Wiley Practitioner's Guide to GAAS 2023: Covering All SASs, SSAEs, SSARSs, and Interpretations
About this ebook
The most comprehensive and up-to-date guide to critical auditing standards, practices, and procedures for 2023
The American Institute of Certified Public Accountants (AICPA) sets the Generally Accepted Auditing Standards—or GAAS—under which U.S. audits are conducted. Auditors must comply with and understand every aspect of GAAS to comply with AICPA standards. As a result, it is crucial for CPAs to be up to date on all applicable guidelines, rules, and regulations.
Wiley Practitioner’s Guide to GAAS 2023 delivers a thorough description and analysis of not only auditing standards—SASs—but also SSAEs, SSARSs, and the Interpretations necessary to fully understand all the latest professional standards. The 2023 Guide offers the most recent revisions to the standards, including those on:
- Audit evidence
- Auditing accounting estimates
- Use of pricing evidence
- Inquiries of predecessor auditors
- Quality management
- Materiality
- SSAE direct examination engagements
- Practitioner’s review reports
It explains the standards clearly and accurately, providing explicit information on how to conduct your engagements efficiently, effectively, and properly—all in one resource.
In addition, Wiley Practitioner’s Guide to GAAS 2023 provides readers with:
- Practical direction on the steps necessary to help you comply with GAAS
- Comprehensive guidance on the entire auditing process, from start to finish
- Explanations of all attestation and review, compilation, and preparation standards
- A glossary of relevant terminology for each subject
A crucial resource for accountants and auditors who are looking for a comprehensive explanation of the information used daily, Wiley Practitioner’s Guide to GAAS 2023 is an invaluable resource written to save you time and simplify your compliance with professional standards.
Book preview
Wiley Practitioner's Guide to GAAS 2023 - Joanne M. Flood
2
AU-C 210 Terms of Engagement
Technical Alert
Scope
Definitions of Terms
Objectives of AU-C 210
Fundamental Requirements
Engagement Acceptance
AU-C 210 Illustration
TECHNICAL ALERT
Recently issued SAS 147 affects AU-C 210. The preface to this volume contains an overview of the SAS, and the changes are noted in this chapter.
SCOPE
This section states the requirements and provides application guidance on the auditor's responsibilities when agreeing upon terms of engagement with management and those charged with governance. It also establishes the vitally important preconditions for an audit, for which management is responsible. Engagement letters can also be the foundation of a defense in the event of a dispute with the client. AU-C 220, Quality Control for an Engagement Conducted in Accordance with Generally Accepted Auditing Standards, addresses those aspects of engagement acceptance that the auditor can control and the auditor's responsibilities regarding ethical requirements concerning acceptance of an engagement. (AU-C 210.01 and .A1)
DEFINITIONS OF TERMS
Source: AU-C 210.04. For definitions related to this standard, see Appendix A, Definitions of Terms: Preconditions for an audit, Recurring audit.
OBJECTIVES OF AU-C 210
AU-C Section 210.03 states that:
… the objective of the auditor is to accept an audit engagement for a new or existing audit client only when the basis upon which it is to be performed has been agreed upon through
establishing whether the preconditions for an audit are present and
confirming that a common understanding of the terms of the audit engagement exists between the auditor and management and, when appropriate, those charged with governance.
FUNDAMENTAL REQUIREMENTS
ENGAGEMENT ACCEPTANCE
Preconditions
Unless required to do so by law or regulation, an auditor should discuss the situation with management and not accept an engagement when the preconditions (see Appendix A, Definitions of Terms) are not met. (AU-C 210.08) To assess whether those preconditions are met, the auditor should:
determine whether the financial reporting framework¹ to be applied in the preparation of the financial statements is acceptable and
obtain the agreement of management that it acknowledges and understands its responsibility
for the preparation and fair presentation of the financial statements in accordance with the applicable financial reporting framework;
for the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error; and
to provide the auditor with
access to all information of which management is aware that is relevant to the preparation and fair presentation of the financial statements, such as records, documentation, and other matters;
additional information that the auditor may request from management for the purpose of the audit; and
unrestricted access to persons within the entity from whom the auditor determines it necessary to obtain audit evidence.
(AU-C 210.06)
In evaluating whether the financial reporting framework is acceptable, the auditor may want to consider:
The nature of the entity
The purpose and nature of the financial statements
Whether the framework is determined by law or regulator
(AU-C 210.A4)
Additional information may include other information, financial or nonfinancial, included in the entity's financial report described in AU-C 720. Examples of this other information include reports on operations, financial summaries, selected quarterly data, and more. If the auditor expects to receive such information after the date of the auditor's report, the auditor may consider including in the engagement letter actions the auditor will take if the other information contains an uncorrected material misstatement. (AU-C 210.A17)
Limitation of Scope
If management limits the scope of the auditor's work so that the auditor will have to disclaim an opinion, the auditor should not accept the engagement. The exception to this is when management is required by law or regulation to have an audit and the disclaimer of opinion is acceptable under law or regulation, for example, with audits of employee benefit plans. Then the auditor may accept the engagement, but is not required to do so. (AU-C 210.07 and .A19)
Agreement on Terms
The auditor should establish an understanding in writing with management or those charged with governance² about the services to be performed for each audit, review of a public company's financial statements, or agreed-upon procedures for engagement. (AU-C 210.09) The understanding should include:
The engagement's objectives and scope
Management's responsibilities
Auditor's responsibilities
The audit's limitations, the inherent limitations of internal control, and the risk that some misstatements may not be detected
Financial reporting framework
Expected form and content of the report
(AU-C 210.10)
In addition, the auditor may want to:
Elaborate on the scope of the audit by referencing regulations, laws, GAAS, ethical codes, and pronouncements of professional bodies, as applicable.
The communication of key audit matters.
Identify any other communications in addition to the auditor's report.
Discuss audit planning and performance, including composition of the audit team.
Remind management to provide access to all information relevant to the preparation and fair presentation of the financial statements, including information relevant to disclosures.
Remind management about the expectation of written representation, the agreement to make available draft financial statements on a timely basis, including information relevant to the preparation and fair presentation of the financial statements whether obtained from within or outside of the general and subsidiary ledgers.
