United States / PwC Material / Montgomery's Auditing, Twelfth Edition, Chapter 6: The Audit Process

PART 2: THEORY AND CONCEPTS

6 The Audit Process

6.1 Management Assertions, Audit Objectives, and Auditing Procedures
6.2 Audit Evidence and Audit Tests
    (a) Types of Evidence
        (i) Inquiry
        (ii) Observation
        (iii) Inspection and Counting of Assets
        (iv) Confirmation
        (v) Examination of Documents and Records
        (vi) Reperformance
        (vii) Analytical Procedures
    (b) Competence of Evidential Matter
    (c) Sufficiency of Evidential Matter
    (d) Types of Audit Tests
    (e) Audit Evidence Decisions
6.3 Audit Risk
    (a) Overall Audit Risk
    (b) The Components of Audit Risk
        (i) Inherent Risk
        (ii) Control Risk
        (iii) Detection Risk
        (iv) Sampling Risk
        (v) Nonsampling Risk
6.4 Materiality
6.5 The Steps in an Audit
    (a) Engagement Planning and Management
    (b) Obtaining Information About the Entity
    (c) Understanding the Entity's Internal Control
    (d) Assessing Control Risk and Developing the Audit Strategy
    (e) Confirming the Assessment of Control Risk by Performing Tests of Controls
    (f) Developing the Substantive Test Audit Program
    (g) Performing Substantive Tests
    (h) Completing the Audit
    (i) Formulating the Audit Report and Communicating Findings

Most of the auditor's work in forming an opinion on financial statements consists of obtaining and evaluating evidence about management's assertions that are embodied in those statements. To be able to express an opinion on financial statements, the auditor develops specific audit objectives related to those assertions and then designs and performs audit tests to obtain and evaluate evidence about whether the objectives have been achieved.
Throughout the process, the auditor must make decisions about whether the evidence obtained is competent and sufficient for formulating an opinion. This chapter explores the concepts of audit objectives, audit evidence, audit risk, and materiality, and presents an overall framework, based on those concepts, for viewing the audit process. The framework consists of a series of systematic steps that represent the various phases of the audit work, as determined by the audit objectives and evidence decisions, resulting in an audit that meets the requirements of professional standards. The steps are usually the same in every audit, but the types of tests performed and the evidence obtained vary with each engagement.

6.1 Management Assertions, Audit Objectives, and Auditing Procedures

An entity's financial statements can be thought of as embodying a set of assertions by management. Statement on Auditing Standards (SAS) No. 31, Evidential Matter, as amended by SAS No. 80 (AU Section 326), groups financial statement assertions into the following broad categories:

- Existence or occurrence
- Completeness
- Rights and obligations
- Valuation or allocation
- Presentation and disclosure

The authors believe it is helpful to consider explicitly two additional categories of assertions that are implicit in the SAS No. 31 list, namely:

- Accuracy
- Cutoff

Assertions about existence relate to whether assets, liabilities, and ownership interests exist at a specific date. These assertions pertain to both physical items (such as inventory, plant and equipment, and cash) and accounts without physical substance, such as accounts receivable and accounts payable. Assertions about occurrence are concerned with whether recorded transactions, such as purchases and sales, represent economic events that actually occurred during a certain period.
Assertions about completeness pertain to whether all transactions and other events and circumstances that occurred during a specific period and should have been recognized in that period have in fact been recorded. For example, all purchases of goods and services should be recorded and included in the financial statements. The completeness assertion also states that all recognizable financial statement items are in fact included in the financial statements. For example, management asserts that accounts payable reported on the balance sheet include all such obligations of the entity. Assertions about rights and obligations relate to whether assets are the rights, and liabilities are the obligations, of the entity at a given date. For example, the reporting of capitalized leases in the balance sheet is an assertion that the amount capitalized is the unamortized cost of rights to leased property and that the amount of the lease liability is the unamortized obligation of the entity. Assertions about valuation or allocation pertain to whether financial statement items are recorded at appropriate amounts in conformity with generally accepted accounting principles (or another comprehensive basis of accounting). For example, the financial statements reflect an assertion that depreciation expense for the year and the carrying value of property, plant, and equipment are based on the systematic amortization of the carrying value of the assets, and that trade accounts receivable are stated at their net realizable value. Assertions about presentation and disclosure relate to the proper classification, description, and disclosure of items in the financial statements; for example, that liabilities classified as long-term will not mature within one year, and that the accounting policy note to the financial statements includes the disclosures required by generally accepted accounting principles. 
Assertions about accuracy relate to the mathematical correctness of recorded transactions that are reflected in the financial statements and the appropriate summarization and posting of those transactions to the general ledger. For example, the financial statements reflect an assertion that accounts payable reflect purchases of goods and services that are based on correct prices and quantities and on invoices that have been accurately computed. Assertions about cutoff relate to the recording of transactions in the proper accounting period. For example, a check to a vendor that is mailed on December 31 should be recorded in December and not, through either oversight or intent, in January. The professional literature is written in terms of financial statement assertions; auditors generally translate those assertions into audit objectives that they seek to achieve by performing auditing procedures. For each assertion embodied in each item in the financial statements, the auditor develops one or more corresponding audit objectives. Then the auditor designs procedures for obtaining sufficient competent evidential matter to either corroborate or contradict each assertion and thereby achieve the related audit objective or reveal a deficiency in the financial statements. Figure 6.1 illustrates how auditors consider these seven broad categories of assertions in formulating audit objectives and designing auditing procedures to obtain evidence supporting them. In the figure, a single auditing procedure is linked to each stated audit objective. In an actual audit, a combination of auditing procedures generally will be necessary to achieve a single objective, and some auditing procedures will relate to more than one objective. 
For example, in addition to observing physical inventory counts by entity personnel to obtain evidence that inventories included in the balance sheet physically exist, the auditor also may confirm the existence and amount of inventories stored in public warehouses or with other custodians at locations outside the entity's premises. Moreover, observing inventory counts also provides evidence that the inventory quantities include all products, materials, and supplies on hand (completeness objective). In addition, it provides evidence about other accounts and objectives (such as the existence of plant) and about certain aspects of the entity's internal control (such as how management operates the business, restrictions on access to storage facilities, and the competence of employees).

Figure 6.1 Examples of Audit Objectives and Procedures

Management Assertion | Example of Audit Objective | Example of Auditing Procedure
Existence or occurrence | Inventories in the balance sheet physically exist. | Observe physical inventory counts by entity personnel.
Completeness | Sales revenues include all items shipped to customers. | Review the entity's periodic accounting for the numerical sequence of shipping documents and invoices.
Accuracy | Accounts receivable reflect sales transactions that are based on correct prices and quantities and are accurately computed. | Compare invoice prices with master price list and quantities with shipping records and customer's sales order; recalculate amounts on invoices.
Cutoff | Sales transactions are reported in the proper period. | Compare shipping dates with dates of journal entries for sales recorded in the last several days of the old year and the first several days of the new year.
Rights and obligations | Real estate in the balance sheet is owned by the entity. | Inspect deeds, purchase contracts, settlement papers, insurance policies, minutes, and related correspondence.
Valuation or allocation | Receivables are stated at net realizable value. | Review entity's aging of receivables to evaluate adequacy of allowance for uncollectible accounts.
Presentation and disclosure | Loss contingencies not required to be recorded are appropriately disclosed. | Inquire of the entity's lawyers concerning litigation, claims, and assessments and evaluate the related disclosures.

Relating the evidence obtained from auditing procedures to the audit objectives is an iterative process of accumulating, analyzing, and interpreting information in light of the auditor's expectations, past experience with the entity's management, generally accepted accounting principles, good management practices, and common sense. Procedures performed to meet one audit objective for one account frequently generate information that requires further action by the auditor to achieve that particular audit objective or other audit objectives related to that particular account or other accounts. Evidence that raises questions, for example, about recorded revenues also may raise questions about the adequacy of the allowance for inventory obsolescence, which in turn will require the auditor to accumulate and analyze additional evidence.

