Review of Introduction to Auditing Lynn Kingston, CPA Adjunct Faculty Portland State University

Definition of Auditing Auditing is a systematic process of 1) obtaining and evaluating evidence regarding assertions about economic actions and events 2) ascertaining the degree of correspondence between assertions and established criteria 3) Communicating the results to interested users

Audit Evidence “Audit evidence is all the information used by the auditor in arriving at the conclusions on which the audit opinion is based.”

Why are assertions important?

Overview of Three Classes of Assertions Class of Transactions Account Balances Presentation & Disclosure Occurrence Existence Occurrence/Rights Completeness Cutoff Accuracy Valuation/Allocation Accuracy/Valuation Classification Classification/ Understandability Rights/Obligations

Being Alert for Misstatements Misstatements can result from either errors or fraud and may consist of any misstatement of an assertion What is the difference between known misstatements and likely misstatements? What is the auditor’s responsibility for immaterial misstatements? What is the auditor’s responsibility to communicate misstatements to management?

Understanding the Entity and Its Environment

Goal: Assessing the Risk of Material Misstatement Develop a knowledgeable perspective about the entity Relate risks to what can go wrong and the F/S level of assertion level Consider the magnitude of risks that could result (Material?) Consider the likelihood of risks that could result

Inherent Risk at the Financial Statement Level (Pervasive Risks) Examples: Management turnover, reputation, or accounting skills Liquidity and going concern problems Pressure to meet debt covenants Changing industry conditions, etc. Responses Increased knowledge, skill, and ability of personnel assigned significant engagement responsibilities Involvement of a specialist Appropriate level of supervision of assistants

Inherent Risk at the Assertion Level Examples: Difficult to audit accounts or transactions Contentious or difficult accounting issues Susceptibility to misappropriation Complexity of calculations Significant volume of transactions Responses Choices about nature, timing and extent of substantive tests depends on internal controls

Fraud Defined Acts Resulting in Material Misstatements Intentional or Unintentional 2 Types of Misstatements Relevant to Fraud Fraudulent Financial Reporting Misappropriation of Assets

The Fraud Triangle

Significant risks that require special audit consideration Significant risks are often derived from business risks that may result in a material misstatement. Whether the risk is a risk of fraud Whether the risk is related to recent significant economic, accounting, or other developments and, therefore, requires specific attention The complexity of transactions Whether the risk involves significant transactions with related parties The degree of subjectivity in measurement Whether the risk involves significant nonroutine transactions

Significant risks Understand whether the entity has developed internal controls Communicate significant deficiency or material weakness Analytical procedures should not be the primary substantive test

Internal Control The auditor should obtain an understanding of the five components of internal control The auditor should obtain a sufficient understanding by performing risk assessment procedures to evaluate the design of controls relevant to an audit of financial statements and to determine whether they have been implemented

Internal Control The auditor should know enough to: Identify types of potential misstatements. Consider factors that affect the risks of material misstatement. Design tests of controls, when applicable, and substantive procedures.

Components of Internal Control Control Environment Risk Assessment Information and Communication Monitoring Control Activities Understand in Every Audit Depth of Understanding Depends on Audit strategy

Control Environment Tone at the top that influences control consciousness Integrity and Ethical Values Commitment to Competence Board of Directors and Audit Committee Management’s Philosophy and Operating Style Organizational Structure Assignment of Authority and Responsibility Human Resource Policies and Practices

Risk Assessment Process

Information and Communication Transactions Audit Trail or Transaction Trail Documents Records Communication

Information and Communication Authorize Execute Risk of Misstatement Risk of Misstatement Report Record Risk when you change the content of information about at transaction or you change the form of information Consideration

Monitoring Ongoing monitoring programs Separate evaluations Element of reporting deficiencies to the management / governance

Control Activities Authorization Segregation of Duties Information Processing Controls Computer General Controls Computer Application Controls Controls over the Financial Reporting Process Physical Controls Performance Reviews Controls over Mgmt. Discretion in Financial Reporting

Segregation of Duties

Overview of Computer Controls And Strategies for Test of Controls

Computer General Controls Organizational and operational controls System development and documentation controls Hardware and system controls Access Controls Data and Procedural Controls

Application Controls Programmed controls that identify and report possible misstatements in assertions

How to identify key controls Completeness Start Here Authorize / Initiate Execute Record Start Here For Occurrence, Accuracy, and Classification Consideration

Controls over the Financial Reporting Process Spreadsheets Accounting Database SQL Financial Statements Strong Controls Weak or No Controls Weak or No Controls

Control Activities Authorization Segregation of Duties Information Processing Controls Computer General Controls Computer Application Controls Controls over the Financial Reporting Process Physical Controls Performance Reviews Controls over Mgmt. Discretion in Financial Reporting

Overall Conclusion about Internal Controls What is the cumulative effect of all five components of internal control for each assertion?

PCAOB Auditing Standard #5 A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis. Note: There is a reasonable possibility of an event, as used in this standard, when the likelihood of the event is either "reasonably possible" or "probable," as those terms are used in Financial Accounting Standards Board Statement No. 5, Accounting for Contingencies ("FAS 5").3/

PCAOB Auditing Standard #5 A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting.

