Wiley Practitioner's Guide to GAAS 2023: Covering All SASs, SSAEs, SSARSs, and Interpretations

By Joanne M. Flood

The most comprehensive and up-to-date guide to critical auditing standards, practices, and procedures for 2023

The American Institute of Certified Public Accountants (AICPA) sets the Generally Accepted Auditing Standards—or GAAS—under which U. S. audits are conducted. Auditors must comply with and understand every aspect of GAAS to comply with AICPA standards. As a result, it is crucial for CPAs to be up to date on all applicable guidelines, rules, and regulations.

Wiley Practitioner’s Guide to GAAS 2023 delivers a thorough description and analysis of not only auditing standards—SASs—but also SSAEs, SSARSs, and the Interpretations necessary to fully understand all the latest professional standards. The 2023 Guide offers the most recent revisions to the standards, including those on:

• Audit evidence
• Auditing accounting estimates
• Use of pricing evidence
• Inquiries of predecessor auditors
• Quality management
• Materiality,
• SSAE direct examination engagements, and
• Practitioner’s review reports.
• Practical direction on the steps necessary to help you comply with GAAS
• Comprehensive guidance on the entire auditing process, from start to finish
• Explanations of all attestation and review, compilation, and preparation standards
• A glossary of relevant terminology for each subject

It explains the standards clearly and accurately, providing explicit information on how to conduct your engagements efficiently, effectively, and properly—all in one resource.

In addition, Wiley Practitioner’s Guide to GAAS 2023 provides readers with:

A crucial resource for accountants and auditors who are looking for a comprehensive explanation of the information used daily, Wiley Practitioner’s Guide to GAAS 2023 is an invaluable resource written to save you time and simplify your compliance with professional standards.

• Language: English
• Publisher: Wiley
• Release date: Mar 28, 2023
• ISBN: 9781394152728

Book preview

2

AU-C 210 Terms of Engagement

Technical Alert

Scope

Definitions of Terms

Objectives of AU-C 210

Fundamental Requirements

Engagement Acceptance

AU-C 210 Illustration

TECHNICAL ALERT

Recently issued SAS 147 affects AU-C 210. The preface to this volume contains an overview of the SAS, and the changes are noted in this chapter.

SCOPE

This section states the requirements and provides application guidance on the auditor's responsibilities when agreeing upon terms of engagement with management and those charged with governance. It also establishes the vitally important preconditions for an audit, for which management is responsible. Engagement letters can also be the foundation of a defense in the event of a dispute with the client. AU-C 220, Quality Control for an Engagement Conducted in Accordance with Generally Accepted Auditing Standards, addresses those aspects of engagement acceptance that the auditor can control and the auditor's responsibilities regarding ethical requirements concerning acceptance of an engagement. (AU-C 210.01 and .A1)

DEFINITIONS OF TERMS

Source: AU-C 210.04. For definitions related to this standard, see Appendix A, Definitions of Terms: Preconditions for an audit, Recurring audit.

OBJECTIVES OF AU-C 210

AU-C Section 210.03 states that:

… the objective of the auditor is to accept an audit engagement for a new or existing audit client only when the basis upon which it is to be performed has been agreed upon through

establishing whether the preconditions for an audit are present and

confirming that a common understanding of the terms of the audit engagement exists between the auditor and management and, when appropriate, those charged with governance.

FUNDAMENTAL REQUIREMENTS

ENGAGEMENT ACCEPTANCE

Preconditions

Unless required to do so by law or regulation, an auditor should discuss the situation with management and not accept an engagement when the preconditions (see Appendix A, Definitions of Terms) are not met. (AU-C 210.08) To assess whether those preconditions are met, the auditor should:

determine whether the financial reporting framework¹ to be applied in the preparation of the financial statements is acceptable and

obtain the agreement of management that it acknowledges and understands its responsibility

for the preparation and fair presentation of the financial statements in accordance with the applicable financial reporting framework;

for the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error; and

to provide the auditor with

access to all information of which management is aware that is relevant to the preparation and fair presentation of the financial statements, such as records, documentation, and other matters;

additional information that the auditor may request from management for the purpose of the audit; and

unrestricted access to persons within the entity from whom the auditor determines it necessary to obtain audit evidence.

(AU-C 210.06)

In evaluating whether the financial reporting framework is acceptable, the auditor may want to consider:

The nature of the entity

The purpose and nature of the financial statements

Whether the framework is determined by law or regulator

(AU-C 210.A4)

Additional information may include other information, financial or nonfinancial, included in the entity's financial report described in AU-C 720. Examples of this other information include reports on operations, financial summaries, selected quarterly data, and more. If the auditor expects to receive such information after the date of the auditor's report, the auditor may consider including in the engagement letter actions the auditor will take if the other information contains an uncorrected material misstatement. (AU-C 210.A17)

Limitation of Scope

If management limits the scope of the auditor's work so that the auditor will have to disclaim an opinion, the auditor should not accept the engagement. The exception to this is when management is required by law or regulation to have an audit and the disclaimer of opinion is acceptable under law or regulation, for example, with audits of employee benefit plans. Then the auditor may accept the engagement, but is not required to do so. (AU-C 210.07 and .A19)

Agreement on Terms

The auditor should establish an understanding in writing with management or those charged with governance² about the services to be performed for each audit, review of a public company's financial statements, or agreed-upon procedures for engagement. (AU-C 210.09) The understanding should include:

The engagement's objectives and scope

Management's responsibilities

Auditor's responsibilities

The audit's limitations, the inherent limitations of internal control, and the risk that some misstatements may not be detected

Financial reporting framework

Expected form and content of the report

(AU-C 210.10)

In addition, the auditor may want to:

Elaborate on the scope of the audit by referencing regulations, laws, GAAS, ethical codes, and pronouncements of professional bodies, as applicable.

The communication of key audit matters.

Identify any other communications in addition to the auditor's report.

Discuss audit planning and performance, including composition of the audit team.

Remind management to provide access to all information relevant to the preparation and fair presentation of the financial statements, including information relevant to disclosures.

Remind management about the expectation of written representation, the agreement to make available draft financial statements on a timely basis, including information relevant to the preparation and fair presentation of the financial statements whether obtained from within or outside of the general and subsidiary ledgers.

