There comes a time in the lives of most growing businesses when audited financial statements become necessary or desirable. Here are 10 things to consider as you prepare your business for its first audit.
1. What is an audit? An audit is the highest level of financial statement service CPAs offer. An unqualified (“clean”) audit opinion provides financial statement users with a high — though not absolute — level of assurance that a company’s financial statements and related disclosures are presented fairly and conform, in all material respects, to generally accepted accounting principles (GAAP).
2. Who needs one? An audit may be required by a third-party user of your company’s financial statements, such as a lender, investor (or other funding source) or government regulator. Public companies are required to provide audited financial statements to their shareholders and file them with the Securities and Exchange Commission. Even if not required, many companies choose to have audits performed anyway because they can yield valuable benefits. For example, an audit can help a company ensure the accuracy of its financial information, and can help identify weaknesses in internal controls and ways to improve internal controls.
3. What types of evidence does an auditor examine to verify the accuracy of your financial statements? Typically, auditors obtain evidence through inspection (of documents or tangible assets, for example), inquiries, observation, third-party confirmations, testing of selected transactions and other procedures.
4. Is the auditor required to examine all transactions underlying the financial statements? No. The purpose of an audit is to provide reasonable, but not absolute, assurance that the financial statements are free of material misstatements. The auditor exercises professional judgment in determining whether the magnitude of a misstatement or misstatements is sufficient to be material to financial statement users — that is, whether it could influence users’ economic decisions. Practically speaking, an auditor can’t test every transaction, but he or she will conduct more extensive testing in areas that present a greater risk of material misstatement.
5. Does the auditor review your company’s internal controls? Yes. The auditor gains an understanding of internal controls over financial reporting in order to understand your business, assess risk and design appropriate audit procedures. For example, if the auditor discovers internal control weaknesses in certain areas, he or she may conduct more rigorous testing in those areas. The auditor does not, however, express an opinion on the effectiveness of the company’s internal controls.
6. Are there options short of an audit that will satisfy lenders or other financial statement users? CPAs also provide review and compilation services, which may be acceptable to some financial statement users. A review provides limited assurance, based primarily on analytical procedures and inquiries, that the CPA is not aware of any material modifications necessary for the financial statements to conform to GAAP. It does not involve gaining an understanding of the company’s internal controls or any testing of the underlying data. Reviewed financial statements include the same disclosures as audited financial statements. In a compilation, the CPA simply assists management in presenting financial information in financial statement format, without offering any assurance as to its reliability.
7. Do all CPAs perform audits? No. It’s important to work with a CPA firm that has significant auditing expertise as well as experience auditing companies in your industry and size range.
8. How should you prepare for your first audit? Ensure that your financial documents and accounting software are in order. This includes ensuring that all account balances are reconciled with supporting documentation. Work closely with the audit firm to define mutual expectations regarding time commitments and deliverables.
9. Can your auditor prepare your company’s tax returns or financial statements? Yes. Care must be taken, however, to ensure that the auditor does not impair his or her independence, as CPAs must be independent of the companies that they audit.
10. What are the most important criteria in selecting an audit firm? Make sure the firm you choose has a solid reputation in the financial community and the qualifications, staffing, and industry experience to perform the audit.
Identifying and Assessing Risks of Material Misstatement
Effective Date: For audits of fiscal years beginning on or after Dec. 15, 2010
Final Rule: PCAOB Release No. 2010-004
Introduction
1. This standard establishes requirements regarding the process of identifying and assessing risks of material misstatement1/ of the financial statements.
2. Paragraphs 4-58 of this standard discuss the auditor's responsibilities for performing risk assessment procedures.2/ Paragraphs 59–73 of this standard discuss identifying and assessing the risks of material misstatement using information obtained from performing risk assessment procedures.
Objective
3. The objective of the auditor is to identify and appropriately assess the risks of material misstatement, thereby providing a basis for designing and implementing responses to the risks of material misstatement.
Performing Risk Assessment Procedures
4. The auditor should perform risk assessment procedures that are sufficient to provide a reasonable basis for identifying and assessing the risks of material misstatement, whether due to error or fraud,3/ and designing further audit procedures.4/
5. Risks of material misstatement can arise from a variety of sources, including external factors, such as conditions in the company's industry and environment, and company-specific factors, such as the nature of the company, its activities, and internal control over financial reporting.
