We are a Dallas, Texas CPA firm specializing in audit, review, compilation, and agreed upon procedures services for Texas businesses in a wide range of industries and sizes.
"If law or regulation prescribes a specific layout, form, or wording of the auditor's report that significantly differs from the requirements of GAAS, the auditor should evaluate
whether users might misunderstand the auditor's report and, if so,
whether the auditor would be permitted to reword the prescribed form to
be in accordance with the requirements of GAAS or attach a separate
report.
If the auditor determines that rewording the prescribed form or attaching a separate report would not be permitted or would not mitigate the risk of users misunderstanding the auditor's report, the auditor should not accept the audit engagement unless the auditor is required by law or regulation to do so. An audit performed in accordance with such law or regulation does not comply with GAAS. Accordingly, for such an audit, the auditor should not include any reference to the audit having been performed in accordance with GAAS within the auditor's report."
If a law or regulation prescribes the structure and wording of the auditor's report and it's not in accordance with GAAS, the Auditor needs to decide whether users might misunderstand the report; if the Auditor thinks they would, he should reword it to be in accordance with GAAS, or refuse to accept the engagement. If he does decide to issue that report, he should not reference GAAS, because the report is not in compliance with GAAS.
".14 The auditor should not agree to a change in the terms of the audit engagement when no reasonable justification for doing so exists. (Ref: par. .A35– .A37) .15 If, prior to completing the audit engagement, the auditor is requested to change the audit engagement to an engagement for which the auditor obtains a lower level of assurance, the auditor should determine whether reasonable justification for doing so exists. (Ref: par. .A38–.A39) .16 If the terms of the audit engagement are changed, the auditor and management should agree on and document the new terms of the engagement in an engagement letter or other suitable form of written agreement. .17 If the auditor concludes that no reasonable justification for a change of the terms of the audit engagement exists and is not permitted by management to continue the original audit engagement, the auditor should
withdraw from the audit engagement when possible under applicable law or regulation,
communicate the circumstances to those charged with governance, and
determine whether any obligation, either legal, contractual, or otherwise, exists to report the circumstances to other parties, such as owners, or regulators."
Management might request a change in terms of an audit engagement for the following reasons:
a change in circumstances affecting the need for the service
a misunderstanding about the nature of an audit as originally requested
a restriction on the scope of the audit engagement
The Auditor should consider the implications of a change to terms of the engagement and particularly the restriction on the scope of the audit. The above listed reasons might be acceptable, but the request to reduce the scope of the audit might not be acceptable if it's due to the Auditor finding misstatements or not being able to obtain sufficient appropriate audit evidence.
If the Auditor is requested to reduce the level of assurance of the engagement (e.g., from an audit to a review), the Auditor should assess the reasons for doing so. If the Auditor accepts the change, the Auditor should narrow his work and documentation and report to the terms of the new engagement. For example, in the final report, the Auditor should not make reference to:
the original audit engagement
any procedures that were performed in the original engagement
"On recurring audits, the auditor should assess whether circumstances require the terms of the audit engagement to be revised. If the auditor concludes that the terms of the preceding engagement need not be revised for the current engagement, the auditor should remind management of the terms of the engagement, and the reminder should be documented."
A recurring audit engagement is an audit engagement for an existing audit client for whom the auditor performed the preceding audit. Each year the Auditor performs the engagement he should determine whether the terms of the engagement should be revised. Typical factors that weigh into his decision might be:
Any indication that management misunderstands the objective and scope of the audit
Any revised or special terms of the audit engagement
A change of senior management
A significant change in ownership
A significant change in the nature or size of the entity's business
A change in legal or regulatory requirements
A change in the financial reporting framework adopted in the preparation of the financial statements
A change in other reporting requirements
If there are no changes to the terms of the engagement, the auditor should remind the client what the terms are, in either written or oral form. If orally, the Auditor should document with whom the discussion took place, when, and the significant points discussed.