6.2 Audit Evidence and Audit Tests

The third standard of field work states:

Sufficient competent evidential matter is to be obtained through inspection, observation, inquiries, and confirmations to afford a reasonable basis for an opinion regarding the financial statements under audit. (AU Section 326.01)

The evidence necessary to either corroborate or contradict the assertions in the financial statements and thus provide the auditor with a reasonable basis for an opinion is obtained by designing and performing auditing procedures. This section of the chapter describes the various kinds of evidence that are available to the auditor and the types of procedures that the auditor performs to obtain it.
(a) Types of Evidence

Evidential matter necessary to support the assertions in the financial statements consists of underlying accounting data and all corroborating information available to the auditor. Underlying evidence for the most part is available to the auditor from within the entity. It consists of the accounting data from which the financial statements are prepared, and includes journals, ledgers, and computer files; accounting manuals; and memoranda, worksheets, and spreadsheets supporting such items as cost allocations, computations, and reconciliations.

Corroborating evidence is information that supports the underlying evidence; generally it is available to the auditor from both the entity and outside sources. Entity sources include information closely related to accounting data, such as checks, electronic funds transfers, invoices, contracts, minutes of meetings, correspondence, written representations by knowledgeable employees, and information obtained by the auditor by inquiry of officers and employees and observation of employees at work. Additional types of corroborating evidence include confirmations of amounts due or assets held by third parties (such as customers and custodians), correspondence with experts such as attorneys and engineers, and physical examination or inspection of assets such as marketable securities and inventories.

Increasingly, both accounting data and corroborating information are in electronic form. Moreover, in some entities, various types of information may be available in electronic form only. For example, transactions may be processed electronically using Electronic Data Interchange systems, or documents may be scanned and converted into electronic images, and source documents may not be retained. Examination of underlying accounting data, even if it is accessible to the auditor, is not sufficient by itself to meet the third standard of field work.
The auditor must obtain satisfaction about the quality of the underlying evidence through corroborating evidence. For example, an auditor often finds it necessary to confirm open accounts receivable to support receivable balances in the accounts receivable subsidiary ledger. To cite another example, the auditor ordinarily should corroborate lists of inventory items counted by entity personnel, by observing the physical inventory counting procedures and making some test counts.

Auditors use various methods or procedures (inquiry, observation, inspecting and counting assets, confirmation, examination of documents and records, reperformance, and analytical procedures) to obtain sufficient competent evidential matter. How the evidence is classified is not very important; what is important is the auditor's ability to evaluate each kind of evidence in terms of its relevance and reliability, as discussed later in this chapter.

(i) Inquiry. Inquiry means asking questions. The questions may be oral or written and may be directed to entity personnel or to third parties. At the planning stage of the audit, the auditor needs to develop an understanding of the entity's business and its internal control. One of the easiest ways to do this initially is through inquiry. (Later in the audit, the understanding is either corroborated or contradicted by the results of other procedures.) At various stages in the audit, the auditor may ask the entity's employees specific questions about matters arising in the course of the audit work. The auditor makes inquiries of management as part of evaluating accounting principles and estimates. Requesting a representation letter from management as to the recording of all known liabilities, the existence of contingent liabilities, and the existence and carrying value of inventory is a form of inquiry.
The auditor also may inquire of third parties, such as the entity's outside legal counsel regarding legal matters, on matters outside the auditor's expertise. In all instances, the auditor's evaluation of responses is an integral part of the inquiry process.

(ii) Observation. Observation involves direct visual viewing of employees in their work environment and of other facts and events. It is a useful technique that can be employed in many phases of an audit. The auditor should consider, however, that employees may not perform in the same way when the auditor is not present. At the beginning of the audit, the auditor may tour the entity's facilities as part of gaining an understanding of the business. That tour also may provide possible indications of slow-moving or obsolete goods. Observation of employees taking a physical inventory can provide firsthand knowledge to help the auditor assess the adequacy of the inventory taking. Watching employees whose functions have accounting significance perform their assigned tasks can help the auditor assess whether specific controls are being performed effectively.

(iii) Inspection and Counting of Assets. The auditor may obtain evidence by inspecting or counting assets. For example, the auditor may count cash or marketable securities on hand to ascertain that the assets in the accounts actually exist and are accurately recorded.

(iv) Confirmation. Confirmation involves obtaining a representation of a fact or condition from a third party, usually (and preferably) in writing. Examples are a confirmation from a bank of the amount on deposit or of a loan outstanding, or a confirmation from a customer of the existence of a receivable balance at a certain date. Auditors most often associate confirmations with cash (confirmation from a bank) and accounts receivable (confirmation from customers). Confirmation, however, has widespread applicability.
Depending on the circumstances, virtually any transaction, event, or account balance can be confirmed with a third party. For example, creditors can confirm accounts and notes payable; both customers and creditors can confirm specific transactions and their terms; custodians can confirm securities held for others; insurance companies can confirm insurance premiums paid during the year and balances due at year-end, as well as borrowings on life insurance policies; transfer agents and registrars can confirm shares of stock outstanding; and trustees can confirm balances due under long-term borrowings and payments required and made under bond sinking fund requirements.

(v) Examination of Documents and Records. Examining documents and records includes reading, looking at supporting documentation, comparing, and reconciling. The auditor may read the minutes of the board of directors' meetings for authorization of new financing. The auditor may look at customer accounts to determine that all customers' sales invoices have been recorded, or may examine invoices, purchase orders, and receiving reports to ascertain that the charges to a particular asset or expense account are adequately supported. The auditor may look at evidence in the form of signatures or initials on a purchase invoice, indicating that the invoice has been compared, by appropriate personnel, with the corresponding purchase order and receiving report, and that the footings and extensions on the invoice have been recalculated. The auditor may compare vendor invoices with related receiving reports for evidence that merchandise has been received for bills rendered by creditors. The auditor may examine the reconciliation of accounts receivable subsidiary ledgers with control accounts.

(vi) Reperformance. Reperformance involves repeating, either in whole or in part, the same procedures performed by employees, particularly recalculations to ensure mathematical accuracy.
Reperformance may involve some of the other techniques previously mentioned, such as comparing or counting. For example, comparing a vendor's invoice with the corresponding purchase order and receiving report, where there is evidence in the form of initials on a document that an employee previously made that comparison, is reperformance. Reperformance also may involve recounting some of the entity's physical inventory counts, recalculating the extensions and footings on sales invoices and inventory listings, repeating the calculations of depreciation expense, and reconstructing a bank reconciliation prepared by an employee. In addition, in evaluating management's accounting estimates and its choice and application of accounting principles, the auditor may reperform the processes followed by management.

(vii) Analytical Procedures. Analytical procedures are reasonableness tests of financial information made by studying and comparing relationships among data and trends in the data. Analytical procedures include scanning or scrutinizing accounting records, such as entries to an inventory control account for a period, looking for evidence of unusual amounts or unusual sources of input, which, if found, would be investigated further. Other examples of analytical procedures typically performed in an audit include fluctuation analyses, ratio analyses, comparisons of accounting data with operating data or budgets, and comparisons of recorded amounts with expectations developed by the auditor. Analytical procedures are performed early in the audit to help the auditor in planning other auditing procedures, during field work to obtain evidence about specific assertions and accounts, and at the end of the audit as an overall review of the financial statements.

