auditing homework

gesjima02198v

AuditingText2178.pdf

Home >Business & Finance homework help >Accounting homework help >auditing homework

Auditing

James Peters, PhD, CPA

Editors: Dr. Sharon Levin Dr. Dori Lombard Dr. Larry Wolod

Table of Contents

NEED FOR AUDITING AND AUDIT REGULATION ............................................................................ 1

Preparer Incentives .............................................................................................................................................. 2 Information Asymmetry ....................................................................................................................................... 3 Information Complexity ........................................................................................................................................ 3 Summary of Economic Justification ...................................................................................................................... 3 Potential Problems with Current Auditor Selection .............................................................................................. 4

REGULATORY ENVIRONMENT ........................................................................................................................................... 6 Types of Auditors .................................................................................................................................................. 6 Regulating CPAs ................................................................................................................................................... 6

Requirements for Certification ......................................................................................................................................... 7 Forms of organization ....................................................................................................................................................... 8 Registration of Firms Auditing Public Companies ............................................................................................................. 9 Membership in the AICPA ................................................................................................................................................. 9

Auditing Standards ............................................................................................................................................. 10 Financial Reporting Standards ........................................................................................................................................ 10 Auditing Standards .......................................................................................................................................................... 11

Source of Auditing Standards .................................................................................................................................... 11 Generally Accepted Auditing Standards (GAAS) ........................................................................................................ 12 International Standards on Auditing .......................................................................................................................... 14 Human resource issues .............................................................................................................................................. 14 Additional Communications ...................................................................................................................................... 15

OTHER QUALITY CONTROLS ........................................................................................................................................... 15 EXTRACT OF KEY PROVISIONS FROM SARBANES-OXLEY ........................................................................................................ 16

AUDIT REPORTS AND PROFESSIONAL ETHICS ............................................................................ 23

SUMMARY .................................................................................................................................................................. 23 MATERIALITY .............................................................................................................................................................. 23 OVERVIEW OF AUDIT REPORTS ....................................................................................................................................... 24 STANDARD UNQUALIFIED REPORT ................................................................................................................................... 25 MODIFICATIONS TO PROVIDE ADDITIONAL EXPLANATIONS ................................................................................................... 28 CONDITIONS THAT LEAD TO MODIFIED WORDING BUT NOT MODIFIED OPINIONS .................................................................... 29

Inconsistencies in Accounting Principles Between Years ................................................................................................ 29 Going Concern Issues ...................................................................................................................................................... 30 Agreed Upon Departures from GAAP ............................................................................................................................. 31 Emphasis of Matters ....................................................................................................................................................... 31 Reliance on Other Auditors ............................................................................................................................................. 31

DEPARTURES FROM UNMODIFIED OPINIONS ON FINANCIAL STATEMENTS ............................................................................... 32 Types of Opinions ............................................................................................................................................... 32

Qualified Opinions .......................................................................................................................................................... 32 Adverse Opinion.............................................................................................................................................................. 34 Disclaimer ....................................................................................................................................................................... 35 Auditor is not Independent ............................................................................................................................................. 36

REPORTS ON INTERNAL CONTROLS .................................................................................................................................. 38 Elements of the Internal Control Report............................................................................................................. 38 Modifications to the Standard Report on the Auditee's Controls ....................................................................... 40

Modifications due to Control Deficiencies ...................................................................................................................... 41 Modifications due to Incomplete or Improper Management Report ............................................................................. 44

Modifications due to Scope Limits .................................................................................................................................. 44 OTHER MODIFICATIONS TO CONTROL REPORTS ................................................................................................................. 45 AICPA CODE OF PROFESSIONAL CONDUCT ....................................................................................................................... 46

Overview of the Role of the Code in Enforcing Professional Behavior ............................................................... 46 Structure of the Code ......................................................................................................................................... 47

Statement of Principles ................................................................................................................................................... 47 Rules................................................................................................................................................................................ 48 Independence Rule Differences with SEC and PCAOB .................................................................................................... 50

Non-audit services ..................................................................................................................................................... 50 APPENDIX - HOME DEPOT'S MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS .................................................................. 52

LEGAL LIABILITY AND AUDIT RESPONSIBILITIES AND OBJECTIVES ............................................ 53

Overview of the Legal Climate ........................................................................................................................... 53 Sources of Legal Liability .................................................................................................................................... 55 Extent of Liability ................................................................................................................................................ 57 Liability to Clients ............................................................................................................................................... 57 Liability to Third Parties under Common Law .................................................................................................... 58 Liability to Third Parties under Federal Securities Law ....................................................................................... 59

Securities Act of 1933 ..................................................................................................................................................... 59 Securities Exchange Act of 1934 ..................................................................................................................................... 59

Criminal Liability ................................................................................................................................................. 60 AUDIT RESPONSIBILITIES AND OBJECTIVES ......................................................................................................................... 60

Management's Responsibilities .......................................................................................................................... 61 Management's Certifications .......................................................................................................................................... 61 Management Assertions ................................................................................................................................................. 61

Purpose of an Audit ............................................................................................................................................ 62 Overall Purpose of an Audit ............................................................................................................................................ 62 Accounting Cycle and Transaction Processes .................................................................................................................. 62

The Accounting Cycle ................................................................................................................................................. 63 Transaction Processes................................................................................................................................................ 63

Audit Objectives .............................................................................................................................................................. 64 Transactions ............................................................................................................................................................... 65 Balances ..................................................................................................................................................................... 66 Presentation and Disclosure ...................................................................................................................................... 67

Auditor's Responsibilities ................................................................................................................................... 68 Step 1 - Plan an Audit Approach ..................................................................................................................................... 68 Step 2 - Tests of Controls and Substantive Tests of Transaction ..................................................................................... 69 Step 3 - Perform Substantive Analytical Procedures and Tests of Balances ................................................................... 69 Step 4 - Completing the Audit and Issuing a Report ....................................................................................................... 70 Other General Auditor Responsibilities .......................................................................................................................... 70

Determining Materiality ............................................................................................................................................ 70 Detecting Fraud ......................................................................................................................................................... 70 Determining the Auditee's Compliance with Laws and Regulations .......................................................................... 70 Professional Skepticism ............................................................................................................................................. 70 Professional Judgment ............................................................................................................................................... 71

EVIDENCE, DOCUMENTATION, MATERIALITY, AND AUDIT RISK ............................................... 75

Appropriateness and Sufficiency ........................................................................................................................ 75 Types of Audit Procedures .................................................................................................................................. 77

AUDIT DOCUMENTATION .............................................................................................................................................. 80 Nature and Rationale for Audit Documentation ................................................................................................ 80

iii

Structure of Audit Documentation ..................................................................................................................... 80 Examples of Audit Documentation ..................................................................................................................... 82 Ownership, Confidentiality, and Retention of Audit Documentation ................................................................. 85

SETTING MATERIALITY .................................................................................................................................................. 85 Different Levels of Materiality ............................................................................................................................ 86

Planning materiality ........................................................................................................................................................ 86 Performance materiality ................................................................................................................................................. 86 Tolerable error ................................................................................................................................................................ 86

Bases for Setting Materiality .............................................................................................................................. 87 Using Materiality to Evaluate Audit Findings. .................................................................................................... 89

AUDIT RISK ASSESSMENT............................................................................................................................................... 89 Structure and Use of the Audit Risk Model ........................................................................................................ 89

Audit Risk ........................................................................................................................................................................ 90 Inherent Risk ................................................................................................................................................................... 90 Control Risk ..................................................................................................................................................................... 90 Detection Risk ................................................................................................................................................................. 91

Risk Model Summary .......................................................................................................................................... 93

AUDIT PLANNING AND INHERENT RISK ASSESSMENT ................................................................. 94

Auditee Acceptance ............................................................................................................................................ 96 Signing the Engagement Letter .......................................................................................................................... 98 Selecting the Audit Team ................................................................................................................................. 101

Structure of the Core Audit Team ................................................................................................................................. 101 Assess the Need for Outside Experts ............................................................................................................................ 102

UNDERSTANDING THE AUDITEE .................................................................................................................................... 102 Industry and External Environment .................................................................................................................. 102 Business Operations and Processes .................................................................................................................. 103

Tour the Auditee and Interview Key Personnel ............................................................................................................ 103 Identify Related Parties ................................................................................................................................................. 103

Management and Governance ........................................................................................................................ 104 Objectives and Strategies ................................................................................................................................. 104 Performance Measurement ............................................................................................................................. 105

PRELIMINARY ANALYTICAL PROCEDURES......................................................................................................................... 106 Sources of Data ................................................................................................................................................ 107

Develop an Expectation ................................................................................................................................................ 110 Define a Tolerable Difference ....................................................................................................................................... 111 Compare Expectation to Actual and Investigate ........................................................................................................... 111 Draw Conclusions .......................................................................................................................................................... 111

Assessing the Auditee's Financial Health ......................................................................................................... 112 Analysis Strategies ........................................................................................................................................... 112

General Approach ......................................................................................................................................................... 112 Figure 1 - Causal Structure Underlying Financial Analysis ............................................................................................. 113

Indicators of Strong Auditees ........................................................................................................................... 114 Stability over time ......................................................................................................................................................... 114 Proportional growth...................................................................................................................................................... 114 Outperforming the industry .......................................................................................................................................... 114

Balanced Management .................................................................................................................................... 115 Profit and utilization ..................................................................................................................................................... 115 Financial position and operating cash flow ................................................................................................................... 115 Leverage and financial risk ............................................................................................................................................ 116

Diagnosing Change .......................................................................................................................................... 116 Profitability ................................................................................................................................................................... 116 Cash flows ..................................................................................................................................................................... 116

Overall Summary .............................................................................................................................................. 117 Substantive and Final Analytical Procedures Revisited .................................................................................... 117

INHERENT RISK ASSESSMENT ........................................................................................................................................ 118 General Sources of Inherent Risk ...................................................................................................................... 118 External Environmental Factors ....................................................................................................................... 119

Industrial Factors .......................................................................................................................................................... 119 Regulatory Factors ........................................................................................................................................................ 119 Economic Factors .......................................................................................................................................................... 120 Firm-specific Factors ..................................................................................................................................................... 121 Summary of Sources of Inherent Risk ........................................................................................................................... 123

Information Sources for Inherent Risk Assessment .......................................................................................... 123 Management and Other Key Personnel ........................................................................................................................ 123 Third Parties .................................................................................................................................................................. 124 Auditee Documents ...................................................................................................................................................... 124 Trade Publications......................................................................................................................................................... 124 Economic Data .............................................................................................................................................................. 125

Applying Analytical Procedures ........................................................................................................................ 125 Factors that Create Management Incentives ................................................................................................................ 126 Factors that affect Management's Ability to Manipulate Financial Statements ........................................................... 127

APPENDIX 1 - DETAILED ANALYTICAL PROCEDURES ........................................................................................................... 129 Structure of This Appendix ............................................................................................................................... 129

Table 1 - Summary of Ratios ......................................................................................................................................... 130 Table 1 - Continued ....................................................................................................................................................... 131

Sample Economic Data ..................................................................................................................................... 132 Operating Performance .................................................................................................................................... 132

Price to earnings ratio ................................................................................................................................................... 133 Return on assets ........................................................................................................................................................... 133 Return on owners’ equity ............................................................................................................................................. 134 Leverage ........................................................................................................................................................................ 134

Profitability ....................................................................................................................................................... 135 Gross profit percentage ................................................................................................................................................ 135 Profit margin ................................................................................................................................................................. 135 Common-sized Income statement ................................................................................................................................ 136

Utilization ......................................................................................................................................................... 136 Cash Management Analysis ............................................................................................................................. 136

Cash Conversion Cycle .................................................................................................................................................. 136 Figure 2 - Cash Conversion Cycle .................................................................................................................................. 139

Cash Flow Statement........................................................................................................................................ 140 Main Benchmarks ............................................................................................................................................ 140

Cash Flows from Operations ......................................................................................................................................... 141 Cash Flows for Investment and Depreciation ............................................................................................................... 142 Free Cash Flows ............................................................................................................................................................ 143 Balance between Short- and Long-term Sources .......................................................................................................... 144 Table 2 - Sample Patterns of Cash Flow Behavior ......................................................................................................... 145

Financial Position ............................................................................................................................................. 146 Short term ..................................................................................................................................................................... 147

Current and Quick Ratios ......................................................................................................................................... 147 Dividend yields ......................................................................................................................................................... 148 Operating cash flows ............................................................................................................................................... 149

Long term ...................................................................................................................................................................... 149 Debt to equity .......................................................................................................................................................... 149

ASSESSING AND RESPONDING TO FRAUD RISK ........................................................................... 152

Definition of Fraud ........................................................................................................................................... 152

Types of Fraud .................................................................................................................................................. 153 Corruption ..................................................................................................................................................................... 155 Asset Misappropriation ................................................................................................................................................. 155 Financial Statement Fraud ............................................................................................................................................ 156

CONDITIONS FOR FRAUD ............................................................................................................................................. 156 Fraud Triangle .................................................................................................................................................. 156

Perceived Pressure or Incentive .................................................................................................................................... 157 Opportunity .................................................................................................................................................................. 157 Rationalization .............................................................................................................................................................. 158

Fraud Elements Triangle................................................................................................................................... 158 ASSESSING THE RISK OF FRAUD ..................................................................................................................................... 159

Importance of Professional Skepticism ......................................................................................................................... 159 Sources of Information ................................................................................................................................................. 160

Discussions with Audit Team ................................................................................................................................... 160 Inquiries of Management ........................................................................................................................................ 160 Preliminary Analytical Procedures ........................................................................................................................... 161

Management's Responsibility to Minimizing Fraud Risk ............................................................................................... 161 AUDITOR RESPONSE TO FRAUD RISK .............................................................................................................................. 162

Responses to Overall Fraud Risk ................................................................................................................................... 162 Responses to Assertion/Audit Objective-level Risk ....................................................................................................... 162 Responses for Possible Management Override of Controls .......................................................................................... 163

HIGH RISK FRAUD AREAS ............................................................................................................................................ 163 Revenue recognition ..................................................................................................................................................... 163 Misappropriation of Revenue Receipts ......................................................................................................................... 164 Inventory Fraud ............................................................................................................................................................. 165 Other Risk Areas ............................................................................................................................................................ 165

FRAUD DOCUMENTATION ............................................................................................................................................ 166

ASSESSING CONTROL RISK AND DEVELOPING OVERALL AUDIT STRATEGY ............................ 167

Implementation of Internal Controls ................................................................................................................ 169 Types of Internal Controls ................................................................................................................................ 170

When the Control Functions ......................................................................................................................................... 170 Extent of the Controls Effect ......................................................................................................................................... 171

Internal Control Regulatory Environment ........................................................................................................ 171 Foreign Corrupt Practices Act (FCPA) ............................................................................................................................ 172 Sarbanes-Oxley Act (SOX) ............................................................................................................................................. 172

CONTROL EVALUATION FRAMEWORKS ........................................................................................................................... 173 COBIT ................................................................................................................................................................ 173

Operations COBIT Covers .............................................................................................................................................. 173 Classes of Risks COBIT Covers ....................................................................................................................................... 174

COSO Framework ............................................................................................................................................. 174 Management Objectives .................................................................................................................................. 176 Control Components ......................................................................................................................................... 177

Internal Environment .................................................................................................................................................... 177 Objective Setting ........................................................................................................................................................... 180 Event Identification ....................................................................................................................................................... 180 Risk Assessment and Response ..................................................................................................................................... 180 Control Activities ........................................................................................................................................................... 181

Proper authorization................................................................................................................................................ 181 Segregation of duties ............................................................................................................................................... 181 Project development, acquisition, and change controls .......................................................................................... 183 Design and use of documents and records .............................................................................................................. 184 Safeguarding assets, records, and data ................................................................................................................... 185

Independent checks on performance ...................................................................................................................... 186 Information and Communication .................................................................................................................................. 188 Monitoring .................................................................................................................................................................... 188

ROLE OF CONTROL DESIGN EVALUATION IN THE FINANCIAL STATEMENT AUDIT ...................................................................... 189 RISKS OF ERROR ........................................................................................................................................................ 189

Firm-level Threats ............................................................................................................................................. 190 Perceived Value ............................................................................................................................................................ 190 Awareness and Understanding ..................................................................................................................................... 191

Clearly Defined Lines of Authority ........................................................................................................................... 191 Formal Policies and Procedures ............................................................................................................................... 191 Adequate Personnel with Proper Incentives ........................................................................................................... 192 Levels of Awareness and Understanding ................................................................................................................. 193

Documentation ............................................................................................................................................................. 193 Monitoring .................................................................................................................................................................... 193 Management Override .................................................................................................................................................. 194

Transaction Processing Threats........................................................................................................................ 195 Matching Controls to Risks ............................................................................................................................... 195 Documenting the Auditee's Controls ................................................................................................................ 197

Internal Control Narratives ........................................................................................................................................... 197 Flowcharts ..................................................................................................................................................................... 197 Checklists ...................................................................................................................................................................... 200

Assessing Control Risk ...................................................................................................................................... 201 DETERMINING AUDIT STRATEGY ................................................................................................................................... 202

Overview of Strategy Setting ............................................................................................................................ 202 Strategic Options .............................................................................................................................................. 204

DOCUMENTING AUDIT STRATEGY .................................................................................................................................. 205

AUDITING SALES AND COLLECTIONS AND AUDIT SAMPLING FOR TESTS OF CONTROLS ......... 210

Delivery of Goods or Services ........................................................................................................................... 211 Receipt of Payment .......................................................................................................................................... 212 Revenue Recognition for Long-term Contracts ................................................................................................ 213 Revenue Recognition for Bundled Contracts .................................................................................................... 213

DESCRIPTION OF REVENUE AND COLLECTION PROCESSES ................................................................................................... 214 Major Activities and Documents ...................................................................................................................... 214

Take an order ................................................................................................................................................................ 214 Approve Credit .............................................................................................................................................................. 214 Fill Order ....................................................................................................................................................................... 215 Ship Order ..................................................................................................................................................................... 215 Bill ................................................................................................................................................................................. 215 Collect ........................................................................................................................................................................... 216

Application to Services ..................................................................................................................................... 217 SUMMARY OF NORMAL SALES PROCESSES ...................................................................................................................... 218

Common Transaction Controls for Sales .......................................................................................................... 219 TESTING CONTROLS .................................................................................................................................................... 220

Overview .......................................................................................................................................................... 220 Testing Steps .................................................................................................................................................... 222 Determine the Objective and Nature of the Test ............................................................................................. 222 Define the Population Characteristics .............................................................................................................. 223

Define the Population ................................................................................................................................................... 223 Determine the Sampling Unit ....................................................................................................................................... 223 Define a Deviation ......................................................................................................................................................... 224

Determining Sample Size .................................................................................................................................. 224

vii

Desired Confidence Level .............................................................................................................................................. 225 Tolerable Deviation Rate ............................................................................................................................................... 226 Expected Population Deviation Rate ............................................................................................................................. 226 Calculating Sample Size ................................................................................................................................................. 227

Select Sample Items ......................................................................................................................................... 228 Statistical Sampling Selection Methods ........................................................................................................................ 228 Non-statistical Sampling Selection Methods................................................................................................................. 229

Perform Tests ................................................................................................................................................... 230 Calculate Results .............................................................................................................................................. 230 Draw Conclusions ............................................................................................................................................. 232

Compare Maximum Deviation Rate to Tolerable Deviation Rate ................................................................................. 232 Evaluation Deviations.................................................................................................................................................... 232 Options if Maximum Deviation Rate exceeds Tolerable Deviation Rate ....................................................................... 232

Expand Sample Size ................................................................................................................................................. 232 Apply Alternative Procedures .................................................................................................................................. 233 Adjust Control Risk................................................................................................................................................... 233 Revise Tolerable Deviation Rate and/or Confidence Level ...................................................................................... 233 Communicate Results to the Audit Committee ....................................................................................................... 233

NON-SAMPLING RISK .................................................................................................................................................. 234 Substantive Tests of Transactions .................................................................................................................... 234

TESTS OF DETAILS AND AUDITING SAMPLING FOR TEST OF DETAILS IN SALES AND COLLECTIONS ACTIVITIES ......................................................................................................................................................... 235

Determine Planned Detection Risk ................................................................................................................... 236 Set Performance Materiality/Tolerable Misstatement .................................................................................... 236 Determine Testing Plan .................................................................................................................................... 239 Examples of Risk and Tests for Accounts Receivable ........................................................................................ 240

Tie-in ............................................................................................................................................................................. 240 Completeness ............................................................................................................................................................... 241 Existence ....................................................................................................................................................................... 241 Accuracy ........................................................................................................................................................................ 241 Rights ............................................................................................................................................................................ 241 Realizable Value ............................................................................................................................................................ 242 Cutoff ............................................................................................................................................................................ 242 Classification ................................................................................................................................................................. 243 Confirmations ............................................................................................................................................................... 243

Overview of the Issues ............................................................................................................................................. 243 Types of Confirmations ............................................................................................................................................ 244 The Confirmation Process ........................................................................................................................................ 245

DETAIL TESTS OF BALANCES ......................................................................................................................................... 246 MONETARY UNIT SAMPLING ........................................................................................................................................ 246

Relationship to Attribute Sampling .................................................................................................................. 246 Key Parameters ................................................................................................................................................ 247

STEPS IN THE TESTING PROCESS .................................................................................................................................... 249 Determine the Test Objectives ......................................................................................................................... 249 Determine the Population Characteristics ....................................................................................................... 249

Define the Population ................................................................................................................................................... 249 Define the Sampling Unit .............................................................................................................................................. 250 Define a Misstatement .................................................................................................................................................. 250

Calculate the Sample Size ................................................................................................................................. 251 Acceptable Risk of Incorrect Acceptance ...................................................................................................................... 251 Tolerable Misstatement ................................................................................................................................................ 252 Expected Misstatement Rate ........................................................................................................................................ 252

viii

Population Size .............................................................................................................................................................. 252 Select Sample Items ......................................................................................................................................... 253 Perform the Tests ............................................................................................................................................. 256 Calculate Results .............................................................................................................................................. 256

Calculate Basic Precision ............................................................................................................................................... 256 Calculate the Effect of Misstatements in the Sample ................................................................................................... 257 Compute the Upper Misstatement Bound .................................................................................................................... 258

Draw Conclusions ............................................................................................................................................. 263 Execute the Decision Rule ............................................................................................................................................. 263 Summary of MUS Assumptions ..................................................................................................................................... 264

CLASSICAL VARIABLES SAMPLING .................................................................................................................................. 264 Calculating MPUE Sample Size ......................................................................................................................... 267 Selecting the CVS Sample ................................................................................................................................. 269 Evaluating a CVS Sample .................................................................................................................................. 269 Other CVS Approaches ..................................................................................................................................... 270 Summary of Differences between CVS and MUS .............................................................................................. 271

NON-STATISTICAL SAMPLING ....................................................................................................................................... 272 AUDITOR'S OPTIONS IF SAMPLE RESULTS INDICATE REJECTION OF THE ACCOUNT ................................................................... 273

AUDITING THE ACQUISITION AND PAYMENTS CYCLE ................................................................ 276

Acquisitions ...................................................................................................................................................... 276 Description .................................................................................................................................................................... 276 Major Activities and Documents ................................................................................................................................... 277 Summary of Accounting Processes for Purchases ......................................................................................................... 280 Common Application Controls for Purchases ............................................................................................................... 280 Common Substantive Analytical Procedures for Acquisitions ...................................................................................... 283 Common Tests of Details for Accounts Payable ............................................................................................................ 283 Common Substantive Analytical Procedures for Accounts Payable .............................................................................. 284

Comparing Accounts Payable Balances to Cost Volume .......................................................................................... 284 Cash Disbursements ......................................................................................................................................... 285

Major Activities and Documents ................................................................................................................................... 285 Common Controls, Tests of Controls, and Substantive Tests of Transactions .............................................................. 286 Common Tests of Tests of Details ................................................................................................................................. 288

Property, Plant, and Equipment ....................................................................................................................... 288 Common Activity and Documents ................................................................................................................................ 288 Common Controls, Tests of Controls, and Substantive Tests of Transactions .............................................................. 288 Common Substantive Analytical Procedures for Property, Plant, and Equipment ....................................................... 289 Common Tests of Substantive Tests of Details ............................................................................................................. 289

Tests of Acquisitions ................................................................................................................................................ 289 Tests of Disposals ..................................................................................................................................................... 290 Verify the Ending Balance ........................................................................................................................................ 291 Verify Accumulated Depreciation and Depreciation Expense ................................................................................. 292 Review for Asset Impairments ................................................................................................................................. 292

Prepaid Expenses .............................................................................................................................................. 292 Common Tests of Controls ............................................................................................................................................ 292 Common Substantive Analytical Procedures ................................................................................................................ 293 Common Tests of Transactions and Detailed Tests of Balances ................................................................................... 293 Substantive Analytical Procedures ................................................................................................................................ 295

Accrued Liabilities............................................................................................................................................. 295 Common Substantive Analytical Procedures ................................................................................................................ 295

Expense Accounts ............................................................................................................................................. 295

AUDITING OF INVENTORY AND WAREHOUSING, AND COMPLETION OF THE AUDIT............ 297

SUMMARY ................................................................................................................................................................ 297

AUDITING INVENTORY ................................................................................................................................................. 297 Business Functions and Documents ................................................................................................................. 297 Controls and Tests of Controls .......................................................................................................................... 299 Substantive Tests of Transactions and Detailed Tests of Balances .................................................................. 300 Substantive Analytical Procedures ................................................................................................................... 303

COMPLETING THE AUDIT ............................................................................................................................................. 304 CONTINGENCIES ........................................................................................................................................................ 304

Definition and Classification Rules ................................................................................................................... 304 Examples .......................................................................................................................................................... 306 Audit Procedures .............................................................................................................................................. 306 Legal Representation Letters............................................................................................................................ 307 Management Representation Letters .............................................................................................................. 308

COMMITMENTS ......................................................................................................................................................... 309 SUBSEQUENT EVENTS AND DISCOVERY OF FACTS ............................................................................................................. 309

Subsequent Events ........................................................................................................................................... 310 Subsequent Discovery of Facts ......................................................................................................................... 311 Audit Procedures .............................................................................................................................................. 312

GOING CONCERN EVALUATION ..................................................................................................................................... 313 FINAL EVIDENCE EVALUATION ...................................................................................................................................... 313

Final Analytical Procedures .............................................................................................................................. 314 Working Paper Review ..................................................................................................................................... 314 Evaluate Financial Statement Presentation and Disclosure ............................................................................. 314 Obtain Independent Review ............................................................................................................................. 314

OTHER COMMUNICATIONS .......................................................................................................................................... 315 Communications to the Board of Directors ...................................................................................................... 315 Management Letter ......................................................................................................................................... 316

INDEX ................................................................................................................................................................ 317

Need for Auditing and Audit Regulation

Summary

This chapter will provide you with a broad overview of auditing and the environment in which auditors perform audits. The focus is on the audit of publicly available financial statements. After completing this chapter, you should be able to:  Define auditing and differentiate it from other assurance services provided by CPAs;

 Describe why audits are so important in modern economies;

 Describe, in general terms, the requirements for becoming a CPA and being able to perform audits of financial statements;

 Describe, in general terms, the organizations, and their interrelationships, that regulate the practice of auditing and setting of financial reporting standards in the US and around the world;

 Describe the structure and content of generally accepted auditing standards; and

 Describe how audits and auditors are regulated.

Style Conventions used in this Text

This text includes a table of contents that is hyperlinked to sections of the text. The text is provided in Word format to maintain these hyperlinks. Thus, you can click on a table of contents entry and Word will take you to that section of the text. As you read the text, you will notice bolded terms in the middle of sentences. Bolded terms are included in the index. Thus, if you look up a term in the index and go to the page indicated, you will be able to spot where the indexed term appears on that page. Some terms and phrases are in blue and underlined. These terms or phrases contain active hyperlinks to on-line resources related to the topic the text is covering.

Definition of Auditing

Let’s begin our exploration of auditing by defining auditing. There is no one standard definition of auditing so we will use the definition used by one of the most popular auditing texts in the US.

"Auditing is the accumulation and evaluation of evidence about information to determine and report on the degree of correspondence between the information and established criteria. Auditing should be done by competent, independent people."1

This definition covers a variety of different types of audits, the main ones include: 1 Arens, A. A., Randal J. E., and M. S. Beasley (2017). Auditing and Assurance Services: An Integrated Approach. Sixteenth Edition. Pearson Prentice Hall. Page 4.

 External Financial Statement Audits - The "information" in the definition is an organization's financial statements and the criteria are an accepted financial reporting framework like US Generally Accepted Accounting Standards (GAAP) or International Financial Reporting Standards (IFRS). In the US, external financial statement audits can only be done by Certified Public Accountants (CPAs). In addition, only CPAs that are registered with the Public Companies Accounting Oversight Board (PCAOB) can audit the financial statements of public, for-profit firms. "Public firms" are those that are required to register with the US Securities and Exchange Commission (SEC) because they sell stock to the public. Thus, the "competent, independent people" here are CPAs.

 Internal Audits - The "information" in the definition can be just about anything that effects the firm's financial statements or operations and the criteria vary depending on the nature of the information. There are no regulatory agencies that oversee internal auditing because it is an internal function within firms. However, the Institute of Internal Auditors (IIA) provides guidance on the execution of internal auditor.

 Tax Audits - The "information" in the definition is an organization's income tax return and the criteria are the tax laws that apply to that return.

 Compliance Audits - The "information" in the can be anything related to laws, regulations, or contracts and the criteria are the details of the laws, regulations, or contracts.

This class only covers external financial statement audits and will focus on audits of public companies. You also can find a more complete discussion of the types of audits at http://accounting-simplified.com/audit/introduction/types-of-audits.html#external.

Economic Justification for Auditing

Now let us turn to why audits exist for public financial statements. The main reasons can be summarized as information risk. Information risk is the risk that financial statements users face when they make decisions based on financial statements. The components of information risk include the following.

Preparer Incentives

A firm's management produces public financial statements, which investors and potential investors use to determine how well management is running the firm and to decide on investing in the firm. This creates a moral hazard problem. That is, the main source of information on which investors are evaluating management's running of the firm is members of the management team Obviously, management has an incentive to manipulate the financial statements so that they present the impression that management is doing a good job running the firm. Since management has sole access to information that financial statements summarize, investors have no way of knowing how accurate those financial statements are. Enter the independent, competent auditor and their report on the accuracy of the financial statements.

Auditors provide an independent report (i.e., they have no incentive to manipulate the financial statements) and they are competent to produce that report (i.e., they can use GAAP to determine if the financial statements are accurate). Because they are independent and competent, investors can trust auditors to make sure that management hasn't manipulated the financial statements and that they are accurate.

Information Asymmetry

Information asymmetry is related to moral hazard. It refers to the simple fact that managers have the information that financial statement users want and users don't. Auditors can gain access to any of the firm's information as part of the audit and can reduce information asymmetry by evaluating that information based on GAAP or IFRS and report to users.

Information Complexitys

Independence helps insure that the auditor will not bias their report in any way. However, competence is equally important because of the complexity of the information included in a set of financial statements and their footnotes. If you have ever looked at the codification of GAAP, you will find that it is thousands of pages long and includes highly technical information about the nature of a rich variety of different types of transactions in which a firm engages.

Summary of Economic Justification

To summarize: a variety of users rely on an organization's financial statements to make judgments about the organization. They rely on external financial statement audits. Some examples of users include:  Investors and potential investors - For corporations, this means stockholders or potential

stockholders. We include "potential" because people considering buying a corporation's stock need reliable financials statement information, as do existing owners to determine whether the investment is sound. For partnerships, the investors would be partners.

 Creditors and potential creditors - Any person who either lends money to an organization or is considering lending to an organization, needs reliable financial statement information to make an informed lending decision.

 Employees and unions - Employees and unions use financial statement information in negotiations with firms over salaries and benefits, as well as working conditions.

 Government regulatory bodies - Government regulatory bodies can require reliable financial information about a firm to do things like assess the effect of regulatory requirements and the firm's financial ability to comply. We exclude taxing authorities because tax laws frequently differ from GAAP or IFRS. Thus, tax returns are usually prepared on a different basis of accounting than external financial statements and audited financial statements are prepared in accordance with GAAP or GAAS, not the Internal Revenue Code.

 The firm's management - A firm's management needs reliable financial information to make business decisions. They can benefit from having an independent, competent person

review their origination's financial data. They may not require an external financial statement audit to do this, but it is a beneficial side effect of having such and audit done.

External audits reduce information risk for all these users.

Potential Problems with Current Auditor Selection

There is one problem with the current way auditors conduct external audits. While the users are the ones that benefit most, users are not directly involved in the selection or monitoring of the external auditor. The auditee (firm being audited) hires and monitors the auditor. This arrangement is practical because individual users or groups of users probably wouldn't have the resources to hire auditors. In addition, different user groups would need to hire their own auditors creating a massive duplication of effort as well as disruption to the auditee's operations. The most practical solution is to have the auditee hire the auditor and makes the results available to all users. However, this creates in inherent threat to auditor independence since the auditor is "auditing the hand that feeds them." The current model reduces this risk in a variety of ways, which you will find in detail below. These include:  Professional codes of conduct - The American Institute of Certified Public Accountants

(AICPA) maintains a Code of Conduct that all members of the AICPA are expected to abide by. The AICPA can sanction members, to include expel them from the AICPA, for violating the Code. However, the AICPA is a voluntary, private, professional organization and has no legal enforcement powers.

 Generally accepted auditing standards (GAAS) - Two organizations set detailed standards in the US on how auditors should perform a financial statement audit - the Auditing Standards Board (ASB) and the PCAOB. The ASB is a branch of the AICPA and, like the AICPA, has no legal enforcement powers. The PCAOB is a quasi- governmental organization that does have legal enforcement powers. However, the PCAOB only regulates audits of publicly traded for-profit firms. The ASB's auditing standards apply to private for-profit firms2 as well as non-profit organizations. The International Auditing and Assurance Standards Board (IAASB) set standards for audits of international organizations. The IAASB also is a private, non-profit organization with no legal enforcement powers.

 Legal liability - An auditee and certain types of users may file suit against an auditor for not executing a sound audit, i.e., one that conforms to the appropriate GAAS. Such lawsuits are the main enforcement mechanism for auditing standards because courts use them to determine whether the auditor was negligent in performing the audit.

 Sarbanes-Oxley - The US Congress passed Sarbanes-Oxley in 2002, which regulates the audit of public companies and created the PCAOB. It contains a variety of provisions that

2 "Private" means that the firm's stock is not traded on public stock exchanges and is sold privately between investors.

you will find in this chapter. It limits the non-auditing services that auditors and provide to their audit clients to help preserve auditor independence. It also requires that public companies establish auditing committees of the boards of directors and use those committees to select and monitor external auditors. It also requires that audit committees consist only of outsider directors (directors that don't work for the auditee in any other capacity) and that it be headed by an outside director with significant financial and accounting knowledge. The purpose of these provisions is to remove the auditee's management from the auditor selection and monitoring tasks to enhance auditor independence.

Most auditors and auditees believe the current system adequately regulate audits and insures auditor independence. That is, how and auditor conducts and audit is regulated and auditors can face serious consequences for doing a substandard audit because of legal liability and, in the case of public audits, serious sanctions to include being banned from auditing public companies. Some experts, however, believe that even these features of the audit environment are inadequate to preserve auditor independence. They believe that because auditors view the auditee as their client, they will defer to the auditee management's judgment to help insure that they keep the client. Auditors face a much different situation than other professionals like doctors and lawyers. The role of doctors and lawyers is clearly to serve their patients and clients; thus patients and doctors have aligned goals. However, the auditor's role is to serve the users of financial statements by reducing information risk and those users don't hire, monitor, and compensate the auditors. Thus, there is a potential mismatch of incentives between the auditor and the user. Some experts believe that this mismatch of incentives is a serious threat to auditor independence. These experts have suggested several changes to the audit environment to improve auditor independence.  Audit firm rotation - Sarbanes-Oxley requires the partner in charge of a public company

audit to rotate off the auditee every five years. Some experts believe that compelling firms to hire new auditors every five to seven years mitigates the risk of an auditor becoming too "close" to the auditee. Other experts argue that longer-term relationships increase the auditor's understanding of the auditee and lower audit costs.

 Government assignment of auditors - Some experts recommend having government agency assign auditors to auditees, but continue to have auditing done by for-profit firms.

 Government auditing - Some experts would have governmental agencies take over auditing, particularly of public firms.

 Financial statement insurance - Joshua Ronen of New York University has suggested eliminating mandatory audits and replacing them with financial statement insurance. Organizations would pay for insurance against liability of loss from financial statement errors. The insurance companies then would hire auditors to audit the firms they insured to reduce their risk of loss.

Regulatory Environment

Moving on from the basics of the regulatory environment, let us now learn the details of how audits are currently regulated. This regulatory environment consists of private, non-profit regulatory bodies that set some standards and monitor auditor's performance as well as governmental regulatory bodies that do the same. Until the Sarbanes-Oxley, governmental bodies only regulated who could be a CPA and how auditors executed governmental audits. Governmental bodies did not set auditing standards for public, non-governmental financial statements. The Government Accountability Office (GAO) sets auditing standards for all governments in the US, except the Federal Government. The GAO is a branch of the US Congress. Sarbanes-Oxley changed that by also transferring the authority to set auditing standards for publicly traded firms to the (PCAOB), which is a quasi-governmental agency under the supervision of the SEC. This chapter refers to provisions of Sarbanes-Oxley in several places where it applies to the regulatory environment of auditing. The appendix to this chapter provides an overview of the major provisions of the act. This section breaks the regulatory environment into two halves: regulations concerning who can be an auditor and regulations concerning how auditors perform audits. In all cases, the regulatory environment references audits of public financial statements where "public" means financial statements distributed by corporations outside of or external to the firm that produced them.

Types of Auditors

There are three basic types of auditors: internal, external, and governmental. This course will cover the activities of external auditors only. These auditors work in audit firms and sell their audit services to businesses, governments, and non-profit organizations. External auditors must be CPAs. They are independent of the firms they audit. Internal auditors are employees of the firm they audit. Thus, internal auditors are not independent of the firm since they are employees of the firm. Governmental auditors work for various governments and can audit both the activities of their governments and the activities of people who interact with the government. IRS auditors who may audit your tax return are an example of the later. Firms have internal audit departments because the firm's management also needs accurate information with which to manage the firm. There also is a moral hazard problem within the firm in that top-level managers use information produced by lower-level managers to judge the performance of the lower-level managers. One role of internal auditors is to provide non-biased information to top management about the activities of subordinate managers. However, internal auditors cannot provide a report on the accuracy of the financial statements to outside parties because they are not independent of the firm.

Regulating CPAs

In the US, states pass laws that regulated who can perform external audits (i.e., who can be a CPA). There is no national law that regulates who can be a CPA. However, all states and the federal government require that you be a CPA if you are going to do external audits. Thus, any

discussion about regulating auditors that produce external audits of financial statements centers on what it takes to be a CPA.

Requirements for Certification

To perform an external audit, the auditor must be a licensed CPA in the state in which the auditee (i.e., firm being audited) is based. In the U.S., each state sets its requirements for becoming a licensed CPA. Thus, if you want to be a CPA, you first need to determine the state in which you want to practice and then review that state's laws. However, most states have very similar requirements. In nearly all states, a State Board of Accountancy, which is a state agency, administers the laws. The common themes that run through all state's requirements include that CPAs:3  Have a formal education in auditing and accounting - Most states require that CPA

candidates have a bachelor's degree and 150 credit hours of college education, undergraduate or graduate, to sit for the CPA exam. The degree does not have to be in accounting, but most states specify a minimum number of credit hours that candidates must take in accounting. Since most colleges grant bachelor's degrees to students with around 120 credit hours, the 150-credit hour rule implies students have a fifth year of education. While many students get those extra 30 credit hours in master’s programs, many just take additional undergraduate classes to meet the 150-hour requirement.

 Pass the Uniform CPA exam - The CPA exam is as its name implies - uniform. The exam is developed and administered by the AICPA and is standard in all states. Currently, the AICPA administers the computerized CPA exam nine months per year. Most people who take the exam take more than one try to pass its sections.

 Have some auditing experience - Nearly all state boards of accountancy require that CPA candidates have some auditing experience before issuing a CPA license. This is the area where states vary the most. A few require little or no experience while others require up to six years of experience. Some states require the experience before you can sit for the CPA exam and others just require the experience before you can be certified and licensed to practice as a CPA.

 Be of high moral character - Again, the requirements to prove high moral character differ from state to state. However, nearly all states prohibit convicted felons from practicing as a CPA. Thus, one major requirement to prove moral character is to have a clean criminal record. Many states also require letters of recommendation from CPAs licensed to practice in the state and many require that the CPA candidate pass a separate ethics exam as well as passing the CPA exam itself.

 Maintain their education - The above requirements are necessary to obtain a CPA certificate and license to practice. However, nearly all states also required that CPAs take

3 The requirements to be a CPA in Maryland can be found at https://www.cpaexam.com/maryland-cpa-requirements/. Other state requirements are found at: https://nasba.org/stateboards/

around 40 contact hours of continuing education each year to maintain their license to practice. In addition, if a state or federal court convicts a CPA of a felony, most state boards of accountancy would revoke his/her CPA license.

Forms of organization

Another form of regulation that states use is controlling the form of organization that CPAs can use and still practice in the state. The specific details of things like liability coverage for these forms of organization can vary slightly from state to state since they are defined under state laws and not federal laws. However, the following discussion covers how most states structure each form of organization. Federal law does dictate how each type of organization is taxed at the federal level, but taxation is outside the scope of this text. The main thing that varies is whether owners can be held personally liable of the actions of the organization or their own actions as owners of the organization. The forms include:  Corporation - A corporation is a separate legal entity from its owners. Since it is a

separate legal entity, the organization can be held liable for the actions of the organization and it management. Owners are shareholders in the corporation and elect the Board of Directors that runs the corporation on behalf of the stockholders. The key issue is that stockholders cannot be held personally liable for actions of the corporation. No state allows CPA organizations to organize as corporations because of this. The reason is that the state wants to ensure that if the CPA executes an audit and does a substandard audit, the CPA can be held personally liable for their substandard work. "Personally liable" means that the CPA's plaintiffs can sue to recover from the CPA's personal assets like the home, retirement savings, and checking account balances.

 Professional Corporations (PC) - These are corporations created specifically for professionals like doctors, lawyers, engineers, and accountants. That is, they are separate legal entities from their owners and the owners are shareholders in the corporation. Thus, the organization can be held liable for the actions of the organization and its management. The main difference between them and a regular corporation is that the owners' liability is not completely limited. In a professional corporation, the owner in charge of providing services to clients can be held personally liable for their actions. However, the other owners usually cannot be held personally liable for the actions of other owners.

 Limited Liability Partnerships (LLP) and Limited Liability Companies (LLC) - These organizations are not separate entities from their owners and are either partnerships (LLP) of sole proprietorships (LLC). Since they are not separate legal entities, all the partners or owners could be held personally liable for any actions of anyone in the organization. However, states created these special forms of partnerships and sole proprietorships to provide some liability protection for the owners. In general, they don't provide full liability protection but, like PCs, shield one owner from the actions of other owners but not owners from liability for their own actions. Most major CPA firms are organized as LLPs.

 Limited Partnerships - Limited partnerships are similar to LLPs in that they are not separate legal entities, but have some differences. Limited partnerships have two classes of

partners - general partners and limited partners. The general partners run the organization and are personally liable for the actions of any other general partner. Limited partners are more like investors and put money into the organization, but don't participate in management and, therefore, are not personally liable for the actions of the organization since they don't decide on what actions the organization will take.

 General Partnerships and Sole Proprietorships - A general partnership isn't a separate legal entity and only has one class of partners - general. All partners are owners and managers of the organization. Sole proprietorships are identical except they only have one owner. In both these cases, the general partners and sole owners are fully liable, personally, for any actions of the organization. There was a time when these were the only forms of organization states allowed CPAs to use. Thus, advent of LLPs, LLCs, and PCs is a relatively recent change in the regulatory environment of CPAs.

Registration of Firms Auditing Public Companies

There is now one additional requirement for CPAs to audit publicly traded firms (i.e., firms that sell stock to the public on exchanges like the New York Stock Exchange). Sarbanes-Oxley established the PCAOB to regulate the auditing of public companies in the US. We’ll learn more about the PCAOB below. The role that is relevant to our discussion of regulating CPAs is that any CPA who wants to audit a public company must register with the PCAOB. Thus, the PCAOB also provides some regulation as to who can audit publicly traded firms. The PCAOB is not involved in licensing CPAs but they set some additional requirements that CPAs must meet if they want to audit public companies.

Membership in the AICPA

While the AICPA is a voluntary professional association of CPAs, it still has some regulatory power over CPAs. States do not require CPA’s to be a member of the AICPA to practice. However, membership in the AICPA carries a lot of weight with potential audit clients. To join the AICPA, you must be a CPA and have a license to practice in a state. The AICPA has several programs that help CPAs to do their jobs. For example, the have continuing education programs, reference libraries, and sell professional publications. The AICPA also has some regulatory powers in that they require peer reviews of larger firms and have developed a code of conduct for CPAs. The only enforcement power the AICPA has is to expel a CPA for violations. While expulsion doesn't carry with it any direct consequences (e.g., loss of your CPA license), it can be very damaging to a CPA's reputation and ability to attract clients. Before the creation of the PCAOB, the Auditing Standards Board (ASB), which the AICPA oversees, set all auditing standards. Now the PCAOB sets auditing standards for public company audits and the ASB sets auditing standards for non-public companies. This will be covered in more detail in the next section.

Auditing Standards

In this section, we will cover the existing standards for conducting a financial statement audit and the firms that set those standards in the US. Then we will briefly cover the international regulatory environment.

Financial Reporting Standards

The most common criteria auditors use to determine if financial statements are accurate is GAAP. Let’s start with who sets GAAP. Two main bodies in the US, one private and one governmental, set financial reporting standards for for-profit and non-profit organizations. The formal legal authority to set financial reporting standards for publicly traded companies rests with the Securities and Exchange Commission (SEC). Congress created it with the 1934 Securities Exchange Act in response to the stock market crash of 1929 and the Great Depression that followed. The SEC's original responsibilities were to enforce the 1933 Securities Act, but it has taken on additional responsibilities over the years. The SEC is an independent agency of the U.S. Federal government whereby he President appoints and the Senate confirms its five commissioners. At most three members of the Commission can come from one political party, thus keeping it somewhat bi-partisan. However, at the time the SEC was formed there was no body, public or private, designated to set accounting standards. In 1939, at the urging of the SEC, the AICPA established the Committee on Accounting Procedure (CAP) to deal with financial reporting issues. However, the CAP was reactionary in that it responded to problems as they arose and did not develop an overall framework for accounting standards. Thus, in 1959, the AICPA established the Accounting Principles Board (APB) that took over the responsibilities of the CAP and attempted to develop a more comprehensive framework of standards. In 1973, at the urging of the SEC, a group of professional associations with interest in accounting issues joined together to form a private, non-profit organization strictly dedicated to setting accounting standards. The main motivation was to increase the standard-setting body's credibility by taking it out from under the AICPA and putting it under an organization of several professional associations. Those associations represented the CPA community, in the form of the AICPA, but also the academic accounting community, financial executives, financial analysts, securities traders, and the public. The association was the Financial Accounting Foundation (FAF), which is an umbrella organization that oversees the Financial Accounting Standard Board (FASB) and the Governmental Accounting Standards Board (GASB). The GASB sets accounting standards for state and local governments in the US, however this will not be covered in this text. If you are interested, there is one additional accounting standard setting body in the US, the Financial Accounting Standards Advisory Board (FASAB). The FASAB is a joint effort of the US Treasury Department, the Government Accountability Office (GAO), and the Office of Management and Budget of the US federal government. It sets financial accounting standards for the US federal government only. The FASB is the key organization in that it sets US GAAP for for-profit firms, which is the core focus of this text. Like the AICPA and its boards and committees, the FASB has no direct

enforcement authority. The SEC enforces GAAP yet has delegated most of the financial accounting standard setting process to the FASB. Thus, the SEC enforces GAAP but the FASB sets GAAP. There are some exceptions in that the SEC also has some accounting standards it has established in addition to the standards set by the FASB, but they are not extensive. The discussion thus far has focused on the SEC and accounting standards for publicly traded firms. There is no enforcement mechanism that forces private firms (i.e., those who do not sell stock to the public) to follow GAAP. However, private firms frequently need to obtain bank loans or solicit outside investment other than by selling stock on the open market. When they go to banks or investors for funds, the vast majority of these banks and investors insist on GAAP financial statements as a basis for making a loan or investment. Thus, de facto, private companies must use GAAP as well. These potential investors and creditors also frequently required audited financial statements as well. Finally, everything discussed above refers to U.S. accounting standards. International GAAP is formally known as International Financial Reporting Standards (IFRS). IFRS are set by the International Accounting Standards Board (IASB), which is a non-profit body based on London. While the SEC backed off from mandating international GAAP for US firms, they still are encouraging the FASB the IASB to cooperate in conforming the two sets of standards. This effort has had mixed success. US GAAP has moved towards IFRS, but there are still differences in areas that the two bodies have not yet addressed and in areas where they failed to agree.

Auditing Standards

Source of Auditing Standards

Until the U.S. Congress passed Sarbanes-Oxley in 2002, the Auditing Standards Board (ASB) of the AICPA set generally accepted auditing standards (GAAS). As we will discuss later in this course, GAAS, and the related Statements of Auditing Standards (SAS), are the rules that govern how external auditors perform an audit of a firm's financial statements. Sarbanes-Oxley transferred the responsibility for setting auditing standards for public companies to the PCAOB (PCAOB).4 The ASB still sets auditing standards for non-public for-profit firms and non-profit organizations. The PCAOB is a private, non-profit organization5, but it has substantial enforcement powers and the SEC appoints all of its five members. Therefore many consider the PCAOB as a federal

4 The PCAOB is sometimes called "Peek-a-boo." 5 The non-profit status of the PCAOB was the basis of a court challenge that a US Appeals Court recently resolved. The plaintiffs contended that delegating enforcement powers by the SEC to the PCAOB was unconstitutional because of its non-profit status. However, the Appeals Court held that the SEC retains substantial oversight of the PCAOB and, therefore, the PCAOB is acting under the SEC's enforcement authority. (M. Cohn, "How Would the Supreme Court Rule

government agency since that is what it really acts like. The main regulatory powers of the PCAOB as established by Sarbanes-Oxley are to:  register public accounting firms that prepare audit reports for publicly traded firms;

 set auditing, quality control, ethics, independence, and other standards relating to the preparation of audit reports by publicly traded firms;

 conduct inspections of registered public accounting firms; and

 conduct investigations and disciplinary proceedings concerning CPA firms and their employees registered to audit public companies and impose appropriate sanctions were justified.

This isn't a complete list, but these are the most important powers. Refer to the appendix for a more complete list. The PCAOB did not start setting auditing standards from scratch, but, instead, adopted in their entirety, the auditing standards set by the ASB over the years. However, it has promulgated new standards (they call them rules) since its inception and will have the responsibility for setting all new standards for public companies from now on. The ASB still exists and sets auditing standards. However, any new standards that the ASB sets only apply to private companies and non-profit organizations, not public companies. Thus, there could be a divergence in auditing standards between public and private companies in the future.

Generally Accepted Auditing Standards (GAAS)

When the PCAOB came into existence, the ASB had established a rich set of auditing standards that are still in force. These standards consume well over 1,000 pages and are very detailed and extensive. Given the volume and complexity of auditing standards, we cannot cover all of them in this text. Provided for you is a broad road map of how those standards are structured here so that you may refer to them in more detail as we walk through the audit process in the balance of this text. At the top level of auditing standards are 10 generally accepted auditing standards (GAAS) including: General Standards

 The audit is to be performed by a person or persons having adequate technical training and proficiency as an auditor.

 In all matters relating to the audit, independence in mental attitude is to be maintained by the auditor or auditors.

on the PCAOB?", http://www.webcpa.com/article.cfm?articleid=28982&pg=ros, downloaded 12/3/08.)

 Due professional care is to be exercised in the planning and performance of the audit and the preparation of the report.

Standards of Field Work

 The auditor must adequately plan the work and must properly supervise any assistants.

 The auditor must obtain a sufficient understanding of the entity and its environment, including its internal controls, to assess the risk of material misstatement6 of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures.

 The auditor must obtain sufficient appropriate audit evidence by performing audit procedures to afford a reasonable basis for an opinion regarding the financial statements under audit.

Standards of Reporting

 The report shall state whether the financial statements are presented in accordance with GAAP.

 The report shall identify those circumstances in which such principles have not been consistently observed in the current period in relation to the preceding period.

 Informative disclosures7 in the financial statements are to be regarded as reasonably adequate unless otherwise stated in the report.

 The report shall either contain an expression of opinion regarding the financial statements, taken as a whole, or an assertion to the effect that an opinion cannot be expressed. When an overall opinion cannot be expressed, the reasons therefore should be stated. In all cases where an auditor's name is associated with financial statements, the report should contain a clear-cut indication of the character of the auditor's work, if any, and the degree of responsibility the auditor is taking.

Let’s briefly relate these standards to the definition of auditing. The general standards address the competency and independence of the auditor. The fieldwork standards address the way the auditor gathers evidence as to whether the financial statements being audited meet GAAP. The reporting standards address how the auditor structures his/her report on whether the financial statements meet GAAP or not. As you can see, these 10 GAAS doesn't take up over 1,000 pages. However, when reading the 10 standards, you probably realized they are very general principles requiring expansion and further explanation to be enforceable. Over the years, the ASB expanded on the 10 GAAS standards with Statements on Auditing Standards (SAS). These SAS take up over 1,000 pages. The ASB organized SAS around the 10 GAAS. However, the ASB issues SAS sequentially as topics come

6 We will define the term "material misstatement" later. It is an auditor's way of saying significant error. 7 "Informative disclosures" mean the footnotes and certain information in any management discussion that accompanies the financial statements.

up. Thus, the AICPA publishes SAS in two forms: 1) one by SAS numbered as issued and 2) a codification structured around GAAS. That is, the codification reorganized SAS by topic.

International Standards on Auditing

International Standards on Auditing (ISA) are issued by the International Auditing and Assurance Board (IAASB). The IAASB is overseen by the International Federation of Accountants (IFAC). The IFAC is a voluntary organization consisting of 159 accounting firms from 124 countries. It also sets different types of other assurance standards, but we are only focusing on auditing standards in this class. Adoption of ISA is voluntary and up to each country. The following source provides an up to date summary of the adoption of international auditing standards - http://www.iasplus.com/en/resources/ifrs-topics/adoption-of-ifrs. We will not go into ISA in any detail because they are quite similar to US standards. However, international standards have become more important with the globalization of the world economy. The percentage of publicly traded firms that do business in more than one country is quite high, and the number of firms that sell their stock in multiple stock markets around the world is growing. Firms that want to sell their stock on foreign exchanges need to produce auditing financial statements that meet international financial reporting standards (IFRS) and are auditing using ISA. Because firms that do business globally do not want to have to address multiple accounting and auditing standards, the SEC, AICPA, and other US organizations are working activity with the IASB ), which sets international accounting standards, and the IFAC to standardize accounting and auditing standards throughout the world. However, as you might expect, national pride and politics makes such an effort difficult.

Human resource issues

In additional to prohibiting certain services to help insure that auditors remain independent of their auditees, the SEC also prohibits certain interactions between the auditee and auditor personnel and places some restrictions on auditor personnel. The core theme behind these additional restrictions is to keep the auditor and auditee from becoming too close to each other. These include:  Partner rotation - The lead audit partner and the quality review partner cannot serve on

the auditee of the same client for more than five years before they must rotate off the engagement and wait five years before they can return to that client.

 Former employment - An audit firm cannot audit a client if the auditee has employed any members of the audit team within one year of when the audit engagement starts.

 Contingent fees - An auditing firm's partners, not just the lead auditor and/or quality review partner, must abstain from selling non-audit services to an auditee.

Additional Communications

Finally, the SEC requires more extensive communications between the auditor and the auditee's Board of Directors, particularly the auditee's Audit Committee. These include:  The auditor must report to the Audit Committee and consider the Auditee Committee

their client. Since Sarbanes-Oxley also requires that the Audit Committee be composed totally of outside directors and be headed by a Board member with financial background, having the auditor report to the Audit Committee enhances their independence of management.

 They must summarize the auditee's accounting policies, and GAAP alternatives to those policies, with the Audit Committee for all accounting policies that the auditor has discussed with the auditee's management and that might have a material impact on the financial statements.

 The auditee must disclose all audit and non-audit fees paid to their auditor and describe the nature of the work performed for all non-audit fees for the last two fiscal years.

Other Quality Controls

The AICPA also provides quality control standards for CPAs. We have elected not to cover them in detail in this text. We will provide you with a brief overview of both AICPA and PCAOB quality control standards. The AICPA has had a peer review program in place since 1988. The AICPA not only has individual memberships, but also firm memberships. Their peer review program applies to firms who were members of the AICPA. It provided that firms had to have a review by another AICPA member firm every three years. That review covered the firm's auditing practices and procedures and, particularly, focused on the firm's internal quality control practices. Sarbanes-Oxley transferred the responsibility for reviewing the audit practices to the PCAOB. However, as with other issues, the PCAOB has delegated to the AICPA some of that responsibility. For example, the AICPA created two organizations to execute peer reviews: the AICPA Center for Public Company Audit Firms Peer Review Program and the AICPA Peer Review Program. The PCAOB requires all audit firms that register with the PCAOB to do audits of public companies must join the first Center. However, the PCAOB carries out its own auditor inspection program as well and so the requirements established by the AICPA's Center are in addition to the PCAOB's own requirements. Audit firms that don't audit public companies can join either firm, but the AICPA does require them to join one or the other to remain AICPA members. The PCAOB performs regular inspections of audit firms registered to audit public companies. The frequency of inspection varies with the size of the firm. The results of the inspections are posted to the PCAOB website and, therefore, are publicly available. The PCAOB usually works with firms to mitigate any deficiencies they find in their inspections, but can also issue sanctions up to prohibiting the firm from auditing public companies. It also can prohibit individual auditors from participating in the audit of public companies.

Extract of Key Provisions from Sarbanes-Oxley8

Section 3: Commission Rules and Enforcement.

A violation by any person of the Sarbanes-Oxley Act, any rule or regulation of the Securities and Exchange Commission (SEC or the Commission) or any rule of the Public Company Accounting Oversight Board (PCAOB or the Board) is treated as a violation of the Securities and Exchange Act of 1934, giving rise to the same penalties that may be imposed for violations of that Act.

Section 101: Establishment of Administrative Provisions.

The Sarbanes-Oxley Act established the PCAOB to oversee audits of public companies. The Board operates with five financially-literate members, appointed for five-year terms. Two of the members must be or have been certified public accountants, and the remaining three must not be and cannot have been CPAs. A CPA member of the Board may serve as the Chair, if he or she has not practiced as a CPA for five years.

The Board's members will serve on a full-time basis.

No member may, concurrent with service on the Board, "share in any of the profits of, or receive payments from, a public accounting firm," other than "fixed continuing payments," such as retirement payments.

Members of the Board are appointed by the Commission, "after consultation with" the Chairman of the Federal Reserve Board and the Secretary of the Treasury.

The Commission “for good cause” may remove members.

Section 102: Registration with the Board.

All public accounting firms that prepare or issue, or who participate in the preparation or issuance of, any audit report with respect to an issuer, must register with the Board.

Section 103: Auditing, Quality Control, and Independence Standards and Rules.

The Board shall:

1 Register public accounting firms;

2 Establish, or adopt, by rule, "auditing, quality control, ethics, independence, and other standards relating to the preparation of audit reports for issuers;" conduct inspections of accounting firms;

8 We have extracted key provisions from the AICPA's website to create this document. Title of the page is Summary of the Provisions of the Sarbanes-Oxley Act of 2002, AICPA (2008), http://thecaq.aicpa.org/Resources/Sarbanes+Oxley/Summary+of+the+Provisions+of+the+Sarban es-Oxley+Act+of+2002.htm, downloaded 1/28/2008.

3 Conduct investigations and disciplinary proceedings, and impose appropriate sanctions;

4 Perform such other duties or functions as necessary or appropriate;

5 Enforce compliance with the Act, the rules of the Board, professional standards, and the securities laws relating to the preparation and issuance of audit reports and the obligations and liabilities of accountants with respect thereto; and

6 Set the budget and manage the operations of the Board and the staff of the Board.

Auditing standards. The Board would be required to "cooperate on an on-going basis" with designated professional groups of accountants and any advisory groups convened in connection with standard-setting, and although the Board can "to the extent that it determines appropriate" adopt standards proposed by those groups, the Board will have authority to amend, modify, repeal, and reject any standards suggested by the groups. The Board must report on its standard- setting activity to the Commission on an annual basis.

The Board must require registered public accounting firms to "prepare, and maintain for a period of not less than 7 years, audit work papers, and other information related to any audit report, in sufficient detail to support the conclusions reached in such report."

The Board must require a second partner review (concurring review) and approval of audit reports registered accounting firms must adopt quality control standards.

The Board must adopt an audit standard to implement the internal control review required by section 404(b). This standard must require the auditor to evaluate whether the internal control structure and procedures include records that accurately and fairly reflect the transactions of the issuer, provide reasonable assurance that the transactions are recorded in a manner that will permit the preparation of financial statements in accordance with GAAP, and a description of any material weaknesses in the internal controls.

Section 104: Inspections of Registered Public Accounting Firms.

The PCAOB must conduct annual quality reviews (inspections) for firms that audit more than 100 issues; the PCAOB reviews all others every 3 years. The SEC and/or the Board may order a special inspection of any firm at any time.

Section 105: Investigations and Disciplinary Proceedings.

All documents and information prepared or received by the Board shall be "confidential and privileged as an evidentiary matter (and shall not be subject to civil discovery or other legal process) in any proceeding in any Federal or State court or administrative agency, . . . unless and until presented in connection with a public proceeding or [otherwise] released" in connection with a disciplinary action. However, all such documents and information can be made available to the SEC, the U.S. Attorney General, and other federal and appropriate state agencies.

Disciplinary hearings will be closed unless the Board orders that they be public, for good cause, and with the consent of the parties.

Sanctions can be imposed by the Board to a firm if it fails to reasonably supervise any associated person with regard to auditing or quality control standards, or otherwise.

No sanctions report will be made available to the public unless and until stays pending appeal have been lifted.

Section 106: Foreign Public Accounting Firms.

The bill would subject foreign accounting firms who audit a U.S. company to registrations with the Board. This would include foreign firms that perform some audit work, such as in a foreign subsidiary of a U.S. company that is relied on by the primary auditor.

Section 107: Commission Oversight of the Board.

The SEC shall have "oversight and enforcement authority over the Board." The SEC can, by rule or order, give the Board additional responsibilities. The SEC may require the Board to keep certain records, and it has the power to inspect the Board itself, in the same manner as it can with regard to SROs such as the NASD.

The Board must notify the SEC of pending investigations involving potential violations of the securities laws, and coordinate its investigation with the SEC Division of Enforcement as necessary to protect an ongoing SEC investigation.

The Board must notify the SEC when it imposes "any final sanction" on any accounting firm or associated person. The Board's findings and sanctions are subject to review by the SEC.

The SEC may enhance, modify, cancel, reduce, or require remission of such sanction.

Section 109: Funding.

In order to audit a public company, a public accounting firm must register with the Board. The Board shall collect "a registration fee" and "an annual fee" from each registered public accounting firm, in amounts that are "sufficient" to recover the costs of processing and reviewing applications and annual reports.

The Board shall also establish by rule a reasonable "annual accounting support fee" as may be necessary or appropriate to maintain the Board. This fee will be assessed on issuers only.

Section 201: Services Outside the Scope of Practice of Auditors.

It shall be "unlawful" for a registered public accounting firm to provide any non-audit service to an issuer contemporaneously with the audit, including: (1) bookkeeping or other services related to the accounting records or financial statements of the audit client; (2) financial information systems design and implementation; (3) appraisal or valuation services, fairness opinions, or contribution-in-kind reports; (4) actuarial services; (5) internal audit outsourcing services; (6) management functions or human resources; (7) broker or dealer, investment adviser, or investment banking services; (8) legal services and expert services unrelated to the audit; (9) any other service that the Board determines, by regulation, is impermissible. The Board may, on a

case-by-case basis, exempt from these prohibitions any person, issuer, public accounting firm, or transaction, subject to review by the Commission.

Section 202: Preapproval Requirements.

An accounting firm may provide other lawful non-audit services pre-approved by the audit committee in the following manner. The bill allows an accounting firm to "engage in any non- audit service, including tax services," that is not listed above, only if the activity is pre-approved by the audit committee of the issuer. The audit committee will disclose to investors in periodic reports its decision to pre-approve non-audit services. Statutory insurance company regulatory audits are treated as an audit service, and thus do not require pre-approval.

The pre-approval requirement is waived with respect to the provision of non-audit services for an issuer if the aggregate amount of all such non-audit services provided to the issuer constitutes less than 5% of the total amount of revenues paid by the issuer to its auditor (calculated on the basis of revenues paid by the issuer during the fiscal year when the non-audit services are performed), such services were not recognized by the issuer at the time of the engagement to be non-audit services; and such services are promptly brought to the attention of the audit committee and approved prior to completion of the audit.

The authority to pre-approve services can be delegated to 1 or more members of the audit committee, but any decision by the delegate must be presented to the full audit committee.

Section 203: Audit Partner Rotation.

The lead audit or coordinating partner and the reviewing partner must rotate off the audit every 5 years.

Section 204: Auditor Reports to Audit Committees.

The accounting firm must report to the audit committee all "critical accounting policies and practices to be used; all alternative treatments of financial information within [GAAP] that have been discussed with management, ramifications of the use of such alternative disclosures and treatments, and the treatment preferred" by the firm.

Section 206: Conflicts of Interest.

The CEO, Controller, CFO, Chief Accounting Officer or person in an equivalent position cannot have been employed by the company's audit firm during the 1year period preceding the audit.

Section 207: Study of Mandatory Rotation of Registered Public Accountants.

The GAO will do a study on the potential effects of requiring the mandatory rotation of audit firms.

Section 209: Consideration by Appropriate State Regulatory Authorities.

State regulators are directed to make an independent determination as to whether the Boards standards shall be applied to small and mid-size nonregistered accounting firms.

Section 301: Public Company Audit Committees.

Each member of the audit committee shall be a member of the board of directors of the issuer, and shall otherwise be independent.

"Independent" is defined as not receiving, other than for service on the board, any consulting, advisory, or other compensatory fee from the issuer, and as not being an affiliated person of the issuer, or any subsidiary thereof.

The SEC may make exemptions for certain individuals on a case-by-case basis.

The audit committee of an issuer shall be directly responsible for the appointment, compensation, and oversight of the work of any registered public accounting firm employed by that issuer.

The audit committee shall establish procedures for the "receipt, retention, and treatment of complaints" received by the issuer regarding accounting, internal controls, and auditing.

Each audit committee shall have the authority to engage independent counsel or other advisors, as it determines necessary to carry out its duties.

Each issuer shall provide appropriate funding to the audit committee.

Section 302: Corporate Responsibility for Financial Reports.

The CEO and CFO of each issuer shall prepare a statement to accompany the audit report to certify the "appropriateness of the financial statements and disclosures contained in the periodic report, and that those financial statements and disclosures fairly present, in all material respects, the operations and financial condition of the issuer." A violation of this section must be knowing and intentional to give rise to liability.

Section 401: Disclosures in Periodic Reports.

Each financial report that is required to be prepared in accordance with GAAP shall "reflect all material correcting adjustments . . . that have been identified by a registered accounting firm..."

"Each annual and quarterly financial report . . . shall disclose all material off-balance sheet transactions" and "other relationships" with "unconsolidated entities" that may have a material current or future effect on the financial condition of the issuer.

The SEC shall issue rules providing that pro forma financial information must be presented so as not to "contain an untrue statement" or omit to state a material fact necessary in order to make the pro forma financial information not misleading.

SEC shall study off-balance sheet disclosures to determine a) extent of off-balance sheet transactions (including assets, liabilities, leases, losses and the use of special purpose entities); and b) whether generally accepted accounting rules result in financial statements of issuers

reflecting the economics of such off-balance sheet transactions to investors in a transparent fashion and make a report containing recommendations to the Congress.

Section 402: Enhanced Conflict of Interest Provisions.

Generally, it will be unlawful for an issuer to extend credit to any director or executive officer. Consumer credit companies may make home improvement and consumer credit loans and issue credit cards to its directors and executive officers if done in the ordinary course of business on the same terms and conditions made to the general public.

Section 403: Disclosures of Transactions Involving Management and Principal Stockholders.

Directors, officers, and 10% owners must report designated transactions by the end of the second business day following the day on which the transaction was executed.

Section 404: Management Assessment of Internal Controls.

Requires each annual report of an issuer to contain an "internal control report,” which shall:

1 State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

2 Contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

Each issuer's auditor shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this section shall be in accordance with standards for attestation engagements issued or adopted by the Board. An attestation engagement shall not be the subject of a separate engagement.

The language in the report of the Committee which accompanies the bill to explain the legislative intent states, "--- the Committee does not intend that the auditor's evaluation be the subject of a separate engagement or the basis for increased charges or fees."

Directs the SEC to require each issuer to disclose whether it has adopted a code of ethics for its senior financial officers and the contents of that code.

Directs the SEC to revise its regulations concerning prompt disclosure on Form 8K to require immediate disclosure "of any change in, or waiver of," an issuer's code of ethics.

Section 406: Code of Ethics for Senior Financial Officers.

The SEC shall issue rules that require each issuer to disclose whether or not, and if not, the reasons therefore, such issuer has adopted a code of ethics for senior financial officers.

Section 407: Disclosure of Audit Committee Financial Expert.

The SEC shall issue rules to require issuers to disclose whether at least one member of its audit committee is a "financial expert."

Section 409: Real Time Issuer Disclosures.

Issuers must disclose information on material changes in the financial condition or operations of the issuer on a rapid and current basis.

Audit Reports and Professional Ethics

Summary

This chapter describes to the types of audit reports auditors issue on financial statements and the decision rules that auditing standards require auditors to use when selecting the type of report to issue. This chapter also presents a discussion of the importance of integrity in public accounting and to discuss the AICPA's Code of Professional Conduct, which is the major statement of ethical principles that guides auditors. After completing this chapter, students should be able to:  Describe the components of an auditor's report on an auditee's financial statements.

 Describe the components of an auditor's report on an auditee's internal controls.

 Given a case scenario, determine what type of audit report an auditor should issue on the auditee's financial statements.

 Given a case scenario, determine what type of audit report an auditor should issue on the auditee management's assessment of controls as well as on the controls themselves.

 Describe the primary reasons why the AICPA, SEC, and PCAOB have created written codes of conduct for auditors.

 Describe the rules and principles included in the AICPA's Code of Professional Conduct and discuss the rationale behind those rules and principles.

 Briefly describe other efforts by the AICPA and PCAOB to help insure the quality if audits.

Materiality

Before we discuss the audit report and modifications to it, we will present the concept of materiality. The concept of materiality is based on the size of a financial statement misstatement that might alter the user's judgment of the firm. The US Supreme Court has used a definition of materiality the dictates what materiality means in audits of publicly traded firms. They have held that a fact is material if there is "a substantial likelihood that the …fact would have been viewed by the reasonable investor as having significantly altered the 'total mix' of information made available." As the Supreme Court has noted, determinations of materiality require "delicate assessments of the inferences a 'reasonable shareholder' would draw from a given set of facts and the significance of those inferences to him...."9

9 TSC Industries v. Northway, Inc., 426 U.S. 438, 449 (1976). See also Basic, Inc. v. Levinson, 485 U.S. 224 (1988).

This definition highlights how difficult materiality determinate is for auditors. It is very general and provides not specific guidance on how large a misstatement has to been in a given set of financial statements to be material. However, as you will see below, auditors must make judgments about materiality when determining whether to modify an audit report and opinion. To make matters worse, auditors need to distinguish between material misstatements and pervasively material misstatements. Pervasively material misstatements affect to impression the entire set of financial statements make. However, merely material misstatements may only affect the impression certain portions of the financial statements make on the user. For example, if an auditee's inventory is a very large part of their total assets and is materially misstated, that misstatement would also affect cost of goods sold and net income. This would probably make it pervasive. However, if the material misstatement were in the cash account, it wouldn't affect the income statement and if cash were a relatively small part of total assets, the auditor probably wouldn't consider it pervasively material. The misstatement in cash might still be large enough to justify the auditor modifying the opinion and report, but it might not affect the user's overall impression of the firm. These are difficult judgments for auditors, but auditing standards require that they make them.

Overview of Audit Reports

The ultimate result of an external audit of a firm's financial statements is the auditor's report. You can find the details of the PCAOB's reporting standards at https://pcaobus.org/Standards/Auditing/pages/au508.aspx. This chapter discusses the types of audit reports auditors issue for publicly traded firms. The reports for privately held firms are very similar. Before Sarbanes-Oxley auditors issued one report on the auditee's financial statements that stated:  what financial statements the auditor was auditing;

 that they were the responsibility of management;

 that the auditor had followed GAAS; and

 the auditor's opinion on whether the financial statements were fairly stated.

The above list is an over-simplified description of the four main points in the standard audit report, so we’ll discuss the details of each point below. For publicly traded firms, Sarbanes-Oxley added a requirement that audits issue and report and opinion on the effectiveness of the auditee's internal controls. The PCAOB allows auditors of public companies to either provide two reports, one for the financial statements and one for the internal controls, or combine them into one report. This chapter covers the two, separate reports. The contents of the report on internal controls are similar to the financial statement report and it contains the following basic information:

 the date to which the auditor's report applies;

 that they were the responsibility of management;

 the framework used to assess controls;

 that the auditor had followed PCAOB rules;

 some definitions and limitations of controls; and

 the auditor's opinion on whether management's assessment of the controls was fairly stated as well as the auditor's opinion as to whether those controls were effective as of the date of the report.

The wording of both these reports10 is standard and highly scripted. Auditors rarely change any wording from the standard format except to indicate the dates of the financial statements being audited. Thus, the main goal for students is not to memorize the specific wording of the reports, but to be able to describe the major points the reports cover and to determine when auditors should alter the wording of the reports because of findings from the audit or to emphasize important matters.

