We are a Dallas, Texas CPA firm specializing in audit, review, compilation, and agreed upon procedures services for Texas businesses in a wide range of industries and sizes.
".25 The auditor should include in the audit documentation the following:(Ref: par. .A35)
Issues identified with respect to compliance with relevant ethical requirements and how they were resolved
Conclusions on compliance with independence requirements that apply to the audit engagement and any relevant discussions with the firm that support these conclusions
Conclusions reached regarding the acceptance and continuance of client relationships and audit engagements
The nature and scope of, and conclusions resulting from, consultations undertaken during the course of the audit engagement (Ref:par. .A36)
.26 The engagement quality control reviewer should document, for the audit engagement reviewed
that the procedures required by the firm's policies on engagement quality control review have been performed;
the date that the engagement quality control review was completed; and
that the reviewer is not aware of any unresolved matters that would cause the reviewer to believe that the significant judgments that the engagement team made and the conclusions it reached were not appropriate"
AU-C Section 230 addresses the auditor's responsibility to prepare audit documentation for an audit of financial statements. Section 230 also states that it is neither necessary nor practicable for the auditor to document every matter considered, or professional judgment made, in an audit.
Documentation of consultations with other professionals involving difficult or contentious matters that is sufficiently complete and detailed contributes to an understanding of
the issue on which consultation was sought and
the results of the consultation, including any decisions made, thebasis for those decisions, and how they were implemented.
"An effective system of quality control includes a monitoring process designed to provide the firm with reasonable assurance that its policies and procedures relating to the system of quality control are relevant, adequate, and operating effectively. The engagement partner should consider
the results of the firm's monitoring process as evidenced in the latest information circulated to the engagement partner by the firm and, if applicable, other network firms and
whether deficiencies noted in that information may affect the audit engagement. (Ref: par. .A32–.A34)"
QC section 10 requires the firm to establish a monitoring process designed to provide it with reasonable assurance that the policies and procedures relating to the system of quality control are relevant, adequate, and operating effectively.
In considering deficiencies that may affect the audit engagement, the engagement partner may consider measures the firm took to rectify the situation that the engagement partner considers sufficient in the context of that audit.
A deficiency in the firm's system of quality control does not necessarily
indicate that a particular audit engagement was not performed in accordance
with professional standards and applicable legal and regulatory requirements
or that the auditor's report was not appropriate.
.21 For those audit engagements, if any, for which the firm has determined that an engagement quality control review is required, the engagement partner should
determine that an engagement quality control reviewer has been appointed;
discuss significant findings or issues arising during the audit engagement, including those identified during the engagement quality control review, with the engagement quality control re-viewer; and
not release the auditor's report until the completion of the engagement quality control review. (Ref: par. .A23–.A25)
.22 The engagement quality control reviewer should perform an objective evaluation of the significant judgments made by the engagement team and the conclusions reached in formulating the auditor's report. This evaluation should involve
discussion of significant findings or issues with the engagement partner;
reading the financial statements and the proposed auditor's report;
review of selected audit documentation relating to the significant judgments the engagement team made and the related conclusions it reached; and
evaluation of the conclusions reached in formulating the auditor's report and consideration of whether the proposed auditor's report is appropriate. (Ref: par. .A26–.A31)
Differences of Opinion
.23 If differences of opinion arise within the engagement team; with those consulted; or, when applicable, between the engagement partner and the engagement quality control reviewer, the engagement team should follow the firm's policies and procedures for resolving differences of opinion."
An engagement quality control review is a process designed to provide an objective evaluation, before the report is released, of the significant judgments the engagement team made and the
conclusions it reached in formulating the auditor's report. The engagement quality control review process is only for those audit engagements, if any, for which the firm has determined that
an engagement quality control review is required, in accordance with its policies and procedures.
An engagement quality control reviewer is a partner, other person in the firm, suitably qualified external person, or team made up of such individuals, none of whom is part of the engagement team,
with sufficient and appropriate experience and authority to objectively evaluate the significant judgments that the engagement team made and the conclusions it reached in formulating the auditor's
report.
An engagement quality control review should be conducted in a timely manner at appropriate stages during the engagement so that significant findings or issues can be promptly resolved to the engagement quality control reviewer's satisfaction.
Documentation of the engagement quality control review may be completed after the
report release date as part of the assembly of the final audit file, as required in AU-C Section 230. However, when the engagement quality control review is completed after the auditor's report is dated and identifies instances where additional procedures or additional evidence is necessary, the date of the report should be changed to the date when the additional procedures have been satisfactorily completed or the additional evidence has been obtained, as required by AU-C Section 700.
