sign in sign up
<<
Home , Public company

In-Depth Guide to Public Auditing: The Audit Why an In-Depth Guide to Auditing?

The foundation for confi dence in U.S. capital markets is strengthened through effective management, regulation, oversight and assurance. Independent audits of public company fi nancial statements are understood to be a core contributor to this foundation. In 2009, the Center for Audit Quality (CAQ) published the Guide to Public Company Auditing—an educational tool for non-auditors that provides an introduction and overview of the key processes, participants and issues related to public company auditing. The foundational guide can be accessed at http://www.thecaq.org/newsroom/pdfs/GuidetoPublicCompanyAuditing.pdf.

The foundational guide, however, only touched the surface of the work involved in an audit of a public company’s fi nancial statements and the context within which public company auditing takes place. The objective of the In-Depth Guide to Public Company Auditing is to give readers a behind-the-scenes look inside the fi nancial statement audit process to provide further insight into the work the independent auditor performs to issue an audit report. This includes processes and practices that determine how a public company audit fi rm decides to accept a new audit engagement, how it prepares for and performs the fi nancial statement audit, and how it reports its fi ndings.

This guide provides a basic defi nition of the fi nancial statement audit for public and the key players involved in the fi nancial reporting process. Next, it takes a look at an audit fi rm’s system of quality control—the platform for a quality fi nancial statement audit. Then it takes a chronological look at the steps generally taken by independent auditors to audit a company’s fi - nancial statements: engagement acceptance and continuance activities; planning and scoping the audit; and performing and completing the audit.

May 2011 What is a Financial Statement Audit?

An independent fi nancial statement audit is conducted by a registered public accounting fi rm. It includes examining, on a test basis, evidence supporting the amounts and disclosures in the company’s fi nancial statements, an assess- ment of the accounting principles used and signifi cant estimates made by INTERNAL CONTROL OVER management, as well as evaluating the overall fi nancial statement presentation FINANCIAL REPORTING (ICFR) to form an opinion on whether the fi nancial statements taken as a whole are free of material misstatement. Under Section 404 of the Sarbanes-Oxley Act of 2002, management is responsible for es- The independent auditor’s overarching goal is to provide fi nancial statement tablishing and maintaining a system of ICFR. users with reasonable—but not absolute—assurance that the fi nancial state- Management is also required to provide an ments prepared by management are fairly presented. To communicate that annual assessment of the effectiveness of its assurance, the independent auditor provides a report that includes an opin- internal control structure and procedures for ion about whether the company’s fi nancial statements are fairly presented, in fi nancial reporting to in its annual all material respects, in conformity with U.S. generally accepted accounting report. In addition, public companies with principles (GAAP). of $75 million or more are required to include an attestation report An important element of the framework that company management maintains of its independent auditor on the effective- to enable it to produce reliable fi nancial statements is internal control over ness of ICFR. The audit of ICFR is integrated fi nancial reporting (ICFR). Public companies with market capitalization of with the audit of the fi nancial statements of $75 million or more are required by law to have an audit of management’s the company. The objectives of the audits are assessment of the effectiveness of ICFR that is integrated with an audit of not identical, however, and the independent the fi nancial statements. This is referred to as an integrated audit. The ob- auditor designs his or her testing of controls jectives of these two types of audits are complementary but not identical. to accomplish both audits simultaneously. They are performed by the same audit fi rm at the same time and are usually “integrated” in the sense that procedures supporting the opinion on fi nancial statements are executed concurrently with procedures that involve testing of the related controls. As discussed in a later section, control testing may impact the nature, timing and extent of substantive testing performed. This In-Depth Guide to Public Company Auditing focuses principally on the audit work re- quired to produce an opinion on the fi nancial statements.

3 Who are the Key Players?

Audit Committee The fi nancial statement audit report is the culmina- tion of the audit, but it is based on the responsibilities of three distinct but interrelated groups that make up Internal Independent the fi nancial reporting supply chain. Audit Auditor (Optional) • Company Management – Bears the primary re- sponsibility for the company’s fi nancial statements. Company Management Management also is responsible for implementing and maintaining internal control over fi nancial re- porting and for periodically assessing its operating effectiveness. must be independent of the organizations they audit in accordance with specifi c regulations governing their • – Oversees the fi nancial report- independence. They report directly to the audit com- ing process, including internal control over fi nancial mittee, which engages them and oversees their work. reporting. The audit committee also is responsible for the appointment, compensation, and oversight of Although not required, a number of public companies the independent auditor. Often, the audit committee also employ an internal audit function. As defi ned by oversees the company’s internal audit group as well. The Institute of Internal Auditors, “internal auditing is an independent, objective assurance and consulting activ- • Independent Auditor – Provides a public audit report ity designed to add value and improve an organization’s on the company’s annual fi nancial statements. That operations.” The scope of internal auditing within an or- report provides an opinion about whether the fi nan- ganization is broad and may involve topics such as the cial statements taken as a whole are fairly presented, effi cacy of operations, the reliability of fi nancial report- in all material respects, in accordance with GAAP. In- ing, deterring and detecting fraud, safeguarding assets, dependent auditors are external to the company and and compliance with laws and regulations.

