Auditing

Spring 2012

by

Jim Peters

Table of Contents CHAPTER ONE - EDUCATIONAL APPROACH OVERVIEW, STYLE SHEET, AND BUSINESS MATH OVERVIEW ...... 1-1

SUMMARY ...... 1-1 EDUCATIONAL APPROACH ...... 1-1 HOW TO STUDY TEXT MATERIALS AND CASES ...... 1-3 HOW TO STRUCTURE ANSWERS TO DISCUSSION QUESTIONS ...... 1-4 Descriptive ...... 1-4 Recommendations for action ...... 1-5 Evaluation Questions ...... 1-5 Diagnosis ...... 1-6 PROFESSIONAL WRITING AND SPEAKING ...... 1-7 BASIC BUSINESS MATHEMATICAL SKILLS ...... 1-7 CONTENT GOALS OF THIS AUDITING CLASS ...... 1-7 APPENDIX A - WRITTEN ASSIGNMENT STYLE SHEET ...... 1-8 Numeric Presentation Formats ...... 1-8 Numbers in Text ...... 1-8 Financial Statements ...... 1-8 Use of decimal points ...... 1-9 Text Style Issues...... 1-9 Document Structure ...... 1-9 Writing Style ...... 1-11 APPENDIX B - BUSINESS MATHEMATICAL APPLICATIONS ...... 1-13 Ratios, Fractions, Times, and Percentages ...... 1-13 Interpreting Ratios with Small Denominators ...... 1-13 Increasing/Decreasing Numerators and Denominators by the Same Amount ...... 1-14 Working with Negative Numbers ...... 1-14 Calculating Percentage Changes or Differences...... 1-14 Calculation of Weighted Averages ...... 1-15 APPENDIX C - UNIFORM CPA EXAMINATION CONTENT SPECIFICATIONS ...... 1-16 CHAPTER TWO - DEFINITION AND NEED FOR AUDITING ...... 2-1

SUMMARY ...... 2-1 DEFINITION OF AUDITING, ATTESTATION, AND ASSURANCE ...... 2-1 Auditing ...... 2-1 Assurance and Attestation ...... 2-3 Assurance ...... 2-3 Attestation ...... 2-3 ECONOMIC JUSTIFICATION FOR AUDITING ...... 2-4 Moral Hazard of Financial Statement Preparers ...... 2-4 Information Complexity ...... 2-5 REGULATORY ENVIRONMENT ...... 2-5 Types of Auditors ...... 2-6 Regulating CPAs ...... 2-6 Requirements for Certification ...... 2-6 Registration of Firms Auditing Public Companies ...... 2-7 Membership in the AICPA ...... 2-8 Auditing Standards ...... 2-8 Financial Reporting Standards ...... 2-8 Auditing Standards ...... 2-10 Source of Auditing Standards ...... 2-10 Generally Accepted Auditing Standards (GAAS) ...... 2-11 International Standards on Auditing ...... 2-12 AICPA Code of Professional Conduct ...... 2-13

i APPENDIX A - NEW MEXICO CPA LICENSING REQUIREMENTS ...... 2-14 APPENDIX B - GRADUATING WITH A CP-YAY ...... 2-29 APPENDIX C - EXTRACT OF KEY PROVISIONS FROM SARBANES-OXLEY ...... 2-32 CHAPTER THREE - AUDITING RISK AND THE AUDIT PROCESS ...... 3-1

SUMMARY ...... 3-1 RISK MODEL ...... 3-1 Goals of a Financial Statement Audit ...... 3-1 Structure and Use of the Audit Risk Model ...... 3-2 Audit Risk ...... 3-3 Inherent Risk ...... 3-3 Control Risk ...... 3-4 Detection Risk ...... 3-4 Risk Model Summary ...... 3-6 SUMMARY OF AUDIT STEPS ...... 3-6 Auditee Acceptance...... 3-7 Auditee Acceptance ...... 3-7 Signing the Engagement Letter ...... 3-8 Selecting the Audit Team ...... 3-9 Structure of the Core Audit Team ...... 3-9 Assess the Need for Outside Experts ...... 3-10 Planning the Audit ...... 3-11 Nature of Audit Planning ...... 3-11 Setting Materiality and Audit Risk, and Assessing Inherent Risk ...... 3-11 Assess Control System Design ...... 3-12 Tradeoff Between Direct and Indirect Testing ...... 3-12 Test Controls and Assess Control Risk ...... 3-13 Substantive Tests and Tests of Balances ...... 3-14 Completing the Audit ...... 3-14 Reporting ...... 3-15 AUDIT DOCUMENTATION ...... 3-15 Nature and Rationale for Audit Documentation ...... 3-15 Structure of Audit Documentation ...... 3-16 Examples of Audit Documentation ...... 3-18 CHAPTER FOUR - MATERIALITY DETERMINATION AND PRELIMINARY RISK ASSESSMENT ...... 4-1

SUMMARY ...... 4-1 SETTING MATERIALITY ...... 4-2 Materiality Level for the Financial Statements ...... 4-2 Tolerable Error for Each Account ...... 4-4 Using Materiality to Evaluate Audit Findings...... 4-4 SETTING AUDIT RISK ...... 4-5 ASSESSING INHERENT RISK...... 4-5 Business Risk and Management's Incentives ...... 4-6 Applying Analytical Procedures ...... 4-6 Factors that Create Management Incentives ...... 4-6 Factors that affect Management's Ability to Manipulate Financial Statements ...... 4-7 Assessing Fraud Risk ...... 4-8 Business Risk and Accounting Complexity ...... 4-9 Nature of the industry ...... 4-9 Nature of the Firm's Regulatory Environment ...... 4-10 Characteristics of the Auditee ...... 4-10 Assess the Quality of the Auditee's Information System ...... 4-11 Sources of Information ...... 4-11

ii CHAPTER FIVE - INHERENT RISK ASSESSMENT ...... 5-1

SUMMARY ...... 5-1 ASSESSING INHERENT RISK...... 5-1 General Sources of Inherent Risk ...... 5-1 External Environmental Factors ...... 5-2 Industrial Factors ...... 5-2 Regulatory Factors ...... 5-3 Economic Factors ...... 5-4 Firm-specific Factors ...... 5-4 Summary of Sources of Inherent Risk ...... 5-6 Sources of Inherent Risk in Revenue Processes ...... 5-6 Revenue Recognition ...... 5-7 Credit Terms ...... 5-7 Economic and Regulatory Factors ...... 5-7 INFORMATION SOURCES FOR INHERENT RISK ASSESSMENT ...... 5-7 Management and Other Key Personnel ...... 5-8 Third Parties ...... 5-8 Auditee Documents ...... 5-8 Trade Publications ...... 5-8 Economic Data ...... 5-9 CHAPTER SIX - REVENUE PROCESSES ...... 6-1

SUMMARY ...... 6-1 REVENUE RECOGNITION ...... 6-1 Delivery of Goods or Services ...... 6-2 Receipt of Payment ...... 6-3 Revenue Recognition for Long-term Contracts ...... 6-4 DESCRIPTION OF REVENUE AND COLLECTION PROCESSES ...... 6-4 Major Activities and Documents ...... 6-4 Take an order ...... 6-4 Approve Credit ...... 6-5 Fill Order ...... 6-5 Ship Order ...... 6-6 Bill ...... 6-6 Collect ...... 6-7 APPLICATION TO SERVICES ...... 6-7 DIAGRAM OF NORMAL SALES PROCESSES ...... 6-9 TOM'S TRAILER SALES, INC CASE DESCRIPTION ...... 6-9 Nature of the Trailer Business and Market ...... 6-10 Tom's Basic Operating Procedures ...... 6-11 Sales and Marketing ...... 6-11 Purchasing and Inventory Management ...... 6-13 General Administration ...... 6-13 Tom's Information System...... 6-14 CHAPTER SEVEN - USE OF ANALYTICAL PROCEDURES FOR INHERENT RISK ASSESSMENT ...... 7-1

SUMMARY ...... 7-1 STRUCTURE OF THIS CHAPTER ...... 7-1 TYPES OF ANALYTICAL PROCEDURES ...... 7-2 Preliminary Analytical Procedures...... 7-2 Substantive Analytical Procedures ...... 7-2 Develop an Expectation ...... 7-4 Define a Tolerable Difference ...... 7-6 Compare Expectation to Actual and Investigate ...... 7-6 Draw Conclusions ...... 7-6

iii Final Analytical Procedures ...... 7-7 PRELIMINARY ANALYTICAL PROCEDURES ...... 7-7 Common-sized Financial Statements ...... 7-8 Ratios and Comparisons ...... 7-9 Basis of Comparison ...... 7-10 Performance Evaluation ...... 7-11 OPERATING PERFORMANCE ...... 7-12 Overall Performance ...... 7-12 Price to earnings ratio ...... 7-12 Return on assets ...... 7-13 Return on owners’ equity...... 7-13 Leverage ...... 7-14 Earnings Management ...... 7-14 Profitability ...... 7-15 Gross profit percentage ...... 7-15 Profit margin ...... 7-16 Common-sized Income statement ...... 7-16 Utilization ...... 7-16 CASH MANAGEMENT ANALYSIS ...... 7-17 Cash Conversion Cycle ...... 7-17 Cash Flow Statement...... 7-18 Main Benchmarks ...... 7-19 Cash Flows from Operations ...... 7-19 Cash Flows for Investment and Depreciation ...... 7-21 Free Cash Flows ...... 7-22 Balance Between Short- and Long-term Sources ...... 7-23 FINANCIAL POSITION ...... 7-23 Short term ...... 7-24 Current and Quick Ratios ...... 7-25 Dividend yields ...... 7-26 Operating cash flows ...... 7-26 Long term ...... 7-27 Debt to equity ...... 7-27 Bond ratings ...... 7-29 ANALYSIS STRATEGIES ...... 7-29 General Approach ...... 7-29 Indicators of Strong Auditees ...... 7-30 Stability over time ...... 7-30 Proportional growth...... 7-30 Outperforming the industry ...... 7-30 Balanced Management ...... 7-31 Profit and utilization...... 7-31 Financial position and operating cash flow ...... 7-31 Leverage and financial risk ...... 7-31 Diagnosing Change ...... 7-32 Profitability ...... 7-32 Cash flows ...... 7-32 Overall Summary ...... 7-32 SUBSTANTIVE AND FINAL ANALYTICAL PROCEDURES REVISITED ...... 7-33 TABLE 1 - SUMMARY OF RATIOS ...... 7-34 TABLE 2 - GENERAL ECONOMIC DATA ...... 7-36 TABLE 3 - SAMPLE PATTERNS OF CASH FLOW BEHAVIOR ...... 7-37 FIGURE 1 - FINANCIAL ANALYSIS OVERVIEW ...... 7-38 FIGURE 2 - CASH CONVERSION CYCLE ...... 7-39 FIGURE 3 - CAUSAL STRUCTURE UNDERLYING FINANCIAL ANALYSIS ...... 7-40

iv APPENDIX A - OUTLINE OF ANALYSIS STRATEGY ...... 7-41 Overall Analysis ...... 7-41 Summary of Cash Flow Analysis ...... 7-42 APPENDIX B - ADDITIONAL RATIOS ...... 7-45 Operating Performance ...... 7-45 Return on invested capital ...... 7-45 Capital Turnover ...... 7-46 Current Turnovers ...... 7-46 Financial Position ...... 7-47 Operating cash flow to current liabilities ...... 7-47 Accounts payable turnover ...... 7-47 Days cash ...... 7-47 Long-term Debt to Capitalization ...... 7-47 Operating Cash Flow to Total Debt ...... 7-48 Times Interest Earned ...... 7-48 APPENDIX C - BOND RATING DEFINITIONS ...... 7-49 Standard and Poors ...... 7-49 Moody's ...... 7-50 CHAPTER EIGHT - EVALUATING THE DESIGN OF A CONTROL SYSTEM ...... 8-1

SUMMARY ...... 8-1 COSO FRAMEWORK ...... 8-1 ROLE OF CONTROL DESIGN EVALUATION IN THE FINANCIAL STATEMENT AUDIT ...... 8-2 THREATS OF ERROR ...... 8-3 Firm-level Threats ...... 8-3 Perceived Value...... 8-4 Awareness and Understanding ...... 8-4 Clearly Defined Lines of Authority ...... 8-4 Formal Policies and Procedures ...... 8-5 Adequate Personnel with Proper Incentives ...... 8-6 Levels of Awareness and Understanding ...... 8-6 Documentation ...... 8-6 Attributes of Control Procedures ...... 8-7 Monitoring ...... 8-7 Transaction Processing Threats ...... 8-8 Completeness ...... 8-8 Validity ...... 8-9 Accuracy ...... 8-10 Security ...... 8-10 Other Assertions in the Auditing Literature ...... 8-10 Summary of Transaction Processing Threat Types ...... 8-11 Information Transformation, Transmission, and Reporting ...... 8-11 CONTROLS THAT MITIGATE THREATS ...... 8-12 Basic Principles of Control ...... 8-12 Control Defined ...... 8-12 Management Override ...... 8-12 Classes of Control Procedures ...... 8-13 Firm-level Controls ...... 8-13 Plans, Policies, and Procedures ...... 8-13 Personnel Practices ...... 8-14 Authorization ...... 8-15 Segregation of Duties ...... 8-16 Operating Duties ...... 8-16 Electronic Data Processing Duties ...... 8-17 Cross Training and Job Rotation ...... 8-20 Monitoring of Policies and Procedures ...... 8-21 Contingency Planning ...... 8-22

v Insurance ...... 8-23 Transaction Processing Controls ...... 8-24 Data Entry Controls ...... 8-24 Processing and Output Controls ...... 8-25 Reperformance Controls ...... 8-25 Audit Trails ...... 8-25 Analytical Procedures ...... 8-26 Database Structure ...... 8-26 Error and Exception Reports ...... 8-26 Report Distribution ...... 8-27 Access and Transmission Controls ...... 8-27 MATCHING CONTROLS TO THREATS ...... 8-29 SCANDAL ...... 8-32 Contents ...... 8-32 Background ...... 8-33 Timeline of Enron's downfall ...... 8-33 Investors begin to worry ...... 8-34 The crisis begins to unravel ...... 8-34 "There is an appearance that you are hiding something" ...... 8-35 Credit rating danger ...... 8-36 Enron seeks help ...... 8-37 Other shoes drop ...... 8-39 The deal falls apart ...... 8-39 Aftermath ...... 8-40 1998 Cornell University Student research ...... 8-42 Fallout ...... 8-42 Pensions ...... 8-43 ...... 8-43 Societal and legal impacts ...... 8-44 Class action lawsuit ...... 8-44 Trials ...... 8-45 Trivia ...... 8-45 See also ...... 8-46 Further reading ...... 8-51 External links ...... 8-51 MCI INC...... 8-52 Contents ...... 8-52 History ...... 8-53 Corporate founding ...... 8-53 MCI acquisition ...... 8-53 Sprint merger ...... 8-53 Accounting scandals ...... 8-53 Bankruptcy ...... 8-54 Post-bankruptcy ...... 8-55 See also ...... 8-55 References ...... 8-56 Citations ...... 8-56 External links ...... 8-56 Third party...... 8-56 CHAPTER NINE - TESTING CONTROLS ...... 9-1

SUMMARY ...... 9-1 OVERVIEW OF TESTING PROCESS ...... 9-1 Timing of Testing ...... 9-1 Dual Tests ...... 9-2 Dual Goals of Testing ...... 9-2

vi How Controls are Tested ...... 9-3 IDENTIFYING KEY CONTROLS ...... 9-4 Identify Information Processes ...... 9-5 Determining a Control's Coverage ...... 9-6 Multiple Locations ...... 9-7 Example Company's Key Controls ...... 9-8 TESTING A CONTROL ...... 9-8 Determine the Objective and Nature of the Test ...... 9-9 Define the Population Characteristics ...... 9-9 Define the Population ...... 9-10 Determine the Sampling Unit ...... 9-10 Define an Error ...... 9-10 Determining Sample Size ...... 9-11 Desired Confidence Level ...... 9-11 Tolerable Deviation Rate ...... 9-12 Expected Population Deviation Rate ...... 9-12 Calculating Sample Size ...... 9-13 Non-statistical Applications ...... 9-14 Select Sample Items ...... 9-14 Perform Tests ...... 9-15 Calculate Results ...... 9-16 Draw Conclusions ...... 9-17 DEFINING LEVELS OF CONTROL WEAKNESS ...... 9-18 APPENDIX 1 - FUNDAMENTAL TRANSACTION CYCLES ...... 9-20 Sales and Collection or Revenue ...... 9-20 Description ...... 9-20 Major Activities and Documents ...... 9-20 Relationship to Accounting ...... 9-22 Purchases and Payment ...... 9-23 Supplies, Outside Services, and Materials ...... 9-23 Description ...... 9-23 Major Activities and Documents ...... 9-23 Personnel and Human Resource Management ...... 9-25 Description and Activities ...... 9-25 Major Documents ...... 9-25 Relationship to Accounting ...... 9-26 Production and Conversion ...... 9-26 Description and Major Activities ...... 9-26 Major Documents ...... 9-26 Relation to Accounting ...... 9-27 Administration...... 9-27 Description and Major Activities ...... 9-27 Major Documents ...... 9-28 APPENDIX 2 - EXAMPLE COMPANY PROCESS FLOW ...... 9-29 CHAPTER TEN - TESTING BALANCES ...... 10-1

SUMMARY ...... 10-1 PURPOSE OF BALANCE TESTING ...... 10-1 MONETARY UNIT SAMPLING ...... 10-2 Relationship to Attribute Sampling ...... 10-2 Key Parameters ...... 10-3 STEPS IN THE TESTING PROCESS ...... 10-5 Determine the Test Objectives ...... 10-5 Determine the Population Characteristics ...... 10-5 Define the Population ...... 10-5

vii Define the Sampling Unit ...... 10-6 Define a Misstatement ...... 10-6 Calculate the Sample Size ...... 10-6 Acceptable Risk of Incorrect Acceptance ...... 10-7 Tolerable Misstatement ...... 10-7 Expected Misstatement Rate ...... 10-7 Population Size ...... 10-8 Select Sample Items ...... 10-9 Perform the Tests ...... 10-11 Calculate Results ...... 10-12 Calculate Basic Precision ...... 10-12 Calculate the Effect of Misstatements in the Sample ...... 10-13 Compute the Upper Misstatement Bound ...... 10-14 Draw Conclusions ...... 10-19 Execute the Decision Rule ...... 10-19 Summary of MUS Assumptions ...... 10-20 Auditor's Options is Sample Results Indicate Rejection of the Account ...... 10-21 NON-STATISTICAL SAMPLING ...... 10-22 CHAPTER ELEVEN - COMPLETING THE AUDIT...... 11-1

SUMMARY ...... 11-1 OVERVIEW OF TOPICS IN THIS CHAPTER ...... 11-1 CONTINGENCIES ...... 11-1 Definition and Classification Rules ...... 11-1 Examples ...... 11-3 Audit Procedures ...... 11-3 Legal Representation Letters ...... 11-4 Management Representation Letters ...... 11-5 COMMITMENTS ...... 11-6 SUBSEQUENT EVENTS AND DISCOVERY OF FACTS ...... 11-6 Subsequent Events ...... 11-7 Subsequent Discovery of Facts ...... 11-8 Audit Procedures ...... 11-9 GOING CONCERN EVALUATION ...... 11-9 FINAL EVIDENCE EVALUATION ...... 11-10 Final Analytical Procedures ...... 11-10 Working Paper Review ...... 11-10 Evaluate Financial Statement Presentation and Disclosure ...... 11-11 Obtain Independent Review ...... 11-11 REQUIRED COMMUNICATIONS ...... 11-11 Communications to the Board of Directors ...... 11-11 Management Letter ...... 11-12 CHAPTER TWELVE - AUDIT REPORTS ...... 12-1

SUMMARY ...... 12-1 OVERVIEW OF AUDIT REPORTS ...... 12-1 STANDARD UNQUALIFIED REPORT ON FINANCIAL STATEMENTS ...... 12-2 Major Sections of Standard Report ...... 12-4 Modifications to Provide Additional Explanations ...... 12-5 Reliance on Other Auditors ...... 12-6 Going Concern Issues ...... 12-6 Agreed Upon Departures from GAAP ...... 12-7 Inconsistencies between Years ...... 12-7 Special Emphasis ...... 12-8 DEPARTURES FROM UNQUALIFIED REPORTS ON FINANCIAL STATEMENTS ...... 12-8

viii Types of Opinions ...... 12-8 Qualified Opinions ...... 12-8 Disclaimer ...... 12-10 Adverse Opinion ...... 12-10 Reasons for Qualifying Reports ...... 12-11 Scope Limitations ...... 12-11 Statements Violate GAAP ...... 12-12 Auditor is not Independent ...... 12-12 REPORTS ON INTERNAL CONTROLS ...... 12-13 Elements of the Internal Control Report ...... 12-13 Modifications to the Standard Report on the Auditee's Controls ...... 12-16 Levels of Deficiencies ...... 12-16 Modifications due to Control Deficiencies ...... 12-18 Modifications due to Scope Limits ...... 12-20 Modifications to the Standard Report on the Management's Control Assessment ...... 12-22 OTHER MODIFICATIONS TO CONTROL REPORTS ...... 12-22 APPENDIX - HOME DEPOT'S MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS ...... 12-24 CHAPTER THIRTEEN - PROFESSIONALISM IN AUDITING ...... 13-1

SUMMARY ...... 13-1 AICPA CODE OF PROFESSIONAL CONDUCT ...... 13-1 Overview of the Role of the Code in Enforcing Professional Behavior ...... 13-1 Structure of the Code ...... 13-2 Statement of Principles ...... 13-3 Rules ...... 13-3 Rule Differences with SEC and PCAOB ...... 13-5 Non-audit services ...... 13-5 Human resource issues ...... 13-6 Additional Communications ...... 13-6 OTHER QUALITY CONTROLS ...... 13-7 APPENDIX - AICPA CODE OF PROFESSIONAL CONDUCT...... 13-8

ix Chapter One - Educational Approach Overview, Style Sheet, and Business Math Overview

Summary

This course employs the Socratic method of instruction. It also employs problems and cases extensively to provide a context in which students can see how the principles on which the course is built can be applied in practice and provide students an opportunity to learn those principles through practice. Use of the Socratic Method means that the instructor leads class sessions that are collaborative group problem-solving exercises. This approach keeps students actively involved in their own learning and helps to develop better oral communication skills. I use the term "cases" very liberally and include any description of a setting in which the student needs to apply content from the text to the setting and draw conclusions. • Analyzing problems and cases primarily is an exercise in deductive reasoning where the quality of the reasoning is as important as the conclusion. Successful case analysis involves determining the real problem, decomposing the problem into manageable parts, and applying principles from the course to solve the problem.

Educational Approach

The results of current research in cognitive psychology have identified several ways to improve the efficiency and effectiveness of the educational process. This research tells us that students learn conceptual material best if:

They have clear goals to accomplish prior to being exposed to the material. An instructor provides them with a theoretical framework that provides structure to the material. They are exposed to the material in several different ways over time. The material is presented in a form that actively involves students, typically in a problem solving exercise of some type.

I have structured this course and text to take advantage of these findings. The summaries at the beginning of each chapter tell students what the goals are for the chapter. The body of each chapter presents the detailed principles and logic behind the main points listed in the summary and is designed to provide students with a structure for the material. The in-class and graded exercises challenge students to apply the principles to solve problems and make decisions.

Research in cognitive psychology has proven that the science underlying the Socratic Method is more successful in helping students retain the material from the class and has some intuitive appeal. Here are the basic premises of the Socratic Method:

1-1

1. Learning requires active involvement - People must be actively involved in their own learning process. Educational psychologists have developed a "learning triangle", which is shown below. The instructional methods at the top of the triangle are the least effective because they are the most passive for the student. As you move down the triangle, the methods become more effective because they require more active involvement by the student. Reading is more active than listening because a student can control the process by stopping and rereading unclear passages, something that may be difficult to do in a lecture environment.

5% Listening to a lecture

10% Reading the material

50% Solving a problem with the material

75% Explaining the material to someone else

2. Learning requires two-way communication - Psychologists refer to human memory as "associative." This means that all memories are stored in the brain by linking them to other memories already stored in the brain. Therefore, if the instructor wants to link new memories into a student's brain, they need to know what is already in the student's brain. Since the Socratic Method involves a dialog between the instructor and the student, the instructor can determine what the student already knows and help the student to link the new material into existing memories.

1-2 3. Learning is automatic and involves abstraction - Humans can control what they attend to, but not what they learn. They control learning indirectly by controlling their attention. In addition, memories are not stored exactly as they are experienced (e.g., like a video camera). The key information elements in an experience are abstracted and linked to an existing framework. An instructor should provide exercises that focus the student's attention on the most important elements of the material to be learned. However, they also should present the material in a variety of different contexts and settings so that students can experience what matters (i.e., things that are constant across contexts) and what doesn't, (i.e., things that change but do not affect the solution to the problem).