The engagement partner should be alert for changes in circumstances in which an engagement quality control review is necessary, even though at the start of the engagement such a review was not required. The extent of the engagement quality control review may depend, among other things, on the complexity of the audit engagement and the risk that the auditor's report might not be appropriate in the circumstances. The performance of an engagement quality control review does not reduce the responsibilities of the engagement partner for the audit engagement and its performance.
Matters that may be considered in an engagement quality control review include the following:
Significant risks identified during the engagement in accordance with AU-C Section 315 and the responses to those risks in accordance with AU-C Section 330, including the engagement team's assessment of, and response to, the risk of fraud in accordance with AU-C Section 240
Judgments made with respect to materiality and significant risks
The significance and disposition of corrected and uncorrected misstatements identified during the audit
The matters to be communicated to management and those charged with governance and,when applicable, other parties, such as regulatory bodies
The engagement quality control reviewer may also consider the following:
The evaluation of the firm's independence with regard to the audit engagement
Whether appropriate consultation has taken place on matters involving differences of opinion or other difficult or contentious matters and the related conclusions arising from those consultations
Whether audit documentation selected for review reflects the work performed regarding the significant judgments and supports the conclusions reached
take responsibility for the engagement team undertaking appropriate consultation on difficult or contentious matters;
be satisfied that members of the engagement team have under-taken appropriate consultation during the course of the engagement, both within the engagement team and between the engagement team and others at the appropriate level within or outside the firm;
be satisfied that the nature and scope of such consultations are agreed with, and conclusions resulting from such consultations are understood by, the party consulted; and
determine that conclusions resulting from such consultations have been implemented. (Ref: par. .A20–.A22)"
Members of the engagement team have a responsibility to bring to the attention of appropriate personnel matters that, in their professional judgment, are difficult or contentious and may require consultation.
Effective consultation on significant technical, ethical, and other matters within the firm or, when applicable, outside the firm can be achieved when those consulted
are given all the relevant facts that will enable them to provide informed advice and
have appropriate knowledge, authority, and experience.
The engagement team may consult outside the firm (for example, when the firm lacks appropriate internal resources).The engagement team may take advantage of advisory services provided by other firms, professional and regulatory bodies, or commercial organizations that provide relevant quality
control services.
"The engagement partner should take responsibility for the following:
The direction, supervision, and performance of the audit engagement in compliance with professional standards, applicable legal and regulatory requirements, and the firm's policies and procedures (Ref: par. .A12–.A14 and .A19)
The auditor's report being appropriate in the circumstances"
The engagement partner should inform the engagement team about their responsibilities to comply with relevant ethical requirements and plan and perform the audit with professional skepticism, as required by AU-C Section 200.
A discussion with the engagement team should involve:
The objectives of the work to be performed
The nature of the entity's business
Risk-related issues
Problems that may arise
The detailed approach to the performance of the engagement
Supervision of the engagement team should include the following:
Tracking the progress of the audit engagement
Considering the competence and capabilities of individual members of the engagement team
Addressing significant findings or issues arising during the audit engagement
Identifying matters for consultation or consideration by qualified engagement team members during the audit engagement
".16 The engagement partner should be satisfied that the engagement team and any auditor's external specialists, collectively, have the appropriate competence and capabilities to
perform the audit engagement in accordance with professional standards and applicable legal and regulatory requirements and
enable an auditor's report that is appropriate in the circumstances to be issued. (Ref: par. .A9–.A11)"
The engagement partner has a responsibility to ensure that the engagement team members are competent and experienced enough to perform the audit engagement and issue an appropriate audit report.
In order to determine whether he has selected the appropriate engagement team, the engagement partner should make sure the engagement team has
understanding of, and practical experience with, audit engagements of a similar nature and complexity through appropriate training and participation.
understanding of professional standards and applicable legal and regulatory requirements.
technical expertise, including expertise with relevant IT and specialized areas of accounting or auditing.
knowledge of relevant industries in which the entity operates.
ability to apply professional judgment.
understanding of the firm's quality control policies and procedures.
".18 The engagement partner should take responsibility for reviews being performed in accordance with the firm's review policies and procedures. (Ref: par. .A15–.A16 and .A19) .19 On or before the date of the auditor's report, the engagement partner should, through a review of the audit documentation and discussion with the engagement team, be satisfied that sufficient appropriate audit evidence has been obtained to support the conclusions reached and for the auditor's report to be issued. (Ref: par. .A17–.A19)"
QC Section 10 recommends that suitably experienced team members review the work of other team members. As such, the engagement partner may delegate part of the review responsibility to other members of the engagement team.
A review consists of consideration of whether, for example
the work has been performed in accordance with professional standards and applicable legal and regulatory requirements;
significant findings or issues have been raised for further consideration;
appropriate consultations have taken place and the resulting conclusions have been documented and implemented;
the nature, timing, and extent of the work performed is appropriate and without need for revision;
the work performed supports the conclusions reached and is appropriately documented;
the evidence obtained is sufficient and appropriate to support the auditor's report; and
the objectives of the engagement procedures have been achieved.