KEY AUDIT COMMITTEE RESPONSIBILITY: INDEPENDENT AUDITOR’S RESPONSIBILITY: SELECTING THE AUDITOR SERVING THE PUBLIC INTEREST

In accordance with Section 301 of the Sarbanes-Oxley Act of 2002: Independent auditors perform their engagements with a skeptical “The audit committee of each issuer, in its capacity as a commit- mindset, and they cannot hesitate to challenge management’s asser- tee of the , shall be directly responsible for the tions whenever those assertions run counter to the audit evidence appointment, compensation, and oversight of the work of any and the auditor’s own judgment. It is not uncommon for independ- registered public accounting fi rm employed by that issuer (in- ent auditors and company management to have different views, for cluding resolution of disagreements between management and example, over the accounting treatment of a particular transaction, the auditor regarding fi nancial reporting) for the purpose of pre- the disclosure of certain information, or the reasonableness of an paring or issuing an audit report or related work, and each such accounting estimate. However, at all times the independent auditor registered public accounting fi rm shall report directly to the is called upon to act in a way that serves the public’s interest, not audit committee.” the interest of company management. If signifi cant differences can- not be resolved, the audit committee is called upon to resolve the issue. In rare circumstances where the auditor is not satisfi ed with the outcome, the auditor may resign from the engagement, inform the Securities and Exchange Commission (SEC) of the issue, or both. 4 What is the Importance of the Audit Firm’s System of Quality Control?

The foundation for a quality fi nancial statement audit • Monitoring of audit quality, including multiple lev- is the audit fi rm’s system of quality control. An audit els of review on each engagement and the regular fi rm’s leadership is critical in setting the proper “tone performance of in-fi rm quality inspections. at the top,” conveying through words and actions that quality work is of paramount importance. • Regular review of other elements of the fi rm’s qual- ity control system. An audit fi rm’s system of quality control consists of all the activities undertaken by the audit fi rm to promote These activities are driven by professional standards, audit quality and includes, for example: the audit fi rm’s own standards of quality, and feed- back from external inspections of the auditor’s work • The establishment of fi rm policies for the imple- by the regulator of public company auditors, the Pub- mentation of professional standards, including lic Company Accounting Oversight Board (PCAOB). standards of objectivity, integrity and auditor inde- pendence requirements. THE PUBLIC COMPANY ACCOUNTING OVERSIGHT BOARD • Personnel management, which includes poli- The PCAOB was created by the Sarbanes-Oxley Act of 2002 and is a cies and procedures related to hiring, assigning private-sector, non-profi t overseen by the SEC and in- personnel to engagements, training, professional dependent from the auditing profession. The PCAOB is charged with development, and advancement. overseeing accounting fi rms that audit the fi nancial statements of public companies. This oversight role includes responsibility for development of • The establishment of fi rm policies for acceptance auditing and related professional practice standards as well as perform- and continuance of clients and engagements. ing independent inspections of registered public accounting fi rms, and enforcement authority related to the rules of the PCAOB and the SEC. • The development, maintenance and deployment of fi rm-specifi c methods and tools for conducting audits.