(b) Competence of Evidential Matter

The third standard of field work requires the auditor to obtain evidential matter that is both competent and sufficient. To be competent, evidence must be both relevant and reliable.
To be relevant, evidence must affect the auditor's ability to accept or reject a specific financial statement assertion. The auditor reaches a conclusion on the financial statements taken as a whole through a series of judgments made throughout the audit about specific financial statement assertions. Each piece of evidence obtained is evaluated in terms of its usefulness either in corroborating or contradicting an assertion by management or in the auditor's evaluation of evidence obtained at other stages of the audit. Evidence is relevant to the extent that it serves either of those purposes. An example or two will illustrate the concept of relevance of evidence. Confirming accounts receivable by requesting the entity's customers to inform the auditor about any differences between their records of amounts they owe the entity and the entity's records of open balances is a commonly performed auditing procedure. When considered in conjunction with other evidence, a signed confirmation returned to the auditor indicating agreement with the open balance can provide support for the management assertion that the account receivable exists and is not overstated. Confirmations, however, do not provide evidence about collectibility, completeness, or rights and obligations. A confirmed account may not be collectible because the debtor does not intend or is unable to pay; receivables may exist that have not been recorded and therefore cannot possibly be selected for confirmation; or the entity may have sold the receivables to another party and may merely be acting as a collection agent for that party. Similarly, physically inspecting and counting inventory gives the auditor evidence about its existence, but not about its valuation or about the entity's title to it. Evidence also must be reliable if it is to be useful to the auditor. The Financial Accounting Standards Board definition of reliability is also appropriate in the context of audit evidence. 
Reliability is "the quality of information that assures that information is reasonably free from error and bias and faithfully represents what it purports to represent."[1] Synonyms for reliability are dependability and trustworthiness. The reliability of audit evidence is influenced by several factors.

- Independence of the source. Evidential matter obtained by the auditor from independent sources outside the entity being audited is usually more reliable than that from within the entity. Examples of evidence from independent sources include a confirmation from a state agency of the number of shares of common stock authorized to be issued, and a confirmation from a bank of a cash balance, a loan balance, or securities held as collateral. (The higher level of reliability that such evidence provides does not mean that errors in confirmations of this nature never occur.) In contrast, evidence arising from inquiries of entity personnel or from inspecting documents provided by management is usually considered less reliable from the auditor's viewpoint.

- Qualifications of the source. For audit evidence to be reliable, it must be obtained from people who are competent and have the qualifications to make the information free from error. (The independence-of-the-source criterion addresses the possibility of deliberate errors in the evidence; the qualifications-of-the-source criterion addresses the possibility of unintentional errors in the evidence.) For instance, confirmations provided by businesses are usually more reliable than confirmations provided by individuals. Answers to inquiries about pending litigation from the entity's lawyers are usually more reliable than answers from persons not working in the legal department. The auditor should not necessarily assume that the higher a person's position in the entity, the better qualified that person is to provide evidence. The accounts payable clerk probably knows the true routine in the accounts payable section of the accounting department better than the controller does. Furthermore, auditors should challenge their own qualifications when evaluating evidence they have gathered. When inspecting or counting precious gems in a jeweler's inventory, for example, the auditor is probably not qualified to distinguish between diamonds and pieces of glass.

- Internal control. Underlying accounting data developed under satisfactory internal control is more reliable than similar data developed under less effective internal control. Also, the auditor does not accept management's description of the entity's internal control without corroboration. Instead, if the auditor plans to look to internal control as a source of audit evidence about specific financial statement assertions, he or she observes the activities of entity personnel and tests other aspects of internal control to determine that controls are operating effectively.

- Nature of the evidence. Evidence varies in the extent to which it is fact-based versus opinion-based. Evidence obtained by an auditor's direct, personal knowledge through counting, observing, calculating, or examining documents may be thought of as fact-based. Evidence based on the opinions of others, such as the opinion of an appraiser about the value of an asset acquired by the entity in a nonmonetary transaction, the opinion of a lawyer about the outcome of pending litigation, or the credit manager's opinion about the collectibility of outstanding receivables, may be thought of as opinion-based. Evidence that is opinion-based often requires more judgment by both the preparer (i.e., the appraiser, the lawyer, or the credit manager) and the auditor than does evidence that is fact-based and, therefore, may be less reliable than fact-based evidence.
Sometimes, however, only opinion-based evidence is available to the auditor for evaluating a particular financial statement assertion. The auditor's twofold goal in performing an audit in accordance with generally accepted auditing standards is to achieve the necessary assurance to support the audit opinion, and to perform the audit as efficiently as possible. Thus, in addition to considering the relevance and reliability of evidence, the auditor also must consider its availability, timeliness, and cost. Sometimes a desirable form of evidence is simply not available. For example, an auditor who is retained by the entity after its accounting year-end cannot be present to observe and test-count the ending inventory. Also, time constraints may not permit an auditor to consider a particular source of evidence. For example, confirming a foreign account receivable might delay the completion of the audit by weeks or even months. Different types of evidence have different costs associated with them, and the auditor must consider cost-benefit trade-offs. Fortunately, auditors usually have available more than one source or method of obtaining evidence to corroborate a particular financial statement assertion. If one source or method is not practicable to use, often another can be substituted. For example, a customer who may not be able to confirm an account receivable balance may be able to confirm specific sales transactions and cash remittances. Or a more costly source of evidence may be substituted for a less costly source that is not as reliable. For instance, a petroleum engineer who is independent of the entity could be retained instead of the auditor's relying on engineers employed by the entity for estimates of proven oil reserves. The auditor should choose the type of evidence (corroborating evidence often is sought using more than one method) that achieves the audit objectives at the lowest cost. 
(c) Sufficiency of Evidential Matter

Determining the sufficiency of evidential matter is a question of deciding how much evidence is enough to obtain the reasonable assurance necessary to support the auditor's opinion. The sufficiency of evidence depends partly on the thoroughness of the auditor's search for it and partly on the auditor's ability to evaluate it objectively. For some auditing procedures, the amount of evidence needed corresponds precisely with the decision to use a certain procedure at all; that is, the auditor either performs or does not perform the procedure. For example, a decision to confirm the number of shares authorized by the state of incorporation is a decision to confirm all authorized shares. If the entity had numerous bank accounts, however, the auditor could confirm only some of the accounts with the banks. In that case, the question of sufficiency becomes one of determining the extent of testing. The extent of testing, including the use of sampling, is discussed in Chapters 15 and 16.

(d) Types of Audit Tests

The evidence that the auditor obtains and the procedures for obtaining it described previously can also be classified according to the purpose for which the evidence is gathered. Viewed in terms of their purpose, most auditing procedures are either tests of controls or substantive tests. These two types of audit tests and their respective purposes are discussed at length in Chapters 12 and 15. They are described briefly here to set the stage for the overview of an audit that is presented later in this chapter. (Some auditing procedures, for example, procedures undertaken as part of obtaining an understanding of the entity's business and internal control and other planning activities, and procedures undertaken to obtain details of account balances, do not fit into these two categories.
Most of those activities do not in themselves generate audit evidence; they must be undertaken, however, before useful evidence can be gathered.)[2]

Tests of controls are performed to provide the auditor with evidence about the effectiveness of the operation of internal control. That evidence, if it is obtained, supports an assessment of control risk that is below the maximum or low for one or more assertions (control risk is discussed later in this chapter). To illustrate a test of controls, consider the part of an entity's internal control in which the prices on vendors' invoices are matched by computer with prices on the corresponding purchase orders and an exception report is generated of invoices for which the prices do not match. Exceptions are then resolved by communication with the vendors and the corrected invoices are reprocessed. As evidence that this control activity has been performed, the person following up on exceptions initials the exception report. To test the effectiveness of these procedures, the auditor may inspect the exception report for evidence of review and action by the employee. If that evidence is present and the invoices do not appear on the subsequent exception report, the auditor would conclude that the generation of the exception report and the subsequent follow-up operated effectively in that specific instance. If tests of controls support an assessment of control risk that is below the maximum or low for one or more assertions, the assurance needed from substantive tests can be reduced.

Substantive tests consist of analytical procedures and tests of details of transactions and account balances. Their purpose is to provide the auditor with evidence supporting management's assertions that are implicit in the financial statements or, conversely, to discover misstatements in the financial statements. Analytical procedures used as substantive tests are discussed in detail in Chapter 15.
An example of a test of the details of transactions is the auditor's examination of underlying documents that support purchases, sales, and retirements of property, plant, and equipment during the year. The auditor examines the documents as a means of forming a conclusion about the assertions concerning existence, rights and obligations, and accuracy that are implicit in the property, plant, and equipment account reported in the balance sheet. An example of a test of details of an account balance is the confirming of accounts receivable in order to form a conclusion about their existence. Other substantive auditing procedures include reading minutes of meetings of the board of directors and its important committees, obtaining letters from outside counsel regarding legal matters, and obtaining a letter of representation from management stating, among other matters, that it is responsible for the financial statements and that no material transactions have been omitted from the accounting records underlying the financial statements.

