Understanding Audit Risk Assessment

Understanding Audit Risk Assessment

Objectives of This Course:
Outline the PPC audit risk assessment process Understand how to use PPC practice aids to perform and document risk assessment Key Points: This presentation will help you understand the current audit risk assessment standards (and the PPC risk assessment process) and how to implement them in your audits using the practice aids in PPC’s Guide to Audits of Nonpublic Companies and PPC’s industry audit guides. Risk assessment encompasses fraud consideration in a financial statement audit.

What is Risk Assessment?
Obtain an understanding of the client, including internal control Identify and assess risks of material misstatement of the financial statements Evaluate both overall risks and risks that affect only specific assertions Audit Procedures Concentrate audit effort in high risk areas Inherent risk Control risk Perform less extensive procedures in low risk areas Linkage Key Points: An audit approach based on risk assessment provides methods to identify higher-risk areas and assertions so that audit effort can be focused on those areas. By focusing efforts in higher-risk areas and limiting procedures in lower-risk areas, you will perform a more effective and focused audit. The standards relating to risk assessment emphasizes “linkage” between assessed risks and resulting audit procedures, that is, overall responses that address risks of material misstatement at the financial statement level as well as procedures that are clearly linked to assessed risks of material misstatement at the relevant assertion level. Presentation Tip: Assertions are mentioned several times in the presentation. Explain that assertions are representations by management, explicit or otherwise, that are embodied in the financial statements. Assertions about transaction classes relate to the entire period under audit and consist of: Occurrence. Transactions and events that have been recorded have occurred and pertain to the entity. Completeness. All transactions and events that should have been recorded have been recorded. Accuracy. Amounts and other data relating to the recorded transactions and events have been recorded appropriately. Cutoff. Transactions and events have been recorded in the correct accounting period. Classification. Transactions and events have been recorded in the appropriate accounts. Assertions about account balances relate to the period end and consist of: Existence. Assets, liabilities, and equity interests exist. Rights and Obligations. The entity holds or controls the rights to assets, and liabilities are the obligations of the entity. Completeness. All assets, liabilities, and equity interests that should have been recorded have been recorded. Valuation and Allocation. Assets, liabilities, and equity interests are included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments are appropriately recorded. According to AU-C 315, relevant assertions are assertions that have “a reasonable possibility of containing a misstatement or misstatements that would cause the financial statements to be materially misstated.” For More Information: Financial statement assertions are discussed in section 302.

PPC Audit Approach Step Description 1 2 3 4 5 6
Perform Preliminary Engagement Activities Client acceptance/continuance Establish an understanding with the client 2 Perform Planning and Risk Assessment Procedures Hold an engagement team discussion Determine materiality Perform risk assessment procedures Understand the entity and its environment, including internal control 3 Assess Risks and Develop Responses Assess risks at the financial statement level Develop the overall audit strategy Assess risks at the relevant assertion level Develop the detailed audit plan 4 Perform Further Audit Procedures Tests of controls Substantive procedures 5 Evaluate Audit Findings 6 Issue Reports and Communications Key Points: PPC’s practical approach to the audit process addresses the requirements for risk assessment and is designed to be flexible and adaptable, allowing you to better leverage your knowledge of the client to tailor your audit procedures. This chart may suggest a sequential process, but the audit is a continuous process of gathering, updating, and analyzing information about the fairness of presentation of amounts and disclosures in the client’s financial statements. The audit process is an iterative, nonlinear process, whereby the required procedures may be performed concurrently with other procedures. Also, risks should be evaluated continuously throughout the audit. This course covers steps 1–4 of the PPC Audit Approach.

Preliminary Engagement Activities
Client acceptance/continuance Establish an understanding with the client Key Points: The next few slides address Step 1 of the PPC Audit Approach: Perform Preliminary Engagement Activities, which consists of client acceptance/continuance (including evaluating independence) and establishing an understanding with the client. Preliminary engagement activities provide important information that directly contributes to the assessment of risks and the development of an audit strategy and detailed audit plan. For More Information: Preliminary engagement activities are discussed in section 201.

Client Acceptance/Continuance
Consider: Document Nature and purpose of engagement Client’s reputation, integrity, and competence Communication with predecessor Compliance with ethical requirements, including independence Adequacy of accounting records Firm resources and competence Engagement economics Other risk concerns CX-1.1: “Engagement Acceptance and Continuance Form” CX-7.1: “Risk Assessment Summary Form” (if risks are identified) Key Points: The engagement acceptance or continuance decision generally focuses on factors that increase overall financial statement risk, such as increased risks due to indications of pressures, opportunities, or incentives for fraudulent financial reporting on the part of management, the company’s precarious financial position that creates a likelihood of bankruptcy, etc. Consideration of this information might cause the firm to decline to accept the engagement; terminate the client relationship; or plan and perform the audit in a different manner, such as by using more experienced personnel. Agreeing on the terms of an audit includes establishing preconditions for an audit, that is, the use by management of an acceptable financial reporting framework in the preparation and fair presentation of the financial statements and the agreement of management and, when appropriate, those charged with governance, to the premise on which an audit is conducted. If the preconditions for an audit are not met, the auditor should discuss the matter with management and not accept the engagement unless required by law or regulation to accept it. The acceptance or continuance decision is documented using CX-1.1, “Engagement Acceptance and Continuance Form.” If any risks are identified when making the acceptance or continuance decision that could result in a material misstatement of the financial statements, those risks should be added to CX-7.1, “Risk Assessment Summary Form.” Often, CX-1.1 may be completed well before the engagement begins. In that case, the form should be reviewed during risk assessment for consideration of any risks that need to be added to CX-7.1. Presentation Tips: Review a blank copy of CX-1.1 with the participants. Point out that the form is designed so that any “Yes” answers represent areas of possible concern when making the acceptance or continuance decision. Therefore, a quick review of the form for “Yes” answers will identify areas that might present risks for the engagement. When CX-7.1, “Risk Assessment Summary Form,” is first introduced, point out that this is the key form used in the PPC approach to capture identified risks, assess them, and decide and document how the engagement team plans to respond to them.

Establish an Understanding with the Client
Establish an understanding about: Objectives of the engagement Management’s responsibilities Auditor’s responsibilities Limitations of the engagement Communicate the understanding in a written engagement letter CL-1.1: “Audit Engagement Letter” Key Points: An engagement letter does not, by itself, result in the identification of risks that may result in a misstatement of the financial statements, but the issuance of the letter may reduce the firm’s business risk by clarifying responsibilities of each party and the objectives and limitations of the engagement. A written engagement letter is required for all audits. The “Audit Engagement Letter” (CL-1.1) can be used to draft an engagement letter for the audit.

Planning and Risk Assessment Procedures
Hold an engagement team discussion Determine materiality Perform risk assessment procedures Understand the entity and its environment, including internal control Perform a retrospective review of accounting estimates Key Points: The next few slides address Step 2 of the PPC Audit Approach: Perform Planning and Risk Assessment Procedures, which consists of holding an engagement team discussion, determining materiality, performing risk assessment procedures, obtaining an understanding of the entity and its environment, including internal control, and performing a retrospective review of accounting estimates. For More Information: Planning and risk assessment procedures are discussed in section 201.

Engagement Team Discussion
Discuss the susceptibility of the financial statements to material misstatement Consider fraud risks and risks of error Include: Critical issues and areas of significant audit risk Areas susceptible to management override of controls Unusual accounting practices Important control systems Materiality considerations Need to exercise professional skepticism Business risks Fraud considerations Key Points: AU-C requires key members of the audit team (including the engagement partner) to discuss the susceptibility of the entity’s financial statements to material misstatements. SAS 99 requires an open exchange of ideas, or “brainstorming” among audit team members about how and where they believe the entity’s financial statements might be susceptible to material misstatement due to fraud, how management could perpetuate and conceal fraudulent financial reporting, and how assets of the entity could be misappropriated. These discussions can be held concurrently, that is, one meeting can cover the susceptibility of the financial statements to material misstatements from both error and fraud. However, it is important to consider the susceptibility to fraud as a distinct part of this combined discussion to avoid potentially diluting that critical consideration. The focus ought to be on the individual members gaining a better understanding of the potential for material misstatements resulting from error or fraud in the specific areas assigned to them, and understanding how the results of audit procedures they perform affect other aspects of the audit. The more experienced team members can share their insights based on their cumulative knowledge of the entity, its industry, and its environment. Participants should maintain an attitude of professional skepticism throughout the discussion and should not be influenced by past favorable experience with the integrity of management. In fact, SAS 99 states that the engagement team should abandon neutrality and any preconceptions about management’s and employees’ honesty, but instead presume the possibility of dishonesty at various levels of management. Presentation Tips: Tailor the list of engagement team discussion items based on your firm’s practice for the engagement team discussion. Consider reviewing Exhibit 2-8, Sample Questions for Engagement Team Discussion, with participants. For More Information: The engagement team discussion is discussed at paragraph

Engagement Team Discussion (cont.)
Attendance: Auditor with final responsibility Key members of engagement team Document: How the discussion occurred, the subject matter, who participated, and decisions about planned responses CX-3.2: “Engagement Team Discussion” CX-7.1: “Risk Assessment Summary Form” (if risks are identified) Key Points: In addition to the audit partner and key members of the engagement team, it may be appropriate to include specialists in the discussion, such as IT specialists, assigned to the engagement team. AU-C requires that the following items be documented regarding the discussion among the audit team: How and when the discussion occurred. Subject matter discussed. Participating audit team members. Significant decisions reached concerning planned responses at the financial statement and relevant assertion levels. These requirements are similar to the documentation requirements of AU-C 240 regarding the fraud aspects of the discussion. CX-3.2, “Engagement Team Discussion,” provides for documentation of the items listed and includes a list of required discussion topics to help keep the discussion focused and ensure important topics are not overlooked. If risks are identified that could result in material misstatement of the financial statements, they should be added to CX-7.1, “Risk Assessment Summary Form.” Presentation Tips: Review a blank copy of CX-3.2 with the participants. Point out how the questions on the form match the documentation requirements of the standard. A completed CX-3.2 is illustrated in Case Study 1 at Appendix A-6. The engagement team discussion is illustrated in a memo in Case Study 2 at Appendix B-4. Consider reviewing these documents, or one of the firm’s completed practice aids, with participants.

