AICPA Professional Standards (AU110) states that “the objective of the ordinary audit of financial statements by the independent auditor is the expression of an opinion on the fairness with which they present, in all material respects, financial position, results of operations, and cash flows in conformity with GAAP”. The process designed to achieve that objective is complex. It involves the application of numerous procedures and the coordination of many activities.
This post tries to simplify those complex audit processes through a step-by-step hierarchy. The main steps will be broken down into some sub-steps [or points]. Although this is much simplified, I will definitely provide extensive resources related to the audit process by posting supplementary content: examples of auditing-related documents that I am going to post shortly after this post. Enjoy!
Although those procedures and activities overlap, the audit process encompasses the following steps, which we are discussing in this post: (1) plan the audit; (2) gather and evaluate information about the entity and its environment [including internal control]; (3) assess risks of material misstatement; (4) design an audit response and further audit procedures; (5) perform further audit procedures; and (6) evaluate audit findings.
Step-1: Plan Audit
Audit planning begins with determining the requirements for the engagement. It involves developing an overall strategy for the expected conduct of the audit. The nature, extent, and timing of planning vary with the size and complexity of the entity, experience with the entity, and knowledge of the entity and its environment. Proper planning is essential to efficient and effective auditing. Consequently, seasoned auditors ordinarily are involved in the planning process.
The auditor should establish an understanding with the entity regarding the nature of the services to be provided. This understanding should include the objectives of the engagement, management’s responsibilities, the auditor’s responsibilities, and limitations of the engagement. An engagement letter reduces to writing the understanding of the arrangements concerning the services to be provided and helps eliminate potential misunderstandings that otherwise may arise. [see: Audit Engagement Letter Example as an illustration].
Step-2: Gather And Evaluate Information About The Entity And Its Environment [Including Internal Control]
The auditor must gather sufficient background information to assess the risks of material misstatement of the financial statements and to design the nature, timing, and extent of further audit procedures. This information also allows the auditor to make judgments about matters such as materiality, the appropriateness of accounting principles, and areas requiring special audit consideration.
Risk assessment procedures are used to gather the information about the entity and its environment. These procedures include inquiries of management, analytical procedures, observation, inspection, and other information gathering procedures. The auditor is attempting to obtain an overall understanding of the entity’s industry; the entity’s operations, ownership, governance, methods of financing, objectives, strategies, and business risks; the manner in which management measures and reviews financial performance; and the entity’s internal control. This understanding allows the auditor to identify account balances, classes of transactions, and disclosures with a high risk of material misstatement.
Knowledge obtained about the entity’s industry encompasses an understanding of the accounting and auditing practices common to that industry and other unique aspects of the industry. Pertinent information about the industry includes trends and growth patterns; government regulation; unusual accounting, tax, or financing practices; and areas requiring special audit considerations. The auditor should be aware of the general state of the economy and its impact on the entity and its industry. Such matters as credit availability, environmental efforts, and the impact on the industry of changes in consumer disposable income can have a significant effect on the entity’s operations. For example, corporate liquidity may be affected by the level of business activity, high interest rates, and the availability of money.
In evaluating information about the entity and its environment, there are certain considerations to take into account, as I am going to reveal in the next paragraphs. Follow on…
Internal Control Considerations
Not all of the entity’s internal controls are relevant to an audit. Controls that are relevant to a financial statement audit are those that could affect the entity’s ability to prepare financial statements that are in accordance with GAAP. Internal control is defined as a process—effected by an entity’s board of directors, management, and other personnel—to provide reasonable assurance regarding the achievement of objectives in the following categories: (1) reliability of financial reporting, (2) effectiveness and efficiency of operations, and (3) compliance with applicable laws and regulations.
Components of Internal Control – For purposes of an audit, an entity’s internal control consists of five interrelated components which are:
- Control environment. The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
- Risk assessment. Risk assessment is the entity’s identification and analysis of relevant risks to achievement of its objectives, forming a basis for determining how the risks should be managed.
- Control activities. Control activities are the policies and procedures that help ensure management directives are carried out.
- Information and communication. Information and communication systems support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
- Monitoring. Monitoring is a process that assesses the quality of internal control performance over time.