".11 Before accepting an engagement for an initial audit, including a reaudit engagement, the auditor should request management to authorize the predecessor auditor to respond fully to the auditor's inquiries regarding matters that will assist the auditor in determining whether to accept the engagement. If management refuses to authorize the predecessor auditor to respond, or limits the response, the auditor should inquire about the reasons and consider the implications of that refusal in deciding whether to accept the engagement. .12 The auditor should evaluate the predecessor auditor's response, or consider the implications if the predecessor auditor provides no response or a limited response, in determining whether to accept the engagement."
When considering accepting a new audit engagement, the Auditor must speak with the predecessor auditor regarding matters that will help him decide whether to accept the client or not. Typically, the Auditor will submit a proposal to the potential client, but this proposal will include a statement that the proposal is not final until the Auditor has held discussions with and evaluated the responses of the predecessor auditor. If management refuses to allow the Auditor to hold discussions with the predecessor auditor, the Auditor should consider the implications of that refusal when deciding whether to accept the engagement.
The predecessor auditor is not required to speak to every proposing audit firm; instead the potential client should accept a single Audit firm, so that the predecessor auditor only has to speak to one Auditor regarding the engagement.
Professional standards require an Auditor to keep confidential any information about the client or the engagement unless given authorization from management. As such, the new Auditor will prepare a letter for management to sign and send to the predecessor auditor that gives the predecessor auditor permission to provide information to the new Auditor; and the new Auditor should hold those discussions in confidence.
Professional standards require auditors to cooperate with each other, which provides the basis for the predecessor auditor being expected to cooperate with the inquiries. If he is not able to because of litigation or other matters, he must specifically say that the response is limited and for what reasons.
Typical talking points of the discussion between the predecessor auditor and the new auditor include:
Information that might bear on the integrity of management
Disagreements with management about accounting policies, auditing procedures, or other similarly significant matters
Communications to those charged with governance regarding fraud and noncompliance with laws or regulations by the entity
Communications to management and those charged with governance regarding significant deficiencies and material weaknesses in internal control
The predecessor auditor's understanding about the reasons for the change of auditors
".09 The auditor should agree upon the terms of the audit engagement with management or those charged with governance, as appropriate. (Ref: par. .A20–.A21) .10 The agreed-upon terms of the audit engagement should be documented in an audit engagement letter or other suitable form of written agreement and should include the following: (Ref: par. .A22–.A26)
The objective and scope of the audit of the financial statements
The responsibilities of the auditor
The responsibilities of management
A statement that because of the inherent limitations of an audit, together with the inherent limitations of internal control, an unavoidable risk exists that some material misstatements may not be detected, even though the audit is properly planned and performed in accordance with GAAS
Identification of the applicable financial reporting framework for the preparation of the financial statements
Reference to the expected form and content of any reports to be issued by the auditor and a statement that circumstances may arise in which a report may differ from its expected form and content."
Depending on the size and complexity of the organization, the Auditor should agree on the terms of the engagement with management or those charged with governance, or both. The agreement on these terms includes the agreement by management of its responsibilities laid out in AU-C Section 210.06. This is required even if the audit is contracted by a third party.
An engagement letter or agreement should be put into place so that both parties understand their responsibilities, and it reduces the risk that management relies on the Auditor to perform the duties that are management's responsibilities.