Materiality Materiality for the financial statements as a whole
Materiality for particular items of lesser amounts Performance materiality Key Points: The preliminary judgment about materiality for the financial statements as a whole is generally referred to as planning materiality. The need to establish planning materiality is directly related to the audit objective of obtaining reasonable assurance of detecting misstatements that could be large enough, individually or in the aggregate, to be quantitatively material to the financial statements. AU-C indicates that the auditor should consider whether, in the specific circumstances of the entity, misstatements of particular items of lesser amounts than planning materiality could be expected to influence economic decisions of users. In other words, in addition to determining materiality at the financial statement level, you determine whether there are particular account balances, transaction classes, or disclosures for which a lower planning materiality amount is appropriate based on user perceptions of the particular items. Performance materiality is the amount or amounts set by the auditor at less than materiality for the financial statements as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole. AU-C states that the auditor should determine performance materiality for purposes of assessing the risks of material misstatement and determining the nature, timing, and extent of further audit procedures. Performance materiality is distinguishable from tolerable misstatement. As explained in AU-C 320.A2, the application of performance materiality to a particular audit sampling procedure is called tolerable misstatement. In other words, performance materiality should be lower than the materiality level for the financial statements taken as a whole. If you need a lower planning materiality amount for particular financial statement items, you should also determine a separate performance materiality level for those items. Performance materiality is ordinarily set at 50–75% of the related planning materiality to allow for the possibility of uncorrected detected misstatements. Presentation Tips: Consider reviewing Example 2-3 of the Guide with participants, which illustrates determining planning materiality for particular items of lesser amounts. Consider reviewing Example 2-4 of the Guide with participants, which illustrates determining planning materiality and performance materiality. For More Information: Planning materiality is discussed in section 206. Performance materiality is discussed in section 301.

Materiality Apply professional judgment
Consider decisions that users make Use appropriate benchmarks, such as % of assets or revenue Re-evaluate materiality as the audit progresses. If lower, reconsider: Level of performance materiality Adequacy of procedures Key Points: It is important to use professional judgment when determining planning materiality—the calculation should not be rote. The reference to “decisions that users make” is based on the definition of materiality in FASB Statement of Financial Accounting Concepts 8 as: “Information is material if omitting it or misstating it could influence decisions that users make on the basis of the financial information of a specific reporting entity.” Conceptually, materiality should be established based on the auditor’s perception of users’ needs and expectations since an item is material if it would have influenced users’ judgments. For many nonpublic companies, total assets or revenue often provide a sound benchmark for determining materiality because they are stable, predictable, and representative of entity size. Base amounts (such as assets or revenues) used in the benchmark come from the financial statements to be audited or the trial balance from which those financial statements will be prepared. If those amounts are not available, annualized amounts from the most recent interim financial statements are used. For revenue, an annualized amount is used even if the audit period is shorter than a year. When current amounts are unavailable, significant audit adjustments are expected, or significant changes in the entity's circumstances indicate that current amounts are not representative of the entity's results of operations or financial position, historical averages based on the past two or three years can be used. Planning materiality judgments might need to be reconsidered as the audit progresses. AU-C states that you should revise materiality levels if you become aware of information during the audit that would have caused you to determine a different amount(s) initially. Because the calculation made during initial planning often uses interim financial information, the amounts in the annual audited financial statements might differ. If planning materiality based on interim amounts is too large, then audit scope might not have been sufficient. If planning materiality based on interim amounts was too small, then the audit would be less efficient than would have been possible because the auditor will have done more audit work than was necessary. Thus, if you become aware of changes that would have affected the determination of planning materiality, adjustments are made. AU-C indicates that if you conclude that a lower materiality than initially determined is appropriate, you should determine whether performance materiality has to be revised and whether the nature, timing, and extent of further audit procedures remain appropriate.

Materiality Document: Materiality at the financial statement level
If applicable, materiality level(s) for particular transaction classes, account balances, or disclosures Performance materiality Factors considered in their determination Any revisions made during the audit CX-2: “Financial Statement Materiality Worksheet for Planning Purposes” Key Points: Document the levels of planning materiality and performance materiality (for the financial statements as a whole as well as for particular items of lesser amounts), the factors considered in their determination (for example, the benchmark and why it is considered appropriate), and any revisions in materiality as the audit progresses. CX-2.1, “Financial Statement Materiality Worksheet for Planning Purposes,” is used to document materiality. Presentation Tips: Review a blank copy of CX-2.1 with the participants. Point out how the questions on the form match the requirements of the standard. Point out that CX-2.1 is also used to document that amount of a misstatement that is considered trivial (one that does not require posting to the misstatement summary). Be careful to remind participants that any misstatement greater than the trivial amount should be posted to the misstatement schedule. It is not appropriate to dispose of misstatements at the workpaper level unless they are below the trivial amount. Discuss any firm policies for computing materiality or the amount that is considered trivial. A completed CX-2.1 is illustrated in Case Study 1 at Appendix A-4. Consider reviewing that document, or one of the firm’s completed practice aids, with participants.

Risk Assessment Procedures
Two categories of audit procedures: Risk assessment procedures Further audit procedures Risk Assessment Procedures Key Points: AU-C explains that the auditor should perform risk assessment procedures to provide a satisfactory basis for the identification and assessment of risks of material misstatement at both the financial statement and relevant assertion levels. Risk assessment procedures are performed to obtain an understanding of the entity and its environment, including its internal control. The understanding obtained and assessed risks are used to design and perform further audit procedures. Further audit procedures include substantive procedures and tests of controls performed in response to the assessed risks to reduce the overall audit risk to an appropriately low level, as well as other procedures sometimes referred to as general procedures. Risk assessment procedures do not provide sufficient appropriate audit evidence on which to base the auditor’s opinion on the financial statements. Both Provide Audit Evidence Further Audit Procedures

Inquiry Observation and Inspection Analytical Procedures Key Points: Types of risk assessment procedures include: Inquiries of management and others within the entity and those charged with governance. Observation and inspection. Analytical procedures.

Performed to obtain an understanding of the entity and its environment, including internal control, for the purpose of assessing risks All of the procedures should be performed Inquiry alone is not sufficient to understand internal control Provide audit evidence Key Points: Risk assessment procedures are performed to obtain an understanding of the entity and its environment, including its internal control, for the purpose of assessing the risks of material misstatement at the financial statement and relevant assertion levels. All of the risk assessment procedures (that is, inquiry, observation and inspection, and analytical procedures) are performed when obtaining an understanding of the entity and its environment. However, each of those procedures need not be performed for every component of the required understanding. Performing all of the risk assessment procedures is usually accomplished by: Making inquiries of client personnel to update information in the PPC planning forms. Observing and inspecting documents and records, including performing walkthroughs of transaction processing systems, to corroborate responses to inquiries. Performing preliminary analytical procedures. The standards explicitly indicate that inquiry alone is not sufficient to evaluate the design and implementation of internal control. Therefore, observation and inspection will most likely be coupled with inquiry procedures when obtaining the understanding of internal control. The standards view risk assessment procedures as part of a process that provides audit evidence that ultimately supports the auditor’s opinion on the financial statements. This is the notion that the assessed level of risk itself provides audit evidence, rather than being only a means of determining the audit evidence that is necessary.

Inquiries Management Other employees External parties (maybe)
Key Points: Inquiry of management and others is used extensively throughout the audit planning process. In many cases, it serves as a foundation for the performance of other risk assessment procedures in that the responses obtained drive the need for additional or corroborating procedures. Inquiry consists of: Posing a question or requesting information on a matter, Evaluating the response, and Following up to obtain additional information as needed. Inquiry can be an extremely effective procedure in identifying risks. For example, an auditor might ask management about the level of technology for the entity’s products as compared to the industry. The auditor would then evaluate the response obtained and determine if a potential risk exists. In this case, the auditor might be concerned about potential inventory obsolescence and, if so, a possible writedown. If the auditor deems that there is an indication of this risk, additional inquiries might be posed to further identify the risk and determine whether other risk assessment procedures are necessary. Inquiries of parties outside the entity are not required, but are identified as procedures that might be helpful. For More Information: Parties that might be subject to inquiry are discussed in paragraphs –.25.

Required Inquiries Inquire about: Document the inquiries: Fraud
Related parties Accounting estimates Compliance with laws and regulations Service organizations Document the inquiries: CX-3.3, “Fraud Risk Inquiries Form” CX-7.1, “Risk Assessment Summary Form” (if risks are identified) Key Points: AU-C 240 requires auditors to make fraud-related inquiries of management or the owner/manager, other employees, internal auditors (if applicable), and those charged with governance (if separate from management) to identify whether anyone has suspicions or actual knowledge of fraud. These include inquiries about: Whether they have knowledge of any actual, suspected, or alleged fraud. Management's process for identifying, responding to, and monitoring the risks of fraud in the entity. The nature, extent, and frequency of management's assessment of fraud risk and the results of those assessments. Any specific risks of fraud that management has identified or that have been brought to its attention. The classes of transactions, account balances, or disclosures for which a fraud risk is likely to exist. Management's communications, if any, to (1) those charged with governance on its process for identifying and responding to fraud risks and (2) employees on its views on business practices and ethical behavior. AU-C requires the auditor to make specific inquiries of management and others regarding related parties, including: Identity of related parties, including changes from the prior period. Nature of related-party relationships. Whether there were any transactions with those related parties during the period and, if so, the transaction types and purposes. AU-C states that the auditor should make inquiries of management about whether any changes in circumstances have occurred that may give rise to new accounting estimates or the need to revise existing estimates. Inquiries may include matters such as whether: The entity has entered into new types of transactions that may give rise to accounting estimates. Transaction terms that affect accounting estimates have changed. Accounting policies relating to accounting estimates have changed as a result of changes to GAAP. Regulatory or other changes have occurred that may require the revision of existing accounting estimates or new estimates to be made. New conditions or events have occurred that may give rise to new or revised estimates. AU-C requires the auditor to inquire of management and those charged with governance about whether the entity is in compliance with laws and regulations that may have a material indirect effect on the financial statements and to inspect relevant correspondence with licensing and regulatory authorities. AU-C requires the auditor to inquire of management about whether a service organization has reported to it, or whether it is otherwise aware of, any fraud, noncompliance with laws and regulations, or uncorrected misstatements at the service organization that affect the financial statements of the user entity. There are no specific documentation requirements for inquiries made as risk assessment procedures, but AU-C 230 provides pertinent guidance. AU-C states that in documenting the nature, timing, and extent of audit procedures, the auditor should record the identifying characteristics of the items or matters tested. AU-C 230.A14 suggests that, for a procedure involving inquiries of entity personnel, the auditor records the inquiries made, the dates of inquiries, and the names and job designations of the personnel. CX-3.3, “Fraud Risk Inquiries Form,” provides for documentation of fraud inquiries and includes a list of required inquiries to ensure important topics are not overlooked. If risks are identified that could result in material misstatement of the financial statements, they should be added to CX-7.1, “Risk Assessment Summary Form.” Presentation Tips: Review a blank copy of CX-3.3 with the participants. Point out how the questions on the form match the requirements of the standard. Also point out that this form is also used to document required inquiries about illegal acts and inquiries about unusual or improper journal entry activity. A completed CX-3.3 is illustrated in Case Study 1 at Appendix A-7 and in Case Study 2 at Appendix B-5. Consider reviewing one of these documents, or one of the firm’s completed practice aids, with participants.