For example, the seat you sit in when attending a class has no meaning for the material you are trying to learn. However, if you always sit in the same seat, your brain will automatically and subconsciously association your location with the material being learned because location doesn't vary. You will be able to recall more material if you take a test in the same seat, but will recall less material outside of class (i.e., away from your seat). This effect isn't very strong, but it is detectable.

How to Study Text Materials and Cases

I recommend that students use the SQRRR approach. SQRRR stands for "skim," "question," "read," "review," and "recite." Research in educational psychology provides strong support for its effectiveness. Note that the steps involve repeated exposure to the material in difference contexts (point 3. above) and active student participation (point 1. above) like developing and responding to questions.

To apply the approach to the chapters in this text, first read the in-class assignment I have given you to help you prepare for the class that will cover the material in the chapter. Then read the summary at the beginning of each chapter as well as the Table of Contents for that chapter. This will help focus your skimming of the chapter, which you should do next. As you read the summary and skim the chapter, try to answer the questions I have given you for the class session. Also, develop a set of questions about each item in the summary. In addition to the questions I have assigned, these questions should reflect principles and concepts you do not understand as well as your curiosity about relationships between concepts and their potential application to problems you might face.

At this point, your mind will be primed to accept the new material you are about to read. You should have a general "road map" of what issues are covered and how they are structured. Now read the chapter with this road map and your questions in mind. Try to answer the questions as you go.

After you have read the chapter, review my questions and the answers you have written down, the chapter summary, and your questions. If you have not answered mine or your questions but you recall something relevant from the reading, review the material in the reading to develop an answer for those questions.

1-3 In addition, when reviewing the chapter summary, elaborate on the points presented there. You should be able to add two or three sentences of meaningful details to each point in the summary. If you cannot elaborate on a point, skim the relevant section of the reading that contains the relevant information. This exercise is a form of self-recitation that helps solidify your understanding.

Finally, review your solutions to the discussion questions that I have assigned for each class session. If the questions are based on a case that is more than a few paragraphs of material, you should use the same SQRRR approach to read the case as well. First, read the discussion questions supplied by the instructor for the case. Then skim the case to get a general idea of what information the case presents. As you read the questions and skim and then read the case, try to think about these questions at two levels. First, think about how you would approach answering the question, decompose the question into manageable parts, and identify principles from the readings that are relevant to the question. Second, sketch out a rough answer to the question by executing the strategy you developed.

At this point you should be prepared to come to class and participate in the discussion. Use the class discussion as an opportunity to test your understanding of the material and receive feedback from me and members of the class on your ideas. This process is the "recitation" phase of the SQRRR method. The greatest amount of learning comes from trying to apply new material and getting feedback on your attempt. Since people rarely produce their best results on their first effort, do not be too surprised to learn that you have missed some key points in your solution to the case.

How to Structure Answers to Discussion Questions

Discussion questions can be classified into broad categories. The following discussion lists the components of each class of questions. Some examples are included in Italics. Since I base my exams on cases and questions that are similar to discussion questions that I use in class, this section of the text will give you guidance on how to prepare for exams as well as class discussion. On exams you should strive to produce sharp, precise answers to questions that are supported by relevant evidence from the case and do not include irrelevant evidence or discussion.

Descriptive

Descriptive questions ask you to characterize something about the firm in the case in some way. What auditing standards does the American Institute of Certified Public Accountants set? A good answer would include:

1. Statement of your characterization. The Auditing Standards Board, a division of the AICPA, sets auditing standards for private companies. Thus, the AICPA indirectly sets auditing standards, but only for private companies.

1-4 2. Facts that support your characterization and how they do so. The Public Companies Account Oversight Board, created by the Sarbanes-Oxley Act of 2002, has taken over the setting of auditing standards for public companies. However, they adopted all the Auditing Standards Board's pronouncements as a starting point for developing auditing standards for public companies.

Recommendations for action

Recommendations ask you to review a situation and recommend what action they should take. Sometimes the question will include a list of alternatives, but frequently you will have to generate your own alternatives. A good answer would include:

1. Your recommendation. Your recommendation should be specific to the case, solve the problem you have identified, and take a stand. You should recommend a specific action, not a set of possible actions. The firm should institute a "blind receiving" procedure where the receiving clerks only get a copy of the purchase order that contains the items ordered but not the quantity ordered.

2. A description of the problem your recommendation is supposed to solve, if the question has not described it. Receiving clerks may not actually count the items in the shipment if they do not have to determine the amount in the shipment and can just check off a number from the purchase order.

3. Reasons that support your recommendation. That is, how your recommendation will solve the problem you have identified. By requiring receiving clerks to determine the number of units in the shipment they will have to count the items in the shipment. If they were given the number of items in the shipment and merely had to verify that number, they could check off the number without counting the items in the shipment.

4. Drawbacks to your recommendation. No recommendation is ever perfect. There are always some problems. You should identify major problems to show that you have considered them. Receiving clerks could miscount the items and the accounting clerks who reconcile the purchase order to the receiving report wouldn't catch the difference until after it was too late to recount the items in the shipment. If receiving clerks knew the amount that was supposed to be in the shipment, they could reconcile any differences between the shipment and the purchase order at the time they received the shipment.

Evaluation Questions

Evaluation questions ask you to rate a firm on some attribute or set of attributes. Evaluate the firm's internal controls over merchandise receiving. A good answer would include:

1. Your evaluation. Typically, good, bad, or in-between. The firm's internal controls over merchandise receiving are inadequate.

1-5 2. Criteria used. A statement of principles from the course that apply to your evaluation decision. The firm's internal control over merchandise receiving should be sufficient to prevent or detect completeness, validity, and accuracy errors.

3. Evidence from the case that supports your evaluation. Here you will need to include the data, why the data are relevant to your evaluation, and the basis of comparison. The firm has no controls in place that would insure all shipments that they receive are recorded in the accounting records.

4. A discussion of any counter evidence from the case using the same three components. The firm does require that receiving clerks immediately log information about all shipments the firm receives into the firm's database, but the firm does not reconcile these receiving reports to invoices received from vendors.

Diagnosis

Diagnostic questions ask you to determine the cause of some set of problems the firm is having. Why are the firm's accounts receivable overstated? Answers to diagnostic questions draw on an understanding of the causal factors that influence aspects of a firm's performance. Your answer should include:

1. A statement of the problem, if it is not included in the question. When the auditors confirmed accounts receivable with customers, they found that accounts receivable was overstated by 20%.

2. A statement of the cause. The main thing to consider is that your stated cause could actually cause the problem in the case. Included in this is some sense of magnitude. The cause you cite should be significant enough to cause (or at least be a major contributing factor to) a problem of the magnitude described in the case. The firm does not segregate cash receiving from customer billing.

3. Evidence in the case that shows the cause exists. The same accounting clerks that bill customers for credit sales also open the mail and post checks received to the cash receipts journal.

4. A decision rule or principle that shows how the cause can cause the problem. An account clerk could develop a lapping scheme where they steal a check from a customer and deposit it into an account they have set up and then apply other payments from other customers to the first customer's account. The clerk would have to continue to misapply payments on a regular basis to cover their theft.

5. A discussion of any counter evidence in the case, if any. The auditors did not find where any of the accounting clerks had set up suspicious accounts. However, the auditors would have a difficult time identifying all the accounts that all the accounting clerks had established.

1-6 Professional Writing and Speaking

Since auditors regularly have to write up their conclusions and present them to their superiors and their clients, education in financial statement analysis is not complete without reinforcement of professional writing and speaking skills. Most professional school faculty members include written assignments as part of their courses. Appendix A to this chapter covers some basic written style issues with which students frequently have problems. Since auditing usually involves presenting dollar figures in professional writing, the appendix introduces students to the proper way to present numerical data in professional writing. I require that students participate in class discussions or present cases in class to reinforce their professional speaking skills. I usually structure these discussions as cooperative group decision-making exercises that I carefully guide.

Basic Business Mathematical Skills

With the exception of statistical sampling techniques, the mathematics underlying audit is quite simple. Many students, however, have not had to use algebra, decimals, and fractions extensively before coming into the class, or at least not recently. In addition, I have found that students often do not recognize basic mathematical principles when they are presented within the context of an audit. Therefore, Appendix B of this chapter includes a short discussion of some of the principles with which students frequently have difficulty.

Content Goals of This Auditing Class

This class' primary goal is to give students an overview of how auditors execute an independent audit of a firm's financial statements and internal controls. However, students also need to understand the regulatory environment that auditors must comply with when doing independent auditing. Thus, this course also discusses the rules and regulations that constrain an independent audit of a firm's financial statements and internal controls. Finally, only certified public accountants (CPAs) can execute independent audits of a firm's financial statements and internal controls. Thus, this course also discusses the requirements for becoming a CPA in the United States. One key requirement any person must meet to become a CPA in the US is passing the Uniform CPA exam. I have included an outline of the content tested by the CPA exam in Appendix C of this chapter.

1-7 Appendix A - Written Assignment Style Sheet

The purpose of this style sheet is not to present a complete listing of all style issues, but to highlight a few recurring style problems students have had on my assignments. The sheet contains two sections - one on numeric presentation formats and one on written presentation issues. Although these issues may seem "nit-picky," readers will interpret lack of conformance to these standards as a sign of lack of professional expertise. In most professional environments, both form and content count.

Numeric Presentation Formats

Numbers in Text

Spell out small numbers in text (one through ten), but leave numbers greater than ten in numerical form. Any number over 999 should include commas to delimit the thousands (e.g., 1,000 or 1,000,000). If the numbers are dollars, they should have dollar signs.

Financial Statements

The following are some guides for presenting financial data in various types of reports. The financial data presented in this text should serve as good examples for applying these guidelines.

1. Right-justify all numbers in columns. In Microsoft Word, either use the right align or decimal tab-stops as appropriate.

2. Normally, round dollar amounts to the nearest dollar, or thousands of dollars, and present ratios to two, or at most three, decimal places. As an author, you need to use some judgment here. Too much detail is just confusing. Presentation of more than four or five significant digits usually doesn't add much to precision and leads to an unnecessarily confusing presentation.

3. Commas and decimal points should line up in columns. The most common problem here is spacing over to line up columns instead of using right-alignment tabs. Some fonts are variable-spaced fonts so each character does not take up the same space. Therefore, if you space over to align columns, they won't line up when you print it. The two solutions are to use right-align tab-stops (best solution) or a fixed space font, like Courier. If you produce your data with a spreadsheet, make sure you use the same numerical format for all numbers in a column. In Excel, the accounting format is probably best for presenting numbers.

4. When presenting a column of numbers, totals and subtotals should be preceded by a single underline as you read down the column. Totals should also be followed by a double underline.

1-8 5. Dollar signs should be included with the first item in a column and with each total in the column, but should not be included with each number.

6. Present negative numbers in parenthesis, i.e., $(1,200), not -$1,200. Excel has accounting formats that do this for you.

7. When developing spreadsheets, make sure you blank out unneeded cell values. If you copy a formula down an entire column, remove any extraneous zeros that occur when there are breaks in the numbers.

8. When using Excel, be aware that it has default headers and footers that will print on your pages. Review these and make sure they are meaningful for your report.

9. When presenting multiple year data in one financial statement, numbers in the same row can be both positive and negative (e.g., when a firm shows a profit one year and a loss the next). Typically, label these rows as follows where the first number is income and the second a loss:

Net Income/(Loss) $1,200 $( 900)

Use of decimal points

When presenting numbers with decimal points, always include a leading "0" for decimals less that one (e.g., 0.05 and not .05). Also, keep the number of decimal points you use for making a point the same. For example, if you are comparing one value that is 2.25 and one that is 3.50, display two decimal points for both numbers even though the trailing 0 in the second number isn't necessary. If you are presenting different data in different places within your write-up, you can use different numbers of decimal points as appropriate, but keep them the same within each point you are trying to make with the numbers.

Text Style Issues

Document Structure

Overall structure - I will provide you with specific guidance on the structure of class assignments. A general report, however, begins with an executive summary. This summary should include the problem being analyzed, the methods used, and the results of the analysis. It should contain a complete summary of all your major points in about two or three paragraphs. Follow the executive summary with a problem statement that states the nature of the problem your analysis addresses and includes any background that is relevant to the problem definition. Next, present your analysis followed by your conclusions. In presenting your analysis, clearly state all your assumptions and your rationale for making them. Use some judgment as to how you present any calculations in your analysis. You probably should present detailed calculations and supporting data in an appendix, figure, or table and only present an explanation of those calculations in the body of the write-up. When presenting calculations, make sure that the reader can reconstruct your numbers with the data presented somewhere in the write-up.

1-9

Provide a road map - Use headings and sub-headings to highlight the structure of your analysis and its major points. I use a rough rule of thumb that if I have written more than a page or two without a heading, I probably need one. The extent of the "road map" will vary with the length and nature of the write-up. The pattern of headings and subheadings you use may vary from the pattern used by others, as long you use them consistently. Headings and subheadings should follow a hierarchical structure and you should use the same font style for any heading or subheading at the same level of the hierarchy.

You should format your headings as heading styles within Word. This will help insure that they are consistent throughout the document. In addition, Word can generate a table of contents from heading styles. In reports that are longer than about 10 pages, a table of contents helps the reader develop an overview of the document prior to reading it in detail.

Use an issue-driven structure - Organize your points so that they are issue-driven and not data- driven. That is, decide what the major issues are in the assignment and structure your write-up around those (i.e., issue-driven). Do not present a chronological description of how you resolved the issues (i.e., data-driven). For example, if I give you a set of financial statements and asked to perform an analytical review, don't present a summary of each financial statement and ratio. Review the data, decide what the important issues are, and discuss each issue in turn, drawing supporting data from whatever source is relevant to the issue.

Number pages - Page numbers should start with the first page containing substance. Do not number the title page, if any.

Use proper page breaks - There should be at least two lines of a paragraph at the beginning or ending of each page. Most word processing programs check this for you. In Word, for example, make sure your paragraph formatting includes "windows and orphans control." If a heading precedes the paragraph, then the heading should be included as well. That is, a heading and at least two lines for the paragraph. Word allows you to format the paragraph containing the heading so that it is always kept with the following text on the same page.

Indent or double space between paragraphs - In a double-spaced document, you should indent the first line of each paragraph to insure that paragraph breaks are clear to the reader. If you are single-spacing a document, then you can either indent the paragraphs or leave a blank line between them, or do both.

Paragraph structure - Every paragraph should start with a topic sentence that states, in some way, the topic you want to cover in the paragraph. All the other sentences in the paragraph should be related to the topic sentence directly. If you find yourself straying from the topic in the topic sentence, then start a new paragraph with a new topic sentence.

In addition, paragraphs should not cover much more than about half a page double-spaced, but should contain at least two sentences. Try to avoid one-sentence paragraphs. The maximum length measure is crude, but a good guideline. If you find yourself writing a paragraph that spans

1-10 a full page or more, it is probably time to reconsider how you have structured your paragraph and topics. If each paragraph is going to be limited to a single topic and roughly one-half of a page double- spaced, then each topic must be very limited in scope. However, this limitation is a good one in that your reader will have an easier time following your logic if you can break your individual points down to this level of detail.

Writing Style

Use of "which" and "that" - A very common error most people make is using "which" when they should be using "that." "Which," when used to start a subordinate clause, always in preceded by a comma because the use of "which" signals that the subordinate clause is more indirectly linked to the main clause. For example, "The firm, which has no accounts receivables, has a lower current ratio." If the subordinate clause is related more closely to the main clause, then use "that" and do not precede it with a comma. For example, "Any firm that has no accounts receivables will inherently have a low current ratio." The issue of whether the clause is directly or indirectly linked is a judgment call. Thus, the important issue is to always precede "which" with a comma and don't precede "that" with one.

Keep it simple and direct - The type of writing style used in major news magazines and newspapers is a very good example of a simple and direct writing style. Minimize the use of passive voice. For example, use "John wrote the document" (active voice) rather than "The document was written by John" (passive voice). Use simple, direct phrasing (e.g., "The cash balance declined." not "The balance in the firm's cash account shows less cash available in the current year than in the preceding year."). Avoid technical jargon unless you define the terms. Developing a simple, concise writing style is probably the most difficult style issue for students to master. They seem to believe that complexity reflects sophistication when just the opposite is true. One trick I use is to say what I want to write aloud.

Make sure pronouns have clear referents - A pronoun refers to a noun; that's its role in life. Frequently, people (not just students) use the pronoun "it" when "it" doesn't clearly refer to a noun. For example, the "it" in "It is well established that rapidly growing firms have cash flow problems" has no clear referent. A better presentation would be "Rapidly growing firms frequently have cash flow problems."

Try to minimize personal pronouns - This point frequently goes counter to minimizing the use of passive voice in your writing. That is, writers frequently use passive voice to avoid personal pronouns. My preference is to use personal pronouns when doing so keeps the writing style active and direct. However, do not use the royal or editorial "we." If you are the sole author, use "I," not "we."

Don't use rhetorical questions - All questions in a written document are rhetorical since the reader can't answer them for you. You should stick to a declarative style.

1-11 Use professional terms - You should avoid "flowery" adjectives. For example, use "large" instead of "enormous" or "gargantuan." This does make your writing relatively plain and dry, but your purpose is to present facts, logical arguments, and conclusions, not to entertain the reader.

Spell-check and grammar-check your document - Increased technology is a mixed blessing. The good news is you have the tools available to you. The bad news is that you are expected to have used them. Microsoft Word's spellchecker automatically checks grammar as well. It will flag such things as run-on, long, and passive-voice sentences for you. In addition, you can set the grammar checker to flag whether you have one or two spaces after each sentence; whether you punctuation is inside or outside a quotation mark; and whether you use a comma after the second to the last item in a list. These last items may seem very trivial, but if you are inconsistent in the way you apply these rules, you paper will look sloppy and unprofessional to the reader. Thus, you should learn to use Word’s spelling and grammar checkers to help you clean up your writing style.

Spell out acronyms and abbreviations on first use - Professional writing can flow much more efficiently if you use acronyms or abbreviations. For example, if you are writing about the Digital Equipment Corporation, it would be easier on you and the reader if you used DEC instead. However, the first time you referred to the Digital Equipment Corporation, you should spell out the full name and put the acronym or abbreviation you intend to you in parenthesis such as "Digital Equipment Corporation (DEC)." This way the reader is clear what you mean when you use DEC later in the document. Also, be conservative and spell out even commonly used acronyms of first use such as earnings per share (EPS).

Avoid run-on sentences - The basic structure of any sentence includes a subject, verb, and object of that verb. If your sentences start to run over a couple of lines and you have a lot of “ands” in it, consider breaking the sentence into two or more sentences that have only one subject, verb, object combination and focus on a single point.

Do not split infinitives or predicates - A split infinitive is when you put an adjective or adverb between a preposition and the object of the preposition. For example, "to rapidly grow" is a split infinitive and "to grow rapidly" is not. The same holds for predicates of sentences. Do not put adverbs between verbs in the predicate. For example, "John will rapidly grow" is a split predicate while "John will grow rapidly" is not.

Quantify magnitudes - You frequently will be asked to make size observations in your write- ups (e.g., characterizing the rate of growth in a statistic as fast or slow). In most cases, you need to provide a reference to data to quantify what you mean by "fast" or "slow." For example, a fast growth rate might be 25% per year and a slow one would be 2% per year. Do not expect the reader to understand what you mean when you use adjectives and adverbs like fast or slow, or large or small and provide a brief reference to some data to quantify the magnitude of the affect to which you are referring.

1-12 Appendix B - Business Mathematical Applications

Ratios, Fractions, Times, and Percentages

A percent is a ratio expressed in units of one hundred instead of one. Therefore, the fraction 5/100 means five units of something per 100 units of that same thing. It also can be written 0.05, which is the decimal equivalent of 5/100, or 5%, which means five units per 100 units. The point is that these are alternative ways of writing the same number.

Ratios are fractions and, like all fractions, have a denominator and a numerator. The denominator is the bottom of the fraction and the numerator the top. For example, in the fraction or ratio 1/2, the numerator is 1 and the denominator is 2. Fractions also can be expressed as decimals. The decimal equivalent of 1/2 is 0.5. Percentages are decimals where the numerator of the fraction is expressed as a rate per 100, not 1. When expressed as a percentage, the fraction or ratio 1/2 would be 50%. The only difference between the decimal representation and the percentage is that the decimal point has been moved two places. Ratios can also be interpreted as "times," which means the number of times the numerator is to the denominator. In business math, times is used when the fraction is greater than 1.0 so that the interpretation is that the numerator is so many times the denominator. For example, in the fraction 2/1 would be expressed as two times, indicating that the numerator (2) is two times the size of the denominator (1). Alternatively, it could be expressed as 200% as well.

Times, decimals, and percentages can be used interchangeably in business communications and the reader is expected to know how to convert from one to the other. For example, a debt to equity ratio is usually express as times where debt (the numerator) is so many times the equity (the denominator). Therefore, a total debt to equity ratio of 2.35 means that total debt (the numerator of the fraction) is 2.35 times as large as total equity (the denominator of the fraction). However, when the debt to equity ratio falls below 1.0, it is more common to express it as a percent. For example, if the debt to equity ratio is 0.69, readers often find the number easier to understand if it express as 69% rather than 0.69 times, but the two numbers are identical.

Interpreting Ratios with Small Denominators

When a ratio or fraction's denominator is close to zero or very small compared to the numerator, the value of the ratio can vary widely with small changes in the denominator. For example, consider a price to earnings ratio (P/E) where the company is close to break-even, i.e., they are incurring small profits or losses. The formula for the P/E ratio is the market price of the stock divided by its earnings per share, where earnings per share is the firm's net income divided by the number of shares outstanding. Assume the market price for the company's stock averages around $40 per share. In the first year, the company incurs a small net loss of $(0.10) per share. The P/E ratio would be -400.0. Since the market price is based on expected future earnings, it might not fall sharply because of one year's loss. Further, assume that the stock price fell to $30 because the market was a little worried about the loss and that the company recovered a little and made a small profit the next year of $0.10 per share. The second year's P/E ratio would be a positive

1-13 300.0. These large swings in P/E ratio do not reflect equally large swings in the firm's performance, just artifacts of the fact that ratios with small denominators will vary widely in value with small changes in the value of the numerator.

Increasing/Decreasing Numerators and Denominators by the Same Amount

When the same positive number is added to the numerator and the denominator of a ratio or fraction, the value of the ratio moves towards 1.0. The opposite is true if the same number is subtracted from both the numerator and the denominator. The value of the fraction moves away from 1.0. For example, if a firm has $200 in total current assets and $100 in total current liabilities, its current ratio is 2.0, where the formula for current ratio is current assets divided by current liabilities. If that same firm got a shipment of raw materials worth $50, which was added to inventory thus increasing its total current assets by $50, and had not yet paid for the shipment, thus increasing its total current liabilities by $50, its current ratio would fall to 1.67. The amount of excess current assets it has to cover current liabilities is still $100 ($200 - $100 versus $250 minus $150), but the ratio falls towards 1.0 because the same amount has been added to the numerator and the denominator. Therefore, when companies "downsize" by selling off inventory to paid accounts payable, their current ratios tend to rise but their working capital (current assets minus current liabilities) may stay the same.

Working with Negative Numbers

In business applications, you frequently need to add and subtract negative numbers to either other negative numbers or positive numbers. For example, if in year 1 a firm loses $10,000 but in year 2 it makes $5,000, the change in income between the two years is $15,000 = $5,000 - (-$10,000). The first "-" in the equation represents subtraction, the second represents the fact that the $10,000 is already negative. I find that students who have not worked with negative numbers in a while benefit from visualizing the real number line with positive numbers to the right and negative to the left of zero, which is in the middle. In this example, there would be $5,000 to the right of the zero and another $10,000 to the left, meaning that the total distance along the number line between the two would be $15,000. Note that to do the subtraction; we need to know which number is higher in some sense. In this case, "higher" means more recent since we are calculating the change in net income from one year to the next. If we reverse the example and say the firm made $5,000 in year 1 and lost $10,000 in year 2, the difference in income would be -$15,000 = $-10,000 - $5,000. The "-" sign in this second example tells us that the income declined from year 1 to year 2. We still moved $15,000 on the number line, but went from positive to negative in this second example.

Calculating Percentage Changes or Differences

A percentage change is the difference between two numbers expressed as a percent of one of the two numbers. The most common way to calculate percentage changes in business math is year- to-year. For example, if a firm has total sales of $500 million in year 1 and $550 million in year 2, the percentage change is 10% [($550 - $500)/$500] * 100. These changes are just another

1-14 ratio or fraction and can be expressed as times or percentages, but are most commonly expressed as percentages. The formula is: New Number −Old Number PercentageChange = 100* | Old Number |

When calculating percentage changes in numbers, you need to use the absolute value of the number in the denominator, which is what the "|" in the denominator above signifies. Absolute value means the value of the number without regard for its sign, either "+" or "-." The denominator is there just to scale the magnitude of the change, not to assign direction. For example, if you are calculating the percentage change from -$5,000 (old number) to -$4,000 (new number), the answer is a positive 20%, not a negative 20%.