(e) Audit Evidence Decisions

The amount and kinds of evidence that the auditor decides are necessary to form an opinion on the financial statements taken as a whole, and the timing of procedures used to obtain the evidence, are matters of professional judgment. The auditor makes these decisions only after carefully considering the circumstances of a particular engagement and the various risks (discussed next) related to the audit. The goal in every audit should be to perform the work in an effective and efficient manner. As discussed in Chapter 1, an auditor usually has to rely on evidence that is persuasive rather than conclusive. In deciding how much persuasive evidence is enough, by necessity the auditor must work within time constraints, considering the cost of obtaining evidence and evaluating the usefulness of the evidence obtained.
In making these decisions, the auditor cannot ignore the risk of issuing an inappropriate opinion or justify omitting a particular test solely because it is difficult or expensive to perform. While an auditor is seldom convinced beyond all doubt with respect to the assertions embodied in the financial statements, he or she must achieve a high level of assurance about those assertions to support the opinion given. In deciding the nature, timing, and extent of auditing procedures to be performed, the auditor can choose from a number of alternative strategies. For example, for some audit objectives for specific accounts, the auditor might decide to perform tests of controls. The tests would be designed to provide evidence that the accounting system from which the account balances were derived and other relevant controls were operating consistently and effectively, and would be combined with limited substantive tests of the account balances themselves. For other audit objectives or accounts, the auditor might decide to obtain evidence mainly from substantive tests. These decisions will be influenced by answers to such questions as: what are the principal risks of the entity's business; what are the significant account balances in the financial statements; is internal control satisfactory; and which approach provides the needed assurance most efficiently? These questions are not all-inclusive, but are indicative of the kinds of considerations and judgments the auditor must make.

6.3 Audit Risk

There is no practical way to reduce audit risk to zero. Generally accepted auditing standards, user expectations, and sound business practices require the auditor to design and perform auditing procedures that will permit expressing an opinion on the financial statements with a low risk that the opinion will be inappropriate. The complement of that risk is an expression of the level of assurance that the opinion will be appropriate.
Stated another way, the auditor seeks to have a low risk that the opinion expressed is inappropriate, or a high level of assurance3 that the financial statements are free from material misstatements (the concept of materiality is discussed later in this chapter). Obtaining audit assurance and limiting audit risk are alternative ways of looking at the same process. The auditor varies the nature, timing, and extent of auditing procedures in response to his or her perception of risk. Thus, when risk is perceived to be high, more reliable evidence, procedures timed at or near the end of the period under audit, and larger sample sizes are common. Risk analysis also is used to balance the mix of tests of controls and substantive tests-both analytical procedures and tests of details-to achieve an efficient audit.

(a) Overall Audit Risk

The term "overall audit risk" is used to describe the risk that the auditor will issue an inappropriate opinion. That opinion may be either that the financial statements taken as a whole are fairly stated when they are not, or that they are not fairly stated when they are.4 For practical reasons, auditors are particularly attuned to the risk of issuing a "clean" opinion on materially misstated financial statements. It is unlikely that auditors would issue a qualified or an adverse opinion on fairly stated financial statements because the entity's concern over the adverse consequences of such opinions normally would result in additional study and investigation that would clear up the misperception. Nevertheless, both aspects of overall audit risk have cost implications for auditors.5

It is usually impracticable to consider overall audit risk in relation to the financial statements taken as a whole because particular account balances, groups of account balances, or related classes of transactions are likely to have different patterns of risk and the auditing procedures applied to them are likely to have different relative costs.
It ordinarily is practicable, however, to consider audit risk for each assertion associated with each significant account, group of accounts, or class of transactions. The various audit risks for each assertion related to each account balance or group of account balances are then combined to represent overall audit risk. The auditor's primary objective in conducting an audit is to limit audit risk in individual balances or classes of transactions so that, at the completion of the audit, overall audit risk is limited to a level sufficiently low-or conversely, that the level of assurance is sufficiently high-to permit the auditor to express an opinion on the financial statements taken as a whole. A secondary objective is to obtain the desired assurance as efficiently as possible.

(b) The Components of Audit Risk

Audit risk at the account balance or class of transactions level has two components: the risk that the financial statements will contain misstatements (resulting from either errors or fraud) that are material, either individually or in the aggregate, and the risk that the auditor will not detect those misstatements through the performance of substantive tests (both analytical procedures and tests of details). The former risk is not under the auditor's control. The auditor identifies the risks that are associated with the entity and assesses the risk that its internal control will not prevent misstatements from reaching the financial statements or detect any that do; however, he or she cannot reduce or otherwise change the risks. The latter risk, called detection risk, is controlled by the auditor through the selection and performance of substantive tests directed at specific assertions relating to specific transactions and account balances. The auditor's assessment of the risk of the financial statements containing misstatements determines the level of detection risk he or she can accept and still restrict audit risk to an appropriately low level.
The risk that the financial statements will contain misstatements has two aspects: inherent risk and control risk. Inherent risk is the susceptibility of an account balance or a class of transactions to material misstatements, without consideration of internal control. That susceptibility may result from either conditions affecting the entity as a whole or characteristics of specific transactions or accounts. Control risk is the risk that the entity's internal control will not prevent material misstatements or detect on a timely basis any that do reach the financial statements. The auditor identifies inherent risks to determine areas where the risk of material misstatement may be high. In assessing control risk, the auditor obtains an understanding of the components of the entity's internal control and, if appropriate, tests them to determine whether, and to what extent, they are operating effectively and thus can be expected to prevent or detect misstatements. The evidence resulting from the tests of controls reduces the evidence the auditor needs from substantive tests of transactions and account balances to restrict audit risk to an acceptably low level. The auditor's assessment of control risk is the subject of Chapter 12. In seeking to limit audit risk to a sufficiently low level, the level of detection risk the auditor can accept varies inversely with his or her assessment of the risk of the financial statements containing material misstatements. That is, the higher the perceived risk of material misstatements, the more assurance the auditor needs from substantive tests (i.e., the lower the acceptable level of detection risk) to limit audit risk, and vice versa. Similarly, given the assurance desired from substantive tests, the assurance the auditor needs from tests of details will vary inversely with the assurance obtained from analytical procedures. 
Various combinations of audit effort devoted to risk assessment activities, analytical procedures, and tests of details can restrict audit risk to the same low level, but some combinations will be more efficient (i.e., less costly) than others. Based on his or her expectations about control risk, the auditor formulates an audit strategy that will, in a cost-effective manner, provide sufficient competent evidence to (1) confirm those expectations about control risk through the performance of tests of controls, and (2) reduce detection risk sufficiently, through the performance of substantive tests, to achieve a low level of audit risk. Before issuing an unqualified opinion, the auditor should be satisfied that overall audit risk is appropriately low. As noted earlier, in considering overall audit risk, the individual audit risks for the various account balances and assertions are combined. To date, however, no single, simple, generally agreed-on mathematical approach to combining these risks has been developed. Nor has the profession been able to agree on what an appropriately low level of overall risk is. While the auditor may at times think in quantitative terms when considering alternative audit strategies and assessing risk, risk management ultimately requires seasoned judgment based on experience, training, and business sense. The way the audit results of each component of the financial statements are combined depends on how the auditor apportions materiality and combines risk. Many attempts have been made to develop mathematically based risk assessment models, but there is no requirement that audit risk or its components be quantified. In fact, it may not be practicable to quantify the components of audit risk because of the large number of variables affecting them and the subjective nature of many of those variables. Accordingly, many auditors do not attempt to assign specific values to audit risk or its components. 
Normative models for apportioning materiality and combining risk for the financial statements taken as a whole have been a subject of academic research for some years, but do not seem likely to yield practical benefits in the foreseeable future.