Understanding Internal Control – Because this knowledge is so critical to the audit process, the auditor is required to obtain an understanding of each of the five components of internal control sufficient to assess the risk of material misstatements and design further audit procedures. The auditor’s understanding of internal control should be sufficient to allow the auditor to: (a) evaluate control design, and (b) determine whether the control has been implemented. As discussed above, the auditor obtains the understanding of internal control by performing risk assessment procedures, including inquiries of management, analytical procedures, observation, and inspection.
Evaluate the Information about the Entity and its Environment
Once the auditor has gathered the information about the entity and its environment, the auditor must assimilate and synthesize the information to determine how it might affect the audit. As an example, information about business risks may allow the auditor to identify financial reporting risks that will affect the way in which the auditor designs audit procedures.
Step-3: Assess Risks of Material Misstatement
Financial statements consist of a series of assertions or representations by management about accounts, transactions, and disclosures. The auditor uses the understanding of the entity and its environment to assess the risks of material misstatement both at the relevant assertion level and at the financial statement level. Financial statement level risks relate pervasively to the financial statements as a whole and potentially affect many financial statement assertions.
The auditor’s ultimate objective is to identify assertions about accounts, transactions, and disclosures that are more likely to be materially misstated. For each significant assertion, the auditor considers: (1) what could go wrong? (2) how likely is it that it will go wrong?, and (3) what are the likely amounts involved?
As a part of the risk assessment process, the audit team should have a discussion of the susceptibility of the entity’s financial statements to material misstatement. This discussion is designed to allow team members to gain a better understanding of the risks of material misstatement of the financial statements, and the audit procedures that might effectively address those risks. For efficiency purposes, this discussion is often held in conjunction with the discussion among the audit team related to fraud as required by SAS No. 99, “Consideration of Fraud in a Financial Statement Audit.”
The risk of material misstatement of a particular assertion is a function of both inherent and control risks. Inherent risk is the risk of material misstatement of an assertion without considering internal control, and control risk is the risk that the entity’s internal control will fail to prevent or detect and correct material misstatements. Many inherent risks arise because of business risks faced by management, including the risk of fraud. Auditing standards allow the auditor to make a separate assessment of inherent risk and control risk, or to make a combined assessment of the risk of material misstatement for each significant assertion.
The auditor’s assessment of control risk involves analyzing the design and implementation of internal control to decide whether internal control appears adequate to prevent or detect and correct material misstatements in the assertions. Individual controls often do not address a risk completely by themselves. Often, only several control activities, together with other components of internal control, for example aspects of the control environment, will be sufficient to address a risk.
Another part of the risk assessment process involves the identification of significant risks, which are risks that require special audit consideration. For example, because of the nature of the entity or its industry, the auditor may decide that revenue recognition requires special audit consideration. The special audit consideration means that the auditor should evaluate the design of controls that address the risk, and perform substantive procedures that are linked clearly to the risk.
When the auditor’s approach to the audit of the significant risk consists only of substantive procedures, he or she should perform either tests of details, or a combination of tests of details and substantive analytical procedures. In other words, the auditor cannot rely solely on substantive analytical procedures to obtain evidence about misstatement of the assertion. Also, if the auditor is relying on the effectiveness of internal controls to mitigate the significant risk, the controls must be tested in the current period. The auditor cannot rely upon tests of controls performed in prior periods.
Other Factors That Affect the Auditor’s Risk Assessment
When assessing risks, the auditor considers other factors that might require the extension or modification of audit tests, such as the possibility of fraud or the existence of related party transactions. The auditor also has responsibility for certain illegal acts that may have occurred and for assessing the entity’s ability to continue as a going concern.
Let’s discuss these factors in a bit more detail. Read on…
Fraud – SAS No. 99 provides guidance on the auditor’s consideration of fraud in a financial statement audit. It is the auditor’s responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement, whether caused by error or fraud. SAS No. 99 describes two types of fraud, fraudulent financial reporting and misappropriation of assets, that are relevant to the auditor’s consideration of fraud in a financial statement audit. The auditor is required by SAS No. 99 to:
- Have a discussion among the audit team members about fraud risk. Specifically, the discussion should be designed to allow the more experienced team members to share insights and exchange ideas about how and where the entity’s financial statements might be susceptible to material misstatement due to fraud and to emphasize the importance of maintaining the proper degree of professional skepticism regarding the possibility of fraud.