−−− )000,5$(000,4$ %20 = 000,5$ The interpretation is that the value became more positive (less negative) by $1,000 or 20% of the old number and, therefore, the percentage change is positive.

Calculation of Weighted Averages

Frequently you will need to calculate the average of two or more numbers where the numbers do not have the same weight in the calculations. A simple average or mean of a series of numbers is an unweighted average because each number in the average is treated equally. When the numbers are not to be treated equally, a weighted average is needed. A common application is calculating a weighted average cost of capital for a discount rate. For example, assume that a for-profit firm has an average cost of debt of 8% and an average return on equity (i.e., cost of equity) of 14%. Further assume that this firm maintains an average debt to equity ratio of 0.67 (i.e., 2/3rds), or two parts debt to three parts equity. To calculate their weighted average cost of capital, you would weight each component of the cost of capital (i.e., debt and equity) by its proportionate amount. In this case, the formula would be ((8% * 2) + (14% * 3))/5 = 11.6%, where 5 is the sum of the weighting factors.

1-15 Appendix C - Uniform CPA Examination Content Specifications1

CONTENT AND SKILL SPECIFICATIONS FOR THE UNIFORM CPA EXAMINATION

Approved by the Board of Examiners American Institute of Certified Public Accountants May 15, 2009

Reference Changes Approved on January 19, 2011

Effective Date: July 1, 2011

Examinations Team American Institute of Certified Public Accountants 100 Princeton South Suite 200 Ewing, NJ 08628

COPYRIGHT © 2011 BY AMERICAN INSTITUTE OF CERTIFIED PUBLIC ACCOUNTANTS, INC.

1 Downloaded from http://www.aicpa.org/BecomeACPA/CPAExam/ExaminationContent/ContentAndSkills/Downlo adableDocuments/CSOs-SSOs-Effective.7-1-11.pdf on 12/23/11.

1-16 CONTENT SPECIFICATION OUTLINES (CSOs)

The outline portions of the content specifications identify the extent of the technical content to be tested on each of the four sections of the Uniform CPA Examination. The outlines list the areas, groups, and topics to be tested in the following manner:

I. (Roman numeral) Area

A. (Capital letter) Group

1. (Arabic numeral) Topic

Each outline is followed by information about selected publications that candidates may study to prepare for the Uniform CPA Examination.

Weights

The percentage range following each area represents the approximate percentage of total test questions associated with the area. The ranges are designed to provide flexibility in building the examination, and the midpoints of the ranges for all areas in each section total 100%. The examination questions will be selected from each area to fall within the percentage allocation range. No percentages are given for groups or topics. The presence of several groups within an area or several topics within a group does not imply equal importance or weight will be given to these groups or topics on an examination.

Auditing and Attestation (AUD)

The Auditing and Attestation section tests knowledge and understanding of the following professional standards: Auditing standards promulgated in the United States of America (related to audits of an “Issuer” (a public company), a “Nonissuer” (an entity that is not a public company), governmental entities, not-for-profit entities, and employee benefit plans, standards related to attestation and assurance engagements, and standards for performing accounting and review services.

Candidates are expected to demonstrate an awareness of: (1) the International Auditing and Assurance Standards Board (IAASB) and its role in establishing International Standards on Auditing (ISAs), (2) the differences between ISAs and U.S. auditing standards, and (3) the audit requirements under U.S. auditing standards that apply when they perform audit procedures on a U.S. company that supports an audit report based upon the auditing standards of another country, or the ISAs.

This section also tests knowledge of professional responsibilities of certified public accountants, including ethics and independence.

Candidates are also expected to demonstrate an awareness of: (1) the International Ethics Standards Board for Accountants (IESBA) and its role in establishing requirements of the International Federation of Accountants (IFAC) Code of Ethics for Professional Accountants, and (2) the independence requirements that apply when they perform audit procedures on a U.S. company that supports an audit report based upon the auditing standards of another country, or the ISAs.

1-17

In addition to demonstrating knowledge and understanding of the professional standards, candidates are required to demonstrate the skills required to apply that knowledge in performing auditing and attestation tasks as certified public accountants. The outline below specifies the tasks and related knowledge in which candidates are required to demonstrate proficiency: Candidates are also expected to perform the following tasks:

• Demonstrate an awareness and understanding of the process by which standards and professional requirements are established for audit, attestation, and other services performed by CPAs, including the role of standard-setting bodies within the U.S. and those bodies with the authority to promulgate international standards.

• Differentiate between audits, attestation and assurance services, compilations, and reviews.

• Differentiate between the professional standards for issuers and nonissuers.

• Identify situations that might be unethical or a violation of professional standards, perform research and consultations as appropriate, and determine the appropriate action.

• Recognize potentially unethical behavior of clients and determine the impact on the services being performed.

• Demonstrate the importance of identifying and adhering to requirements, rules, and standards that are established by licensing boards within their states, and which may place additional professional requirements specific to their state of practice.

• Appropriately apply professional requirements in practice, and differentiate between unconditional requirements and presumptively mandatory requirements.

• Exercise due care in the performance of work.

• Demonstrate an appropriate level of professional skepticism in the performance of work.

• Maintain independence in mental attitude in all matters relating to the audit.

• Research relevant professional literature.

I. Auditing and Attestation: Engagement Acceptance and Understanding the Assignment (12% - 16%)

A. Determine Nature and Scope of Engagement

B. Consider the Firm’s System of Quality Control for Policies and Procedures Pertaining to Client Acceptance and Continuance, including:

1-18 1. The CPA firm’s ability to perform the engagement within reporting deadlines

2. Experience and availability of firm personnel to meet staffing and supervision requirements

3. Whether independence can be maintained

4. Integrity of client management

5. Appropriateness of the engagement’s scope to meet the client’s needs

C. Communicate with the Predecessor Auditor

D. Establish an Understanding with the Client and Document the Understanding Through an Engagement Letter or Other Written Communication with the Client

E. Consider Other Planning Matters

1. Consider using the work of other independent auditors

2. Determine the extent of the involvement of professionals possessing specialized skills

3. Consider the independence, objectivity, and competency of the internal audit function

F. Identify Matters and Prepare Documentation for Communications with Those Charged with Governance

II. Auditing and Attestation: Understanding the Entity and Its Environment (including Internal Control) (16% - 20%)

A. Determine and Document Materiality Levels for Financial Statements Taken as a Whole

B. Conduct and Document Risk Assessment Discussions Among Audit Team, Concurrently with Discussion on Susceptibility of the Entity’s Financial Statement to Material Misstatement Due to Fraud

C. Consideration of Fraud

1. Identify characteristics of fraud

2. Document required discussions regarding risk of fraud

3. Document inquiries of management about fraud

1-19 4. Identify and assess risks that may result in material misstatements due to fraud

D. Perform and Document Risk Assessment Procedures

1. Identify, conduct and document appropriate inquiries of management and others within the entity

2. Perform appropriate analytical procedures to understand the entity and identify areas of risk

3. Obtain information to support inquiries through observation and inspection (including reading corporate minutes, etc.)

E. Consider Additional Aspects of the Entity and its Environment, including: Industry, Regulatory and Other External Factors; Strategies and Business Risks; Financial Performance

F. Consider Internal Control

1. Perform procedures to assess the control environment, including consideration of the COSO framework and identifying entity-level controls

2. Obtain and document an understanding of business processes and information flows

3. Perform and document walkthroughs of transactions from inception through recording in the general ledger and presentation in financial statements

4. Determine the effect of information technology on the effectiveness of an entity’s internal control

5. Perform risk assessment procedures to evaluate the design and implementation of internal controls relevant to an audit of financial stateme nts

6. Identify key risks associated with general controls in a financial IT environment, including change management, backup/recovery, and network access (e.g. administrative rights)

7. Identify key risks associated with application functionality that supports financial transaction cycles, including: application access control (e.g. administrative access rights); controls over interfaces, integrations, and e- commerce; significant algorithms, reports, validation, edit checks, error handling, etc.

1-20 8. Assess whether the entity has designed controls to mitigate key risks associated with general controls or application functionality 9. Identify controls relevant to reliable financial reporting and the period-end financial reporting process

10. Consider limitations of internal control

11. Consider the effects of service organizations on internal control

12. Consider the risk of management override of internal controls

G. Document an Understanding of the Entity and its Environment, including Each Component of the Entity’s Internal Control, in Order to Assess Risks

H. Assess and Document the Risk of Material Misstatements

1. Identify and document financial statement assertions and formulate audit objectives including significant financial statement balances, classes of transactions, disclosures, and accounting estimates

2. Relate the identified risks to relevant assertions and consider whether the risks could result in a material misstatement to the financial statements

3. Assess and document the risk of material misstatement that relates to both financial statement level and specific assertions

4. Identify and document conditions and events that may indicate risks of material misstatement

I. Identify and Document Significant Risks that Require Special Audit Consideration

1. Risk of fraud

2. Significant recent economic, accounting, or other developments

3. Related parties and related party transactions

4. Improper revenue recognition

5. Nonroutine or complex transactions

6. Significant management estimates

7. Illegal acts

III. Auditing and Attestation: Performing Audit Procedures and Evaluating Evidence (16% - 20%)

1-21

A. Develop Overall Responses to Risks 1. Develop overall responses to risks identified and use the risks of material misstatement to drive the nature, timing, and extent of further audit procedures

2. Document significant risks identified, related controls evaluated, and overall responses to address assessed risks

3. Determine and document level(s) of tolerable misstatement

B. Perform Audit Procedures Responsive to Risks of Material Misstatement; Obtain and Document Evidence to Form a Basis for Conclusions

1. Design and perform audit procedures whose nature, timing, and extent are responsive to the assessed risk of material misstatement

2. Integrating audits: in an integrated audit of internal control over financial reporting and the financial statements, design and perform testing of controls to accomplish the objectives of both audits simultaneously

3. Design, perform, and document tests of controls to evaluate design effectiveness

4. Design, perform, and document tests of controls to evaluate operating effectiveness

5. Perform substantive procedures

6. Perform audit sampling

7. Perform analytical procedures

8. Confirm balances and/or transactions with third parties

9. Examine inventories and other assets

10. Perform other tests of details, balances, and journal entries

11. Perform computer-assisted audit techniques (CAATs), including data query, extraction, and analysis

12. Perform audit procedures on significant management estimates

13. Auditing fair value measurements and disclosures, including the use of specialists in evaluating estimates

1-22 14. Perform tests on unusual year-end transactions 15. Audits performed in accordance with International Standards on Auditing (ISAs) or auditing standards of another country: determine if differences exist and whether additional audit procedures are required

16. Evaluate contingencies

17. Obtain and evaluate lawyers’ letters

18. Review subsequent events

19. Obtaining and placing reliance on representations from management

20. Identify material weaknesses, significant deficiencies, and other control deficiencies

21. Identify matters for communication with those charged with governance

IV. Auditing and Attestation: Evaluating Audit Findings, Communications, and Reporting (16% - 20%)

A. Perform Analytical Procedures

B. Evaluate the Sufficiency and Appropriateness of Audit Evidence and Document Engagement Conclusions

C. Evaluate Whether Audit Documentation is in Accordance with Professional Standards

D. Review the Work Performed by Others to Provide Reasonable Assurance that Objectives are Achieved

E. Document the Summary of Uncorrected Misstatements and Related Conclusions

F. Evaluate Whether Financial Statements are Free of Material Misstatements

G. Consider the Entity’s Ability to Continue as a Going Concern

H. Consider Other Information in Documents Containing Audited Financial Statements (e.g. Supplemental Information and Management’s Discussion and Analysis)

I. Retain Audit Documentation as Required by Standards and Regulations

J. Prepare Communications

1. Reports on audited financial statements

1-23

2. Reports required by government auditing standards

3. Reports on compliance with laws and regulations 4. Reports on internal control

5. Reports on the processing of transactions by service organizations

6. Reports on agreed-upon procedures

7. Reports on financial forecasts and projections

8. Reports on pro forma financial information

9. Special reports

10. Reissue reports

11. Communicate internal control related matters identified in the audit

12. Communications with those charged with governance

13. Subsequent discovery of facts existing at the date of the auditor’s report

14. Consideration after the report date of omitted procedures

V. Accounting and Review Services Engagements (12% - 16%)

A. Plan the Engagement

1. Determine nature and scope of engagement

2. Decide whether to accept or continue the client and engagement including determining the appropriateness of the engagement to meet the client’s needs and consideration of independence standards

3. Establish an understanding with the client and document the understanding through an engagement letter or other written communication with the client

4. Consider change in engagement

5. Determine if reports are to be used by third parties

B. Obtain and Document Evidence to Form a Basis for Conclusions

1. Obtain an understanding of the client’s operations, business, and industry

1-24 2. Obtain knowledge of accounting principles and practices in the industry and the client 3. Obtain knowledge of stated qualifications of accounting personnel

4. Perform analytical procedures for review services

5. Obtain representations from management for review services

6. Perform other engagement procedures

7. Consider departures from generally accepted accounting principles (GAAP) or other comprehensive basis of accounting (OCBOA)

8. Prepare documentation from evidence gathered

9. Retain documentation as required by standards

10. Review the work performed to provide reasonable assurance that objectives are achieved

C. Prepare Communications

1. Reports on compiled financial statements

2. Reports on reviewed financial statements

3. Restricted use of reports

4. Communicating to management and others

5. Subsequent discovery of facts existing at the date of the report

6. Consider degree of responsibility for supplementary information

VI. Professional Responsibilities (16% - 20%)

A. Ethics and Independence

1. Code of Professional Conduct (AICPA)

2. Public Company Accounting Oversight Board (PCAOB)

3. U. S. Securities and Exchange Commission (SEC)

4. Government Accountability Office (GAO)

5. Department of Labor (DOL)

1-25

6. Sarbanes-Oxley Act of 2002, Title II

7. Sarbanes-Oxley Act of 2002, Title III, Section 303

8. Code of Ethics for Professional Accountants (IFAC)

B. Other Professional Responsibilities

1. Sarbanes-Oxley Act of 2002, Title IV

2. Sarbanes-Oxley Act of 2002, Title I

References – Auditing and Attestation

• AICPA Statements on Auditing Standards and Interpretations

• AICPA Codification of Statements on Auditing Standards, AU Appendix B, Analysis of International Standards on Auditing

• Public Company Accounting Oversight Board (PCAOB) Standards (SEC-Approved) and Related Rules, PCAOB Staff Questions and Answers, and PCAOB Staff Audit Practice Alerts

• U.S. Government Accountability Office Government Auditing Standards

• Single Audit Act, as amended

• Office of Management and Budget (OMB) Circular A-133

• AICPA Statements on Quality Control Standards

• AICPA Statements on Standards for Accounting and Review Services and Interpretations

• AICPA Statements on Standards for Attestation Engagements and Interpretations

• AICPA Audit and Accounting Guides

• AICPA Auditing Practice Releases

• AICPA Code of Professional Conduct

• IFAC Code of Ethics for Professional Accountants

• Sarbanes-Oxley Act of 2002

1-26

• Department of Labor Guidelines and Interpretive Bulletins re: Auditor Independence

• SEC Independence Rules

• Employee Retirement Income Security Act of 1974

• The Committee of Sponsoring Organizations of the Treadway Commission (COSO): Internal Control – Integrated Framework

• Current textbooks on auditing, attestation services, ethics, and independence

• International Auditing Standards (ISAs) Financial Accounting and Reporting (FAR)

The Financial Accounting and Reporting section tests knowledge and understanding of the financial reporting framework used by business enterprises, not-for-profit organizations, and governmental entities. The financial reporting frameworks that are included in this section are those issued by the standard-setters identified in the references to these CSOs, which include standards issued by the Financial Accounting Standards Board, the International Accounting Standards Board, the U.S. Securities and Exchange Commission, and the Governmental Accounting Standards Board.

In addition to demonstrating knowledge and understanding of accounting principles, candidates are required to demonstrate the skills required to apply that knowledge in performing financial reporting and other tasks as certified public accountants. To demonstrate such knowledge and skills, candidates will be expected to perform the following tasks:

• Identify and understand the differences between financial statements prepared on the basis of accounting principles generally accepted in the United States of America (U.S. GAAP) and International Financial Reporting Standards (IFRS).

• Prepare and/or review source documents including account classification, and enter data into subsidiary and general ledgers.

• Calculate amounts for financial statement components.

• Reconcile the general ledger to the subsidiary ledgers or underlying account details.

• Prepare account reconciliation and related schedules; analyze accounts for unusual fluctuations and make necessary adjustments.

• Prepare consolidating and eliminating entries for the period.

• Identify financial accounting and reporting methods and select those that are appropriate.

1-27

• Prepare consolidated financial statements, including balance sheets, income statements, and statements of retained earnings, equity, comprehensive income, and cash flows.

• Prepare appropriate notes to the financial statements.

• Analyze financial statements including analysis of accounts, variances, trends, and ratios.

• Exercise judgment in the application of accounting principles.

• Apply judgment to evaluate assumptions and methods underlying estimates, including fair value measures of financial statement components.

• Produce required financial statement filings in order to meet regulatory or reporting requirements (e.g. Form 10-Q, 10-K, Annual Report). • Determine appropriate accounting treatment for new or unusual transactions and evaluate the economic substance of transactions in making the determinations.

• Research relevant professional literature.

The outline below specifies the knowledge in which candidates are required to demonstrate proficiency:

I. Conceptual Framework, Standards, Standard Setting, and Presentation of Financial Statements (17% - 23%)

A. Process by which Accounting Standards are Set and Roles of Accounting Standard- Setting Bodies

1. U. S. Securities and Exchange Commission (SEC)

2. Financial Accounting Standards Board (FASB)

3. International Accounting Standards Board (IASB)

4. Governmental Accounting Standards Board (GASB)

B. Conceptual Framework

1. Financial reporting by business entities

2. Financial reporting by not-for-profit (nongovernmental) entities

3. Financial reporting by state and local governmental entities

C. Financial Reporting, Presentation and Disclosures in General-Purpose Financial

1-28 Statements

1. Balance sheet

2. Income statement

3. Statement of comprehensive income

4. Statement of changes in equity

5. Statement of cash flows

6. Notes to financial statements

7. Consolidated and combined financial statements

8. First-time adoption of IFRS D. SEC Reporting Requirements (e.g. Form 10-Q, 10-K)

E. Other Financial Statement Presentations, including Other Comprehensive Bases of Accounting (OCBOA)

1. Cash basis

2. Modified cash basis

3. Income tax basis

4. Personal financial statements

5. Financial statements of employee benefit plans/trusts

II. Financial Statement Accounts: Recognition, Measurement, Valuation, Calculation, Presentation, and Disclosures (27% - 33%)

A. Cash and Cash Equivalents

B. Receivables

C. Inventory

D. Property, Plant, and Equipment

E. Investments

1. Financial assets at fair value through profit or loss

1-29 2. Available for sale financial assets

3. Held-to-maturity investments

4. Joint ventures

5. Equity method investments (investments in associates)

6. Investment property

F. Intangible Assets – Goodwill and Other

G. Payables and Accrued Liabilities

H. Deferred Revenue

I. Long-Term Debt (Financial Liabilities) 1. Notes payable

2. Bonds payable

3. Debt with conversion features and other options

4. Modifications and extinguishments

5. Troubled debt restructurings by debtors

6. Debt covenant compliance

J. Equity

K. Revenue Recognition

L. Costs and Expenses

M. Compensation and Benefits

1. Compensated absences

2. Deferred compensation arrangements

3. Nonretirement postemployment benefits

4. Retirement benefits

5. Stock compensation (share-based payments)

1-30 N. Income Taxes

III. Specific Transactions, Events and Disclosures: Recognition, Measurement, Valuation, Calculation, Presentation, and Disclosures (27% - 33%)

A. Accounting Changes and Error Corrections

B. Asset Retirement and Environmental Obligations

C. Business Combinations

D. Consolidation (including Off-Balance Sheet Transactions, Variable-Interest Entities and Noncontrolling Interests)

E. Contingencies, Commitments, and Guarantees (Provisions)

F. Earnings Per Share

G. Exit or Disposal Activities and Discontinued Operations

H. Extraordinary and Unusual Items

I. Fair Value Measurements, Disclosures, and Reporting

J. Derivatives and Hedge Accounting

K. Foreign Currency Transactions and Translation

L. Impairment

M. Interim Financial Reporting

N. Leases

O. Distinguishing Liabilities from Equity

P. Nonmonetary Transactions (Barter Transactions)

Q. Related Parties and Related Party Transactions

R. Research and Development Costs

S. Risks and Uncertainties

T. Segment Reporting

U. Software Costs

1-31

V. Subsequent Events

W. Transfers and Servicing of Financial Assets and Derecognition

IV. Governmental Accounting and Reporting (8% - 12%)

A. Governmental Accounting Concepts

1. Measurement focus and basis of accounting

2. Fund accounting concepts and applications

3. Budgetary accounting

B. Format and Content of Comprehensive Annual Financial Report (CAFR)

1. Government-wide financial statements

2. Governmental funds financial statements 3. Proprietary funds financial statements

4. Fiduciary funds financial statements

5. Notes to financial statements

6. Management’s discussion and analysis

7. Required supplementary information (RSI) other than Management’s Discussion and Analysis

8. Combining statements and individual fund statements and schedules

9. Deriving government-wide financial statements and reconciliation requirements

C. Financial Reporting Entity, Including Blended and Discrete Component Units

D. Typical Items and Specific Types of Transactions and Events: Recognition, Measurement, Valuation, Calculation, and Presentation in Governmental Entity F inancial Statements

1. Net assets and components thereof

2. Fund balances and components thereof

3. Capital assets and infrastructure assets

1-32

4. General long-term liabilities

5. Interfund activity, including transfers

6. Nonexchange revenue transactions

7. Expenditures

8. Special items

9. Encumbrances

E. Accounting and Reporting for Governmental Not-for-Profit Organizations

V. Not-for-Profit (Nongovernmental) Accounting and Reporting (8% - 12%)

A. Financial Statements

1. Statement of financial position

2. Statement of activities 3. Statement of cash flows

4. Statement of functional expenses

B. Typical Items and Specific Types of Transactions and Events: Recognition, Measurement, Valuation, Calculation, and Presentation in Financial Statements of Not -for-Profit Organizations

1. Support, revenues, and contributions

2. Types of restrictions on resources

3. Types of net assets

4. Expenses, including depreciation and functional expenses

5. Investments References – Financial Accounting and Reporting

• Financial Accounting Standards Board (FASB) Accounting Standards Codification

• Governmental Accounting Standards Board (GASB) Codification of Governmental Accounting and Financial Reporting Standards

1-33 • Standards Issued by the U. S. Securities and Exchange Commission (SEC): o Regulation S-X of the Code of Federal Regulations (17 CFR Part 210) o Financial Reporting Releases (FRR)/Accounting Series Releases (ASR) o Interpretive Releases (IR) o SEC Staff Guidance in Staff Accounting Bulletins (SAB) o SEC Staff Guidance in EITF Topic D and SEC Staff Observer Comments o Regulation S-K of the Code of Federal Regulations

• International Accounting Standards Board (IASB) International Financial Reporting Standards (IFRS), International Accounting Standards (IAS), and Interpretations

• AICPA Auditing and Accounting Guides

• Codification of Statements on Auditing Standards

o AU Section 623, Special Reports

• Current textbooks on accounting for business enterprises, not-for-profit organizations, and governmental entities

• FASB Concept Statements

• GASB Concept Statements

• IFRS Framework Regulation (REG)

The Regulation section tests knowledge and understanding of ethics, professional and legal responsibilities, business law, and federal taxation.

Ethics, Professional and Legal Responsibilities and Business Law These topics test knowledge and understanding of professional and legal responsibilities of certified public accountants. Professional ethics questions relate to tax practice issues and are based on the AICPA Code of Professional Conduct, Treasury Department Circular 230, and rules and regulations for tax return preparers. Business law topics test knowledge and understanding of the legal implications of business transactions, particularly as they relate to accounting, auditing, and financial reporting. This section deals with federal and widely adopted uniform state laws or references identified in this CSO.

In addition to demonstrating knowledge and understanding of these topics, candidates are required to demonstrate the skills required to apply that knowledge in performing their responsibilities as certified public accountants. To demonstrate such knowledge and skills, candidates will be expected to perform the following tasks:

1-34 • Identify situations that might be unethical or a violation of professional standards, perform research and consultations as appropriate, and determine the appropriate action.

• Recognize potentially unethical behavior of clients and determine the impact on the tax services being performed.

• Demonstrate the importance of identifying and adhering to requirements, rules, and standards that are established by licensing boards within their state, and which may place additional professional requirements specific to their state of practice.

• Apply business law concepts in evaluating the economic substance of client transactions, including purchase agreements, loans and promissory notes, sales contracts, leases, side agreements, commitments, contingencies, and assumption of liabilities.

• Evaluate the legal structure of an entity to determine the implications of applicable laws and regulations on how a business is organized, governed, and operates.