For example, external or company-specific factors can affect the judgments involved in determining accounting estimates or create pressures to manipulate the financial statements to achieve certain financial targets. Also, risks of material misstatement may relate to, e.g., personnel who lack the necessary financial reporting competencies, information systems that fail to accurately capture business transactions, or financial reporting processes that are not adequately aligned with the requirements in the applicable financial reporting framework. Thus, the audit procedures that are necessary to identify and appropriately assess the risks of material misstatement include consideration of both external factors and company-specific factors. This standard discusses the following risk assessment procedures:
6. In an integrated audit, the risks of material misstatement of the financial statements are the same for both the audit of internal control over financial reporting and the audit of financial statements. The auditor's risk assessment procedures should apply to both the audit of internal control over financial reporting and the audit of financial statements.
Obtaining an Understanding of the Company and Its Environment
7. The auditor should obtain an understanding of the company and its environment ("understanding of the company") to understand the events, conditions, and company activities that might reasonably be expected to have a significant effect on the risks of material misstatement. Obtaining an understanding of the company includes understanding:
8. In obtaining an understanding of the company, the auditor should evaluate whether significant changes in the company from prior periods, including changes in its internal control over financial reporting, affect the risks of material misstatement.
Industry, Regulatory, and Other External Factors
9. Obtaining an understanding of relevant industry, regulatory, and other external factors encompasses industry factors, including the competitive environment and technological developments; the regulatory environment, including the applicable financial reporting framework6/ and the legal and political environment;7/ and external factors, including general economic conditions.
Nature of the Company
10. Obtaining an understanding of the nature of the company includes understanding:
[Note deleted, effective for audits of fiscal years beginning on or after December 15, 2014. See PCAOB Release No. 2014-002.]
[The following paragraph is effective for audits of fiscal years beginning on or after December 15, 2014. See PCAOB Release No. 2014-002.]
10A. To assist in obtaining information for identifying and assessing risks of material misstatement of the financial statements associated with a company's financial relationships and transactions with its executive officers (e.g., executive compensation, including perquisites, and any other arrangements), the auditor should perform procedures to obtain an understanding of the company's financial relationships and transactions with its executive officers. The procedures should be designed to identify risks of material misstatement and should include, but not be limited to (1) reading the employment and compensation contracts between the company and its executive officers and (2) reading the proxy statements and other relevant company filings with the Securities and Exchange Commission and other regulatory agencies that relate to the company's financial relationships and transactions with its executive officers.
[The following paragraph is effective for audits of fiscal years beginning on or after December 15, 2014. See PCAOB Release No. 2014-002.]
11. As part of obtaining an understanding of the company as required by paragraph 7, the auditor should consider performing the following procedures and the extent to which the procedures should be performed:
Selection and Application of Accounting Principles, Including Related Disclosures
12. As part of obtaining an understanding of the company's selection and application of accounting principles, including related disclosures, the auditor should evaluate whether the company's selection and application of accounting principles are appropriate for its business and consistent with the applicable financial reporting framework and accounting principles used in the relevant industry. Also, to identify and assess risks of material misstatement related to omitted, incomplete, or inaccurate disclosures, the auditor should develop expectations about the disclosures that are necessary for the company's financial statements to be presented fairly in conformity with the applicable financial reporting framework.
13. The following matters, if present, are relevant to the necessary understanding of the company's selection and application of accounting principles, including related disclosures:
Company Objectives, Strategies, and Related Business Risks
14. The purpose of obtaining an understanding of the company's objectives, strategies, and related business risks is to identify business risks that could reasonably be expected to result in material misstatement of the financial statements.
15. The following are examples of situations in which business risks might result in material misstatement of the financial statements:
Company Performance Measures
16. The purpose of obtaining an understanding of the company's performance measures is to identify performance measures, whether external or internal, that affect the risks of material misstatement.
17. The following are examples of performance measures that might affect the risks of material misstatement:
Obtaining an Understanding of Internal Control Over Financial Reporting
18. The auditor should obtain a sufficient understanding of each component8/ of internal control over financial reporting ("understanding of internal control") to (a) identify the types of potential misstatements, (b) assess the factors that affect the risks of material misstatement, and (c) design further audit procedures.
