United States丶PwC Material丶Montgomery 039;s Auditing，Twelfth Edition Chapter 4 Auditors 039; Professional Responsibility

United States丶PwC Material丶Montgomery 039;s Auditing，Twelfth Edition Chapter 4 Auditors 039; Professional Responsibility United States丶PwC Material丶Montgomery's Auditing，Twelfth Edition Chapter 4 Auditors' Professional Responsibility Browse Location: United States\PwC Material\Montgomery's Auditing, Twelfth Edition\Part 1: The Audit Environment Publish Date: 25 June, 2001 ? 窗体顶部 窗体底部 4 Auditors' Professional Responsibility 4.1 PROFESSIONAL RESPONSIBILITY VERSUS LEGAL LIABILITY??? 4.2 RESPONDING TO PUBLIC EXPECTATIONS??? 4.3 RESPONSIBILITY FOR DETECTING ERROR, FRAUD, AND ILLEGAL ACTS??? (a) AICPA Professional Requirements,??? (b) Error and Fraud and the Characteristics of Fraud,??? (c) Assessing the Risk of Fraud,??? (d) Responding to the Risk of Fraud,??? (e) Evaluation of Test Results,??? (9><>f) Documentation Requirements,??? (g) Illegal Acts by Clients,? (h) COSO Study on Fraud in Financial Reporting?? 4.4 REQUIRED AUDITOR COMMUNICATIONS??? (a) Responsibilities on Discovering an Error, Fraud, or Illegal Act,??? (b) Auditor ;Whistleblowing,;??? (c) Communicating Internal Control Deficiencies,??? (d) Other Communications with Audit Committees,?? ?? (i) Discussions About the Quality of Accounting Principles (NEW) ?? (ii) Discussions Concerning Independence (NEW) 4.5 ENGAGEMENT LETTERS??? ? 4.1 PROFESSIONAL RESPONSIBILITY VERSUS LEGAL LIABILITY The terms ;auditors' responsibility; and ;auditors' legal liability; often are confused by nonauditors. The distinction is subtle, yet it must be drawn in order for auditors and nonauditors to communicate with each other. This entire book, with the exception of Chapter 5, ;Auditors' Legal Liability,; is concerned with auditors' responsibilities. An appropriate way of viewing the relationship between responsibility and liability is to think of ;responsibilities; as synonymous with ;professional duties,; and ;legal liabilities; as relating to society's means of enforcing adherence to those professional duties-that is, compliance with professional standards-and providing compensation to victims of wrongful conduct. The concept of auditor responsibility usually arises in two related contexts: responsibility for what, and to whom? Answers to both questions are found primarily in the technical and ethical standards of the public accounting profession; occasionally they are specified in state and federal statutes and court decisions. All of these sources provide guidance to auditors on how to conduct audits with due professional care and thus meet their professional responsibilities, and on the duties that auditors owe to their clients and third parties. Chapter 3 described the various mechanisms the AICPA and state boards of accountancy have for maintaining the quality of audit practice. The legal process, discussed in Chapter 5, is another mechanism that helps ensure that auditors meet their responsibilities. Litigation and threats of litigation serve as enforcers of duties; they also help define auditors' responsibilities and, on rare occasions, create what some perceive to be new responsibilities. The Commission on Auditors' Responsibilities (Cohen Commission) noted that ;court decisions are particularly useful [in defining auditors' responsibilities] because they involve consideration of competing theories of responsibility. However, they must be considered carefully because a decision is usually closely related to the facts of a particular case. Consequently, the language used in a particular decision may not be the best expression of the technical issues involved.;1 The outcome of a specific legal case also may not be a reliable indicator of auditors' responsibilities because it is often impossible to discern the rationale of a jury verdict, and appellate decisions often are clouded by procedural rules, such as the requirement that factual determinations not be disturbed. 4.2 RESPONDING TO PUBLIC EXPECTATIONS To a great degree, auditors' responsibilities reflect the expectations of users of audited financial statements. Users expect an auditor to evaluate the accounting recognition, measurement, and disclosure decisions made by management and determine whether the financial statements are free of material misstatements, either unintentional or not. Auditors have long accepted the responsibility to design their audits to detect material unintentional misstatements in financial statements, which the auditing literature refers to as errors. After all, if that is not a purpose of an audit, what is? The auditor's responsibility for designing audits to detect deliberate misstatements in financial statements-what the auditing literature refers to as fraud-has been less clear over the years, mainly because of the difficulty, or even impossibility, of detecting skillfully contrived misstatements, particularly if any form of collusion is present. Users' expectations of financial statement audits have been a concern of the profession for many years and have been the subject of several reports. In 1978, the Cohen Commission concluded that a gap, which quickly began to be referred to as the ;expectation gap,; existed between the performance of auditors and the expectations of financial statement users, and that, with certain exceptions, the users' expectations were generally reasonable. The Commission recommended a number of ways to respond to user expectations by clarifying and tightening auditing standards and improving communication of the auditor's role and work to the public. Many of those recommendations were acted on by the accounting profession, but some were either rejected or ignored. By the mid-1980s, the expectation gap had been exacerbated by difficult economic times in certain industries and several notable bankruptcies traceable to questionable business practices or to management's lack of awareness of the risks it was incurring. Unfortunately, many investors mistakenly believe that a business failure equates with an audit failure. Also, highly publicized instances of fraudulent financial reporting and illegal corporate activities had raised questions about auditors' responsibility for detecting and reporting fraud and other illegalities, and also about the auditor's role in assessing an entity's controls that might prevent them. In addition, senior management, audit committees, and boards of directors of major corporations were expressing a desire for the independent auditor to provide them with more assistance in meeting their responsibilities for overseeing the corporate financial reporting process. In response, the National Commission on Fraudulent Financial Reporting (Treadway Commission) was established under the sponsorship of the AICPA, the American Accounting Association, the Financial Executives Institute, The Institute of Internal Auditors, and the National Association of Accountants (now, the Institute of Management Accountants). The Commission's objectives were to develop initiatives for the prevention and detection of fraud and, in particular, to determine what the role of the independent auditor should be in detecting management fraud. The Treadway Commission's recommendations were published in October 1987. The five sponsoring organizations set up a committee-the Committee of Sponsoring Organizations (COSO)-to support implementation of those recommendations. Partly in response to the Treadway recommendations, but also driven by other forces, the AICPA's Auditing Standards Board (ASB) issued a number of Statements on Auditing Standards (SASs) and Statements on Standards for Attestation Engagements (SSAEs) in the late 1980s. These pronouncements represented a major attempt to respond to the public's expectations of auditors and to the needs of senior management and corporate directors. The financial press continued to report instances of material financial statement misstatements involving fraud through the early 1990s, especially frauds involving inventory. A 1993 report of the Public Oversight Board (POB) of the AICPA Practice Section made several recommendations aimed at enhancing auditors' abilities to detect fraud and suggested that standard setters provide guidance beyond what then existed in the SASs. In 1997, the ASB issued SAS No. 82, Consideration of Fraud in a Financial Statement Audit (AU Section 316). While SAS No. 82 did not change the auditor's responsibility to detect fraud, it is likely to increase the attention given to the risk of fraud because of its more prominent use of the term ;fraud; (previously, the professional literature used the euphemism ;irregularity; instead of ;fraud;) and its specification of procedures to assess the risk of fraud. The authors of this book believe that the SASs and SSAEs that were issued to address the expectation gap, including SAS No. 82, respond in many significant respects to the needs of financial statement users, senior management and boards of directors, and the public. It is clear, however, that the issues surrounding the expectations of those groups do not simply concern auditor performance and responsibilities, but are far more complex. There are, for example, fundamental concerns about the accounting measurement and disclosure principles that enter into the preparation of financial statements, about business ethics and conduct, and about the responsibilities of corporate directors and management. The ASB can address only the auditor's performance and responsibilities. The authors believe it has done so in a way that will help to close the expectation gap and that is also responsive to many of the concerns of the Treadway Commission and the POB relating to auditors' responsibilities in performing an audit and communicating their findings. 