Remind management about the agreement for management to inform the auditor of subsequent events or facts discovered after the date of the financial statements that may affect the financial statements.
Detail fees and billing arrangements.
Request management to acknowledge receipt of the engagement letter and to agree to the terms by signing the letter.
(AU-C 210.A24)
GAAS does not require auditors to communicate key audit matters. If, however, the engagement letter indicates that the auditor will do so and later it has decided not to do so, the letter should be modified. The reverse is also true. If, after the engagement letter is signed, management requests that the auditor communicate key audit matters, the auditor should consider issuing a new engagement letter or an addendum to the assigned letter. (AU-C 210.A25)
The auditor may also choose to address arrangements concerning the involvement of other auditors, specialists, internal auditors and other entity staff, and predecessor auditors; restrictions on auditor's liability, when not prohibited; audit documentation to be provided to other parties; additional services; and any other agreements with the entity. (AU-C 210.A26)
If the auditor fails to establish an understanding, the auditor should decline the engagement. (AU-C 210.08) A sample engagement letter is included at the end of this chapter.
Initial Audits, Including Reaudits
Inquiry of the predecessor auditor is critical because the predecessor may provide information that will assist the successor auditor in deciding whether to accept the engagement. The communication may be written or oral. (AU-C 210.A33) Both the predecessor and successor auditors should treat any information obtained from each other as confidential information. (AU-C 210.A31) The successor auditor should request permission from the prospective client to make an inquiry of the predecessor prior to final acceptance of the engagement. However, the successor auditor may make a proposal for an audit engagement before having permission to inquire of the predecessor auditor.
The successor auditor, for both initial and reaudit engagements, should ask the prospective client to authorize the predecessor to respond fully to the successor auditor's inquiries. If a prospective client refuses to permit the predecessor auditor to respond or limits the response, the successor auditor should inquire as to the reasons and consider the implications of that refusal or limitation in deciding whether to accept the engagement. (AU-C 210.11)
An auditor authorized to make inquiries of the predecessor auditor should ask about matters that will help the auditor decide whether to accept the engagement, including
Identified or suspected fraud by management, employees with significant roles in internal control, and others when the fraud results in a material misstatement.
Unless clearly inconsequential, noncompliance, suspected or actual, with laws and regulations that came to the predecessor auditor's attention.
(AU-C 210.12)³
Before responding to inquiries, the predecessor auditor may want to obtain legal advice regarding professional or legal requirements or unusual circumstances that limit ability to respond. (AU-C 210.A33)⁴
The successor auditor should make specific and reasonable inquiries of the predecessor about the following five matters:
Information about management's integrity
Disagreements with management about accounting principles, auditing procedures, or other significant matters
Communications to management and those charged with governance and responsibility regarding significant deficiencies and material weaknesses in internal control
The predecessor auditor's understanding of the reasons for the change of auditors
The predecessor auditor's understanding of the nature of the entity's relationships and transactions with related parties and significant unusual transactions
(AU-C 210.A32)
The predecessor auditor should respond promptly, fully, and factually based on known facts. However, if the predecessor decides, because of unusual circumstances such as impending, threatened, or potential litigation; disciplinary proceedings; or other unusual circumstances, not to respond fully, he or she should indicate that the response is limited. These circumstances are expected to be rare. (AU-C 210.13) Also, if more than one auditor is considering accepting the audit, the predecessor auditor does not have to respond to inquiries until the entity selects an auditor. (AU-C 210.A34) Any information exchanged between the predecessor and successor auditors should be considered confidential. (AU-C 210.A30)
If the successor auditor receives a limited response, that auditor should consider the implications of the limited response in deciding whether to accept the engagement. (AU-C 210.14)
For governmental entities, if a law or regulation requiring an audit identifies the entities to be audited, the auditor may need to get authorization from the individuals contracting for or requesting the audit and those legislative committees that have ongoing oversight responsibilities for the entity. (AU-C 210.A36)⁵
Documentation
Once the auditor accepts an engagement, the auditor should document the predecessor auditor inquiries and the results of the inquiries. (AU-C 210.15)⁶
Recurring Audits
For a recurring audit, the auditor should evaluate whether the terms of the engagement need to be changed. The auditor should also remind the client about the existing terms of engagement. (AU-C 210.16)
Certain factors may warrant a change in the terms of engagement for a recurring engagement. For example, any indication that management misunderstands the objective and scope of the audit and changes in:
Revised or special terms of the audit engagement
Senior management or ownership,
Legal or regulatory requirements,
The nature or size of the entity, or
The financial reporting framework or other reporting requirements.
(AU-C 210.A37)
Change in Terms
If the client requests a change in the terms, the auditor must ensure that there is a reasonable justification for the change. So, too, if prior to completion of an audit, the client requests a change to an engagement with a lower level of assurance, the auditor must be satisfied that a reasonable justification for doing so exists. (AU-C 210.17 and .18)
If the terms are changed, the auditor and management should document in writing the mutually agreed-upon change. (AU-C 210.19) If, however, the auditor concludes there is no reasonable justification for a change in terms, and management does not allow the auditor to continue the original audit, the auditor must take these three steps:
Withdraw from the engagement.
Communicate the situation to those charged with governance.
Determine whether the auditor has any legal, contractual, or other obligation to report the circumstances to owners, regulators, or other parties.
(AU-C 210.20)
Report Layout Required by Law or Regulation
If the report prescribed by law or regulation does not align with GAAS in significant ways, the auditor must decide whether the format would mislead the users and if the report could be reworded to align with GAAS or alternatively whether the auditor could attach a separate report. If none of those remedies are available, the auditor should decline the engagement unless required by law or regulation not to perform the engagement. (AU-C 210.21)
AU-C 210 ILLUSTRATION
ILLUSTRATION 1. EXAMPLE OF AN AUDIT ENGAGEMENT LETTER (ADAPTED FROM AUDIT STANDARDS AU-C 210.A46)
NOTES
¹ Acceptable reporting frameworks contain established accounting principles promulgated by a body designated by the Council of the AICPA under Rule 203 in the AICPA Code of Professional Conduct. These bodies include FASB, FASAB, IFRS, GASB, AICPA, and PCAOB.