Standard Unqualified Report

The following is a template for an audit report of a public company where the audited financial statements present more than one year's results. This is the most common case since the SEC requires public companies to include two years of balance sheets and three years of income and cash flow statements in SEC annual filings.

10 Although these are not official terms, We will refer to the auditor's report on the auditee's financial statements as the financial statement report and the auditor's report on the auditee's controls as the control report.

Independent Auditor's Report

We have audited the accompanying balance sheets of X Company as of December 31, 20X2 and 20X1, and the related statements of income, retained earnings, and cash flows for the years then ended. These financial statements are the responsibility of the Company's management. Our responsibility is to express an opinion on these financial statements based on our audits.

We conducted our audits in accordance with auditing standards generally accepted in the United States of America. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation. We believe that our audits provide a reasonable basis for our opinion.

In our opinion, the financial statements referred to above present fairly, in all material respects, the financial position of X Company as of [at] December 31, 20X2 and 20X1, and the results of its operations and its cash flows for the years then ended in conformity with accounting principles generally accepted in the United States of America.

We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States), the effectiveness of X Company's internal control over financial reporting as of December 31, 20X3, based on [identify control criteria] and our report dated [date of report, which should be the same as the date of the report on the financial statements] expressed [include nature of opinions].

[Signature]

[Date]11 Each of the elements or paragraphs of the report that are highlighted above contain:

11 PCAOB, https://pcaobus.org/Standards/Auditing/pages/au508.aspx, downloaded 7-9-16

Title

Introduction

Scope

Reference to report on internal controls.

Signature

Date

 Title - The title emphasizes that an independent, qualified auditor prepared the audit.

 Introduction - This paragraph contains the dates and names of the financial statements being audited and a statement of the responsibility of management to produce them and the responsibility of the auditor to audit them. Note that all four financial statements are included and that the dates of the balance sheets are as of the fiscal year end date. The dates for the flow statements (i.e., Statements of Income, Retained Earnings, and Cash flows) are for the periods ending as of the fiscal year end date.

 Scope - The scope paragraph states that the auditor conducted the audit according to standards generally accepted in the US. Recall that these include GAAS, the former SAS's, as well as the new PCAOB rules. This paragraph also includes a brief statement of what an audit entails and a statement that the auditor believes their work constitutes a reasonable basis for their opinion on the financial statements. Finally, this paragraph contains a reminder to the reader that an audit can only provide reasonable assurance that the financial statements do not contain a material misstatement.

 Opinion - The opinion paragraph is the "meat" of the report and contains a statement that the financial statements, in the auditor's opinion, are fairly presented in all material aspects. It also contains a restatement of the financial statements being audit. The wording in this template indicates that the auditor believes the financial statements are fairly presented in all material aspects. Auditors call this a clean opinion.

 Reference to Report on Internal Controls - This paragraph states that the auditor also has audited the auditee's internal controls in accordance with the standard set by the PCAOB and states what the opinion the auditor issued on the auditee's controls was. The placeholder for [Control Criteria] will refer to whatever criteria the auditor used to assess controls. Recall that the definition of auditing refers to comparing information to criteria. For a financial state audit, the most common criteria in the US are US GAAP. For internal controls, the most common criteria are those set out by the Committee of Sponsoring Organizations (COSO). These criteria will be discussed in more detail in the chapter on internal controls.

 Signature and Date - Finally, the audit firm signs and dates the report. Note that the partner in charge does not personally sign the report. The firm signs it. The main reason is to recognize that audit quality is a firm responsibility, not just an individual audit partner responsibility.

The PCAOB recently adopted a rule that requires that the audit firm disclose the name of the partner in charge of the engagement (engagement partner) as well as the names of any other audit firms that also participate in the audit. For example, in audits of firms with subsidiaries, the lead firm on the audit may rely on the work of firms that audited one or more subsidiaries of the auditee. This rule requires that the name(s) of any audit firm that lead audit firm relied on be disclosed. These disclosures are not part of the audit report, but are made in a separate filing with the SEC.

Modifications to Provide Additional Explanations

The following diagram contains an overview of the auditor's options for developing audit reports on financial statements. The rules and issues are covered behind the diagram below.

12 Figure 12-1 - Financial Statement Report Modification Rules

By far the most common type of report that auditors issue on an auditee's financial statements is a standard, unmodified opinion and unmodified report. Well over 90% of all audit reports fit this model. However, auditors also issue reports that contain modified opinions or modified wording. These modifications fall into two classes: unmodified opinions with modified wording or explanatory paragraph and modified opinion reports that also, but now always, contain

12 Taken from W. F. Messier, Jr., S. M. Glover, and D. F. Prawitt (2008), Auditing & Assurance Services: A Systematic Approach, McGraw-Hill Irwin.

modifications to the wording of other paragraphs in the report and the addition of explanatory paragraphs. This section walks you through the sections of a standard, unqualified, unmodified report on a set of financial statements. In subsequent sections, we will discuss the conditions that cause an auditor to modify their report or fail to issue any report at all as well as the conditions that cause the auditor to modify their report but not their opinion. Auditors may add additional explanations to their audit report to bring key issues to the attention of the reader. They only do so when the matter needing explanation has a material effect on the financial statements. These additional explanations do not affect the opinion that the financial statements are fairly stated. They just flag key issues. These additional explanations may be in separate paragraphs, as in the Home Depot example, or may just be included as additional sentences in other paragraphs. In addition, auditors nearly always require that the auditee include a footnote that discusses the reasons for, and in effect of, the item being explained in more detail. The explanations auditors provide in the audit report tend to be very brief (a couple of sentences) and usually refer the reader to the explanatory footnote for a more detailed explanation.

Conditions that Lead to Modified Wording but not Modified Opinions

Inconsistencies in Accounting Principles Between Years

Auditor reports nearly always cover financial statements for more than one year. The SEC requires all publicly traded companies to file two balance sheets and three income statements, cash flow statements, and statements of retained earnings in their 10-K filings. This means that there may have been changes in the auditee's use of GAAP between the different years thus affecting comparability between those years. These changes can be legitimate and do not mean that the differences have led to a material misstatement of any of the audit years. However, the auditor must include an explanatory paragraph after the opinion paragraph that contains a brief discussion of the change. This paragraph also refers to an explanatory footnote that discloses the nature and effect of these changes. All this assumes that the auditor concurs with the change. If not, then the change represents a GAAP violation and, if material, would lead to a modified audit opinion. There are three basic reasons that a firm might change the application of accounting principles between the audit years that would require an explanatory paragraph. These include:  Change in accounting principal - Firms have choices under GAAP and are free to alter

those choices. If they do, they have to disclose the change and the effect on the financial statements. An example would be changing from LIFO to FIFO or changing from straight- line to declining balance depreciation.

 Change in the reporting entity - The main change that can occur in the reporting entity is because of change in the status of a subsidiary firm. If the auditee increases or decreases their holdings in a subsidiary such that the subsidiary either needs to be consolidate or is

no longer consolidated, the auditor needs to add an explanatory paragraph, referring to a footnote disclosure, of the change and its effect on the financial statements.

 Correction of an error in principle - If the auditee misapplied a GAAP principle in one of the prior year's financial statements covered by the auditor's report but corrects the error by changing to an acceptable principle; this change needs to be disclosed in an explanatory paragraph that refers to a footnote explanation.

Auditors classify all these changes and changes in comparability. Firms can also make changes that auditors classify as changes in consistency. Changes in consistency involve:

 Changes in account estimates, such as a change in a fixed assets useful life.

 Error corrections not involving and error in accounting principle, such as correction of a mathematical error in the prior year.

 Variation in the format or presentation of financial information.

 Changes due to new types of transactions or major events such as major change in product lines or purchases of subsidiaries.

The auditee needs to report changes in consistency in the footnotes. However, if the auditor believes that the footnote disclosure is adequate, then the auditor would not modify the report or opinion. If the auditee's disclosures are inadequate, then there is a GAAP violation and the auditor would need to deal with that just like any other GAAP violation.

Going Concern Issues

If the auditor believes that there is a significant chance that the auditee will not being a going concern13 for a reasonable period of time in the future, they need to require that the auditee disclose the situation in a footnote and to include an explanatory paragraph after the opinion paragraph that presents the auditor's conclusions on the matter. The following is an example of such an explanatory paragraph:

"The accompanying financial statements have been prepared assuming that the Company will continue as a going concern. As discussed in Note 6 to the financial statements, the Company has suffered recurring losses from operations and has a net capital deficiency that raises substantial doubt about its ability to continue as a going concern. Management's plans concerning these matters are also described in Note 6. The financial statements do not include any adjustments that might result from the outcome of this uncertainty."

This explanatory paragraph also refers the reader to the footnote that describes the going concern issues and the management's plans to address them in more detail.

13 Going concern means continuing to operate as a normal firm. Firms can be losing money and continue to operate. Therefore, going concern usually involves things like declaring bankruptcy or just ceasing operations.

While it is rare, if the auditor believes the risk of the firm failing to be a going concern is severe, they can decide to disclaim an opinion. The logic for these going concern issues is that most of the valuation rules in GAAP assume that the assets and liabilities of the auditee are part of a working business. When an auditee sells assets separately when they are dissolving is usually worth a lot less that assets used in a going business. That is, the markets value assets based on their future cash flow generating capability. If the auditor believes that the auditee will go out of business shortly, then all the asset values are suspect and they can disclaim an opinion on the firm.

Agreed Upon Departures from GAAP

Occasionally, but very rarely, the auditor may believe that strict use of GAAP in the auditee's financial statements would be misleading and agrees with the auditee to allow them to use some non-GAAP methods in their financial statements. If so, the auditor will include an explanatory paragraph disclosing the departure from GAAP and the reasons for it. In addition, they also will require that the auditee include a footnote providing a more detailed explanation. This situation is so rare that we don't have a wording example. We’ll consider an example from a school district. Their fixed assets were very old and they had lost much of the documentation for their original costs. Thus, the valued them on the balance sheet as insurable value. This is a GAAP violation because GAAP requires historical cost valuation for fixed assets. However, our auditor concurred with our use of insurable value because the insurance company was a knowledgeable expert in asset valuation and insurable value was a more accurate measure of what the assets were really worth.

Emphasis of Matters

Occasionally auditors may want to bring a significant matter to the attention of the reader of the financial statements. Some examples include a significant subsequent event or a significant related party transaction. Auditors will use an explanatory paragraph to do so. However, the SAS's also caution auditors about overuse of this type of explanatory paragraph since including explanatory paragraphs might overemphasize the importance of the event or matter.

Reliance on Other Auditors

Sometimes auditors rely on the audit opinions and audit work of other audit firms in issuing their reports. The most common example is when the auditee owns subsidiary firms where the auditee consolidates the subsidiary's results into their financial statements. These subsidiary firms may have their own auditors and the auditor for the parent firm (referred to as the principal auditor) will not re-audit the subsidiary, but will rely on the subsidiary's auditor for accuracy of the financial results of the subsidiary. Here is an example of wording that an auditor might include in the introductory paragraph when they have relied on a subsidiary firm's auditors.

We have audited the consolidated balance sheets of ABC Company and subsidiaries as of December 31, 20X2 and 20X1, and the related consolidated statements of income, retained earnings, and cash flows for the years then ended. These financial statements are the responsibility of the Company's management. Our responsibility is to express an opinion

on these financial statements based on our audits. We did not audit the financial statements of B Company, a wholly-owned subsidiary, which statements reflect total assets of $_______ and $________ as of December 31, 20X2 and 20X1, respectively, and total revenues of $_______ and $_______ for the years then ended. Those statements were audited by other auditors whose report has been furnished to us, and our opinion, insofar as it relates to the amounts included for B Company, is based solely on the report of the other auditors.

The principle auditor also needs to refer to the other auditor in the opinion paragraph.

In our opinion, based on our audits and the report of other auditors, the consolidated financial statements referred to above, present fairly, in all material respects, the financial position of ABC Company and subsidiaries as of December 31, 20X2 and 20X1, and the results of their operations and their cash flows for the years then ended in conformity with accounting principles generally accepted in the United States of America.

By including this language, the principal auditor is sharing responsibility for the audit with the subsidiary's audit firm. Auditors do not share this responsibility lightly because they could be held liable for the work of the subsidiary auditor. Thus, auditors will check out the reputation of the subsidiary's auditor before deciding to rely on their work and may even review portions of their working papers.

Departures from Unmodified Opinions on Financial Statements

The auditor qualifies his/her opinion when they believe that the financial statements contain a material misstatement under GAAP. This is rare since the auditor would first work with the auditee to try to resolve the matter and would consider modifying the opinion as a last resort.

Types of Opinions

Auditors have three choices when modifying audit opinions from the standard opinion presented above: qualified, disclaimer, or adverse. Note that the focus here is just on the opinion paragraph of the audit report. However, in most cases when the auditor modifies their opinion, they must include an explanatory paragraph before the opinion paragraph describing the reason for the modification of the audit opinion as well, thus creating a modified wording in the report.

Qualified Opinions

Auditors issue qualified opinions when the financial statements contain a material misstatement that is not pervasive to the financial statements taken as a whole. When the auditor qualifies an audit opinion, (s)he will include qualifying language in the opinion paragraph such as "except for." The opinion paragraph will read like the "clean" opinion, but will include a description the exception where the auditor found a material misstatement. In the example above, the exception would be for the material misstatement in the cash account. Whenever the auditor qualifies an opinion, they must include an explanatory paragraph before the opinion paragraph describing the material misstatement. Thus, auditors can refer to that

paragraph in their opinion paragraph to describe the material misstatement and not repeat the details in the opinion paragraph. Auditors also may qualify the opinion for scope limitations. Scope limitations are when the auditor has not been able to gather sufficient information to support an opinion so they don't know if there are material misstatements or not. The following is an example of a qualification based on a scope limitation. As discussed below, scope limitations arise when the auditor can't gather all the evidence (s)he believes is necessary to form an opinion on the financial statements. Either the auditee or circumstances outside the control of the auditor or the auditee can cause scope limitations. The auditor must judge whether the scope limitation is severe enough such that they might have missed a material misstatement or are so severe that they could have caused the auditor to miss a pervasively material misstatement. The distinction between material and pervasively material is the same for scope limitations as it is form misstatements. However, instead of actually finding a misstatement, the auditor is saying they couldn't determine if such a misstatement existed or not because they couldn't gather sufficient evidence. If the missing evidence relates to an area where the misstatement would only be material, they the auditor issues a qualified opinion. Here is an example of an audit report with a material, but not pervasively material, scope limitation. Note the auditor must include an explanatory paragraph between the scope paragraph and the opinion paragraph.

"[Standard wording for the introductory paragraph] Except as discussed in the following paragraph, we conducted our audits in accordance with auditing standards generally accepted in the United States of America. Those standards require that ... [same wording as for the remainder of the standard scope paragraph]. We were unable to obtain audited financial statements supporting the Company's investment in a foreign affiliate stated at $12,500,000 and $11,700,000 at December 31, 2006 and 2005, respectively, or its equity in earnings of that affiliate of $1,200,000 and $1,050,000, which is included in net income for the years then ended as described in Note 10 to the financial statements; nor were we able to satisfy ourselves as to the carrying value of the investment in the foreign affiliate or the equity in its earnings by other auditing procedures. In our opinion, except for the effects of such adjustments, if any, as might have been determined to be necessary had we been able to examine evidence regarding the foreign affiliate and earnings, the financial statements referred to ... [same wording as for the remainder of the standard opinion paragraph]."

When issuing a qualified opinion, the auditor must provide an explanatory paragraph that discusses the reason for the qualification and refer to the footnote that covers the issue in more detail. Then state the specific nature and extent of the qualification in their opinion paragraph.

The scope paragraph in the above example also contains a reference to the exception because this example illustrates a qualification due to a scope limitation. If the qualification was due to a departure from GAAP, the auditor would not have to modify the scope paragraph. If the item(s) that are not fairly stated were not just material, but pervasively material, the auditor would have to either disclaim an opinion or issue an adverse opinion. We’ll discuss these types of reports below. The main point here is that, for the auditor to issue a qualified opinion as opposed to the more severe disclaimer or adverse opinion, the auditor would have to be able to isolate the effect of the departure from GAAP or scope limitation to a section of the financial statements. In addition, the magnitude of the effect of the GAAP departure or scope limitation was not large enough to make the financial statements deceiving. If the problem is so pervasive that it affects large sections of the financial statements, then the auditor must "go to the next level" and either disclaim an opinion or issue an adverse opinion. Auditors have tools to mitigate scope limitations. Just because they couldn't perform a standard procedure doesn't automatically lead to a scope limitation. If they can find an alternative procedure or combination of procedures that will provide them sufficient competent evidence, then that eliminates the scope limitation. However, the alternative procedure must provide the same level of assurance for the same issues as the missing procedure.

Adverse Opinion

Now we’ll go back to material misstatements. Auditors issue adverse opinions when the financial statements, due to GAAP departures, do not fairly presents the results of the firm's operations, cash flows, and/or financial position. That is, the material misstatement is pervasive. The following in an example of an adverse opinion:

"[Standard wording for the introductory and scope paragraphs] As discussed in Note 6 to the financial statements, the Company carries its property, plant, and equipment accounts at appraisal values and determines depreciation based on such values. Generally accepted accounting principles require that property, plant, and equipment be stated at an amount not in excess of cost, reduced by depreciation based on such amount. Because of the departures from generally accepted accounting principles identified above, as of December 31, 2006 and 2005, respectively, inventories have been increased $1,500,000 and $1,340,000 by inclusion in manufacturing overhead of depreciation in excess of that based on cost, property, plant, and equipment, less accumulated depreciation, is carried at $13,475,000 and $12,950,000 in excess of an amount based on the cost to the Company. For the years ended December 31, 2006 and 2005, cost of goods sold has been increased $4,200,000 and $3,600,000, respectively, because of the effects of the depreciation accounting referred to above, resulting in a decrease in net income of $2,520,000 and $2,160,000, respectively. In our opinion, because of the effects of the matters discussed in the preceding paragraph, the financial statements referred to above do not present fairly, in conformity with accounting principles generally accepted in the United States of America, the financial

position of Morton Company as of December 31, 2006 and 2005, or the results of its operation or its cash flows for the years then ended."

Again, the auditor explains the reason for the departure from a clean opinion in a paragraph preceding the opinion paragraph and then states that the financial statements do not fairly present the firm's results. Adverse opinions are the most severe departure from a clean opinion because they, in essence, state that the financial statements are wrong. A disclaimer (discussed next), the next more severe departure from a clean opinion, states that, in essence, the auditor doesn't know if the financial statements are wrong or not.

Disclaimer

If the scope limitation on the audit raises above material to pervasively material, then the auditor must disclaim an opinion on the financial statements. Essentially, the auditor is saying that the limitation to their work was so extensive that they cannot express an opinion on the financial statements at all. This situation occurs when the auditor cannot limit the effect of the scope limitation to an identifiable, and therefore isolated, section of the financial statements or footnotes; or the magnitude of the problem is sufficiently large to affect the overall impression that the financial statements would present to the user. The following is an example of a disclaimer:

"We were engaged to audit the accompanying balance sheet of Kosar Company as of December 31, 2003 and 2005, and the related statements of income, retained earnings, and cash flows for the years then ended. These financial statements are the responsibility of the Company's management. [Scope paragraph of standard report should be omitted] We were unable to observe the taking of physical inventories stated in the accompanying financial statements at $4,550,000 as of December 31, 2006, and at $4,275,000 as of December 31, 2005, since those dates were prior to the time we were engaged as auditors for the Company. The Company's records do not permit the application of other auditing procedures regarding the existence of inventories. Since we did not observe physical inventories and we were not able to apply other auditing procedures to satisfy ourselves as to inventory quantities, the scope of our work was not sufficient to enable us to express, and we do not express, an opinion on these financial statements."

Since disclaimers only arise from scope limitations that are pervasive, the scope paragraph is omitted altogether. As with other alterations to the clean opinion, the auditor is required to provide an explanatory paragraph that describes the nature and extent of the scope limitation. Since this is a disclaimer, the opinion paragraph states that the auditor cannot express an opinion on the financial statements.

Auditor is not Independent

This final condition is extremely rare, but auditing standards cover it anyway. Auditors who are independent of the auditee to help assure that the auditor is objective in assessing the auditee's financial statements and controls must do audits. If the auditor is not independent, then they must disclaim any opinion on the financial statements. One situation that could arise that would lead to this type of disclaimer is if the auditor completed the audit and then learned that a member of the audit team was not independent of the auditee. In such a case, the auditor would issue a very short disclaimer as illustrated below. Note that auditing standards prohibit the auditor from adding any explanations for why they were not independent or that describe any of the audit work they performed. The reason is to prevent the auditor from attempting to minimize the effect of their lack of independence. The title of the report is also eliminated since it is not a report of an independent auditor.

"We are not independent with respect to Jordan Company, Inc., and the accompanying balance sheet as of December 31, 2006, and the related statements of earnings, retained earnings, and cash flows for the year then ended were not audited by us; accordingly, we do not express an opinion on them."

Obviously, the auditee would need to engage another auditor to redo the audit in order to obtain a clean opinion in this case. Thus, we might wonder what purpose is served by having the first auditor even issuing a report in the first place. However, the auditor would insist on having their report attached to the financial statements until another auditor redid the audit to prevent the auditee from misrepresenting them. The table on the following page summarizes all these possible changes to the audit report.

The following table summarizes the points we will cover next. In all cases, the issue requiring modification of either the opinion or other sections of the audit report must be material in the auditor's judgment.

Conditions that don't change the opinion, but change other areas of the report Condition Modification

The financial statements don't apply accounting principles consistently from prior years when the report covers multiple years

Add an explanatory paragraph after the opinion paragraph if the auditor agrees with the inconsistency.

Substantial doubt about going concern Add an explanatory after the opinion paragraph The financial statements contain a justified departure from GAAP.

Add an explanatory after the opinion paragraph

Emphasis of other matters. Add an explanatory after the opinion paragraph Use of another auditor Revised wording to disclose the other auditor's role.

Conditions that require modification of the opinion as well as wording of other sections of the report. Not pervasively material to the

financial statements taken as a whole Pervasively material to the financial

statements taken as a whole Scope restrictions by client or other conditions

Qualified opinion preceded by a paragraph explaining the restriction

Disclaimer of an opinion preceded by a paragraph explaining the reason for the disclaimer. Modify the introduction and scope paragraphs.

Financial statements not prepared in accordance with GAAP

Qualified opinion preceded by a paragraph explaining the restriction

Adverse opinion preceded by a paragraph explaining the reason for the disclaimer

Auditor is not independent Special single-paragraph disclaimer regardless of materiality.

Reports on Internal Controls

This section covers the audit report that auditors issue on the auditee's internal controls. Sarbanes-Oxley added a requirement that auditors audit an auditee's internal controls as well as their financial statements for major publicly traded firms. Auditors can combine the report on controls with the report on the financial statements or present it separately. Let’s take a look at the separate report to highlight the key information it must contain.

Elements of the Internal Control Report

These choices are covered in more detail below. First, a description of the basic sections of the auditor's internal control report and then we’ll look at the conditions that lead to a departure from clean opinions on management’s internal control report and/or the auditor’s own assessment of internal controls. The following is a prototype report from the AICPA:

Independent Auditor's Report [Introductory paragraph] We have examined W Company's internal control over financial reporting as of December 31, 20XX, based on criteria established in Internal Control—Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). W Company's management is responsible for maintaining effective internal control over financial reporting, and for its assertion about the effectiveness of internal control over financial reporting, included in the accompanying [title of management's report]14. Our responsibility is to express an opinion on W Company's internal control over financial reporting based on our examination. [Scope paragraph] We conducted our examination in accordance with standards of the Public Company Accounting Oversight Board (United States). Those standards require that we plan and perform the examination to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects. Our examination included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, and testing and evaluating the design and operating effectiveness of internal control based on the assessed risk. Our examination also included performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.

14 Included is a copy of Home Depot's management assessment of internal controls in the Appendix for your reference.

[Definition paragraph] An entity's internal control over financial reporting is a process effected by those charged with governance, management, and other personnel, designed to provide reasonable assurance regarding the preparation of reliable financial statements in accordance with accounting principles generally accepted in the United States of America. An entity's internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the entity; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with accounting principles generally accepted in the United States of America, and that receipts and expenditures of the entity are being made only in accordance with authorizations of management and those charged with governance; and (3) provide reasonable assurance regarding prevention, or timely detection and correction of unauthorized acquisition, use, or disposition of the entity's assets that could have a material effect on the financial statements. [Inherent limitations paragraph] Because of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate. [Opinion paragraph] In our opinion, W Company maintained, in all material respects, effective internal control over financial reporting as of December 31, 20XX, based on the Internal Control—Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). [Audit of financial statements paragraph] We also have audited, in accordance with auditing standards generally accepted in the United States of America, the [identify financial statements] of W Company and our report dated [date of report, which should be the same as the date of the report on the examination of internal control] expressed [include nature of opinion]. [Signature] [Date]15 The following is a description of the contents of each paragraph of this report.

15 AICPA, 2015. AT Section 510 - An Examination of an Entity's Internal Control over Financial Reporting that is Integrated with an Audit of its Financial Statements. Downloaded 7- 15-16.

 Title - The title is identical to the title of the auditor's report on the financial statements.

 Introduction - This paragraph is similar to the introductory paragraph of the financial statement report. It differs by stating that the auditor is auditing management's report on the controls and not the auditee's financial statements. It also mentions the Committee of Sponsoring Organizations (COSO) framework as a basis for that audit. PCAOB rules require that auditors base audits of controls on some comprehensive framework that describes controls. The most commonly used framework is the COSO framework. Similar to the introductory paragraph for the financial statement report, this paragraph describes management's and the auditor's responsibilities for controls.

 Scope - The scope paragraph also is similar to the financial statement report paragraph. However, since this is a public company example the scope paragraph only refers to PCAOB rules. The AICPA also has standards for auditing internal controls for private companies.

 Definition - The definition paragraph presents definitions of key concepts and terms used to describe internal controls. This paragraph is included because this type of audit is new and the PCAOB believed that the readers of this report might benefit from some definitions of terms and concepts.

 Inherent limitations - This presents a short paragraph that informs the reader that controls are inherently imperfect. It also points out that conditions can change and controls that were effective for the current period might not continue to be so.

 Opinion - The opinion paragraph, again, is the "meat" of the report. It states the auditor's opinion on whether the auditee maintained effective controls as of the end of the fiscal year. Note the term "material" is included. When discussing controls, the issue is whether the controls are sufficiently strong such that there isn't a reasonable possibility that they will allow a material misstatement in the financial statements. We’ll look at what this means in more detail below.

 Audits of Financial Statements - This paragraph refers the reader to the auditor's report on the financial statements and states their opinion on those statements. The two audit reports must have the same date since these reports both come from an integrated audit of the financial statements and internal controls.

 Signature and Date - These are the same as the report on the financial statements.

Modifications to the Standard Report on the Auditee's Controls

The auditor should modify his/her report on internal controls if (s)he determines that the auditee's system of internal controls contains a material weakness. The auditor should also modify his or her report if any of the following conditions exist.

a. Elements of management's annual report on internal control are incomplete or improperly presented,

b. There is a restriction on the scope of the engagement,

c. The auditor decides to refer to the report of other auditors as the basis, in part, for the auditor's own report,

d. There is other information contained in management's annual report on internal control over financial reporting, or

e. Management's annual certification pursuant to Section 302 of the Sarbanes-Oxley Act is misstated.16

Modifications due to Control Deficiencies

Auditors determine whether to depart from a clean opinion in their control report due to control deficiencies based on either the severity of any control deficiencies effect on the financial statements or the severity of any scope limitations. The severity of the effect of any deficiency depends on the magnitude of the deficiency and the likelihood that the deficiency will have a material effect on the financial statements. These two concepts are related in that the larger the magnitude of the control deficiency, the greater the likelihood that the deficiency will lead to a material misstatement in the financial statements. However, they do address two different dimensions of a control's potential effect on the financial statements. Magnitude issues address the effects of the control deficiency on the firm's ability to process information while likelihood addresses the chance that those limitations on the firm's abilities will affect the financial statements. PCAOB standards define three levels of control deficiencies: deficiency (usually called control deficiency), significant deficiency, and material weakness. Here are simplifications of the PCAOB's definitions of each:  Control deficiency - A control deficiency is a weakness in a control(s), either in its design

or in its operation, that does not allow the firm to eliminate17 material misstatements from the financial statements in a timely manner. Note that this definition does not address the likelihood that the deficiency would create a material misstatement in the financial statements. Thus, the concept of a control deficiency is general and includes both significant and material deficiencies. That is, control deficiencies come in three degrees of severity: inconsequential, significant, and material.

 Inconsequential deficiency - An inconsequential control deficiency is one that would only create an inconsequential misstatement in the financial statements. That is, there is only a

16 PCAOB. Auditing Standard No 5 - An audit of Internal Control Over Financial Reporting that is Integrated with an Audit of Financial statements - Appendix C. https://pcaobus.org/Standards/Auditing/Pages/Auditing_Standard_5_Appendix_C.aspx. Downloaded 7-15-16. 17 We continue to use the term "eliminate" to mean both prevent and detect and correct material misstatements.

remote likelihood that the control deficiency would create a material misstatement in the financial statements.

 Significant deficiency - A significant deficiency is a control deficiency that is severe enough to create more than a remote likelihood that a consequential misstatement will occur in the financial statements.

 Material weakness - A material weakness is a control deficiency that is severe enough to create a reasonable possibility that a material misstatement will occur in the financial statements. Material weaknesses can be a single deficiency or a combination of deficiencies that lead to the reasonable possibility of a material misstatement.

These definitions include qualifiers for likelihood (remote and more than remote) and magnitude (inconsequential, consequential, and material). "Remote" is defined as only a slight chance that the event will occur, where the event here is the misstatement in the financial statements. Obviously, reasonable possibility is any likelihood greater than remote. Inconsequential misstatements are ones that are clearly immaterial even after considering the possibility of additional undetected misstatements. Consequential misstatements are all misstatements that are more severe than inconsequential and, therefore, may be material. Material misstatements here are defined the same as covered above. As you can see, there is some ambiguity in these definitions, particularly between consequential misstatements and material misstatements. The problem is that the auditor needs to consider the effect of a control deficiency on the financial statements and is not just considering a direct misstatement that (s)he has detected in the financial statements. Inconsequential misstatements are clearly immaterial and material misstatements are clearly material. Consequential misstatements fall in the middle such that they may be material, but the auditor isn't sure. The following figure summarizes the above issues and how they relate to determine whether a control deficiency is a material weakness, significant deficiency, or just an inconsequential deficiency. Keep in mind that both magnitude and likelihood refer to the potential misstatement the control deficiency might cause in the financial statements.

18 Figure 12-3 - Levels of Control Deficiencies

Once the auditor has determined the level of the control deficiency, (s)he needs to determine how to alter their report because of those control deficiencies. Auditors only have one option if a material weakness exists - issue an adverse opinion. There is no qualified opinion and auditors only issue adverse opinions if a material deficiency exists. If they issue an adverse opinion, they much include an explanatory paragraph before the opinion paragraph describing the material weakness that led to the adverse opinion. The following is an example19 of how the auditor would modify their control report if they found a material weakness in the auditee's controls.

18 Taken from W. F. Messier, Jr., S. M. Glover, and D. F. Prawitt (2008), Auditing & Assurance Services: A Systematic Approach, McGraw-Hill Irwin. 19 Taken from W. F. Messier, Jr., S. M. Glover, and D. F. Prawitt (2008), Auditing & Assurance Services: A Systematic Approach, McGraw-Hill Irwin.

"Report of Independent Registered Public Accounting Firm [Standard Wording for the Introductory, Scope, Definition, and Inherent Limitations Paragraphs] [Explanatory Paragraph] A material weakness is a control deficiency, or combination of control deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected. The following material weakness has been identified and included in management's assessment. Treadron had an inadequate system for recording cash receipts, which could have prevented the Company from recording cash receipts on accounts receivable completely and properly. Therefore, cash received could have been diverted for unauthorized use, lost, or otherwise not properly recorded to accounts receivable. This material weakness was considered in determining the nature, timing, and extent of audit tests applied in our audit of the 2006 financial statements, and this report does not affect our report dated February 15, 2007, on those financial statements. [Opinion Paragraph] In our opinion, because of the effect of the material weakness described above on the achievement of the objectives of the control criteria, Treadron Company has not maintained effective internal control over financial reporting as of December 31, 2006, based on criteria established in Internal Control-Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). No change to the [Audit of financial statements paragraph]

Mortensen & Mortensen Houston, Texas February 15, 2007"

Modifications due to Incomplete or Improper Management Report

If the auditor determines that management's report on internal controls is incomplete or inaccurate, they need to include an explanatory paragraph after the opinion paragraph describing the reasons for their determination. If the auditor decides that the deficiencies in management's report do not present the required disclosures about a material weakness, then they should issue an adverse opinion, which we’ll discuss further below. Thus, if the deficiencies fall short of failure to disclose a material weakness, the auditor's opinion isn't altered and only an explanatory paragraph is included.

Modifications due to Scope Limits

Auditors have two choices if a scope they encounter a material scope limitation: disclaim an opinion or withdrawal from the engagement. "When disclaiming an opinion because of a scope limitation, the auditor should state [in the scope paragraph] that the scope of the audit was not

sufficient to warrant the expression of an opinion and, in a separate paragraph or paragraphs, the substantive reasons for the disclaimer. The auditor should not identify the procedures that were performed nor include the statements describing the characteristics of an audit of internal control over financial reporting."20 The explanatory paragraph or paragraphs need(s) to precede the opinion paragraph. The auditor also needs to modify the introductory paragraph to state that "we were engaged to audit..." the relevant financial statements and eliminate the scope paragraph. Here is a summary of these revisions:  Introductory paragraph - Change wording to "We were engaged to examine..."

 Scope paragraph - Change to state that the scope of the audit was not sufficient to provide an opinion on the auditee's internal controls.

 Explanatory paragraph(s) - Add a paragraphs(s) before the opinion paragraph to describe the scope limitation that prevented you from providing an opinion.

 Opinion paragraph - Reword the opinion to state that you are not providing an opinion on the auditee's internal controls due to the reasons stated in the explanatory paragraph.

Other Modifications to Control Reports

An auditor would modify their report on an auditee's controls or the auditee's management assessment of those controls under a few conditions. These include:  If they rely on another auditor as part of their audit - They modify their report in the

same way as they would for a report on the auditee's financial statements.

 Management's report contains additional information - Management may include information beyond that required to present their assessment of their controls. In this case, the auditors must modify their opinion to disclaim any information that management may include beyond what is required to present assessment of their controls. In this case, the auditors must modify their opinion to disclaim any opinion on that additional information. For example, if the management provides cost and benefit information about improvements they have made to their controls (i.e., does a little bragging), this information is not relevant to their assertion that the controls work. Thus, the auditor would disclaim any opinion on that information. Some example wording in his/her opinion paragraph for this case might be:

"We do not express an opinion or any other form of assurance on management's statement referring to the costs and related benefits of implementing new controls."

The following table summarizes the situations that require modification to the auditor's report on internal controls. 20 PCAOB. Auditing Standard No. 5 - An Audit of Internal Controls Over Financial Reporting that is Integrated with an Audit of Financial Statements - Appendix C. https://pcaobus.org/Standards/Auditing/Pages/Auditing_Standard_5_Appendix_C.aspx. Downloaded 7-15-16.

Conditions that don't change the opinion, but change other areas of the report

Condition Modification Management's report is incomplete or inaccurate, but disclosures about a material weakness are adequate, if needed

Include an explanatory paragraph after the opinion.

Use of another auditor Revised wording to disclose the other auditor's role.

Conditions that require modification of the opinion as well as wording of other sections of the report.

Auditee's controls contain a material weakness Adverse opinion preceded by an explanatory paragraph

Management's report does not include required material weakness disclosures

Adverse opinion preceded by an explanatory paragraph

Material scope limitations Disclaim opinion, modify introduction and scope paragraphs, add explanatory paragraph before the opinion paragraph

Management's internal control report contains information not required by the SEC.

Add a sentence or two to the opinion paragraph disclaiming an opinion on the additional information.

AICPA Code of Professional Conduct

Overview of the Role of the Code in Enforcing Professional Behavior

One of the most important documents that helps define professionalism and ethical behavior for all members of the AICPA is the AICPA's Code of Professional Conduct. While the code only applies to members of the AICPA and the only enforcement power the AICPA has to is sanction or expel a member that violates the Code, the PCAOB requires registered auditors to follow it. In addition, courts use the Code to determine if an auditor has acted negligently in performing an audit and many states require that CPAs follow the Code to retain their license to practice. The PCAOB and the SEC have added restrictions on auditors of public companies in addition to those in the Code, particularly regarding issues that affect auditor independence. Thus, although the only power the AICPA has to enforce their Code of Conduct is to sanction or expel the CPA, state and federal agencies insist that external auditors follow the code. Note that this situation is very similar to how auditing standards are set and enforced. As with auditing standards, auditors of private companies only need to conform to AICPA rules while auditors of publicly-traded companies need to conform to both AICPA rules and PCAOB and SEC rules regarding professional conduct. As with auditing standards, the PCAOB has the ultimate authority to set standards for professional conduct for auditors of publicly traded firms and so the rules for professional conduct for auditors of private versus public companies may diverge in the future. Finally, auditors of international firms also need to conform to the international standards of professional conduct.

While this text focuses on external audits of public company's financial statements and controls, the AICPA's Code of Professional Conduct applies to all CPAs regardless of whether they audit organizations, public or private, or not. For example, for a member of the AICPA the Code would apply to actions of a professor as well.

Structure of the Code

This section provides a brief overview of the AICPA's Code of Professional Conduct (the Code). You can find the complete text of the Code at http://www.aicpa.org/research/standards/codeofconduct/Pages/default.aspx.

Statement of Principles

The Code is based on six principles of professional behavior that guide the rules that actually are enforceable. This structure is similar to GAAS, which lays out broad principles for executing an audit. However, broad principles are rarely specific enough to be enforceable and, therefore, the AICPA added specific rules to provide enforceable specifics. The six principles are:  Responsibilities - In carrying out their responsibilities as professionals, members should

exercise sensitive professional and moral judgments in all their activities.

21 Taken from W. F. Messier, Jr., S. M. Glover, and D. F. Prawitt (2008), Auditing & Assurance Services: A Systematic Approach, McGraw-Hill Irwin.

 The Public Interest - Members should accept the obligation to act in a way that will serve the public interest, honor the public trust, and demonstrate commitment to professionalism.

 Integrity - To maintain and broaden public confidence, members should perform all professional responsibilities with the highest sense of integrity.

 Objectivity and Independence - A member should maintain objectivity and be free of conflicts of interest in discharging professional responsibilities. A member in public practice should be independent in fact and appearance when providing auditing and other attestation services.

 Due Care - A member should observe the profession's technical and ethical standards, strive continually to improve competence and the quality of services, and discharge professional responsibility to the best of the member's ability.

 Scope and Nature of Services - A member in public practice should observe the Principles of the Code of Professional Conduct in determining the scope and nature of services to be provided.22

Rules

The rules that the AICPA created to flesh out the above principles are extensive, as are the interpretations and rulings. The AICPA has broken their Code into two parts - one that applies to members in public practice and one that applies to members working business and governmental agencies. The following table summarizes the rules that apply to members in public practice and apply to members who audit financial statements.

22 AICPA. 2016. Code of Professional Conduct. http://pub.aicpa.org/codeofconduct/Ethics.aspx#. Downloaded 7-15-16.

Paragraph Number and Rule Name

Brief Description23

1.100 Integrity and Objectivity

In the performance of any professional service, a member shall maintain objectivity and integrity, shall be free of conflicts of interest, and shall not knowingly misrepresent facts or subordinate his or her judgment to others.

1.200 Independence A member in public practice shall be independent in the performance of professional services as required by standards promulgated by bodies designated by Council.

1.300 General Standards

A member shall comply with the following standards and with any interpretations thereof by bodies designated by Council: a. Professional Competence. Undertake only those professional services that the member or the member’s firm can reasonably expect to be completed with professional competence. b. Due Professional Care. Exercise due professional care in the performance of professional services. c. Planning and Supervision. Adequately plan and supervise the performance of professional services. d. Sufficient Relevant Data. Obtain sufficient relevant data to afford a reasonable basis for conclusions or recommendations in relation to any professional services performed.

1.400 Acts Discreditable

A member shall not commit an act discreditable to the profession.

1.500 Fees and Other Types of Remuneration

A member in public practice shall not a. Perform for a contingent fee any professional services for, or receive such a fee from a client for whom the member or the member’s firm performs, i. an audit or review of a financial statement; or ii. a compilation of a financial statement when the member expects, or reasonably might expect, that a third party will use the financial statement and the member’s compilation report does not disclose a lack of independence; or iii. an examination of prospective financial information; or b. Prepare an original or amended tax return or claim for a tax refund for a contingent fee for any client.

1.600 Advertising and Other Forms of Solicitation

A member in public practice shall not seek to obtain clients by advertising or other forms of solicitation in a manner that is false, misleading, or deceptive. Solicitation by the use of coercion, over-reaching, or harassing conduct is prohibited.

1.700 Confidential Information

A member in public practice shall not disclose any confidential client information without the specific consent of the client or to comply with laws, court orders, and regulatory requirements.

1.800 Form of Organization and Name

A member may practice public accounting only in a form of organization permitted by law or regulation whose characteristics conform to resolutions of Council. A member shall not practice public accounting under an organization name that is misleading. Names of one or more past owners may be included in the organization name of a successor organization. A firm may not designate itself as “Members of the American Institute of Certified Public Accountants” unless all its CPA owners are members of the AICPA.

23 AICPA. 2016. Code of Professional Conduct. http://pub.aicpa.org/codeofconduct/Ethics.aspx#. Downloaded 7-15-16.

Independence Rule Differences with SEC and PCAOB

The PCAOB has established more stringent rules in some areas than the AICPA does. In these cases, auditors of public companies must follow the PCAOB and SEC rules as well as the AICPA rules. The following subsections discuss some of the major areas where PCAOB and SEC rules differ.

Non-audit services

The AICPA code allows auditors to provide a variety of non-audit services to their audit clients, to include:  bookkeeping,

 systems implementation (but not design),

 internal audit outsourcing,

 tax preparation, and

 general consulting.

The AICPA does put some limitations on these services when the provision of these services might affect the financial statements being audited. For example, under general consulting, the auditor cannot provide valuation services if those valuations involve judgment and would affect the values the auditee used on their financial statements. However, SEC rules are more stringent and based on three principles:  auditors should not audit their own work;

 auditors should not act in a management capacity for the auditee; and

 auditors should not be advocates for their auditees.

Under these principles, the SEC has specified nine types of services that auditors of public companies are not allowed to perform for auditees:  bookkeeping and other financial statement preparation,

 financial information systems design and implementation,

 appraisals and valuation services,

 actuarial services,

 internal audit outsourcing,

 management or human resource functions,

 broker or dealer, investment advisor, or investment banking,

 legal services, and

 expert services.

This above list comes with a caveat that auditors may be allowed to perform some of these services if the results of these services will not be subject to audit procedures during the audit of the client's financial statements or controls.

Appendix - Home Depot's Management Assessment of Internal Controls

Legal Liability and Audit Responsibilities and Objectives

Summary

This chapter covers the ways that clients and users can hold auditors legally accountable for the quality of their audit work and the auditor's and management's responsibilities for the quality of the audit. The main sources of legal liability for auditors are:  Civil liability to the client and users for various levels of negligence of fraud in conducting

the audit.

 Statutory requirements under US Federal Securities laws.

The auditor's primary responsibility is to perform the audit in conformance with GAAS. Some of the key tools they use to do so are:  Exercise of sound professional judgment and skepticism.

 Decomposing the audit process in to more management components by isolating transaction processes and audit objectives.

Legal Liability

Overview of the Legal Climate

This chapter will focus on auditor's legal liability arising from the audits of financial statements because very few legal cases involve audits of internal controls. Legal liability is one of the few ways clients and third parties can hold auditors accountable for the quality of their audits and the only way auditees and third parties can gain redress for audit failures. An audit failure occurs when an auditor provides a clean opinion on a set of financial statements that contain a material misstatement. Audit failures can occur because of auditor negligence, by chance because no audit can be 100% accurate, of because the client kept things from the auditor. Auditors usually are only found liable if they are negligent, but the legal process isn't 100% perfect either. The AICPA can expel auditors for violations of the Code of Conduct, which may hurt the auditor's reputation. The PCAOB can sanction auditors, to include eliminating them as registered accountants and denying them the ability to audit public companies. However, neither of these actions provides redress to parties harmed by audit failures. Auditors also face challenges as defendants in lawsuits. Some of these include:

 Deep pockets effect - Frequently audit failures occur when around the same time as the auditee gets into financial trouble and investors or creditors lose money. These stakeholders want to recover their losses but the auditee may not have many assets left to cover the stakeholder's losses. Thus, the stakeholders will sue the auditor because they have resources to pay the losses, i.e., deep pockets. Juries also can be motivated to try to gain some redress for the stakeholders that lost money.

 Increasing Accounting Complexity - Business processes and models are becoming more complex and globalized. This increases the complexity of accounting making audits harder to execute and more dependent on domain experts. Increase complexity increases audit risk and the chance of an audit failure.

 Lack of Accounting Knowledge by Juries and Judges - Even not considering the increase in accounting complexity, accounting rules and auditing standards have always been complex and technical. Many areas of GAAP require management judgment (e.g., allowance for doubtful accounts determination) and these judgments don't have clear right and wrong answers. While some judges tend to build reasonable knowledge over time, juries usually can't.

 Slowing Economic Growth - The global economy has only slowly recovered from the effects of the "Great Recession" of 2008 and 2009. Economic growth rates have not returned to pre-recession levels. Slow economic growth puts pressure on management to boost reported results through accounting manipulation. Management manipulations can be hard for auditors to detect, thus increasing the risk of audit failure.

 CPA Firms and Malpractice Insurance Carriers Settling - Regardless of whether the CPA firm is at fault, many audit firms and their insurance companies tend to settle lawsuits out of court. The legal system is imperfect and costly. There is never a guarantee that a jury won't find an auditor liable even if they did an excellent job. Thus, many auditors and their insurance carriers will settle the case for a lower amount rather than risking a trial and a higher payout if they lose. Insurance companies can absorb the losses by raising premiums. However, settling cases tends to increase the incentive of clients and third parties to sue because it lowers their risk of loss since they face the same risks in going to trial as the auditor does.

The above description implies that the legal environment is weighted against auditors. However, auditors have tools to counter these forces. Large CPA firms have the resources to lobby for legislation that would reduce their risks. The AICPA also spends millions lobbying for causes it believes support CPAs. These lobbying efforts have been fairly successful. For example, Congress passed the Private Securities Litigation Reform Act in 1995 that significantly reduced auditor liability. This act tightened rules for filing class action lawsuits against auditors under Federal Securities law. The issue of what level of liability auditors should face is highly controversial. On one hand, society has legitimate reason to protect auditors for frivolous lawsuits that divert time and resources from their core function. On the other hand, lawsuits are the only way parties harmed by audit failures can recover some of their losses. "Frivolous" tends to be in the eye of the beholder.

While the PCAOB's inspection program appears to be reducing the number of audit deficiencies in audits of public companies, deficiency rates remain relatively high. Thus, society still depends, at least in part, on litigation to help maintain high quality audits in addition to providing redress for harmed users of financial statements.

Sources of Legal Liability

There are four sources of auditor liability: 1. Liability to clients under contract law

2. Liability to third parties under common law

3. Liability to third parties under federal securities laws

4. Criminal liability

The next sections of this chapter will cover each of these in turn. However, the discussion in these sections will involve technical legal terms. The following table defines the main terms you will need to know to understand that discussion.

24 Three issues apply to all three types of civil liabilities covered next. These issues apply differently to each type of civil liability, but all three are relevant to each. These issues are things that the plaintiff25 must prove to prevail against the auditor. Consequently, they also are issues auditors can use to defend themselves. That is, auditors may be able to prevail by showing that the plaintiff didn't prove these points.  Duty to perform - Plaintiffs must show that auditor had a duty to them to perform the

audit. Duty to perform differs depending on whether the plaintiff is the client or a third party and the jurisdiction in which the plaintiff filed the lawsuit. These differences are discussed below. State law covers civil suits and each state may have different rules on the class of third parties to whom the auditor has a duty to perform.

 Negligence or fraud - Plaintiffs much show that the financial statements were materially misstated and the auditor was negligent at some level or fraudulent in executing the audit

24 Arens, A.A., Elder, R.J., Beasley, M.S., and Hogan, C.E. 2017, Auditing and Assurance Services: An Integrated Approach. pg. 119. 25 A plaintiff is the person or firm bringing the lawsuit against the auditor. It can be either the client or a third party.

and not reporting the material misstatement. The level of negligence the plaintiff must prove depends on type of plaintiff and the state in which the plaintiff filed the lawsuit. As noted in the table above, auditors aren't expected to be perfect. They are only expected to follow auditing standards at the level that a competent auditor would have done on the same audit.

 Causal connection - The plaintiff must show that they incurred a loss because of the materially misstated financial statements and the auditor's negligence or fraud.

Extent of Liability

The three issues just listed determine if the auditors will be held liable or not to the plaintiff. The court or jury also needs to determine the extent of the auditor's liability is other parties also were liable. With the exception of liability under federal securities laws, states set criterial for determining the extent of an auditor's liability if they are found liable. There are two levels - proportionate and joint and several. Proportionate liability limits the auditor's liability to that portion of the plaintiff's loss caused by the auditor's actions. Joint and several liability allows the plaintiff to recover their full amount of their loss from the auditor regardless of the auditor's proportionate contribution to the plaintiff's loss. Joint and several liability can become a serious problem for auditors if they are the only defendant in the case with any assets left to pay the plaintiff's damages. For example, a common case is where a stockholder or bank has suffered a loss due to materially misstated financial statements and has sued both the auditor and the firm that issued the financial statements. If the firm that issued the financial statements is bankrupt, the plaintiff usually tries to recover the full amount of their loss from the auditor because the auditor has the resources to pay. All but two states limit the auditor's liability to proportionate, as do the federal securities laws. However, there still are two states where the auditor can be held liable for the full amount of the plaintiff's losses regardless of their proportionate contribution to those losses.

Liability to Clients

The relationship between the client and the auditor is unique because there is a contract stating the expectations for the audit26. Auditors have clients sign engagement letters laying out specifics of the audit engagement and the responsibilities of both the auditor and management. This text will cover engagement letters in more detail later. Because of the existence of a contract (i.e., engagement letter), contract law covers the auditor's duty to perform for client.

26 Use of engagement letters was not universal until 1967 when a court found an auditor liable for failing to detect fraud even though they were not engaged to do an audit. The auditor didn't use and engagement letter and had done some audit procedures. The court held that was enough to imply an audit contract. Since that case, auditors have documented the scope of their engagements with an engagement letter.

Because of this direct duty to perform, clients only need to show auditor negligence to prevail. However, they still must show a causal connection between the auditor's negligence and their loss. Contract law also provides the auditor with one defense that usually isn't available to third parties - contributory negligence. If the auditor can show that the client's loss was caused by their own negligence or because they did not fulfill their obligations under the contract, they the client won't prevail.

Liability to Third Parties under Common Law

An auditor's duty to perform for third parties is much more complicated because there is no formal contract between the auditor and third parties. Duty to perform is control by state law and so can vary from state to state. The following table summarizes the three current levels of duty to perform covered by state laws in the US. If a third party falls into one of these categories, then they have the same rights to sue for negligence as the client.

Third Party Ability to Show Duty to Perform Definition of Third Party Example

Primary beneficiary or identified user - The Auditor knows that they third party will rely on the financial statements at the beginning of the audit.

The auditor knows that the client will use the audited financial statements as the basis for securing a loan or that the client has an existing loan agreement where the bank requires audited financial statements each year to continue the loan.

Foreseen user - A reasonably limited group of users that are known to regular rely on the financial statements but may not be specifically identified at the beginning of the audit.

Banks or trade creditors if the auditor is aware that the client has provided audited financial statements to these third parties in the past. Could also include labor unions that use audited financial statements as part of wage negotiations.

Foreseeable user - An unlimited group of potential users that the auditor should reasonably be expected to know would use the audited financial statements.

Banks and trade creditors that have not done business with the client before or that have not required financial statements from the client in the past.

All states would allow primary beneficiaries, identified users, and foreseen third party plaintiffs to prevail if they could prove negligence and a causal connection between their losses and materially misstated financial statements. A few states go further and would allow foreseeable third parties to prevail for negligence and causal connection. The logic behind this broader protection for third parties goes back to the auditor's rule in reducing information risk in capital markets. Because broad segments of society depend on reliable financial statements, some states take the position that auditors should be held liable to anyone who relies on audited financial statements to make economic decisions. All states also allow any third party to prevail against the auditor for fraud. Most states also allow any third party to prevail for gross negligence and constructive fraud.

Liability to Third Parties under Federal Securities Law

The Securities Act of 1933 and Securities Exchange Act of 1934 cover an auditor's liability to purchasers of publicly traded stock. Thus, these laws don't apply to creditors or other third party users like labor unions. Stockholders can use under common law as well, but these securities acts provide some advantages. They provide more strict liability standards on auditors and they allow for class action lawsuits. Class action lawsuits merge a group of similar plaintiffs (i.e., the class) join together, pool their resources, and sue the auditor as a group. Any litigation is expensive and a group plaintiff has more resources to invest in the process and see it through to a conclusion. A common defensive tactic when a small plaintiff is suing a larger firm is for the firm to drag the litigation out until plaintiff runs out of money and has to either settle for much less than they could get from a favorable verdict or drop the case altogether. However, the Private Securities Litigation Reform Act of 1995 placed increase restrictions on class action lawsuits against auditors.

Securities Act of 1933

The Securities Act of 1933 only applies to stock sold directly by a firm to the stockholder and not stock that the stockholder bought in the open market. This includes both initial public offerings (IPOs) as well as subsequent stock issuances by the firm. An IPO occurs when a firm first sells stock to the public. Most firms will also sell stock directly to the public over the years to increase their invested capital. The key provisions of the 1933 Act are:  Any third party who buys the stock in a public offering by a firm can sue the auditor for

material misstatements or omissions in the financial statements associated with the public offering. Public offerings require a registration statement with the SEC that includes audited financial statements. Thus, the auditor has a duty to perform to any stockholder who purchased the stock associated with the registration statement.

 The plaintiff stockholder does not have to prove negligence or causal connection to prevail. They just have to show that the financial statements were materially misstated.

 Unlike civil suits, the auditor's liability extends past the date the financial statements were issued and extends to date the registration statement becomes effective, which can be months after the financial statements were issued.

 The auditors can defend themselves by proving they were not negligent or that none of the stockholder's loss was caused by reliance on the financial statements. However, unlike civil law, the burden of proof is on the auditor to prove the issues and not the plaintiff.

Securities Exchange Act of 1934

The Securities and Exchange Act of 1934 applies any set of financial statements filed with the SEC. Firms that trade stock on public stock exchanges are required for file and annual 10-K report with the SEC that must contain audited financial statements. Thus, the 1934 act applies to any stockholder who purchased stock from the issuing firm or in the open markets. Auditors can

also face liability for the financial statements in 10-Q (quarterly) reports or 8-K (annual event reports) filed by their clients with the SEC. The provision the 1934 Act that applies to auditors is Rule 10-B, which is referred to as its anti- fraud provision. While the Act focuses on the firm issuing the financial statements, auditors are considered secondary defendants and can also be held liable for making false statements or misleading statements in their audit reports. The interpretation of the Act is ongoing, but here is a summary of the current status of the law as it relates to auditor liability:  Any stockholder who purchased the stock meets the duty to perform requirements and can

sue the auditor.

 Plaintiffs need to show a causal connection between their loss and reliance on a false statement in the auditor's report.

 In many jurisdictions27, the plaintiff needs to prove fraud (i.e., the auditor knowingly made a false statement with intent to deceive).

 In some jurisdictions, plaintiffs only need to prove gross negligence or constructive fraud to prevail. However, in no jurisdiction is simple negligence sufficient.

Criminal Liability

In addition to potential liability to clients and third parties, auditors can be charged with crimes under various state and federal laws for fraud. These laws make it a crime to defraud others by knowingly being involved with a false set of financial statements. Thus, if an auditor commits fraud, they can end up paying fines or doing jail time in addition to paying damages to plaintiffs. However, criminal fraud doesn't include gross negligence or constructive fraud. The prosecutor must prove the auditor knowingly issued a materially false audit report.

Audit Responsibilities and Objectives

This section begins a more detailed discussion about the audit process by covering the responsibilities auditors assume when they take on an audit engagement and the objectives they seek to accomplish during the audit. However, management has the primary responsibility for insuring that the financial statements are properly prepared and free of material misstatement. Thus, this section we begin by covering management's responsibilities and then move on to the auditor's responsibilities and objectives. This section will only cover the financial statement audit and not the audit of internal controls.

27 The US Federal court system is broken into 11 circuits with an appeal court at the top of the chain of lower courts. Different appeals courts have issued different rulings. These different rulings hold within their circuit unless the US Supreme Court overrides them. Thus, only the US Supreme Court can set legal precedents that apply to the entire US.

Management's Responsibilities

Management's Certifications

Sarbanes-Oxley requires management to sign a statement that is included in their 10-K filings accepting responsibility for the financial statements and certifying that they are properly prepared. The Chief Executive Officer (CEO) and Chief Financial Officer (CFO) of the corporation must sign the statement. The following is a copy of the statement included in Home Depot's 2010 10-K filing:

This statement covers both the financial statements and the internal controls and mentions the auditor and their responsibilities. It is required for both quarterly and annual financial statements filed with the SEC, but we’ll focus on the annual financial statements throughout this class.

Management Assertions

This statement is very general and the PCAOB provides a list of financial statement assertions that are implied by the fair presentation of financial data.

In representing that the financial statements are presented fairly in conformity with the applicable financial reporting framework, management implicitly or explicitly makes

assertions regarding the recognition, measurement, presentation, and disclosure of the various elements of financial statements and related disclosures. Those assertions can be classified into the following categories:

Existence or occurrence – Assets or liabilities of the company exist at a given date, and recorded transactions have occurred during a given period.

Completeness – All transactions and accounts that should be presented in the financial statements are so included.

Valuation or allocation – Asset, liability, equity, revenue, and expense components have been included in the financial statements at appropriate amounts.

Rights and obligations – The company holds or controls rights to the assets, and liabilities are obligations of the company at a given date.

Presentation and disclosure – The components of the financial statements are properly classified, described, and disclosed.28

The purpose of stating these assertions is to cover every threat to a fair presentation of financial statement data. If you review them carefully, to do just that.

Purpose of an Audit

Overall Purpose of an Audit

The AICPA states that the overall purpose of an audit is ...

...to provide financial statement users with an opinion by the auditor on whether the financial statements are presented fairly, in all material respects, in accordance with the application financial accounting framework. An auditor's opinion enhances the degree of confidence that intended users can plan in the financial statements.29

This statement only covers the purpose of financial statement audits, which is the primary focus of this section. Audit objectives are grouped by the steps in the accounting cycle and apply to all transaction processes. However, the specific tests that are used to meet audit objectives will vary depending on the transaction process involved.

Accounting Cycle and Transaction Processes

Audits are very complex processes and auditors need to decompose the process into manageable components to execute an audit effectively. They do so in a several ways. Three of these are

28 PCABO. 2010. Auditing Standard No. 15. https://pcaobus.org/Standards/Auditing/pages/auditing_standard_15.aspx. Downloaded 7/23/2016. 29 AICPA Professional Standards. U.S. Auditing Standards AICPA (Clarified). 2015. Copyright by the American Institute of Certified Public Accountants.

described next - by 1) steps in the accounting cycle, 2) different types of transaction processes, and 3) audit objectives.

The Accounting Cycle

Auditors build much of their audit work around the basic accounting cycle. The accounting cycle starts with the recording of transactions in journals, also known as the books of original entry. The firm then classifies transactions in journals and summarized into ledger accounts. The general ledger lists all the accounts in the firm's chart of accounts and their balances. The firm prepares financial statements by organizing the account balances in the general ledger into the appropriate sections of the major financial statements. Finally, the firm adds the footnote disclosures required by GAAP to complete the financial statements. We’ll look at different audit objectives related to these steps in the accounting cycle below.

Transaction Processes

Another way auditors decompose the audit is by groups of related transactions called transaction processes. There is no fixed set of transaction processes, but the following is a list of typical processes for a retail or wholesale firm.  Sales and collections

 Acquisitions and payment

 Payroll and personnel

 Inventory and warehousing

 Capital acquisition and repayment

These processes break all the economic activity of a typical wholesaler or retailer into groups of related transactions. The following figure provides more details about the journals, ledgers, and general ledger accounts involved in each process.

30 Manufacturing auditees would probably also have a conversion and production process that covers how raw materials, labor, and overhead are combined to produce finished goods. This could be a separate process or an expansion of the inventory and warehousing process described in the figure.

Audit Objectives

Auditors use management assertions as one way to decompose the audit. They use management assertions as a guide to what they need to look for to certify that the financial statements are fairly stated.

30 Arens, A.A., Elder, R.J., Beasley, M.S., and Hogan, C.E. 2017, Auditing and Assurance Services: An Integrated Approach. pg. 155.

The PCAOB gives auditors some discretion in auditing for the above management assertions. They state:

The auditor may base his or her work on financial statement assertions that differ from those in this standard if the assertions are sufficient for the auditor to identify the types of potential misstatements and to respond appropriately to the risks of material misstatement in each significant account and disclosure that has a reasonable possibility of containing misstatements that would cause the financial statements to be materially misstated, individually or in combination with other misstatements.31

Auditor convert these management assertions into parallel audit objectives to help them guide their audit work. Since they tend to use different audit procedures to audit transactions, balances, and disclosures, auditors have broken these assertions into three categories. Auditors have added some detail, but the same basic concepts behind the assertions are included in each category. The following table lists the objectives auditors' use to when executing an audit:

The following discussion presents brief definitions of each of these 18 objectives. Students need to be very familiar with all these objectives because they drive the auditor process and will come up repeatedly in this class. They are the core of what auditors test during the audit because they cover all the threats to fair presentation of financial statements. Thus, auditors need to gather evidence that provides reasonable assurance that the financial statements and the transactions that led to the financial statement balances meet all these objectives.

Transactions

Transaction objectives refer to transactions that the auditee has recorded in its journals.

31 PCABO. 2010. Auditing Standard No. 15. https://pcaobus.org/Standards/Auditing/pages/auditing_standard_15.aspx. Downloaded 7/23/2016.

 Occurrence - All transactions recorded in the journals actually occurred. This objective insures there are no non-existence transactions recorded in the journal. That is that every transaction that is in a journal should be in the journal.

 Completeness - All transactions that should be recorded in journals have been. This is the complement of occurrence. That is, every transaction that should be there is there. Both occurrence and completeness refer to whole transactions. A common error students make is to consider that recording incomplete information about a transaction is a completeness violation. It is not. Incomplete recording of the details of a given transaction is an accuracy violation not a completeness violation.

 Accuracy - The transactions that have been recorded in the journals are accurately and completely. Students need to keep accuracy separate from occurrence and completeness. Occurrence and completeness address whether the set of transactions recorded in the journal is the right set. Accuracy address whether each transaction in that set were recorded accurately and completely.

 Classification - The recorded transactions were classified into the correct general ledger account.

 Timing - The recorded transactions were recording in the right accounting period. This objective is redundant, but auditors included it as a reminder to check for the recording date. It is redundant because if a transaction is recorded in the wrong period, that would be a completeness violation in the period where it should have been recorded and an occurrence violation in the period where it was recorded.

 Posting and Summarization - The original recordings in the journals were properly transferred to the appropriate ledgers. The other objectives assure that the transactions were properly recorded in journals. This objective covers whether that information was transferred to the ledgers correctly.

Balances

Balance objectives applies to test of general ledger account balances. Normally auditors think of balance objectives as applying to balance sheet accounts because income statement accounts are just totals of transactions. Balance sheet account balances also result from transaction, but those transactions can both increase or decrease the account balance and those transactions usually relate to some item (e.g., accounts receivable customer account, fixed asset, accounts payable vendor account balance). Thus, if all the transaction objectives hold for all transactions, then the only balance objectives that could be violated would be rights and objectives and realizable value. However, auditors use a different set of objectives that cover how the items that make up the balance sheet account balance were recorded because they have different sets of tests that can test the items in the balance separately from the transactions that created them. For example, a customer accounts receivable balance results from their prior purchase and payment transactions. However, auditors can test a customer's account balance by confirming it directly with the customer and bypassing testing all the transactions that resulted in the customer's balance. Here is a summary of the balance audit objectives.

 Existence - Similar to occurrence but the items that make up the balance sheet accounts exist or not, they don't occur like transactions. However, this objective focuses on the same underlying concept - that there is something real behind the balance or transaction.

 Completeness - Very similar to transaction completeness but focuses on items. That is, all the items that should be included in the balance sheet account are included.

 Accuracy - Also very similar to transaction objectives. Completeness and existence address whether all the items that should be include have been and no item is included that shouldn't be. Accuracy addresses whether the amount of the item is correct. While it is very rare, accuracy also would address whether all the required information about the item was included.

 Classification - Same as the transaction objective of classification - that the items are in the right account.

 Cutoff - A version of the timing objective - transactions around the balance sheet date are recorded in the correct period. Cutoff is redundant for the same reason timing is redundant, but auditors include it because timing of transactions around year end are particularly sensitive to manipulation and timing errors and because they have test that specifically address transaction timing around the balance sheet date.

 Detail tie-in - Similar to the posting and summarization transaction objective, but refers to the step between the subsidiary ledgers and their related general ledger account the general ledger and the financial statements. Thus, it also transfers the assurance that auditors have achieved about posting and summarization on step further in the accounting cycle.

 Realizable value - This objective addresses whether assets are worth the value shown on the balance sheet and liabilities will have to be paid for the amount shown on the balance sheet.

 Rights and obligations - Also doesn't have a direct parallel in transaction objectives. It addresses whether the auditee has to right to (i.e., owns) the asset or is obligated to pay the liability. It has an indirect relationship to transaction objectives. For example, if all fixed assets result from purchase transactions that occurred, then the auditee should have a right to the asset.

Presentation and Disclosure

Presentation and disclosure objectives address issues with the financial statements. Balance and transactions objectives insure that the general ledger balances and transactions that led to them are correct. Presentation and disclosure objectives address whether the auditee has converted the general ledger to financial statements correctly and has included all required additional disclosures in the financial statements. The bulk of those additional disclosure is the required footnote disclosures that GAAP requires.  Occurrence and rights and obligations - References to specific items in the footnotes

exist and are either rights or obligations of the auditee. Most of the items mentioned in the footnotes provide additional information about balance sheet or income statement accounts and so the main purpose here is to ensure that the footnote information also meets these

objectives. However, some items like contingent liabilities are disclosed in footnotes and not on the balance sheet so there are items that need to be reviewed separately from tests of transactions and balances.

 Completeness - All disclosures required by GAAP are included in the footnotes.

 Accuracy and valuation - The information that is included in the footnotes is accurate.

 Classification and understandability - Many footnote disclosures require details about how information is classified. For example, the income tax footnote requires that the auditee classify its deferred tax assets and liabilities into short and long-term. This objective would test to see that the auditee has made all such classifications are properly. In addition, the auditor needs to review the wording of the footnotes to ensure that they are understandable. The basis for this review usually would be a knowledgeable user. GAAP specifies that significant technical details be included in footnotes. Auditees cannot be expected to make all those technical details understandable to a user without an accounting background.

Auditor's Responsibilities

Auditors meet their audit objectives with a properly planned and executed audit. The balance of the course will cover how auditors executed an audit in detail. However, the following is an overview of the steps in the process.

Step 1 - Plan an Audit Approach

Auditors have a rich variety of tools they can use to gather sufficiently competent evidences to support their opinion. The first step in the audit process is to gain an understanding of the specific auditee and specific risks of material misstatement in that auditee's financial statements. These risks flow from two main areas:  The auditee and their environment - This is a broad category that addresses things like

the business model and processes the auditee uses, their strategies, the nature of their industry and their competitive position in that industry, the nature of the regional, national, and global economy, and their legal environment. These are just a few examples. The general idea is that these factors affect things like to complexity of the auditee's accounting and recording systems, which, in turn, affects the risk that transactions and balances won't be recorded properly.

 The auditee's internal controls - The nature of the auditee and its environment can create risks that the auditee won't record transactions and items properly. The auditee's internal controls should be designed to prevent and detect such misstatements so they can be eliminated from the information stream. Since the nature of the controls is linked to the nature of the risk of improper recording, the auditor assesses the risk associate with how the auditee does business and their environment first and then assesses whether the auditee has appropriate controls in place. At this point in the audit, the auditor can only review the structure and design of the auditee's controls. The auditor will have to wait until the next step to test the controls to determine whether they are working as designed. However, if the auditee hasn't designed the controls properly, then the auditor has little reason to test

them since even if they are working as designed, the design is inadequate and so the controls probably won't be adequate in preventing and detecting material misstatements.

Auditors combine the risks from these two steps to determine an initial assessment of the risk of material statement in the auditee's financial statements. However, they develop these risks at a detailed level by transaction process and account and by audit objective. This level of detail is necessary because auditors will test different objectives for different stages of the accounting cycle and within different transaction processes in different ways. The ultimate goal of the audit planning process is to develop a detailed audit program that lists all the tests they auditor intends to execute.

Step 2 - Tests of Controls and Substantive Tests of Transaction

Auditors assess the strength of the design of the auditee's controls and control environment in step 1. However, to determine how effective controls are, they auditor needs to test them to determine if the controls are working as designed. Since many control procedures function on transactions, auditors will also test the accuracy of the monetary amounts of the transactions at the same time. Tests of controls only determine if a control is working or not and they don't test the accuracy of the amounts recorded for the transaction directly. Testing the amount of the transaction is called a substantive test of a transaction. Substantive tests test audit objectives for transactions and balances directly. Tests of controls test whether the control procedures designed to support management assertions are functioning and do not test those assertions directly.

Step 3 - Perform Substantive Analytical Procedures and Tests of Balances

Substantive analytical procedures are procedures that act as reasonability checks on account balances. They include things like comparing account balances year to year, comparing ratios and other top-level data year to year and to industrial data. We’ve labeled them "reasonability checks" because they are not very precise and can only provide limited evidence of the existence of a specific material misstatement. However, auditors also use more focused substantive analytical procedures as well. They can use an understanding of how the auditee's business to develop expectations about specific account balances. For example, an auditor auditing a cable television client might develop an expectation of what the ending accounts receivable balance should be by multiplying the average monthly fee paid by customers times the number of customers and adjusting for the time lapse from the last billing to the date the auditor performs the analysis. Most customers will pay the balance due within 30 days of being billed and so the auditor can estimate what the accounts receivable balance should be by looking at the average payment pattern, the average monthly charge, and the number of days since the last billing cycle. Substantive tests of balances are test the auditor runs directly on the items that make up the account balance. One common example is confirming customer accounts receivable balances with the customer. Another is observing and testing a physical inventory count, verifying the costs per item, and comparing to the auditee's perpetual inventory amount in the general ledger.

Step 4 - Completing the Audit and Issuing a Report

We’ll look at specific steps in completing the audit near the end of the text. These steps involve things like pulling all the audit evidence together, possibly asked the auditee to adjust some account balances, and determining the type of report to issue. However, there are also audit procedures that tend to be run after the auditor completes substantive testing like checking with the auditee's attorney to see if there are any lawsuits pending that might lead to a contingent liability.

Other General Auditor Responsibilities

The above discussion has focused on meeting specific objectives for transactions and account balances. Auditors also have some general responsibilities in executing the audit, which we’ll discuss next.

Determining Materiality

The audit report states that the financial statements are free of material misstatement. Auditors need to determine what size a misstatement has to be to be material. This text has mentioned materiality several times because it is a core feature of audits. We’ll define it and discuss it in more detail later in the text. The concept is simple - how big of a misstatement would matter to users. Making that determination for each audit is complex and highly judgmental. However, the auditor must do so to determine if a given misstatement is material as well as whether the combination of all misstatements is material to the financial statements taken as a whole.

Detecting Fraud

Frauds typically cause material misstatements in financial statements. Thus, detecting fraud is a natural side effect of the audit process. However, frauds are different from unintentional errors because the fraudster is actively trying to hide them from the auditor. Thus, auditing standards require that auditors execute a few procedures designed specifically to detect fraud.

Determining the Auditee's Compliance with Laws and Regulations

The auditor's main focus is on whether auditees are complying with laws and regulations that directly affect the financial statements. They are not "police." Some examples of such laws are tax and pension laws and regulations since compliance with these laws would have a direct effect on tax liability and deferred tax accounts as well as pension expense, asset, and liability accounts.

Professional Skepticism

Auditing standards require that auditors maintain professional skepticism throughout the audit. Two old sayings that capture the essence of professional skepticism are "never trust what the first person tells you" and "trust but verify." More formally, it means that auditors maintain a questioning mind regardless of their prior experience with the auditee and critically assess all audit evidence.

One academic study identified six aspects of professional skepticism:32 1. Questioning mind set - a disposition to inquire with some sense of doubt.

2. Suspending judgment - withholding judgment until appropriate evidence is obtained.

3. Search for knowledge - a desire to investigate beyond the obvious and to corroborate evidence.

4. Interpersonal understanding - recognition that people's motivations and perceptions can lead them to provide biased and misleading information.

5. Autonomy - the self-direction, moral independence and conviction to decide for oneself rather than accepting the claims of others.

6. Self-esteem - the self-confidence to resist persuasion and to challenge assumptions or conclusions.

Professional skepticism is a balanced concept. It doesn't mean questioning everything but it does mean making sure you have evidence to support your conclusions and recognizing that the final decision rests with you, the auditor, not the auditee.

