controls that leave a documentary trail of their performance.]

c. Reperformance. [This answer is incorrect. The limitation on reperformance evidence is similar to thelimitation on evidence in inspection of client documents but the limitations on reperformance can also bevery time�consuming.]

d. Walkthroughs. [This answer is correct. When the type of evidence being considered in assessing

control risk is walkthroughs, the limitation is that the degree of persuasiveness depends on theextent of other evidence obtained about operating effectiveness.]

25. Which of the following statements regarding the source of the evidence about controls is accurate? (Page 65)

a. Evidence obtained indirectly by the auditor generally provides more assurance than evidence obtaineddirectly. [This answer is incorrect. Evidence about controls obtained directly by the auditor generallyprovides more assurance than evidence obtained indirectly.]

b. Evidence obtained by observation is always superior to evidence obtained by inquiry. [This answer isincorrect. Evidence obtained by observation is generally, but not always, superior to inquiry due to the factthat the observed control activity might not be performed in the same manner when the auditor is notpresent.]

c. The stronger the control environment is, the more persuasive is evidence provided by observation.[This answer is correct. Generally, the stronger the control environment is, the more likely it is that

the observed activity is performed consistently at times when it is not observed. Thus, the stronger

the control environment, the more persuasive is evidence provided by observation.]

d. Evidence obtained from internally produced documents, records, or reports is more persuasive thanevidence from ones produced externally. [This answer is incorrect. Evidence obtained from externally

produced documents, records, or reports is more persuasive than evidence from those producedinternally because those produced internally may have a greater potential for being biased.]


74

SUBSTANTIVE PROCEDURES

Further audit procedures performed for the purpose of detecting material misstatement at the relevant assertionlevel are referred to as substantive procedures. For each relevant assertion within an account balance, class oftransactions, or disclosure, the auditor needs to determine the nature, timing, and extent of substantive proceduresnecessary to obtain sufficient, appropriate audit evidence to express an opinion on the financial statements.Substantive procedures consist of tests of details and substantive analytical procedures as illustrated in Exhibit2�10:

Exhibit 2�10

Substantive Procedures

* * *

Risk assessment procedures and tests of controls contribute to the formation of the auditor's opinion, but do not bythemselves provide sufficient, appropriate audit evidence. According to SAS No. 110 (AU 318.51), �regardless ofthe assessed risk of material misstatement, the auditor should design and perform substantive procedures for allrelevant assertions related to each material class of transactions, account balance, and disclosure." The reasonsfor this requirement are as follows:

� The auditor's assessment of risk is judgmental and might not be sufficiently precise to identify all risks ofmaterial misstatement.

� There are inherent limitations to internal control, including management override, and even effectiveinternal controls generally reduce but do not eliminate, the risk of material misstatement.

In other words, even if the auditor concludes that the risk of material misstatement is low for a particular assertionrelated to a material account balance, transaction class, or disclosure, based on performing risk assessmentprocedures and tests of controls, some substantive procedures are still required.


75

Certain substantive procedures should be performed in every audit. The additional substantive procedures that areneeded in particular circumstances depend on the auditor's judgment about the sufficiency and appropriatenessof audit evidence in the circumstances.

Substantive Procedures Required in Every Audit

Because of the judgmental nature of the auditor's risk assessments and the inherent limitations of internal control,particularly the risk of management override, the auditing standards prescribe certain substantive procedures thatshould be performed in every audit.

Financial Reporting System and Fraud Procedures. Specifically, SAS No. 110 (AU 318.52) requires that theauditor perform the following substantive procedures in every audit:

� Agreeing the financial statements, including the accompanying notes, to the underlying accountingrecords.

� Examining material journal entries and other adjustments made during the course of preparing the financialstatements.

These requirements are related to the financial reporting process.

SAS No. 99 also requires certain substantive procedures in all audits to address the risk of management overrideof controls. These required procedures are as follows:

� Examining journal entries and other adjustments for evidence of possible material misstatement due tofraud (AU 316.58�.62).

� Reviewing accounting estimates for bias that could result in material misstatement due to fraud (AU316.63�.65).

� Evaluating the business rationale for significant unusual transactions (AU 316.66).

Both SAS No. 110 and No. 99 require examining journal entries and other adjustments, but the requirement of SASNo. 99 is focused on identifying fraudulent journal entries. As discussed in paragraph 6.94 of the AICPA RiskAssessment Audit Guide, the nature, timing, and extent of procedures required by SAS No. 99 are different fromthose required by SAS No. 110. SAS No. 110 focuses on journal entries made during the course of preparing thefinancial statements and SAS No. 99 requires the auditor to consider reviewing journal entries made throughout theyear. This distinction is also emphasized in a nonauthoritative AICPA Technical Practice Aid, Examining Journal

Entries (TIS 8200.16). Auditors should ensure that their audit procedures satisfy both requirements.

Significant Risks. Significant risks are risks that require special audit attention. When the audit approach tosignificant risks consists only of substantive procedures (that is, the auditor does not plan to rely on controls), thesubstantive procedures should be tests of details only or a combination of tests of details and substantive analyticalprocedures. The use of only substantive analytical procedures is not permitted. (AU 318.54)

Other Required Audit Procedures. There are also other SASs that impose presumptively mandatory require�ments for substantive procedures for particular account balances. Examples include the following:

� Confirmation of accounts receivable. (SAS No. 67, AU 330)

� Inventory observation, that is, being present at the time of the count and, by suitable observation, tests, andinquiries being satisfied about the effectiveness of the methods of inventory taking. (SAS No. 1, AU 331)

In addition, there are other specific requirements to perform procedures, typically called general procedures, thatdo not relate to particular account balances, such as sending a letter of audit inquiry to the client's lawyer andreading minutes of meetings of directors. Those general procedures are included in the audit program for GeneralAuditing and Completion Procedures (AP�2). The requirement to confirm accounts receivable is a basic procedure


76

in the Audit Program for Accounts Receivable and Sales (AP�4). The requirement to observe inventory is a basicprocedure in the Audit Program for Inventory and Cost of Sales (AP�5).

Sufficiency and Appropriateness of Audit Evidence

The additional substantive procedures that are needed in particular circumstances depend on the auditor'sjudgment about the sufficiency and appropriateness of audit evidence in the circumstances. Therefore, the auditorshould consider the sufficiency and appropriateness of audit evidence to be obtained when assessing risks anddesigning further audit procedures. SAS No. 106 (AU 326.06) describes these characteristics of audit evidence asfollows:

� Sufficiency is the measure of the quantity of audit evidence.

� Appropriateness is the measure of the quality of audit evidence, that is, its relevance and its reliability inproviding support for, or detecting misstatements in, the classes of transactions, account balances, anddisclosures and related assertions.

The quantity and quality of audit evidence needed are interrelated and are dependent on the risk of materialmisstatement.

The auditor performs risk assessment procedures to obtain an understanding of the entity and its environment,including its internal control, to assess the risks of material misstatement. This assessment includes considerationof the effectiveness of management's responses and controls to address risks. The auditor evaluates the qualityand quantity of the evidence obtained from the risk assessment procedures and, if applicable, tests of controls todetermine the further audit procedures necessary to obtain sufficient, appropriate evidence to afford a reasonablebasis for an opinion of the financial statements under audit.

An important quality of audit evidence is its reliability, which is affected by both the nature and source of theevidence. SAS No. 106 (AU 326.08) provides the following generalizations about the reliability of audit evidence:

a. Audit evidence is more reliable when it is obtained from knowledgeable independent sources outside theentity.

b. Audit evidence that is generated internally is more reliable when the related controls imposed by the entityare effective.

c. Audit evidence obtained directly by the auditor (for example, observation of the application of a control)is more reliable than audit evidence obtained indirectly or by inference (for example, inquiry about theapplication of a control).

d. Audit evidence is more reliable when it exists in documentary form, whether paper, electronic, or othermedium. For example, a contemporaneously written record of a meeting is more reliable than a subsequentoral representation of the matters discussed.

e. Audit evidence provided by original documents is more reliable than audit evidence provided byphotocopies or facsimiles.

Recent fraud cases indicate that the auditor should be wary about the information in documents generated in apoorly controlled environment or in copies of documents when originals should be readily available.

Authoritative literature views audit evidence as being obtained from a variety of sources, including the auditor'sassessment of risk. SAS No. 106 (AU 326.02) defines audit evidence as �all the information used by the auditor inarriving at the conclusions on which the audit opinion is based and includes the information contained in theaccounting records underlying the financial statements and other information." Audit evidence includes evidenceobtained from procedures performed during the current audit as well as previous audits. Use of audit evidence fromprevious audits is discussed previously, but one common form of such evidence is experience gained in previousaudits with respect to potential misstatements. Misstatements detected in previous audits are an important indica�


77

tor of likely misstatements in the current audit. Generally, however, previous misstatements are a more reliableindicator of error than fraud.

SAS No. 106 notes that audit evidence includes the information contained in the accounting records underlying thefinancial statements and other information. SAS No. 109 (AU 314) observes that control activities relevant to theaudit include �reconciliation of the general ledger to the detailed records" and state that �the auditor should obtainan understanding of the process of reconciling detail to the general ledger for significant accounts." Further,agreeing the financial statements to the underlying accounting records is a required procedure in every audit. Thus,without adequate attention to the propriety and accuracy of underlying accounting data, an opinion of the financialstatements is not warranted.

Nature, Timing, and Extent of Substantive Procedures

As the residual risk of material misstatement increases, the quantity and quality of necessary audit evidence fromsubstantive procedures also should increase. SAS No. 110 (AU 318.12) states that �the higher the auditor'sassessment of risk, the more reliable and relevant is the audit evidence sought by the auditor from substantiveprocedures. This may affect both the types of audit procedures to be performed and their combination."

Generally, the auditor will have decided whether audit procedures will be performed at an interim date or at periodend as part of establishing the overall audit strategy. Therefore, in designing further audit procedures, the focus willbe on the nature and extent of substantive procedures rather than their timing. SAS No. 110 (AU 318.07) states that�the nature of audit procedures is of most importance in responding to the assessed risks." SAS No. 110 (AU318.19) explains that �increasing the extent of an audit procedure is effective only if the audit procedure itself isrelevant to the specific risk and reliable; therefore, the nature of the audit procedure is the most importantconsideration."

Selecting Appropriate Substantive Procedures

The selection of specific substantive procedures needed to respond to the risk assessment is a matter of auditorjudgment. This involves consideration of all the relevant factors, including the following:

� Characteristics of the related account (or transaction class).

� Financial statement assertion(s) being tested.

� Nature of risks identified.

� Degree of the risk involved.

� Type and persuasiveness of the available audit evidence.

� Efficiency and effectiveness of the substantive procedures.

Considering the Account Being Tested. Some types of accounts lend themselves better to particular procedures.For example, some accounts, such as accounts receivable, can generally be tested by applying procedures tobalances. Other accounts, such as property accounts, are often tested most effectively by examining transactionsduring the period. As another example, many types of accrued liabilities are based on financial relationships thatcan be effectively tested through properly designed analytical procedures.

Considering the Financial Statement Assertion. Similarly, the financial statement assertion being tested can alsosignificantly affect the choice of procedures. For example, tests of existence are generally aimed at examining theitems comprising the account balance. Tests of completeness often involve (a) performing predictive tests ofaccount balances or (b) identifying items that should be included in the account and determining whether they areincluded. Tests of valuation normally relate to assessing the reasonableness of computed or estimated amounts(such as inventory costing or allowance for doubtful accounts).

The financial statement assertion being considered can also provide indications of the types of misstatements thatmight occur in the financial statements. For example, misstatements of the existence assertion generally result in


78

overstatement of the account balance, and misstatements of the completeness assertion generally result inunderstatement.