- Make inquiries of management and other personnel to identify fraud risks.
- Perform analytical procedures to identify fraud risks.
- Consider risk factors that may be indicative of fraud. SAS No. 99 provides lists of such factors organized around the three fundamental conditions necessary for the commission of fraud: (1) some type of incentive or pressure, (2) an opportunity to commit fraud, and (3) an attitude that allows the individual to rationalize the act.
- Identify fraud risks that may require an audit response. Since material misstatements due to fraudulent financial reporting often involve management override of internal controls resulting in overstatement of revenue, the auditor ordinarily should determine that there is a fraud risk related to revenue recognition.
- Address this risk of override of internal control by management regardless of whether the auditor identifies other fraud risks.
- Respond to fraud risks by (1) modifying the approach to the overall audit, (2) altering the nature, timing, or extent of procedures performed, or (3) performing procedures to further address the risk of management override of internal control. Procedures to address the risk of management override include examining journal entries and other adjustments for evidence of fraud, reviewing accounting estimates for evidence of biases, and evaluating the business rationale for significant unusual transactions.
- Evaluate the results of audit tests for evidence of fraud.
- Evaluate the implications of any fraud discovered and communicate information about fraud to the appropriate level of management.
Related Party Transactions – SAS No. 45, “Related Parties” (AU 334), provides the independent auditor with guidance on procedures to be considered to identify related parties and transactions with such parties. The statement also illustrates procedures for examining identified related party transactions and provides guidance for adequate disclosure. Parties are related when one party has the ability to influence the other(s) to the extent that the other party(s) does not fully pursue its (their) own separate interest (e.g., a parent company and its subsidiary; an entity and its principal shareholders). Many of the procedures specified in SAS No. 45 are carried out in the ordinary course of an audit. Such procedures may indicate the possible existence of related party transactions, in which case, additional procedures would be required. Other procedures are directed specifically to related party transactions.
Illegal Acts – The auditor’s responsibility for illegal acts is discussed in SAS No. 54, “Illegal Acts by Clients” (AU 317). Although an auditor is not expected to possess the legal background necessary to recognize all possible violations of laws or regulations, he or she should be familiar with those laws or regulations that directly affect the financial statements. For example, if a client violates the Internal Revenue Code, the income tax provision in its financial statements might be inadequate, which could cause the financial statements to be materially misstated. Therefore, the auditor’s responsibility to detect illegal acts that have a direct and material effect on the financial statements is the same as the auditor’s responsibility for detection of misstatements due to error or fraud—to design the audit to provide reasonable assurance that the financial statements are free of material misstatement. Many other laws and regulations (e.g., regulations of the Environmental Protection Agency and the Federal Trade Commission) are highly specialized and complex.
The auditor does not ordinarily have a sufficient legal knowledge to always recognize violations of these laws or regulations. Therefore, according to SAS No. 54, the auditor is responsible for these “indirect effect” illegal acts only when information comes to the auditor’s attention that suggests an illegal act might have taken place. If information about an illegal act that could have a material effect on the financial statements through a contingent liability comes to the auditor’s attention, the auditor must perform procedures to ascertain whether the illegal act has occurred. SAS No. 54 also requires the auditor to make sure that the audit committee or its equivalent is informed about illegal acts unless they are clearly inconsequential. Further, in certain circumstances (e.g., in response to a subpoena or in response to inquiries of a successor auditor), the auditor might have to notify persons not associated with the client about illegal acts.
Going Concern – Financial statements are ordinarily prepared on the assumption that the entity will continue in business; an auditor does not search for evidence to support this assumption. However, SAS No. 59, “The Auditor’s Consideration of an Entity’s Ability to Continue as a Going Concern” (AU 341), requires the auditor to consider whether the aggregate results of all audit procedures performed indicate that there could be substantial doubt about the entity’s ability to continue as a going concern for a reasonable period of time (not to exceed one year from the date of the audited financial statements). Conditions and events such as recurring operating losses, working capital deficiencies, defaults on loans, or the loss of a principal customer or supplier might indicate that there is a going concern problem.