² In this chapter, references to management should be read as management and, when appropriate, those charged with governance, unless the context suggests otherwise. Those charged with governance are those with responsibility for overseeing the strategic direction of the entity and obligations related to the accountability of the entity, including the financial reporting process. (AU-C Glossary of Terms)
³ This paragraph is effective upon implementation of SAS 147.
⁴ Ibid.
⁵ Ibid.
⁶ Ibid.
3
AU-C 220 Quality Control for an Engagement Conducted in Accordance with Generally Accepted Auditing Standards
Technical Alert
Scope
Definitions of Terms
Objectives of AU-C 220
Requirements
Quality Control Standards
Role of the Engagement Team
System of Quality Control
Elements of Quality Control
Independence
Acceptance and Continuance of Client Relationships
Assignment of Engagement Teams
Direction, Supervision, and Performance
Engagement Performance
Documentation
TECHNICAL ALERT
See the preface to this volume for information on SAS 146. SAS 146 will replace SAS 122 as the basis of the guidance for AU-C 220. It is effective for engagements conducted under GAAS for periods beginning on or after December 15, 2025.
SCOPE
AU-C 220 addresses:
Specific responsibilities of the auditor regarding quality control standards for an audit of financial statements
Responsibilities of the engagement quality control reviewer
Supervision of an audit
Quality control is the responsibility of the audit firm. (AU-C 220.01)
DEFINITIONS OF TERMS
Source: AU-C 220.09. For definitions related to this standard, see Appendix A, Definitions of Terms: Engagement partner, Engagement quality control review, Engagement quality control reviewer, Engagement team, Firm, Monitoring, Network, Network firm, Partner, Personnel, Professional standards, Relevant ethical requirements, Staff, Suitably qualified external person.
OBJECTIVES OF AU-C 220
AU-C Section 220.08 states that:
The objective of the auditor is to implement quality control procedures at the engagement level that provide the auditor with reasonable assurance that:
the audit complies with professional standards and applicable legal and regulatory requirements and
the auditor's report issued is appropriate in the circumstances.
(AU-C Section 220.08)
REQUIREMENTS
QUALITY CONTROL STANDARDS
The engagement partner is responsible for the overall quality of the engagements to which the partner is assigned. An audit firm should establish a quality control system to provide it with reasonable assurance that its staff meets the requirements of professional standards and applicable legal and regulatory requirements and that reports are appropriate. (AU-C 220.03) The proper staff can make the difference between an effective, efficient audit and one that is wasteful and has poor results.
ROLE OF THE ENGAGEMENT TEAM
Engagement teams are responsible for:
Implementing quality control procedures and
Giving the firm information relevant to independence
(AU-C 220.04)
The engagement partner should be able to rely on the firm's quality control system unless the engagement partner determines based on circumstances it is not appropriate. (AU-C 220.05) In complying with the quality control requirements, the engagement partner may use other firm members. (AU-C 220.06)
SYSTEM OF QUALITY CONTROL
The nature and extent of a firm's quality control policies and procedures depend on the following five factors:
Firm size and the number of its offices
The degree of autonomy of personnel and practice offices
The knowledge and experience of its personnel
The nature and complexity of the firm's practice
The cost of developing and implementing quality control policies and procedures in relation to the benefits provided
(QC 20.04)
When a firm establishes quality control policies and procedures, it should:
Assign responsibilities to qualified personnel to implement quality control policies and procedures.
Communicate quality control policies and procedures to personnel (see below).
Monitor the effectiveness of the quality control system. The purpose is to determine that policies and procedures and the methods of implementing and communicating them are still appropriate.
(QC 20.22–.23 and 20.20)
NOTE: Flaws in, or a violation of, a firm's quality control do not necessarily indicate that an audit was not performed in accordance with GAAS.
ELEMENTS OF QUALITY CONTROL
When establishing its quality control policies and procedures, a firm should consider the elements of quality control:
Leadership responsibilities for quality
Ethical requirements
Acceptance and continuance of clients
Human resources
Engagement performance
Monitoring
(AU-C 220.A1)
NOTE: CPA firms or individuals enrolled in an AICPA-approved practice-monitoring program must adhere to quality control standards. In addition, the Principles of Professional Conduct indicate that members should practice in firms that have in place quality control procedures to provide reasonable assurance that services are competently delivered and adequately supervised. The Statements on Quality Control apply to a CPA firm's accounting, auditing, and attest practices.
INDEPENDENCE
The engagement partner is responsible for the independence requirements for each audit and ensuring that these requirements are met. The engagement partner should:
Evaluate the threats to independence,
Evaluate any breaches, and
Take appropriate action to eliminate or reduce threats to an appropriate level. If that cannot be done, the firm may have to withdraw from the engagement.
(AU-C 220.13)
To be independent, auditors must be intellectually honest; to be recognized as independent, they must be free from any obligation to or interest in the client, its management, or its owners. For specific guidance, the auditor should look to AICPA and the state society codes of conduct and, if relevant, the requirements of the Securities and Exchange Commission (SEC) and the U.S. Department of Labor. (QC 20.FN6)
ACCEPTANCE AND CONTINUANCE OF CLIENT RELATIONSHIPS
The engagement partner must be satisfied that appropriate procedures regarding acceptance and continuance of clients have been performed and that appropriate conclusions were reached. (AU-C 220.14)
Policies and procedures should provide reasonable assurance that the firm will not be associated with clients whose management lacks integrity. A firm should:
Undertake only engagements that can be completed with professional competence,
Consider the client's integrity,
Ensure that ethical requirements can be met, and
Evaluate significant issues during current or previous audits and their implications for continuance.