Considering the Nature of Risks Identified. On the �Risk Assessment Summary Form", the auditor documentsspecific risks relating to each significant audit area and related assertion, including fraud risks and other significantrisks. Sometimes the identified risk will suggest the appropriate additional procedure needed. For example, if therisk for receivables is that sales cutoff errors are likely to occur, the auditor may simply choose to apply moreprocedures to test sales cutoff. However, in other cases, the appropriate procedure may be less clear. In thosecases, the auditor should consider the risks in terms of the types (or direction) and causes of potential misstate�ments to decide what steps may be appropriate. Exhibit 2�11 lists the basic types (or direction) and causes ofmisstatements that might affect a particular account and result in material misstatement of the financial statements.

Exhibit 2�11

Types (Direction) and Causes of Misstatements

Types (Direction) of Misstatement

� Understatement of account balance

� Overstatement of account balance

Causes of Misstatement

� Error

� Fraudulent financial reporting

� Theft

* * *

Determining the type of misstatement can help the auditor determine the direction of the testing procedures. Toillustrate this process, consider how types of misstatement could affect the testing of inventory quantities. If theauditor is concerned about understatement of inventory quantities, the focus should be on tracing from externaldocuments (purchase records, physical inventory counts, etc.) to the inventory records and testing to assure thatall inventory was counted. On the other hand, if the auditor is concerned about overstatement of quantities, thefocus would be on (a) vouching recorded quantities to physical count sheets or other relevant documentation, (b)testing to assure that inventory counts were not duplicated, and (c) determining whether purchased inventory intransit was recorded in the proper period.

The auditor should also consider whether the likely cause of misstatements will tend to result in understatement oroverstatement of the account balance and design procedures accordingly. For example, if fraud risk indicatorspoint to a risk of overstatement of revenue, one possibility is an increased risk of improper cutoff to inflate revenue.Thus, the auditor might design procedures to compare sales recorded near year end to merchandise shipmentswith the emphasis on whether shipments after year end were incorrectly recorded as sales in the period underaudit.

Consideration of the cause of misstatements becomes especially important if the auditor believes there is asignificant risk of material misstatement due to fraud. In that case, the auditor should carefully consider how fraudmight result in misstatement of the financial statements and then design appropriate procedures to detect thosemisstatements.

Considering the Degree of Risk. On the �Risk Assessment Summary Form," the auditor documents the assess�ment of the risk of material misstatement for each significant audit area or assertion. Generally, the higher the risk,


79

the greater the degree of assurance needed from substantive procedures. Even without testing controls, thedegree of assurance can be increased through one or more of the following means:

� Nature. The auditor can change the nature of the procedures. This normally involves adding moreprocedures or choosing more persuasive procedures, that is, using more precise procedures, performingmore independent verifications, etc. (The nature of procedures is the most important consideration.)

� Extent. The auditor can increase the extent of testing. This can be done by testing more items, changingthe design of the test to focus on more items that are prone to misstatement, or increasing the precisionof analytical procedures.

� Timing. The auditor can change the timing of the procedures to do more work at the balance�sheet date.

Because audit programs deal primarily with the nature of procedures, an auditor's first response to a high risk ofmaterial misstatement will normally be to consider adding more procedures. Before doing so, the auditor shouldconsider whether or not he or she is performing the most effective or the correct procedures. Then, the auditorshould consider whether changing the extent or timing of the procedures might be as effective as, and moreefficient than, adding more audit procedures. If the auditor responds to a high risk of material misstatement byaltering the extent or timing of the procedures, he or she can document that response in the �Comments" columnof the �Risk Assessment Summary Form."

Considering the Available Evidence. When planning the audit, the auditor should consider the audit evidenceneeded and the evidence available. The evidence sought should be commensurate with the assessed level of risk.Generally, the higher the assessed risk of material misstatement for an area or assertion, the more reliable theevidence needs to be.

The availability of audit evidence is another key consideration. This is critical when much of that evidence iselectronic. In many entities, vast amounts of information are transmitted, processed, maintained, or accessedelectronically. In some industries, purchase and sale transactions and related payments occur electronically, suchas through electronic data interchange (EDI). When information technology systems are used extensively, someaudit evidence may be available only in electronic form and only for a period of time. In those situations, the auditormust apply the audit procedures when the evidence is available and might need to use technology to do so.Sometimes, the auditor might conclude that it is not possible or practical to reduce detection risk at the relevantassertion level to an acceptable low level with audit evidence obtained by performing only substantive procedures.In those cases, the auditor should test controls relating to those assertions.

Considering the Effectiveness and Efficiency of Substantive Procedures. As previously noted, the auditorshould consider the degree of assurance needed from substantive procedures and select procedures that aresufficiently effective. To be cost�effective, the auditor should also consider efficiency of the substantive procedures.

Substantive procedures include tests of details and substantive analytical procedures. Therefore, designing thenature of substantive procedures involves deciding between the two. In some cases, substantive procedures mightbe limited to substantive analytical procedures. Substantive analytical procedures alone are more likely to beappropriate in the following circumstances:

� The risks of material misstatement, including particular risks due to fraud, are relatively low.

� The account balance, transaction class, or disclosure relates to large volumes of transactions that tend tobe predictable over time.

� The account balance, transaction class, or disclosure is not affected by a significant degree of subjectivity.

A more detailed discussion of choosing between substantive analytical procedure and tests of details follows.

According to SAS No. 110 (AU 318.57), in designing substantive analytical procedures, the auditor should considermatters such as the following:

� The suitability of using substantive analytical procedures, given the assertions.


80

� The reliability of the data, whether internal or external, from which the expectation of recorded amounts orratios is developed.

� Whether the expectation is sufficiently precise to identify the possibility of material misstatement at thedesired level of assurance.

� The amount of any difference in recorded amounts from expected values that is acceptable.

In addition, the auditor should obtain audit evidence about the accuracy and completeness of information (bothfinancial and nonfinancial) used in performing substantive analytical procedures.

Choosing between Analytical Procedures and Substantive Tests of Details

The authoritative literature does not explain how to apportion reliance on substantive procedures between tests ofdetails and analytical procedures except when testing significant risks. Analytical procedures may be used toreinforce conclusions based on the results of other substantive procedures or as the sole source of evidence. Thatdecision is primarily based on the effectiveness of the procedures. Efficiency also may be a factor in decidingbetween analytical procedures and substantive tests of details. That is, given two procedures of equal effective�ness, the auditor chooses the one that is most efficient. Therefore, the auditor would ordinarily use an analyticalprocedure rather than a test of details if the analytical procedure is at least as effective in reducing detection risk tothe desired level as the test of details and is easier to apply.

Generally, the higher the assessed risk of material misstatement, the more effective analytical procedures need tobe before they can be relied on instead of tests of details. Accordingly, auditors tend to use tests of details moreextensively in high risk audit areas (such as areas containing fraud risks or other significant risks) and analyticalprocedures more often in low risk areas or as secondary rather than primary auditing procedures. However, if theauditor has highly effective analytical procedures, it may be possible to reduce the extent of detail testing neededeven in areas where significant risks exist. The effectiveness of analytical procedures in reducing detection risk incomparison with the effectiveness of tests of details generally depends on the facts and circumstances. However,the following are some general observations:

a. Analytical procedures are generally not effective in testing assertions about rights or obligations orassertions related to presentation and disclosure because those assertions do not lend themselves totesting through comparisons with expectations. Therefore, analytical procedures would not be effectiveresponses for risks related to matters such as parties to transactions lacking in economic substance orintentional ambiguity in financial statement disclosures.

b. Relationships involving transactions over a period of time (that is, income statement accounts) tend to bemore predictable than relationships at a point in time (that is, balance sheet accounts). Because of thedifficulty in developing expectations about a balance at a point in time with sufficient precision, analyticalprocedures are often not as effective as tests of details for assertions about the existence of assets andliabilities. Therefore, analytical procedures would not be as effective as tests of details when respondingto risks such as recording false receivables or including items in inventory that are false or mislabeled.

c. Analytical procedures are often equally or more effective than tests of details for assertions about thecompleteness of assets, liabilities, revenues, and expenses. When testing for completeness, misstate�ments would often not be apparent from inspecting detailed evidence in the accounting records. Forexample, the analytical procedure of comparing the change in inventory to recorded sales may be equallyor more effective than testing daily sales reports in detecting a material misappropriation of cash salesreceipts in a retail organization.

d. Analytical procedures are often equally or more effective than tests of details for assertions about theoccurrence of revenues. For example, comparing recorded sales with the amount expected, based on areliable record of units sold and average prices, especially if comparisons are made by product line, maybe as likely to detect a material misstatement of assertions about the occurrence of revenues as inspectingsupporting documentation for a sample of recorded sales. Analytical procedures are more reliable if theyare based on reliable data produced outside the accounting system (for example, operating data used tomanage the entity).


81

e. Analytical procedures are often equally or more effective than tests of details for assertions about theoccurrence of certain expenses. For example, comparing recorded production labor costs with the amountexpected, based on the number of people required for the volume sustained during the year, may be aslikely to detect a material misstatement as looking at supporting documentation for a sample of recordedcompensation expense. However, if fraud is a concern, analytical procedures may not be effective. Forexample, if management is able to manipulate expense accounts so that ratios appear reasonable, ratioanalysis would not be an effective analytical procedure for detecting material misstatements.

f. Analytical procedures may be as effective as tests of details for assertions about the valuation of someassets and liabilities but not for others. Generally, whether an analytical procedure is as effective as a testof details for a valuation assertion depends on whether an expectation can be developed. For example

(1) An analytical procedure may be as effective as a test of details for assertions about the valuation ofcustomer accounts receivable that are made up of a large number of relatively small balances.However, a test of details may be more effective when some account balances are disproportionatelylarge. In that situation, failure to record an allowance for uncollectible amounts resulting from adeterioration in the financial condition of one of those customers either before or after year�end wouldmost likely not be detected by an analytical procedure.

(2) An analytical procedure may be as effective for valuation assertions about an entity's obligation undera continuing warranty program, but a test of details may be more effective for a new warranty program.In that situation, the newness of the program makes developing an expectation with the requiredprecision more difficult.

g. Substantive tests of details may be more effective for valuation assertions in an unstable environment. Theability to develop an expectation that approximates the recorded amount is greater when the environmentis stable. For example, when interest rates are fluctuating widely, it is difficult to develop a preciseexpectation about interest expense. Similarly, when transactions involve management discretion, such asthe choice of repairing versus replacing existing assets, there is also less predictability in expectedrelationships.

Timing of Substantive Procedures

As part of audit planning, the auditor considers whether any substantive procedures should be applied before thebalance sheet date. When substantive procedures are performed at an interim date, SAS No. 110 (AU 318.58),requires the performance of further substantive procedures (or substantive procedures combined with tests ofcontrols) for the remaining period. Generally, the most efficient approach for audits of small and midsize nonpublicentities is to perform the audit tests as of the balance sheet date. However, the auditor may wish to perform auditprocedures before the balance sheet date in the following situations:

� Convenience. If the auditor has several clients with the same year end, interim procedures may be usedto spread the auditor's workload more evenly.

� Deadline. If the client has a tight deadline for issuing its financial statements, the auditor may need toperform some procedures at an interim date to meet that deadline.

� Issue Identification. Interim audit work allows the auditor to identify and address critical audit issues as soonin the engagement as possible. Then the auditor and client can more easily deal with issues withoutdeadline pressures arising near year end, which in turn can enhance audit efficiency and client relations.

� Assessed Risks of Material Misstatement. Modifying the timing of substantive procedures is one responseto the assessed risks of material misstatement due to error or fraud. In general terms, the higher theassessed risk of material misstatement, the more likely it is that the auditor will determine that it is moreeffective (or necessary due to certain fraud risks) to perform substantive procedures near the period end.However, as the assessed risks diminish, the auditor may determine that an appropriate response wouldinclude the performance of certain substantive procedures at an interim date. Also, as SAS No. 99 pointsout (AU 316.52), a response to some identified fraud risks, such as fraudulent revenue recognition, might


82

be to apply substantive procedures to transactions occurring earlier in or throughout the reporting period.SAS Nos. 99 and 110 also suggests that an overall response to identified risks might be to add an elementof unpredictability in the timing of audit procedures from year to year, such as by performing tests at a timeother than expected.