Remind management about the agreement for management to inform the auditor of subsequent events or facts discovered after the date of the financial statements that may affect the financial statements.

Detail fees and billing arrangements.

Request management to acknowledge receipt of the engagement letter and to agree to the terms by signing the letter.

(AU-C 210.A24)

GAAS does not require auditors to communicate key audit matters. If, however, the engagement letter indicates that the auditor will do so and later it has decided not to do so, the letter should be modified. The reverse is also true. If, after the engagement letter is signed, management requests that the auditor communicate key audit matters, the auditor should consider issuing a new engagement letter or an addendum to the assigned letter. (AU-C 210.A25)

The auditor may also choose to address arrangements concerning the involvement of other auditors, specialists, internal auditors and other entity staff, and predecessor auditors; restrictions on auditor's liability, when not prohibited; audit documentation to be provided to other parties; additional services; and any other agreements with the entity. (AU-C 210.A26)

If the auditor fails to establish an understanding, the auditor should decline the engagement. (AU-C 210.08) A sample engagement letter is included at the end of this chapter.

Initial Audits, Including Reaudits

Inquiry of the predecessor auditor is critical because the predecessor may provide information that will assist the successor auditor in deciding whether to accept the engagement. The communication may be written or oral. (AU-C 210.A33) Both the predecessor and successor auditors should treat any information obtained from each other as confidential information. (AU-C 210.A31) The successor auditor should request permission from the prospective client to make an inquiry of the predecessor prior to final acceptance of the engagement. However, the successor auditor may make a proposal for an audit engagement before having permission to inquire of the predecessor auditor.

The successor auditor, for both initial and reaudit engagements, should ask the prospective client to authorize the predecessor to respond fully to the successor auditor's inquiries If a prospective client refuses to permit the predecessor auditor to respond or limits the response, the successor auditor should inquire as to the reasons and consider the implications of that refusal or limitation in deciding whether to accept the engagement. (AU-C 210.11)

An auditor authorized to make inquiries of the predecessor auditor should ask about matters that will help the auditor decide whether to accept the engagement, including

Identified or suspected fraud by management, employees with significant roles in internal control, and others when the fraud results in a material misstatement.

Unless clearly inconsequential, noncompliance, suspected or actual, with laws and regulations that came to the predecessor auditor's attention.

(AU-C 210-12)³

Before responding to inquiries, the predecessor auditor may want to obtain legal advice regarding professional or legal requirements or unusual circumstances that limit ability to respond. (AU-C 210.A33)⁴

The successor auditor should make specific and reasonable inquiries of the predecessor about the following five matters:

Information about management's integrity

Disagreements with management about accounting principles, auditing procedures, or other significant matters

Communications to management and those charged with governance and responsibility regarding significant deficiencies and material weaknesses in internal control

The predecessor auditor's understanding of the reasons for the change of auditors

The predecessor auditor's understanding of the nature of the entity's relationships and transactions with related parties and significant unusual transactions

(AU-C 210.A32)

The predecessor auditor should respond promptly, fully, and factually based on known facts. However, if the predecessor decides, because of unusual circumstances such as impending, threatened, or potential litigation; disciplinary proceedings; or other unusual circumstances, not to respond fully, he or she should indicate that the response is limited. These circumstances are expected to be rare. (AU-C 210.13) Also, if more than one auditor is considering accepting the audit, the predecessor auditor does not have to respond to inquiries until the entity selects an auditor. (AU-C 210.A34) Any information exchanged between the predecessor and successor auditors should be considered confidential. (AU-C 210.A30)

If the successor auditor receives a limited response, that auditor should consider the implications of the limited response in deciding whether to accept the engagement. (AU-C 210.14)

For governmental entities, if a law or regulation requiring an audit identifies the entities to be audited, the auditor may need to get authorization from the individuals contracting for or requesting the audit and those legislative committees that have ongoing oversight responsibilities for the entity. (AU-C 210.A36)⁵

Documentation

Once the auditor accepts an engagement, the auditor should document the predecessor auditor inquiries and the results of the inquiries. (AU-C 210-15)⁶

Recurring Audits

For a recurring audit, the auditor should evaluate whether the terms of the engagement need to be changed. The auditor should also remind the client about the existing terms of engagement. (AU-C 210.16)

Certain factors may warrant a change in the terms of engagement for a recurring engagement. For example, any indication that management misunderstands the objective and scope of the audit and changes in:

Revised or special terms of the audit engagement

Senior management or ownership,

Legal or regulatory requirements,

The nature or size of the entity, or

The financial reporting framework or other reporting requirements.

(AU-C 210.A37)

Change in Terms

If the client requests a change in the terms, the auditor must ensure that there is a reasonable justification for the change. So, too, if prior to completion of an audit, the client requests a change to an engagement with a lower level of assurance, the auditor must be satisfied that a reasonable justification for doing so exists. (AU-C 210.17 and .18)

If the terms are changed, the auditor and management should document in writing the mutually agreed-upon change. (AU-C 210.19) If, however, the auditor concludes there is no reasonable justification for a change in terms, and management does not allow the auditor to continue the original audit, the auditor must take these three steps:

Withdraw from the engagement.

Communicate the situation to those charged with governance.

Determine whether the auditor has any legal, contractual, or other obligation to report the circumstances to owners, regulators, or other parties.

(AU-C 210.20)

Report Layout Required by Law or Regulation

If the report prescribed by law or regulation does not align with GAAS in significant ways, the auditor must decide whether the format would mislead the users and if the report could be reworded to align with GAAS or alternatively whether the auditor could attach a separate report. If none of those remedies are available, the auditor should decline the engagement unless required by law or regulation not to perform the engagement. (AU-C 210.21)

AU-C 210 ILLUSTRATION

ILLUSTRATION 1. EXAMPLE OF AN AUDIT ENGAGEMENT LETTER (ADAPTED FROM AUDIT STANDARDS AU-C 210.A46)

NOTES

1Acceptable reporting frameworks contain established accounting principles promulgated by a body designated by the Council of the AICPA under Rule 203 in the AICPA Code of Professional Conduct. These bodies include FASB, FASAB, IFRS, GASB, AICPA, and PCAOB.