Timely reviews by the engagement partner should the following items are appropriately addressed:
Critical areas of judgment
Significant risks
Other areas that the engagement partner considers important
The engagement partner need not review all audit documentation; however, he must document
the extent and timing of the reviews as required by AU-C Section 230.
An engagement partner taking over an audit during the engagement may review the work performed to the date of the change in order to assume the responsibilities of an engagement partner.
These direction, supervision, and review responsibilities are also required when the engagement team includes a member with expertise in a specialized area of accounting or auditing. For example the engagement partner might
Agree with that member upon the nature, scope, and objectives of that member's work and the respective roles of, and the nature, timing, and extent of communication between, that member and other members of the engagement team
Evaluate the adequacy of that member's work, including the relevance and reasonableness of that member's findings or conclusions and the consistency of those findings or conclusions with other audit evidence
".14 The engagement partner should be satisfied that appropriate procedures regarding the acceptance and continuance of client relationships and audit engagements have been followed and should determine that conclusions reached in this regard are appropriate. (Ref: par. .A7–.A8) .15 If the engagement partner obtains information that would have caused the firm to decline the audit engagement had that information been available earlier, the engagement partner should communicate that information promptly to the firm so that the firm and the engagement partner can take the necessary action. (Ref: par. .A8)"
The engagement partner is responsible for ensuring that the acceptance and continuance procedures are followed in accordance with AU-C Section 210. And if he later obtains information that would have caused the firm to decline the audit engagement, he should communicate that information to the firm so they can take the appropriate action.
According to QC Section 10, The following information is helpful for the engagement partner to access whether to accept or decline an audit engagement:
The integrity of the principal owners, key management, and those charged with governance of the entity
Whether the engagement team is competent to perform the audit engagement and has the necessary capabilities, including time and resources
Whether the firm and the engagement team can comply with relevant ethical requirements
Significant findings or issues that have arisen during the current or previous audit engagement and their implications for continuing the relationship
".11 Throughout the audit engagement, the engagement partner and other members of the engagement team should remain alert for evidence of noncompliance with relevant ethical requirements by members of the engagement team. (Ref: par. .A4) .12 If matters come to the engagement partner's attention, through the firm's system of quality control or otherwise, that indicate that members of the engagement team have not complied with relevant ethical requirements, the engagement partner, in consultation with others in the firm as appropriate, should determine that appropriate action has been taken.
Independence
.13 The engagement partner should form a conclusion on compliance with independence requirements that apply to the audit engagement. In doing so, the engagement partner should
obtain relevant information from the firm and, when applicable,
network firms to identify and evaluate circumstances and relationships
that create threats to independence;
evaluate information on identified breaches, if any, of the firm's
independence policies and procedures to determine whether they create a
threat to independence for the audit engagement; and
take appropriate action to eliminate such threats or reduce them to
an acceptable level by applying safeguards or, if considered
appropriate, to withdraw from the audit engagement when withdrawal is
possible under applicable law or regulation.The engagement partner
should promptly report to the firm any inability to resolve the matter
so that the firm may take appropriate action. (Ref: par. .A5–.A6)"
The engagement partner should constantly be on alert that the firm's ethical requirements are being met. This includes the engagement team's duty to
Fulfill its responsibilities
act in the public interest
act with integrity
be objective and independent;
and act with due care
A more detailed discussion of relevant ethics requirements were included in AU-C Section 200.16. If a member of the engagement team has not complied with a relevant ethical requirement, the engagement partner should take appropriate action.
The engagement partner should also determine whether the engagement is in compliance with independence rules by doing the following:
obtain information from the firm in order to identify relationships and threats to independence
identify any breaches to independence policies, if any, that would impair the independence of the engagement
take actions to eliminate threats to independence or reduce them to an acceptable level
A more detailed discussion of independence requirements were included in AU-C Section 200.15.
"The engagement partner should take responsibility for the overall quality on each audit engagement to which that partner is assigned. In fulfilling this responsibility, the engagement partner may delegate the performance of certain procedures to, and use the work of, other members of the engagement team and may rely upon the firm's system of quality control."
First, let's define a few terms noted in this requirement:
The engagement partner is the partner or other person in the firm who is responsible for the audit engagement and its performance and for the auditor's report that is issued on behalf of the firm and who, when required, has the appropriate authority from a professional, legal, or regulatory body.
A partner is any individual with authority to bind the firm with respect to the performance of a professional services engagement. For purposes of this definition, partner may include an employee with
this authority who has not assumed the risks and benefits of ownership.