Many auditors find that the benefits of interim audit procedures outweigh the disadvantages. In many cases, thereis simply no way to meet the audit firm's and clients' needs without some interim work. Thus, the issue oftenbecomes not whether to do interim work but how to do it to maximize audit efficiency and effectiveness.

There are generally two types of substantive procedures that may be performed before the balance sheet date

a. Flexible Timing Procedures. Flexible timing substantive procedures can be applied at any time, includingan interim date. These procedures generally consist of examining transactions or gathering informationwithout attempting to reach a conclusion about an entire account balance as of an interim date. Theprocedures can be performed through an interim date and later extended to the balance sheet date. Theauditor can then reach one conclusion covering the balance for the entire year. Examples of suchprocedures include:

(1) Tests of transactions in balance sheet accounts with a low turnover or activity rate, such as property,long�term debt, lease obligations, investments, and owners' equity.

(2) Tests of transactions that affect revenues and expenses, such as tests of sales of significant assets.

(3) Analytical procedures for revenues and expenses, such as analysis of sales or gross profit by month.

b. Interim Audit Procedures. Interim audit procedures are performed to arrive at a conclusion about anaccount balance as of an interim date. Additional procedures are then performed to extend the interimconclusion to the balance sheet date. The following are examples of procedures that may be performedat an interim date, depending on the circumstances:

(1) Confirmation of accounts receivable.

(2) Inventory observation.

(3) Inventory price testing.

Interim audit procedures involve additional considerations, which are discussed in the following paragraphs.

Interim Audit Procedures. When evaluating whether it is practical to perform interim audit procedures, the auditorshould consider the following factors:

a. Feasibility. SAS No. 110 (AU 318.17) lists several factors that should be considered before applyingsubstantive procedures at an interim date. Also, there are practical considerations such as the availabilityof sufficient information to effectively test the remaining period (that is, the period from the interim date tothe balance sheet date).

b. Efficiency. Interim substantive tests of details of asset and liability account balances may not becost�effective unless substantive procedures covering the remaining period can be restricted. If testing ofthe remaining period cannot be restricted, the auditor may have to reperform the interim procedures as ofthe balance sheet date, which could result in a substantial increase in audit time and cost.

Exhibit 2�12 is a list of specific considerations in deciding whether to perform interim audit procedures.


83

Exhibit 2�12

Timing Considerations for Interim Audit Procedures

1. Risk factors

a. Assessed risk of material misstatement. (SAS No. 110 indicates the higher theassessed risk of material misstatement, the more likely it is that the auditor willdetermine that it is more effective to perform substantive procedures near the periodend or at unannounced or unpredictable times. SAS No. 99 indicates that responseto some identified fraud risks may cause the auditor to perform substantiveprocedures at the balance�sheet date while response to other identified fraud risksmay cause the auditor to apply substantive procedures to transactions occurringearlier in or throughout the reporting period.)

b. Length of the remaining period.

c. Control environment and other relevant controls.

2. Account characteristics

a. The relevant assertions for which audit evidence will be obtained.

b. The predictability of the composition or amount of the account balance from theinterim date to the balance�sheet date.

c. The probability of transactions or events occurring between the interim date and thebalance�sheet date that could significantly affect the conclusions at the interim dateor require the reperformance of interim audit procedures.

d. Client policies and procedures regarding the account (specifically, whether the clientanalyzes and adjusts the account balance regularly and establishes proper cutoffs).

3. Financial reporting system

a. Reliability of the financial reporting system (for example, whether it is characterized byinaccuracy or delay that creates audit risks that would undermine the effectiveness ofinterim testing).

b. Ability of the financial reporting system to provide sufficient information about thefollowing matters:

(1) Composition of the account balance at the interim date.

(2) Composition of the account balance at the balance�sheet date.

(3) Transactions occurring and journal entries recorded during the remaining period.

(4) Reasons for significant differences arising from analytical procedures.

* * *

Choosing an Interim Date. When interim audit procedures are performed, the risk that misstatement may exist in therelated audit area and not be detected by the auditor generally increases as the length of the remaining periodincreases. Thus, the selection of an interim date (which determines the length of the remaining period) cansignificantly affect the nature and extent of audit procedures for the remaining period. SAS No. 110 does notspecifically address selection of interim audit dates. Many auditors believe that the interim date should not be morethan three months before the balance sheet date. Generally, an interim date of one month before the balance sheetdate is preferable. However, the ultimate choice of interim dates is a matter of auditor judgment based on thecircumstances.


84

Audit Risk Considerations. When interim audit procedures are performed, there is a risk that the conclusionsreached at the interim date are not extended properly to the balance�sheet date. This remaining period risk tendsto rise with increases in the following factors:

� Assessed risk of material misstatement from either error or fraud.

� Length of the remaining period (that is, the period from the interim date to the balance�sheet date).

Generally, the greater the remaining period risk, the greater the assurance needed from tests of the remainingperiod. For example, if the remaining period risk is low, the auditor can generally test the remaining period throughlimited analytical procedures. However, if the remaining period risk is high, the auditor would generally need toapply more reliable procedures, such as tests of details. In some high�risk cases, the auditor might even need toreapply some of the interim procedures to period�end balances. When deciding whether to perform substantiveprocedures at an interim period, the auditor should consider whether the tests that would be performed for theremaining period will adequately reduce the risk that misstatements that exist at period end are not detected.

Consequently, it may be more efficient to apply interim audit procedures to lower�risk areas or assertions. Forexample, if the client had a high risk relating to the allowance for doubtful accounts but moderate or low risk forexistence, the auditor might decide to test existence at an interim date and valuation at the balance sheet date.

The auditor should also consider other factors that contribute to audit risk when determining whether to performinterim procedures, such as the control environment or the specific nature of the risk that applies to the audit areasor assertions. For example, if there is a risk of overstated revenues due to earnings pressures, the auditor maydetermine that the relevant assertions of existence and cutoff can only be effectively tested at period�end since therisk may be greater at the end of the reporting period.

Account Considerations. The characteristics of the accounts should be considered in deciding whether it ispractical to audit an area or assertion at an interim date. For some account assertions, it may be more effectiveand/or efficient to perform the substantive testing at period�end. In many cases, especially when substantiveanalytical procedures will be applied for the remaining period, the accounts that are best suited to interim testinghave predictable balances and consistent activity levels. This makes it easier to develop more precise estimates ofending balances. Also, the accounts should be regularly analyzed and adjusted and subjected to appropriatecutoff procedures. It is inefficient to test an account before the client has attempted to accurately determine whatthe balance should be.

Financial Reporting System Considerations. The auditor should also consider the financial reporting system whenselecting audit areas for interim testing. The system for the area to be tested should be capable of generatingsufficient reliable data to allow the auditor to apply the planned procedures.

Testing the Remaining Period. The auditor should perform sufficient tests of the remaining period to extend theconclusion from the interim date to the balance sheet date. SAS No. 110 (AU 318.59) states that, although theauditor is not required to test controls to have a reasonable basis for extending audit conclusions from an interimdate to the period�end, the auditor should consider whether performing only substantive procedures to cover theremaining period is sufficient. If the auditor concludes that substantive procedures alone would not be sufficient tocover the remaining period, the auditor should perform tests of controls or should perform substantive proceduresas of the period�end. If, on the other hand, the auditor decides that substantive tests of the remaining period will besufficient, SAS No. 110 states that those tests should include

a. Comparison or reconciliation of information regarding the balance at the interim date with correspondinginformation at the balance sheet date (and investigation of unusual amounts).

b. Analytical procedures and/or tests of details.

The auditor should determine the specific procedures to be performed based on the assessed risk associated withthe remaining period. Tests of details should be used instead of (or in addition to) analytical procedures asconsidered necessary to obtain sufficient audit evidence.


85

Evaluating Audit Results. When interim audit procedures are performed, the auditor forms a conclusion at aninterim date and then extends that conclusion to the balance sheet date. If interim procedures reveal misstate�ments, SAS No. 110 indicates that the auditor should assess the risk of misstatement related to those classes oftransactions or account balances. Depending on that assessment, the auditor may be required to either (a) modifythe nature, timing, or extent of tests of the remaining period or (b) reperform or extend the interim procedures at thebalance sheet date. The assessment should be based on consideration of the following factors:

� The possible implications of the nature and cause of the misstatements detected at the interim date. Forexample, if interim procedures revealed that the cost of certain types of inventory items wasrecalculated�incorrectly, the auditor may need to perform additional procedures to determine whether theerrors are likely to exist at year�end.

� The possible relationship to other areas of the audit. The nature and amount of misstatements detectedin interim testing may lead the auditor to reconsider the original assessment of the risk of materialmisstatement.

� The correcting entries subsequently recorded by the client. If the misstatements that were detected at theinterim date were corrected before year�end, the auditor does not need to record an audit adjustment oraudit difference for those misstatements. However, the auditor should consider whether similaradjustments are required at year�end, and adjustments or audit differences should be recorded foruncorrected misstatements that remain in the account.

� The results of audit procedures relating to the remaining period, especially those that might provideevidence regarding possible misstatements. If planned procedures for the remaining period are sufficientlyeffective, no specific additional procedures may be necessary. However, additional procedures willnormally be necessary if there is a significant risk of material misstatement of the year�end balance.

The Use of Audit Evidence from Prior Periods

The ability to use audit evidence from the performance of substantive procedures in a prior audit is highlyrestricted. SAS No. 110 (AU 318.68) states that this evidence �is not sufficient to reduce detection risk to anacceptably low level in the current period" and observes that in most cases it �provides little or no evidence for thecurrent period." SAS No. 110 provides one example of an instance in which audit evidence obtained from theperformance of substantive procedures in a prior period may be relevant in the current period: prior audit evidencesubstantiating the purchase cost of a building or building addition. This example is the common audit approach toauditing property by substantiating the changes to the beginning balanceadditions and retirementsto reach aconclusion about the ending balance. Before using audit evidence obtained from the performance of substantiveprocedures in a prior audit, the auditor should perform audit procedures during the current period to establish thecontinuing relevance of the audit evidence. (SAS No. 106, AU 326.24)

Documentation

��SAS No. 110 (AU 318.77) requires the auditor to document the following items relating to substantive proce�dures:

� The nature, timing, and extent of substantive procedures.

� The linkage of those procedures with the assessed risks at the relevant assertion level.

� The results of the procedures.


Exhibit 2�13 summarizes key audit requirements related to substantive procedures.


86

Exhibit 2�13

Key Audit Requirements Related to Substantive Procedures


� Auditors should plan and perform substan�tive procedures that are responsive to therelated assessment of the risk of materialmisstatement.

� The �Risk Assessment Summary Form"allows the auditor to indicate the assessedrisk of material misstatement for each auditarea or assertion and the audit approachthat is responsive to the assessed risk.

� Regardless of the assessed risk ofmaterial misstatement, the auditor shouldperform substantive procedures for allrelevant assertions related to eachmaterial class of transactions, accountbalance, and disclosure.

� Audit procedures in PPC's audit programsare linked to assertions to provideassurance that all relevant assertionshave been tested.

� The following substantive proceduresshould be performed in every audit:�� Agreeing the financial statements,

including the accompanying notes,to the underlying accountingrecords.

�� Examining material journal entriesand other adjustments made duringthe course of preparing the financialstatements.

� These procedures are included in theAudit Program for General Auditing andCompletion Procedures.

� When an assessed risk of materialmisstatement at the relevant assertionlevel is a significant risk, the auditorshould perform substantive proceduresthat are specifically responsive to thatrisk.