19. The nature, timing, and extent of procedures that are necessary to obtain an understanding of internal control depend on the size and complexity of the company;9/ the auditor's existing knowledge of the company's internal control over financial reporting; the nature of the company's controls, including the company's use of IT; the nature and extent of changes in systems and operations; and the nature of the company's documentation of its internal control over financial reporting.
20. Obtaining an understanding of internal control includes evaluating the design of controls that are relevant to the audit and determining whether the controls have been implemented.
21. Internal control over financial reporting can be described as consisting of the following components:11/
22. Management might use an internal control framework with components that differ from the components identified in the preceding paragraph when establishing and maintaining the company's internal control over financial reporting. In evaluating the design of controls and determining whether they have been implemented in an audit of financial statements only, the auditor may use the framework used by management or another suitable, recognized framework.12/ For integrated audits, Auditing Standard No. 5, states, "The auditor should use the same suitable, recognized control framework to perform his or her audit of internal control over financial reporting as management uses for its annual evaluation of the effectiveness of the company's internal control over financial reporting."13/ If the auditor uses a suitable, recognized internal control framework with components that differ from those listed in the preceding paragraph, the auditor should adapt the requirements in paragraphs 23–36 of this standard to conform to the components in the framework used.
Control Environment
23. The auditor should obtain an understanding of the company's control environment, including the policies and actions of management, the board, and the audit committee concerning the company's control environment.
24. Obtaining an understanding of the control environment includes assessing:
25. If the auditor identifies a control deficiency15/ in the company's control environment, the auditor should evaluate the extent to which this control deficiency is indicative of a fraud risk factor, as discussed in paragraphs 65-66 of this standard.
The Company's Risk Assessment Process
26. The auditor should obtain an understanding of management's process for:
27. Obtaining an understanding of the company's risk assessment process includes obtaining an understanding of the risks of material misstatement identified and assessed by management and the actions taken to address those risks.
Information and Communication
28. Information System Relevant to Financial Reporting. The auditor should obtain an understanding of the information system, including the related business processes, relevant to financial reporting, including:
29. The auditor also should obtain an understanding of how IT affects the company's flow of transactions. (See Appendix B.)
30. A company's business processes are the activities designed to:
31. Obtaining an understanding of the company's business processes assists the auditor in obtaining an understanding of how transactions are initiated, authorized, processed, and recorded.
32. A company's period-end financial reporting process, as referred to in paragraph 28.e., includes the following:
33. Communication. The auditor should obtain an understanding of how the company communicates financial reporting roles and responsibilities and significant matters relating to financial reporting to relevant company personnel and others, including:
Control Activities
34. The auditor should obtain an understanding of control activities that is sufficient to assess the factors that affect the risks of material misstatement and to design further audit procedures, as described in paragraph 18 of this standard.18/ As the auditor obtains an understanding of the other components of internal control over financial reporting, he or she is also likely to obtain knowledge about some control activities. The auditor should use his or her knowledge about the presence or absence of control activities obtained from the understanding of the other components of internal control over financial reporting in determining the extent to which it is necessary to devote additional attention to obtaining an understanding of control activities to assess the factors that affect the risks of material misstatement and to design further audit procedures.
Monitoring of Controls
35. The auditor should obtain an understanding of the major types of activities that the company uses to monitor the effectiveness of its internal control over financial reporting and how the company initiates corrective actions related to its controls.19/
36. An understanding of the company's monitoring activities includes understanding the source of the information used in the monitoring activities.
Performing Walkthroughs
37. As discussed in paragraph 20, the auditor may perform walkthroughs as part of obtaining an understanding of internal control over financial reporting. For example, the auditor may perform walkthroughs in connection with understanding the flow of transactions in the information system relevant to financial reporting, evaluating the design of controls relevant to the audit, and determining whether those controls have been implemented. In performing a walkthrough, the auditor follows a transaction from origination through the company's processes, including information systems, until it is reflected in the company's financial records, using the same documents and IT that company personnel use. Walkthrough procedures usually include a combination of inquiry, observation, inspection of relevant documentation, and re-performance of controls.