Observation and Inspection
Inspect documents and records Read internal reports and minutes Read external information Visit premises and plant facilities Trace transactions through the system (walkthroughs) Key Points: Observation and inspection may include inspecting documents and records, reading internal reports and minutes, reading external information, visiting premises and plant facilities, or tracing transactions through the system (walkthroughs). Performance of observation and inspection procedures is required when obtaining an understanding of the entity and its environment, including its internal control, to assess risk. The standards effectively mandate the performance of observation and inspection when obtaining an understanding of internal control by explicitly stating that inquiry alone is not sufficient to understand the design of controls and determine that they have been implemented. One of the best ways to supplement inquiry is to perform a walkthrough of significant transaction processing systems. Observation and inspection are frequently used to corroborate or follow-up on the results of inquires made of management and others. For example, when evaluating the design and implementation of the entity’s system of internal control, members of management might tell you that they communicate the importance of ethical values to employees through a written code of conduct and by example. You might corroborate this response by examining the written code. When obtaining an understanding of the entity and its environment, observation or inspection might be the key procedure that enables the auditor to fully obtain pertinent information and identify related risks. For example, in order to gain an understanding of the client’s financing arrangements and underlying covenants, the auditor might decide to review the client’s loan agreements and other related documents. That procedure, coupled with a review of the client’s financial statements, might be the key procedure that helps the auditor identify risks related to potential noncompliance with loan covenants. Presentation Tips: Consider discussing some examples of the use of observation and inspection procedures, such as: Inspecting documents and records (business plans and strategies, internal control manuals, etc.)—Recent business plan might reveal a shift in marketing and sales strategy during the year to concentrate on one industry dominated by three competitors, which indicates increased risk related to unrecognized sales discounts and rebates. Reading internal reports and minutes—Internal audit reports might cite significant deficiencies in controls over revenue recognition, which indicates increased risk of revenues recorded in incorrect periods or at improper amounts. Reading external information—Trade journals might indicate that one of the client’s key products will soon be outdated due to the recent introduction of a technologically superior product by a competitor, which indicates an increased risk of improper inventory valuation. Visiting premises and plant facilities—While touring client production facilities, you might observe significant damage to uninsured machinery and equipment due to a recent storm, which indicates an increased risk of impairment. Performing walkthroughs—A walkthrough of the billing cycle might reveal that control procedures to follow-up on unbilled transactions have not been implemented, which indicates an increased risk of unrecorded revenues and receivables.

Analytical Procedures
Preliminary analytical procedures Analytical procedures related to revenue required by AU-C 240 To enhance understanding of the business and identify potential risk areas Documented by completing a step on AP-1, “Audit Program for General Planning Procedures” Add risks to CX-7.1, “Risk Assessment Summary Form” Key Points: AU-C specifies that risk assessment procedures should include analytical procedures. Other than the analytical procedures performed to comply with SAS 99, analytical procedures used in the planning stage only need to be designed to point out audit areas that may be indicative of potential risks and, thus, need special emphasis. Professional standards do not require the use of any particular analytical procedures. Analytical procedures may consist of reviewing changes in account balances from the prior year to the current year using the general ledger or the preliminary or unadjusted working trial balance. Other preliminary analytical procedures may consist primarily of analysis of ratios or trends related to profitability, liquidity, solvency, and activity combined with inquiries of financial and operating management. In the audit of a small business, simple comparisons and ratios are ordinarily effective. AU-C 240 requires performance of preliminary analytical procedures relating to revenue in order to identify unusual or unexpected relationships that may indicate fraudulent financial reporting (that is, improper revenue recognition). Comparison of current and prior-period account balances for revenue accounts ordinarily will not be sufficient to identify potential fraudulent financial reporting. Preliminary analytical procedures related to revenue should typically be performed at a more disaggregated level than other preliminary analytics, such as by comparing sales by month or by location to comparable prior-year sales. Those procedures should be updated during the final review stage of the audit, that is, they should be performed through the end of the reporting period. Documentation of preliminary analytical procedures can be limited, but it should be sufficient to provide support for the auditor's risk assessment. The results of the preliminary analytical review ordinarily are documented using a narrative memorandum, comparative carryforward schedule, or other form of workpaper referenced from a step on the planning program. If risks are identified, they should be added to CX-7.1, “Risk Assessment Summary Form.” Presentation Tip: Consider reviewing Exhibit 2-6, “Unusual or Unexpected Relationships and Potential Risks,” with participants. For More Information: Preliminary analytical procedures are discussed at paragraph

Document the procedures performed AU-C 230provides guidance on documenting procedures For inquiries, document the date, name and title of individual, inquiry, and response For observation, document what was observed, where, when, and entity personnel involved For inspection, document the identifying characteristics, for example, document name or number and date Key Points: As previously discussed, CX-3.3, “Fraud Risk Inquiries Form,” is used to document fraud inquiries, and a step on AP-1, “Audit Program for General Planning Procedures,” is used to document preliminary analytical procedures. The following PPC practice aids used for documenting the understanding of the entity and its environment, including internal control, provide space to document procedures performed to obtain or update that understanding: CX-3.1—“Understanding the Entity and Identifying Risks” CX-4.1—“Understanding the Design and Implementation of Internal Control” CX-4.2.1—“Financial Reporting System Documentation Form—Significant Transaction Classes” CX-4.2.2—“Financial Reporting System Documentation Form—IT Environment and General Computer Controls” CX-4.3—“Walkthrough Documentation Table” Presentation Tips: Review blank copies of the listed forms with the participants. Point out the questions on the forms that are used to document procedures performed. Completed versions of the listed forms are illustrated in Case Study 1 at Appendixes A-5, A-8, A-9, A10, and A-11; in Case Study 2 at Appendix B-3; and in Case Study 3 at Appendixes C-2, C-4, C-5, C-7, C-8, and C-10. Consider reviewing documentation of the procedures performed on one of these documents, or one of the firm’s completed practice aids, with participants.

Understanding the Entity and Its Environment
Perform risk assessment procedures (inquiry, analytics, observation, and inspection) to gather information about: Industry, regulatory, and other external factors Nature of the entity Objectives, strategies, and related business risks Measurement and review of the entity’s financial performance Selection and application of accounting policies Key Points: Matters relating to industry, regulatory, or other external factors include: Industry conditions Legal and regulatory environment Government policies General economic conditions Matters relating to the nature of the entity include: Structure, ownership, and governance Business operations—revenues, products or services, and markets Major assets and liabilities Expenses Workforce considerations Investments Financing Financial reporting Matters relating to objectives, strategies, and related business risks include future trends, expectations, objectives, and strategies in areas such as: Products and services Marketing and sales Research and development Technology Business expansion or restructuring Workforce or compensation Information used by management for measurement and review of the entity’s financial performance might include: Key financial and nonfinancial performance indicators Trends Key ratios and other operating and financial statistics Forecasts, budgets, and variance analyses Period-on-period financial performance Comparisons to competitors’ performance (i.e., benchmarking) Information prepared by external parties, such as analyst reports and credit rating agency reports For More Information: Understanding the entity and its environment is discussed in section 202.

Obtain an understanding of the client’s selection and application of accounting policies Are accounting policies appropriate for the entity and consistent with the industry? Are there any changes in accounting policies? Key Points: Accounting policies include the accounting principles as prescribed by relevant accounting pronouncements as well as the methods adopted to apply those principles in the circumstances. When an accounting pronouncement permits an alternative in the way an accounting principle is applied or does not dictate a specific method of application, management has to adopt a method that is most appropriate in the circumstances. Obtain an understanding of management’s selection and application of accounting policies and evaluate whether the policies are appropriate for the entity’s business and consistent with policies used in the industry. This understanding is important for considering the risks of material misstatement at both the financial statement and relevant assertion levels, including both misstatements due to fraud and those due to error. It is an important element in determining what can go wrong in the preparation of financial statements and, hence, in assessing risks of material misstatement. An understanding of management’s selection and application of accounting policies also includes: Changes in the entity’s policies, including the reasons for changes and whether they are appropriate and consistent with GAAP (or an OCBOA). Financial reporting standards and regulations that are new to the entity and management’s plans to adopt those requirements, including new accounting standards. Presentation Tip: Consider reviewing Exhibit 2-21, “Matters to Consider When Evaluating Accounting Policies,” with participants. For More Information: The selection and application of accounting policies is discussed at paragraph

Consider the presence of fraud risk factors Update information obtained in prior years by performing risk assessment procedures to determine if the information has changed Key Points: AU-C states that the auditor should evaluate whether the information obtained from risk assessment procedures indicates that one or more fraud risk factors are present. Fraud risk factors are conditions or events that indicate: Incentives/pressure to perpetrate fraud (such as conditions that indicate excessive pressure on management or the owner/manager to meet the requirements or expectations of third parties), Opportunities to carry out the fraud (such as deficiencies in internal control or ineffective monitoring of management), or Attitudes/rationalizations to justify a fraudulent action (such as dissatisfaction with the entity on the part of employees with access to assets susceptible to theft). Fraud risk factors may be related to fraudulent financial reporting or misappropriation of assets. Previous experience with the entity contributes to the understanding of the entity and its environment. Audit procedures performed in previous audits typically provide useful audit evidence about: The entity’s organizational structure, business, and controls. Past misstatements and whether they were corrected on a timely basis, which assists the auditor in assessing risks of material misstatement in the current audit. However, before using information obtained in prior periods, determine whether changes have occurred that may affect its relevance in the current audit. According to AU-C 315, “The auditor should make inquiries and perform other appropriate audit procedures, such as walkthroughs of systems, to determine whether changes have occurred that may affect the relevance of such information.” Changes may change the client’s inherent or business risk or the auditor’s assessment of risks of material misstatement.