5 How Do Audit Firms Accept Audit Engagements?

Performing public company audits involves several Consider Requisite Auditor Expertise risks to the audit fi rm and results in lending an audit During the engagement acceptance process, the au- fi rm’s credibility to the company’s SEC fi lings through dit fi rm also evaluates whether it has the necessary the issuance of an auditor’s report. Before accepting industry-specifi c expertise (e.g., energy, biotechnology, a new audit engagement, the audit fi rm takes impor- or fi nancial services) and resources to perform the en- tant steps to meet its responsibilities and to protect its gagement with competence and due professional care. reputation. Given the signifi cance of the fi rm’s accept- When considering auditing the fi nancial statements ance and continuance process, the procedures and of a company that operates with specialized fi nal decision typically involve signifi cant input from practices and accounting standards, the audit fi rm the fi rm’s senior partners. wants to be satisfi ed that team members will have the proper training and experience relative to those spe- Before accepting a new audit engagement, the audit cialized practices. fi rm will gather information about the nature and complexity of the company’s business, the qualifi ca- Consider Auditor Independence tions and reputation of senior management and its Public company auditors are subject to strict inde- board of directors, and the needed expertise required pendence rules as promulgated by the PCAOB and to complete the audit. Independent auditors use this the SEC. As such, a fi rm will review the investment information to make a preliminary assessment of the holdings, business and personal relationships of its risks associated with the proposed engagement and partners and professionals, and other matters of the whether the company’s management is able to fulfi ll fi rm and its personnel to make sure it is independ- its responsibilities for fi nancial reporting. ent and free from relationships that would prevent its auditors from, in fact or appearance, objectively per- Consider Reputational Risks forming the audit. Once the client has been accepted, When deciding whether to accept a new engagement, independence must be rigorously maintained by the audit fi rms carefully consider the reputation and integrity audit fi rm so long as it is engaged. of company management. Audit fi rms typically perform background checks on certain members of senior man- Continuance of Engagement agement and the audit committee to mitigate the risk of Each year prior to the commencement of a recurring entering into an engagement with principals who may audit, the audit fi rm updates its understanding of the engage in questionable or unethical business practices. engagement, the company’s management, and its own capabilities to determine whether the fi rm should If the audit fi rm is taking over the engagement from continue serving as independent auditors. Companies another fi rm, it will make inquiries of the previous in- are constantly evolving and, as a result, it is important dependent auditors about matters such as management’s to reassess the prudence of continuing to be associ- integrity, the nature of any disagreements the predecessor ated with a particular company on an ongoing basis. may have had with management or the audit committee, and the predecessor’s understanding of the reasons why the company is changing audit fi rms.

6 How Does the Auditor Plan the Financial Statement Audit?

If, after the engagement acceptance or continuance as- would preclude timely fi nancial reporting and be pro- sessment, the independent auditor decides to accept hibitively expensive and resource intensive. or continue the engagement, and the company’s audit committee decides to hire or reappoint the independ- The concept of materiality is applied in planning and ent audit fi rm, the audit team spends additional time performing the audit, in evaluating the effect of any with the audit committee and company management identifi ed misstatements, and in forming the opinion to further understand the company’s business and in- included in the independent auditor’s report. Determin- dustry for the purpose of identifying and assessing the ing materiality involves both quantitative and qualitative risks of material misstatement in order to plan and set considerations. As a result, there is not one specifi c the scope of the fi nancial statement audit. The out- quantitative threshold that is used in evaluating materi- come of the planning and scoping process is an audit ality; rather, a combination of factors, both quantitative plan which is followed in order to complete the audit. and qualitative, are considered. The determination of Audit plans are modifi ed as circumstances occur dur- materiality is a matter of professional judgment and is af- ing the course of the audit engagement. fected by the independent auditor’s assessment. Inherent in reaching judgments about materiality is the concept of Reasonable Assurance and Materiality what a reasonable would deem important. All audits are guided by two important factors: rea- sonable assurance and materiality. These two factors Assembling the Right Engagement Team impact the way in which the independent auditor To properly carry out its responsibilities, the audit examines, on a test basis, transactions that occurred fi rm assembles a team of independent auditors that and controls which functioned during the year. The has skill and knowledge commensurate with the extent or scope of the testing is also driven by the needs of the engagement. Audit team members are auditor’s risk assessment. Because it is not practical then assigned areas of responsibility that are appro- for independent auditors to examine every transac- priate based on their capabilities. The more senior tion, control and event, there is no guarantee that all team members typically take responsibility for plan- material misstatements, whether caused by error or ning and directing the audit and for the supervision fraud, will be detected. Instead, the audit is designed and review of the work performed by less experienced to provide a level of assurance that is reasonable but members of the team. Audit team leaders also manage not absolute. Absolute assurance from the audit is, the timing of the engagement and the performance of practically speaking, impossible. Independent audi- the audit team to ensure a timely and effi cient audit. tors cannot test 100 percent, or, in most cases, even In some instances, audit procedures may be per- a majority of transactions recorded by a company; it formed throughout the year, not just after year-end.