Firms may use different titles to refer to individuals with this
authority.
A firm is a form of organization permitted by law or regulation whose
characteristics conform to resolutions of the Council of the AICPA and
that is engaged in public practice.
The engagement team is all partners and staff performing the engagement and any individuals engaged by the firm or a network firm who perform audit procedures on the engagement. This excludes an auditor's external specialist engaged by the firm or a network firm. The term engagement team
also excludes individuals within the client's internal audit function
who provide direct assistance on an audit engagement when the external
auditor complies with the requirements of section 610, Using the Work of
Internal Auditors.
Staff are professionals, other than partners, including any specialists that the firm employs.
A network firm is a firm or other entity that belongs to a network, as defined in ET section 0.400. A network is an association of entities, as defined in ET section 0.400, Definitions.
Leadership responsibilities are the tone at the top; for example, the engagement partner's communications and actions should emphasize:
the importance to audit quality of
performing work that complies with professional standards and applicable legal and regulatory requirements;
complying with the firm's applicable quality control policies and procedures;
issuing auditor's reports that are appropriate in the circumstances; and
the engagement team's ability to raise concerns without fear of reprisals and
the fact that quality is essential in performing audit engagements.
.01 This section addresses the specific responsibilities of the auditor regarding quality control procedures for an audit of financial statements. It also addresses, when applicable, the responsibilities of the engagement quality control reviewer. This section also applies, adapted as necessary, to other engagements conducted in accordance with generally accepted auditing standards (GAAS) (for example, a review of interim financial information conducted in accordance with section 930, Interim Financial Information). This section is to be read in conjunction with the AICPA Code of Professional Conduct and other relevant ethical requirements.
.02 Although Statements on Quality Control Standards are not applicable to auditors in government audit organizations, this section is applicable to auditors in government audit organizations who perform financial audits in accordance with GAAS.
System of Quality Control and the Role of the Engagement Teams
.03 Quality control systems, policies, and procedures are the responsibility of the audit firm. Under QC section 10, A Firm's System of Quality Control, the firm has an obligation to establish and maintain a system of quality control to provide it with reasonable assurance that
the firm and its personnel comply with professional standards and applicable legal and regulatory requirements and
reports issued by the firm are appropriate in the circumstances.
.04 Within the context of the firm's system of quality control, engagement teams have a responsibility to implement quality control procedures that are applicable to the audit engagement and provide the firm with relevant information to enable the functioning of that part of the firm's system of quality control relating to independence.
.05 Engagement teams are entitled to rely on the firm's system of quality control, unless the engagement partner determines that it is inappropriate to do so based on information provided by the firm or other parties.
.06 The engagement partner may use the assistance of other members of the engagement team or other personnel within the firm in meeting the requirements of this section. The requirements imposed by this section on engagement partners do not relieve other members of the engagement team of any of their professional responsibilities.
Effective Date
.07 This section is effective for engagements conducted in accordance with GAAS for periods ending on or after December 15, 2012.
Objective
.08 The objective of the auditor3 is to implement quality control procedures at the engagement level that provide the auditor with reasonable assurance that
the audit complies with professional standards and applicable legal and regulatory requirements and
the auditor's report issued is appropriate in the circumstances."
AU-C Section 220 provides the requirements for Quality Control in the audit of financial statements. It also discusses the requirements of the quality control review, if applicable, and should be read in conjunction with the AICPA Code of Professional Conduct.
Best practices for quality control policies are discussed in QC Section 10 "A Firm's System of Quality Control", which can be found at this link: https://www.aicpa.org/content/dam/aicpa/research/standards/auditattest/downloadabledocuments/qc-00010.pdf
QC Section 10 requires that the audit firm establish and maintain a system of quality control that provides reasonable assurance that the firm and its personnel comply with professional standards and legal and regulatory requirements, and the reports issued by the firm are appropriate in the circumstances. To fulfill that responsibility, QC Section 10 addresses the following topics:
Leadership responsibilities for quality within the firm
Relevant ethical requirements
Acceptance and continuance of client relationships and specific engagements
Human resources
Engagement performance
Monitoring
Engagement teams have a responsibility to comply with the quality control policies implemented by the audit firm, especially those related to independence. In addition, the engagement team is entitled to rely on the firm's system of quality control, for example:
competence of personnel through their recruitment and formal training.
independence through the accumulation and communication of relevant independence information.
maintenance of client relationships through acceptance and continuance systems.
adherence to applicable legal and regulatory requirements through the monitoring process.
Many of the requirements in this section are addressed to the engagement partner; but the engagement partner may delegate some of the duties to others within the firm. In turn, the duties imposed on engagement partners in this section does not relieve other engagement team members of their duties.