Professional Judgment

On the surface, professional judgment is a simple concept - auditors should use all their experience and training to make judgment calls during the audit. As the course proceeds, the term professional judgment will be a constant companion. Just about everything an auditor does requires professional judgment. One example presented above - setting materiality. However, additional examples include in setting risk levels, determine what tests to run, setting sample sizes, and deciding whether the financial statements are materially misstated. This is far from a complete list. To illustrate how important and complete the topic is, the AICPA's Center for Audit Quality has produced a 28-page document discussing professional judgment in audits. The following diagram summarizes the major elements of professional judgment the Center identified.

32 Hurtt, R. K. (2010). Development of a Scale to Measure Professional Skepticism." Auditing: A Journal of Practice & Theory. May 2010.

33 The process stars at the top and flows clockwise around the figure. Identify and Define the Issue - Yogi Berra says "If you don't know where you are going, you will end up somewhere else." Any judgement process must start with a goal and specific issue to research and draw conclusions about. Auditors need to determine how the issue relates to the audit process to ensure that they gather the right evidence and come to the best conclusion. Gather Facts and Information - Once the issue is defined, the auditor can start researching it by looking for facts and information relevant to the issue. Most auditing issues are complex and involve a variety of sources of facts and information. For example, the auditor needs to understand the financial reporting and auditing standards that determine how the issue would

33 Center for Audit Quality. (2014). Professional Judgment Resource.

affect the audit and the financial statements. The auditor also needs a solid understanding of the client and their environment to determine how the issue would affect the financial statements. Perform the Analysis and Identify Alternatives - This step involves pulling all the facts and information together and identifying alternative courses of action. The auditor might also identify missing facts or pieces of information during the analysis and may need to gather more facts and information. Thus, this could be an iterative process. Professional skepticism is important here as well and facts should be corroborated to make sure they are reliable. Make a Decision - This is where the "rubber hits the road." Auditors must choice a single outcome or decision that they believe is best given their analysis of the facts and information. However, the auditor should step back once (s)he has made the decision and review the process once more to help insure that they haven't missed anything. Actually, this can be a dangerous step because once the auditor makes a decision, they will be focused on the consequences of the decision. For example, the decision may lead to increased audit testing, which will be costly. The auditor may be averse to running up higher costs for the auditee and, consequently, his/her review of the decision process could become biased towards cost reduction and away from audit quality. This is a risk, but still the auditor should review the decision once before moving. Document the Decision and Rational for it - Documentation is the name of the game in auditing. Every action, conclusion, test, judgment, and piece of evidence needs to be documented in the working papers. Keep in mind that any audit could end up in court where the auditor may need documentation to show the executed the audit with due professional care and in conformance with auditing standards. In addition, when the auditor writes up the decision and basis for it, (s)he may notice inconsistencies or missing justification for the conclusions and may need to go back, gather more data and information and revisit the decision. The above process sounds rigorous and objective. The problem is that it must be carried out by a human being and research in psychology has identified several biases that all human exhibit in making judgments. These biases are subconscious and, therefore, very hard for humans to control. In most cases, they aren't even aware of them while making decisions. The Center for Audit Quality's report also covers some of the most common human judgment biases. The hope is that if auditors are aware of these biases, they can watch for them and take steps to mitigate their effects. The following figure summarizes these biases.

34 Arens, A.A., Elder, R.J., Beasley, M.S., and Hogan, C.E. 2017, Auditing and Assurance Services: An Integrated Approach. pg. 152.

Evidence, Documentation, Materiality, and Audit Risk

Summary

This chapter covers several topics that are basic to the audit and students need to understand before we get into the process of planning and executing an audit. The topics covered include:  The need for, persuasiveness, and sources of audit evidence to include need for both

quantity and quality of evidence and types of procedures auditors use to gather evidence.

 Why and how auditors need to document audit work and conclusions thoroughly.

 How auditors set and apply different levels of materiality.

 How auditors use the audit risk model to decompose the sources for risk of material misstatement in financial statements into major categories and use the risk model to plan an audit.

Audit Evidence

"The objective of the auditor is to plan and perform the audit to obtain appropriate audit evidence that is sufficient to support the opinion expressed in the auditor's report."35 This section addresses what it means to be appropriate and sufficient as well as the types of procedures that auditors use to gather audit evidence. You can find further details in AICPA guidance on audit evidence.

Appropriateness and Sufficiency

The preceding statement highlights two aspects of evidence that auditors must consider - sufficiency and appropriateness. Sufficiency measures the quantity of evidence while appropriate measures the quality of the evidence. The two are related. As the quality of evidence increases, the quantity needed declines because of a reduced need to corroborate the evidence. Appropriateness has two characteristics - relevance and reliability. For evidence to be relevant, it needs to be relevant to an audit objective and provide support for the auditor's opinion decision, and relate to the period covered by the financial statements. The reliability of evidence is more complex and depends on a variety of considerations.  Evidence obtained from a knowledgeable source that is independent of the company is

more reliable than evidence obtained only from internal company sources.

35 PCAOB. 2014. Auditing Standard No. 15 - Audit Evidence. https://pcaobus.org/Standards/Auditing/pages/auditing_standard_15.aspx. Downloaded 7-25-16.

 The reliability of information generated internally by the company is increased when the company's controls over that information are effective.

 Evidence obtained directly by the auditor is more reliable than evidence obtained indirectly.

 Evidence provided by original documents is more reliable than evidence provided by photocopies or facsimiles, or documents that have been filmed, digitized, or otherwise converted into electronic form, the reliability of which depends on the controls over the conversion and maintenance of those documents.36

A large percentage, if not vast majority of evidence that an auditor gathers comes from the auditee. The auditor needs to apply "trust but verify" to this evidence and should test the accuracy and completeness of the information. These tests can be direct verification from independent sources and/or tests of the auditee's controls over the generation of the evidence. The auditee could alter even third-party documents like invoices and banks statements that are obtained from the auditee since they were in the auditee's possession. Let’s look more closely at some points from the PCAOB quote above.  Independence of the provider - Auditors cannot consider any information coming

directly from the auditee as independent. Evidence that comes directly to the auditor from third parties and evidence auditors generate through their own direct knowledge is independent unless the auditor is aware of a close relationship between the auditee and the third party (e.g., the third party is related to the auditee in some way). Evidence based on the auditor's direct observations and knowledge would be the most independent type of evidence.

 Qualifications of the information provider - This is different from independence and speaks to the qualification of the provider to provide the type of evidence the auditor is seeking. For example, third party confirmations are independent, but the auditor may not be able to determine if the third-party employee that provided the evidence was qualified to do so since they can't control whom third parties assign to the task of providing the auditor with evidence. Providing evidence to auditors may not be a top priority for third parties. For example, auditors would probably consider confirming evidence from attorney's and banks to be more reliable than confirming evidence from customers particularly if the customers were individuals and not businesses.

However, this issue also applies to auditors as well. The auditor may not be competent to gather the evidence directly. For example, an auditor trying to verify the value of an auditee's diamond inventory may need to hire and outside expert to value the diamonds.

 Objectivity - Objectivity is related to independence since independent parties tend to provide assessments that are more objective. However, objectivity also refers to how the nature of the evidence as well. Some evidence, like the amount of an account balance, can be objectively determined in that it doesn't involve a subjective judgment. Other evidence, like the likelihood of losing a lawsuit, inherently involves a subjective judgment.

36 PCAOB. 2014. Auditing Standard No. 15 - Audit Evidence. https://pcaobus.org/Standards/Auditing/pages/auditing_standard_15.aspx. Downloaded 7-25-16.

In the end, the issue of whether the evidence the auditor gathers is appropriate and sufficient to support their opinion is a judgment call by the auditor. Auditors gather a lot of evidence of various types and from various sources. They pull all of that evidence together and make a judgment call on whether it is enough. They do so from the bottom up. That is, they typically assess the sufficiency and appropriateness of the evidence for each audit objective for each account and then combine that into an overall opinion. They need to be sure that they have covered all the audit objectives for all accounts to ensure that the risk of a material misstatement in each account is below the level of risk they are willing to accept that they will miss a material misstatement.

Types of Audit Procedures

Auditors use a variety of procedures to meet the requirement for sufficient appropriate evidence to support their opinions. While the type of procedures and issues of appropriateness and sufficiency are separate, some procedures tend to provide more appropriate evidence than others do. The following is a list of the major types of audit evidence gathering procedures, quoted from the AICPA codification of auditing standards, that mentions some relationships between the type of procedure and the appropriateness of the evidence gathered.

Inspection of records and documents - Inspection consists of examining records or documents, whether internal or external, in paper form, electronic form, or other media. Inspection of records and documents provides audit evidence of varying degrees of reliability, depending on their nature and source and, in the case of internal records and documents, on the effectiveness of the controls over their production. An example of inspection used as a test of controls is inspection of records or documents for evidence of authorization. Some documents represent direct audit evidence of the existence of an asset, for example, a document constituting a financial instrument such as a stock or bond. Inspection of such documents may not necessarily provide audit evidence about ownership or value. In addition, inspecting a n executed contract may provide audit evidence relevant to the entity's application of accounting principles, such as revenue recognition. Inspection of tangible assets - Inspection of tangible assets consists of physical examination of the assets. Inspection of tangible assets may provide appropriate audit evidence with respect to their existence, but not necessarily about the entity's rights and obligations or the valuation of the assets. Inspection of individual inventory items ordinarily accompanies the observation of inventory counting. For example, when observing an inventory count, the auditor may inspect individual inventory items (such as opening containers included in the inventory count to ensure that they are not empty) to verify their existence. Observation - Observation consists of looking at a process or procedure being performed by others. Examples include observation of the counting of inventories by the entity's personnel and observation of the performance of control activities. Observation provides audit evidence about the performance of a process or procedure but is limited to the point

in time at which the observation takes place and by the fact that the act of being observed may affect how the process or procedure is performed. Inquiry - Inquiry consists of seeking information of knowledgeable persons, both financial and nonfinancial, inside or outside the entity. Inquiry is an audit procedure that is used extensively throughout the audit and often is complementary to performing other audit procedures. Inquiries may range from formal written inquiries to informal oral inquiries. Evaluating responses to inquiries is an integral part of the inquiry process. Inquiry normally involves:

 Considering the knowledge, objectivity, experience, responsibility, and qualifications of the individual to be questioned.

 Asking clear, concise, and relevant questions.

 Using open or closed questions appropriately.

 Listening actively and effectively.

 Considering the reactions and responses and asking follow-up questions.

 Evaluating the response.

In some cases, the auditor should obtain replies to inquiries in the form of written representations from management. For example, when obtaining oral responses to inquiries, the nature of the response may be so significant that it warrants obtaining written representation from the source. Responses to inquiries may provide the auditor with information not previously possessed or with corroborative audit evidence. Alternatively, responses might provide information that differs significantly from other information that the auditor has obtained, for example, information regarding the possibility of management override of controls. In some cases, responses to inquiries provide a basis for the auditor to modify or perform additional audit procedures. The auditor should resolve any significant inconsistencies in the information obtained. The auditor should perform audit procedures in addition to the use of inquiry to obtain sufficient appropriate audit evidence. Inquiry alone ordinarily does not provide sufficient appropriate audit evidence to detect a material misstatement at the relevant assertion level. Moreover, inquiry alone is not sufficient to test the operating effectiveness of controls. Although corroboration of evidence obtained through inquiry is often of particular importance, in the case of inquiries about management's intent, the information available to support management's intent may be limited. In these cases, understanding management's past history of carrying out its stated intentions with respect to assets or liabilities, management's stated reasons for choosing a particular course of action, and management's

ability to pursue a specific course of action may provide relevant information about management's intent. Confirmation - Confirmation, which is a specific type of inquiry, is the process of obtaining a representation of information or of an existing condition directly from a third party. For example, the auditor may seek direct confirmation of receivables by communication with debtors. Confirmations are frequently used in relation to account balances and their components but need not be restricted to these items. A confirmation request can be designed to ask if any modifications have been made to the agreement, and if so, what the relevant details are. For example, the auditor may request confirmation of the terms of agreements or transactions an entity has with third parties. Confirmations also are used to obtain audit evidence about the absence of certain conditions, for example, the absence of an undisclosed agreement that may influence revenue recognition. Recalculation - Recalculation consists of checking the mathematical accuracy of documents or records. Recalculation can be performed using information technology, for example, by obtaining an electronic file from the entity and using Computer Assisted Audit Techniques (CAATs) to check the accuracy of the summarization of the file. Reperformance - Reperformance is the auditor's independent execution of procedures or controls that were originally performed as part of the entity's internal control, either manually or with CAATs, for example, reperforming the aging of accounts receivable. Analytical procedures - Analytical procedures consist of evaluations of financial information made by a study of plausible relationships among both financial and nonfinancial data. Analytical procedures also encompass the investigation of identified fluctuations and relationships that are inconsistent with other relevant information or deviate significantly from predicted amounts. An analytical procedure might be scanning, which is the auditor's use of professional judgment to review accounting data to identify significant or unusual items and then to test those items. This includes the identification of anomalous individual items within account balances or other data through the reading or analysis of entries in transaction listings, subsidiary ledgers, general ledger control accounts, adjusting entries, suspense accounts, reconciliations, and other detailed reports. Scanning includes searching for large or unusual items in the accounting records (for example, nonstandard journal entries), as well as in transaction data (for example, suspense accounts, adjusting journal entries) for indications of misstatements that have occurred. CAATs may assist an auditor in identifying anomalies. Since the auditor tests the items selected by scanning, the auditor obtains audit evidence about those items. The auditor's scanning also may provide some audit evidence about the items not selected since the auditor has used professional judgment to determine that the items not selected are less likely to be misstated.37

37 AICPA (2006) AU Section 326 - Audit Evidence. https://www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/AU- 00326.pdf. Downloaded 7/26/2016.

Audit Documentation

Nature and Rationale for Audit Documentation

As part of the audit process, auditors need to set up a documentation plan for the audit as well. Documentation is a critical feature of any audit. Thorough and accurate documentation of every audit step is critical to maintain quality control and to demonstrate to outside parties how the audit was executed. Audits are "team sports" and the audit firm and its partners are liable to any user of audited financial statements for the accuracy and completeness of the audit. Because of the auditor's social responsibility as well as their liability exposure, auditors need to both be able to insure they properly executed the audit and be able to demonstrate that fact to third parties. Audits are "team sports" and so auditors need a complete record of what various team members did, when they did it, what they did, and what they concluded from what they did. The final decision on whether to sign off on the audited financial statements rests with the partner in charge of the audit. However, that partner needs to be able to verify that his team members did their jobs and, therefore, needs documentation of what the team did. In addition, auditors may be subject to several sources of outside review. These include:  The AICPA peer review process where audit firms must be reviewed every three years by

other audit firms if the firms want to remain as members of the AICPA.

 Review by the PCAOB that is required if the audit firm wants to maintain its registration with the PCAOB to perform audits of public companies

 Lawsuits where a third party sues the audit firm for damages by claiming they relied on an inaccurate set of audited financial statements and incurred a financial loss because of that reliance.

Auditors need to maintain detailed documentation of all the steps they take during the audit and all conclusions reached to include:  which audit team member executed each step

 when the step was completed

 who reviewed the work for each step

 when the review was done

 what evidence was gathered for each step, and

 what conclusions were drawn from that evidence.

Structure of Audit Documentation

Auditors develop a file for each audit client that includes all the documentation for that client. Since most audits are repeat engagements, the auditors split audit files into permanent and

current components. The permanent component includes information about the client that does not change much from year to year. The current portion will include the detailed documentation that supports the current year's audit. Examples of items that would appear in the permanent portion of an audit file include copies of the auditee's:  corporate charter or partnership agreement

 chart of accounts

 organization chart

 policies and procedures manuals, particularly their accounting manual

 important contracts like pension plans, union contracts, debt instruments and covenants, stock issuances, and leases

 documentation of internal controls and process flowcharts

Examples of documentation in the current portion of the audit file would include:  copies of the financial statements and audit report

 all the original working papers to include the audit plan itself

 copies of minutes of important auditee Board of Directors and Committee meetings

The most extensive and detailed portion of the current audit file are the working papers. Audit working papers typically include:  The audit plan and program - Audit plans tend to be higher-level series of steps the

auditor plans to take, whereas the audit program is a detailed list of specific procedures the auditor intents to execute.

 A working trial balance - Typically a spreadsheet file that begins with the auditee's unaudited general ledger balances, records any adjustments the auditors recommend based on their audit, and reports the adjusted general ledger balances used in the final financial statements.

 Accounting listings and analysis - This is the largest section. It contains listings of items in account balances, listing of items that were tested, the nature of the tests, the results of the tests, and the conclusions the auditor drew based on the tests.

 Any internal memos related to the audit

 Adjusting and reclassification entries - Auditors also document the journal entries the auditor recommends to the auditee based on their audit work in the working trial balance.

Examples of Audit Documentation38

The following is an example of how a working trail balance is constructed. As described above, it starts on the left-hand side with the auditee's unaudited general ledger account balances and includes columns to post adjusting and reclassification entries and columns to record the adjusted/reclassified account balances that will tie to the final financial statements. In addition, it contains a column for working paper reference. This column illustrates the role of an audit trail in audit documentation. The auditor must be able to tie every component of the audit documentation to a final general ledger account balance and line item on the audited financial statements. Thus, all components must refer to other components in some logical sequence to provide a complete trail through the audit documentation.

The next example is of a working paper. This example shows information related to the auditee's legal and auditing expense account. In this example, the auditor is listing transactions in the account and indicating what audit procedures audit staff performed on those transactions. The auditor documents which step was performed on which transaction with tick marks. The working paper always includes a legend that reports what the tick mark means. Most firms establish standard tick marks that always refer to the same type of audit procedure to standardize and simplify their audit documentation. In the upper right-hand corner of the working paper is the working paper number, the initials of the person who prepared it, and the date it was prepared. Later when audit managers and partners are reviewing the working papers, they will add their initials and dates. Auditors number working papers carefully so that the numbering scheme provides information on where the working paper fits in with the rest of the working papers.

38 All these examples were taken from Auditing & Assurance Services: A Systematic Approach, by William F. Messier, Jr., Steven M. Glover, and Douglas F. Prawitt, McGraw-Hill, 2008.

This last example illustrates how working papers fit together. Auditors organize them hierarchically with the auditee's financial statements at the top level of the organization scheme. Then working papers that are more detailed are included underneath the higher-level working papers. The following example shows the auditee's balance sheet at the top of the hierarchy. Beneath, is the working trial balance, as described above. Then comes a cash lead schedule that lists all the auditee's cash accounts that make up the cash balance on the working trial balance. Below, are the bank reconciliations for each cash account followed by supporting documentation for those bank reconciliations like bank confirmations and lists of outstanding checks.

The above examples should give you a basic idea of how audit working papers are organized and how auditors use numbering schemes and cross references to build a trail through their documentation. They use the audit trail to either drill down into the details behind a line item on the auditee's financial statements or drill up to insure a particularly transaction was properly included in the auditee's financial statements.

Ownership, Confidentiality, and Retention of Audit Documentation

This test covered ownership and confidentiality issues for audit documentation in the prior chapter that included the Code of Conduct. Auditing standards require that auditors maintain the originals of their documentation on their premises. A summary of the details here. Auditors own the working papers and only have to make copies available when courts, government agencies, or the AICPA peer review process requires that they do so. They can provide the auditee with copies at their discretion. However, they need to be cautious about doing so since auditing, to a degree is a game between the auditee and the auditor and the auditor doesn't want to give away details of their audit strategy to the auditee. If the auditee knows too much about the auditor's strategy and tactics, they can use that information to hide things from the auditor. When Congress passed Sarbanes-Oxley, they include a provision on how long audit auditors much retain audit documentation. The reason they included this provision is that Arthur Andersen was charged with a federal crime for destroying documents related the Enron audit. Arthur Andersen's position was that they were merely destroying documents that they did no use to support their audit conclusions to protect Enron's confidentiality. The US Supreme Court upheld Arthur Andersen's position and over turned a lower court verdict that had found the audit firm guilty of obstruction of justice. This case illustrates that the issue of how long auditors needed to retain the audit documentation was a little vague until the passage of Sarbanes-Oxley. Sarbanes-Oxley mandated that auditors retain their audit documentation for seven years after the audit report date. As the text will cover towards the end of the class, auditors may need to do additional audit work after the report is issued. In that case, Sarbanes-Oxley requires that auditors retain that documentation as well. It also requires that auditors document who added the material, when it was added, and why it was added.

Setting Materiality

Materiality has come up repeatedly in the text thus far. The size of a misstatement that auditors care about drives audit planning and execution. This section covers how auditors determine what level of materiality they will apply to a given audit. Auditors must develop a single number that measures the size, in terms of dollars, that a misstatement needs to be before auditors call it a material misstatement. Auditors mostly ignore misstatements that are not large enough for the auditor to consider material. In some cases, auditors may research the cause of immaterial misstatements if the auditor believes the misstatement may indicate a larger problem like fraud. While their audit opinion states that the financial statements are free of material misstatement, auditors may choose to set separate materiality levels for different financial statements. Materiality is a quantitative measure of the magnitude of a misstatement in a set of financial statements that would affect the user's perceptions of the firm. As you can imagine, this is a conceptually appealing statement, but this definition is very hard to implement. There are many types of users of financial statements that may be affected by different levels of misstatements in different accounts. For example, a potential investor in the firm may be more interested in the firm's trend in earnings per share and a potential lender may be more interested in the firm's current debt to equity ratio. We don't want to overstate the case, however. Bankers are also interested in the firm's earnings trends. The point is that different users will be sensitive to

different misstatement levels in different statistics and the auditor needs to develop one materiality level for the financial statements.

Different Levels of Materiality

While auditors need a financial statement level materiality amount to support their statement in the audit, they don't audit the financial statements taken as a whole. They audit individual accounts and objectives. Thus, they need to break materiality down to the account and assertion level to guide their tests.

The concept of materiality is applied by the auditor both in planning and performing the audit; evaluating the effect of identified misstatements on the audit and the effect of uncorrected misstatements, if any, on the financial statements; and in forming the opinion in the auditor's report.39

Thus, auditors set different versions of materiality.

Planning materiality

The level of materiality the auditor will use to plan the audit. It measures the size of a material misstatement in the financial statements taken as a whole that the auditor believes will affect the users' judgment of the firm.

Performance materiality

The amount or amounts set by the auditor at less than materiality for the financial statements as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole."40 In effect, auditors build in a "fudge factor" by lowering the materiality level they will use when evaluating tests of different accounts to help insure that when the audit is complete, all the misstatements, when combined, don't exceed planning materiality.

Tolerable error

Tolerable error is the lowest level of materiality. Auditors use it when determining sample sizes for tests of balances, which the text will cover. It is the level of misstatement that the auditor will accept for a specific test of an audit objective and account balance before asserting that the object is violated for that account balance. One use of tolerable misstatement is to determine whether the account is sufficiently misstated to require that the auditee restate it.

39 AICPA. (2012). Au-C Section 320 - Materiality in Planning and Performing an Audit. https://www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/AU-C- 00320.pdf. Downloaded 7/26/2016. 40 AICPA. (2012). Au-C Section 320 - Materiality in Planning and Performing an Audit. https://www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/AU-C- 00320.pdf. Downloaded 7/26/2016.

Since all these levels of materiality are based on planning materiality, auditors need to have a systematic way to use their planning materiality to set tolerable error rates for individual accounts and audit objectives. While many audit textbooks use the term "allocate" to discuss how auditors use financial statement materiality to determine tolerable error, we will avoid using the term because "allocate" normally means taking an amount and spreading it out over items such that the amounts allocated to the items equals the total. This is not how auditors use planning or performance materiality to determine tolerable error. Misstatements in accounts don't normally simply add up to a misstatement in a key statistic. For example, sometimes misstatements offset each other. However, the auditor may be concerned about the very existence of these individual errors even though the offset each other in a key statistic. In addition, some misstatements may be additive and a series of small misstatements in enough accounts might add up to a material misstatement in a key statistic. Because of the complexities involved in using planning materiality to set tolerable error levels for the accounts, most audit firms develop conservative rules of thumb that allocate more than the planning or performance materiality to accounts. For example, one firm assigned 50% of the performance materiality to every account balance, but then allowed auditors to adjust individual accounts based on qualitative factors. However, such conservative rules of thumb also could lead to over-auditing and a more expensive than necessary audit. That is, it might lead to auditors rejecting accounts that auditors rejected because of misstatements that, when combined, didn't rise to planning or performance materiality.

Bases for Setting Materiality

Auditors need to determine two factors to set financial statement materiality: the statistic on which to measure materiality and the percentage of that statistic to use. For example, two common statistic auditors use in setting financial statement materiality are net income or operating income, probably because readers of financial statements focus so much on net and operating income and trends in them when evaluating firms. The most common percentage of net or operating income auditors use to set materiality is 5%. However, using 5% of income has several problems. First, it means that the materiality level for the firm will be affected by how well the firm is doing. For example, if the firm is very profitable, then materiality levels will rise and the auditor will assert that larger misstatements are not material. However, if the firm is just breaking even, then materiality levels will be very small and the auditor will have to test for small misstatements to assert that the financial statements are free of material misstatement. However, just because a firm is breaking even doesn't mean a very small misstatement will affect the users' perceptions of the firm. Another problem illustrated by the use of income is that trends are as critical to users of financial statements as one year's result is. For example, the fact that a firm has a low net income this year will carry a different meaning for the users of the financial statements depending on whether the firm lost money last year or made a higher net income than this year. That is, users will be very sensitive to the trend in the firm's income as well as what the income was this year.

Because of some of these issues, many auditors that use income to set financial statement materiality will use an average income over the last few years rather than the income for the current year. This approach also helps if the current year's income for the auditee is unusual and doesn't appear to represent a stable measure of the firm's performance over time. Even though income is an important statistic for most users of financial statements, many audit firms prefer to base financial statement materiality assessments on statistics that tend to be less volatile, like total sales or total assets. The idea here is that the overall size of the firm will affect the size of a misstatement that will affect a user. For example, a $1 million misstatement in UMUC's checking account balance would be a major issue while users won't notice a $1 million misstatement in Apple's checking account.41 Since the size of the firm is such an important issue, many audit firms will use statistics that measure overall firm size, like sales and total assets. They might avoid statistics like net income because they vary with performance and not just size. Finally, auditors consider the nature of the firm when setting planning materiality. For example, auditors of banks and other financial institutions commonly use a percentage of net assets to set materiality. Net assets are the same as owner's equity and the level of a bank's net assets is critical to assessing the banks financial health. Because the issue of how the size and location of a misstatement might affect the judgment of a user of the financial statements, materiality determination is inherently judgmental and based on many qualitative considerations. Some of these include:  Whether a small misstatement will affect a trend in a key statistic (e.g., change a

decreasing trend into an increasing one)

 Whether a small misstatement will trigger a covenant violation or affect a performance- based compensation contract (e.g., if the auditee is very close to a cutoff net income value that will trigger a bonus payment to management).

 Whether a small misstatement will affect whether the firm meets or exceeds analysts' expectations for earnings per share. For those of you who are not that familiar with how the stock markets work, a firm's stock price can be affected by whether or not the firm's reported earnings per share fails to meet the expectations that financial analysts have developed by as little as a penny. This hypersensitivity to small differences between actual and expected earnings data can make relative small misstatements very meaningful to a large block of users.

To sum up, the auditor needs to consider a substantial number of contextual factors when setting financial statement materiality levels. An auditor's starting point would always be the materiality used in last year's audits for continuing clients, which most clients are. However, the auditor needs to be very careful to analyze the firm's current situation for changes that might affect the auditor's materiality judgment and not just accept the prior year's value. In addition, some audit firms set a materiality formula (e.g., 5% of operating income) for all their audits that auditors can use as a starting point and then adjust that base value for qualitative considerations.

41 Apple's cash balance is well over $100 billion.

Using Materiality to Evaluate Audit Findings.

We’ll discuss this topic in more depth in the chapter on completing the audit. For the purposes of this chapter, We’ll merely point out that the auditor uses tolerable error to determine if an account balance is materially misstated as the auditor executes tests. However, the auditor also needs to aggregate all the misstatements (s)he finds while executing his/her tests to determine the overall effect on the financial statements as well. Thus, when evaluating the results of audit tests, the auditor must not only consider a misstatement's effect on an individual account balance, but also that misstatement's effect, in conjunction with other misstatements, on the overall impression the financial statements leave on the user.

Audit Risk Assessment

The purpose of this section is to present the audit risk model that expresses the core goal of all audits. Auditors use the risk model as a core planning tool for all audits. The text will refer to the audit risk model in future chapters to illustrate auditors apply it as the audit progresses. The audit risk model addresses the changes of a material misstatement in the financial statements from various sources. Materiality addresses how large a misstatement needs to be to matter. The audit risk model addresses the likelihood or probability of that happening.

Structure and Use of the Audit Risk Model

The audit definition, and our discussion of it thus far, implies that auditors live in a certain world and can come to a yes or no conclusion about whether the auditee has prepared their financial statements in conformance with GAAP. This is an inaccurate characterization. Auditors can only reduce the probability that the financial statements contain a material misstatement to an acceptably low level. That is, auditing is all about using and evaluating evidence to reduce the probability that the financial statements contain an undetected material misstatement to a sufficiently low enough level so that the auditor is willing to state that they don't contain a material misstatement. Thus, you can think of an audit as a highly informed gamble. Auditors developed the risk model as an equation that expresses the risk the auditor is willing to accept that the financial statements contain a material misstatement the auditor didn't catch. That is, an undetected misstatement can exist in the financial statements because:  of general factors (e.g., high turnover in employees responsible for preparing the financial

statements), which is called inherent risk;

 of the failure of the auditee's internal controls to catch a misstatement generate by general factors, which is called control risk; or

 the auditor's tests didn't find the misstatement, which is called detection risk.

The audit risk model contains components for each of these factors. The audit risk model is:

Acceptable Audit Risk = Inherent Risk * Control Risk * Detection Risk

AR = IR * CR * DR

Audit Risk

Acceptable audit risk (AAR) is the risk the auditor is willing to live with that the financial statements contain a material misstatement that neither the auditor nor the auditee caught. The inclusion "acceptable" in the definition is critical. AAR isn't the risk of material misstatement that ends up in the financial statements at the end of the audit. It is the risk the auditor is willing to accept that a material misstatement will end up in the financial statements. This distinction highlights the use of the audit risk model as a planning tool, not an evaluation tool. We’ll address this issue in more detail below.

Inherent Risk

Inherent risk is the risk that the auditee's financial reporting process will produce a material misstatement regardless of the controls the auditee has in place to eliminate (i.e., prevent or detect/correct)42 the misstatement. Thus, inherent risk measures the quality of the auditee's financial reporting system separate from the internal controls embedded in that system. Inherent risk exists independent of the audit and so auditors assess an auditee's inherent risk. That is, auditors and their audit procedures cannot alter an auditee's inherent risk and so auditors can only assess its level and cannot influence its level. We’ll discuss the factors auditors consider in setting inherent risk in more detail as part of the audit planning process. However, the factors that influence an auditee's inherent risk are broad and range from environmental factors like the complexity of the auditee's production process and level of competition in the auditee's markets to auditee-specific factors like the level of training and monitoring the auditee provides for its employees and how well designed their financial reporting process is.

Control Risk

Control risk is the risk that the auditee's internal controls will not eliminate a material misstatement from the financial reporting process given that a material misstatement exists in the information stream created by the accounting system. Thus, control risk measures the effectiveness of the auditee's internal controls in eliminating inherent risk material misstatements. Internal controls are the policies and procedures an auditee puts in place to eliminate material misstatements from its financial reporting process and to safeguard its assets. We’ll take a look at the nature and components of internal controls later in the text. In short,

42 A firm's internal control system can eliminate errors from financial statements either by preventing them from entering into the information stream that produces the financial statements or by detecting and correcting them after they have entered the information stream. The process that this text discusses related to internal controls does not differentiate between prevention and detection/correction and so we will use the term "eliminated."

control risk is the risk that the auditee's internal controls will not eliminate a material misstatement created by the auditee's inherent risk. Mathematically, control risk is a conditional probability. That is, it is the risk that the auditee's internal controls will not eliminate a material misstatement given that (i.e., conditioned on) the fact that the material misstatement was created by that financial reporting process. As with inherent risk, auditors cannot control an auditee's control risk. Thus, auditors also must assess control risk; they cannot control it or alter it in any way.

Detection Risk

Detection risk is the risk that the auditee's financial reporting process will contain material misstatement that the auditor's procedures don't detect. This is the only component of the right- hand side of the audit risk model that auditors control. That is, auditors set their acceptable audit risk, assess inherent and control risk, and then plan audit tests and procedures to drive detection risk to a level low enough to ensure that their acceptable audit risk level isn't exceeded. Thus, we can restate the audit risk model to illustrate the way auditors actually view it:

DR = AAR / (IR * CR) In this presentation of the risk model, the factors that the auditor assesses or sets are on the right- hand side and the factor that the auditor controls through the extent of their audit work are on the left-hand side. Auditors make one simplification of this model in practice as well. Since both IR and CR are independent of the audit and are assessed by the auditor, auditors frequently combine them and refer to them jointly as the risk of material misstatement (RMM). That is, combined IR and CR represent the risk that the auditee's financial reporting system will contain a material misstatement and the auditor's job is to use audit procedures to reduce RMM to their acceptable level of AR. Thus, the auditors also state the risk formula as:

DR = AAR / RMM We can use this formulation to illustrate some intuitions about the audit process. Keep in mind that all the components of the risk model are probabilities and are expressed as fractions between 0 and 1. Thus, if you hold AAR constant, DR moves in the opposite direction as RMM. As the RMM increases (i.e., the auditee's financial reporting system is weaker), the denominator of the fraction gets larger and approaches 1. As the denominator of the fraction becomes larger, the right-hand side of the equation becomes smaller (i.e., since we have set AAR, dividing by a larger number will reduce the value of the right-hand side of the equation). If the auditee's financial reporting process is weak and the RMM is high, then auditors need to engineer their procedures and test to achieve a lower level of DR in order to achieve their desired AAR. To lower their detection risk, the auditors have to do more work. That is, to lower the probability that their auditor procedures will miss a material misstatement, they need to do more, or more extensive, procedures. This should seem logical to you because what we are saying is

that to achieve a certain probability that the auditor won't miss a material misstatement; they have to do more work if the auditee's systems are weak. Another important intuition illustrated by this model is that there are limits to how low DR can go. For example, if we hold RMM constant, DR risk varies with AAR. That is, the lower the AR (i.e., the more certain the auditor wants to be that they didn't miss a material misstatement), the lower the detection risk must be (i.e., the more work the auditor must do). Keep in mind that DR is the risk that the auditor will miss a material misstatement and so the lower DR; the more work the auditor has to do. Now what happens if the auditee's financial reporting system is very weak but the auditor wants to be sure that the financial statements don't contain a material misstatement? This situation may mean that the auditee's systems are so weak that they are unauditable (i.e., the auditor can't do enough work to get the AAR down to an acceptable level). Let’s plug in some numbers to illustrate the point. Let's assume that the auditee's reporting process is so bad that there is a 40% chance that it will produce at least one material misstatement. Let's also assume that the auditee has very few control procedures in place such that there is an 100% chance that their controls won't eliminate the material misstatement.43 This means that RMM is 40% (i.e., there is a 40% chance of a material misstatement in the auditee's financial statements). Finally, let's assume that the auditor wants to achieve an AAR of 5% (i.e., the auditor will tolerate only a 5% chance that the financial statements contain material misstatement his/her audit procedures didn't detect). Plugging the numbers into the formula, we get a DR equal to 12.5% (12.5% = 0.05 / (0.40 * 1.00)). While this number might not mean much to you, it means that the auditors will have to do enough work to create only a 12.5% chance that a material misstatement will slip through their audit procedures anywhere in the financial statements. This really is a lot of work and the auditor and auditee may believe that the audit would be too expensive to execute. Keep in mind that the lower the DR risk, the more work the auditor has to do to reduce the risk that their audit procedures will miss a material misstatement to that level. A higher DR means the auditor can accept more risk that their auditor procedures won't detect a material misstatement. We can turn this example around and demonstrate that if the auditee's financial reporting process is very strong, the auditor may not have to do any work at all, other than the work they need to do to assess IR and CR. That is, if RMM is equal to or lower than AR, DR is greater than equal to 1, which means that auditor's tests can be so weak that there is a 100% chance they will miss a material misstatement. Since the auditee's management relies on the same financial reporting system that produces financial statements to run the firm, most auditees have very strong financial reporting processes because management needs accurate data to run their business. Thus, auditors frequently are auditing auditees with very low RMM. However, given the

43 While this might seem extreme, auditors can set control risk to maximum or 100% if they feel that the auditee's controls are so poorly designed that they don't want to rely on them to provide any assurance that a material misstatement doesn't exist in the financial statements.

uncertainties involved in assessing RMM, audit standards do not allow auditors to eliminate audit tests altogether regardless of how low the auditor assess RMM.

Risk Model Summary

The core issues that to internalize at this point are that auditors set a level of AAR, assess the auditee's RMM by assessing IR and CR and combining them, and then determine how much testing they have to do to generate a DR low enough to achieve their AAR. Auditors control AAR and the amount of testing they do (DR), but only assess the strength of the auditee's financial reporting process (RMM = IR * CR). One final issue we need to address is how auditors actually apply the risk model in practice. One of the benefits of the risk model is that it allows auditors to make quantitative assessments of risk and combine them precisely, however, auditors rarely use the model quantitatively. Typically, auditors assess risk qualitatively and then use audit firm-based rules to combine the qualitative assessments. For example, auditors might assess inherent or control risk at three or four levels, high, moderate, low, or very low, and then set audit risk using the same terms. Then, they will use a set of decision rules to determine detection risk. Some examples of those decision rules include:

Example Audit Risk RMM (Inherent * Control)

Detection Risk

1 Very Low High Low 2 Low Moderate Moderate 3 Moderate Moderate Moderate

The rationale for not assigning probabilities to these risks is that probabilities are too hard to determine and auditors do not have a good sense for how to think probabilistically. This is a major weakness in current audit practice and it undermines the usefulness of the audit risk model. Also, when we get to using statistical testing approaches, auditors will need to state the detection risk level for each audit procedure for which they will use statistical testing as a percentage to calculate a sample size.

Audit Planning and Inherent Risk Assessment

Summary

The chapter presents a high-level overview of the major steps in the audit process and how auditors plan audits. The specific topics covered include:  An overview of the audit process from client acceptance to the final report.

 The issues that auditors consider before accepting or retaining an audit client and the sources of information they use to make that decision.

 The information auditors gather to gain a basic understanding of the auditee and their environment

 How auditors use preliminary analytical procedures to help gain an overall understanding of the auditee and begin to identify potential risk areas.

 The types and sources of information auditors use to assess inherent risk.

The following diagram displays the major steps in an external audit of financial statements.

44 Arens, A.A., Elder, R.J., Beasley, M.S., and Hogan, C.E. 2017, Auditing and Assurance Services: An Integrated Approach.

This chapter covers the steps in Phase 1 through assessing inherent risk except for setting planning and performance materiality, which the text discussed in the last chapter. The risk model the text presented in the last chapter captures the essence of the audit process, which are the steps auditors take to set audit risk, assess inherent and control risk, and develop a plan to execute the tests needed to reduce detection risk to an acceptable level.

Auditee Acceptance and Initial Audit Planning45

Auditee Acceptance

The first step in the audit process is for the auditor to determine if they want to take on the audit or not, or, if the auditee is a continuing auditee, whether they want to keep the auditee or not. Auditing standards contain significant details on the auditee acceptance process and how auditee acceptance is document. Audit firms need to be selective about the auditees that they accept because of the risk of incorrectly certifying the auditee's financial statements as being accurate when they aren't. In addition, the example in the prior chapter of how the audit risk model is used and what happens to detection risk when an auditee has a weak financial reporting process also illustrate that getting involved with auditees whose systems are so weak that the audit becomes prohibitively expensive. Keep in mind that auditors are for-profit businesses and attempting to audit a weak auditee can become a money-losing proposition. Auditors are required to gather enough evidence to support their opinion regardless of the cost. They can select from less expensive procedures, but they cannot use cost as a reason to gather insufficient evidence to support their conclusions. For example, Sarbanes-Oxley increased the amount of audit work that auditors had to do to execute an audit and, therefore, increased the fees auditors charged. After Sarbanes-Oxley, audit fees of the major firms jumped about 35% in one year. However, since auditors face a substantial risk if they do a sloppy job of auditing, audit firms couldn't just hire enough new, untrained staff to meet the new demand. Thus, the four largest audit firms (Big 4 - PricewaterhouseCoopers (PWC), Deloitte Touche Tohmatsu, Ernst and Young, and KPMG Peat Marwick) turned away new business and resigned from existing auditees. PWC resigned from 20% of their existing auditees because they could not handle the increase in demand for their services. As you might expect, they resigned from the 20% that were their weakest auditees and kept the strong ones. Our point is that taking on, or keeping, an auditee is a serious decision that audit firms carefully consider. Some of factors that the auditor will consider are:  Financial health of the potential client - auditees that are in financial distress represent a

much higher inherent risk for material misstatements than healthy auditees because some material misstatements may result from the intentional efforts by the auditee's management to hide the true financial state of the auditee from the investors and potential investors. In

45 The auditing literature uses the term "client" when describing the "client acceptance" process. We use the term "auditee" to remind us that we are only focused on audit clients in this course and no other type of clients.

addition, the client is less likely to pay the auditors if the client is having financial problems.

 Nature of the potential client's industry - Different industries have different special accounting and business issues that affect the auditor's ability to perform a good audit. If the auditor has no experience with the potential auditee's industry and the industry has some unique features, the auditor may decline the auditee as opposed to spending time training himself or herself in that industry. This criterion may not apply to continuing auditees and to a large firm, like the Big 4, since large firms have enough experience to do business in most industries.

 Integrity of the potential auditee's management - While auditors are supposed to provide an opinion on the auditee's financial statements based on objective evidence, they inherently must rely on the auditee's management to provide them with information for the audit. However, the auditee's management has control over the auditee's financial reporting process and, therefore, the quality of information in it. Therefore, if the auditee's management were intent on deceiving the auditor, an auditor would have a very difficult time detecting the deception. If the auditor feels that the prospective auditee's management is dishonest, that would greatly increase the inherent risk associated with the audit and undermine the auditor's ability to do a competent audit.

 Whether there is a conflict of interest in auditing the auditee - Auditors must remain independent of their auditees and so, if the audit firm has a relationship with the prospective auditee that would impair their independence, they should not take on the auditee. For example, if a senior partner in the audit firm owned stock in the prospective auditee, the auditor probably should decline the auditee.

The auditor would use a variety of information sources to determine whether to take on the auditee. Some of these include:  The prospective auditee's prior auditor. Auditing standards require that a new auditor

communicate with the prior auditor. However, due to confidentiality requirements in the Code of Conduct, the new auditors can't contract the old auditor without the auditee's permission. Auditors are always required to contact the prior auditor before taking on a new auditee. A previous auditor is a good source of information about unique features of the auditee as well as the integrity of the auditee's management.

 Trade business publications for stories about the prospective auditee. These sorts of publications can provide information about the status of the auditee's industry and their competitive position in it as well as the integrity of the auditee's management.

 The prospective auditee's prior financial statements. Financial statements will indicate the current financial status of the auditee and may highlight particular risk areas. For example, an auditee that is struggling to make profits and cash flows would present a greater risk of management manipulation of the financial statements.

 Third parties like the prospective auditee's vendors, bankers, lawyers, and customers. Note that the auditor may need to get the prospective auditee's permission to talk to some of these people because of privacy and confidentiality concerns.

 An internal review within the audit firm to ensure that the auditee has the necessary technical skills to audit the prospective auditee. Normally, audit firms have strong skills in the basic steps of auditing, but may lack knowledge of the prospective auditee's industry or other special circumstances that might undermine their ability to complete a good audit.

 An internal review within the audit firm to determine if they are independent of the prospective auditee. Not all employees of the audit firm need to be independent of the auditee. However, the audit firm needs to determine if they can assemble an audit team that is qualified to execute the audit that consists of employees that are independent of the auditee.

Signing the Engagement Letter

Auditors refer to an audit as an engagement. Like most service providers, auditors want a signed agreement before they begin work. Auditors call the agreement an engagement letter. Auditors use engagement letters for all types of engagements, not just audits. The audit engagement letter's purpose is to clarify with the auditee what work the auditor is going to do; what auditee management's responsibilities are in regards to the audit; and what the auditor is going to charge. Audit engagement letters usually include the following sections:  Services the auditor will provide - This section lists the periods the auditors will audit

and clarifies the objectives and scope of the audit.

 The auditor's responsibilities and limitations - This section discusses the obvious - that an audit isn't perfect and that the auditor's job is to follow generally accepted audit standards and execute due professional care in executing the audit. Thus, this section usually states that the auditor will execute due professional care, but cannot guarantee that they will find all the material misstatements.

 Management's responsibilities - This section reminds management that they are responsible for turning out accurate financial statements and maintaining adequate internal controls. It also states that management is responsible for providing auditors with the documents and other information they need to perform the audit and to do so on a timely basis. This section also states that if the auditee publishes or files the financial statements that include the auditor's report, they must notify the auditor so that the auditor can review those documents or filings. This is a new requirement under Sarbanes-Oxley. Auditors now are required to review any document or electronic filing that contains their opinion to ensure that the opinion is still valid and the auditee is not misusing the report. Management is required to tell the auditor whenever they use the audit opinion so that the auditor can fulfill this responsibility.

 Identification of applicable financial reporting framework - In most cases, audits of US registered firms will use US GAAP as the framework. However, for international firms it could be International GAAP. There are other financial reporting frameworks as well, but this text focuses on US GAAP.

 Description of the form and content of the report - In most cases, the form and content of the report will conform to the standards discussed previously in this text. Auditors can also issue other specialized reports. However, this text's coverage is limited to the basic

types of reports covered above. This section also includes a statement that the auditor cannot guarantee the nature of the report or opinion will eventually issue.

 Timing and fees - This section discusses the timeline the auditor intends to use to complete the audit and how they will calculate their fees.

The auditors prepare the engagement letter and signs it. They then present the engagement letter to the auditee for the auditee's signature. Once signed, the engagement letter represents a contract between the two parties.

The following is an example of an audit engagement letter for an audit of general purpose financial statements prepared in accordance with accounting principles generally accepted in the United States of America, as promulgated by the Financial Accounting Standards Board. This letter is an example and not authoritative. It is intended to be a guide that may be used in conjunction with the considerations outlined in this Statement on Auditing Standards. The letter will vary according to individual requirements and circumstances and is drafted to refer to the audit of financial statements for a single reporting period. The auditor may seek legal advice about whether a proposed letter is suitable. To the appropriate representative of those charged with governance of ABC Company: [The objective and scope of the audit] You have requested that we audit the financial statements of ABC Company, which comprise the balance sheet as of December 31, 20XX, and the related statements of income, changes in stockholders' equity, and cash flows for the year then ended, and the related notes to the financial statements. We are pleased to confirm our acceptance and our understanding of this audit engagement by means of this letter. Our audit will be conducted with the objective of our expressing an opinion on the financial statements. [The responsibilities of the auditor] We will conduct our audit in accordance with auditing standards generally accepted in the United States of America (GAAS). Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement. An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. The procedures selected depend on the auditor's judgment, including the assessment of the risks of material misstatement of the financial statements, whether due to fraud or error. An audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of significant accounting estimates made by management, as well as evaluating the overall presentation of the financial statements. Because of the inherent limitations of an audit, together with the inherent limitations of internal control, an unavoidable risk that some material misstatements may not be detected exists, even though the audit is properly planned and performed in accordance with GAAS. In making our risk assessments, we consider internal control relevant to the entity's preparation and fair presentation of the financial statements in order to design audit procedures that are appropriate in the circumstances but not for the purpose of expressing an opinion on the effectiveness of the entity's internal control. However, we will communicate to you in writing concerning any significant deficiencies or material weaknesses in internal control relevant to the audit of the financial statements that we have identified during the audit.

100

[The responsibilities of management and identification of the applicable financial reporting framework] Our audit will be conducted on the basis that [management and, when appropriate, those charged with governance]46 acknowledge and understand that they have responsibility

a. for the preparation and fair presentation of the financial statements in accordance with accounting principles generally accepted in the United States of America; b. for the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error; and c. to provide us with

i. access to all information of which [management] is aware that is relevant to the preparation and fair presentation of the financial statements such as records, documentation, and other matters; ii. additional information that we may request from [management] for the purpose of the audit; and iii. unrestricted access to persons within the entity from whom we determine it necessary to obtain audit evidence.

As part of our audit process, we will request from [management and, when appropriate, those charged with governance], written confirmation concerning representations made to us in connection with the audit. [Other relevant information] [Insert other information, such as fee arrangements, billings, and other specific terms, as appropriate.] [Reporting] [Insert appropriate reference to the expected form and content of the auditor's report. Example follows:] We will issue a written report upon completion of our audit of ABC Company's financial statements. Our report will be addressed to the board of directors of ABC Company. We cannot provide assurance that an unmodified opinion will be expressed. Circumstances may arise in which it is necessary for us to modify our opinion, add an emphasis-of-matter or other-matter paragraph(s), or withdraw from the engagement. We also will issue a written report on [Insert appropriate reference to other auditor's reports expected to be issued.] upon completion of our audit.

46 "Those charged with governance" usually means the audit committee of board of directors.

101

Please sign and return the attached copy of this letter to indicate your acknowledgment of, and agreement with, the arrangements for our audit of the financial statements including our respective responsibilities.47

Selecting the Audit Team

Structure of the Core Audit Team

Once the auditor and auditee have signed the engagement letter, the auditor begins the process of planning the audit. The first step is to assemble an audit team to perform the audit. The audit team needs a balance of more experienced and less experienced personnel. Most audit firms are partnerships and so the most senior members of the audit team will be the partner in charge of the audit. While a large audit team may have more than one partner, it will only have one partner in charge. The audit firm may bring other partners on to the engagement, but they normally just provide technical support. States historically have required that audit firms structure themselves as partnerships where the partners are the owners of the firm and are individually liable for the actions of the firm. When you know that you are putting your house and all your personal assets on the line when you sign an audit report, you attend to the details. In the last decade or two, states have allowed audit firms to be structured as limited liability partnerships (LLPs). LLPs limit a partner's liability a little. In an LLP, the audit partners are still personally liability for the jobs on which they are the partner in charge, but are not liable for the actions of other partners within the firm. In a general partnership, all partners are personally liable for the actions of all the other partners on all the audit firm's jobs. In an LLP, they are only liable for their own jobs. The point of this discussion is to highlight that the partner in charge of the engagement has many responsibilities and has the ultimate say over how the engagement is run, largely because they are personally liable for the results. Thus, each engagement only has one partner in charge. Below the partners are the audit managers. The managers are in charge most of the audit planning and execution and usually have five to ten years of experience. While the audit partner usually negotiates with the auditee; signs the engagement letter; makes key decisions during the audit; and signs off, for the firm, on the audit report, the manager runs the engagement. Large engagements may involve more than one manager, but usually only one senior manager who reports to the partner. The audit managers supervise audit seniors and juniors. Audit juniors are new hires with less than three years of experience and audit seniors usually have two to five years of experience.

47 AICPA. 2012. AU-C Section 210 - Terms of Engagement. https://www.aicpa.org/research/standards/auditattest/downloadabledocuments/au-c-00210.pdf. Downloaded 7/26/2016.

102

Audit seniors supervise portions of the audit work in the field, but juniors and seniors are the audit team members that do most of evidence gathering and initial evidence evaluation for the audit. When audit firms select the audit team, they need to screen for any independence problems and look for team members that are familiar with the auditee's industry or other special circumstances. The text discussed independency issues in a prior chapter on the Code of Conduct. Audit firms need to review the financial holdings and relationships of each member of the audit team to ensure that the Code's and PCAOB independence standards apply to all members of the team.

Assess the Need for Outside Experts

Finally, the audit team also may contain technical specialists for specific portions of the audit. These experts may come from within the firm or involve bringing in outside experts. One common technical specialist would be a computer and information systems expert to assist the audit team in assessing the auditee's electronic information systems. For example, a high percentage of firms today have websites that they use to make sales. Most audit teams would include someone with experience and training in auditing the security of websites. Most larger audit firms have technology experts within the firm that support the core audit team. Audit firms sometimes need to go outside the firm to hire outside experts in technical areas to assist them with the audit. For example, a smaller audit firm may not have an information technology expert on its staff. Another example would be an audit firm that was auditing an oil and gas company. The firm probably would not have a geologist on its staff and would need to hire an outside geologist to help verify the value of the auditee's oil and gas reserves that were still in the ground.

Understanding the Auditee

Auditors need a thorough understanding of the auditee and its environment to assess various audit risks and plan the audit properly. There is some overlap between the material in this section and the material in the client acceptance section. The issues auditors review to accept an auditee are very similar to those they review as part of the audit planning process. However, once they have accepted the auditee, they will have far more access to information because of the engagement letter and the responsibility that the letter places on management to cooperate with the auditor. The main issues the auditor considers when developing an understanding of the auditee are its industry and external environment, business operations and processes, management and governance, objectives and strategies, and how it measures performance. The following sections will cover each of these in turn.

Industry and External Environment

There are three main reasons and auditor needs to understand the auditee's industrial and external environment.

103

 Some industries involve greater risks of litigation and other consequences for an audit

failure, which affects the auditor's assessment of acceptable audit risk. For example, firms in the financial services and health insurance industries are subject to significant scrutiny by regulatory agencies and financial statement users. The increased scrutiny could increase risk and consequences of an audit failure requiring the auditor to lower the acceptable audit risk.

 Industries have risks that are unique to their industry and common to firms within the industry that affect the auditee's business risks. Although an auditor's main concern are material misstatements in the financial statements, when an auditee faces business risk that make it harder to compete and be profitable this puts pressure on management to manipulate the financial statements to show users that they are succeeding in their industry. In addition, different industries face risks directly related to the financial statements. For example, some industries face more rapid inventory obsolesces or tend to serve customers with weaker credit worthiness. These factors affect the valuation of inventory and accounts receivable, respectively, on the financial statements, which would affect the auditor's assessment of inherent and control risks for those account.

 Many industries have accounting principles that are unique to that industry. For example, construction companies tend to use percentage of completion methods to value work in progress much more extensively than most other industries. Thus, the auditor of a construction contractor would need to have a thorough understanding of the application of percentage of completion accounting to revenue recognition and costing.

Business Operations and Processes

Auditors need to understand the auditee's unique way of business. That is how they produce their goods or services and how their accounting system captures the specifics of transactions. There are two general tools auditors use to gain an understanding of auditee-specific issues like this.

Tour the Auditee and Interview Key Personnel

Touring the auditee's facilities and interviewing key personnel is an excellent tool to understand the auditee. This gives the auditor first-hand knowledge of auditee's business processes and information flows. Along the way, the auditor can interview key personnel to enhance their understanding of the specifics and the rationale behind how the auditee has structured their operations. Auditors usually spot risks to material misstatement along the way that they can use to develop specific inherent and controls risk assessments for individual accounts and transaction processes as well as develop possible testing methods appropriate to the specifics of the auditee's operations.

Identify Related Parties

GAAP requires that firms disclose related party transactions in their financial statements. Related parties are other firms and their management that might be able to influence the actions of the auditee or who the auditee might influence. Related parties can be unconsolidated subsidiaries of the auditee, large customers or vendors, and firms with overlapping ownership or

104

members of the board of directors. Related parties also can be individuals like major stockholders in the auditee. Because of the close relationship between the auditee and related parties, any transaction between the auditee and related party may not be "arm's length" and therefore may differ from how that transaction would be valued and structured if the parties were independent of each other. For example, an auditee may be able to purchase inventory from a related vendor more cheaply than from an independent vendor or may be willing to pay a higher price to benefit the related vendor. Identification of related parties can be difficult. However, auditors might gain some information from their tour and interview process. In addition, auditors review the auditee's holdings in other firms as well as the holdings of key management personnel. They might also gain some insights by reviewing board of director's meeting minutes and correspondence files.

Management and Governance

The text will come back to issues of management and governance in more detail when it discusses assessing the auditee's internal control environment. The key issue is that firms are hierarchies with a board of directors at the top followed by top management personnel. Firms establish corporate structures involving lines of authority and policies and procedures to ensure that the employees of the firm carry out the directions of the board and management. The board's and management's operating styles and risk preferences can have a strong effect on the risk of material misstatement. For example, if management has a high tolerance for risk, they may have the firm engage in risky transactions that could be hard to value or that could put pressure on employees to manipulate financial results to show that the risks were worth the rewards. Two major sources of information about the auditee's management and governance are.  Code of conduct or ethics. Most firms have written codes of conduct or ethics. These

statements make clear to the employees what management's attitudes are about how they and employees are to act. The content of these codes tells the auditor a lot about management integrity. However, they also can be shams that are not enforced or followed by top management. Auditors can gain some insights on management's attitudes toward the code while interviewing auditee personnel.

 Board of director's minutes. The Board of director's minutes contain summaries of the board's discussions, often with top management, about major transactions and initiatives. Auditor should review these minutes to help determine things like management's risk appetite and attitude towards ethical issues.

Objectives and Strategies

Top management and the board set the major objectives for the firm to accomplish and identify the strategies they want the firm to follow to achieve those goals. Auditors should understand these objectives and strategies in three main areas.

105

 Reliability of financial reporting - This is fairly obvious. The auditor needs to understand how management tries to achieve reliable financial reporting to help identify both inherent and controls risks that might threaten the reliability of the financial statements.

 Effective and efficient business operations - The effectiveness and efficiency of the auditee's business operations are of concern to the auditor to the extent they can create risks of material misstatement. Inefficient and ineffective business operations can put pressure on management to alter the financial statements to compensate for them so they can present a more favorable impression on financial statements users. In addition, these issues can have a more direct effect on valuation of assets and liabilities. For example, a firm's quality control standards and processes can have a significant effect on how much they should set aside for warrantee claims. In the extreme, the efficiency and effectiveness of business operations can create going concern issues that the auditor may need to include in their audit reports.

 Compliance with laws, regulations, and contracts - The audit needs to become familiar with the laws and regulations that govern the auditee's activities as well as the provisions of contracts in which the auditee engages. Violations of any of these laws, regulations, or contracts can lead to possible liabilities or contingent liabilities that need to be valued and reported properly in the financial statements. For example, the auditors will need to understand the detailed provisions of an auditee's defined benefit pension plan to assess the accuracy of the auditee's reporting of pension liabilities and expenses.

Performance Measurement

How the auditee measures its performance, can affect the risk of material misstatement, as well as provide additional information on the firm's objectives and strategies. These performance indicators frequently involve non-financial measures that have an indirect effect on the risk of material misstatement in the financial statements as well as direct measures like net income and earnings per share. The auditor needs to understand how these performance measures are used and how realistic they are. Some examples of how performance measures include:  Emphasis on meeting financial analyst's expectations. This is a very common source of

risk of material misstatement. If the board of directors puts pressure on management to keep stock prices high by meeting financial analysts' expectations, this will increase pressure on management to alter the financial statements to meet those expectations. The popular business press regularly contains many stories about how a firm used aggressive or inaccurate accounting to raise their earnings per share by as little as one penny.

However, assessing management's incentives here can be very tricky. Most analysts like to see reliably trends in statistics like earnings per share. Many of the tools that management can use to boost earnings per share in the short-term reverse in future periods. For example, if a firm is overly optimistic about the collection of receivables in year 1 it can experience increased bad debt losses in year 2 when auditee doesn't collect those receivables. Sometimes a firm will either experience an unusually bad year or a firm will expect an unusually good year next year. In such cases a firm may want to reduce earnings per share in year 1 by being overly pessimistic about accounts receivable collections; this would then show increased earning in year two when more accounts receivable is collected

106

than expected. This second approach is called setting up "cookie jar reserves." Thus, auditors need to be careful when assessing management's incentives to meet analysts' expectations because those incentives can span more than one year and lead to understated earnings in the audit year.

 Use in compensation contracts - Firms face a dilemma in structuring performance-based contracts for management. They want to align management's incentives with the stockholder's incentives and benefits. One way to do this is to tie management compensation to performance measures that benefit stockholders. For example, reporting earnings usually has a strong effect on stock price and stockholders benefit from higher stock prices. Thus, the firm might link top management's compensation to net income performance. However, management can improve net income with accounting manipulation as well as by making the firm more efficient and effective. Thus, performance-based contracts can create dysfunctional incentives for management and auditors need to be aware of those incentives since they can increase the risk of material misstatement.

Similar issues can arise with non-financial measures as well. For example, if management is compensated based in maintaining or increasing market share, they could have an incentive to engage in activities that lead to premature recognition of sales. The existence of a compensation package linked market share might increase the auditors inherent risk assessment for the sales account.

Preliminary Analytical Procedures

This section presents a broad overview of how auditors use analytical procedures in an audit with particular emphasis on preliminary analytical procedures. Students in this class have differing backgrounds in financial statement analysis thus we have included an appendix to this chapter that provides a detailed approach that builds on a set of common ratios and other analytical tools. This section just presents a top-level summary of an approach to executing preliminary analytical procedures. Students may need to refer to the appendix when answering problems and case analysis questions about specific cases. Auditors use analytical procedures in three ways during the audit.  Preliminary analytical procedures - Auditors employ these at the beginning of the audit

to spot possible risks of material misstatement so they can target those risks with more specific audit procedures.

 Substantive analytical procedures - Auditors use more targeted analytical procedures to provide evidence about specific audit objectives in specific accounts as part of their detailed tests of balances.

 Final analytical procedures - Auditors redo analytical procedures similar to the preliminary analytical procedures at the end of the audit to help spot risk areas the audit might not have addressed. Auditors refer to these procedures as the "smell test."

Preliminary and final analytical procedures tend to be broad and cover all areas of the financial statements. They do not provide direct evidence of material misstatement but are attention-

107

directing tools that help auditors spot risk areas that need further scrutiny. These types of analytical procedures analyze things like changes in ratios from year to year, comparison of ratios to industrial benchmarks, and unusual changes in account balances. Substantive analytical procedures are more focused on specific accounts and provide direct evidence of a possible material misstatement. However, since analytical procedures don't involve direct tests of transactions or items in account balances, they do not provide sufficient evidence by themselves to accept or reject an account balance. Auditors use preliminary analytical procedures to assess the overall financial health of the auditee during the audit planning process. Auditors employ preliminary analytical procedures at two broad levels.  Access the overall health of the auditee - The overall health of the auditee can affect

management's incentives to manipulate the financial statements to alter the picture presented by the financial statements. Firms that are doing well tend to have less risk of financial statement manipulation. However, auditors need to be careful about over generalizing. Firms that are doing well may be more inclined to attempt to set up "cookie jar" reserves to boost future performance. "Cookie jar" reverse understates assets, sales, and/or income in the year firms establish them and overstate the same items in the year they reverse. Excessive "cookie jar" reserves are just as much a violation of GAAP as manipulations that over state things like assets, sales, and income.

 Identify specific risk areas - Auditors also use specific ratios and changes in account balances to identify potential risks in specific accounts. These are attention directing mechanisms and do not provide direct evidence of a misstatement. Auditors use them to build more targeted tests into their audit plans. For example, if a firm's collection period (also known as days sales in receivables) is getting longer but their allowance for doubtful accounts as a percentage of gross accounts receivable is getting smaller, there is a mismatch the auditor should explore.

Sources of Data

In addition to the auditee's basic financial statements, auditors use the following tools to execute a preliminary analytical review of an auditee.  Ratio analysis - Ratios compare two items to each other. They are more powerful tools for

analysis because of this comparison. For example, the fact that a firm's accounts receivable balance has increase significantly from last year doesn't tell the auditor much. However, the collection period or days sales in accounts receivable ratio provides better information because it considers the increase in sales that might have caused the increase in accounts receivable. If accounts receivable is increasing simply because sales are increasing, that is normal and not an audit concern. If accounts receivable is increasing and sales aren't, then the collection period would increase and indicate to the firm that the reason accounts receivable is increasing, is weaker collections not increased sales.

 Common-size and percentage change financial statements - These tools convert the raw numbers on financial statements to ratios. Common-sized financial statements divide all

108

the line item amounts on the financial statements by an overall measure of size (total assets for the balance sheet and sales for the income statement and cash flow statement). Converting raw numbers to ratios has the same advantage as using other ratios does - it eliminates changes in size from the analysis so auditors can identify changes not driven simply by a change in size. When a healthy firm grows or shrinks, it tends to do so proportionately across the board. These statements allow auditors to identify areas that are not changing in proportion to the size of the firm or where the rate of change is changing from year to year.

 Trend analysis - Firms tend to implement multiple- years strategies that produce multiple year trends. While auditors are interested in simple changes from the prior year, they also look at multiple year trends to put one-year’s changes into a broader perspective. The percentage change financial statements are useful for doing trend analysis because they quantify the rates of change from year to year. Common-size financial statements also are useful for trend analysis because the show shifts in item balances over time that are relative to size changes.

 Industrial data - Every industry has its unique features. Thus, auditors need to consider how the industry is changing when attempting to identify unusual changes in a firm's financial statements are ratios. To do so, they will compare the auditee's ratios, common- sized financial statements, and percentage change financial statements to either industrial averages or major competitors in the industry. This is not as simple as it sounds. Defining an industry or finding a direct competitor is very tricky when you have firms that have multiple product lines. For example, Microsoft produces hardware, software, and computing services. No other firm has quite the same balance of these three major product lines as Microsoft does. Microsoft competes with Apple for hardware, with Google for search services, and with firms like Adobe for software.

 General economic data - changes in the general US and global economies have a profound effect on any firm's financial statements and financial health. Academic research has shown that, on average, changes in a firm's performance are 50% caused by changes in the economy, 30% by changes in their industry, and only 20% because of individual actions of the firm. Since the auditor is looking for material misstatements that can only be caused by individual actions of the firm, comparing to general economic data and industrial data can help them isolated firm-specific changes from broader changes in the industry and economy.

 Auditee's budget - Auditors frequently compare a firm's financial statements to the auditee's budget. The budget is the auditee's plan for the year and indicates what the auditee expected to accomplish during the year. If the auditee misses their budget targets, this could indicate a possible misstatement in the actual amounts or inaccurate expectations by the auditee. Auditors would tend to investigate material differences to determine which was the cause of the difference.

 Ad hoc calculations - Auditors can apply the calculations described thus far to any account in any auditee's financial statements. In addition to these general tools, auditors can do ad hoc calculations that help develop expectations for specific accounts for specific auditees. For example, if an auditor were auditing a cable television company and wanted to verify the cable company’s accounts receivable, they probably would not try to confirm

109

accounts receivable balances with the cable firm's customers because there may be millions of customers, each of whom only owes the cable company a small amount. The auditor could do a reasonability check on the accounts receivable balance by calculating the average monthly bill for the cable firm's customers and multiplying that times the number of customers to determine what the cable firm's accounts receivable balance would be if customers, on average, owed one month's fees to the cable company. Since ad hoc analytical procedures are focused on single accounts or groups of related accounts, auditors tend to use them more for substantive analytical procedures.

The bulk of this section covers each of these tools in depth and presents a strategy for using these tools to perform a preliminary analytical review of an auditee's financial statements. The following diagram presents the process auditors use to implement all levels of analytical procedures. Its wording focuses more on substantive analytical procedures, but auditors use the same approach for preliminary and final analytical procedures. For these two types, the result is not acceptance or rejection of an account, but developing additional tests or not.

110

Develop an Expectation

Since a rich variety of factors can affect how an account balance will vary over time and because of economic conditions, auditors use a variety of tools to develop an expected account balance. One key issue for developing expectations is to build them independently of the auditee's unaudited account balance. That is, auditors should develop their expectations without peeking at the auditee's current balances. Otherwise, the auditor's expectations will naturally tend towards the auditee's balance and, thus, bias the auditor's expectations in favor of not spotting problems. Since all the tools used for analytical procedures are based on the auditee's financial statements, this is hard to do. However, focusing on ratios, common-sized financial statements, and

111

percentage change financial statements hides the underlying balances and reduces the tendency to confirm the auditee's results. To develop an expectation, the auditor would review all the sources of information mentioned above to try to isolate trends or other differences that (s)he believes would lead to the current year's account balance. Developing these expectations is a complex task that requires experience and judgment. Auditors can use more advanced statistical tools, like regression analysis, to help develop expectations, but there is no substitute for auditor judgment based on a rich understanding of how the auditee's business runs to develop good expectations.

Define a Tolerable Difference

Next, the auditor needs to determine how big a difference between the expected balance (s)he has developed and the auditee's actual balance matters. Auditors do not have unlimited resources and so they need to focus on material misstatements and not all possible misstatements. The term "tolerable difference" is virtually identical to tolerable error except that auditors use "tolerable difference" when referring to substantive analytical procedures and "tolerable error" to refer to statistical sampling techniques, which is another form of substantive tests. They also develop tolerable differences for preliminary and final analytical procedures to set a cutoff level for additional investigation.

Compare Expectation to Actual and Investigate

Once the auditor has an expectation and a tolerable difference, (s)he needs to compare the expectation to the auditee's unaudited balance and determine if the difference is larger than their tolerable difference. If it isn't, then the auditor can move on to other accounts. If the difference is larger than his/her tolerable difference, (s)he needs to investigate further. If the difference is larger than the tolerable difference, the auditor needs to determine if his/her expectation is at fault or whether the auditee's balance is at fault. Thus, (s)he would need to review their expected balance and how they built it to determine how much confidence, they have in their expectation. If (s)he remains confident in his/her expectation, the auditor would perform some audit procedures on the auditee's balance to determine if it contains a material misstatement. In practice, the auditor's first step would be to ask the auditee about the difference and then perform audit procedures to determine if the auditee's evidence supports the auditee's explanation.

Draw Conclusions

Finally, the auditor needs to pull all the evidence together and decide whether the original expectation was flawed in some way, probably due to lack of evidence, or the auditee's balance is flawed and needs to be adjusted. As you can see, these types of analytical procedures are imprecise, but cheap and easy to perform. They provide a reasonability check for the auditee's account balances. For example, if the auditor used the ad hoc calculation as described above and found that the cable firm's reported accounts receivable balance was much higher than the auditor estimated, the auditor

112

probably would test some of the individual balances that make up the cable firm's accounts receivable balance to try to determine why the reported balance was much different than the estimated balance the auditor had calculated.

Assessing the Auditee's Financial Health

This section presents a broad overview of the major factors that contribute to a firm's operating and financial health: operating performance, cash management, and financial position. Since students may vary in their background in financial statement analysis, we have included an appendix with this chapter that covers common ratios and other financial analysis tools in detail for students to use to refresh their memories (See the appendix to this chapter). Operating performance analysis focuses on how well the auditee is using its resources to generate return on the owners' investment. For example, several of the operating performance ratios relate the amount of profit generated by the production function to the size of the auditee's investment in productive assets or the amount of inputs used to generate those profits. The most common of these is return on investment, which relates net income to the amount of the owners' investment. Financial position analysis focuses on how well the auditee is managing its financial function. This usually means how well it is able to meet its financial obligations (i.e., pay its bills) and how it is raising outside capital. Financial position analysis also includes a judgment of the auditee’s effectiveness in generating the cash it needs to finance its operations. Cash flow analysis is the "bridge" between operating performance and financial position. Over time, auditees must generate profits from operations to generate cash to pay their bills and so a strong financial position ultimately depends on a strong operating performance. Just generating strong profits, however, is not enough. Auditees need to be able to convert those profits to cash in a timely manner to create a strong financial position from a strong operating position. Conversely, auditees can use short-term strategies, like selling off their inventories that will generate positive cash flows in the short term even though they are not making profits. If, however, they reduce their inventory levels too much, they could end up losing sales and making their operating performance even worse, thus eventually leading to a weak financial position.

Analysis Strategies

General Approach

The trick to a good analytical review of an auditee is to understand what the ratios and other statistics mean about how the auditee is functioning as a whole. The following figure organizes the indicators described in detail in the appendix into a causal structure that presents how they fit together. A high-level review of that material is presented here. If you are not familiar with the ratios and other data included in this section, you can review the appendix for more details.

113

Figure 1 - Causal Structure Underlying Financial Analysis ROE

Net Income Owners' Equity

ROA Net Income Total Assets

Profit Margin Net Income

Total Revenues

Gross Profit Margin

Gross Profit Total Revenues

S., G., & A. and Other Stuff

Total Revenues

Asset Turnover Total Revenues

Total Assets

Leverage 1

Owners' Equity Total Assets

Financial Position

Long-term Long-term Debt/Equity Total Debt/Equity

Short-term Current Ratio Quick Ratio

Major Sources and Uses of Cash

Operating Cash Flows

Cash Conversion Cycle

Direct, mathematical relationship between

Indirect influence

114

Return on equity (ROE) is at the top level of an analysis because it represents the ultimate goal of a for-profit auditee. ROE is determined, however, by both the auditee's use of leverage and its return on assets (ROA). ROA measures how effectively it generates profits from its assets and leverage measures the proportion of those assets provided by the owners. ROA is determined by the auditee's profit margin and asset turnover. Profit margin, in turn, is determined by how effective the auditee is in its core production function (Gross Profit) as well as controlling its other expenses (S., G., & A. and Other Stuff). These operating performance relationships are also mathematical. That is, you can directly calculate one statistic given the statistics that determine it. The financial position relationships on the right-hand side of the figure are not mathematical, but still represent strong, causal relationships. The arrow from Profit Margin and Asset Turnover to the Cash Conversion Cycle represents the fact that, ultimately, strong cash flows start with strong profits. The Cash Conversion Cycle measures how well profits are converted to cash and flow into operating cash flows. Operating cash flows are a major source of cash, but not the only source or use. Therefore, to determine what drives an auditee's financial position, both short and long-term, the auditor needs to review all of the auditee's major sources and uses of cash. How the auditee manages its cash ultimately determines what its financial position will be, and one major component of that financial position is the extent of leverage, thus the circle is complete.

Indicators of Strong Auditees

Stability over time

Stability over time in a variety of ratios and statistics indicates that the auditee has reached a balance in its operations and can maintain that balance through good planning and management. This observation is true under two conditions: the balance is at a high level of performance and the industry in which the auditee functions is stable. Stability at a low level of performance indicates failure to rectify poor practices and usually is not observed for more than a few years because the auditee will usually go out of business. Lack of stability in a volatile industry may not indicate bad management because even a well-managed auditee is heavily influenced by what is happening in its industry.