If substantial doubt exists, SAS No. 59 directs the auditor to consider management’s plans for dealing with the adverse condition. In considering management’s plans, the auditor should obtain evidence about whether the adverse condition or event will be mitigated within a reasonable period of time. If, after considering management’s plans, the auditor still concludes that there is substantial doubt, he or she should include an explanatory paragraph in the audit report that describes that doubt. The auditor should note that SAS No. 64, “Omnibus Statement on Auditing Standards—1990,” amended SAS No. 59 to require the auditor to use the phrase “substantial doubt about its (the entity’s) ability to continue as a going concern” or similar wording that includes the term substantial doubt and going concern when the auditor decides an explanatory paragraph is necessary.
SAS No. 59 recognizes that the auditor is not responsible for predicting the future, and the absence of a reference to substantial doubt in an auditor’s report should not be construed as providing assurances about the entity’s continued existence.
Substantive tests may be accomplished through inspection, observation, inquiry, confirmation, and computation. The selection of evidence to be obtained and evaluated—hence the audit procedures to be applied—depends on a variety of factors including the appropriateness, sufficiency, and availability of evidence. The reliability of evidence varies. Evidence obtained from independent sources outside the organization generally is reliable. The degree of reliability of evidence obtained from within the organization generally depends on the system developed by management to produce information. Furthermore, evidence obtained by the auditor through physical examination, observation, computation, and inspection is more persuasive than information obtained indirectly (e.g., from internal control matters). Evidence also must be sufficient to form a reasonable basis for the auditor’s opinion.
The auditor selects the most readily available audit evidence, provided it is appropriate and sufficient for audit purposes. In some circumstances, appropriate and sufficient evidence may be difficult to obtain. Nevertheless, the independent auditor cannot substitute inappropriate evidence merely because such evidence happens to be readily available.
Judgment is necessary in choosing the evidence to obtain and evaluate. However, judgment cannot be applied without a thorough knowledge of the entity being audited and the relative importance (materiality) of the specific assertions under study.
Step-4: Design Audit Response and Further Audit Procedures
The results of the auditor’s risk assessment provide a basis for designing further audit procedures. Further audit procedures are performed to obtain the audit evidence necessary to support the audit opinion. Such procedures include tests of controls and substantive tests. Tests of controls must be designed when the auditor’s strategy includes an assumption that the controls are operating effectively, and when substantive procedures alone cannot provide sufficient audit evidence about a particular assertion.
Step-5: Perform Further Audit Procedures
After the auditor has designed the further audit procedures he or she performs the tests of controls and substantive procedures.
Tests of Controls
Tests of controls provide evidence about the design and operating effectiveness of internal controls in preventing or detecting material misstatements. Tests of controls include inquiries of appropriate management, supervisory and other personnel, inspection of documents, observation of the entity’s operations, and re-performance.
The assessed level of control risk or the risk of material misstatement relates directly to the substantive tests the auditor performs. The more effective the entity’s internal control, the lower the risk of material misstatement in the financial statements. The lower the risk of misstatement, the less evidence the auditor needs from substantive audit procedures to form an opinion on the financial statements.
SAS No. 56, “Analytical Procedures” (AU 329), defines analytical procedures as comparisons of recorded amounts, or ratios developed from recorded amounts, to expectations developed by the auditor. It requires the auditor to use analytical procedures in the planning and overall review stages of all audits. The nature and extent of procedures performed, however, are up to the auditor.
In the planning stage, an auditor uses analytical procedures to gain an understanding of the client’s business and the events and transactions that have occurred since the prior audit. They also help him or her identify areas in which the risk of material misstatement is high. In the overall review stage, auditors use analytical procedures to ensure that they have obtained explanations for all significant fluctuations in financial statement amounts, that all amounts make sense based on the audit results, and that they are satisfied with the sufficiency of the audit procedures performed.
SAS No. 56 also encourages, but does not require, auditors to use analytical procedures as substantive tests. For some accounts, analytical procedures can be more effective than tests of details in detecting material misstatements in the financial statements. For example, an analytical procedure comparing salaries paid to the total number of employees in a division might indicate unauthorized payments; a test of details might not have uncovered this. In deciding whether to perform analytical procedures or tests of details, the auditor considers factors such as the nature of the assertion and the reliability of and availability of information used to develop the expectation.