2In this chapter, references to management should be read as management and, when appropriate, those charged with governance, unless the context suggests otherwise. Those charged with governance are those with responsibility for overseeing the strategic direction of the entity and obligations related to the accountability of the entity, including the financial reporting process. (AU-C Glossary of Terms)

3This paragraph is effective upon implementation of SAS 147.

4Ibid.

5Ibid.

6Ibid.

3

AU-C 220 Quality Control for an Engagement Conducted in Accordance with Generally Accepted Auditing Standards

Technical Alert

Scope

Definitions of Terms

Objectives of AU-C 220

Requirements

Quality Control Standards

Role of the Engagement Team

System of Quality Control

Elements of Quality Control

Independence

Acceptance and Continuance of Client Relationships

Assignment of Engagement Teams

Direction, Supervision, and Performance

Engagement Performance

Documentation

TECHNICAL ALERT

See the preface to this volume for information on SAS 146. SAS 146 will replace SAS 122 as the basis of the guidance for AU-C 220. It is effective for engagements conducted under GAAS for periods beginning on or after December 15, 2025.

SCOPE

AU-C 220 addresses:

Specific responsibilities of the auditor regarding quality control standards for an audit of financial statements

Responsibilities of the engagement quality control reviewer

Supervision of an audit

Quality control is the responsibility of the audit firm. (AU-C 220.01)

DEFINITIONS OF TERMS

Source: AU-C 220.09. For definitions related to this standard, see Appendix A, Definitions of Terms: Engagement partner, Engagement quality control review, Engagement quality control reviewer, Engagement team, Firm, Monitoring, Network, Network firm, Partner, Personnel, Professional standards, Relevant ethical requirements, Staff, Suitably qualified external person.

OBJECTIVES OF AU-C 220

AU-C Section 220.08 states that:

The objective of the auditor is to implement quality control procedures at the engagement level that provide the auditor with reasonable assurance that:

the audit complies with professional standards and applicable legal and regulatory requirements and

the auditor's report issued is appropriate in the circumstances.

(AU-C Section 220.08)

REQUIREMENTS

QUALITY CONTROL STANDARDS

The engagement partner is responsible for the overall quality of the engagements to which the partner is assigned. An audit firm should establish a quality control system to provide it with reasonable assurance that its staff meets the requirements of professional standards and applicable legal and regulatory requirements and that reports are appropriate. (AU-C 220.03) The proper staff can make the difference between an effective, efficient audit and one that is wasteful and has poor results.

ROLE OF THE ENGAGEMENT TEAM

Engagement teams are responsible for:

Implementing quality control procedures and

Giving the firm information relevant to independence

(AU-C 220.04)

The engagement partner should be able to rely on the firm's quality control system unless the engagement partner determines based on circumstances it is not appropriate. (AU-C 220.05) In complying with the quality control requirements, the engagement partner may use other firm members. (AU-C 220.06)

SYSTEM OF QUALITY CONTROL

The nature and extent of a firm's quality control policies and procedures depend on the following five factors:

Firm size and the number of its offices

The degree of autonomy of personnel and practice offices

The knowledge and experience of its personnel

The nature and complexity of the firm's practice

The cost of developing and implementing quality control policies and procedures in relation to the benefits provided

(QC 20.04)

When a firm establishes quality control policies and procedures, it should:

Assign responsibilities to qualified personnel to implement quality control policies and procedures.

Communicate quality control policies and procedures to personnel (see below).

Monitor the effectiveness of the quality control system. The purpose is to determine that policies and procedures and the methods of implementing and communicating them are still appropriate.

(QC 20.22–.23 and 20.20)

NOTE: Flaws in, or a violation of, a firm's quality control do not necessarily indicate that an audit was not performed in accordance with GAAS.

ELEMENTS OF QUALITY CONTROL

When establishing its quality control policies and procedures, a firm should consider the elements of quality control:

Leadership responsibilities for quality

Ethical requirements

Acceptance and continuance of clients

Human resources

Engagement performance

Monitoring

(AU-C 220.A1)

NOTE: CPA firms or individuals enrolled in an AICPA-approved practice-monitoring program must adhere to quality control standards. In addition, the Principles of Professional Conduct indicate that members should practice in firms that have in place quality control procedures to provide reasonable assurance that services are competently delivered and adequately supervised. The Statements on Quality Control apply to a CPA firm's accounting, auditing, and attest practices.

INDEPENDENCE

The engagement partner is responsible for the independence requirements for each audit and ensuring that these requirements are met. The engagement partner should:

Evaluate the threats to independence,

Evaluate any breaches, and

Take appropriate action to eliminate or reduce threats to an appropriate level. If that cannot be done, the firm may have to withdraw from the engagement.

(AU-C 220.13)

To be independent, auditors must be intellectually honest; to be recognized as independent, they must be free from any obligation to or interest in the client, its management, or its owners. For specific guidance, the auditor should look to AICPA and the state society codes of conduct and, if relevant, the requirements of the Securities and Exchange Commission (SEC) and the U.S. Department of Labor. (QC 20.FN6)

ACCEPTANCE AND CONTINUANCE OF CLIENT RELATIONSHIPS

The engagement partner must be satisfied that appropriate procedures regarding acceptance and continuance of clients have been performed and that appropriate conclusions were reached. (AU-C 220.14)

Policies and procedures should provide reasonable assurance that the firm will not be associated with clients whose management lacks integrity. A firm should:

Undertake only engagements that can be completed with professional competence,

Consider the client's integrity,

Ensure that ethical requirements can be met, and

Evaluate significant issues during current or previous audits and their implications for continuance.