(AU-C 220.A7)
If information comes to the engagement partner's attention that would have caused the firm to decline the engagement, the partner should share that information with the firm so that the partner can take action. (AU-C 220.15)
ASSIGNMENT OF ENGAGEMENT TEAMS
The engagement partner must be comfortable that the engagement team and external specialists are capable and have the appropriate competencies to perform the engagement and issue an appropriate report. (AU-C 220.16)
When evaluating the competence of the engagement team, the engagement partner may consider:
Understanding of and experience with audits of a similar nature
Understanding of professional standards
Understanding of regulatory requirements
Knowledge of relevant IT and specialized areas of accounting and auditing
The firm's quality control policies and procedures
Ability to apply professional judgment
The industry environment
(AU-C 220.A10)
Personnel should have experience in similar engagements through training and participation. Policies and procedures should also provide reasonable assurance that personnel refer to authoritative literature and consult, on a timely basis, with appropriate individuals when dealing with complex, unusual, or unfamiliar issues.
DIRECTION, SUPERVISION, AND PERFORMANCE
The engagement partner is responsible for the direction, supervision, and performance of the engagement in compliance with GAAS, legal and regulatory requirements, and firm policies. The partner is also responsible for the appropriateness of the report, performance of reviews, and that sufficient appropriate evidence has been obtained. (AU-C 220.17–.19)
The auditor with final responsibility for the audit should inform members of the engagement team about:
Their responsibilities
The responsibilities of the partners
The objectives of the procedures they are to perform
Nature of the entity's business
Risk-related issues
Problems that may arise
Details of the approach to the engagement
(AU-C 220.A12)
Supervision includes:
Tracking the engagement progress
Considering the competence of engagement team members
Addressing significant findings or issues
Identifying matters for consultation or referral to other team members
(AU-C 220.A14)
ENGAGEMENT PERFORMANCE
Reviewing Work
The engagement partner is responsible for reviews that follow the firm's policies and procedures. In order to be sure he or she is satisfied that the audit evidence is sufficient and appropriate to support the conclusion, the engagement partner should review the audit documentation and discuss the engagement with the auditor. This should be done on or before the date of the auditor's report. (AU-C 220.18–.19) It is important that the partner review the documentation and not just rely on staff opinions.
Suitably experienced auditors should review the work of each team member and consider whether:
The work was performed in accordance with professional standards and legal and regulatory requirements.
Significant issues were raised and considered.
Consultations, if necessary, took place and were documented.
The nature, timing, and extent of the work were appropriate.
Work performed supports the conclusion and is documented, and the evidence supports the auditor's report.
Objectives were achieved.
(AU-C 220.A16)
The engagement partner's review should allow time to resolve issues. (AU-C 220.A17) If the engagement partner's review is completed after the date of the auditor's report and the review calls for additional procedures or evidence, the auditor should change the date of the report until the reviewer's comments are satisfied in accordance with AU-C 700 or AU-C 703. (AU-C 220.A25)
Consultation
The engagement partner is also responsible for ensuring that team members undertake consultation on matters outside of their expertise. This consultation may be with other team members, other audit firm staff, or experts outside the firm. The partner must be satisfied with the consultations in terms of nature and scope and that the conclusions are understood and have been implemented. (AU-C 220.20)
Engagement Quality Control Review
If the firm requires a quality control review, the engagement partner should determine that a reviewer has been appointed in a timely manner and that the engagement partner discusses with the reviewer any significant findings or issues. The audit report should not be released until the quality control review is completed. (AU-C 220.21) If the quality control review report is completed after the audit report is dated, and the auditor determines that additional procedures or evidence are needed, the auditor should change the date of the report to the date when the auditor is satisfied. Also, see AU-C 700 and 703. (AU-C 220.25)
As part of the review, the reviewer should:
Discuss the significant findings with the engagement partner
Read the financial statements
Read the draft audit report
Select and review audit documents related to significant judgments
Evaluate conclusions
Consider whether the report is appropriate
(AU-C 220.22)
When AU-C 701 applies, the engagement team's conclusions include:
Key audit matters to be communicated
Key audit matters not communicated in the auditor's report
If applicable, that there are no key audit matters to communicate in the auditor's report
When reading the proposed auditor's report as part of the quality control review, the auditor should consider the description of key audit matters. (AU-C 220.A28)
Difference of Opinion
If differences of opinion arise among firm personnel about accounting or auditing issues in an audit, the engagement team should follow the firm's policies and procedures. (AU-C 220.23) Procedures to consider may include:
Consultation to attempt resolution
Documentation of an assistant's disagreement, if he or she wants to be disassociated from the final resolution
Documentation of the basis for the final resolution
Monitoring
The audit firm must establish a monitoring process. Policies and procedures should provide reasonable assurance that the above elements of quality control are suitably designed and effectively applied. (AU-C 220.24) Monitoring involves:
Relevant and adequate policies and procedures that are complied with by members of the firm
Appropriate guidance and practice aids
Effective professional development activities
DOCUMENTATION
Audit documentation should include:
Compliance and ethical issues identified
How those issues were resolved
Conclusions on independence compliance
Discussions that support those conclusions
Conclusions reached regarding the acceptance and continuance of audit engagements
Nature and scope of consultations undertaken during the audit engagement
Conclusions resulting from those consultations
(AU-C 220.25)
In addition, the engagement quality control reviewer should document:
That the firm's engagement quality control procedures were performed
The date the engagement quality control review was completed
An affirmation that the reviewer is not aware of any unresolved matters that would cause the reviewer to believe that the judgment and conclusions of the engagement team were inappropriate.
(AU-C 220.26)
This documentation may be made after the report release date. (AU-C 220.A24)
4
AU-C 230 Audit Documentation
Scope
Definitions of Terms
Objectives of AU-C 230
Requirements
Requirement for Audit Documentation
Form, Content, and Extent of Audit Documentation
Ownership and Confidentiality
Standardization of Audit Documentation
Preparation of Audit Documentation
Quality of Audit Documentation
Audit Documentation Deficiencies
Documentation Requirements in Other Sections
Interpretations
Providing Access to or Copies of Audit Documentation to a Regulator
AU-C 230 Illustrations
SCOPE
AU-C 230 concerns the audit documentation the auditor is expected to prepare. See also other standards, laws, or regulations. (AU-C 230.01)
DEFINITIONS OF TERMS
Source: AU-C 230.06. For definitions related to this standard, see Appendix A, Definitions of Terms: Audit documentation, Audit file, Documentation completion date, Experienced auditor, Report release date.