Federal Taxation These topics test knowledge and understanding of concepts and laws relating to federal taxation (income, gift, and estate). The areas of testing include federal tax process, procedures, accounting, and planning, as well as federal taxation of property transactions, individuals, and entities (which include sole proprietorships, partnerships, limited liability entities, C corporations, S corporations, joint ventures, trusts, estates, and tax-exempt organizations).

In addition to demonstrating knowledge and understanding of these topics, candidates are required to demonstrate the skills required to apply that knowledge in providing tax preparation and advisory services and performing other responsibilities as certified public accountants. To demonstrate such knowledge and skills, candidates will be expected to perform the following tasks: • Evaluate the tax implications of different legal structures for business entities.

• Apply analytical reasoning tools to assess how taxes affect economic decisions related to the timing of income/expense recognition and property transactions.

• Consider the impact of multijurisdictional tax issues on federal taxes.

• Identify the differences between tax and financial accounting.

• Analyze information and identify data relevant for tax purposes.

• Identify issues, elections, and alternative tax treatments.

• Research issues and alternative tax treatments.

• Formulate conclusions.

1-35 • Prepare documentation to support conclusions and tax positions.

• Research relevant professional literature.

The outline below specifies the knowledge in which candidates are required to demonstrate proficiency:

I. Ethics, Professional, and Legal Responsibilities (15% -19%)

A. Ethics and Responsibilities in Tax Practice

1. Treasury Department Circular 230

2. AICPA Statements on Standards for Tax Services

3. Internal Revenue Code of 1986, as amended, and Regulations related to tax return preparers

B. Licensing and Disciplinary Systems

1. Role of state boards of accountancy

2. Requirements of regulatory agencies

C. Legal Duties and Responsibilities

1. Common law duties and liability to clients and third parties

2. Federal statutory liability

3. Privileged communications, confidentiality, and privacy acts II. Business Law (17% - 21%)

A. Agency

1. Formation and termination

2. Authority of agents and principals

3. Duties and liabilities of agents and principals

B. Contracts

1. Formation

2. Performance

1-36 3. Third party assignments

4. Discharge, breach, and remedies

C. Uniform Commercial Code

1. Sales contracts

2. Negotiable instruments

3. Secured transactions

4. Documents of title and title transfer

D. Debtor-Creditor Relationships

1. Rights, duties, and liabilities of debtors, creditors, and guarantors

2. Bankruptcy and insolvency

E. Government Regulation of Business

1. Federal securities regulation

2. Other federal laws and regulations (antitrust, copyright, patents, money- laundering, labor, employment, and ERISA)

F. Business Structure (Selection of a Business Entity)

1. Advantages, disadvantages, implications, and constraints

2. Formation, operation, and termination 3. Financial structure, capitalization, profit and loss allocation, and distributions

4. Rights, duties, legal obligations, and authority of owners and management

III. Federal Tax Process, Procedures, Accounting, and Planning (11% - 15%)

A. Federal Tax Legislative Process

B. Federal Tax Procedures

1. Due dates and related extensions of time

2. Internal Revenue Service (IRS) audit and appeals process

3. Judicial process

1-37

4. Required disclosure of tax return positions

5. Substantiation requirements

6. Penalties

7. Statute of limitations

C. Accounting Periods

D. Accounting Methods

1. Recognition of revenues and expenses under cash, accrual, or other permitted methods

2. Inventory valuation methods, including uniform capitalization rules

3. Accounting for long-term contracts

4. Installment sales

E. Tax Return Elections, Including Federal Status Elections, Alternative Treatment Elections, or Other Types of Elections Applicable to an Individual or Entity’s Tax Reu t rn

F. Tax Planning

1. Alternative treatments

2. Projections of tax consequences

3. Implications of different business entities

4. Impact of proposed tax audit adjustments

5. Impact of estimated tax payment rules on planning

6. Role of taxes in decision-making

G. Impact of Multijurisdictional Tax Issues on Federal Taxation (Including Consideration of Local, State, and Multinational Tax Issues)

H. Tax Research and Communication

1. Authoritative hierarchy

1-38 2. Communications with or on behalf of clients

IV. Federal Taxation of Property Transactions (12% - 16%)

A. Types of Assets

B. Basis and Holding Periods of Assets

C. Cost Recovery (Depreciation, Depletion, and Amortization)

D. Taxable and Nontaxable Sales and Exchanges

E. Amount and Character of Gains and Losses, and Netting Process

F. Related Party Transactions

G. Estate and Gift Taxation

1. Transfers subject to the gift tax

2. Annual exclusion and gift tax deductions

3. Determination of taxable estate

4. Marital deduction

5. Unified credit

V. Federal Taxation of Individuals (13% - 19%)

A. Gross Income

1. Inclusions and exclusions

2. Characterization of income B. Reporting of Items from Pass-Through Entities

C. Adjustments and Deductions to Arrive at Taxable Income

D. Passive Activity Losses

E. Loss Limitations

F. Taxation of Retirement Plan Benefits

G. Filing Status and Exemptions

1-39 H. Tax Computations and Credits

I. Alternative Minimum Tax

VI. Federal Taxation of Entities (18% - 24%)

A. Similarities and Distinctions in Tax Treatment Among Business Entities

1. Formation

2. Operation

3. Distributions

4. Liquidation

B. Differences Between Tax and Financial Accounting

1. Reconciliation of book income to taxable income

2. Disclosures under Schedule M-3

C. C Corporations

1. Determination of taxable income/loss

2. Tax computations and credits, including alternative minimum tax

3. Net operating losses

4. Entity/owner transactions, including contributions and distributions

5. Earnings and profits

6. Consolidated returns D. S Corporations

1. Eligibility and election

2. Determination of ordinary income/loss and separately stated items

3. Basis of shareholder’s interest

4. Entity/owner transactions, including contributions and distributions

5. Built-in gains tax

1-40 E. Partnerships

1. Determination of ordinary income/loss and separately stated items

2. Basis of partner’s/member’s interest and basis of assets contributed to the partnership

3. Partnership and partner elections

4. Transactions between a partner and the partnership

5. Treatment of partnership liabilities

6. Distribution of partnership assets

7. Ownership changes and liquidation and termination of partnership

F. Trusts and Estates

1. Types of trusts

2. Income and deductions

3. Determination of beneficiary’s share of taxable income

G. Tax-Exempt Organizations

1. Types of organizations

2. Obtaining and maintaining tax-exempt status

3. Unrelated business income References – Regulation

Ethics, Professional and Legal Responsibilities, and Business Law

• AICPA Statements on Standards for Tax Services

• Revised Model Business Corporation Act

• Revised Uniform Limited Partnership Act

• Revised Uniform Partnership Act

• Securities Act of 1933

• Securities Exchange Act of 1934

1-41

• Sarbanes-Oxley Act of 2002

• Uniform Commercial Code

• Current textbooks covering business law, auditing, accounting, and ethics

Federal Taxation

• Internal Revenue Code of 1986, as amended, and Regulations

• Treasury Department Circular 230

• Other administrative pronouncements

• Case law

• Public Law 86-272

• Uniform Division of Income for Tax Purposes Act (UDITPA)

• Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010

• Current Federal tax textbooks Business Environment and Concepts (BEC)

The Business Environment and Concepts section tests knowledge and skills necessary to demonstrate an understanding of the general business environment and business concepts. The topics in this section include knowledge of corporate governance; economic concepts essential to understanding the global business environment and its impact on an entity’s business strategy; and financial risk management; financial management processes; information systems and communications; strategic planning; and operations management.

In addition to demonstrating knowledge and understanding of these topics, candidates are required to apply that knowledge in performing audit, attest, financial reporting, tax preparation, and other professional responsibilities as certified public accountants. To demonstrate such knowledge and skills, candidates will be expected to perform the following tasks:

• Demonstrate an understanding of globalization on the business environment

• Distinguish between appropriate and inappropriate governance structures within an organization (e.g. tone at the top, policies, steering committees, strategies, oversight, etc.).

• Assess the impact of business cycles on an entity’s industry or business operations.

1-42

• Apply knowledge of changes in the global economic markets in identifying the impact on an entity in determining its business strategy and financial management policies, including managing the risks of: inflation, deflation, commodity costs, credit defaults, interest rate variations, currency fluctuation, and regulation.

• Assess the factors influencing a company’s capital structure, including risk, leverage, cost of capital, growth rate, profitability, asset structure, and loan covenants.

• Evaluate assumptions used in financial valuations to determine their reasonableness (e.g. investment return assumptions, discount rates, etc.).

• Determine the business reasons for and explain the underlying economic substance of transactions and their accounting implications.

• Identify the information systems within a business that are used to process and accumulate transactional data, as well as provide monitoring and financial reporting information.

• Distinguish between appropriate and inappropriate internal control systems, including system design, controls over data, transaction flow, wireless technology, and internet transmissions.

• Evaluate whether there is appropriate segregation of duties, levels of authorization, and data security in an organization to maintain an appropriate internal control structure.

• Obtain and document information about an organization’s strategic planning processes to identify key components of the business strategy and market risks. • Develop a time-phased project plan showing required activities, task dependencies, and required resources to achieve a specific deliverable.

• Identify the business and operational risks inherent in an entity’s disaster recovery/business continuity plan.

• Evaluate business operations and quality control initiatives to understand its use of best practices and the ways to measure and manage performance and costs.

The outline below specifies the knowledge in which candidates are required to demonstrate proficiency:

I. Corporate Governance (16% - 20%)

A. Rights, Duties, Responsibilities, and Authority of the Board of Directors, Officers, and Other Employees

1. Financial reporting

1-43 2. Internal control (including COSO or similar framework)

3. Enterprise risk management (including COSO or similar framework)

B. Control Environment

1. Tone at the top – establishing control environment

2. Monitoring control effectiveness

3. Change control process

II. Economic Concepts and Analysis (16% - 20%)

A. Changes in Economic and Business Cycles – Economic Measures/Indicators

B. Globalization and Local Economies

1. Impacts of globalization on companies

2. Shifts in economic balance of power (e.g. capital) to/from developed from/to emerging markets

C. Market Influences on Business Strategies

D. Financial Risk Management

1. Market, interest rate, currency, liquidity, credit, price, and other risks 2. Means for mitigating/controlling financial risks

III. Financial Management (19% - 23%)

A. Financial Modeling, Projections, and Analysis

1. Forecasting and trends

2. Financial and risk analysis

3. Impact of inflation/deflation

B. Financial Decisions

1. Debt, equity, leasing

2. Asset and investment management

C. Capital Management, including Working Capital

1-44

1. Capital structure

2. Short-term and long-term financing

3. Asset effectiveness and/or efficiency

D. Financial Valuations (e.g. Fair Value)

1. Methods for calculating valuations

2. Evaluating assumptions used in valuations

E. Financial Transaction Processes and Controls

IV. Information Systems and Communications (15% - 19%)

A. Organizational Needs Assessment

1. Data capture

2. Processing

3. Reporting

4. Role of information technology in business strategy

B. Systems Design and Other Elements 1.s Bu iness process design (integrated systems, automated, and manual interfaces)

2. Information Technology (IT) control objectives

3. Role of technology systems in control monitoring

4. Operational effectiveness

5. Segregation of duties

6. Policies

C. Security

1. Technologies and security management features

2. Policies

1-45 D. Internet – Implications for Business

1. Electronic commerce

2. Opportunities for business process reengineering

3. Roles of internet evolution on business operations and organization cultures

E. Types of Information System and Technology Risks

F. Disaster Recovery and Business Continuity

V. Strategic Planning (10% – 14%)

A. Market and Risk Analysis

B. Strategy Development, Implementation, and Monitoring

C. Planning Techniques

1. Budget and analysis

2. Forecasting and projection

3. Coordinating information from various sources for integrated planning

VI. Operations Management (12% - 16%)

A. Performance Management and Impact of Measures on Behavior 1. Financial and nonfinancial measures

2. Impact of marketing practices on performance

3. Incentive compensation

B. Cost Measurement Methods and Techniques

C. Process Management

1. Approaches, techniques, measures, and benefits to process-management- driven businesses

2. Roles of shared services, outsourcing, and off-shore operations, and their implications on business risks and controls

3. Selecting and implementing improvement initiatives

1-46 4. Business process reengineering

5. Management philosophies and techniques for performance improvement such as Just in Time (JIT), Quality, Lean, Demand Flow, Theory of Constraints, and Six Sigma

D. Project Management

1. Project planning, implementation, and monitoring

2. Roles of project managers, project members, and oversight or steering groups

3. Project risks, including resource, scope, cost, and deliverables

References – Business Environment and Concepts

• The Committee of Sponsoring Organizations of the Treadway Commission (COSO):

o Internal Control – Integrated Framework

o Enterprise Risk Management

• Sarbanes-Oxley Act of 2002:

o Title III, Corporate Responsibility

o Title IV, Enhanced Financial Disclosures

o Title VIII, Corporate and Criminal Fraud Accountability

• Current Business Periodicals

• Current Textbooks on:

o Accounting Information Systems

o Budgeting and Measurement

o Corporate Governance

o Economics

o Enterprise Risk Management

o Finance

1-47 o Management

o Management Information Systems

o Managerial Accounting o Production Operations o Project Management

• International Standards for the Professional Practice of Internal Auditing

• COBIT (The Control Objectives for Information and related Technology)

SKILL SPECIFICATION OUTLINES (SSOs)

The Skill Specification Outlines (SSOs) identify the skills to be tested on the Uniform CPA Examination. There are three categories of skills, and the weightings will be implemented through the use of different question formats in the exam. For each of the question formats, a different set of tools will be available as resources to the candidates, who will need to use those tools to demonstrate proficiency in the applicable skills categories.

Weights

The percentage range assigned to each skill category will be used to determine the quantity of each type of question, as described below. The percentage range assigned to each skill category represents the approximate percentage to which that category of skills will be used in the different sections of the CPA Examination to assess proficiency. The ranges are designed to provide flexibility in building the examination, and the midpoints of the ranges for each section total 100%. No percentages are given for the bulleted descriptions included in these definitions. The presence of several groups within an area or several topics within a group does not imply equal importance or weight will be given to these bullets on an examination.

Skills Category Weights Weights (FAR, REG, AUD) (BEC) Knowledge and Understanding 50% - 60% 80% - 90% Application of the Body of Knowledge 40% - 50% - Written Communication - 10% - 20%

Knowledge and Understanding: Multiple-choice questions will be used as the proxy for assessing knowledge and understanding, and will be based upon the content topics as outlined in the CSOs. Candidates will not have access to the authoritative literature, spreadsheets, or database tools while answering these questions. A calculator will be accessible for the candidates to use in performing calculations to demonstrate their understanding of the principles or subject matter.

Application of the Body of Knowledge: Task-based simulations will be used as the proxy for assessing application of the body of knowledge and will be based upon the content topics as outlined in the CSOs. Candidates will have access to the authoritative literature, a calculator, spreadsheets, and other resources and tools which they will use to demonstrate proficiency in applying the body of knowledge.

1-48 Written Communication will be assessed through the use of responses to essay questions, which will be based upon the content topics as outlined in the CSOs. Candidates will have access to a word processor, which includes a spell check feature.

Outlines

The outlines below provide additional descriptions of the skills that are represented in each category.

Knowledge and Understanding: Expertise and skills developed through learning processes, recall, and reading comprehension. Knowledge is acquired through experience or education and is the theoretical or practical understanding of a subject; knowledge is also represented through awareness or familiarity with information gained by experience of a fact or situation. Understanding represents a higher level than simple knowledge and is the process of using concepts to deal adequately with given situations, facts, or circumstances. Understanding is the ability to recognize and comprehend the mea ning of a particular concept.

Application of the Body of Knowledge, including Analysis, Judgment, Synthesis, Evaluation, and Research: Higher-level cognitive skills that require individuals to act or transform knowledge in some fashion. These skills are inextricably intertwined and thus are grouped into this single skill area.

• Assess the Business Environment:

o Business Process Evaluation: Assessing and integrating information regarding a business’s operational structure, functions, processes, and procedures to develop a broad operational perspective; identify the need for new systems or changes to existing systems and/or processes.

o Contextual Evaluation: Assessing and integrating information regarding client’s type of business or industry.

o Strategic Analysis – Understanding the Business: Obtaining, assessing and integrating information on the entity’s strategic objectives, strategic management process, business environment, the nature of and value to customers, its products and services, extent of competition within its market space, etc.).

o Business Risk Assessment: Obtaining, assessing and integrating information on conditions and events that could impede the entity’s ability to achieve strategic objectives.

o Visualize abstract descriptions: Organize and process symbols, pictures, graphs, objects, and other information.

• Research:

o Identify the appropriate research question.

1-49

o Identify key search terms for use in performing electronic searches through large volumes of data.

o Search through large volumes of electronic data to find required information.

o Organize information or data from multiple sources. o Integrate diverse sources of information to reach conclusions or make decisions.

o Identify the appropriate authoritative guidance in applicable financial reporting frameworks and auditing standards for the accounting issue being evaluated.

• Application of Technology:

o Using electronic spreadsheets to perform calculations, financial analysis, or other functions to analyze data.

o Integration of technological applications and resources into work processes.

o Using a variety of computer software and hardware systems to structure, utilize, and manage data.

• Analysis:

o Review information to determine compliance with specified standards or criteria.

o Use expectations, empirical data, and analytical methods to determine trends and variances.

o Perform appropriate calculations on financial and nonfinancial data.

o Recognize patterns of activity when reviewing large amounts of data or recognize breaks in patterns.

o Interpretation of financial statement data for a given evaluation purpose.

o Forecasting future financial statement data from historical financial statement data and other information.

o Integrating primary financial statements: using data from all primary financial statements to uncover financial transactions, inconsistencies, or other information.

• Complex Problem Solving and Judgment:

1-50 o Develop and understand goals, objectives, and strategies for dealing with potential issues, obstacles, or opportunities.

o Analyze patterns of information and contextual factors to identify potential problems and their implications.

o Devise and implement a plan of action appropriate for a given problem.

o Apply professional skepticism, which is an attitude that includes a questioning mind and a critical assessment of information or evidence obtained. o Adapt strategies or planned actions in response to changing circumstances.

o Identify and solve unstructured problems.

o Develop reasonable hypotheses to answer a question or resolve a problem.

o Formulate and examine alternative solutions in terms of their relative strengths and weaknesses, level of risk, and appropriateness for a given situation.

o Develop creative ways of thinking about situations, problems, and opportunities to create insightful and sound solutions.

o Develop logical conclusions through the use of inductive and deductive reasoning.

o Apply knowledge of professional standards and laws, as well as legal, ethical, and regulatory issues.

o Assess the need for consultations with other professionals when gray areas, or areas requiring specialized knowledge, are encountered.

• Decision Making:

o Specify goals and constraints.

o Generate alternatives.

o Consider risks.

o Evaluate and select the best alternative.

• Organization, Efficiency, and Effectiveness:

o Use time effectively and efficiently.

o Develop detailed work plans, schedule tasks and meetings, and delegate assignments and tasks.

1-51

o Set priorities by determining the relevant urgency or importance of tasks and deciding the order in which they should be performed.

o File and store information so that it can be found easily and used effectively.

Written Communication: The various skills involved in preparing written communication, including:

• Basic writing mechanics, such as grammar, spelling, word usage, punctuation, and sentence structure. • Effective business writing principles, including organization, clarity, and conciseness.

• Exchange technical information and ideas with coworkers and other professionals to meet goals of job assignment.

• Documentation:

o Prepare documents and presentations that are concise, accurate, and supportive of the subject matter.

o Document and cross-reference work performed and conclusions reached in a complete and accurate manner.

• Assist client to recognize and understand implications of critical business issues by providing recommendations and informed opinions.

• Persuade others to take recommended courses of action.

• Follow directions.

1-52 Chapter Two - Definition and Need for Auditing

Summary

This chapter will provide you with a broad overview of auditing and the environment in which auditors perform audits. The focus is on the audit of publicly available financial statements. After completing this chapter, you should be able to:

Define auditing and differentiate it from other assurance services provided by CPAs; Describe why audits are so important in modern economies; Describe, in general terms, the requirements for becoming a CPA and being able to perform audits of financial statements; Describe, in general terms, the organizations, and their interrelationships, that regulate the practice of auditing and setting of financial reporting standards in the US and around the world.; and Describe the structure and content of generally accepted auditing standards.

Definition of Auditing, Attestation, and Assurance

Auditing

I want to begin our exploration of auditing by defining auditing.

"Auditing is the accumulation and evaluation of evidence about information to determine and report on the degree of correspondence between the information and established criteria. Auditing should be done by competent, independent people."2

As with most concepts in auditing, this definition includes terms that auditors use rather precisely and that auditing students need to learn. Throughout this text, however, I will attempt to put these concepts in more common terms as well to assist you in understanding the core idea behind the concept.

In simpler terms, auditing is verifying the accuracy of information. However, to determine whether information is accurate, the auditor needs a definition of accuracy. That is, for the specific information the auditor is auditing, what makes it accurate? This is what the phrase "correspondence between the information and established criteria" means in the above definition. To be accurate, the information must measure up to some established criteria.

2 Arens, A. A., Randal J. E., and M. S. Beasley (2008). Auditing and Assurance Services. Twelfth Edition. Pearson Prentice Hall.

2-1

The bulk of this course will teach you how to perform an audit of a firm's public financial statements. By "public" I mean financial statements that are filed with the Securities and Exchange Commission or distributed to the firm's shareholders. For financial statements to be accurate, they must be prepared according to generally accepted accounting principles (GAAP). Thus, for financial statement audits, the "established criteria" are GAAP.

However, the auditor can't just make a summary conclusion that the information being audited meets the established criteria (i.e., is accurate). (S)he needs to be able to support that conclusion with evidence. Thus, the definition of auditing includes the accumulation and evaluation of evidence to support the auditor's conclusion about the information (s)he is auditing. Since, depending on the complexity of the information the auditor is auditing and the complexity of the criteria (s)he is applying to the information, the audit needs to have a substantial technical background (i.e., be competent).

Finally, the auditor should not have an incentive to bias his/her conclusions about the accuracy of the information. To insure that the auditor isn't biased, (s)he should not be able to benefit if his/her conclusions are biased in anyway. That is, they need to be independent of the outcome of their conclusions.

The last concept in the definition of auditing is the report. For their conclusions to mean anything, they auditor needs to communicate them to someone. Generally, the auditor is hired by someone to produce an audit report on the accuracy of information. In the typical financial statement audit, the auditor is hired by a firm to verify the accuracy of the firm's financial statements.

At this point, a "red flag" should have gone off in your mind. If the auditor is supposed to be independent and not biased because they don't benefit from how their report comes out, how can they be independent of the firm that hired them to produce a report on the accuracy of the firm's financial statements (i.e., the auditor is auditing the hand that feeds them)? If the firm is paying for the audit, wouldn't the auditor be biased toward producing a report that the firm wants and not an unbiased one? The audit environment, as we shall see later in this chapter, is full of mechanisms to encourage the auditor to be non-biased even in light of the fact that they are "auditing the hand that feeds them."

To summarize, an audit is a process of gathering and evaluating evidence by a competent, independent person to report on the accuracy of some information. In the financial statement audit, the information being audited is the firm's financial statements, including footnotes. The basis for determining whether the financial statements are accurate is GAAP.

Based on the current laws regarding audits of financial statements, the auditor actually issues three reports: a report on the financial statements themselves, a report on the firm management's assessment of the firm's internal controls; and a report on the firm's internal controls themselves. We will be discussing auditor reporting in detail in Chapter 12. After we cover that chapter, you will understand the components of the three audit reports and how the differ from each other.

2-2 Assurance and Attestation

Certified public accountants (CPAs) perform nearly all audits of public financial statements in the US. In fact, state laws require that a person be a licensed CPA to perform audits of public financial statements. You need to keep in mind that CPA firms are for-profit organizations and exist to maximize the profits of their owners, who are the partners in the CPA firm. Over the years, CPAs have attempted to develop other products based on the same core idea as the audit to expand their product line and increase revenues. They call these products assurance services. Assurance services include audits as well as other attestation services.

Frankly, I have never been clear in my own mind how these new services differ from an audit, but the terms are used in the profession and appear on the CPA exam. Thus, I need to try to explain how the CPA profession uses them. The terms were defined by the American Institute of Certified Public Accountants (AICPA) Special Committee on Assurance Services.

Assurance

The Special Committee on Assurance Services defines assurance services as:

"... independent professional services that improve the quality of information, or its context, for decision makers."3

While there are a rich variety of ways that in independent professional can improve the quality of information for decision-making, the vast majority of ways that CPAs do this is by verifying the accuracy of the information.