Proportional growth

"Stability," as discussed in the item above, does not mean lack of growth; it means stability in the ratios that relate components of the auditee's financial statements to each other. Since healthy growth is usually proportional, ratios that relate components will be stable. For example, if sales and inventories are both growing rapidly, but proportionally to each other, days inventory will remain the same.

Outperforming the industry

Since industrial averages are averages of all auditees in the industry, not just the good ones, a strong auditee should usually outperform the industry on key indicators for operating performance and financial position. Return on equity is a broad measure of performance and can be compared across industries as well as within an industry. Industrial data needs to be

115

considered in light of several drawbacks. First, auditees in the same industry can adopt different strategies that are equally successful. For example, one auditee may target high profit, low volume business while another auditee may target the opposite. In addition, one auditee may decide to use leverage to a greater extent than another in financing its activities, thus incurring greater risk but also greater returns to its owners. Finally, auditees can organize themselves in other ways that differ. For example, McDonald's does most of its business via franchising arrangements while the bulk of the industry it is in does business through ownership arrangements. Second, modern auditees tend to be diversified and yet are only classified in one industry. For example, McDonald's is not in the same industry as defined by its SIC code48 as Burger King because Burger King is a wholly own subsidiary of Pepsi and the results of Burger King's activities are consolidated with Pepsi's and reported in the same industry with Coca Cola. These problems aside, comparisons to industrial averages can still provide valuable information in assessing the performance of an auditee. These comparisons, however, need to be taken in the context of the rest of a total analysis.

Balanced Management

Profit and utilization

Strong return on assets can be achieved through two opposite strategies: high volume and low profit or low volume and high profit, or somewhere in between. This is why there are no fixed benchmarks for either profit margin or asset turnover statistics. Analysis of these two statistics should be done within the context of the ROA they generate.

Financial position and operating cash flow

Auditees can insure that they have the resources to pay their bills in two general ways: by having sufficient assets on hand to cover their liabilities or by having a strong operating cash flow from which to draw the funds needed to pay their bills. Since the health of their operating cash flows ultimately depends on net income, any analysis of financial position must also include a general assessment of the strength and stability of the auditee's operating cash flows and, ultimately, operating performance. Although an auditee may not have a strong current or quick ratio, or even debt-to-equity ratio, if they are profitable and have strong operating cash flows, their financial position may be quite strong. Auditees normally try to minimize their current assets because these assets do not produce income. What produces income is using their property, plant, and equipment to produce 48 SIC stands for Standard Industrial Classification. It is the scheme used by the US Securities and Exchange Commission to classify auditees into different industries. An SIC code is hierarchical and can contain up to four digits. That is, the first digit represents the broadest classification level and the second through fourth digits further refine auditees within the categories represented by the higher-level digits. We use four digit SIC codes to select the industrial data presented in the course.

116

things that sell at a profit. Having large amounts of assets in cash, short-term investments, accounts receivable, and prepaid expenses may provide resources to pay their bills, but these assets don't generate profits. The one exception is inventory. Most auditees need a certain level of inventory to ensure that they have the goods customers want when the customer wants them so too low an inventory level may lead to lost sales.

Leverage and financial risk

Since the owners of the auditee own the net income of the auditee and since producing things at a profit with the auditee's assets generates net income, the larger proportion of those assets that can be financed with borrowed money, the greater the amount net income that will be left over for the owners. The example earlier in the chapter illustrated how increasing leverage can increase ROE given the same ROA and net income, but it also illustrated that to do so, the auditee must incur higher levels of debt, thus increasing the risk that that debt may not be paid.

Diagnosing Change

The causal relationships in Figure 3 also are helpful in diagnosing cause of change in operating performance and financial position indicators. The following discussion illustrates that point.

Profitability

Since one key attribute of a healthy auditee is stability at strong levels of performance, volatility may be a sign of problems. Weak or volatile profit margins (gross and total) are best diagnosed with the common-sized income statement and the percentage change income statement. The common-sized income statement helps diagnose why profit margins are changing. A scan of the relative percentages of the major expenses should tell you what is causing declines or variations in profit margins. Just look for the expenses that are increasing or fluctuating. That is, auditors can use the common-sized income statement to identify which income statement components contributed to the any changes in the profit margin and how much they contributed in percentage points. One key observation from the percentage change income statement is the rate of growth or decline in total revenues, sales, or net sales, whichever number is being used at the top of the statement. Revenue declines are usually a sign of problems.

Cash flows

A key link between operations and financial position is cash flow from operations. Like all components, cash flow from operations should grow in proportion to the size of the auditee. Because the indirect method cash flow statement does not have any good measure of auditee size, the best way to determine how operating cash flows are tracking is to compare them with net income. Operating cash flows should roughly approximate net income plus depreciation. If they do not or there is significant volatility in operating cash flow, then you should scan the adjustments between net income and operating cash flows to determine the source of the variation.

117

In addition to reviewing operating cash flows, auditors should usually scan for an auditee's major sources and uses of cash over time. The largest source should be operating cash flows. Beyond that, the other major sources tend to come from financing: either stock sales or borrowings. Since stock sales and major borrowings usually do not occur every year, many auditees use short-term investments as a temporary storage location for cash (i.e., parking cash) that is raised from major financing sources (stock or borrowing) until it is needed for investment in property, plant, and equipment. New net investment in productive capacity should be the largest use of cash for a healthy auditee.

Overall Summary

This chapter presents the evaluation of an auditee in a systematic flow. It starts with overall operations, looks at the components of those operations, and then moves on to financial position and cash management. The logic is that, over the long term, auditees must be profitable to survive. Profitability, however, is not enough. They must also be able to turn profits into cash to use as a major source of financing for new property, plant, and equipment purchases. Healthy operations and healthy cash management should lead to strong financial position, although as noted in the section about balancing financial position and operating cash flows above, an auditee can have a strong financial position without having strong financial position ratios.

Substantive and Final Analytical Procedures Revisited

The bulk of this section has presented analytical tools for assessing an auditee's operating performance, cash management, and financial position. The focus of this discussion was to uses the tools presented to "tell a story" about how well the auditee was doing on each of these dimensions and why. This sort of analysis is what auditors use to do preliminary and final analytical procedures. These goals of preliminary and final analytical procedures are to assess any high-level risk that the financial statements may be misstated when taken as a whole. Auditors also use the same tools to develop expectations for account balances when performing substantive analytical procedures. Auditors use substantive analytical procedures to develop expected account balances that they use to compare against the auditee's unaudited account balances. For example, if an auditee's profit margin jumps suddenly from the prior year, an auditor would use the common-sized income statement to determine if the change was caused by a sudden change in one of the line items of the income statement. If one of the line items did change suddenly and that change accounts for a significant portion of the change in the profit margin, then the auditor would probably investigate that line item to determine why it changed so suddenly by asking management for an explanation and/or doing some targeted auditor procedures on that account. However, auditors also perform ad hoc calculations on individual accounts to establish expectations. We have illustrated one of these in the discussion above. We did not attempt to provide further examples and discussion of these procedures because they are so specific to the account and auditee's individual circumstances that general rules are hard to develop and present. Auditors develop ad hoc calculations by studying the processes the auditee uses to develop an

118

account balance and determining how to calculate a reasonable expected balance for that account given the auditee's processes.

Inherent Risk Assessment

General Sources of Inherent Risk

Assessing inherent risk is inherently judgmental. There is no standard rule or algorithm that can take a listing of relevant factors from an auditee and convert that to an inherent risk assessment. This is probably the major reason why auditors don't try to assess inherent risk in terms of a percentage likelihood that the auditee's information system will produce a material misstatement irrespective of the auditee's internal controls. Instead, auditors will classify the firm's inherent risk into a category; usually high, medium, low, or very low. Nor have auditors attempted to assign probability ranges to these categories to facilitate creating a probability to plug into the audit risk formula. However, auditors can look for inherent risk factors for the auditee and build a body of evidence that supports their categorization of the auditee's inherent risk. Auditors also need to assess inherent risk at two different levels: firm-level and account and audit objective level. This chapter only covers firm-level inherent risk. The text will present account/audit objective-level inherent risk issue in the chapters devoted to different transaction processes. Firm-level inherent risk factors have a broad, but indirect, effect on the risk of material misstatement in a particular account balance. That is, the presence of firm-level inherent risk factors creates an increased likelihood that several account balances affected by more than one class of business processes may contain a material misstatement. For example, if the firm's management is under extensive pressure from the capital markets to meet analysts’ expectations for their year-end earnings per share statistic, this pressure will increase the likelihood of material misstatement in any account that would increase earnings per share, which would include things like asset valuation, revenue recognition, and expense recognition. An example of an account-level inherent risk would be an economic collapse in the auditee's customer's markets. Such a collapse would increase the risk of a material misstatement in the allowance for doubtful accounts balance due to an understatement of the risk that the auditee's customers might not be able to pay their bills. The line between a firm-level risk and an account-level risk can be fuzzy. While the distinction is useful to help auditors be complete in their consideration of factors that affect inherent risk, it isn't critical to assessing inherent risk. That is, the auditor ultimately will apply the audit risk model to individual accounts or groups of related accounts because they will use their inherent risk assessment to determine detection risk. In turn, auditors achieve their desired level of detection risk by running tests on account balances. Thus, auditors manipulate detection risk at the account level and, therefore, need to assess inherent risk at the account level. However, both firm-level and account-level factors affect an account's inherent risk level. The following sections present annotated checklists of factors that can create firm-level inherent risk for an auditee. Following is a list of factors and a sentence or two on each one that explains

119

how it can create inherent risk. The factors are broken into two categories: external and internal. External factors are factors in the auditee's environment that they cannot control that create potential risk of material misstatement. Firms can control these factors in the sense that they can alter their activities to adjust for these risk factors. However, they usually can't directly alter the existence or magnitude of the risk factor. Internal factors are factors that the auditee can control because they are based on how the auditee has chosen to do business.

External Environmental Factors

Industrial Factors

 Level of competition in the auditee's industry - high levels of competition, either for customers or for suppliers, put pressure on the firm in two ways. First, by increasing pressure on management to manipulate the firm's financial statements to improve the impression they leave on investors and, thus, keep the firm's stock price higher. Second, competitive pressures can alter management's focus on operating issues rather than financial reporting and controls issues. Management may redirect the firm's resources away from accounting and control activities to operating activities in a short-term attempt to boost the firm's performance. Managers may perceive accounting and control issues as "overhead" to be minimized and they may not appreciate the effect inaccurate financial information may have on the firm's longer-term performance.

These competitive pressures can come from either the customer side or the supplier side. That is, most firms compete for customers. However, some firms also have to compete for limited supplies of raw materials or labor. For example, high-tech firms, like bioengineering firms, need to complete for highly skilled workers. Competition for supplies of materials and labor places management under pressure in the same way as competition for customers does.

 Seasonal or cyclical activity - Firms in industries with strong seasonal or business cycles need to adjust their activities accordingly. Failure to do so may increase the risk of material misstatement in the financial statements. For example, retailers normally generate 40% of their annual revenues in the month between Thanksgiving and Christmas. If the firm doesn't increase staffing to handle the increased need to process these sales transactions, it could face increased risk of material misstatement due to understaffing in key financial reporting and transaction processing activities.

 High tech production processes or products - Complex production processes inherently create complex accounting issues. In addition, new types of production processes require time for the firm's accounting system to develop appropriate accounting procedures and valuation methods. Thus, there are two factors at play here: complexity and change. Both of these factors increase the inherent risk of material misstatement.

Regulatory Factors

 Complex or judgmental accounting practices - This point is related to the industrial factors discussed in the above paragraph. Complexity and change in the way an industry functions can create complex accounting procedures and GAAP rules that are specifically targeted at

120

an industry. Also included here is the requirement for management judgment, usually in valuing transactions. The nature of products and other assets employed by some industries makes valuing those products or assets more difficult and can create the need for management judgment. For example, inventory values in an industry that is rapidly changing may be more sensitive to the lower of cost of market rule and may require substantial management judgment to determine if the net realizable value of the inventory is lower than the cost. Again, the level of complexity and the need for judgment both increase the inherent risk of material misstatement in the financial statements.

 Specific governmental regulation in for the industry - Some industries are more heavily regulated by governmental agencies than others are. For example, public accounting is heavily regulated by state governments who determine who may practice as a certified public accountant. The Federal government and state governments also heavily regulate the banking and savings industries to help insure the safety of people's savings and investments. Some of these regulations are straightforward and easy to follow while others are quite complex.

Since there are serious penalties associated with violating these regulations and since these penalties frequently are assessed against management personnel, the existence of government regulation can create incentives for managers to circumvent them. Auditing standards do require that auditors insure that their auditees are not violating regulations. The reason is that violating regulations can create financial penalties and potential future liabilities that the auditee should disclose in their financial statements and footnotes. In addition, the more complex and extensive the regulation, the more difficult it is for the auditee to comply with them, thus increasing inherent risk.

 Governmental fiscal and tax policies - In addition to regulation, governments provide tax incentives, subsidies, and other forms of financial support for selected industries. To the degree that value of these provisions depends on financial information provided by the auditee, the existence of these provisions can create incentives on management to manipulate the firm's financial results. In addition, the more complex and extensive these provisions are, the more difficult it is for the firm to comply with them properly, thus increasing the inherent risk of financial statement material misstatements.

Economic Factors

 Health of the general economy - If the economy is strong, then pressure on management to perform is reduced because achieving strong performance is easier. When the economy begins to turn down, managers are under increasing pressure to maintain the firm's performance in spite of the economic downturn. Many of the recent cases where firms have run into accounting problems occurred just as the recession of 2008 was starting. Historically, this is very common. Whenever the economy softens, the incidence of accounting and financial reporting problems tends to increase.

 Interest rates - Changes in the market rates of interest can have a significant impact on a firm's ability to afford to raise capital by borrowing money. Thus, rising interest rates can put pressure on a firm to maintain performance in the face of rising costs, which can increase pressure on management and increase inherent risk.

121

 Inflation - Low levels of inflation make it much easier for firms to budget and forecast. High levels of inflation create uncertainty and put pressure on managers to insure their prices keep pace with their increased costs. Thus, high levels of inflation can increase pressure on managers and, thus, increase inherent risk.

 Changes in foreign exchange rates - Today most firms do business internationally. This means that many of their transactions are executed in a foreign currency and must be translated into a local currency to produce financial statements. Rapid changes in exchange rates make it harder to make those conversions correctly. In addition, changes in exchange rates can affect the demand for a firm's products or the costs of their labor and raw materials.

For example, the US dollar has increased in value over the last few years against just about all the other major currencies in the world because the US is now the most rapidly growing developed economy in the world. This means that US firms have tended to sell fewer products overseas because their products' prices are stated in US dollars and, thus, become more expensive as the dollar rises. However, the rise of the US dollar also has decreased the costs to firms who purchase products from overseas. These changes are outside the control of management and can put pressure on management to maintain the firm's performance in the face of potentially adverse market conditions, which can increase the inherent risk of material misstatement.

Firm-specific Factors

 Financial condition of the firm - Firms that are successful and profitable tend to have lower inherent risk of material misstatement because of the reduced pressure on management than firms that are struggling. Auditors always perform an analysis of an auditee's recent operating, cash management, and financial results to determine if the auditee is struggling or not.

 History of material misstatement - If the auditee has a history of poor audit results where the auditor, either current or prior, has had to ask the auditee to make audit adjustments, this increases the likelihood that there will be material misstatements in the current audit. To be precise, prior audit adjustments could have been caused by weak internal controls, which would be a control risk issue. However, the auditee's control system couldn't have failed to eliminate a material misstatement in the auditee's financial records if the material misstatement didn't exist in the first place. Thus, prior material misstatements are evidence of both prior inherent and control risk.

 Complex or innovative financial arrangements - The same logic applies to the types of financial arrangements a firm uses to generate cash from outside sources. Modern finance theory has developed a long list of hybrid financial products that have features of both debt and equity and/or whose values are derived from other financial instruments, assets, or liabilities. For example, mandatorily redeemable cumulative preferred stock has many features of debt and, under GAAP, is reported as debt even though it legally is preferred stock, which is equity.

Other examples include hedging arrangements that match a financial instrument with an asset, liability, or future cash flow and the use of leases. Again, the complexity of these

122

arrangements and the fact that some of them are hard to classify on a balance sheet increase the risk that the firm will generate a material misstatement when accounting for them. In addition, firms that have a significant amount of these non-traditional financial instruments normally are in financial trouble, which also increases inherent risk of material misstatement.

Finally, many firms use leases to "purchase" property, plant, and equipment rather than buying it outright. The GAAP rules that determine whether the auditee accounts for these as leases or as purchases (i.e., a capital lease) involve management judgment and estimation. Since many firms use lease arrangements not because of any direct economic benefit to doing so but for the accounting treatment that comes with leases, extensive use of leases can increase inherent risk of material misstatement because management may push the boundaries of the GAAP rules to achieve a desired accounting outcome.

 Debt covenants - Some lenders build covenants into their debt instruments that require that the debtor maintain things like certain levels of working capital, dividend payments, or debt levels or the creditor can call the debt. The existence of these covenants places pressure on managers to maintain the statistics covered in the covenants at levels that do not violate the covenants. This increased pressure on management can increase the inherent risk of material misstatement.

 Management compensation contracts - Some firms reward management if the firm's performance exceeds certain levels as measured by accounting data. For example, a firm's management might receive a bonus if the firm's profit margin increases by a percentage point over the prior year's profit margin. These types of incentive contracts increase the pressure on management to perform and can increase the inherent risk of material misstatement.

 Management strategies - Different firms may adopt different strategies to achieving success in their industry. Differences in these strategies can create increased inherent risk. For example, a firm whose strategy is to rapidly increase market share would be at greater inherent risk because of the additional pressure rapid growth places on both management's incentives and the firm's information systems.

 Specific customer or supplier arrangements - Firms can differ on how they structure arrangements with their customers and suppliers. Some firms in the same industry may sell directly to the ultimate consumer while others may user resellers. The use of resellers can increase the inherent risk of material misstatement because it complicates the revenue recognition process.

In addition, some firms depend on a few, large suppliers or customers while others use a variety of suppliers and sell to a variety of customers. Concentration in the firm's supplier market increases the power the suppliers have over the firm and can increase the inherent risk of material misstatement if the suppliers change their pricing or other supply arrangements and the auditee's information system isn't flexible enough to adjust. In addition, concentration in the supplier markets can put pressure on the auditee's management to maintain low production costs because of the supplier's market power and ability to raise prices. Thus, inherent risk also can increase due to increased pressure on management to maintain performance.

123

 Other special arrangements - There are a variety of other special arrangements firms can engage in that can create additional inherent risk of material misstatement. Some examples include joint ventures, partnerships, off-balance sheet financing arrangements, and related party transactions. To the degree that these arrangements create complex accounting issues or place increased pressure on managers, they can increase inherent risk.

 Doing business in multiple industries - Some firms focus on one industry (e.g., Home Depot) and other firms do business in a variety of industries (e.g., General Electric). The more different industries in which a firm does business, the more complex their accounting becomes because each industry probably has some industry-specific accounting rules to follow. This increased complexity increases inherent risk of material misstatement.

 Doing business in multiple locations - The more geographically dispersed the auditee's operations are, the greater the difficulty in coordinating the accounting for diverse locations and conforming to local accounting and financial reporting rules. Obviously, the latter point applies mostly to firms that do business in several countries. However, there also are differences in state laws that affect firm's operations as well. The need for increased coordination and the need to comply with all local laws and rules both increase the complexity of the auditee's accounting challenges and, thus, the inherent risk of material misstatement.

Summary of Sources of Inherent Risk

In summary, financial statements and account balances can contain material misstatements from two broad sources: unintentional and intentional. Intentional material misstatements can be fraudulent, but also can merely involve overly aggressive management judgments, typically involving valuation decisions. The inherent risk of unintentional material misstatements increases with the complexity of the accounting involved, the volume of activity the firm's information system has to process, and the rate of change in the nature, volume, and complexity of the transactions the firm's information system records and processes. The inherent risk of intentional material misstatements increases with any factor that places increased pressure on management to meet performance expectations that are measured in terms of accounting numbers. All of the sources of inherent risk discussed above create increased risk by increasing the complexity, volume, or rate of change in the firm's environment or by increasing pressure on management.

Information Sources for Inherent Risk Assessment

This section presents a few major sources of information auditors use to assess inherent risk. As the extensive list of factors that affect inherent risk illustrate, sources of inherent risk are diverse and extensive. Thus, the auditor needs to look at a variety of sources to ensure that their inherent risk assessment process is thorough.

Management and Other Key Personnel

One of the best sources of information about an auditee's inherent risk is interviews with the auditee's management. We have included "other key personnel" because auditors have found that interviewing the "troops in the field" was an invaluable source of information as well. Lower

124

level employees have less of an incentive to "spin" their answers to auditors and can be a valuable source of information. The key point is that the auditee's employees usually know more about the firm specific factors listed above than any other source of information. However, the main drawback of using the auditee's personnel as a source of inherent risk information is that those employees, particularly upper management, have an incentive to "spin" their responses in a way that will lower the auditor's assessment of inherent risk. Thus, auditors need to be careful to gather information from multiple sources within the firm and compare them.

Third Parties

Third parties include vendors, customers, the client's attorneys and consultants, and others who have some ongoing relationship with the auditee. These sorts of third parties may have significant knowledge about the factors that contribute to inherent risk and may have less of an incentive to "spin" their responses to the auditor. The auditor does need to get the auditee's permission to talk to many of these third parties; particularly attorneys who would have to protect their client's confidentiality. However, auditors usually build this sort of permission into their engagement letters and, if the auditee balks; that alone can be a sign of increased inherent risk.

Auditee Documents

Access to the auditee's documents also is something that auditors regularly build into their engagement letters since the auditee's documents are the primary source of data for all audit tests. For inherent risk assessment, the auditor usually focuses on documents that cover broad policy issues and operating procedures. Some examples would include the auditee's policy and procedures manuals, minutes of the Board of Directors meetings, and correspondence with key third parties. Keep in mind that the goal of inherent risk assessment is to identify characteristics of the auditee and its operating and regulatory environment that might increase the likelihood that the firm's information system would create a material misstatement or that would increase the pressure on the firm's management to manipulate the firm's financial results. At this point, the auditor is not executing specific tests of transactions and balances or of the information processes that process those transactions.

Trade Publications

Auditors regularly read the popular and business press for stories about their auditees and their auditee's industry as well as about the economy. For example, if we were auditing an airline, which inherently is heavily affected by crude oil prices, we would want to be sure we knew how crude oil prices had changed recently and would read articles by oil analysts regarding the future of oil prices (which currently is that they will only go higher from their current record levels). In addition, publications like the Wall Street Journal, Barrons, Inc. Magazine, CFO magazine, and CIO magazine frequently contain articles on individual firms that can be very enlightening. Finally, nearly every industry has an industry association designed to support and grow the industry. These associations normally have industry-specific publications that can provide an auditor with valuable information, such as, the history and direction of the industry as well as changes in produces and production methods and technologies.

125

Economic Data

The US government is an excellent source of general economic data for the US. For example, the website of the Federal Reserve Bank of St. Louis has historical data on interest and inflation rates and the Department of Labor's website has a variety of data on the US economy. The US government also publishes some information about the global economy as well. In addition, the United Nations publishes a rich variety of global economic data, as do several international magazines, like the Economist, which is published in London. Inherent risk is the risk that the auditee's information system will create a material misstatement in their financial statements without regard for the auditee's internal controls. Many factors affect a firm's inherent risk. Auditors classify these factors into three broad categories: factors that affect management's incentives to manipulate the financial statements, factors that affect the complexity of the firm's accounting and reporting, and the quality of the firm's information system. The factors that affect the management's incentives relate to the firm's business risks. That is, the risks that affect the firm's operating and financial success. Since the financial community judges a firm's management by how well the firm performs, factors that make it more difficult for the firm to succeed increase the incentives on management to improve the firm's apparent success by manipulating their financial statements. The firm's business risks also affect the complexity of their accounting and reporting. For example, firms that sell to customers in a declining market will have a more difficult time estimating their allowance for doubtful accounts. In addition, firm's whose products or services are inherently complex also face more difficult accounting issues. For example, firms that buy and sell complex investment instruments like securitized mortgages face difficult issues when determining how to classify these instruments on their balance sheets and how to calculate changes in their market value for financial statement presentation. There also are varieties of factors that affect the quality of a firm's information system. The main factors are those related to the design of the information system and the quality of the people who run it. We define "information system" broadly to include the policies and procedures the firm uses to process information as well as the quality of the staff who execute those processes. Thus, a critical issue for inherent risk assessment is the experience, training, and monitoring of an auditee's employees as well as their attitude and incentives to do a good job. For employees to do a good job they need to have the resources, including knowledge, to do the job and the incentive to do it well.

Applying Analytical Procedures

This section reviews some basic ways that auditors use analytical procedures to identify inherent risk issues. Some of this material was alluded to when we covered preliminary analytical procedures, but now we will review it in the context of identifying inherent risk.

126

Factors that Create Management Incentives

Auditors assess the degree to which management has an incentive to manipulate the firm's financial statements in a variety of ways. However, they usually start with an analysis of the firm's current operating performance and financial position by applying basic ratio analysis to the firm's unaudited financial statements. Auditors use the term "preliminary analytical procedures" to refer to this sort of analysis. One problem in determining management's incentives to manipulate financial statements is defining what "look good" means. In most cases, the goal of management is to have the financial statements report stable earnings growth over time and significant excesses of assets over liabilities. These are the key factors that make the operating performance and financial position analyses covered in the beginning of the class lead to a positive assessment of the firm's performance. "Stable earnings" does not mean flat in this context. It means low variability around an increasing trend (i.e., growth). If a firm's reported Net Income increases, on average, over time but changes significantly from year to year, then reported net income is less reliable in predicting future net income. That is, variability in historical trends increases the difficulty of predicting future trends. Reducing the variability in earnings is commonly referred to as income smoothing. Because investors and potential investors are interested in predicting an auditee's future earnings, higher levels of variability in historic earnings will make it more difficult for investors to predict future earnings and, thus, they will not be willing to pay as much for a share of the auditee's stock. Thus, there is an incentive for the auditee's management to manipulate earnings to reduce variability in reported earnings. Managers benefit in a variety of ways from reporting results that "look good." These include:  Manager's pay and bonuses often are tied to reported numbers.

 Managers frequently are granted stock options that only become valuable to the managers if the stock price goes up.

 Better performance increases stock price, which makes raising new funds from the stock markets easier.

 Many of the firm's long-term debts come with covenants that set limits on reported numbers. If the reported numbers go outside these limits, the creditor can force the firm to repay the debt immediately.

In some cases, however, managers have an incentive to make the firm's results "look bad," or at least not so "good." The management of not-so-healthy firms may have an incentive to reduce reported earnings even further. As discussed more completely in the next section, many of the tools available to management to manage earnings will reverse in future years. Sometimes when a firm obviously is doing poorly in one year, management may increase the loss in that year (i.e., "take a bath") to create "reserves" that can be used to increase future earnings. These "reserves" usually are valuation accounts that management may increase to allow for future losses. However, nearly all the activity that involves the use of these valuation allowances will eventually "settle up" or reverse in the future. If management is overly conservative in setting a

127

valuation allowance, when the transactions involve "settle up" and the expected loss is not incurred, the firm's net income will get a boost as the prior valuation allowance is reversed. The incentive to reduce reported earnings also can occur in highly successful companies that tend to dominate their markets and risk regulatory intervention or increased competition. For example, the fact that Microsoft dominates the world's personal computer operating system market has lead the U.S. and European Union to attempt to force Microsoft to unbundle some of its software and make the source code for Windows™ open to other firms. If Microsoft were not as profitable or as dominant as it is, this regulatory pressure probably would be lower. In addition, if firms become too successful, they invite other firms to move into their markets, which increases competition. Therefore, sometimes management will attempt to manage their earnings downward to avoid looking too "good."

Factors that affect Management's Ability to Manipulate Financial Statements

GAAP includes several areas where it moves away from historical cost as a basis for valuation or requires interperiod cost allocations and relies on management judgment for both. The main areas covered in this course where management judgment is required are:  determining the useful lives and depreciation methods for fixed assets;

 setting allowances for doubtful accounts;

 determining when asset values have been impaired (e.g., available for sale securities, fixed assets, and goodwill);

 determining the net realizable value of inventories for the lower of cost or market rule;

 setting the income tax asset valuation account;

 designating securities as "available for sale" instead of "trading;"

 valuing employee stock options, particularly setting the parameters for the Black-Scholes model, or the assumptions management uses for the binomial model;

 determining the parameters used to estimate future pension or other post-retirement benefit liabilities; and

 structuring transactions to take advantage of the boundaries of accounting rules. Some examples include:

 leases to avoid capitalization

 special purpose entities to create off-balance sheet liabilities

 resale agreements with distributors and resellers to circumvent revenue recognition rules.

Some of these items are harder to use to manipulate earnings than others are. For example, items like determining useful lives for fixed assets cannot be changed every year to manipulate earnings. Similarly, classification of securities as available for sale cannot be changed frequently without sending out "red flags." Finally, asset impairment decisions cannot be reversed and are permanent once they have been made. Other items can be changed every year, but changing

128

them too frequently also sends out "red flags." For example, the parameters used for calculating annual pension expense or for valuing stock options may change frequently due to changes in economic conditions. However, changes in these parameters that do not seem to parallel changes in economic conditions also can send out "red flags." If you did not recognize many of the issues just raised, most are covered in intermediate accounting classes and so if you have not taken intermediate accounting, they may not be familiar. However, to be a good auditor, you need to have a strong grasp of these sorts of accounting issues. We will not cover these accounting issues in this class and only referred to the accounting issues above as examples of some of the areas within GAAP where managers are required to make judgments and, therefore, have the ability to use their judgments to manipulate earnings. Since management typically is biased toward making the firm "look good" by making judgments and choices that increase assets and net income, most GAAP valuation rules tend to be biased in the opposite direction. A good example of this bias is in the lower of cost or market rule for valuing inventory and the requirement to write down the value of fixed assets whose value has been impaired . Both these rules only allow management to reduce asset values if market conditions change, not increase them. This is the main reason for the conservatism principle in accounting. In summary, auditors use analytical procedures like basic ratio analysis to attempt to determine where the firm stands financially and what management's incentives might be to affect the perception that the firm's financial statements leave on the readers of those financial statements. This assessment not only leads to an assessment of inherent risk, but also helps the auditor create targeted expectations about where, within the financial statements, the incentives on management might come together with areas where management judgment inherently is required and, thus, where management has some ability to manipulate the financial statements. Auditors will use these targeted expectations to help generate specific audit tests and procedures to determine if the financial statements are actually misstated due to management manipulation.

129

Appendix 1 - Detailed Analytical Procedures

This appendix provides an overview of some of the major analytical procedures that auditors use to assess the inherent risk of an auditee as well as to audit individual account balances. Auditors use these procedures both to assess firm-level inherent risk as well as to assess account-specific inherent risk. This appendix covers both these uses. Students who study this appendix in its entirety should be able to:  Evaluate an auditee's operating performance, cash management effectiveness, and financial

position.

 Develop a comprehensive, but high-level, description of how an auditee is raising and spending cash.

 Use the above evaluations and descriptions to identify areas of auditee-level inherent risk.

 Identify specific accounts that show unusual fluctuations for further review during the audit process.

Structure of This Appendix

This appendix contains the following sections and appendices:  Discussion of the three main components of an auditee's operation that a financial analysis

targets: operating performance, cash management, and financial position.

 Presentation of some general strategies for assessing an auditee's performance.

 Figures and tables that provide a high-level summary of financial statement analysis.

 An outline of a comprehensive financial statement analysis.

 Discussion some additional ratios found in the financial literature that are not covered in this main body of the appendix.

The following Table 1 presents the name, formulas, and benchmarks used in this appendix to do preliminary analytical procedures. There isn't one standardized approach to preliminary analytical procedures so we have selected a small set of ratios that cover the basic activities that contribute to a firm's financial success. The benchmark column present standard benchmarks for some of the ratios. Many do not have standard benchmarks of good performance because they can vary significantly from industry to industry or depend on a firm's strategy. Thus, students should use these benchmarks with care since they are very general and might need to be altered for a specific case. The text presents a detailed discussion of how to apply these ratios following the table.

130

Table 1 - Summary of Ratios

Name of Ratio Formula Results Benchmark

Operating Performance: Overall Performance - Price to earnings ratio Market share price/earnings per share Ratio > Market P/E

Return on Assets (limited data) Net income Percent Interest Total assets Rates

Return on owners' equity Net income - Preferred Dividends Percent Interest Owners' equity Rates

Profitability and Utlilaztion -

Gross profit percentage Gross profit Percent Higher Sales or Revenues

Profit margin Net income Percent Higher Sales or Revenues

Asset turnover Sales or Revenues Ratio Two-sided Total assets

Cash Flow Analysis:

Cash conversion cycle

Days cash in receivables Accounts receivable Days Industry Sales/365 Two-sided

Days cash in inventory Inventory Days Industry Cost of goods sold/365 Two-sided

Days cash in payables Accounts and Expenses Payable Days Industry Operating expenses/365 Two-sided

131

Table 1 - Continued

Name of Ratio Formula Results Benchmark

Cash Flow Statement Operating Cash Flows Positive and trend

Relationship to Net Income Compare to dividends and fixed assets

Investing Cash Flows Fixed asset investment to depreciation Major sources and uses

Financing Cash Flows Dividend amount and history Major sources and uses over time

Financial Position: Short-term -

Current ratio Current assets Ratio 2.00 Current liabilities Two-sided

Quick or Acid-test ratio Current assets - (inventory + prepaids) Ratio 1.00 Current liabilities Two-sided

Dividend payout Dividends Percent Two-sided Cash flows from operations

Long-term -

Total debt to equity Total liabilities Ratio or 1.00 Owners' equity Percent Two-sided

Long-term debt to equity Long-term liabilities Ratio or 0.8 - 1.0 Owners' equity Percent Two-sided

Item in bold type indicate ratios that are emphasized in the text. A Higher benchmark entry means higher is almost always better. Two-sided means that values that are too high or too low are unfavorable.

132

Sample Economic Data

The above table and the following analysis occasionally refer to general economic benchmarks like market-wide interest rates and the S & P average P/E ratio. The following table contains several years of data for these statistics.

Operating Performance

Operating performance analysis focuses on determining how well the auditee is generating returns on the owners' investments. The magnitude of these returns depends on three key factors: leverage, profitability, and utilization. Profitability ratios show the ability of various aspects of the auditee's production function to generate profit on each unit the auditee produces. Utilization ratios show the volume of activity (i.e., how many units it sells) the auditee generates with the assets it has. Leverage ratios show what portion of the total profits the auditee generates were generated with the owners' investments as opposed to the creditors' investments. Higher leverage means that the auditee is generating profits to the owners by using more borrowed money and less of the owners' investment. This generates higher return for the owners. "Return" measures the rate of profits generated as a percentage of the owners' investments. All of the overall performance ratios are one-sided because higher values are nearly always better than lower ones. The goal of for-profit auditees is to maximize these measures, and so higher is usually better.

Year

Inflation 10 Year Prime Rate 10 Year Prime Rate S & P

Rate T-note T-note P/E

1997 1.7 6.4 8.4 4.7 6.8 24.3

1998 1.1 5.3 8.4 4.2 7.2 32.9 1999 1.4 5.6 8.0 4.2 6.6 29.0 2000 2.2 6.0 9.2 3.9 7.1 27.6 2001 2.4 5.0 6.9 2.6 4.5 16.2 2002 2.2 4.6 5.0 2.4 2.8 31.4 2003 2.2 4.0 4.1 1.8 1.9 22.7 2004 3.3 4.3 4.3 1.0 1.0 20.0 2005 3.3 4.3 6.2 1.0 2.9 18.1 2006 3.3 4.8 7.9 1.5 4.6 17.4 2007 2.1 4.6 8.1 2.5 6.0 21.5 2008 2.0 3.7 5.1 1.7 3.1 70.9 2009 0.6 3.3 3.3 2.7 2.7 20.7 2010 1.8 3.2 3.3 1.4 1.5 16.3 2011 2.0 2.8 3.3 0.8 1.3 15.0

1 Inflation Statistics are the percentage change in prices from the prior year.

2 Real interest rates are nominal rates less inflation as measured by the GNP Price Deflator

General Economic Data Interest Rates

Nominal Real 2

133

Price to earnings ratio

The price to earnings ratio, or P/E ratio, as it is commonly called, tells the auditor how the stock market perceives the auditee's operating performance. It measures how many years' worth of earnings per share (EPS) the stock market is willing to pay for each share of stock. The market will pay a higher premium (i.e., a higher P/E ratio) for stocks in a company that the market expects to become more profitable since it expects earnings to rise and a share of stock is a claim against future earnings. If the market is pessimistic, the P/E ratio will fall because the market anticipates that earnings will fall. In short, you can think of the P/E ratio as the future divided by the past. Thus, a higher P/E means a brighter future compared to the past and a lower P/E means the opposite. The financial press typically refers to the above definition of the P/E as a "backward looking" P/E because it divides the current market price by the last year's EPS. Financial analysts also use a "forward looking" P/E that divides the current stock price by analysts expected EPS for the next year. We do not use the forward-looking P/E for three reasons. First, it replaces a historical audited number (historical EPS) with a forecast, which creates more uncertainty about the accuracy of the ratio. Second, analysts’ forecasts are not available as part of published financial statements and can be difficult to track down. In addition, different analysts will make different forecasts and selecting which forecast to use injects additional uncertainty into the calculation. Finally, market-wide P/E ratios are regularly published in the financial press that are calculated using the average historical EPS for the market divided by the average market price for stocks traded in the market. The table of economic data in this appendix includes these statistics for the stocks included in Standard and Poor’s Index. The following two ratios measure how well an auditee is generating profit given the resources at its disposal. They merely use different measures of those resources based on who has claims against the assets. They all measure return on investment (ROI). They just differ in their definition of investment. In the popular press, when the term return on investment or ROI is used, it generally means return on owners’ equity.

Return on assets

Return on assets (ROA) uses the broadest definition of investment. It calculates the rate at which the auditee produces net income based on all its assets, regardless of whom has claims on them. Therefore, it measures how well the auditee is using all the economic resources at its disposal. Frequently in the popular press, after-tax interest expense is added back to net income to calculate this ratio. Thus, it also ignores differences in financing strategy between auditees and focuses directly on the effectiveness of the production function. However, auditors also can calculate the ratio without adjusting for interest expense if they consider an auditee's use of debt as just another operating decision. This appendix calculates ROA as net income over average assets and does not adjust for interest expense because it is simpler; because the interest adjustment usually doesn't change the ROA much; and because industrial averages usually do not adjust for interest expense. The simplified version of ROA looks directly at how effectively

134

the auditee is using its assets to produce profits regardless of how those assets were financed, i.e. purchased with borrowed or invested money.

Return on owners’ equity

Return on owners’ equity (ROE) uses the narrowest, and the most common, definition of investment. It defines investment as the owners' claims against the auditee's assets. Since the owners have the residual claim to all the auditee's earnings, return on owners’ equity is the primary overall measure of an auditee's operating performance. A crude benchmark for evaluating ROE is the current market rates of interest. People who buy stock in an auditee expect a return on that investment in excess of what they could have gotten by just putting the money in an insured savings account or other safe investment. They expect a higher return because they are taking a greater risk of loss by buying the stock. Therefore, the market rates of interest for relatively safe investments (e.g., insured savings accounts, certificates of deposit, high-grade bonds, US Treasury securities) represent a lower bound on what the owner should expect for a ROE. Because an investment in stock is usually considered a long-term investment, this text uses nominal49 10-year US Federal Treasury Bill rates as a basis benchmark for evaluating ROE (see Economic Data above)50.

Leverage

The difference between an auditee's ROA and ROE indicates how effectively the auditee is using leverage to maintain higher returns to their owners. ROE must always be higher than ROA if the auditee has any debt at all. The more debt the auditee has compared to equity, the more ROE exceeds ROA. By using more borrowed funds to finance their assets, an auditee is "making money from other people's money" and, since the owners have the claims against all the net income, the more money the auditee can make from borrowed funds instead of the owners' equity, the higher the owners' return on equity or ROE. Extensive use of leverage, however, means the auditee is heavily in debt, thus increasing its risk of financial problems like failing to pay its bills. An auditee's debt to equity ratio, which is covered below, measures the extent to which an auditee is using leverage. To make the concepts clearer, consider a simple company with $100 in assets and $10 net income. Their ROA is 10% ($10/$100). If they have no debt, then their equity must be $100 and their ROE is also10%. What if the same company had a $50 of debt and $50 of equity (or a debt to equity ratio of 1.0)? The ROA is still 10%, but the ROE is now 20% ($10/$50). If they increased their debt to $75 and reduced equity to $25 (debt to equity rises to 3.0), then their ROE becomes 40% ($10/$25). Holding net income constant, ROE goes up relative to ROA as the debt

49 "Nominal" means the rates that these securities are currently earning in the open market. The economic data in this chapter also includes a "real" rate, which is the nominal rate less inflation. It is called "real" since it represents the actual return the investor will receive once the reduction in the purchasing power of future dollars due to inflation is factored out of the market return. 50 Since the US government currently is considered the world's best credit risk, US Treasury bill rates are used worldwide as a measure of a risk-free rate of return.

135

increases in proportion to equity because the owners have the residual claims to all the net income.

Profitability

Profitability measures also tend to be one-sided because higher profit margins are usually, though not always, considered better than lower ones. Increasing profit margins by raising prices can reduce sales volume. If the higher prices produce a sufficiently large reduction in the number of units sold, then the auditee may be worse off than if they maintained lower profit margins. Therefore, even though higher profit margins are generally better than lower ones, auditors cannot make a final determination of the appropriateness of a profit margin exclusive of an analysis of the utilization ratios, which measure volume of units sold. Both of the profitability ratios included in Table 1 are very common and this appendix will use both.

Gross profit percentage

For manufacturing and distribution (i.e., wholesale and retail) auditees, the gross profit percentage or gross profit margin is a key indicator of operating performance. The gross profit margin is an auditee's gross profit divided by its revenues and is a percentage. An auditee's gross profits are its revenues less its cost of goods sold. The gross profit margin measures how well the core production function of the auditee generates profits. These auditees need to make enough gross profits on their sales to cover administrative and other expenses, or they will be in trouble. Service auditees and financial institutions rarely report a cost of goods sold figure in the income statements and so you can't calculate a gross profit margin for these types of auditees.

Profit margin

The profit margin indicates the overall profitability of the auditee. Profit margins can differ significantly among auditees in different industries. As previously mentioned, auditees can follow two broad strategies for attaining high return on investment: high profitability and low utilization or low profitability and high utilization. Distribution auditees tend to rely on low profitability and high utilization, while manufacturing and service auditees tend to make higher profits with lower utilization. Note, however, that there are many auditees that fall somewhere in between these two broad strategies. For example, fast food outlets do not have waiters and servers and their prices are low compared to a full-service restaurant. Their profit margin on each meal served is lower than in a full- service restaurant, but fast food restaurants can attain a higher return on investment by selling more meals per hour through more rapid turnover of customers. A full-service restaurant would serve fewer customers per hour, but would make more profit on each meal by charging a price that leads to a higher gross margin on each meal. The return on investment statistics help auditors compare the relative profitability of auditees that use different operating strategies because those statistics relate profit to investment.

136

Common-sized Income statement

The common-sized Income Statement complements the above profitability ratios by showing the auditor where the auditee incurs most of its expenses. For example, it shows the relative proportion of expenses that are going for operating and for administration. The common-sized Income Statement is a very useful tool for diagnosing how an auditee achieved a particular profit margin because the auditor can see how each line item on the Income Statement contributed to the final profit margin. That is, in a common-sized income statement, every line item is a percentage of revenues. Since the profit margin states net income as a percentage of revenues as well, the common-sized income statement shows how many percentage points of revenue each line item contributed to the profit margin.

Utilization

Like profitability ratios, utilization ratios (or rates) are mostly one-sided measures. Getting more production from the same asset or investment base is usually a good thing. As with profitability measures, this may not always be the case. Auditees can push up their utilization rates by dropping prices, increasing sales, and lowering profit margins. The net effect of these changes may not be higher return on investment. In addition, most assets have natural limits to their productivity. For example, an auditee can maintain a high utilization rate by not replacing old equipment in a timely fashion. The key to understanding this statement is realizing that a utilization rate is merely the total sales divided by the book value of the assets. As assets age, their book values decline. In addition, their maintenance costs increase. Therefore, if an auditee held on to its equipment to the point where they were spending large sums in maintenance, the utilization rate would be high because of the assets’ low book value. However, net income could fall because of the high maintenance charges. Asset Turnover is the key measure of an auditee's utilization. It compares sales volume to the value of all assets of the auditee. The analyses in this text are based on the asset turnover ratio because this is the most common and broadest measure of an auditee's utilization. The total asset turnover ratio can be interpreted as how often the assets of the auditee are capable of generating their own value in sales or revenues.

Cash Management Analysis

Cash Conversion Cycle

All for-profit auditees are cash conversion machines. They use cash to purchase the inputs they need to produce goods or services; they produce those goods or services; they inventory goods; sell goods or services; and collect cash from the sale. This process is illustrated in Figure 2. The problem is that they usually have to pay out cash for the purchase of inputs well before they receive cash from the sale of their outputs. This process is called the cash conversion cycle. Firms must have a reservoir of cash available to finance this timing difference. The following Figure 2 presents a graphic overview of the cash conversion cycle. The amount of economic resources invested in the cash conversion cycle at any point in time is closely approximated by working capital. Formally, working capital is current assets minus

137

current liabilities, so it includes things like cash and short-term investments that are not part of the cash conversion cycle. However, the components of the cash conversion cycle (i.e., inventory, accounts receivable, accounts payable, and expenses payable) make up the bulk of working capital, which is why working capital closely approximates the amount of economic resources tied up in the cash conversion cycle. Financing the cash conversion cycle is a long- term need because it represents a permanent difference in current assets and liabilities that is inherent in the production process of the auditee. Therefore, financing it is usually done with long-term debt or equity. The amount of resources tied up in the cash conversion cycle depends on its length and the volume of activity it contains. Its length is calculated in days. For example, if it takes an auditee, on average, 30 days to produce a good, 30 days to sell it, and 30 days to collect for the sale, then the auditee needs to finance 90 days of activity. Part of this financing comes from accounts and expenses payable. If this same auditee can delay paying its suppliers for 30 days, then its cash conversion cycle has a length of 60 days (i.e., 90 less 30). The total amount of funding needed to finance the cash conversion cycle equals its length in days times the average daily volume of activity. If this auditee processes $1,000,000 worth of goods per day, then it would need $60,000,000 to finance its cash conversion cycle. The lengths of each of the three components of the cash conversion cycle are calculated using a different denominator, as the formulas in Table 1 show. Days Receivable is calculated using average daily sales (i.e., annual sales divided by 365) because both sales and receivables are stated in terms of selling prices, not costs. Days Inventory is calculated using average daily cost of sales (i.e., annual cost of sales divided by 365) because both are stated in terms of the cost of the units sold. However, both Days Receivable and Days Inventory should be calculated using an auditee's gross accounts receivable and inventory, respectively. Auditees are only required to report their net accounts receivable (i.e., gross accounts receivable less allowances for doubtful accounts) and net inventory (gross inventory less any lower of cost or market adjustment). Since both these valuation accounts are disclosed in an auditee's footnotes, we have calculated the cash conversion cycles in this class's cases using gross accounts receivable and gross inventory. The problem with using net amounts for these calculations is that the valuation allowances distort the true days receivable and payables. For example, when an auditee records an allowance for doubtful accounts, this reduces the net receivable balance and, thus, shortens the collection period. Thus, if you use the net accounts receivable balance, an auditee with a large allowance for doubtful accounts will look as if they are collecting their receivables as fast as an auditee that has not allowance but does collect their receivables rapidly. The calculation of Days Payables is more complex. The goal of the days payable statistic is to relate the average current liabilities or payables associated with operating expense with the average daily level of those operating expenses (i.e., operating expenses divided by 365). Both these amounts are stated in terms of costs, and accounts payable and expenses payable are used to directly finance operating expenses. The specific way days payables are calculated may vary

138

from auditee to auditee depending on how detailed the current liability section of the auditee's balance sheet and the operating expense section of the income statement is. If you have looked at the formulas in Table 1 carefully, you may have noticed that each of these items has a counterpart that is stated in terms of a turnover. These counterparts are the mathematical inverse of the cash conversion cycle ratios, except for the division by 365. For example, days receivables ratio is the inverse of receivable turnover. This relationship makes some sense. Conceptually, the faster something turns over, the less time it will be around. Therefore, the current turnover ratios tell auditors virtually the same thing as the cash conversion cycle analysis except that the cash conversion cycle components can be combined into a more holistic picture of how the auditee is managing its working capital.

139

Figure 2 - Cash Conversion Cycle

Purchase Materials, Supplies, Services, and Labor

Convert Materials and Labor to Finished Goods

Store Finished Goods in Inventory

Collect Cash from Customer

Sell Finished Goods to Customer

Pay Cash for Materials, Supplies, Services, and Labor

Days Payables

Length of Cash Conversion Cycle (Days Inventory + Days Receivables - Days Payables)

Days Inventory Days Receivables

140

Cash Flow Statement

In addition to ratio-based analysis presented above, cash flow statement analysis can provide insights on how the auditee is financing its operations and managing its cash flows. Since production activities are an auditee's major source and use of cash, cash flow analysis forms a bridge between operating performance and financial position analysis. Its focus, however, is tracking the details of where an auditee is generating the cash it needs to finance its activities and how it is spending that cash. The cash flow statement is divided into three sections for a reason. Most healthy firms finance their operations with a balance of internally generated cash (i.e., cash flow from operations) and externally generated funds (i.e., cash flows from financing). These funds are used to invest in the productive capacity of the firm (i.e., cash flows for investing). Therefore, in a healthy, moderately growing firm, the auditor would expect to see a positive cash flow from operations and financing, and a negative cash flow from investing. Such a firm is generating cash from its operating and financing activities and investing that cash in more plant and equipment to expand the firm. Not all auditees are healthy and moderately growing. A quick analysis of their cash flow statements can reveal problems. For example, an auditee with a negative cash flow from operations is probably in trouble since operating cash flows must ultimately provide the cash to fund the auditee's activities. That is, an auditee needs positive operating cash flows to invest in new productive assets as the old wear out and pay dividends. In the short run, however, a rapidly growing auditee may experience negative cash flows from operations because of things like inventory buildup without incurring substantial problems. Table 3 illustrates some patterns from hypothetical cash flow statements and some possible interpretations. Further analysis would be needed to determine the complete explanation for each pattern and some patterns have more than one explanation. Table 3 is presented to illustrate the general approach, not to provide hard rules of interpretation. One valuable piece of information missing from Table 3 is historical data. One year's cash flows can reflect temporary situations or unusual events. In fact, cash flows generally tend to be more volatile than net income or revenues. For example, the interpretation of Firm A in Table 3 would change significantly if the auditor knew that the firm had been in operation for ten years and had been running a negative cash flow from operations for the last three. This signals some real problems. If, on the other hand, Firm A is in its first year of operations, then its cash flow pattern is normal.

Main Benchmarks

The following are a few simple cash management benchmarks that auditors like to see in a healthy auditee. These are very general rules of thumb and need to be interpreted in the context of an overall analysis of the auditee.

141

Cash Flows from Operations

Ultimately, an auditee must generate its cash from operations. Since cash flows from operations do not include any cash paid to replace the auditee's fixed assets, an auditee needs to use operating cash to invest in replacement of fixed assets as their fixed assets age. If they don't, they are disinvesting in productive capacity, which will eventually lead to drops in revenues and profits. Auditees should not borrow or sell stock to finance the replacement of fixed assets consumed during the year and should limit the use of financing cash flows to expand their productive capacity. That is, healthy auditees should generate enough cash from operations to replace the productive capacity (i.e., property, plant, and equipment) that they have consumed during the year and only borrow or sell stock to expand productive capacity. In addition, investors may expect to get cash back as dividends. Therefore, a healthy auditee needs to have a positive, stable cash flow from operations that is large enough to replace its productive capacity and pay dividends. There can be legitimate reasons for an auditee's cash flow from operations to be negative for short periods of time, particularly if it is a new firm. Negative cash flows from operations for more than a few years, however, are a sign of serious trouble. Operating cash flows need to be more than just positive, however. They should be large enough to pay all the dividends and have enough left to replace the productive capacity the firm consumed during the year. The free cash flow statistic discussed below is an approximation of this measurement. Normally, free cash flows are equal to operating cash flows less net, new investment in fixed assets, which represent the change in the auditee's productive capacity. Thus, free cash normally is not reduced by dividend payouts. A problem with free cash flows is that it cannot differentiate between the cash used to maintain the auditee's current productive capacity and the cash used to expand it. While the cash needed to maintain the auditee's productive capacity (i.e., replaced fixed assets as the wear out) should come from operating cash, the cash needed to expand the auditee should not always come from operating cash or the auditee may not be taking advantage of leverage. That is, growth should normally be financed by a combination of debt and equity financing, where operating cash is one form of equity financing. Since depreciation is a significant expense for most auditees but is not a cash flow, most auditees will also have cash flows from operations that are larger than net income. When an auditee's cash flows from operations fall below net income, it is usually a sign of problems in the cash conversion cycle. It may be helpful to think of cash flows from operations as the output of the cash conversion cycle. This illustrates the tight linkage between cash flows from operations, the cash conversion cycle, and the current ratio (i.e., current assets divided by current liabilities). In the following discussion on the current and quick ratios, the appendix points out that these ratios were two- sided because having excess current assets could suppress profitability. The relationship between the cash conversion cycle, current ratio, and cash flows from operations reinforces that point. The components of the cash conversion cycle (accounts receivable, inventory, and accounts payable) are also the major components of current assets and current liabilities. Since the "needs" part of the cash conversion cycle (receivables and inventory) is current assets and the sources

142

(accounts payable) are liabilities, the length of the cash conversion cycle is directly related to the current ratio. The fewer needs compared to sources, the lower the current ratio. This relationship means that having a short cash conversion cycle, which is good because production and collection activities are generating cash faster, would also mean having a low current ratio, which signals a weak financial position. These seemingly inconsistent statements can be reconciled by realizing that the cash conversion cycle measures how fast assets are turned into cash while the current ratio measures how many assets, relative to liabilities, are still around. An auditee can pay its short-term liabilities either by liquidating current assets or by drawing on operating cash flows. Therefore, in evaluating whether an auditee will have the cash it needs to pay its bills in the short term (i.e., short-term financial position) the auditor needs to look not only at the level of current assets available to pay current liabilities (i.e., the current ratio) but also the speed (length of the cash conversion cycle) and reliability (historical trends in cash flows from operations) with which the auditee generates cash. An auditee may have a high current ratio merely because they are unable to turn over their inventory or collect their receivables rapidly. This discussion highlights the fact that, over time, an auditee's cash flow from operations should be roughly equal to its net income plus depreciation. If the length of the cash conversion cycle is stable, then the changes in the current assets and liabilities that are used to adjust net income to get operating cash flows should more or less cancel out, leaving depreciation and amortization as the major difference between net income and operating cash flows. If an auditee is using increases in accounts payable or decreases in inventories and receivables to "prop up" its operating cash flows for more than a year or two, this is a sign the auditee is having trouble stabilizing its cash conversion cycle or making profits.

Cash Flows for Investment and Depreciation

Auditees need to maintain their level of fixed assets over time. The auditor can determine if it is doing this by comparing the amount of depreciation incurred in a given year to the cash invested in new fixed assets in that year (i.e., CAPEX). Depreciation represents a rough approximation of the amount of fixed assets used up in a given year. Therefore, the auditee should reinvest in new assets at the same rate as it depreciates them if it is to maintain its production capacity. Because depreciation is based on historical costs and new fixed assets are purchased at current (probably higher) market prices, the cash invested in new fixed assets should actually be higher than depreciation to account for inflation. Investment in new fixed assets (i.e., property, plant, and equipment) is usually the major investing cash flow. Some auditees, however, will invest money in temporary investments to earn some income while waiting to use the money to buy new productive assets.51 Therefore, the auditor may find large investment outflows in one year followed by a year or two of inflows as those investments are cashed in to purchase productive assets. If the amounts of the cash used to purchase new investments and the cash used to retire old investments is substantial, this indicates that the auditee is actively managing its investments.

51 We refer to this as "parking cash."

143

Free Cash Flows

A very common statistic used by financial analysts to judge the health of an auditee is free cash flows. Free cash flows are operating cash flows less the cash flows needed to replace a firm's productive capacity consumed during the year. That is, the cash that is left over after the firm has paid all their operating expense and replaced the productive capacity the firm used during the year. Free cash flows can be calculated in a variety of ways, but the most common is to subtract net cash invested in property, plant, and equipment (also known as capital expenditures or CAPEX) from operating cash flows to get free cash flows. The idea is that free cash flows are the operating cash flows left over after the auditee has reinvested enough cash to maintain its productive capacity. Thus, the cash is free to grow the auditee’s productive capacity, pay dividends, and/or repurchase stock. Depending on the auditee's commitment to maintaining regular dividends, sometime dividends also are subtracted from operating cash flows to calculate free cash flow. Calculating free cash flows is very difficult because determining how much cash the auditee should have invested in CAPEX to maintain its productive capacity is very difficult. The cash flow statement shows how much cash the auditee actually invested in new CAPEX, but nothing in the cash flow statement states whether that amount of investment in CAPEX was enough to maintain the auditee's productive capacity, grow it, or was insufficient to maintain productive capacity. That is, the theoretical definition of free cash flows focuses on the CAPEX needed to maintain existing capacity in order to determine how much cash is free to grow the auditee's productive capacity. However, financial statements don't separate CAPEX into a "maintenance" component and a "growth" component. They just present the total CAPEX spent in the investing section of the cash flow statement. Analyzing free cash flows can be tricky because of leverage. If an auditee finances all of its capital expenditures from operations, it may be losing return on investment because it could finance some of those capital expenditures with cheaper borrowed funds instead of more expensive equity investment, which is what operating cash flows represent. Particularly for rapidly growing auditees, management would be unwise to limit CAPEX only to the amount generated by operating cash flows just to maintain free cash flows. Most auditees use a balance of internally generated funds (i.e., cash flow from operations) and externally generated funds (i.e., cash flows from financing) to finance new investments. This balance reflects the discussion above about leverage and solvency. Internally generated funds come from the profits that belong to the owners. They are expensive in the sense that the owners tend to expect higher returns on this cash than creditors do. Therefore, a healthy auditee usually does not finance all its investment with operating cash flows, but uses some outside financing as well. Thus, a healthy, rapidly growing auditee will normally have a negative free cash flow. An equal balance of debt and equity implies that not all investment in capital assets like property, plant, and equipment will come from operating cash flows that, in turn, implies as negative free cash flow. We have added a "free cash flow" line to all the Cash Flow Statements used in this course because it is such a commonly used statistic. However, GAAP does not require that free cash

144

flows be shown on published Cash Flow Statements and so the free cash flow line is rarely presented in published Cash Flow Statements.

Balance between Short- and Long-term Sources

Auditees also try to balance between short- and long-term sources of financing. They try to match the length of the repayment period on debt with the life of the asset the proceeds of the debt will purchase. For example, they would finance the purchase of a long-lived asset like a building with a 30-year mortgage. Normally if an auditee finances long-term needs with short- term loans or other short-term financing like accounts payable that is a sign of financial trouble. Creditors consider short-term loans less risky because they will be paid back in a shorter period and, therefore, short-term debt normally comes with a lower interest rate. If an auditee is drawing on these short-term sources to finance long-term needs it implies that creditors are unwilling to extend the longer-term credit the auditee really needs.52 One seeming exception to this rule is financing the cash conversion cycle (or working capital). Even though the components of the cash conversion cycle are all short-term assets and liabilities, financing the cash conversion cycle is a long-term need. The timing differences between cash disbursements and cash receipts that create the cash conversion cycle are permanent parts of an auditee's operations and require long-term financing. The following table presents some common cash flow patterns and their interpretation.

52 The difference between short and long-term interest rates in the debt markets is referred to as the "yield curve." If you follow the financial press, you may have heard recent discussion of how the yield curve became flat in the period between 2001 and 2006. This means that short- term rates rose to closely approximate long-term rates. The major cause of this anomaly is the growing impact of the global capital markets on the US economy. During this period, the US Federal Reserve Board kept raising short-term rates in the US, which is all they control. However, because of a global "capital glut," long-term rates remained low.

145

Table 2 - Sample Patterns of Cash Flow Behavior

Cash Flows From: Auditee A Auditee B Auditee C Auditee D Auditee E Operations Negative Positive Positive Negative Positive Investing Negative Negative Negative Positive Small negative Financing Positive Positive Negative Positive Negative Net Cash Flows Zero Zero Zero Negative Positive Interpretation Probably a start-up

company. Most new companies cannot generate positive operating cash flows but need to invest in fixed assets

Probably a healthy, growing auditee that is investing its cash in growth.

Probably a mature, stable auditee. It generates enough operating cash flows to both cover its investment and pay dividends.

Probably an auditee in serious trouble. It is disinvesting in fixed assets, reducing its cash balance and still has to rely on outside financing to cover negative cash flows from operations

Possibly an auditee preparing to restructure or beginning a decline. It seems to be maintaining, but not expanding, fixed assets and accumulating cash.

146

Financial Position

The purpose of financial position analysis is to determine how well the auditee is managing its financing function and how well positioned it is to pay its debts. The auditee's financial position is the result of its operating performance and cash management effectiveness. Auditees get money from two main sources: creditors and owners. Creditors can lend money to an auditee in three ways. Creditors that provide goods and services to an auditee and then wait to be paid are called trade creditors. Creditors also can lend the auditee money directly (e.g., a bank loan) or purchase the auditee's debt securities in an open capital market (e.g., purchase the auditee's bonds in an open bond market). Owners invest in auditees in two ways: by buying shares of stock or by leaving earnings in the auditee. Since owners own the auditee's net income, leaving income in the auditee (i.e., retained earnings) and not taking earnings out as dividends is a form of investment. Owners can buy stock directly from the auditee, but they more commonly purchase those shares in a stock market, which also is referred to as a capital market. When either an owner buys stock in an auditee or a creditor lends money to it, the creditor or owner is said to have made an investment. Investment decision, either lending or ownership, are driven by the risk/return tradeoff. The risk/return tradeoff refers to the simple fact that investments that are riskier must yield a higher return to compensate the investor for the risk. Since creditors' claims against the auditee's assets take precedence over the owners' claims, debt investments are usually less risky than equity. Therefore, as mentioned above, an auditee's return on owners' equity usually must be higher than the average interest rate it pays on its debt to compensate the owners for the increased risk they are taking. The discussion thus far has focused on the investor. Auditees need to be sensitive to some basic rules of finance when developing a financing strategy as well. A financing strategy merely refers to how auditees balance between short-term and long-term sources of money and between debt and equity sources of financing. The issues involved in the balance between debt and equity were introduced above in the section on leverage and are discussed in more detail below in the long-term financial position section. In determining a balance between short and long-term sources, auditees should match the source to the use. Matching sources to uses means that auditees should not use short-term sources of funds to purchase fixed assets and should not use long-term funds (i.e., long-term debt and equity) to finance current assets or expenses. The major exception to this rule is financing working capital. Working capital is the difference between an auditee's current assets and current liabilities. For most auditees, it is positive. There are two reasons why auditees need a positive amount of working capital (i.e., current assets greater than current liabilities). First, the valuation of current liabilities is more certain than the valuation of current assets. An auditee must pay its debts at book value, but may not be able to collect its receivables or sell its inventory at their book values. Therefore, a financially sound auditee needs to have an excess of current assets over current liabilities to compensate for the greater uncertainty associated with current asset valuation.

147

Second, most auditees buy the inputs to their production processes first, then produce the good or service, possibly inventory it, sell it, and finally collect the cash from the sale. This timing difference means that an auditee must have an excess of current assets on hand to finance purchases while they wait for their collections. This timing difference is referred to as the cash conversion cycle and will be discussed in more detail below.

Short term

Short-term financial position analysis focuses on whether an auditee can pay its current liabilities as they fall due. It is also referred to as liquidity analysis since assets that can be readily converted to cash are referred to as liquid assets. These ratios are mostly two-sided. High ratios tend to indicate high liquidity and the ability to pay current debts easily, but, since liquid assets also are less risky, they tend to generate lower returns. Therefore, an auditee with too many liquid assets is probably losing profitability.

Current and Quick Ratios

The current ratio, along with its close relative the quick ratio, or acid-test ratio, as it is also called, are the most common measures of an auditee's short-term financial position. The current ratio is total current assets divided by total current liabilities. It measures whether there are sufficient current assets on hand to pay current liabilities. The quick ratio differs from the current ratio because less liquid current assets, like inventory and prepaid expenses, are excluded from the numerator of the ratio. This leaves assets like accounts receivable, cash, and short-term investments that can be converted to cash fairly quickly, thus the name for the ratio. These assets are also called monetary assets because of the relative ease in converting them to cash. This statement may not seem obvious for accounts receivable. Auditees, however, do not have to collect an account receivable to get the cash. They can sell the receivable (commonly referred to as factoring). The auditee will, of course, receive less than full face value for the receivables they factor (i.e. sell), but they can get most of the cash. A common benchmark for the current ratio is 2.0 and for the quick is 1.0. A current ratio of 2.0 may seem high because it means the auditee has twice as many current assets as current liabilities. A ratio of 2.0 is desirable because of the risk that the inventory and receivables may not generate their book values in cash. The current and quick ratios measure the auditee's ability to pay their short-term or current debts from the auditee's short-term or current assets. If the value of the auditee's short-term assets is overstated because of potential collection and realization problems, then the auditee needs to have extra value in the current assets to compensate for this potential valuation problem. Since the auditee almost always must pay the full value of their current liabilities, the current ratio benchmark of 2.0 builds in a cushion to allow for valuation problems with the current assets. Auditors like to see that the auditee has sufficient monetary assets on hand to pay all current liabilities, thus a benchmark quick, or acid-test, ratio of 1.0. These benchmarks are more valid for manufacturing and distribution firms (wholesalers and retailers) because these types of firms carry substantial inventories. For service auditees and financial institutions, the current ratio is usually lower than 2.0 because of the lack of substantial inventories.

148

The current and quick ratios are two-sided because current assets usually do not produce a high return on investment. Therefore, auditees that have too high a level of current or monetary assets compared to their current liabilities may be losing profitability even though the existence of excess current or monetary assets provides greater liquidity. For example, an auditee can increase its current assets by increasing its inventory. Although this means that there are more assets available to pay creditors, inventory needs to be purchased; it costs money to be stored; and it tends to be perishable, due to either physical age or changes in market demand. Therefore, having too high a level of inventory depresses profits and return on investment while increasing the auditee's current ratio. The benchmarks for both the current and quick ratios are very conservative in that they are assessing the short-term financial position of the auditee based solely on whether then have enough current assets as of the balance sheet date to pay off their current liabilities. However, auditees generate more cash every day through operations and can use this cash flow to pay their current liabilities as well. Thus, they don't need to have more current assets than liabilities to have a sound short-term financial position. For example, Dell computer, the second largest personal computer manufacturer in the world, has a very low current ratio (around 1.0) and a moderately low quick ratio (around 0.9). However, they have a strong current financial position because of their business model. Dell sells on-line and assembles computers as they are ordered. Thus, they don't need to carry much of an inventory, which depresses their current ratio. They also sell a substantial proportion of their computers to consumers and do not extend credit. Thus, they have low accounts receivable. However, they do delay payment to their creditors, which creates a negative cash conversion cycle. That is, they get the money from their sales before they need to pay their creditors. This lack of inventory and quick collection means that they have plenty of cash flow to pay their creditors when those bills come due and, therefore, their low current and quick ratios do not signal a weak short-term financial position.

Dividend yields

Dividend yield and Dividend payout measure the amount of earnings the auditee is returning to its owners as dividends. Dividend yield normally is calculated by dividing dividends by net income and is expressed as a percentage. Dividend payout, which is used in this text, is calculated by dividing dividends by operating cash flows and is expressed as a percentage. High dividend payouts may be good for owners because it increases the cash they get from the auditee. However, because most dividends are paid in cash, high dividend payouts could indicate that management is draining too much cash from the auditee. In addition, the stockholders may not be able to reinvest the cash they receive as dividends in investments that produce the same return on investment they could have received if they just left the cash in the auditee so it could invest in expanded capacity. High dividend payouts are a particular concern when management also owns significant stock in the auditee since management usually controls the amount of dividend payout and may be using that power to take large amounts of cash out of the auditee. Therefore, dividend yields and payouts are two-sided measures. A higher dividend yield or payout can mean that the auditee has strong profits and cash flows, or it can mean that the auditee is paying out too much cash to

149

owners. This text includes dividend payout in the short-term financial position analysis because it uses the statistic primarily to determine how much dividends are draining cash flows.

Operating cash flows

As the Dell example above illustrates, auditees can pay their short-term liabilities in two ways: by liquidating current assets or by tapping the auditee's cash flows. That is, they can pay debts with assets or with cash flows. Therefore, a complete assessment of an auditee's current financial position is not complete without a review of the strength of an auditee's operating cash flows, their cash conversion cycle, and their overall cash management performance. These issues were discussed in the cash flow section above.

Long term

The purpose of long-term financial position analysis is similar to that of short-term analysis. The auditor also wants to measure the auditee’s ability to pay its bills over a longer period of time or solvency. Another purpose of long-term analysis of an auditee's financial position is to determine what type of long-term financing strategy it is using. Because different long-term financial strategies can equally beneficial to the auditee, long-term financial ratios are all two-sided. These ratios are considered weak if they are either too high or too low. For example, most creditors would like to see a total debt/equity ratio of somewhere around 1.0, meaning that the owners have at least as many claims against the auditee's assets as the creditors. If the owners have more claims against the auditee's assets than the creditors, then the creditors are more certain that the auditee can pay them back if the auditee got into financial trouble. However, a lower ratio might mean that the auditee is not taking advantage of leverage and instead is depending on equity financing, thus reducing return on owners' equity. Therefore, low debt-to-equity ratios are generally good for creditors and high debt-to-equity ratios are generally good for investors. However, if debt-to-equity ratios become too high, they can be bad for investors, too. Many credit agreements come with covenants that require the auditee to maintain certain levels in their ratios or restrict the level of dividends they can pay to help protect the creditors. For example, if a debt covenant states that the auditee's debt/equity ratio cannot go above 1.2 and the auditee's debt/equity raises above this level, the creditor could force the auditee to pay the full amount of the debt immediately, which probably would create serious problems for the auditee.

Debt to equity

The main long-term financing strategy decision an auditee has to make is the balance between debt and equity financing. This relationship is known as leverage and was discussed earlier in the appendix. Debt financing tends to be cheaper than equity financing because it is less risky for the investor. The terms "equity financing" and "debt financing" refer to who has claims against the auditee's assets: the creditors or the owners. Since both creditors and owners create claims against the auditee's assets by giving the auditee assets in some form, the liability and equity side of the Balance Sheet also reflects an auditee's sources of financing. Most long-term debt is secured by claims against specific assets or at least comes with a fixed repayment schedule. Equity investment has neither of these features. The benefit to the investor

150

is that equity usually has a higher return per dollar invested than debt, which is why it costs the auditee more. The advantage of equity financing is that it usually requires a lower cash flow to maintain. Much of the return that investors receive on their dollar comes as higher stock prices, not cash paid out in dividends. In addition, many companies pay dividends as additional stock and not cash, thus further reducing the cash flow requirements associated with equity. Therefore, much of the higher expense associated with equity comes as pressure on management to achieve a high return on investment, not in demands for cash outflows. Paying dividends as stock, and not cash, does have an indirect cash flow effect, however. The auditee could have sold that additional stock in the stock markets and received cash instead of giving that stock to its owners. By giving up the ability to sell the stock, the auditee has incurred what economists call an opportunity cost or opportunity cash flow. While an opportunity cash flow isn't "real" because no cash goes out of the auditee, it is really just as "real" as an actual cash flow because the auditee gave up the ability to receive a cash inflow. An auditee that relies too heavily on debt financing is running an increased risk of insolvency (i.e., the inability to pay its debts). A high debt-to-equity ratio means that an auditee necessarily has a low equity balance compared to total assets since the bulk of the claims against those assets are held by creditors. A low equity balance means that the auditee cannot lose too much money before its equity goes to zero or negative, which means the book value of the assets is not sufficient to cover the auditee's debts. Therefore, an increase in debt-to-equity means that creditors are carrying an increasing risk of losing their money. Under these circumstances, they will demand higher interest rates or force the auditee to pay off the loans because of violations of debt covenants. If, however, the debt-to-equity ratio is too low, this means that the auditee is not taking full advantage of less expensive borrowed funds. Leverage , then, is the use of lower cost debt to finance the auditee, or making money with other people's money. For example, if an auditee is making a 10% return on total assets and paying 8% interest on long-term debt, then it would increase its return to the owners if it borrowed more money and invested it in more assets, assuming the new assets also would yield a 10% return. The 2% difference between what the auditee pays its creditors for the cash to invest in more assets and the 10% the auditee earns on its assets belongs to the owners. Therefore, they are earning 2% on the creditors' money. However, the owners also are assuming the risk that the auditee's return on the new assets it purchases with the creditors' money may not return 10%, or even the 8% needed to pay interest to the creditors. The two debt-to-equity ratios measure the relative emphasis the auditee places on debt and equity financing. The Total Debt-to-Equity ratio is the broadest gauge, taking into account both short and long-term debt. The Long-term Debt-to-Equity ratio is a narrower measure because it only considers long-term debt. However, it may represent the tradeoffs between investors more accurately.53 As mentioned earlier, the broad interpretation of the term "investor" includes everyone with some form of long-term stake in the auditee, either creditor or owner.

53 The discussion of the return on invested capital statistic in Appendix B provides an alternative view of what constitutes a long-term stakeholder in an auditee.

151

The common-sized Balance Sheet can be used to analyze an auditee's relative debt and equity position. Auditors can look at the various liability and equity components as percentages of total assets and gain the same insights as looking at debt-to-equity ratios. This text uses both total and long-term debt-to-equity, as well as the common-sized balance sheet, for long-term financial position analyses.