� When the approach to significant risksconsists of only substantive procedures,tests of details or a combination of tests ofdetails and substantive analytical proce�dures should be used.

� The auditor indicates on the �RiskAssessment Summary Form" whether arisk is a fraud risk or other significant riskand tailors the audit approach to respondto that risk.

� When performing substantive proceduresat an interim date, the auditor shouldperform further substantive procedures tocover the remaining period. If substantiveprocedures alone would not be sufficientfor the remaining period, tests of controlsshould be performed or the substantiveprocedures should be performed at period�end.

� The auditor can document the plannedtiming of substantive procedures in the�Comments" section of the �Risk Assess�ment Summary Form," on the audit pro�gram, or in the detailed workpapers.


87


� If the auditor plans to use audit evidenceobtained in a prior audit, the continuingrelevance of the evidence should be estab�lished by performing audit procedures inthe current period.

� The auditor can document the audit proce�dures performed in the current periodrelating to the relevance of audit evidencefrom prior periods in the audit program forindividual audit areas.

� The auditor should document:�� The nature, timing, and extent of

substantive procedures.�� The linkage of substantive proce�

dures with the assessed risks at therelevant assertion level.

�� The results of substantiveprocedures.

� The nature, timing, extent, and results ofsubstantive procedures are documentedusing an audit program. In addition, the�Risk Assessment Summary Form"(CX�7.1) combined with the audit pro�grams provides documentation of thelinkage of substantive procedures withassessed risks at the assertion level.

* * *

SUMMARIZATION AND EVALUATION

One of the final steps near completion of the engagement is evaluation of the misstatements discovered infieldwork. SAS No. 107 (AU 312.50) requires that the individual and combined effects of all uncorrected misstate�ments (both known and likely) be considered to determine whether they are material to the financial statementstaken as a whole. To evaluate the combined effect of various uncorrected misstatements, it is necessary tosummarize them in one place in the workpapers.

SAS No. 107 (AU 312.07) states that a misstatement can result from errors or fraud and occurs in the followingcircumstances:

� An inaccuracy occurs in gathering or processing data for inclusion in the financial statements.

� A difference exists between the amount, classification, or presentation of a financial statement element,account, or item and the amount, classification, or presentation that would be reported under GAAP.

� A financial statement element, account, or item is omitted.

� Financial statement disclosures are not in accordance with GAAP.

� Financial statement disclosures required by GAAP are omitted.

� An incorrect accounting estimate arises, such as from an oversight or misinterpretation of facts.

� Management makes unreasonable or inappropriate judgments concerning an accounting estimate or theselection or application of accounting policies.

The difference between errors and fraud is intent. Errors are unintentional misstatements of amounts or disclosuresin the financial statements. SAS No. 107 (AU 312.09) defines fraud as �an intentional act, by one or more individualsamong management, those charged with governance, employees, or third parties, involving the use of deceptionto obtain an unjust or illegal advantage." Two types of financial statement misstatement may result from fraud:misstatements resulting from fraudulent financial reporting and misstatements resulting from misappropriation ofassets. If the auditor detects evidence of fraudeven in immaterial amountsthe auditor should consider itsimplications about the integrity of management or employees and the possible effect on other aspects of the audit.


88

Categories for Evaluation

The categories of misstatements and the format used to summarize them are matters of individual firm preference.The following classifications are used in this lesson:

a. Normal Closing Entries. These are routine entries, such as adjustments of accruals or depreciation, that aremade to help the client close out the books for the year. If normal closing entries are booked, they are not

misstatements and should not be included in the summary of audit differences. The authors also believethat normal closing entries ordinarily are not significant findings or issues that would be subject to thedocumentation requirements of SAS No. 103, Audit Documentation. Normally, the entries are prepared ineach audit area as the fieldwork for a financial statement component is completed. However, it is oftenuseful to group all those entries in one place. Grouping closing entries in one place is more convenient forsupervisory review and discussion with the client. The client must agree with booking these entries andaccept responsibility for them because the financial statements are the client's responsibility.

b. Audit Differences. These are any differences noted between the accounting records and the evidenceobtained during the audit, other than closing entries. An audit difference could be any of the following:

(1) Passed adjustment for a specifically identified misstatement.

(2) Projected misstatement from a substantive audit sampling application.

(3) Significant unexplained difference from an analytical procedure that is treated like a misstatement.

(4) Difference between the client's accounting estimate and the relevant end of the auditor's acceptablerange for that estimate.

Audit Differences

In discussing summarization and evaluation, the authors use the term audit differences to refer to misstatements ofamounts and classification. This term was adopted because, as a practical matter, the auditor can only summarizequantitative misstatements. Other misstatements, primarily those relating to presentation and disclosure asser�tions, are usually judged qualitatively on an individual basis.

Known and Likely Misstatements. In analyzing audit differences, a distinction is sometimes drawn betweenknown and likely misstatements. These terms are defined in SAS No. 107 (AU 312.08) as follows:

a. Known Misstatement. A specific misstatement that the auditor identifies by performing audit procedures.A known misstatement arises from the incorrect selection or misapplication of accounting principles ormisstatements of facts identified, such as mistakes in gathering or processing data and the overlookingor misinterpretation of facts.

b. Likely Misstatement. Misstatements that:

(1) Arise from differences between management's and the auditor's judgments concerning accountingestimates that the auditor considers unreasonable or inappropriate (for example, because an estimateincluded in the financial statements by management is outside of the range of reasonable outcomesthe auditor had determined).

(2) The auditor considers likely to exist based on an extrapolation from audit evidence obtained (forexample, the amount obtained by projecting known misstatements identified in an audit sample to theentire population from which the sample was drawn).

Known misstatements are observed directly by the auditor when performing audit procedures. For example, a salestransaction recorded in the wrong accounting period is a known misstatement. Likely misstatements are theauditor's best estimate or projection, as a result of applying audit procedures, of the misstatement for a balance orclass of transactions. Likely misstatements are not actually observed by the auditor, but are based on the results ofaudit tests, such as the projected misstatement from a sampling application.


89

Likely misstatements arise when an auditor assesses the reasonableness of certain accounting estimates or usesaudit sampling or certain analytical procedures, including extrapolating from the tested to the untested portion ofthe account balance when a dollar coverage approach is used. SAS No. 107 (AU 312.54) states that if a substantiveanalytical procedure indicates that a misstatement might exist, but not its approximate amount, the auditor should,if necessary, apply additional procedures to determine whether a misstatement exists in the account balance orclass of transactions.

Communication of Misstatements to Management. SAS No. 107 (AU 312.42) requires the auditor to communi�cate to management on a timely basis all known and likely misstatements identified during the audit, other thantrivial ones. SAS No. 107 (AU 312.44) requires the communication to distinguish between known and likelymisstatements. (This is one reason why the auditor's documentation of uncorrected misstatements should allow forseparate consideration of known and likely misstatements.) SAS No. 107 also requires the auditor to ask manage�ment to do the following with respect to misstatements the auditor has identified:

� Correct all known misstatements, other than trivial ones. (AU 312.45)

� Examine the account balance, transaction class, or disclosure in which the auditor identified a materiallikely misstatement from a sample in order to identify and correct misstatements in the account balance,transaction class, or disclosure. For example, if the auditor identified a misstatement while testing the costprices of raw materials inventory and extrapolated the misstatement as an amount material to the rawmaterials account balance, the auditor should ask management to examine the entire raw materialsaccount balance to identify and correct any additional misstatements. (AU 312.46)

� When the auditor has identified a likely misstatement involving a difference in an estimate, SAS No. 107(AU 312.47�.48) states that the auditor should ask management to review the assumptions and methodsused in developing its (management's) estimate. After management has reviewed and challenged theassumptions and methods, the auditor should reevaluate the amount of likely misstatement and, ifnecessary, perform further audit procedures.

If management decides not to correct some or all of the known or likely misstatements, the auditor should obtainan understanding of management's reasons for not correcting the misstatements and take that into account whenmaking qualitative considerations. The auditor should also consider the implications for the audit report. In addi�tion, uncorrected misstatements are significant audit findings under SAS No. 114, The Auditor's Communication

With Those Charged With Governance, and, as such, are required to be communicated.

Evaluating Audit Differences

SAS No. 107 (AU 312.62) states that the auditor must evaluate whether the financial statements taken as a wholeare free of material misstatement. SAS No. 107 (AU 312.50) requires that both the individual and aggregate effectsof all uncorrected misstatements (known and likely) be considered to evaluate whether the financial statements arefairly stated. In making that evaluation, the auditor should consider both quantitative and qualitative factors. Thesummarization and evaluation of audit differences can be complex. It should include consideration of the followingfactors:

� Nature. For example, goods shipped but not billed, accounts payable not recorded, and assets expensedinstead of capitalized.

� Cause. For example, arithmetic or mechanical mistake, inappropriate application of an accountingprinciple because of misunderstanding, intentional use of an accounting principle that is not generallyaccepted, and whether misstatements are isolated or related to a common cause.

� Amount. The dollar amount of the difference and whether the difference is an overstatement orunderstatement.

� Effect. The financial statement components affected by the difference (for example, income before taxesand working capital). (Also, consider the effect on compliance with loan covenants, such as maintainingcertain operating ratios, or similar issues.)


90

According to SAS No. 107 (AU 312.51), misstatements should be combined in a way that enables the auditor toconsider whether, in relation to individual amounts, subtotals, or totals in the financial statements, the misstate�ments materially misstate the financial statements taken as a whole. That simply means the auditor needs toconsider not only the materiality of individual misstatements, but also their combined effect on important financialstatement totals or subtotals (for example, current assets, current liabilities, or gross profit).

SAS No. 107 (AU 312.52) states that before considering the combined effect of uncorrected misstatements, theauditor should consider each misstatement separately to evaluate the following matters:

� Its effect in relation to the relevant individual classes of transactions, account balances, or disclosures,including whether materiality levels for particular items of lesser amounts than the materiality level for thefinancial statements taken as a whole, have been exceeded.

� Whether, in considering the effect of the individual misstatement on the financial statements taken as awhole, it is appropriate to offset misstatements. For example, it may be appropriate to offset misstatementsof items within the same account balance in the financial statements.

� The effect of misstatements related to prior periods. SAS No. 107 (AU 312.52) states that in prior�periods,misstatements may not have been corrected by the entity because they did not cause the financialstatements for those periods to be materially misstated. Those misstatements might also affect the currentperiod's financial statements. SAS No. 107 (AU 312.53) states that in aggregating uncorrectedmisstatements, the auditor should include the effect on the current period's financial statements of thoseprior�period misstatements. However, neither SAS No. 107 nor this lesson address the measurement of theeffect, if any, on the current period's financial statements of misstatements uncorrected in the prior�period.The reason, as footnote 21 of AU 312.52 notes, is that such measurement involves accountingconsiderations. Either of the two main approaches used in the past for considering the effect of prior periodmisstatements (that is, the rollover or iron curtain method) are still acceptable.

Offsetting of Misstatements. If the misstatement of an individual financial statement amount causes the financialstatements as a whole to be materially misstated, auditors should exercise caution before aggregating thatmisstatement with misstatements in other financial statement components. The effect of an individually materialmisstatement should not be offset against other misstatements that diminish its effect on important financialstatement totals or subtotals in order to justify that, as a whole, the financial statements are not materially misstated.For example, a material misstatement of revenue should not be netted against an offsetting misstatement ofexpenses, even though the effect on net income is not material.

Trivial Misstatements. Some auditors set an amount below which detected misstatements need not be accumu�lated on the summary of audit differences (often referred to as adjustments passed at the workpaper level). SAS No.107 (AU 312.42) states that �the auditor must accumulate all known and likely misstatements identified during theaudit, other than those that the auditor believes are trivial." (Emphasis added.) Footnote 17 to AU 312.42 states that�trivial" matters �are amounts designated by the auditor below which misstatements need not be accumulated.This amount is set so that any such misstatements either individually or when aggregated with other such misstate�ments, would not be material to the financial statements, after the possibility of further undetected misstatements isconsidered."