Factors that influence judgments about likelihood The nature of the financial statement accounts, disclosures, and assertions involved. For example, suspense accounts and related party transactions involve greater risk. The susceptibility of the related assets or liabilities to loss or fraud. The subjectivity and complexity of the amount involved, and the extent of judgment needed to determine that amount. The cause and frequency of any known or detected exceptions related to the operating effectiveness of a control. The interaction or relationship of the control with other controls. The interaction of the control deficiency with other control deficiencies. The possible future consequences of the deficiency.

Factors that influence judgments about magnitude The financial statement amounts or total of transactions exposed to the deficiency. The volume of activity in the account balance or class of transactions exposed to the deficiency in the current period or expected in future periods.

Analytical Procedures

Effective Analytical Procedures

Responses to risk at the assertion level Nature The nature of the audit procedures is of most importance in responding to the assessed risks. Timing Good internal controls are required to modify the timing of audit procedures Extent Directly related to test of details risk in the audit risk model The auditor also needs to consider other factors related to sample size

Nature and Timing of Test of Controls

General Categories of Substantive Tests Initial Procedures Analytical Procedures Tests of Details of Transactions Tests of Details of Balances Tests of Details of Accounting Estimates Tests of Details of Disclosures

Factors that influence performing substantive tests at an interim date The control environment and other relevant controls The availability of information at a later date that is necessary for the auditor’s procedures The objective of the substantive procedure The assessed risk of material misstatement The nature of the class of transactions or account balance and relevant assertions The ability of the auditor to reduce the risk that misstatements that exist at the period end are not detected by performing appropriate substantive procedures or substantive procedures combined with tests of controls to cover the remaining period in order to reduce the risk that misstatements that exist at period end are not detected

Evaluating the sufficiency and appropriateness of evidence At the end of the audit the auditor should cycle back through risk assessments made and evidence obtained to evaluate the effectiveness of the audit. Significance of the potential misstatement in the relevant assertion and the likelihood of its having a material effect, individually or aggregated with other potential misstatements, on the financial statements. Effectiveness of management’s responses and controls to address the risks. Experience gained during previous audits with respect to similar potential misstatements. Results of audit procedures performed, including whether such audit procedures identified specific instances of fraud or error. Source and reliability of available information. Persuasiveness of the audit evidence. Understanding of the entity and its environment, including its internal control.

Final Consideration Evaluate known and likely misstatements Consider material overstatement and understatements The effect of misstatements in prior periods

The Assurance Bucket Accounting 493/593 – Spring 2009 I’d like to introduce our “Assurance Bucket” analogy. This analogy will be expanded on during the course of the training. Essentially, the auditor’s goal is the fill the bucket with appropriate audit evidence to gain the level of desired assurance (high level of assurance for audits). Explain this over the next few slides: Risk Assessment Procedures form the base layer in the bucket – you do those first. Once you have assessed risk and planned audit responses to the risks of the entity, then you have the base of a level of assurance required (this is not enough assurance to render an opinion). Next is tests of controls (if applicable), substantial analytical procedures and finally substantive tests of details (last resort). Accounting 493/593 – Spring 2009

Filling the Assurance Bucket Risk Assessment Procedures Risk Assessment Procedures

Filling the Assurance Bucket Test of Controls Tests of Controls Risk Assessment Procedures 46

Filling the Assurance Bucket Substantive Analytical Procedures Substantive Analytical Procedures Tests of Controls Risk Assessment Procedures

Filling the Assurance Bucket Substantive Test of Details Substantive Tests of Details Substantive Analytical Procedures Tests of Controls Risk Assessment Procedures Emphasize that this top down approach illustrated in the assurance hierarchy is not about “avoiding detail testing” at all costs. Rather, it is about effectively leveraging the power of controls testing and substantive analytical procedures to direct attention to high risk areas as we go about obtaining sufficient appropriate evidence.

Filling the Financial Statement Assertion “Buckets” Tests of Controls Substantive Analytical Procedures Substantive Tests of Details Risk Assessment Procedures Display PowerPoint slide “Filling Financial Statement Assertion Buckets”. Our risk assessment procedures help us determine how big the bucket is for each assertion. Obviously, there are assertions that are more important or present bigger risks for some accounts than for others. For instance, existence or validity is typically more important for accounts receivable than it is for accounts payable. After we determine the risks associated with accounts, we can determine the size of our assurance buckets and then begin filling our buckets as we move through the assurance hierarchy. As depicted on the slide, most buckets will be filled with a combination of audit tests. In some instances our assurance buckets will be nearly full after we conduct tests of controls and analytical procedures. In other instances we will need to fill a significant portion of the bucket with our tests of details. For example, we may choose to fill the bucket largely through tests of details when an account contains a few large transactions. Obviously, if we are conducting an audit of internal control over financial reporting we will also gather evidence on the design and operating effectiveness of important controls over significant accounts. Currently, some of our buckets runneth over and some of our buckets are not full. Our goal, and that of our peer reviewers and the regulators who review our work papers, is to see nice, even, full buckets. Completeness Cut-Off Existence Valuation 49

Questions?