4.3 RESPONSIBILITY FOR DETECTING ERROR, FRAUD, AND ILLEGAL ACTS The authoritative auditing literature for many years reflected the 6><#00aa00'>view that auditors were not responsible for detecting financial statement misstatements (particularly fraud) unless the application of generally accepted auditing standards (GAAS) would result in such detection. Many financial statement users, however, believe that one of the primary purposes of an audit is to detect intentional misstatements in all circumstances. The Securities and Exchange Commission (SEC) has long taken the position that an audit can be expected to detect certain kinds of fraud, stating in Accounting Series Release (ASR) No. 19, ;In the Matter of McKesson & Robbins, Inc.,; issued in 1940: Moreover, we believe that, even in balance sheet examinations for corporations whose securities are held by the public, accountants can be expected to detect gross overstatements of assets and profits whether resulting from collusive fraud or otherwise. . . . We feel that the discovery of gross overstatements in the accounts is a major purpose of such an audit even though it be conceded that it might not disclose every minor defalcation. (a) AICPA Professional Requirements Many commentators both inside and outside the accounting profession believe that until fairly recently, official pronouncements on auditors' responsibilities were broad, vague, and sometimes overly defensive and self-serving. However, the authoritative pronouncement on the auditor's responsibility to detect financial statement misstatements now explicitly states: The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. (AU Section 110.02) Accordingly, the auditor is responsible for detecting material error and fraud, not all error and fraud. Moreover, materiality, which is discussed in Chapter 6, is measured in terms of the financial statements taken as a whole. The auditor's responsibility for detecting error and fraud thus acknowledges the context in which an audit is conducted, that is, that the purpose of an audit is to enable the auditor to express an opinion on the financial statements taken as a whole. A CPA also may be engaged specifically to determine whether a known misstatement is the result of fraud, or to determine whether an immaterial fraud exists. Those engagements are referred to as fraud examinations and are not covered by the professional auditing literature. The responsibilities discussed in this chapter relate solely to responsibilities to detect error and fraud in a financial statement audit. SAS No. 47, Audit Risk and Materiality in Conducting an Audit (AU Section 312), which is discussed in Chapter 6, provides guidance to auditors in considering the risk that the financial statements are materially misstated because of either error or fraud. SAS No. 82 provides further guidance to auditors in discharging their professional responsibility related to fraud. Specifically, SAS No. 82: ? Describes the types of fraud pertinent to an audit and their characteristics ? ? Requires the auditor to specifically assess the risk of fraud that could result in a material misstatement of the financial statements, and provides categories of fraud risk factors that should be considered in the auditor's assessment ? ? Provides guidance on the effect that the auditor's fraud risk assessment should have on the auditing procedures to be performed ? ? Provides guidance on the evaluation of audit test results as they relate to the risk of fraud ?? ? Requires the auditor to document in the working papers, when planning the audit, the assessment of the risk of fraud and how that assessment affects the auditing procedures, as well as any fraud risk factors identified during the audit and the auditor's response ? ? Provides guidance regarding the auditor's communication about fraud to management, the audit committee, and others Generally accepted auditing standards require the auditor to plan and perform his or her work with due professional care. Due professional care, in turn, requires the auditor to exercise professional skepticism. (Due professional care and professional skepticism are discussed in Chapter 3.) The exercise of due care allows the auditor to obtain reasonable assurance that the financial statements are free of material misstatement. Absolute assurance is not attainable, in part because of the nature of audit evidence (which is discussed in Chapter 6) and in part because of the characteristics of fraud (discussed below). As a result, the due care standard makes it clear that the auditor is not an insurer or guarantor that the financial statements are free of material misstatement. Since the auditor's opinion on the financial statements is based on the concept of obtaining reasonable assurance, the auditor is not an insurer and his or her report does not constitute a guarantee. Therefore, the subsequent discovery that a material misstatement, whether from error or fraud, exists in the financial statements does not, in and of itself, evidence (a) failure to obtain reasonable assurance, (b) inadequate planning, performance, or judgment, (c) the absence of due professional care, or (d) a failure to comply with generally accepted auditing standards. (AU Section 230.13) A principal reason for this is that even a properly designed and executed audit may not detect material frauds, because of their multifaceted characteristics. For example, fraud may be concealed through forged or otherwise falsified documents. Auditors are not trained to authenticate signatures or documents, and as a result audits conducted in accordance with GAAS rarely involve authenticating signatures or documents. Fraud also may be concealed through collusion among management, employees, or third parties. Collusion may allow the creation of evidence that appears persuasive to the auditor, but that in fact is false, thereby making otherwise appropriate auditing procedures totally ineffective. As a result, auditing procedures that are effective for detecting an unintentional misstatement may be ineffective when the same misstatement is intentional, cleverly executed, or concealed through collusion. (b) Error and Fraud and the Characteristics of Fraud The terms ;errors; and ;fraud; are described in the professional literature. The term errors refers to unintentional misstatements or omissions of amounts or disclosures in financial statements. Errors may involve- ? Mistakes in gathering or processing data from which financial statements are prepared. ? ? Unreasonable accounting estimates arising from oversight or misinterpretation of facts. ? ? Mistakes in the application of accounting principles relating to amount, classification, manner of presentation, or disclosure. (AU Section 312.06) Fraud can cause two types of misstatements-misstatements arising from fraudulent financial reporting and misstatements arising from misappropriation of assets. The primary factor that distinguishes fraud from error is that the underlying action that results in the financial statement misstatement is intentional in the case of fraud and unintentional in the case of error. Misstatements arising from fraudulent financial reporting are intentional misstatements or omissions of amounts or disclosures in financial statements to deceive financial statement users. Fraudulent financial reporting may involve acts such as the following: ? Manipulation, falsification, or alteration of accounting records or supporting documents from which financial statements are prepared. ? ? Misrepresentation in, or intentional omission from, the financial statements of events, transactions, or other significant information. ? ? Intentional misapplication of accounting principles relating to amounts, classification, manner of presentation, or disclosure. (AU Section 316.04) Misstatements arising from misappropriation of assets (sometimes referred to as defalcation) involve the theft of an entity's assets where the effect of the theft causes the financial statements not to be presented in conformity with generally accepted accounting principles. Misappropriation can be accomplished in various ways, including embezzling receipts, stealing assets, or causing an entity to pay for goods or services not received. Misappropriation of assets may be accompanied by false or misleading records or documents and may involve one or more individuals among management, employees, or third parties. (AU Section 316.05) Fraudulent financial reporting often is done to further a management goal, such as higher reported earnings, rather than for direct personal enrichment, although inappropriate bonuses and other forms of compensation may result from the misstated earnings. Fraudulent financial reporting is likely to have a significant effect on financial statements. It often involves the deliberate misapplication of accounting principles, such as premature revenue recognition, failure to provide for uncollectible accounts receivable, overstatement of inventory, failure to record liabilities, inadequate financial statement disclosures, and shifting expenses to future periods by capitalizing costs that should have been expensed. Misappropriation of assets can take the form of the theft of cash, inventory, or other assets or the unauthorized use or sale of entity resources. This type of fraud is generally less significant to the financial statements than is fraudulent financial reporting. The concealment of defalcations can, of course, result in overstatements of assets (paid receivables reported as still due) or understatements of liabilities (cash misappropriated and reported as payments made). In many instances of defalcation, however, the financial statement misstatement is limited to the misclassification of expenses on the income statement; the balance sheet will not be misstated if the asset that has been misappropriated has been removed from the statement. (For example, inventory that was stolen may have been properly removed from the balance sheet but charged to cost of sales rather than to a loss account.) Fraud usually involves the perception of some pressure or incentive by one or more individuals who are in a position to perpetrate fraud and a belief that an opportunity exists to commit fraud. An incentive to misappropriate assets may arise because of financial stress or an adverse relationship between the individual and the entity. Management may have an incentive to engage in fraudulent financial reporting to maintain reported levels of performance in the face of a declining market, the loss of significant customers, or obsolete inventory in order to maintain the price of the entity's stock or to avoid violating restrictive debt covenants. Opportunities to commit fraud include the absence of controls to prevent fraud or to detect it on a timely basis, and the ability to override or circumvent controls that do exist. There is no important distinction between error and fraud in the auditor's responsibility to obtain reasonable assurance that the financial statements are free from