OBJECTIVES OF AU-C 230
AU-C Section 230.05 states that:
The objective of the auditor is to prepare documentation that provides
applicable legal and regulatory requirements.
(AU-C Section 230.05)
REQUIREMENTS
REQUIREMENT FOR AUDIT DOCUMENTATION
The auditor must prepare audit documentation, on a timely basis, in sufficient detail to provide evidence:
About the conclusions reached; and
That the audit was planned and performed under GAAS and relevant legal and regulatory requirements.
(AU-C 230.02)
The form and content of the audit documentation should be designed for the specific engagement.
Audit documentation also:
Helps the team plan the audit
Provides information for supervisors to direct the audit
Provides documentation for review responsibilities in accordance with SAS 146
Supplies backup that the team performed as required by standards
Provides files to be used on future audits
Provides documentation for quality reviews, other types of reviews, and monitoring activities under the firm's system of quality management
Provides documentation for successor auditors
Helps auditors understand prior-year work
(AU-C 230.03)
FORM, CONTENT, AND EXTENT OF AUDIT DOCUMENTATION
The quantity, type, and content of the audit documentation are based on the auditor's professional judgment and vary with the engagement. Factors to consider in determining the content of audit documentation are discussed in the following paragraphs.
Sufficiency of Audit Documentation
The auditor should prepare audit documentation on a timely basis that would allow an experienced auditor¹ having no previous connection with the audit to understand:
The nature, timing, and extent of auditing procedures performed to comply with GAAS and applicable legal and regulatory requirements;
The results of the audit procedures performed and the audit evidence obtained; and
The significant findings or issues that arose during the audit, the conclusions reached on those significant matters, and professional judgments made in reaching those conclusions.
(AU-C 230.08)
Examples of documentation of professional judgment include significant findings, issues, and judgments related to:
The consideration of certain information contextually significant
The auditor's conclusion on the reasonableness of subjective judgments made by management
The evaluation of whether an accounting estimate or related disclosures are contextually reasonable or are misstated
The authenticity of a document when the document is further investigated, such as by using a specialist or confirmations
The determination of key audit matters
The decision under extremely rare circumstances not to include key audit matters in the audit report because of adverse consequences
(AU-C 230.A12)
NOTE: Auditors should bear in mind that the presence of an audit document shows compliance with a requirement. For example, a well-documented audit plan shows the auditor has planned the audit. So, too, a signed engagement letter is proof that an agreement has been reached. Compliance with more subjective requirements, such as professional skepticism, may be less straightforward. Nonetheless, the practice of professional skepticism may be seen through such things as documentation of:
evidence contradicting management's assertions regarding accounting estimates or
how the auditor evaluated evidence that both corroborates and contradicts management's assertion, including judgments about the evidence's sufficiency and appropriateness.
(AU-C 230.A9)
Audit documentation should include:
Who reviewed specific audit work and the date and extent of the review
Who performed the audit work and the date the work was completed
Identifying characteristics of specific items tested
(AU-C 230.09)
Audit documentation should also include abstracts or copies of significant contracts or agreements that involved audit procedures. (AU-C 230.10)
Documentation of Significant Findings
The auditor should document significant audit findings or issues, actions taken to address them (including additional evidence obtained), and the basis of the conclusions reached. (AU-C 230.11) Significant audit findings or issues include:
Matters that are both significant and involve the appropriate selection, application, and consistency of accounting principles with regard to the financial statements, including related disclosures. Such matters often relate to (1) accounting for complex or unusual transactions or (2) estimates and uncertainties, and the related management assumptions, if applicable.
Results of auditing procedures that indicate that the financial statements or disclosures could be materially misstated or that the auditing procedures need to be significantly modified.
Circumstances that cause significant difficulty in applying necessary auditing procedures.
Other findings that could result in a modified auditor's report.
(AU-C 230.A10)
The auditor should document discussions with management and those charged with governance, including when and with whom, about significant findings. (AU-C 230.11)
Departures from a Relevant Requirement
The auditor may find it necessary to not perform a required procedure. If so, the auditor should document the reason for the departure and how alternative procedures enabled the auditor to fulfill the objectives of the audit. (AU-C 230.13)
This documentation is required only if the required procedure is relevant to the audit. For example, if the entity does not have an internal audit function, procedures in AU-C 610 would not be relevant.
Factors to Consider in Determining Audit Documentation
The auditor should consider the following factors in determining the nature and extent of the documentation for an audit area or auditing procedure:
The size and complexity of the entity
The risk of material misstatement associated with the assertion, or account or class of transactions
The extent of judgment involved in performing the work and evaluating results
The nature of the auditing procedure
The significance of evidence obtained to the tested assertion
The nature and extent of identified exceptions
The need to document a conclusion or basis for a conclusion not readily determinable from the documentation of the work performed
The methodologies or tools used
(AU-C 230.A4)
Documentation of Matters Arising After the Date of the Auditor's Report
If, after the date of the auditor's report, the auditor performs additional procedures or changes conclusions, the auditor should document:
Circumstances,
Additional procedures performed, evidence obtained, conclusions reached, and their effect on the report,
When the changes were made, and
By whom the resulting changes were made.
(AU-C 230.14)
Documentation of Report Release Date and Revisions
The auditor should document the report release date and complete the assembly of the final audit file on a timely basis, but no later than 60 days following the report release date. (AU-C 230.15–.16) After this date, the auditor must not delete or discard existing audit documentation before the end of the specified retention period, not less than five years from the report release date. If changes are made to the audit documentation after the documentation completion date, the auditor should document when and by whom the changes were made, the specific reasons for the changes, and the effect of the changes, if any, on the auditor's previous conclusions. (AU-C 230.17 and .18)
OWNERSHIP AND CONFIDENTIALITY
The auditor owns the audit documentation, but his or her ownership rights are limited by ethical and legal rules on confidential relationships with clients. The auditor should adopt reasonable procedures to protect the confidentiality of client information. (AU-C 230.19) The auditor should also adopt reasonable procedures to prevent unauthorized access to the audit documentation. Sometimes audit documentation may serve as a source of reference for the client, but it should not be considered a part of, or a substitute for, the client's accounting records.