The engagement letter must make reference to the following items:
Elaboration of the scope of the audit, including reference to applicable legislation, regulations, GAAS, and ethical and other pronouncements of professional bodies to which the auditor adheres
The form of any other communication of results of the audit engagement
Arrangements regarding the planning and performance of the audit, including the composition of the audit team
The expectation that management will provide written representations
The agreement of management to make available to the auditor draft financial statements and any accompanying other information in time to allow the auditor to complete the audit in accordance with the proposed timetable
The agreement of management to inform the auditor of events occurring or facts discovered subsequent to the date of the financial statements, of which management may become aware, that may affect the financial statements
The basis on which fees are computed and any billing arrangements
A request for management to acknowledge receipt of the audit engagement letter and to agree to the terms of the engagement outlined therein, as may be evidenced by their signature on the engagement letter
The engagement letter should also include the following items when relevant:
Arrangements concerning the involvement of other auditors and specialists in some aspects of the audit
Arrangements concerning the involvement of internal auditors and other staff of the entity
Arrangements to be made with the predecessor auditor, if any, in the case of an initial audit
Any restriction of the auditor's liability when not prohibited
Any obligations of the auditor to provide audit documentation to other parties
Additional services to be provided, such as those relating to regulatory requirements
A reference to any further agreements between the auditor and the entity
If the entity under audit includes both a parent and a component, the Auditor might need to get a separate engagement letter from the component if:
the component engaged the auditor
if a separate auditor's report is being issued on the component
it's is required for legal reasons
if the parent doesn't own a substantial piece of it
if the parent's management is generally independent of the management of the component
"If management or those charged with governance of an entity that is not required by law or regulation to have an audit impose a limitation on the scope of the auditor's work in the terms of a proposed audit engagement, such that the auditor believes the limitation will result in the auditor disclaiming an opinion on the financial statements as a whole, the auditor should not accept such a limited engagement as an audit engagement. If management or those charged with governance of an entity that is required by law or regulation to have an audit imposes such a scope limitation and a disclaimer of opinion is acceptable under the applicable law or to the regulator, the auditor is permitted, but not required, to accept the engagement."
As such, if the Auditor expects to disclaim an opinion on the audit, there is no use accepting the audit in the first place. Some scope limitations that would not preclude the Auditor from accepting the engagement include:
a management-imposed restriction that results in only a qualified opinion (i.e., not a disclaimer)
a restriction beyond management's control
Audits of employee benefit plans are those that require a disclaimer of opinion due to a scope limitation, but the law/regulation requires them and accepts them. As such, the Auditor can decide whether or not to accept this type of engagement.
AU-C Section 210.06b says: "The auditor should...obtain the agreement of management that it acknowledges and understands its responsibility:
for the preparation and fair presentation of the financial statements in accordance with the applicable financial reporting framework;
for the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error; and
to provide the auditor with
access to all information of which management is aware that is relevant to the preparation and fair presentation of the financial statements, such as records, documentation, and other matters;
additional information that the auditor may request from management for the purpose of the audit; and
unrestricted access to persons within the entity from whom the auditor determines it necessary to obtain audit evidence."
An audit is conducted under the premise that management has the responsibility to prepare its own financial statements, design and implement its own internal control, and provide the Auditor with access to all information and personnel he needs to conduct his audit.
The Auditor can assist in preparing the financial statements using information provided by management (e.g., the trial balance, schedules, contracts, etc.); however, management must take full responsibility for the preparation of those financial statements as well as its internal controls. There are different levels of responsibility between management and those charged with governance over the financial statements and internal controls, depending on the size or complexity of the entity (e.g., the execution and review/oversight functions).
The Auditor will request written representations from management that it has fulfilled its responsibilities according to the premise. If management will not acknowledge its responsibilities, the Auditor will be unable to obtain sufficient appropriate evidence, and should consider not accepting the engagement.
Management must maintain appropriate internal control to ensure the financial statements are free from material misstatement, but internal controls will not prevent all misstatements (because of the limitations of an audit). An audit under GAAS should not be used as a substitute for proper internal controls; as such, the Auditor is required to obtain from management an agreement that it has acknowledges and understands it has responsibility to design, implement, and maintain appropriate internal controls. The internal control of the entity will reflect its needs, and need not be overly complex or costly.
"the auditor should...determine whether the financial reporting framework to be applied in the preparation of the financial statements is acceptable"
An applicable financial reporting framework gives management a criteria to use when preparing its financial statements, and it gives the Auditor a criteria to use when auditing those financial statements. Without a financial reporting framework, there is no basis against which to compare the financial statements to.