152

Assessing and Responding to Fraud Risk

Summary

This chapter provides an overview of how auditors address fraud risk in a financial statement audit. After completion this chapter, students should be able to:  Define fraud and describe different categories of fraud.

 Describe the conditions that lead to fraud and identify those factors in fraud cases.

 Describe the auditor's responsibility for finding and documenting fraud in a financial statement audit.

Types of Fraud

Definition of Fraud

There is a variety of definitions of fraud depending on the context. For example, the common dictionary definition of fraud is:

Fraud is a generic term, and embraces all the multifarious means which human ingenuity can devise, which are resorted to by one individual, to get an advantage over another by false misrepresentations. No definitive and invariable rule can be laid down as a general proposition in defining fraud, as it includes surprise, trickery, cunning and unfair ways by which another is cheated. The only boundaries defining it are those which limit human knavery.54

This definition isn't too practical in that it would be hard to apply to a specific situation to reach a definitive conclusion about whether certain actions constitute fraud. However, it does capture the breadth of the concept. Fraud is also illegal and there is a legal definition of fraud.

A knowing misrepresentation of the truth or concealment of a material fact to induce another to act to his or her detriment.55

Common law breaks fraud down into nine elements. These include:  a representation of fact;

54 Webster's New World Dictionary (1964). College Edition. New World Publishing. Cleveland and New York. Page 380. 55 Bryan Garner, Ed. (2004). Black's Law Dictionary. 8th Edition.

153

 its falsity;

 its materiality;

 the representor's knowledge of its falsity or ignorance of its truth;

 the representor's intent that it should be acted upon by the person in the manner reasonably contemplated;

 the injured party’s ignorance of its falsity;

 the injured party’s reliance on its truth;

 the injured party’s right to rely thereon; and

 the injured party’s consequent and proximate injury.56

Types of Fraud

There are several of types of fraud. This chapter will focus fraud perpetrated by or against an organization that would be a concern to auditors. The Association of Certified Fraud Examiners (ACFE) breaks different frauds down into multiple categories. The top-level breakdown is between internal and external fraud.

Internal Fraud Internal fraud, also called occupational fraud, can be defined as: “the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the organization’s resources or assets.” Simply stated, this type of fraud occurs when an employee, manager, or executive commits fraud against his or her employer. External Fraud External fraud against a company covers a broad range of schemes. Dishonest vendors might engage in bid-rigging schemes, bill the company for goods or services not provided, or demand bribes from employees. Likewise, dishonest customers might submit bad checks or falsified account information for payment, or might attempt to return stolen or knock-off products for a refund. In addition, organizations also face threats of security breaches and thefts of intellectual property perpetrated by unknown third parties. Other examples of frauds committed by external third parties include hacking, theft of proprietary information, tax fraud, bankruptcy fraud, insurance fraud, healthcare fraud, and loan fraud.57

The main type of fraud that auditors need to focus on is occupational fraud. Occupational fraud are types of fraud associated with running a business. The following diagram presents the various types of occupational fraud.

56 Robert D. Mitchell (2016). http://www.mitchell-attorneys.com/legal-articles/common-law- fraud/. Downloaded 8/6/2016. 57 ACFE (2016). What is Fraud? http://www.acfe.com/fraud-101.aspx. Downloaded 8-11-16.

154

58 Occupational fraud contains three main types:

58 ACFE (2016). The Fraud Tree. http://www.acfe.com/fraud-tree.aspx. Downloaded 8-11-16.

155

Corruption

Corruption occurs when an individual wrongfully uses their influence or knowledge in a transaction in order to procure some benefit for themselves or another person in a way that is contrary to their duty to their employer or rights of another person. It involves some interaction between an employee, to include management, of an organization and a third party. Either the employee or the third party can initiate the interaction, both benefit because the employee uses his/her inside knowledge or influence to create a transaction that harms the organization to the benefit of the two parties. The following table provides some examples of the four main types of corruption.

Asset Misappropriation

Asset misappropriation is the most common type of fraud.60 It involves an employee of an organization either stealing assets or using them for unauthorized purposes. As the Fraud Tree illustrates, there are a rich variety of types of asset misappropriation fraud schemes that can be broken down by type of asset misappropriated. Cash has the largest number of examples in the Fraud Tree because fraudsters can use the cash immediately and don't have to convert it to a more liquid asset to benefit from taking it. Asset misappropriate fraud is really a secondary concern for auditors. Asset misappropriate fraud may be more common, but it also involves less money and the amount of the theft may not be

59 Albrecht, W.S., C.O. Albrecht, C.C. Albrecht, and M.F. Zimbelman (2016). Fraud Examination. Fifth Edition. Cengage Learning. Page322. 60 ACFE (2014). Report to the Nations on Occupational Fraud and Abuse. Page 11.

156

material to the financial statements. It still is a concern for auditors, but may not involve enough funds to make it over the auditor's materiality threshold.

Financial Statement Fraud

Financial statement fraud is the rarest type of fraud in terms of the number of cases, but involves the largest amounts.61 Top management usually perpetrates financial statement fraud because they are in a position to override internal controls and alter the financial statements and because they are in a position to benefit. Financial statement fraud involves management manipulating the financial statements to alter the impress those statements leave on investors. Examples include such high profile cases as Enron and WorldCom, two frauds that ended in the bankruptcy of the firm and lead to the passage of Sarbanes-Oxley. Financial statement fraud clearly is a major concern for auditors. However, auditors face a significant problem in differentiating between aggressive, but accepted accounting treatments and fraud. From the auditor's viewpoint, the scheme must involve a clear violation of GAAP as well as evidence of intent to deceive to be fraud. For example, if management is trying to reduce expenses and raise assets by being overly optimistic about the proportion of accounts receivable they collect, this probably wouldn't constitute fraud. It might just be a legitimate difference of opinion on the collectability of the accounts, which is inherently a judgment call. However, including accounts receivables that don't exist on the balance sheet would clearly be fraud.

Conditions for Fraud

Fraud Triangle

The most common view of conditions that lead to fraud is the Fraud Triangle. The fraud triangle covers the conditions that normally have to exist for fraud to occur. The professional literature also refers to it as the Fraud Motivation Triangle to differentiate it from the Fraud Elements Triangle presented below.

61 ACFE (2014). Report to the Nations on Occupational Fraud and Abuse. Page 11.

157

Perceived Pressure or Incentive

The first condition that must exist for fraud to occur is a reason the fraudster needs to benefit from the fraud. The term "perceived" is used to emphasize that the pressure is in the mind of the fraudster. The following items are common sources of fraud pressure. Many, but not all, of them involve increasing the fraudster's financial position.  Living beyond one's means

 Being heavily in debt, possible due to attempting to live beyond one's means

 Compensating for unexpected financial losses

 Need to support a vice like drug, gambling, or sexual additions

 Desire to get even with one's employer

 Desire to build one’s reputation or stature, which is a common motivation for financial statement fraud

Opportunity

Just having a motive to commit fraud isn't enough. The fraudster also needs to have an opportunity to do so. A key opportunity for most frauds is a weakness in a firm's internal controls; particularly a lack of internal segregation of duties, which will be discussed further in the next chapter. For example, it is hard for an employee to steal cash if don't have physical access to the cash and access to the accounting for the cash. If they have access to the cash, but not the accounting, then the firm will rapidly discover the theft.

158

Other opportunities exist when assets or performance measures are hard to value or the fraudster has access to information they can use to perpetrate or cover up the fraud. When judgement is involved is assessing either the value of an asset or the fraudster's contribution to the firm, this creates an opportunity for the fraudster to manipulate such values to their benefit. In addition, a fraudster may take advantage of information only they possess to perpetrate a fraud.

Rationalization

The last element of the fraud triangle is the ability of the fraudster to rationalize their actions. Students frequently wonder why this is important and why just pressure and opportunity isn't adequate. A major reason rationalization is present is because most fraudsters are not pathological personalities but normal people faced with pressure and opportunity. Over 80% of detected fraudsters have no prior record of fraud or any form of disciplinary action and are first time offenders.62 Generally, fraud is perpetrated by good people put in bad situations and, consequently, they need to be able to justify their actions. Some common rationalizations include:  I deserve it or the firm owes me

 I am only borrowing the money and will pay it back

 It is a big firm and the amount I am taking won't hurt anyone

 It is for a good purpose

 We will fix the books later after the immediate crisis of over

Fraud Elements Triangle

The Fraud or Fraud Motivation Triangle covers the preconditions that lead to fraud. The Fraud Elements Triangle covers conditions that need to exist to carry out a fraud. This triangle is important to auditors because it helps focus the auditor's attention on methods to detect a fraud. The Fraud Elements Triangle is close related to the opportunity component of the Fraud Triangle because it covers the conditions that need to exist for the fraudster to get away with the fraud.

62 ACFE (2014). Report to the Nations on Occupational Fraud and Abuse. Page 58.

159

Fraud Triangle or Fraud Motivation Triangle

The components of the Fraud Elements Triangle include:  Theft act - The activity the fraudster used to execute the fraud. "Theft" is a little limited

here because frauds can also include things like manipulating the financial statements that don't involve outright theft of assets. A better term might be fraud act, but we are presenting the triangle as the professional literature typically presents it.

 Concealment - The fraudster needs to be able to conceal the fraud to carry it out without detection. Concealment usually involves the fraudster having access to accounting records so they can alter or destroy those records to hide the theft/fraud act.

 Conversation - The fraudster needs some method to benefit from the fraud. This usually means converting assets or information to a form the fraudster can use for personal benefit. As mentioned above, cash thefts usually don't require conversion because cash is so liquid. However, some cash thefts involve writing checks to the fraudster and the fraudster needs a way to convert those checks to personal use. Even financial statement fraud involves a form of conversion. The perpetrator needs to be able to convert accounting entries and values into a pattern that alters the financial statements in the desired way.

Assessing the Risk of Fraud

Importance of Professional Skepticism

Auditing standards require that auditors assess the risk of fraud on all audits. Those standards emphasize the importance of maintaining professional skepticism in assess fraud risk. This text discussed the concept of professional skepticism in Chapter 1. Two key features of professional skepticism are a questioning mind and critical evaluation of audit evidence.  Questioning Mind - When related to fraud risk assessment, auditors auditing standards

require that auditors consider the auditee's susceptibility to fraud regardless of the auditor's

160

beliefs about the likelihood of fraud or their assessment of management's honesty and integrity.

 Evaluation of Audit Evidence - If an auditor discovers information that a material misstatement might have occurred due to fraud, auditing standards require that they thoroughly probe the issue, gather additional evidence as needed, and consult with other audit team members. Auditors should not assume the incident is isolated and should engage in follow up procedures to determine the extent of the potential fraud risk. Follow up procedures are necessary to differentiate an unintentional error from fraud and assess the risk that other, similar errors exist.

Sources of Information

Discussions with Audit Team

Auditing standards require that auditors have discussions within the audit team, to include the lead partner, to share experience and insights on the level and source of fraud risk on the audit. These sessions are referred to as "brainstorming" sessions. Standards require that such sessions cover:  The inherent and control risk factors that might provide pressures and opportunities for the

auditee's management to create fraudulent material misstatements in the financial statements. The text covered inherent risk issues in Chapter 5. Pressures include external pressures due to the auditee's position in their industry and analysts’ expectations; opportunities for management to create fraudulent material misstatements in the financial statements include internal pressures such as compensation linked to accounting measures. Control risk factors would provide opportunities for management to perpetrate the fraud by doing things like overriding controls. A weak control environment also increases the ability of management to rationalize their actions.

 The nature of the auditee's accounting and control systems and how they might create opportunities for management to both perpetrate and conceal fraud as well as opportunities for employees, to include management, to misappropriate assets.

 Possible procedures the auditor could use to respond to the audit team's assessment of possible fraud risk.

Inquiries of Management

Auditing standards require that auditors ask management about any possible fraud risks as well as their process for assessing fraud risk. These inquiries must include the audit committee as well as the auditee's management. Another key resource is the auditee's internal audit department, if they have one. However, these inquiries also need to extend to lower-level management and supervisors as well. These broad-based inquiries are designed to help auditors gain a comprehensive understanding of audit risk from the auditee's perspective. However, for these inquiries to be successful, auditors need to exercise professional skepticism during the process.

161

Preliminary Analytical Procedures

Auditors are required to perform preliminary analytical procedures on every audit. These procedures are tools for directing the auditor's attention to unusual fluctuations and relationships in the auditee's financial statements. However, they only provide high-level indicators of possible problems and auditors always need to do follow up procedures to determine the cause of unexpected fluctuations or relationships. Auditors need to do follow-up procedures to determine whether legitimate changes in operations, unintentional error, or fraud caused the unexpected fluctuations.

Management's Responsibility to Minimizing Fraud Risk

Management is responsible for minimizing fraud risk within a firm and the auditor is responsible for assessing the risk of a material misstatement in the financial statements caused by fraud. The text will cover the main tools managers can use in the next chapter. They involve creating a strong control environment and governance structure within the firm. Some of the key features of a strong control environment that will help prevent and detect fraud are:  Setting a strong and visible example for the rest of the firm. The professional literature

refers to this as setting a strong "tone at the top."

 Creating a positive work environment. Happy employees who feel appreciated and a critical part of the firm are less likely to be able to rationalize committing fraud and probably would have less incentive to do so.

 Hiring and promoting strong employees - People are the key to any control environment. Firms should employee rigorous hiring practices to include reference and background checks to help insure that the employees they hire have the skills to carry out their assignments and are of strong moral character. Employees who are hired into positions they are not equipped to handle are more likely to feel pressure to commit fraud or be able to rationalize fraud. The same logic applies to promotions within the firm.

 Train and monitor employees - Firms should help insure that their employees have the tools to carry out their responsibilities with on-going training. This training also should include coverage of the firm's policies and procedures and ethical standards. Firms should also evaluate an employee's performance periodically and provide the employee with feedback designed to help them improve their performance. If the employee doesn't respond to positive feedback, the firm may need to take disciplinary action. Employees that know what the rules are; are rewarded for following them; and are disciplined for not following them are more likely not to commit fraud. If employees see that the firm is serious about fraud and strongly disciplines employees caught perpetrating fraud, this will reduce the perceived opportunity to commit fraud and the ability to rationalize doing so.

 Develop fraud risk assessment procedures - Management should develop regular procedures for assess fraud risk within the firm and structuring controls to prevent and detect it. Since a firm's activities usually change over time, these procedures need to be reviewed and updated periodically.

162

 Fraud reporting programs - Sarbanes-Oxley requires that publicly traded firms set up whistle blowing hot lines or other similar reporting mechanisms employees can use to report suspected fraud to upper management. The higher the level of management that monitors these hot lines, but more effective they tend to be. The board's audit committee should be heavily involved in establishing and monitoring these hotlines. Tips are the single most common way firms uncover fraud.63

Auditor Response to Fraud Risk

Auditing standards require that, if auditors identify material fraud risk for an auditee, they are required to structure responses at three levels: overall, assertion/audit objective level, and management override risk.

Responses to Overall Fraud Risk

The first step when and auditor identifies a material fraud risk is to discuss it with management and assess management's procedures for mitigating the risk. If the auditor continues to believe that a material fraud risk exists, they should:  Consider putting more experienced personnel on the audit who may have seen more fraud

cases.

 Increase emphasis on professional skepticism, particularly verifying management explanations.

 Consider management's choices of accounting principles, particularly in sensitive areas like those requiring management judgment in valuing assets and revenue recognition policies.

 Deviate from prior audit procedures so they are less predictable. Fraud perpetrators are often knowledgeable in the procedures the auditor uses since most audits are repeat engagements. This is particularly true if top management may be involved in the fraud.

Responses to Assertion/Audit Objective-level Risk

Auditors also need to respond to identified fraud risk based on the account and management assertion/audit object that is most at risk. Auditors can respond to these risks by:  Increasing extent of audit procedures by doing things like increasing sample sizes or

testing all items in the population.

 Altering the timing of audit tests by executing them closer to year-end.

 Altering the nature of audit test to select more powerful or focused procedures. For example, replacing substantive analytical procedures with tests.

63 ACFE (2014). Report to the Nations on Occupational Fraud and Abuse. Page 21

163

Responses for Possible Management Override of Controls

Top management is in a unique position to override the controls they were responsible for establishing. Auditing standards require that auditors perform three categories of procedures on every audit since the risk of management override exists on all audits. However, if the auditor has identified a material risk of fraud, then the auditor should extend and enhance these procedures. These procedures include:  Review journal entries and other adjustments for evidence of possible fraud. Journal

entries our powerful tools to manipulate financial statements because they don't go through standard journals and don't result from recurring process like sales and purchases. They can represent arbitrary changes to the financial statement accounts. Auditors need to understand the auditee's control procedures over journal entries and review the documentation and rationale for any that appear to be unusual.

 Review accounting estimates for biases. There are significant areas in GAAP where management must use judgment to value assets and liabilities or to recognize revenues and expenses. Some common examples are the allowance for doubtful accounts, the application of the lower of cost of market rule, setting useful lives and salvage values, classifying short-term securities as available for sale or trading, setting parameters used to value pension liabilities and stock option values, and deciding when to impair fixed assets and goodwill, to name a few. These are gray areas because they require management judgment and management is in a better position than auditors are to make those judgments. However, auditors need review management's decisions and question the rationale behind them. For example, they can review historical collection patterns and an accounts receivable aging to evaluate the size of the allowance for doubtful accounts.

 Evaluate the business rationale for unusual transactions. This approach might have helped Arthur Andersen evaluate Enron's use of variable interest entities. Enron used these types of entities to hide significant debt off their balance sheet. Related party transactions also represent high-risk areas. Auditors need to consider both the auditee's accounting treatment and the level of footnote disclosure for these types of transactions.

Auditors' responses to fraud risk assessment is an on-going process. Auditors need to constantly step back and review the information from their reviews and what evidence that provides that either raises or lowers their assessment of fraud risk.

High Risk Fraud Areas

Auditors and auditing standard setters have identified several areas that tend to have higher fraud risk in most audits. The main factors that drive these assessments are the importance to the overall financial position of the firm and the materiality of the assets involved as well as the role management judgment plays in the accounting for these items.

Revenue recognition

Auditing standards require that audits assume revenue recognition is a fraud risk area on every audit. Revenues a critical to the assessment of any firm and so attempts to manipulate revenues

164

are common. Analytical procedures can be a powerful tool to spot revenue manipulations. Revenues drive many aspects of the business-like receivable and inventory levels. As a firm's revenues increase or decrease, inventories and accounts receivable balances tend to change proportionately. Thus, ratios like days receivables or days inventory can help spot revenue recognition problems. Revenue manipulation attempts cover three areas:  Recognizing fictitious revenues - Fictitious revenue transactions are not accompanied by

changes in receivables and inventory. Thus, changes in the relationship between these accounts as measured by ratios like days receivables and days inventory can signal the existence of fictitious revenues. In addition, unexpected increases in revenues based on historical trends, industrial trends that are not explained by changes in things like credit terms or marketing strategies can signal fictitious revenues. Auditors can follow up on these signals by reviewing documentation support for sales transactions for incomplete or suspicious documentation.

 Premature recognition of revenue - Premature revenue recognition generates signals that are similar to fictitious revenue recognition for similar reasons - there isn't a matching change in inventory and, possibly, receivable accounts and premature recognition can create patterns inconsistent with the industry or past performance.

Revenue recognition rules can be quite complex in many industries. For example, construction firms frequently use percentage of completion rules to recognize revenues and these rules involve significant management judgment. Some industry's business modal may involve bundling several types of goods and services in one transaction and different revenue recognition rules may apply to the different components of the transaction.

In addition, many firms sell through wholesalers and other third-party intermediaries. Auditors need to review the agreements between the auditee and these third parties to determine if all requirements for revenue recognition have been met. For example, if the auditee sells to a third party but offers an unlimited return policy even if the third party has paid for the item and taking title to it, revenue recognition rules are not satisfied because the third party can void the sale at any time.

 Manipulation of adjustments to revenues - The main manipulation involves sales returns and allowances. If the auditee hides sales returns from the auditor, the returned items will end up in inventory, which will reduce cost of goods sold and increase income. Thus, there is a compounding effect since failure to recognize the return also increases net sales.

Misappropriation of Revenue Receipts

Capturing transactions at the boundary of the firm (i.e., when they first occur) is a classic control problem. Thus, one of the most difficult frauds to detect is when a sale isn't recorded and the cash payment is stolen. Unrecorded sales have the opposite effect as recording a fictitious sale, but they also create a disconnect between sales and other accounts like inventory and accounts receivable and so auditors can use the same analytical tools as mentioned above to spot them and follow up by reviewing shipping documentation compared to sales recorded sales transactions.

165

Cash receipts from sales also can be stolen after the sale is recorded, but it is harder to hide these since there is a record in the accounting system for the sale. Frauds are easier to detect once information about the transaction has been recorded in the accounting system. For example, the fraudster would need to reduce a customer's account balance for the payment they stole or the accounts receivable billing process would rapidly uncover the fraud. There are three main ways the fraudster can do reduce a customer's account balance. All three involve manipulating accounts outside of sales. The three are:  Record a sales return or allowance for the customer

 Record a direct write-off to the customer's account

 Apply the payment from another customer to the first customer's account balance. This is known as lapping and is hard to maintain for very long because it takes constant management.

Inventory Fraud

Inventory is usually a major asset for manufacturers, wholesalers, and retailers. In most cases, inventory is readily saleable making it easy to convert to cash. These factors make it a high risk for misappropriation. However, changes in inventory also have a significant effect on cost of goods sold and net income. A common financial statement fraud is to overstate inventory, which reduces cost of goods sold and increases net income. Since changes in inventory should be closely related to changes in sales, ratios like days costs or days sales in inventory are good tools for spotting inventory fraud. Most firms manage their inventories very tightly because inventory costs money to maintain but reducing inventory too far can risk lost sales. Thus, most firms will have stable days inventory over time. An unexpected increase in days inventory could signal fictitious inventories.

Other Risk Areas

The above are the three most common sources of fraud. However, fraud can be perpetrated in just about any area of the financial statements. Here is a short list of some of those areas:  Understating liabilities, particularly accounts payable since changes directly affect

expenses.

 Miss-valuation of or theft of fixed assets - Some smaller fixed assets like office equipment is readily saleable and, therefore, subject to theft risk. Fixed asset valuations also involve management judgment is setting useful lives and salvage values as well as determining impairments, making them a tool for financial statement manipulation. Fix asset values also should include determination of an expenditure doesn't improve that and is expensed versus expenditure that do improve the asset and are capitalize. Capitalizing expenses reduces expenses, raises net income, and increases assets.

 Intangible asset valuation - Valuation of intangible assets usually involves management judgment and can be a useful tool for financial statement manipulation. Goodwill is a classic example because it arises from purchase of business transactions that involve

166

several different types of valuation judgments. Firms don't systematically write off goodwill and it is subjected to annual impairment decisions that can be quite subjective.

Fraud Documentation

Auditors need to document everything associated with an audit to support their audit opinion and to provide a defense in case of a lawsuit. However, auditors’ standards require that auditors document the following specific issues regarding their fraud risk assessment and fraud detection activities.  Significant conclusions reached during audit team "brainstorming" sessions to include any

conclusions reach, when the meetings were held, and now participated.

 Any procedures used to assess fraud risk and detect fraud.

 Any specific fraud risks the auditor identified either at the overall level or the assertion/audit objective level and how the auditor responded to those risks.

 Reasons supporting an assessment of low or non-existent fraud risk.

 Results of procedures performed to assess risk of management override of controls.

 Other conditions or analytical procedure results that lead to additional audit procedures and the actions taken by the auditors in response to those results.

 The communications about fraud with management, the audit committee, and others like regulatory bodies.

167

Assessing Control Risk and Developing Overall Audit Strategy

Summary

 Controls are policies and procedures that firms implement to insure effective and efficient operating, accurate financial statements, and compliance with laws and regulations.

 A firm's control system contains several components that range from firm-wide factors that create a control environment to the design and implementation of specific control procedures. Auditors can use the COSO and COBIT frameworks to help understand these factors and their interrelationships.

 Auditors assess control risk at the transaction process and transaction/account levels to link control risks to their plan for substantive testing of transactions and accounts.

 Auditors document their control risk assessments with narratives, flowcharts, and checklists. They link their control assessments to audit plans with control risk matrices.

 Auditors document their audit plans with audit programs

Definition of Internal Controls

This chapter will present the Committee of Sponsoring Organizations (COSO) coverage of internal controls. This is the primary source of high-level guidance auditors use when evaluating control risk and testing controls. The following is a summary of COSO's history.

COSO was organized in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private-sector initiative that studied the causal factors that can lead to fraudulent financial reporting. It also developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions. The National Commission was sponsored jointly by five major professional associations headquartered in the United States: the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Institute of Internal Auditors (IIA), and the National Association of Accountants (now the Institute of Management Accountants [IMA]). Wholly independent of each of the sponsoring organizations, the Commission included representatives from industry, public accounting, investment firms, and the New York Stock Exchange. The first chairman of the National Commission was James C. Treadway, Jr., Executive Vice President and General Counsel, Paine Webber Incorporated and a former

168

Commissioner of the U.S. Securities and Exchange Commission. Hence, the popular name "Treadway Commission." Currently, the COSO Chairman is Robert Hirth. COSO’s goal is to provide thought leadership dealing with three interrelated subjects: enterprise risk management (ERM), internal control, and fraud deterrence.64

There are varieties of definitions of internal control. However, this section will use COSO's definition:

It defines and describes internal control to:

1. Establish a common definition serving the needs of different parties. 2. Provide a standard against which business and other entities--large or small, in the public or private sector, for profit or not--can assess their control systems and determine how to improve them.

Internal control is broadly defined as a process, affected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

1. Effectiveness and efficiency of operations. 2. Reliability of financial reporting. 3. Compliance with applicable laws and regulations.

The first category addresses an entity's basic business objectives, including performance and profitability goals and safeguarding of resources. The second relates to the preparation of reliable published financial statements, including interim and condensed financial statements and selected financial data derived from such statements, such as earnings releases, reported publicly. The third deals with complying with those laws and regulations to which the entity is subject. These distinct but overlapping categories address different needs and allow a directed focus to meet the separate needs.65

The auditor's main concern is the second objective - the reliability of financial statements - because their main goal is providing an audit opinion on the financial statements. Their secondary concern is compliance with laws and regulations because failure to do so can lead to material misstatements in the financial statements. The effectiveness and efficiency of operations also is a secondary concern because weak performance can put pressure on management to 64 Committee of Sponsoring Organizations (2016). About Us. http://www.coso.org/aboutus.htm. Downloaded 8/23/2016. 65 Committee of Sponsoring Organizations (2016). Internal Control - Integrated Framework. http://www.coso.org/documents/internal%20control-integrated%20framework.pdf. Downloaded 8/23/2016.

169

manipulate the financial statements. However, the auditor's focus is on insuring that the financial statements are free of material misstatement and not on acting as a business consultant for the auditee. Thus, auditors need to link issues of operating efficiency and failure to follow laws and regulations need to risks of material misstatement in financial statements.

Overview of Risk and Control Concepts

Implementation of Internal Controls

All organizations employ hierarchical management structures to set and achieve the organization's goals. These hierarchies have a board of directors, or other governing board, at the top level of the hierarchy. These boards have the ultimate authority and responsibility to set goals for the firm and insure that the firm achieves those goals. However, most boards do not have the time and resources to monitor all aspects of the firm directly. Therefore, they hire managers, usually several levels of managers, to direct and monitor employees to insure they achieve the firm's goals. Internal controls are policies and procedures that an organization uses to ensure that the firm's management and employees meet the firm's goals. One important aspect of controls is that they check on things and do not, themselves, record things or process information. Thus, when you are reviewing a case to identify the control procedures, they are not the procedures that record, process, or report information. They are the procedures that check on the recording, processing, and reporting of information, and insure that the proper employees authorize transactions. Thus, controls cannot inject errors into the system. Only information processes can. Firms' design controls to achieve the following control objectives. That is, the firm:  Safeguards assets by insuring that their acquisition, use, and disposal are authorized.

 Maintains records in sufficient detail to report company assets, liabilities, and transactions accurately and fairly.

 Provides accurate and reliable information.

 Prepares financial statements and other reports in accordance with established criteria.

 Promotes and improves operating efficiency.

 Encourages adherence to prescribed management policies and procedures by employees.

 Complies with applicable laws and regulations.

No internal control, nor even a comprehensive set of internal controls, can provide 100% assurance that the firm achieves all these control objectives. Thus, the definition of internal controls uses "reasonable assurance" and not absolute assurance. This discussion highlights the importance of controlling risk in running firms. Life is all about probabilities and risk; where risk is merely the probability that an event will occur. Thus, firms design controls systems to help them identify and control risks to achieving a firm's goals.

170

In addition, the implementation of controls must be cost/benefit justified because increasing the power of internal controls usually increases costs. At some point, it is more economical to allow some failures in achieving control objectives rather than trying to increase the power of the firm's controls. Making these cost/benefit decisions can be very challenging for management because, normally, the cost of a new control is easy to estimate while the amount of the potential loss from not having the control is not. To estimate the amount of a loss that a firm might incur because of the lack of a control management must estimate the expected value of the losses that might be incurred without the control in place. The expected value of any potential event (e.g. a loss due to lack of a control) is the probability the loss will occur times the amount of the loss if it does occur. Thus, estimating costs of controls is much easier than estimating their benefits (i.e., loss avoided if they are in place). Building internal control systems is challenging and requires a thorough understanding of how the firm functions because of the complexity of modern firms. This complexity also makes it difficult for auditors, both internal and external, to verify the effectiveness of internal controls. Thus, designers and auditors have developed classification schemes to break controls into categories based on when they are executed and how comprehensive they are. Designers and auditors also have developed frameworks (i.e., comprehensive checklists) that help designers and auditors insure that internal controls cover all the major threats to the firm's goals. We will discuss these concepts next to help you appreciate the issues involved in building a strong internal control system.

Types of Internal Controls

There are many potential ways to classify internal controls. Two ways that are helpful are by when the control functions and how comprehensive it is. "When" is defined by whether the control works on risks before or after the effect on the firm. "Comprehensive" refers to how many different functions within the firm an internal control covers.

When the Control Functions

Internal controls are classified by whether they prevent risks from damaging the firm, detect the damage after it has occurred, or correct damage that has occurred. Preventative Controls - prevent risk from damaging the firm before it occurs. Recall the old adage "On ounce of prevention is worth a pound of cure." Preventative controls can be very cost- effective because, normally, damage is costlier to correct than to prevent. However, risks can be hard to anticipate and, therefore, preventative controls can rarely cover all risks to the firm. Some examples of preventative controls are hiring qualified personnel and requiring a responsible employee authorizes all transactions prior to execution.

Detective Controls - detect damage after it has occurred. You use a detective control when you balance your checking account to a bank statement.

Corrective Controls - correct damage after it has occurred. An example of a corrective control would be maintaining backup copies of data to recover from a loss of data.

171

Normally, firms pair detective and corrective controls together. Detecting damage doesn't do much good if the firm doesn't correct it and the firm can't correct damage it hasn't detected. Even preventative and detective/corrective controls tend to relate to each other in that firms implement detective/corrective controls to detect/correct damage done by risks that preventative controls didn't prevent. Because the core focus of this chapter is on evaluating the design of controls system that reduce risks for a firm, from this point on, We use "mitigate risk" to refer to what controls do. "Mitigate risk" highlights the core goal of all controls, whether preventative or detective/corrective, which is to reduce the damage caused by risks to the firm. Use of the term "mitigate" also helps to reinforce the point that no controls are perfect and firms can rarely eliminate all risks.

Extent of the Controls Effect

Some controls, either preventative or detective/corrective, are very focused on specific transactions or groups of related transactions while others focus on broad areas of the firm's operations. Accountants group controls into two categories, general and application based the breadth of the controls coverage. General Controls - or firm-level focus on the firm's control environment. A firm's control environment includes such things as management's attitude towards controls, human resources policies, the existence of audit committees and internal audit departments, and computer security policies and procedures. These types of controls provide some assurance that controls are mitigating risks across most or all of the major operations of the firm (e.g., buying things, selling things, reporting financial result). For example, if a firm regularly performs background checks on all new hires, this control procedure will help insure that all employees act ethically in whatever job they perform.

The strength of general controls is the breadth of their coverage. Their weakness is that they are less effective at mitigating risk because they are "broad" but not "deep." That is, they can mitigate many risks, but they only weakly mitigate those risks. For example, trusted employees commit the most frauds. Thus, while background checks help, they are not a guarantee that an employee with a clean record won't turn to fraud given enough pressure to do so.

Transaction controls - focus on classes of transactions and mitigate risks in transaction streams. When these controls are embedded in software, they are called application controls . Because transaction controls focus on a single class of transactions, they are much narrower that general controls. However, because they are more focused on specific risks to specific transactions, they can be more powerful (i.e., deeper).

Internal Control Regulatory Environment

Our discussion thus far is based on the proposition that firms build controls systems to improve the firm's performance by mitigating the damage from risks. However, many firms sell stock to the public and, therefore, are subject to regulations to ensure that the information they provide potential investors is accurate and complete. The US Congress, to protect potential or current investors from false data, has passed laws that regulate how firms build and implement internal

172

controls. These acts cover other areas as well, but we will focus on their provisions that regulate control systems in the chapter. The two main acts that affect control systems are the Foreign Corrupt Practices and Sarbanes-Oxley acts.

Foreign Corrupt Practices Act (FCPA)

Congress designed the FCPA, passed in 1977, to prevent companies from bribing foreign officials to obtain business. However, to help accomplish this goal, the law includes language that requires firms to maintain good internal control systems. The logic was that one goal of a good control system is to help the firm stay in compliance with applicable laws and regulations. Thus, firms needed to have strong internal controls to mitigate the risk that some employee of the firm would bribe a foreign official to secure more business.

Sarbanes-Oxley Act (SOX)

The FCPA was not as effective as Congress intended. In the late 1990s, the economy was booming. However, around 2000, the economic growth started to slow, particularly in the technology sector, which suffered from the "dot.com bust" in 2000 and the 9/11 attacks in 2001. As the economy slowed, firms fought harder to maintain the earnings growth they had experience in the late 1990s, sometimes by manipulating their financial results and deceiving investors. These deceptive techniques eventually failed and several large firms went bankrupt (e.g., Enron, WorldCom, which were the two largest bankruptcies if US history, at least before the latest recession in 2008). Congress acted to protect investors by passing SOX. The main provisions of SOX were to:  Establish the Public Company Accounting Oversight Board (PCAOB) to regulate the

external audit profession by setting and enforcing auditing and audit related standards and by monitoring audit firms.

 Increase the role of Audit Committees of a firm's Board of Directors and define how those committees work with external auditors. Under SOX, all Boards of Directors must have audit committees consisting of all outside directors that hire, fire, compensate, and monitor the external auditor. Outside directors are directors that are not also employed by the firm. In many cases, firm employees like the CEO or CFO also serve as directors. In addition, a person with strong accounting and finance expertise must head these audit committees. 66

66 Enron had an audit committee that met all these SOX requirements before SOX was passed and still went bankrupt and triggered passage of SOX. In fact, 15 or Enron's 17 directors were outside directors. Requiring outside directors helps make boards of directors more independent of the firm's management. However, the benefits of this independence are limited when the board of directors receives all its information from the firm's management, which is normally the case.

173

 Require a firm's Chief Executive Officer (CEO) and Chief Financial Officer (CFO) to certify that management has reviewed the financial statements all related disclosures and they are accurate67 and not misleading.

 Require that the firm's management include a statement with their financial statements that they take responsibility for the effectiveness of the firm's internal controls and to report on management's assessment of how effective the control system is.

However, SOX only affects publicly traded, for-profit corporations. It does not regulate small businesses, privately held businesses, governments, or not-for-profit organizations.

Control Evaluation Frameworks

The classification schemes discussed help decompose a very large problem, i.e., building control system for a firm, into more manageable parts, but these schemes address how controls function and not the potential sources of risk. Accountants and information systems developers have created frameworks (something like a comprehensive checklist) to help describe all the possible sources of risks firms face. Since these frameworks were developed by accountants and information systems professionals, they tend to focus on risks to information and assets. In addition, auditing standards allow auditors to use either of these two frameworks when auditing internal controls.

COBIT

The Information Systems Audit and Control Association (ISACA) developed the Control Objectives for Information and Related Technology (COBIT) framework. The ISACA designed this framework for systems designers, users, and auditors to assist these stakeholder groups in insuring that the control systems surrounding information technology are effective. Thus, COBIT focuses on electronic data processing systems and their development and implementation. However, since the bulk of firms in our society use electronic information systems, COBIT is useful for just about any firm. The COBIT framework is too extensive to cover it in any detail in this text. However, we will give you a quick overview.

Operations COBIT Covers

The COBIT framework has sections that discuss risks associated with:  planning and organizing systems implementation plans,

 designing, building, and acquiring systems,

 implementing and supporting systems,

 monitoring and evaluating system performance, and

67 The word "accurate" is never used in the legislation. It uses "fairly presents" to avoid the certainty that the word "accurate" implies. We use "accurate" because it fits with student's intuitions more effectively.

174

 evaluating the effectives of the information a system produces in achieving management's goals.

Each of these steps in an information system's life cycle can create different types of risks, which is why COBIT addresses them separately.

Classes of Risks COBIT Covers

While the COBIT framework covers different steps in the systems development and use lifecycle, the main goal of the framework is to ensure that certain characteristics of the information produced by the system are present. The information characteristics that COBIT addresses include:  effectiveness - the information product supports management decision-making

 efficiency - the costs of producing information is minimized

 confidentiality - information is controlled so that only authorized parties have access to the information they need and no more

 integrity - the information is internally consistent and based on valid input data

 availability - the information is available to all that need it when they need it (without violating confidentiality)

 compliance - that information is produced in compliance with both firm policies and procedures and with external laws and regulations

 reliability - the system meets the above objectives consistently over time.

Some of these concepts overlap. However, that overlap insures that the goals listed cover all key management and organizational needs. In designing and evaluating control systems, classifying risks into one category or another is not nearly as important is making sure you have addressed all significant risk.

COSO Framework

GAAP provides auditors with a framework to assess the accuracy and fairness of financial statements. However, they need a comparable framework to use to assess the strength of internal controls and identify control risks. The most commonly accepted framework auditors use for evaluating the design of a control system is the COSO. The basics of COSO are covered above. The formal title today is Enterprise Risk Management - Integrated Framework (ERM). In the discussion below, we refer to the COSO framework, which includes the modifications made to create the ERM. We have elected to continue to refer to the COSO framework to help you remember who developed it and to differentiate from the COBIT framework more clearly. The key insight that comes from the Integrated Framework is its list of components of a control system: These include:

175

 The control environment - attitudes, awareness, policies, and actions of management and

the Board of Directors concerning the firm's internal control and its importance to the firm.

 The firm's risk assessment process - how management identifies risks relevant to the preparation of financial statements that meet GAAP, estimates their significance, assesses the likelihood of their occurrence, and decides on actions to manage them.

 The firm's information system and related processes related to financial reporting - the firm's information system consists of procedures, automated or manual, and records established to initiate, record, process, and report transactions and to maintain accountability for the firm's assets, liabilities, and equity.

 Control activities - procedures the firm uses to prevent or detect and correct errors (i.e., eliminate)68 in the information system and to insure the security of assets.

 Control monitoring - if management does not regularly review the effectiveness of the firm's control system, its effectiveness can deteriorate.

In this chapter, the focus is on firm-level controls that auditors focus on to assess the effectiveness of a firm's control environment and on transaction-level controls that are the firm's control activities, which are embedded in the firm's information system to eliminate errors. The ERM approach links control systems to risk management more effectively than it original did. The risk management approach is the dominant viewpoint for designing and evaluating controls today. Adding risk to the discussion of controls helps put that discussion in a context of threats to the firm and expands it beyond just evaluating the effectiveness of controls. Adding risk considerations also makes the framework more flexible in that a risk viewpoint emphasizes that risk change with time and, therefore, controls systems need to be adaptive. The COSO framework is presented as a three-dimensional cube. One dimension of the cube represents the various units within a firm. Its purpose is merely to ensure that firms develop and evaluate controls for all units within the firm. The other two dimensions look at risks from the standpoint of the components of a control system and objectives of control systems. Each of these are covered in more detail because they present a comprehensive discussion of the issues involved with internal controls.

68 From this point on, We will use the term "eliminate" to cover both preventing and detecting and correcting errors to simplify my presentation. While there are differences in control design and effectiveness between preventative and detective/corrective controls, these differences are beyond the scope of this text (and, actually, rarely important in practice).

176

Management Objectives

One dimension of the COSO cube is management objectives. Controls are policies and procedures firms develop to insure meets their management's goals. Thus, management goals need to be one dimension of the framework. The COSO framework breaks management objectives into four main categories.  Strategic - Strategic objectives refer to the longer-term goals of the firm and how to

achieve them. Strategic planning normally covers where management wants the firm to be in three to ten years from now. Strategic decisions involve things like what products to produce, what consumers to target, how to increase market share, and how to insure continuity in management over the years.

 Operational - Operational goals are the day-to-day goals management sets. For example, Facebook has mentioned a strategic goal of attracting children younger than 13 to its website. Operational goals related to that strategic goal might be developing parental controls and appropriate pre-teen content. Operational goals also cover common activities like paying employees and vendors, collecting receivables, and evaluating marketing campaigns.

 Reporting - All information systems need to produce reports for management to use to run the firm and to meet external reporting requirements. Having a strong information system with good controls is useless unless you can get information out of it efficiently, effectively, and timely.

177

 Compliance - All firms, indeed all individuals, are regulated in some way, usually by multiple governmental or professional entities. For example, we all have to file income tax returns and, therefore, we all need accounting systems that we can use to identify taxable income, exemptions, and deductions. Obviously, firms face much more extensive reporting requirements than individuals do. However, a firm doesn't have to be big to have extensive reporting requirements.

For example, in the case of a small, community water system, the total budget is less than $50,000 per year. However, they file state and federal income tax returns, state and federal employer tax returns and employee payroll summaries (e.g., W-2's), state sales tax returns, and file annual reports with the New Mexico Department of Finance and State Engineers Office. They also pay worker's compensation insurance and unemployment insurance, both of which have annual reporting requirements. They also prepare grant and loan proposals for various state and federal funding agencies and need to comply with the different reporting and compliance rules for each one. Finally, they need to comply with a recent executive order by our governor to certify that they have controls in place to safeguard any tax monies they get.

COSO includes consideration of these goals because each category of goals highlights a different source of risk to the firm. However, the real "meat" of the COSO framework is its description of the main components of a control system, which we will cover next.

Control Components

Another dimension of the COSO framework breaks a firm's risk management and control activities into components so that the framework is more manageable. These components normally are present in an order that begins with firm-wide issues and then focuses on activities that are more detailed. Next, each component is discussed and explained how they relate to each other.

Internal Environment

A firm's internal environment or control environment consists of a variety of factors that determine how the firm functions. These include:  Management's philosophy, operating style, and risk appetite - These issues describe a

firm's corporate culture since it is management's job to implement the Board of Directors goals for the firm. Thus, management sets the tone and culture for the firm. Some managers tend to favor more delegation of authority and some are more controlling. Some managers are willing to accept more risks when achieving the firm's goals while others are more conservative. There is no right or wrong organizational culture and cultures tend to differ from firm to firm. Thus, a control system should reinforce the firm's corporate culture and insure that employees are conforming to things like the level of risk they take in making decisions.

 Board of Directors - As mentioned above, the Board of Directors in the top authoritative body within any firm and the firm needs to design and implement its control system to insure the firm follows the Board's directives. Boards delegate the authority to

178

management to run the firm, but they retain the authority and responsibility to monitor management's actions to insure management is following the Board's directives. Thus, a control system is more effective if the Board actively monitors management's activities. However, many Board members are also managers, which reduces the Board's independence. Therefore, SOX required all Boards of publicly traded firms to have Audit Committee of the Board that do not contain any managers (i.e., audit committees must consist of outside directors).

 Commitment to Integrity, Ethical Values, and Competence - This component is referred to as the "tone at the top." Actually, Institute of Internal Auditors' (IIA) titled its regular newsletter to its members the Tone at the Top. The idea is simple. If top management puts emphasis on ethical, competent behavior, then the rest of the employees will be more likely to exhibit that behavior. This component may be the most important of all the COSO components since top management perpetrates the largest dollar amount of corporate fraud. Top management's unethical and illegal activities caused all the corporate failures that led to the passage of SOX.

 Organizational Structure - A firm's structure consists of how the firm delegates authority and responsibility and how it regulates employees and management's actions with written policies and procedures. To maintain a strong control system, firms need clearly specified lines of authority (i.e., chain of command if you have military experience) and clearly defined (i.e., written) policies and procedures. Control systems also are more effective if the firm's information system provides different levels of the chain of command with the information they need to manage the firm but does not provide information to those that don't need it.

 Human Resources Standards - People are at the heart of any control system. People develop the controls and people implement them. However, people need the skills, the incentives, and the resources to implement controls properly. Each of these components is critical.

Employees need to have the skills to understand and implement controls. No policy or procedure can ever completely anticipate all possible risks to the firm. Employees will need to adapt policies and procedures to specific cases and use judgment. Employees develop sound judgment through adequate training and experience and so firms need to ensure that their employees have the required training and experience to implement the policies and procedures.

Organizations can help guarantee that people have the appropriate skills through carefully designed and implemented hiring practices and on-going training programs. A thorough screening of a prospective employee's resume and references is a good preventive control

179

that helps insure that the employee will have the skills to do his/her job properly. Criminal background checks are also helpful.69 Hiring good employees is a good preventive control, but it is only a start. Control problems frequently arise because firms ask employees to perform tasks for which they do not have the required training and experience. Most firms live in changing environments where the types of risks change over time. Therefore, firms need to invest in continuing education and training to help insure that the employees who are executing control procedures have skills that reflect the current environment.

In addition, employees need to have a reason to implement controls (i.e., incentives). There is a rich literature on how firms can help insure that employees have the incentive (i.e., are motivated) to carry out top management's goals. In general, employee's incentives are effective by rewards ("carrots") and punishments ("sticks") coupled with the knowledge that management will monitor their actions in some way. However, some research has shown that explicit incentives may not work for very long and that the best way to incentivize employees is to integrate them into the corporate culture and make they feel like they are part of a team. If the firm does not implement some form of reward or punishment structure that emphasizes maintaining controls and backs it up with some form of monitoring and review process, the firm's control system probably will be ineffective.

Finally, even if the employee is well qualified and knowledgeable, and has the right incentives, they cannot execute their control responsibilities unless they have the resources to do so. While skill is a key resource, they also need time, equipment, and information to execute control activities. Without adequate resources, employees cannot maintain strong controls even if they know how to and want to. This major factor contributes to the costs of implementing controls and why management needs to make hard choices about whether controls are cost/benefit justified.

This discussion of human resources has been quite long, but humans execute control systems, make errors, and execute fraud. Thus, humans are at the heart of any control system. In summary, for a control system to be effective, the employees need:  Skills that they bring with them to the job and that are enhanced and kept current

through training;

 Incentives to do the right thing; and

 the resources to do the right thing.

69 Twenty-four states and several municipalities in the US don't allow employers to do criminal background checks on prospective employees. These entities are concerned that allowing employers to do criminal background checks will make it harder for former inmates to gain employment and, therefore, be more likely to commit more crimes. See The Economist, August 13, 2016, page 56.

180

Objective Setting

This component has been mentioned before in this chapter. The Board and top management need top set clear objectives for the firm so that the control system can be designed and implement to help insure those objectives are met. To quote the philosopher, Yogi Berra, "If you don't know where you're going, you'll wind up somewhere else."

Event Identification

Event identification is another straightforward component of a control system. Events are just about anything that happens and many events lead to transactions. A firm's control system needs to monitor both the firm's internal and external environments to spot events that might affect the firm's goals so management can take action to mitigate the event's potentially damaging effects on a firm's goals. However, events may also be positive and support the firm's goals. Thus, a good control system also helps management identify events that might be good for the firm as well, so management can take advantage of them.

Risk Assessment and Response

COSO identifies four potential management responses to risk; all of which focus on reducing the effect of the risk on the firm. These include:  Reduce the risk - either by reducing the probability that the event will occur or by

reducing the effect on the firm should the event occur.

 Accept the risk - if management believes the cost of reducing the risk outweigh the potential loss from the event.

 Share the risk - by buying insurance, outsourcing activities that are generating the risk, or engaging in hedging transactions.70

 Avoid the risk - by avoiding the event that is triggering the risk. For example, if the firm expects a major competitor to enter a new market that will threaten the firm's sales, the firm can sell the division that makes that product and focus on other product lines.

Management should not consider which of these actions to take until they have worked through a risk assessment process. That process includes:  Estimating the effect of the risk - by estimating both the probability the risky event will

occur and by estimating the size of the effect on the firm should the risk occur.

 Identifying the controls and their costs - that are in place to mitigate the effect of the risk. As mentioned above, controls must be cost/benefit justified. Thus, management needs

70 A hedge transaction is where a firm makes two, matched investments, usually one of which is a financial derivative instrument, where the market values of the two investments tend to change in opposite directions. Thus, if one of the two matched investments falls in value, the other tends to increase by the same amount.

181

to consider the costs of executing controls to mitigate the risks as well as the potential loss to the firm from the risk.

 Implement the control or accept, share or avoid the risk - based on management's cost benefit assessment.

Control Activities

There are rich varieties of ways that controls can mitigate risk. Here are the main categories of controls mentioned in the COSO framework:

Proper authorization

Authorizing transactions and activities is a key control because it is preventative and because it implements the firm's chain of command. By requiring a responsible employee authorize all transactions and important decisions, the firm's is requiring employees to screen each transaction and decision for potential risks and avoid the risk before it occurs.

Segregation of duties

Having more than one person involved in a transaction reduces the risk of error or misappropriation. The key accounting activities firms should always segregate (i.e., assigned to different people) are:  Authorization - approving transactions and decisions.

 Recording - information about all transactions in the information system.

 Custody of assets - assets (e.g., cash, inventory, equipment) should be controlled by (under the custody of) employees within the firm.

The reason firms should segregate these three activities is because the three individuals involved can crosscheck each other. For example, the employee who has custody of the cash would have a hard time stealing cash if someone else does the accounting for cash (e.g., reconciles the checking account to the bank statement) because the employee doing the accounting would always know how much cash should be in the account. Employees that authorize transactions could prevent anyone from executing a transaction. Employees that do the recording and authorization can't steal assets because they don't have access to them. In addition, firms should segregate the activities of operating departments from accounting departments. If operating departments or divisions generate their own reports, they might try to bias them to make themselves look better. This principle is an extension of keeping accounting separate from custody of assets since the accounting department has not access to assets and operating departments do. This applies to keeping information processing duties and departments separate from user departments. Information processing departments, like accounting departments, don't usually have access to assets and user departments do. In addition, the use of technology tends to blur the lines between the three functions covered above as computer programs take over some

182

responsibilities for authorizing transactions as well as recording them. Thus, firms need their information processing activities separate from operating activities as well. There are also key information systems duties that firms need to segregate as well. These include:

 System and Network Administration - insuring that the all the information systems and

networks are functioning smoothly and efficiently.

 Security Management - insuring that the systems and networks are protected from internal and external threats.

 Change Management - insuring that changes to the system are done smoothly and efficiently and that they do not compromise the effectiveness, efficiency, or security of the information system and networks.

 Users - the employees that record, process, and report information with the system.

 Systems Analysis - work with users to design systems that meet the users' needs.

 Programming - building and implementing a system based on the systems analysts’ design.

 Computer Operations - run the firm's software and insure that data are imputed properly, processed correctly, and the results reported as needed. Note that users also run software, but "computer operations" refers to those individuals within the firm that are responsible for the overall systems. This distinct can become fuzzy in today's distributed computing environment.

 Information Systems Library - maintain custody of databases, files, and programs in a separate storage area.

 Data Control - ensures that source data have been approved, monitors the flow of data through the system, reconciles input to output, maintains records in input and processing errors to insure they are corrected, and ensures reports get to the right people at the right time.

There are many duties here and we don't have the space to discuss all possible segregation of duties issues between all nine of these duties. In addition, with so many different duties, firms may find it more difficult to segregate all of these. Thus, we will present a couple of examples of the more critical duties that firms need to segregate.  Programming from operations, analysis and design, and change management -

Programmers should never have access to a live system and should do all their work on copies of programs and data. If programmers have access to the live system the firm uses, they could easily manipulate the program to alter data and perpetrate fraud or vandalism. Programmers also should not design the system. By having a separate person designing the system, there always will be a second party that knows what the system should do and can spot manipulation by the programmer.

183

A classic example (i.e., war story) is when a programmer who was responsible for a payroll system was fired; then when the firm ran its payroll for the first time after the programmer was fired, the payroll system "self-destructed" (program and data were erased). The programmer had embedded code into the payroll system that merely checked to see if the programmer was listed and, if not, issued commands to erase all data as well as the program itself.

If there had been a separate person who designed the system, they could have done periodic reviews to determine if the programmer had altered the program. In addition, if there had been a separate person responsible for approving all changes to the program, the programmer's changes might have been detected before they harmed the firm. The same logic explains why firms need to segregate analysis and design and change management from programming and each other as well. However, in this case, the changes were so small (one "if" statement in thousands of lines of code that said, in effect, if this ID isn't in the payroll, then delete all the files) that even good controls may not have detected it.

 Computer Operations from Information Systems Library, Data Control, and Users -

Computer operators must have access to both programs and data to do their job. Thus, operators have an opportunity to manipulate data for their own gain. They might also be able to manipulate the program, but that is much harder to do since the version of the program they are running is usually complied (i.e., in a state that only a computer can read). By keeping operations separate from these other functions, there will always be someone who can cross check input to output to ensure that the operators didn't alter anything. In addition, there always will be backup copies of data and programs from which to recover if the operators do change something.

Segregation of all these duties also is complicated by the use of distributed systems where users become limited operators. For example, many users run applications on their own computers and, therefore, become operators as well as users. These users may also have custody over the data they input, process, and report as well as be responsible for the completeness and accuracy of the data the enter. Thus, a user can have some operator, library, and data control responsibilities as well as user responsibilities. Under these conditions, the firm should maintain backups of user data as well as have some form of cross checks on the data and output.

Project development, acquisition, and change controls

Organizations frequently purchase capital assets and information systems that involve substantial funds and take months or years to complete. These major projects require their own controls to reduce the risk of lost from the acquisition. To manage these large projects, a firm should:  Establish a steering committee - Large projects usually involve multiple departments or

units within the firm. Having a committee with representatives from all affected areas, helps insure that the risks of not meeting all the unit's objectives are reduced. In addition, large projects required oversight and this committee could perform that function as well.

 Develop a plan - Large projects tend to take a long time and tend to be quite complex. Thus, having a detailed plan on how the project will proceed is necessary to insure the firm takes all the steps needed to reduce risks during the acquisition. This plan also should

184

include a time line of activities. Large projects tend to involve many different activities, some of which cannot start until others are completed. Thus, to coordinate the project properly, firms need to develop a detailed time line to insure the steering committee and management know how all the activities fit together and depend on each other.

 Establish performance measures - Typically, the firm will build intermediate deliverables71 into their plan so they can evaluate how well the project is progressing. They also set quality standards for each deliverable. Once the firm had specified these intermediate deliverables and quality standards, they can evaluate how the project is progressing as it progresses and take remedial action if the project isn't proceeding as planned. For example, firms frequently contract with outside parties to complete these projects. If a contractor lags behind the time line or does not deliver quality intermediate deliverables, the firm can terminate the contract and hire another contractor.

 Post-completion review - Once the project is completed, the firm needs to step back and evaluate it to insure the implementation team met the goals the firm set for the project.

We have described these steps and control procedures from the standpoint of a firm acquiring a new asset or system. However, firms should use the same approach whenever major changes are made to systems or modifications are made to assets. For example, if a firm is going to do a major remodel of a building or implement a major upgrade to an information system, they should follow the same steps as if there were purchasing a building or new system from scratch.

Design and use of documents and records

Organizations should document all transactions that affect the firm. The physical layout and content of the documents should be designed to minimize the possibility of errors and omissions in recording data. Electronic documents also should be programmed with as many accuracy and reasonability checks as possible. Where possible, documents should also be pre-numbered and accounted for so that firms can determine if any have been lost. Finally, documents that relate to each other should have cross-references to each other to maintain an audit trail. An audit trail is a complete record or trail from a summary number (e.g., a general ledger balance) back to the detail transactions or events that make-up that summary number. For example, when the firm purchases something, they should note the purchase order number on the receiving report they fill out when the merchandise comes in to ensure that they are getting what they ordered and only what they ordered. They also should reference the purchase order and receiving report when processing the invoice for payment so that there is a trail from the payment back to the original order. Auditors can use an audit trail to go both ways, i.e., from the general ledger to source documents (vouching) or from transactions to the general ledger (tracing). Auditors need to go both ways to cover all audit objectives. For example, tracing can check for completeness (that all the

71 "Deliverables" are just parts of the overall project the implementation team completes as the project progresses. That is, large projects have stages and firms need to specify what an outcome should be at the end of each stage.

185

transactions were recorded) but vouching can't. Vouching can check for occurrence (i.e., that the recorded transaction occurred) but tracing can't.

Safeguarding assets, records, and data

Safeguarding assets, records, and data normally involves access controls that limit access to authorized personnel. That is the main preventative control firms use. However, access can be either physical (i.e., stealing cash from an unlocked drawer) or virtual (i.e., hacking into the firm's information system and stealing confidential data). In addition, some breaches can occur accidently (i.e., an employee accidently erases key data). Thus, firms also need detective/corrective controls in addition to preventative controls to safeguard their assets, records, and data. The key types of controls firms use to safeguard assets, records, and data are:  Creating and enforcing policies and procedures - These should cover who is authorized

to have access to assets, records, and data; who can record or alter records and data and who can use assets; and how access to and changes to assets, records, and data are recorded and tracked. That is, in addition to limited access, the firm should also log and review access to be able to employ detective/corrective controls in case there is unauthorized access.

 Maintain records of all assets – We covered this issue when discussing segregation of duties above. Custody of the assets and recording transactions related to the assets should always be segregated so that the records can be reconciled and a count of the physical assets can be done to verify that the assets have been safeguarded. The classic example of this issue is reconciling a firm's perpetual inventory system (i.e., a record of all inventory purchases and sales) with a periodic physical count of the inventory to detect if any inventory is missing and/or to detect errors in the perpetual inventory system.

 Restrict access to assets, documents, and data – We alluded to this above when we discussed policies and procedures. However, we raised the issue again to cover some ways to accomplish access control and protection. For physical assets, the best way to control access is through locks on doors, filing cabinets, etc. Card ID readers are good for this because they not only limit access, but also keep a record of all accesses. The cost of biometric technology (e.g., finger print or retinal scanners) has come down to the point that these tools are becoming more broadly available and practical.

The most common way to restrict access to electronic data is through user names and passwords. However, the firm needs to monitor these to ensure that as an employee changes jobs, their access changes as well. Passwords also need to meet certain requirements so that they are hard to break. Organizations also back up records and data regularly in case they are either intentionally or accidently damaged or lost. Finally, firms also should protect their assets, records, and data from damage from fire, flood, or other environmental threat.

 Backup and contingency planning - Another way to safeguard information and processing capability is to maintain regular backups of all programs and data. However, firms also need to maintain backups for processing capability as well. Programs need to

186

run on computers and so just having backups of programs and data may not be sufficient if the firm's processing capability is impaired.

Firms can provide different levels of processing capacity backups. Some steps like maintaining backup batteries and generators will help in cases of electrical failure. However, they also need to have backup for the hardware as well if that fails. Maintaining duplicate hardware can be expensive and firms can contract with third party service providers for backup processing capacity. The newest form of this sort of backup is using Internet services (i.e., cloud computing).72

Independent checks on performance

This last category of control activities is also one of the most common. Independent checks involve comparing two pieces of information that should be the same to determine if they are the same. Someone other than the employee who originally recorded the data should make the comparison. Comparing a physical inventory count to a perpetual inventory system is a good example. Some examples of independent check of controls include:  Top-level reviews - These include comparison of actual results with budgets, historical

data from a different period, or competitor's results. Usually, these comparisons are on high-level data like financial statement line items. This means that unexpected differences will be evident, but further research will always be needed to determine if the actual data are incorrect or the basis of comparison is not valid (i.e., the budget was off).

 Analytical reviews - These are extensions of the ratio analysis techniques presented in Chapter 5. Most accounting-related items have regular relationships with other elements. For example, accounts receivable balance changes normally track closely with credit sales unless the firm changes its credit policies. Many, but not all, of these relationships are strictly due to double entry bookkeeping, which automatically creates two sides to every transaction. However, there are other regular relationships as well. For example, there should be a positive relationship between advertising expenses and sales. A very common control procedure is to review financial data periodically to determine if these expected relationships are remaining stable of changing. If they were changing, management would need to determine if the changes were due to changes in operating policies or signs of potential errors.

 Reconciliation of independently maintained records physical quantities - The classic example here is reconciling a checking account to a bank statement. Reconciling the perpetual to the physical inventory is another example. Some texts list this as a separate category because the comparison is being made to physical quantities and not a second perpetual inventory, but we feel the concept is the same. The key, however, is that the records, including physical quantities, need to be independently maintained (i.e., segregation of duties).

 Double entry bookkeeping - This is the oldest known control, being that it has been around at least 2,000 years. The first known documentation of the technique was over 500

72 Don't let flowery terms fool you. The "cloud" is just the internet and isn't anything new.

187

years ago. The simple idea is that all transactions have two aspects - where it came from and where it went, or what it is and what it is for. For example, the normal journal entry to record a payment of accounts payable shows what came out of cash to reduce a payable. As noted above, having an accounting system that automatically records two aspects of a transaction that must always equal each other (debits must always equal credits, no exceptions) creates many opportunities to compare two totals that should reconcile to each other (e.g., total reductions in cash due to payments on account must always equal the total reduction in accounts payable for the same time period).

 Independent review or reperformance - This is another very common control activity. It differs from comparisons to independent sources of information in that the comparison is between two executions of the same process. Double footing is a classic example. Double footing merely means adding up something twice to ensure that the two totals are the same. This is what reperformance means - do it at least twice and insure the two answers are the same. However, independent review can still be helpful control procedures even if the review isn't a 100% reperformance of the activity. Things like reperforming an activity on a sample basis also provides risk mitigation.

 Electronic independent checks - Electronic environments can contain a variety of automated independent checks on performance. Most of these controls are incomplete in that they can only limit the range of input data, but cannot determine if it is correct. For example, when entering an invoice date, computer software can limit the range of dates the user can enter and insure that the data entered represent a valid date, but can't determine if the date is correct for a given invoice. The major ones include:

Input Controls

 Adequate design of input screens - Data entry can be more efficient and effective if the entry screens are well structure, clear, and simple.

 Pull down menus - These can limit the user's responses to only valid entries.

 Validation checks - These insure that data like dates, social security numbers, and phone numbers have a valid format. They also can compare customer and vendor identification information matches information in master files.

 Error logs - Systems can keep a record of common errors for follow-up by data entry personnel and by systems designers for later follow up and suggestions for changes in the software.

 Completeness tests - These determine if all the data elements in an input are present.

 Access controls - These are applied to networked systems and include things like firewalls to limit access, encryption to prevent corruption of data transmitted over the network, and digital signatures to verify the validity of the input data.

Processing Controls

 Batch processing - When data entries are batched into groups before processing, the software can run totals on the data entries and compare those totals to the data output to ensure that the system didn't allow anything to be added, lost, or altered. For examples, software programs can produce control totals on the total amount of the input or hash totals on things like invoice numbers that don't produce meaningful

188

totals. They can also do record counts to ensure that whole records weren't added or deleted.

 Validation tests - These determine if the input record is appropriate for the process to which the user submitted it.

 Sequence tests- These ensure that transactions that the system should process in a particular order are submitted in that order.

 Arithmetic accuracy tests - These help ensure that arithmetic calculations the system does during processing are accurate and the results don't exceed reasonability bounds.

Output Controls

 Manual comparison - The systems output is compared to manual input documents and or control totals to check for errors.

 Sequence checks - These compare the dates and times that the system processed transactions to determine if nothing is out of order.

Information and Communication

Control activities make up a substantial portion of any description of control systems because there is such a rich variety of control activities. However, control activities exist within the larger control framework described and we now turn back to describing additional components of the control system. The information and communication component highlights the need for the control system to not only process data and create information, but also to communicate that information to the appropriate parties in a timely manner. These recording and reporting functions are what provide the audit trail defined above.

Monitoring

Control systems need to evolve over time and they also can "deteriorate" in their effectiveness if they are not monitored regularly to determine if they are still functioning as designed. Organizations can use a variety of monitoring techniques, to include:  Perform periodic evaluations and audits, which involve an explicit review of the all

components of the control system.

 Properly supervise employees to include not only monitoring their activities, but also insuring they have the training and resources to do their jobs. One extension of this monitoring activity is for the firm to appoint a chief security officer or chief compliance officer whose job it is to monitor information systems use and security.

 Use responsibility accounting systems like budgets, schedules, quotas, and standard costs and quality measures.

 Monitor information electronic system activities with software packages that log computer and systems use and use report things like unauthorized access to the system. The logs should include who accessed data, when, and through what application. The activities monitored go beyond just access to accounting data, but include monitoring all

189

use by employees of the firm's computer resources and systems. For example, employers have detected extensive use of the firm's resources by employees to read personal e-mail and access pornographic Internet sites. In some cases, firms have disabled or strictly limited Internet access by employees who do not need it improve productivity. Many firms have found that productivity dropped when they provided Internet access to employees.

 Employ outside experts like forensic accountants and fraud experts to review and critique the firm control systems, particularly their electronic systems. Critiquing electronic systems and their controls is a highly specialized field and some firms may not be large enough to afford to have in-house personal that are qualified to perform these reviews.

 Implement a "whistle blower" hotline as mandated by SOX. Actually, SOX mandates that firms maintain a mechanism for employees to report fraud and abuse. However, hotlines are a common way firms do this.

Role of Control Design Evaluation in the Financial Statement Audit

Auditors assess control risk in a two-stage process. First, they assess the strength of the design of the firm's control system. If they believe the design is sufficiently strong, then they will proceed to test the controls to insure they are functioning as designed. The point is that if the control system's design is too weak to function properly, the auditor doesn't want to waste a lot of time testing the controls to see if they are actually working. If, however, the design of the firm's controls system is strong enough to reduce control risk below 100%, the auditor must determine if the control system is actually functioning as designed by testing controls. This section focuses on the first step - evaluating the design of the auditee's control system. The text will discuss testing controls in a future chapter. Since SOX, auditors of public companies are required to assess and report on the effectiveness of the auditee's internal controls. Thus, they must execute both steps - evaluate the design and test the controls. However, auditors of non-public companies can choose not to test controls if they don't plan to rely on them to support their audit opinion. Auditors call this type of audit a balance sheet audit because they set control risk to 100% and reduced detection risk to compensate. By reducing detection risk, they are relying on substantive testing to support their opinion. However, this may be an appropriate approach for small firms that don't have the resources to build strong control environments and procedures. For example, small firms with limited employees can have difficulties segregating duties.

Risks of Error

The first step in evaluating the design of the auditee's control system is identifying the specific threats that would prevent the information system from operating reliably and securely. Different threats typically require different controls to mitigate the risk that the threat would compromise the assurance of the information system. While there are a variety of ways these potential threats could be classified, separating them by how general or specific they are can be useful in decomposing the overall problem of identifying all significant threats to information assurance. This section discusses two broad categories of threats: firm-level threats and transaction-level threats. Firm-level threats are broad-based and tend to affect most or all of the processes and subsystems of the information system. Transaction-level threats are more localized and target

190

one, or a few, processes or subsystems of the information system. You may also think of transaction-level risks as transaction risks because they tend to be targeted at specific groups or related transactions.

Firm-level Threats

Firm-level threats to an information system flow from weak corporate culture and/or weak corporate governance. "Corporate culture" refers to the tone and attitude of top management, which usually flows down to the rest of the firm. Top management determines corporate culture by what they chose to emphasize or de-emphasize in setting the goals for the firm and going about their daily activities. "Corporate governance" generally refers to how the firm's Board of Directors oversees the activities of top management. A board of directors’ controls nearly all corporations, including not-for-profit corporations. These boards should represent the owners, or in the case of not-for-profits, the major stakeholders, of the organization. Their purpose is to set broad guidelines and goals for top management, who run the day-to-day activities of the firm. Boards of directors set goals and develop or approve strategies for achieving those goals; monitor management's achievement of goals and compensate them accordingly; and oversee the internal and external audit processes. Firm-level threats to corporate culture and governance tend to be abstract and, therefore, developing a framework to use to assess them is challenging. One framework that was initially developed to assess controls over information technology has been adopted for this purpose.73 That framework focuses on five key attributes of a firm's control environment: Perceived Value, Awareness and Understanding, Documentation, Control Procedures, and Monitoring. We’ll briefly describe and provide some general guidance on evaluation criteria for each of these below.

Perceived Value

All organizations are hierarchical structures with a board of directors or owner(s) at the top of the hierarchy and levels of management beneath the board or owner(s). The board and top-level managers establish the goals and strategies for a firm and identify its priorities. In doing so, they tend to set the tone or culture for the firm. If top management places little emphasis on information assurance, then the firm cannot expect its employees to place much emphasis on information assurance either. Therefore, the broadest and most pervasive threat to information assurance is ambivalence or lack of concern by the upper levels of the firm's management hierarchy. Management can communicate the priorities concerning information assurance to the firm by how they write policies and procedures, through memos and newsletters, by how they structure job descriptions, and through their daily actions in running the firm. The lowest level of perceived value would be a total lack of emphasis on any firm-level controls by management. Strong levels of perceived value are achieved as management implements control procedures that are separate from business operations and elevates them to an integral

73 Ramos, M. 2004. Evaluate the Control Environment, Journal of Accountancy, May 2004: pp. 75 - 78.

191

part of the firm's strategy. The highest level of value comes when management adds a commitment to continuous improvement in controls.

Awareness and Understanding

Once top management has determined the emphasis they will place on control within the firm, they need to communicate that to all employees. Two common mechanisms for doing so are through the firm's chain of command or lines of authority and through formal policies and procedures.

Clearly Defined Lines of Authority

Assuming that top management has placed a proper level of emphasis on information assurance, the firm should have a management structure that provides clear lines of authority and responsibility for carrying out top management's intentions for information assurance. The firm's structure should make clear who is responsible for the assurance of various components of the information system. For example, line management (e.g., sales and production managers) tends to oversee the firm's interactions with customers and vendors. Therefore, they must have the primary responsibility for insuring that data entered into the information system is complete, valid, accurate, and timely. However, most firms have information technology (IT) or information processing departments that oversee the design, implementation, and maintenance of the firm's information system. Therefore, IT management should be responsible for maintaining the assurance of the data and information once it has been entered into the information system by the line departments. Clearly, there is an overlap between assuring the data entered into the information system and assuring the data processed by the information system. One common way to assure the accuracy of processing is to compare input data to processed data to make sure the processing was correct. Firms should clearly specify different responsibilities to ensure that someone is responsible for information assurance in all aspects of the firm's information system and that there are no overlapping responsibilities (i.e., more than one department responsible for the same thing) that may lead to inefficiencies and firm-level conflicts. However, they also should specify areas of overlap where there may be joint responsibilities for information assurance. Firms structure these responsibilities and relationships through formal organization charts that specify lines of authority and job descriptions that define each employee’s responsibilities and authority.

Formal Policies and Procedures

Making sure that the firm carries out top management's goals involves more than just specifying who is responsible for achieving those goals. Typically, management also needs to provide guidance on how employees are to carry out these goals. Management normally implements this guidance as formal policies and procedures. These policies and procedures are also structured hierarchically. Policies and procedures that govern top management's behavior tend to be general and focused more on goals, policies, and principles than specific procedures. Policies and procedures for lower levels of the firm tend to become more specific and focused on detailed procedures that implement firm policies. Procedures are detailed, often step-by-step, specifications about how a task is to be done.

192

There is a delicate balance to be struck in formalizing policies and procedures. The more specific they are, the greater the level of control top management can exercise limiting an employee's authority to take independent action. However, the more specific they are, the less room lower- level management has to adapt to changing conditions or to use their own judgment and expertise. Since it is virtually impossible for top management to anticipate every threat to the firm, policies and procedures need to allow lower-level managers and employees some latitude to use their judgment based on their expertise to fine-tune the policies and procedures to specific circumstances. However, some level of formalization is required to help top management ensure the firm carries out their goals effectively and efficiently. The right balance is difficult to strike. Overly restrictive controls can lead to rigid organizations that are slow to adapt to changing conditions, which can cause them to lose their competitive advantage. Overly loose controls can undermine management's control and cause the firm to lose direction. Generally, the more stable a firm's environment, the tighter controls can be without causing problems. "Stability in the environment" includes such things as the rate of technological change in the firm's industry, the rate of competitive change and level of competition, and the rate of change in the regulatory environment. Policies and procedures also need to specify both who is responsible for controlling various aspects of information assurance and who is not. The main point here is access to various aspects of an information system needs to be restricted to those who are responsible for that aspect of the system and all other employees should not have access. The greater the number of people who have access to the information system, the greater the risk problems. However, the usefulness of the information system can be compromised severely if employees can't access the information they need when they need it. Again, striking the right balance will depend on the specific needs of the firm.

Adequate Personnel with Proper Incentives

Assuming a firm's top management set clear goals, established clear lines of authority and responsibility, and formalized the policies and procedures needed for implementing that emphasis, the next step is to make sure that the employees who ultimately will be responsible for information assurance have the appropriate training, resources, and incentives to carry out their responsibilities. Each of these components is critical. Employees need to have the skills to understand and implement controls and the resources (e.g., time and technology) to do so. As noted above, no policy or procedure can ever completely anticipate all possible threats. Employees will need to adapt policies and procedures to specific cases and use judgment. People develop sound judgment through adequate training and experience and so firms need to ensure that their employees have the required training and experience to implement the policies and procedures. In addition, employees need to have a reason to assure information. There is a rich literature on how firms can help insure that employees have the incentive (i.e., are motivated) to carry out top management's goals. In general, employee's incentives are effective by rewards ("carrots") and punishments ("sticks") coupled with the knowledge that management will monitor their actions

193

in some way. If the firm does not implement some form of reward or punishment structure that emphasizes maintaining information assurance and backs it up with some form of monitoring and review process, all of the above-mentioned factors probably will be ineffective.