When determining whether the amount of a misstatement is below the amount that should be accumulated on thesummary of audit differences, the auditor should be careful not to net proposed adjustments at the workpaper level.For example, assume the auditor has determined that only misstatements greater than $500 need to be accumu�lated on the summary of audit differences. If the auditor has a known misstatement that overstates income by$10,000 and a likely misstatement that understates income by $10,500, both misstatements should be included onthe summary of audit differences.

Evaluating Estimates. The usual result of auditing an accounting estimate is an acceptable range in the auditor'smind for the estimate. SAS No. 107 (AU 312.56�.57) states that an accounting estimate may be evaluated bycomparing it with the closest reasonable estimate, which may be either a range estimate or a point estimate. If theclient's estimate is unreasonable based on the auditor's evaluation, then the difference between the client's


91

estimate and the closest reasonable estimate (ordinarily the closest end of the auditor's range) should be consid�ered a likely misstatement.

SAS No. 107 (AU 312.58) states that the auditor should also consider whether differences between estimates bestsupported by the audit evidence, and the estimates included in the financial statements that are individuallyreasonable, indicate (in the aggregate) a possible bias on the part of management. If management, for example,always chooses estimated amounts for the valuation of assets that are at the low end of the auditor's range ofacceptable amounts, the combined effect could result in a material misstatement of income. In that case, theauditor should consider whether other recorded estimates reflect a similar bias and perform additional proceduresto address those estimates taken as a whole. The auditor should also consider whether management's estimateswere clustered at one end of the auditor's range of acceptable amounts in the prior year and at the other end in thecurrent year. That could indicate the possibility that management is using accounting estimates to manageearnings. If the auditor believes that is the case, he or she should consider communicating the matter to thosecharged with governance.

Different Levels for Different Amounts, Subtotals, or Totals. For planning purposes, a judgment is made abouta single materiality amount for the financial statements taken as a whole. This is done because, in planning, theauditor does not know whether misstatements will affect the balance sheet only, the income statement only, or bothstatements. Thus, the use of several levels of materiality for the financial statements as a whole is impractical inplanning. Also, the auditor needs to use a specific amount in planning the extent of audit procedures. The auditormay determine more than one level of planning materiality for particular items in the financial statements if there areitems for which a lesser amount is more appropriate.) However, in evaluation, an auditor is considering the effect ofmisstatements on specific amounts, subtotals, or totals in financial statements. In this case, it is possible to use alarger amount in evaluating the effect on certain amounts, subtotals, or totals than on others. For example, anauditor might conclude that the combined effect of misstatements on pretax income was material at $10,000, butthat the combined effect of misstatements might reach $20,000 before being material to equity. The �Audit Differ�ence Evaluation Form" is designed to accumulate audit differences by various financial statement subtotals toaccommodate the auditor's consideration of the effect of misstatements noted. However, exclusive reliance on aquantitative amount or percentage relationship for determining materiality is not appropriate. Qualitative factorsalso should be considered. SAS No. 107 (AU 312.04) states that �materiality judgments are made in light ofsurrounding circumstances and necessarily involve both quantitative and qualitative considerations." If, as theaudit progresses or when evaluating audit findings, the auditor concludes that a lower materiality level than theamount determined during audit planning is appropriate, the auditor should reconsider the related levels oftolerable misstatement and the sufficiency of the further audit procedures that were performed.

Qualitative Considerations. Establishing a quantitative threshold for materiality is only the starting point for anoverall evaluation of materiality. Quantitative thresholds, such as dollar amounts or percentages of financialstatement components, are useful for making a preliminary determination that misstatements below that amountprobably are not material to the financial statements taken as a whole. However, an auditor's overall judgmentabout whether a misstatement is material may be influenced by qualitative considerations as well as quantitativeconsiderations. The consideration of qualitative factors may cause the auditor to conclude that a quantitativelysmall misstatement is material to the financial statements. SAS No. 107 (AU 312.59) states that �as a result of theinteraction of quantitative and qualitative considerations in materiality judgments, misstatements of relatively smallamounts that come to the auditor's attention could have a material effect on the financial statements." In addition,according to AU 312.60, �qualitative considerations also influence the auditor in reaching a conclusion aboutwhether misstatements are material." The following are examples of qualitative factors that might be considered:

a. Effect on Other Financial Statement Components. Some misstatements may not be significant bythemselves but could result in events or conditions that materially affect the financial statements. Forexample, an illegal payment of an otherwise immaterial amount could be material if it could lead to amaterial contingent liability or a material loss of revenue. (This is the example given in SAS No. 107, AU312.59.) In addition, some misstatements, although not individually significant, may be pervasive to thefinancial statements (that is, affecting numerous financial statement amounts, subtotals, or totals).

b. Effect on Trends, Especially Trends in Profitability. A misstatement might be immaterial to net income forthe current period but material to the overall trend of earnings, such as a misstatement that reverses a


92

downward trend of earnings or changes a loss into income. Also, a misstatement might mask a changein earnings or other trends, especially in the context of general economic and industry conditions.

c. Significance of the Financial Statement Element or Portion of the Entity's Business Affected by the

Misstatement. For example, a misstatement affecting recurring earnings might be considered materialwhereas a misstatement of the same amount involving a nonrecurring charge or credit, such as anextraordinary item, might not be considered material. Similarly, a misstatement affecting a portion of theclient's business that has been represented as significant to the entity's future operations or profitabilitymight be more material than a misstatement of the same amount affecting another portion of the business.

d. Effect on Compliance. A misstatement might affect the entity's compliance with loan covenants, othercontractual agreements, or regulatory provisions. For example, a small misstatement affecting workingcapital might be material if correcting it would reveal a default under a debt covenant.

e. The Existence of Statutory or Regulatory Requirements Affecting Materiality Thresholds. Deficiencies indisclosures of related�party transactions or those required by statute or regulatory authority might beconsidered material even though similar amounts for more routine items might be considered immaterial.

f. Effect on Management's Compensation. A misstatement might affect management's compensation (forexample, meeting an earnings target might trigger a bonus).

g. Sensitivity of the Circumstances. For example, implications of misstatements involving fraud, possibleillegal acts, violations of contractual provisions, or conflicts of interest could be significant.

h. The Effects of Misclassifications. The effects of misclassifications could be significant to the financialstatement users, for example, a misclassification between operating or recurring income and nonoperatingor nonrecurring income.

i. Significance of the Misstatement or Disclosures in Relation to Reasonable User Needs. For example, amisstatement that affects equity amounts could be material to creditors of a private company, or amisstatement could have a significant effect on the calculation of purchase price if the entity is beingacquired.

j. Character of the Misstatement. Audit differences are often determined with varying degrees of precisionand objectivity. Some differences, such as known misstatements, can be precisely quantified. Othersinvolve a degree of subjectivity through estimation, allocation, or uncertainty. The auditor should becautious about offsetting very precise differences (sometimes referred to as �hard" differences) with muchless precise differences (sometimes referred to as �soft" differences). For example, a large sales cutoff errormight be individually material even if it could be offset by an estimated overage in the allowance forinventory obsolescence. In that situation, the auditor may recommend that the client book an adjustmentfor the cutoff error and not book an adjustment for the other audit difference.

k. Motivation of Management. Misstatements may indicate a possible pattern of bias by management in thedevelopment of accounting estimates. Misstatements may also be caused by management's continuedunwillingness to correct weaknesses in the entity's internal control system or intentional decision not tofollow GAAP or an OCBOA.

l. Offsetting Misstatements. An individually significant misstatement may be offset by a different misstatementthat is also individually significant. Auditors should use caution when aggregating individually significantmisstatements with misstatements in other financial statement components.

m. Potential Effect on Future Periods. A misstatement that is currently immaterial may have a material effectin future periods because, for example, of a cumulative effect or a favorable (or unfavorable) turnaroundeffect.

n. Cost of Making the Correction. On one hand, it may not be cost�beneficial for management to develop asystem to calculate and correct small misstatements. On the other hand, if there is little cost to calculate


93

and record immaterial corrections, failure to do so may be an indication of management motivation tomanage earnings, as discussed in item k.

o. Risk That Possible Additional Undetected Misstatement Would Affect the Evaluation.

If the auditor believes a misstatement is, or may be, the result of fraud, the auditor should consider the implicationsof the misstatement in relation to other aspects of the audit, even if the effect of the misstatement is not material tothe financial statements.

Overall Evaluation. If the auditor believes the financial statements are materially misstated, the auditor shouldrequest that management make the necessary corrections. If management refuses, the auditor must determine theimplication for the auditor's report.

Even if the auditor believes that the effects of uncorrected misstatements do not cause the financial statements tobe materially misstated, the auditor should consider the risk of further misstatement before reaching a finalconclusion. According to SAS No. 107 (AU 312.65), even if the auditor concludes that the effects of uncorrectedmisstatements, individually or in the aggregate, do not cause the financial statements to be materially misstated,the auditor recognizes that there is a risk that the financial statements may be materially misstated due to furthermisstatement remaining undetected. If combined uncorrected misstatement is very close to the amount an auditorconsiders material to the financial statements taken as a whole, the risk of further misstatement may be consideredunacceptable. For example, if an auditor considers $20,000 material and uncorrected misstatement is $5,000, therisk of further misstatement of $15,000 may be considered acceptably low. If combined uncorrected misstatementis very close to $20,000, the risk may be considered unacceptably high. In that case, the auditor should performadditional procedures or determine that the entity appropriately adjusts the financial statements.

Documentation Requirements

In order to evaluate the combined effect of various uncorrected misstatements, it is necessary to summarize themin one place in the workpapers. SAS No. 107 (AU 312.69) states that the auditor should prepare documentation ofthe following:

� A summary of uncorrected misstatements, other than trivial ones, related to known and likelymisstatements.

� The auditor's conclusion as to whether uncorrected misstatements, individually or in the aggregate, do ordo not cause the financial statements to be materially misstated, and the basis for that conclusion.

� All known and likely misstatements identified by the auditor during the audit, other than trivial ones, thathave been corrected by management. The �Closing Entry and Audit Adjustment Form" provides fordocumentation of audit adjustments, whether they relate to known or likely misstatements, discussion withthe client, and whether the client has booked the adjustment.

SAS No. 107 (AU 312.70) states that the documentation of uncorrected misstatements should allow the auditor todo the following:

� Separately consider the effects of known and likely misstatements, including uncorrected misstatementsidentified in prior periods.

� Consider the aggregate effect of misstatements on the financial statements.

� Consider the qualitative factors that are relevant to the auditor's consideration of whether misstatementsare material.

A variety of workpaper formats could be used to summarize audit differences for consideration of their combinedeffect on the financial statements. The summary should allow for the materiality of misstatements to be evaluatedboth individually and in combination. The auditor should combine individually immaterial misstatements to evalu�ate the materiality of the effect on the financial statements taken as a whole.


94


Exhibit 2�14 summarizes key audit requirements related to summarization and evaluation of audit differences.

Exhibit 2�14

Key Audit Requirements Related to Summarization and Evaluation


� Before considering the combined effect ofuncorrected misstatements, the auditorshould consider each misstatementseparately to evaluate whether materialitylevels for particular items of lesseramounts than the materiality level for thefinancial statements taken as a wholehave been exceeded.

� The �Audit Difference Evaluation Form" isdesigned to list individual misstatementsso that each can be evaluated separatelyand to accumulate audit differences byvarious financial statement subtotals toaccommodate the auditor's considerationof the effects of misstatements noted.

� The auditor must accumulate andcommunicate to management on a timelybasis all known and likely misstatementsidentified during the audit, other thantrivial ones.