Attestation

Let me start by describing how the terms "audit," "attest," and "assurance" are related. "Audit" is the most specific and usually refers to issuing a reporting whether financial statements meet GAAP. Attest is the next most specific and includes audits as well as services that provide reports on things other than financial statements. The AICPA's definition of attest services is:

"This section applies to engagements ... in which a certified public accountant in the practice of public accounting (hereinafter referred to as a practitioner) is engaged to issue or does issue an examination, a review, or an agreed-upon procedures report on subject matter, or an assertion about the subject matter (hereafter referred to as the assertion), that is the responsibility of another party."4

3 Messier, W.F. Jr., S.M. Glover, and D.F. Prawitt (2008). Auditing & Assurance Services. 5th Edition. McGraw-Hill, page 13. 4 AICPA (2007A). https://www.aicpa.org/download/members/div/auditstd/AT-00101.PDF. Downloaded 12/16/2007. You can find the AICPA's publications that define terms and cover other auditing issues through a variety of sources. In this text, I am going to use the AICPA's website as my source of technical information because it is publicly available.

2-3

There is very little difference between this definition and the definition of an audit. However, in practice, the term "audit" tends to be limited to financial statements and "attest" can apply to other types of information. This definition does specify that the person gathering and evaluating the evidence is a CPA, which the audit definition does not. However, as I mentioned above, CPAs do nearly all audits of public financial statements. The attestation definition also includes the issuing of a report by the CPA, which is similar to the definition of an audit.

The "examination, review, or agreed upon procedures" mentioned in the attest definition looks a lot like gathering and evaluating evidence to me. I just find the audit definition to be more general. The attest definition also includes mention of an assertion by another party. This is exactly what financial statements are. They are a series of assertions by the management of the firm issuing the financial statements that the financial statements meet GAAP.

Thus, while the words are different, the idea is the same. Attesting means gathering and evaluating evidence about information and reporting your conclusions. While the attest definition doesn't mention how the person providing the attest services (i.e., attester) determines what to report, it implies that the attester evaluates the assertion based on some criteria of accuracy otherwise there would be nothing to report.

To sum up, the core concepts behind audit, attest, and assure is a competent, independent person verifying the accuracy of information provided by one party for other parties through a report on the accuracy of the information. While the public accounting community distinguishes between these concepts, I believe the differences are more for creating service marketing opportunities than for defining fundamentally different services. However, the AICPA has developed different standards for audits and for other attest services. The problem is that the attest standards are very similar to, and built around, audit standards. Frankly, I believe the main reason for the use of these different terms is that the term "audit" has become associated with the audit of financial statements and nothing else. Thus, the AICPA needed additional terms that they could apply to services that provided audit-like assurances over things other than financial statements.

Economic Justification for Auditing

Moral Hazard of Financial Statement Preparers

Now let's turn to why audits exist for public financial statements. The reason is simple. A firm's management produces public financial statements, which investors and potential investors use to determine how well management is running the firm and to decide on investing in the firm. This creates a moral hazard problem. That is, the main source of information on which investors are evaluating management's running of the firm is management themselves. Obviously, management has an incentive to manipulate the financial statements so that they present the impression that management is doing a good job running the firm. Since management has the sole access to the information that is summarized in the financial statements, investors have no way of knowing how accurate those financial statements are. Enter the independent, competent

2-4 auditor and their report on the accuracy of the financial statements. Auditors provide an independent report (i.e., they have no incentive to manipulate the financial statements) and they are competent to produce that report (i.e., they can use GAAP to determine if the financial statements are accurate). Because they are independent and competent, investors can trust auditors to make sure that management hasn't manipulated the financial statements and that they are accurate.

Information Complexity

Independence helps insure that the auditor will not bias their report in any way. However, competence is equally important because of the complexity of the information included in a set of financial statements and their footnotes. If you have ever looked at the codification of GAAP, you will find that it is thousands of pages long and includes highly technical information about the nature of a rich variety of different types of transactions in which a firm engages. All you need to do is review the outline of topics covered by the uniform CPA exam I included as an appendix to Chapter 1 to begin to understand how complex financial statements can be and why auditors need to be highly trained in technical issues. Without this extensive training, the auditor could not provide a credible report that a set of financial statements meets GAAP.

Regulatory Environment

Because audits are so important to our society and because firms hire their own auditors, thus undermining the auditor's independence, societies have created regulations that specify how auditors should perform audits and who can be an auditor. This regulatory environment consists of private, non-profit regulatory bodies that set some standards and monitor auditor's performance as well as governmental regulatory bodies that do the same.

Until the Sarbanes-Oxley act was passed in 2002, governmental bodies only regulated who could be a CPA and how governmental audits needed to be executed. Governmental bodies did not set auditing standards for public, non-governmental financial statements. The Government Accountability Office (GAO) sets auditing standards for all governments in the US, except the Federal Government. The GAO is a branch of the US Congress. Sarbanes-Oxley changed that by also transferring the authority to set auditing standards for publicly traded firms to the Public Companies Accounting Oversight Board (PCAOB), which is a Federal executive agency under the supervision of the SEC. This chapter refers to provisions of the Sarbanes-Oxley Act in several places where it applies to the regulatory environment of auditing. Appendix C - Summary of the Sarbanes-Oxley Act provides an overview of the major provisions of the act.

This section breaks the regulatory environment into two halves: regulations concerning who can be an auditor and regulations concerning how audits need to be performed. In all cases, I am talking about audits of public financial statements where "public" means financial statements that are distributed outside the firm that produced them.

2-5 Types of Auditors

There are two basic types of auditors: internal and external. This course will cover the activities on external auditors only. These auditors work in audit firms and sell their audit services to businesses, governments, and non-profit organizations. That is, they are independent of the organizations they audit. Internal auditors are employees of the firm that produces the financial statements. Thus, internal auditors cannot be independent of the firm since they are employees of the firm.

Firms have internal audit departments because the firm's management also needs accurate information with which to manage the firm. There also is a moral hazard problem within the firm in that top-level managers use information produced by lower-level managers to judge the performance of the lower-level managers. One role of internal auditors is to provide non-biased information to top management about the activities of subordinate managers. However, internal auditors cannot provide a report on the accuracy of the financial statements to outside parties because they are not independent of the firm.

Regulating CPAs

In the US, states pass laws that regulated who can perform external audits (i.e., who can be a CPA). There is no national law that regulates who can perform audits. However, all states require that you be a CPA if you are going to do external audits. Thus, any discussion about regulating auditors that produce external audits of financial statements centers on what it takes to be a CPA.

Requirements for Certification

Before a person can perform an external audit, they must be licensed to practice as a CPA in the state in which the auditee (i.e., firm being audited) is based. The requirements for becoming a CPA are set by the states in the US. Thus, if you want to be a CPA, you first need to determine the state in which you want to practice and then review that state's laws. However, most states have very similar requirements. I have included New Mexico's requirements as implemented in state law in the Appendix to this chapter. In nearly all states, a State Board of Accountancy, which is a state agency, administers the laws.

The common themes that run through all state's requirements include that CPAs:

Have a formal education in auditing and accounting - Most states require that CPA candidates have a bachelor's degree and 150 credit hours of college education, undergraduate or graduate, to sit for the CPA exam.5 The degree does not have to be in accounting, but most states specify a minimum number of credit hours that candidates must take in accounting. Since most colleges grant bachelor's degrees to students with around

5 New Mexico just changed its law to allow candidates to sit for the CPA exam if they have completed a bachelor's degree and have 30 hours of accounting. They cannot practice as a CPA until they have their 150 credit hours, but they can sit for the exam now.

2-6 120 credit hours, the 150 credit hour rule implies students have a fifth year of education. While many students get those extra 30 credit hours in master’s programs, many just take additional undergraduate classes to meet the 150-hour requirement. Pass the Uniform CPA exam - The CPA exam is as its name implies - uniform. The exam is developed and administered by the AICPA and is standard in all states. What varies from state to state is how long you have to pass the exam and how many sections you need to take at once. Currently, the exam is computerized and administered nine months of the year. Most people who take the exam take more than one try to pass its sections. Less than 15% of people who take the exam pass it on their first try. In New Mexico last year, only 8% of people taking the exam passed all of it. Most states allow people to retain credit for passing one or more sections of the exam while they attempt to pass the rest of the test. However, all states set limits on the amount of time that can pass from when you pass your first section until when you have to pass all the sections. If you don't pass the remaining sections in time, you have to start over. Have some auditing experience - Nearly all, but not all, states require that you have some auditing experience before you can be certified as a CPA. This is the area where states vary the most. A few require little or no experience while others require up to six years of experience. Some states require the experience before you can sit for the CPA exam and others just require the experience before you can be certified and licensed to practice as a CPA. Be of high moral character - Again, the requirements to prove high moral character differ from state to state. However, nearly all states prohibit someone who has been convicted of a felony from practicing as a CPA. Thus, one major requirement to prove moral character is to have a clean criminal record. Many states also require letters of recommendation from CPAs licensed to practice in the state and many require that the CPA candidate pass a separate ethics exam as well as passing the CPA exam itself. Maintain their education - The above requirements are necessary to obtain a CPA certificate and license to practice. However, nearly all states also required that CPAs take around 40 contact hours of continuing education each year to maintain their license to practice. Also, if a CPA is convicted of a felony, most states would revoke his/her license to practice.

Registration of Firms Auditing Public Companies

There now is one additional requirement for CPAs to audit publicly traded firms (i.e., firms that sell stock to the public on exchanges like the New York Stock Exchange). Sarbanes-Oxley established the PCAOB to regulate the auditing of public companies in the US. I will talk more about the PCAOB below. The role that is relevant to our discussion of regulating CPAs is that any CPA who wants to audit a public company must register with the PCAOB. Thus, the PCAOB also provides some regulation as to who can audit publicly traded firms. The PCAOB is not involved in licensing CPAs but they set some additional requirements that CPAs must meet if they want to audit public companies.

2-7 Membership in the AICPA

While the AICPA is a voluntary professional association of CPAs, it still has some regulatory power over CPAs. No state that I know of requires a CPA to be a member of the AICPA to practice. However, membership in the AICPA carries a lot of weight with potential audit clients. To join the AICPA, you must be a CPA and have a license to practice in a state. The AICPA has several programs that help CPAs to do their jobs. For example, the have continuing education programs, reference libraries, and sell professional publications. The AICPA also has some regulatory powers in that they require peer reviews of larger firms and have developed a code of conduct for CPAs. The only enforcement power the AICPA has is to expel a CPA for violations. While expulsion doesn't carry with it any direct consequences (e.g., loss of your CPA license), it can be very damaging to a CPA's reputation and ability to attract clients.

Finally, the Auditing Standards Board (ASB), which is overseen by the AICPA, used to set all auditing standards in the US before the creation of the PCAOB. Now the PCAOB sets auditing standards for public company audits and the ASB sets auditing standards for non-public companies. I will discuss this more in the next section.

Auditing Standards

In this section, I will cover the existing standards for conducting a financial statement audit and the organizations that set those standards in the US. Then I will briefly cover the international regulatory environment.

Financial Reporting Standards

Since the criteria auditors use to determine if financial statements are accurate is GAAP, I am going to start with who sets GAAP. Two main bodies in the US, one private and one governmental, set financial reporting standards for publicly traded firms. The formal legal authority to set financial reporting standards for publicly traded companies rests with the Securities and Exchange Commission (SEC). Congress created it with the 1934 Securities Exchange Act in response to the stock market crash of 1929 and the Great Depression that followed. The SEC's original responsibilities were to enforce the 1933 Securities Act, but it has taken on additional responsibilities over the years. The SEC is an independent agency of the Federal government whose five commissioners are appointed by the President and confirmed by the Senate. At most three members of the Commission can come from one political party, thus keeping it bi-partisan.

However, at the time the SEC was formed there was no body, public or private, designated to set accounting standards. In 1939, at the urging of the SEC, the AICPA established the Committee on Accounting Procedure (CAP) to deal with financial reporting issues. However, the CAP was reactionary in that it responded to problems as they arose and did not develop an overall framework for accounting standards. Thus, in 1959, the AICPA established the Accounting Principles Board (APB) that took over the responsibilities of the CAP and attempted to develop a more comprehensive framework of standards.

2-8 In 1973, at the urging of the SEC, a group of professional associations with interest in accounting issues joined together to form a private, non-profit organization strictly dedicated to setting accounting standards. The main motivation was to increase the standard-setting body's credibility by taking it out from under the AICPA and putting it under an organization of several professional associations. Those associations represented not only the CPA community, in the form of the AICPA, but also the academic accounting community, financial executives, financial analysts, securities traders, and the general public. The association was the Financial Accounting Foundation (FAF), which is an umbrella organization that oversees the Financial Accounting Standard Board (FASB) and the Governmental Accounting Standards Board (GASB).

The GASB sets accounting standards for state and local governments in the US and I will not discuss it in this text. If you are interested, there is one additional accounting standard setting body in the US, the Financial Accounting Standards Advisory Board (FASAB). The FASAB is a joint effort of the US Treasury Department, the Government Accountability Office (GAO), and the Office of Management and Budget of the US federal government. It sets financial accounting standards for the US federal government only.

The FASB is the key organization in that it sets GAAP for for-profit organizations, which is the core focus of this text. Like the AICPA and its boards and committees, the FASB has no direct enforcement authority. The SEC enforces GAAP but has delegated most financial accounting standard setting to the FASB. Thus, the SEC enforces GAAP but the FASB sets GAAP. There are some exceptions in that the SEC also has some accounting standards it has established in addition to the standards set by the FASB, but they are not extensive in scope.

My discussion thus far has focused on the SEC and accounting standards for publicly traded firms. There is no enforcement mechanism that forces private firms (i.e., those who do not sell stock to the public) to follow GAAP. However, private firms frequently need to obtain bank loans or solicit outside investment other than by selling stock on the open market. When they go to banks or investors for funds, the vast majority of these banks and investors insist on GAAP financial statements as a basis for making a loan or investment. Thus, de facto, private companies must use GAAP as well.

Finally, everything I just discussed above is about to change. The SEC has mandated that all US public firms switch to international GAAP, formally know as International Financial Reporting Standards (IFRS), by 2014. However, the AICPA has announced that the CPA exam may start testing IFRS along side US GAAP beginning in January 2010 and some large international firms may switch to IFRS as early as 2009. The details of the transition are still being negotiated. Since IFRS are set by the International Accounting Standards Board (IASB), which is a non-profit body based on , switching to IFRS may eliminate the FASB altogether. At a minimum, it would reduce the FASB to setting standards for non-public for-profit firms and non-profit organizations in the U.S.

2-9 Auditing Standards

Source of Auditing Standards

Until Sarbanes-Oxley was passed in 2002, the Auditing Standards Board (ASB) of the AICPA set generally accepted auditing standards (GAAS). As we will discuss later in this course, GAAS, and the related Statements of Auditing Standards (SAS), are the rules that govern how external auditors perform an audit of a firm's financial statements. The Sarbanes-Oxley act transferred the responsibility for setting auditing standards for public companies to the Public Companies Accounting Oversight Board (PCAOB).6 The ASB still sets auditing standards for non-public for-profit firms and non-profit organizations.

The PCAOB is a private, non-profit organization7, but it has substantial enforcement powers and the SEC appoints all of its five members. Therefore, I prefer to think of the PCAOB as a federal government agency since that is what it really acts like. The main regulatory powers of the PCAOB as established by Sarbanes-Oxley are to:

register public accounting firms that prepare audit reports for publicly traded firms; set auditing, quality control, ethics, independence, and other standards relating to the preparation of audit reports by publicly traded firms; conduct inspections of registered public accounting firms; and conduct investigations and disciplinary proceedings concerning CPA firms and their employees registered to audit public companies and impose appropriate sanctions where justified.

This isn't a complete list, but these are the most important powers. Refer to Appendix C for a more complete list.

The PCAOB did not start setting auditing standards from scratch, but, instead, adopted in their entirety, the auditing standards set by the ASB over the years. However, it has promulgated some new standards (they call them rules) since its inception and will have the responsibility for setting all new standards for public companies from now on.

6 The PCAOB is sometimes called "Peek-a-boo." 7 The non-profit status of the PCAOB was the basis of a court challenge that a US Appeals Court recently resolved. The plaintiffs contended that delegating enforcement powers by the SEC to the PCAOB was unconstitutional because of its non-profit status. However, the Appeals Court held that the SEC retains substantial oversight of the PCAOB and, therefore, the PCAOB is acting under the SEC's enforcement authority. (M. Cohn, "How Would the Supreme Court Rule on the PCAOB?", http://www.webcpa.com/article.cfm?articleid=28982&pg=ros, downloaded 12/3/08.) Currently, the case has been appealed to the US Supreme Court and so the validity of Sarbane-Oxley may yet be overturned.

2-10 The ASB still exists and sets auditing standards. However, any new standards that the ASB sets only apply to private companies and non-profit organizations, not public companies. Thus, there could be a divergence in auditing standards between public and private companies in the future.

Generally Accepted Auditing Standards (GAAS)

When the PCAOB came into existence, the ASB had established a rich set of auditing standards that, as I pointed out above, are still in force. These standards consume well over 1,000 pages and are very detailed and extensive. Given the volume and complexity of auditing standards, I can't cover all of them in this text. I am going to provide you with a broad road map of how those standards are structured here and then refer to them in more detail as I proceed to walk you through the audit process in the balance of this text.

At top level of auditing standards are 10 generally accepted auditing standards (GAAS) that include:

General Standards  The audit is to be performed by a person or persons having adequate technical training and proficiency as an auditor.  In all matters relating to the audit, independence in mental attitude is to be maintained by the auditor or auditors.  Due professional care is to be exercised in the planning and performance of the audit and the preparation of the report. Standards of Field Work  The auditor must adequately plan the work and must properly supervise any assistants.  The auditor must obtain a sufficient understanding of the entity and its environment, including its internal controls, to assess the risk of material misstatement8 of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures.  The auditor must obtain sufficient appropriate audit evidence by performing audit procedures to afford a reasonable basis for an opinion regarding the financial statements under audit. Standards of Reporting  The report shall state whether the financial statements are presented in accordance with GAAP.  The report shall identify those circumstances in which such principles have not been consistently observed in the current period in relation to the preceding period.

8 I will define the term "material misstatement" later. It is an auditor's way of saying significant error.

2-11  Informative disclosures9 in the financial statements are to be regarded as reasonably adequate unless otherwise stated in the report.  The report shall either contain an expression of opinion regarding the financial statements, taken as a whole, or an assertion to the effect that an opinion cannot be expressed. When an overall opinion cannot be expressed, the reasons therefore should be stated. In all cases where an auditor's name is associated with financial statements, the report should contain a clear-cut indication of the character of the auditor's work, if any, and the degree of responsibility the auditor is taking.

Let me briefly relate these standards to the definition of auditing. The general standards address the competency and independence of the auditor. The fieldwork standards address the way the auditor gathers evidence as to whether the financial statements being audited meet GAAP. The reporting standards address how the auditor structures his/her report on whether the financial statements meet GAAP or not.

As you can see, GAAS doesn't take up over 1,000 pages. However, when reading the 10 standards, you probably realized that they are very general principles and need to be expanded and explained to be enforceable. Over the years, the ASB expanded on the 10 GAAS standards with Statements on Auditing Standards (SAS). These SAS take up over 1,000 pages. The ASB organized SAS around the 10 GAAS. However, the ASB issues SAS sequentially as topics come up. Thus, the AICPA publishes SAS in two forms: one by SAS number as they were issued and a codification that is structured around GAAS. That is, the SAS is reorganized by topic.

International Standards on Auditing

International Standards on Auditing (ISA) are issued by International Federation of Accountants (IFA). I am not going to go into them in any detail because they are quite similar to US standards. However, international standards have become more important with the globalization of the world economy. The percentage of publicly traded firms that do business in more than one country is quite high, and the number of firms that sell their stock in multiple stock markets around the world is growing. Firms that want to sell their stock on foreign exchanges need to produce auditing financial statements that meet IFRS and are auditing using ISA.

Because firms that do business globally do not want to have to address multiple accounting and auditing standards, the SEC, AICPA, and other US organizations are working activity with the IASB ), which sets international accounting standards, and the IFA to standardize accounting and auditing standards throughout the world. However, as you might expect, national pride and politics makes such an effort difficult, particularly for the US. The US has dominated the world economy since the end of World War II and will find it difficult, politically, to alter its accounting and auditing standards to conform to the rest of the world.

9 "Informative disclosures" mean the footnotes and certain information in any management discussion that accompanies the financial statements.

2-12 AICPA Code of Professional Conduct

One final regulatory constraint on auditors' activities is the AICPA's Code of Professional Conduct. The AICPA has sent standards of behavior for its members in an effort to maintain professionalism in public accounting. I will cover these standards in more detail at the end of this class. However, I mention them here to illustrate how they fit into the broader regulatory environment of auditing.

While the AICPA has no enforcement authority over anyone other than its members, its Code of Professional Conduct still has a significant impact on the accounting profession. The AICPA is the most prestigious professional association for accountants in the US. Thus, CPAs tend to join the AICPA to enhance their credentials with their clients. If they lose their membership in the AICPA because of violations of the Code of Professional Conduct, it could seriously damage their reputations and ability to attract clients. In addition, courts frequently refer to the Code when adjudicating cases involving CPAs. Thus, any CPA who violates the code can find themselves is trouble.

While the Code has several provisions that focus on auditing, its provisions also cover other activities in which CPAs engage. It even covers general deportment and professionalism by prohibiting acts that would discredit to the accounting profession and it does so for all activities in which a CPA engages to include things like volunteer activities and even public behavior.

2-13 Appendix A - New Mexico CPA Licensing Requirements

TITLE 16 OCCUPATIONAL AND PROFESSIONAL LICENSING CHAPTER 60 CERTIFIED PUBLIC ACCOUNTANTS PART 3 LICENSURE AND CONTINUING PROFESSIONAL EDUCATION REQUIREMENTS 16.60.3.1 ISSUING AGENCY: State of New Mexico Public Accountancy Board [16.60.3.1 NMAC - Rp 16 NMAC 60.4.1 & 16 NMAC 60.6.1, 02-14-2002]

16.60.3.2 SCOPE: General public: Individuals seeking to become certified public accountants (CPAs) CPAs and registered public accountants (RPAs) seeking to maintain their New Mexico certificate/license status through continuing professional education (CPE). [16.60.3.2 NMAC - Rp 16 NMAC 60.4.2 & 16 NMAC 60.6.2, 02-14-2002]

16.60.3.3 STATUTORY AUTHORITY: 1999 Public Accountancy Act, Sections 61-28B-1 to 61-28B-29 NMSA 1978 [16.60.3.3 NMAC - Rp 16 NMAC 60.4.3 & 16 NMAC 60.6.3, 02-14- 2002]

16.60.3.4 DURATION: Permanent. [16.60.3.4 NMAC - Rp 16 NMAC 60.4.4 & 16 NMAC 60.6.4, 02-14-2002]

16.60.3.5 EFFECTIVE DATE: February 14, 2002, unless a later date is cited at the end of a section. [16.60.3.5 NMAC - Rp 16 NMAC 60.4.5 & 16 NMAC 60.6.5, 02-14-2002]

16.60.3.6 OBJECTIVE: Protect the public interest by implementing provisions of the 1999 Public Accountancy Act (act) which provide for initial application issuance and renewal of CPA and RPA certificates/licenses; reinstatement of expired, cancelled, suspended or revoked CPA/RPA certificates; application and issuance of CPA certificates through interstate and international reciprocity; establishment of intent to practice privilege under substantial equivalency; maintenance of professional competency through continuing professional education (CPE) of CPA and RPA certificate/license holders; and change of status application procedures between active/inactive or retired status. [16.60.3.6 NMAC - Rp 16 NMAC 60.4.6 & 16 NMAC 60.6.6, 02-14-2002]

16.60.3.7 DEFINITIONS: [RESERVED] [16.60.3.7 NMAC - Rp 16 NMAC 60.4.7 & 16 NMAC 60.6.7, 02-14-2002]

16.60.3.8 APPLICATION REQUIREMENTS: All certificate/license applications and renewals shall be made on and meet all information requirements contained in board prescribed forms. Applications will not be considered complete and filed with the board until all required information and board prescribed fees have been received. [16.60.3.8 NMAC - Rp. 16 NMAC 60.4.8.1, 02-14-2002]

16.60.3.9 INITIAL CERTIFICATE/LICENSE REQUIREMENTS:

A. An applicant for initial certification/licensure shall demonstrate to the board's satisfaction that he:

2-14 (1) is of good moral character and lacks a history of dishonest or felonious acts;

(2) meets the education, experience and examination requirements of the board; and

(3) passes the American institute of certified public accountants ethics examination with a score of 90 percent or higher.

B. Moral character requirements: The board may assess moral character requirements based upon applicant-provided character references and background checks to determine an applicant's history of dishonest or felonious acts.

C. Education and examination requirements: Education and examination requirements are specified in the Act, Section 61-28B7 and Section 61-28B8 (After July 1, 2004) and are further delineated in Part 2 of board rules. An applicant who has passed the uniform CPA examination prior to July 1, 2004, is exempt from the 150 semester-hour requirement.