7 When auditing a company that operates in an indus- AUDIT RISK try with specialized business practices and accounting standards, the team includes members who have the Audit risk is defi ned as the risk that the independent auditor expresses proper training and experience in those specialized an inappropriate audit opinion when the company’s fi nancial state- practices. Engagement teams are typically staffed with ments are materially misstated. The main components of audit risk varying levels of experience, and therefore supervi- consist of the following: sion and review by more senior auditors is important • Inherent risk is the risk that an account will contain an error irrespec- to the promotion of audit quality. tive of the company’s internal controls. For example, amounts that are based on highly subjective accounting estimates or the application of Some fi nancial statement audits require the expertise complex accounting standards have a higher risk of being materially of specialists to supplement the work of the core en- misstated than amounts that are more objective in nature and based gagement team. Those specialists may either be within on relatively uncomplicated, well-established accounting standards. the audit fi rm itself or engaged from outside the fi rm • Control risk is the risk that the company’s internal control system to supplement the audit team. For example, audit en- will fail to prevent or detect and correct a material misstatement of gagement teams may involve information technology the fi nancial statements. specialists, income tax specialists, appraisers, business • Detection risk is the risk that the independent auditor’s procedures specialists, or actuaries, among other such will not detect a misstatement that exists that could be material professionals. These individuals bring not only addi- (individually or when aggregated with other misstatements). The in- tional expertise to the audit but also a fresh perspective dependent auditor seeks to reduce the level of detection risk through that often helps the audit team to appropriately make the nature, timing, and extent of the audit tests performed. audit judgments. Any work performed by a specialist Inherent and control risk are functions of the company and its environ- is reviewed by the audit partner. ment while detection risk is not. Assessing a Company’s Risks that the Financial Statements Contain Material Misstatements Every fi nancial statement audit engagement presents a different set of challenges to an audit fi rm. No two companies are the same and therefore the independ- ent auditor must tailor the audit to each company, based on the specifi c risks identifi ed.

The design of an effective audit plan depends on the audit team’s ability to identify and assess the risk that the fi nancial statements contain a material misstate- ment, whether caused by error or fraud. The risk assessment process includes:

• Obtaining an understanding of the company and the environment in which it operates. This includes efforts to understand the events, conditions, and company activities that might reasonably be ex- pected to have a signifi cant effect on the risks of material misstatement. An understanding of the

8 company and the environment will often involve includes an exchange of ideas, or “brainstorming,” consideration of such things as the company’s in- among the key engagement team members, includ- dustry, regulatory environment, business objectives ing the engagement partner, about how and where and strategies, and selection and application of ac- they believe the company’s fi nancial statements counting principles. might be susceptible to material misstatement due to fraud, how management could perpetrate and • Considering information gathered during the engage- conceal fraudulent fi nancial reporting, how assets ment acceptance and continuance evaluation, audit of the company could be misappropriated, and con- planning activities, prior audits, and other non-audit sideration of the potential audit responses to the engagements performed for the company. susceptibility of the company’s fi nancial statements to material misstatement due to fraud. • Inquiring of the audit committee, management, and others within the company about risks of ma- The independent auditor’s risk assessment process terial misstatement. will include inquiries of management and the audit committee regarding fraud risks, including: • Obtaining an understanding of the company’s in- ternal control over fi nancial reporting. • Inquiries of management regarding whether man- agement has knowledge of fraud, alleged fraud, or • Performing analytical procedures, such as a com- suspected fraud affecting the company; manage- parison of a company’s current fi nancial statement ment’s process for identifying and responding to account balances to prior year fi nancial statements fraud risks; and whether and how management and/or a comparison of current relevant fi nancial communicates to employees its views on business ratios to industry ratios or prior year ratios. practices and ethical behavior.

• Conducting a discussion among engagement team • Inquiries of the audit committee regarding their members regarding the risks of material misstate- views about fraud risks in the company; wheth- ment. As it relates to fraud, the discussion typically er the audit committee has knowledge of fraud,

9 alleged fraud, or suspected fraud affecting the com- internal auditors are aware of instances of man- pany; whether the audit committee is aware of tips agement override of controls and the nature and or complaints regarding the company’s fi nancial re- circumstances of such overrides. porting and, if so, the audit committee’s responses to such tips and complaints; and how the audit • Inquiries of others within the company (e.g., op- committee exercises oversight of the company’s as- erating personnel not directly involved in the sessment of fraud risks and the establishment of fi nancial reporting process, in-house legal counsel) controls to address fraud risks. about their views regarding fraud risks, includ- ing, in particular, whether they have knowledge of • If the company has an internal audit function, in- fraud, alleged fraud, or suspected fraud. quiries of appropriate internal audit personnel regarding the internal auditors’ views about fraud The results of the risk assessment completed during risks in the company; whether the internal auditors the planning stages of an audit provide the basis for have knowledge of fraud, alleged fraud, or suspect- determining the scope of the audit and nature, timing, ed fraud affecting the company; whether internal and extent of the audit tests that will be performed. auditors have performed procedures to identify or Audit planning is a continuous process, however, and detect fraud during the year, and whether manage- the audit scope might be adjusted during the course ment has satisfactorily responded to the fi ndings of the audit based on audit results or consideration of resulting from those procedures; and whether other factors.

WHAT IS THE AUDITOR’S RESPONSIBILITY FOR DETECTING FINANCIAL REPORTING FRAUD?

It is management’s responsibility to design and implement programs and controls to prevent, deter, and detect fi nancial reporting fraud. Audits are designed to identify and assess fraud risk and detect material fi nancial reporting fraud. The PCAOB auditing stand- ards require that an independent auditor plan and perform the audit to obtain reasonable assurance about whether the fi nancial statements are free of material misstatement, whether caused by error or fraud.