Using the PPC Approach CX-3.1: “Understanding the Entity and Identifying Risks” Key elements of the understanding The consideration of fraud risk factors Sources of information Risk assessment procedures performed CX-7.1: “Risk Assessment Summary Form” (if risks are identified) CX-6.1: “Entity Risk Factors” and CX-6.2: “Fraud Risk Factors” (memory joggers) Key Points: In addition to documentation of the discussion among the engagement team, AU-C indicates that the auditor should include the following in the audit documentation: Key elements of the understanding obtained regarding each aspect of the entity and its environment. The sources of the information from which the understanding was obtained. The risk assessment procedures performed. The practice aid, “Understanding the Entity and Identifying Risks” (CX-3.1), can be used to document the auditor's understanding of the entity. Part I of the form is divided into the following sections for obtaining the understanding: Structure, ownership, and governance Industry, regulatory, and other external factors Nature of the entity Objectives and strategies and related business risks Measurement and review of the entity’s financial performance Other considerations and risks, including the consideration of fraud risk factors Within each section of Part I, space is provided to document risk considerations. Part II of the form is used to document the sources of information used and procedures performed to obtain or update the understanding of the entity and its environment. Part III of the form is used to “synthesize” the risk considerations documented throughout the form, that is, to consider the potential risks both individually and in combination to identify matters that represent risks of material misstatement of the financial statements. If risks are identified that could result in material misstatement of the financial statements, they should be added to CX-7.1, “Risk Assessment Summary Form.” CX-6.1, “Entity Risk Factors,” and CX-6.2, “Fraud Risk Factors,” provide lists of risk factors to consider when identifying financial statement risks. However, the risk factors listed are only examples and may serve as memory joggers to spark the consideration of additional or different risks relevant to the client. These forms are not intended to be included in the final audit documentation. Presentation Tips: Review a blank copy of CX-3.1 with the participants. Point out how the headings on the form match the requirements of the standard. Point out the places on the form that can be used to document risk considerations. Remind participants that it is not important how they categorize a risk (for example, whether it relates to the regulatory environment or the nature of the entity); it is more important that they get it documented if they think it is important for the audit. Also, there is no need to document a risk consideration in more than one place on the form. Review and discuss the synthesis of risks in Part III of CX-3.1. A completed CX-3.1 is illustrated in Case Study 1 at Appendix A-5. Case Study 2 illustrates the process of understanding the entity and risk identification in a memo at Appendix B-3. Consider reviewing these documents, or one of the firm’s completed practice aids, with participants. Review a copy of CX-6.1 (“Entity Risk Factors”) and CX-6.2 (“Fraud Risk Factors”) with the participants. Encourage them to use these forms as memory joggers to help translate the information they obtain about the entity and its environment into potential risks that could affect the financial statements.

Understanding Internal Control
Control Environment Risk Assessment Information and Communication Monitoring Control Activities Key Points: Auditors should obtain an understanding of the five components of internal control that is sufficient to assess the risks of material misstatement of the financial statements due to error or fraud and design the nature, timing, and extent of further audit procedures. The control environment sets the tone of an entity and influences the control consciousness of its people. The control environment is the foundation for all other components of internal control and provides structure and discipline. Among the important elements of the control environment are attitudes, awareness, and actions of management, as well as those charged with governance, concerning internal control. The integrity of management or the owner/manager often plays a significant role in establishing a strong control environment. Risk assessment is the process of setting objectives; prioritizing and linking those objectives; and identifying, analyzing, and managing risks relevant to achieving those objectives. With respect to the objective of reliable financial reporting, the entity’s risk assessment process involves the identification, analysis, and management of the risks of material misstatement of the financial statements. Information refers to the financial reporting system, which includes the accounting system, and encompasses the procedures and records established to initiate, authorize, record, process, and report the entity’s transactions. It also includes the accountability over assets, liabilities, and equity. Communication is the process of providing an understanding of roles and responsibilities to individuals within the organization regarding internal control over financial reporting. The monitoring is a process by which an entity assesses the quality of its internal control over time. Monitoring involves assessing the design and operation of controls on a timely basis, capturing and reporting identified control deficiencies, and taking actions as necessary. Monitoring activities can also reveal evidence or symptoms of fraud. Effective monitoring ensures that internal controls are modified as changes in conditions occur in the business. Control activities are the policies and procedures that help ensure that management directives are carried out. That is, control activities are those actions that are taken to address risks that threaten the entity’s ability to achieve its objectives, one of which is reliable financial reporting. Control activities usually involve two elements: (a) a policy that establishes what should be done and (b) the procedure that implements the policy. Auditors generally begin by obtaining an understanding of the control environment, risk assessment, information and communication, and monitoring components, typically obtaining an understanding of the control environment first. The understanding of control activities is not needed until planning the nature, timing, and extent of further audit procedures at the assertion level. As a practical matter, however, auditors often obtain an understanding of control activities while obtaining an understanding of the other control components. For More Information: Obtaining an understanding of internal control is discussed in section 203.

Understand design and implementation Perform inquiry, observation, and inspection Inquiry alone is not sufficient to understand the design and implementation of controls Key Points: AU-C 315 requires auditors to perform risk assessment procedures to evaluate the design of controls that are relevant to the audit and determine whether they have been implemented. A key consideration is whether and how the entity’s internal control prevents, or detects and corrects, material misstatements in relevant assertions related to transaction classes, account balances, or disclosures. It is not enough to simply determine whether a control as described or documented is effective in design. Implementation means determining that the control, as documented or described, actually exists and the entity is using it. This involves performing observation and inspection in addition to inquiry. Inquiry alone is not sufficient to evaluate the design and implementation of internal control. Generally, observation and inspection procedures are performed in addition to inquiry.

Evaluate the design and implementation of controls— Related to significant risks Related to risks that cannot be tested effectively using substantive procedures alone Understand— How the incorrect processing of transactions is resolved How detail is reconciled to the general ledger for material accounts Key Points: Significant risks generally relate to nonroutine transactions and complex or judgmental matters. Examples of matters that often involve significant risks include: Significant nonroutine transactions, that is, transactions that are unusual due to their size or nature. Accounting estimates for which there is significant measurement uncertainty, such as certain fair value estimates. Transactions that involve complex calculations or the application of complex accounting principles, such as self-constructed property with capitalized interest or revenue recognition for software that is tailored for the customer. Significant related-party transactions. Transactions that require a large degree of manual intervention in data collection and processing. Unusual or infrequent transactions that by their nature make effective controls difficult to implement, such as major litigation. Transactions that involve a relatively large degree of management intervention in specifying the accounting treatment. Fraud risks are always considered to be significant risks. After completing your risk assessment procedures to evaluate internal control design and implementation, you should consider whether a sufficient understanding has been obtained of controls that would prevent, or detect and correct, material misstatements related to fraud risks or other significant risks. If not, you should perform additional risk assessment procedures directed at gaining an understanding of controls relating to those risks. When you believe substantive procedures alone will not be sufficient, testing of internal controls is required. This tends to occur in highly automated processing environments in which a significant amount of information is initiated, authorized, recorded, processed, or reported electronically. If you have not obtained a sufficient understanding of controls related to risks that cannot be addressed with substantive procedures alone, you should perform additional risk assessment procedures directed at gaining an understanding of controls relating to those risks. You should obtain an understanding of how the incorrect processing of transactions is resolved. For example, some systems use suspense accounts or files to capture failed transactions. For such situations, the auditor would understand the procedures for suspense accounting including how suspended transactions are researched and cleared. Another specific requirement of the auditing standards is to understand the process for reconciling detail records to the general ledger. For example, for the accounts receivable general ledger account, you should understand the process of reconciling the account to the subsidiary accounts receivable ledger. This understanding is typically obtained when obtaining an understanding of significant transaction processing systems and the financial close and reporting process.

Document the following: Understanding of internal control components Sources of information Procedures performed Controls evaluated related to significant risks and risks for which substantive procedures alone are not effective Key Points: Au-C requires documentation of the understanding of internal control. The auditor is required to document the understanding obtained for the five components of internal control, the sources of information used and risk assessment procedures performed to obtain the understanding, and the controls related to significant risks and risks for which substantive procedures alone will not be sufficient. Professional standards permit flexibility in the manner of documentation. Possible documentation methods include: Narratives or memorandum documents. Internal control questionnaires. Checklists. Flowcharts. The form and extent of documentation is influenced by factors such as the complexity, size, and nature of the entity and the use of technology. Some auditors supplement their documentation with existing documentation of control systems prepared by the entity. Consider inquiring of the client about the existence of such documentation along with any supporting evaluation of the effectiveness of controls. When client documentation is available, the auditor may gain additional audit efficiencies and a better understanding of the client's internal control.