Levels of Awareness and Understanding

The firm's level of awareness and understanding can range from none to highly formalized control procedures for which all employees have received comprehensive training and have strong incentives to execute control activities. Management can achieve awareness and understanding through informal and formal communications. The more formal the communication, the greater impact it tends to have on awareness and understanding. However, communication alone is insufficient to achieve understanding. Understanding usually requires training and incentives to carry out the control activities.

Documentation

For controls to be effective, they need to be documented. Part of documentation is having formal policies and procedures. However, the control activities themselves also need to be documented. Documentation includes recording the specifics of what the control activity involves; who is responsible for implementing the control; how often the control should be done; and the results of applying the control. Documentation can range from none (highly unusual) or very limited to comprehensive and consistent. "Comprehensive" means that the documentation covers all the attributes of the controls mentioned in the previous paragraph. "Consistent" means that all controls receive the same level of documentation and that things like the format used to document the controls is the same for all controls.

Monitoring

There is an old saying about the "best laid plans of mice and men" going wrong. This rule applies to controls as well. No matter how thoroughly the firm addresses the above issues, things change and mistakes happen. Therefore, the firm needs to have mechanisms in place to monitor the effectiveness of its controls. Two common monitoring mechanisms are internal audit departments and external audits. Section 404 of the Sarbanes-Oxley Act puts heavy pressure on a firm's management and external auditors to monitor and test the effectiveness of controls. Section 404 requires that management formally certify the effectiveness of their controls and that the external auditor sign off on management's certification. We’ll discuss these reporting issues in more detail in the chapter on audit reports. Firms can implement periodic monitoring through regular audits, both by the internal audit department and external auditors. Firms also can implement real-time or continuous monitoring through techniques like regular error and exception reports and real-time reporting of key statistics. Error and exception reports need to be produced as errors or exceptions occur, and someone needs to be responsible for reviewing the errors and exceptions to determine if they are random or represent a systematic pattern that indicates a control weakness. Management can use real-time reporting of key statistics to perform analysis on the information coming from an

194

information system to determine if there may be control problems. One common example is regular comparison of actual to budgeted amounts and following up with an investigation of major differences. Firms also are beginning to embed special monitoring modules in their systems to implement continuous auditing and monitoring. External auditors also are gaining permission from their auditees to embed their own monitoring modules in the auditee's information system. These continuous monitoring modules provide real time telemetry to the firm and its auditors that allow both to detect problems early and thus limit the damage. Levels of monitoring can range from none to frequent and systematic. Effective monitoring also requires that the results of the monitoring have an impact on employees since employees are responsible for executing controls. Therefore, management needs to link monitoring activities to employee incentives in some way, usually through the performance review process. The first step in evaluating the design of the auditee's control system is identifying the specific risks that would prevent the information system from operating reliably and securely. Different risks typically require different controls to mitigate the risk that would compromise the reliability of the information system.

Management Override

Management override is one of the biggest risks that auditors must assess when evaluating an auditee's control system. A firm's management uses the information from the firm's information system to manage the firm. Thus, management has an incentive to ensure that the information system produces accurate information on which they can base decisions, which means that they have an incentive to design, implement, and monitor strong controls over their information systems. Thus, auditors rarely find significant unintentional errors in an auditee's control system, particularly in large firms. In practice, the material errors, either in balances or in the execution of controls, are the result of management or employee intervention into the control system. For example, both the Enron and WorldCom cases were, to a degree, internal control failures instituted by top levels of corporate management. In the Enron case, their financial statements did not accurately report liabilities to which the firm was exposed. In the WorldCom case, the firm classified billions of dollars of expenses as assets, again by top levels of management. You can well imagine that if the boss is "cooking the books," it will be hard to "keep the troops in line." These cases illustrate that the ultimate responsibility for control rests with an informed and active Board of Directors. However, Directors, just like employees, need the ability, resources, and incentive to maintain a strong control environment. When top management dominates the Board, the incentive to monitor and control top management's actions is lacking. The "fox" truly runs the "hen house." As of this writing, Congress, the SEC, and the accounting profession are all working on finding ways to make Boards more accountable and insure that auditors are truly independent of the management they audit. The footnote comment on the composition of Enron's Board of directors above illustrates how hard it is to create effective Boards. Having a truly independent, knowledgeable party (e.g., an auditor) review an information system and the reports

195

it produces is a very powerful control if the auditor has the proper incentives (i.e., is truly independent of management and is paid a reasonable fee for his/her services) and the training and experience to perform the audit.

Transaction Processing Threats

The best framework to use to identify classes of transaction processing threats is the assertions and audit objectives used in the accounting and auditing literature that were presented in Chapter 3. That is, auditors can best assess transaction-level risk by insuring that the auditee hasn't violated any audit objectives for any transaction process or account balance. Audit objectives provide a complete framework for thinking about information reliability in recording information about transactions and balances.

Matching Controls to Risks

The prior sections have presented a significant number of concepts and terms within an overall framework of threats to internal control and controls to mitigate those risks. This section provides a general summary of those sections that provides better links between controls and risks. The following table summarizes how controls relate to risks, as discussed above. A brief summary of the primary principles that the table summarizes follows the table.

196

Risks Controls Firm-level People Skills - training and continuing education

Goals - clear policies and direction from management Resources Time - to implement controls

Equipment& supplies - needed to implement controls Procedures - clearly defined control procedures to implement Authority - to implement the controls

Incentives Management example - top management cares and acts that way Monitoring & evaluation - someone is watching and there are consequences

Lack of Segregation of Duties

Authorization, recording, and physical access should be done by separate people

Contingency Planning & Insurance

Backups - data and software Excess capacity - for equipment and software Regular maintenance - to prevent problems Insurance - to fill in gaps in controls

Management Override Active and knowledgeable boards of directors and audit committees

Transaction-level Input Input edit checks in software and accuracy checks on manual

inputs Authorization - to prevent invalid entries, supported by segregation of duties

Process and output Reperformance - double checks, reconciliations, supported by segregation of duties Audit trails - clear links from output back to input Analytical procedures - reasonability comparisons to expectations Error and exception reports - flag possible errors for review, look for patterns over time Report distribution - limit information to "need to know"

Access and transmission

Accounts, passwords, firewalls and proxy servers - to limit virtual access Locks and biometrics - to limit physical access Virus checkers - to limit vandalism Data encryption and electronic signatures - to limit transmission threats.

The focus of firm-wide threats and controls is to develop an organizational culture, implemented by management action as well as formal policies, procedures, and personnel practices that give employees clear direction on how to maintain internal control, the resources they need to carry out that direction, and the incentives to do so. One frequently used principle that helps limit an employee's ability to undermine internal control is segregation of duties. Segregating key duties insures that more than one person is involved in transactions and/or data processing. Segregation of duties increases control strength because different employees act as cross checks on each other.

197

The focus of transaction controls is to ensure that data and information are complete, valid, accurate, and secure as the information system captures, processes, and reports information. Every time an information system captures or transforms information, there is a risk that information could be lost, invalid information could be injected into the information system, information could be altered so that it is no longer valid, or unauthorized personnel could access information. Therefore, transaction-processing controls should be in place at any point where the firm's information system captures, transforms, transmits, or reports information.

Documenting the Auditee's Controls

Auditors use three methods to document their understanding of internal controls: narratives, flowcharts, and checklists.

Internal Control Narratives

Internal control narratives provide verbal descriptions of the following four items:  The origin of ever document in the auditee's information system. For example, the

narrative should describe who generates purchase orders and what information that person uses to generate them.

 All the processing that takes place. For example, the narrative should cover how prices are determined on purchase orders and how the responsible employee selects vendors.

 What happens to all the documents and electronic record in the system. For example, how many copies of the purchase order the responsible employee generates, where they are sent, and where and how they are filed.

 A description of all controls in place. For example, how the auditee segregates purchasing duties, how it authorizes purchasing transactions, and how it checks the accuracy, validity, and completeness of purchases orders and their recording.

Narratives can be hard to follow since they are just semi-structured text thus most auditors pair them with one of the other forms of documentation.

Flowcharts

Flowcharts are graphical representations of the same types of information captured by narratives. They can be easier to follow because they are graphic summaries that show things like the flow of documents and information through the auditee's systems. However, since they are graphic summaries, they can eliminate key details that narratives provide. Thus, some audit firms use both narratives and flowcharts together to provide a more thorough description of an auditee's systems and controls. The following is an example of a flowchart that an auditor might use to document internal controls for sales processing. The WCGW stands for "what could go wrong." The RRs refer to controls in place. This is an example of the flowchart only. It needs to be accompanied by verbal descriptions of each WCGW and RR included in the diagram. This is an example of a

198

combination of verbal narrative and flowchart. The flowchart provides a better overview of the auditee's processes and controls, but needs to have some verbal descriptions included to help the reader interpret it.

199

74 KPMG (2014). Better Understanding the Process through Flowcharting. http://www.execed.kpmg.com/content/PDF/Flowcharting-Implementation-Guide.pdf. Page 16. Downloaded 8/23/2016.

200

Checklists

Checklists are a list of questions, usually that require yes or no answers, about various processes and controls within the auditee's systems. A good checklist will block the questions by transaction process and audit objective to make the purpose of the question clear to the auditor. Checklists are useful tools for identifying specific control risks, but they do not include any overall description of the auditee's processes and controls. For example, a checklist would not provide any information about the first three bullets in the list above, but would provide information about the controls the client has in place. Here is an example of part of a control environment checklist: ETHICAL ENVIRONMENT

Do board members and senior executives set a day-in, day-out example of high integrity

and ethical behavior?

Is there a written code of conduct for employees? Is it reinforced by training, top-down

communications and periodic written statements of compliance from key employees?

Are performance and incentive compensation targets reasonable and realistic, or do they

create undue pressure for short-term results?

Is it clear that fraudulent financial reporting at any level and in any form will not be

tolerated?

Are ethics woven into criteria used to evaluate individual and business unit performance?

Does management react appropriately when receiving bad news from subordinates and

business units?

Does a process exist to resolve close ethical calls?

Are business risks identified and candidly discussed with the board of directors?75

The advantage of checklists is that they are easy to implement and use to gather information. Their disadvantage is that they don't always provide the rationale for why the question was included in the first place and how the answers to questions should affect the assessment of control risk.

75 AICPA (1997). Internal Control Checklist. Journal of Accountancy, August 31, 1997. http://www.journalofaccountancy.com/issues/1997/sep/check.html. Downloaded 8/24/2016.

201

Assessing Control Risk

Auditors need to take the descriptive information in narratives, flowcharts, and questionnaires and convert it to a preliminary control risk assessment. Some auditors do this by building control risk matrices. The following is an example of a control risk matrix for one firm's sales processing.

The columns lay out the transaction audit objectives and the rows indicate what controls the auditee has in place. The "C" entries indicate what audit objective(s) each control covers. The

202

"Deficiencies" section what controls the auditor believes are missing and, consequently, what audit objectives the auditee's control system doesn't cover. The last row indicates the auditors control risk assessment for that audit objective. Auditors would develop matrices like this for every transaction process. This matrix illustrates that auditors assess control risk by audit objective for each transaction process. It also illustrates that most auditors do not assess control risk using probabilities, but categorize risk into categories like high, medium, and low. Since the matrix is based on the design of the auditee's control system, it is a preliminary assessment of control risk. Auditors will need to test the controls to refine their control risk assessments. Well-designed controls don't provide much protection against control risk if they are not working as designed.

Determining Audit Strategy

Overview of Strategy Setting

We are repeating the following diagram of the audit process because the text has discussed the basic principles that drive auditing and the balance of the text will walk through the audit process so you can see how an audit progresses.

203

76 Arens, A.A., Elder, R.J., Beasley, M.S., and Hogan, C.E. 2017, Auditing and Assurance Services: An Integrated Approach.

204

To this point, we have covered Phase 1 to the step on Understanding internal control and assess control risk. This chapter has covered the concepts of internal control that auditors use to understand the auditee's control risk. However, the auditor needs to develop a plan to test controls and balances to assess the likelihood of material misstatement in the financial statements. The audit risk model provided captures this process. They would use the following formulation of the audit risk model develop their plan:

DR = AAR / (IR * CR) At this point, the auditor has used their overall understanding of the auditee and its environment to set their acceptable audit risk (AAR). They also would have used the tools presented in earlier chapters on inherent risk (IR) assessment to set an inherent risk level for the auditee and the tools presented in this chapter to make a preliminary assessment of control risk (CR). Thus, they auditor has values for all the values on the right-hand side of the equation. These values may be probabilities or categorical levels. In addition, as the control matrix illustrated, the auditor has assessed inherent and control risk at the transaction process/account and audit objective levels. AAR risk is only set for the audit as a whole and the same level is applied to all transaction processes/accounts and objectives. Thus, the goal of the planning process is to use the resulting detection risk (DR) levels to determine how much substantive testing to do. "Substantive testing" means tests auditors run on transactions and balances to ensure that the auditee's financial statement account balances meet the audit objectives. While auditors differentiate between transaction audit objectives and balance audit objectives, their ultimate goal is to certify the balances. Transaction objectives support this goal because account balances result from transactions. "Control testing" tests the control procedures the auditee has implemented to help insure that the auditee's financial statement account balances meet assertions/audit objectives. This is where audit planning gets tricky. They tend to do tests of controls and substantive tests of transactions and account balances simultaneously. Thus, their testing plans need to be flexible so they can adapt their DR assessments and substantive testing plans if their tests of controls lead them to alter their preliminary CR assessment.

Strategic Options

The auditor has several options when determining how to achieve the detection risks that result from the above analysis. They can:  Increase the magnitude of their tests by testing more items (i.e., transactions or items

that make up an account balance).

 Alter the timing of their tests so they are closer to year-end. Auditors certify ending balances and that controls are working at year-end. However, it is usually more efficient to spread testing out over the year. If IR and CR are low, then the auditor can spread the tests out. If IR and CR are high, they need to focus more of their tests near year-end. Even if they spread their tests out over the year, they still need to update the results to year-end. However, if IR and CR are low, this update process usually takes less time and effort.

205

 Change the nature of their tests to use stronger tests. For example, analytical procedures tests are cheap, but weak in that they don't identify specific misstatements. Reperformance tests are much stronger, but more expensive. This text covered the different types of audit tests auditors can use in a prior chapter that discussed the types of audit evidence auditors gather. That is, different tests create different types of evidence.

Auditors need to exercise substantial judgment in making these choices. They can gain substantial guidance from their prior year's audit work for continuing engagements because they can learn from experience. They also can use auditors of similar auditees for new engagements. However, determining the specific tests, timing, and extent requires a deep understanding of the auditee and its processes. Thus, there are not a lot of general rules auditors can follow.

Documenting Audit Strategy

One key documentation tool auditors use to document their audit strategies is the audit program. The following is an example of an audit program.

206

207

208

77 Slide Share. http://www.slideshare.net/wijdan79/payment-verification-audit-program. Downloaded 8/24/2016

209

The key features of the audit program are that it identifies the risks that the audit procedures address and provide a link to the working paper references that contain the results of the tests. The text covered working papers and how auditors structure and use them in a prior chapter.

210

Auditing Sales and Collections and Audit Sampling for Tests of Controls

Summary

The purpose of this chapter is to give students an overview of the basic procedures firms use to record and process sales and collection78 transactions and to present an overview of how auditors test controls with an example from the sales and collection processes. The specific nature of these procedures will differ depending on the type of firm and the type of good or service the firm produces. However, the basic information processing needs are similar. After completing this chapter, students should be able to:  Describe GAAP rules for revenue recognition and apply them to simple cases.

 Describe the basic processes involved in generating and documenting revenue transactions and in collecting for revenue transactions.

 Describe the documents sellers use to document the details of revenue transactions to include the purpose each document serves and the information it typically contains.

 Describe the steps auditors use to test controls.

 Within each testing step, describe the key issues and concepts, and apply them to a simplified audit case such that you can plan, execute, and interpret a test of a given control.

 Differentiate between statistical and non-statistical sampling techniques and describe the strengths and weaknesses of each approach.

 Execute a simple statistical test of a control and properly interpret the results.

Sales and Collection Processes

Sales and collection processes contain activities designed to market and sell products and services, as well as collect for those revenues. Therefore, it contains activities involved in marketing and sales, sales transaction processing, delivery of merchandise, and collection of payments. It also includes activities involved in processing returned merchandise, dealing with customer complaints, and managing bad debts and other collection problems. However, because we use the sales and collection processes as an example to illustrate auditing internal controls and balances, we will not cover the processes and documents associated with sales returns and allowances. The key economic goals of these activities are to maximize revenues and the cash flow generated by the collection of revenues. 78 We will sometimes use the terms "revenue" and "sales" interchangeably in this chapter. This is common in practice because the two terms are virtually identical. Some authors consider "revenue" to be more general, but, in my opinion, all revenue comes from selling something. Even interest income comes from selling the use of money. Thus, we don't see any significant difference between these terms.

211

Revenue Recognition

Before we get into the details of how sales and related transactions are processed, we need to cover the GAAP rules on when a sale is recognized. The FASB has recently updated its revenue recognition standard to bring in into conformance with the IASB's standard. The FASB states that the core principle behind the new standard is"

Recognize revenue to depict the transfer of promised goods or services to customers in an amount that reflects the consideration to which entity expects to be entitled in exchange for those goods or services.79

The key aspects of this definition are that the firm has delivered a good or services as a part of its core operations and is entitled to something of economic value in return. The firm receives economic value by either receiving an asset or being relieved of a liability. However, this is just a statement of principle and is incomplete. Consider a typical credit sale where a firm delivers a product in exchange for a promise to pay (e.g., account receivable). Should the firm recognize the revenue from this transaction if there is only a low probability that the purchaser will actually pay for the goods or services? To address this issue, the SEC, in Staff Accounting Bulletin (SAB) No. 101, includes the following additional criteria for recognizing revenues:  Persuasive evidence of an arrangement exists.

 Delivery has occurred or services have been rendered.

 The seller's price to the buyer is fixed or determinable.

 Collectability is reasonably assured.80

Next, we will work through the major issues involved in recognizing revenues and provide some examples.

Delivery of Goods or Services

This issue is not as simple as it sounds. One key element, particularly for goods, is that legal title to the good has transferred. Since services are not a tangible item, the passage of title is not clear. However, passage of title to services normally means the purchaser has the right to use or apply the results of the service to their operations at their discretion.

79 FASB (ND). Revenue Recognition. http://www.fasb.org/jsp/FASB/Page/BridgePage&cid=1351027207987#section_2. Downloaded 8/24/2016. 80 SEC (1999). SEC Staff Accounting Bullletin: 101 - Revenue Recognition in Financial Statements. https://www.sec.gov/interps/account/sab101.htm. Downloaded 8/24/2016.

212

For goods, "delivery" may require more than the physical transfer of the good to the purchaser. There are two, common exceptions where physical delivery from the seller to the purchaser does not constitute "delivery" for the purposes of revenue recognition under GAAP: goods on consignment and transactions where an unlimited right of return exists. When a seller delivers goods to a purchaser on consignment this means that title to the goods has not transferred to the purchaser even though physical possession has. Under consignment arrangements, the purchaser intends to resell the goods to another purchaser, typically the ultimate consumer. In this case, the initial purchaser is a reseller because they intend to resell the goods and not consume them themselves. In a consignment transaction, the reseller takes possession of, but not title to, the goods and, if the initial purchaser cannot sell the goods, the reseller returns them to the seller without any cost or penalty to the reseller. The key feature of a consignment is that the seller retains title to the goods. This means that the seller retains the risks and rights of ownership. In a consignment arrangement, the seller cannot record any revenue until the reseller sells the good to the consumer, which creates an accounts receivable for the seller. Sellers can create other forms of agreements with purchasers other than consignment arrangements. In general, sellers and purchasers can negotiate the conditions under which the purchaser can return the merchandise to the seller without cost to the purchaser. In most sales transactions, the purchaser can return defective merchandise without cost. This is a basic warrantee arrangement. The existence of a warrantee normally does not preclude the seller from recognizing revenue when the seller delivers the good. Most firms treat warrantees like setting up an allowance for uncollectable accounts against accounts receivable. They estimate the cost of delivering on the warrantee at the point of sale to match the warrantee cost against the revenue they recognize from the sale. However, they recognize the revenue when the good they deliver the goods or services. There are additional features that sellers and purchasers can build into sales agreements. For example, the purchaser may have the right to return the good if the purchaser cannot resell it within a stated period. If this feature exists in the sales agreement, then the seller may not be able to recognize revenues until the purchaser resells the good. SAB No. 101 is referring to these sorts of agreements when it referred to "persuasive evidence that an arrangement exits." An agreement between the seller and purchaser must exist that clearly specifies the conditions under which title will transfer to the purchaser and the conditions under which the purchaser can return the good to the seller without cost to the purchaser.

Receipt of Payment

The seller cannot recognize revenue from a sales transaction until the purchaser pays them. "Pay" means that they have received some economic resource from the purchaser. That economic resource does not have to be cash; it can be a promise to pay (i.e., accounts receivable), some other asset, or a relief of a liability from the seller to the purchaser. This is why SAB No. 101 includes a provision that "collectability is reasonably assured." The seller should not be able to recognize revenue from a sale transaction unless there is a very good chance they will receive some economic benefit from the sale. In addition, the value of that economic benefit should be

213

the selling price of the good. Thus, SAB No. 101 also includes a provision that "the seller's price to the buyer is fixed or determinable." The term "reasonably assured" is ambiguous. Most firms that sell on credit rather than cash do not receive 100% of the selling price from all their credit sales. Some customers will not pay the full price or not pay at all. However, firms are not required to review each individual sale to determine if they can recognize revenues. They can establish revenue recognition polices for a class of sales transactions and address the issue of "reasonable assurance" for that class of transactions. For example, most firms recognize the revenue from all credit sales at the point they deliver the good and receive a promise to pay from the purchaser. Then, they establish an allowance for doubtful accounts as an estimate of the proportion, on average, of those credit sales that they will not collect to match the potential bad debt expense with the revenue that created the potential bad debt. However, they do recognize the revenue at the point of sale. In extreme cases, where a significant proportion of the revenue may not be collectable, the seller may not be able to recognize revenue until they receive payment. In summary, sellers cannot recognize revenue from a sales transaction if they retain significant rights and risks of ownership to the good or service (i.e., "delivery" isn't complete), or there is a significant chance that they won't be paid. Given the strong incentives for firms to recognize revenue as soon as possible and the rich variety of sales agreements that they can negotiate with purchasers, revenue recognition can be a very tricky issue for an auditor.

Revenue Recognition for Long-term Contracts

The above discussion of revenue recognition assumes a transaction that takes place more or less all at once. However, some long-term construction and service contracts may span several reporting periods (e.g., quarters or years). This raises the issue of how much revenue the seller should record in a single reporting period. Under certain conditions, GAAP allows firms that sell these sorts of goods and services using the percentage of completion method. The idea is simple. The seller recognizes the percentage of total expected revenue that matches the percentage of the total goods or services that they delivered during the reporting period. The complexity arises in determining what percentage of goods or services they delivered during the period. Normally, this requires management judgment, which means that management has an opportunity either to push GAAP to the limit or to engage in fraud. Thus, auditors must review the seller's assumptions for recording revenue under the percentage of completion method to insure they are reasonable.

Revenue Recognition for Bundled Contracts

Firms also can sell a bundle of goods and services to purchases where some of the components would have different timing of the recognition of the revenue. The new FASB standard addresses this issue and requires the seller to unbundle the contract for the purposes of revenue recognition. That is, different components for the bundled contract may lead to revenue at different times.

214

Description of Revenue and Collection Processes

This section presents the major activities that make up the revenue and collection process and the documents firms use to document the key aspects of a revenue transaction. A diagram of these processes and the way they are documented is included below.

Major Activities and Documents

Take an order

Revenue transactions normally begin with some form of agreement between the seller and purchaser on the nature of the good or service the seller is selling and the amount and form of the payment the purchaser will make. In addition, these agreements also cover who will pay the transportation charges for goods and what right of return the purchaser has. To help insure the firm accurately and completely understands the customer's desires; the order is usually documented with either a sales order or a customer-generated purchase order. Sales orders should include information about the customer, the products they are ordering, and other details about the transaction. A typical sales order would include:  Name, billing address, shipping address, and contact information (e.g., telephone, fax

number, and/or e-mail address) for the customer.

 List of merchandise ordered to include name, quantity, and price.

 Delivery terms such as expected delivery dates, shipping terms (e.g., who is responsible for delivery and who pays for delivery).

 Payment terms that specify how long after delivery they need to make full payment and whether the purchaser can receive any discounts for early payment.

 Date the purchaser placed the order and who took the order for the seller.

The customer may take the responsibility for documenting the revenue transaction by generating a purchase order, which would contain the same data elements as a sales order. The main point is that the selling firm should document the sale information listed above in some way. If the customer has done that in the form of a purchase order, then the selling firm may not need to duplicate that documentation with a sales order and just use the customer's purchase order in lieu of a sales order.

Approve Credit

If the organization sells on credit, the seller should establish the creditworthiness of the customer before executing the sale transaction. Accounting or finance departments usually deal with credit approval and document credit approval either through a separate credit approval form or by indicating that the customer's credit has been approved on the sales or purchase order.

215

Fill Order

Sellers can use the sales or purchase order as a checklist to determine what items of merchandise are required to fill the order. The contents of a shipment are frequently documented with a packing slip. A packing slip lists the items that have been included in a specific shipment. Usually a copy of the packing slip is included with the shipment so that the purchaser can use it to make sure the shipment is complete when it arrives. If the seller cannot fill the entire order for some reason, they usually produce backorder document. Backorder documents are very similar to sales order because their main function is, in effect, to reorder the merchandise that was not available. However, the seller should link backorders in some way to the original order to document the fact that the merchandise is being reordered because it was not available when the main order was processed.

Ship Order

Once the seller has filled the order and prepared it for shipment, they need to ship the good. If the firm uses its own employees and equipment to ship merchandise, a copy of the sales order may be sufficient to document shipment since the sales order contains all the information needed to move the goods from the seller's location to the customer's location. If the seller uses a shipping firm (sometimes referred to as a common carrier), then they produce a bill of lading. They use the bill of lading to give the shipper the information they need to deliver the goods, but no more than that. For example, the shipper does not need to know the details of what is in the shipment. They do need to know where the shipment is going, when it should arrive, who is paying for the shipment, and general information about the contents of the shipment (e.g., size, weight, number of packages, and general nature of the contents such as whether they need refrigeration or are flammable). One shipping issue that complicates revenue recognition is the shipping terms that determine who pays for the shipping costs, the seller or the buyer. The terminology is Free on Board (FOB). FOB shipping point means that the buyer is responsible for paying the freight from the seller's shipping point to the buyer's location. In this case, title to the goods passes at the shipping point and the seller can recognize revenue at that point. If the goods are shipped FOB destination, then the seller is responsible for paying the freight and title doesn't pass until the buyer receives the goods. This means the seller can't recognize revenue until the buyer receives the goods. FOB terms complicate inventory calculations as well because either the buyer or seller, depending on the terms, should include the in-transit items in their inventory.

Bill

Once the purchaser receives the shipment, the seller normally can recognize the revenue from the sale under GAAP. The most common way to bill the purchaser is by preparing an invoice and sending it to the customer. The generation of the invoice indicates that the selling firm has completed their part of the transaction; can recognize the revenue; and has a right to receive payment. The invoice is the seller's way of requesting payment from the purchaser. Invoices usually contain the same information as the sales order with the addition of information about shipping and delivery dates. The seller's accounting department usually handles billing activities.

216

The seller normally also will provide a periodic statement of account for the purchasers that make repeated purchases from the seller. These statements usually list all the transactions between the seller and the purchaser for a period as well as the balance the purchaser owed the seller at the beginning of the period and the ending balance due. Most firms recognize revenues when they send an invoice to the purchaser. Technically, the seller can recognize revenues when they deliver the goods. Practically, they tend to calculate the amount of the sale as part of the invoicing process and so it is simpler just to record the sale when they generate the invoice. The sale usually is recorded in the seller's Sales Journal. When the seller is ready to produce a financial statement, they post a summary of the sales activities from the sales journal to the general ledger. In addition, the seller will make an entry to an accounts receivable subsidiary ledger as the offset81 to the entry to the sales journal. The accounts receivable subsidiary journal maintains a listing of all sales and collection transactions for each customer. It is a subsidiary ledger because it contains customer-by-customer detail that supports the accounts receivable totals recorded in the accounts receivable ledger.

Collect

The seller's accounting department also usually handles collection activities. Collection activities include:  tracking payments as they are received and linking them back to invoices;

 following up on late payments; possibly turning unpaid bills over to a collection agency; or selling them to a collection agency; and

 documenting the receipt of payments and depositing the payments in the selling firm's bank account.

A critical feature of the collection process is linking the payments back to invoices to make sure the purchaser ultimately pays all invoices in full. Sellers frequently provide the purchaser with a remittance advice to indicate the invoices for which they are paying. A remittance advice can be a stub attached to an invoice that contains the invoice number and amount due. It also can be a duplicate copy of the invoice. Since the purchaser also has an interest in accurate accounting for payments and since purchasers may split payments for an invoice into several payments or combine several invoices into one payment, purchases also can create their own remittance advices by attaching a stub to their checks that identifies the invoices and amounts covered by the check. One problem with remittance advices is that the seller can't require them and must accept a payment that doesn't include one, which can complicate matching payments to invoices.

81 This is basic double entry bookkeeping. "Offset" means the account(s) needed to balance the journal entry. In this example, the entry to the Sales Journal is a credit to sales and the offset would be a debit to accounts receivable. The Accounts Receivable Subsidiary Ledger records separate accounts for each customer. The total of the Subsidiary Ledger must total the balance in the Accounts Receivable General Ledger Account.

217

A key tool that sellers use to facilitate collections and support estimates of bad debts is an accounts receivable aging report. An accounts receivable aging merely lists all the past due accounts by their age, i.e. how long they have been outstanding. It is a key report on which sellers base their allowance for doubtful accounts amount. The idea is that the longer an account is overdue, the less likely the seller will be able to collect it at all. Auditors usually get the client's accounts receivable aging report when evaluating the auditee's allowance for doubtful accounts balance. Another tool sellers use to support their collection activities is a write-off authorization. The person in the firm that management has given the authority to approve writing off overdue accounts signs this document, which provides proof of the approval.

Application to Services

The above discussion focuses on processing revenue transactions for goods. The processes for services are very similar since the same basic goals apply: documenting the sales agreement, delivering the services, and collecting. Since each sale of a service tends to have several unique characteristics, the seller has a need to develop detailed documentation of the sale agreement. The engagement letter provides this role in an audit. However, not all service providers document the nature of the services they will provide prior to delivery. For example, when you go to a doctor, you don't get a written contract prior to any diagnosis or treatment. There is an implicit contract that the doctor will use his/her expertise to fix whatever is wrong with you. Once the sales arrangement is agreed to, either implicitly or explicitly, the seller must deliver (i.e., provide) the agreed upon services before the seller can recognize any revenue. Since sellers tend to deliver most services over time, they tend to raise more percentage of completion issues than goods. Once the seller has performed the services, they need to collect to complete the revenue process. The point here is that the revenue processes for services include the same steps as the revenue processes for goods does. However, there are some differences in emphasis and documentation methods because of the different nature of services compared to goods.

218

Summary of Normal Sales Processes

Document Customer Needs - Customer places

an order

Use either customer's purchase order or seller's sales order to document: Customer contact information (e.g., name, address, phone number) Price, quantity, and description of items the purchase is ordering Date purchaser placed the order Delivery date, shipping, and payment terms

Approve Customer's Credit Document who approved credit and when. Form may vary with firm.

Fill Customer's Order

Generate packing slip that documents: Customer contact information (e.g., name, address, phone number) Quantity and description of items being ordered (note packing slips rarely contain prices) Date the seller shipped the order and who packed the order Delivery date and either customer purchase order number or seller's sales order number

Ship Customer's Order

If shipped by common carrier, document shipment with bill of lading that Contains the following. Seller could recognize the sale at this point if shipped FOB shipping point. Name of common carrier shipping the products Count of packages in the shipment Customer contact information (e.g., name, address, phone number) Date or shipment Shipping terms (e.g., FOB destination or shipping point)

Bill Customer

Generate invoice to document requirement for payment to include the following items. Sale frequently recognized at this point for simplicity. Customer contact information (e.g., name, address, phone number) Sales or purchase order number and packing slip number Date of invoice and date of shipment Payment due date and terms (e.g., 2/10 net 30) Description, price, and quantities of all items ordered and shipped.

Collect from Customer Engage in follow-up activities to insure payment. Match payment to invoice

based on customer's remittance advice or by matching to seller's invoice.

219

The following is a flowchart of a normal sales and collection process that provides more detail on how the seller does the accounting.

Common Transaction Controls for Sales

The following figure presents some of the most common transaction controls for the sales cycle. We have excluded collections because they usually are considered when discussing cash receipts and disbursements, which we are not covering in any detail in this class. The controls are

82 Timothy J. Louwers, Robert J. Ramsey, David H Sinason, Jerry R. Strawser, and Jay C. Thibodeau. 2013. Accounting & Assurance Services (5th Edition) by McGraw-Hill Irwin, page 275.

220

organized by financial statement assertions as developed by the Auditing Standards Board. The figure also describes what these assertions mean in the sales cycle. It also includes tests auditors normally perform when testing controls over the sales cycle.

Testing Controls

Overview

Auditors can test controls if a variety of ways. The major ones include:  Inspection of documents and records - Many controls are executed on documents and

records and the execution of the control by the auditee also is documented. Thus, auditors

83 From Accounting & Assurance Services (5th Edition) by Timothy J. Louwers, Robert J. Ramsey, David H Sinason, Jerry R. Strawser, and Jay C. Thibodeau, 2013, McGraw-Hill Irwin, page 281.

221

can test controls by reviewing documents and records to determine if the auditee properly applied the control.

 Observation - Auditors can observe auditee personnel executing a control procedure to determine if it is being done properly.

 Inquiries of Management and Auditee Personnel - Auditors can ask management or employees how they execute control procedures to determine if they know how to execute the control properly.

 Reperformance - Auditors can execute the control themselves and compare their results with the auditee's results to determine if the auditee is executing the control properly.

Observation and inquiry tend to be cheaper but less powerful tests. It is hard to observe someone without them knowing and so the employees the auditor is observing can alter their behavior while being observed. Inquiries also provide weak evidence because of the incentives of the auditee's management and personnel to present a positive image to the auditor. Reperformance and inspection are more expensive because they involve detailed reviews of times auditee personnel executed the control and usually involve testing attributes of a transaction. However, they tend to provide evidence that is more powerful. The remained of this chapter will cover the application of inspection and reperformance tests because these types of test raise the issue of how many transactions to test. For most controls, testing all the transactions processed by the control is far too costly and unnecessary. One exception would be for account balances that result from a few, large transactions like long-term debt, which normally results from a very few, very large transactions. When an account balance results from a few large transactions, the auditor may decide to test all the transactions for the audit period (usually one year). However, there are very few accounts like this. Thus, the auditor needs to determine the number of transactions to test; which transactions to test (i.e., the sample); and what tests to run. (S)he wants to select his/her sample, both the number and set of specific transactions, so that (s)he can be confident that the results (s)he obtains from his/her test of the sample transactions will represent the results (s)he would have observed if (s)he had tested all the transactions (i.e., the population). The risk that the sample results won't be representative of the population is called sampling risk. The following subsections present the steps auditors use in developing and executing tests of controls. The steps are similar regardless of whether the auditor chooses to use statistical sampling or non-statistical sampling,. The main advantage of statistical over non-statistical sampling is that, with statistical sampling techniques, the auditor can quantify the level of sampling risk for each test but with non-statistical sampling (s)he cannot. The main advantage of non-statistical sampling techniques over statistical is that they auditor can target high-risk items to test. Most auditing texts also state the non-statistical sampling is cheaper and easier to implement. However, that is not always the case, particularly with the computer technology currently available to draw statistical samples. We will cover the differences between statistical and non-statistical sampling in more detail as we discuss the steps to control testing.

222

Testing Steps

To design and execute a test of a control, the auditor goes through the following steps. These steps cover tests based on samples, but most the steps apply to 100% tests as well. Auditing fieldwork standards require that auditors plan audits so that they obtain sufficient appropriate evidence to support their opinion on the auditee's financial statements. The following steps are necessary to help insure that the results of an auditor's tests of controls provide sufficient appropriate evidence to support the auditor's control risk assessment.  Determine the objective of the test and select a testing procedure,

 define key characteristics of the transaction in the population (s)he is testing,

 determine the sampling procedure and sample size (if sampling),

 select the sample (if sampling),

 execute the test,

 calculate the results of the test, and

 draw conclusions about the population from the sample results.

We will discuss each of these steps in more detail next. In that discussion, we will introduce formal statistical terms and concepts as they relate to each step and, where appropriate, discuss the tradeoffs between statistical and non-statistical sampling methods. We will use a common control procedure where accounting department staff compares a copy of a purchase order and a packing slip to an invoice before issuing the invoice as an example. The control also requires that the accounting department staff initial the face of a copy of the invoice to certify that they performed the comparison. The purpose of the control is to have a person not involved in the sales process or with access to inventory confirm that what the items on the invoice is the same as what the purchaser ordered and the seller shipped before they bill the purchaser. To simplify the text a bit, we will refer to this as the Invoice Control below.

Determine the Objective and Nature of the Test

The object of the auditor's test normally is to ensure that the control the auditor is testing is working as designed. Since the auditor determined which controls achieve which audit objectives when documenting the auditee's control system, they know which risks each control mitigates. Thus, their main goal is to select tests that are designed to mitigate those risks. For example, tests of the Invoice Control would focus on insuring that the purchaser order the merchandise; the seller authorized the sale; and the merchandise was shipped. All these tests contribute to the occurrence objective. The control also helps verify that the quantity, prices, payment terms, and other details of the invoice are accurate. This control, however, could not test to determine whether the auditee recorded the transaction in their accounting records (completeness). It also can't test classification, timing, or posting and summarization since those also apply to the way the auditee recorded the transaction and recording isn't covered by this control. Auditors would need to test different controls to determine the likelihood of these types of errors.

223

In addition, auditors need to select the types of tests to run. The auditor probably would test the Invoice Control with reperformance. That is, by rerunning the comparison to make sure everything matches. However, the auditor also could test it by reviewing the invoice copy to insure the staff member initialed it. Most likely, the auditor would run both tests since (s)he on the same documents.

Define the Population Characteristics

The next step for auditors is to define the characteristics of the population containing the transactions. The auditor works through three steps to define the critical characteristics of the population: defining the population, defining the sampling unit, and defining deviations84.

Define the Population

This step involves the auditor defining the set of all transactions that will make up the population from which they draw their sample. In many cases, this step is straightforward and the population would include all transactions processed by the control in the period the auditor is auditing. However, the auditor needs to be clear about how that population fits into their overall testing plan. For example, the population for a test of the Invoice Control would include all invoices the auditee created during the audit period. However, while this population is fine for testing the Invoice Control, it isn't adequate for testing for completeness errors in accounting for the invoices. Ideally, the period should be the fiscal year the auditor is auditing. However, frequently it isn't since the auditor may run their control tests prior to the end of the auditee's fiscal year. Thus, the population of transactions may be all transactions that have occurred from the beginning of the fiscal year to the date of the test. Auditors would need to perform other procedures or limited additional tests to ensure that the effectiveness of the control didn't change from the time they ran their test until the end of the period they are auditing. Defining the population isn't sufficient. The auditor needs to determine the physical representation (referred to as the frame) for the items in the population. That is, the auditor needs some form of listing that includes all the elements of the population from which (s)he will select their sample. For example, to test the Invoice Control, the auditor will need to get a complete listing of all invoices the auditee has generated. The accuracy of the auditor's tests depends on the completeness and accuracy of the frame or listing. Thus, the auditor needs to ensure that the frame is complete and accurate because they will need to select their transactions from the frame.

Determine the Sampling Unit

In most cases, the sampling unit is a transaction or document that records the information about a transaction. In the Invoice Control example, the sampling unit would be one invoice. A

84 A deviation is where the control didn't function as designed.

224

sampling unit defines what "one of" is for the sample, which is important for determining sample size.

Define a Deviation

In the auditing literature, an error in a test of controls is called a control deviation, or just deviation. For most tests of controls, the auditor will define more than one deviation. Drawing samples and reviewing documents is costly and the auditor wants to get the most from the process. Therefore, they will define deviations that cover, to the degree possible, all types of errors that can occur (i.e., all assertion violations). For example, in testing the Invoice Control, the auditor might consider the absences of copies of the relevant documents, an inconsistency between the information on the documents; or the absence of the accounting staff member's initials on the invoice all as deviations to the control procedure. In this example, these deviations could lead to occurrence and/or accuracy violations.

Determining Sample Size

Sample size selection for statistical sampling techniques is a systematic, rigorous process that is based on three parameters the auditor must determine: the auditor's desired confidence level, the level of error the auditor can tolerate in the population (i.e., tolerable deviation rate), and the expected population deviation rate. We will discuss the intuition behind each of these parameters and the techniques auditors use to set them next. For non-statistical sampling, auditors use pure judgment to determine the sample size. However, many auditors will use statistical sampling tables and math to calculate a sample size. This is risky because statistical sampling size calculations assume that the auditor will select the sample randomly and non-statistical sampling doesn't do this. If auditors use statistical sampling tables to calculate sample sizes for non-statistical samples, they are probably under sampling and should expand their sample sizes to allow for the fact that they will not be randomly sampling from the population. These parameters are used for attribute sampling. Attribute sampling is a form of statistical sampling where the goal is to determine whether the sampling unit has some attribute and not. That is, whether a deviation exists in the control for the transaction being tested or not. The term used for statistical sampling techniques that focus on the value of a transaction is variable sampling and we will discuss that approach when we talk about testing balances in the next chapter. The two sampling approaches differ in that attribute sampling is based on mathematics appropriate for a population that either has an attribute or doesn't (i.e., binomial distribution because there are only two possible outcomes) and variable sampling is based on mathematics appropriate for sampling units whose values vary continuously (i.e., normal distribution). Since auditors are testing whether or not the control contains their defined deviation, auditors apply attribute sampling to tests of controls.

225

Desired Confidence Level

Keep in mind that the goal of control testing is to assess control risk, which is the likelihood that the auditee's controls missed a deviation that might create a material misstatement in the financial statements. However, the auditor at this point is not assessing control risk for the financial statements taken as a whole, but the control risk for a specific audit objective or objectives within a specific account or accounts. The auditor's desired confidence level is the degree to which they want to be confident that their sample results will hold up for the population. Thus, the complement of the desired confidence level (1 - confidence level) is the risk that the sample results will not match the population's results, which is sampling risk. The intuition here is that the auditor needs to determine how confident they want to be that the results of their sample tests of some transactions are representative of the population of all transactions. Because confidence can never be 100% and sampling risk can never be 0%, the deviation rate that the auditor projects to the population will always be higher than the deviation rate they find in the sample because of sampling risk. In setting the desired confidence level, the auditor will consider how important the account and audit objective involved in the test are to the overall audit. Factors that they consider include the size or other measure of significance of the account, the importance of the audit objective, as well as the degree they plan to rely on the control when concluding about the financial statement balances. Given that the auditor plans to rely on the control (i.e., use the results of testing controls to lower their control risk below 100%), they usually set their desired confidence level at 90% or 95%. Since the confidence level is the complement of the sampling risk, these confidence levels mean the auditor is willing to accept a 10% or 5% risk, respectively, that their tests will indicate the control is working when it isn't or that their sample tests will indicate the control isn't working when it is. Auditors refer to the risk of over-reliance and the risk of under reliance. Over-reliance would occur if their sample shows that the control is working but it isn't; they will falsely rely on that control to support their conclusion about the relevant account balances. Under-reliance would occur if their sample shows that the control isn't working but it is, they will falsely fail to rely on the control to support the relevant account balances; this under-reliance on the control could lead to auditors having to do more work if their sample results indicate the control isn't working when it is. Over-reliance exposes the auditor to increased audit risk and under-reliance exposes the auditor to unnecessary waste of resources. When setting their confidence level, the auditor needs to consider the practical tradeoffs involved. The higher the confidence level they want to achieve, the larger the sample size must be. That is, the greater the number of items you sample, the lower the risk that the sample results won't reflect the control's actual effectiveness.

226

Tolerable Deviation Rate

The tolerable deviation rate refers to the maximum rate of deviation they are willing allow in the population and still conclude the control is working. No control is perfect and auditors will nearly always find deviations in the tests of controls. Thus, they need to decide how many deviations they are willing to accept in the population of all transactions over which the control functions and still rely on the control to mitigate risks in that population. Tolerable deviation rate applies to the population, not the sample even though it is used to calculate sample size. As discussed below, the auditor will project their sample deviation rates to the population by considering sampling risk and then compare the projected population deviation rate to the tolerable deviation rate to accept or reject the control. The difference between their desired confidence level and their tolerable deviation rate is that the confidence level refers to how confident they want to be that the deviation rate for the sample is the same as the deviation in the population and the tolerable deviation rate refers to how many deviations the control can have and the auditor will still conclude that it is working. In other words, confidence refers to how effectively the test predicts reality and tolerable deviation refers to how bad a control can be in reality and still be considered to be working. The auditor can never know how many deviations occur in the population because they only test the sample, but they can project the error rate the find in the sample to the population and then decided whether to accept the control or not. Again, there are practical tradeoffs here. The fewer deviations the auditor is willing to accept and still concluded the control is working, the larger the sample size. The intuition is if the auditor is not willing to accept many deviations, they have to look harder for deviations (i.e., increase their sample size).

Expected Population Deviation Rate

This parameter may seem a bit strange to students. The expected population deviation rate is the deviation rate the auditor expects from the control before they test it. Students sometimes ask why auditors need to guess at a deviation rate when they are about to find out what it is with their tests. Recall that these parameters will determine the sample size for the test. Thus, the intuition is that the size of the sample that the auditor would use to satisfy their desired confidence level and their tolerable deviation rate depends on how deviation prone the population really is. The higher the expected deviation rate, the more testing they will need to do to achieve their target confidence level and tolerable deviation rate. Auditors can develop estimates of the expected population deviation rate using several methods. The most common is to use the actual deviation rate they observed in the prior year's audit since most audits are continuing engagements. For new auditees, or when the auditee has made significant changes to the controls, the auditor might take an initial sample just to estimate the population deviation rate and then take a second sample to use to support their control risk conclusions. Auditors also can use judgment. For example, if the auditor feels that the firm's control environment (e.g., training and supervision for the employees executing the control is high) is strong, they might use deviation rates they experienced with other clients that also had strong control environments.

227

If the auditor's expected population deviation rate is higher than their tolerable deviation rate, then they shouldn't perform the test. You will notice when we present an example of calculating a sample size below that the tables from the AICPA Audit Sampling guide do not include sample sizes for cases where the expected deviation rate is more than tolerable deviation rate. If they expect to find more deviations than they are willing to tolerate, they should find alternative controls to test that would meet their testing goals. Again, there are practical consequences to estimating the population's deviation rate. The greater the expected deviation rate, the larger the sample size. That is, the messier the population, the more work the auditor will need to do to ensure that it isn't messier than they can tolerate. The following table summarizes the effects of the three parameters on sample size:

Parameter Effect on sample size Confidence level Direct - higher confidence requires a larger sample. Note, sampling

risk is the inverse of confidence so the relationship between sampling risk and sample size is inverse - the higher the sampling risk the auditor is willing to accept, the lower the sample size.

Tolerable deviation rate

Inverse - the higher the number of deviations the auditor is willing to accept in the population, the smaller the sample size

Expected deviation rate

Direct - the more deviations the auditor expects in the population, the larger the sample size.

Calculating Sample Size

Once the auditor has determined values for the three parameters, all they need to do is look up their sample size in a standard statistical table or use a sampling computer program. The following is a table for a 95% confidence level. Auditors have access to a variety of tables like this for different confidence levels. However, as noted above, 95% and 90% are the most common levels. The tables use the same mathematical formulas included in sampling packages and are a bit dated in that most auditors use sampling software today. They also need to be simplified into ranges. However, we used them in the text to simplify the discussion. In the table as the expected deviation rate increases, so does the sample size. In addition, as the tolerable deviation rate increases, the sample size goes down. The numbers in parentheses next to the sample sizes indicate how many deviations the auditor can find in a sample of that size and meet their sampling goals. We have not mentioned the size of the population. This seems counter intuitive in that you would think that you would need to sample fewer items if there were only 10 transactions than if there were 2,000. In fact, this is the case to a degree. However, because of the nature of the statistics involved, the effect of population on sample size falls rapidly as the population size grows. Since tests of controls normally involve large populations of transactions, auditors ignore population size when calculating sample size.

228

Statistical Sample Sizes for Attribute Sampling - 95% Confidence Level

Select Sample Items

Statistical Sampling Selection Methods

For statistical sampling techniques, the process that auditors use to select sampling units from the population must be random or closely approximate random. Random sampling is the best way to guarantee that the items selected in the sample represent the items in the population because every item in the population has an equal chance of being selected for the sample. Pure random sampling requires numbering every unit in the population such that the auditor can use a random number table or random number generator85 to select a random number and use that number to select a unique sampling unit from the population. Systematic sampling is a quasi-random sampling technique that closely approximates random sampling and is easier to apply. In systematic sampling, the auditors use their frame (list of all items in the population) and choose a random starting point in the frame. They then select every

85 Excel has a RAND function that creates random numbers, for example.

229

Nth item in the frame from that starting point, which is the sampling interval. They calculate N by dividing the population count by the sample size. For example, assume that an auditor wanted to take a sample of 100 from a population of 1,000,000 items. (S)he would select a random starting point in the first 10,000 (i.e., 1,000,000 / 100) in a list of the 1,000,000 items and then move sequentially through the list selecting every 10,000th item for their sample. We refer to systematic sampling as quasi-random because it is close to random, but not quite perfectly random. There could circumstances, usually highly unusual, where there is a sequential pattern in the items in the frame. For example, if, because of the way the auditor built the frame, the same person processed every 10,000th item in the above example, then the sample would not be random since it would only test how that one person processed the transactions through the control. It is highly unusual, but still possible, and auditors need to be aware of the limitation. However, barring any weird pattern in the frame, auditors can use systematic sampling in place of pure random sampling. As you might have realized, systematic sampling is a lot easier than random sampling if you are selecting samples manually. However, most auditors today use software packages that allow them to access the auditee's client files directly and select truly random samples electronically. These software packages eliminate benefits of systematic sampling.

Non-statistical Sampling Selection Methods

If the auditor is using non-statistical sampling, they don't need to take random samples. However, the accuracy of their sampling usually would benefit if they did so. One non-random sampling technique auditors frequently use in non-statistical sampling is called haphazard sampling. Haphazard sampling can approximate random. Haphazard sampling is self- explanatory to a degree. To take a haphazard sample, auditors select items from the frame in a haphazard manner. The more haphazard they are, the more random the sample. For example (and this is a bit extreme), auditors could take a listing of the items in the population, tape them to the wall, and through darts at the listing. Assuming they didn't aim at the same part of the list each time, the results would be close to random. As with systematic sampling, if the selection process is sufficiently haphazard, auditors could treat it as random and quantify their sampling risk anyway. Haphazard sampling is the most common sampling technique use in audit practice. Some auditors that use it treat it as random and use statistical methods to quantify their sampling risk. This is a risky approach that probably understates sampling risk because of human judgment biases they can never be sure how random their haphazard selection was. Another benefit of using non-statistical sampling techniques is that auditors can use judgment in selecting items to sample. With statistical sampling techniques, sample selection is very mechanical and the auditor has no say in what sampling unit they select. With judgmental sampling, auditors have the ability to use their experience and judgment is selecting items to sample. For example, they may target large transactions, problematic transactions, or transactions processed by new personnel to test. In effect, they are loading their sample in favor of finding deviations using their judgment as to where the deviations might be. This way, they may be able to justify a smaller sample size since the sample is biased toward finding errors. However, they

230

also risk overstating the error rate in the population and ending up doing more tests of balances to achieve their target audit risk. Judgmental sampling does not approximate random. Thus, if the auditor uses judgmental sampling, they cannot assess their sampling risk. Judgment sampling makes more sense when the population of transactions is small and heterogeneous rather than large and homogeneous.

Perform Tests

This step may seem simple. Just execute the tests you have decided to do on the items in your sample and count the errors. However, there are complications the auditor needs to consider. For example, what if the sample item isn't available because it was voided, destroyed, or lost, or is inappropriate for the test selected? Whenever the auditor encounters a situation where they cannot examine a sampling unit in their sample, they need to evaluate the reason for the problem and consider how they should respond. For example, if the item was just voided, this is a normal situation and the auditor would probably just select another unit to sample. If the item is unavailable, lost, destroyed, or inappropriate, the auditor may just count the item as a deviation and move on. Another complication can arise if the auditor is partially through their sample and already has accumulated more than the tolerable number of errors. The auditor can just terminate the sampling process and conclude the control isn't working. However, depending on how close they are to finishing their sample and other factors, they may elect to increase their sample size to compensate. The risk of increasing their sample size is that they may end up doing more work and still have to conclude that the control isn't working. Thus, usually auditors won't extend their sample sizes unless they believe there is a reasonable chance that the results they have observed thus far are not representative of the population. Obviously, this is a judgment call and a gamble.

Calculate Results

For statistical sampling, calculating the result is easy. Auditors just take the number of deviations they find (i.e., their sample deviation rate or SDR) and look up the maximum upper deviation rate in a table (or software package). The term used in the auditing literature is upper limit rate of deviation or ULRD. To try to keep the text simpler to understand, we will use maximum deviation rate from now on. The maximum deviation rate is the maximum deviation rate that the auditor can expect in the population given the deviations they found in their sample and the sample size they used. The maximum deviation rate is a percentage and auditors can compare their maximum deviation rate to their tolerable deviation rate. If the maximum deviation rate is higher than the tolerable deviation rate, the auditor should conclude the control isn't working. The word "maximum" comes into the discussion because of sampling risk. The sample has a determined rate of deviations, but, because of sampling risk, the auditor can only set a range of possible error rates for the population. Since sampling risk is two sided - the population rate may be either more or less than the sample deviation rate, a sample result creates an upper and lower limit to the population deviation rate. Since auditors tend to be a bit conservative, they focus on making sure the maximum deviation rate is less than their tolerable rate, not the minimum deviation rate.

231

The table below is a companion to the sample size table presented earlier. It computes the maximum deviation rates, at a 95% confidence level, given the number of deviations the auditor found in the sample and the sample size. The cell entries are percentages. For example, if an auditor found 1 error in a sample of 100, they can say that the maximum deviation rate would be 4.7% with a 95% confidence. However, the sample deviation rate was only 1% (or 1 / 100). The reason the maximum deviation rate, which is for the population, is always higher than the sample deviation rate is due to sampling risk. Notice that as the sample size increases, the difference between the sample deviation rate and the maximum deviation rate declines. For example, with a sample size of 100 and 1 error, the difference was 3.7 percentage points (4.7% - 1.0%). For a sample size of 200 and 1 error, the difference is 1.9 percentage points (2.4% - 0.5%). This makes sense since the larger the sample, the greater the likelihood that the sample accurately represents the population and the lower the sampling risk. Thus, the difference between the sample deviation rate and the maximum deviation rate as calculated in the table measures the sampling risk for that sample size, sample deviation rate, and confidence level. If the auditor uses non-statistical sampling, they must use judgment in projecting their sample results to the population. That is, they must set an arbitrary amount that their sample deviation rate needs to be below their tolerable deviation rate to decide whether they will accept the population based on the sample or not. This is a major drawback of non-statistical sampling - the auditor needs to guess at the sampling risk because they have no way to calculate it.

Maximum Deviation rates for Attribute Samples - 95% Confidence Level

232

Draw Conclusions

Drawing conclusions has two major components: projecting the population deviation rate and comparing to the tolerable rate (i.e., calculate the results) and evaluating the deviations. The first step is very mechanical with statistical sampling techniques.

Compare Maximum Deviation Rate to Tolerable Deviation Rate

The auditor calculates their maximum deviation rate and compares it to their tolerable deviation rate. If the maximum deviation rate is lower than or equal to their tolerable deviation rate, they can conclude the control works. If the control works as designed, then the auditor has a basis for stating that their preliminary assessment of control risk for the account and objective affected by the control is valid. If the auditor finds a lower than expected deviation rate, they may have a reason to lower their control risk and, subsequently, the magnitude of their tests of balances.

Evaluation Deviations

Regardless of whether the maximum deviation rate exceeds the tolerable, auditors should review the deviations to try to determine what caused them. For example, if the deviations appear to be random then they could simple be due to periodic human error. However, if they appear to be systematic (e.g., isolated to one employee), then the auditor may decide to recommend remedial action to the auditee. In addition, systematic deviations may signal a weakness in the way the control is executed and may signal problems with the way it is structured and described to the employees charged with executing it.

Options if Maximum Deviation Rate exceeds Tolerable Deviation Rate

The auditor has several options if the maximum deviation rate exceeds the tolerable deviation rate. We have listed the following roughly in order of the severity of the effect on the audit. However, they are not mutually exclusive and auditors may decide to apply several of them. We discuss the auditor's options if the sample deviation rate exceeded the tolerable deviate rate before the sample is completed in the section above on performing the tests. If the sample deviation rate exceeds the tolerable deviation rate, then the maximum deviation rate must also exceed the tolerable deviation rate because the maximum deviation rate is always higher than the sample deviation rate because of sampling risk. Thus, auditors may face the decisions outlined above during the testing process if the sample deviation rate exceeds the tolerable deviation rate before all the items in the sample are tested. Since the auditor won't calculate the maximum deviation rate until they have finished their sample, they must decide what to do after the sample is completed and they find their maximum deviation rate (i.e., sample deviation rate increased for sampling risk) exceeds their tolerable deviation rate once they complete the sample.

Expand Sample Size

Auditors can increase the sample size and rerun their tests on the new items. Increasing sample size will reduce sampling risk and, thus, the difference between the sample deviation rate and maximum deviation rate. This reduction in sampling risk may lower the maximum deviation rate

233

below their tolerable deviation rate so that they can accept the control. However, if the problem is that the control really isn't working properly, the sample deviation rate for the sample may increase as they find new deviations in the newly sampled items. Thus, they may end up doing more work and still end up with a maximum deviation rate above their tolerable deviation rate. Auditors should be able to gains some insights on what will happen if they increase their sample size after they analyze why the deviations occurred in the original sample. For example, if the deviations in the original sample appear to be systematic, there would a greater chance that they will show up in the newly sampled items as well.

Apply Alternative Procedures

Another option is for auditors to execute different tests of the same control and objective. They may be able to use the additional evidence from these additional tests to determine that the control is working and be able to accept the control and move on. The risks of taking this action are similar to expanding the sample size. If the control isn't working, they may end up doing more work and still end up rejecting the control. Their analysis of the reason for the deviations may help them make a better judgment about what the outcome might be here just like it would for expanding the sample size.

Adjust Control Risk

Auditors may just increase their control risk assessment for the account and audit objective that the control test targeted. If they take either or both of the actions above and they fail, this is the next logical option. If they increase their control risk assessment, this will mean that they will need to lower their detection risk for the same account and objective, thus they will need to do more substantive testing of the transactions and items that affect the account balance to gather enough evidence to accept the account balance.

Revise Tolerable Deviation Rate and/or Confidence Level

We left this until last because it is extremely dangerous to do. However, auditors can use hindsight based on the sample results to adjust their initial valued for tolerable deviation rate and or confidence level. That is, they can look at the sample results and decide they really can live with more deviations in the population or lower confidence (i.e., higher sampling risk). This is very dangerous because the auditor would need solid justification as to why the sample results should change these judgments that they made when planning the sample. If they were ever in a courtroom defending their work, this might appear to a jury that they were just "cooking the books" to accept the auditee's controls.

Communicate Results to the Audit Committee

If the auditor was able to accept the control by either increasing sample size or running additional tests, then can conclude the control is working and move on because the additional evidence justifies their acceptance of the control. However, if they either adjust control risk or alter their assumptions, they should communicate this to the audit committee because both decisions imply that there may be problems with the auditee's controls.

234

Non-sampling Risk

The discussion thus far has focused on sampling risk, which is the risk that sample won't be representative of the population. However, there are non-sampling risks that might also undermine the effectiveness of the auditor's test of controls. Non-sampling risk is the risk that the sample won't be an accurate test of the control for reasons other than sampling risk. Some of these risks include:  Not executing the test properly.

 Running the wrong test (e.g., the test doesn't test the right objective for the transaction).

 Errors defining the population, frame, and sampling unit.

 Selecting the wrong item when drawing the sample.

 Miscalculating the number of deviations in the sample.

This is just a short list of examples. You can go back through the steps covered in this chapter for executing a test of controls and identify other things that can go wrong other than sampling risk. The concept of non-sampling risk is broad.

Substantive Tests of Transactions

Tests of controls that use sampling procedures nearly always involve testing controls over specific transactions. Auditors also run substantive tests of transactions. The difference between the two is that tests of controls do not test the amount of the transaction directly, but test the controls designed to in insure the amount is accurate. However, while the auditor is reviewing the documentation of the transaction to determine whether the control is working, they may also run tests on the accuracy of the amount recorded for that transaction, which is a substantive test of the transaction. That is, any test that tests the accuracy of a recorded amount is a substantive test. For example, if the auditor testing the Invoice Control that was used as an example above also traced the amount of the invoice in their sampled invoice to the sales journal to verify that the auditee accurately recorded it, that would be a substantive test of the transaction. We raise this issue here because auditors frequently run substantive tests of transactions simultaneously with tests of controls. However, since a substantive test tests an amount that can be in error by a variable amount and not just right or wrong, the statistical testing techniques used for testing controls don't apply to substantive tests of transactions. We will cover these tests in the next chapter that covers tests of balances because the statistics to calculate sample size and evaluate the sample are the same for both substantive tests of balances and substantive tests of transactions.86

86 In short, "substantive" means testing an amount and how much the amount is in error not merely whether it was right or wrong.

235

Tests of Details and Auditing Sampling for Test of Details in Sales and Collections Activities

Summary

This chapter presents a description of how auditors plan tests of details for accounts in the sales and collection cycle, to include examples of specific audit tests for each audit object. It also presents two alternative statistical sampling methods auditors use to test details for accounts receivable, which also can be used for substantive tests of transactions and tests of other balances. After completing this chapter, student should be able to:  describe the steps auditors use to plan and execute a test of details

 describe examples of audit tests for different audit objectives for accounts receivable

 describe monetary unit sampling (MUS) and discuss its strengths and weaknesses;

 execute an MUS on a simplified example;

 discuss how to evaluate the results of an MUS and issues that auditors should address before concluding that the auditee's balances are misstated;

 describe the advantages and disadvantages of MUS versus classical variables sampling;

 execute and evaluate a classical variable sample (CVS); and

 describe the options auditors have in responding to sample results that indicate that auditee's balances are misstated.

Substantive Tests of Transactions

Since income statement accounts, like sales, are a total of transaction amounts during a period, auditors really don't test the balance directly, but test the transactions that create the balance. While balance sheet accounts also result from transactions, those transactions involve items like an individual accounts receivable balance, vendor account payable balance, or value of an item in inventory. Thus, auditors can test balance sheet accounts by testing the items that make up the balance as well as testing the transactions that created those items. However, they can only test income statement account balances by testing the individual transactions that make up the balance. Auditors execute substantive tests of sales transactions in a manner similar to testing controls over sales transaction. The tests usually involve documents supporting the transaction and tracing amounts to the sales journal as well as vouching transactions on the sales journal back to source documents. Auditors must evaluate substantive test of transactions that test accuracy using the same statistical approaches covered later in this chapter. The attribute-based testing methods used to test controls can only answer yes/no questions and cannot determine how far off an amount is. Auditors use statistical methods designed to determine how far an amount is to test account

236

balances, but they need to apply these same statistical tools to test whether transactions are accurate as well.

Designing Tests of Balances

Determine Planned Detection Risk

Auditors use tests of balances to cover their planned detection risk. Thus, it is important to review how auditors determine planned detection risk. Since audit tests differ by account and audit objective, auditors apply the audit risk model at the audit objective/account level. Here is the appropriate formulation of the audit risk model that auditors use to determine planned detection risk:

DR = AAR / (IR * CR) Auditors set their acceptable audit risk for the entire audit and not for individual accounts and objectives because the factors that determine audit risk arise from the risk of falsely certifying an entire set of financial statements are being free of material misstatement when they aren't. However, they assess inherent and control risk at the objective/account level to determine their planned detection risk for each object/account combination because inherent and control risks can vary significantly depending on the objective and account involved. This text has covered the issued that affect inherent and control risk in previous chapters. This chapter will illustrate the process auditors use to achieve their planned detection risk by using accounts receivable as an example.

Set Performance Materiality/Tolerable Misstatement

Risk is only one of two major determinations auditors make before building a testing plan to achieve their planned detection risk. The other factor is performance materiality, which the auditing standards call tolerable misstatement. . That is, planned detection risk is the risk that auditors are willing to accept that their testing plan misses a material misstatement. Thus, they need to determine how large a misstatement must be to be material. The term "tolerable misstatement" captures this concept best because performance materiality is the size of an error that auditors can tolerate in a given account before concluding that that account is materially misstated. As covered earlier in this text, auditors make a preliminary judgment about materiality for the financial statements taken as a whole and then allocate that overall materiality level to individual accounts. Since materiality applies to an account balance, it really can't be broken down by audit objective. While there have been some academic studies that attempt to develop algorithmic methods for allocating preliminary materiality to accounts, auditors haven't adopted any of these in practice. Thus, allocating preliminary materiality to accounts remains highly judgmental. Attempting to use an algorithmic approach to allocating preliminary materiality to tolerable misstatements for each account is complicated because errors in accounts don't normally simply add up to an error

237

in a key statistic or account balance. For example, sometimes errors offset each other. However, the auditor may be concerned about the very existence of these individual errors even though the offset each other in a key statistic or account balance. In addition, some errors may be additive and a series of small errors in enough accounts might add up to a material error in a key statistic such as the current ratio. Because of the complexities involved in using financial statement materiality to set tolerable error levels for the accounts, most audit firms develop conservative rules of thumb that allocate more than the financial statement materiality to accounts. As an example, one firm assigned 50% of the financial statement materiality to every account balance, but then allowed auditors to adjust individual accounts based on qualitative factors. However, if a firm has, for example, 50 accounts or line items on their balance sheet and income statement and the firm allocates 50% of the financial statement materiality to each account, the total tolerable misstatement for all accounts will be 25 times the financial statement materiality. This situation could create a risk of materially misstatement financial statements even though none of the account's misstatements exceeded tolerable misstatement. One quantitative factor that auditors always consider is the size of the account balance. When auditors set preliminary materiality, they usually do so as a percentage of some top-level measure like total asset, sales, or operating income. Auditors also consider the size of the account balance to set tolerable misstatement for an account balance. The list of qualitative factors auditors use to set tolerable misstatement for each account are long. Here is the list included in the ASB's auditing standards:

Qualitative considerations also influence the auditor in reaching a conclusion about whether misstatements are material. Qualitative factors that the auditor may consider relevant to his or her consideration of whether misstatements are material include the following: a. The potential effect of the misstatement on trends, especially trends in profitability. b. A misstatement that changes a loss into income or vice versa. c. The potential effect of the misstatement on the entity's compliance with loan covenants, other contractual agreements, and regulatory provisions. d. The existence of statutory or regulatory reporting requirements that affect materiality thresholds. e. The misstatement masks a change in earnings or other trends, especially in the context of general economic and industry conditions. f. A misstatement that has the effect of increasing management's compensation, for example, by satisfying the requirements for the award of bonuses or other forms of incentive compensation.

238

g. The sensitivity of the circumstances surrounding the misstatement, for example, the implications of misstatements involving fraud and possible illegal acts, violations of contractual provisions, and conflicts of interest. h. The significance of the financial statement element affected by the misstatement, for example, a misstatement affecting recurring earnings as contrasted to one involving a nonrecurring charge or credit, such as an extraordinary item. i. The effects of misclassifications, for example, misclassification between operating and nonoperating income or recurring and nonrecurring income items or a misclassification between fundraising costs and program activity costs in a not-for-profit organization. j. The significance of the misstatement relative to reasonable user needs, for example:

• Earnings to investors and the equity amounts to creditors. • The magnifying effects of a misstatement on the calculation of purchase price in a transfer of interests (buy-sell agreement). • The effect of misstatements of earnings when contrasted with expectations.

Obtaining the views and expectations of those charged with governance and management may be helpful in gaining or corroborating an understanding of user needs, such as those illustrated above. k. The definitive character of the misstatement, for example, the precision of an error that is objectively determinable as contrasted with a misstatement that unavoidably involves a degree of subjectivity through estimation, allocation, or uncertainty. l. The motivation of management with respect to the misstatement, for example, (i) an indication of a possible pattern of bias by management when developing and accumulating accounting estimates, (ii) a misstatement precipitated by management's continued unwillingness to correct weaknesses in the financial reporting process, or (iii) intentional decision not to follow generally accepted accounting principles. m. The existence of offsetting effects of individually significant but different misstatements. n. The likelihood that a misstatement that is currently immaterial may have a material effect in future periods because of a cumulative effect, for example, that builds over several periods. o. The cost of making the correction. It may not be cost-beneficial for the client to develop a system to calculate a basis to record the effect of an immaterial misstatement. On the other hand, if management appears to have developed a system to calculate an amount that

239

represents an immaterial misstatement, it may reflect a motivation of management as noted in item l above. p. The risk that possible additional undetected misstatements would affect the auditor's evaluation. These circumstances are only examples; not all are likely to be present in all audits, nor is the list necessarily complete. The existence of any circumstances such as these does not necessarily lead to a conclusion that the misstatement is material.87

This list applies to both setting preliminary materiality for the financial statements taken as a whole as well as tolerable misstatement for an account. At the account level, auditors consider how much of an effect the individual account balance could have on each of these factors.

Determine Testing Plan

Determine a testing plan for account balances is tricky because auditors do not tend to complete all their tests of controls before they start testing balances. Waiting until all tests of controls were complete before starting to test balances would extend the time needed to complete the audit significantly. Thus, the auditor's planned detection risk can change as the tests of controls are completed. Note that one of the options auditors have if tests of controls fail is to increase control risk and adjust planned detection risk accordingly. However, auditors base their planned detection risks on their best judgment of control and inherent risk at the time they are planning their tests with the understanding they may need to modify their testing plan. Auditors have two categories of tests that can be used to test balances: substantive analytical procedures and tests of details. A test of details involves testing the individual components of an account balance (e.g., individual items in inventory or individual sales transactions). Substantive analytical procedures are much cheaper than tests of details, but are much less powerful. Analytical procedures that involve things like evaluating year-to-year changes in accounts and ratios and/or comparing ratios to industrial norms can only signal a possible material misstatement and do not provide definitive evidence that such a misstatement exists. Thus, normally, auditors cannot rely on substantive analytical procedures alone to conclude on an account balance. However, there are other forms of substantive analytical procedures that can be more focused and provide stronger evidence that a material misstatement exists in the account. For example, consider a cable television provider and the audit of its accounts receivable balance. Their accounts receivable balance consists of a large number of small balances due at any point in time. However, those balances result from predictable monthly charges and billing periods. Thus, the auditor could calculate what an average customer balance would be for a specific point in the

87 Auditing Standards Board. (2006). AU Section 312 - Audit Risk and Materiality in Conducting an Audit. pages 1660 - 1662. http://www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/AU-00312.pdf. Downloaded 9/17/2016.

240

billing cycle and multiply that average balance times the number of customers. This calculation would give the auditor a good reasonability check on the cable company's accounts receivable balance at any point in time. However, even these types of analytical procedures only signal a possible issue and don't identify a specific misstatement. Tests of details identify specific misstatement in specific balance components and, therefore, provide more solid evidence of an actual misstatement. Determining a testing plan, therefore, involves selecting a package of substantive analytical procedures and tests of details for each account balance such that if the tests are successful, the auditor's planned detection risk will be met. For accounts with high planned detection risk, the auditor may be able to rely on substantive analytical procedures and reduce the amount of detail testing. For accounts with low planned detection risk, the opposite would be true. They would need to emphasize the more powerful tests of details to achieve their planned detection risk. In addition, auditors need to select specific testing procedures. For example, specific ratios to review or specific tests of details to run. The following section provides examples of these specific tests for the accounts receivable balance. The examples are broken down by audit objective since different tests test different objectives.

Examples of Risk and Tests for Accounts Receivable

Tie-in

The detail tie in objective for accounts receivable means that the summation of the individual customer balances agrees with the general ledger balance, which is usually the accounts receivable master file total in the auditee's information system. Since auditors also test the allowance account balance as well, they usually test detail tie in using the auditee's aged trail balance. An aged trial balance lists each customer account broken down by how old each receivable is; usually in 30-day increments. That is, it will list the portion of each customer balance that is current, up to 30 days old, between 30 and 60 days old, etc. Auditors trace the total to the general ledger to determine if the gross accounts receivable balance (the balance before the allowance is netted out) ties. They use the aging to do a reasonability check on the allowance account. Accounts that are older tend to be at a higher risk of default and so an auditor can make a judgment call on what percentage of each category (e.g., between 30 and 60 days old) might be uncollectable; sum up the estimated uncollectable accounts in each category; and estimate the total allowance account. However, the auditor needs to consider the auditee's collection policy. If the auditee allows customers to take 120 days to pay without charging interest or late payment penalties, then the bulk of the auditee's accounts between 0 and 120 days old are probably collectable. If the auditee requires payment within 30 days of billing, then the bulk of the accounts that are approaching 120 days old are probably not collectable. Auditors would start by verifying the mathematical accuracy of the aging by retotaling it and then tracing it to the general ledger account. Since they will probably draw a sample of the individual account balances on which the aging is based to do detail tests of accounts receivable,

241

they also would probably perform this test first to verify that the listing from which they draw their sample was complete.