However, as noted in PCAOB Interim Auditing Standard AU Section 316, Consideration of Fraud in a Financial Statement Audit, ab- solute assurance is not attainable and thus even a properly planned and performed audit may not detect a material misstatement resulting from fraud. A material misstatement may not be detected because of the nature of audit evidence or because the character- istics of fraud may cause the independent auditor to rely unknowingly on audit evidence that appears to be valid, but is, in fact, false and fraudulent.

10 How Does the Auditor Perform a Financial Statement Audit?

Developing an Audit Strategy whether to rely on those controls for various com- With a mindset of professional skepticism, independ- ponents of the audit. The independent auditor may ent auditors seek to gather suffi cient, appropriate audit decide (and for public companies with market capital- evidence to support their opinion about the fi nancial ization of $75 million or more, auditors are required) statements. Because the facts and circumstances of an to perform tests of the company’s internal control over audit typically vary dramatically between companies, fi nancial reporting. An independent auditor assesses the standards describe a principles-based process and the desirability of adopting such a strategy by consid- provide guidance to help independent auditors use their ering factors such as cost/benefi t considerations, size judgment in the application of these principles on a par- of the company, and prior year results of control test- ticular engagement. ing. If test results indicate that the company’s internal controls are effective, the independent auditor may In developing an audit strategy, the independent decide to reduce the level of substantive tests that it auditor considers internal controls and determines performs as a basis for its opinion.

essiona r’s Prof l Judgm dito en Au t

Audit Engagement Acceptance

Communicate Results Assemble • Audit Report Audit Team • Audit Committee

Audit Firm’s System of Quality Control

Evaluate Engagement Results & Quality Review Risk Conclude Assessment

D n ocumentatio

Audit Procedures Audit Strategy

Au ism dito ptic r’s Professional Ske

11 It is important to note that a control reliance approach is not the equivalent of an integrated audit. An integrated au- dit is designed to express an opinion on the effectiveness of ICFR, while a control reliance strategy considers controls Table 1: Types of Audit Procedures for purposes of determining the nature, timing and extent Independent auditors can perform a wide variety of procedures and of substantive testing to be performed. However, the in- combinations of procedures to gather the evidence needed to support their opinion on the fi nancial statements. dependent auditor is precluded from relying exclusively on the company’s internal controls as a basis for conclud- TYPE OF PROCEDURE DESCRIPTION ing that the fi nancial statements are free from material Inspection The examination of records or misstatement. For example, in audits of companies with documents, whether internal or excellent controls, independent auditors will still perform external, in paper form, electronic substantive tests of balances, transactions, and disclosures, or other media, or physically but to a lesser degree in those instances. examining an asset. For example, inspecting a sample of invoices. Notwithstanding the auditor’s understanding of internal controls, the independent auditor may choose an audit Observation Observing a process or procedure being performed by company strategy that relies heavily or almost exclusively on sub- personnel or others. For example, stantive tests to gather the audit evidence necessary to form observing a company’s physical an opinion on the fi nancial statements. Regardless of the inventory count, and re-performing strategy chosen, the independent auditor will perform a counts on a test basis. suffi cient level of substantive audit procedures to support the auditor’s opinion, which provides reasonable assurance Inquiry Seeking information from that the fi nancial statements taken as a whole are free of knowledgeable persons in fi nancial or nonfi nancial roles within the material misstatement. company or outside the company. Choosing Audit Procedures Confi rmation Obtaining information or In designing the audit strategy, judgments are made in the representation of an existing selection of the auditing procedures to be performed (see condition directly from a Table 1). In doing so, the independent auditor considers knowledgeable third party. three factors. Recalculation Checking the mathematical • Nature. The independent auditor can choose from a vari- accuracy of documents or records. ety of audit procedures. Some are better suited than others Analytical Comparison of recorded amounts, to address certain types of risks. For example, the physical procedures or ratios developed from recorded observation of property (e.g., building, land) is an effec- amounts, to expectations developed tive procedure to establish the physical existence of the by the independent auditor. asset reported on the company’s balance sheet. It is not an effective procedure to address the risk that the fi nan- Reperformance The auditor’s independent cial statements do not refl ect the correct value of the asset execution of procedures or controls (i.e., the dollar amount at which the asset is recorded). that originally were performed as part of the company’s internal Choosing an audit procedure that most directly addresses control over fi nancial reporting. the identifi ed risk is arguably the most important factor in designing effective audit procedures. The independent au- ditor also recognizes that some audit procedures result in more reliable audit evidence than other audit procedures.

12 For example, the independent auditor’s confi rmation assurance, as required by law, that their fi nancial re- of account balances from third parties may be more porting is reliable and that their fi nancial statements reliable evidence than inspection of internally gener- for external purposes have been prepared in accord- ated company documents. ance with GAAP.