"If law or regulation prescribes a specific layout, form, or wording of the auditor's report that significantly differs from the requirements of GAAS, the auditor should evaluate
whether users might misunderstand the auditor's report and, if so,
whether the auditor would be permitted to reword the prescribed form to
be in accordance with the requirements of GAAS or attach a separate
report.
If the auditor determines that rewording the prescribed form or attaching a separate report would not be permitted or would not mitigate the risk of users misunderstanding the auditor's report, the auditor should not accept the audit engagement unless the auditor is required by law or regulation to do so. An audit performed in accordance with such law or regulation does not comply with GAAS. Accordingly, for such an audit, the auditor should not include any reference to the audit having been performed in accordance with GAAS within the auditor's report."
If a law or regulation prescribes the structure and wording of the auditor's report and it's not in accordance with GAAS, the Auditor needs to decide whether users might misunderstand the report; if the Auditor thinks they would, he should reword it to be in accordance with GAAS, or refuse to accept the engagement. If he does decide to issue that report, he should not reference GAAS, because the report is not in compliance with GAAS.
".14 The auditor should not agree to a change in the terms of the audit engagement when no reasonable justification for doing so exists. (Ref: par. .A35– .A37) .15 If, prior to completing the audit engagement, the auditor is requested to change the audit engagement to an engagement for which the auditor obtains a lower level of assurance, the auditor should determine whether reasonable justification for doing so exists. (Ref: par. .A38–.A39) .16 If the terms of the audit engagement are changed, the auditor and management should agree on and document the new terms of the engagement in an engagement letter or other suitable form of written agreement. .17 If the auditor concludes that no reasonable justification for a change of the terms of the audit engagement exists and is not permitted by management to continue the original audit engagement, the auditor should
withdraw from the audit engagement when possible under applicable law or regulation,
communicate the circumstances to those charged with governance, and
determine whether any obligation, either legal, contractual, or otherwise, exists to report the circumstances to other parties, such as owners, or regulators."
Management might request a change in terms of an audit engagement for the following reasons:
a change in circumstances affecting the need for the service
a misunderstanding about the nature of an audit as originally requested
a restriction on the scope of the audit engagement
The Auditor should consider the implications of a change to terms of the engagement and particularly the restriction on the scope of the audit. The above listed reasons might be acceptable, but the request to reduce the scope of the audit might not be acceptable if it's due to the Auditor finding misstatements or not being able to obtain sufficient appropriate audit evidence.
If the Auditor is requested to reduce the level of assurance of the engagement (e.g., from an audit to a review), the Auditor should assess the reasons for doing so. If the Auditor accepts the change, the Auditor should narrow his work and documentation and report to the terms of the new engagement. For example, in the final report, the Auditor should not make reference to:
the original audit engagement
any procedures that were performed in the original engagement
"On recurring audits, the auditor should assess whether circumstances require the terms of the audit engagement to be revised. If the auditor concludes that the terms of the preceding engagement need not be revised for the current engagement, the auditor should remind management of the terms of the engagement, and the reminder should be documented."
A recurring audit engagement is an audit engagement for an existing audit client for whom the auditor performed the preceding audit. Each year the Auditor performs the engagement he should determine whether the terms of the engagement should be revised. Typical factors that weigh into his decision might be:
Any indication that management misunderstands the objective and scope of the audit
Any revised or special terms of the audit engagement
A change of senior management
A significant change in ownership
A significant change in the nature or size of the entity's business
A change in legal or regulatory requirements
A change in the financial reporting framework adopted in the preparation of the financial statements
A change in other reporting requirements
If there are no changes to the terms of the engagement, the auditor should remind the client what the terms are, in either written or oral form. If orally, the Auditor should document with whom the discussion took place, when, and the significant points discussed.
".11 Before accepting an engagement for an initial audit, including a reaudit engagement, the auditor should request management to authorize the predecessor auditor to respond fully to the auditor's inquiries regarding matters that will assist the auditor in determining whether to accept the engagement. If management refuses to authorize the predecessor auditor to respond, or limits the response, the auditor should inquire about the reasons and consider the implications of that refusal in deciding whether to accept the engagement. .12 The auditor should evaluate the predecessor auditor's response, or consider the implications if the predecessor auditor provides no response or a limited response, in determining whether to accept the engagement."
When considering accepting a new audit engagement, the Auditor must speak with the predecessor auditor regarding matters that will help him decide whether to accept the client or not. Typically, the Auditor will submit a proposal to the potential client, but this proposal will include a statement that the proposal is not final until the Auditor has held discussions with and evaluated the responses of the predecessor auditor. If management refuses to allow the Auditor to hold discussions with the predecessor auditor, the Auditor should consider the implications of that refusal when deciding whether to accept the engagement.