Although many users typically see accounting as exact and precise, the truth is accounting estimates are pervasive in a set of financial statements. Because of the fundamental importance of these estimates and the risks associated with their preparation and evaluation, SAS No. 57, “Auditing Accounting Estimates” (AU 342), requires the auditor to obtain sufficient evidence to provide reasonable assurance that all accounting estimates that could be material to the financial statements have been developed, that those estimates are reasonable, and that the estimates conform to GAAP.
Other Required Auditing Procedures
Although the nature, timing, and extent of auditing procedures are matters of judgment, certain procedures are required to be applied on all audit engagements. They include communication with predecessor auditors, confirmation of receivables, observation of inventories, obtaining management’s written representations, and inquiry of a client’s lawyer concerning litigation, claims, and assessments. Independent auditors who do not employ these procedures have the burden of justifying the opinion expressed.
Communication with Predecessor Auditors
SAS No. 84, “Communications Between Predecessor and Successor Auditors” (AU 315), explains:
Inquiry of the predecessor auditor is a necessary procedure because the predecessor auditor may be able to provide information that will assist the successor auditor in determining whether to accept the engagement.
Those inquiries, which should be made with the prospective client’s authorization, should address (1) matters that may bear on the integrity of management, (2) disagreements with management about accounting principles, auditing procedures, or other similarly significant matters, and (3) communications to audit committees or others with equivalent authority and responsibility regarding fraud, illegal acts by clients, and internal control–related matters and on the predecessor auditor’s understanding of why a change of auditors is being made. If a prospective client refuses to permit such communication, the reasons should be determined and consideration should be given to whether acceptance of the engagement is appropriate. Other communications, although not required, may be made to facilitate the current audit.
Confirmation of Receivables
SAS No. 67, “The Confirmation Process” (AU 330), states:
Confirmation of accounts receivable is a generally accepted auditing procedure…
It is generally presumed that evidence obtained from third parties will provide the auditor with higher-quality audit evidence than is typically available from within the entity.
Thus, there is a presumption that the auditor will request the confirmation of accounts receivable during an audit unless one of the following is true:
- Accounts receivable are immaterial to the financial statements.
- The use of confirmations would be ineffective.
- The auditor’s combined assessed level of inherent and control risk is low, and the assessed level, in conjunction with the evidence expected to be provided by analytical procedures or other substantive tests of details is sufficient to reduce audit risk to an acceptably low level for the applicable financial statement assertions.
An auditor who has not requested confirmations in the examination of accounts receivable should document how he or she overcame this presumption. SAS No. 67 defines accounts receivable as (1) the entity’s claims against customers that have arisen from the sale of goods or services in the normal course of business, and (2) a financial institution’s loans.
Two forms of confirmations are used in practice: positive (i.e., the debtor is asked to respond in all cases) and negative (i.e., a response is requested only if there is disagreement). If no response is received to a positive confirmation request, the auditor ordinarily applies alternative procedures such as examining evidence of subsequent cash receipts and sales and shipping records.
SAS No. 67 establishes three specific conditions that must exist before the auditor may use negative confirmation requests. These conditions are:
- The combined assessed level of inherent and control risk (risk of material misstatement) is low.
- A large number of small balances is involved.
- The auditor has no reason to believe that the recipients of the requests are unlikely to give them consideration.
Observation of Inventories
AICPA Professional Standards (AU 331) states:
When inventory quantities are determined solely by means of a physical count, and all counts are made as of the balance-sheet date or as of a single date within a reasonable time before or after the balance-sheet date, it is ordinarily necessary for the independent auditor to be present at the time of count and, by suitable observation, tests, and inquiries, satisfy himself or herself respecting the effectiveness of the methods of inventory-taking and the measure of reliance which may be placed upon the client’s representations about the quantities and physical condition of the inventories.
When the well-kept perpetual inventory records are checked by the client periodically by comparisons with physical counts, the auditor’s observation procedures usually can be performed either during or after the end of the period under audit.
Auditors may become satisfied as to inventory quantities when statistical sampling methods are used to determine those quantities. Except when inventories are held in public warehouses or by other outside custodians (in which case direct confirmation in writing may be acceptable), it will always be necessary for the auditor to make or observe some physical inventory counts.