• Timing. Some of the independent auditor’s tests are If the independent auditor chooses to pursue an audit performed “as of” the balance sheet date. For exam- strategy that relies on a company’s internal controls he or ple, the independent auditor may confi rm with the she will test the design of the company’s relevant control company’s lender the amount of a loan balance at systems to assess the operating effectiveness of certain December 31. Often the independent auditor per- internal controls. In assessing the operating effectiveness forms tests “as of” a date prior to the balance sheet of a control, the independent auditor considers detect- date. For example, the company may perform its ed deviations or defi ciencies in management’s internal annual inventory count at a date other than De- control procedures, such as documents not properly cember 31. In that case, the independent auditor approved, reconciliations not regularly performed, or will perform certain tests of inventory “as of” that failure to enforce the appropriate segregation of duties. interim date and then perform some tests of the activity between that date and year-end to draw a Tests of controls typically involve: conclusion about inventory balances at year-end. • Inspection of documents for evidence of proper ap- • Extent. Independent auditors must determine the proval or acknowledgement of the performance of extent of testing they will perform. For example, control procedures. the necessary extent of a substantive audit proce- dure will often depend on the materiality of the • Observation of procedures to determine that prop- account, disclosure, or transactions, the assessed er procedures, particularly segregation of duties, risk of material misstatement, and the necessary are being applied. degree of assurance from the procedure. • Reperformance of procedures to see they have been The nature, timing and extent of auditing procedures are correctly performed. driven by judgments based upon the results of the inde- pendent auditor’s risk assessment and planning processes. • Application of test data to computer programs or other procedures to determine that programmed Testing Controls application controls are functioning properly. A company’s system of internal control over fi nancial reporting is a system of processes designed by a com- For purposes of effi ciency and convenience, the testing pany’s management so they may provide reasonable of controls and substantive testing of transactions will

13 often occur simultaneously. In such situations the in- The independent auditor’s substantive procedures include: dependent auditor will make an assumption about the results of tests of controls. If these tests do not confi rm • Substantive Analytical Procedures. In these tests, that the controls operate as intended, the audit strategy independent auditors gather evidence about relation- will be reconsidered and the level (nature, timing and ships among various accounting and non-accounting extent) of substantive procedures modifi ed. data such as industry and economic information. When relationships are signifi cantly different from Performing Substantive Audit Procedures the auditor’s expectations, the independent auditor Substantive audit procedures provide evidence as to will seek to understand the reason and undertake whether actual account balances are fairly stated. The additional investigation until satisfi ed that items procedures are used to obtain audit evidence about were properly recorded. Examples of variations in particular fi nancial statement assertions by manage- relationships among data can include specifi c unu- ment. Financial statement assertions can be classifi ed sual transactions or events, accounting changes, into the following categories: business changes, or misstatements. For example, if a company’s cost of sales in the income statement has • Existence or Occurrence – Assets or liabilities of historically been 68% of revenues, but in one period the company exist at a given date, and recorded is 80%, the auditor would investigate the apparent transactions have occurred during a given period. anomaly until satisfi ed that he or she understood the reasons for the change. • Completeness – All transactions and accounts that should be presented in the fi nancial statements are • Substantive Tests of Details of Account Balances, so included. Transactions and Disclosures. The details support- ing fi nancial statement accounts are tested to obtain • Valuation or Allocation – Asset, liability, equity, rev- assurance that material misstatements do not ex- enue, and expense components have been included in ist. Substantive procedures may be performed on a the fi nancial statements at appropriate amounts. sample basis over an existing group of similar transac- tions. Sampling approaches can either be statistical or • Rights and Obligations – The company holds or non-statistical. A simple example of this type of audit controls rights to the assets, and liabilities are obli- procedure would be to examine vendor invoices and gations of the company at a given date. bank statements to support a recorded expense. Inde- pendent auditors can also select targeted samples to • Presentation and Disclosure – The components match specifi c risk criteria, as well as use the results of of the fi nancial statements are properly classifi ed, sample testing, in some instances, to conclude on the described, and disclosed. population as a whole.

PROFESSIONAL SKEPTICISM

Professional skepticism is fundamental to an independent auditor’s ob- jectivity and includes a questioning mind and an objective assessment of audit evidence. It requires an emphasis on the importance of maintaining the proper state of mind throughout the audit. The independent auditor uses his or her knowledge, skill, and ability to diligently perform, in good faith and with integrity, the gathering and objective evaluation of audit evi- dence. Given that evidence is gathered and evaluated throughout the audit, professional skepticism is exercised throughout the entire audit process.