The predecessor auditor is not required to speak to every proposing audit firm; instead the potential client should accept a single Audit firm, so that the predecessor auditor only has to speak to one Auditor regarding the engagement.
Professional standards require an Auditor to keep confidential any information about the client or the engagement unless given authorization from management. As such, the new Auditor will prepare a letter for management to sign and send to the predecessor auditor that gives the predecessor auditor permission to provide information to the new Auditor; and the new Auditor should hold those discussions in confidence.
Professional standards require auditors to cooperate with each other, which provides the basis for the predecessor auditor being expected to cooperate with the inquiries. If he is not able to because of litigation or other matters, he must specifically say that the response is limited and for what reasons.
Typical talking points of the discussion between the predecessor auditor and the new auditor include:
Information that might bear on the integrity of management
Disagreements with management about accounting policies, auditing procedures, or other similarly significant matters
Communications to those charged with governance regarding fraud and noncompliance with laws or regulations by the entity
Communications to management and those charged with governance regarding significant deficiencies and material weaknesses in internal control
The predecessor auditor's understanding about the reasons for the change of auditors
".09 The auditor should agree upon the terms of the audit engagement with management or those charged with governance, as appropriate. (Ref: par. .A20–.A21) .10 The agreed-upon terms of the audit engagement should be documented in an audit engagement letter or other suitable form of written agreement and should include the following: (Ref: par. .A22–.A26)
The objective and scope of the audit of the financial statements
The responsibilities of the auditor
The responsibilities of management
A statement that because of the inherent limitations of an audit, together with the inherent limitations of internal control, an unavoidable risk exists that some material misstatements may not be detected, even though the audit is properly planned and performed in accordance with GAAS
Identification of the applicable financial reporting framework for the preparation of the financial statements
Reference to the expected form and content of any reports to be issued by the auditor and a statement that circumstances may arise in which a report may differ from its expected form and content."
Depending on the size and complexity of the organization, the Auditor should agree on the terms of the engagement with management or those charged with governance, or both. The agreement on these terms includes the agreement by management of its responsibilities laid out in AU-C Section 210.06. This is required even if the audit is contracted by a third party.
An engagement letter or agreement should be put into place so that both parties understand their responsibilities, and it reduces the risk that management relies on the Auditor to perform the duties that are management's responsibilities.
The engagement letter must make reference to the following items:
Elaboration of the scope of the audit, including reference to applicable legislation, regulations, GAAS, and ethical and other pronouncements of professional bodies to which the auditor adheres
The form of any other communication of results of the audit engagement
Arrangements regarding the planning and performance of the audit, including the composition of the audit team
The expectation that management will provide written representations
The agreement of management to make available to the auditor draft financial statements and any accompanying other information in time to allow the auditor to complete the audit in accordance with the proposed timetable
The agreement of management to inform the auditor of events occurring or facts discovered subsequent to the date of the financial statements, of which management may become aware, that may affect the financial statements
The basis on which fees are computed and any billing arrangements
A request for management to acknowledge receipt of the audit engagement letter and to agree to the terms of the engagement outlined therein, as may be evidenced by their signature on the engagement letter
The engagement letter should also include the following items when relevant:
Arrangements concerning the involvement of other auditors and specialists in some aspects of the audit
Arrangements concerning the involvement of internal auditors and other staff of the entity
Arrangements to be made with the predecessor auditor, if any, in the case of an initial audit
Any restriction of the auditor's liability when not prohibited
Any obligations of the auditor to provide audit documentation to other parties
Additional services to be provided, such as those relating to regulatory requirements
A reference to any further agreements between the auditor and the entity
If the entity under audit includes both a parent and a component, the Auditor might need to get a separate engagement letter from the component if:
the component engaged the auditor
if a separate auditor's report is being issued on the component
it's is required for legal reasons
if the parent doesn't own a substantial piece of it
if the parent's management is generally independent of the management of the component
"If management or those charged with governance of an entity that is not required by law or regulation to have an audit impose a limitation on the scope of the auditor's work in the terms of a proposed audit engagement, such that the auditor believes the limitation will result in the auditor disclaiming an opinion on the financial statements as a whole, the auditor should not accept such a limited engagement as an audit engagement. If management or those charged with governance of an entity that is required by law or regulation to have an audit imposes such a scope limitation and a disclaimer of opinion is acceptable under the applicable law or to the regulator, the auditor is permitted, but not required, to accept the engagement."
As such, if the Auditor expects to disclaim an opinion on the audit, there is no use accepting the audit in the first place. Some scope limitations that would not preclude the Auditor from accepting the engagement include:
a management-imposed restriction that results in only a qualified opinion (i.e., not a disclaimer)
a restriction beyond management's control
Audits of employee benefit plans are those that require a disclaimer of opinion due to a scope limitation, but the law/regulation requires them and accepts them. As such, the Auditor can decide whether or not to accept this type of engagement.