Management’s Written Representations
SAS No. 85, “Management Representations” (AU 333), requires that the auditor obtain written representations from management. Management’s refusal to furnish a written representation constitutes a limitation on the scope of his or her audit sufficient to preclude an unqualified opinion and is ordinarily sufficient to cause an auditor to disclaim an opinion or withdraw from the engagement [see: Management Representation Letter Example].
Inquiry of a Client’s Lawyer
With respect to litigation, claims, and assessments, auditors obtain evidential matter relevant to the existence of uncertainties that may result in a loss, the period involved, the degree of probability of unfavorable outcome, and the amount or range of potential loss. Gain contingencies also are addressed. Such information is obtained from management and corroborated through a written response by the client’s lawyer to the auditor’s letter of audit inquiry.
SAS No. 12, “Inquiry of a Client’s Lawyer Concerning Litigation, Claims, and Assessments” (AU 337), provides auditors with detailed guidance related to these matters.
Step-6: Review Of Audit Work
Auditing Standards require the review of work performed by assistants. This review is a critical evaluation of the work carried out on the engagement. In general, it should include a review of work papers to see that they clearly indicate work performed and that they support conclusions to be expressed in the auditor’s report.
Step-7: Required Auditor Communications
As a by-product of an audit, the auditor is required to communicate certain matters to an audit committee or others with equivalent authority. SAS No. 60, “Communication of Internal Control Related Matters Noted in an Audit” (AU 325), requires the auditor to communicate significant deficiencies. Significant deficiencies are matters coming to the auditor’s attention that, in his or her judgment, should be communicated (to the audit committee or others, including the board of directors, owners in owner-managed entities, etc.) because they could adversely affect the entity’s ability to prepare financial statements. Such deficiencies can occur in any of the five components of internal control: the control environment, risk assessment, control activities, information and communication, and monitoring.
Under SAS No. 60, the auditor can communicate significant deficiencies either orally or in writing, although a written communication is preferable. If the auditor communicates in a written report, that report should:
- State that the purpose of the audit is to report on the financial statements and not to provide assurance on internal control.
- Include the definition of a significant deficiency.
- Include a statement that restricts the distribution of the report to the audit committee, board of directors, or owner-manager.
The auditor is not required to search for significant deficiencies; rather, he or she is obligated to report those that come to his or her attention during the audit.
SAS No. 61, “Communication with Audit Committees” (AU 380), requires an auditor to ensure that the audit committee (or its equivalent) is informed about the following matters:
- The scope of the audit and the level of assurance (reasonable, not absolute) that the auditor provides in an audit of financial statements.
- The auditor’s responsibility for internal control matters.
- Management’s initial selection of accounting policies and changes in significant accounting policies or their application.
- The process management uses to formulate sensitive accounting estimates and the basis for the auditor’s conclusions about the reasonableness of those estimates.
- Any audit adjustments that could have a significant effect on the entity’s financial reporting process.
- Any uncorrected misstatements aggregated by the auditor that pertain to the latest period presented and were determined by management to be immaterial.
- The auditor’s judgments about the quality, not just the acceptability, of the company’s accounting principles, including such matters as the consistency of application of the entity’s accounting policies and their application and the clarity and completeness of the entity’s financial statements, which include related disclosures as well as certain items that have a significant impact on the representational faithfulness, verifiability, neutrality, and consistency of the accounting information included in the financial statements.
- The auditor’s responsibility for other information in documents containing audited financial statements.
- Disagreements with management about matters that could be significant to the entity’s financial statements.
- The auditor’s views on significant matters about which management consulted with other accountants.
- Major issues discussed by the auditor with management in connection with his or her retention.
- Serious difficulties encountered with management in performing the audit (e.g., management setting unreasonable timetables or not providing information required by the auditor).
Unlike SAS No. 60, however, the auditor is only required to make these communications to a public company (as defined in the statement) or to entities that either have an audit committee or have formally designated oversight of the financial reporting process to a group equivalent to an audit committee. This means that, in audits of most smaller companies that only have a board of directors, the auditor may, but is not required to, make these communications.