STANDARDIZATION OF AUDIT DOCUMENTATION
Audit documentation should be designed for the specific engagement; however, audit documentation supporting certain accounting records may be standardized.
The auditor should analyze the nature of his or her clients and the complexity of their accounting systems. This analysis will indicate accounts for which audit documentation may be standardized. An auditor ordinarily may be able to standardize audit documentation for a small-business client as follows:
Cash, including cash on hand
Short-term investments
Trade accounts receivable
Notes receivable
Other receivables
Prepaid expenses
Property, plant, and equipment
Long-term investments
Intangible assets
Deposits
Accrued expenses
Taxes payable
Long-term debt
Stockholders’ equity accounts
PREPARATION OF AUDIT DOCUMENTATION
All audit documentation should have certain basic information, such as the following:
Heading
Name of client
Description of audit documentation, such as
Proof of cash—Fishkill Bank & Trust Company
Accounts receivable—confirmation statistics
Period covered by engagement
For the year ended …
An index number
All audit documentation should be numbered for easy reference. Audit documentation is identified using various systems, such as the following:
Alphabetical
Numbers
Roman numerals
General ledger account numbers
A combination of the preceding
Preparer and reviewer identification
Identification of the person who prepared audit documentation and date of preparation:
If the client prepared the audit documentation, this should be noted. The person who checked the papers should also be identified.
Identification of the person who reviewed the audit documentation and date of review.
Explanation of symbols
Symbols used in the audit documentation should be explained. Symbols show matters such as:
Columns were footed.
Columns were cross-footed.
Data were traced to original sources.
Source of information
The audit documentation should indicate source of information:
Client records
Client personnel
Related Accounts
One page of audit documentation may provide documentation for more than one account. Many balance sheet accounts are related to income statement accounts. In these circumstances, the audit work on the accounts should be documented in one page of audit documentation. Examples of related accounts are the following:
Notes receivable and interest income
Depreciable assets, depreciation expense, and accumulated depreciation
Prepaid expenses and the related income statement expenses, such as insurance, interest, and supplies
Long-term debt and interest expense
Deferred income taxes and income tax expense
Client Preparation of Audit Documentation
It is advisable to have the client's employees prepare as much as possible of the auditor's audit documentation. This increases the efficiency of the audit. The auditor should identify the audit documentation as "Prepared by the Client" (PBC) and note the auditor who reviewed the client-prepared audit documentation. The preparation of audit documentation by the client does not impair the auditor's independence. However, the auditor should test the information in client-prepared audit documentation.
Considerations for Smaller, Less Complex Entities
The auditor of a smaller or less complex entity may find it useful to record some items in a single document with references to supporting workpapers. For instance, the auditor might document together:
The understanding of the entity,
The environment,
The applicable financial reporting framework,
The system of internal control,
The overall audit strategy and plan,
Materiality,
Assessed risks,
Significant findings or issues, and
Conclusions.
(AU-C 230.A20)
QUALITY OF AUDIT DOCUMENTATION
Audit documentation aids the execution and supervision of the current year's engagement. Also, such documentation helps the auditor in planning and executing the following year's audit. In addition, audit documentation serves as the auditor's reference for answering questions from the client. For example, a bank or a credit agency may want information that the auditor can provide from the audit documentation to the client for submission to the third party.
In case of litigation against the client, the auditor's audit documentation may be subpoenaed. In litigation against the auditor, the audit documentation will be used as evidence. Therefore, audit documentation should be accurate, complete, and understandable. After the audit documentation has been reviewed, any additional work has been done, and modifications have been made to the audit documentation, superseded drafts, corrected documents, duplicate documents, review notes, and all to-do points should be discarded because the issues they addressed have been appropriately responded to in the audit documentation. (AU-C 230.A6)
Likewise, miscellaneous notes, memoranda, e-mails, and other communications among members of the audit engagement team created during the audit should be included or summarized in the audit documentation when needed to identify issues or support audit conclusions; otherwise, they should be discarded. Any information added after completion of fieldwork should be dated at the date added.
Oral Explanations
Oral explanations on their own do not represent sufficient support for the work the auditor performed or conclusions the auditor reached but may be used by the auditor to clarify or explain information in the audit documentation. (AU-C 230.A7)
NOTE: For example, if the auditing standards state that the auditor should obtain an understanding of the entity's control environment, but there is no evidence that he or she obtained such an understanding, then the auditor cannot make a plausible claim that the understanding was obtained but just not documented.
AUDIT DOCUMENTATION DEFICIENCIES
Some of the more common audit documentation deficiencies are failure to:
Express a conclusion on the account being analyzed.
Explain exceptions noted.
Get sufficient information for note disclosure.
Reference information.
Update and revise permanent file.
Post adjusting and reclassification journal entries to appropriate audit documentation.
Indicate source of information.
Promptly review audit documentation prepared by assistants.
Sign or date audit documentation.
Foot client-prepared schedules.
Explain tick marks.
DOCUMENTATION REQUIREMENTS IN OTHER SECTIONS
Certain other sections require documentation of specific matters. These requirements are presented in Illustration 4 at the end of this chapter. In addition, other standards, such as government auditing standards, laws, or regulations, may also contain specific documentation requirements.
INTERPRETATIONS
PROVIDING ACCESS TO OR COPIES OF AUDIT DOCUMENTATION TO A REGULATOR
A regulator may request access to an auditor's audit documentation to fulfill a quality review requirement or to help establish the scope of a regulatory examination. In making the request, the regulator may ask to make photocopies and may also make such copies available to others. (AU-C 9230.01) When regulators make a request for access, the auditor should:
Consider advising the client about the request and indicating that he or she intends to comply. In some cases the auditor may wish or be required to confirm in writing the requirements to provide access (see Illustration 1).
Make arrangements with the regulator for the review.
Maintain control over the original audit documentation.
Consider submitting a letter to the regulator (see Illustration 2). (AU-C 9230.02)
Obtain the client's consent, preferably in writing, to provide access when not required to provide access (see Illustration 3).
NOTE: The guidance in this interpretation applies to requests from regulators, specifically federal, state, and local government officials with legal oversight authority over the entity. The guidance does not apply to requests from:
The IRS,
Practice monitoring programs,
Proceedings related to alleged ethics indicators, or
Subpoenas.