D. Experience required: Applicants documenting their required experience for issuance of an initial certificate pursuant to Section 7H of the act, and after July 1, 2004 Section 8H of the act shall: 16.60.3 NMAC

(1) provide documentation of experience in providing any type of services or advice using accounting, attest, management advisory, financial advisory, tax or consulting skills; acceptable experience shall include experience gained through employment in industry, government, academia or public practice;

(2) have their experience verified by an active, licensed CPA as defined in the act or by an active, licensed CPA from another state; the board shall consider and evaluate factors such as complexity and diversity of the work in determining acceptability of experience submitted:

(a) one year of experience shall consist of full or part-time employment that extends over a period of no less than 1 year and no more than 3 years and includes no fewer than 2,000 hours of performance of services described above;

(b) experience documented in support of an initial application must be obtained within the 7 years immediately preceding passing of the examination or within 7 years of having passed the examination upon which the application is based; this does not apply to applicants who qualified and sat for the examination during or prior to the November 2001 administration;

(c) any licensee requested by an applicant to submit evidence of the applicant’s experience and who has refused to do so shall, upon request of the board, explain in writing or in person the basis for such refusal; the board may require any licensee who has furnished evidence of an applicant’s experience to substantiate the information;

(d) the board may inspect documentation relating to an applicant’s claimed experience; any applicant may be required to appear before the board or its representative to supplement or verify evidence of experience.

2-15 E. Swearing in ceremony: Every new licensee must participate in a swearing in ceremony before the board within one year from the date of the issuance of the initial license. Swearing in ceremonies shall be held two times per year in locations to be determined by the board. Upon good cause presented in writing prior to the expiration of the one-year period of initial licensure, the board may extend the period for being sworn in or arrange an alternate method for the licensee to be sworn in. If an extension for good cause is granted, the licensee shall arrange with the board director to present him or herself for swearing in before the board within the time prescribed by the board. Failure to appear at a swearing in ceremony before the board may result in the imposition of a fine or other disciplinary action, as deeded appropriate by the board.

F. Replacement wall certificates and licenses to practice: Replacement wall certificates and licenses to practice may be issued by the board in appropriate cases and upon payment by the CPA or RPA of the fee as set by the board. A certificate/license holder is specifically prohibited from possessing more than one wall certificate and more than one license to practice as a CPA or RPA. When a replacement wall certificate or license to practice is requested, the certificate/license holder must return the original certificate/license or submit a notarized affidavit describing the occurrence that necessitated the replacement certificate or license.

G. Renewal requirements: Certificates/licenses for individuals will have staggered expiration dates based on the individual's birth month. Deadline for receipt of certificate/license renewal applications and supporting continuing professional education affidavits or reports is no later than the last day of the CPA or RPA certificate/license holder's birth month or the next business day if the deadline date falls on a weekend or holiday.

(1) The board may accept a sworn affidavit as evidence of certificate/license holder compliance with CPE requirements in support of renewal applications.

(2) Renewal applications and CPE reports received after prescribed deadlines shall include prescribed delinquency fees.

(3) Applications will not be considered complete without satisfactory evidence to the board that the applicant has complied with the continuing professional education requirements of Sections 9E and 12A of the act and of these rules.

(4) The board shall mail renewal application notices no less than 30 days prior to the renewal deadline. [16.60.3.9 NMAC - Rp 16 NMAC 60.4.8.2 & 16 NMAC 60.4.8.3, 02-14-2002; A, 01- 15-2004; A, 06-15-2004; A, 12-30-2004; A, 04-29-2005; A, 07-29-2005]

16.60.3.10 BOARD ACCEPTANCE OF GRADE TRANSFER CERTIFICATE APPLICANTS:

A. The board will only accept grade transfers from applicants passing the uniform CPA examination in other jurisdictions/states for an initial CPA certificate application under the following situations:

2-16 (1) temporary change in residence to the state/jurisdiction where the applicant passed the uniform CPA examination while the grade transfer applicant was a student; 16.60.3 NMAC

(2) temporary change in residence to the state/jurisdiction where the applicant passed the uniform CPA examination while the grade transfer applicant was on military duty;

(3) temporary change in residence to the state/jurisdiction where the applicant passed the uniform CPA examination while the candidate was on a temporary work assignment;

(4) presentation of documented evidence demonstrating current resident status in the state of New Mexico; or

(5) presentation of documented evidence demonstrating anticipated employment and residency in the state of New Mexico within 6 months of the application’s date.

B. An applicant who resides in New Mexico and was issued a certificate in another state based upon passage of the examination but never received a license to practice will be considered for licensure by grade transfer.

C. The board may waive the above requirements due to hardship exceptions presented by a grade transfer certificate applicant. [16.60.3.10 NMAC -N, 02-14-2002; A, 06-15-2004]

16.60.3.11 RELINQUISHING A CERTIFICATE/LICENSE:

A. Any individual certificate/license holder may at any time and for any reason, subject to the approval of the board, relinquish that certificate/license to the board. An individual relinquishing his certificate/license during the course of a disciplinary investigation or proceeding may not apply for reinstatement but may apply for the issuance of a new certificate/license upon completion of all requirements for the issuance of such certificate, including meeting all education, examination, experience, and ethics examination requirements of the act and board rules in effect at the time of the new application. This includes sitting for and passing the uniform CPA examination, meeting current experience requirements, and passing a current ethics examination.

B. This rule does not apply to a licensee who relinquished their license while in good standing and was not the subject of a board investigation or disciplinary proceeding at the time they relinquished their license. If an individual relinquishes their certificate/license during the course of a board disciplinary investigation or proceeding, this fact shall be disclosed in any later application for a new certificate and shall be considered before the issuance of a new certificate. [16.60.3.11 NMAC -N, 02-14-2002]

16.60.3.12 REINSTATEMENT REQUIREMENTS:

A. Requests to reinstate a certificate/license that lapsed or expired as a result of non- renewal shall meet all board prescribed requirements for reinstatement including the current year’s renewal fee and continuing professional education. An individual whose

2-17 certificate/license has been subject to board disciplinary action pursuant to the Uniform Licensing Act, Sections 61-1-1 to 61-1-31 NMSA 1978, may, upon application in writing and for good cause, request reinstatement of the certificate/license after completion of all requirements contained in the board’s original order or agreement.

B. A reinstatement application pursuant to Section 21 of the Act and this rule will be processed by the board upon the basis of the materials submitted in support thereof and supplemented by such additional inquiries as the board may require. For reinstatement of a certificate/license, a hearing may be held, and the board may, at its discretion, impose terms and conditions on an application following procedures the board may find suitable for the particular case.

C. The reinstatement request shall set out in writing the reasons constituting good cause for the relief sought and shall be accompanied by at least 2 supporting recommendations, under oath, from practitioners who have personal knowledge of the activities of the applicant since board disciplinary action was imposed. In considering a reinstatement application, the board may consider all activities of the applicant since the disciplinary action from which relief is sought was imposed; the offense for which the applicant was disciplined; the applicant’s activities during the time the certificate/license was in good standing; the applicant’s rehabilitative efforts; restitution to damaged parties in the matter for which the penalty was imposed; and the applicant’s general reputation for trust and professional probity.

D. No application for reinstatement will be considered while the applicant is under sentence for any criminal offense, including any period during which the applicant is on court- imposed probation or parole. [16.60.3.12 NMAC - Rp 16 NMAC 60.4.11, 02-14-2002; A, 12-30- 2005]

16.60.3.13 RECIPROCITY REQUIREMENTS:

16.60.3 NMAC

A. Interstate Reciprocity: The board may issue a certificate/license to the holder of a certificate issued by a state other than New Mexico as defined under Sections 3Q, 11B and D, and 26A of the Act provided that the license from the other state is valid and in good standing and that the applicant:

(1) provides proof from a board-approved national qualifications service that their CPA qualifications are substantially equivalent to the CPA requirements of the act; or

(2) successfully completed the CPA examination in accordance with the rules of the other state at the time it granted the applicant’s initial certificate; and

(3) meets the experience requirements under the act and these rules for issuance of the initial certificate; and

(4) has met the CPE requirement of the state in which he is currently licensed pursuant to the act and board rules; and

2-18 (5) has passed either the American institute of certified public accountants ethics examination with a score of 90 percent or higher or an ethics examination of another state board of accountancy with a score of 90 percent or higher.

B. An applicant who holds a certificate from another state based upon passage of the examination but who does not hold a license to practice shall not be eligible for licensure by reciprocity.

C. The board may rely on the national association of state boards of accountancy (NASBA), the American institute of certified public accountants (AICPA), or other professional bodies deemed acceptable to the board for evaluation of other state's CPA qualification requirements in making substantial equivalency determinations.

D. International reciprocity: The board may designate a professional accounting credential issued in a foreign country as substantially equivalent to a New Mexico CPA certificate and may issue a certificate/license to the holder of a professional accounting credential issued in a foreign country.

(1) The board may rely on NASBA, AICPA, or other professional bodies deemed acceptable to the board for evaluation of foreign credentials in making equivalency determinations.

(2) The board may satisfy itself through qualifying examination(s) that the holder of a foreign country credential deemed by the board to be substantially equivalent to a CPA certificate possesses adequate knowledge of U.S. practice standards and the board’s rules. The board will specify the qualifying examination(s) and may rely on NASBA, AICPA, or other professional bodies to develop, administer, and grade such qualifying examination(s).

(3) The board recognizes the existence of the international qualifications appraisal board (IQAB), a joint body of NASBA and AICPA, which is charged with:

(a) evaluating the professional credentialing process of certified public accountants, or their equivalents, from countries other than the United States; and

(b) negotiating principles of reciprocity agreements with the appropriate professional and governmental bodies of other countries seeking recognition as having requirements substantially equivalent to the requirements for the certificate of a certified public accountant in the United States.

(4) The board shall honor the terms of all principles of reciprocity agreements issued by IQAB.

(5) The board recognizes the international uniform CPA qualification examination (IQEX), written and graded by AICPA, as a measure of professional competency satisfactory to obtain a New Mexico certificate by reciprocity.

2-19 (6) The board may accept a foreign country accounting credential in partial satisfaction of its certificate/license requirements if:

(a) the holder of the foreign country accounting credential meets the issuing body’s education requirement and has passed the issuing body’s examination used to qualify its own domestic candidates; and

(b) the foreign country credential is valid and in good standing at the time of application for a certificate/license.

(7) The board shall accept the following foreign credentials in partial satisfaction of its certificate/license requirements:

(a) Canadian chartered accountant;

(b) Australian chartered accountant;

(c) Australian certified practicing accountant;

(d) Mexican contador publicos certificado;

(e) chartered accountants in Ireland.

E. An applicant for renewal of a CPA certificate/license originally issued in reliance on a foreign country accounting credential shall:

(1) meet all board prescribed certificate/license renewal requirements; and 16.60.3 NMAC

(2) present documentation from the foreign country accounting credential issuing body that the applicant’s foreign country credential has not been suspended or revoked and is not the subject of a current investigation; and

(3) report any investigations undertaken or sanctions imposed by a foreign country credential body against the CPA’s foreign country credential.

F. If the foreign country credential has lapsed, expired, or been cancelled, the applicant must present proof from the foreign country credentialing body that the certificate holder/licensee was not the subject of any disciplinary proceedings or investigations at the time the foreign country credential lapsed.

G. Suspension or revocation of, or refusal to renew, the CPA’s foreign accounting credential by the foreign credentialing body shall be considered evidence of conduct reflecting adversely upon the CPA’s fitness to retain the certificate and may be a basis for board action.

2-20 H. Conviction of a felony or any crime involving dishonesty or fraud under the laws of a foreign country is evidence of conduct reflecting adversely on the CPA’s fitness to retain a certificate/license and is a basis for board action.

I. The board shall notify the appropriate foreign country credentialing authorities of any sanctions imposed against a CPA. The board may participate in joint investigations with foreign country credentialing bodies and may rely on evidence supplied by such bodies in disciplinary hearings. [16.60.3.13 NMAC -Rp 16 NMAC 60.4.9, 02-14-2002; A, 09-16-2002; A, 01-15-2004; A, 06-15-2004; A, 12-302004; A, 04-29-2005]

16.60.3.14 SUBSTANTIAL EQUIVALENCY/INTENT TO PRACTICE REQUIREMENTS: Pursuant to Section 26 of the act, a person whose principal place of business is not New Mexico and who has a valid certificate/license as a certified public accountant from a state that the board-approved qualification service has verified to be in substantial equivalence with the certified public accountant requirements of the act shall be presumed to have qualifications substantially equivalent to New Mexico's requirements.

A. The board may rely on NASBA, AICPA, or other professional bodies approved as acceptable to the board to provide qualification appraisal in determining whether an applicant's qualifications are substantially equivalent to New Mexico's requirements.

B. A person whose qualifications are deemed substantially equivalent shall submit a notification of intent to practice under substantial equivalency and include related fees. An individual practicing in New Mexico under substantial equivalency provisions shall:

(1) provide written notice to the board no later than 30 days after commencing practice in New Mexico;

(2) consent to personal and subject matter jurisdiction of the board;

(3) agree to full compliance with the act and related board rules; and

(4) consent to appointment of the state board of the state of their principal place of business as their agent, upon whom process may be served in an action or proceeding by the New Mexico public accountancy board against it.

C. As a condition of this practice privilege, an individual shall renew their notification of intent to practice every 12 months.

D. The individual shall be subject to disciplinary action for any violation of the act or board rules committed in New Mexico.

E. Pursuant to the Uniform Accountancy Act, an individual entering into an engagement to provide professional services via a web site pursuant to Section 23 shall disclose, via any such web site, the individual’s principal state of licensure, license number, and an address as a means for regulators and the public to contact the individual regarding complaints, questions, or regulatory compliance. [16.60.3.14 NMAC -N, 02-14-2002; A, 07-30-2004; A, 07-29-2005]

2-21 16.60.3.15 CONTINUING PROFESSIONAL EDUCATION (CPE) REQUIRED TO OBTAIN OR MAINTAIN AN "ACTIVE" CPA LICENSE:

A. The following requirements of continuing professional education apply to certificate/license renewals and reinstatements pursuant to Sections 9E and 12A of the act. An applicant for certificate/license renewal shall show completion of no less than 120 clock hours of CPE, complying with these rules during the 36-month period ending on the last day of the certificate/license holder's birth month.

(1) Any applicant seeking a license/certificate or renewal of an existing license shall demonstrate participation in a program of learning meeting the standards set forth in the statement on standards for continuing

16.60.3 NMAC professional education (CPE) programs jointly approved by NASBA and AICPA or standards deemed comparable by the board.

(2) Each person holding an active CPA certificate/license issued by the board shall show completion of no less than 120 hours of continuing professional education complying with these rules during the preceding 36-month period ending on the last day of the certificate/license holder's birth month, with a minimum of 20 hours completed in each year. Licensees shall report CPE completion on board prescribed forms including a signed statement indicating they have met the requirements for participation in the CPE program set forth in board rules.

(3) The board may, at its discretion, accept a sworn affidavit as evidence of certificate/license holder compliance with CPE requirements in support of renewal applications in lieu of documented evidence of such. Reciprocity and reinstatement applications shall require documented evidence of compliance with CPE provisions.

(4) Deadline for receipt of license renewal applications and supporting CPE reports or affidavits is no later than the last day of the certificate/license holder's birth month. Renewal applications and supporting CPE affidavits or reports shall be postmarked or hand-delivered no later than the renewal deadline date or the next business day if the deadline date falls on a weekend or holiday.

(5) In the event that a renewal applicant has not completed the requisite CPE by the renewal deadline, he shall provide a written explanation for failure to complete CPE; request an extension for completion of the required CPE; and shall provide a written plan of action to remediate the deficiency.

(a) The extension request and action plan shall accompany the renewal application.

(b) The provisions of the action plan shall be executed within 60 days of the expiration date of the license.

(c) The board reserves the right not to approve a plan of action or grant an extension.

2-22 (d) Although a plan of action may be approved immediately upon receipt, the board reserves the right to levy a fine at a later date for late CPE of $10.00 per day not to exceed $1,000.

(e) The board may waive this fine for good cause.

(f) If all CPE requirements are not met within 90 days beyond the expiration date of the license, the license shall be subject to cancellation.

(6) Renewal applications and CPE reports received after prescribed deadlines shall include prescribed delinquency fees.

(7) Applications will not be considered complete without satisfactory evidence to the board that the applicant has complied with the CPE requirements of Sections 9E and 12A of the act and of these rules.

(8) Reinstatement applicants whose certificates/licenses have lapsed shall provide documented evidence of completion of 40 hours of CPE for each year the certificate/license was expired, not to exceed 200 hours. If the license was expired for longer than 36 months, at least 120 of the hours must have been earned within the preceding 36 months.

(a) The length of expiration shall be calculated from the date the license expired to the date the application for reinstatement was received by the board office.

(b) If the license was expired for less than one year, documented evidence of 40 hours of CPE earned within the 12 months immediately preceding the date of application for reinstatement must be provided.

(c) If the license was expired for longer than one year, for the purpose of determining the number of CPE hours required, the length of expiration shall be rounded down to the last full year if the partial year was less than six months and rounded up to the next full year if the partial year was more than six months.

B. Exemption from CPE requirements through change of certificate/license status between inactive/retired and active status.

(1) Pursuant to Section 9E of the act, the board may grant an exception to CPE requirements for certificate holders who do not provide services to the public. Public means any private or public corporate or governmental entity or individual. An individual who holds an inactive certificate/license is prohibited from practicing public accounting and may only use the CPA-inactive designation if they are not offering accounting, tax, tax consulting, management advisory, or similar services either in New Mexico or in another state or country. Persons desiring exemption from CPE rules requirements may request to change from "active" to "inactive" or "retired" certificate/license status, provided that they:

(a) complete board-prescribed change-of-status forms and remit related fees;

2-23 (b) not practice public accountancy as defined in Section 3M of the act; public accountancy means the performance of one or more kinds of services involving accounting or auditing skills, including the issuance of reports on financial statements, the performance of one or more kinds of management, financial advisory or consulting services, the preparation of tax returns or the furnishing of advice on tax matters; and 16.60.3 NMAC

(c) place the word "inactive" or "retired" adjacent to their CPA or RPA title on a business card, letterhead or other documents or devices, except for a board-issued certificate.

(2) Persons requesting to change from "inactive" or "retired" to "active" certificate/license status shall:

(a) complete board-prescribed change-of-status forms and remit related fees; and

(b) provide documented evidence of 40 hours of CPE for each year the certificate/license was inactive, not to exceed 200 hours; if the license was inactive for longer than 36 months, at least 120 of the hours must have been earned within the preceding 36 months.

(3) The effective date of this provision shall be January 1, 2007. An individual who holds an inactive certificate/license as of January 1, 2006 and expects to be subject to the provisions of this rule shall be permitted to obtain an active certificate/license between January 1, 2006 and December 31, 2006 provided they:

(a) complete board-prescribed change-of-status forms and remit related fees; and

(b) provide documented evidence of 40 hours of CPE earned between January 1, 2005 and December 31, 2006 or complete 120 hours of CPE within the three-year period immediately prior to the date of application for active status, provided that the application is received by the board no later than December 31, 2006.

(4) An individual who obtains an active certificate/license during this transitional period of January 1, 2006 to December 31, 2006 shall not be subject to the provisions of sub-paragraph (b) of paragraph (2) above.

C. Hardship exceptions: The board may make exceptions to CPE requirements for reason of individual hardship including health, military service, foreign country residence, or other good cause. Requests for such exceptions shall be subject to board approval and presented in writing to the board. Requests shall include such supporting information and documentation as the board deems necessary to substantiate and evaluate the basis of the exception request.

D. Programs qualifying for CPE credit: A program qualifies as acceptable CPE for purposes of Sections 9E and 12A of the act and these rules if it is a learning program contributing to growth in professional knowledge and competence of a licensee. The program must meet the minimum standards of quality of development, presentation, measurement, and reporting of credits set forth in the statement on standards for continuing professional education programs jointly approved by NASBA and AICPA, by accounting societies recognized by the board, or such other standards deemed acceptable to the board.

2-24 (1) The following standards will be used to measure the hours of credit to be given for acceptable CPE programs completed by individual applicants:

(a) an hour is considered to be a 50-minute period of instruction;

(b) a full 1-day program will be considered to equal 8 hours;

(c) only class hours or the equivalent (and not student hours devoted to preparation) will be counted;

(d) one-half credit increments are permitted after the first credit has been earned in a given learning activity.

(2) Service as a lecturer, discussion leader, or speaker at continuing education programs or as a university professor/instructor (graduate or undergraduate levels) will be counted to the extent that it contributes to the applicant’s professional competence.

(3) Credit as a lecturer, discussion leader, speaker, or university professor/instructor may be allowed for any meeting or session provided that the session would meet the continuing education requirements of those attending.

(4) Credit allowed as a lecturer, discussion leader, speaker or university professor/instructor will be on the basis of 2 hours for subject preparation for each hour of teaching and 1 hour for each hour of presentation. Credit for subject preparation may only be claimed once for the same presentation.

(5) Credit may be allowed for published articles and books provided they contribute to the professional competence of the applicant. The board will determine the amount of credit awarded.

(6) Credit allowed under provisions for a lecturer, discussion leader, speaker at continuing education programs, or university professor/instructor or credit for published articles and books may not exceed one half of an individual’s CPE requirement for a 3-year reporting period (shall not exceed 60 hours of CPE credit during a 3-year reporting period).

(7) For a continuing education program to qualify under this rule, the following standards must be met:

(a) an outline of the program is prepared in advance and preserved;

(b) the program is at least 1 hour in length;

(c) a qualified instructor conducts the program; and 16.60.3 NMAC

(d) a record of registration or attendance is maintained.

(8) The following programs are deemed to qualify, provided the above are met:

2-25 (a) professional development programs of recognized national and state accounting organizations;

(b) technical sessions at meetings of recognized national and state accounting organizations and their chapters; and

(c) no more than 4 hours CPE annually may be earned for board meeting attendance.

(9) University or college graduate-level courses taken for academic credit are accepted. Excluded are those courses used to qualify for taking the CPA exam. Each semester hour of credit shall equal 15 hours toward the requirement. A quarter hour credit shall equal 10 hours.

(10) Non-credit short courses - each class hour shall equal 1 hour toward the requirement and may include the following:

(a) formal, organized in-firm educational programs;

(b) programs of other accounting, industrial, and professional organizations recognized by the board in subject areas acceptable to the board;

(c) formal correspondence or other individual study programs which require registration and provide evidence of satisfactory completion will qualify with the amount of credit to be determined by the board.

(11) The board will allow up to a total of 24 hours of CPE credits for firm peer review program participation. Hours may be earned and allocated in the calendar year of the acceptance letter for the firm's CPAs participating in the peer review.

(a) Firms having an engagement or report peer review will be allowed up to 12 hours of CPE credits.

(b) Firms having a system peer review will be allowed up to 24 hours of CPE credits.

(c) Firms having a system peer review at a location other than the firm’s office shall be considered an off-site peer review and will be allowed up to 12 hours of CPE credits.

(d) The firm will report to the board the peer review CPE credit allocation listing individual firm CPAs and the number of credits allotted to each CPA. Individual CPAs receiving credit based upon a firm's report to the board may submit firm-reported hours in their annual CPA report forms to the board. If CPE credits will not be used, no firm report will be necessary.

(12) The board may look to recognized state or national accounting organizations for assistance in interpreting the acceptability of the credit to be allowed for individual courses. The board will accept programs meeting the standards set forth in the NASBA CPE registry, AICPA guidelines, NASBA quality assurance service, or such other programs deemed acceptable to the board.

2-26 (13) For each 3-year reporting period, at least 96 of the hours reported shall be courses, programs or seminars whose content is in technical subjects such as audit; attestation; financial reporting; tax, management consulting; financial advisory or consulting; and other areas acceptable to the board as directly related to the professional competence of the individual.

(14) For each 3-year reporting period, at least 24 of the hours reported shall be taken outside of the individual’s firm, agency, company, organization or normal work setting in a public presentation environment, which is defined as a group program, classroom, live instructor setting in which at least 10 percent of the registered participants are not members, associates, clients, or employees of the firm, agency, company, organization or normal work environment.

(15) For each 3-year reporting period, credit will be allowed once for any single course, program or seminar unless the individual can demonstrate that the content of such course, program or seminar was subject to substantive technical changes during the reporting period.

E. Programs not qualifying for CPE:

(1) CPA examination review or “cram” courses;

(2) industrial development, community enhancement, political study groups or similar courses, programs or seminars;

(3) courses, programs or seminars that are generally for the purpose of learning a foreign language;

(4) partner, shareholder or member meetings, business meetings, committee service, and social functions unless they are structured as formal programs of learning adhering to the standards prescribed in this rule.

F. Continuing professional education records requirements: When applications to the board require evidence of CPE, the applicants shall maintain such records necessary to demonstrate evidence of compliance with requirements of this rule. 16.60.3 NMAC

(1) Reinstatement and reciprocity applicants shall file with their applications a signed report form and statement of the CPE credit claimed. For each course claimed, the report shall show the sponsoring organization, location of program, title of program or description of content, the dates attended, and the hours claimed.