material misstatement. There is a distinction, however, in how the auditor should respond to the two kinds of misstatements when they have been detected. Isolated, immaterial errors in processing data or applying GAAP are not significant to the audit. When fraud is detected, however, even if the dollar amount is immaterial to the financial statements, the auditor needs to consider the implications for the integrity of the entity's employees (and particularly the integrity of management) and the possible effect on other aspects of the audit. (c) Assessing the Risk of Fraud Risk factors or other conditions may alert the auditor to the possibility that fraud may exist. Those factors may be related to particular account balances or classes of transactions, or they may have effects that are pervasive to the financial statements taken as a whole. As an example of the former, management that places undue emphasis on increased earnings may be disinclined to provide adequate allowances for uncollectible accounts receivable or unsalable inventory. To illustrate the latter, pressure on divisional executives to meet unrealistic budgets, or a downturn in the economy, may lead to recording sales in advance of shipments, nonrecognition of expenses, unreasonably low estimates of annual depreciation, or other means of artificially inflating income. SAS No. 82 requires the auditor to assess the risk that the financial statements may be materially misstated due to fraud and to consider that assessment in designing the audit. (This assessment is necessary even if the auditor otherwise plans to assess control risk at maximum.2) The auditor should consider risk factors related to both fraudulent financial reporting and misappropriation of assets. Risk factors that relate to fraudulent financial reporting may be grouped into three categories: ? Risk factors relating to management's characteristics and influence over the control environment. These factors pertain to management's abilities, pressures, and style, and its attitude toward internal control and the financial reporting process. Examples include: ?? ? A motivation to engage in fraudulent financial reporting because bonuses, stock options, or other incentives are tied to unduly aggressive earnings targets ? ? Ineffective or inappropriate communication and support of values or ethics ? ? High management or director turnover ? ? Strained relationships with current or prior auditors ? ? A history of securities law violations ? ? Risk factors relating to industry conditions. These factors involve the economic and regulatory environment in which the entity operates. Examples include: ? ? A high level of competition, market saturation, or declining profits ? ? Rapid changes in technology or rapid product obsolescence ? ? New accounting, statutory, or regulatory requirements affecting financial stability or profitability ? ? Risk factors relating to the entity's operating characteristics and financial stability. These factors are related to the nature and complexity of the entity and its transactions, financial condition, and profitability. Examples include: ? ? Inability to generate cash flows from operations along with high reported earnings ? ? Pressure for additional capital ? ? Significant accounting estimates involving unusually subjective judgments or uncertainties or that may change in the near term and in a way that would be financially disruptive ? ? Significant related party transactions ? ? An overly complex organizational structure ? ? High vulnerability to interest rate changes ? ? Threat of imminent bankruptcy or hostile takeover Risk factors that relate to misappropriation of assets may be grouped into two categories: ? Risk factors relating to the susceptibility of assets to misappropriation. These are related to the nature of the entity's assets and the degree to which they are susceptible to theft. Examples include: ? ? Large amounts of cash on hand ? ? Small-size, high-value inventory ? ? Easily marketable assets, such as bearer bonds or diamonds ? ? Risk factors relating to controls. These are related to the lack of controls designed to prevent or detect misappropriations. Examples include: ? ? Inadequate supervision or management oversight ? ? Deficient record keeping ? ? Inappropriate segregation of duties ? ? Poor physical safeguards over assets susceptible to misappropriation ? ? Lack of mandatory vacations for key employees The auditor may identify these risk factors at several stages during the audit: when performing client acceptance and retention procedures, during engagement planning, while obtaining an understanding of the entity's internal control, or while conducting field work. Also, the auditor's cumulative assessment of the risk of fraud may be affected by the identification of various conditions during the course of the audit, such as: ? Discrepancies in the accounting records because of unrecorded or unsupported transactions or last-minute significant ;adjustments; ? ? Conflicting or missing documents ? ? Problems that arise in dealing with management, such as denial of access to records or employees, undue time pressures, and tips or complaints to the auditor about fraud (d) Responding to the Risk of Fraud The presence of one or more of these risk factors or conditions does not necessarily mean that material fraud is probable. However, when factors or conditions are pres-ent that increase the risk of material fraud, the auditor should respond to that higher risk. In some cases, the auditor's risk assessment might call for an overall response. For example, more experienced personnel could be assigned to the audit, the extent of procedures applied in particular areas (for example, the size of the sample in a particular test) could be increased, the type of procedure used could be changed to obtain evidence that is more persuasive than otherwise would have been appropriate (for example, confirming transactions with independent sources outside the entity instead of examining entity documentation), or the timing of certain tests could be changed to be closer to or at year-end. A higher risk also may call for changes in how the auditor exercises professional skepticism in conducting the audit, for example, when the auditor considers management's selection and application of accounting principles and when he or she determines whether control risk can be assessed below the maximum. (Professional skepticism is discussed in Chapter 3; the auditor's assessment of control risk is discussed in Chapter 12.) The auditor also should consider how the presence of fraud risk factors and conditions may affect the audit of specific accounts, transactions, and assertions. For example, if there is a risk of fraudulent financial reporting involving improper revenue recognition, the auditor might confirm with customers the terms of contracts and the absence of side agreements that could affect the appropriate accounting, rather than confirming only the balances in customers' accounts, which otherwise might be the appropriate auditing procedure. As another example, the nature of the entity's business and the absence of appropriate controls may lead the auditor to conclude that there is a risk of misappropriation of material amounts of cash. In that situation, the auditor might determine that it is appropriate to count cash and other assets that can easily be converted into cash, such as securities, at year-end. (e) Evaluation of Test Results Before the audit has been completed, the auditor should consider whether the accumulated results of all auditing procedures performed and conditions noted change the assessment of the risk of fraud that was made in planning the audit. If the risk assessment does change, the auditor should consider whether there is a need to perform additional or different procedures. Chapter 27 (Section 27.5, Summarizing Misstatements and Evaluating the Audit Findings) discusses how the auditor processes and evaluates misstatements found during the audit, regardless of whether they are intentional (fraud) or unintentional (error). If a misstatement is or may be3 the result of fraud, the auditor should: ? Consider the implications for other aspects of the audit-for example, the need to reconsider the effectiveness of the entity's internal control ? ? Discuss the matter and the approach to further investigation with a level of management that is above those involved, and with senior management ? ? Attempt to obtain further evidence to determine whether material fraud has occurred and, if it has, the effect on the financial statements ? ? Report to the audit committee fraud that involves senior management and fraud (even if not on the part of senior management) that causes the financial statements to be materially misstated ? ? Consider suggesting that management consult with legal counsel ? ? Consider withdrawing from the engagement (<>f) Documentation Requirements Chapter 7 discusses the purpose of audit working papers and provides guidance on what matters generally should be documented in working papers. SAS No. 82 specifies the required documentation of the auditor's assessment of the risk of fraud and the response to that assessment. The following matters should be documented in the working papers: ? Evidence of the performance of the risk assessment ? ? Specific risk factors identified as being present during the planning phase ? ? The response to those risk factors, individually or in combination ? ? Additional risk factors or other conditions identified during the course of the audit and any further responses to those risk factors and conditions (g) Illegal Acts by Clients Independent auditors have been responsible, to a certain extent, for the detection and disclosure of illegal or questionable acts by clients since 1977, when SAS No. 17, Illegal Acts by Clients, was issued. SAS No. 17 resulted, at least in part, from attention on the part of various government bodies, particularly the SEC, to illegal or questionable corporate acts, such as bribes, political payoffs, and kickbacks-usually made at least ostensibly for the benefit of the entity. In the 1980s, public attention once again focused on auditors' responsibilities with respect to clients that were alleged to have committed illegal acts; that attention led to the issuance in 1988 of SAS No. 54 (AU Section 317), which superseded SAS No. 17. Illegal acts by clients are