Using the PPC Approach Entity-level controls Activity-level controls
Control environment Risk assessment Information and communication Monitoring Activity-level controls Financial reporting system Control activities IT environment and general computer controls Key Points: Using the PPC approach, the internal control components of the control environment, risk assessment, information and communication (excluding the financial reporting system), and monitoring are referred to as “entity-level” controls. These controls typically have a pervasive effect on the entity's system of internal control. The internal control component of control activities, along with the detailed aspects of the financial reporting system, are referred to as “activity-level” controls. Activity-level controls and processes operate at the assertion level rather than at the overall financial statement level. Activity-level controls are directly related to initiating, authorizing, recording, processing, and reporting the entity's transactions. Consequently, the understanding of activity-level controls directly supports the auditor's risk assessment at the relevant assertion level for account balances, transaction classes, and disclosures. Controls throughout the system may be either manual or automated and may be significantly affected by IT. Therefore, the auditor should also obtain an understanding of the entity's IT environment and general computer controls The auditor ordinarily obtains an understanding of entity-level controls first because the pervasive nature of those controls can potentially influence the design and operating effectiveness of other controls. Also, the auditor generally accumulates a significant amount of knowledge about activity-level controls through the understanding of entity-level controls. After obtaining an understanding of entity-level controls, the auditor focuses on obtaining an understanding of the financial reporting system, which is part of the information and communication component of internal control. Obtaining an understanding about how the entity initiates, authorizes, records, processes, and reports transactions through the financial reporting system typically also provides a significant amount of information about control activities. After obtaining an understanding of those aspects of transaction processing, the auditor considers whether it is necessary to devote additional attention to obtaining an understanding of control activities. Devoting additional attention to obtaining an understanding of control activities would typically only be necessary if: The auditor does not understand what controls, if any, the entity has implemented to prevent, or detect and correct, material misstatements related to fraud risks or other significant risks. The auditor plans or is required to test controls for one or more assertions but has not identified which controls to test (that is, which manual or automated controls are most likely to prevent or detect and correct material misstatements in that assertion). For More Information: Obtaining an understanding of entity-level controls is discussed in section Obtaining an understanding of activity-level controls is discussed in section 205.

Using the PPC Approach CX-4.1: “Understanding the Design and Implementation of Internal Control” Evaluate entity-level controls Identify significant transaction classes CX-4.2.1: “Financial Reporting System Documentation Form—Significant Transaction Classes” Document the processing of transactions for each significant transaction class Document the financial close and reporting process Key Points: Using the PPC approach, the following forms are used to document the understanding of internal control, including the evaluation of design and implementation: “Understanding the Design and Implementation of Internal Control” (CX-4.1). This form is used to document the understanding of entity-level controls, along with the sources of information used and procedures performed to obtain or update the understanding, and to evaluate the design and implementation of those controls. This form is also used to identify significant transaction classes that will be documented using CX “Financial Reporting System Documentation Form—Significant Transaction Classes” (CX-4.2.1). This form is used to document the processing of transactions for significant transaction classes, evaluate whether the controls are properly designed and implemented, and document the sources of information used and procedures performed to obtain or update the understanding. This form is also used to document the financial close and reporting process. A narrative is prepared and documented on CX for each significant transaction class identified on CX-4.1. Presentation Tips: Review a blank copy of CX-4.1 with the participants. Point out how the control objectives listed on the form for each entity-level control component match COSO. Remind participants that they may document their responses for each objective or document their responses in the first blank provided for all of the objectives combined. Review a blank copy of CX with the participants. Point out that a narrative should be written on CX for each significant transaction class identified on CX A narrative should also be written for the financial close and reporting process. A completed CX-4.1 is illustrated in Case Study 1 at Appendix A-8 and in Case Study 3 at Appendix C-2. Case Study 2 illustrates the process of understanding the design and implementation of internal control in a memo at Appendix B-6. Consider reviewing these documents, or one of the firm’s completed practice aids, with participants. A completed CX is illustrated in Case Study 1 at Appendix A-9 and in Case Study 3 at Appendixes C-4 and C-7. Consider reviewing these documents, or one of the firm’s completed practice aids, with participants.

Using the PPC Approach CX-4.2.2: “Financial Reporting System Documentation Form—IT Environment and General Computer Controls” Understand the effect of IT CX-4.3: “Walkthrough Documentation Table” For each walkthrough CX-5: “Activity and Entity-level Control Forms” (optional) Key Points: “Financial Reporting System Documentation Form—IT Environment and General Computer Controls” (CX-4.2.2). This form is used to document the understanding of the entity’s IT environment (including consideration of controls at a service organization) and general computer controls, as well as the decision about whether to use an IT specialist. It is also used to evaluate whether general controls are properly designed and implemented and document the sources of information used and procedures performed to obtain or update the understanding. “Walkthrough Documentation Table” (CX-4.3). This form is used to document the performance of a walkthrough. A walkthrough confirms the understanding of the design and implementation of controls by tracing a transaction through the entity’s system from its initiation to inclusion in the general ledger and financial statements. A separate CX-4.3 is prepared for each walkthrough performed. “Activity and Entity-level Control Forms” (CX-5). These forms are optional source lists of control activities and entity-level controls by transaction class (for each audit area) or by objective (for entity-level controls). The forms provide a list of common key controls that are applicable for many nonpublic entities. The forms can be used as a memory jogger to assist in identifying and describing the entity’s controls or as a supplement to narratives or flowcharts to further document the understanding of controls and to indicate which controls are being tested. Presentation Tips: Review a blank copy of CX with the participants. Review a blank copy of CX-4.3 with the participants. Point out that a walkthrough documentation table should be completed for each walkthrough performed. Review a blank copy of a CX-5 form. Discuss the firm’s approach for using these forms. A completed CX is illustrated in Case Study 1 at Appendix A-10 and in Case Study 3 at Appendix C-10. Consider reviewing these documents, or one of the firm’s completed practice aids, with participants. A completed CX-4.3 is illustrated in Case Study 1 at Appendix A-11 and in Case Study 3 at Appendixes C-5 and C-8. Consider reviewing these documents, or one of the firm’s completed practice aids, with participants. A completed CX-5 is illustrated in Case Study 3 at Appendixes C-3, C-6, and C-9. Consider reviewing these documents, or one of the firm’s completed practice aids, with participants.

Identifying Significant Transaction Classes
Transaction classes that present a reasonable possibility of material misstatement of the financial statements or disclosures based on: Volume of activity Size and composition of accounts Types of transactions Presence of fraud risks or other significant risks Changes from the prior period Key Points: The auditor should identify significant transaction classes and obtain an understanding of the flow of information (including electronic information) through the entity's financial reporting system for each of those classes. That is, the auditor should obtain an understanding of how transactions are processed from initiation through inclusion in the general ledger. Significant transaction classes are identified and listed on CX-4.1, “Understanding the Design and Implementation of Internal Control.” Significant transaction classes are those classes of transactions in the entity's operations that are significant to the financial statements, generally because of the volume or risk characteristics of transactions processed. When identifying significant transaction classes, focus on transaction classes that present a reasonable possibility of material misstatement of the financial statements or disclosures, including those that involve significant or fraud risks. Qualitative and quantitative factors such as the following should be considered: Volume of activity. Size and composition of the related accounts. Susceptibility to misstatement due to errors or fraud. Nature of the transactions, related account balances, or disclosures. Accounting and reporting complexities. Exposure to losses in the related accounts. Possibility of significant contingent liabilities arising from the activities being processed. Existence of related party transactions. Changes from the prior period in the characteristics of the transactions, related account balances, or disclosures. Presentation Tip: Review the list of transaction classes provided at Exhibit 2-41, and discuss which are generally significant for the firm’s clients. For More Information: Identifying significant transaction classes is discussed at paragraph

Understanding Significant Transaction Classes
How are transactions initiated and authorized? How are transactions recorded and processed? How are transactions reconciled? What reports are generated and how are they used? Key Points: The following questions are related to understanding how transactions are initiated and authorized: How and by whom are transactions initiated and authorized? What source documents (or electronic means) are used to capture information for entry in the accounting system? How and by whom are transactions originally entered in the accounting system for processing? The following questions are related to understanding how transactions are recorded and processed: What are the accounting processing steps, both automated and manual, from original entry to inclusion in the general ledger and who performs them? What accounting records and supporting documents are used or created when processing transactions? What subsidiary journals or ledgers are involved? How is the incorrect processing of transactions resolved? The following questions are related to understanding how transactions are reconciled: What procedures are used to enter transaction totals into the general ledger? What is the entity’s process for reconciling account detail to the general ledger for material accounts? How does IT affect the entity’s control activities? Consider what management reports or other information are generated from the system and how they are used by management or the owner/manager in managing and controlling the entity’s activities. Throughout the process of obtaining the understanding, consider the effect of IT on the way the entity's control activities are designed and implemented. Also identify and evaluate the controls, if any, the entity has implemented to prevent or detect and correct material misstatements related to fraud risks or other significant risks. And be alert for areas where controls must be tested because substantive procedures alone will not be sufficient to address assessed risks.

Understanding Significant Transaction Classes
Consider control objectives: Completeness: All transactions are recorded Occurrence: All recorded transactions occurred and pertain to the entity Accuracy: Transactions are recorded in the proper amount Classification: Transactions are recorded in the proper account Cutoff: Transactions are recorded in the proper period Key Points: When obtaining an understanding of internal control, many auditors consider control objectives during the process of identifying controls and evaluating their design and implementation. A control objective states the purpose of a control in relation to risks and “what could go wrong” in the financial statements. For example, “All property, plant, and equipment additions are recorded,” might be a control objective that addresses a risk of fixed asset transactions not being properly tracked and recorded (i.e., completeness). Failure to achieve that control objective could potentially result in understatement of fixed assets and depreciation expense, as well as misstatements in other income statement accounts. Control objectives for transaction processing typically relate to the assertions of completeness (all transactions are recorded), occurrence (all recorded transactions occurred and pertain to the entity), accuracy (transactions are recorded in the proper amount), classification (transactions are recorded in the proper account), and cutoff (transactions are recorded in the proper period). By considering control objectives and how they relate to risks and what can go wrong at the relevant assertion level, an auditor might find it easier to identify existing controls and evaluate their design effectiveness. For example, an auditor might tailor inquiries of client personnel to focus on how certain control objectives are achieved within the entity when trying to identify the controls that address a particular risk of material misstatement. Likewise, when existing controls are identified, the auditor can evaluate whether those controls, if operating effectively, would fully achieve the objective or whether deficiencies exist because of improper design or missing controls. The auditor is not required to understand all controls and control activities that might exist in an entity. The auditor typically focuses attention on those controls that are most important in achieving particular control objectives related to identified risks. Often, an entity has multiple controls that contribute to achieving its control objectives. However, certain of those controls, referred to as key controls, are considered primary to achieving the objectives. When identifying controls, evaluating design effectiveness, determining implementation, and testing operating effectiveness, it is often most efficient and effective for the auditor to focus on key controls. Many times, these are the controls that the client believes are the most effective and reliable in operation to fully address a control objective.