Completeness

Completeness for accounts receivable means that all customer accounts that the customer owes to the auditee have been recorded. Testing accounts receivable for completeness can be difficult. Since auditors determine which customer account balances to confirm from the auditee's listing of customer accounts, confirmation can't detect if that listing was incomplete. The chapter presents a more thorough discussion of the confirmation process and its challenges below. One test auditors can run is to trace shipping documents to the sales journal to insure the sale was recorded. Then they can test the detail tie in between the sale journal entries and accounts receivable postings to insure the accounts receivable balance is complete. However, since failing to record a legitimate accounts receivable would understate assets and sales (since it implies the sale transaction wasn't recorded either), auditors are less concerned about completeness misstatements in accounts receivable because managers tend to be more sensitive about things that understate assets and sales than things that over statement them. However, auditors need to keep in mind that they certifying the account is free of material misstatements, not just material overstatements.

Existence

Accounts receivable existence means that the individual customer accounts that make up the general ledger balance actually exist. The two main existence tests auditors use are confirmation of customer accounts and vouching the customer accounts to supporting documents like shipping documents and cash receipts transactions. They can also test collectability to evaluate the allowance account by reviewing subsequent transactions to see if the account was paid. Vouching to subsequent transactions also tests the existence of the customer account since customers usually don't pay things they don’t owe.

Accuracy

The accuracy objective for accounts receivable is straightforward - the amounts that have been recorded are accurate. Completeness means that ever item that should be included was and existence means that no item that should be included was. Accuracy means that the items that were recorded were recorded for the right amount. Confirmation of account balances with the customer is a common audit test for accuracy. However, auditors also can vouch the debits and credits in the customer's account to supporting documents and recalculate the balance to test accuracy.

Rights

Rights as applied to accounts receivable states that the auditee has a right to collect the receivable. Normally, auditors test rights and existence the same way. However, sometimes the auditee could have pledged the receivable as collateral, factored them with or without recourse, or sold them at a discount. The customer would not know of any of these transactions and so confirmations would detect a restriction on the auditee's right to collect the receivable. Vouching

242

receivables transactions to source documents also wouldn't detect a transfer of rights. Thus, auditors need to:  Review the Board of Directors minutes for authorization to sell or pledge receivables.

 Review correspondence files for evidence of agreements that might impair the auditee's collection rights.

 Confirm with the auditee's banks that the auditee has not pledge accounts receivable as collateral for a loan.

 Examine debt contracts for evidence that accounts receivable has been pledged as collateral.

Realizable Value

The realizable value objective for accounts receivable focuses on the collectability of the receivable. The main tool the auditor uses is the aged trail balance of receivable that we discussed in the detail tie in section. One more point - the auditor also needs to review the auditee's credit policies to determine how well they are followed (as part of tests of controls) and whether they have changed from the prior year. When the auditor reviews how the client translates the information in the aging to an allowance balance, the auditor will look for difference from the prior year. The auditor needs to determine if any differences were due to changes in collectability or changes in the auditee's credit policy. For example, if the auditee extended the time the customer has to pay an invoice, then older accounts might be more collectable.

Cutoff

The cutoff object for accounts receivable means that the receivable was recorded in the same period as it was created. Cutoff is supported by the auditor's completeness and existence tests since a receivable that was reported in a subsequent period violates completeness in the current period and one that was recorded in the current period but not created until the subsequent period violates the existence objective in the current period. However, because completeness and expense tests span the entire year and because timing difference have a greater effect near year end, auditors typically focus tests specifically on period-end cutoff. The same procedures apply to cutoff tests. For example, auditors can trace shipping documents to the sales journal to determine if the shipment was recorded in the right period. They also can vouch sales journal entries to the shipping documents to determine the same thing. A complete cutoff test would require doing both of these. Because of the tight connection between receivables and sales, cutoff tests usually involve determining if the sale transaction that created the receivable was recorded in the right period. However, determining when a sale transaction should be recorded can be complex depending on the nature of the sale. Thus, auditors apply the revenue recognition rules that the text covered in Chapter 8 to determine when a sale and associated receivable should be recorded. However, this only covers half the issue since auditors also need to verify the timing of cash transactions to cover the credit entries to accounts receivable. This text will cover auditing cash in the next

243

chapter. However, testing the timing of cash transactions is fairly simple because there usually isn't any ambiguity in recording when cash is received. Auditors can also use confirmations to test for cutoff. However, auditors usually need to do follow-up tests because confirmations can be effected by normal timing differences (e.g., the check is in the mail or the invoice was in the mail around year-end.) The auditee's use of FOB destination shipping terms also can create normal timing differences that affect confirmations.

Classification

The classification objective for accounts receivable focuses on whether the auditee has separated and classified accounts receivable on the balance sheet. The main classification issues are:  Receivables not required to be paid in less than a year are classified as long-term assets.

 Receivables from related parties are separated and disclosed in the footnotes.

 Significant credit balances in accounts receivable are reclassified as liabilities.

Auditors can review the aged trail balance or other accounts receivable listing to identify receivables from related parties and also identify receivables not due within one year. However, auditors also may have to review Board of Directors minutes and correspondents as well as question management to determine which parties are related to the auditee.

Confirmations

Overview of the Issues

We have mentioned confirmations in several places above. They are a very common auditor procedure for not only accounts receivable, but also accounts payable. They are not as frequently used for accounts payable because auditors are more concerned about the completeness objective for liabilities and confirmations are not very effective in testing completeness. In addition, auditing standards require that auditors use confirmations for accounts receivable but not for accounts payable. Confirmations tend to be expensive and time consuming. In addition, response rates can be low because the customer (or vendor for accounts payable) may not have a great incentive to take the time to reply to a confirmation request. Thus, there are three conditions where confirmations may not be appropriate:  The account is immaterial. For example, retailers usually sell on a cash basis and may not

have a significant accounts receivable balance.

 Based on past experience, the auditor believes that the response rates will be low. This is more problematic when the auditee sells to individual consumers and not to other businesses.

 The auditor has assessed the risk of material misstatement for the account (a combination of inherent and control risk) as low and there are cheaper procedures (s)he can use to meet their planned detection risk goals.

244

Types of Confirmations

There are two types of confirmations: positive and negative. Positive confirmations of accounts receivable ask the customer to confirm that their balance is either correct or incorrect to the auditor. One form of positive confirmations includes the balance shown on the auditee's books and asks the customer to confirm it. A blank confirmation will not tell the customer what the auditee shows for their balance and asks them to report that balance. Auditors also use positive confirmations to confirm invoices instead of balances. In some cases, it is easier for the customer to confirm an individual invoice than an entire account balance and so invoice confirmations tend to have higher response rates. However, they only confirm a specific transaction and so are an incomplete test of the balance. That is, they only test debits to accounts receivable. If the sales transaction is more complex and may involve special terms or side agreements, the auditor will include a request to confirm this information in the confirmation request as well. Thus, confirmation requests may include the details of the sales transactions involve and not just the balance or invoice amount. Negative confirmations present the customer with the amount shown on the auditee's books and only ask them to respond if the amount differs from what they have in their records. Negative confirmations are easy for the customer to respond to, but provide weaker evidence since the auditor cannot differentiate between a non-response and a positive confirmation of the balance. They also are cheaper for the auditor because the auditor doesn't have to follow-up on non- responses. Because positive confirmations ask the customer to respond whether they agree with the balance or not, auditors need to follow-up on non-responses to gain accurate information on the account balance. Auditing standards only allow auditors to rely solely on negative confirmations when:  The auditor has assessed that the risk of material misstatement is low and the controls over

the account balance and objective the auditor is testing with the confirmation are strong and working properly.

 The population the auditor is confirming consists of a large number of small, homogenous items or transactions.

 The auditor expects a low exception rate based on strong controls or prior experience, or both. Auditors also can create a low expected exception rate using analytical procedures. If the auditor's analytical procedures don't indicate unexpected fluctuations in the account balance, then the auditor has a basis to assume a low exception rate.

 The auditor believes that the customer will give the confirmation requests adequate consideration. This is a tough judgment call, but auditors can use prior experience with the auditee's customers or customers of similar auditees to make this call. For example, if the auditor has used positive confirmations in the past and experience high response rates, they might switch to negative confirmations to save time and money.

245

This list highlights the factors that auditors use to determine whether to use positive or negative confirmations in that if these conditions don't exist, they would tend to use positive confirmations. However, auditors also can use a combination of positive and negative confirmations. For example, they may use positive confirmations for large balances and negative confirmations for smaller ones within the same account. Auditors tend to use negative confirmations for receivables from the general public, but this strategy risks violating the last criterion above. The general public usually is less willing to take the time to carefully consider the request than a business would. Confirmations also tend to work better for assets than liabilities because the customer is usually more willing to report an overstated balance than an understated one and auditors tend to be more concerned with overstatement than understatement misstatements in assets. However, again, auditors need to keep in mind that they are responsible for auditing "both sides of the coin." Their audit opinion doesn't state that the financial statements are free of material overstatements; it states the financial statements are free of all material misstatements.

The Confirmation Process

Auditors need to maintain control of the confirmation requests from the beginning through the end of the process. They have to rely on the auditee to give them the addresses and balances of the customers, but they should take steps to verify the addresses. For example, they should consider doing some follow up work if the address is a PO Box because these are frequently used in fraud schemes involving fictitious customers. E-mail confirmations are more common now and if the customer is a business with a website, the auditor should perform follow-up procedures if the e-mail address is inconsistent with the website's URL. Finally, the auditor should provide the customer with a self-addressed return envelope to help insure that the response is sent directly to the auditor and not routed through the auditee. If the auditor uses positive confirmations, auditing standards require that they perform follow-up procedures for non-responses. The first step is usually a second or third request. However, if that doesn't work, the auditor may need to use alternative procedures. The major alterative procedures include:  Reviewing subsequent cash receipts. If the customer pays the bill after the auditor sent

out the confirmation request, then this provides evidence that the balance existed and was accurate at the point the auditor sent out the confirmation.

 Document reviews. The auditor can review invoices and shipping documents as well as cash receipts transactions to reconstruct the customer's account balance. Such a review may also help resolve normal timing differences that led to a difference in the confirmed balance and the book balance.

 Correspondence reviews. This is fairly rare, but auditors can review correspondence between the auditee and the customer. This review may turn up disputed or questionable receivables that might not show up with other tests.

246

The choice of which alternative procedures to use and how extensive to use them depends on the size of the customer account involved and the level of misstatement found in the confirmations that were received.

Detail Tests of Balances

The remainder of the chapter will cover how auditors execute detailed tests of balances. 88 The basic steps auditors go through are very similar to those discussed in the prior chapter. That is, they:  Determine the objectives and nature of the tests

 Define the population characteristics

 Determine sample size

 Select sampling items

 Perform the tests

 Calculate the results

 Draw conclusions

Like the prior chapter, this chapter will focus on statistical sampling. The modifications that auditors need to make when they use non-statistical sampling are the same for detail tests of balances as they were for tests of controls. Auditors also have a choice between two statistical approaches for detail tests of balances: monetary unit sampling89 (MUS) and classical variables sampling (CVS). The chapter will cover both alternatives. Classical variables sampling merely applies standard statistical sampling techniques normally taught in statistics classes to the audit test. MUS was developed by auditors to perform detailed tests of balances and substantive tests of transactions and, therefore, is unique to auditing.

Monetary Unit Sampling

Relationship to Attribute Sampling

Monetary unit sampling (MUS) is a modification of the attribute sampling method auditors use to test controls that is designed to test monetary (i.e., dollars in the US) amounts. Clearly, attribute sampling, which assumes the items in the population can be right or wrong, but not by how much, isn't appropriate for testing a balance where "how much" is critical. Thus, auditors had to modify things and make assumptions to make attribute sampling work for testing

88 The audit literature uses several terms that apply to testing account balances to include substantive tests, test of details, detail tests of balances, or direct tests of balances. We will detail tests of balances in this chapter. 89 Also referred to as dollar unit sampling.

247

balances. We’ll cover these details later in this chapter, but the bottom line is that the assumptions create some problems and complexities in assessing the results of an MUS and projecting those results to the population. CVS is designed for testing amounts and needs no modifications or assumptions to apply to testing balances. However, MUS also has some advantages over classical variable sampling for testing transactions and account balances or auditors wouldn't use it. Auditors modify attribute sampling by treating each dollar in the account balance as the sampling unit. That is, they use underlying statistic formula designed to test yes or no questions to test balances by treating a dollar as a sampling unit and ask whether that dollar is correct or not. This is the first major assumption. MUS assumes if the dollar is incorrect, it is incorrect by 100%, which clearly is not the case in practice. The most obvious problem is that auditors can't test whether an individual dollar is misstated or not; they can only test whether an individual item (e.g., customer's account receivable, item of inventory) is misstated and by how much. Thus, there are other assumptions that auditors must make to convert statistical tests designed for yes/no answers to generate estimates of the dollar amount an account is misstated in addition to assuming the dollar is 100% misstated if it is misstated at all. We’ll cover these assumptions as they arise in the sample process that is described next. One other challenge in teaching MUS is that there is no one generally accepted approach to making the adjustments necessary to apply attribute sampling techniques to dollar balances. The approach that we present in this chapter is based on the approach presented in A.A. Arens, R.J. Elder, and M.S. Beasley, Auditing and Assurance Services: An Integrated Approach.90 and in one of the original classics on the topic, D. A. Leslie, A. D. Teitlebaum, and R. J. Anderson, Dollar Unit Sampling: A Practical Guide for Auditors.91 However, we’ll also point out some alternatives where auditors use different approaches as well.

Key Parameters

Since MUS is based on attribute sampling, the key parameters are the same as the previous chapter presented. However, since the purpose of the test is different, auditors use different terms. Here is the mapping:

90 A.A. Arens, R.J. Elder, and M.S. Beasley (2008), Auditing and Assurance Services: An Integrated Approach, Pearson Prentice Hall. 91 D. A. Leslie, A. D. Teitlebaum, and R. J. Anderson (1979), Dollar Unit Sampling: A Practical Guide for Auditors, Toronto, Copp, Clark, and Pitman.

248

Mapping of Attribute Sampling Terms to MUS Attribute Parameter MUS Parameter Concept

Confidence level = 1 - sampling risk or risk of either over or under reliance

Confidence level = 1 - sampling risk or risk of either incorrect acceptance

The two concepts are identical. Both measure sampling risk, or its complement confidence, that the sample will or will not be representative of the population.

Tolerable deviation rate

Tolerable misstatement rate

The misstatement rate that the auditor can tolerate in the population and still conclude either the control is working or the balance is accurate. It is the same as performance materiality for an account/objective combination.

Expected deviation rate

Expected population misstatement

The level of deviation the auditor expects in the transactions process by the control or the level of misstatement in the account balance.

N/A Population size The total dollar value of the population. This is needed to convert misstatements that are measured in dollars to percentages. However, as with control testing, the population size has no effect on the sample size in MUS. By "no effect" we mean that it isn't included in the formula for sample size calculation in either attribute sampling or MUS. It is included in the sample size formula for CVS.

E Maximum deviation rate

Upper misstatement bound and lower misstatement bound

The maximum deviation rate and the upper misstatement bound are conceptually identical. They are the maximum misstatement the auditor can expect in the population given their tolerable misstatement rate and confidence level, where misstatement is a deviation for testing controls and a misstatement for testing balances. Auditors also calculate a lower misstatement bound for MUS samples, which will be explained below. Finally, auditors use the term "bound" and not limit because calculation of the bounds requires assumptions.

249

Steps in the Testing Process

The steps auditors follow to execute an MUS are the same as they use for attribute sampling. We’ll illustrate how these steps apply to substantive testing using the following example.92 We can audit the accounts receivable balance of a firm by sending confirmations to the customers. This test can detect accuracy and existence violations, but not completeness. A test for completeness would focus on determining whether the firm had recorded all valid accounts receivable balances. Since we must draw our sample from the firm's accounts receivable listing, the test cannot determine if that list is missing an account. If the auditor were concerned about completeness misstatements in the accounts receivable balance, (s)he would need to draw the sample from sales data or from accounts receivable balances with zero or negative balances. We will expand on this last point below when we discuss how to draw an MUS sample, which will MUS show why zero and negative balances cannot be sampled with MUS. However, since auditors usually are concerned with overstatement errors for assets and not understatement errors, the fact that confirmations can't test completeness isn't a major weakness in the test. Completeness violations for assets lead to understatements. This test may also provide some evidence for realizable value. We have established the following statistics about the firm's accounts receivable balance.  The book or reported value of their accounts receivable is $2,500,000

 We have established a tolerable misstatement for this account of $125,000

 We desire a 95% confidence level

 We expect a misstatement of $25,000

Determine the Test Objectives

The primary goal of MUS is to determine if an account balance is misstated and, if so, by how much. However, since the test cannot test for completeness misstatements, the objective of the test is to determine whether the accounts receivable balance is misstated due to existence and accuracy misstatements.

Determine the Population Characteristics

Define the Population

Auditors need to ensure that the population fits the goals of their tests. Tests can have more general goals (e.g., in the example, we tested for the amount of misstatement due to existence and accuracy misstatements). However, auditors also can focus tests on different assertions. For example, if the auditor were testing to make sure that all the goods that the example firm shipped were billed to a customer (completeness assertion), then the population for his/her sample would

92 This example was adapted from W. F. Messier, Jr., S. M. Glover, and D. F. Prawitt (2008), Auditing & Assurance Services: A Systematic Approach, McGraw-Hill Irwin.

250

be the shipping documents and not the accounts receivable balances. In our example, we want to test the balance itself and we are going to confirm those balances with the customer. For an MUS sample, the population is all the individual dollars in the accounts receivable balance. This is a critical point. The population is not all the customer accounts in the balance, but all the dollars in the balance because, with MUS, the sampling unit is an individual dollar. However, we cover this issue in more detail below. Part of the definition of the population also must include a frame or mechanism for identifying all the dollars in the balance. Since all the dollars in the accounts receivable balance must belong to some customer, the frame will be a list of each individual customer's account balance. Since the conclusions we can draw from any sample based on this frame only can be extended to the frame, we need to make sure that the frame captures all the items in the target population, which is the accounts receivable balance. In this example, we can verify that the frame and the population match merely by totaling the individual customer accounts in the customer listing and comparing it to the accounts receivable general ledger balance. If the two numbers are the same, we know that the frame includes all the items in the balance.

Define the Sampling Unit

Defining the sampling unit in MUS is complex and can be confusing. The sampling unit is a dollar. However, all dollars in the sample belong to an item in the account balance and auditors review the items, not the individual dollars. For example, the running example involves auditing an accounts receivable balance, which is the total of individual account balances. With MUS, the auditor selects individual dollars to sample, but then determines which account those individual dollars belong to and then audits that account balance. This process can be hard to "get your brain around," but we shall defer providing a concrete example until we discuss "selecting sample items" below. The key point is that MUS has two types of sampling units. The sampling unit is a single dollar that auditors use to select a customer balance to test. However, the customer balance is the logical unit because it is what the auditor tests. It is physically impossible to test a single dollar because it is impossible to isolate a single dollar in a customer's account balance.

Define a Misstatement

For an MUS sample, a misstatement is a difference between the recorded or book amount for an individual item in the account balance and the amount the auditor, based on their audit evidence, believes that amount should be. Again, note the auditor is auditing an individual item from the account balance and not an individual dollar. An MUS sample just uses individual dollars to as a tool to select the individual customer account to audit. Auditors need to be careful about their definitions of misstatement because differences can arise from circumstances that do not constitute a misstatement. For example, we illustrate MUS in this chapter with an example that involves confirming accounts receivable with customers. The customer's response would be the auditor's best evidence of the correct balance amount. However, the customer's response could be different from the book amount because of normal timing differences. Thus, auditors need to review carefully their audit evidence to determine if

251

any differences are truly misstatements. If there is a difference between an expectation and an observation, the auditor must determine whether the expectation or the observation are wrong.

Calculate the Sample Size

Auditors calculate sample sizes for MUS in the same manner that they do for attribute sampling, with one exception. For MUS, they also need to calculate or estimate the population size to determine misstatement rates. That is, auditors tend to set expected and tolerable misstatement in terms of dollars, but the formulas need percentages and the auditor uses the population size to convert dollars to percentages. Thus, auditors use the population size only to convert dollars to percentages or rates and it has no direct effect on the sample size. Thus, auditors set or estimate the same three parameters needed by attribute sampling and look up the sample size in a table.93 Next, we walk through the process of calculating a sample size for the example data listed above by discussing each of the three parameters you need to estimate as well as population amount. Since MUS is merely a modification of attributes sampling, calculating the sample size for an MUS sample is identical to calculating the sample size for an attribute sample. However, auditors use different terms for the three parameters used to calculate sample size. You should refer to the "Mapping of Attribute Sampling Terms to MUS" table above to determine which MUS parameter used to calculate sample size is equivalent to which attribute sampling term used in the "Statistical Sample Sizes for Attribute Sampling" table used below to calculate an MUS sample size.

Acceptable Risk of Incorrect Acceptance

In MUS, the term "Acceptable Risk of Incorrect Acceptance" really refers to sampling risk.94 Thus, acceptable risk of incorrect acceptance is the complement of the confidence level. As auditors increase their desired confidence level, the sample size increases. The intuition is that if they want to be more confident that their sample is representative of the population, they need to do more work. In addition, the acceptable risk of incorrect acceptance is one factor that affects detection risk for the accounting and assertion the auditor is testing. That is, detection risk is the risk that the auditor's tests will not detect a material misstatement in the balance. Sampling risk is one reason that the test might not detect a material misstatement in the balance. However, detect risk is also affected by non-sampling risks as well.

93 Actually, the tables are calculated with formulas and so auditors can use formulas to calculate sample sizes. In addition, most audit firms now have audit software they use for sampling and that software calculates their sample sizes for them. 94 This term can be a bit deceptive because it implies the risk the auditor is willing to accept that their conclusion about the account will be wrong when the parameter itself only addresses sampling risk and not non-sampling risk, which can also cause the auditor to incorrectly accept the balance.

252

Tolerable Misstatement

Tolerable misstatement is the maximum misstatement the account balance can contain and the auditor will still be willing to certify it as accurate. One part of the audit planning process is to set a planning materiality level for the audit. Auditors then need to allocate the planning materiality level to each account balance. This allocation step is usually done judgmentally or with rules of thumb. There is no established algorithm of systematically applying planning materiality to an account balance. However, conceptually, tolerable misstatement is the materiality level for that account or assertion within an account.

Expected Misstatement Rate

This is the rate of misstatement, stated as a percentage of the population amount, that the auditor expects in the account balance. Auditors set expected misstatement using the same sorts of tools they use to set expected deviation rates for attribute sampling because these two concepts are virtually identical. The key observation here is that the expected misstatement rate must be below the tolerable misstatement rate or auditors cannot test the balance. One reason is that auditors need to allow for sampling risk. For example, if the auditor expects the account balance to be off by 10%, then, assuming their sampling was representative of the population, they should end up with 10% misstatement in their sample. However, when they project the sample results to the population, they need to add sampling risk, which would drive their maximum calculated misstatement rate for the population above their tolerable misstatement rate. Finally, the higher the expected misstatement rate, the larger the sample size. Actually, this is a slight oversimplification. The more their tolerable misstatement rate exceeds their expected misstatement rate; the lower will be the sample size. The intuition here is that auditors need to allow some room between their tolerable misstatement rate and expected misstatement rate to allow for sampling risk. Thus, the greater this difference, the more sampling risk they can tolerable and the lower their sample size.

Population Size

Intuitively, you would expect population size to be directly related to the sample size in that the larger the population, the larger the sample needs to be to ensure that it is representative of the population. This is true to a point. Note that MUS and attribute sampling are based on the same statistical theory and mathematics. However, in the attribute sampling chapter we did not include population in the discussion of sample size calculations. In addition, many approaches to MUS also exclude population from the sample size calculation. The reason for the seeming inconsistency is that, when the population becomes large, differences in population size no longer matter for sample size calculations. The intuition is that the population has some misstatement rate in it. That misstatement rate is an average of all the items in the population. If you add more items to the population that were generated by the same information system and control structure, the likelihood is that these new items would also have the same misstatement rate. Thus, the increasing size of the population

253

doesn't have a significant effect on the population's misstatement rate. Using the same logic, you can see why increasing the sample size beyond a certain point will no longer reduce sampling risk by much. In general, regardless of the population size, samples sizes above about 200 no longer reduce sampling risk by a significant amount over a sample of around 200. The sample size for the example presented above is 93. We used the same Table used in Chapter 8 (page 229) to calculate the sample size because the confidence level in the example also is 95%. We have duplicated the table below. However, we need to make some calculations to fit the example into the table's requirements. First, we need to state the tolerable misstatement as a percentage of the account balance. Thus, the tolerable misstatement rate (which is the same as the tolerable deviation rate in the table) is $125,000 / $2,500,000 or 5%. We need to do the same thing for the expected misstatement rate (which is the same as the expected population deviation rate in the table). The expected misstatement rate is $25,000 / $2,500,000 or 1%. Then all we had to do was look up the sample size, which is 93.

Statistical Sample Sizes for Attribute Sampling - 95% Confidence Level

Select Sample Items

Now life gets interesting. Since the sampling unit for MUS is an individual dollar, we need to find a way to select 93 individual dollars from a balance of $2,500,000. However, we won't be auditing an individual dollar (the sampling unit), so we need to associate the individual dollars we select with a specific customer’s accounts receivable balance. Auditors refer to the customer account they actually will audit as the logical unit. Thus, in the example, an individual dollar in the accounts receivable balance (the population) is the sampling unit, but an individual customer account balance is the logical unit. We will use the sampling unit to select logical units, but will audit the logical units.

254

Mechanically, we need to create a list of all the individual dollars in the account balance that keeps the link between an individual dollar and a customer's account balance. We do this by listing all the customer's account balances, in any order, and running a cumulative total within the listing. The following figure presents this listing for the accounts in the example company.

95 Now we need a mechanism to select a sample of 93 dollars from the 2,500,000 dollars in the balance. Auditors can use either pure random sampling or systematic sampling here. That is, they can draw a random sample using random numbers between 1 and 2,500,000 to select the 93 dollars or they can use systematic sampling. We covered systematic sampling in Chapter 8. Recall that is there is no underlying pattern to the data, systematic sampling so closely approximates random sampling that auditors can evaluate the results of a systematic sample as if it were pure random. Since auditors tend to use systematic sampling in MUS, that is what we’ll illustrate in here. In reality, most audit firms use computer programs to select samples and so you may not know which approach is being use. Recall from the previous chapter that auditors take a systematic sample by finding a random starting point and then sampling every nth item from that starting point on. They calculate the number to use for n by dividing the population by the sample size. The approach is the same for MUS and the term for "nth" is the sampling interval. In the example, the sampling interval is $26,882 ($2,500,000 / 93, rounded up to the even dollar). Now we are ready to draw the sample. We can use a random number generator or random number table to find a random number between 1 and 26,882 for the starting point. That is, we need a random number within the first sampling interval. Then we sample every 26,882th dollar from then on. In this case, the random number table yielded 3,997 as a starting point and the sampling procedure selected the accounts that are bolded in the figure above. Thus, Admington

95 All three of the figures in this chapter were taken from W. F. Messier, Jr., S. M. Glover, and D. F. Prawitt (2008), Auditing & Assurance Services: A Systematic Approach, McGraw-Hill Irwin.

255

Hospital was the first item selected because its account balance contained the 3,977th dollar in the accounts receivable balance. To select the next item, we add the sampling interval (26,882) to the starting number (3,977) and get 30,859. Since Good Hospital Corporation's balance contained the 30,859th dollar, we select it as our second sample item. Then, we just keep adding the sampling interval to the prior number and select 93 items for our sample. Using dollars at the sampling unit and items in the account balance as the logical unit results in a sampling approach where the probability of an item being selected is proportionate to the size of the item (probability proportionate to size (PPS)) . Since the sampling unit is a dollar and since larger balances have more dollars, larger balances are more likely to be included in the sample. Auditors like this feature because it weights their sample toward larger items that will increase the power of their tests because larger items have a greater effect on the account balance. However, it is more useful in testing assets where overstatement errors are a larger concern because larger items are more likely to be overstated. It is less useful for testing liabilities where auditors are more concerned with understatement errors because smaller balances are more likely to be understated. This PPS feature is a function of MUS sampling and not the systematic method we are illustrating for sample selection. Using pure random sampling also would be PPS for an MUS sample. Systematic sampling has some features that we want to cover as well. Any item in the population that has an amount that is greater than the sampling interval will always be included in the sample. In addition, items with balances larger than the sampling interval may also be included twice in the sample. While it doesn't come up in this example, if a firm's balance is large enough to include two sampling units, the results of the test of that balance would be included twice when the auditor reviews the sample results. Thus, the number of logical units (accounts audited) can be less than the sample size. Another feature of MUS sampling is that accounts with zero balances cannot be selected using MUS sampling techniques because they cannot contain any sampling units. In addition, any customers with negative balances would be excluded from the sample. Customers with negative balances include customers with credit balances in accounts receivable. The reason for this is not quite as obvious. Consider what effect a negative balance would have on the cumulative total the auditors were using to select their MUS. It would lower the cumulative balance to a level that was less than the cumulative balance at the end of the logical unit that preceded the credit balance and, in effect, create a sort of loop in the sample selection procedure. Here is a summary of the key features of MUS sampling:  The likelihood of an individual item being selected in an MUS sample is proportionate to

the size of the balance

 Items whose amount is greater than the sampling internal always will be selected in the sample.

 Items whose amount is greater than the sampling internal may be included more than once.

 Zero and negative balances cannot be included in an MUS sample.

256

Perform the Tests

This step is straightforward. The auditors merely execute their planned test, which is confirming the accounts receivable balance with the customer in this case.

Calculate Results

Calculating the sample results is quite complex96. The first step, which is calculating the misstatement rate in the sample, is simple. However, the auditor needs to project the sample results to the population and calculate the upper and lower misstatement bounds to conclude on the account balance. The upper misstatement bound is the likely maximum overstatement error in the population given the sample size and sampling results. The lower misstatement bound is the likely maximum understatement error in the population given the sample size and sampling results. We say "likely" here because of the confidence level or inverse of sampling risk. That is, we can only say that the calculated upper and lower misstatement bounds are the maximum over and under misstatement with the confidence level we used to calculate the sample size and not with 100% certainty. Assuming the sample finds overstatement errors, the upper misstatement bound is the overstatement level of the sample plus an amount that captures the sampling risk. Note that the auditor is not trying to estimate the misstatement rate in the population, but the maximum level of misstatement in the population based on the sample results and sampling error. There always will be uncertainty in any general ledger account balance that the auditor projects from the sample results and (s)he wants to ensure that the misstatement in the population balance does not exceed the tolerable misstatement. (S)he is not trying to estimate what the balance should be, just determine that it isn't too far off from the balance reported in the auditee's books. Assuming the sample finds understatement errors, the lower misstatement bound is the understatement level of the sample plus the same amount that captures sampling risk. However, to calculate the final upper and lower misstatement bounds, the auditor will need to offset understatement errors against overstatement errors and vice versa, which we’ll illustrate below.

Calculate Basic Precision

Auditors calculate the misstatement bounds by adding a sampling risk factor to the misstatement rate detected in the sample. They call this sampling risk factor the basic precision because it is the result of the basic assumptions they used to calculate the sample size. The basic precision is the misstatement bound, upper or lower, that would result from a sample that found no misstatements and represents the effect of sampling risk. For this example, we will use the 95% confidence table from Chapter 8 that calculates the upper deviation rate. Note that the upper deviation rate and the misstatement rate are the same thing. Auditors just use the term "deviations" when testing controls and "misstatement" when testing balances. Both represent the maximum misstatement rate in the population given the sample results and the sampling risk.

96 Not only is it complex, but there isn't one standard approach. We have selected a commonly used calculation method that makes the most sense to me, but it isn't the only one in use.

257

Upper Deviation Rates for Attribute Samples - 95% Confidence Level97

Keep in mind that the entries in this table are the estimated number of deviations in the population. Since the table has no entry for a sample size of 93, we rounded the sample size down to 90 to be conservative and calculated the basic precision. This approach yields a basic precision for the sample of 3.3%, which calculates the sample risk for a sample of 90 items given a confidence level of 95%. A confidence level of 95% is identical to a tolerable misstatement rate of 5% (e.g., 1 - 5% = 95%). In reality, most firms do not use tables, but use software to evaluate the results of a sample and so you would not need to do any rounding.

Calculate the Effect of Misstatements in the Sample

The following table contains the results from the sample of the example company's customer accounts receivable balances. Assume that auditors have performed follow-up procedures to verify the amount of the differences shown and the differences appear to be real and not the result of timing differences.

Example Sample Results Customer Book Value Audited

Value Difference Sample Unit

Misstatement Rate

(Difference / Book Value)

Good Hospital $21,893 $18,609 $3,284 0.15 Marva Medical Supply 6,705 4,023 2,682 0.40 Learn Heart Centers 15,000 0 15,000 1.00 Axa Corp. 32,549 30,049 2,500 0.08 Wayne County Medical 2,000 2,200 -200 -0.10

97 Recall that this table was developed for attribute sampling where the sampling unit is either right or wrong and not for MUS. For MUS, "deviations" are "misstatements."

258

Our goal at this point is to calculate a sample misstatement rate to which we will add the 3.3% basic precision, which will yield the upper misstatement bound. We also need to calculate the lower misstatement bound as well. This example had an understatement error, but even in samples without understatement errors, you still need to calculate a lower misstatement bound to allow for sampling risk on both sides of your sample results. Finally, we’ll need to adjust the upper misstatement bound for understatement errors and adjust the lower misstatement bound for overstatement errors. MUS requires that we calculate the initial upper and lower bounds separately and not combine over and understatements into one calculation. Recall that the upper bound is based on overstatements and the lower bound is based on understatements. Once we have calculated these two bounds, we will combine the results by using the overstatement results to adjust the lower bound and the understatement results to adjust the upper bound. That is, we will offset overstatements and understatements.

Compute the Upper Misstatement Bound

To compute the upper misstatement bound, we need to project the misstatements from the sample to the population and we need to add sampling risk using the basic precision percentage calculated above. The following table presents the calculations for our sample, which we’ll explain in detail right after the table.

259

Calculation of Initial Upper and Lower Misstatement Bounds

The first step is to calculate the basic precision, which represents the sampling risk. That is, we need to calculate the upper misstatement bound given that we found no misstatements in the sample. Let’s look up this percentage in the "Upper Deviation Rates" table above. We have highlighted the 3.3% (0.033) rate in the "0 Deviation" column and "90 sample size" row. The "basic precision" misstatement rate means that, due to sampling error, you can only be 95% sure (the confidence level for the table) that the population contains no more than 3.3% misstatements, either over or under, even if you found no misstatements in your sample. However, to complete the basic precision calculation, we need to make an assumption about how badly misstated a misstatement is. That is, the 3.3% upper misstatement rate is saying that up to 3.3% of the customer account balances can be misstated in the population even in our sample of 90 found no misstatements but it doesn't say by how much each account can be misstated. This modification that MUS makes requires an assumption. The tables we are using are based on

Misstatements Upper Precision Bound Portion

Recorded Population

Value

Sample Unit Error Rate

Misstatement Bound Portion

1 2 3 4 (2 * 3 * 4)

Basic Precision 0.033 $2,500,000 1.00 $82,500 0.019

(0.052 - 0.033)

0.017 (0.069 - 0.052)

0.015 (0.084 - 0.069)

0.015 (0.099 - 0.084)

Initial Upper Misstatement Bound

$155,625

Basic Precision 0.033 $2,500,000 1.00 $82,500 0.019

(0.052 - 0.033)

Initial Lower Misstatement Bound

$87,250

Understatements

Wayne County Medical $2,500,000 0.10 4,750

Good Hospital

$2,500,000 0.08 3,000

5,625

Axa Corp.

Marva Medical $2,500,000

Overstatements

Learn Heart Centers $2,500,000 1.00 47,500

$2,500,000 0.15

0.40 17,000

260

yes/no errors and not the size of the error. Thus, the basic precision is stated in terms of the proportion of account balances that are misstated, but not by how much. The example assumes a 100% misstatement rate for basic precision. For items in this sample, we know what the misstatement rate was. However, basic precision is about misstatement rates that would occur in account balances not in the sample and is measuring sampling risk. Thus, we need to make an assumption about the rate of misstatement in items in the population that may be misstated but were not in the sample. 100% is the most common assumption used by auditors. It is conservative because most account balances that are misstated are probably misstated by less than 100% of their balance. However, auditors who use lower misstatement rate assumptions for basic precision have to justify these lower levels and that is hard to do. One alternative to making such a general assumption would be to use the average misstatement rate in the sample. That is, the assumption auditors are making is how much an account is misstated given it is misstated. They could average the misstatement rates for their sample and use that average in their basic precision calculations, which would give their assumption some empirical basis. It still is an assumption since the auditor would be assuming that the misstatement rates in the misstated items in the sample were the same as the misstatement rates for any misstated customer accounts in the population. However, the assumption would at least be based on observed data and not just a general assumption as the 100% assumption is. In this example if we average the misstatement rates, both over and understatement, from the sample, we would get 30% [(1.00 + 0.40 + 0.15 + 0.10 + 0.08) / 5 =0.346]. However, the auditor also could calculate the average misstatement rates for over and understatements separately if (s)he believed that the misstatement rates for these two types of misstatements differed. In addition, if the auditor wanted to weight the misstatement rates by the dollar amount of the misstatements, that approach also is acceptable. Weighting the misstatements assumes that misstatement rates in the population are proportional to the dollar amount of the balance. That is, misstatement is large accounts aren't just larger; they are larger as a percentage of the account balance. While using the misstatement rates from the sample appears to have some logical appeal, we can't find examples in the audit literature where it was used in practice. Thus, for this example, we will use the most common assumption of 100%. The second step is to rank order the misstatements that are found from largest misstatement rate to smallest. The "Example Sample Results" table calculates the misstatement rate from each logical unit in the sample for which we find a misstatement. We’ll enter the misstatement rates for each item in this table into the "Calculation of Initial Upper and Lower Misstatement Bounds" table from top to bottom in with the highest misstatement rate first. Since Learn Heart Centers had the highest misstatement rate of 100%, it is listed first. We’ll also list the overstatement misstatements separately from the understatement misstatements. Note that if a customer account balances was large enough to be included twice in the sample and contained a misstatement, its results would be listed twice in this table.

261

The next step is to assign each misstatement with an "Upper Precision Limit Portion." This is the increase to our upper and lower precision limits that we need to add because we found a misstatement in the sample. To calculate this amount, we need to go to the "Upper Deviation Rate" table above to calculate the incremental percentage points we need to add based on finding one more misstatements in the sample. This is the calculation shown in Column 2 of the "Calculation of Initial Upper and Lower Misstatement Bounds" above. Since Learn Heart Centers is the first misstatement in the table, we subtracted the basic precision from the misstatement rate we would expect given one misstatement in the sample, which is 4.7%. This yields an increment of 1.7 percentage points98. Since the amount of the increment declines as the number of misstatements increases, this approach also is conservative. Since Learn Heart Centers misstatement rate was the highest, it is assigned the first upper precision limit increment of 1.9 percentage points. The next highest misstatement rate was found in the Marva Medical account and its increment is only 1.7 percentage points. The increment continues to decline for each additional misstatement. The last three are the same due to rounding. Thus, larger misstatement rates are assigned larger upper precision limit portions or increments, which is a conservative assumption. Next, we need to project the misstatement rate from the sample item to the population. This is done by multiplying the incremental contribution to sampling risk (i.e., Upper Precision Limit Portion in Column 2) times the population amount (i.e., the general ledger account balance) in Column 3 times the misstatement rate in the sampled item (Column 4). We proceed with the same process for each misstated logical unit in the sample. Once we have completed that process, we sum all the contributions to the misstatement bound to get an initial misstatement bound. The same calculations are performed for all over- and understatement errors separately. For the example, the Initial Upper Misstatement Bound is $155,625 and the Initial Lower Misstatement Bound is $87,250. What the Upper Misstatement Bound means is that if we only consider the overstatement errors in the sample, we can be 95% confident that the auditee's accounts receivable balance will overstated by no more than $155,625. The Lower Misstatement Bound means that if we only consider the understatement errors in the sample, we can be 95% confident that the auditee's accounts receivable balance will be understated by no more than $87,250. Finally, we need to combine the over and understatement errors into one set of upper and lower misstatement bounds. These misstatements came from the same general ledger account and we need to conclude on the account balance. The following table presents these calculations for the sample.

98 Students frequently get "percentage" and "percentage points" confused. The correct concept here is "percentage points."

262

Adjusted Misstatement Bounds Calculations

The first step in combining the over and understatement errors is to calculate a point estimate of how the misstatements would affect the population balance. The point estimate is a different concept than the contribution of each item to the misstatement bounds (i.e., misstatement bound portion) because the misstatement bounds consider sampling error and the point estimate does not. In addition, auditors calculate the point estimate for the entire sample, not each logical unit in the sample. That is, the point estimate is an estimate of how the population balance would change assuming all items in the population were in error at the average misstatement rate of all the items in the sample. Auditors calculate the point estimate for the over and understatement errors separately and then adjust the opposite bound by that point estimate. That is, they would calculate a point estimate for overstatement error and use that point estimate to adjust the lower misstatement bound. They also would calculate a point estimate for the understatement errors and use that point estimate to adjust the upper misstatement bound. In the above example, we only find one understatement error so we use the misstatement rate for that item to calculate an average understatement error rate for the sample. Since we only had one understatement error of 10% in a sample of 90 items, the average understatement error rate for the sample is 0.11111% (10% / 90 = 0.11%). We estimate the population understatement error

Misstatements Sample Unit Error

Rate

Sample Size

Recorded Population

Value

Point Estimate

Adjustments to Bounds

5 (2 / 3 * 4)

Initial Upper Misstatement Bound

$ 155,625

Wayne County Medical 0.10 90 $2,500,000 $ 2,778 (2,778)

Adjusted Upper Misstatement Bound

$ 152,847

Initial Lower Misstatement Bound

$ 87,250

Learn Heart Centers 1.00 Marva Medical 0.40 Good Hospital 0.15 Axa Corp. 0.08

Total Error Rates 1.63 90 $2,500,000 $ 45,278 (45,278)

Adjusted Lower Misstatement Bound

$ 41,972

Adjustments to Upper Misstatement Bound

Adjustments to Lower Misstatement Bound

1 2 3 4 6

263

rate by multiplying the average sample error rate times the population balance (0.11111% * $2,500,000 = $2,778). Note that this calculation assumes that all items in the population are understated by the same percentage as the average understatement percentage in the sample and there is no consideration for sampling error. To make the final adjustment to the upper misstatement bound we lower it by the point estimate for understatement errors. This is a very complex calculation, but the intuition is that the upper misstatement bound was calculated only using the overstatement errors (i.e., the auditee's book value was higher than the confirmed value for an account) in the sample and the sample also found understatement errors (i.e., the auditee's recorded book value was lower than the confirmed value for the account). Thus, we need to lower the upper misstatement bound to account for the understatement errors before we use that bound to determine if the account balances are misstated. Thus, the adjusted upper misstatement bound for the sample is $152,847. Since the sample produced four overstatement errors and we need to calculate an average overstatement error rate for the sample, we need to total the misstatement rates for the overstatement errors and divide by the sample size to get an average misstatement rate for the sample. In the above example, the total misstatement rate for the overstatement errors was 163% (or 1.63). Dividing this total by the 90 items in the sample yields an average misstatement rate for the 90 items of 1.63% or 0.018. Multiplying this average misstatement rate times the population yields an adjustment to the lower misstatement bound of $45,278 (1.8% * $2,500,000 = $45,278). Finally, we’ll lower the lower misstatement bound by the adjustment to get an adjusted lower misstatement bound of $41,972. Again, the intuition that calculated the initial lower misstatement bounds using only the understatement errors from the sample and the sample also found overstatement errors. Thus, we need to reduce the lower statement bound to consider those overstatement errors.

Draw Conclusions

Execute the Decision Rule

The decision rule auditors use to conclude on the account balances includes both upper and lower misstatement bounds. The rule is "If both the lower misstatement bound and upper misstatement bound fall between the under misstatement and over misstatement tolerable misstatement amounts, accept the account balance." Thus, based on the sample results, we can conclude with 95% confidence (i.e., with a sampling risk of 5%) that the accounts receivable balance is overstated by no more than $152,847 and understated by no more than $41,972. Stated another way, we can conclude with 95% confidence that the actual account balance lies between $2,347,153 (the $2,500,000 recorded or book value less the adjusted upper misstatement bound or $2,500,000 - $152,847) and $2,541,972 (the $2,500,000 recorded or book value plus the adjusted lower misstatement bound or $2,500,000 + $41,972). Thus, for the example, we must reject the balance since the upper misstatement bound is larger than the tolerable misstatement amount set for the example (i.e., $125,000). However, the MUS process contains several simplifying assumptions and so auditors rarely just rigidly execute the decision rule and move on. Rejecting an account balance creates problems for

264

both the auditor and the auditee and so auditors usually want to do additional work before rejecting a balance. The next section discusses the simplifying assumptions that MUS uses to help you appreciate why the results should be reviewed before the auditor concludes on the account. The section after that discusses the options available to the auditor if their sample results indicate that the account balance should be rejected.

Summary of MUS Assumptions

The above discussion of MUS has only made limited references to the assumptions auditors use in executing an MUS sample and interpreting the results as well as other biases and problems that arise from using MUS. MUS is a modification of attribution sampling and all those modifications involve some assumptions about the sample misstatements and the population being sampled. The mathematics behind attribute sampling, and the tables used in the above MUS example, assumes that the sampled item can be either right or wrong and do not consider how right or how wrong. This assumption fits the types of errors that occur when auditors audit controls because either the control eliminated an error or it didn't. However, the misstatements that auditors detect when testing account balances vary in size. Thus, the math for attribute sampling doesn't fit the population auditors sample when testing account balances. MUS has made a series of assumptions to compensate for this mismatch between the math used to calculate sample sizes and interpret results for attribute samples and MUS samples. The main assumption and issues are:  MUS is biased towards overstatement errors and against understatement errors. The reason

is the probability proportion to size feature of MUS sampling. Since an overstatement raises the book balance of an account and an understatement lowers the balance, overstated balances are more likely to be sampled than understatement errors. Thus, MUS is rarely applied to general ledger accounts where auditors are more concerned about understatement (e.g., liabilities) than overstatements (e.g., assets).

 MUS requires that auditors make an assumption about the misstatement rate for misstated items in a balance when calculation basic precision because the statistical techniques used by MUS are built on yes/no errors and not the amount of a misstatement. The results of an MUS can vary depending on what assumptions the auditor makes.

 Because of the way auditors select sampling units with MUS, accounts with zero and negative balances are never selected and must be audited separately.

 Auditors must rank order the misstatements they find in an MUS. This rank ordering means that the item with the largest misstatement rate in the sample creates the highest incremental increase in the upper or lower precision bound. This also is a conservative assumption that increases the size of the misstatement bounds.

Classical Variables Sampling

MUS is the most common variables sampling approach used by auditors, but they also can use classical variables sampling (CVS). The differences between the two focus on how the sample size is calculated and how the sample results are interpreted. These differences arise because the underlying distributions used are different. As noted above, MUS is based on the same binomial

265

distribution as attribute sampling. CVS is based on a normal distribution designed for continuously varying numbers.99 Thus, CVS is based on a mathematical distribution that actually matches the underlying data and MUS is not. After discussing classical variables sampling, We will review the main differences between the two and conditions where one is preferable to the other. The goal of classical variable sampling is a little different from MUS. The goal of MUS is to estimate the misstatement rate in the population. Generally, the goal of CVS is to estimate the account balance and then compare the estimated account balance to recorded balance to determine if the account balance is materially misstated. However, CVS also can be used to estimate the misstatement rate as well. Note MUS ends up in the same place, but has to go through some calculations that involve several assumptions to get there. CVS is designed to more directly estimate misstatement ranges and account balance ranges. There are three main applications of CVS based on what the sample is designed to estimate. One is termed mean-per-unit estimation (MPUE). MPUE estimates the total amount of the general ledger account balance by determining an average amount for each item based on a sample and multiplying that average times the number of items in the population. It addresses sampling risk by placing confidence intervals around that estimate. The width of these intervals varies with the auditors chosen confidence level. That is, the more confident the auditor wants to be, the smaller the intervals around the projected general ledger balance. Of course, to achieve smaller intervals, they auditor must increase their sample size. Since sample risk is 1 - confidence level, if the auditor wants to be more confident in the projected population balance, they must reduce sampling risk by increases sample size. CVS also can be used to estimate the misstatements in the population based on the misstatements in the sample. This approach is called mean misstatements. It is more similar to MUS in that the attribute of the population that is being estimated is the misstatements not the balance. CVS also can be used to estimate the ratio of the audited to book balances of items in the account. That is, the auditor would calculate the ratio of the audited balance to the book balance for items in the sample and then apply this ratio to the population book balance to calculate a projected account balance. In all three cases, the auditor ends up in the same place as they do with MUS, but the come at it from different directions. Since ratios and misstatements tend to vary over a smaller range than the item balances, the sample sizes for the ratio and misstatement approaches tend to be a little lower because their standard deviations tend to be a little lower. However, the MPUE approach directly estimates the item amounts and, therefore, can be done in (admittedly extreme) cases where there aren't reliable book balances for each item in the sample. Finally, both difference and ratio approaches need enough differences and ratios on which to base their estimate. The

99 Hopefully you recognize the normal distribution or "bell curve" from your basic statistics class.

266

AICPA Audit Sampling Guide100 recommends against using ratio or difference approaches if you have fewer than 20 differences in your sample. One issue for CVS is what items to include in the population to be sampled. This issue arises if the auditee's balances are made up of items that vary dramatically in size. For example, if the auditee's balances contain a few, large balances that exceed the auditor's tolerable misstatement, these balances are called individually significant because if one of them is misstated by 100%, then the auditor would have to reject the entire population. Intuitively, auditors probably would want to insure these large balances were included in their samples, which the use of MUS would help guarantee. In addition, the sample size in CVS is partially driven by the variability of the items in the population. Auditors can reduce variability, and thus lower the sample size, by stratifying the population in the subgroups, or strata, of like sized balances. That is, they would run separate tests on each stratum and then combine the results. Since stratification would reduce the variability within the population used for the different tests within each stratum, it would reduce the sample size within each stratum and, consequently, the overall sample size while still providing the same sampling risk. In CVS sampling, the logical unit is the same as the sampling unit - an individual item in the population. Samples are selected by taking a random sample of the items. Thus, every item, regardless of its size, has an equal chance of being in the sample. Since larger balances have a greater chance of creating material misstatements in the population, auditors tend to want to sample larger items with a greater frequency than smaller balances. Stratifying a CVS sample helps accomplish this. However, stratification creates problems as well. It involves running samples on separate sub populations and then combining the results for the overall population. The results of the subsamples cannot just be added together and their combination creates distortions in the projection of the subsamples to the overall population and requires some assumptions. Stratification also assumes that likelihood of misstatements in large items is the same as for small items. If the large items are, for example, for large customers that have sound accounting practices and tight internal controls, the smaller items may have greater misstatement rates. Thus, the overall general ledger account balance may be materially misstated not because of a few misstatements in large customer balances, but an accumulation of many smaller misstatements in smaller customer balances because the larger customers caught errors in their accounts while smaller customers did not. The point is that auditors commonly use stratification when they use CVS because they are targeting larger items. However, its use does require additional assumptions that CVS does not and, consequently, is not without risks.

100 AICPA. (2014). Auditing Sampling - Audit Guide.

267

Calculating MPUE Sample Size

The formula for calculating the sample size for a MPUE sample is:

There are three different parameters not included in the MUS sample size calculation that we need to cover.  Confidence factors - These are how CVS incorporates sampling risk into the sample size

calculation. How they are determined is beyond the scope of the text. A table of common confidence factors are presented below. They are comparable to the confidence level in MUS. However, the formula includes two different confidence factors, one for incorrect rejection and one for incorrect acceptance. Thus, when auditors use CVS, they can set different confidence levels for these two effects of sampling risk if they are more concerned about accepting a misstated balance (risk of incorrect acceptance) versus rejecting a correct balance (risk of incorrect rejection).

MUS only considers the risk of incorrect acceptance of the account balance. However, auditors also face a risk of incorrect rejection, which is rejecting a correctly stated balance. Risk of incorrect acceptance means that the auditor would falsely certify a set of financial statements are fairly stated when they are not. This is audit risk in the audit risk model. We’ll use the term risk of incorrect rejection as business risk because the consequences are things like doing excess audit work or, in the extreme, losing the client. Auditing texts and the auditing literature assumes that auditors tend to be willing to accept more business risk than audit risk and so the risk of incorrect rejection is usually set lower than the risk of incorrect acceptance. Risk of incorrect acceptance is sampling risk associated with incorrect acceptance and, therefore, the lower the risk of incorrect acceptance, the higher the sample size, i.e., the less risk the auditor is willing to accept, the higher the sample size.

 Standard deviation - This is the same as what you were taught in your basic statistic classes and is a measure of the variability in the dollar amount of the individual items in the population. Standard deviation is directly related to sample size. The more variable the population, the larger the sample has to be to reduce sampling risk.

268

Auditors estimate standard deviation in the same way they estimate the expected deviation rate. They can rely on prior years' experience with the auditee; experience with similar auditees if the auditee is new; or run a small, initial sample and calculate their estimate based on that sample. As mentioned above, auditors can reduce the effect of the standard deviation on sample size by stratifying the sample, which reduces the standard deviation (i.e., variability) in each subsample and then combine the results.

Here is a table to use to convert risk levels to confidence factors for the sample size equation:

101 Note that these tables come from the AICPA and use lower factors (i.e., willingness to accept less risk) for incorrect acceptance compared to incorrect rejection for each risk level. We’ll use a risk of incorrect acceptance for the example MUS of 5% and we’ll assign a risk of incorrect rejection of 10% to show you how to use the formula to calculate the sample size for CVS. That is, in addition to the bias built into the AICPA table, auditors can also set different basic risk levels for each type of risk. Finally, we’re going to use an estimated standard deviation of $310 based on prior audit experience. Here are the parameter values for the formula:

N = 1,215 R(IR) = 1.65 - from above table for 10% risk R(IA) = 1.65 - from above table for 5% risk SD = $310 TM = $125,000 EM = $25,000

Entering these amounts into the sample size equation gives us a sample size of 154.49, which we should round up to 155. You should always round up to insure you meet your sampling risk. Note that this is much higher than the MUS sample size, which is a feature of MUS compared to CVS. However, this only holds when the expected misstatement rates are relatively low. As expected misstatement rates increase, the sample size for MUS goes up sharply and can exceed the CVS sample size. However, high expected misstatement rates are usually associated with weak clients that the auditor may have eliminated from consideration during the client acceptance process.

101AICPA. (2014). Auditing Sampling - Audit Guide.

269

Selecting the CVS Sample

Auditors can use either pure random sampling or systematic sampling for CVS. However, for CVS, the sampling unit is the same as the logical unit. That is, when the auditor uses CVS, they sample items like customer accounts and, therefore, would need to assign sequential numbers to each customer account and then randomly select accounts using these numbers. Recall that with MUS, they sample dollars and then audit accounts containing those dollars. Thus, CVS is not probability proportionate to size sampling.

Evaluating a CVS Sample

Evaluating a CVS sample using the math associated with it is easier than evaluating an MUS sample. Auditors determine the audited balance for each item in their sample. They then calculate the average balance for these items and multiply that times the number of items in the population to estimate the population balance. In addition, they calculate the actual standard deviation for the sampled items. Stating that executing or evaluating either a CVS or MUS sample is easier than the other is a bit of a "red herring." If the auditor had to use the basic math and formulas, CVS is easier because of the lack of assumptions and adjustments. However, auditors use software for to calculate sample sizes and evaluate results. Thus, there isn't any significant difference in the ease of using either approach. The AICPA Sampling Guide102 also provides some short cuts and guidance to make sampling easier for auditors. Regardless, auditors need to understand the math and assumptions behind each approach to select which approach may be better in a given situation. Just plugging numbers into a "black box" piece of software can be very dangerous. We’ll illustrate evaluating the example with some assumed data. Let's assume that we sampled 155 items from the accounts receivable balance represented in the example. The first step is to calculate the average item value for the items in the sample. The values auditors find in their sample are called the audited values. When we totaled the audited values for those 155 items, we got $305,000. We also calculated the standard deviation of the sample at $250. We’ll divide the total of the sampled items by the number of sampled items to get an average value per sampled item of $1,968 ($305,000 / 155). To complete the evaluation of the account balance, the auditor needs to estimate the population balance from the values in the sample (i.e., calculate a point estimate of the balance). Then (s)he needs to confidence interval around that point estimate to allow for sampling risk based on the auditor’s risks of incorrect acceptance and rejection called a precision interval. After calculating the average item value for the sample, the next step is to determine the point estimate for the account balance based on the sample results. To do this, the auditor multiplies the average value of each sample item times the number of items in the balance. For the example, this would be $2,391,120 ($1,968 * 1,215).

102 AICPA. (2014). Auditing Sampling - Audit Guide.

270

Next, the auditor needs to calculate the precision of the sample based on the following formula:

If we plug in our numbers into this formula, we get a precision of $40,256. If we add and subtract this precision from the point estimate, we get a precision interval of $2,350,864 ($2,391,120 - $40,256) to $2,431,376 ($2,391,120 + $40,256). If the recorded balance falls within the precision interval, then the auditor can accept the populations. If the recorded balance falls outside the precision interval, the auditor needs to determine if it is outside the more than their tolerable error. That is, the precision interval accounts for sampling risk and the auditor knows that the actual balance is within the precision interval with the confidence (s)he set at the beginning. However, the recorded balance is outside the precision interval, then they auditor knows with that same confidence level that the actual balance differs from the recorded balance. However, they need to determine if that difference exceeds their tolerable misstatement. Thus, if the recorded balance is outside the precision interval by more than tolerable misstatement, they auditor must cannot accept the population. Auditors make the comparison by looking at the difference between the recorded balance and the boundary of the precision interval that is farthest from the recorded balance. The recoded balance in the example was $2,500,000 and the farthest boundary of the precision interval is $2,350,864. The difference between these two is $149,136 and the tolerable misstatement was $125,000. Therefore, we cannot accept this balance.

Other CVS Approaches

The approach illustrated was mean-per-unit in that we used the mean (average) sample values to estimate the balance from the sample. Auditors can also use CVS to estimate the difference between the audited and book values or the ratio of audited to book values to assess the accuracy of the balance. That is, they can use the difference or ratio of book to audit value of their sampled items to estimate the difference between the actual and book balance in the account where "actual" is projected from the results of the sample. Both these approaches lead to smaller sample sizes because differences and ratios tend to have lower standard deviations that the raw numbers. However, both these approaches need a reliable book value on which to base the differences and ratios. Mean-per-unit does not rely on the book values.

271

Summary of Differences between CVS and MUS

The fundamental difference between CVS and MUS is that they are based on different assumptions about the distribution of items in the population. The assumptions each method makes about the underlying distribution is critical to any statistical technique and drives sample size calculations and interpretation of sample results. MUS assumes the items in the population can be either right or wrong and models the population with a binomial distribution. Since the values in the population can only take one of two values, there is inherently less variance in the population, and if there is less variance in the population, the sample can be much small to achieve the same level of sampling risk. MUS uses a dollar as a sampling unit and assumes that the dollar is either right or wrong. However, even a dollar can be misstated by a wide range of values. This underlying assumption of right or wrong dollars is what created all the adjustment needed to interpret the MUS sample results. CVS assumes the values in the population can take any value but that those values form a normal distribution around the mean of the population. While this assumption may not match some general ledger balances very well because some balances may have a few large accounts and many small ones, it still is closer to "reality" than the right or wrong assumption of MUS. However, since CVS is assuming a wide range of possible values in the population, the underlying distribution will inherently be more variable, which is why CVS sample sizes are larger. Auditors need to understand these differences when choosing a method. Failure to understand the assumptions and limitations of each method can lead to false conclusions about account balances. Here is a summary of the main differences between the two approaches that are driven by the fundamental differences just discussed:  Compared to classical variable sampling, MUS yields lower sample sizes for populations

with low expected misstatement rates. Audit implications - MUS is more efficient than CVS for populations with low expected misstatement rates.

 The assumption of right or wrong answers for MUS isn't too far off for populations with low expected misstatement rates. However, this leads to interpretation problems for samples with more than a few misstatements. If there are more than a few misstatements in the sample, the MUS results overstate the amount of misstatement in the population. Audit implications - MUS should be avoided for populations where misstatement rates are not expected to be minimal. CVS works regardless of the underlying misstatement rate.

 MUS automatically uses a probability proportion to size sample selection process that insures large items will be sampled. CVS gives each item an equal chance of being in the sample regardless of the size of the item. Audit implications - MUS is appropriate for accounts that have a few large balances that dominate the overall account balance. If the population consists of items that are close to the same size, this advantage for MUS goes away and CVS may be more appropriate. Note that is the population is more homogenous,

272

its standard deviation will be smaller, and CVS sample sizes will fall to more closely approximate MUS sample sizes.

 Probability proportionate to size samplings under samples small items and will not select zero or negative items. CVS doesn't have this problem because all items have an equal chance of being in the sample. Audit implications - Auditors should use MUS only for accounts where overstatement error is the primary concern; usually asset balances. CVS should be used for liabilities where understatement is the primary concern.

 CVS requires an estimation of the population's standard deviation, and MUS does not. Audit implication - Use MUS when it is hard to estimate the standard deviation of the population. The vast majority of audits are continuing audits and auditors can estimate the standard deviation from the prior year's balances. For new engagements, auditors can estimate the standard deviation from a small subsample of the current balances or from audits of similar firms. With current computer aided audit tools, calculating a standard deviation is trivial.

 In general, MUS requires more adjustments and assumptions than CVS because MUS's assumption about the underlying distribution is not as realistic and CVS's are. Generally, auditors tend to make conservative assumptions with MUS when MUS requires assumptions. Thus, MUS tends to overstate the actual amount of misstatement in most populations. In addition, there are a variety of approaches for making the assumptions needed in MUS and not all auditors use the same approach. CVS does not require such assumptions. Audit implications - know your methods and don't just blindly apply formulas. Be aware of each approaches assumptions, strengths, and weaknesses and make sure you understand what they mean for each sample you plan to run to insure you use the right method.

Non-statistical Sampling

We will not cover non-statistical sampling in much detail in this chapter because the main issues were discussed in the previous chapter and the issues are the same for substantive testing as they are for control testing. However, we will discuss how auditors can execute a non-statistical test of balances. The distinction between non-statistical and statistical sampling rests with the procedure the auditor uses to select the sample. If it is random, or closely approximates random (e.g., the systematic approach MUS usually uses or even haphazard sampling), then the auditor is using statistical sampling and can use attribute sampling mathematics to make precise estimates of sampling risk to use to project the sample results to the population. However, as mentioned in the discussion of MUS assumptions above, the precision of the auditor's conclusions for MUS are lower than for attribute sampling because of the assumption auditors have to make to execute an MUS. If auditors do not use some form of random sampling approach, then they cannot make precise estimates of sampling risk because they cannot assume their sample is representative of the population and have to make a judgment call on how large their sampling risk is. However, auditors frequently want to target large or problem accounts or transactions when auditing account balances and, therefore, do not use random sampling procedures. Most audit

273

firms finesse this issue by building specific guidelines for estimating sampling risk for non- statistical samples. Nearly all these guidelines assume that the sample is close to random and draw on statistical tables to provide specific adjustments for sampling risk. However, some auditors also use stratified sampling techniques where they audit all, or a higher proportion of, individual items in the account balance over a certain amount and then randomly sample the rest. If they sample all items for a subset of the population, they would project sample results to the population by including any misstatements found in those accounts without a sampling risk factor. Then they would project any misstatements found in the smaller accounts using some estimate of sampling risk. If auditors chose to use non-statistical sampling, they can still estimate the level of misstatement in an account balance. They can estimate the population balance from a sample by projecting the misstatement rate they find in the sample to the population directly without consideration of sampling error. That is, they can divide the total audited values in the sample by the total recorded balances in the sample to get a misstatement rate. Then they can multiply that misstatement rate to the population and compare the result to the recorded balance. However, they need to add in consideration for sampling risk, which inherently is a judgment call. If auditors use truly haphazard selection procedures, then their sample should be representative of the population and use of statistical sampling tables is allowable. Auditing standards classify haphazard sampling as random. However, doing so can be dangerous since auditor conscious or unconscious biases can affect the random nature of a haphazard sample.

Auditor's Options if Sample Results Indicate Rejection of the Account

Based on the results of the sample, we could conclude that the auditee's accounts receivable was overstated because the upper limit of misstatement was higher than the tolerable misstatement. However, we worded the conclusion as "cannot accept" instead to emphasize that the auditor would rarely just reject the populations based on the sample results without follow-up analysis. We don't want to press forward blindly based just on the math, but would want to make sure that we understood what caused the misstatements in the customer accounts. Below we list several follow-up actions that we can take when the sample indicates a misstatement in the auditee's account. However, we want to emphasize that auditors need to look at the data thoroughly and understand why the misstatements occurred in their sample. The general point here is that an auditor should never just blindly execute a test; plug the numbers into a formula or software package; conclude; and move on. Auditors should review any misstatements and try to determine why they occurred to make sure your conclusions are informed by context. Here are additional options if your sample indicates you should reject the balance. We covered several of these in Chapter 8, but have repeated them here along with some additional options. Some options differ because this is a test of a balance and not a control.

274

 Expand the sample size and hope that the reduction in sampling risk offsets any additional misstatements that we might find. This option will add cost to the audit with no guarantee that the additional items won't just confirm the prior findings. However, if the auditor has reviewed the misstatements in the sample and believes they are unusual, this approach with be the simplest and probably cheapest.

 Do other audit work using other types of substantive testing procedures to confirm the balance. In the example, we relied on confirmations to verify the accounts receivable balance. Since customers' records can be faulty, this option probably would be the best one for the example. We could do a detailed review of the auditee's supporting documents for the account balances that weren't confirmed to try to determine if the auditee’s or the customers' balances were correct. That is, the confirmation process assumes that the customer is right and considers the customer's amount the audited amount. Auditors may be able to use additional procedures to "correct" the customer's amount and eliminate the difference from the book value.

 Take no action until the audit is completed and then determine if the misstatement in the accounts receivable balance would create a material misstatement in the financial statements taken as a whole when combined with other misstatements the auditor found in other accounts. The auditor's goal is to certify that the financial statements are not materially misstated, not to certify each account balance individually. Thus, the auditor could just wait until the end of the audit and see how the misstatement in accounts receivable affected the financial statements when any other account misstatements were considered before deciding whether to do anything about the accounts receivable misstatement amount.

 Ask the auditee to restate their balance to bring it in line with the sample projections. This is a difficult option for the auditee because, other than the misstatements we found in the sample, they would have no way of knowing which customer's balances were in misstatement. Thus, they would have to make some sort of general adjustment to accounts receivable that wouldn't tie to their accounts receivable subsidiary ledger. Recall that the accounts receivable balance is just a total of individual customer's accounts. If we ask the auditee to adjust the total, they face a dilemma of how to do that and still keep the total accounts receivable balance equal to the sum of the individual customer account balances when they don't know which customer's balances are in misstatement.

 Ask the auditee to correct all items in the population. This is an extreme request for account balances that have a significant number of items in them. Typically, accounts receivable balances consist of many individual accounts, none of which is very large. If this is the case, having the auditee review every individual balance in accounts receivable and correct them would probably be too costly for the auditee. However, for account balances that contain a few, large individual items, this option may be reasonable.

 The last, and most extreme, option is to qualify the audit opinion. This option is extreme in that very few audit reports are every qualified in any manner. Roughly 97% of all audit reports are "clean." Thus, giving an auditee a qualified audit opinion is a very strong signal to the capital markets that the auditee has some serious problems.

275

276

Auditing the Acquisition and Payments Cycle

Summary

This chapter covers the basic business processes and documents associated with the acquisition and payment cycle as well as the procedures auditors use to audit the account balances that result from acquisition and payment activity. After completing this chapter, students should be able to:  Describe the normal business process in the acquisition and payment cycle and the

documents firms use to record activities in that cycle.

 Describe control procedures firms commonly use for acquisition and payment activities and suggest appropriate controls and tests of controls for specific situations.

 Describe common substantive analytical procedures used for account balances related to acquisition and payment activities and apply them to specific cases.

 Describe common substantive tests of transactions and account details and suggestion procedures for specific cases.

Business Processes and Documents Common to Acquisitions

Acquisitions

While personnel are "purchased" like goods and services, the payroll cycle is usually considered separate because of the unique characteristics that payroll accounting and reporting has. Thus, this section only discusses the purchase of goods and services from non-employees.

Description

The purpose of the purchase and payment cycle is to secure economic resources that the firm uses to produce goods and services. These economic resources include things like raw materials directly used in the production process, supplies that are indirectly used in the production process or for administration, outside services (e.g., accounting, legal, utilities, telephone, rental of space), and capital assets (e.g., buildings, machinery, and equipment). The purchase of capital assets also has some unique features that may warrant separating those activities into a separate cycle as well, but we have chosen not to do so here. The main goal of the acquisitions cycle is to secure economic resources of sufficient quality and quantity to meet the needs of the organization at the lowest possible cost and to pay for them on time. The major activities of the purchase and acquisition cycle parallel those of the sales and collection cycle because they present the view of the sales transaction from the standpoint for the purchaser instead of the seller.

277

Major Activities and Documents

 Recognize Need - The purchase and payment cycle is triggered when the firm recognizes a need for some good or services. Need recognition can be based on periodic monitoring such as taking a physical inventory, continuous monitoring such as maintaining a perpetual inventory, or systematic monitoring such as renewing an insurance policy every year. Need recognition often involves forecasting future needs rather than identifying needs after they arise. Since purchasing and receiving goods and services takes time, most firms try to anticipate their needs ahead of time to help insure that their production operations are not interrupted because of lack of needed resources. Maintaining significant inventories, however, is costly for the firm. The real goal is to have needed goods and services arriving at the firm just in time for the firm to put them to use in the production process, thus eliminating the need for inventories.

Needs are documented with purchase requisitions. For control purposes, most firms separate purchasing activities from production activities. Production personnel usually identify the need, document it with a purchase requisition, and sent that requisition to the purchasing department to purchase the good or service. Therefore, the purchase requisition should include all the information the purchasing department needs to purchase the right good or service in the right quality and quantity and have it delivered in time. Purchase requisitions usually include the list of goods or services needed and the quantity, specific characteristics of those goods and services (e.g., size, color, and quality specifications), the name of the person or department making the request, and the date by which the goods or services are needed. For control purposes, most purchase requisitions need to have management approval to help insure that goods and services are really needed, and the correct resources are being requested.

 Purchase Goods or Services - Purchasing activities usually include selecting a vendor or

supplier for the requested goods or services, determining the best price, documenting the details of the purchase transaction, and, possibly, obtaining additional approval to actually place the order. Purchase transactions are documented with purchase orders or, if the resource being purchased is large and complex, a purchase contract. Purchase orders contain the very similar information to a sales order because they merely represent the other side of the transaction. This information includes:

 Name, billing address, shipping address, and contact information (e.g., telephone, fax number, and/or e-mail address) of purchaser.

 List of merchandise ordered to include name, quantity, and price.

 Delivery terms such as delivery dates, shipping terms (e.g., who is responsible for delivery and who pays for delivery).

 Payment terms that specify how long after delivery the payment is expected and whether any discounts are allowed for early payment.

 Date the order was placed and who took the order for the organization.

278

 Receive Goods and Services - When merchandise that has been ordered is received, it needs to be checked against the order to make sure what was received was the same as what was ordered. A receiving department that stores the merchandise in the purchasing firm's inventory once the check is complete usually performs this check. Receiving personnel use the packing slip, as well as a bill of lading if a common carrier was used, to verify what the selling firm intended to ship and a copy of the purchase order to verify what the purchasing firm intended to order. Any discrepancies are noted and usually turned over to the accounting department to reconcile to the invoice when it arrives.

A packing slip is a document that they shipper includes in the package or shipment that lists all the items included in the shipment. If you have ever received a shipment from places like Amazon.com, you have received a packing slip inside the package. A bill of lading is a document the seller gives to the shipper that list the seller, customer, number of packages in the shipment, and a general description of the merchandise included in the shipment. Bills of ladings are contracts between the seller and the shipper that determine the terms of the shipment. They usually do not include a complete list of the items in the shipment and only contain a package count and a general description of the type of merchandise in the shipment.

The receiving department documents the receipt of a shipment with a receiving report. Firms may require that these reports be filled out in a blind receiving process. A blind receiving process occurs when the receiving department knows what items should be in the shipment, but not the quantity of each item. The goal of a blind receiving is to force the receiving department to count the items in the shipment in order to record the amount received. If the receiving department knows the quantity of each item that should be in the shipment, they might get lazy and not count the items in the shipment to see what was actually there. If they don't know what to expect, they must develop a complete listing of what was in the shipment to fill out the receiving report. However, many firms do not use blind receiving because doing so limits the receiving department's ability to reject the order or note deficiencies in the order at the point of receipt. If the receiving department doesn't know how many items should be in the shipment, they can only inspect the shipment for damage and then accept it if it is undamaged. The can't reject the shipment if it has too many or too few items in it.

 Make Payment - Once the firm has documented the contents of the shipment, they need to

pay for it. The ordering firm's accounting department usually makes payments after they receive the invoice from the selling firm. The accounting department's job is to compare the purchase order, packing slips, receiving reports, bills of lading, and invoices to make sure that everything matches up. That is, what was ordered was received and the selling firm hasn't changed the shipping and payment terms.

Once the accounting department has determined that everything matches, they generate a check to make the payment or create a payment voucher. A payment voucher is a request to cut a check to pay for the invoice and takes the form of a cover sheet that is supported by copies of the invoice, purchase order, receiving report, and bill of lading. If a voucher not used, the check must be approved and signed by someone outside the accounting department, or by some higher-level manager within the accounting department, before it

279

is sent to the vendor. In this case, copies of the supporting documents to verify the validity of the check should also accompany the unsigned check. Thus, the unsigned check can function as a payment voucher. However, since signatures can be forged, using an unsigned check as a payment voucher is riskier than using a payment voucher and letting the approving authority cut the check.