violations of laws or government regulations, perpetrated by an entity or by management or employees acting on behalf of the entity; they do not include personal misconduct unrelated to the entity's business. Some laws and regulations have a direct and material effect on the determination of amounts in financial statement line items. For example, tax laws affect the provision for income taxes and the related tax liability; federal laws and regulations may affect the amount of revenue that should be recognized under a government contract. The auditor, however, considers such laws and regulations from the perspective of their known relation to audit objectives and the corresponding financial statement assertions, rather than from the perspective of legality per se. The auditor's responsibility to detect misstatements resulting from illegal acts that have a direct and material effect on financial statement amounts is the same as for errors and fraud. SAS No. 54 (AU Section 317.06) explains, however, that there is another class of illegal acts for which the auditor has far less detection responsibility. Entities may be affected by many other laws or regulations, including those related to securities trading, occupational safety and health, food and drug administration, environmental protection, equal employment, and price-fixing or other antitrust violations. Generally, these laws and regulations relate more to an entity's operating aspects than to its financial and accounting aspects, and their financial statement effect is indirect. An auditor ordinarily does not have sufficient basis for recognizing possible violations of such laws and regulations. Their indirect effect is normally the result of the need to disclose a contingent liability because of the allegation or determination of illegality. For example, securities may be purchased or sold based on inside information. While the direct effects of the purchase or sale may be recorded appropriately, their indirect effect, the possible contingent liability for violating securities laws, may not be appropriately disclosed. Even when violations of such laws and regulations can have consequences material to the financial statements, the auditor may not become aware of the existence of the illegal act unless he is informed by the client, or there is evidence of a governmental agency investigation or enforcement proceeding in the records, documents, or other information normally inspected in an audit of financial statements. The auditor should be aware of the possibility that these kinds of illegal acts may have occurred. Normally, an audit performed in accordance with generally accepted auditing standards does not include procedures specifically designed to detect these illegal acts. Only if specific information comes to the auditor's attention indicating that such acts might exist and might need to be disclosed in the financial statements, should the auditor apply procedures specifically directed to ascertaining whether such an illegal act has occurred. An audit conducted in accordance with generally accepted auditing standards provides no assurance that this type of illegal act will be detected or that any resultant contingent liabilities will be disclosed. Procedures that otherwise would be applied, however, for the purpose of forming an opinion on the financial statements, may bring possible illegal acts to the auditor's attention. Such procedures include reading minutes of directors' meetings; inquiring of the entity's management and legal counsel concerning litigation, claims, and assessments; and performing tests of the various account balances. The auditor also may make inquiries of management concerning the entity's: ? Compliance with laws and regulations ? ? Policies relating to the prevention of illegal acts ? ? Communications to, and the receipt of representations from, its own management at appropriate levels of authority concerning compliance with laws and regulations. Those representations often include statements, signed annually by all levels of management, that they have not violated entity policy-which usually is defined to cover all of the actions proscribed by the Foreign Corrupt Practices Act (discussed in Chapter 9), as well as conflicts of interest-and that they are not aware of any such violations. Finally, through the performance of procedures (including communication with attorneys) to determine the existence of loss contingencies, the auditor may uncover violations of laws. Distinguishing between illegal acts that have a direct and material effect on financial statements and illegal acts whose financial statement effect is indirect can be difficult. Although SAS No. 54 gives examples of both types of illegal acts, it does not provide explicit guidance on determining which category an illegal act falls into. Direct-effect illegal acts relate to violations of laws and regulations that affect a line-item financial statement amount. An example of such laws and regulations is the tax code provisions that determine how an entity's tax liability is measured and presented in its financial statements. In contrast, failure to comply with tax code provisions relating to the filing of information has only an indirect effect on financial statements, namely, the requirement to disclose the contingent liability for tax penalties. Another example of a direct-effect illegal act would be violations of state usury laws when related regulations provide for the remedy of refunding excess interest charged. Staff Accounting Bulletin (SAB) No. 99, which was issued in August 1999, discusses whether intentional immaterial misstatements to financial statements by management constitute illegal acts. The SEC has concluded that in certain circumstances such misstatements may be violations of the securities laws, which require registrants to maintain records and internal accounting controls adequate to allow the preparation of financial statements that are in conformity with generally accepted accounting principles. SAB No. 99 also discusses the auditor's responsibilities when an intentional misstatement is detected, which are not affected by the immateriality of the misstatement and are discussed in SAS No. 82 and Chapter 4 of the main volume. The SAB states that ;the clear implication of SAS 82 is that immaterial misstatements may be fraudulent financial reporting.; (h)??COSO Study on Fraud in Financial Reporting (NEW) In March 1999, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released a report entitled Fraudulent Financial Reporting: 1987-1997. The report analyzes approximately 200 cases of alleged fraudulent financial reporting investigated by the SEC since the issuance of the 1987 Report of the National Commission on Fraudulent Financial Reporting, which is discussed in the main volume, primarily in Chapter 3. In the study reported on in 1999, COSO examined certain key entity and management characteristics for the companies involved as a basis for developing recommendations to improve corporate financial reporting. The key findings of the study, along with their implications, are summarized below. Nature of companies involved-Companies committing financial statement fraud were relatively small, with a typical size well below $100 million in total assets in the year preceding the fraud. Some of the companies were experiencing net losses or were in near-breakeven positions in periods before the fraud, suggesting that pressures of financial strain or distress may have provided incentives for fraudulent activities. Some companies were experiencing downward trends in net income preceding the fraud, while other companies were experiencing upward trends. Thus, the fraudulent activities may have been designed to reverse downward spirals in some instances and to maintain upward trends in others. The relatively small size of these companies suggests that the inability or unwillingness to implement cost-effective internal control may affect the likelihood of financial statement fraud. Attention should be paid to companies' ability to continue as a going concern, particularly as auditors consider whether to accept new engagements. In addition, these findings highlight the importance of effective communications with predecessor auditors, in light of the observation that several instances of auditor changes were noted during the time of the frauds. Nature of the control environment-In 83 percent of the cases, the CEO, the CFO, or both, were named as being associated with the financial statement fraud. Other individuals named included controllers, chief operating officers, other senior vice presidents, and board members. Most audit committees met only about once a year; 25 percent of the companies did not have an audit committee. The majority of audit committee members (65 percent) did not appear to have expertise in accounting or finance. Only 35 percent were CPAs or CFAs or had current or prior experience in key accounting or finance positions. Approximately 60 percent of the directors were insiders or ;gray; directors (i.e., outsiders with special ties to the company or its management) with significant equity ownership and apparently little experience serving on other boards. Family relationships existed among directors and/or officers in nearly 40 percent of the companies. In more than 20 percent, officers held incompatible job functions (e.g., CEO and CFO). The concentration of fraud among smaller companies with generally weak audit committees highlights the importance of effective audit committees for companies of all sizes.3.1 The number of audit committee meetings per year and the financial expertise of the committee members may be particularly important. In addition, audit committee members need access to reliable information to assist them in monitoring the financial reporting process. 