AU-C Section 210.06b says: "The auditor should...obtain the agreement of management that it acknowledges and understands its responsibility:
for the preparation and fair presentation of the financial statements in accordance with the applicable financial reporting framework;
for the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error; and
to provide the auditor with
access to all information of which management is aware that is relevant to the preparation and fair presentation of the financial statements, such as records, documentation, and other matters;
additional information that the auditor may request from management for the purpose of the audit; and
unrestricted access to persons within the entity from whom the auditor determines it necessary to obtain audit evidence."
An audit is conducted under the premise that management has the responsibility to prepare its own financial statements, design and implement its own internal control, and provide the Auditor with access to all information and personnel he needs to conduct his audit.
The Auditor can assist in preparing the financial statements using information provided by management (e.g., the trial balance, schedules, contracts, etc.); however, management must take full responsibility for the preparation of those financial statements as well as its internal controls. There are different levels of responsibility between management and those charged with governance over the financial statements and internal controls, depending on the size or complexity of the entity (e.g., the execution and review/oversight functions).
The Auditor will request written representations from management that it has fulfilled its responsibilities according to the premise. If management will not acknowledge its responsibilities, the Auditor will be unable to obtain sufficient appropriate evidence, and should consider not accepting the engagement.
Management must maintain appropriate internal control to ensure the financial statements are free from material misstatement, but internal controls will not prevent all misstatements (because of the limitations of an audit). An audit under GAAS should not be used as a substitute for proper internal controls; as such, the Auditor is required to obtain from management an agreement that it has acknowledges and understands it has responsibility to design, implement, and maintain appropriate internal controls. The internal control of the entity will reflect its needs, and need not be overly complex or costly.
"the auditor should...determine whether the financial reporting framework to be applied in the preparation of the financial statements is acceptable"
An applicable financial reporting framework gives management a criteria to use when preparing its financial statements, and it gives the Auditor a criteria to use when auditing those financial statements. Without a financial reporting framework, there is no basis against which to compare the financial statements to.
An Auditor should understand the following areas in order to determine whether the financial reporting framework is appropriate:
the nature of the entity (e.g., whether it is a for-profit, governmental, or non-profit entity)
the purpose of the financial statements (e.g., how do the users prefer to see the financial information)
the nature of the financial statements (e.g., whether they are a complete set or a single statement)
whether law or regulation prescribes the appropriate framework
In some cases, there are a wide range of users of the financial statements; therefore, a general purpose framework (such as Generally Accepted Accounting Principles) is appropriate. In some cases, the needs of the financial statement users may be more specific and may require a special purpose framework (.e.g, tax basis).
"The auditor should...establish whether the preconditions for an audit are present..."
The preconditions for an audit are the use by management of an acceptable financial reporting framework in the preparation and fair presentation of the financial statements and the agreement of
management and, when appropriate, those charged with governance, to the premise on which an audit is conducted.
The premise is that the management and those charged with governance acknowledge and understand their responsibility:
for the preparation and fair presentation of the financial statements in accordance with the applicable financial reporting framework;
for the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error; and
to provide the auditor with
access to all information of which management and, when appropriate, those charged with governance are aware that is relevant to the preparation and fair presentation of the financial statements, such as records, documentation, and other matters;
additional information that the auditor may request from management and, when appropriate, those charged with governance for the purpose of the audit; and
unrestricted access to persons within the entity from whom the auditor determines it necessary to obtain audit evidence.
AU-C Section 210.01-03 says: "Scope of This Section
.01 This section addresses the auditor's responsibilities in agreeing upon the terms of the audit engagement with management and, when appropriate, those charged with governance. This includes establishing that certain preconditions for an audit, for which management and, when appropriate, those charged with governance are responsible, are present.Section 220, Quality Control for an Engagement Conducted in Accordance With Generally Accepted Auditing Standards, addresses those aspects of engagement acceptance that are within the control of the auditor. (Ref: par. .A1)
Effective Date
.02 This section is effective for audits of financial statements for periods ending on or after December 15, 2012.
Objective
.03 The objective of the auditor is to accept an audit engagement for a new or existing audit client only when the basis upon which it is to be performed has been agreed upon through
establishing whether the preconditions for an audit are present and
confirming that a common understanding of the terms of the audit engagement exists between the auditor and management and, when appropriate, those charged with governance."
In the subsequent blog posts and videos related to AU-C Section 210, Terms of Engagement, we will gain an understanding of the Auditor's responsibilities for agreeing upon the terms of the audit engagement with management and those charged with governance. This includes the determination of whether we are able to perform the engagement, as well as the responsibilities of the client's management.