Documenting Significant Transaction Classes
Narrative description Focus on key controls and control objectives related to identified risks How are control objectives achieved? What controls are in place to address significant or fraud risks? Are controls properly designed and implemented? Key Points: Using the PPC approach, the auditor writes a narrative description on CX-4.2.1, “Financial Reporting System Documentation Form—Significant Transaction Classes,” about how transactions are processed for each significant transaction class and for the financial close and reporting process. When preparing the narratives, attention should be focused on the control objectives and key controls related to the relevant assertions and risks that were identified when performing other risk assessment procedures. Before writing the narrative, review your identified risks related to the transaction class and consider the related control objectives. For example, if the transaction class is sales order processing, and you identified a risk related to the completeness of sales transactions, address in your narrative the controls that are in place to ensure that all sales transactions are processed (completeness). Be sure the narrative specifically addresses controls the entity has implemented to prevent or detect and correct material misstatements related to fraud risks, other significant risks, and risks for which substantive procedures alone are not sufficient. For example, if you identify a risk related to fraudulent cash disbursements, make sure your narrative describing the processing of cash disbursements addresses the controls that are in place to prevent or detect fraudulent disbursements. The narrative should enable you to conclude whether controls over the transaction class are properly designed and implemented to achieve the significant control objectives. The narrative is intended to assist in assessing the magnitude of identified risks and deciding whether to respond to them with substantive procedures alone or a combination of substantive procedures and tests of controls.

Performing Walkthroughs
Select one or a few transactions Trace from initial creation of the source document to final posting in the general ledger Inspect documents and records used in processing, make inquiries, and observe procedures being performed Key Points: A common method of obtaining an understanding of the processing of transactions for a significant transaction class is to trace a transaction through the various processing steps from initiation to inclusion in the general ledger. This is commonly referred to as a “walkthrough.” Walkthroughs may be used to confirm information obtained by inquiry or from prior years' audits. Walkthroughs are also commonly used in gaining an understanding of control activities. Walkthroughs of transactions usually involve document inspection, inquiry, and observation. The auditor judgmentally selects one or a few transactions from each of the major classes of transactions and walks those transactions and related controls through the system from cradle to grave, that is, from initial creation of a source document to final posting in the general ledger and inclusion in the financial statements. The auditor inspects the documents and accounting records used in processing, talks to the personnel involved, and observes the handling of records and related assets. In performing a walkthrough, the auditor should follow the same transaction through all of the processing steps in the system. A walkthrough may not be effective if a different transaction is used to test each control or processing step separately rather than walking a single transaction through the entire process or if the auditor does not use the same documents and IT that client personnel use. Even though AU-C 315 allows the auditor to rely on audit evidence obtained in prior periods, the auditor is still required to perform audit procedures to determine the continued relevance of that evidence. In many cases, the auditor can establish the continued relevance of information about internal control through the performance of a walkthrough. Indeed, a walkthrough may be helpful in determining whether and how internal control design and implementation have changed since the prior period. Thus, walkthroughs are ordinarily performed in each audit period for significant transaction classes. For More Information: Walkthroughs are discussed at paragraph

Retrospective Review of Accounting Estimates
Performed to evaluate: Effectiveness of management’s estimation process Information relevant to current year estimates The need for disclosure The existence of possible management bias AP-1: “Audit Program for General Planning Procedures” Key Points: AU-C 540 requires a retrospective review during risk assessment of the outcome of accounting estimates that were included in the prior period's financial statements. Generally, the outcome of an accounting estimate will differ from the amount that was recognized in the prior period. By identifying and understanding the reasons for differences, the auditor may obtain information about the effectiveness of management's prior period estimation process, audit evidence that is pertinent to re-estimation of estimates in the current period, or evidence of matters requiring disclosure in the financial statements such as estimation uncertainty. The retrospective review includes reviewing information available in the current year and comparing that information to significant estimates recorded in the prior year. AU-C also requires a retrospective review of significant prior-year accounting estimates. The intent of the review is to determine, with the benefit of hindsight, whether the underlying assumptions in the prior year might indicate possible bias on the part of management. The review may provide additional information about whether the current year's estimates could be biased. Significant estimates selected for retrospective testing should include those that are highly subjective or may change significantly based on the underlying assumptions and judgments. If possible bias on the part of management in making accounting estimates is identified, the auditor considers whether the bias indicates a risk of material misstatement due to fraud, that is, intentional manipulation of the financial statements, and develops an appropriate response. The retrospective review for risk assessment purposes may be performed concurrently with the review for possible management bias. Using the PPC approach, the retrospective review is performed by completing a step on AP-1, 'Audit Program for General Planning Procedures."

Assessing Risks and Developing Responses
Assess risks at the financial statement level Develop the overall audit strategy Assess risks at the relevant assertion level Develop the detailed audit plan Key Point: The next few slides address Step 3 of the PPC Audit Approach: Assess Risks and Develop Responses, which consists of assessing risks at the financial statement level, developing the overall audit strategy, assessing risks at the relevant assertion level, and developing the detailed audit plan. For More Information: Assessing risks and developing responses is discussed in Chapter 3.

Assess Risks at the Financial Statement Level
Identify risks that are pervasive to the financial statements and potentially affect many assertions Assess the risk of material misstatement at the financial statement level Develop overall responses Document the risk assessment and the responses CX-7.1: “Risk Assessment Summary Form” (Part I) Key Points: AU-C states that the auditor’s objective is to identify and assess the risks of material misstatement, whether due to error or fraud, at the financial statement and relevant assertion levels. These risks are identified and assessed by obtaining an understanding of the entity and its environment, including its internal control, and this understanding provides a basis for designing and implementing responses to the assessed risks of material misstatement. Risks of material misstatement at the financial statement level often relate to the entity’s control environment and are not necessarily identifiable with specific relevant assertions at the class of transaction, account balance, or disclosure level. These overall risks are often especially relevant to the auditor’s consideration of the risks of material misstatement arising from fraud, for example, through management override of internal control. Overall responses to address risks of material misstatement at the financial statement level may include: Emphasis to the audit team to use professional skepticism. Assigning staff with higher experience levels or specialized skills. Increasing the level of supervision. Using a greater degree of unpredictability in selecting audit procedures. Changing the nature, timing, and extent of substantive procedures (for example, instead of interim testing shift testing to period end or modify the nature of the audit procedures to obtain more persuasive evidence). AU-C requires documentation of the assessment of risks of material misstatement at the financial statement level and the basis for the assessment, and AU-C requires the auditor to document the overall responses to address the assessed risks of material misstatement at the financial statement level. Auditors can document the overall risks and responses on Part I of the “Risk Assessment Summary Form” (CX-7.1). Presentation Tips: Review a blank copy of CX-7.1 (Part I) with the participants. A completed CX-7.1 is illustrated in Case Study 1 at Appendix A-12 and in Case Study 2 at Appendix B-7. Consider reviewing these documents, or one of the firm’s completed practice aids, with participants.

Develop the Overall Audit Strategy
Characteristics of the engagement that define its scope Reporting objectives of the engagement Important factors that determine audit focus Resources needed to perform the audit Key Points: The overall audit strategy is the operational approach to achieving the objectives of the audit. It is a high level determination of the audit approach. It includes the identification of overall risks, the overall responses to those risks, and the general approach to each audit area as being substantive procedures or a combination of substantive procedures and tests of controls. AU-C provides that in establishing the overall audit strategy the auditor should: Determine the characteristics of the engagement that define its scope. Ascertain the reporting objectives of the engagement to plan the timing of the audit and the nature of communications required. Consider the significant factors that will determine the focus of the audit team’s efforts. Consider the results of preliminary engagement activities. Consider, if applicable, the knowledge from other engagements performed for the entity. Determine the nature, timing, and extent of resources needed to perform the audit. The scope of the engagement may be defined by the following types of characteristics: The basis of reporting, for example, GAAP or an OCBOA. Industry-specific, statutory, or regulatory reporting requirements. The availability of the work of internal auditors and the auditor’s potential reliance on that work. Planned reliance on the work of other auditors. The entity’s use of service organizations. The number of entity locations and nature of procedures to be performed at each. Whether it is an initial versus a continuing engagement. Reporting objectives include: Deadlines for interim and final reporting. Key dates for expected communications with management and those charged with governance, for example, concerning internal control related matters. The expected nature and timing of communications among audit team members, including the nature and timing of review of work performed.

Factors That Determine Audit Focus
Materiality levels Overall risks and responses Preliminary identification of high risk audit areas Preliminary identification of material locations and accounts Whether you plan to test controls Composition and deployment of the audit team Key Points: The overall audit strategy includes and is significantly influenced by the auditor’s judgments about materiality and the risks of material misstatement at the financial statement level. Factors that determine the focus of the audit team’s efforts generally include: Materiality considerations, including planning materiality and materiality for auditors of other locations. Overall risks and responses at the financial statement level. Preliminary identification of areas where there may be higher risks of material misstatement, including those due to fraud. Preliminary identification of material locations and account balances. Plans to obtain audit evidence about the operating effectiveness of controls, i.e., whether the auditor plans to use substantive procedures alone or a combination of substantive procedures and tests of controls, and whether control tests will be performed in the current year or reliance placed on tests performed in a prior year. Composition of the audit team and assignment of work to audit team members. Professional standards do not necessarily require all of the matters that affect audit strategy to be documented in one place, such as in a separate audit strategy memo. However, AU-C requires that the auditor document the overall audit strategy, the audit plan, and any significant changes made to them during the audit and the reasons. One efficient approach to documenting the audit strategy in the audit of a small, noncomplex, nonpublic company is to prepare a brief memo that outlines key components of the audit strategy as the basis for planning the current engagement. Subsequent changes in the strategy, if any, can be documented on the original memo, which satisfies the requirement to document changes in the audit strategy. Establishing the overall audit strategy for an entity need not be complex or time consuming. Many of the matters that relate to the overall audit strategy are document in the normal course of completing the audit planning program and related practice aids.