3.1 Audit committees have been the focus of much attention over the past two years, notably because of the recommendations of the Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees and the responses of the SEC and stock exchanges to those recommendations. See Chapter 3 of this Supplement. The existence of family relationships and of officers and directors who hold significant power or incompatible job functions poses risks of fraudulent activities. Nature of the frauds--The amounts involved in the frauds were relatively large in light of the sizes of the companies. Most of the frauds were not limited to a single fiscal period; the average fraud period was close to two years. More than half the frauds involved overstating revenues by recording amounts before they were realized or recording fictitious revenues. About half the frauds also involved overstating assets by understating allowances, directly overstating the value of assets, and recording fictitious assets. The frauds often began with the misstatement of interim financial statements, suggesting the importance of interim reviews of quarterly financial statements and the related interim controls over financial statement preparation. The fact that misstatements affected revenues and assets recorded close to or as of the period-end highlights the importance of controls related to cutoff and valuation. Based on the assessment of control risk, auditors should evaluate the need for substantive tests directed at those assertions to reduce audit risk to an acceptable level. Issues related to the external auditor-Audit firms of all sizes were associated with companies that committed financial statement frauds. Fifty-six percent of the companies were audited by a Big Eight/Six auditor. All types of audit reports were issued during the fraud period. A majority (55 percent) of the audit reports issued in the last year of the fraud contained standard unqualified opinions; the remainder departed from the standard unqualified opinion because of issues related to the auditor's substantial doubt about going concern, litigation and other uncertainties, changes in accounting principles, and changes in auditors between years comparatively reported. Only 3 percent of the audit reports were qualified because of a GAAP departure during the fraud period. External auditors were explicitly named in 56 of the 195 cases (29 percent) where individuals were explicitly named. They were named either for alleged involvement in the fraud (30 of 56 cases) or for negligent auditing (26 of 56 cases). Most of the auditors explicitly named (46 of 56) were non-Big Eight/Six auditors. A little over 25 percent of the companies changed auditors during the time frame beginning with the last period when they received an unqualified opinion and ending with the last fraud period, with a majority of the auditor changes occurring during the fraud period. Most involved changes from one non-Big Eight/Six auditor to another non-Big Eight/Six auditor. Auditors need to understand the risks particular to an entity's industry, any motivations management may have toward aggressive reporting, and the entity's internal control, especially the control environment. Auditors should be alert to the potential for increased audit risk where an entity has a weak board and audit committee. ? 4.4 REQUIRED AUDITOR COMMUNICATIONS Auditors have responsibilities to communicate certain information or events in connection with their audit work. Some of those responsibilities are specified by professional standards; others are specified by statute. For example, various Statements on Auditing Standards require the auditor to communicate certain matters to the audit committee, or to determine that management has appropriately reported them. Those matters include material errors, frauds, and illegal acts, and significant deficiencies in the design or operation of internal control that the auditor becomes aware of in the course of the audit, including deficiencies related to the preparation of interim financial information. The SEC Practice Section of the AICPA Division for CPA Firms requires the auditor to communicate to the audit committee fees received for management advisory services. In addition, auditors usually acquire information in the course of an audit that may be helpful to the audit committee in meeting its responsibility for overseeing the entity's financial reporting process, including the audit itself, or to management in operating the business. Lastly, the Private Securities Litigation Reform Act of 1995 requires the auditor to notify the SEC of material illegal acts in certain circumstances. (a) Responsibilities on Discovering an Error, Fraud, or Illegal Act An auditor who becomes aware of an error or a possible fraud or illegal act should determine the potential effect on the financial statements being audited. The auditor should be aware of the sensitivity of these matters and the need for substantial evidence before making any allegations of fraud or illegal acts. If the auditor concludes that the financial statements are materially misstated, because of either errors or possible frauds or illegal acts, or that loss contingencies or the potential effects of an illegal act on the entity's operations are inadequately disclosed, he or she should insist that the statements be revised. If they are not, the auditor should express a qualified or an adverse opinion on the financial statements. In addition, whenever the auditor has determined that there is evidence that a fraud may exist, he or she should bring the matter to the attention of management at a level high enough to be able to deal appropriately with it, including further investigation if considered necessary. This level should be at least one level above those involved. Fraud involving senior management and fraud that causes a material misstatement of the financial statements (whether involving senior management or others) should be reported to the audit committee. (The audit committee also may want to be informed about misappropriations perpetrated by lower-level employees.) The auditor also should determine that the audit committee has been informed about all illegal acts of which the auditor becomes aware, unless they are clearly inconsequential. If the auditor has identified fraud risk factors that represent deficiencies in the entity's internal control, those deficiencies also should be reported to senior management and the audit committee, as discussed later in the chapter. Disclosure of frauds or illegal acts to parties other than the entity's senior management and its audit committee, however, ordinarily is not part of the auditor's responsibility (unless the matter affects the opinion on the financial statements), and would be precluded by the auditor's ethical and legal obligation of confidentiality. There are several circumstances, however, in which a duty to notify parties outside the entity may exist: (a) disclosure to the SEC when an auditor change is reported,4 (b) disclosure to a successor auditor upon appropriate inquiry, (c) disclosure in response to a subpoena, (d) disclosure to a governmental agency in accordance with requirements for audits of entities that receive financial assistance from a governmental agency, and (e) disclosure to the SEC under the Private Securities Litigation Reform Act of 1995. Potential conflicts with the auditor's ethical and legal obligations for confidentiality may be complex. As a result, the auditor may wish to consult with legal counsel before discussing fraud or illegal acts with parties other than the client. The auditor may not be able to determine the extent of a possible fraud and its effects on the financial statements. If the auditor is precluded by management from applying necessary procedures or is otherwise unable to conclude whether fraud may materially affect the financial statements, an opinion qualified because of a scope limitation or a disclaimer of opinion should be issued. The auditor also could be precluded by management from evaluating whether a possible illegal act is, in fact, illegal and material to the financial statements. In those instances, the auditor generally should disclaim an opinion on the financial statements. If, however, the auditor's inability to determine whether an act is illegal does not result from client-imposed restrictions, a scope qualification may be appropriate. If the client refuses to accept the auditor's report as modified for the reasons described above, the auditor should withdraw from the engagement and indicate the reasons for withdrawal to the audit committee or board of directors. Withdrawal also might be appropriate in other circumstances, such as when the entity continues to retain a known perpetrator of fraud in a position with a significant role in the entity's internal control, or when it refuses to take remedial action the auditor considers appropriate when an illegal act has occurred. Withdrawal from an engagement would cause a change of auditors, which, for a publicly traded company, would trigger the SEC Form 8-K filing discussed in Chapter 3, thereby publicizing the reasons for the withdrawal. (b) Auditor ;Whistleblowing; In large part because of several well-publicized business failures, some of which required bailouts by the federal government, Congress and regulators became increasingly concerned about auditors' responsibilities with respect to their clients' compliance with laws and regulations and about how instances of noncompliance were reported. Those concerns led to inclusion in the Private Securities Litigation Reform Act of 1995 (the Act) of a requirement for auditors of public companies to notify the SEC of material illegal acts when an entity's management and board of directors have failed to take timely and appropriate remedial action and have failed to comply with a requirement to notify the SEC of such inaction. In addition, the Act requires the auditor to use procedures in accordance with GAAS (as may be modified or supplemented by the SEC) that would provide reasonable assurance of detecting illegal acts that have a direct and material effect on an entity's financial statements, thereby codifying into law the requirements of SAS No. 54. It also codifies into law current professional requirements that the auditor identify related party transactions that either are material to the financial statements or require disclosure (see Chapters 8 and 26), and that the auditor evaluate whether there is substantial doubt about the entity's ability to continue as a going concern over the ensuing fiscal year (see Chapter 26). The Act requires that if the auditor determines it is likely that an illegal act has occurred, he or she is required to: ? Determine and consider the possible effect of the illegal act on the entity's financial statements, including any contingent monetary effects, such as fines, penalties, and damages ? ? As soon as practicable, inform the appropriate