(AU-C 9230 footnotes 1 and 2)
AU-C 230 ILLUSTRATIONS
Illustrations 1, 2, and 3 are adapted from AICPA Interpretations of AU-230 (AU-C 9230).
An auditor's written communication to client when wishing to or required to provide access
An auditor's letter to a regulator
A written communication to the client when regulator may request access to audit documentation when not required by law or regulation
Illustration 4, which lists audit documentation requirements in other sections, is adapted from the application guidance in AU-C 230.
ILLUSTRATION 1. AUDITOR'S WRITTEN COMMUNICATION TO CLIENT WHEN THE AUDITOR MAY WISH AND IN SOME CASES MAY BE REQUIRED TO PROVIDE ACCESS (ADAPTED FROM AU-C 9230.02 AND FOOTNOTE 4)
The audit documentation for this engagement is the property of Guy & Co. and constitutes confidential information. However, we may be requested to make certain audit documentation available to [name of regulator] pursuant to authority given to it by law or regulation. If requested, access to such audit documentation will be provided under the supervision of [name of auditor]. Furthermore, upon request, we may provide copies of selected audit documentation to [name of regulator]. The [name of regulator] may intend or may decide to distribute the copies of information contained therein to others, including other government agencies.
You have authorized Guy & Co. to allow [name of regulator] access to the audit documentation in the manner discussed above. Please confirm your agreement to the above by signing below and returning it to [name of auditor, address].
Firm signature
_____________________________
Agreed and acknowledged:
_____________________________
[Name and title]
_____________________________
[Date]
_____________________________
ILLUSTRATION 2. AUDITOR'S LETTER TO REGULATOR (FROM AU-C 9230.06)
[Date]
_________________
[Name and address of regulatory agency]
_______________________________________
_______________________________________
_______________________________________
Your representatives have requested access to our audit documentation in connection with our audit of December 31, 20X1, financial statements of Widget Company. It is our understanding that the purpose of your request is [state purpose: for example, to facilitate your regulatory examination].
Our audit of Widget Company December 31, 20X1, financial statements was conducted in accordance with auditing standards generally accepted in the United States of America, the objective of which is to form an opinion as to whether the financial statements, which are the responsibility and representations of management, present fairly, in all material respects, the financial position, results of operations, and cash flows in conformity with generally accepted accounting principles. Under generally accepted auditing standards, we have the responsibility, within the inherent limitations of the auditing process, to design our audit to provide reasonable assurance that errors and fraud that have a material effect on the financial statements will be detected, and to exercise due care in the conduct of our audit. The concept of selective testing of the data being audited, which involves judgment both as to the number of transactions to be audited and as to the areas to be tested, has been generally accepted as a valid and sufficient basis for any auditor to express an opinion on financial statements. Thus, our audit, based on the concept of selective testing, is subject to the inherent risk that material errors or fraud, if they exist, would not be detected. In addition, an audit does not address the possibility that material errors or fraud may occur in the future. Also, our use of professional judgment and the assessment of materiality for the purpose of our audit means that matters may have existed that would have been assessed differently by you.
The audit documentation was prepared for the purpose of providing principal support for our report on Widget Company December 31, 20X1, financial statements and to aid in the conduct and supervision of our audit. The audit documentation is the principal record of the auditing procedures performed, the evidence obtained, and the conclusions reached in the engagement. The auditing procedures that we performed were limited to those we considered necessary under generally accepted auditing standards to enable us to formulate and express an opinion on the financial statements taken as a whole. Accordingly, we make no representation as to the sufficiency or appropriateness, for your purposes, of either the information contained in our audit documentation or our audit procedures. In addition, any notations, comments, and individual conclusions appearing on any of the audit documentation do not stand alone, and should not be read as an opinion on any individual amounts, accounts, balances, or transactions.
Our audit of Widget Company December 31, 20X1, financial statements was performed for the purpose stated above and has not been planned or conducted in contemplation of your [state purpose: for example, regulatory examination] or for the purpose of assessing Widget Company compliance with laws and regulations. Therefore, items of possible interest to you may not have been specifically addressed. Accordingly, our audit and the audit documentation prepared in connection therewith should not supplant other inquiries and procedures that should be undertaken by the [name of regulatory agency] for the purpose of monitoring and regulating statements of Widget Company. In addition, we have not audited any financial statements of Widget Company since [date of audited balance sheet referred to in the first paragraph above], nor have we performed any audit procedures since [date], the date of our auditor's report, and significant events or circumstances may have occurred since that date.
The audit documentation constitutes and reflects work performed or evidence obtained by [name of auditor] in its capacity as independent auditor for Widget Company. The documents contain trade secrets and confidential commercial and financial information of our firms and Widget Company that are privileged and confidential, and we expressly reserve all rights with respect to disclosures to third parties. Accordingly, we request confidential treatment under the Freedom of Information Act or similar laws and regulations when requests are made for the audit documentation or information contained therein or any documents created by the [name of regulatory agency] containing information derived therefrom. We further request that written notice be given to our firm before distribution of the information in the audit documentation (or photocopies thereof) to others, including other government agencies, except when such distribution is required by law or regulation.
[If it is expected that photocopies will be requested, add:]
Any photocopies of our audit documentation we agree to provide you will be identified as Confidential Treatment Requested by [name of auditor, address, telephone number].
Firm signature
________________________
ILLUSTRATION 3. WRITTEN COMMUNICATION TO THE CLIENT WHEN REGULATOR MAY REQUEST ACCESS TO AUDIT DOCUMENTATION WHEN NOT REQUIRED BY LAW OR REGULATION (FROM AU-C 9230.13)
The audit documentation for this engagement is the property of [name of auditor] and constitutes confidential information. However, we may be requested to make certain audit documentation available to [name of regulator] for [describe the regulator's basis for its request]. If requested, access to such audit documentation will be provided under the supervision of [name of auditor] personnel. Furthermore, upon request, we may provide photocopies of selected audit documentation to [name of regulator]. The [name of regulator] may intend or decide to distribute the copies of information contained therein to others, including other government agencies.