(AU-C 220.A7)

If information comes to the engagement partner's attention that would have caused the firm to decline the engagement, the partner should share that information with the firm so that the partner can take action. (AU-C 220.15)

ASSIGNMENT OF ENGAGEMENT TEAMS

The engagement partner must be comfortable that the engagement team and external specialists are capable and have the appropriate competencies to perform the engagement and issue an appropriate report. (AU-C 220.16)

When evaluating the competence of the engagement team, the engagement partner may consider:

Understanding of and experience with audits of a similar nature

Understanding of professional standards

Understanding of regulatory requirements

Knowledge of relevant IT and specialized areas of accounting and auditing

The firm's quality control policies and procedures

Ability to apply professional judgment

The industry environment

(AU-C 220.A10)

Personnel should have experience in similar engagements through training and participation. Policies and procedures should also provide reasonable assurance that personnel refer to authoritative literature and consult, on a timely basis, with appropriate individuals when dealing with complex, unusual, or unfamiliar issues.

DIRECTION, SUPERVISION, AND PERFORMANCE

The engagement partner is responsible for the direction, supervision, and performance of the engagement in compliance with GAAS, legal and regulatory requirements, and firm policies. The partner is also responsible for the appropriateness of the report, performance of reviews, and that sufficient appropriate evidence has been obtained. (AU-C220.17–.19)

The auditor with final responsibility for the audit should inform members of the engagement team about:

Their responsibilities

The responsibilities of the partners

The objectives of the procedures they are to perform

Nature of the entity's business

Risk-related issues

Problems that may arise

Details of the approach to the engagement

(AU-C 220.A12)

Supervision includes:

Tracking the engagement progress

Considering the competence of engagement team members

Addressing significant findings or issues

Identifying matters for consultation or referral to other team members

(AU-C 220.A14)

ENGAGEMENT PERFORMANCE

Reviewing Work

The engagement partner is responsible for reviews that follow the firm's policies and procedures. In order to be sure he or she is satisfied that the audit evidence is sufficient and appropriate to support the conclusion, the engagement partner should review the audit documentation and discuss the engagement with the auditor. This should be done on or before the date of the auditor's report. (AU-C 220.18–.19) It is important that the partner review the documentation and not just rely on staff opinions.

The suitably experienced auditors should review the work of each team member and consider if

The work was performed in accordance with professional standards and legal and regulatory requirements.

Significant issues were raised and considered.

Consultations, if necessary, took place and were documented.

The nature, timing, and extent of the work were appropriate.

Work performed supports the conclusion and is documented, and the evidence supports the auditor's report.

Objectives were achieved.

(AU-C 220.A16)

The engagement partner's review should allow time to resolve issues. (AU-C 220.A17) If the engagement partner's review is completed after the date of the auditor's report and the review calls for additional procedures or evidence, the auditor should change the date of the report until the reviewer's comments are satisfied in accordance with AU-C 700 or AU-C 703. (AU-C 220.A25)

Consultation

The engagement partner is also responsible for ensuring that team members undertake consultation on matters outside of their expertise. This consultation may be with other team members, other audit firm staff, or experts outside the firm. The partner must be satisfied with the consultations in terms of nature and scope and that the conclusions are understood and have been implemented. (AU-C 220.20)

Engagement Quality Control Review

If the firm requires a quality control review, the engagement partner should determine that a reviewer has been appointed in a timely manner and that the engagement partner discusses with the reviewer any significant findings or issues. The audit report should not be released until the quality control review is completed. (AU-C 220.21) If the quality control review report is completed after the audit report is dated, and the auditor determines that additional procedures or evidence is needed, the auditor should change the date of the report to the date when the auditor is satisfied. Also, see AU-C 700 and 703. (AU-C 220.25)

As part of the review, the reviewer should:

Discuss the significant findings with the engagement partner

Read the financial statements

Read the draft audit report

Select and review audit documents related to significant judgments

Evaluate conclusions

Consider whether the report is appropriate

(AU-C 220.22)

When AU-C 701 applies, the engagement team's conclusions include:

Key audit matters to be communicated

Key audit matters not communicated in the auditor's report

If applicable, that there are no key audit matters to communicate in the auditor's report

When reading the proposed auditor's report as part of the quality control review, the auditor should consider the description of key audit matters. (AU-C 220.A28)

Difference of Opinion

If differences of opinion arise among firm personnel about accounting or auditing issues in an audit, the engagement team should follow the firm's policies and procedures. (AU-C 220.23) Procedures to consider may include:

Consultation to attempt resolution

Documentation of an assistant's disagreement, if he or she wants to be disassociated from the final resolution

Documentation of the basis for the final resolution

Monitoring

The audit firm must establish a monitoring process. Policies and procedures should provide reasonable assurance that the above elements of quality control are suitably designed and effectively applied. (AU-C 220.24) Monitoring involves:

Relevant and adequate policies and procedures that are complied with by members of the firm

Appropriate guidance and practice aids

Effective professional development activities

DOCUMENTATION

Audit documentation should include:

Compliance and ethical issues identified

How those issues were resolved

Conclusions on independence compliance

Discussions that support those conclusions

Conclusions reached regarding the acceptance and continuance of audit engagements

Nature and scope of consultations undertaken during the audit engagement

Conclusions resulting from those consultations

(AU-C 220.25)

In addition, the engagement quality control reviewer should document:

That the firm's engagement quality control procedures were performed

The date the engagement quality control review was completed

An affirmation that the reviewer is not aware of any unresolved matters that would cause the reviewer to believe that the judgment and conclusions of the engagement team were inappropriate.

(AU-C 220.26)

This documentation may be made after the report release date. (AU-C 220.A24)

4

AU-C 230 Audit Documentation

Scope

Definitions of Terms

Objectives of AU-C 230

Requirements

Requirement for Audit Documentation

Form, Content, and Extent of Audit Documentation

Ownership and Confidentiality

Standardization of Audit Documentation

Preparation of Audit Documentation

Quality of Audit Documentation

Audit Documentation Deficiencies

Documentation Requirements in Other Sections

Interpretations

Providing Access to or Copies of Audit Documentation to a Regulator

AU-C 230 Illustrations

SCOPE

AU-C 230 concerns the audit documentation the auditor is expected to prepare. See also other standards, laws, or regulations. (AU-C 230.01)

DEFINITIONS OF TERMS

Source: AU-C 230.06. For definitions related to this standard, see Appendix A, Definitions of Terms: Audit documentation, Audit file, Documentation completion date, Experienced auditor, Report release date.