� The �Closing Entry and Audit AdjustmentForm" provides for documentation ofaudit adjustments, whether they relate toknown or likely misstatements, anddiscussion with the client. Also, the AuditProgram for General Auditing andCompletion Procedures (AP�2) includes astep on auditor communication ofmisstatements to management.

� The auditor should ask management tocorrect all known misstatements, otherthan trivial ones, the auditor has identified,and to examine the account balance,transaction class, or disclosure in whichthe auditor identified a material likelymisstatement from a sample in order toidentify and correct misstatements.

� The �Closing Entry and Audit AdjustmentForm" provides for documentation ofknown and likely audit adjustments andtheir disposition by the client. Also, theAudit Program for General Auditing andCompletion Procedures (AP�2) includes astep for requesting management follow�up related to misstatements.

� When the auditor has identified a likelymisstatement involving a difference in anestimate, the auditor should ask manage�ment to review the assumptions andmethods used in developing its (manage�ment's) estimate. After management hasreviewed and challenged the assumptionsand methods, the auditor should reevalu�ate the amount of likely misstatement and,if necessary, perform further auditprocedures.

� The Audit Program for General Auditingand Completion Procedures (AP�2)includes a step for requesting manage�ment follow�up related to misstatements.

� If management does not correct some or allof the known or likely misstatements thatwere identified, the auditor should obtainan understanding of the reasons andimplications for the audit report. The auditormust consider the effects, both individuallyand in the aggregate, of misstatements thatare not corrected.

� The Audit Program for General Auditingand Completion Procedures includes astep for considering misstatements thatwere not corrected by management.


95


� Misstatements should be aggregated in amanner that allows consideration of therelationship to individual amounts, subto�tals, or totals in the financial statements indetermining whether they misstate thefinancial statements taken as a whole. Theauditor should consider the nature andamount of the misstatements in relationshipto the nature and amount of items in thefinancial statements.

� The effect of prior period misstatements onthe current financial statements should beconsidered when evaluating the effect ofuncorrected misstatements.

� When evaluating whether the financialstatements taken as a whole are free ofmaterial misstatement, the auditor shouldconsider both uncorrected misstatementsand qualitative considerations.

� If the aggregate uncorrected misstate�ments approach materiality, the auditorshould consider the effect of undetectedmisstatements.

� The �Audit Difference Evaluation Form" isdesigned to summarize and identify knownand likely uncorrected misstatements,including the effects on totals and subtotalsin the financial statements. The form pro�vides for consideration of the effects of priorperiod unadjusted differences using eitherthe rollover or iron curtain method. It alsoprovides space for the auditor's conclusionabout uncorrected misstatements. Qualita�tive considerations are provided on theform.

� The Audit Program for General Auditingand Completion Procedures includes stepsfor evaluating unadjusted known and likelymisstatements.

� The auditor should prepare documenta�tion of the following:�� A summary of uncorrected misstate�

ments, other then trivial ones, relatedto known and likely misstatements.The misstatements should bedocumented in a manner that allowsconsideration of known and likelymisstatements separately, misstate�ments identified in prior periods, theaggregate effect of misstatements,and relevant qualitative factors.

�� The auditor's conclusion as towhether uncorrected misstatements,individually or in the aggregate, door do not cause the financial state�ments to be materially misstated,and the basis for that conclusion.

�� All known and likely misstatementsidentified by the auditor during theaudit, other than trivial ones, thathave been corrected by manage�ment.

� The �Audit Difference Evaluation Form" isdesigned to summarize and identifyknown and likely uncorrected misstate�ments, including the effects of prior periodmisstatements. It also provides space forthe auditor's conclusion about uncor�rected misstatements. Qualitative consid�erations are provided on the form.

� The �Closing Entry and Audit AdjustmentForm" provides for documentation ofaudit adjustments, whether they relate toknown or likely misstatements, discussionwith the client, and the client's dispositionof them.

� The �Financial Statement Materiality Work�sheet for Planning Purposes" provides fordocumentation of the threshold belowwhich misstatements are considered trivial.

* * *


96


97

SELF�STUDY QUIZ


26. The basic types and causes of misstatements that might affect a particular account and result in materialmisstatement of the financial statements include all of the following except:

a. Error.

b. Inexperience.

c. Fraudulent financial reporting.

d. Theft.

27. Auditors tend to use tests of details more extensively than analytical procedures in which of the following areas?

a. Low risk audit areas.

b. High risk audit areas.

28. Which of the following substantive procedures is generally performed to arrive at a conclusion about an accountbalance as of an interim date?

a. Tests of sales of significant assets.

b. Confirmation of accounts receivable.

c. Tests of long�term debt transactions.

d. Analysis of sales by month.

29. SAS No. 99 indicates which of the following regarding the assessed risk of material misstatement for interimaudit procedures?

a. Responses to some identified fraud risks may cause the auditor to perform substantive procedures at thebalance�sheet date.

b. The higher the assessed risk of material misstatement, the more likely it is that the auditor will determinethat it is more effective to perform substantive procedures near the period end or at unannounced orunpredictable times.

30. Likely misstatements arise from which of the following?

a. The incorrect selection, or the incorrect misapplication, of misstatements of facts identified or ofaccounting principles.

b. Differences between the auditor's and management's judgments regarding accounting estimates that areconsidered by the auditor to be unreasonable or inappropriate.


98



26. The basic causes of misstatements that might affect a particular account and result in material misstatementof the financial statements include all of the following except: (Page 78)

a. Error. [This answer is incorrect. Any auditor can be guilty of errors that could result in material misstatementof the financial statements.]

b. Inexperience. [This answer is correct. Generally the client has the experience to properly prepare

the financial statements. Other than human error that anyone can be guilty of, intentional actsaccount for most misstatements.]

c. Fraudulent financial reporting. [This answer is incorrect. Fraudulent financial reporting is an intentionaleffort on the part of the auditee to alter financial reports and is one of the basic causes of misstatements.]

d. Theft. [This answer is incorrect. Unfortunately, some individuals engage in theft for their own personal gainand such action causes misstatements that may affect a particular account and result in misstatement ofthe financial statements.]

27. Auditors tend to use tests of details more extensively than analytical procedures in which of the following areas?(Page 80)

a. Low risk audit areas. [This answer is incorrect. Auditors tend to use analytical procedures in low risk auditareas or as secondary rather than primary auditing procedures since the analytical procedure is at leastas effective in reducing detection risk to the desired level as the test of details, and is easier to apply.]

b. High risk audit areas. [This answer is correct. Auditors tend to use tests of details more extensively

in high risk audit areas, such as areas containing fraud risks or other significant risks because thehigher the assessed risk of material misstatement, the more effective analytical procedures need

to be before they can be relied on instead of tests of details.]

28. Which of the following substantive procedures is generally performed to arrive at a conclusion about an accountbalance as of an interim date? (Page 82)

a. Tests of sales of significant assets. [This answer is incorrect. Flexible timing substantive procedures canbe applied at any time, including an interim date and generally consist of examining transactions orgathering information without attempting to reach a conclusion about an entire account balance as of aninterim date. Tests of sales of significant assets is an example of a flexible timing procedure. Theseprocedures normally consist of examining transactions or gathering information without attempting toreach a conclusion about an entire account balance as of an interim date.]

b. Confirmation of accounts receivable. [This answer is correct. Confirmation of accounts receivable

is an example of an interim audit procedure performed to arrive at a conclusion about an accountbalance as of an interim date. Additional procedures are subsequently performed to extend the

interim conclusion to the balance sheet date.]

c. Tests of long�term debt transactions. [This answer is incorrect. Tests of transactions in balance sheetaccounts with a low turnover or activity rate such as long�term debt, investments, property, leaseobligations, and owners' equity are examples of flexible timing procedures, one of two types of substantiveprocedures that may be performed before the balance sheet date. These procedures normally consist ofexamining transactions or gathering information without attempting to reach a conclusion about an entireaccount balance as of an interim date.]

d. Analysis of sales by month. [This answer is incorrect. Analysis of sales by month and analysis of gross profitby month are analytical procedures for revenues and expenses, and another example of flexible timing


99

procedures, one of two types of substantive procedures that may be performed prior to the balance sheetdate.]

29. SAS No. 99 indicates which of the following regarding the assessed risk of material misstatement for interimaudit procedures? (Page 84)

a. Responses to some identified fraud risks may cause the auditor to perform substantive procedures

at the balance�sheet date. [This answer is correct. SAS No. 99 indicates that responses to someidentified fraud risks may cause the auditor to perform substantive procedures at the balance�sheet

date while responses to other identified fraud risks may cause the auditor to apply substantiveprocedures to transactions occurring earlier in or throughout the reporting period.]

b. The higher the assessed risk of material misstatement, the more likely it is that the auditor will determinethat it is more effective to perform substantive procedures near the period end or at unannounced orunpredictable times. [This answer is incorrect. SAS No. 110, not SAS No. 99 indicates the higher theassessed risk of material misstatement, the more likely it is that the auditor will determine that it is moreeffective to perform substantive procedures near the period end or at unannounced or unpredictabletimes.]

30. Likely misstatements arise from which of the following? (Page 88)

a. The incorrect selection, or the incorrect misapplication, of misstatements of facts identified or ofaccounting principles. [This answer is incorrect. According to SAS No. 107 (AU312.08), known

misstatements arise from the incorrect selection or misapplication of accounting principles ormisstatements of facts identified, such as mistakes in gathering or processing data and the overlookingor misinterpretation of facts.]

b. Differences between the auditor's and management's judgments regarding accounting estimates

that are considered by the auditor to be unreasonable or inappropriate. [This answer is correct. Asdefined in SAS No. 107 (AU 312.08), likely misstatements arise from differences between the

auditor's and management's judgments concerning accounting estimates that the auditor

considers unreasonable or inappropriate, such as when an estimate included in the financialstatements by management is outside of the range of reasonable outcomes the auditor has

determined. Likely misstatements are also misstatements that the auditor considers likely to exist

based on an extrapolation from audit evidence obtained, such as the amount obtained by projectingknow misstatements identified in an audit sample to the entire population from which the sample

was drawn.]


100


Lesson 2 (GRATG091)

Determine the best answer for each question below. Then mark your answer choice on the Examination for CPECredit Answer Sheet located in the back of this workbook or by logging onto the Online Grading System.

12. Which of the following procedures are required in every audit?

a. Tests of controls.

b. Evaluation of control design and implementation.



13. It is generally more effective and more efficient for the auditor to test controls than to perform extensivesubstantive procedures in certain cases. Which of the following is not cited in the text as being one of thosecases?

a. First in first out (FIFO) inventory method.

b. Financial service firms having minimal customer trading accounts.

c. Last in first out (LIFO) inventory method.

d. Specific identification inventory method.

14. Tests of controls are efficient when a number of circumstances exist for a given audit area. Which of the followingis not one of those circumstances?

a. The volume of transactions is relatively low.

b. Within the class, the transactions are recurring and relatively uniform.

c. The transactions are commonly processed in information systems with control activities that arewell�designed.

d. There is no complexity in the transactions.

15. Which of the actions below is an example of a process rather than a control?

a. Invoice coding by the accounts payable clerk and input to the payable system.

b. Supervisory review of the amounts input and account coding.

c. Use of programmed restrictions in the accounts payable limiting accounts eligible for coding.

d. Use of programmed edit routines that detect discrepancies between input amounts and underlyingpurchase orders.


101

16. Evidence about operating effectiveness may be derived from a wide array of sources including:

a. Prior audits.

b. Type 1 SAS No. 70 Reports.



17. Which of the following is true regarding inquiry and observation?

a. They are rarely used in the risk assessment phase of the audit.

b. They are not used to test controls that do not produce documentary evidence of performance.

c. Observation is many times supplemented by inquiry.

d. They do not make it possible for the auditor to gain evidence about the controls' operating effectiveness.

18. Which of the following is an example of a source document?

a. Bill of lading.

b. Shipping log.

c. Internal auditor's report.

d. Receiving log.