14 Evaluating Test Results and Concluding that are materially misstated. The independent auditor Professional standards defi ne certain requirements cannot express an unqualifi ed opinion on the compa- and provide broad guidelines about the evaluation ny’s fi nancial statements unless he or she is satisfi ed that of audit evidence. However, the independent audi- there are no material misstatements. Misstatements dis- tor also is required to exercise professional judgment covered by the independent auditor during the course to determine the nature and amount of evidence re- of the audit (even those misstatements that are cor- quired to support the audit opinion. rected in the fi nancial statements by management prior to issuing the fi nancial statements), are required to be As the audit progresses, the audit team completes communicated to the audit committee. its tests and evaluates the results. A portion of this evaluation is qualitative in nature, in which the in- Documentation dependent auditor considers whether the test results Independent auditors document the procedures per- confi rm or contradict management’s assertion that the formed, evidence obtained, and conclusions reached. fi nancial statements are prepared in accordance with This documentation is intended to include suffi cient GAAP or that ICFR are operating effectively. information to enable an experienced auditor with no previous connection with the engagement to un- Depending on the test results, the engagement team derstand the nature, timing, extent, and results of the may need to adjust its audit plan, modify its tests, or procedures performed, evidence obtained, and con- perform additional procedures in response to this up- clusions reached as well as who performed the work, dated information as warranted. the date such work was completed, who reviewed the work, and the date of such reviews. When the independent auditor discovers misstatements in the accounting records or fi nancial statements, he or Engagement Quality Review she informs company management, who then decide The audit process includes quality control procedures whether and how to make any adjustments. Manage- prior to the audit fi rm’s issuance of its report, among ment bears the ultimate responsibility for the fi nancial them a review of audit procedures that is performed statements and may determine that some misstatements by another professional within or outside of the audit are immaterial in their judgment and do not warrant a fi rm—also known as an engagement quality review. The change to the fi nancial statements. objective of the engagement quality reviewer is to evalu- ate the signifi cant judgments and conclusions made by The audit team summarizes any uncorrected misstate- the engagement team in forming the overall conclusion ments and performs an independent evaluation as to on the engagement and in preparing the independent whether the uncorrected misstatements—both individ- auditor’s report in order to determine whether to provide ually and in the aggregate—result in fi nancial statements concurring approval on issuing the report.

AUDITOR’S PROFESSIONAL JUDGMENT

The independent auditor’s objective is to obtain suffi cient appropriate audit evidence to provide a reasonable basis for forming an opinion on the fi nancial statements. How much evidence is suffi cient and what kind of evidence is collected is based on the auditor’s judgment. Auditor judgment is also required in interpreting the results of audit testing and evaluating audit evidence. More judg- ment is needed when auditing accounting estimates in fi nancial statements, the measurements of which are inherently uncertain and depend on the outcome of future events. Independent auditors exercise professional judgment in evaluating the reasonableness of accounting estimates based on information that could reasonably be expected to be available prior to the completion of the audit. As a result, with regard to the company’s accounting estimates, the independent auditor often has to rely on evidence that is persuasive rather than convincing.

15 What is the Audit Report?

At the conclusion of the audit, the independent audi- and cash fl ows of the company in accordance with the tor issues the audit report. This report contains three appropriate fi nancial reporting framework (e.g., U.S. main elements: GAAP), the independent auditor issues what is known as a “standard unqualifi ed opinion.” It is important to • An introduction that identifi es the fi nancial statements recognize that, even though the audit is planned and that were audited and the division of responsibility performed at the individual account level, independent between the independent auditor and management. auditors express an opinion on the fi nancial statements taken as a whole. Independent auditors do not provide • A discussion of the scope of the engagement, which opinions on individual accounts or disclosures. describes the nature of the audit. Depending on the results of the engagement, the • The independent auditor’s opinion on the fi nancial standard opinion may be modifi ed (see Table 2). statements. Audit Committee Communications If the independent auditor concludes that the fi nancial The dynamic between management, its board of direc- statements, taken as a whole, “present fairly, in all mate- tors, and the was signifi cantly changed rial respects,” the fi nancial position, results of operations with the Sarbanes-Oxley Act of 2002 in order to foster

Table 2: Types of Financial Statement Audit Opinions UNQUALIFIED OPINIONS DESCRIPTION Standard It states that the fi nancial statements present fairly, in all material respects, unqualifi ed opinion the fi nancial position, results of operations, and cash fl ows of the company in conformity with GAAP.

Explanatory Certain circumstances, while not affecting the independent auditor’s unqualifi ed language added opinion, may require the auditor to add a paragraph to the standard report. For example, a change in an accounting principle or its application, or another matter that warrants emphasis. DEPARTURES FROM DESCRIPTION UNQUALIFIED OPINIONS Qualifi ed opinion* A qualifi ed opinion modifi es the standard opinion by stating that the fi nancial statements are a “fair presentation” except for the effects of certain matters.