OBJECTIVES OF AU-C 230

AU-C Section 230.05 states that:

The objective of the auditor is to prepare documentation that provides

applicable legal and regulatory requirements.

(AU-C Section 230.05)

REQUIREMENTS

REQUIREMENT FOR AUDIT DOCUMENTATION

The auditor must prepare audit documentation, on a timely basis, in sufficient detail to provide evidence:

About the conclusions reached; and

That the audit was planned and performed under GAAS and relevant legal and regulatory requirements.

(AU-C 230.02)

The form and content of the audit documentation should be designed for the specific engagement.

Audit documentation also:

Helps the team plan the audit

Provides information for supervisors to direct the audit

Provides documentation for review responsibilities in accordance with SAS 146

Supplies backup that the team performed as required by standards

Provides files to be used on future audits

Provides documentation for quality reviews, other types of reviews, and monitoring activities under the firm's system of quality management

Provides documentation for successor auditors

Helps auditors understand prior year works

(AU-C 230.03)

FORM, CONTENT, AND EXTENT OF AUDIT DOCUMENTATION

The quantity, type, and content of the audit documentation are based on the auditor's professional judgment and vary with the engagement. Factors to consider in determining the content of audit documentation are discussed in the following paragraphs.

Sufficiency of Audit Documentation

The auditor should prepare audit documentation on a timely basis that would allow an experienced auditor¹ having no previous connection with the audit to understand:

The nature, timing, and extent of auditing procedures performed to comply with GAAS and applicable legal and regulatory requirements;

The results of the audit procedures performed and the audit evidence obtained; and

The significant findings for issues that arose during the audit, the conclusions reached on those significant matters, and professional judgments made in reaching those conclusions.

(AU-C 230.08)

Examples of documentation of professional judgment include significant findings, issues, and judgments related to:

The consideration of certain information contextually significant

The auditor's conclusion on the reasonableness of subjective judgments made by management

The evaluation of whether an accounting estimate or related disclosures are contextually reasonable or are misstated

The authenticity of a document when the document is further investigated, such as by using a specialist or confirmations

The determination of key audit matters

The decision under extremely rare circumstances not to include key audit matters in the audit report because of adverse consequences

(AU-C 230.A12)

NOTE: Auditors should bear in mind that the presence of an audit document shows compliance with a requirement. For example, a well-documented audit plan shows the auditor has planned the audit. So, too, a signed engagement letter is proof that an agreement has been reached. Compliance with more subjective requirements, such as professional skepticism, may be less straightforward. Nonetheless, the practice of professional skepticism may be seen through such things as documentation of:

evidence contradicting management's assertions regarding accounting estimates or

how the auditor evaluated evidence that both corroborates and contradicts management's assertion, including judgments about the evidence's sufficiency and appropriateness.

(AU-C 230.A9)

Audit documentation should include:

Who reviewed specific audit work and the date and extent of the review

Who performed the audit work and the date the work was completed

Identifying characteristics of specific items tested

(AU-C 230.09)

Audit documentation should also include abstracts or copies of significant contracts or agreements that involved audit procedure. (AU-C 230.10)

Documentation of Significant Findings

The auditor should document significant audit findings or issues, actions taken to address them (including additional evidence obtained), and the basis of the conclusions reached. (AU-C 230.11) Significant audit findings or issues include:

Matters that are both significant and involve the appropriate selection, application, and consistency of accounting principles with regard to the financial statements, including related disclosures. Such matters often relate to (1) accounting for complex or unusual transactions or (2) estimates and uncertainties, and the related management assumptions, if applicable.

Results of auditing procedures that indicate that the financial statements or disclosures could be materially misstated or that the auditing procedures need to be significantly modified.

Circumstances that cause significant difficulty in applying necessary auditing procedures.

Other findings that could result in a modified auditor's report.

(AU-C 230.A10)

The auditor should document discussions with management and those charged with governance, including when and with whom, about significant findings. (AU-C 230.11)

Departures from a Relevant Requirement

The auditor may find it necessary to not perform a required procedure. If so, the auditor should document the reason for the departure and how alternative procedures enabled the auditor to fulfill the objectives of the audit. (AU-C 230.13)

This documentation is required only if the required procedure is relevant to the audit. For example, if the entity does not have an internal audit function, procedures in AU-C 610 would not be relevant.

Factors to Consider in Determining Audit Documentation

The auditor should consider the following factors in determining the nature and extent of the documentation for an audit area or auditing procedure:

The size and complexity of the entity

The risk of material misstatement associated with the assertion, or account or class of transactions

The extent of judgment involved in performing the work and evaluating results

The nature of the auditing procedure

The significance of evidence obtained to the tested assertion

The nature and extent of identified exceptions

The need to document a conclusion or basis for a conclusion not readily determinable from the documentation of the work performed

The methodologies or tools used

(AU-C 230.A4)

Documentation of Matters Arising After the Date of the Auditor's Report

If, after the date of the auditor's report, the auditor performs additional procedures or changes conclusions, the auditor should document:

Circumstances,

Additional procedures performed, evidence obtained, conclusions reached, and their effect on the report,

When the changes were made, and

By whom the resulting changes were made.

(AU-C 230.14)

Documentation of Report Release Date and Revisions

The auditor should document the report release date and complete the assembly of the final audit file on a timely basis, but no later than 60 days following the report release date. (AU-C 230.15–.16) After this date, the auditor must not delete or discard existing audit documentation before the end of the specified retention period, not less than five years from the report release date. If changes are made to the audit documentation after the documentation completion date, the auditor should document when and by whom the changes were made, the specific reasons for the changes, and the effect of the changes, if any, on the auditor's previous conclusions. (AU-C 230.17 and .18)

OWNERSHIP AND CONFIDENTIALITY

The auditor owns the audit documentation, but his or her ownership rights are limited by ethical and legal rules on confidential relationships with clients. The auditor should adopt reasonable procedures to protect the confidentiality of client information. (AU-C 230.19) The auditor should also adopt reasonable procedures to prevent unauthorized access to the audit documentation. Sometimes audit documentation may serve as a source of reference for the client, but it should not be considered a part of, or a substitute for, the client's accounting records.