level of the entity's management and ensure that the audit committee (or board of directors in the absence of an audit committee) is informed of the illegal act, unless it is clearly inconsequential The auditor also is required to report, as soon as practicable, his or her conclusions directly to the entity's board of directors in circumstances where: ? The illegal act has a material effect on the financial statements ? ? Senior management has not taken, and the board of directors has not caused senior management to take, timely and appropriate remedial action with respect to the illegal act ? ? The failure to take remedial action is reasonably expected to warrant departure from a standard auditor's report or the auditor's resignation On receipt of such a report by the board of directors, the entity is required to notify the SEC within one business day, with a copy of the notification sent to the auditor. If the auditor fails to receive such a notice within one day, he or she should either: ? Furnish the SEC with a copy of his or her report on the next business day following the failure to receive notice ? ? Resign from the engagement and furnish the SEC with a copy of his or her report (or the documentation of any oral report given) within one business day With respect to the report made to the SEC, the Act specifies that no auditor will be held liable in a private action for any finding, conclusion, or statement made pursuant to its direct reporting provisions. Willful violations, however, are subject to SEC civil action. (c) Communicating Internal Control Deficiencies While management has primary responsibility for reliable financial reporting, the board of directors, generally acting through its audit committee (if there is one), is responsible for overseeing the financial reporting process. That responsibility can be carried out most effectively if the board or audit committee is informed of deficiencies in internal control that the auditor becomes aware of. Management also is usually interested in the auditor's observations about internal control deficiencies and ways of remedying them, and in suggestions the auditor may have for improving the entity's operations and profitability. SAS No. 60, Communication of Internal Control Related Matters Noted in an Audit (AU Section 325.02), requires the auditor to communicate to the audit committee of the board of directors, or its equivalent, matters coming to his or her attention in the course of the audit that represent ;significant deficiencies; in the design or operation of any of the components of internal control that could adversely affect the entity's ability to ;record, process, summarize, and report financial data consistent with the assertions of management in the financial statements.; The SAS refers to these matters as ;reportable conditions,; and expresses a preference that they be communicated in writing rather than orally. The SAS explicitly permits the auditor to comment on other matters that do not meet the criteria of reportable conditions but that the auditor deems to be of value to the audit committee, and those comments may be segregated from observations about reportable conditions. Although the auditor is required to communicate reportable conditions only to the audit committee or its equivalent, the authors believe it is good practice to communicate such matters to management as well. If there is no audit committee or board of directors or the equivalent, the communication would be made only to management (which is likely to be an owner-manager) or to the party that engaged the auditor. The auditor may come across matters other than reportable conditions in the course of an audit that would be helpful to management in carrying out its duties. These are matters that either may be below the threshold of significance for reporting to the audit committee, or may be financial and business suggestions that would enhance operational efficiency and profitability. The auditor usually discusses such matters with management and also may communicate them in writing. It is good practice for the auditor to discuss all comments on internal control with management before drafting a written communication. If the auditor's understanding of controls was mistaken in some respect, discussing the comments will clarify the misunderstanding and save the auditor the embarrassment of discovering it later. In many instances, management's responses to the auditor's suggestions are included in the communication. The best time to discuss deficiencies in controls and related problems and to draft a written communication is at the conclusion of tests of controls. Ideally, that point occurs when both auditor and management have time to consider the auditor's findings. Preferably it should take place far enough before year-end to permit corrective action that could affect the auditor's remaining work. The auditor has no obligation to extend the work that he or she otherwise would do in an audit in order to search for reportable conditions; there is merely an obligation to report those coming to his or her attention as a result of procedures that were performed. Many practitioners believe that reports on internal control that are based solely on what the auditor learns in the course of an audit are likely to be misunderstood or misinterpreted by the public at large, who may read into them a greater degree of assurance than is warranted. Accordingly, the SAS specifies that ;the report should state that the communication is intended solely for the information and the use of the audit committee, management, and others within the organization; (AU Section 325.10). The report also may discuss the inherent limitations of internal control in general and the specific nature and extent of the auditor's consideration of controls. A reportable condition may be of such magnitude as to be considered a material weakness in internal control. A material weakness is ;a reportable condition in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that errors or . . . [fraud] in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions; (AU Section 325.15). Although not required to do so, an auditor may choose to separately identify those reportable conditions that meet this definition. Or, if it is appropriate to do so, the auditor may state that none of the reportable conditions communicated were believed to be material weaknesses. However, the auditor should not issue a written representation that no reportable conditions were noted during the audit, because of the potential for misinterpretation of the limited degree of assurance that such a report would provide. Figure 4.1 presents an example of a report to an audit committee on internal control related matters. The client may already be aware of the existence of reportable conditions related to the design or operation of controls, and may have decided to accept the accompanying degree of risk because of cost or other considerations. If the audit committee has acknowledged that it understands and has considered a deficiency and the related risks, the auditor need not continue to report the matter after it has been initially reported to the committee. Nevertheless, changes in management or in the audit committee, or merely the passage of time, may make repeated reporting of such matters appropriate and timely. Many auditors believe that all recommendations for improvements in internal control that are communicated to any level of management should be brought to the attention of the audit committee. One way to do this would be to include a statement in the report to the audit committee that the auditor has, in a separate communication to management, made suggestions for internal control improvements that do not involve reportable conditions. A copy of that communication could also be sent to the audit committee. As discussed previously, the auditor may report conditions noted during the audit that he or she believes will be helpful to management, but that do not reach the threshold level of a reportable condition. Similarly, management may request the auditor to be alert to certain matters that might not be considered reportable conditions and to submit a report on the findings. These agreed-upon arrangements, which may be particularly useful to the client, do not relieve the auditor of the basic responsibility to communicate reportable conditions. Figure 4.1 Report on Internal Control Related Matters April 12, 19XY Audit Committee of the Board of Directors ABC Manufacturing Co., Inc. 123 Industrial Road Anytown, U.S.A. 12345 Members of the Audit Committee: In planning and performing our audit of the financial statements of the ABC Manufacturing Co., Inc., for the year ended December 31, 19XX, we considered its internal control in order to determine our auditing procedures for the purpose of expressing our opinion on the financial statements and not to provide assurance on internal control. However, we noted certain matters involving internal control and its operation that we consider to be reportable conditions under standards established by the American Institute of Certified Public Accountants. Reportable conditions involve matters coming to our attention relating to significant deficiencies in the design or operation of controls that, in our judgment, could adversely affect the company's ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements. Access Controls to Data by Terminals Can Be Bypassed At the present time, there is a critical ;file protect; system that prohibits the access of production data by remote terminal users. Our review disclosed a method (special coding of a control card) by which this system can be bypassed and remote terminal users can access and/or alter financial data in computer files. Unauthorized access to data files can result in inaccurate financial data being reported by the systems or confidential data being available to unauthorized personnel. Management is currently studying various means of correcting this situation. The Director of Internal Audit Reports to the Controller The objectivity of the internal audit function is enhanced when the director of internal audit reports to an individual or group in the company with sufficient authority to promote independence, provide adequate consideration of findings and recommendations in audit reports, ensure that appropriate action is taken