An Auditor should understand the following areas in order to determine whether the financial reporting framework is appropriate:
the nature of the entity (e.g., whether it is a for-profit, governmental, or non-profit entity)
the purpose of the financial statements (e.g., how do the users prefer to see the financial information)
the nature of the financial statements (e.g., whether they are a complete set or a single statement)
whether law or regulation prescribes the appropriate framework
In some cases, there are a wide range of users of the financial statements; therefore, a general purpose framework (such as Generally Accepted Accounting Principles) is appropriate. In some cases, the needs of the financial statement users may be more specific and may require a special purpose framework (.e.g, tax basis).
"The auditor should...establish whether the preconditions for an audit are present..."
The preconditions for an audit are the use by management of an acceptable financial reporting framework in the preparation and fair presentation of the financial statements and the agreement of
management and, when appropriate, those charged with governance, to the premise on which an audit is conducted.
The premise is that the management and those charged with governance acknowledge and understand their responsibility:
for the preparation and fair presentation of the financial statements in accordance with the applicable financial reporting framework;
for the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error; and
to provide the auditor with
access to all information of which management and, when appropriate, those charged with governance are aware that is relevant to the preparation and fair presentation of the financial statements, such as records, documentation, and other matters;
additional information that the auditor may request from management and, when appropriate, those charged with governance for the purpose of the audit; and
unrestricted access to persons within the entity from whom the auditor determines it necessary to obtain audit evidence.
AU-C Section 210.01-03 says: "Scope of This Section
.01 This section addresses the auditor's responsibilities in agreeing upon the terms of the audit engagement with management and, when appropriate, those charged with governance. This includes establishing that certain preconditions for an audit, for which management and, when appropriate, those charged with governance are responsible, are present.Section 220, Quality Control for an Engagement Conducted in Accordance With Generally Accepted Auditing Standards, addresses those aspects of engagement acceptance that are within the control of the auditor. (Ref: par. .A1)
Effective Date
.02 This section is effective for audits of financial statements for periods ending on or after December 15, 2012.
Objective
.03 The objective of the auditor is to accept an audit engagement for a new or existing audit client only when the basis upon which it is to be performed has been agreed upon through
establishing whether the preconditions for an audit are present and
confirming that a common understanding of the terms of the audit engagement exists between the auditor and management and, when appropriate, those charged with governance."
In the subsequent blog posts and videos related to AU-C Section 210, Terms of Engagement, we will gain an understanding of the Auditor's responsibilities for agreeing upon the terms of the audit engagement with management and those charged with governance. This includes the determination of whether we are able to perform the engagement, as well as the responsibilities of the client's management.
AU-C Section 210 is effective for financial statements with periods ending on or after December 15, 2012, and it includes the requirements laid out in SAS 122.
The objective of the Auditor in complying with AU-C Section 210 is that the Auditor only accepts an audit engagement when an agreement is in place establishing the preconditions for the audit and confirming the terms of the engagement between the entity's management and the Auditor's firm.
Subsequent blog posts and videos will address the requirements necessary to achieve these objectives.
"If an objective in a relevant AU-C section cannot be achieved, the auditor should evaluate whether this prevents the auditor from achieving the over-all objectives of the auditor and thereby requires the auditor, in accordance with GAAS, to modify the auditor's opinion or withdraw from the engagement (when withdrawal is possible under applicable law or regulation). Failure to achieve an objective represents a significant finding or issue requiring documentation in accordance with section 230, Audit Documentation."
Whether or not an audit objective has been achieved depends on the Auditor's professional judgment, and might include an analysis of
the results of audit procedures performed in complying with the requirements of GAAS;
the auditor's evaluation of whether sufficient appropriate audit evidence has been obtained; and
whether more needs to be done in the particular circumstances of the audit to achieve the objectives stated in GAAS.