38. In performing a walkthrough, at the points at which important processing procedures occur, the auditor questions the company's personnel about their understanding of what is required by the company's prescribed procedures and controls. These probing questions, combined with the other walkthrough procedures, allow the auditor to gain a sufficient understanding of the process and to be able to identify important points at which a necessary control is missing or not designed effectively. Additionally, probing questions that go beyond a narrow focus on the single transaction used as the basis for the walkthrough allow the auditor to gain an understanding of the different types of significant transactions handled by the process.
Relationship of Understanding of Internal Control to Tests of Controls
39. The objective of obtaining an understanding of internal control, as discussed in paragraph 18 of this standard, is different from testing controls for the purpose of assessing control risk21/ or for the purpose of expressing an opinion on internal control over financial reporting in the audit of internal control over financial reporting.22/ The auditor may obtain an understanding of internal control concurrently with performing tests of controls if he or she obtains sufficient appropriate evidence to achieve the objectives of both procedures. Also, the auditor should take into account the evidence obtained from understanding internal control when assessing control risk and, in the audit of internal control over financial reporting, forming an opinion about the effectiveness of internal control over financial reporting.
40. Relationship of Understanding of Internal Control to Evaluating Entity-Level Controls in an Audit of Internal Control Over Financial Reporting. Auditing Standard No. 5 states, "The auditor must test those entity-level controls that are important to the auditor's conclusion about whether the company has effective internal control over financial reporting."23/ The procedures performed to obtain an understanding of certain components of internal control in accordance with this standard, e.g., the control environment, the company's risk assessment process, information and communication, and monitoring of controls, might provide evidence that is relevant to the auditor's evaluation of entity-level controls.24/ The auditor should take into account the evidence obtained from understanding internal control when determining the nature, timing, and extent of procedures necessary to support the auditor's conclusions about the effectiveness of entity-level controls in the audit of internal control over financial reporting.
Considering Information from the Client Acceptance and Retention Evaluation, Audit Planning Activities, Past Audits, and Other Engagements
41. Client Acceptance and Retention and Audit Planning Activities. The auditor should evaluate whether information obtained from the client acceptance and retention evaluation process or audit planning activities is relevant to identifying risks of material misstatement. Risks of material misstatement identified during those activities should be assessed as discussed beginning in paragraph 59 of this standard.
42. Past Audits. In subsequent years, the auditor should incorporate knowledge obtained during past audits into the auditor's process for identifying risks of material misstatement, including when identifying significant ongoing matters that affect the risks of material misstatement or determining how changes in the company or its environment affect the risks of material misstatement, as discussed in paragraph 8 of this standard.
43. If the auditor plans to limit the nature, timing, or extent of his or her risk assessment procedures by relying on information from past audits, the auditor should evaluate whether the prior years' information remains relevant and reliable.
44. Other Engagements. When the auditor has performed a review of interim financial information in accordance with AU sec. 722, Interim Financial Information, the auditor should evaluate whether information obtained during the review is relevant to identifying risks of material misstatement in the year-end audit.
45. The auditor should obtain an understanding of the nature of the services that have been performed for the company by the auditor or affiliates of the firm25/ and should take into account relevant information obtained from those engagements in identifying risks of material misstatement.26/
Performing Analytical Procedures
46. The auditor should perform analytical procedures that are designed to:
47. In applying analytical procedures as risk assessment procedures, the auditor should perform analytical procedures relating to revenue with the objective of identifying unusual or unexpected relationships involving revenue accounts that might indicate a material misstatement, including material misstatement due to fraud. Also, when the auditor has performed a review of interim financial information in accordance with AU sec. 722, he or she should take into account the analytical procedures applied in that review when designing and applying analytical procedures as risk assessment procedures.
48. When performing an analytical procedure, the auditor should use his or her understanding of the company to develop expectations about plausible relationships among the data to be used in the procedure.27/ When comparison of those expectations with relationships derived from recorded amounts yields unusual or unexpected results, the auditor should take into account those results in identifying the risks of material misstatement.
Conducting a Discussion among Engagement Team Members Regarding Risks of Material Misstatement
49. The key engagement team members should discuss (1) the company's selection and application of accounting principles, including related disclosure requirements, and (2) the susceptibility of the company's financial statements to material misstatement due to error or fraud.