on audit recommendations, and resolve conflicts between internal auditors and various levels of management. At ABC Manufacturing Co., Inc., the director of internal audit for each subsidiary reports to the subsidiary controller; the corporate director of internal audit reports to the corporate controller. We believe that the directors' objectivity would be enhanced if they reported to the vice-president and treasurer of each subsidiary and the corporate vice-president and treasurer, respectively, with summaries of all internal audit reports presented to the audit committee of the board of directors. Inadequate Systems for Preparing Consolidated Statements The accounting department presently does not have sufficient staff to prepare consolidated reports of worldwide operations in time to meet the company's requirements for preparing quarterly and year-end financial information. Those requirements presently are met, in part, through the assistance of both the internal auditors and ourselves. Preparing consolidated financial statements is not an appropriate service for either the internal or external auditors to provide. Financial management agrees with our reviews and is currently undertaking to add sufficient competent personnel and appropriate computer software to the accounting department to enable it to prepare consolidated quarterly and year-end financial statements on a timely basis. This report is intended solely for the information and use of the audit committee, management, and others within the company. ??????????????????????????????????????????????????????????????????????????????????????????????????????????????????? Very truly yours, ??????????????????????????????????????????????????????????????????????????????????????????????????????????????????? Smith and Jones, CPAs ? (d) Other Communications with Audit Committees SAS No. 61, Communication With Audit Committees (AU Section 380), requires the auditor to determine that certain additional matters related to the conduct of an audit are communicated-either by the auditor or by management-to those who have responsibility for financial reporting; this means the audit committee. The required communications generally, are applicable to all SEC engagements (as defined in Chapter 3) and to other entities that have an audit committee or equivalent group with formally designated oversight of the financial reporting process. Among the items that should be communicated are: ? The level of responsibility the auditor assumes under GAAS for the financial statements and for considering the entity's internal control (This is usually communicated in the engagement letter, discussed later.) ? ? Significant accounting policies that the entity has selected for new or unusual transactions, and changes in those policies ? ? The process management used to formulate particularly sensitive accounting estimates, and the basis for the auditor's conclusion that they were reasonable (see Chapter 15) ? ? Significant adjustments to the financial statements that resulted from the audit and that have a significant effect on the entity's financial reporting process (discussed in Chapter 27) ? ? The auditor's responsibility for other information in documents, such as annual reports to shareholders, containing audited financial statements [see the discussion in Chapter 28, Section 28.3(d), Material Inconsistency Between Financial Statements and Other Information Reported by Management] ? ? Disagreements with management over the application of accounting principles, the scope of the audit, and the wording of the auditor's report (discussed in Chapter 3) ? ? The auditor's views on auditing and accounting matters that management consulted other auditors about (see the discussions in Chapters 3 and 29) ? ? Major issues regarding the application of accounting principles and auditing standards that the auditor and management discussed in connection with the auditor's initial or recurring retention ? ? Serious difficulties encountered in dealing with management related to the performance of the audit, such as unreasonable delays in permitting the start of the audit or in providing needed information, unreasonable timetables, or not making needed entity personnel available Some of these matters should be discussed with the audit committee before the auditor's report is drafted, because the discussion may help the auditor form the appropriate conclusion about the financial statements. Others could occur after the report has been issued. The communication of recurring matters need not be repeated every year. As noted on page 4?19 of the main volume, auditors are required by SAS No. 61, Communication With Audit Committees (AU Section 380), to report to the committee significant financial statement adjustments resulting from the audit. SAS No. 89, Audit Adjustments, issued in 1999, adds a requirement to notify the committee of uncorrected misstatements brought to management's attention that management determined to be immaterial, both individually and in the aggregate, to the financial statements. (i)?Discussions About the Quality of Accounting Principles (NEW).??SAS No. 90, Audit Committee Communications, was issued in December 1999, in response to a recommendation in the report of the Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees, which is discussed in Chapter 3 of this Supplement. SAS No. 90, which amends SAS No. 61, requires auditors on SEC engagements to discuss with the entity's audit committee the auditor's judgments about the quality, not just the acceptability, of the accounting principles and underlying estimates reflected in the financial statements. SAS No. 90 states that management generally would be an active participant in this discussion, since responsibility for the accounting principles used by the entity in its financial statements rests with management. SAS No. 90 establishes the expectation that the discussion will be open and candid and will encompass the consistency of accounting policies and their application, and the clarity and completeness of the entity's financial statements, including disclosures. Furthermore, SAS No. 90 states that items that affect the ;representational faithfulness, verifiability, and neutrality; of accounting information should be covered in the discussion. Examples of such items, as listed in the SAS, are decisions to begin using or to change accounting policies; items involving estimates, judgments, or uncertainties; unusual transactions; and the accounting for items with a significant financial statement impact, including the timing of transactions and of their recording in the financial statements. SAS No. 90 notes that objective criteria have not been developed for evaluating the quality of accounting principles used in financial statements. Consequently, the required discussion should be tailored to the circumstances of the entity and should encompass practices and applications that are not explicitly addressed in the professional literature, such as industry-specific practices. (ii)?Discussions Concerning Independence (NEW).??In January 1999, the Independence Standards Board (ISB) adopted Independence Standard No. 1, Independence Discussions with Audit Committees. The standard requires an auditor to (1) disclose annually, in writing, to an entity's audit committee (or board of directors if there is no audit committee) relationships between the auditor and the entity that in the auditor's professional judgment may reasonably be thought to bear on independence; (2) confirm in writing that he or she is independent of the entity within the meaning of the federal securities acts; and (3) discuss his or her independence with the audit committee. In May 1999, the Professional Issues Task Force of the AICPA SEC Practice Section issued, in Practice Alert 99-1, guidance to assist auditors in determining the types of matters that may affect independence and thus be required to be reported to the audit committee. The Practice Alert states that an auditor's conclusion that a relationship does not impair independence is not sufficient reason not to disclose the relationship. Instead, the auditor should consider whether knowledge of the relationship would be beneficial to the audit committee in understanding auditor independence as it relates to the specific entity. The Practice Alert notes that auditors should consider communicating nonaudit services that they have agreed to perform for the client. An exhibit presents examples of relationships that typically may be considered relevant to auditor independence, along with related safeguards that may reduce risks to the auditor's independence. 4.5 ENGAGEMENT LETTERS SAS No. 83, Establishing an Understanding With the Client (AU Section 310), requires the auditor to establish an understanding with the client and document the understanding in the working papers, preferably in the form of a written communication with the client. Most auditors followed this practice before SAS No. 83, which was issued in October 1997, made it mandatory, recognizing the value of a mutual understanding regarding the objectives of the engagement, the responsibilities of both management and the auditor, and the limitations of the engagement. The understanding usually is documented in an ;engagement letter; (sometimes referred to as a ;letter of arrangement;). Engagement letters typically include statements that document an understanding between the entity and the auditor that: ? The objective of the audit is an opinion on the financial statements ? ? Management is responsible for the financial statements ? ? Management is responsible for establishing and maintaining effective internal control over financial reporting ? ? Management is responsible for the entity's compliance with laws and regulations applicable to the entity's activities ? ? Management is responsible for making all financial records and related information available to the auditor ? ? Management will provide the auditor with a representation letter at the end of the audit (see Chapter 27) ? Management is responsible for adjusting the financial statements to correct material misstatements and for including in the representation letter that any uncorrected misstatements brought to its attention by the auditor are not material.6 ? ? The auditor is responsible for conducting an audit in accordance with GAAS ? ? GAAS require the auditor to obtain