STANDARDIZATION OF AUDIT DOCUMENTATION

Audit documentation should be designed for the specific engagement; however, audit documentation supporting certain accounting records may be standardized.

The auditor should analyze the nature of his or her clients and the complexity of their accounting systems. This analysis will indicate accounts for which audit documentation may be standardized. An auditor ordinarily may be able to standardize audit documentation for a small-business client as follows:

Cash, including cash on hand

Short-term investments

Trade accounts receivable

Notes receivable

Other receivables

Prepaid expenses

Property, plant, and equipment

Long-term investments

Intangible assets

Deposits

Accrued expenses

Taxes payable

Long-term debt

Stockholders’ equity accounts

PREPARATION OF AUDIT DOCUMENTATION

All audit documentation should have certain basic information, such as the following:

Heading

Name of client

Description of audit documentation, such as

Proof of cash—Fishkill Bank & Trust Company

Accounts receivable—confirmation statistics

Period covered by engagement

For the year ended …

An index number

All audit documentation should be numbered for easy reference. Audit documentation is identified using various systems, such as the following:

Alphabetical

Numbers

Roman numerals

General ledger account numbers

A combination of the preceding

Preparer and reviewer identification

Identification of the person who prepared audit documentation and date of preparation:

If the client prepared the audit documentation, this should be noted. Person who checked papers also should be identified.

Identification of the person who reviewed the audit documentation and date of review.

Explanation of symbols

Symbols used in the audit documentation should be explained. Symbols show matters such as:

Columns were footed.

Columns were cross-footed.

Data were traced to original sources.

Source of information

The audit documentation should indicate source of information:

Client records

Client personnel

Related Accounts

One page of audit documentation may provide documentation for more than one account. Many balance sheet accounts are related to income statement accounts. In these circumstances, the audit work on the accounts should be documented in one page of audit documentation. Examples of related accounts are the following:

Notes receivable and interest income

Depreciable assets, depreciation expense, and accumulated depreciation

Prepaid expenses and the related income statement expenses, such as insurance, interest, and supplies

Long-term debt and interest expense

Deferred income taxes and income tax expense

Client Preparation of Audit Documentation

It is advisable to have the client's employees prepare as much as possible of the auditor's audit documentation. This increases the efficiency of the audit. The auditor should identify the audit documentation as Prepared by the Client (PBC) and note the auditor who reviewed the client-prepared audit documentation. The preparation of audit documentation by the client does not impair the auditor's independence. However, the auditor should test the information in client-prepared audit documentation.

Considerations for Smaller, Less Complex Entities

The auditor of a smaller or less complex entity may find it useful to record some items in a single document with references to supporting workpapers. For instance, the auditor might document together:

The understanding of the entity,

The environment,

The applicable financial reporting framework,

The system of internal control,

The overall audit strategy and plan,

Materiality,

Assessed risks,

Significant findings or issues, and

Conclusions.

(AU-C 230.A20)

QUALITY OF AUDIT DOCUMENTATION

Audit documentation aids the execution and supervision of the current year's engagement. Also, such documentation helps the auditor in planning and executing the following year's audit. In addition, audit documentation serves as the auditor's reference for answering questions from the client. For example, a bank or a credit agency may want information that the auditor can provide to the client for submission to the third party from the audit documentation.

In case of litigation against the client, the auditor's audit documentation may be subpoenaed. In litigation against the auditor, the audit documentation will be used as evidence. Therefore, audit documentation should be accurate, complete, and understandable. After audit documentation is reviewed, additional work, if any, is done, and modifications are made to the audit documentation, superseded drafts, corrected documents, duplicate documents, review notes, and all to-do points should be discarded because the issues they addressed have been appropriately responded to in the audit documentation. (AU-C 230.A6)

Likewise, miscellaneous notes, memoranda, e-mails, and other communications among members of the audit engagement team created during the audit should be included or summarized in the audit documentation when needed to identify issues or support audit conclusions; otherwise, they should be discarded. Any information added after completion of fieldwork should be dated at the date added.

Oral Explanations

Oral explanations on their own do not represent sufficient support for the work the auditor performed or conclusions the auditor reached but may be used by the auditor to clarify or explain information in the audit documentation. (AU-C 230.A7)

NOTE: For example, if the auditing standards state that the auditor should obtain an understanding of the entity's control environment, but there is no evidence that he or she obtained such an understanding, then the auditor cannot make a plausible claim that the understanding was obtained but just not documented.

AUDIT DOCUMENTATION DEFICIENCIES

Some of the more common audit documentation deficiencies are failure to:

Express a conclusion on the account being analyzed.

Explain exceptions noted.

Get sufficient information for note disclosure.

Reference information.

Update and revise permanent file.

Post adjusting and reclassification journal entries to appropriate audit documentation.

Indicate source of information.

Promptly review audit documentation prepared by assistants.

Sign or date audit documentation.

Foot client-prepared schedules.

Explain tick marks.

DOCUMENTATION REQUIREMENTS IN OTHER SECTIONS

Certain other sections require documentation of specific matters. These requirements are presented in Illustration 4 at the end of this chapter. In addition, other standards, such as government auditing standards, laws, or regulations, may also contain specific documentation requirements.

INTERPRETATIONS

PROVIDING ACCESS TO OR COPIES OF AUDIT DOCUMENTATION TO A REGULATOR

A regulator may request access to an auditor's audit documentation to fulfill a quality review requirement or to help establish the scope of a regulatory examination. In making the request, the regulator may ask to make photocopies and may also make such copies available to others. (AU-C 9230.01) When regulators make a request for access, the auditor should:

Consider advising the client about the request and indicating that he or she intends to comply. In some cases the auditor may wish or be required to confirm in writing the requirements to provide access (see Illustration 1).

Make arrangements with the regulator for the review.

Maintain control over the original audit documentation.

Consider submitting a letter to the regulator (see Illustration 2). (AU-C 9230.02)

Obtain the client's consent, preferably in writing, to provide access when not required to provide access (see Illustration 3).

NOTE: The guidance in this interpretation applies to requests from regulators, specifically federal, state, and local government officials with legal oversight authority over the entity. The guidance does not apply to requests from:

The IRS,

Practice monitoring programs,

Proceedings related to alleged ethics indicators, or

Subpoenas.