Assess Risks at the Relevant Assertion Level
Identify risks of material misstatement (due to error or fraud) for specific— Account balances Transaction classes Disclosures Consider what can go wrong at the relevant assertion level Key Points: In addition to being required to assess the risk of material misstatement at the financial statement level, the auditor is also required to assess the risk of material misstatement of the financial statements whether due to error or fraud at the assertion level for specific account balances, transaction classes, and disclosures. For the purpose of assessing the risks of material misstatement at the relevant assertion level, AU-C indicates that the auditor should do the following: Identify risks throughout the process of obtaining an understanding of the entity and its environment, including relevant controls that relate to the risks. Relate the identified risks to what can go wrong at the relevant assertion level. The auditor uses information gathered to identify risks that may result in material misstatement of the financial statements. The auditor's identification of risks is a matter of professional judgment. It is more than reviewing a checklist of risk factors or red flags. It encompasses all of the auditor's knowledge of the client, including knowledge obtained about the entity and its environment, its management, the industry in which it operates, its internal control, and risk factors. Risks are articulated in terms of what can go wrong in the financial statements at the assertion level. This is done, in part, because the presence of risks may only become evident when information from different sources is combined. That is, when analyzed in combination or as a whole, seemingly unrelated information might indicate a potential risk. In addition, it is difficult to link risks with responses unless the risks are stated in terms of their potential effects on the financial statements. For More Information: Identifying risks of material misstatement at the relevant assertion level is discussed in section 303.

Account Balances, Transaction Classes, Disclosures Existence or Occurrence Completeness Rights or Obligations Valuation or Allocation Accuracy or Classification Cutoff Key Points: AU-C 315.A115 states that the auditor may use the relevant assertions as they are described in the auditing standards or may express them differently provided aspects described therein have been covered. For example, the auditor may choose to combine the assertions about transactions and events with the assertions about account balances. Using the PPC approach, the following combined categories of assertions are used to facilitate the assessment of risks at the assertion level: Existence or Occurrence Completeness Rights or Obligations Valuation or Allocation Accuracy or Classification Cutoff These categories cover all of the assertions for transactions and events and account balances provided in the auditing standards, as well as those aspects of presentation and disclosure that are considered in the audit programs for individual audit areas. PPC uses the following audit objective in the general audit program to encompass the remaining assertions about presentation and disclosure that are generally considered in the process of preparing the financial statements: “Financial statements are presented in accordance with GAAP. Required disclosures are complete, clearly expressed and understandable, and contain financial and other information that is fairly disclosed at appropriate amounts.”

Assessing risks at the assertion level Are the risks of a magnitude that could result in material misstatement? What is the likelihood that the risks could result in material misstatement? Likelihood is a function of: Inherent risk Control risk Need a basis for the assessment Key Points: After identifying risks and relating them to what can go wrong in the financial statements at the relevant assertion level, the auditor should: Consider whether the risks are of a magnitude that could result in a material misstatement of the financial statements. Consider the likelihood that the risks could result in a material misstatement of the financial statements. Inherent risk is the susceptibility of a relevant assertion to a misstatement that could be material, either individually or when aggregated with other misstatements, assuming that there are no related controls. Control risk is the risk that a misstatement that could occur in a relevant assertion and that could be material, either individually or when aggregated with other misstatements, will be not prevented or detected on a timely basis by the entity’s internal control. The risk assessment procedures performed to obtain an understanding of the entity and its environment, including internal control, provide a basis for making the risk assessment. For More Information: Assessing risks of material misstatement at the relevant assertion level is discussed in section 304.

Identify significant risks that require special audit consideration Fraud risks Other significant risks Significant risks often relate to: Significant economic, accounting, or other developments Complex, nonroutine, or judgmental matters Transactions with related parties Key Points: AU-C states that the auditor should determine which of the risks identified by risk assessment procedures are risks that require special audit consideration, that is, significant risks. One or more significant risks normally arise on most audits. Furthermore, significant risks are likely to exist even when there are no new or unusual circumstances at the client. The determination of significant risks should be based primarily on the consideration of inherent risk, that is, it should be before consideration of the effect of identified controls related to the risk. A significant risk is generally one where the inherent risk is higher than the usual 'high' and therefore it requires special audit consideration. The auditor should determine whether the risk is such that it requires special audit consideration by focusing on the following: The nature of the risk. The magnitude of the potential misstatement, including the possibility of multiple misstatements. The likelihood of the risk occurring. Each of these aspects of the auditor's consideration need attention in determining whether special audit consideration is required, but the nature of the risk is particularly important. The nature of the risk should be evaluated by considering the following: Is the risk a risk of fraud or theft? Is the risk related to recent significant economic, accounting, or other developments? Are the transactions complex? Does the risk involve significant transactions with related parties? Is there a relatively large degree of subjectivity in the measurement of the financial information related to the risk? Does the risk involve significant nonroutine transactions outside the normal course of business or that otherwise appear unusual? An affirmative answer to any of these questions is likely to indicate the need for a specific audit response and, thus, a determination that the risk is a significant risk because it requires special audit consideration. Fraud risks are always considered to be significant risks.

Identify risks for which substantive procedures alone are not adequate Revise the risk assessment and reconsider planned audit procedures if audit evidence contradicts the original risk assessment Key Points: When substantive procedures alone are not adequate, you will need to evaluate the design and implementation of controls and perform tests of controls, and also document the risks and related controls. An audit is a continuous process of gathering, updating, and analyzing information about the fairness of presentation of amounts and disclosures in the client’s financial statements, and thus, risks should be evaluated continuously throughout the audit. The “Audit Program for General Auditing and Completion Procedures” (AP-2) includes a step to evaluate whether the risk assessments made during planning remain appropriate and, where necessary, to revise the assessment and related responses documented on the “Risk Assessment Summary Form” (CX-7.1).

Document the following: Risk assessment at the relevant assertion level Basis for the assessment Significant risks Risks for which substantive procedures alone are not adequate CX-7.1: “Risk Assessment Summary Form” (Part II) Key Points: Part II of the “Risk Assessment Summary Form” (CX-7.1) has been designed to assist the auditor in documenting the specific risk assessment at the assertion level and the planned response. The steps to be performed to complete Part II of the form are as follows: Identify any general risk assessment factors from CX-3.1, “Understanding the Entity and Identifying Risks” (including consideration of the “Entity Risk Factors” at CX-6.1 and “Fraud Risk Factors” at CX-6.2), and Part I of the “Risk Assessment Summary Form” at CX-7.1, that affect the risk of material misstatement for particular account balances, transaction classes, or disclosures. Determine the audit areas that are significant. Describe the specific risks of material misstatement that affect the account balance, transaction class, or disclosure; identify the financial statement assertion affected; and consider the significance of the risks. Determine the documentation approach to be used when assessing the risk of material misstatement (that is, by audit area or by assertion). Make a qualitative assessment of inherent risk as high, moderate, or low. Make a qualitative evaluation of control risk as high, moderate, or low. Make a qualitative assessment of the remaining or combined risk of material misstatement as high, moderate, or low based on the prior evaluations of inherent risk and control risk. Determine the response to the risk assessment by selecting an audit approach that includes sufficient further audit procedures to adequately respond to the risk assessment. Provide any relevant comments on audit approach, including any modifications of audit procedures made in response to fraud risks or other significant risks. Presentation Tips: Review a blank copy of CX-7.1 (Part II) with the participants. Point out that the form lists common audit areas and provides additional space to add audit areas unique to the particular client. A completed CX-7.1 is illustrated in Case Study 1 at Appendix A-12 and in Case Study 2 at Appendix B-7. Consider reviewing these documents, or one of the firm’s completed practice aids, with participants. For More Information: Documenting the risk assessment using CX-7.1 is discussed in section 305.

The Detailed Audit Plan
The nature, timing, and extent of further audit procedures to respond to the risk assessment (i.e., the audit program) Provides linkage between the risk assessment and the responses at the assertion level Key Points: The objective of the risk assessment at the relevant assertion level is the development of a detailed audit plan (including the nature, timing, and extent of planned further audit procedures) that adequately responds to the identified risks. The detailed audit plan is also referred to as the audit program. The individual audit programs in the PPC approach list each audit procedure and the related assertions. The assessment of the risk of material misstatement by assertion assists the auditor when deciding on an appropriate audit response by providing linkage between the risks and related audit program procedures. Linkage means developing procedures that are clearly linked to assessed risks of material misstatement at the relevant assertion level.