The payment is documented with the check as well as with a remittance advice attached to the check. A buyer generated remittance advice includes a listing of all the vendor invoices that the purchaser is paying with the check. The buying firm creates them to help insure that the vendor applies their payment to their account and to the correct invoices. The seller may also include a remittance advice with their invoice, which is sometimes just a second copy of the invoice that the seller wants returned with the check. However, the buyer, not the seller, controls the use of remittance advices because they can fail to return them with the check. Thus, the seller can't rely on having one available when recording payments they receive.103

The above description covers the basic flow of acquisition transactions and how firms document them. The following is list of additional documents and records firms use.  Debit memo - A debit memo is a document, similar to an invoice, that sellers use to reduce

the amount owed by the purchaser. The information it contains is similar to an invoice. Some common reasons sellers generate debit memos if for returned goods or billing errors on the original invoice.

 Purchases or acquisition transaction files and purchases or acquisitions journals - Purchases transaction files (also known as acquisition transactions files) are computer files that list all the purchases transactions in chronological order and includes the details of the transaction, to include the account the firm charges it to. A purchases journal (also known as an acquisition journal) merely reports the items in the transaction file.

 Accounts payable master file - An accounts payable master file is a computerized version of accounts payable subsidiary ledger. The accounts payable subsidiary ledger is similar to the accounts receivable subsidiary ledger. It lists all the purchase-related transactions and payments by vendor. The ending balances in each vendor's account must add to the total in the accounts payable general ledger account. Firms periodically print an accounts payable trail balance, which is a summarized version of the accounts payable subsidiary ledger showing just the balance due for each vendor at a point in time.

 Vendor statements - Vendors may prepare statements, usually monthly, that document the purchaser's beginning balance, transactions, and ending balance. The activity on vendor statements should match the auditee's activities for that vendor in the auditee's subsidiary accounts payable ledger unless there are disputed items.

103 We use an electronic payment system that doesn't allow for the inclusion of remittance advices with checks. Thus a memo field is included on the check that references the invoice or account number the check applies to.

280

Summary of Accounting Processes for Purchases

The following diagram summarizes the activity flow, documents, and recording mechanisms used in a typical, computerized accounting system to record purchases activities.

104

Common Application Controls for Purchases

The following figure presents some of the most common transaction controls for the purchases cycle. We have excluded cash disbursements because the text covers them in a separate section below. The figure organizes these controls by financial statement assertions, which parallel the major audit objectives for transactions

104 Diagram taken from Accounting & Assurance Services (5th Edition) by Timothy J. Louwers, Robert J. Ramsey, David H Sinason, Jerry R. Strawser, and Jay C. Thibodeau, 2013, McGraw- Hill Irwin, page 321.

281

105

282

105 From Accounting & Assurance Services (5th Edition) by Timothy J. Louwers, Robert J. Ramsey, David H Sinason, Jerry R. Strawser, and Jay C. Thibodeau, 2013, McGraw-Hill Irwin, page 327.

283

Common Substantive Analytical Procedures for Acquisitions

Auditors normally compare changes in account balances from year to year for all accounts looking for unexpected changes and they normally would do this for both the asset, liability, and expense accounts associated with the acquisition cycle. Thus, this text will not repeat these comparisons for each specific type of activity covered below and will only discuss additional substantive analytical procedures specific to that type of activity below. This text covered some basics about analytical procedures in Chapter 5 that apply here. A main point to keep in mind is the basic procedures auditors use to perform an analytical procedure. This procedure includes:  Developing an expectation - Normally, a firm has a stable business model that means that

account balances tend to change in proportionate to the size of the firm. While comparing to a prior year's balance is a good starting point, auditors usually can gain more insights by comparing asset and liabilities as a percentage of total assets and income and expense accounts as a percentage of sales from year to year. "Common sizing" the account balances removes changes is size as a possible cause of a change in the account balance and thus helps auditors focus more on unexpected changes. One key issue here is developing the expectation before they look at the current year's balance. They want their expectation to be as independent as possible from the recorded balance to avoid prejudicing their expectation.

 Define a tolerable difference - Account balances always change due to a list of factors, including random chance. Thus, auditors need to determine how much of a change should be investigated to focus their attention on differences that could indicate material misstatement.

 Compare expectation balances to actual balances and investigating - This step is straightforward. The auditor compares their expected balance to the actual balance and it the differences exceeds their tolerable difference, they should perform additional procedures to determine if the difference indicates a material misstatement or not. All differences audits may find could be a problem with their expectations (e.g., the auditee change a key business process from last year the auditor didn't take into consideration) or a problem with the actual balance. Analytical procedure results are just too imprecise for auditors to rely solely on them to reject and account balance. One follow-up procedure auditors should always use is discussing the difference with management. However, they should be cautious about merely accepting management's explanations and, in most cases, should gather more powerful evidence as well.

 Draw conclusions - Once the auditor has performed their follow-up procedures, then can conclude whether the account is materially misstated or not.

Common Tests of Details for Accounts Payable

The following table lists some common tests of details auditors use to test accounts payable by audit objective:

284

Audit Objective Common Test of Details Occurrence - transaction Review all acquisition records for large or unusual transactions.

Review underlying documents for authenticity and reasonableness.

Review subsidiary ledger or master file for unusual vendors.

Examine fixed assets acquired.

Existence - balance Vouch purchase journal entries to supporting documents.

Confirm vendor accounts with the vendor. Completeness - transaction

Trace receiving documents and invoices to the purchases journal.

Completeness - balance Confirm vendor accounts with zero balances with vendor. Trace cash disbursements to accounts payable subsidiary ledger.

Accuracy - transaction Vouch transactions in the purchases journal to supporting documents and compare amounts.

Recomputed the accuracy of the vendor's invoice.

Accuracy - balance Confirm accounts vendor balances in the subsidiary ledger with vendors.

Classification - transaction

Review account coding in purchases journal for accuracy.

Classification - balance Review account classification to insure current and long-term liabilities are separated.

Timing - transaction Trace dates on receiving documents to dates in the purchases journal.

Cutoff - balance Review subsequent payments and compare to dates of payment transactions in the accounts payable subsidiary ledger.

Posting and summarization - transaction

Recalculate clerical accuracy of the purchases journal and trace amounts to accounts payable subsidiary ledger and general ledger.

Detail tie in - balance Reconcile totals in the accounts payable subsidiary ledger to the accounts payable general ledger account. Trace general ledger account to the financial statements.

Common Substantive Analytical Procedures for Accounts Payable

Comparing Accounts Payable Balances to Cost Volume

Since changes in the accounts payable balance should track with changes in purchasing and expense activity, auditors should look at ratios that make this sort of comparison. Three common ones are:

285

 Days Costs in Accounts Payable - This statistic calculates the average daily expenses related to accounts payable and divides them into the average accounts payable balance for the year. Unless the auditee's vendors have changed their collection policies or the auditee has changed its payment policies, this relationship should be stable over time. Thus, changes in this relationship may signal a material misstatement. If the auditor has difficulty determining the expenses relate to accounts payable, (s)he can use purchases, cost of goods sold, or sales as well.

 Accounts Payable Turnover - This ratio is the mathematical equivalent of days costs in accounts payable. It divides the accounts payable balance into the costs associated with accounts payable, purchases, cost of goods sold, or sales depending on the auditor's judgment and data availability.

 Compare individual payables balances with the prior year - This procedure would focus on specific accounts that may have changed in unexpected ways, but also is more costly and time consuming. The auditor should also consider "common sizing" the individual accounts by dividing by purchases, costs of goods sold, or accounts payable related expenses to take general size changes out of the analysis.

Cash Disbursements

Major Activities and Documents

Auditors normally audit cash disbursements at the same time as they audit purchases since the transactions are tightly related. For example, they may review cancelled checks at the same time they are tracing receiving reports to the purchases journal. The major activities involved are simple. The firm writes a check or makes an electronic funds transfer to pay a vendor's invoice(s). However, the firm also reconciles their cash activity with their bank's statements, either manually or electronically, which also supports the cash receipts processes. Assuming that you all know what checks and cancelled checks are we will focus our discussion on some of the other documents, journals, and ledgers with which you may not be as familiar.  Cash Disbursements Journal - Larger firms maintain both cash disbursements and cash

receipts journals. The cash disbursements journal lists all cash disbursements in chronological order, usually by check number, which also tends to be chronological. However, smaller firms may just maintain a check register like most of us to that combines cash receipts and disbursements in one journal.

 Proof of Cash - A proof of cash is like a bank reconciliation, but more complex. In a bank reconciliation, the auditee normally only reconciles the ending balance in their books to the ending balance on their bank statement at the end of a period. Auditors use proofs of cash to reconcile all four components of the checking account between the books and bank statement - beginning balance, deposits and other additions to the account, checks and other reductions in the account, and the ending balance. This more thorough bank reconciliation can detect more errors in the checking account than a simple bank reconciliation can.

286

Common Controls, Tests of Controls, and Substantive Tests of Transactions

The following table presents the common controls, tests of controls, and tests of transactions auditors use for cash disbursements.

287

106

106 Arens, A.A., Elder, R.J., Beasley, M.S., and Hogan, C.E. 2017, Auditing and Assurance Services: An Integrated Approach. Page 615.

288

Since cash is so liquid and easy to convert to personal use, controls over cash should be well- established and complete. The accounts payable department should never issue checks. That function should be segregated and in a different department. The department that issues checks should always have copies of the documentation so they can verify the accuracy and validity of the check before the issue it. The person who signs the checks should also distribute them to vendors to ensure that the checks are not lost or altered after they were signed. In addition, while prenumbering of checks is a good start on a completeness control, it isn't effective unless there is a person that is responsible for accounting for all the check numbers.

Common Tests of Tests of Details

Auditors also confirm the account balance directly. One tool for this is getting cutoff bank statements from the banks involved. A cutoff bank statement is a special bank statement that bank sends directly to the auditor on request by the auditee. Banks can't release confidential information to an auditor without the auditee's permission and the auditor doesn't want the cutoff statement going through the auditee, which would reduce the strength of the statement as audit evidence. Auditors usually request cutoff statements after the auditee's year end. Auditors would perform their own bank reconciliation of proof of cash on the cutoff statement. Cutoff bank statements are useful in spotting outstanding checks or deposits in transit that the auditee might have missed on their year-end bank reconciliations. Auditors also might request that the auditee ask the banks to confirm balances directly with the auditor. These documents are called bank confirmations and, again, the auditee requests that the bank send them directly to the auditor. Auditors will ask the auditee to include requests for information in addition to the ending account balance. These additional items might include confirmation of loans, pledged assets, lines of credit, or any other normal transaction that a firm might have with their banks.

Property, Plant, and Equipment

Common Activity and Documents

The acquisition of property, plant, and equipment is very similar to the acquisition of other goods and services. However, these types of assets usually involve large transactions and also may involve a formal transfer of title from the seller to the buyer. They also can involve long-term construction contracts such that the full value of the asset may not be recognized in one year, which creates the need for the auditee to maintain a construction in progress balance sheet account.

Common Controls, Tests of Controls, and Substantive Tests of Transactions

There are few controls, tests of controls, and substantive tests of transactions that are specific to fixed assets. Thus, the same issues raised by the audit of accounts payable and cash receipts and disbursements apply to fixed acquisitions as well.

289

Common Substantive Analytical Procedures for Property, Plant, and Equipment

 Expense balance comparisons - Auditors should not limit their year-to-year balance comparison to just the asset and depreciation accounts. They also should include repair and maintenance expense accounts to look for possible items that should have been capitalized because they added value to the asset or items that should have been expenses because they didn't.

 Relate depreciation to changes in gross property, plant, and equipment - Accumulated depreciation and depreciation expense should change proportionately to changes in the gross property, plant, and equipment amounts. Gross amounts are not offset by accumulated depreciation. Auditors can make this comparison by calculating ratios that compare depreciation expense and/or changes in accumulated depreciation to changes in gross property, plant, and equipment. They also can make these comparisons based on the ending balance in gross property, plant, and equipment.

Common Tests of Substantive Tests of Details

Tests of Acquisitions

Auditors focus on tests of balances when auditing property, plant, and equipment because most of the transactions involved are automatically tested when testing acquisition and cash transactions. The following table presents the main tests of balances auditors use in testing

290

107

Tests of Disposals

Disposals can include trade-ins, sales, abandonment, or theft of these assets. Firms normally maintain lists of all property, plant, and equipment disposals that the auditor can use to test these transactions. Firms also normally maintain a subsidiary ledger/master file of fixed assets. Thus, auditors can trace asset disposal transactions to the subsidiary ledger/master file to determine if the auditee recorded all disposals and for the correct amount. This would test the existence and accuracy objectives. That is, if an asset was disposed of, it should no longer exist in the auditee's records. Auditors also need to test for unrecorded disposals, which can be more difficult. Some of the common tests auditors use to look for unrecorded disposals include: 107 Arens, A.A., Elder, R.J., Beasley, M.S., and Hogan, C.E. 2017, Auditing and Assurance Services: An Integrated Approach. Page 640.

291

 Review asset acquisitions to determine if they replaced existing assets and insure that the

auditee recorded the disposal of the replaced asset.

 Analyze gains and losses on the disposal of assets and miscellaneous income for receipts from asset disposals.

 Review modifications to property, plant, and equipment, property tax records, and insurance policies for indications of deleted assets.

 Make inquiries of management and production personnel about any possible disposals.

Verify the Ending Balance

Most audits are repeat engagements and so a complete audit of the property, plant, and equipment may not be necessary since the auditor tested the beginning balance and can use the above tests for acquisitions and disposals. However, auditors may want to test the ending balance directly as well, particularly in new engagements or if the auditee's controls over these transactions are weak. Some of the common direct tests of property, plant, and equipment balances include:  Detailed Tie In - Foot the property, plant, and equipment subsidiary ledger/master file and

trace the total to the general ledger account.

 Completeness - Tour the auditee's facilities and trace any property, plant, and equipment to the subsidiary ledger/master file. Because they are long-lived and have significant value, auditee's usually tag these types of assets with unique identifying numbers that should also be recorded in the subsidiary ledger/master file. This helps the auditor trace specific assets to these records.

 Existence - Vouch entries in the auditee's subsidiary ledger/master file back to physical assets to confirm that they exist. Again, the unique IDs help auditors identify the correct asset.

 Accuracy and Classification - Auditors usually don't need to test these directly because the objectives for assets that existed at the beginning of the year were tested in last year's audit and these objectives would be tested as part of tests of acquisitions and disposals in this year's audit. One critical classification that involves complex accounting rules is whether leased assets should be recorded as if they were purchased, i.e., the leases are capital leases, or whether they should not be recorded as an asset because they are being leases using an operating lease.

 Presentation and Disclosure - In addition to the above balance-related objectives, auditors should determine if any of these assets have been pledged as collateral for a loan. A bank confirmation might disclose such pledges. In addition, the auditor can review loan and other credit agreements for evidence of pledged assets. Finally, they can ask management about such pledges and/or have the auditee include a request for this type of information in an attorney letter. The chapter discusses attorney letters and their use in more detail in the next chapter.

292

Verify Accumulated Depreciation and Depreciation Expense

The most important balance-related audit objective for depreciation is accuracy. Auditors can:  Review useful lives, depreciation method, and salvage value estimates to ensure that they

are reasonable and were determined based on the policies the auditee had in place for making these determinations (Accuracy).

 Reperform depreciation expense calculations and trace to the general journal. Most firms do not maintain specific journals for depreciation calculations and make a general journal entry to record depreciation expenses and increases to accumulated depreciation (Accuracy).

 Total the depreciation expenses calculates for individual assets and trace to the general ledger account (Detail Tie-in)

 Verify that the footnote disclosures of the auditee's depreciation method match those the auditee used to calculate depreciation expense (Presentation and Disclosure Accuracy).

Review for Asset Impairments

GAAP requires that firms write down the book value of their fixed assets to the estimated market value of the auditee's management determines that the market or resale value of the asset is less that the book value, where book value is historical cost less accumulated depreciation. Clearly, determining the fair market value of fixed assets is a judgment call. However, auditors can review the physical condition of the assets and research market prices of similar assets to do a reasonability check on management's fixed asset impairment decisions.

Prepaid Expenses

There are a variety of accounts in this category, but we will only cover prepaid insurance as an example since the tests of controls, transactions, and balances are similar for different prepaid expense and deferred charge accounts. The account processes are similar as well. Cash payments for future services trigger increases to the account. Consumption of the future services creates a reduction in the account balance. The classification of the asset depends on when the firm expects to consume the future service. Firms consume most prepaid expenses within a year and firms classify them as current assets, but the firm may consume some over several years and it should classify this portion as a long-term or fixed asset.

Common Tests of Controls

Most of the main controls and tests of controls for prepaid insurance are covered by controls on the acquisitions. However, there are a few features of prepaid insurance that differ from inventory. One key feature is the recording of consumption of insurance. Firms consume goods like inventory as they physically transfer those goods so the no longer have title to them or they no longer exist. This means that consumption is based on an event-driven transaction. Firms consume insurance as time passes. Thus, firms need to actively track the appropriate passage of

293

time and record the consumption of insurance. Thus, firms need to implement, and auditors need to test, controls over the recording of journal entries that record the consumption of insurance. Firms track insurance policies with insurance registers. Insurance registers are nearly identical to subsidiary ledgers and master files. They list all the policies in force along with the details of the carrier and coverage involved. They also maintain a history of additions and reductions for each policy that should add to the total in the general ledger prepaid insurance account. Thus, firms should establish, and auditors should audit, controls that tie these registers to the general ledger account. Auditors should also test the firm's controls that the firm properly authorizes new policies and their terms.

Common Substantive Analytical Procedures

In addition to the basic analytical procedures that apply to nearly all accounts, auditors can compare insurance expense amounts to the prepaid insurance balance from year to year. Most firms maintain standard coverages over time and so the relationship between the expense recorded each year to the outstanding balance should remain stable. Comparing the expense to the balance factors out changes in expenses due simply to changes in the size of the organization thus helping to focus the auditor's attention on changes due to other factors, including misstatements.

Common Tests of Transactions and Detailed Tests of Balances

The follow table lists the major substantive tests auditors use for prepaid insurance and insurance expense. Since the two are tightly related, tests of one tend to provide support for the other. That is, the account balance results from the beginning balance less write-offs plus payments. Since the auditor normally has tested the beginning balance as part of the prior year's audit and since the ending balance is merely the mathematical result of the other three components, the auditor's tests focus on additions and reductions. Auditors can test the additions as part of their cash disbursements audit. Thus, the main focus unique to the account is on the reductions, which also account for the expense amount.

294

Audit Objective Common Tests Completeness - all the policies in the insurance register are included in the ending balance

Trace insurance invoices and policies to the insurance register.

Existence - all the policies included on the insurance schedule exist.

Vouch entries on the insurance register to insurance policies and invoices. Confirm insurance policies with the auditee's insurance agent.

Rights - the auditee has the right to the coverage provided by the policies on the insurance register.

Review insurance policies listed on the insurance register for additional named claimants or beneficiaries.

Accuracy - the ending balances are the insurance register are accurate

Review insurance policies listed on the insurance registry for timing, extent of coverage, and premiums. Vouch amounts on registry to invoices Confirm premium amounts and coverage details with the insurance agent. Recalculate expense amounts after the provisions above have been verified.

Detail Tie-in - the total amounts on the insurance register tie to the general ledger account balance.

Foot the insurance register and trace totals to the general ledger account.

Classification - the expense amounts for different insurance expense accounts match the coverage of the policies on the insurance register.

Review policies for coverage and then trace expense amounts by policy to the correct expense accounts. For policies that have multiple types of coverage, verify the correct allocation to different expense accounts. Review classifications from prior years and follow up on any classifications that have changed.

Cutoff - insurance expenses are recorded in the correct period.

The major concern here is the timing of acquisitions and the auditor tested cutoff for those as part of the cash disbursements audit. However, auditors may also review the expense journal entries to insure the auditee recorded them in the right period.

295

Substantive Analytical Procedures

Auditors can also do reasonability checks on insurance expense transactions by reviewing the policies listed on the insurance registry and recalculating the implied expense amounts. This is considered an analytical procedure because it isn't a detailed test of each expense calculation.

Accrued Liabilities

Auditing accrued liabilities are similar to auditing purchases activity except that additions result from the passage of and not a specific transaction while the reductions normally result from a cash payment. Thus, they are the mirror image of prepaid expenses. We will use property taxes payable as an example of types of accrued liabilities because the controls and audit procedures are similar for all of them. While all audit objects except realizable value are relevant, We will only cover the two that auditors tend to consider the most significant: completeness and accuracy. We will not cover control procedures because those are so similar to controls that the text has covered elsewhere. Auditees tend to create property tax schedules that list all the real or personal properties they own that are subject to property taxation. That schedule should list all the properties and include the details of how it calculated property taxes for each property. Auditors base most of their tests on this schedule.

Audit Objective Audit Procedure Completeness - the listing of properties on the schedule contains all the taxable properties owned by the auditee and all expense accruals have been recorded in the expense accounts.

Review property ownership records and trace the properties listed to the property tax schedule. Auditors normally create property listing as part of their property, plant, and equipment audit that they use for this test. Compare current year's expense transactions to last years to determine if the auditee has eliminated any expense entries for any property.

Accuracy - property tax expense amounts and ending accrued balances due are accurate.

Usually, the number of property tax payments is small, but each amount can be material. Thus, auditors tend to use recalculation of each transaction to test accuracy.

Common Substantive Analytical Procedures

Auditors can total the value of taxable properties and divide that into the tax expense for each year. If tax rates don't change, the expense per dollar of property value shouldn't change from year to year.

Expense Accounts

This text covered auditing of revenue accounts in the prior chapter that covered the sales and collection cycle. It also has covered the auditing of many expense accounts as part of its coverage of related asset and liability accounts. These tests included tests of controls,

296

transactions, balances, and substantive analytical procedures. Auditors will use different records and perform different types of expense analyses for different types of expense accounts, but the general approach is the same. For example, auditors would test legal expenses by reviewing litigation activity and correspondence with the auditee's attorneys, note the amounts due, and trace those amounts to the legal expense account. This is not fundamentally different from how they audit insurance expenses.

297

Auditing of Inventory and Warehousing, and Completion of the Audit

Summary

This chapter also covers a list of activities that auditors perform after they have completed their fieldwork, which includes all their tests of controls and balances as well as inherent risk and control risk reviews. After completing this chapter, students should be able to:  Define contingent liabilities; describe the types of events that might create a contingent

liability; and describe some places auditors look for contingent liabilities.

 Describe how auditors treat events that occur after the end of the fiscal year being audited, but before the audit opinion has been issued and that have a material impact on the audited financial statements, and describe steps auditors use to identify these events.

 Describe other steps the auditor takes at the end of the audit to ensure that the audit is complete.

 Describe the going concern issue and how auditors address it in an audit report.

 Describe the communications, in addition to the audit reports, auditors are required to make to the auditee's governing body and the communications they normally make to management at the end of the audit.

Auditing Inventory

Business Functions and Documents

The acquisition cycle ended once the firm moved items to the warehouse. The inventory and warehousing cycle begins at that point and ends when finished goods are shipped from the warehouse, which is where the sales and collection cycle begins. This doesn't exist for some classes of firms like in the service and financial industry. These types of firms may inventory minor supplies, but the amounts involved are usually immaterial to an audit. These types of firms don't include a cost of goods sold item on their income statements because they don't sell goods. Wholesalers, retailers, and manufacturers are the types of businesses that usually have material inventories. Wholesalers and Retailers have simple warehousing and production functions and so auditing their inventory is simple compared to a manufacturer. They only have one inventory - goods for resale. Manufacturers have three: raw materials, work in progress, and finished goods. A manufacturer’s cost of inventory also is complex because it consists of raw materials, direct labor, and direct overhead while a retailer or wholesaler's inventory costs are mostly the purchase price of the goods plus some freight in. Thus, costing a manufacturer's inventory is complex and requires significant audit work. However, inventory auditing is important and complicated for all three types of firms because:

298

 It tends to be one of the larger assets on the balance sheet.

 Firms of any size usually store inventory in multiple locations complicating control and counting.

 Inventory items can be unique to a specific industry requiring specialized expertise to value (e.g., diamonds and other jewelry, oil and gas reserves).

 There are several acceptable inventory costing techniques (e.g., LIFO, FIFO, Average Cost, Specific Identification) and firms are not required to use the same technique on all their inventory items.

 Inventory costing for manufacturing firms is further complicated by the need to assign labor costs and allocate direct overhead to specific products.

 Valuating inventory is complicated by the need to apply the lower of cost or market rule, which requires judgment.

There are a few additional documents and records in the inventory cycle that weren't mentioned in the acquisition and sales cycle. However, three items are unique to this cycle:  Materials requisitions - These are internal documents used in manufacturing firms to

document requests for raw materials or components by the production line from the warehouse. Thus, they document the flow of raw materials and basic components from the warehouse to the production line, which is the transition point from raw materials inventory to work in progress.

 Job costing documents - These are used by manufacturers that employ job order costing instead of process costing to accumulate cost to specific jobs. They usually record direct labor time, raw material volumes, and machine time related to a specific job.

 Perpetual inventory records - For wholesalers and retailers, a perpetual inventory system slows from receiving reports and shipping documents. That is, receiving reports for received shipments add to the perpetual inventory and shipping documents subtract from it. Perpetual inventory systems only track the number of items involved and rarely include costs. Firms need to assign costs to the items in the perpetual inventory when they produce financial statements. Firms implement perpetual inventory records in master files and subsidiary ledgers just like they do for accounts receivable and payable. The individual items in the records are items in inventory rather than customer or vendor account balances.

 Cost accounting records - These are a variety of files, spreadsheets, reports, and other records that accumulate costs for jobs and processes. As mentioned above, the perpetual inventory system tracks units, but not costs, and so firms maintain accounting additional account records to assign costs to units. Cost accounting records are far more extensive for manufacturers than wholesalers and retailers.

Auditors usually break the inventory cycle into distinct types of processes that have unique characteristics. These include the physical movement of items and the accumulation of costs, and

299

assignment of costs to units to complete inventory valuation. We will break the following discussion of controls and tests into these categories.

Controls and Tests of Controls

The controls firms use for inventory, and the types of tests auditors run on controls, are similar to other cycles. The following table presents some controls that are specific to inventory.

300

Process or Action Control Movement of physical units

Access controls like locks to keep inventory secure, which supports existence (i.e., a recorded item isn't lost or stolen).

Materials requisitions that are approved to document and control the movement of inventory. These are prenumbered and accounted for to support completeness.

Reconciliation of physical to perpetual inventory, which helps support completeness, existence, and accuracy.

Segregation of duties between custody of inventory (i.e., warehouse personnel) and accounting, which helps support completeness, existence, and accuracy.

Costing the inventory

Many of these controls derive from the acquisition and payroll cycles since the costs flow from those cycles. However, here are a few specific to inventory costing.

Sequential numbering and control of job order costing documents to insure completeness.

Approval of work schedules and comparison of time cards to schedules, job cost records, and other documents supporting the assignment of workers to jobs and processes.

Access controls over cost records to prevent tampering. Compilation of final inventory values

Clear instructions and supervision of physical counts.

Independent verification of physical counts (e.g., test counts by internal audit).

Reconciliation of physical to perpetual inventories by an independent party, usually in the accounting department.

Use of standard cost records108 and comparison of standard costs with assigned costs.

Formal reviews of slow moving items to identify obsolete inventory that may need to be written down under the lower of cost or market rule.

Recalculation and other controls to insure costs have been properly applied to items and totals posted to the correct account in the general ledger.

Substantive Tests of Transactions and Detailed Tests of Balances

The following table presents some common tests of details for inventory auditors use. We have broken it down slightly differently than the three categories used for controls, but the same

108 Manufacturers use standard cost records to determine what an item in inventory should cost to produce. Firms perform engineering studies of the production process to determine how much

301

processes are involved. The procedures in the table mention documents that firms use in the inventory counting and costing process. These include:  Inventory tags - When firms count their inventory, they tag the items as they are counted

and record the amount of each item on the tag. Count teams leave the tags numbers or copies of tags with the item of inventory and the tags themselves are forward to accounting personnel to record in the account records. The tags include a description of the item of inventory, its classification (e.g., raw material, work in process, and finished goods), and whether the item is owned or on consignment as well as the number of items counted.

 Inventory count sheets - Sheets that record the information on the tags. They are listings of the tag numbers, item name, and count. Firms produce separate sheets for each class of inventory.

 Inventory listings - Firms use inventory listings to compile inventory counts and cost. They include a listing of all items in inventory and the costs assigned to them. They are broken down by raw materials, work in process, and finished goods.

Audit Objective Audit Procedure

Production and Costing Accuracy - costs recorded on the inventory listing are accurate

Auditors normally test the costs of raw materials, direct labor, and direct overhead as part of their audit of acquisitions and payroll. We have covered how they test application of these costs to inventory in the Compilation section below.

Completeness, accuracy, timing, cutoff - the auditee records all material transfers accurately

Trace material transfer documents to the perpetual inventory records to ensure that the auditee recorded all transfers from different types of inventory and recorded for the correct amount and on the correct date.

Occurrence, accuracy, timing, cutoff - all recorded transfers occurred

Vouch material transfers in the perpetual inventory system to transfer documents. Compare amounts and dates.

raw materials, direct labor, and direct overhead (e.g., machine time) should be needed to produce a finished good.

302

Audit Objective Audit Procedure Physical Count

Completeness - Inventory items are tagged as they are counted and all tags are accounted for.

Examine physical inventory to insure all items are tagged.

Inquire to ensure that all inventory locations are accounted for.

Account for all tags. Existence - Inventory recorded on the physical count exists

Vouch selected items on tags and count sheets to physical items in inventory.

Monitor count to determine if any physical movement of inventory occurs during the count.

Accuracy - Inventory count is accurate

Recount items and compare to the auditee's records.

Compare counts to the perpetual inventory system.

Classification - inventory items are properly classified by type.

Review classification on tags and compare to physical inventory to insure items have been properly classified as raw materials, work in process, and finished goods.

Review percentage of completion notations for work in process tags for reasonableness.

Cutoff - all and only inventory items present at year end were counted

Review shipping documents near the end of the year to insure items were not counted inventory.

Review shipping area for items set aside for shipment to insure they were counted.

Review receiving reports just before year end to insure items received were counted.

Review receiving area to insure items received by not moved to the warehouse were counted.

Rights - counted items belong to the auditee and are not on consignment

Inquire about consigned items.

Review purchase documents and receiving reports for indications of consigned merchandise.

Review items set aside and inquire if they are on consignment. Realizable value - counted items are not obsolete or unsalable.

Inquire of factory employees and management about obsolete items.

Tour inventory looking for rusted, dusty, and damaged merchandise that the auditee counted.

303

Audit Objective Audit Procedure Compilation

Tie in - totals on the inventory listing match the count, items have been accurately costed, and totals tie to the general ledger.

Foot inventory count sheet and trace to quantities on inventory listing.

Foot the inventory listings and trace to the general ledger.

Existence - items on the inventory listing exist

Vouch items on the inventory listing to the count sheet and to tags.

Account for all tag numbers to insure none have been added. Completeness - all inventory items are included on the inventory listing

Trace tag numbers to the inventory listing to insure all have been included.

Account for all tag numbers to insure none have been eliminated.

Accuracy - totals costs on the inventory listing for each item are accurate

Trace quantities on the tags to the count sheets and inventory listings to insure the count for each item listed on the inventory listing are accurate.

Test cost times quantity extensions on the inventory listing to insure accuracy.

Vouch prices on inventory listing to invoices and other cost accounting records, or to the auditee's perpetual inventory records if those contain costs.

Verify that the proper cost flow assumptions (LIFO, FIFO, Average Cost, Specific Identification) were used to assign costs on inventory listing.

Classification - items on the inventory listing are properly classified into raw materials, work in process, and finished goods

Trace classification on tags to the inventory count sheets and then to the inventory listing.

Realizable value - items on inventory listing can be sold for more than their assigned cost

Trace inventory tags for items identified as obsolete or damaged to inventory listing and review cost information for reasonableness.

Rights - the auditee owns the items in inventory

Trace tags mark as on consignment to inventory listing to insure they weren't included.

Review contracts with suppliers and customers and inquiry of management to identified items on consignment.

Substantive Analytical Procedures

The following table presents some of the more common substantive analytical procedures auditors use for the inventory cycle. Most substantive analytical procedures are general in nature and merely provide attention-directing information that need to research to obtain more powerful evidence of material misstatement. Thus, we have not associated these procedures with specific audit objectives.

304

Procedure Possible Misstatement Compare gross profit percentages year to year and to industrial averages

Most firms tightly control their gross profit percentages and most industries have sufficiently similar production functions that firms in the industry will have similar gross profit percentages. Thus, significant changes in the auditee's gross profit percentage could signal inventory count or costing errors that would also create cost of goods sold errors.

Compare inventory turnover or days sales or costs in inventory ratios year to year and to industrial averages

Most firms maintain tight inventory controls because, on one hand, maintaining inventory is costly but, on the other, having low inventory levels will mean lost sales. Thus, inventory levels tend to track close with sales activities. Also, firms in the same industry tend to have similar inventory management policies. Any significant change in these statistics could indicate errors in counting and costing inventory or fraudulent inventory amounts. Also, increases in days inventory or reductions in inventory turnover could indicate obsolete inventory

Compare unit costs for items in inventory year to year

Inflation will create some increases in costs, but increases in costs that exceed inflation or unexplained reductions in costs could signal errors in allocating and calculating unit costs.

Compare inventory and manufacturing costs year to year

Unexpected changes could signal calculation or counting errors. However, comparing days inventory or inventory turnover are better statistics to use because they factor out changes in volume that will affect changes in total costs.

Completing the Audit

This section presents a description of audit activities that typically occur after the auditor has completed their testing of controls and account balances. These activities normally do not lead to any changes in the financial statements, but do related to footnote disclosures as well as potential qualifications of the audit opinion. They also include communications the auditor is required to make to the auditee's management and Board of Directors regarding audit findings. These communications are in addition to the audit reports covered in Chapter 2.

Contingencies

Definition and Classification Rules

GAAP defines a contingency as an existing condition, situation, or set of circumstances involving uncertainty as to possible loss or gain to an entity that will ultimately be resolved when some future event occurs or fails to occur. A contingency is an incomplete transaction where part of the transaction has occurred, but the transaction won't be complete until some future event, or lack of event, occurs. Conceptually, GAAP is concerned with how complete the transaction is and whether it will lead to a gain or loss for the firm. The literature refers to contingent liabilities and losses as well as contingent gains and assets. Losses create a liability the firm needs to pay and gains create assets the firm can claim.

305

GAAP looks at two criteria for determining whether a firm needs to disclose contingency on the balance sheet, disclose it in footnotes, or ignored it: likelihood that the transaction will ultimate be completed and measurability of the value of the transaction when it is completed. GAAP applies conservatism and uses different criteria for a potential gain versus a potential loss. The probability categories GAAP to the likelihood criteria are:  Probable - the event that will close the transaction is likely to occur.

 Reasonably possible - the chance the transaction will close is more than remote but less than probable.

 Remote - the chance that the transaction will close is slight.

GAAP also considers whether the value of the transaction, should it close, is estimable or not. We have included a summary of the classification rules in the diagram below. There are three possible outcomes: the firm accrues the contingency in the balance sheet, discloses it in the footnotes, or ignores it (as far as the financial statements are concerned).109 Here is a short statement of the classification rules: For contingent losses or liabilities -  If the event is probably and the value is estimable - accrue it as a liability on the balance

sheet.

109 A discussion of both gains and losses for contingencies is included because GAAP includes rules for both. Auditors are heavily prejudiced towards conservatism and do not look for missing assets nearly as rigorously as missing liabilities but we have included them because it is an auditor's responsibility is to determine if the financial statements are fairly stated, not conservatively stated.

Probability of Occurrence

Accounting Treatment

Event Contingent

Loss/liability Contingent Gain/asset

Probable Reasonable Remote Probable Reasonable or Remote

Estimable?

Yes No

Accrue Disclose Disclose Ignore Ignore Disclose

306

 If the event is probable but the value is not estimable or the event is reasonably possible and the value is estimable, then disclose information about the event in the footnotes. Note that since the value is not estimable, or the event is only reasonably possible, the firm does not disclose the amount for the potential loss.

 If the probability is remote, then the auditee doesn't accrue or disclose anything.

For contingent gains or assets -  Disclose probably events

 Ignore all others

Examples

Contingent liabilities can be created by any of the following types of activities:  Pending or threatened lawsuits

 Other types of actual or possible claims or assessments (e.g., property tax valuation disputes)

 Income tax disputes

 Product warranties or defects

 Guarantees or obligations to others (e.g., co-signing on a note for another party)

 Agreements to repurchase receivables that a firm has sold but are subsequently not paid. The common example is selling or factoring accounts receivable with recourse.

Some of these events systematically lead to different types of classifications. For example, lawsuits tend not to lead to accruals because each case is unique and the uncertainties of litigation are substantial. However, product warrantee claims usually lead to accruals because they are an ongoing part of business and firms usually have substantial experience on which to base the probability that claims, on average, will occur and when they do, how much they will cost. The above list assumes that third parties have potential claims against the auditee. However, when the auditee has similar claims against others (i.e., are on the other side of the potential transaction), then a potential contingent gain or asset can occur.

Audit Procedures

The auditor's goal concerning contingencies is to ensure that the auditee has identified all of them (completeness); has properly classified them into their reporting category (classification); and has properly valued them if required by GAAP (accuracy). Auditors use a variety of procedures to look for contingencies. Some of the more common include:  Reading Board of Directors and Committee minutes

 Review contracts and other such agreements

307

 Review income, sales, property, and payroll tax returns

 Reviewing and confirming letters of credit, loan guarantees, and other such arrangements

 Reviewing the general correspondence files of key corporate officers

 Interviewing the members of the Board of Directors and key corporate officers

 Obtaining attorney representation letters and reviewing expense accounts containing attorney's fees. The text covers attorney representation letters next.

 Obtaining a written statement from management concerning pending legal and other types of claims. The text also covers these management representation letters below.

Legal Representation Letters

Two of the above bullets require additional explanation. The first is the legal representation letter. Auditors ask the auditee's management to request certain information from their attorneys. Because of attorney client privilege, the auditee's attorney cannot directly respond to the auditor's requests for information. The request must come from the auditee. The auditor will review the auditee's payments to attorneys to identify the attorneys with which the auditee has done business and then ask the auditee's management to request legal representation letters from those attorneys. In addition, the auditor will ask the auditee's management for a list of attorneys as well. However, they will confirm the list by checking payments to attorneys. The legal representation letters ask attorneys to provide the following information:  List and description of any pending or threatened lawsuits or other claims against the

auditee along with the attorney's assessment of the likely outcome of each.

 If management has provided the auditor with a list of the types of items mentioned above, then the letter will ask the attorney for any additions that (s)he may be aware of.

 A statement from the attorney about whether his/her response has been limited in anyway and, if so, how and why.

 A statement about any materiality levels that the attorney and auditee have agreed upon for the purposes of responding to the auditor's inquiries.

Attorneys are required to provide information about items to which they have devoted substantial attention. The request also informs the attorney of the GAAP disclosure requirements and that they are not required to provide estimates of the outcome of events that are either inestimable or remote. However, they are required to respond to the letter. If the attorney doesn't respond, the auditor may have to qualify their opinion on the auditee's financial statements. Requests for attorney letters can place the attorney in a difficult situation. Attorneys represent clients and, therefore, need to address the client's best interests. The need to be cautious about disclosing information in an attorney letter that might undermine their client's case is the representation letter becomes evidence in the case. One common example is unasserted claims, i.e., threatened but not filed lawsuits. If such unasserted claims were to end up in a footnote, it might trigger a lawsuit. If the attorney refuses to provide full disclosures, then their refusal

308

constitutes a scope limitation and the auditor may be required to qualify their opinion or disclaim an opinion depending on the materiality level of the missing information. Since the attorney knows this, they tend to cooperate with the auditor. However, as we said to start with, the process places them in a difficult situation.

Management Representation Letters

In addition to the legal representation letters, auditors ask management to confirm, in writing, that statements they have made to the auditors during the audit have been accurate and complete. While legal representation letters focus mainly on contingencies, management representation letters are much broader. Management representation letters are one of the tools auditors use to detect contingencies. However, the letter covers all statements management has made to the auditors during the audit. Management representation letters are very important to the audit because the audit is so heavily dependent on information provided by management. Recall our discussion at the beginning of the class on moral hazard and the need for auditing. The audit in essence is an assessment of management's performance. However, management controls the bulk of the information on which the audit is based. Thus, there is a moral hazard problem. Auditors do many tests of records and gather information from third parties while conducting an audit. However, they still are heavily dependent on the accuracy and completeness of the information that management provides. Thus, auditors require management to sign a statement that management has been complete and accurate in making statements to the auditors. Some specific items included in a typical management representation letter include:  The financial statements are fairly stated under GAAP and all required footnote disclosures

have been included

 That all financial records, Board of Directors meeting minutes, and other key documents and correspondence have been supplied to the auditor

 That all communications with regulatory agencies regarding financial reporting have been disclosed

 All material transactions have been reported and/or disclosed

 The effects of uncorrected audit findings are immaterial

 Management recognizes their responsibility to establish and maintain an effect system of internal control and that they monitor the effectiveness of that control system

 They have no knowledge of any fraud

 They are not aware of any violations of the law

 They have no plans for future events that would affect the current valuation of liabilities and assets

 The firm is in compliance with all contracts and commitments

 Regulatory filings are complete and accurate

309

This is a highly condensed list and most management representation letters contain a lot more detail. For example, We included one bullet for "compliance with GAAP." Most management representation letters would include detailed statements about accounts receivable, inventory, and other asset and liability valuations even though those are contained within GAAP. This is letter "butt covering" on the part of the auditor. If there is a problem with the financial statements that auditors don't catch, they want to be able to document that management misrepresented something to them to limit their liability.

Commitments

Commitments are similar to contingencies in that they involve incomplete transactions and, if material, the firm needs to disclose or, in some cases, accrued them. Firms engage in a variety of long-term, non-cancellable contracts that create commitments for the firm. In most cases, these commitments do not rise to the level of a liability because the transaction isn't complete. However, they may be significant in size and GAAP requires that the firm disclose them. The two most common classes of commitments are long-term, non-cancellable leases and purchase contracts. We will not go into the details of lease accounting in this course. Financial accounting classes cover lease accounting. However, the auditor needs to review the auditee's leases and insure that they have been capitalized where required by GAAP. For operating leases that are not required to be capitalized, auditors need to ensure that the required disclosures are included in the footnotes. Long-term, non-cancellable purchase contracts are similar to long-term non-cancellable leases in that a lease is a commitment to purchase the use of an asset over time at a predetermined price while a purchase contract is a commitment to purchase an asset at a pre-determined price. If the size of these purchase commitments is material, the firm must disclose the details of the purchase contract in the footnotes. Under certain circumstances, these purchase contracts may require that the auditee record a loss on their financial statements. For example, if the auditee has signed a non-cancellable purchase contract to purchase a raw material that is traded openly and the contract price is higher than the market price as of the balance sheet date, the auditee would need to record a loss.

Subsequent Events and Discovery of Facts

While the auditor is certifying financial statements for a specific period and as of a specific date, they also are required to look for major events or facts that occur after the fiscal year close and balance sheet date that might have a significant effect on how the reader of the financial statement would view the audited financial statements. In addition, the auditor may discover facts relevant to their audit opinion after they issue the opinion. This section discusses the rules auditors apply for determining whether these subsequent events and subsequent discovery of facts require either an alteration to the audit report. The following figure presents the time line involved.

310

As the figure illustrates, generating an audit report and publishing financial statements takes time. Auditors have work they must do after the close of the fiscal year because they are certifying ending balances. However, once the auditor issues his/her report to the auditee, it takes time for the auditee to actually make the financial statements public and file them with the SEC. The auditor's responsibility for those financial statements doesn't end after the end of the fiscal year, nor after they issue their audit report. They are required to monitor the auditee even after the financial statements and audit reports are issued to determine if something happened that is relevant to those financial statements.

Subsequent Events

Subsequent events are events that occur after the end of the fiscal year up to the time when the auditor completes their work and issues their report to the auditee. Some of these subsequent events can have a material effect on the financial statements for the fiscal year. There are two types of subsequent events: type 1 and type 2. The definition of these two types of events, and the auditor's responsibility for them, is very similar for both the auditor's responsibility for the financial statements as well as for the reports they now are required to issue on the auditee's internal controls. Thus, although the examples focus on matters that effect the financial statements and footnotes, the same logic and procedures apply to subsequent events that might affect the auditor's assessment of the auditee's internal controls as well.  Type 1 subsequent event - events that occur after the fiscal year end and before the

auditor completed his/her report but that provide evidence about conditions that existed at or before the balance sheet date that materially affect the financial statements. An example would be the bankruptcy of a customer who owed the auditee money. In this case, the Auditors consider the bankruptcy as evidence that the customer's account, at the balance sheet date, might be uncollectable even though the bankruptcy occurred after the balance sheet date. Bankruptcies result from deteriorating financial conditions over time so a bankruptcy shortly after the end of the auditee's fiscal year probably provides evidence that the account wasn't collectable at year end either.

Another example would be settling a lawsuit where the amount of the settlement is different from the estimate shown in the auditee's footnotes or that was accrued as a liability. Type 1 subsequent events, if material, require that the auditee restate the financial statements before issuing them.

Financial Statement

Date - 12/31

Audit Report Date - 2/15

Date Financial Statements are

Issued - 3/15

Subsequent Event Period

Dual Dating Period

Subsequent Discovery of Facts

311

 Type 2 subsequent event - events that occur after the end of the fiscal year and before the auditor complete his/her report, but might alter the fairness of the presentation of the financial statements as of the end of the fiscal year. However, they don't provide additional evidence about conditions that existed at year end. These events tend to be large transactions, like the sale of subsidiary, merger with another firm, large stock or bond issuance, and major casualty loss (e.g., fire or flood). The auditee must be disclosed these events in the footnotes before the financial statements are issued.

Subsequent Discovery of Facts

A subsequent event is one that occurred after the balance sheet date but before the auditor completed his/her audit report. Thus, information about these events can be included in the financial statements and audit reports before the auditee makes the report public. Auditors are not required to conduct any audit procedures after they complete their work and audit report. However, they are required to perform audit procedures on information they obtain after they have completed their audit report but before it is made public if, like a subsequent event, the information has a material effect on the financial statements. If the facts relate to events that occurred after the audit report was issued but before the financial statements were issued and don't have a material effect on the financial statements; the auditor is not required to do anything. This event is called a subsequent discovery of fact. An example would be that the client notifies the auditor after the auditor complete the audit report that they had discovered a major bug in their inventory software and that their ending inventory for the audit year was materially misstated. If the misstatement indicated by the subsequent discovery of fact is material, the audit needs to work with the client to reissue the financial statements and audit report. However, the auditor has a choice of either reissuing the entire report or dual dating the report. Dual dating means that the audit report will have two dates, one for the bulk of the financial statement information and one strictly for the subsequent discovered fact. Refer to the dates in the figure above to follow this example. Assume that the auditee notified the auditor on 3/1 that they found a bug in their inventory system and their ending inventory as of 12/31 was materially misstated. The auditor would need to audit the revised inventory balance and modify his/her report to include that information. However, if (s)he re-dated their entire audit report to 3/1 to indicate the date on which (s)he completed his/her audit work, (s)he now would be liable for all activity affecting the financial statements up to 3/1, not just for activity that occurred up to 2/15. To limit his/her liability, the auditor would leave the audit report date at 2/15, but include a statement in the report that they had audited the inventory as of 3/1. By dual dating the audit report, auditors are limiting their liability for other activity that might have occurred between 2/15 and 3/1. If the auditee notifies the auditor of a material event after the auditee made the financial statements and report public, the auditor would need to require that the auditee withdraw and reissue the report. For example, if the auditee notified the auditor of the inventory system bug after 3/15, the auditor would need to do additional auditor procedures on the inventory as before

312

and require that the auditee withdraw and reissue the financial statements and the auditor's revised report. The auditor would need to reissue their report after the client corrected the financial statements. In addition, the auditor would have to ensure that the auditee disclosed circumstances surrounding the re-issuances of the financial statements and the details of the reason for the re-issuances in the footnotes of the re-issued financials statement. The auditor can still dual date that report. Since the auditee made the financial statements and audit report public before it reported the event to the auditor, users may be relying on them. Thus, the auditee also needs to attempt to contact all parties whom they believe might be relying on the original financial statements and notify them of the error. If the auditee refuses, the auditor must do so. Obviously, the auditee and auditor cannot personally contact every person or institution that might be using the auditee's original financial statements. However, for publicly traded companies, they are required to contact the SEC, the stock exchanges on which the auditee's stock trades, and any other regulatory agency with which the auditee filed the original financial statements. In addition, if the audit used the financial statements to apply for a loan, for example, they would have to notify the lending institution. If the client refuses to restate their financial statements, the auditor is required, if possible, to:  notify the auditee to remove the auditor's report from their financial statements;

 notify regulatory agencies that the auditor's report is no long valid; and

 notify any persons the auditor knows are relying on the financial statements that the audit report is no long valid (e.g., the auditee's bank).

The auditor should include the details of the error and how it would have affected the financial statements and the auditor's report in each of these notifications.

Audit Procedures

Auditors are not required to execute any audit procedures to detect subsequent discovery of facts. However, they are required to execute some audit procedures to detect subsequent events. Some examples include:  Asking management

 Reviewing any interim financial statements, usually quarterly, that might have been issued for the subsequent fiscal year

 Examining the auditee’s records for transaction that occurred after the fiscal year end that might qualify as a subsequent event

 Review Board of Directors minutes and other documents after the fiscal year end

 Reviewing the management representation letter and legal representation letters for any evidence of subsequent events

313

Going Concern Evaluation

An audit is essentially an historical exercise since the auditor is certifying the accuracy of historical information. However, they have one major forward-looking responsibility, which is to assess the auditee's viability for the immediate future. Auditing standards define "immediate future" as up to one year past the date of the financial statements being audited. That is, the auditor must consider whether the auditee will still be a going concern up to a year after the balance sheet date of the financial statements they are auditing. The reason for this requirement is that most of the valuation rules GAAP applies to assets assume that those assets are part of a viable business and not just a group of un-related assets. Consider what the assets of a firm would be worth if they were sold off individually, possibly because of a bankruptcy, versus how much they would be worth as part of a viable firm. Thus, if the auditor believes that the auditee might not be viable over the next year, then the financial statements might not fairly present the value of the firm's assets. Auditors use the following steps to determine whether the auditee will be a going concern for the next year:  Determine whether the audit evidence indicates a substantial doubt that the auditee will be

a going concern.

 If the audit evidence creates a substantial doubt, review management’s plan to mitigate the factors that are creating the doubt. That is, the auditee might be struggling at the end of the year, but the auditee's management would be aware of the problems and have a plan to correct it. Auditors need to assess the viability of those plans before they conclude that there is substantial risk of a going concern problem.

 Evaluate the evidence and management's plans and conclude whether the auditee adequately discloses the factors creating the risk in the financial statement footnotes. In addition, auditors are required to include an explanatory paragraph in their audit opinion that refers to the issues that create the risk of a going concern problem. This text discussed the specifics of how auditors need to modify their report in Chapter 2.

Final Evidence Evaluation

After the auditors have completed their fieldwork but before they issue their final report, they are required to step back and look holistically at the audit evidence. The vast majority of the procedures that auditors use is focused on audit objective and account balance issues. However, they must certify that the financial statements, taken as a whole, are fairly stated. They also have to certify that the auditee's controls, taken as a whole, are effective. Thus, they need to consider the interactions between all the audit procedures they have run and the results they have obtained. The following subsections discuss a few of the major steps auditors execute to provide this level of overview.

314

Final Analytical Procedures

Earlier in this text, we discussed analytical procedures that auditors perform as part of their inherent risk assessment process. Auditors perform these procedures on the auditee's unaudited balances. Once the auditors have completed their fieldwork and the client has made any required adjustments to their account balances, the auditors rerun their analytical procedures to assess the overall fairness of the adjusted financial statements. Old auditors call this the "smell test" because they step back and try to determine if the final product "smells right."

Working Paper Review

Auditors must document everything they do thoroughly in their working papers, which have been prepared by all members of the audit team. However, the partner in charge of the audit ultimately is responsible for signing off on the auditee's financial statements and internal controls. Thus, the partner in charge would perform a detailed review of the audit working papers to insure him/herself that the audit reports (s)he intends to issue are supported by the evidence gather during the audit. In fact, audit firms review working papers at several levels. For example, audit seniors would review the working papers prepared by audit juniors under their supervision and audit managers would review the working papers of the audit seniors under their supervision. A part of this working paper review is to review the results of all the audit tests to determine how the results of those tests interact to affect the financial statements taken as a whole. For example, different audit procedures executed by different team members might contain information about a misstatement. These results might complement each other (add to the misstatement) or they might contradict each other (reduce the amount of the misstatement). Thus, auditors need to pull all the evidence together and organize it by objective and account balance to develop their final conclusions on the financial statements and controls.

Evaluate Financial Statement Presentation and Disclosure

The above discussion focuses on making sure the account balances are correct or that the auditor's conclusions about controls are supported. In addition, the auditor needs to review the financial statements in their final form to ensure that they are presented properly (e.g., current assets are properly shown in the right place on the balance sheet and properly labeled) and that all the disclosures required by GAAP are included in the footnotes.

Obtain Independent Review

Because of the risks involved in auditing, most firms require that a partner not associated with the audit review the audit results before the firm issues the audit reports. SOX and PCAOB

315

regulation require a second review by an engagement quality reviewer for firms that file with the SEC.110 Note that we referred to the engagement partner "signing off" on the audit above. This really is a colloquialism because individual auditors don't sign audit reports, the firm does. While the engagement partner does have legal liability for the audit, the firm has the primary responsibility and would be the first entity sued in case of an audit failure. Thus, to protect the firm, most audit firms required an independent review of the audit results before the firm issues the audit report even if it isn't required by the SEC. This process also is referred to as second partner review, concurring partner review, or engagement quality review. The PCAOB recently adopted a new standard that requires that audit firms disclose the name of the engagement partner is a separate form filed with the SEC. This new rule applies to all audit reports issued on or after June 30, 2017. The purpose of the new rule to provide users of financial statements with more information about who was in charge of the audit so they can evaluation individual audit partner performance.

Other Communications

In addition to the audit report, auditors generate two additional types of reports or communications. The first is to the auditee's board of directors and/or audit committee and the second is to management. The first is required; the second is normally done but not required.

Communications to the Board of Directors

Auditing standards require communications to "those individuals responsible for oversight of the entity's strategic direction and its financial reporting process, sometimes referred to as 'those charged with governance.'"111 Since that was a mouthful and since, for corporations and non- profit organizations, those charged with governance is the Board of Directors, We refer to the Board of Directors in this subsection. However, the Boards of Directors for most corporations include an Audit Committee. In that case, the auditors most likely would communicate these matters to the Audit Committee. The purpose of these communications is to ensure that the auditor has informed the Board of Directors fully about the conduct of the audit and the results of the audit. The items that auditors are required to communicate include:  The auditor's responsibility under GAAS

110 PCAOB (2009). Auditing Standard No. 7 - Engagement Quality Review. https://pcaobus.org/Standards/Auditing/pages/auditing_standard_7.aspx. Downloaded 9/24/2016. 111 W. F. Messier, Jr., S. M. Glover, and D. F. Prawitt (2008), Auditing & Assurance Services: A Systematic Approach, McGraw-Hill Irwin, page 607.

316

 The auditee's significant account policies and the auditor's judgment about the quality of those policies

 The existence of management judgments and estimates

 Any significant audit adjustments

 Any disagreements with management

 Any consultations with other accounting firms

 Any discussions with management prior to the auditor accepting the engagement

 Any difficulties encountered during the audit.

 Any evidence of fraud by senior management or that has a material effect on the financial statements.

 Any significant deficiencies and material weaknesses in the auditee's internal controls (We discuss these terms in more detail in the chapter on audit reports)

As you might expect, all these communications must be in writing so that they are properly documented.

Management Letter

This communication isn't required, but auditors usually generate a management letter at the end of the audit. This letter is a private communication between the auditor and the auditee's senior management and it may contain issues that are not included in the auditor's communications with the Board of Directors. Auditors use the management letter to communicate advice to senior management on how to improve their controls and financial reporting process. In addition, they may make operating recommendations on how the auditee can improve its profitability and financial position. Thus, it may not be limited to just financial reporting issues. The auditee pays a significant fee for the audit and would like to get a little more for their money that just opinions attached to their financial statements. In addition, auditors work with a variety of firms over time and gain a substantial amount of solid business management knowledge. By sharing their opinions and knowledge with the auditee, they help insure that the auditee will rehire them. They may also pick up some consulting work. However, SOX limits the types of consulting work they can do for the auditee.

317

Index

AAR ................................................................................... 91 Acceptable audit risk ........................................................ 91 Accounting listings and analysis ........................................ 82 Accounting Principles Board ............................................. 10 Accounts payable master file .......................................... 281 Accounts payable subsidiary ledger ................................ 281 Accounts payable trail balance, ...................................... 281 Accounts Payable Turnover ............................................ 286 Accounts receivable aging .............................................. 218 Accounts receivable subsidiary ledger ............................ 217 Accuracy - balance ............................................................ 68 Accuracy - transaction ...................................................... 67 Accuracy and valuation ..................................................... 69 ACFE ................................................................................ 154 acid-test ratio .................................................................. 148 Acquisition transaction files ............................................ 281 Acquisitions journals ....................................................... 281 Ad hoc calculations ......................................................... 110 Adjusting and reclassification entries ............................... 82 AICPA .................................................................................. 9 AICPA's Code of Professional Conduct .............................. 47 Analytical procedures ....................................................... 80 APB ................................................................................... 10 Application Controls ....................................................... 172 ASB ................................................................................ 9, 11 asset impairment ............................................................ 129 Asset misappropriation ................................................... 156 Asset Turnover ................................................................ 137 Association of Certified Fraud Examiners ....................... 154 Attribute sampling .......................................................... 225 audit committee ............................................................... 15 Audit Committees ........................................................... 173 audit failure ...................................................................... 54 audit juniors .................................................................... 103 audit managers ............................................................... 102 Audit plan ......................................................................... 82 Audit program ........................................................... 82, 206 audit risk ......................................................................... 269 audit risk model ................................................................ 90 audit seniors ................................................................... 103 audit trail ................................................................ 185, 189 Audit trail .......................................................................... 83 audited values ................................................................. 271 Auditee's budget ............................................................. 109 auditing ............................................................................... 1 Auditing Standards Board ............................................. 9, 11

Backorder ....................................................................... 216 backward looking ........................................................... 134 Balance objectives ........................................................... 67 Bank confirmations ........................................................ 289 basic precision ........................................................ 258, 261 Bill of lading ............................................................ 216, 280 Blank confirmation ......................................................... 246 Blind receiving ................................................................ 280 Board of director's minutes ............................................ 105 Brainstorming ................................................................. 161 business risk ................................................................... 269

CAP ................................................................................... 10 CAPEX ..................................................................... 143, 144 capital expenditures ....................................................... 144 capital market ................................................................ 147 cash conversion cycle ............................................. 137, 148 Cash Disbursements Journal .......................................... 286 Cash flow analysis .......................................................... 113 chain of command .................................................. 179, 192 change in accounting principal ......................................... 30 change in the reporting entity .......................................... 30 Changes due to new types of transactions or major events

.................................................................................... 31 Changes in account estimates .......................................... 31 Changes in comparability ................................................. 31 Changes in consistency..................................................... 31 class action lawsuits ......................................................... 60 classical variables sampling ............................................ 266 Classification - balance ..................................................... 68 Classification - transaction ............................................... 67 Classification and understandability ................................ 69 clean opinion .................................................................... 28 cloud computing............................................................. 187 COBIT) ............................................................................ 174 Code of conduct ............................................................. 105 Code of Conduct summary ............................................... 50 Committee of Sponsoring Organizations........................ 168 Committee on Accounting Procedure .............................. 10 Common carrier ............................................................. 216 Common-size financial statements ................................ 109 Completeness - balance ................................................... 68 Completeness - presentation and disclosure ................... 69 Completeness - transaction .............................................. 67 Concealment .................................................................. 160 Concurring partner review ............................................. 315 Confidence factors ......................................................... 269

318

Confidence level ............................................................. 228 Confirmation ..................................................................... 80 Confirmations ................................................................. 245 consequential ................................................................... 43 conservatism principle .................................................... 129 Consignment ................................................................... 213 contingency .................................................................... 304 contingent assets ............................................................ 304 contingent fees ................................................................. 14 contingent gains ............................................................. 304 contingent liabilities ....................................................... 304 contingent losses ............................................................ 304 continuing education ...................................................... 180 Contributory negligence ................................................... 59 control deficiency ............................................................. 42 Control deviation ............................................................ 225 control environment ....................................................... 172 Control environment ...................................................... 178 Control Objectives for Information and Related Technology

................................................................................... 174 control risk ........................................................................ 91 Control totals .................................................................. 188 Conversation ................................................................... 160 cookie jar reserves .......................................................... 107 Cookie jar reserves.......................................................... 108 corporate culture ............................................................ 191 corporate governance .................................................... 191 Corporation ......................................................................... 8 correction of an error in principle ..................................... 30 Corrective Controls ......................................................... 171 Corruption ...................................................................... 156 COSO ............................................................................... 168 Cost accounting records ................................................. 298 credit sales ...................................................................... 214 current audit file ............................................................... 82 current ratio .................................................................... 148 Customer statement ....................................................... 217 Cutoff ................................................................................ 68 Cutoff bank statements .................................................. 289 CVS .................................................................................. 266

Days Costs in Accounts Payable ...................................... 286 Days Inventory ................................................................ 138 Days Payables ................................................................. 138 Days Receivable .............................................................. 138 Debit memo .................................................................... 281 debt covenants ............................................................... 150 Deep pockets effect .......................................................... 55 definition .......................................................................... 41 Desired confidence level ................................................. 225 Detail tie-in ....................................................................... 68 detection risk ............................................................ 92, 253 Detective Controls .......................................................... 171 Dividend payout .............................................................. 149 Dividend Yield ................................................................. 149

Dual dating ..................................................................... 311 due care............................................................................ 49

engagement letter............................................................ 99 Engagement quality review ............................................ 315 Enterprise Risk Management - Integrated Framework .. 175 EPS .................................................................................. 134 ERM ................................................................................ 175 error and exception reports ........................................... 194 Error corrections not involving and error in accounting

principle ...................................................................... 31 Evidence appropriateness ................................................ 76 Evidence relevance ........................................................... 76 Evidence reliability ........................................................... 76 Evidence sufficiency ......................................................... 76 Existence .......................................................................... 68 Expected deviation rate ................................................. 228 Expected population deviation rate ....................... 225, 227 Expected population misstatement ............................... 250 expected value ............................................................... 171 external auditors ................................................................ 6

factoring ......................................................................... 148 FAF.................................................................................... 10 FASAB ............................................................................... 10 FASB ................................................................................. 10 FCPA ............................................................................... 173 Final analytical procedures ............................................. 108 Financial Accounting Foundation ..................................... 10 Financial Accounting Standard Board............................... 10 Financial Accounting Standards Advisory Board .............. 10 financial position ............................................................ 113 Financial statement fraud .............................................. 157 financing strategy ........................................................... 147 Firm-level threats ........................................................... 191 FOB ................................................................................. 216 Foreign Corrupt Practices Act ......................................... 173 Foreseeable user .............................................................. 59 Foreseen user ................................................................... 59 Formal Policies and Procedures .................................... 192 former employment ......................................................... 14 forward looking .............................................................. 134 Frame ............................................................................. 224 Fraud Elements Triangle ................................................. 157 Fraud Motivation Triangle .............................................. 157 Fraud Triangle ................................................................ 157 free cash flows ....................................................... 142, 144 Free on Board ................................................................. 216

319

GAAS ........................................................................... 11, 12 GASB ................................................................................. 10 General Controls ............................................................. 172 General economic data ................................................... 109 General Partnerships .......................................................... 9 generally accepted auditing standards ....................... 11, 12 Going concern ................................................................. 313 Governmental Accounting Standards Board..................... 10 Governmental auditors ....................................................... 6 gross profit margin.......................................................... 136 gross profit percentage ................................................... 136

haphazard sampling ........................................................ 230 Hash totals ...................................................................... 188 Hedging transactions ...................................................... 181 hiring practices ............................................................... 179

IAASB ................................................................................ 14 IASB ............................................................................. 11, 14 Identified user ................................................................... 59 IFAC ................................................................................... 14 IFRS ............................................................................. 11, 14 inadequate personnel .................................................... 193 incentives ....................................................................... 193 income smoothing .......................................................... 127 inconsequential ................................................................ 43 Inconsequential deficiency ............................................... 42 independent review ........................................................ 314 individually significant .................................................... 268 Industrial data ................................................................. 109 Information Asymmetry ...................................................... 3 Information risk .................................................................. 2 Information Systems Audit and Control Association ...... 174 inherent limitations .......................................................... 41 inherent risk ...................................................................... 91 initial public offerings ....................................................... 60 Inquiry ............................................................................... 79 insolvency ....................................................................... 151 Inspection of records and documents .............................. 78 Inspection of tangible assets ............................................ 78 Insurance registers.......................................................... 294 integrity ............................................................................ 49 Internal auditors ................................................................. 6 internal controls ............................................................... 91 Internal controls ............................................................. 170 Internal environment ...................................................... 178 Internal memos ................................................................. 82 International Accounting Standards Board ....................... 11 International Auditing and Assurance Board .................... 14

International Federation of Accountants ......................... 14 International Financial Reporting Standards .................... 11 International Standards on Auditing ................................ 14 introduction ............................................................... 28, 41 Inventory count sheets................................................... 301 Inventory listings ............................................................ 301 Inventory tags ................................................................ 301 Invoice ............................................................................ 216 Invoice confirmations ..................................................... 246 IPO .................................................................................... 60 ISA 14 ISACA .............................................................................. 174

Job costing documents ................................................... 298 job descriptions .............................................................. 192 joint and several liability .................................................. 58 Judgmental sampling...................................................... 230

leases .............................................................................. 309 legal representation letter ............................................. 307 leverage .......................................................... 135, 150, 151 Liability Companies ............................................................ 8 limited liability partnerships ........................................... 102 Limited Liability Partnerships ............................................. 8 Limited Partnerships .......................................................... 8 lines of authority ............................................................ 192 liquid assets .................................................................... 148 liquidity .......................................................................... 148 LLC ...................................................................................... 8 LLP .............................................................................. 8, 102 logical unit ...................................................................... 255 Logical unit ..................................................................... 252 Long-term Debt to Equity ............................................... 151 lower misstatement bound ............................................ 250 Lower misstatement bound ........................................... 258 lower of cost or market rule ........................................... 129

Management ambivalence ............................................. 191 Management letter ........................................................ 316 management override .................................................... 195 management representation letters .............................. 308 mandatorily redeemable, cumulative preferred stock ... 122 matching sources to uses ............................................... 147 material ............................................................................ 43 material weakness............................................................ 43 Materiality ........................................................................ 24 Materials requisitions ..................................................... 298 Maximum deviation rate ................................................ 231 Maximum upper deviation rate ..................................... 231

320

mean misstatements ...................................................... 267 mean-per-unit estimation ............................................... 267 Modified opinion reports .................................................. 29 monetary assets .............................................................. 148 Monetary unit sampling.................................................. 248 moral hazard ............................................................... 2, 308 MPUE .............................................................................. 267 MUS ................................................................................ 248

Negative confirmations................................................... 246 non-audit fees ................................................................... 15 Non-sampling risk ........................................................... 235 Non-statistical sampling.................................................. 222

objectivity and independence .......................................... 49 Observation ...................................................................... 78 Occurrence ....................................................................... 67 Occurrence and rights and obligations ............................. 68 operating performance ................................................... 113 opinion ........................................................................ 28, 41 opportunity cash flow ..................................................... 151 opportunity cost ............................................................. 151 organization charts ......................................................... 192 outside directors ............................................................. 173

P/E ratio .......................................................................... 134 Packing slip ............................................................. 216, 280 parking cash .................................................................... 118 partner in charge ............................................................ 102 partner rotation ................................................................ 14 payment voucher ............................................................ 280 PC 8 PCAOB ............................................................... 6, 9, 11, 173 peer review ....................................................................... 15 Perceived Value .............................................................. 191 Percentage change financial statements ........................ 109 Percentage of completion method ................................. 214 Performance materiality ........................................... 87, 238 permanent audit file ......................................................... 82 Perpetual inventory records ........................................... 298 Pervasive materiality ........................................................ 35 Pervasive materiality ........................................................ 25 Pervasive materiality ........................................................ 33 Physical examination ........................................................ 78 Physical representation .................................................. 224 Planning materiality .......................................................... 87 point estimate................................................................. 272 Point estimate of population misstatement ................... 264 population ...................................................................... 224

Population size ............................................................... 250 Positive confirmations .................................................... 246 Posting and Summarization .............................................. 67 PPS.................................................................................. 257 precision interval ............................................................ 272 preliminary analytical procedures .......................... 108, 127 Preliminary analytical procedures .................................. 107 Preparer incentives ............................................................. 2 Preventative Controls ..................................................... 171 price to earnings ratio .................................................... 134 Primary beneficiary .......................................................... 59 principal auditor ............................................................... 32 Probability proportionate to size ................................... 257 Professional Corporations .................................................. 8 Professional skepticism .................................................... 71 profit margin .................................................................. 136 profitability ..................................................................... 133 Proof of Cash .................................................................. 286 proportionate liability ...................................................... 58 Public Companies Accounting Oversight Board ........... 6, 11 Public Company Accounting Oversight Board ................ 173 public interest .................................................................. 49 purchase contract .......................................................... 279 purchase contracts ......................................................... 309 purchase order ............................................................... 279 Purchase order ............................................................... 215 purchase requisitions ..................................................... 279 Purchases journals ......................................................... 281 Purchases transaction files ............................................. 281

quick ratio ...................................................................... 148

Random sampling ........................................................... 229 ratio analysis .................................................................. 108 ratio of the audited to book balances ............................ 267 Realizable value ................................................................ 68 real-time reporting ......................................................... 194 reasonable possibility ....................................................... 43 Recalculation .................................................................... 80 Receiving report ............................................................. 280 Record counts ................................................................ 188 Related party .................................................................. 105 remittance advice ........................................................... 281 Remittance advice .......................................................... 217 remote likelihood ............................................................. 43 Reperformance ................................................................ 80 responsibilities ................................................................. 48 retained earnings ........................................................... 147 return on assets ............................................................. 115 Return on assets ............................................................. 134 Return on equity ............................................................ 115 return on investment ..................................................... 134

321

Return on owner's equity ............................................... 135 Rights and obligations ....................................................... 68 risk of incorrect acceptance ............................................ 250 risk of material misstatement ........................................... 92 Risk of overreliance......................................................... 226 risk/return tradeoff ......................................................... 147 RMM ................................................................................. 92 ROA ................................................................................. 134 ROE ................................................................................. 135 ROI .................................................................................. 134

Sales and collection processes ........................................ 211 Sales Journal ................................................................... 217 Sales order ...................................................................... 215 Sample deviation rate ..................................................... 231 sampling interval ............................................................ 230 Sampling interval ............................................................ 256 Sampling risk ................................................... 222, 226, 232 sampling unit .................................................................. 255 Sampling unit .................................................................. 224 Sarbanes-Oxley Act ......................................................... 173 SAS .............................................................................. 11, 13 scope ........................................................................... 28, 41 scope and nature of services ............................................ 49 Scope limitations .............................................................. 34 SDR .................................................................................. 231 SEC .................................................................................... 10 Second partner review .................................................... 315 Securities Act of 1933 ....................................................... 60 Securities and Exchange Commission ............................... 10 Securities Exchange Act of 1934 ................................. 10, 60 SIC code .......................................................................... 116 signature and date ...................................................... 28, 41 significant deficiency ........................................................ 43 Sole Proprietorships............................................................ 9 solvency .......................................................................... 150 SOX ................................................................................. 173 Standard deviation.......................................................... 270 Statements of Auditing Standards .................................... 11 Statements on Auditing Standards ................................... 13 statistical sampling ......................................................... 222 strata ............................................................................... 268 stratification.................................................................... 268 stratifying ........................................................................ 268 subsequent discovery of fact .......................................... 311 Subsequent events ......................................................... 310 Substantive analytical procedures .................................. 108 Systematic sampling ....................................................... 229

The Fraud Elements Triangle .......................................... 159 Theft act .......................................................................... 160 Timing ............................................................................... 67

title ............................................................................. 27, 41 Tolerable deviation rate ......................................... 225, 228 Tolerable difference ....................................................... 112 Tolerable error ................................................................. 87 tolerable misstatement .................................................. 238 Tolerable misstatement rate .......................................... 250 tone at the top ....................................................... 162, 179 Total Debt to Equity ....................................................... 151 tracing ............................................................................ 185 trade creditors ................................................................ 147 training ........................................................................... 180 training programs ........................................................... 179 Transaction controls ....................................................... 172 Transactions objectives ................................................... 66 Type 1 subsequent event ............................................... 310 Type 2 subsequent event ............................................... 311

ULRD ............................................................................... 231 Underreliance ................................................................. 226 Unlimited right of return ................................................ 213 Unmodified opinions with modified wording or

explanatory paragraph ................................................ 29 Upper limit rate of deviation .......................................... 231 upper misstatement bound............................................ 250 Upper misstatement bound ........................................... 258 utilization ....................................................................... 133

Variable sampling ........................................................... 225 Variation in the format or presentation of financial

information ................................................................. 31 vendor ............................................................................ 279 Vendor statements ......................................................... 281 vouching ......................................................................... 185

Warrantee ...................................................................... 213 working capital ....................................................... 137, 147 Working paper.................................................................. 83 working papers ................................................................. 82 Working trail balance ....................................................... 83 Working trial balance ....................................................... 82 Write-off authorization .................................................. 218 written policies and procedures ..................................... 192

yield curve ...................................................................... 145

322

This page was left blank intentionally.