(AU-C 9230 footnotes 1 and 2)

AU-C 230 ILLUSTRATIONS

Illustrations 1, 2, and 3 are adapted from AICPA Interpretations of AU-230 (AU-C 9230).

An auditor's written communication to client when wishing to or required to provide access

An auditor's letter to a regulator

A written communication to the client when regulator may request access to audit documentation when not required by law or regulation

Illustration 4, which lists audit documentation requirements in other sections, is adapted from the application guidance in AU-C 230.

ILLUSTRATION 1. AUDITOR'S WRITTEN COMMUNICATION TO CLIENT WHEN THE AUDITOR MAY WISH AND IN SOME CASES MAY BE REQUIRED TO PROVIDE ACCESS (ADAPTED FROM AU-C 9230.02 AND FOOTNOTE 4)

The audit documentation for this engagement is the property of Guy & Co. and constitutes confidential information. However, we may be requested to make certain audit documentation available to [name of regulator] pursuant to authority given to it by law or regulation. If requested, access to such audit documentation will be provided under the supervision of [name of auditor]. Furthermore, upon request, we may provide copies of selected audit documentation to [name of regulator]. The [name of regulator] may intend or may decide to distribute the copies of information contained therein to others, including other government agencies.

You have authorized Guy & Co. to allow [name of regulator] access to the audit documentation in the manner discussed above. Please confirm your agreement to the above by signing below and returning it to [name of auditor, address].

Firm signature

_____________________________

Agreed and acknowledged:

_____________________________

[Name and title]

_____________________________

[Date]

_____________________________

ILLUSTRATION 2. AUDITOR'S LETTER TO REGULATOR (FROM AU-C 9230.06)

[Date]

_________________

[Name and address of regulatory agency]

_______________________________________

_______________________________________

_______________________________________

Your representatives have requested access to our audit documentation in connection with our audit of December 31, 20X1, financial statements of Widget Company. It is our understanding that the purpose of your request is [state purpose: for example, to facilitate your regulatory examination].

Our audit of Widget Company December 31, 20X1, financial statements was conducted in accordance with auditing standards generally accepted in the United States of America, the objective of which is to form an opinion as to whether the financial statements, which are the responsibility and representations of management, present fairly, in all material respects, the financial position, results of operations, and cash flows in conformity with generally accepted accounting principles. Under generally accepted auditing standards, we have the responsibility, within the inherent limitations of the auditing process, to design our audit to provide reasonable assurance that errors and fraud that have a material effect on the financial statements will be detected, and to exercise due care in the conduct of our audit. The concept of selective testing of the data being audited, which involves judgment both as to the number of transactions to be audited and as to the areas to be tested, has been generally accepted as a valid and sufficient basis for any auditor to express an opinion on financial statements. Thus, our audit, based on the concept of selective testing, is subject to the inherent risk that material errors or fraud, if they exist, would not be detected. In addition, an audit does not address the possibility that material errors or fraud may occur in the future. Also, our use of professional judgment and the assessment of materiality for the purpose of our audit means that matters may have existed that would have been assessed differently by you.

The audit documentation was prepared for the purpose of providing principal support for our report on Widget Company December 31, 20X1, financial statements and to aid in the conduct and supervision of our audit. The audit documentation is the principal record of the auditing procedures performed, the evidence obtained, and the conclusions reached in the engagement. The auditing procedures that we performed were limited to those we considered necessary under generally accepted auditing standards to enable us to formulate and express an opinion on the financial statements taken as a whole. Accordingly, we make no representation as to the sufficiency or appropriateness, for your purposes, of either the information contained in our audit documentation or our audit procedures. In addition, any notations, comments, and individual conclusions appearing on any of the audit documentation do not stand alone, and should not be read as an opinion on any individual amounts, accounts, balances, or transactions.

Our audit of Widget Company December 31, 20X1, financial statements was performed for the purpose stated above and has not been planned or conducted in contemplation of your [state purpose: for example, regulatory examination] or for the purpose of assessing Widget Company compliance with laws and regulations. Therefore, items of possible interest to you may not have been specifically addressed. Accordingly, our audit and the audit documentation prepared in connection therewith should not supplant other inquiries and procedures that should be undertaken by the [name of regulatory agency] for the purpose of monitoring and regulating statements of Widget Company. In addition, we have not audited any financial statements of Widget Company since [date of audited balance sheet referred to in the first paragraph above], nor have we performed any audit procedures since [date], the date of our auditor's report, and significant events or circumstances may have occurred since that date.

The audit documentation constitutes and reflects work performed or evidence obtained by [name of auditor] in its capacity as independent auditor for Widget Company. The documents contain trade secrets and confidential commercial and financial information of our firms and Widget Company that are privileged and confidential, and we expressly reserve all rights with respect to disclosures to third parties. Accordingly, we request confidential treatment under the Freedom of Information Act or similar laws and regulations when requests are made for the audit documentation or information contained therein or any documents created by the [name of regulatory agency] containing information derived therefrom. We further request that written notice be given to our firm before distribution of the information in the audit documentation (or photocopies thereof) to others, including other government agencies, except when such distribution is required by law or regulation.

[If it is expected that photocopies will be requested, add:]

Any photocopies of our audit documentation we agree to provide you will be identified as Confidential Treatment Requested by [name of auditor, address, telephone number].

Firm signature

________________________

ILLUSTRATION 3. WRITTEN COMMUNICATION TO THE CLIENT WHEN REGULATOR MAY REQUEST ACCESS TO AUDIT DOCUMENTATION WHEN NOT REQUIRED BY LAW OR REGULATION (FROM AU-C 9230.13)

The audit documentation for this engagement is the property of [name of auditor] and constitutes confidential information. However, we may be requested to make certain audit documentation available to [name of regulator] for [describe the regulator's basis for its request]. If requested, access to such audit documentation will be provided under the supervision of [name of auditor] personnel. Furthermore, upon request, we may provide photocopies of selected audit documentation to [name of regulator]. The [name of regulator] may intend or decide to distribute the copies of information contained therein to others, including other government agencies.