(i) Inherent Risk. Financial statements may be susceptible to misstatements because of a condition that exists at the macroeconomic, industry, or entity level, or by a characteristic of an account balance or a class of transactions. The auditor identifies those risks as a result of his or her understanding of the entity's business and industry, performing analytical procedures, studying prior years' audit results, and understanding the entity's transactions, their flow through the accounting system, and the account balances they generate. In assessing the risk that the financial statements may contain material misstatements, the auditor considers the inherent risks he or she has identified. Some aspects of inherent risk are not limited to specific transactions or accounts but stem from factors that are more broadly related to the entity's business environment. These risks usually cannot be controlled by management; they include changes in general business conditions, new governmental regulations, and other economic factors such as a declining industry characterized by bankruptcies, other indications of financial distress, and a lack of financial flexibility, which might affect the realization of assets or incurrence of liabilities, or might influence entity management or other personnel to deliberately misstate financial statements. Conversely, overly rapid expansion (with or without concomitant demand) can create quality failures resulting in potential sales returns or unsalable inventory. The audit objectives most likely to be affected by inherent risks relating to such macroeconomic, industry, or entity-wide factors are valuation or allocation, rights and obligations, and presentation and disclosure.
Certain risks might have such a pervasive effect on the entity's financial statements as a whole as to warrant special audit attention. For example, a severe recession might lead to substantial doubt about an entity's ability to continue to operate as a going concern. The auditor's responsibility in this situation is described in Chapter 26 [Section 26.8(b), Going Concern Uncertainties]. While inherent risks stemming from external and entity-wide conditions cannot be controlled by the entity, the control environment set by management (the "tone at the top") and its monitoring of internal control to identify changes in circumstances affecting the entity can help ensure that the financial statements reflect the underlying economic realities that those conditions create. In addition, management may establish special control activities or perform special year-end procedures in response to inherent risks. Examples include special reviews of inventory obsolescence or of the provision for uncollectible accounts receivable. Other aspects of inherent risk are peculiar to a specific class of transactions or account. The risk of misstatements is greater for some classes of transactions or accounts than for others. In general, transactions that require considerable accounting judgment by entity management are more likely than other transactions to produce errors. Similarly, some assets are more susceptible to theft than others; cash is more prone to misappropriation than are steel beams. Account balances derived from accounting estimates are more likely to be misstated than account balances composed of more factual data. The characteristics of accounts with generic titles differ from one entity to another and even within an entity. For example, not all inventories are the same. Consequently, in assessing risk, the auditor considers the characteristics of the specific items underlying the particular account.
In some instances, the risks relate to whether the inventory exists; in other situations, the risks relate to its valuation. Inherent risks related to specific transactions and accounts should be, and usually are, addressed by the entity's internal control. If so, and if based on efficiency considerations, the auditor plans to test the effectiveness of controls, then those inherent risks are considered in conjunction with the assessment of control risk relating to the transactions and accounts. For example, the auditor may determine in planning the audit that an asset (such as cash) with characteristics (liquidity and transferability) that make it extremely prone to theft, is nevertheless subject to extremely effective controls. In effect, management has designed specific controls in light of the asset's characteristics. In this environment the auditor may find it efficient to test how effectively the controls are operating. If they are effective, the auditor may be able to assess the risk of misappropriation-and thus the risk of a financial statement misstatement-as relatively low.

(ii) Control Risk. There are likely to be errors in the financial reporting process that management does not detect because no affordable system of internal control can be 100 percent effective. In addition, it is not always practicable to subject all transactions to detailed scrutiny, and not all assertions are addressed to the same extent-either intentionally or otherwise-by controls. For example, discretionary bonuses and unusual transactions may not be subject to control activities; in addition, management override of established controls is always possible. Therefore, some risk normally is associated with every entity's internal control; entities with effective controls carry a relatively lower risk, those with less effective controls, a relatively higher risk.
The auditor may be able to obtain evidence-by testing the controls an entity applies to transactions and balances-that those controls are operating effectively. To the extent that such evidence is available and can be obtained efficiently, the auditor will be able to conclude that the risk of the financial statements containing misstatements is correspondingly lowered. For accounts and assertions that are not specifically addressed by controls, or if the auditor does not plan, for reasons of efficiency or otherwise, to test the effectiveness of controls, he or she will have to obtain all audit assurance for relevant accounts and assertions from substantive tests.

(iii) Detection Risk. Detection risk is the possibility that misstatements in a material amount, either individually or cumulatively, will go undetected by substantive tests-both analytical procedures and tests of details. The auditor can perform different combinations of substantive tests to reduce detection risk related to a particular account and assertion. For example, the auditor may perform analytical procedures, tests of details, or a combination of the two; perform tests at year-end or at an interim date; test 100 percent of the items in an account balance or less than 100 percent by using sampling or other methods of testing less than an entire account balance. In deciding which procedures to perform, when to perform them, and the extent of testing, the auditor considers the competence and sufficiency of the evidence that can be obtained from various procedures. Using a combination of tests directed at a specific assertion for a specific account balance is generally more effective than using a single test, because analytical procedures and tests of details complement each other and thus are more powerful in combination.
Furthermore, since the two types of substantive tests are complementary, the assurance derived from one reduces proportionately the assurance the auditor needs from the other to reduce detection risk. For example, as a conceptual exercise-since generally accepted auditing standards require that some substantive tests be performed on all audits, regardless of the level of detection risk-suppose an auditor performs no tests of details or analytical procedures. If there is a misstatement in the financial statements, there is a 100 percent chance that it will not be detected (detection risk is 100 percent). Performing either tests of details or analytical procedures will reduce the likelihood that the misstatement will go undetected (detection risk). If both tests of details and analytical procedures are performed, the likelihood that neither procedure will detect the misstatement is less than if only one type of test is performed, because for the misstatement to go undetected by the auditor, both tests of details and analytical procedures must fail to detect it.

(iv) Sampling Risk. In the context of drawing conclusions from performing auditing procedures, risks may be classified as either sampling or nonsampling risks, depending on whether sampling is used in determining the extent of testing. Sampling risk is the risk that, when an audit test is restricted to a sample, the conclusion reached from the test will differ from the conclusion that would have been reached if the same test had been applied to all items in the population. Sampling risk is discussed in Chapter 16.

(v) Nonsampling Risk. Nonsampling risk encompasses all risks that are not specifically the result of sampling. Thus, nonsampling risk is the risk that any factor other than the size of the sample selected will cause the auditor to draw an incorrect conclusion about an account balance or about the operating effectiveness of a control. Examples of nonsampling risk are:

• Omitting necessary auditing procedures (e.g., failing to review board minutes)
• Applying auditing procedures improperly (e.g., giving confirmation requests to entity personnel for mailing)
• Applying auditing procedures to an inappropriate or incomplete population (e.g., excluding an entire class of purchases from the process of selecting a sample for substantive tests of the accuracy of recorded transactions and then concluding that all purchase transactions have been accurately recorded)
• Failing to recognize a deviation in a control when it is encountered in a test of controls
• Failing to detect that accounting recognition, measurement, or disclosure principles have been improperly selected or applied
• Failing to take action either in response to audit findings or because factors requiring attention have been overlooked

Analyses of past alleged audit failures indicate that such nonsampling risk factors as failure to understand the entity's business processes or risks, errors in interpreting accounting principles, mistakes in interpreting and applying auditing standards, and misstatements caused by management or employee fraud are among the most significant audit risk factors and sources of auditor liability. Nonsampling risk can be controlled by carefully planning the audit and maintaining high standards of audit quality. Quality standards address matters such as independence and professional development of staff, independent review of working papers, and supervision of the performance of auditing procedures. These are covered in detail in Chapter 3.