Adverse opinion* An adverse opinion states that the fi nancial statements do not present fairly the fi nancial position, results of operations, and cash fl ows of the company in conformity with GAAP.

Disclaimer opinion* In a disclaimer of opinion, the independent auditor declines to express an opinion because he or she was unable to access enough information to form an opinion, or because the scope of the audit was restricted by the company.

* Financial statements with a qualifi ed, adverse or disclaimer of opinion represent a substantial defi ciency in the reporting requirements for a company’s fi ling. As a result, the SEC would be expected to require the company to take corrective measures.

16 overall improvements to the fi nancial reporting process. • Any disagreements with management, whether or not Instead of company management, the audit committee satisfactorily resolved, about matters that individually of the board of directors is now directly responsible for or in the aggregate could be signifi cant to the entity’s fi - the appointment, compensation, and oversight of the nancial statements or the independent auditor’s report. work of the external auditor, and the auditor reports di- rectly to the audit committee. The Act also amended the • Signifi cant matters that were the subject of consul- composition of audit committees so that each member tation when the independent auditor is aware of of the audit committee is now independent of the com- management’s consultation with other accountants pany. Additionally, the audit committee is responsible for about auditing and accounting matters. establishing procedures for the receipt, retention, and treatment of complaints received by the company regard- • Other matters arising from the audit that the audi- ing accounting, internal accounting controls, or auditing tor believes to be signifi cant to the oversight of the matters, as well as the confi dential anonymous submis- fi nancial reporting process. sion by employees of the company of concerns regarding Discussions with the independent auditor are vital to questionable accounting or auditing matters. All of these the audit committee fulfi lling its responsibility to com- changes have resulted in a changed relationship and pany and others to oversee the integrity of a communications dynamic between these relevant parties. company’s fi nancial statements and the fi nancial report- For its part, the independent auditor is expected to ing process. An audit committee that is well-informed information regarding the scope and results of the audit about accounting and disclosure matters relevant to the that may assist the audit committee in its role of oversee- audit will be better able to carry out its responsibilities. ing the fi nancial reporting process for which management is responsible. These communications may be either writ- ten or oral and can take place at any time throughout the AUDIT OPINIONS: GOING CONCERN audit. While discussions between the independent audi- Substantial doubt about the company’s ability to continue as a “going con- tor and the audit committee frequently go beyond these cern” may warrant an explanatory paragraph. Absent information to the examples, matters the independent auditor is expected to contrary, the company’s ability to continue as a going concern is a valid discuss with the audit committee include: assumption in fi nancial reporting. Information that can signifi cantly con- tradict the going concern assumption may include the company’s inability • Signifi cant accounting policies, especially the effect to continue to meet its obligations as they become due without substantial of those policies in controversial or emerging areas disposition of assets outside the ordinary course of business, restructur- for which proper accounting treatment has yet to ing of debt, externally forced revisions of its operations, or other matters. be established. If, after considering identifi ed conditions, events and management’s plans, the independent auditor concludes that substantial doubt remains about • The process used by management to make signifi cant the entity’s ability to continue as a going concern (generally, for a period accounting estimates and how the independent audi- of at least twelve months past the balance sheet date), the audit report will tor determined that those estimates were reasonable. include an explanatory paragraph to refl ect that conclusion.

• The independent auditor’s judgment about the quality, not just the acceptability, of the company’s accounting policies.

• Diffi culties encountered in dealing with manage- ment related to the performance of the audit.

• Uncorrected misstatements and corrected material misstatements.

17 Conclusion

Both science and art, the independent audit is a wide-ranging, complex undertaking that calls upon not just technical expertise but also a skeptical mindset and the willingness to exercise professional judgment. High-quality fi nancial reporting plays an important role in promoting the integrity and reliability of the fi nancial information that is the lifeblood of our capital markets. A comprehensive, quality fi nancial reporting framework, overseen by an independent audit committee of the board, helps promote continuous improvement to the audit process that will enable audits to remain effective even in the face of a rapidly changing business environment.

18 The Center for Audit Quality and Its Vision

The Center for Audit Quality is an autonomous, public policy organization based in Washington, D.C. It is governed by a board comprised of leaders from the public company audit fi rms, the American Institute of Certifi ed Public Accountants, and three individuals independent of the profession.

The CAQ is dedicated to enhancing investor confi dence and public trust in the global capital markets by:

• Fostering high-quality performance by public company auditors.

• Convening and collaborating with other stakeholders to advance the discussion of critical issues requiring action and intervention.

• Advocating policies and standards that promote public company auditors’ objectivity, effectiveness and responsiveness to dynamic market conditions. 1155 F Street NW | Suite 450 Washington, D.C. 20004

202-609-8120 | www.TheCAQ.org