Tailoring the PPC Audit Programs
Limited No audit program Used for insignificant audit areas with low RMM Basic Primarily substantive analytics Some tests of details (required by SASs) Basic + Extended Tests of details and extended analytics For audit areas or assertions with higher risk Key Points: The PPC audit programs for individual audit areas include the following sections: Basic Procedures, which include primarily substantive analytical procedures and certain tests of details, most of which are required by the SASs (such as confirmation of receivables, inventory observation, and tests to address the risk of improper revenue recognition). Extended Procedures (Procedures for Additional Assurance), which include procedures from which the auditor can choose one or more steps as necessary to supplement the basic procedures in response to the auditor's risk assessment at the relevant assertion level. Other Audit Procedures, which include procedures that may be warranted due to the specific circumstances of the engagement. (Other audit procedures are considered Extended Procedures when completing the “Risk Assessment Summary Form.”) The purpose of the risk assessment is to determine the nature, timing, and extent of further audit procedures to be performed. PPC refers to the overall decision of which further audit procedures to perform as the selection of an “audit approach.” The approach may consist of one of the following: Limited: Perform only limited procedures and do not develop a separate audit program Basic: Perform basic procedures from the audit program Basic + Extended: Perform basic procedures plus certain extended procedures from the audit program When no separate specific audit program is needed for an audit area because the procedures for preliminary analytics, other risk assessment procedures, and final analytics are sufficient, that approach is referred to as the Limited approach. The Limited approach is generally appropriate only for audit areas that are not significant and have a low combined risk of material misstatement. Auditors decide whether to apply a Basic or Basic + Extended approach based on the risk assessment at the relevant assertion level. Usually, a low or moderate risk of material misstatement in a significant audit area means that a Basic approach may be appropriate for those assertions. If risk is higher, a Basic + Extended approach may be chosen. The decision about whether to use a Basic + Extended approach considers the following factors: Whether the audit area is significant. Whether the audit area contains any specifically identified risks. Whether an identified risk is considered to be a fraud risk or other significant risk. The assessed level of the risk of material misstatement. The extended procedures section of the audit programs provides a source list of possible audit procedures. The auditor selects procedures from the list that are needed to supplement the basic procedures to adequately respond to the risk assessment. The particular tests selected, whether they are basic or extended, should be tailored to the nature, cause, and direction of potential misstatements at the relevant assertion level. It may also be appropriate to alter the extent or timing of the procedures to adequately respond to the risk assessment. When a Basic + Extended approach is used, extended procedures will normally be performed only for those assertions that are of concern to the auditor based on the risk assessment. Presentation Tip: Review a PPC audit program with the participants and point out the sections of basic, extended, and other procedures. Also point out how the assertions for each procedure provide linkage to the risk assessment. For More Information: Selecting an audit approach and tailoring the PPC audit programs are discussed in section 305.

Performing Further Audit Procedures
Tests of Controls Substantive Procedures Tests of Details Substantive Analytical Procedures Key Points: The next few slides address Step 4 of the PPC Audit Approach: Perform Further Audit Procedures. Further audit procedures include tests of controls and substantive procedures. Substantive procedures include tests of details and substantive analytical procedures. For More Information: Performing further audit procedures is discussed in Chapter 4.

Tests of Controls Perform tests of controls if:
Relying on them to reduce the risk assessment Substantive tests alone are not adequate Inquiry alone is not sufficient for testing controls Key Points: Unlike the evaluation of control design and implementation (which is required in every audit), tests of controls, which are categorized as further audit procedures, are not required in every audit. Tests of controls are performed when the auditor plans to rely on their operating effectiveness when designing substantive procedures. Tests of controls are also performed when substantive procedures alone are not effective, such as when an entity’s accounting data and corroborating evidence are available only in electronic form that is not retrievable after a period of time. Also, some auditors believe that in small business audits, the risk of theft of cash is such that it is usually necessary to test controls over cash receipts and disbursements. When controls are tested, controls would not generally be tested for every significant class of transactions, account balance, disclosure, or relevant assertion, but only for those with respect to which you plan to limit substantive procedures in reliance on the related controls. In some circumstances, testing controls would be unnecessary or inefficient. Only effectively designed controls should be tested for operating effectiveness. There is no benefit to testing the operating effectiveness of a control that is inappropriately designed to prevent, or detect and correct, a material misstatement in a relevant assertion or that has not been properly implemented. Since inquiry alone is not sufficient, you need to use a combination of procedures, such as: Inquiries of appropriate personnel Observation of the control being performed Inspection of documents, reports, or electronic files Walkthroughs Reperformance of the control Review of reconciliations/bookkeeping routines Presentation Tip: Consider reviewing Exhibit 4-8, ”Efficiency Opportunities in Testing Controls,” with participants.

Tests of Controls Rotational tests of controls are permitted:
Obtain evidence about whether the controls have changed using inquiry, observation, and inspection If controls have changed, rotation is not appropriate Test a control at least once every three years If several controls are rotationally tested, test some controls each year If relying on controls for significant risks, controls must be tested in the current year CX-10.1: “Test of Controls Form” Key Point: Au-C 330 allows the use audit evidence about the operating effectiveness of controls obtained in prior audits subject to the conditions listed on this slide. If these conditions are met, the audit practice of rotating tests of controls over a three year cycle might be used. Presentation Tips: Review a blank copy of CX-10.1, “Test of Controls Form,” with the participants. Point out how it allows for rotational control tests. A completed CX-10.1 is illustrated in Case Study 1 at Appendix A-13. Consider reviewing that document, or one of the firm’s completed practice aids, with participants.

Substantive Procedures
Test all relevant assertions for material account balances, transaction classes, and disclosures Perform procedures specifically to address significant risks Substantive analytical procedures alone are not sufficient for significant risks Key Points: AU-C requires performance of substantive procedures for all relevant assertions related to each material class of transactions, account balance, and disclosure because: The assessment of risk is judgmental and might not be sufficiently precise to identify all risks of material misstatement. There are inherent limitations to internal control, including management override, and even effective internal controls generally reduce, but do not eliminate, the risk of material misstatement. In other words, even if you conclude that the risk of material misstatement is low for a particular assertion related to a material account balance, transaction class, or disclosure, based on performing risk assessment procedures and tests of controls, some substantive procedures are still required. Audit procedures in PPC’s audit programs are linked to assertions to provide assurance that all relevant assertions have been tested. Significant risks are risks that require special audit attention in the form of substantive procedures. When the audit approach to significant risks consists only of substantive procedures (that is, you do not plan to rely on controls), the substantive procedures should be tests of details only or a combination of tests of details and substantive analytical procedures. The use of only substantive analytical procedures is not permitted. For More Information: Substantive procedures are discussed in section 403.

Substantive Procedures
Perform the following substantive procedures in all audits: Agree the financial statements and notes to the accounting records Examine material journal entries and other adjustments made when preparing the financial statements Procedures required by AU-C 240 to address the risk of management override of controls Required procedures are on AP-2, “Audit Program for General Auditing and Completion Procedures” Key Points: Because of the judgmental nature of the auditor's risk assessments and the inherent limitations of internal control, particularly the risk of management override, the auditing standards prescribe certain substantive procedures that should be performed in every audit. AU-C requires that the auditor perform the following substantive procedures in every audit: Agreeing the financial statements, including the accompanying notes, to the underlying accounting records. Examining material journal entries and other adjustments made during the course of preparing the financial statements. AC-C also requires certain substantive procedures in all audits to address the risk of management override of controls. These required procedures are as follows: Examining journal entries and other adjustments for evidence of possible material misstatement due to fraud. Reviewing accounting estimates for bias that could result in material misstatement due to fraud. Evaluating the business rationale for significant unusual transactions. Both AU-C and AC-C require examining journal entries and other adjustments, but the requirement of AC-C is focused on identifying fraudulent journal entries. Thus, the nature, timing, and extent of procedures required by AU-C 240 are different from those required by AU-C 330. AU-C 330 focuses on journal entries made during the course of preparing the financial statements and AU-C 240 requires the auditor to consider reviewing journal entries made throughout the year. Auditors should ensure that their audit procedures satisfy both requirements. Using the PPC approach, these procedures are included in the “Audit Program for General Auditing and Completion Procedures” (AP-2).

Documenting Further Audit Procedures
Document the following: Nature, timing, and extent Linkage Results Conclusion about relying on tests of controls performed in a prior audit Key Points: The nature, timing, extent, and results of substantive procedures are documented using an audit program. In addition, the “Risk Assessment Summary Form” (CX-7.1) combined with the audit programs provides documentation of the linkage of substantive procedures with assessed risks at the assertion level. The “Test of Controls Form” (CX-10.1) provides for documentation of procedures performed to determine that controls tested in a prior audit have not changed, and guidance on the form indicates that (1) controls should be retested at least once every three years; (2) when a number of controls are rotationally tested, some controls should be tested each year; and (3) controls related to fraud risks or other significant risks should be tested each year.

Summary Completed risk assessment consists of:
AP-1: “Audit Program for General Planning Procedures” CX-1.1: “Engagement Acceptance and Continuance Form” CX-2: “Financial Statement Materiality Worksheet for Planning Purposes” CX-3.1: “Understanding the Entity and Identifying Risks” CX-3.2: “Engagement Team Discussion” CX-3.3: “Fraud Risk Inquiries Form” Key Points: The next two slides summarize the PPC practice aids that constitute a completed risk assessment. Ask participants if they have any questions about the use of these forms. If the firm uses alternative methods of documentation instead of using one or more of these forms, audit team members need to make sure that the requirements of the practice aids are addressed in the alternative documentation.

Summary Completed risk assessment (cont.)
CX-4.1: “Understanding the Design and Implementation of Internal Control” CX-4.2.1: “Financial Reporting System Documentation Form—Significant Transaction Classes” (for each significant transaction class and financial close and reporting) CX-4.2.2: “Financial Reporting System Documentation Form—IT Environment and General Computer Controls” CX-4.3: “Walkthrough Documentation Table” (for each walkthrough) CX-7.1: “Risk Assessment Summary Form”

Summary Other PPC practice aids related to risk assessment
CX-5: “Activity and Entity-level Control Forms” (optional) CX-6.1: “Entity Risk Factors” (memory jogger) CX-6.2: “Fraud Risk Factors” (memory jogger) CX-10.1: “Test of Controls Form” (if controls are tested) CX-12.2: “Audit Difference Evaluation Form” AP-2: “Audit Program for General Auditing and Completion Procedures” Tailored audit programs for individual audit areas Key Point: This slide lists other practice aids discussed in this course. Ask participants if they have any questions about the use of these forms.

Questions?

Understanding Audit Risk Assessment

Similar presentations

Presentation on theme: "Understanding Audit Risk Assessment"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

Understanding Audit Risk Assessment

Similar presentations

Presentation on theme: "Understanding Audit Risk Assessment"— Presentation transcript:

Similar presentations

About project

Feedback