(2) Responsibility for documenting program acceptability and validity of credits rests with the licensee and CPE sponsor. Such documentation should be retained for a period of 5 years after program completion and at minimum shall consist of the following:

(a) copy of the outline prepared by the course sponsor along with the information required for a program to qualify as acceptable CPE as specified in this rule; or

2-27 (b) for courses taken for scholastic credit in accredited universities and colleges, a transcript reflecting completion of the course. For non-credit courses taken, a statement of the hours of attendance, signed by the instructor, is required.

(3) Institutional documentation of completion is required for formal, individual self- study/correspondence programs.

(4) The board may verify CPE reporting information from applicants at its discretion. Certificate holders/licensees or prospective certificate holders/licensees are required to provide supporting documentation and/or or access to such records and documentation as necessary to substantiate validity of CPE hours claimed. Certificate holders/licensees are required to maintain documentation to support CPE hours claimed for a period of 5 years after course completion/CPE reporting. Should the board exercise its discretion to accept an affidavit in lieu of a CPE report, the board shall audit certificate/license holder CPE rules compliance of no less than 10 percent of active CPA/RPA licensees annually.

(5) In cases where the board determines requirements have not been met, the board may grant an additional period of time in which CPE compliance deficiencies may be removed. Fraudulent reporting is a basis for disciplinary action.

(6) An individual who has submitted a sworn affidavit on their renewal application as evidence of compliance with CPE requirements and is found, as the result of a random audit, not to be in compliance will be subject to a minimum $250.00 fine and any other penalties deemed appropriate by the board as permitted by Section 20B of the act.

(7) The sponsor of a continuing education program is required to maintain an outline of the program and attendance/registration records for a period of 5 years after program completion.

(8) The board may, at its discretion, examine certificate holder/licensee or CPE sponsor documentation to evaluate program compliance with board rules. Non-compliance with established standards may result in denial of CPE credit for non-compliant programs and may be a basis for disciplinary action by the board for fraudulent documentation and representation by a CPE sponsor or certificate holder/licensee of a knowingly noncompliant CPE program. [16.60.3.15 NMAC -Rp 16 NMAC 60.6.6, 02-14-2002; A, 09-16-2002; A, 06-15-2004; A, 07- 30-2004; A, 12-302004; A, 04-29-2005; A, 12-30-2005; A, 05-15-2006]

2-28 Appendix B - Graduating With a CP-Yay

Firms Lavish Accounting Majors With Trips, Parties and Offers By Kim Hart Washington Post Staff Writer Friday, July 6, 2007; A01 Katie Piniuk got a lot of yawns from friends when she chose accounting as her major at Virginia Tech. But two weeks into her final year, she had lined up 15 interviews with the biggest firms in the country. Recruiters treated her to trendy happy hours and fancy steak dinners, wooing her with impressive salaries, free Cancun vacations and irresistible sign-on bonuses. She got three job offers in one afternoon. "I had no idea it would be that easy to find a job," said Piniuk, 23, who will start at Ernst & Young's McLean office in October.

Accounting isn't typically considered to be the most thrilling course of study, but number- crunching students have become hot commodities on college campuses as firms try to keep up with the exploding demand for financial workers.

Increased scrutiny of public companies coupled with the impending retirement of thousands of baby boomers have driven accounting firms to snag the next generation of auditors, bookkeepers and tax experts as early as possible with promises of plump paychecks and tempting perks. Some firms are grooming potential interns as early as high school.

"These firms are so crunched for workers that they've become really aggressive in their recruiting," said Lindsay Terry, who works in the office of career management at the University of Maryland's Robert H. Smith School of Business. "Students are getting serious internships by the time they're sophomores. The top seniors have had jobs lined up for years -- and that's after deciding between 12 offers."

The supply of accountants dropped off in the late 1990s as high-tech professions grew more popular. Yet the need for people with a knack for numbers has soared in recent years. In response to a raft of corporate scandals, Congress enacted the Sarbanes-Oxley Act of 2002, requiring companies to keep much closer tabs on their books.

"Ever since Sarbanes-Oxley, the demand for accountants has exploded, and it hasn't slowed down," said Charles Ingersoll, principal at Korn/Ferry International, a recruiting and staffing firm. Nonprofit organizations and government agencies have also been affected by the shortage, making the Washington market especially tight, he added. "Every single sector is struggling desperately to fill these slots."

In the Washington region, workers providing financial and business services make up the largest professional talent pool, outnumbering legal and information technology workers by nearly 3 to 1, according to a recent Greater Washington Board of Trade report, sponsored in part by The Washington Post Co.

2-29 But area universities are not churning out enough graduates to keep pace with the growing demand. According to the report, about 1,060 local students graduated with a bachelor's or master's degree in accounting in 2005, leaving about 700 jobs in the region unfilled. The same year, the Washington area had 1,240 openings for employees with an associate's degree in accounting, yet local community colleges graduated only 100 people with the skills. Accountants and management analysts make up half of the 58,000 business and financial workers the region will need to hire over the next seven years.

As a result, recruiters often use extravagant perks to lure students into the field -- and into their companies. Last semester, PricewaterhouseCoopers threw a beach party on the University of Maryland's College Park lawn, giving away embroidered lawn chairs, beach balls with logos and $3,000 spring-break trips. Ernst & Young threw an ice cream social, and KPMG held a lavish party at a Ruth's Chris Steak House in downtown Washington for new recruits and their professors. On the first day of the fall semester, Deloitte & Touche plans to be on campus to welcome the new class of students.

In the Washington region, entry-level salaries have risen 10 to 20 percent a year for the past four years, to amounts 130 percent above what is available elsewhere in the country, said John Owen, regional vice president of Robert Half International, a staffing firm. An entry level salary typically is $58,000 to $70,000 a year; people with master's degrees generally start in the range of $63,000 to $80,000.

Last fall, days after starting his senior year at Maryland, Mark Kaufman, 22, of Silver Spring got eight job offers. He decided on a position at Beers & Cutler, an accounting and consulting firm in Vienna where he had interned the previous summer. In addition to a $5,000 signing bonus, the firm is paying part of his tuition for graduate school, which he will start in the fall. (Many states, including Maryland and Virginia, require a fifth year of school or a graduate degree before students are eligible to become certified public accountants.)

"When I was a freshman, all the seniors told me how great the market was for accountants," said Kaufman, who graduated in May. He was president of the school's accounting and business association, which held meetings that became a popular venue for recruiters looking to promote their firms to top students. Slots filled up within the first month of the semester.

"Companies are on a year-long waiting list to get in front of students at those meetings," he said. "It got to the point where we had to schedule a career fair just for accounting students."

To reach students like Kaufman, firms have tried to figure out what today's college students, dubbed the millennial generation, are looking for in a career. The Big Four -- Ernst & Young, Deloitte & Touche, PricewaterhouseCoopers and KPMG -- have nearly tripled the size of their recruiting teams and budgets over the last three years, partly to finance youth-oriented seminars, campus leadership programs and edgy marketing campaigns. Some firms have posted jobs on Facebook, a social networking Internet site popular among college students.

2-30 Beers & Cutler hired a consultant to get inside students' heads. Last year the firm gave $250,000 to the University of Maryland and George Mason University to provide scholarships to accounting students. Partners at PWC now spend part of their week on college campuses to teach classes and chat up students. Argy, Wiltse & Robinson, with headquarters in McLean, promotes a generous reward system, including 20-percent bonuses and rapid promotions. Grant Thornton, a firm with a major office in Tysons Corner, offers sign-on bonuses to interns and sends welcome letters to their parents.

Jean Wyer, head of PWC's recruiting, said the firm hires about 3,500 students, or about 80 percent of its workforce, directly from 200 colleges every year. Connecting with students as early as possible is key to successful hiring, she said.

"If you don't reach them by their sophomore year, you've kind of missed out," she said, adding that the firm is considering starting recruiting efforts at the high school level. "We'll probably be in fifth- and sixth-grade classes soon."

© 2007 The Washington Post Company

2-31 Appendix C - Extract of Key Provisions from Sarbanes-Oxley10

Section 3: Commission Rules and Enforcement.

A violation by any person of the Sarbanes-Oxley Act, any rule or regulation of the Securities and Exchange Commission (SEC or the Commission) or any rule of the Public Company Accounting Oversight Board (PCAOB or the Board) is treated as a violation of the Securities and Exchange Act of 1934, giving rise to the same penalties that may be imposed for violations of that Act.

Section 101: Establishment; Administrative Provisions.

The PCAOB was established to oversee the audits of public companies. The Board will have five financially-literate members, appointed for five-year terms. Two of the members must be or have been certified public accountants, and the remaining three must not be and cannot have been CPAs. The Chair may be held by one of the CPA members, provided that he or she has not been engaged as a practicing CPA for five years.

The Board's members will serve on a full-time basis.

No member may, concurrent with service on the Board, "share in any of the profits of, or receive payments from, a public accounting firm," other than "fixed continuing payments," such as retirement payments.

Members of the Board are appointed by the Commission, "after consultation with" the Chairman of the Federal Reserve Board and the Secretary of the Treasury.

Members may be removed by the Commission "for good cause."

Section 102: Registration with the Board.

All public accounting firms that prepare or issue, or who participate in the preparation or issuance of, any audit report with respect to an issuer, must register with the Board.

Section 103: Auditing, Quality Control, And Independence Standards And Rules.

The Board shall:

1 register public accounting firms;

10 I have extracted key provisions from the AICPA's website to create this document. Title of the page is Summary of the Provisions of the Sarbanes-Oxley Act of 2002, AICPA (2008), http://thecaq.aicpa.org/Resources/Sarbanes+Oxley/Summary+of+the+Provisions+of+the+Sarban es-Oxley+Act+of+2002.htm, downloaded 1/28/2008.

2-32 2 establish, or adopt, by rule, "auditing, quality control, ethics, independence, and other standards relating to the preparation of audit reports for issuers;" conduct inspections of accounting firms;

3 conduct investigations and disciplinary proceedings, and impose appropriate sanctions;

4 perform such other duties or functions as necessary or appropriate;

5 enforce compliance with the Act, the rules of the Board, professional standards, and the securities laws relating to the preparation and issuance of audit reports and the obligations and liabilities of accountants with respect thereto; and

6 set the budget and manage the operations of the Board and the staff of the Board.

Auditing standards. The Board would be required to "cooperate on an on-going basis" with designated professional groups of accountants and any advisory groups convened in connection with standard-setting, and although the Board can "to the extent that it determines appropriate" adopt standards proposed by those groups, the Board will have authority to amend, modify, repeal, and reject any standards suggested by the groups. The Board must report on its standard- setting activity to the Commission on an annual basis.

The Board must require registered public accounting firms to "prepare, and maintain for a period of not less than 7 years, audit work papers, and other information related to any audit report, in sufficient detail to support the conclusions reached in such report."

The Board must require a 2nd partner review (concurring review) and approval of audit reports registered accounting firms must adopt quality control standards.

The Board must adopt an audit standard to implement the internal control review required by section 404(b). This standard must require the auditor to evaluate whether the internal control structure and procedures include records that accurately and fairly reflect the transactions of the issuer, provide reasonable assurance that the transactions are recorded in a manner that will permit the preparation of financial statements in accordance with GAAP, and a description of any material weaknesses in the internal controls.

Section 104: Inspections of Registered Public Accounting Firms.

Annual quality reviews (inspections) must be conducted for firms that audit more than 100 issues, all others must be conducted every 3 years. The SEC and/or the Board may order a special inspection of any firm at any time.

Section 105: Investigations And Disciplinary Proceedings.

All documents and information prepared or received by the Board shall be "confidential and privileged as an evidentiary matter (and shall not be subject to civil discovery or other legal process) in any proceeding in any Federal or State court or administrative agency, . . . unless and until presented in connection with a public proceeding or [otherwise] released" in connection

2-33 with a disciplinary action. However, all such documents and information can be made available to the SEC, the U.S. Attorney General, and other federal and appropriate state agencies.

Disciplinary hearings will be closed unless the Board orders that they be public, for good cause, and with the consent of the parties.

Sanctions can be imposed by the Board to a firm if it fails to reasonably supervise any associated person with regard to auditing or quality control standards, or otherwise.

No sanctions report will be made available to the public unless and until stays pending appeal have been lifted.

Section 106: Foreign Public Accounting Firms.

The bill would subject foreign accounting firms who audit a U.S. company to registrations with the Board. This would include foreign firms that perform some audit work, such as in a foreign subsidiary of a U.S. company that is relied on by the primary auditor.

Section 107: Commission Oversight Of The Board.

The SEC shall have "oversight and enforcement authority over the Board." The SEC can, by rule or order, give the Board additional responsibilities. The SEC may require the Board to keep certain records, and it has the power to inspect the Board itself, in the same manner as it can with regard to SROs such as the NASD.

The Board must notify the SEC of pending investigations involving potential violations of the securities laws, and coordinate its investigation with the SEC Division of Enforcement as necessary to protect an ongoing SEC investigation.

The Board must notify the SEC when it imposes "any final sanction" on any accounting firm or associated person. The Board's findings and sanctions are subject to review by the SEC.

The SEC may enhance, modify, cancel, reduce, or require remission of such sanction.

Section 109: Funding.

In order to audit a public company, a public accounting firm must register with the Board. The Board shall collect "a registration fee" and "an annual fee" from each registered public accounting firm, in amounts that are "sufficient" to recover the costs of processing and reviewing applications and annual reports.

The Board shall also establish by rule a reasonable "annual accounting support fee" as may be necessary or appropriate to maintain the Board. This fee will be assessed on issuers only.

Section 201: Services Outside The Scope Of Practice Of Auditors.

It shall be "unlawful" for a registered public accounting firm to provide any non-audit service to an issuer contemporaneously with the audit, including: (1) bookkeeping or other services related

2-34 to the accounting records or financial statements of the audit client; (2) financial information systems design and implementation; (3) appraisal or valuation services, fairness opinions, or contribution-in-kind reports; (4) actuarial services; (5) internal audit outsourcing services; (6) management functions or human resources; (7) broker or dealer, investment adviser, or investment banking services; (8) legal services and expert services unrelated to the audit; (9) any other service that the Board determines, by regulation, is impermissible. The Board may, on a case-by-case basis, exempt from these prohibitions any person, issuer, public accounting firm, or transaction, subject to review by the Commission.

Section 202: Preapproval Requirements.

It will not be unlawful to provide other non-audit services if they are pre-approved by the audit committee in the following manner. The bill allows an accounting firm to "engage in any non- audit service, including tax services," that is not listed above, only if the activity is pre-approved by the audit committee of the issuer. The audit committee will disclose to investors in periodic reports its decision to pre-approve non-audit services. Statutory insurance company regulatory audits are treated as an audit service, and thus do not require pre-approval.

The pre-approval requirement is waived with respect to the provision of non-audit services for an issuer if the aggregate amount of all such non-audit services provided to the issuer constitutes less than 5% of the total amount of revenues paid by the issuer to its auditor (calculated on the basis of revenues paid by the issuer during the fiscal year when the non-audit services are performed), such services were not recognized by the issuer at the time of the engagement to be non-audit services; and such services are promptly brought to the attention of the audit committee and approved prior to completion of the audit.

The authority to pre-approve services can be delegated to 1 or more members of the audit committee, but any decision by the delegate must be presented to the full audit committee.

Section 203: Audit Partner Rotation.

The lead audit or coordinating partner and the reviewing partner must rotate off of the audit every 5 years.

Section 204: Auditor Reports to Audit Committees.

The accounting firm must report to the audit committee all "critical accounting policies and practices to be used; all alternative treatments of financial information within [GAAP] that have been discussed with management, ramifications of the use of such alternative disclosures and treatments, and the treatment preferred" by the firm.

Section 206: Conflicts of Interest.

The CEO, Controller, CFO, Chief Accounting Officer or person in an equivalent position cannot have been employed by the company's audit firm during the 1year period preceding the audit.

Section 207: Study of Mandatory Rotation of Registered Public Accountants.

2-35 The GAO will do a study on the potential effects of requiring the mandatory rotation of audit firms.

Section 209: Consideration by Appropriate State Regulatory Authorities.

State regulators are directed to make an independent determination as to whether the Boards standards shall be applied to small and mid-size nonregistered accounting firms.

Section 301: Public Company Audit Committees.

Each member of the audit committee shall be a member of the board of directors of the issuer, and shall otherwise be independent.

"Independent" is defined as not receiving, other than for service on the board, any consulting, advisory, or other compensatory fee from the issuer, and as not being an affiliated person of the issuer, or any subsidiary thereof.

The SEC may make exemptions for certain individuals on a case-by-case basis.

The audit committee of an issuer shall be directly responsible for the appointment, compensation, and oversight of the work of any registered public accounting firm employed by that issuer.

The audit committee shall establish procedures for the "receipt, retention, and treatment of complaints" received by the issuer regarding accounting, internal controls, and auditing.

Each audit committee shall have the authority to engage independent counsel or other advisors, as it determines necessary to carry out its duties.

Each issuer shall provide appropriate funding to the audit committee.

Section 302: Corporate Responsibility For Financial Reports.

The CEO and CFO of each issuer shall prepare a statement to accompany the audit report to certify the "appropriateness of the financial statements and disclosures contained in the periodic report, and that those financial statements and disclosures fairly present, in all material respects, the operations and financial condition of the issuer." A violation of this section must be knowing and intentional to give rise to liability.

Section 401: Disclosures In Periodic Reports.

Each financial report that is required to be prepared in accordance with GAAP shall "reflect all material correcting adjustments . . . that have been identified by a registered accounting firm..."

"Each annual and quarterly financial report . . . shall disclose all material off-balance sheet transactions" and "other relationships" with "unconsolidated entities" that may have a material current or future effect on the financial condition of the issuer.

2-36 The SEC shall issue rules providing that pro forma financial information must be presented so as not to "contain an untrue statement" or omit to state a material fact necessary in order to make the pro forma financial information not misleading.

SEC shall study off-balance sheet disclosures to determine a) extent of off-balance sheet transactions (including assets, liabilities, leases, losses and the use of special purpose entities); and b) whether generally accepted accounting rules result in financial statements of issuers reflecting the economics of such off-balance sheet transactions to investors in a transparent fashion and make a report containing recommendations to the Congress.

Section 402: Enhanced Conflict of Interest Provisions.

Generally, it will be unlawful for an issuer to extend credit to any director or executive officer. Consumer credit companies may make home improvement and consumer credit loans and issue credit cards to its directors and executive officers if it is done in the ordinary course of business on the same terms and conditions made to the general public.

Section 403: Disclosures Of Transactions Involving Management And Principal Stockholders.

Directors, officers, and 10% owners must report designated transactions by the end of the second business day following the day on which the transaction was executed.

Section 404: Management Assessment Of Internal Controls.

Requires each annual report of an issuer to contain an "internal control report", which shall:

1 state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

2 contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

Each issuer's auditor shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this section shall be in accordance with standards for attestation engagements issued or adopted by the Board. An attestation engagement shall not be the subject of a separate engagement.

The language in the report of the Committee which accompanies the bill to explain the legislative intent states, "--- the Committee does not intend that the auditor's evaluation be the subject of a separate engagement or the basis for increased charges or fees."

Directs the SEC to require each issuer to disclose whether it has adopted a code of ethics for its senior financial officers and the contents of that code.

Directs the SEC to revise its regulations concerning prompt disclosure on Form 8K to require immediate disclosure "of any change in, or waiver of," an issuer's code of ethics.

2-37 Section 406: Code of Ethics for Senior Financial Officers.

The SEC shall issue rules that require each issuer to disclose whether or not, and if not, the reasons therefore, such issuer has adopted a code of ethics for senior financial officers.

Section 407: Disclosure of Audit Committee Financial Expert.

The SEC shall issue rules to require issuers to disclose whether at least 1 member of its audit committee is a "financial expert."

Section 409: Real Time Issuer Disclosures.

Issuers must disclose information on material changes in the financial condition or operations of the issuer on a rapid and current basis.

2-38 Chapter Three - Auditing Risk and the Audit Process

Summary

The purpose of this chapter is to provide you with a broad overview of how auditors conduct audits. The core goal underlying the audit is to assess and control the risk that the auditor will report that the financial statements being audited are accurate when they are not. The audit risk model expresses how auditors analyze this risk. Then the chapter presents a brief overview of the steps auditors take to execute an audit.

After reading this chapter, students should be able to: Explain the risk model formula and describe its components and how audits use them. Describe in basic terms used to describe each step of the audit process and the goal of each step.

Risk Model

Goals of a Financial Statement Audit

In the next six chapters, I am going to walk you through the audit process. Along the way, I will cover a series of technical issues that arise in various steps. The purpose of this chapter is to present the audit risk model that expresses the core goal of all audits; give you a very brief overview of the audit process; and cover two of the first steps in the audit process. From this point on, I will be discussing a normal financial statement audit as CPA firms currently execute one. In addition, from this point on, I will use the term "financial statements" to include the Balance Sheet, Income Statement, Statement of Stockholders Equity, Cash Flow Statement, and all the footnotes. In addition, the term "financial statements" includes any references that management makes to data in these financial statements and footnotes in their management discussion. This is the information that the auditor's opinion on the financial statements must cover. Finally, since Congress passed the Sarbanes-Oxley Act in 2002, a financial statement audit report must include two opinions in addition to the one on the auditee's financial statements. These two additional opinions include one on management's assessment of their own internal controls and one on the internal controls themselves. Thus, the discussion in the next six chapters will cover how auditors plan and execute a joint audit if an auditee's financial statements and internal controls.

I mentioned the three opinions that audits provide because developing and supporting those opinions is the goal of the audit. That is, auditors plan and execute the audit to "gather and evaluate evidence" (from the definition of auditing) to reach and support an opinion as to whether the auditee's financial statements were prepared according to GAAP (the criteria used as a basis of comparison for the information, i.e., financial statements). In addition, Sarbanes-Oxley now requires auditors to compare the auditee's management's assessment of their internal

3-1 controls to an established framework for assessing internal controls, which I will discuss in more detail later. Finally, Sarbanes-Oxley also requires auditors to compare the auditee's internal controls to that framework as well. However, for all three opinions, the auditor applies the same basic process involving gathering and evaluating evidence; coming to a conclusion as to how well the information compares to a basis of comparison; and reporting that opinion.

Structure and Use of the Audit Risk Model

The audit definition, and my discussion of it thus far, implies that auditors live in a certain world and can come to a yes or no conclusion about whether the auditee has prepared their financial statements in conformance with GAAP. This is an inaccurate characterization. Auditors can only reduce the probability that the financial statements contain an error, i.e., departure from GAAP, to an acceptably low level. That is, auditing is all about using and evaluating evidence to reduce the probability that the financial statements contain an undetected error11 to a low enough level that the auditor is willing to state that they don't contain an error. Thus, you can think of an audit as a highly informed gamble.

Auditors developed the risk model as an equation that expresses the ultimate risk that the financial statements contain an error the auditor didn't catch as a function of the sources of that risk. That is, an undetected error can exist in the financial statements because: of general factors (e.g., high turnover in employees responsible for preparing the financial statements), which is called inherent risk; failure of the auditee's only internal controls (i.e., the auditee's error prevention and detection/correction procedures), which is called control risk; or because the auditor's tests didn't find it, which is called detection risk.

The audit risk model contains components for each of these factors.

The audit risk model is:

Audit Risk = Inherent Risk * Control Risk * Detection Risk

or

AR = IR * CR * DR

11 I am using the common term "undetected error" to help you grasp the underlying concepts involved in planning and executing an audit. Auditing literature uses more technical terminology that I will introduce later when I get into more details of the technical tools auditors use to execute the audit. Be advised that you will not find the term "undetected error" used in professional audit literature.

3-2 Audit Risk

Audit risk (AR) is the risk that the financial statements contain an error that neither the auditor nor the auditee caught. Now I need to inject some technical terms to define what an "error" is.

First, one unstated assumption in my definition of audit risk is that the auditor would always report an error in their auditor report. When I discuss the audit report in more detail below, you will find that the auditor's report is a highly structured statement with very precise wording that is used by all auditors for all audit reports. Thus, reporting an error in an audit report really means qualifying the auditor's opinion that the financial statements were prepared according to GAAP. Thus, audit risk really is the risk that the auditor didn't qualify their audit opinion for financial statements that contain a departure from GAAP.

Next, I need to define more precisely what an error is. An error is a departure from GAAP that is big enough to matter. The technical term auditors use is material misstatement. A misstatement is a departure from GAAP and "material" means big enough to matter. That is, all financial statements contain some errors. The financial reporting process handles too many transactions of different types, some of which are highly complex, to produce financial statements that are 100% in conformance with GAAP. In addition, GAAP itself is so complex that auditees and auditors can form different opinions on what treatment of a transaction conforms to GAAP and what treatment doesn't. If auditors tried to insure that financial statements were 100% in conformance with GAAP, audits not only would be prohibitively expensive, they would be doomed to fail from the start because the task would be impossible.