Circumstances that might prevent the Auditor from achieving an objective include those that:
prevent the auditor from complying with the relevant requirements of an AU-C section.
result in it not being practicable or possible for the auditor to carryout the additional audit procedures or obtain further audit evidence (e.g., due to a limitation in the available audit evidence)
The Auditor doesn't necessarily have to document that he achieved the objectives (e.g., in a separate checklist), but his documentation of conclusions in various audit areas should provide evidence that the objectives were achieved.
".27 The auditor should consider applicable interpretive publications in planning and performing the audit.
.28 In applying the auditing guidance included in an other auditing publication, the auditor should, exercising professional judgment, assess the relevance and appropriateness of such guidance to the circumstances of the audit."
Interpretive Publications are issued under the approval of the ASB and are included in AU-C Sections; they are not auditing standards, but they provide recommendations on how to apply GAAS in special circumstances (e.g., for entities in specialized industries). Examples of Interpretive Publications are AICPA Audit and Accounting Guides and Statements of Position.
Other auditing publications have no authoritative status; however,they may help the auditor understand and apply GAAS. The auditor is not expected to be aware of the full body of other auditing publications. We can assume that anything published by the AICPA is appropriate for use by the Auditor, but the auditor must assess the relevance of other such publications based on their reputation as a credible source of information. An example of an Other Auditing Publication might be the Journal of Accountancy.
".24 Subject to paragraph .26, the auditor should comply with each requirement of an AU-C section unless, in the circumstances of the audit,
the entire AU-C section is not relevant; or
the requirement is not relevant because it is conditional and the condition does not exist.
.25 GAAS use the following two categories of professional requirements,identified by specific terms, to describe the degree of responsibility it imposes on auditors:
Unconditional requirements.The auditor must comply with an unconditional requirement in all cases in which such requirement is relevant. GAAS use the word "must" to indicate an unconditional requirement.
Presumptively mandatory requirements. The auditor must comply with a presumptively mandatory requirement in all cases in which such a requirement is relevant except in rare circumstances discussed in paragraph .26. GAAS use the word "should" to indicate a presumptively mandatory requirement.
.26 In rare circumstances, the auditor may judge it necessary to depart from a relevant presumptively mandatory requirement. In such circumstances,the auditor should perform alternative audit procedures to achieve the intent of that requirement. The need for the auditor to depart from a relevant presumptively mandatory requirement is expected to arise only when the requirement is for a specific procedure to be performed and, in the specific circumstances of the audit, that procedure would be ineffective in achieving the intent of the requirement."
As such, the Auditor must follow all requirements in GAAS unless
an entire AU-C Section is not relevant (e.g., if the entity under audit does not have an internal audit function, the Auditor does not have to comply with any of the requirements in AU-C Section 610 "Using the Work of Internal Auditors") or
a requirement within an AU-C Section is not relevant (e.g., if there is no limited scope on the audit, then the auditor is not required to modify the auditor's opinion due to a scope limitation; or if there are no internal control deficiencies, the auditor is not required to internal control deficiencies to management or those charged with governance).
There are two types of requirements:
unconditional requirements: these are characterized with a "must" statement; the Auditor has to comply with these requirements unless irrelevant.
presumptively mandatory: these are characterized with a "should" statement; whether or not the auditor complies with these requirements depends on his professional judgment. Section 230 establishes documentation requirements for when an auditor departs from a relevant requirement. If a requirement would likely not achieve its intent, the Auditor can depart from that requirement, but he should perform alternative procedures that achieve that intent.
"To achieve the overall objectives of the auditor, the auditor should use the objectives stated in individual AU-C sections in planning and performing the audit considering the interrelationships within GAAS to
determine whether any audit procedures in addition to those required by individual AU-C sections are necessary in pursuance of the objectives stated in each AU-C section; and
evaluate whether sufficient appropriate audit evidence has been obtained."
The objectives in each AU-C section help the auditor to link the requirements to the overarching goal of complying with the AU-C section and to focus the auditor on the desired outcome of the AU-C section. This will help the auditor to:
understand what needs to be accomplished and, when necessary, the appropriate means of doing so; and
decide whether more needs to be done to achieve the objectives in the particular circumstances of the audit.