AU-C Section 210 is effective for financial statements with periods ending on or after December 15, 2012, and it includes the requirements laid out in SAS 122.
The objective of the Auditor in complying with AU-C Section 210 is that the Auditor only accepts an audit engagement when an agreement is in place establishing the preconditions for the audit and confirming the terms of the engagement between the entity's management and the Auditor's firm.
Subsequent blog posts and videos will address the requirements necessary to achieve these objectives.
"If an objective in a relevant AU-C section cannot be achieved, the auditor should evaluate whether this prevents the auditor from achieving the over-all objectives of the auditor and thereby requires the auditor, in accordance with GAAS, to modify the auditor's opinion or withdraw from the engagement (when withdrawal is possible under applicable law or regulation). Failure to achieve an objective represents a significant finding or issue requiring documentation in accordance with section 230, Audit Documentation."
Whether or not an audit objective has been achieved depends on the Auditor's professional judgment, and might include an analysis of
the results of audit procedures performed in complying with the requirements of GAAS;
the auditor's evaluation of whether sufficient appropriate audit evidence has been obtained; and
whether more needs to be done in the particular circumstances of the audit to achieve the objectives stated in GAAS.
Circumstances that might prevent the Auditor from achieving an objective include those that:
prevent the auditor from complying with the relevant requirements of an AU-C section.
result in it not being practicable or possible for the auditor to carryout the additional audit procedures or obtain further audit evidence (e.g., due to a limitation in the available audit evidence)
The Auditor doesn't necessarily have to document that he achieved the objectives (e.g., in a separate checklist), but his documentation of conclusions in various audit areas should provide evidence that the objectives were achieved.
".27 The auditor should consider applicable interpretive publications in planning and performing the audit.
.28 In applying the auditing guidance included in an other auditing publication, the auditor should, exercising professional judgment, assess the relevance and appropriateness of such guidance to the circumstances of the audit."
Interpretive Publications are issued under the approval of the ASB and are included in AU-C Sections; they are not auditing standards, but they provide recommendations on how to apply GAAS in special circumstances (e.g., for entities in specialized industries). Examples of Interpretive Publications are AICPA Audit and Accounting Guides and Statements of Position.
Other auditing publications have no authoritative status; however,they may help the auditor understand and apply GAAS. The auditor is not expected to be aware of the full body of other auditing publications. We can assume that anything published by the AICPA is appropriate for use by the Auditor, but the auditor must assess the relevance of other such publications based on their reputation as a credible source of information. An example of an Other Auditing Publication might be the Journal of Accountancy.
".24 Subject to paragraph .26, the auditor should comply with each requirement of an AU-C section unless, in the circumstances of the audit,
the entire AU-C section is not relevant; or
the requirement is not relevant because it is conditional and the condition does not exist.
.25 GAAS use the following two categories of professional requirements,identified by specific terms, to describe the degree of responsibility it imposes on auditors:
Unconditional requirements.The auditor must comply with an unconditional requirement in all cases in which such requirement is relevant. GAAS use the word "must" to indicate an unconditional requirement.
Presumptively mandatory requirements. The auditor must comply with a presumptively mandatory requirement in all cases in which such a requirement is relevant except in rare circumstances discussed in paragraph .26. GAAS use the word "should" to indicate a presumptively mandatory requirement.
.26 In rare circumstances, the auditor may judge it necessary to depart from a relevant presumptively mandatory requirement. In such circumstances,the auditor should perform alternative audit procedures to achieve the intent of that requirement. The need for the auditor to depart from a relevant presumptively mandatory requirement is expected to arise only when the requirement is for a specific procedure to be performed and, in the specific circumstances of the audit, that procedure would be ineffective in achieving the intent of the requirement."
As such, the Auditor must follow all requirements in GAAS unless
an entire AU-C Section is not relevant (e.g., if the entity under audit does not have an internal audit function, the Auditor does not have to comply with any of the requirements in AU-C Section 610 "Using the Work of Internal Auditors") or
a requirement within an AU-C Section is not relevant (e.g., if there is no limited scope on the audit, then the auditor is not required to modify the auditor's opinion due to a scope limitation; or if there are no internal control deficiencies, the auditor is not required to internal control deficiencies to management or those charged with governance).
There are two types of requirements:
unconditional requirements: these are characterized with a "must" statement; the Auditor has to comply with these requirements unless irrelevant.
presumptively mandatory: these are characterized with a "should" statement; whether or not the auditor complies with these requirements depends on his professional judgment. Section 230 establishes documentation requirements for when an auditor departs from a relevant requirement. If a requirement would likely not achieve its intent, the Auditor can depart from that requirement, but he should perform alternative procedures that achieve that intent.