50. Key engagement team members include all engagement team members who have significant engagement responsibilities, including the engagement partner. The manner in which the discussion is conducted depends on the individuals involved and the circumstances of the engagement. For example, if the audit involves more than one location, there could be multiple discussions with team members in differing locations. The engagement partner or other key engagement team members should communicate the important matters from the discussion to engagement team members who are not involved in the discussion.
51. Communication among the engagement team members about significant matters affecting the risks of material misstatement should continue throughout the audit, including when conditions change.29/
Discussion of the Potential for Material Misstatement Due to Fraud
52. The discussion among the key engagement team members about the potential for material misstatement due to fraud should occur with an attitude that includes a questioning mind, and the key engagement team members should set aside any prior beliefs they might have that management is honest and has integrity. The discussion among the key engagement team members should include:
53. The auditor should emphasize the following matters to all engagement team members:
Inquiring of the Audit Committee, Management, and Others within the Company about the Risks of Material Misstatement
54. The auditor should inquire of the audit committee, or equivalent (or its chair), management, the internal audit function, and others within the company who might reasonably be expected to have information that is important to the identification and assessment of risks of material misstatement. Note: The auditor's inquiries about risks of material misstatement should include inquiries regarding fraud risks.
55. The auditor should use his or her knowledge of the company and its environment, as well as information from other risk assessment procedures, to determine the nature of the inquiries about risks of material misstatement.
Inquiries Regarding Fraud Risks
[The following paragraph is effective for audits of fiscal years beginning on or after December 15, 2014. See PCAOB Release No. 2014-002.]
56. The auditor's inquiries regarding fraud risks should include the following:
[The following paragraph is effective for audits of fiscal years beginning on or after December 15, 2014. See PCAOB Release No. 2014-002.]
57. In addition to the inquiries outlined in the preceding paragraph, the auditor should inquire of others within the company about their views regarding fraud risks, including, in particular, whether they have knowledge of fraud, alleged fraud, or suspected fraud. The auditor should identify other individuals within the company to whom inquiries should be directed and determine the extent of such inquiries by considering whether others in the company might have additional knowledge about fraud, alleged fraud, or suspected fraud or might be able to corroborate fraud risks identified in discussions with management or the audit committee. Examples of other individuals within the company to whom inquiries might be directed include:
58. When evaluating management's responses to inquiries about fraud risks and determining when it is necessary to corroborate management's responses, the auditor should take into account the fact that management is often in the best position to commit fraud. Also, the auditor should obtain evidence to address inconsistencies in responses to the inquiries.
Identifying and Assessing the Risks of Material Misstatement
59. The auditor should identify and assess the risks of material misstatement at the financial statement level and the assertion level. In identifying and assessing risks of material misstatement, the auditor should:
Identifying Significant Accounts and Disclosures and Their Relevant Assertions
60. To identify significant accounts and disclosures and their relevant assertions in accordance with paragraph 59.e., the auditor should evaluate the qualitative and quantitative risk factors related to the financial statement line items and disclosures. Risk factors relevant to the identification of significant accounts and disclosures and their relevant assertions include:
61. As part of identifying significant accounts and disclosures and their relevant assertions, the auditor also should determine the likely sources of potential misstatements that would cause the financial statements to be materially misstated. The auditor might determine the likely sources of potential misstatements by asking himself or herself "what could go wrong?" within a given significant account or disclosure.
62. The risk factors that the auditor should evaluate in the identification of significant accounts and disclosures and their relevant assertions are the same in the audit of internal control over financial reporting as in the audit of the financial statements; accordingly, significant accounts and disclosures and their relevant assertions are the same for both audits.
63. The components of a potential significant account or disclosure might be subject to significantly differing risks.
64. When a company has multiple locations or business units, the auditor should identify significant accounts and disclosures and their relevant assertions based on the consolidated financial statements.
