Performing an Effective Audit Risk Assessment in the COVID-19 Environment


Post on 27-Jan-2022


© Surgent • www.surgentcpe.com

Performing an Effective Audit Risk Assessment in the COVID-19 Environment


Today’s presenter

Marci Thomas, MHA, CPA, CGMA

Marci Thomas, MHA, CPA, CGMA, licensed as a CPA in Georgia and North Carolina, is an author and nationally recognized speaker on various accounting and auditing topics to companies, nonprofits, CPA firms, and state societies of CPAs around the country. A frequent speaker at local, regional, and national conferences, she also writes and teaches courses in governance, financial management, grants accounting, strategy, and various operational topics. Marci is a clinical assistant professor in the School of Public Health at the University of North Carolina at Chapel Hill. She works with numerous accounting firms, performing quality control and efficiency reviews and with boards on strategic planning, internal control, and governance issues. Marci serves on the Not-for-profit Committee for the North Carolina Association of CPAs.

Marci has written and co-written several books, including Essentials of Physician Practice Management, published by Jossey Bass in 2004. Her book Best of Boards: Sound Governance and Leadership for Nonprofit Organizations was published by the AICPA and Wiley Publishing in 2018 and is on its second printing. Her book on health care financial management was published by Wiley Publishing in 2014, with a new edition expected in 2020.

Marci received her Bachelor in Business Administration with a concentration in accounting from the Georgia State University and her Masters in Health Administration from the University of North Carolina at Chapel Hill.


Course objectives

• Identify key elements of an effective risk assessment

• Recall professional standards covering risk assessment

• Recognize how to implement the risk assessment standards in practice

• Recall the linkage between audit procedures and the risk assessment

• Be able to produce documentation to meet professional standards

• Prepare communications resulting from the audit


Topics covered in our course

• COVID-19 environment

• Audit planning and supervision

• Performing risk assessment procedures and collecting the data to perform the risk assessment

• Understanding and evaluating the design and implementation of internal controls

• Assessing overall risk and risk at the account balance and assertion level

• Linking the risk assessment to further audit procedures including tests of controls

• Documentation

• Audit communications


Course agenda

Section 1 – Introduction to Risk Assessment in COVID-19 Environment

Section 2 – Audit Planning and Supervision

Section 3 – Obtaining an Understanding of the Entity and Its Environment Including Its Internal Control

Section 4 – Audit Risk and Performing Risk Assessment Procedures

Section 5 – Materiality and Tolerable Misstatement Considerations

Section 6 – Linking to Further Audit Procedures

Section 7 – Documentation and Audit Communications


Introduction to Risk Assessment in the COVID-19 Environment

Section 1


Introduction to risk assessment

• Auditor’s overall objectives

– Plan and perform the audit to obtain reasonable assurance that the financial statements are free from material misstatement

– Provide an audit report consistent with the auditor’s findings

• The Auditing Standards Board (ASB) revised its risk assessment process in 2006

• Additional revisions with the clarity standards in 2012

• More revisions are coming in the next couple of years as the ASB conforms to international audit standards

– In a riskier environment, it is important to understand these revisions since they were written to address specific risks in an audit


Introduction to risk assessment

• The risk-based approach is a more holistic approach to auditing in that it assesses the risk of fraud or error in the financial statements based on a much more rigorous process

• Auditors still tend to focus very little on internal controls as a means to reduce the level of substantive testing but are required to obtain an understanding of the design of key internal controls over significant systems and determine if they’ve been implemented

– Internal controls will be a very important part of an audit in a COVID-19 environment

• AICPA ethics findings have established that this is a weak spot in audits and that the risk assessment process is not always well-documented

• In addition, steps are not always performed appropriately or are omitted


COVID-19 environment overview

• COVID-19 produces many stressors on an audit, primarily those for years ending on or after March 31, 2020

• Audit issues tend to relate to 4 categories

– People

– Process

– Technology

– Accounting and Financial Reporting


COVID-19 environment overview – people

• Auditors are working remotely. This works well for more experienced people. For newer people it can lead to reluctance to ask questions and therefore misunderstanding in what they need to do resulting in audit errors

• WFH is, for many, filled with distractions where stopping and starting a project can lead to a less efficient process and in some cases errors from forgetting to do an important step

• Information will not necessarily always be available in the same form as before. The auditor will need to guard against accepting evidence that is not authentic, is from an unreliable source, or is not acceptable according to professional standards

• Auditors will need to ramp up professional skepticism and ask to speak to those outside accounting to corroborate discussions with accounting personnel

• Clients will have many of these issues and for them access to the data they need to perform their jobs may be very challenging, especially for less sophisticated entities

• Risk of fraud is heightened. Additional opportunity through changes in internal control and additional incentive due to the environment of uncertainty.


COVID-19 environment overview – process

• One of the biggest challenges in the audit process will be understanding internal controls

• The auditor will need to understand pre-WFH controls and post-WFH controls

• Design of controls may not be too difficult to assess but implementation will be harder

• Inquiry alone is not sufficient to understand if controls have been implemented

• Corroborative inquiry, creative use of cameras to observe processes (internal control as well as inventory counts and other processes)

• Representation letters: an electronic signature is OK if precautions are taken to validate the signature (additional representations will be important in this environment). If letterhead is not available, at least have the company name and address at the top of the page.


COVID-19 environment overview – technology

• Auditors should consider extensive use of video chat/conferencing for discussions including questions about the risk of fraud

• Video can also be used if paper documents are scanned and then sent to auditors since auditors cannot view originals. Camera can show the document before scan and the image can be compared to incoming scanned document.

• Many auditors already use external services for bank confirmations

• Other confirmations that are generally mailed may not be received by the party with whom the auditor is confirming if there is no one to check and process mail during the shelter in place. Auditors may want to consider sending other types of confirmations out electronically or, if mailed, asking the client to contact the party and let them know the confirmations are coming.


COVID-19 environment overview – technology

• SOC reports could pose significant challenges

• Auditors obtain an understanding of:

– Nature and significance of services provided and effect on the user entity’s internal control relevant to the audit

– Design and implementation of controls depending on the nature and significance of services (Type 1)

– If the user auditor needs control reliance, then they need to understand operating effectiveness of controls (Type 2)

• Auditor needs to be able to assess the risk of material misstatement so he/she can design further audit procedures (nature, timing, and extent)

• In the COVID-19 environment SOC reports may not be available (the further out we go the more likely this is to be true)


COVID-19 environment overview – technology

• If a report is not available, the auditor should ask

– Is it really necessary? Sometimes auditors get in the habit of asking for SOC reports when they don’t really need to. Key is the degree of interaction.

[Diagram: Client, Service Organization (input, output), Service Auditor]

– High degree of interaction

• Payroll

– Low degree of interaction

• Claims processing

• Investment (trading, management, valuation)

• Benefit plan processes (participant elections, investment changes)


COVID-19 environment overview – technology

• If the entity has an older SOC report without much overlap then more work will be needed

• Visiting the Service Organization is not likely to work in this environment so instead of obtaining an older report the auditor could perform the following:

– Contact relevant individuals at the service organization through the user entity and document the following:

• Significant changes within the system (including relevant system controls), including procedures or controls that changed to accommodate employees working remotely and process flows

• System events that affected the service organization’s ability to achieve its commitments to users

• Read system documentation and any amendments to contracts or service level agreements to the entity that address significant system changes

• Read communications from the service organization to the user entity about its COVID-19 responses and effects on the system


COVID-19 environment overview – technology

• If control reliance is necessary and a report is not available (type 2)

• Testing controls is not as easy as understanding them without a current SOC report and it may be wise to hold open the issuance of the statements if unable to obtain SOC report for a significant system


COVID-19 environment overview – accounting & financial reporting

• Areas where the auditor may find that the client needs to challenge estimates or prepare additional disclosures

– Impairments (ROU assets, fixed assets, goodwill, credit losses)

– Fair value hierarchy

– Concentrations

– Other risks and uncertainties

– Going concern

– Unusual or infrequent events

– Deferred tax assets

– Lease concessions

– Inventory valuation


Audit risk assessment literature

Risk Assessment Standards

AU-C 450, Evaluating Misstatements

AU-C 315, Understanding the Entity, Environment and Internal Controls

AU-C 300, Planning the Audit

AU-C 320, Materiality

AU-C 500, Audit Evidence

AU-C 330, Performing Procedures in Response to Assessed Risk

AU-C 200, General Principles

AU-C 260, Communicating with those Charged with Governance

AU-C 240, Consideration of Fraud

AU-C 250, Consideration of Laws and Regulations

AU-C 520, Analytical Procedures

AU-C 230, Audit Documentation

AU-C 265, Communicating Internal Control Matters


Audit Planning and Supervision

Section 2


AU-C 300, Planning the Audit

• AU-C 300, Planning an Audit, addresses the auditor’s responsibility to plan an audit so that it will be performed in an effective manner

• Audit planning is a significant part of the overall audit strategy and conduct

• Objective of audit planning is to develop an understanding of an audit client’s risks of material misstatement due to error or fraud, and develop appropriate audit procedures necessary to obtain evidence related to those risks

• Planning in a COVID-19 environment is very important since the audit strategy will change, and the audit plan is also very likely to change. This documentation is very important


Goal: Reduce audit risk to acceptably low level

Effective Efficient

Risk-based auditing

The COVID-19 environment will generally increase the overall risk in the engagement


Reasonable assurance

• High, but not absolute, level of assurance

• Inherent limitations:

– Nature of financial reporting

– Nature of audit procedures

– Need for conducting audit in a reasonable period of time, with a balance of cost and benefit

• Sufficient and appropriate audit evidence to reduce audit risk to an acceptably low level


Planning the audit

• Audit strategy - establish an overall audit strategy that sets the scope, timing, and direction of the audit

• The reporting objectives

• Factors that are significant in directing the activities

• Results of preliminary engagement activities

• The nature, timing, and extent of resources necessary to perform the engagement

• Identification of audit engagement issues impacting the audit scope

• Determination of timing and reporting requirements

• Setting the audit scope

Likely to be a factor in COVID-19 environment


Planning the audit

• Audit plan documents the procedures that will be used in the audit

– The expected risk assessment procedures

– Other audit procedures

– The nature, timing, and extent of audit procedures responsive to risk assessment

• Activities conducted in the planning of an audit

1. Preliminary engagement activities

2. Planning activities

3. Consideration of multi-location engagements

4. Consideration of changes during the course of the audit

5. The need for persons with specialized skills or knowledge

6. Additional considerations in initial audits

Likely to be a factor in COVID-19 environment


Client acceptance and continuance procedures

• Client acceptance: an important part of assessing risk

– Assessment of personnel

– Communications with predecessor accountants and auditors

– Discussions with legal counsel

– Discussions with bankers

– Discussions with other significant third parties

– Assessment of management’s commitment

– Assessment of the client’s financial viability

– Conducting a financial review of prior financial statements, tax returns, and books and records


Client acceptance and continuance procedures

• Assessment of auditor independence

• Consideration of background investigations for significant management personnel, such as owners and officers

• Will client seek to impose scope restrictions

• Consideration of related parties

• Consideration of a high-risk business or industry environment

• Obtaining an engagement letter

• Charging a “fair” fee

• Documentation of the client acceptance process


Independence considerations – COVID-19

• Assisting an attest client with a COVID-19 PPP loan application is a nonattest service

• The majority of the certifications and authorizations contained in the “Representations, Authorizations and Certifications” section of the PPP loan application are management responsibilities; the signature required on page 2 of the application should be made by the company applying for the loan or its authorized representative

– Signing as a client’s authorized representative will impair independence because you have accepted the ability to exercise authority on behalf of a client. This is a management responsibility.

• The agent fee arrangement outlined in Treasury’s “Paycheck Protection Information Sheet for Lenders” is not considered a contingent fee because the fee will be determined by Treasury

• If you obtain a PPP loan from a lender that is an existing attest client, independence will be impaired


Client acceptance and continuance procedures

• Continuance: an important part of risk assessment

– Continued retention of first year audit clients should be evaluated

– Evaluate the retention of existing clients

– Assessment of unusual risks

– Lack of a well-controlled and well-managed client environment may substantially increase audit engagement risk

– Document the client retention process

• Is information obtained from the client acceptance and retention evaluation process relevant to identifying the risk of material misstatement?


AU-C 260 – Communications with Those Charged with Governance

• Communications at the beginning of the audit (written or oral)

– Auditor responsibilities and communicating matters related to the financial statement audit

• Performing the audit in accordance with generally accepted auditing standards;

• Designing the audit to obtain reasonable, rather than absolute, assurance

• Considering the reliability of internal control over financial reporting as a basis for designing audit procedures that are appropriate in the circumstances

• Communicating significant matters related to the financial statement audit

• Communicating matters required by law or regulation

• Assuring the auditor is independent as it relates to the reporting entity

Likely to be a factor in COVID-19 environment


AU-C 260 – Communications with Those Charged with Governance

• Communicate auditor’s responsibilities and matters related to the planned scope and timing of the audit. Matters the auditor may include:

– How the auditor plans to address significant risks of material misstatement due to error or fraud

– The auditor’s planned assessment of internal control and the assessment’s impact on planned audit procedures

– The auditor’s approach to materiality assessments and how materiality impacts the overall audit strategy

• Group audit considerations, if applicable

Likely to be a factor in COVID-19 environment


AU-C 250, Consideration of Laws and Regulations

• Risk may be related to possible violations of laws and regulations. Ask for regulatory correspondence.

• Management has responsibility to ensure that the entity conducts its operations in accordance with the provisions of laws and regulations

• The auditor is responsible for obtaining reasonable assurance that the financial statements as a whole are free from material misstatement

• There are inherent limitations on the auditor’s ability to detect misstatement

• The auditor's responsibility is limited to performing specified audit procedures that may identify noncompliance with those laws and regulations that may have a material effect on the financial statements

– Provisions of those laws and regulations generally recognized to have a direct effect

– Provisions of other laws and regulations that do not have a direct effect


Supervision

• The engagement partner is responsible for the engagement and its performance

• The engagement partner and, as applicable, other engagement team members performing supervisory activities, should:

– Inform engagement team members of their responsibilities

– Direct engagement team members to bring significant accounting and auditing issues arising during the audit to the attention of the engagement partner or other engagement team members

– Younger staff may have a more challenging time and need to be carefully supervised

– Review the work of engagement team members

Likely to be a factor in COVID-19 environment


Supervision

– The engagement partner and other engagement team members performing supervisory activities should take into account:

• The nature of the company, including its size and complexity

• The nature of the assigned work for each engagement team member

• The risks of material misstatement (there will be areas of higher risk due to the COVID-19 environment)

• The knowledge, skill, and ability of each engagement team member

– In addition, consider:

• Fraud interviews

• Brainstorming sessions

• Independence and ethical considerations

• Due professional care

Likely to be a factor in COVID-19 environment


Understanding the Entity and Its Environment

Section 3


Risk-based approach to auditing

• Identifying the risk of material misstatement due to fraud or error

• Identifying the significant accounting processes

• Assessing the risk of material misstatement identified as high, moderate, or low (inherent risk, control risk)

• Identifying significant risks (which may be fraud risks)

• Developing tailored audit procedures to be responsive to assessed risk

– Internal control tests

– Substantive procedures

– Other wrap up and concluding procedures

– Reevaluate risk at the end of the audit

An audit is an iterative process. It is not over until the auditor signs the independent auditor’s report.


Understanding the entity and its environment

• Industry, regulatory, and other external factors

• The areas of understanding that are required to be addressed are:

– Activity, regulatory, and other external factors including financial reporting framework

– Nature of the entity

– Objectives, strategies, and related operating risks

– Measurement and review of the entity’s financial performance

– Internal control

Documentation will be very important. Sometimes auditors tend to assume that this documentation is like a permanent file and remains the same each year. In the COVID-19 environment, care should be taken to document places that heighten the risk of material misstatement.


Nature of the entity

• Helps the auditor to understand the classes of transactions, account balances, and disclosures to be expected in the financial statements

– Operations

– Ownership and governance structures

– Types of investments that it makes (including in special purpose entities)

– How the entity is structured

– How it is financed — note whether or not management has taken steps to consider any delays that may occur because documentation is not readily available and client WFH causes them to be late in providing information to the auditor. These delays could impact covenants. Did management evaluate whether operations will impact covenants?


Industry, regulatory, and other external factors

• Industry developments (entity does not have the personnel or expertise to deal with the changes in the industry)

• New products and services (product liability is increased)

• Expansion of the business (demand has not been accurately estimated)

• New accounting requirements

• Regulatory requirements (legal exposure is increased)

• Current and prospective financing requirements (entity's inability to meet requirements)

• Use of IT (cyber fraud risk)

• The effects of implementing a strategy, including any effects that will lead to new accounting requirements

• What impact has COVID-19 had on suppliers, customers, and others that has caused or could cause disruption in the entity’s business


Measurement and review of the entity’s financial performance

• Key performance indicators (financial and nonfinancial)

• Key ratios

• Trends and operating statistics

• Period-on-period financial performance analyses

• Budgets, forecasts, variance analyses, segment information, and divisional, departmental, or other-level performance reports

• Employee performance measures and incentive compensation policies

• Comparisons of an entity's performance with that of competitors

This section is likely to be significantly impacted by the COVID-19 environment. It will be important to consider the ramifications in the preliminary analytical procedures.


Preliminary analytical procedures

• AU-C Section 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

• May identify aspects of the entity of which the auditor was unaware

• May assist in assessing risk of material misstatement, whether due to fraud or error

• Often performed at a high level of aggregation and/or based on preliminary numbers:

– Broad initial indication about whether a material misstatement may exist


Preliminary analytical procedures

• Expectations about plausible relationships (better constructed by factoring anticipated changes into the expectations)

• Analytical procedures performed in planning are generally performed using data that is aggregated at a high level:

– Trend analysis

– Ratio analysis

– Consider using financial and nonfinancial measures (revenue per unit, salaries per FTE)

• Analytical procedures on revenue

Consider performing an analytic for the months pre-COVID-19 and a separate one for the post-COVID-19 time period. This will help assess where the risk is.


Fraud defined

• Intentional act involving deception

• One or more individuals among management, those charged with governance, employees, or third parties

• Results in F/S misstatement:

– Fraudulent financial reporting

– Misappropriation of assets

• ACFE adds corruption and conflicts of interest

• Cyber fraud is perpetrated by external parties

– SEC report (2018) establishes more responsibility for public companies


Management’s responsibility for fraud

• Primary responsibility to prevent and detect fraud

• Management and those charged with governance should place strong emphasis on fraud prevention:

– Implement well-designed and effective internal controls

– Anti-fraud programs and controls

– Fear of getting caught

– Culture of honesty and ethical behavior

– Monitor management override or inappropriate influence


Fraud risk assessment procedures

• Discussions with management, those charged with governance, and others

• Consideration of what the auditor learns in performing analytical procedures

• Understanding the journal entry process and testing journal entries

• Evaluating transactions outside the normal course of business

• Revenue analytics

Inquiries of management, governance, and others should be well documented. The AICPA is recommending video conferencing. This is preferable to audio only or written questionnaires. This is a time when the opportunity is heightened due to changes in internal control due to WFH and the inability to get documents on a timely basis.


Discussions with management and others

• Management’s assessment of fraud risk:

– Process for identifying, responding to, and monitoring risk

– Including nature, extent, and frequency of assessments

– Ask directly about concerns due to changes in controls due to COVID-19

• Any known, suspected, or alleged specific risks

• Involvement of those charged with governance

• Means of communicating views on appropriate business practices and ethical behavior

• Internal audit, if relevant, and other appropriate employees

• Ask about relevant internal controls

Likely to be a factor in COVID-19 environment


Inquiries of others

• Operating personnel not directly involved in F/S process

• Employees with different levels of authority

• Employees involved in initiating, processing, or recording complex or unusual transactions

• In-house legal counsel

• Chief ethics officer or equivalent

• Person charged with dealing with fraud allegations

• Direct communication is superior to communication by electronic media or mailed questionnaires

Likely to be a factor in COVID-19 environment


Engagement team discussion

• Key engagement team members, including partner:

– Communicate significant matters to those not in attendance

– AICPA recommends video conference, especially at this risky time

• Exchange of ideas or brainstorming:

– How and where fraud may occur in F/S

– Set aside beliefs about honesty and integrity

– Consider issues identified during other risk assessment procedures

• Opportunity for more experienced team members to share insights

• May lead to probing, acquiring additional evidence, and consultation

Likely to be a factor in COVID-19 environment


Brainstorming on the risk of fraud

• Fraud triangle:

– Incentives/Pressures, Opportunity, Attitude/Rationalization

• Incentive/Pressure (fraudulent financial reporting)

– Entity is facing increased competition and declining margins

– Industry experiencing product obsolescence

– Unrealistic forecasts or projections

– Pressure to achieve performance measures by regulators

Likely to be a factor in COVID-19 environment


Brainstorming on the risk of fraud

• Incentive/Pressure (misappropriation of assets):

– Anticipated layoffs known by employees

– Unfavorable changes in employee compensation or benefits

– Changes in lifestyle

– Significant personal financial obligations

• Opportunity (fraudulent financial reporting)

– Management bias

– Management override of controls, including journal entries

– Ineffective governance

Likely to be a factor in COVID-19 environment


Brainstorming on the risk of fraud

• Opportunity (misappropriation of assets):

– Access to the assets

– Lack of segregation of duties

– Poorly designed and/or implemented internal controls

Likely to be a factor in COVID-19 environment


Brainstorming on the risk of fraud

• Rationalization/Attitude (fraudulent financial reporting/misappropriation of assets)

– It is only a timing difference, we will adjust future periods

– Low morale with excessive pressure to succeed

– Unreasonable time demands

– Failure to receive promotion or expected benefits

– Abusive or overbearing management coupled with unreasonable performance expectations

– Everyone else is doing it

– If money from a third-party source, like a grant, then not “real money”

Likely to be a factor in COVID-19 environment


Examples of management override

• Recording fictitious journal entries to manipulate operating results

• Inappropriately adjusting assumptions and changing judgments

• Omitting, advancing, or delaying recognition of transactions/events

• Not disclosing facts that could affect F/S amounts

• Engaging in complex transactions structured to misrepresent F/S

• Altering records and terms to significant and unusual transactions

• Embezzling or stealing assets

• Appropriating assets for personal use

Likely to be a factor in COVID-19 environment


Conditions that increase fraud risk in smaller entities

• Inadequate employee training

• Poor employee compensation

• Employee job dissatisfaction

• Unrealistic deadlines with few resources

• Management’s lack of commitment to internal control

• Lack of proper segregation of duties

• Lack of attention to detail, with little/no review

Likely to be a factor in COVID-19 environment: with people WFH, there is more room for misappropriation


Brainstorming on the risk of fraud

• Circumstances that might indicate earnings management or other financial measurement manipulation

• Importance of professional skepticism throughout audit

• How auditor might respond to susceptibility to fraud

Likely to be a factor in COVID-19 environment


Professional skepticism

• Unless evidence to the contrary, may accept records and documents as genuine:

– Investigate if reason to challenge authenticity

– Because documents that were formerly paper may now be provided electronically, it is necessary to challenge authenticity. Take precautions, such as using video feeds to compare electronically provided documents with originals. We are not expected to be authentication experts

• Beware of the temptation to believe that the COVID-19 environment is simply an inconvenience. There are now additional ways things could “go wrong,” and auditors need to be alert to be able to spot them

• Be alert for inconsistencies or unsatisfactory responses to inquiry

• Evaluate whether identified unusual or unexpected relationships may indicate fraud risk

• Evaluate whether findings, adjustments, or other information indicates known or potential fraud


Understanding Internal Controls

Section 4


Obtain an understanding of internal control

• Internal control defined:

A process effected by those charged with governance, management, and other personnel that is designed to provide reasonable assurance about the achievement of the entity's objectives with regard to the reliability of:

– Financial reporting

– Effectiveness and efficiency of operations

– Compliance with applicable laws and regulations

Internal control over safeguarding of assets against unauthorized acquisition, use, or disposition may include controls relating to financial reporting and operations objectives


Obtain an understanding of internal control

• The auditor should obtain a sufficient understanding of each component of internal control over financial reporting relevant to the audit

• Most controls relevant to the audit are likely to relate to financial reporting but not all controls that relate to financial reporting are relevant to the audit

• Auditor should evaluate the design of those controls and determine whether they have been implemented by performing procedures in addition to inquiry of the entity's personnel


Obtain an understanding of internal control

• Auditors are not required to test internal controls over financial reporting except when:

– Control reliance is desired

– Substantive tests alone will not provide sufficient evidence

• Information is only available in electronic form

• Systems are highly complex


Obtain an understanding of internal control

• When obtaining an understanding of internal control the auditor should understand:

– Size and complexity of the entity

– Auditor’s existing knowledge of the entity’s internal control over financial reporting

– Nature of the entity’s controls

– Nature and extent of changes in systems and operations

– Nature of the entity’s documentation of its internal control over financial reporting


Obtain an understanding of internal control

• Obtaining an understanding includes evaluating the design of controls

– Determining whether the company's controls, individually or in the aggregate, are operated as prescribed by persons possessing the necessary authority and competence to perform the control effectively, satisfy the company's control objectives, and can effectively prevent or detect error or fraud that could result in material misstatements in the financial statements

Controls that may have been adequate pre-COVID-19 have undergone changes. For each significant system the auditor needs to understand what changed. Keep in mind that the level of substantive testing may need to be higher during the period with the modified controls.


What has changed in the COVID-19 environment?

• It is likely that the current year will have 2 sets of processes

• Important to understand what changed for the significant cycles

• Considerations:

– Segregation of duties even more affected

– Is there sufficient review (are there documents the client has a harder time obtaining)?

– What about newer employees? Are they properly supervised?

– Is the documentation of review, approval, etc. available? If review is now conducted electronically where before it was manual, how is the review documented?

– Who is reviewing risk areas such as estimates, covenant evaluations, and going concern evaluations (other than the preparer)?

– Is management forced to rush through reviews to make deadlines?

– Has management considered where the risk of fraud is?


The design and implementation evaluation process

• Implementation – Control exists and entity is using it:

– Determine how the system actually functions

• Procedures for design and implementation evaluation:

– Inquiring of entity personnel

– Observing the application of specific controls

– Inspecting documents and reports

– Tracing transactions through the relevant system

• Consider nature of complementary controls for outsourced systems

Implementation will be the most challenging part. As discussed earlier the AICPA recommends observation through video conference, corroborative inquiry, and review of documents (if scanned, follow the correct procedures).


Walkthroughs

• The auditor will perform walkthroughs as part of obtaining an understanding of internal control over financial reporting

• Walkthrough is designed to determine whether controls have been implemented

• Inquiry alone is not sufficient evidence for a walkthrough

• The identification of the key controls and the evidence about whether they are properly designed and have been implemented should be documented


5 internal control components

Source: COSO Integrated Framework, 2013

[Figure: COSO cube. Labels: control elements; subject matter of controls; layers of the entity to which controls apply; foundational entity controls; control activities and IT application controls.]

COSO Framework has 17 principles within the control elements


COSO integrated framework

• 17 principles can be adapted for any type of entity

– Control environment (Principles 1 – 5)

– Risk assessment (Principles 6 – 9)

– Control activities (Principles 10 – 12)

– Information & communication (Principles 13 – 15)

– Monitoring (Principles 16 – 17)


Control environment – Principle 1

Principle 1. The organization demonstrates a commitment to integrity and ethical values.

• Setting the Tone at the Top- The board and management demonstrate the importance of integrity and ethical values to support the functioning of internal control.

– Mission and values statements

– Standards or codes of conduct

– Policies and practices

– Operating principles

– Directives, guidelines, and other supporting communications

– Actions and decisions of management at various levels and governance

– Attitudes and responses to deviations from standards of conduct

– Informal and routine actions and communication of leaders at all levels of the entity


Control environment – Principle 1

• Establishing Standards of Conduct - The board’s expectations of management for integrity and ethical values are understood at all levels

– Establishing what is right and wrong

– Providing guidance for considering associated risks in navigating gray areas

– Reflecting legal and regulatory expectations by stakeholders

• Management is ultimately accountable for activities delegated to outsourced service providers


Control environment – Principle 1

• Evaluates Adherence to Standards of Conduct and Addresses Deviations in a Timely Manner — Red flags that may indicate a lack of adherence to standards are:

– Tone at top does not effectively convey expectations

– Board does not provide impartial oversight of management

– Decentralization without adequate oversight

– Coercion by superiors, peers, or external parties

– Performance goals that create pressure to cut corners

– Inadequate channels for employee feedback

– Failure to remedy non-existent or ineffective controls

– Inadequate complaint response process

– Weak internal audit function

– Inconsistent, insignificant, or unpublicized penalties


Control environment – Principle 1

• Deviations from the standards of conduct are identified and remedied timely

– Defining a set of indicators to identify issues and

– Establishing continual and periodic compliance procedures to confirm that expectations and requirements are being met

– Identifying, analyzing, and reporting business conduct issues and trends to senior management and the board

– Evaluating the strength of leadership in the demonstration of integrity and ethical values for performance reviews, compensation, and promotions

– Compiling allegations centrally with independent evaluation

– Investigating allegations using defined investigation protocols

– Implementing corrections timely and consistently

– Periodically reviewing issues


Control environment – Principle 2

Principle 2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

• Establishes Oversight Responsibilities- The board identifies and accepts its oversight responsibilities. Public companies in many jurisdictions are required to have certain board committees.

• Applies Relevant Expertise- The board defines, maintains, and evaluates the skills needed among its members. Specialized skills needed among board members may include:

• Internal control mindset

• Market and entity knowledge

• Financial expertise

• Legal and regulatory expertise

• Social and environmental expertise

• Incentives and compensation

• Relevant systems and technology


Control environment – Principle 2

• Operates Independently- The board has sufficient members who are independent and objective

• Provides Oversight for the System of Internal Control- The board maintains oversight of management’s design, implementation, and conduct of internal control


Control environment – Principle 3

Principle 3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives

• Consideration of All Structures of the Entity & Establishment of Reporting Lines of Responsibility- Many variables must be considered when establishing organizational structures, including:

– Nature, size, and geographic distribution of the entity’s business

– Risks related to the entity’s objectives and business processes

– Nature of the assignment of authority

– Definition of reporting lines

– Financial, tax, regulatory, and other reporting requirements

• Management and governance consider these variables and the risk when establishing or changing the organizational structure


Control environment – Principle 3

• Defines, Assigns, and Limits Authorities and Responsibilities

– Board stays informed and challenges senior management for guidance on significant decisions

– Senior management establishes directives, guidance, and control to enable staff to understand and carry out their duties

– Management executes senior management’s directives

– Personnel understand standards and objectives for their area

– Management and responsible personnel oversee outsourced service providers

– Authority empowers, but limitations of authority are needed


Control environment – Principle 4

Principle 4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives

• Management and the Board Establish Policies and Practices

– Requirements and rationale

– Skills and conduct necessary to support internal control

– Defined accountability for performance of key business functions

– Basis for evaluating shortcomings and defining remedial actions

– Means to react dynamically to change


Control environment – Principle 4

Principle 4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives

• Evaluates Competence and Addresses Shortcomings-

– Knowledge, skills, and experience needed

– Nature and degree of judgment needed for a specific position

– Cost-benefit analysis of different skill and experience levels

• Attracts, Develops, and Retains Individuals

• Plans and Prepares for Succession - Management develops contingency plans for assigning responsibilities important to internal control. The board develops succession plans for key executives and trains and coaches succession candidates for each target role.


Control environment – Principle 4

• Enforces Accountability through Structures, Authorities, and Responsibilities- The tone at the top helps to establish and enforce accountability, morale, and a common purpose through:

– Clarity of expectations

– Guidance through philosophy and operating style

– Control and information flow

– Anonymous or confidential communication channels for reporting ethical violations

– Employee commitment toward collective objectives

– Management’s response to deviation from standards


Control environment – Principle 4

• Establish and Evaluate Performance Measures, Incentives, and Rewards- Good performance measures, incentives, and rewards support an effective system of internal control. Key success measures include:

– Clear Objectives – consider all levels of personnel and the multiple dimensions of expected conduct and performance

– Defined Implications – communicate objectives, review relevant market events and communicate consequences of failure

– Meaningful Metrics – define metrics, measure expected vs. actual, and assess the expected impact

– Adjustment to Changes – regularly adjust performance measures based on continual risk/reward evaluation


Control environment – Principle 4

• Management and the Board Consider Excessive Pressures- Excessive pressures can cause undesirable side effects. Excessive pressures are most commonly associated with:

– Unrealistic targets, especially short-term

– Conflicting objectives of different stakeholders

– Imbalance between rewards for short-term vs. long-term objectives

• Evaluates Performance and Rewards or Disciplines Individuals- At each level, adherence to standards of conduct and expected levels of competence are evaluated, and rewards are allocated, or disciplinary action is exercised as appropriate


Control environment – Principle 5

• COSO Principle 5 identifies formal reporting mechanisms as an important technique (preventive and detective control)

– The follow-up and investigation of hotline or other communications along with the penalties for infractions provides the entity with an opportunity to detect where fraud has occurred and make the appropriate corrections

– It is also a deterrent if employees realize that there are repercussions for fraudulent activities


Risk assessment – Principle 6

Principle 6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives

• Operations Objectives

• External Financial Reporting Objectives

• External Non-Financial Reporting Objectives

• Internal Reporting Objectives

• Compliance Objectives


Risk assessment – Principle 7

• Principle 7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed

• Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels

– Entity-level risk identification is at a high level and does not include assessing transaction-level risks

– Process-level risk identification is more detailed and includes transaction-level risks

– Management also assesses risks from outsourced service providers, key suppliers, and channel partners


Risk assessment – Principle 7

• Analyzes Internal and External Factors-

– Management realizes that risk is dynamic and considers the rate of change in risks

– Management evaluates the internal factors affecting entity-level risk including:

• Infrastructure and use of capital resources

• Management structure

• Personnel, including quality, training, and motivation

• Access to assets, including possibilities for misappropriation

• Technology, including possibility of IT disruption

– Management solicits input from employees as to transaction-level risks (also see control activities).


Risk assessment – Principle 7

• Involves Appropriate Levels of Management- Effective risk assessment mechanisms match an appropriate level of management expertise to each risk

• Estimates Significance of Risks Identified- Management assesses the significance of risks

– Likelihood of risk occurring and impact

– Velocity or speed to impact upon occurrence of the risk

– Persistence or duration of time of impact after occurrence of risk

• Management determines how to respond to risks

– Acceptance – no action taken

– Avoidance – exiting the risky activities

– Reduction – action taken to reduce likelihood, impact, or both

– Sharing

• Segregation of duties needed to get intended significance reduction

• Cost/benefit of response options


Risk assessment – Principle 8

Principle 8. The organization considers the potential for fraud

• Management and the Board Have an Awareness of How Fraud Can Occur

– Fraudulent financial reporting

– Fraudulent non-financial reporting

– Misappropriation of assets

– Illegal acts


Risk assessment – Principle 8

• As part of the risk assessment process, management identifies various fraud possibilities:

– Management bias

– Degree of estimates and judgments in external reporting

– Fraud schemes and scenarios common in the industry

– Geographic regions

– Incentives

– Technology and management’s ability to manipulate information

– Unusual or complex transactions

– Vulnerability to management override


Risk assessment – Principle 8

• Management Assesses Incentives and Pressures

• Management Assesses Opportunities for Fraud to Occur- The likelihood of loss of assets or fraudulent external reporting increases when there is:

– A complex or unstable organizational structure

– High employee turnover, especially in accounting, operations, risk management, internal audit, or technology

– Ineffectively designed or poorly executed controls

– Ineffective technology systems


Risk assessment – Principle 8

• Management Assesses Attitudes and Rationalizations

– Considers it “borrowing,” intends to repay

– Believes entity “owes” him something because of some form of job dissatisfaction

– Doesn’t understand or care about consequences

– Doesn’t understand or care about accepted ideas of decency and trust


Risk assessment – Principle 9

• Principle 9. The organization identifies and assesses changes that could significantly impact the system of internal control

• Management Assesses Changes in the External Environment

• Management Assesses Changes in the Business Model


Information and communication – Principle 13

• Principle 13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control

• Management Identifies Information Requirements- management identifies and defines information requirements at the relevant level and with requisite specificity. This is an ongoing and iterative process.

• Management Captures Internal and External Sources of Data


Information and communication – Principle 13

• Management Ensures that the Systems Process Relevant Data into Information

• Management Ensures that Systems Maintain Quality throughout Processing

• Management Considers Costs and Benefits of Internal Controls


Information and communication – Principle 14

Principle 14. The organization internally communicates information, including objectives and responsibilities for internal control

• Management Communicates Internal Control Information

– Policies and procedures that support personnel in performing their internal control responsibilities

– Specified objectives

– Importance, relevance, and benefits of effective internal control

– Roles and responsibilities of management and other personnel in performing controls

– Expectations of the entity to communicate within the entity any significant internal control matters including weakness, deterioration, or non-adherence


Information and communication – Principle 14

• Management Communicates with the Board of Directors- Communication between management and the board provides the board with information needed to exercise its oversight responsibility for internal control

• Management Provides Separate Communication Lines- There must be open channels of communication and a clear willingness to report and listen

– Whistle-blower and ethics hotlines and anonymous or confidential reporting via information systems


Information and communication – Principle 14

• Management Selects Relevant Method of Communication- Clarity of information and effectiveness with which it is communicated are important to ensure messages are received as intended


Information and communication – Principle 15

Principle 15. The organization communicates with external parties regarding matters affecting the functioning of internal control

• Management Ensures that the Level of Communication to External Parties is Appropriate

• Management Enables Inbound Communications

• Management Enables Communications from External Parties to the Board of Directors

• Management Provides Separate Communication Lines- Separate communication channels, such as whistle-blower hotlines, are in place

• Management Selects Relevant Method of Communication


Monitoring – Principle 16

Principle 16. The organization selects, develops, and performs ongoing and/or separate evaluations of internal control

• Management Considers a Mix of Ongoing and Separate Evaluations

• Management Considers Rate of Change

• Management Establishes Baseline Understanding of the System of Internal Controls

• Management Uses Knowledgeable Personnel for Monitoring Tasks


Monitoring – Principle 16

• Management Considers a Mix of Ongoing and Separate Evaluations-

– Internal audit evaluations

– Other objective evaluations

– Cross-operating unit or functional evaluations

– Benchmarking/peer evaluations

– Self-assessments

• Management Integrates Ongoing Evaluations with Business Processes

• Management Adjusts Scope and Frequency of Separate Evaluations Depending on Risk and Makes Objective Evaluations to Provide Good Feedback


Monitoring – Principle 17

Principle 17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

• Management and the Board Assess Results of Monitoring Procedures

– Internal parties

– External parties such as customers, vendors, external auditors, and regulators


Monitoring – Principle 17

• Management Communicates Deficiencies in Internal Control

• Management Monitors Corrective Actions


Control activities – Principles 10-12

Segregation of duties- the Foundation for Control Activities

• Segregate duties among personnel in order to ensure that no one person has control over two or more phases of a transaction or operation

• Segregation of duties reduces the opportunity to perpetrate and conceal errors or fraud in the normal course of employee’s assigned functions

• Segregation of duties is generally built into the selection and development of control activities

• When optimal segregation of duties is not possible, management needs to consider the risk, implement additional controls as needed, and consider that members of management will need to set a very strong tone from the top and perform additional monitoring

Process vs. controls

• Process is the journey a transaction takes from initiation to recording in the general ledger

• Along the way controls prevent, detect, and correct misstatements

• A narrative is a good way to document the process, but auditors often do not identify the controls within the process, with the possible exception of approval

• A process also has several parts (procurement, receipt of goods/services, payment). This process may differ significantly or slightly for routine expenses, inventory, and property and equipment.

• Controls are the actions employees, management, and the board take

• Evidence of control implementation is evidence that is present other than inquiry (signoffs, preparation of reconciliations, initials signifying review)

• Evidence of control effectiveness involves evidence that is repeatable and uniform. Corroborative inquiry won’t work here.

• Assertions should be covered by controls

Financial statement assertions

• Existence or occurrence – Exist at balance sheet date

• Completeness – Population of transactions complete

• Rights and obligations – Clear title/actual obligations

• Valuation and allocation – Properly valued and measured

• Accuracy and classification – Properly classified and understandable to users

• Cut-off – Recorded in the proper period

Auditor is required to obtain an understanding of the internal controls over significant risks

Control activities – Principle 10

Principle 10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels

• Management Integrates Control with Risk Assessments Performed

• Management Considers Entity-Specific Differences – in objectives, risk, risk responses, and related control activities

• Management Determines Relevant Business Processes

– Completeness – transactions that occur are recorded

– Accuracy – transactions are timely recorded at the correct amount in the correct account

– Validity – recorded transactions represent economic events that actually occurred

Control activities – Principle 10

• Management Evaluates a Mix of Control Activity Types- Management considers a variety of transaction control activities for its control portfolio including:

– Authorizations and approvals

– Verifications

– Physical controls

– Controls over standing data (e.g., master files)

– Reconciliations

– Supervisory controls

• Management considers a mix of control activities that are preventive and detective

Control activities – Principle 10

• Management Considers at What Level Activities Are Applied – In addition to transaction-level controls, management selects and develops a mix of controls that operate more broadly and at higher levels (business performance or analytical reviews involving comparisons of different sets of operating or financial data).

– These relationships are analyzed and investigated, and corrective action is taken

• Management Addresses Segregation of Duties

Control activities – Principle 11

Principle 11. The organization selects and develops general control activities over technology to support the achievement of objectives

• Management Determines Dependency Between the Use of Technology in Business Processes and Technology General Controls and Implements Effective General Controls

– The reliability of technology within business processes, including automated controls, depends on the selection, development, and deployment of general control activities over technology

– These general controls help ensure that automated processing controls work properly initially, and that they continue to function properly after implementation. General controls apply to technology infrastructure, security management, and technology acquisition, development, and maintenance

– They also apply to all technology, both IT and technology used in production processes

Control activities – Principle 11

• Management Establishes Relevant Technology Infrastructure Control Activities

– Technology infrastructure may include computers, networks, power supply and backup systems, software, and robotics

– This infrastructure is often complex and rapidly changing. These complexities present risks that need to be understood and addressed, and management should track changes and assess and respond to new risks.

Control activities – Principle 11

• Management Establishes Relevant Security Management Process Control Activities:

– Security management includes sub-processes and controls over who and what has access to an entity’s technology, including who has the ability to execute transactions

– Security threats can come from both internal and external sources. Evaluating and responding to external threats will be more important when there is reliance on telecom networks and the internet.

– Internal threats may come from former or disgruntled employees, who pose unique risks. User access to technology is generally controlled by authentication controls.

– These controls are very important and are often the most abused by employees who may share access codes (generally passwords) and IT personnel who do not immediately shut off an employee’s unneeded access to systems resulting from job change or termination
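
An added example, not part of the course material: a user access review that tests the two failures named above, access left open after termination or job change and shared access codes, by reconciling an HR roster against a system account export and a login log. All records, field layouts, role names, and the 30-minute window used as a shared-credential indicator are assumptions constructed for illustration.

```python
from datetime import date, datetime, timedelta

# Constructed HR roster: user -> (status, termination date or None, current role)
HR = {
    "jlee": ("active", None, "ap_clerk"),
    "mroy": ("terminated", date(2020, 4, 3), "ap_clerk"),
    "tkim": ("terminated", date(2020, 5, 15), "controller"),
    "pshah": ("active", None, "payroll"),   # moved from ap_clerk to payroll
}

# Constructed baseline: the access each role needs.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"ap_entry"},
    "payroll": {"payroll_run"},
    "controller": {"gl_post", "ap_approve"},
}

# Constructed account export: user -> (enabled, entitlements granted)
ACCOUNTS = {
    "jlee": (True, {"ap_entry"}),
    "mroy": (True, {"ap_entry"}),                  # never shut off
    "tkim": (False, {"gl_post", "ap_approve"}),
    "pshah": (True, {"payroll_run", "ap_entry"}),  # kept access from old job
    "svc_legacy": (True, {"gl_post"}),             # no owner in HR
}

# Constructed login log: (user, timestamp, workstation)
LOGINS = [
    ("mroy", datetime(2020, 4, 10, 9, 12), "WS-14"),
    ("jlee", datetime(2020, 4, 10, 9, 0), "WS-02"),
    ("jlee", datetime(2020, 4, 10, 9, 5), "HOME-77"),
    ("pshah", datetime(2020, 4, 10, 8, 0), "WS-09"),
    ("pshah", datetime(2020, 4, 10, 13, 0), "HOME-31"),
]


def stale_accounts(hr, accounts):
    """Enabled accounts whose owner HR lists as terminated."""
    return sorted(u for u, (enabled, _) in accounts.items()
                  if enabled and u in hr and hr[u][0] == "terminated")


def orphan_accounts(hr, accounts):
    """Enabled accounts with no HR record, so nobody is accountable for them."""
    return sorted(u for u, (enabled, _) in accounts.items()
                  if enabled and u not in hr)


def excess_entitlements(hr, accounts, roles):
    """Active users holding access beyond their current role (job-change residue)."""
    out = {}
    for user, (enabled, granted) in accounts.items():
        if not enabled or user not in hr or hr[user][0] != "active":
            continue
        extra = granted - roles.get(hr[user][2], set())
        if extra:
            out[user] = sorted(extra)
    return out


def logins_after_termination(hr, logins):
    """Logins dated after the owner's termination date: access was actually used."""
    return sorted((u, ts) for u, ts, _ in logins
                  if u in hr and hr[u][1] is not None and ts.date() > hr[u][1])


def possible_shared_credentials(logins, window=timedelta(minutes=30)):
    """Accounts used from different workstations within `window`.
    This is a lead for inquiry, not proof that a password was shared."""
    by_user = {}
    for user, ts, host in sorted(logins, key=lambda r: (r[0], r[1])):
        by_user.setdefault(user, []).append((ts, host))
    flagged = set()
    for user, events in by_user.items():
        for (t1, h1), (t2, h2) in zip(events, events[1:]):
            if h1 != h2 and t2 - t1 <= window:
                flagged.add(user)
    return sorted(flagged)


if __name__ == "__main__":
    print("stale:", stale_accounts(HR, ACCOUNTS))
    print("orphan:", orphan_accounts(HR, ACCOUNTS))
    print("excess:", excess_entitlements(HR, ACCOUNTS, ROLE_ENTITLEMENTS))
    print("used after termination:", logins_after_termination(HR, LOGINS))
    print("possible sharing:", possible_shared_credentials(LOGINS))
```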

Control activities – Principle 11

• Management Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities

– Technology controls vary depending on risks; large or complex projects have greater risks, and control rigor should be sized accordingly

– Use of packaged software can reduce some risks versus in-house software development

– Another alternative is outsourcing, which, however, presents its own unique risks and often requires additional controls

Control activities – Principle 12

Principle 12. The organization deploys control activities through policies that establish what is expected and in procedures that put policies into action

• Management Establishes Policies and Procedures to Support Deployment of Management’s Directives

• Management Establishes Responsibility and Accountability for Executing Policies and Procedures

• Management Specifies that Controls Must Be Performed in a Timely Manner

• Management Ensures that Corrective Action is Taken in Response to Issues Identified

• Management Ensures that Controls are Performed by Competent Personnel

• Management Reassesses Policies and Procedures

Financial reporting system

• Significant accounts, classes, and disclosures:

– Non-routine and routine

• Flow of information:

– Initiating and authorizing

• How and by whom; source information

– Recording and processing

• How and by whom; automated and manual steps; supporting records; resolving incorrect processing

– Reconciling and reporting

• Process and procedures to get into G/L; management reports

– Important to consider outsourced systems

Financial reporting “process”

• Estimates

• Journal entries (standard and nonstandard)

• “Top-side” adjustments

• Consolidations/combinations

• Supplemental schedules

• Disclosures

Smaller, less complex entities

• Less structured means and simpler processes and procedures:

– May not have extensive written procedures with active management

– Evidence may not be in documented form

• Components may not be clearly distinguished

• Fewer employees, which limits proper segregation of duties:

– But may have effective oversight to compensate

• May not have independent, outside governance:

– Attitudes, awareness, and actions of particular importance

Inherent limitations in internal control

• Reasonable, not absolute, assurance

• Human judgment may be faulty

• Breakdowns due to human error

• Responsible individual does not understand purpose or fails to take appropriate action

• Circumvention or collusion

• Management override of controls

When to test operating effectiveness

• Assessed risk of material misstatement includes an expectation that controls are operating effectively:

– Plan to reduce control risk below “high”

• Substantive procedures alone do not provide sufficient appropriate evidence at the relevant assertion level:

– High volume of relatively small and routine transactions

– Verified completeness and accuracy of information used in other audit procedures

– Highly automated activity

• Impact on overall audit efficiency

The auditor is able to test controls for the non-COVID-19 part of the year if he/she believes that the evidence to support effectiveness is not there in the COVID-19 environment. This means that control reliance is possible for a part of the year.

Reducing control risk

• Internal control must be suitably designed and implemented to be effective

• Cost-benefit consideration to be efficient:

– Substantive only approach generally okay for small- and medium-sized audits

• Evaluate whether results of substantive procedures indicate lack of operating effectiveness:

– Absence of detected misstatement not sufficient

• May be required by regulatory body

– Internal control over compliance must be tested in single audit or program-specific audit

Audit Risk and Performing Risk Assessment Procedures

Section 5

Audit risk and assessing risk

• Audit risk is the risk that the financial statements are materially misstated, and the auditor expresses an inappropriate opinion. It is a function of two components:

1. Risks of material misstatement – not under the auditor’s control

2. Detection risk

• Auditing is an assertion-based activity

– Categories of financial statement assertions

• Classes of transactions

• Account balances

• Presentation and disclosure

Audit risk and assessing risk

• Significant financial statement level risks are likely to be:

– Due to external circumstances

– Related to the client and its environment

– Other economic, accounting, or other developments

Audit risk and assessing risk

• There are some account balances or classes of transaction with higher risk characteristics

– Risk of fraud

– Risk related to significant economic conditions

– Complexity of transaction

– Related party transactions

– Transactions where there is greater subjectivity

– Non-routine transactions

• Significant risks will receive a focused audit consideration that should be documented so that the linkage is evident between the risk and the further audit consideration

Revenue recognition is presumed to be a significant fraud risk. Management override is a significant fraud risk.

Potential significant risks in the COVID-19 environment

• There are some account balances or classes of transaction with higher risk characteristics

– Estimates and impairments (e.g. valuation of inventories (including overhead considerations if applicable), financing receivables, contributions receivable, ROU assets, fixed assets, goodwill, deferred tax assets, equity method investments, equity securities measurement alternative, equity securities without readily determinable fair value due to the volatile market, alternative investments)

– Disclosures (fair value hierarchy, risks and uncertainties, concentrations, subsequent events)

– Risk related to significant economic conditions (risk of fraudulent financial reporting as well as misappropriation of assets)

– Complexity of transaction (unplanned sales of assets, transactions with related parties, restructuring debt)

Audit risk and assessing risk

• Elements of audit risk (AU-C 200)

– Inherent risk is the susceptibility of a relevant assertion to misstatement that could be material. This risk is the responsibility of management.

– Control risk is the risk that the entity’s internal controls will not prevent or detect errors or fraud. This risk is the function of management.

– Detection risk is the risk that the auditor will issue an unqualified opinion when there are material misstatements in the financial statements. This is the auditor’s responsibility.

– The AU-Cs do not go into detail about inherent risk and control risk but rather refer to them together as the risk of material misstatement. This is NOT how the AICPA wants to see the documentation.

AR = IR x CR x DR

Inherent risk

• When assessing risk, inherent risk and control risk are assessed separately

• Both assessments should be performed at the account balance and assertion level

• Some account balances have more risk than others

– Example: Cash is far easier to misappropriate and more likely to have errors than fixed assets

• Some assertions have more risk than others for an account balance

– Example: Accounts receivable – existence may not be as much of an issue if the processing is routine and the entity has good recordkeeping. However, valuation is subjective (estimate) so there is more risk

• Documentation of inherent risk should include the reasons why an auditor identified the risk as low, moderate, or high

Inherent risk

• Factors influencing inherent risk

– Susceptibility to theft or fraudulent reporting

– Complex accounting or calculations

– Accounting personnel’s knowledge and experience

– Need for judgment

– Difficulty in creating disclosures

– Size and volume of account balances or transactions

– Susceptibility to obsolescence

– Prior year period adjustments

Inherent risk is likely to be higher in the COVID-19 environment

Control risk

• Risk that internal control will not prevent or detect material misstatements that occur on a timely basis

• Must have sufficient understanding of internal controls to determine the nature, timing, and extent of audit testing:

– Assists in understanding risk

– Assists in evaluating audit evidence

Detection risk

Using the Audit Risk Model to Determine the Audit Evidence Required

DR = AR / (IR x CR)

DR = Detection Risk
AR = Audit Risk
IR = Inherent Risk
CR = Control Risk

Inherent Risk | Control Risk | RMM
High | High | High
High | Moderate | High
High | Low | Moderate
Moderate | High | Moderate
Low | High | Moderate
Moderate or Low | Moderate | Low/Moderate
Moderate or Low | Low | Low

Risk-based approach

Team meeting

Understand internal control

Assess risk of fraud

Understand entity & environment

Risk assessment procedures:

• Making inquiries

• Performing analytical procedures

• Conducting observations and inspections

• Assessing prior experience with the audit client and audit procedures performed in prior audits

Identify overall risk, risk at the account balance and assertion level, and significant/fraud risks

There is an expectation that there will be significant risks identified. This is especially true in the COVID-19 environment. It is important, however, that the final risks coming out of the team meeting into the risk assessment summary be the ones with high likelihood and magnitude.

Risk-based approach

• Obtain data points

– Obtain an understanding of an entity and its environment including internal control

– Assess the risk of fraud

– Perform preliminary analytical procedures

– Consider client acceptance and continuance procedures

– Hold team meeting to synthesize data obtained

Risk-based approach

• Perform a risk assessment

• Step 1: Identify risks at the financial statement level

• Step 2: When risks are identified at the financial statement level, try to relate them to account balances and classes of transactions where possible

• Step 3: When risks relate to individual account balances and classes of transactions, the auditor will consider what can go wrong at the assertion level

• Step 4: Identify significant risks

• Step 5: Link to further RESPONSIVE audit procedures

Assessing risk

• Once risks are identified, the auditor should classify them by:

– Type

– Significance

– Likelihood

– Pervasiveness (magnitude)

• Note that fraud risks generally are significant risks under AU-C 315

• Both AU-C 240 and AU-C 330 require the auditor to test journal entries to provide evidence about the possibility of management override

Linkage in a financial statement audit

Risk Assessment Components

Understand the entity and its environment

• Relevant industry, regulatory, and other external factors

• Financial reporting framework

• Nature of the entity, including its operations, ownership, and governance structures

• Investments that the entity is making and plans to make

• Way that the entity is structured and how it is financed

• Entity's selection and application of accounting policies, including changes

• Entity's objectives and strategies and related business risks

• Measurement/review of the entity's financial performance

Understand the entity’s internal control and perform tests if necessary or desired

Client acceptance/continuance procedures

Perform preliminary analytical procedures

Develop the audit strategy

Develop the audit plan

Make fraud inquiries and perform procedures such as journal entry testing to understand risk

Supports the determination of inherent risk

Supports the determination of control risk

Audit team discussion-brainstorm – Risk of fraud, significant risks

Document – Risk assessment summary and conclusions

An audit is an iterative process. It’s not over until it’s over!

Link to workpapers

Read the Minutes of the Governing Board

Materiality & Tolerable Misstatement Considerations

Section 5

Materiality

• AU-C 320

• SAS 138 (not yet effective) changed the definition to conform to international standards

• Materiality is the amount (quantitatively) of error that the auditor can permit in the financial statements without them being materially misstated. Materiality also has qualitative aspects. Focus is on the user of the financial statements.

• In the COVID-19 environment the auditor might want to consider lower levels of materiality for specific line items

Materiality

• Materiality and audit risk are considered throughout the audit when:

– Determining the nature and extent of risk assessment procedures to be performed

– Identifying and assessing the risks of material misstatement

– Determining the nature, timing, and extent of further audit procedures

– Evaluating the effect of uncorrected misstatements, if any, on the financial statements and in forming the opinion in the auditor's report.

Materiality

• The concept of materiality recognizes that some matters are more important for the fair presentation of an entity’s financial statements than others

• The auditor uses a benchmark to set materiality. It is a matter of the auditor’s professional judgment.

• Users of the financial statements are assumed to have an appropriate knowledge of business and economic activities and understand the concept of materiality in connection with audits of financial statements

Materiality

• The materiality benchmark (or threshold) is assessed, determined, and computed by the auditor very early on during the audit planning process

• Materiality is used to:

– Determine the types and amount of risk assessment procedures to perform

– Identify the level at which the auditor will need to perform procedures

– Determine the types, amounts, and timing of further audit procedures

– Evaluate audit findings

• AU-C 320, Materiality in Planning and Performing an Audit

Common materiality quantitative thresholds

Benchmark | Illustrative percentage
Total revenue | 0.5% - 2.0%
Total assets | 0.5% - 2.0%
Gross profit | 1.0% - 2.0%
Pretax income | 5.0% - 10.0%
Equity | 1.0%
Cash flows from operations | 3.0% - 5%

Public Entities

• Generally 5% of pre-tax earnings

SEC SAB 99 threshold

Auditor should consider the following:

• Volatility in earnings

• Unusual items impacting pre-tax earnings

• Pre-tax earnings close to break-even

Materiality

• Performance materiality – The amount or amounts set by the auditor at less than materiality for the financial statements as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole

• Materiality & performance materiality can be set by the auditor at less than the materiality level or levels for particular classes of transactions, account balances, or disclosures

What happened to tolerable misstatement?

• Tolerable misstatement is the way the auditor applies performance materiality to a particular sampling procedure

• Trivial – another mechanism the auditor uses to pass adjustments without considering them in the summary of passed adjustments. AU-C 450 says:

– The auditor should accumulate misstatements identified during the audit, other than those that are clearly trivial.

• The auditor may designate an amount below which misstatements would be clearly trivial and would not need to be accumulated

• "Clearly trivial" is not another expression for "not material"

Evaluating misstatements

• Misstatements may result from fraud or error, including:

– An inaccuracy

– An omission

– A financial statement disclosure that is not presented in accordance with the applicable financial reporting framework

– An incorrect accounting estimate

– Management judgments

Evaluating misstatements

• The auditor should accumulate misstatements identified during the audit

– The auditor should determine whether the overall audit strategy and audit plan need to be revised if:

• The nature of identified misstatements and the circumstances of their occurrence indicate that other misstatements may exist that, when aggregated with misstatements accumulated during the audit, could be material

• The aggregate of misstatements accumulated during the audit approaches materiality

Consideration of prior year uncorrected misstatements

• Examine the effects of those the client was not willing to correct separately and in the aggregate by examining them:

– In relation to the relevant individual classes of transactions, account balances, or disclosures

– Whether it is appropriate to offset misstatements

– The effect of current year misstatements combined with prior period misstatements

• The auditor should also consider qualitative factors

• Governance communications – where misstatements that are not posted could later on result in misstatements

Linking to Further Audit Procedures

Section 6

Linkage in a Financial Statement Audit

Develop the audit strategy

Develop the audit plan

Document – Risk assessment summary and conclusions

Link to workpapers

Identification of issues and adjustments

Post adjustments or pass to summary of passed adjustments

Evaluate effects of passed adjustments on financial stmts.

Evaluate internal control deficiencies

Draft governance letter

Perform final analytical review and draft f/s. If issues identified go back and investigate.

Communicate with mgt/draft SAS 265 letter, if applicable

An audit is an iterative process. It’s not over until it’s over!

Introduction

• AU-C 330, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained, provides guidance on:

– Performing tests of controls

– Performing substantive tests

– Evaluating the sufficiency of the evidence obtained

Linking the risk assessment to performance of procedures

• Based on the risk assessment performed, the auditor will determine the appropriate overall and specific responses to the significant risks identified

– Overall responses

• Used to address the pervasive risks that might be identified at the financial statement level

• Usually these risks will be related to issues associated with the entity’s control environment, risk assessment, information and communication, and/or monitoring activities

The COVID-19 environment will likely require an overall response due to the change in the environment for staff and the client

Linking the risk assessment to performance of procedures

• Ways the audit team can respond to these risks:

– Emphasize professional skepticism

– Use more skilled staff

– Provide more supervision

– Incorporate unpredictability into the audit

– Use personnel with specialized skills or specialists

– Modify procedures to obtain more persuasive audit evidence or increase the number of locations to be included in the audit scope

Linking the risk assessment to performance of procedures

• Specific responses

• Determining the types of procedures to perform. Consider:

– Tests of controls

– Substantive procedures

• Presentation and disclosure

– AU-C 500 lists the following assertions for presentation and disclosure:

• Occurrence and rights and obligations

• Completeness

• Classification and understandability

• Accuracy and valuation

• Evaluating disclosures

Audit evidence

• Audit evidence is defined as the “information used by the auditor in arriving at the conclusions on which the auditor’s opinion is based”

• Audit evidence is obtained by the auditor

• Audit evidence must be both sufficient and appropriate

• AU-C 500

• Exposure draft on evidence

Evidence

• Sufficiency

• Appropriate

• Reliability

– Obtained from independent sources

– Generated through a system of strong, effective internal controls

– Documentary evidence rather than oral

– Obtained directly by the auditor

– In original format

• The quantity of evidence is assessed by the level of the risk of material misstatement and the reliability of the evidence

This is important when the client has paper documents that must be scanned to send to the auditor

Audit evidence

• Audit evidence can take the form of:

– Inspection of records or documents

– Inspection of tangible assets

– Observation

– Inquiry

– Confirmation

– Recalculation

– Re-performance

– Analytical procedures

Audit evidence

– Documentary evidence

– Third-party representations

• AU-C 505, External Confirmations

• AU-C 620, Using the Work of an Auditor’s Specialist

– Physical evidence

– Client representations – AU-C 580

Auditing non-standard journal entries

• For smaller clients, scanning the general ledger and general journal may be sufficient

• For medium-sized clients that are using computerized systems, consider having the system generate reports of all journal entries

• For larger clients, the auditor should use a Computer Assisted Audit Tool or Technique

• Testing journal entries is required by AU-C 330 and AU-C 240

Consider journal entries during the whole period but pay particular attention to those made in the COVID-19 period
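
An added example, not part of the course material: a small computer-assisted screen over a journal-entry export that isolates non-standard and top-side entries and ranks them by risk indicators, including posting in the period after controls changed. The column names, the change date, the flag rules, and the treatment of accounts 4000-4999 as revenue are assumptions; the sample entries are constructed.

```python
import csv
import io
from datetime import date

# Constructed journal-entry export; column names are assumptions.
JE_CSV = """je_id,post_date,type,prepared_by,approved_by,account,amount,description
JE-0101,2020-01-31,standard,akhan,rdiaz,6100,1250.40,Monthly depreciation
JE-0215,2020-02-28,manual,akhan,rdiaz,1200,-8400.00,Reclass customer deposit
JE-0398,2020-04-30,manual,cfo,cfo,4000,250000.00,
JE-0402,2020-05-29,topside,akhan,rdiaz,1400,-61000.00,Inventory reserve true-up
JE-0410,2020-06-30,standard,akhan,rdiaz,6100,1250.40,Monthly depreciation
JE-0455,2020-06-30,manual,bwu,,2100,9999.00,Accrual adj
"""

# Assumed date on which the client's control environment changed (remote work).
CHANGE_DATE = date(2020, 3, 15)

# Entry types treated as non-standard; system-generated recurring entries are excluded.
NONSTANDARD = {"manual", "topside"}


def flags_for(row, change_date):
    """Return the risk indicators present on one non-standard journal entry."""
    flags = []
    if row["type"] == "topside":
        flags.append("top-side adjustment")
    if date.fromisoformat(row["post_date"]) >= change_date:
        flags.append("posted after control change")
    preparer = (row["prepared_by"] or "").strip()
    approver = (row["approved_by"] or "").strip()
    if not approver or approver == preparer:
        # Missing or self-approval: the override risk the journal entry test targets.
        flags.append("no independent approval")
    if not (row["description"] or "").strip():
        flags.append("no description")
    if 4000 <= int(row["account"]) <= 4999:   # assumed revenue account range
        flags.append("non-standard entry to revenue account")
    return flags


def screen(csv_text, change_date=CHANGE_DATE):
    """Return [(je_id, flags)] for non-standard entries, most flags first."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["type"] not in NONSTANDARD:
            continue
        results.append((row["je_id"], flags_for(row, change_date)))
    return sorted(results, key=lambda r: (-len(r[1]), r[0]))


if __name__ == "__main__":
    for je_id, flags in screen(JE_CSV):
        print(f"{je_id}: {len(flags)} flag(s) {'; '.join(flags) or 'none'}")
```

Entries with no flags stay in the non-standard population for selection; the ranking only orders where to look first.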

Nature, timing, and extent of further audit procedures

• The nature of procedures relates to the type of tests

– Some types of procedures may work better for certain assertions than others

– The auditor chooses the procedures to be performed related to the reason for the assessment of risk

• Timing relates to when the audit procedures are performed

– The higher the risk, the more likely it is that the auditor should perform procedures at year (or period) end

– The auditor may decide to perform tests of controls at an interim basis

– If tests of the operating effectiveness of controls or substantive tests are performed at an earlier date, consider how much additional work is necessary to extend them to the remaining period

– If operating effectiveness was tested before the COVID-19 environment (i.e., at an interim date), then the controls would need to be tested in the period where controls changed. If the original plan was to test 1/3 of the sample at year end, that may mean more selections need to be made

COVID-19 environment

Nature, timing, and extent of further audit procedures

• Extent relates to the quantity of procedures to be performed

– As the level of risk increases, the number of selections in the sample increases

– Extent is determined by auditor’s judgment

– There are two types of sampling applications that the auditor needs to consider:

1. Attribute sampling for tests of controls

2. Sampling applications for substantive tests


Tests of controls

• The auditor tests controls:

– Because the auditor plans to rely on them

– When his/her risk assessment includes an expectation of the operating effectiveness of controls

– When substantive procedures alone do not provide sufficient appropriate evidence at the relevant assertion level

• The auditor may have obtained a good bit of the audit evidence required as he/she was performing the risk assessment procedures

• As an internal control, observation is only relevant at the time it is performed

• The auditor may wish to rely on controls related to the information systems

The auditor may want to ask additional questions about how information security has changed since the move to employees WFH


Tests of controls

• Using evidence obtained in prior periods

– Determine whether any changes have been made to the controls:

• Inquiry

• Observation

• Inspection

– Be certain that the evidence is not more than 2 years old

This may be more challenging because when there are changes to systems the auditor may not use the evidence from prior periods. This may affect only a portion of the year under COVID-19


Tests of controls

• Extent of tests of controls

• Determining the extent of a test of control is addressed in sampling literature

• The size of the sample varies with the amount of control reliance desired by the auditor and the deviations that the auditor expects to find when testing


Sampling table for attribute testing

90% Confidence Level


Attribute testing for smaller applications

Smaller Populations

Less Frequent Procedures


Substantive procedures

• The auditor is expected to perform the following tests related to the financial reporting process:

– Agreeing the financial statements to the underlying accounting records

– Examining material journal entries and other adjustments made


Substantive procedures

• Timing

– Substantive procedures can be performed at an interim date

– There are some tests that are not effective to perform at an interim date

– If the auditor tests an account balance at an interim date and finds misstatements, then he or she may decide that it is necessary to increase or modify the testing at year-end

– When considering the timing of audit procedures, the auditor should consider how related procedures are coordinated


Substantive procedures

• Extent

– The auditor will perform more tests where there is higher risk of material misstatement

– The extent of reliance on internal controls is also a factor in considering the extent of testing

– The basic mechanism for variables sampling:

Sample size = (Population (excluding items confirmed 100%) × Confidence Factor) / Tolerable Misstatement

– AU-C 330 makes it clear that audit procedures should be concerned with account balances, as well as classes of transactions


Substantive procedures

• Reliability

– Developing expectations

• The level of the detail the auditor can use to develop the expectation

• Reliability of the data

– Data is more reliable when:

• It is produced by systems with reliable internal controls

• External vs. internal data is used

• Nonfinancial data or data subjected to auditing procedures

Remain skeptical. The auditor is not expected to authenticate documents but should take precautions to verify authenticity as appropriate.


Existence/completeness risk and testing

• Substantive tests normally focus on the existence, completeness, and valuation assertions

– Overstatement risk: auditor is confirming a recorded balance to determine if any component of the balance is a misstatement

– Understatement risk: performing a test for unrecorded amounts


Interim testing – roll-forward of conclusions

• Some firms prefer to test controls and some of the transactions at an interim date

• Works best when controls are effective

• May extend testing to transactions in remaining period in order to extend interim conclusions


Interim testing – roll-forward of conclusions

• Consider:

– Significance of assessed RMM at assertion level

– Specific controls tested and results of those tests

– Significant changes to controls since tested, including changes in IT, processes, and personnel

– Degree to which evidence obtained at interim

– Length of remaining period

– Extent of intent to rely on operating effectiveness of controls

– Effectiveness of control environment


Substantive analytical procedures

• Using analytical procedures as substantive tests

– AU-C 520, Analytical Procedures, provides very specific guidance, including guidance on documentation, in performing substantive analytical procedures

– If the auditor is going to use information that has been accumulated in the entity’s information system to form the expectation, it should be tested for reliability

– The AICPA has issued The Analytical Procedures A&A Guide (AP Guide)

A simple fluctuation analysis combined with choosing a sample of, for example, 40 selections will not be sufficient testing. Substantive analytical procedures need precision and to get that, a well-developed expectation is needed. When using SAPs in a COVID environment, it is even more important.


Substantive analytical procedures

• Methods for forming expectations:

– Trend analysis – implicit expectation

– Ratio analysis – implicit expectation

– Reasonableness or predictive expectation – Explicit expectation

– Expectation using regression analysis – Explicit expectation

• With substantive analytical procedures precision is important so a simple comparison of ratios over several years or a fluctuation analysis will not be precise enough

• Evaluating the unexplained differences: need evidence to support


Substantive analytical procedures

• Precision

– The auditor should consider the difference that will be acceptable without further investigation

– When there is a significant risk, substantive analytical procedures cannot be used alone unless controls are tested

– The greater the precision of the expectation, the more likely variances are due to misstatements

– The best way to get sufficient precision is to disaggregate the data


Establishing the acceptance threshold

• Rule of thumb:

– 10% to 1/3 of performance materiality

– Circumstances may increase percentage

• Consider relative percentage to balance:

– 15% to 20% of actual account

– Gives sense of relative precision


Evaluating the adequacy of the evidence obtained

• The determination of whether or not the auditor has obtained sufficient appropriate audit evidence can be influenced by several factors:

– Significance of the potential misstatement

– Effectiveness of management’s responses and controls to address the risks

– Experience gained during previous audits with similar types of misstatements

– Results of audit procedures performed

– Source and reliability of available information

– Persuasiveness of the audit evidence

– Understanding of the entity and its environment, including its internal control


Evaluating the adequacy of the evidence obtained

• Evaluate, at or near end of audit, whether accumulated results of auditing procedures affect initial fraud risk assessments

• Analytically review revenues through end of reporting period

• Evaluate whether misstatements indicate fraud risk

• Evaluate implications of known fraud on other audit aspects:

– E.g., materiality, assessment of management’s integrity, reliability of management representations, etc.

– May be an isolated occurrence


Audit Documentation and Audit Communications

Section 7


Audit documentation

• AU-C 230

• Audit documentation is “the record of audit procedures performed, relevant audit evidence obtained, and conclusions the auditor reached”

• Documentation should be sufficient to enable an experienced auditor, with no previous connection with the audit, to understand:

– The nature, timing, and extent

– The results of the audit procedures performed

• Significant findings or issues

In times like COVID-19, where business failures or fraud are more likely, the best defense the auditor has is the documentation of his/her thought processes, the risks documented thoroughly, very strong linkage and well-thought-out conclusions. Disclosure will also be very important.


Audit documentation

• Audit documentation provides:

– Evidence of the auditor’s basis for a conclusion

– Evidence the audit was planned and performed in accordance with generally accepted auditing standards (GAAS)


Audit documentation

• Document the following:

– Risk assessment procedures performed and conclusions including the team meeting and summary risk assessment

• Rationale for inherent risk

• Conclusions about revenue recognition and management override

– The response to address the risk of misstatement at the financial statement level

– Significant risks and specific linkage to further audit consideration

– Results of understanding/testing of internal control and any deficiencies that came out of the analysis


Audit documentation

• Document the following:

– The nature, timing, and extent of audit procedures performed

– The linkage of those procedures with the assessed risks

– The results of the audit procedures

– Conclusions on sufficiency of the evidence

– Disclosures (rationale for those chosen in the COVID-19 environment) and whether emphasis paragraphs are necessary

– Going concern documentation (be sure to thoroughly test assumptions made by management). Consider asking for management’s assertion in writing. Evaluate disclosures carefully.

– Management representations: consider tailoring the standard reps to cover any COVID-19 issues. New representations should be added when necessary.


Final analytics

• AU-C Section 520, Analytical Procedures

• Performed near the end of the audit as final “gut check”

• Corroborate audit evidence obtained

• Assists with overall conclusions on which F/S audit opinion based

• Generally, read the F/S and related footnotes


Communication with governance

• The auditor has a responsibility to communicate with management and those charged with governance (AU-C 260)

• Communications should occur both at the beginning of the audit as a planning activity, and as a final audit activity at the conclusion of the audit

• The auditor is required to communicate, in writing or orally, only to management other deficiencies in internal control identified during the audit that have not been communicated to management by other parties and that, in the auditor’s professional judgment, are of sufficient importance to merit management’s attention


AU-C 260 communications

• AU-C 260 requires the auditor to communicate the following significant findings or issues from the audit:

– The auditor’s views about qualitative aspects of the reporting entity’s significant accounting practices

– Significant difficulties

– Disagreements with management

– Other findings or issues

– Uncorrected misstatements

– Material, corrected misstatements

– Significant findings or issues

– The auditor’s views about significant matters


AU-C 260 communications

• The communication process

– The auditor is required to communicate in writing the significant findings or issues when he/she concludes that verbal communication would not be adequate

– Communications are restricted to those charged with governance

– The auditor is required to document the AU-C 260 communications whether the communication is in writing or made verbally

Most auditors tend to use a written approach. For those that don’t, consider it in this time of COVID-19. Formal communication is better. Challenge the “boiler plate” language and provide better information.


AU-C 265 communications

• AU-C requires the auditor to communicate deficiencies in internal control

• Assumes that during the course of the audit, the auditor may become aware of deficiencies in internal control

– A deficiency in internal control

– A material weakness

– A significant deficiency

Deficiencies can be noted through control understanding/testing or substantive testing, including any deficiencies that came out of the analysis. Be careful about linkage here. This is very important in the COVID-19 environment.


AU-C 265 communications

• Identifying deficiencies in internal control

– Risk factors that contribute to whether there is a reasonable possibility that a deficiency, or a combination of deficiencies can result in a misstatement of an account balance or a disclosure

• The nature of the class of transaction, account balance, disclosure, and the related assertion being addressed

• The cause and frequency of the exceptions detected as a result of the deficiency, or deficiencies, in internal control

• The susceptibility of the related asset or liability to loss or fraud


AU-C 265 communications

• The subjectivity, complexity, or extent of judgment required to determine the amount involved

• The interaction or relationship of the control with other controls

• The interaction among the deficiencies

• The possible future consequences of the deficiency

• The importance of the control to the financial reporting process


AU-C 265 communications

• Evaluating deficiencies in internal control

– Examples of circumstances that might lend themselves to internal control deficiencies

• Inadequate design of controls over the preparation of financial statements

• Inadequate design of controls over a significant account or process

• Lack of segregation of duties over significant transactions

• A lack of “tone at the top”


AU-C 265 communications

• Lack of controls over the safeguarding of assets

• Inadequate design of controls over information technology

• Inadequate design of monitoring controls

• Absence of a process to inform management of deficiencies in internal control on a timely basis

• Failure to reconcile significant account balances

• An observed error rate that exceeds the number of errors expected by the auditor in a test of the operating effectiveness of a control


AU-C 265 communications

• Indicators of material weaknesses

– Identification of fraud

– Restatement of previously issued financial statements

– Identification of a material misstatement of the financial statements under audit in circumstances that indicate that the misstatement would not have been detected by the entity’s internal control


AU-C 265 communications

• The communication process

– Significant internal control deficiencies and material weaknesses, identified by the auditor, must be communicated (in writing)

• Definition of the term material weakness

• Description of the significant deficiencies and material weaknesses

• Sufficient information to enable those charged with governance and management to understand the context of the communication

– Restriction in the communication


Independent auditor’s report

• Auditor forms an opinion on whether the financial statements are presented fairly, in all material respects, in accordance with the applicable financial reporting framework

• Auditor concludes whether the auditor has obtained reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error

– Evidence from audit procedures performed

– Sufficiency and appropriateness of the evidence

– Evaluation of misstatements identified during the audit and a conclusion about whether uncorrected misstatements are material, individually or in aggregate

– Evaluation on whether the financial statements are prepared, in all material respects, in accordance with the requirements of the applicable financial reporting framework.


Independent auditor’s report

• Evaluate whether financial statements adequately cover if:

– Significant accounting policies selected and applied are disclosed

– Accounting policies selected and applied are consistent

– The accounting estimates made by management are reasonable

– Information presented in the financial statements is relevant, reliable, comparable, and understandable

– The financial statements provide adequate disclosures to enable the intended users to understand the effect of material transactions and events on the information conveyed in the financial statements

– Terminology used in the financial statements, including the title of each financial statement, is appropriate

• Consider the overall presentation, structure, and content of the financial statements

• Consider whether the financial statements, including the related notes, represent the underlying transactions and events in a manner that achieves fair presentation

• Auditor should evaluate whether the financial statements adequately refer to or describe the applicable financial reporting framework (Ref: par. .A10–.A13)


Independent auditor’s report

• Opinion on the financial statements may be

– Unmodified

– Qualified

– Subject to scope limitation

– Adverse

• Consider COVID-19 emphasis paragraph

• Going concern emphasis paragraph may be necessary for some entities


Independent auditor’s report

• SAS 134: new form of auditor’s report (delayed 1 year but could be implemented early)

– Changes made to report form from new definition of materiality (SAS 138)

– Changes also made to AU-Cs on Supplementary information, Required Supplementary Information, Interim Financial Information and Compliance Audits

• SAS 136: new form of auditor’s report for employee benefit plans (not yet effective)


Q&A

We will now answer viewer questions that have come in during the webinar