In using the objectives, the auditor is required to consider the inter-relationships among the AU-C sections. This is because the AU-C sections in some cases address general responsibilities that apply to other sections and to the audit overall (e.g., the requirement for professional skepticism is included in this section and applies to all areas of the audit and to other sections, but is not included as a requirement in other sections).
The achievement of the objectives in each AU-C Section should be the ultimate goal of the auditor. And in cases where the requirements of an AU-C Section do not achieve the objectives (e.g., in an unusual circumstance or engagement), the auditor should perform additional procedures necessary to achieve the objectives. This might require the auditor to:
Evaluate whether further relevant audit evidence has been, orwill be, obtained as a result of complying with other AU-C sections;
Extend the work performed in applying one or more requirements; and/or
Perform other procedures judged by the auditor to be necessary inthe circumstances.
If the objectives have not been met, and none of the above additional considerations are practical or possible, the auditor should the auditor will not be able to obtain sufficient appropriate auditevidence and is required by GAAS to determine the effect on the auditor's reportor on the auditor's ability to complete the engagement.
https://www.aicpa.org/content/dam/aicpa/research/standards/auditattest/downloadabledocuments/au-c-00200.pdf
AU-C Section 200.20-22 says: ".20 The auditor should comply with all AU-C sections relevant to the audit. An AU-C section is relevant to the audit when the AU-C section is in effect and the circumstances addressed by the AU-C section exist. (Ref: par. .A57–.A62) .21 The auditor should have an understanding of the entire text of an AU-C section, including its application and other explanatory material, to understand its objectives and to apply its requirements properly. (Ref: par. .A63–.A71)
.22 The auditor should not represent compliance with GAAS in the auditor's report unless the auditor has complied with the requirements of this section and all other AU-C sections relevant to the audit."
The "Compliance With Standards Rule" (ET sec. 1.310.001) of the AICPA Code of Professional Conduct requires an auditor to comply with standards promulgated by the Auditing Standards Board (i.e., with GAAS). The Accounting Standards Board (i.e., the ASB) publishes auditing standards in Statements on Auditing Standards (i.e., SASs), which are then codified into AU-C Sections.
GAAS:
provide standards for fulfilling the overall objectives of the audit;
address general responsibilities of the auditor;
address those responsibilities for specific audit areas/topics; and
provide the scope, effective dates, and any limitations of applying the standards.
The audit may also be conducted in accordance with both GAAS and:
auditing standards promulgated by the Public Company Accounting Oversight Board (i.e., the PCAOB);
International Standards on Auditing;
Government Auditing Standards; or
auditing standards of a specific jurisdiction or country.
As such, it might be necessary for the auditor to perform additional procedures to comply with both GAAS and other standards. To comply with GAAS, the auditor must comply with the entire AU-C Sections that are relevant, which include:
Introductory Material: discusses the scope of the section; might include:
the purpose and scope of the AU-C Section
the subject matter of the AU-C Section
the responsibilities of the auditor and others in applying the AU-C Section
the context in which the AU-C Section is set
Definitions: a description of certain terms used in AU-C Sections.
Objectives: gives the overarching goal of applying the section
Requirements: gives the specific duties of the auditor in achieving the objectives
Application and other explanatory material: supports the requirements with additional tips for achieving the requirements.
Appendices: additional guidance to support the application and other explanatory material.
AU-C Section 200.19 says: "To obtain reasonable assurance, the auditor should obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level and thereby enable the auditor to draw reasonable conclusions on which to base the auditor's opinion."