Factors Relevant to Identifying Fraud Risks
65. The auditor should evaluate whether the information gathered from the risk assessment procedures indicates that one or more fraud risk factors are present and should be taken into account in identifying and assessing fraud risks. Fraud risk factors are events or conditions that indicate (1) an incentive or pressure to perpetrate fraud, (2) an opportunity to carry out the fraud, or (3) an attitude or rationalization that justifies the fraudulent action. Fraud risk factors do not necessarily indicate the existence of fraud; however, they often are present in circumstances in which fraud exists. Examples of fraud risk factors related to fraudulent financial reporting and misappropriation of assets are listed in AU sec. 316.85. These illustrative risk factors are classified based on the three conditions discussed in this paragraph, which generally are present when fraud exists.
66. All three conditions discussed in the preceding paragraph are not required to be observed or evident to conclude that a fraud risk exists. The auditor might conclude that a fraud risk exists even when only one of these three conditions is present.
67. Consideration of the Risk of Omitted, Incomplete, or Inaccurate Disclosures. The auditor's evaluation of fraud risk factors in accordance with paragraph 65 should include evaluation of how fraud could be perpetrated or concealed by presenting incomplete or inaccurate disclosures or by omitting disclosures that are necessary for the financial statements to be presented fairly in conformity with the applicable financial reporting framework.
68. Presumption of Fraud Risk Involving Improper Revenue Recognition. The auditor should presume that there is a fraud risk involving improper revenue recognition and evaluate which types of revenue, revenue transactions, or assertions may give rise to such risks.
69. Consideration of the Risk of Management Override of Controls. The auditor's identification of fraud risks should include the risk of management override of controls.
Factors Relevant to Identifying Significant Risks
70. To determine whether an identified and assessed risk is a significant risk, the auditor should evaluate whether the risk requires special audit consideration because of the nature of the risk or the likelihood and potential magnitude of misstatement related to the risk.
71. Factors that should be evaluated in determining which risks are significant risks include:
[The following subparagraph g. is effective for audits of fiscal years beginning on or after December 15, 2014. See PCAOB Release No. 2014-002.]
Further Consideration of Controls
72. When the auditor has determined that a significant risk, including a fraud risk, exists, the auditor should evaluate the design of the company's controls that are intended to address fraud risks and other significant risks and determine whether those controls have been implemented, if the auditor has not already done so when obtaining an understanding of internal control, as described in paragraphs 18-40 of this standard.36/
73. Controls that address fraud risks include (a) specific controls designed to mitigate specific risks of fraud, e.g., controls to address risks of intentional misstatement of specific accounts and (b) controls designed to prevent, deter, and detect fraud, e.g., controls to promote a culture of honesty and ethical behavior.37/ Such controls also include those that address the risk of management override of other controls.
[The following paragraph is effective for audits of fiscal years beginning on or after December 15, 2014. See PCAOB Release No. 2014-002.]
73A. The auditor should obtain an understanding of the controls that management has established to identify, authorize and approve, and account for and disclose significant unusual transactions in the financial statements, if the auditor has not already done so when obtaining an understanding of internal control, as described in paragraphs 18–40 and 72–73 of this standard.
Revision of Risk Assessment
74. The auditor's assessment of the risks of material misstatement, including fraud risks, should continue throughout the audit. When the auditor obtains audit evidence during the course of the audit that contradicts the audit evidence on which the auditor originally based his or her risk assessment, the auditor should revise the risk assessment and modify planned audit procedures or perform additional procedures in response to the revised risk assessments.38/
Why do auditors need to have knowledge of a client's business?
The auditor should obtain an understanding of the company and its environment ("understanding of the company") to understand the events, conditions, and company activities that might reasonably be expected to have a significant effect on the risks of material misstatement.
What should an auditor know about a client?
Recognising errors in the financial statements. Asking the right questions and evaluating the reasonableness of the answers we receive. Making judgements about the appropriateness of the client's accounting principles, policies and procedures. Identifying unusual or unexpected transactions and related party ...
What factors should an auditor consider before accepting a company as an audit client?
EVALUATION OF PROSPECTIVE AUDITING CLIENTS
Client acceptance evaluation should include General Considerations, Management Integrity, Management Commitment to GAAP, Management Internal Control Consciousness, Financial Strength of the Client, and Other Risk Factors.
What information sources are commonly used by auditors to learn about the client's industry?
What info sources do auditors commonly use to learn the industry? Industry and external environment - industry trade publications, AICPA guides, regulatory requirements. Business operations and processes - tour facilities, identify related parties, and inquire about management.