reasonable, rather than absolute, assurance about whether the financial statements are free of material misstatement; as a result, a material misstatement may remain undetected ? ? If the auditor is unable to complete the audit, he or she may decline to express an opinion or issue a report ? ? The auditor is required to understand the entity's internal control sufficiently to plan the audit, but the audit is not designed to provide assurance on internal control or to identify deficiencies in internal control ? ? The auditor is responsible for communicating deficiencies in internal control of which he or she becomes aware; additional communications are required by GAAS Sometimes engagement letters also include the following: ? Arrangements regarding the conduct of the audit, such as its timing, the entity's assistance in the preparation of schedules, and the availability of documents ? ? Arrangements concerning the involvement of specialists and internal auditors ? ? Arrangements to be made with a predecessor auditor ? ? Fees and billing arrangements ? ? Limitations or other arrangements regarding the liability of the auditor or the client ? ? Conditions under which access to the auditor's working papers may be granted to others A typical engagement letter is shown in Figure 4.2. Figure 4.2 Typical Engagement Letter [Date] [Chief Financial Officer] [Name of Entity] Dear _______________: This letter of arrangement between [entity] and [auditor] sets forth the nature and scope of the services we will provide, [entity's] required involvement and assistance in support of our services, the related fee arrangements, and other terms and conditions designed to ensure that our professional services are performed to achieve the mutually agreed upon objectives of [entity] Summary of Services We will audit the [consolidated] financial statements of [entity] as of and for the period ending _____, in accordance with generally accepted auditing standards. The objective of an audit is the expression of our opinion concerning whether the financial statements present fairly, in all material respects, the financial position, results of operations, and cash flows of the [entity] in conformity with generally accepted accounting principles [other comprehensive basis of accounting]. We expect to deliver our report on or about _______. If, for any reason, we are unable to complete the audit, we may decline to issue a report as a result of this engagement. In conjunction with your annual audit, we will perform a review of [entity's] unaudited [consolidated] quarterly financial statements and related data for each of the first three quarters in the year ending ______, before they are released. This review, which is substantially less in scope than an audit, will be conducted in accordance with standards established by the American Institute of Certified Public Accountants. We will report to you in writing each quarter on the results of our review. From time to time, we also will report any additional observations arising from our reviews that we believe are appropriate for your consideration. [Where applicable, add: We also will read the other information included in the annual report to shareholders and consider whether such information, including the manner of its presentation, is materially inconsistent with information appearing in the financial statements.] Any additional services that you may request, and that we agree to provide, will be the subject of separate written arrangements. [Details regarding terms and conditions of engagement and fee arrangements would be included here] LIMITATIONS OF THE AUDITING PROCESS Our audit will include procedures designed to obtain reasonable assurance of detecting misstatements due to errors or fraud that are material to the financial statements. As you are aware, however, there are inherent limitations in the auditing process. For example, audits are based on the concept of selective testing of the data being examined and are, therefore, subject to the limitation that misstatements due to errors or fraud, if they exist, may not be detected. Also, because of the characteristics of fraud, including attempts at concealment through collusion and forgery, a properly designed and executed audit may not detect a material misstatement due to fraud. Similarly, in performing our audit we will be aware of the possibility that illegal acts may have occurred. However, it should be recognized that our audit provides no assurance that illegal acts generally will be detected, and only reasonable assurance that illegal acts having a direct and material effect on the determination of financial statement amounts will be detected. We will inform you with respect to material errors and fraud, or illegal acts that come to our attention during the course of our audit. RESPONSIBILITIES AS TO INTERNAL CONTROL As a part of our audit, we will consider [entity's] internal control, as required by generally accepted auditing standards, sufficient to plan the audit and to determine the nature, timing, and extent of auditing procedures necessary for expressing our opinion concerning the financial statements. You recognize that the financial statements and the establishment and maintenance of effective internal control over financial reporting are the responsibility of management. Appropriate supervisory review procedures are necessary to provide reasonable assurance that adopted policies and prescribed procedures are adhered to and to identify errors and fraud or illegal acts. An audit is not designed to provide assurance on internal control. As part of our consideration of [entity's] internal control, however, we will inform you of matters that come to our attention that represent significant deficiencies in the design or operation of internal control. REPRESENTATION FROM MANAGEMENT Management is responsible for the fair presentation of the financial statements in conformity with generally accepted accounting principles, for making all financial records and related information available to us, and for identifying and ensuring that the entity complies with the laws and regulations applicable to its activities. At the conclusion of the engagement, [entity's] management will provide to us a representation letter that, among other things, addresses these matters and confirms certain representations made during the audit, including, to the best of their knowledge and belief, the absence of fraud involving management or those employees who have significant roles in the entity's internal control, or others where it could have a material effect on the financial statements. COMMUNICATIONS At the conclusion of the engagement, we will provide management [and the audit committee or others so designated], in a mutually agreeable format, our recommendations designed to help [entity] make improvements in its internal control and operations, and other matters that may come to our attention (see ;Responsibilities as to Internal Control; above). As part of this engagement we will ensure that certain additional matters are communicated to the appropriate members of management and the audit committee [or others with equivalent authority]. Such matters include (1) the initial selection of and changes in significant accounting policies and their application; (2) the process used by management in formulating particularly sensitive accounting estimates and the basis for our conclusions regarding the reasonableness of those estimates; (3) audit adjustments that could, in our judgment, either individually or in the aggregate, have a significant effect on your financial reporting process; (4) any disagreements with management, whether or not satisfactorily resolved, about matters that individually or in the aggregate could be significant to the financial statements or our report; (5) our views about matters that were the subject of management's consultation with other accountants about auditing and accounting matters; (6) major issues that were discussed with management in connection with the retention of our services, including, among other matters, any discussions regarding the application of accounting principles and auditing standards; and (7) serious difficulties that we encountered in dealing with management related to the performance of the audit. ACCESS TO WORKING PAPERS The working papers for this engagement are the property of [auditor] and constitute confidential information. Any requests for access to our working papers will be discussed with you prior to making them available to requesting parties. SUBPOENAS In the event we are requested or authorized by you or required by government regulation, subpoena, or other legal process to produce our working papers or our personnel as witnesses with respect to our engagement for you, you will, so long as we are not a party to the proceeding in which the information is sought, reimburse us for our professional time and expenses, as well as the fees and expenses of our counsel, incurred in responding to such a request. *???? *???? *???? *???? *???? *???? *???? * If the foregoing is in accordance with your understanding, please sign the copy of this letter in the space provided and return it to us. If you have any questions, please call ______ at _______. Very truly yours, 1 Report, Conclusions, and Recommendations, 1978, p. 2. 2 Control risk is discussed in Chapter 6. 3 SAS No. 82 notes that ;intent is often difficult to determine, particularly in matters involving accounting estimates and the application of accounting principles.; The may be threshold does not require the auditor to determine that fraud is probable before the responsibilities described in this section apply. 4 As noted in Chapter 3, CPA firms that are members of the AICPA's SEC Practice Section have an obligation to notify the SEC when a firm has resigned, declined to stand for reelection, or been dismissed. 5 At the time of this writing, the ASB has issued an exposure draft of an SAS that would require the auditor to establish an understanding with the client and document the understanding in the working papers, preferably through a written communication with the client. 6? This item was added by SAS No. 89, Audit Adjustments, which amended AU Section 310 in 1999. ? PAGE 2 _1521461725.unknown _1521461726.unknown _1521461723.unknown _1521461724.unknown _1521461721.unknown _1521461722.unknown _1521461720.unknown