In performing the audit, we can never gain absolute assurance that the financial statements as a whole are free from material misstatement; and that is because there are inherent limitations of an audit. These inherent limitations stem from:
the nature of financial reporting: many facets of the financial reporting framework require judgments and subjective decisions; therefore, some financial statement items contain inherent variability that can't be eliminated by performing more audit procedures (e.g., accounting estimates depending on future events).
the nature of audit procedures: there are several practical and legal limitations to performing the audit:
management might not provide all information that is relevant to the preparation and fair presentation of the financial statements; as such, the auditor can't be certain of the completeness of information provided to him.
fraud may be sophisticated and concealed; as such, the auditor's procedures may be ineffective in detecting intentional misstatements supported by falsified documents or information.
the audit is not a legal investigation; as such, he does not have the authority to search the entity.
the cost/benefit balance of the audit: the audit opinion and financial statements need to be issued within a reasonable period of time after the entity's fiscal year, thereby being relevant to the financial statement users. However, this turnaround might not be enough time for the auditor to exhaustively test every assumption of fraud or error until proved otherwise. As such, the auditor must strike a balance between the reliability of information and its cost; this can be achieved through proper planning .
As such, the auditor should:
plan the audit so that it will be performed in an effective manner;
direct audit effort to areas most expected to contain risks of material misstatement, whether due to fraud or error,with correspondingly less effort directed at other areas; and
use testing and other means of examining populations for misstatements.
Other areas that are susceptible to the inherent limitations of the audit:
Fraud (see AU-C Section 240)
Related party relationships (see AU-C Section 550)
Noncompliance with laws and regulations (see AU-C Section 250)
Going concern (see AU-C Section 570)
These inherent limitations are not an excuse for the auditor to be satisfied with less persuasive audit evidence. He still needs to obtain sufficient appropriate audit evidence that supports the auditor's opinion.
"To obtain reasonable assurance, the auditor should obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level and thereby enable the auditor to draw reasonable conclusions on which to base the auditor's opinion."
The AICPA defines audit risk as the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a function of the risks of material misstatement and detection risk.
Risk of Material Misstatement
The risk of material misstatement is the risk that the financial statements are materially misstated prior to the audit, and they exist at two levels:
The overall financial statement level: these are risks that relate pervasively to the financial statements as a whole and potentially affect many assertions (e.g., the risk of fraud or the management override of controls)
The assertion level: these are risks that relate to classes of transactions, account balances,and disclosures. The assessment of risk at this level allows the auditor to determine the nature, timing, and extent of audit procedures. The assertion level risks are composed of:
inherent risk: The susceptibility of an assertion about a class of transaction, account balance, or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls. Inherent risks might be higher for some accounts due to:
complex calculations (e.g., the value of derivatives)
significant estimation uncertainty (e.g., the allowance for doubtful accounts)
business risks (e.g., obsolete inventory in technology companies)
industry risks (e.g., a declining industry challenging the going-concern assumption)
control risk: The risk that a misstatement that could occur in an assertion about a class of transaction, account balance, or disclosure and that could be material, either individually or when aggregated with other misstatements,will not be prevented, or detected and corrected, on a timely basis by the entity's internal control. Proper internal controls can never eliminate the risk of material misstatement due to the inherent limitations of an audit, for example:
human error
collusion
management override of controls
AU-C Section 315 lays out requirements for assessing the risk of material misstatement at the overall financial statement level and the assertion level.
Detection Risk
Detection risk is the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements.
Detection risk bears an inverse relationship to the risk of material misstatement; for example, the higher the risk of material misstatement, the more evidence that needs to be obtained to mitigate the risk that potential misstatements go undetected.
The following steps in an audit help the auditor to develop the nature, timing, and extent of his audit procedures to reduce detection risk to an appropriate level:
Adequate planning
Proper assignment of personnel to the engagement team
The application of professional skepticism
Supervision and review of the audit work performed
AU-C Section 300 establishes requirements and provides guidance on planning an audit of financial statements and the auditor's responses to assessed risks. Detection risk, however, can only be reduced, not eliminated, because of the inherent limitations of an audit. Accordingly, some detection risk will always exist.
"To obtain reasonable assurance, the auditor should obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level and thereby enable the auditor to draw reasonable conclusions on which to base the auditor's opinion."