6.4 Materiality

A concept of materiality is a practical necessity in both auditing and accounting. Allowing immaterial items to complicate and clutter the auditing process or financial statements is uneconomical and diverts users' attention from significant matters in the financial statements.
Materiality judgments influence audit planning and, in the evaluation of audit results, are critical to determining whether the financial statements are fairly presented. Inherent in rendering an audit opinion is the recognition that financial statements cannot precisely or exactly present financial position, results of operations, and cash flows. Such precision is unattainable because of limitations in the accounting measurement process and constraints imposed by the audit process and auditing technology, as discussed in Chapter 1. The wording of the standard auditor's report explicitly recognizes this by stating that the financial statements are presented fairly in all material respects. For the auditor, the consideration of materiality is a professional judgment made largely according to his or her perception of the needs of the users of the financial statements. In terms of users' needs, materiality is defined as "the magnitude of an omission or misstatement of accounting information that, in the light of surrounding circumstances, makes it probable that the judgment of a reasonable person relying on the information would have been changed or influenced by the omission or misstatement."6 Ultimately, the users of financial statements determine what is material. There are many users, however, including shareholders, investors, creditors, regulators, financial analysts, labor unions, audit committees, and entity management, and each may have a different view of what is important. For example, investors rely on information to assess long-term prospects such as trends of cash flows and income; short-term creditors focus more on asset liquidity in the immediate future.
SEC Regulation S-X (Rule 1-02) defines materiality as follows:

The term "material," when used to qualify a requirement for the furnishing of information as to any subject, limits the information required to those matters about which an average prudent investor ought reasonably to be informed.

This definition has been reinforced by court decisions such as the BarChris case7 in which the judge clearly indicated that the materiality issue involved amounts he believed would motivate the "average prudent investor," not the average banker or security analyst. In developing a standard of materiality for a particular situation, other court cases refer to the "reasonable shareholder"8; FASB Concepts Statement No. 2, to the "reasonable person"; and an American Accounting Association publication, to the "informed investor."9 Thus, the consensus seems to be that materiality is influenced by the user, who may be informed, but is not necessarily sophisticated, about financial statements. Materiality has both qualitative and quantitative aspects. A financial statement misstatement may be quantitatively immaterial, but may nevertheless have a material effect on the financial statements. SAS No. 47 (AU Section 312.11) cites as an example, "an illegal payment of an otherwise immaterial amount [that] could be material if there is a reasonable possibility that it could lead to a material contingent liability or a material loss of revenue." Moreover, such matters may have broad implications regarding the integrity of management, and thus may warrant further investigation. The auditor may need to assess the possible pervasiveness of the problem, reassess the effectiveness of internal control, and report the findings to an appropriate level of management.
Similarly, qualitatively innocuous mistakes in the form of small unintentional errors can add up to quantitatively material dollar misstatements that would cause the auditor to qualify the opinion if adjustments were not made to the accounts. Materiality judgments also influence items that are or should be disclosed without directly affecting the financial statement amounts. Because of the dual influence of qualitative and quantitative factors in determining materiality, the concept is difficult to operationalize. It is not surprising that the profession has not been able to establish a single, agreed-on quantitative standard. The assessment of materiality takes place throughout an audit, particularly during planning and when evaluating the results of auditing procedures. SAS No. 47 (AU Section 312.14) requires the auditor, in planning an engagement, to consider a "preliminary judgment about materiality levels for audit purposes." That preliminary judgment may include assessments of what constitutes materiality for significant captions in the balance sheet, income statement, and statement of cash flows individually, and for the financial statements taken as a whole. One purpose of this preliminary materiality judgment is to focus the auditor's attention on the more significant financial statement items while he or she is determining the audit strategy. The materiality levels established for a particular account balance or class of transactions are generally more stringent, in a quantitative sense, than overall materiality levels established for the financial statements taken as a whole. As a practical matter, SAS No. 47 indicates that the preliminary judgment about materiality for the financial statements taken as a whole is generally the smallest aggregate level of errors that could be considered material to any one of the financial statements (AU Section 312.19).
As an example of how an auditor might set materiality levels in planning the audit, he or she may consider misstatements aggregating less than $100,000 not to be material to net income, but may establish a higher materiality threshold for misstatements that affect only the balance sheet (such as misclassifications). This would be because the relatively higher magnitude of the balance sheet components might cause the $100,000 to be even less material to the balance sheet. Similarly, when planning procedures at the line item level (such as receivables or inventories), the auditor must consider that immaterial misstatements in separate line items might aggregate to a material amount. Thus, auditing procedures in one area-for example, receivables-might have to be designed to detect income statement misstatements of much less than $100,000, because of possible misstatements in other areas of the balance sheet. To perform an effective and efficient audit, the auditor must continually assess the results of procedures performed and repeatedly reevaluate whether, based on those results, the scope of procedures planned for the various accounts is adequate, or possibly excessive. For example, individually immaterial misstatements of certain expenses may aggregate to a material amount. As audit work progresses, the auditor may find that the individually immaterial misstatements do not offset each other but cause income to be overstated. In these circumstances, the auditor may need to adjust the scope of procedures for the expenses remaining to be examined in order to gain assurance that a material aggregate misstatement will be detected if it exists. It also may be necessary to apply additional procedures to areas that have already been audited. New facts and circumstances also may change the amount the auditor considers material to individual financial statement line items or to the financial statements taken as a whole. 
For example, if adjustments are made to the accounts during the course of the audit, the parameters the auditor used to determine materiality in the planning stage (e.g., amounts for net income, revenues, and shareholders' equity) may change. By the end of the audit, materiality may be different than at the planning stage. An auditor who does not continually reassess materiality and audit scope as the engagement progresses assumes a greater risk of performing an inefficient or ineffective audit. Materiality assessments and audit planning should be viewed as dynamic, rather than static, auditing concepts. To keep track of misstatements discovered through the various tests and other procedures performed during an audit and to help in drawing conclusions about their effect on the financial statements, the auditor often maintains a summary of potential audit adjustments. This summary assists the auditor in accumulating known misstatements found through audit tests, misstatements based on projections developed from sampling procedures, and misstatements relating to management's accounting estimates that the auditor believes are unreasonable. Ordinarily, management adjusts the records for many of the known misstatements. The auditor then considers the effect of the remaining unadjusted items on the financial statements. Sometimes the auditor believes that further adjustments are necessary for an unqualified opinion to be given. The summary also assists in ascertaining which financial statement is affected by the misstatements. The summary of adjustments is discussed in further detail and illustrated in Chapter 27 (Section 27.5, Summarizing Misstatements and Evaluating the Audit Findings).

6.5 The Steps in an Audit

The audit process can be viewed as depicted in Figure 6.2. The activities in the figure can be summarized as follows:

1. Carrying out engagement planning and management activities, including decisions to accept (or retain) the client and organizational and planning decisions
2. Obtaining information about the entity
3. Understanding internal control
4. Assessing control risk and developing the audit strategy
5. Confirming the assessment of control risk by performing tests of controls
6. Developing the substantive test audit program
7. Performing substantive tests
8. Completing the audit, including performing final analytical and other procedures, and reviewing and evaluating the audit findings
9. Formulating the audit report and communicating findings

These steps are elaborated on below. The work undertaken in each step varies from one audit to another and may vary from year to year for a given entity. Moreover, these phases of the audit seldom appear as separate, isolated, specifically identifiable activities. With the exception of the reporting phase of the audit process, all the steps involve activities that affect strategy decisions. Broadly speaking, the audit strategy is the approach to obtaining the necessary assurance, in relation to key audit areas, from tests of controls and substantive tests. Strategy considerations are most intense during the risk assessment activities and when the auditor evaluates the results of those activities and develops the audit program. The key strategy decision made is the extent to which tests of controls will be performed to reduce the assurance needed from substantive tests.

(a) Engagement Planning and Management

Before a new or recurring engagement is accepted, appropriate information is gathered and evaluated as a basis for deciding whether to accept or retain the client. Once the engagement has been accepted, the engagement terms and goals are established and agreed to.
An important element of this is to understand the client's expectations so that the auditor can plan to meet or exceed them, within the context of the auditor's professional responsibilities. A number of timing considerations need to be discussed and settled, among them:

- Dates by which entity personnel will have assembled the data, records, and documents required by the auditor
- Date or dates on which the entity plans to physically count inventories or other assets
- Deadlines for issuing the report on the financial statements and any other audit-related reports
- Dates of the auditor's meetings with the audit committee of the board of directors

A number of organizational and planning decisions also need to be made, for example, decisions about using the work of internal auditors and specialists (such as actuaries and appraisers), using the work and reports of other auditing firms that have been engaged to audit one or more components of the entity, assigning staff, preparing time budgets, and other similar scheduling and administrative activities. In addition, opportunities to improve relations with management and the board of directors and to maximize the quality of client services may be identified at this stage of the audit. Engagement planning and management is discussed in Chapter 7.