You have authorized [name of auditor] to allow [name of regulator] access to the audit documentation in the manner discussed above. Please confirm your agreement to the above by signing below and returning to [name of auditor, address].
Firm signature
_____________________________
Agreed and acknowledged:
_____________________________
[Name and title]
_____________________________
[Date]
_____________________________
ILLUSTRATION 4. AUDIT DOCUMENTATION REQUIREMENTS IN OTHER AU-C SECTIONS (FROM AU-C 230.A30)
The following lists the main paragraphs in other AU-C sections that contain specific documentation requirements. See the related chapters in this book for additional information.
NOTE
¹ See Definitions of Terms section.
5
AU-C 240 Consideration of Fraud in a Financial Statement Audit
Technical Alert
Scope
Definitions of Terms
Objectives of AU-C 240
Requirements
Description and Characteristics of Fraud
Responsibilities of the Auditor
Professional Skepticism
Engagement Team Discussion about Fraud (Brainstorming)
Obtaining Information Needed to Identify Fraud Risks
Inquiries of Internal Auditors
Inquiries of Others within the Organization
Inquiries of Those Charged with Governance
Considering the Results of Analytical Procedures
Considering Fraud Risk Factors
Identifying Fraud Risks
Assessing Identified Risks
Responding to the Results of the Assessment of Risk of Material Misstatement
Evaluating Audit Evidence
Communication about Possible Fraud to Management and Those Charged with Governance
Documentation
Antifraud Programs and Controls
AU-C 240 Illustrations
TECHNICAL ALERT
Although the Public Company Accounting Oversight Board (PCAOB) is focused on guidance for public companies and broker dealers, it offers information that can be valuable on audits of other entities. In June 2022, the PCAOB issued areas of focus for its inspections. Its alert emphasized current threats regarding fraud risk. See the preface to this volume for more information.
SCOPE
AU-C 240 focuses on the auditor's responsibility for fraud in a financial statement audit. AU-C 240 complements and expands on guidance in AU-C 315 and 330 regarding risks of material misstatements. (AU-C 240.01)
DEFINITIONS OF TERMS
Source: AU-C 240.11. For definitions related to this standard, see Appendix A, Definitions of Terms: Fraud, Fraud risk factors, Significant unusual transactions.
OBJECTIVES OF AU-C 240
The objectives of the auditor under AU-C Section 240 are to:
- Identify and assess the risks of material misstatement of the financial statements due to fraud;
- Obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement due to fraud, through designing and implementing appropriate responses; and
- Respond appropriately to fraud or suspected fraud identified during the audit.
(AU-C 240.10)
REQUIREMENTS
DESCRIPTION AND CHARACTERISTICS OF FRAUD
Although fraud is a broad legal concept, the auditor's interest specifically relates to fraudulent acts that cause a material misstatement of financial statements. Two types of misstatements are relevant to the auditor's consideration in a financial statement audit.
- Misstatements arising from fraudulent financial reporting
- Misstatements arising from misappropriation of assets
(AU-C 240.02–.03)
Fraudulent financial reporting does not need to involve a grand plan or conspiracy. Management may rationalize that a misstatement is appropriate because it is an aggressive interpretation of accounting rules, or that it is a temporary misstatement that will be corrected later.
Fraudulent financial reporting and misappropriation of assets differ in that fraudulent financial reporting is committed, usually by management, to deceive financial statement users, whereas misappropriation of assets is committed against an entity, most often by employees.
Fraud Risk Factors
Fraud generally involves the following three conditions:
- A pressure or an incentive to commit fraud
- A perceived opportunity to do so
- Rationalization of the fraud by the individual(s) committing it
(AU-C 240.A1)
However, not all three conditions must be observed to conclude that there is an identified risk. It is particularly difficult to observe that the correct environment for rationalizing fraud is present.
Although fraud usually is concealed, the presence of risk factors or other conditions may alert the auditor to its possible existence.
The auditor should be aware that the presence of each of the three conditions may vary, and is influenced by factors such as the size, complexity, and ownership of the entity. These three conditions usually are present for both types of fraud.
The typical fraudster. KPMG released a study of 750 fraudsters in 81 countries, Global Profile of a Fraudster: Technology Enables and Weak Controls Fuel the Fraud,¹ regarding characteristics of people who commit fraud. They:
- are often experienced employees in a position to collude with people inside and outside the entity.
- usually hold management or senior positions.
- do not have a prior history of criminal activity.
- are highly respected.
- appear trustworthy.
- are predominantly male between the ages of 36 and 55.
Most (61%) fraudsters are employed by the entity.
In 2010, several organizations (the Center for Audit Quality, Financial Executives International, the Institute of Internal Auditors, and the National Association of Corporate Directors) formed the Anti-Fraud Collaboration. The organization's website at antifraudcollaboration.org contains resources for audits in the form of case studies, reports, videos, articles, and free CPE.
Management's Override of Controls
The auditor should also be alert to the fact that fraudulent financial reporting often involves the override of controls, and that management's override of controls can occur in unpredictable ways. Also, fraud may be concealed through collusion, making it particularly difficult to detect.
In recent years, one international company paid a multimillion-dollar fine to the SEC for inflating its fiscal year results to meet earnings expectations and committing other accounting-related violations over a first-year period.² Another international company paid penalties because it was overstating revenues and assets.³ Both companies improperly accounted for write-downs under ASC 450. One company also failed to properly amortize intangible assets under ASC 350.
Responsibilities for the Prevention and Detection of Fraud
Management and those charged with governance have the primary responsibility for the prevention and detection of fraud. Management should create an atmosphere that makes fraud prevention a priority by creating a culture of ethical behavior supported by oversight. Management should consider potential inappropriate influence over the financial reporting process, such as managing earnings. Management is responsible for designing and implementing programs to prevent, deter, and detect fraud. When management and others, such as the audit committee and board of directors, set the proper tone of ethical conduct, the opportunities for fraud are significantly reduced. (AU-C 240.04)
RESPONSIBILITIES OF THE AUDITOR
In every audit, the auditor is obligated to plan and perform the audit to obtain reasonable assurance about whether the financial statements as a whole are free of material misstatements, whether caused by error or by fraud. (AU-C