Audit evidence is required to support the auditor's opinion, and is comprised of information (or a lack of information) that supports or contradicts management's assertions; this evidence can come from several places:
procedures performed over the course of the audit;
previous audits;
a firm's quality control procedures;
the entity's accounting records; or
information provided by a specialist employed by the entity.
The auditor should seek to obtain evidence that is sufficient and appropriate to support his opinion. Sufficiency (i.e., quantity) and appropriateness (i.e., quality) of evidence are inversely related. For example, if the quality of the evidence is high, the auditor might determine he doesn't need as much evidence to support the assertion. Whether or not sufficient appropriate audit evidence has been obtained is a matter of professional judgment and explained more in detail at AU-C Section 500.
"The auditor should exercise professional judgment in planning and performing an audit of financial statements."
Professional judgment is defined as the application of relevant training, knowledge, and experience, within the context provided by auditing, accounting, and ethical standards, in making informed decisions about the courses of action that are appropriate in the circumstances of the audit engagement.
Since the requirements of GAAS, ethical standards, and accounting principles are frameworks and do not specifically reference every situation the auditor might encounter, the auditor has to leverage his knowledge and experience in planning, performing, and reporting on the audit.
Areas where the auditor is required to use his professional judgment include his assessment of:
materiality and audit risk;
the nature, timing, and extent of audit procedures used to meet the requirements of GAAS and gather audit evidence;
whether sufficient appropriate audit evidence has been obtained, and whether more needs to be done to achieve the objectives of GAAS and thereby, the overall objectives of the auditor;
the evaluation of management's judgments in applying the entity's applicable financial reporting framework; and
the drawing of conclusions based on the audit evidence obtained.
The level of professional judgement required of the auditor is obtained through relevant training, knowledge, and experience. In cases where the auditor does not have the knowledge or experience to exercise sound professional judgement, he should consult with others within and/or outside of the audit firm to assist him in making reasonable judgments.
The professional judgement exercised by the auditor should reflect a competent application of auditing standards and accounting principals under the facts and circumstances known by the auditor up to the auditor's report date. It also should be exercised and documented throughout the audit; this means the auditor is required to prepare audit documentation sufficient to enable an experienced auditor, having no previous connection with the audit, to understand the significant professional judgments made in reaching conclusions on significant findings or issues arising during the audit. Professional judgment should not be used as a scapegoat for decisions that are not otherwise supported by the facts and circumstances of the engagement or by sufficient appropriate audit evidence.
"The auditor should plan and perform an audit with professional skepticism, recognizing that circumstances may exist that cause the financial statements to be materially misstated."
Professional skepticism is defined as an attitude that includes a questioning mind, being alert to conditions that may indicate possible misstatement due to fraud or error, and a critical assessment of audit evidence.
Throughout the audit, the auditor should be alert to the following:
Audit evidence that contradicts other audit evidence obtained.
Information that brings into question the reliability of documents and responses to inquiries to be used as audit evidence.
Conditions that may indicate possible fraud.
Circumstances that suggest the need for audit procedures in addition to those required by GAAS.
In doing so, the auditor hopes to prevent:
overlooking unusual circumstances.
over-generalizing when drawing conclusions from audit observations.
using inappropriate assumptions in determining the nature, timing, and extent of the audit procedures and evaluating the results thereof.
In regard to the critical assessment of audit evidence, the auditor should:
question contradictory audit evidence and the reliability of documents and responses to inquiries and other information obtained from management and those charged with governance.
consider the sufficiency and appropriateness of audit evidence obtained in light of the circumstances.
The auditor may accept records and documents as genuine unless the auditor has reason to believe the contrary. In such a case, the auditor should investigate further and determine what modifications or additions to audit procedures are necessary to resolve the matter.
The auditor neither assumes that management is dishonest nor assumes unquestioned honesty. The belief that management is honest and has integrity does not relieve the auditor of his duty to obtain sufficient and appropriate evidence when obtaining reasonable assurance.