(b) Obtaining Information About the Entity

At an early stage in the audit, the auditor obtains (or updates) information about the entity. This information is used to identify inherent risks and make preliminary materiality judgments as a basis, in part, for developing the audit strategy. Among other things, the auditor gathers information about:

- The nature, size, and organization of the entity and its operations
- Matters affecting the entity's business and industry, such as
  - The business environment
  - Legal and regulatory constraints and requirements
- Results of prior years' audits
- Significant accounts or groups of accounts and the interrelationships among significant financial and operating data
- Accounting and auditing standards of particular relevance to the entity

The information is obtained in a number of ways. The auditor may begin by consulting such materials as the entity's recent annual reports and interim earnings or other news releases; general business or industry publications; industry audit and accounting guides developed by the AICPA, the auditor's firm, and others; and trade association materials. Prior years' working papers and current correspondence files are also valuable sources of information. (For an initial engagement, the auditor may make inquiries and review preceding years' working papers of the predecessor auditor, if the entity has been audited in the past.) The auditor supplements this knowledge by interviewing officers and employees and others knowledgeable about and experienced in the industry. Additionally, the auditor typically reviews the entity's policy and procedures manuals; tours its major plants and offices; reads the minutes of recent meetings of the board of directors, its important committees, and the stockholders; reads relevant contracts and other agreements; and performs preliminary analytical procedures such as comparing the entity's significant financial and operating data with that of its competitors and analyzing relationships and trends in the data. Obtaining information about the entity is the topic of Chapter 8.

(c) Understanding the Entity's Internal Control

Generally accepted auditing standards require the auditor to obtain and document an understanding of the entity's internal control sufficient to plan the audit. Internal control consists of five components: control environment, risk assessment, control activities, information and communication, and monitoring.
On a recurring engagement, the auditor focuses on aspects of internal control that have been added, have changed, or have assumed increased importance since the previous audit. The understanding must be sufficient for planning the audit, that is, for the auditor to identify and react to the risk of material misstatements in the financial statements and design appropriate substantive tests to detect them. In obtaining the understanding of the entity's internal control, the auditor identifies the critical points where significant misstatements could occur and determines whether controls to prevent or detect such misstatements have been designed and placed in operation. As a practical matter, especially on recurring engagements, the auditor often performs tests of controls concurrently with updating the understanding of the internal control components.

The auditor obtains (or updates) the understanding of the entity's internal control mainly through observing and inquiring of entity personnel, referring to relevant policy and procedures manuals, and inspecting books, records, forms, and reports. As a practical matter, the auditor generally does not "relearn" or redocument the entity's internal control each year. Most audits are recurring engagements, for which the auditor carries forward the knowledge and documentation developed in prior years and updates them for significant changes since the preceding year's audit. Most (if not all) of those changes generally come to the auditor's attention through continuing contact with the entity between one year's audit and the next.

To plan and control the audit and document his or her compliance with generally accepted auditing standards, the auditor needs a record of the information obtained.
Some auditors document all the information in narrative form; others prefer to use narratives for general information about the control environment and risk assessment activities, and flowcharts, questionnaires, or other types of practice aids to describe the information system relevant to financial reporting and various controls. The extent to which the auditor documents the understanding of the various internal control components depends on whether there have been significant changes in matters affecting the entity, its business, or internal control since the preceding audit, as well as the planned assessment of control risk and the audit strategy contemplated. If the auditor is concerned that the documented understanding of the accounting system may be incorrect or incomplete, perhaps because of changes since the preceding audit, it may be efficient to trace one or a few representative transactions through the system (sometimes called a transaction review or walkthrough). Often, in documenting the understanding of the internal control components, the auditor records information that is useful in subsequent stages of the audit, especially for performing tests of controls. Chapter 9 presents an overview of internal control. Detailed discussions of the various components and of how the auditor obtains and documents an understanding of them are contained in Chapters 10 and 11.

(d) Assessing Control Risk and Developing the Audit Strategy

The auditor uses the information gathered so far (about the entity, including identified inherent risks, and about internal control) to evaluate whether controls have been properly designed to prevent errors or detect them on a timely basis, make a preliminary assessment of control risk, and develop, or refine, the audit strategy.
Frequently, particularly on recurring engagements, the auditor formulates a major part of the audit strategy based on a presumption about the assessment of control risk, before the documentation and tests of controls have been completed for the current year. It often is practical and efficient to anticipate the control risk assessment and audit strategy early in the audit because the auditor then can document the understanding of internal control in a way that will facilitate the performance of tests of controls, if such tests are planned. In formulating the audit strategy before completing the documentation and testing of controls, the auditor assumes that he or she already has an adequate understanding of the design (and its effectiveness) and the operation of the internal control components. On a new engagement, the basis for that assumption generally is derived from knowledge (which may be limited in scope) obtained through inquiries, observation, and inspection of documents, records, and reports undertaken in the course of developing the understanding of internal control, from any tests of controls performed at that time, and from review of the predecessor auditor's working papers. On a recurring engagement, that assumption is further supported by the prior year's audit experience, inquiries of knowledgeable entity personnel, and the general information gathered or updated about the entity and its industry. If the auditor assesses control risk at maximum, no further internal control work is done, and the auditor designs substantive tests to gain all the assurance needed for all relevant audit objectives and account balances. If, on the other hand, the assessment is that control risk is below the maximum or low, the auditor considers whether, based on the work done so far, he or she believes it will be efficient to limit substantive tests of specific accounts directed to certain audit objectives. 
Ordinarily, the auditor concludes that substantive tests can be limited and formulates an audit strategy that calls for confirming the control risk assessment by performing tests of controls. The basic audit strategy alternatives are either to perform tests of controls and thus limit substantive tests, or to perform substantive tests without significant restriction based on tests of controls. Usually, different strategies are adopted for different audit areas. That is, the auditor will plan to achieve one or more audit objectives for an account or a group of accounts principally by performing tests of controls and restricting substantive tests, while achieving other audit objectives principally or entirely by performing substantive tests. This flexibility also applies to different locations, subsidiaries, and components of business activities. The auditor's aim is to choose an audit strategy that will most efficiently limit audit risk (that is, the risk that he or she will unknowingly fail to modify the opinion appropriately if the financial statements are materially misstated) to a low level.

For a multilocation audit, the audit strategy also includes decisions about whether to limit the number of locations where auditing procedures are performed in a specific engagement. Based on the preliminary control risk assessment, the quality of the internal audit function, the materiality of various locations, and other factors, the auditor may decide to rotate the audit emphasis from year to year. This strategy may enhance audit efficiency and make a complex engagement less costly. The way to accomplish this varies with the circumstances of the engagement. Subject to audit risk considerations, the auditor may vary both the locations visited and the strategies employed at various locations. In a large multilocation engagement, often only a few, if any, locations are individually material to a specific account balance or class of transactions.
The auditor must ensure, however, that each year's audit work is adequate to support the opinion on the financial statements for that year. Regardless of the audit strategy chosen, auditors traditionally have focused more on audit objectives related to balance sheet accounts than on their income statement counterparts, since that is frequently the most efficient way to conduct an audit. Emphasizing balance sheet accounts is also conceptually sound: Balance sheet accounts represent the entity's economic resources and claims to those resources at a point in time, reflecting the cumulative effects of transactions and other events and circumstances on the entity. Income statement accounts reflect the entity's performance during a period between two points in time, measuring its revenues, expenses, gains, and losses that occurred during that period. Many income statement accounts are logically related to one or more balance sheet accounts. Often, evidence that helps achieve audit objectives for a balance sheet account also helps achieve corresponding audit objectives for an income statement account. For example, evidence about the completeness, accuracy, and existence of trade accounts receivable at the beginning and end of a period is also a source of assurance about the completeness, accuracy, and occurrence of sales transactions during the period. The audit strategy selected for each audit area should be documented, including significant inherent risks identified and the audit implications of the control risk assessment. That documentation also should reflect certain other planning decisions, such as analyses to be prepared by entity personnel, the need to use the work of other auditing firms or specialists, and the effects of an internal audit function on the audit strategy. The audit strategy as initially determined should be reviewed, and revised if necessary, as the audit progresses and new information becomes available. 
As noted earlier, the auditor may design the substantive test audit program and plan and schedule the work before performing tests of controls. If tests of controls then indicate that aspects of internal control have not operated effectively throughout the period, the auditor may have to reassess the risk that account balances could be materially misstated, and revise the audit strategy accordingly. Control risk assessment and its effect on the audit strategy are discussed in Chapter 12. Determining and implementing the audit strategy for specific transaction cycles and account balances and disclosures is presented in Chapters 13, 14, and 17-26.