19. Examples of efficient tests of controls may include review of reconciliations and similar bookkeeping routines.They may include review of any of the following except:

a. Accounting for the numerical sequence of documents.

b. Confirming a count from a physical inventory.

c. Follow�up of unmatched items.

d. Reconciliation of related nonaccounting data.

20. SAS No. 110 indicates that, generally, the auditor should consider using audit sampling for tests of controls inwhich of the following circumstances?

a. Tests of automated application controls when effective IT general controls are present.

b. Analyses of the effectiveness of security and access controls.

c. The control is applied on a transaction basis.

d. Examining actions of directors for assessing their effectiveness.


102

21. Regarding efficiency opportunities in testing controls, the first thing to consider when deciding how muchattention to give to controls is:

a. Whether the understanding of controls obtained indicates that controls appear to be suitably designed andimplemented.

b. The materiality and inherent risk for the audit area.

c. Evidence provided by tests of controls performed in prior audits.

d. Whether substantive testing of the account balance or transaction class may provide evidence about thecontrol risk related to the account or transaction class.

22. Obtaining more audit evidence will be required for an assessment of which of the following?

a. Low control risk.

b. Moderate control risk.



23. Based on the results of the tests of controls concerning operating effectiveness, the auditor should do all of thefollowing except:

a. Determine whether test results provide an appropriate basis for reliance on controls.

b. Rely on controls maintained by a service organization with a Type 1 SAS 70 report.

c. Decide if additional tests of controls are necessary.

d. Consider using substantive procedures to address the potential risks of misstatement.

24. Review of cash account reconciliations is an example of controls being tested with which type of evidence?

a. Inquiry and observation.

b. Inspection of client documents.

c. Reperformance.

d. Walkthroughs.

25. Reductions of the extent of substantive procedures might include which of the following when the control riskassessment and, thus, the combined risk of material misstatement is reduced by performing tests of controls?

a. Applying an analytical procedure as a substantive procedure instead of a test of details.

b. Using a more effective analytical procedure, such as one based on data developed from external sources.

c. Examining more items in a test of details, such as using a larger sample size if sampling is used.

d. Sending more accounts receivable confirmations or observing a physical inventory at more locations.


103

26. Of the following factors, which one generally would not be relevant when selecting specific substantiveprocedures needed to respond to the risk assessment?

a. Financial statement assertions being tested.

b. Amount of audit evidence.

c. Nature of risks identified.

d. Degree of the risk involved.

27. Tests of valuation normally involve which of the following procedures?

a. Examining the items comprising the account balance.

b. Performing predictive tests of account balances.

c. Identifying items that should be included in the account and determining whether they are included.

d. Assessing the reasonableness of computed or estimated amounts.

28. When the auditor assesses the risk of material misstatement for an audit area or assertion, he or she canincrease the degree of assurance from substantive procedures through any of the following means except:

a. Repeat the same procedures.

b. Change the nature of the procedures.

c. Increase the extent of testing.

d. Change the timing of the procedures.

29. Which of the following observations regarding analytical procedures is correct?

a. They are usually less effective than tests of details for assertions about the completeness of assets,liabilities, revenues, and expenses.

b. They are less effective than tests of details for assertions about the occurrence of revenues.

c. They are normally less effective than tests of details for assertions about the occurrence of certainexpenses.

d. They are generally not effective in testing assertions about rights or obligations or assertions related topresentation and disclosure.

30. Which of the following statements is accurate regarding the use of audit evidence from the performance ofsubstantive procedures in a prior period?

a. Prior period audit evidence is adequate to reduce detection risk to an acceptably low level in the currentperiod.

b. Use of prior period audit evidence is highly recommended in most cases.

c. Evidence obtained in a prior period audit may be relevant in substantiating the purchase cost of a buildingor building addition.

d. Evidence from a prior period provides significant evidence for the current period.


104


105

GLOSSARY

Audit evidence: The term evidential matter has been replaced by audit evidence. Auditing theorists drew a distinc�tion between the things the auditor obtained, such as supporting source documents and confirmation responses,which were evidential matter, and their significance to the auditor's judgment. Evidential matter became evidenceafter being evaluated by the auditor. This theoretical distinction has been discarded. SAS No. 106, paragraph 2,states:

Audit evidence is all the information used by the auditor in arriving at the conclusions on which the auditopinion is based and includes the information contained in the accounting records underlying thefinancial statements and other information.

Audit plan: The audit plan is more detailed than the audit strategy and includes the nature, timing, and extent of auditprocedures to be performed by audit team members to obtain sufficient appropriate evidence. The audit plan is com�monly referred to as the audit program.

Audit strategy: The audit strategy (previously called the audit plan) is the auditor's operational approach to achiev�ing the objectives of the audit. It is a high�level determination of the audit approach by audit area. It includes the identi�fication of audit areas with a higher risk of material misstatement, the overall responses to those higher risks, and thegeneral approach to each audit area as being substantive procedures or a combined approach of substantive proce�dures and tests of controls. The risk assessment standards require that the auditor establish the overall strategy forthe audit.

Further audit procedures: Further audit procedures are procedures an auditor performs in response to theassessed risks to reduce the overall audit risk to an appropriately low level. They consist of substantive procedures,tests of controls, and other procedures, sometimes referred to as general procedures.

Reasonable assurance: The scope paragraph of the auditor's report includes a statement that generally acceptedauditing standards (GAAS) require audits to be planned and performed to obtain reasonable assurance aboutwhether the financial statements are free of material misstatement. That statement introduces the concept of materi�ality to the audit report and the auditor's responsibility for detecting errors or fraud. SAS No. 104 amends paragraph10 of SAS No. 1 to expand the definition of reasonable assurance. SAS No. 104 clarifies that reasonable assurance isa high, but not absolute, level of audit assurance.

Relevant assertions: The assertions that are relevant for a particular class of transactions, account balance, or dis�closure, are those that have a meaningful bearing on whether the item is fairly stated. A routine example is that thevaluation assertion is usually not relevant to the cash account unless currency translation is involved. Another exam�ple is that the valuation assertion is usually not relevant to the gross amount of the accounts receivable balance, but isusually relevant to the related allowance for doubtful accounts. Auditors have generally focused on those assertionsthat have some realistic chance of being misstated for a particular item. The risk assessment standards give promi�nent recognition to the idea of relevant assertions. References to �decisions made at the relevant assertion level"mean decisions made about the relevant assertions within a class of transactions, account balance, or disclosure.Under the risk assessment standards, the auditor assesses risks of material misstatement at the relevant assertionlevel and designs audit procedures to mitigate that assessed risk.

Risk assessment procedures: According to SAS No. 106, paragraph 20, risk assessment procedures are a definedcategory of audit procedures performed near the beginning of an audit to obtain an understanding of the entity and itsenvironment, including its internal control, for the purpose of assessing the risks of material misstatement at the finan�cial statement and relevant assertion levels. The auditor should use the risk assessment to determine the nature,timing, and extent of further audit procedures. Risk assessment procedures consist of inquiry, observation, inspec�tion, and analytical procedures.


106

Risk of material misstatement: The risk of material misstatement is the likelihood of a misstatement of the financialstatements of a material amount. The auditor should assess this risk at both the financial statement level and at therelevant assertion level. At the financial statement level, it is an overall assessment. At the relevant assertion level, it isthe combination of the auditor's assessment of inherent risk and control risk. The auditor can make a combinedassessment of inherent and control risk or assess the component risks separately and then combine them.

Significant risks; A risk is a significant risk if an analysis of inherent risk indicates that the likely magnitude of thepotential misstatement and the likelihood of the misstatement occurring are such that they require special audit con�sideration. The determination of whether a risk requires special audit consideration is based on an assessment ofinherent risk and does not include consideration of controls. Significant risks generally relate to nonroutine transac�tions (i.e., transactions that are unusual due to their size or nature) and complex or judgmental matters. Transactionsthat are routine, noncomplex, and subject to systematic processing, have lower inherent risks and are less likely toinvolve significant risks. Identified fraud risks are significant risks.

Sufficient, appropriate evidence: The term sufficient, competent evidence has been replaced by sufficient,appropriate evidence. Appropriate has essentially the same meaning as competent, and the change was made onlyto achieve compatibility with International Standards of Auditing (ISA) issued by the International Auditing and Assur�ance Standards Board. ISAs use the term sufficient, appropriate evidence. Similarly, ISAs use the term substantiveprocedures rather than substantive tests, and this convention has been adopted in the risk assessment standards.

Those charged with governance: Another change made to achieve compatibility with the terms used in ISAs is thechange from audit committee to those charged with governance. The reference to those charged with governance ismore general and encompasses those situations in which an entity does not have an audit committee, but has agroup responsible for oversight of financial reporting.

Walkthrough: A technique used to identify the steps in a process in order to identify risks and associated controls.


107

INDEX

A

AUDITING STANDARDS� Clarity Project 12. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � Key provisions of the risk assessment standards 5. . . . . . . . . . . . � Other AICPA guidance

�� Audit guide 12. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . �� Audit risk alert 12. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . �� Technical practice aids 12. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

� Other standards 11. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � Related auditing standards 9. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � SAS No. 102 9. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

�� Presumptively mandatory requirements 11. . . . . . . . . . . . . . . �� Unconditional requirements 9. . . . . . . . . . . . . . . . . . . . . . . . . .

� SAS No. 103 11. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � SAS No. 112 11. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � SAS No. 99 4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

AUDIT PLAN� Definition 8. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

AUDIT PROCESS� Client presentations 21. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � PPC audit process 19. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

AUDIT STRATEGY� Definition 8. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

D

DOCUMENTATION� Summarization and evaluation 93. . . . . . . . . . . . . . . . . . . . . . . . . . � Tests of controls 51. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F

FURTHER AUDIT PROCEDURES� Definition 8. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � Substantive procedures 85. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � Tests of controls (rotation of tests of controls) 44. . . . . . . . . . . . . � Use of audit evidence from prior periods 41, 85. . . . . . . . . . . . . .

I

INTERIM TESTING 81. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � Assessing control risk

�� Effect of the control risk assessment on substantive tests 68�� Evaluating the evidence about operating effectiveness 60. . �� Reducing control risk based on risk assessment procedures

67�� Sampling in tests of controls 61. . . . . . . . . . . . . . . . . . . . . . . . . �� Service organization controls 61. . . . . . . . . . . . . . . . . . . . . . . . �� Source of the evidence 65. . . . . . . . . . . . . . . . . . . . . . . . . . . . . �� The amount of audit evidence necessary to support a

control risk assessment 61. . . . . . . . . . . . . . . . . . . . . . . . . . . . . �� Type of evidence 62. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . �� Using the PPC approach 68. . . . . . . . . . . . . . . . . . . . . . . . . . . .

� Deviations and communicating internal control matters 61. . . . . � Evaluating tests of controls

�� Evaluating evidence 60. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � Selecting appropriate procedures

�� Deciding which controls to test 36. . . . . . . . . . . . . . . . . . . . . . . � Testing controls decisions

�� Expectation of operating effectiveness 32. . . . . . . . . . . . . . . . � Tests of controls

�� Basic approach 30. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . �� Deciding whether to perform tests of controls 31. . . . . . . . . . �� Deciding which controls to test 36. . . . . . . . . . . . . . . . . . . . . . . �� Documentation requirements 51. . . . . . . . . . . . . . . . . . . . . . . . �� Efficiency opportunities in testing controls 49. . . . . . . . . . . . . �� Extent of tests 46. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . �� Key audit requirements 52. . . . . . . . . . . . . . . . . . . . . . . . . . . . .

�� Nature and types of tests 40. . . . . . . . . . . . . . . . . . . . . . . . . . . . �� Practical considerations 30. . . . . . . . . . . . . . . . . . . . . . . . . . . . . �� Tests of IT related controls 48. . . . . . . . . . . . . . . . . . . . . . . . . . . �� Timing of tests of controls 43. . . . . . . . . . . . . . . . . . . . . . . . . . . �� Use of audit sampling in tests of controls 47. . . . . . . . . . . . . .