You have authorized [name of auditor] to allow [name of regulator] access to the audit documentation in the manner discussed above. Please confirm your agreement to the above by signing below and returning to [name of auditor, address].

Firm signature

_____________________________

Agreed and acknowledged:

_____________________________

[Name and title]

_____________________________

[Date]

_____________________________

ILLUSTRATION 4. AUDIT DOCUMENTATION REQUIREMENTS IN OTHER AU-C SECTIONS (FROM AU-C 230.A30)

The following lists the main paragraphs in other AU-C sections that contain specific documentation requirements. See the related chapters in this book for additional information.

NOTE

1See Definitions of Terms section.

5

AU-C 240 Consideration of Fraud in a Financial Statement Audit

Technical Alert

Scope

Definitions of Terms

Objectives of AU-C 240

Requirements

Description and Characteristics of Fraud

Responsibilities of the Auditor

Professional Skepticism

Engagement Team Discussion about Fraud (Brainstorming)

Obtaining Information Needed to Identify Fraud Risks

Inquiries of Internal Auditors

Inquiries of Others within the Organization

Inquiries of Those Charged with Governance

Considering the Results of Analytical Procedures

Considering Fraud Risk Factors

Identifying Fraud Risks

Assessing Identified Risks

Responding to the Results of the Assessment of Risk of Material Misstatement

Evaluating Audit Evidence

Communication about Possible Fraud to Management and Those Charged with Governance

Documentation

Antifraud Programs and Controls

AU-C 240 Illustrations

TECHNICAL ALERT

Although the Public Accounting Oversight Board (PCAOB) is focused on guidance for public companies and broker dealers, it offers information that can be valuable on audits of other entities. In June 2022, the PCAOB issued areas of focus for its inspections. Its alert emphasized current threats regarding fraud risk. See the preface to this volume for more information.

SCOPE

AU-C 240 focuses on the auditor's responsibility for fraud in a financial statement audit. AU-C 240 complements and expands on guidance in AU-C 315 and 330 regarding risks of material misstatements. (AU-C 240.01)

DEFINITIONS OF TERMS

Source: AU-C 240.11. For definitions related to this standard, see Appendix A, Definitions of Terms: Fraud, Fraud risk factors, Significant unusual transactions.

OBJECTIVES OF AU-C 240

The objectives of the auditor under AU-C Section 240 are to:

Identify and assess the risks of material misstatement of the financial statements due to fraud;

Obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement due to fraud, through designing and implementing appropriate responses; and

Respond appropriately to fraud or suspected fraud identified during the audit.

(AU-C 240.10)

REQUIREMENTS

DESCRIPTION AND CHARACTERISTICS OF FRAUD

Although fraud is a broad legal concept, the auditor's interest specifically relates to fraudulent acts that cause a material misstatement of financial statements. Two types of misstatements are relevant to the auditor's consideration in a financial statement audit.

Misstatements arising from fraudulent financial reporting

Misstatements arising from misappropriation of assets

(AU-C 240.02–.03)

Fraudulent financial reporting does not need to involve a grand plan or conspiracy. Management may rationalize that a misstatement is appropriate because it is an aggressive interpretation of accounting rules, or that it is a temporary misstatement that will be corrected later.

Fraudulent financial reporting and misappropriation of assets differ in that fraudulent financial reporting is committed, usually by management, to deceive financial statement users, whereas misappropriation of assets is committed against an entity, most often by employees.

Fraud Risk Factors

Fraud generally involves the following three conditions:

A pressure or an incentive to commit fraud

A perceived opportunity to do so

Rationalization of the fraud by the individual(s) committing it

(AU-C 240.A1)

However, not all three conditions must be observed to conclude that there is an identified risk. It is particularly difficult to observe that the correct environment for rationalizing fraud is present.

Although fraud usually is concealed, the presence of risk factors or other conditions may alert the auditor to its possible existence.

The auditor should be aware that the presence of each of the three conditions may vary, and is influenced by factors such as the size, complexity, and ownership of the entity. These three conditions usually are present for both types of fraud.

The typical fraudster. KPMG released a study of 750 fraudsters in 81 countries, Global Profile of a Fraudster: Technology Enables and Weak Controls Fuel the Fraud,¹ regarding characteristics of people who commit fraud: They

are often experienced employees in a position to collude with people inside and outside the entity.

usually hold management or senior positions.

do not have a prior history of criminal activity.

are highly respected.

appear trustworthy.

are predominantly male between the ages of 36 and 55.

Most (61%) fraudsters are employed by the entity.

In 2010, several organizations (the Center for Audit Quality Financial Executives International, the Institute of Internal Auditors, and the National Association of Corporate Directors) formed the Anti-Fraud Collaboration. The organization's website at antifraudcollaboration.org contains resources for audits in the form of case studies, reports, videos, articles, and free CPE.

Management's Override of Controls

The auditor should also be alert to the fact that fraudulent financial reporting often involves the override of controls, and that management's override of controls can occur in unpredictable ways. Also, fraud may be concealed through collusion, making it particularly difficult to detect.

In recent years, one international company paid a multimillion-dollar fine to the SEC for inflating its fiscal year results to meet earnings expectations and committing other accounting-related violations over a first-year period.² Another international company paid penalties because it was overstating revenues and assets.³ Both companies improperly accounted for write-downs under ASC 450. One company also failed to amortize properly intangible assets under ASC 350.

Responsibilities for the Prevention and Detection of Fraud

Management and those charged with governance have the primary responsibility for the prevention and detection of fraud. Management should create an atmosphere that makes fraud prevention a priority by creating a culture of ethical behavior supported by oversight. Management should consider potential inappropriate influence over the financial reporting process, such as managing earnings. Management is responsible for designing and implementing programs to prevent, deter, and detect fraud. When management and others, such as the audit committee and board of directors, set the proper tone of ethical conduct, the opportunities for fraud are significantly reduced. (AU-C 240.04)

RESPONSIBILITIES OF THE AUDITOR

In every audit, the auditor is obligated to plan and perform the audit to obtain reasonable assurance about whether the financial statements as a whole are free of material misstatements, whether caused by error or by fraud. (AU-C