(e) Confirming the Assessment of Control Risk by Performing Tests of Controls

The auditor confirms a preliminary below-the-maximum or low control risk assessment by performing tests of controls designed to provide evidence about whether certain controls have operated effectively and continuously. The lower the assessed level of control risk, the less assurance is needed from substantive tests and the more they are restricted. The more substantive tests are restricted, the greater the auditor's need for evidence that misstatements that might be caused by control deficiencies or breakdowns will be prevented or detected in a timely manner. The auditor seeks that evidence by performing tests of controls and evaluating the results.

In performing tests of controls, the auditor is concerned about how activities were carried out, the consistency with which they were performed, and by whom they were carried out. Tests of controls may include inquiring of entity personnel who carry out activities, as well as others in a position to be aware of control breakdowns; observing how the activities are performed; examining records and documents for evidence that they have been carried out; and reperforming control activities by duplicating the actions of the entity's personnel.
Performing tests of controls is efficient only if the audit time and effort saved by limiting substantive testing exceed the time and effort spent in performing the tests of controls. Therefore, tests of controls generally are performed only when achieving the relevant audit objectives solely by substantive testing would require significant audit time and effort. The auditor should not automatically decide to perform tests of controls, even if it appears that they will provide the necessary evidence, without considering whether performing them will be efficient.

After performing tests of controls, the auditor considers whether controls operated as he or she previously understood. If they did not, but the assessment of control risk was nevertheless confirmed, the auditor amends the recorded understanding of internal control. If the control risk assessment was not confirmed by the tests of controls, the auditor amends the assessment and considers the implications for the audit strategy and the audit program, including how any deficiencies and breakdowns noted affect the risk that account balances could be materially misstated. The auditor also should discuss with appropriate entity personnel any significant deficiencies in the design of controls and any significant breakdowns in their operation. Performing tests of controls is discussed in Chapter 12. Tests of controls related to the revenue and purchasing cycles and to production transactions also are described in Chapters 13, 14, and 19, respectively.

(f) Developing the Substantive Test Audit Program

The audit program reflects the audit strategy and sets out details about the nature, timing, and extent of substantive tests for each account or group of accounts in the financial statements. Decisions about those tests are based primarily on the auditor's assessment of the risk of material misstatement associated with the audit objectives relevant to each account balance and class of transactions.
Those assessments, in turn, are based on the auditor's judgments about materiality, inherent risk, and control risk. Risk assessment decisions and materiality judgments should be reevaluated as the audit progresses to take account of any significant changes in facts or circumstances.

As explained in Chapter 1, the auditor typically tests less than 100 percent of the items in an account balance or class of transactions. Most auditors start with the presumption that it will not be necessary to perform substantive tests on every item that supports an account balance in the financial statements. From the understanding of internal control and from any tests of controls performed, the auditor usually has some evidence that management has established controls that reduce the risk of material misstatement, either in particular accounts or groups of accounts or in the financial statements as a whole, and that the controls are operating effectively. That evidence reduces the assurance needed from substantive tests. Substantive tests are the topic of Chapter 15, supplemented by the discussion of sampling in Chapter 16. Chapters 17-26 discuss substantive tests applicable to specific account balances and disclosures.

(g) Performing Substantive Tests

In performing substantive tests, the auditor obtains, evaluates, and documents evidence to corroborate management's assertions embodied in the accounts and other information in the financial statements and related notes. The auditor's purpose in performing substantive tests is to gain assurance about whether the audit objectives corresponding to management's assertions have been achieved for account balances and classes of transactions. As discussed earlier in this chapter, substantive tests include analytical procedures and tests of details of account balances and transactions, with the assurance obtained from one reducing the assurance needed from the other. Substantive tests also may provide evidence about internal control.
For example, a misstatement discovered through a substantive test may, upon further investigation, be found to have resulted from a deficiency in internal control. In that situation, the auditor may have to reassess prior conclusions about internal control. Performing substantive tests of individual account balances and disclosures is discussed in Chapters 17-26.

(h) Completing the Audit

After all the previous steps in the audit have been performed, the auditor performs final analytical and certain other procedures, such as reading minutes of recent board and committee meetings and obtaining representation letters. Then he or she makes final materiality judgments, summarizes misstatements and evaluates the audit findings, reviews the working papers, reviews the financial statement presentation and disclosures for adequacy, and considers events occurring after the balance sheet date. Those procedures require the exercise of considerable professional judgment and thus generally are performed by the senior members of the engagement team. Completing the audit is the topic of Chapter 27.

(i) Formulating the Audit Report and Communicating Findings

Finally, the auditor prepares the audit report expressing an opinion on the financial statements and generally also communicates to management and the audit committee significant internal control deficiencies and other findings noted during the course of the audit. Some of these communications are required by professional standards, and others, reported to management in what often is called a "management letter," are provided as a service that adds further value to the audit engagement. In addition to this more formal reporting, at key stages throughout the audit, the auditor should contact management to discuss mutual expectations, as well as engagement planning and organizational issues. Audit reporting is covered in Chapters 28 and 29; other auditor communications are discussed in Chapter 4.
1 Statement of Financial Accounting Concepts No. 2, "Glossary of Terms."

2 In this book, the word "test" is restricted to the two types of tests mentioned above. The word "procedure" is used more broadly to describe any of the wide variety of activities performed on an audit, including tests of controls and substantive tests.

3 The required high level of assurance is referred to in the professional literature as "reasonable assurance." Chapter 4 of this book discusses the concept of reasonable assurance.

4 SAS No. 47 (AU Section 312.02) defines audit risk as "the risk that the auditor may unknowingly fail to appropriately modify his or her opinion on financial statements that are materially misstated." Even though this definition does not include the risk that the auditor might erroneously conclude that the financial statements are materially misstated when they are not, it logically follows that the auditor should obtain sufficient evidence to give the proper opinion in all circumstances.

5 SAS No. 47 (footnote to AU Section 312.02) notes that "in addition to audit risk, the auditor is also exposed to loss or injury to his or her professional practice from litigation, adverse publicity, or other events arising in connection with financial statements audited and reported on. This exposure is present even though the auditor has performed the audit in accordance with generally accepted auditing standards and has reported appropriately on those financial statements. Even if an auditor assesses this exposure as low, the auditor should not perform less extensive procedures than would otherwise be appropriate under generally accepted auditing standards." This exposure is one aspect of the risk an accountant faces in accepting any engagement to perform professional services. As indicated above, the auditor is required to assess audit risk independently of his or her evaluation of the exposure presented by an engagement to perform professional services.
6 Statement of Financial Accounting Concepts No. 2, Qualitative Characteristics of Accounting Information.

7 Escott v. BarChris Construction Corp., 283 F. Supp. 643 (S.D.N.Y. 1968).

8 For example, TSC Industries v. Northway, Inc., 44 U.S.L.W. 4852 (1976).

9 Accounting and Reporting Standards for Corporate Financial Statements (Evanston, IL: American Accounting Association, 1957).