K

KEY AUDIT REQUIREMENTS� Internal control 52. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � Substantive procedures 85. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � Summarization and evaluation 94. . . . . . . . . . . . . . . . . . . . . . . . . .

R

RISK ASSESSMENT PROCEDURES� Definition 8. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

RISK ASSESSMENT PROCESS� Applying the PPC audit process using this Guide 20. . . . . . . . . . � Evaluating the firm's process

�� Consider best practices 20. . . . . . . . . . . . . . . . . . . . . . . . . . . . . �� Consider prior year results 21. . . . . . . . . . . . . . . . . . . . . . . . . . �� Efficiency opportunities 21. . . . . . . . . . . . . . . . . . . . . . . . . . . . . �� Focus on changes 21. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . �� Reconsider control testing 21. . . . . . . . . . . . . . . . . . . . . . . . . . .

RISK ASSESSMENT STANDARDS� Integration of SAS No. 99 4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � Introduction 3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � Key provisions of the standards 5. . . . . . . . . . . . . . . . . . . . . . . . . . � Overall objective 5. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � Planning is the key 4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � Presumptively mandatory requirements 11. . . . . . . . . . . . . . . . . . � Unconditional requirements 9. . . . . . . . . . . . . . . . . . . . . . . . . . . . . � What is risk assessment? 3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

RISK OF MATERIAL MISSTATEMENT (RMM)� Definition 8. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

S

SAS No. 99 4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

SIGNIFICANT RISKS� Definition 8. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

STATEMENTS ON AUDITING STANDARDSSAS� SAS No. 1 9, 75. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � SAS No. 102 11. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � SAS No. 103 11. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � SAS No. 104 6, 9, 9. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � SAS No. 105 6, 9. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � SAS No. 106 6, 8, 9, 76, 77, 85. . . . . . . . . . . . . . . . . . . . . . . . . . . . � SAS No. 107 6, 87, 88, 89, 90, 91, 93. . . . . . . . . . . . . . . . . . . . . . . . � SAS No. 108 6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � SAS No. 109 6, , 29, 60, 77. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � SAS No. 110 6, 29, 30, 31, 33, 34, 43, 44, 46,. . . . . . . . . . . . . . . . .

47, 48, 49, 51, 60, 61, 62,. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68, 74, 75, 77, 79, 82, 84, 85. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

� SAS No. 111 6, 47. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � SAS No. 112 11. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � SAS No. 114 89. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � SAS No. 67 75. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � SAS No. 99 4, 11, 75. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

SUBSTANTIVE PROCEDURES� Choosing between analytical procedures and substantive tests

of details 80. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � Key audit requirements 85. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � Nature, timing, and extent of substantive procedures 77. . . . . . . � Procedures required in every audit 75. . . . . . . . . . . . . . . . . . . . . . � Selecting appropriate substantive procedures 77. . . . . . . . . . . . . � Sufficiency and appropriateness of audit evidence 76. . . . . . . . . � Timing of substantive procedures 81. . . . . . . . . . . . . . . . . . . . . . . .


108

SUMMARIZATION AND EVALUATION� Audit differences 88. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

�� Communication of misstatements to management 89. . . . . . �� Known and likely misstatements 88. . . . . . . . . . . . . . . . . . . . .

� Categories for evaluation 88. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � Categories of misstatements 88. . . . . . . . . . . . . . . . . . . . . . . . . . . .

�� Audit differences 88. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . �� Normal closing entries 88. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

� Changes from previous standards 94. . . . . . . . . . . . . . . . . . . . . . . � Documentation 93. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � Evaluating audit differences 89. . . . . . . . . . . . . . . . . . . . . . . . . . . . .

�� Different levels for different amounts, subtotals,or totals 91. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

�� Evaluating estimates 90. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . �� Offsetting of misstatements 90. . . . . . . . . . . . . . . . . . . . . . . . . .

�� Qualitative considerations 91. . . . . . . . . . . . . . . . . . . . . . . . . . . �� Trivial misstatements 90. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

� Key audit requirements 94. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

T

TERMINOLOGYNEW AND REVISED 8. . . . . . . . . . . . . . . . . . . . . � Audit plan 8. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � Audit strategy 8. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � Further audit procedures 8. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � Other terms 9. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � Relevant assertions 8. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . � Risk assessment procedures 8. . . . . . . . . . . . . . . . . . . . . . . . . . . . � Risk of material misstatement 8. . . . . . . . . . . . . . . . . . . . . . . . . . . . � Significant risks 8. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .


109

TESTING INSTRUCTIONS FOR EXAMINATION FOR CPE CREDIT

Companion to PPC'S Guide to Audit Risk AssessmentRisk Assessment Standardsand the PPC Audit Process (GRATG101)

1. Following these instructions is information regarding the location of the CPE CREDIT EXAMINATIONQUESTIONS and an EXAMINATION FOR CPE CREDIT ANSWER SHEET. You may use the answer sheet tocomplete the examination consisting of multiple choice questions.

ONLINE GRADING. Log onto our Online Grading Center at OnlineGrading.Thomson.com to receive instantCPE credit. Click the purchase link and a list of exams will appear. Search for an exam using wildcards. Paymentfor the exam is accepted over a secure site using your credit card. Once you purchase an exam, you may takethe exam three times. On the third unsuccessful attempt, the system will request another payment. Once yousuccessfully score 70% on an exam, you may print your completion certificate from the site. The site will retainyour exam completion history. If you lose your certificate, you may return to the site and reprint your certificate.

PRINT GRADING. If you prefer, you may mail or fax your completed answer sheet to the address or numberbelow. In the print product, the answer sheets are bound with the course materials. Answer sheets may beprinted from electronic products. The answer sheets are identified with the course acronym. Please ensure youuse the correct answer sheet. Indicate the best answer to the exam questions by completely filling in the circlefor the correct answer. The bubbled answer should correspond with the correct answer letter at the top of thecircle's column and with the question number.

Send your completed Examination for CPE Credit Answer Sheet, Course Evaluation, and payment to:

Thomson ReutersTax & AccountingR&GGRATG101 Self�study CPE36786 Treasury CenterChicago, IL 60694�6700

You may fax your completed Examination for CPE Credit Answer Sheet and Course Evaluation to the Tax& Accounting business of Thomson Reuters at (817) 252�4021, along with your credit card information.

Please allow a minimum of three weeks for grading.

Note:�The answer sheet has four bubbles for each question. However, not every examination question hasfour valid answer choices. If there are only two or three valid answer choices, �Do not select this answer choice"will appear next to the invalid answer choices on the examination.

2. If you change your answer, remove your previous mark completely. Any stray marks on the answer sheet maybe misinterpreted.

3. Copies of the answer sheet are acceptable. However, each answer sheet must be accompanied by a paymentof $79. Discounts apply for 3 or more courses submitted for grading at the same time by a single participant.If you complete three courses, the price for grading all three is $225 (a 5% discount on all three courses). If youcomplete four courses, the price for grading all four is $284 (a 10% discount on all four courses). Finally, if youcomplete five courses, the price for grading all five is $336 (a 15% discount on all five courses or more).

4. To receive CPE credit, completed answer sheets must be postmarked by June 30, 2011. CPE credit will be givenfor examination scores of 70% or higher. An express grading service is available for an additional $24.95 perexamination. Course results will be faxed to you by 5 p.m. CST of the business day following receipt of yourexamination for CPE Credit Answer Sheet.

5. Only the Examination for CPE Credit Answer Sheet should be submitted for grading. DO NOT SEND YOURSELF�STUDY COURSE MATERIALS. Be sure to keep a completed copy for your records.

6. Please direct any questions or comments to our Customer Service department at (800) 431�9025.


110


To enhance your learning experience, examination questions are located immediately following each lesson. Eachset of examination questions can be located on the page numbers listed below. The course is designed so theparticipant reads the course materials, answers a series of self�study questions, and evaluates progress bycomparing answers to both the correct and incorrect answers and the reasons for each. At the end of each lesson,the participant then answers the examination questions and records answers to the examination questions oneither the printed EXAMINATION FOR CPE CREDIT ANSWER SHEET or by logging onto the Online GradingSystem. The EXAMINATION FOR CPE CREDIT ANSWER SHEET and SELF�STUDY COURSE EVALUATIONFORM for each course are located at the end of all course materials.

Page

CPE Examination Questions (Lesson 1) 26. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

CPE Examination Questions (Lesson 2) 100. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Companion to PPC's Guide to Audit Risk AssessmentGRAT10

111

EXAMINATION FOR CPE CREDIT ANSWER SHEET

Companion to PPC'S Guide to Audit Risk AssessmentRisk Assessment Standards and the PPC AuditProcess (GRATG101)

Price $79

First Name:��

Last Name:��

Firm Name:��

Firm Address:��

City:�� State /ZIP:��

Firm Phone:��

Firm Fax No.:��

Firm Email:��

Express Grading Requested:��Add $24.95

Signature:��

Credit Card Number:�� Expiration Date:� �

Birth Month:�� Licensing State:� �

ANSWERS:

Please indicate your answer by filling in the appropriate circle as shown: Fill in like this not like this .

a b c d a b c d a b c d a b c d

1.

2.

3.

4.

5.

6.

7.

8.

9.

10.

11.

12.

13.

14.

15.

16.

17.

18.

19.

20.

21.

22.

23.

24.

25.

26.

27.

28.

29.

30.

You may complete the exam online by logging onto our online grading system at OnlineGrading.Thomson.com , or you may faxcompleted Examination for CPE Credit Answer Sheet and Course Evaluation to Thomson Reuters at (817) 252�4021, along with yourcredit card information.

Expiration Date:�June 30, 2011

Please Print LegiblyThank you for your feedback!

Companion to PPC's Guide to Audit Risk Assessment GRAT10

112

Self�study Course Evaluation

Course Title:��Companion to PPC's Guide to Audit Risk AssessmentRisk AssessmentStandards and the PPC Audit Process

Course Acronym:��GRATG101

Your Name (optional):�� Date:��

Email:��

Please indicate your answers by filling in the appropriate circle as shown:Fill in like this�� not like this��.

Low (1) . . . to . . . High (10)

Satisfaction Level: 1 2 3 4 5 6 7 8 9 10

1. Rate the appropriateness of the materials for your experience level:

2. How would you rate the examination related to the course material?

3. Does the examination consist of clear and unambiguous questionsand statements?

4. Were the stated learning objectives met?

5. Were the course materials accurate and useful?

6. Were the course materials relevant and did they contribute to theachievement of the learning objectives?

7. Was the time allotted to the learning activity appropriate?

8. If applicable, was the technological equipment appropriate?

9. If applicable, were handout or advance preparation materials andprerequisites satisfactory?

10. If applicable, how well did the audio/visuals contribute to theprogram?

Please provide any constructive criticism you may have about the course materials, such as particularly difficult parts, hard to understand areas, unclear

instructions, appropriateness of subjects, educational value, and ways to make it more fun. Please be as specific as you can. � � � � � � � �

(Please print legibly):

Additional Comments:

1. What did you find most helpful? 2. What did you find least helpful?

3. What other courses or subject areas would you like for us to offer?

4. Do you work in a Corporate (C), Professional Accounting (PA), Legal (L), or Government (G) setting? �

5. How many employees are in your company? �

6. May we contact you for survey purposes (Y/N)? If yes, please fill out contact info at the top of the page. Yes/No

For more information on our CPE & Training solutions, visit trainingcpe.thomson.com. Comments may be quoted or paraphrasedfor marketing purposes, including first initial, last name, and city/state, if provided. If you prefer we do not publish your name,write in �no" and initial here __________

Date post:	16-Oct-2021
Category:	Documents
Upload:	others
View:	5 times
Download:	0 times