However, to judge whether an error is big enough to matter, auditors have developed a generic benchmark of a prototypical user of financial statements. That is, an error (misstatement) is big enough to matter (material) if a prototypical user's judgment of the auditee would change if the error were eliminated. I will discuss how auditors apply this simple rule to developing specific levels of error in the chapter on materiality and risk assessment below.

Inherent Risk

Inherent risk is the risk that the auditee's financial reporting process will produce an error (i.e., material misstatement) regardless of the controls the auditee has in place to eliminate (i.e., prevent or detect/correct)12 the error. Thus, inherent risk measures the quality of the auditee's financial reporting system separate from the internal controls embedded in that system. Inherent risk exists independent of the audit and so auditors assess an auditee's inherent risk. That is, auditors and their audit procedures cannot alter an auditee's inherent risk and so auditors can only assess its level and cannot influence its level. I will discuss the factors auditors consider in assessing inherent risk in the chapter on setting materiality and assessing preliminary risk below.

12 A firm's internal control system can eliminate errors from financial statements either by preventing them from entering into the information stream that produces the financial statements or by detecting and correcting them after they have entered the information stream. The process that this text discusses related to internal controls does not differentiate between prevention and detection/correction and so I will use the term "eliminated."

3-3 However, the factors that influence an auditee's inherent risk are broad and range from environmental factors like the complexity of the auditee's production process and level of competition in the auditee's markets to auditee-specific factors like the level of training and monitoring the auditee provides for its employees and how well designed their financial reporting process is.

Control Risk

Control risk is the risk that the auditee's internal controls will not eliminate an error from the financial reporting process given that an error exists. Thus, control risk measures the effectiveness of the auditee's internal controls. Internal controls are the policies and procedures an auditee puts in place to eliminate errors from its financial reporting process and to safeguard its assets. I will discuss the nature and components of internal controls in the chapter on the preliminary assessment of control risk. In short, control risk is the risk that the auditee's internal controls will not eliminate an error created by the auditee's inherent risk. Mathematically, control risk is a conditional probability. That is, it is the risk that the auditee's internal controls will not eliminate an error given that (i.e., conditioned on) the fact that the error was created by that financial reporting process.

As with inherent risk, an auditee's control risk is independent of the audit and cannot be altered by the auditor or the audit process. Thus, auditors also must assess control risk; they cannot control it or alter it in any way.

Detection Risk

Detection risk is the risk that the auditee's financial reporting process will contain an error (i.e., material misstatement) that the auditor's procedures don't detect. This is the only component of the right hand side of the audit risk model that auditors control. That is, auditors set their acceptable audit risk, assess inherent and control risk, and then plan audit tests and procedures to drive detection risk to a level low enough to insure that their audit risk level isn't exceeded. Thus, we can restate the audit risk model to illustrate the way auditors actually view it:

DR = AR / (IR * CR)

In this presentation of the risk model, the factors that the auditor assesses or sets are on the right hand side and the factor that the auditor controls through the extent of their audit work are on the left hand side. Auditors make one simplification of this model in practice as well. Since both IR and CR are independent of the audit and are assessed by the auditor, auditors frequently combine them and refer to them jointly as the risk of material misstatement (RMM). That is, combined IR and CR represent the risk that the auditee's financial reporting system will contain an error and the auditor's job is to use audit procedures to reduce RMM to their acceptable level of AR. Thus, the auditors also state the risk formula as:

DR = AR / RMM

3-4 I can use this formulation to illustrate some intuitions about the audit process. Keep in mind that all the components of the risk model are probabilities and are expressed as fractions between 0 and 1. Thus, if you hold AR constant, DR moves in the opposite direction as RMM. As the RMM increases (i.e., the auditee's financial reporting system is weaker), the denominator of the fraction gets larger and approaches 1. As the denominator of the fraction becomes larger, the right hand side of the equation becomes smaller (i.e., since I have set AR, dividing by a larger number will reduce the value of the right hand side of the equation). If the auditee's financial reporting process is weak and the RMM is high, then auditors need to engineer their procedures and test to achieve a lower lever of DR in order to achieve their desired AR. To lower their detection risk, the auditors have to do more work. That is, to lower the probability that their auditor procedures will miss an error, they need to do more, or more extensive, procedures. This should seem logical to you because all I am saying is that to achieve a certain probability that the auditor won't miss an error; they have to do more work if the auditee's systems are weak.

Another important intuition illustrated by this model is that there are limits to how low DR can go. For example, if we hold RMM constant, DR risk varies with AR. That is, the lower the AR (i.e., the more certain the auditor wants to be that they didn't miss an error), the lower the detection risk must be (i.e., the more work the auditor must do). Keep in mind that DR is the risk that the auditor will miss an error and so the lower DR; the more work the auditor has to do.

Now what happens if the auditee's financial reporting system is very weak but the auditor wants to be sure that the financial statements don't contain an error? This situation may mean that the auditee's systems are so weak that they are unauditable (i.e., the auditor can't do enough work to get the AR down to an acceptable level). I will plug in some numbers to illustrate the point.

Let's assume that the auditee's reporting process is so bad that there is a 40% chance that it will produce at least one material error (i.e., one error large enough to alter a user's perception of the auditee). Let's also assume that the auditee has very few control procedures in place such that there is an 80% chance that their controls won't eliminate the error. This means that RMM is 32% (i.e., there is a 32% chance of an error in the auditee's financial statements). Finally, let's assume that the auditor wants to achieve an AR of 5% (i.e., the auditor will tolerate only a 5% chance that the financial statements contain an error his/her audit procedures didn't detect).

Plugging the numbers into the formula, I get a DR equal to 15.6% (15.6% = 0.05 / (0.40 * 0.80)). While this number might not mean much to you, it means that the auditors will have to do enough work to create only a 15.6% chance that not one error will slip through their audit procedures anywhere in the financial statements. This really is a lot of work and the auditor and auditee may believe that the audit would be too expensive to execute. Keep in mind that the lower the DR risk, the more work the auditor has to do to reduce the risk that their audit procedures will miss an error to that level. A higher DR means the auditor can accept more risk that their auditor procedures won't detect an error.

I can turn this example around and demonstrate that if the auditee's financial reporting process is very strong, the auditor may not have to do any work at all, other than the work they need to do to assess IR and CR. That is, if RMM is equal to or lower than AR, DR is greater than equal to

3-5 1, which means that auditor's tests can be so weak that there is a 100% chance they will miss an error. Since the auditee's management relies on the same financial reporting system that produces financial statements to run the firm, most auditees have very strong financial reporting processes because management needs accurate data to run their business. Thus, auditors frequently are auditing auditees with very low RMM. However, given the uncertainties involved in assessing RMM, audit standards do not allow auditors to eliminate audit tests altogether regardless of how low the auditor assess RMM.

Risk Model Summary

The core issues that I want you to internalize at this point is that auditors set a level of tolerable AR, assess the auditee's RMM by assessing IR and CR and combining them, and then determine how much testing they have to do to generate a DR low enough to achieve their AR. Auditors control the level of risk they will tolerate (AR) and the amount of testing they do (DR), but only assess the strength of the auditee's financial reporting process (RMM = IR * CR).

One final issue I need to address is how auditors actually apply the risk model in practice. While I believe one of the benefits of the risk model is that it allows auditors to make quantitative assessments of risk and combine them precisely, auditors rarely use the model quantitatively. Typically, auditors assess risk qualitatively and then use audit firm-based rules to combine the qualitative assessments. For example, auditors might assess inherent or control risk at three or four levels, high, moderate, low, or very low, and then set audit risk using the same terms. Then, they will use a set of decision rules to determine detection risk. Some examples of those decision rules include:

Example Audit Risk RMM Detection Risk (Inherent * Control) 1 Very Low High Low 2 Low Moderate Moderate 3 Moderate Moderate Moderate

The rationale for not assigning probabilities to these risks is that probabilities are too hard to determine and auditors do not have a good sense for how to think probabilistically. Personally, I believe this is a major weakness in current audit practice and it undermines the usefulness of the audit risk model.

Summary of Audit Steps

In this section, I am going to give you a high-level overview of the major steps in the audit process. The diagram at the end of this chapter displays the major steps. I have included a branch in the diagram to highlight that when auditors are actually running tests of controls and balances, they frequently do joint testing that covers both controls and balances at the same time. Thus, even though the "logical" approach to auditing would be to test the controls first so that you can assess control risk before you start testing balances so that you tests of balances are informed by your control risk assessment, practical considerations usually lead auditors to joint testing of both controls and balances.

3-6

The risk model captures the essence of the audit process, which are the steps auditors take to set audit risk, assess inherent and control risk, and develop a plan to execute the tests needed to reduce detection risk to an acceptable level.

Auditee Acceptance13

Auditee Acceptance

The first step in the audit process is for the auditor to determine if they want to take on the audit or not, or, if the auditee is a continuing auditee, whether they want to keep the auditee or not. Audit firms need to be selective about the auditees that they accept because of the risk of incorrectly certifying the auditee's financial statements as being accurate when they aren't. In addition, the little example above concerning what happens to detection risk when an auditee has a weak financial reporting process also illustrate that can get involved with auditees whose systems are so weak that the audit becomes prohibitively expensive. Keep in mind that auditors are for-profit businesses and attempting to audit a weak auditee can become a money-losing proposition.

As a sidebar example, Sarbanes-Oxley increased the amount of audit work that auditors had to do to execute an audit and, therefore, increased the fees auditors charged. After Sarbanes-Oxley, audit fees of the major firms jumped about 35% in one year. However, since auditors face a substantial risk if they do a sloppy job of auditing, audit firms couldn't just hire enough new, untrained staff to meet the new demand. Thus, the four largest audit firms (Big 4 - PricewaterhouseCoopers (PWC), Deloitte Touche Tohmatsu, Ernst and Young, and KPMG Peat Marwick) turned away new business and resigned from existing auditees. PWC resigned from 20% of their existing auditees because they could not handle the increase in demand for their services. As you might expect, they resigned from the 20% that were their weakest auditees and kept the strong ones.

My point is that taking on, or keeping, an auditee is a serious decision that audit firms carefully consider. Some of factors that the auditor will consider are:

Financial health of the potential client - auditees that are in financial distress represent a much higher inherent risk for financial statement errors than healthy auditees because some errors may result from the intentional efforts by the auditee's management to hide the true financial state of the auditee from the investors and potential investors. In addition, auditors are less likely to be paid if the client is having financial problems. Nature of the potential client's industry - Different industries have different special accounting and business issues that affect the auditor's ability to perform a good audit. If the auditor

13 The auditing literature uses the term "client" when describing the "client acceptance" process. I am going to use the term "auditee" to remind us that we are only focused on audit clients in this course and not other types of clients.

3-7 has no experience with the potential auditee's industry and the industry has some unique features, the auditor may decline the auditee as opposed to spending time training himself or herself in that industry. Obviously, this criterion doesn't apply to continuing auditees and doesn't apply to a large firm, like the Big 4, since large firms have large enough practices to do business in most industries. Integrity of the potential auditee's management - While auditors are supposed to provide a competent opinion on the auditee's financial statements based on objective evidence, they inherently must rely on the auditee's management to provide them with information for the audit. However, the auditee's management has control over the auditee's financial reporting process and, therefore, the quality of information in it. Therefore, if the auditee's management is intent on deceiving the auditor, an auditor would have a very difficult time detecting the deception. If the auditor feels that the prospective auditee's management is dishonest, that would greatly increase the inherent risk associated with the audit and undermine the auditor's ability to do a competent audit. Whether there is a conflict of interest in auditing the auditee - Auditors must remain independent of their auditees and so, if the audit firm has a prior relationship with the prospective auditee that would impair their independence, they should not take on the auditee. For example, if a senior partner in the audit firm owned stock in the prospective auditee, the audit firm probably should decline the auditee.

The auditor would use a variety of information sources to determine whether to take on the auditee. Some of these include:

The prospective auditee's prior auditor. I list this item first because it is required by the auditing standards currently in force. Auditors are always required to contact the prior auditor before taking on a new auditee. Trade business publications for stories about the prospective auditee. The prospective auditee's prior financial statements. Talking to third parties like the prospective auditee's vendors, bankers, lawyers, and customers. Note that the auditor may need to get the prospective auditee's permission to talk to some of these people. An internal review within the audit firm to insure that the auditee has the necessary technical skills to audit the prospective auditee. Normally, audit firms have strong skills in the basic steps of auditing, but may lack knowledge of the prospective auditee's industry or other special circumstances that might undermine their ability to complete a good audit. An internal review within the audit firm to determine if they are independent of the prospective auditee.

Signing the Engagement Letter

Auditors refer to an audit as an engagement. I guess it sounds more sophisticated than a job; although auditors in the field refer to the job, not the engagement. Like most service providers,

3-8 auditors want a signed agreement before they begin work. That agreement is called an engagement letter. Auditors use engagement letters for all types of engagements, not just audits. The audit engagement letter's purpose is to clarify with the auditee what work the auditor is going to do; what auditee management's responsibilities are in regards to the audit; and what the auditor is going to charge. Audit engagement letters usually include the following sections:

Services the auditor will provide - This section lists the periods the auditors will audit. The auditor's responsibilities and limitations - Frankly, I call this the waffle section because it discusses the obvious - that an audit isn't perfect and that the auditor's job is to follow generally accepted audit standards and execute due professional care in executing the audit. Thus, this section usually states that the auditor will execute due professional care, but cannot guarantee that they will find all the errors. Management's responsibilities - This section reminds management that they are responsible for turning out accurate financial statements and maintaining adequate internal controls. It also states that management is responsible for providing auditors with the documents and other information they need to perform the audit and to do so on a timely basis. This section also states that if the auditee publishes or files the financials statements that include the auditor's report, they must notify the auditor so that the auditor can review those documents or filings. This is a new requirement under Sarbanes-Oxley. Auditors now are required to review any document or electronic filing that contains their opinion to insure that the opinion is still valid and not being misused by the auditee. Management is required to tell the auditor whenever they use the audit opinion so that the auditor can fulfill this responsibility. Timing and fees - This section discusses the timeline the auditor intends to use to complete the audit and how they will calculate their fees.

The auditors prepare the engagement letter and sign it. They then present the engagement letter to the auditee for the auditee's signature. Once signed, the engagement letter represents a contract between the two parties.

Selecting the Audit Team

Structure of the Core Audit Team

Once the auditor and auditee have signed the engagement letter, the auditor begins the process of planning the audit. The first step is to assemble an audit team to perform the audit. Most audit firms are partnerships and so the most senior members of the audit team will be the partner in charge of the audit. While a large audit team may have more than one partner, it will only have one partner in charge. The audit firm may bring other partners on to the job14, but they normally provide technical support.

14 Forgive my informality, but "job" is shorter to type than "engagement."

3-9 States historically have required that audit firms structure themselves as partnerships where the partners are the owners of the firm and are individually liable for the actions of the firm. This was the state of affairs when I was an audit partner. Trust me, when you know that you are putting your house and all your personal assets on the line when you sign an audit report, you attend to the details.

In the last decade or two, states have allowed audit firms to be structured as limited liability partnerships (LLPs). LLPs limit a partner's liability a little. In an LLP, the audit partners are still personally liability for the jobs on which they are the partner in charge, but are not liable for the actions of other partners within the firm. In a general partnership, all partners are personally liable for the actions of all the other partners on all the audit firm's jobs. In an LLP, they are only liable for their own jobs.

The point of this discussion is to highlight that the partner in charge of the job has many responsibilities and has the ultimate say over how the job is run, largely because they are personally liable for the results. Thus, each job only has one partner in charge.

Below the partners are the audit managers. The managers are in charge most of the audit planning and execution and usually have five to ten years of experience (and make more than most accounting professors). While the audit partner usually negotiates with the auditee; signs the engagement letter; makes key decisions during the audit; and signs off, for the firm, on the audit report, the manager runs the job. Large jobs may involve more than one manager, but usually to preserve a strict chain of command, there is only one senior manager who reports to the partner.

The audit managers supervise audit seniors and juniors. Audit juniors are new hires with less than three years of experience and audit seniors usually have two to five years of experience. Audit seniors supervise portions of the audit work in the field, but juniors and seniors are the audit team members that do most of evidence gathering and initial evidence evaluation for the audit.

When audit firms select the audit team, they need to screen for any independence problems and look for team members that are familiar with the auditee's industry or other special circumstances. In addition, as I have described it, the audit team needs a balance of more experienced and less experienced personnel. Finally, the audit team also may contain technical specialists for specific portions of the audit. One common technical specialist would be a computer and information systems expert to assist the audit team in assessing the auditee's electronic information systems. For example, a high percentage of firms today have websites that they use to make sales. Most audit teams would include someone with experience and training in auditing the security of websites.

Assess the Need for Outside Experts

Audit firms sometimes need to go outside the firm to hire outside experts in technical areas to assist them with the audit. For example, a smaller audit firm may not have an information technology expert on its staff. Another example would be an audit firm that was auditing an oil

3-10 and gas company. The firm probably would not have a geologist on its staff and would need to hire an outside geologist to help verify the value of the auditee's oil and gas reserves that were still in the ground.

Planning the Audit

Nature of Audit Planning

Once the auditor has an agreement with the auditee and the audit team is in place; the next steps will involve gathering detailed evidence on which to set audit risk, assess inherent and control risk, and establish materiality levels for the overall audit as well as for individual account balances. However, at this point the auditor needs to have a detailed plan on how to complete these steps because they can be quite complex and will involve coordinating the activities of the members of the audit team. That detailed plan is represented by an audit program that is a checklist of specific data-gathering steps the auditor plans to take to complete the audit. In addition, the audit program will contain a summary of the overall audit strategy.

The audit program is a very detailed list of specific tests that the audit team performs during the audit. It also is a key documentation tool in that it will contain a description of the step the auditor is performing, the initials of the auditor performing the step, the date the step was completed, and a working paper reference to the working paper that documents the audit step. In many cases, the audit program also will include a place for the auditor that reviews the working papers to initial when a specific working paper was reviewed and the date the review was completed.

Audit planning is a dynamic process in that once early steps in the audit are complete (i.e., setting audit risk and assessing inherent risk), auditors use the results of these steps to plan more a more detailed testing strategy. For example, the auditor cannot fill in the detailed tests of account balances that they intend to use to reduce detection risk until they have set audit risk, assessed inherent risk, and at least made a preliminary assessment of control risk. However, the audit program also will include procedures that the auditor plans to execute to set audit risk and assess inherent and control risk. Thus, the details within the audit program do change as the audit progresses.

I am not going to cover the details of how auditors build an audit program in this chapter because the core of building the program is deciding what tests and other procedures to execute. I will discuss how auditors select tests and other procedures as I get to the appropriate step in the audit process in future chapters. For example, I will discuss how auditors select procedures to assess inherent risk in the next chapter on materiality setting and risk assessment.

Setting Materiality and Audit Risk, and Assessing Inherent Risk

I am going to cover this step in detail in the next chapter. In general, the audit needs to determine how big an error in the auditee's financial statements would be material. However, auditors don't audit the financial statements as a single entity, they audit the various account balances and

3-11 footnote disclosures individually and then combine that evidence to make a final decision on the financial statements. Thus, the question that the auditor has to answer is how big of an error in an individual account might matter to the user (i.e., be material). To answer this question, the auditor will determine how big of an error in a key account (e.g., net income) would be material and then apply some procedures to use that number to establish materiality levels for all the accounts in the financial statements. The point is that net income is such a critical statistic for all financial statement users that auditors tend to set materiality levels for individual accounts based on how errors in those accounts might affect net income.

In addition, the audit is a dynamic process. That is, auditors need to be flexible and change their audit procedures as they gather evidence during the audit. However, they also need to make some risk assessment at the beginning in order to plan how much testing they will do. Since audit risk and inherent risk are based on broad, auditee-wide factors, auditors can set their audit risk and assess the auditee's inherent risk without doing any detailed testing of the auditee's procedures or balances. In addition, since these components of the risk model influence control and detection risk assessment, auditors tend to do them first.

Assess Control System Design

Tradeoff Between Direct and Indirect Testing

The dynamic nature of audit execution is a point I need to clarify and emphasize because it has a significant impact on how auditors test controls and balances. The auditor's goal is to gather sufficient evidence to conclude that the auditee's financial statements conform to GAAP. That evidence can come from a variety of sources and the auditor needs to evaluated evidence from all those sources to determine if, in total, the evidence is sufficient to support the auditor's conclusions. The audit risk model captures the key sources of evidence the auditor uses. That is, evidence about the auditee's management system and environment (i.e., inherent risk) the auditee's control system (i.e., control risk); and the financial results produced by the auditee (i.e., detection risk).

The most direct and powerful evidence an auditor can develop is from his/her own tests (i.e., tests of the auditee's account balances). However, direct tests also tend to be more expense and difficult to execute in many cases. Thus, auditors employ indirect tests of the auditee's control systems as well. The logic for indirect testing is that if the auditee's control system is working well, then the likelihood of errors in the account balances is reduced. Indirect tests can be cheaper and easier for the auditor to execute, but are less powerful than direct evidence to support the auditor's conclusions about the account balances.

Since indirect (i.e., tests of controls) and direct tests (i.e., tests of balances)15 target the same types of potential errors in account balances, the specific procedures auditors use to execute indirect and direct tests can overlap. In addition, auditors now have to perform some indirect

15 Sorry to mix terms on you, but the concepts of "indirect" and "direct" capture inherent features of tests of controls and balances that I want to emphasize in the section.

3-12 testing to satisfy Sarbanes-Oxley requirements. These tradeoffs create a challenge for auditors. Auditors would like to finalize their assessment of the auditee's control risk before they start testing balances so that they have a more precise estimate of the level of direct testing they will need to do to satisfy their audit risk goals. However, many of the actual procedures they will use to execute direct testing are most efficient executed on the same documents and records that the auditor would use to test controls.

Thus, Auditors assess control risk in a two-stage process. First, they assess the strength of the design of the auditee's control system. If they believe the design is sufficiently strong, then they will proceed to test the controls to insure they are functioning as designed. The point is that if the control system's design is too weak to function properly, the auditor doesn't want to waste a lot of time testing the controls to see if they are actually working. If, however, the design of the auditee's controls system is strong enough to reduce control risk below 100%, the auditor must determine if the control system is actually functioning as designed by testing controls.

In addition, because of the inherent tradeoff between indirect and direct testing, auditors begin their direct testing at the same time they begin indirect testing. That is, they would assess the strength of the auditee's control system and then, if the design were sufficiently strong, they would begin simultaneously testing controls and balances. As their tests proceed, they may find the controls are weaker or stronger than they expected and would need to adjust the level of balance testing accordingly. In addition, they may find errors in the auditee's balances that would point to control weaknesses that would lead them to increase their tests of controls to determine the magnitude of the control weakness. This is why the diagram at the end of this chapter has a dashed line between "Test Controls" and "Test Balances." Frequently, auditors execute these two steps concurrently and the results of each step may affect how the auditor executes the other step.

My main point here is that auditors make initial assessments of inherent and control risk to begin the audit planning process. However, these assessments may change as the audit unfolds. For example, if members of the audit team begin to find errors in an account balance, they will communicate this information to the members of the audit team that are testing controls along with a description of the nature of the errors. The audit team members who are testing the controls can use this information to refine their tests of controls and target the most likely causes of the errors in the balances. The reverse also is true. If the audit team members who are testing controls find weaknesses in the auditee's controls, they will notify the audit team members who are testing balances and tell them the account balances that would be affected by those weaknesses. The audit team members who are auditing the balances may increase their level of testing for those accounts.

Test Controls and Assess Control Risk

I will cover this topic in detail in a later chapter. The key issue in this step is that the auditor has developed a preliminary assessment of control risk based on the design of the auditee's internal controls and is beginning to test the controls. While documenting and evaluating the design of the auditee's internal controls, the auditor targets key control procedures that (s)he wants to test to insure that the controls are working as designed. Auditors do not have to, and rarely do, test

3-13 all the auditee's controls. They evaluate the details of how the controls are designed and then focus on key controls that, if they are working properly, will provide a low enough control risk assessment so that the auditor can minimize the work they do to lower their detection risk. Again, as the auditor's tests of controls proceeds, they may have to alter the direct tests of balances they use to reduce detection risk.

Substantive Tests and Tests of Balances

Auditors use the term "substantive" to refer to tests of amounts, either balances or transactions. Most substantive tests are applied to account balances. However, the nature of these tests differ between income statement accounts and balance sheet accounts. Balance sheet accounts all consist of the total amounts for a series of items that make up the balance (e.g., the total of individual accounts receivable is equal to the total accounts receivable balance and the total inventory equals the sum of the value of individual items in inventory. Income statement accounts, however, are equal to the sum of the transactions that created them (e.g., total sales is the sum of all sales transactions).

Auditors use the terms substantive testing or tests of details to describe direct tests of account balances and to differentiate those tests from test of controls.16 The idea, illustrated in the risk model, is that auditors can determine the ultimate risk of error in a balance on a financial statement by assessment the reliability of the system that produced the balance (i.e., control risk) and by directly testing the balance itself (i.e., detection risk). Auditors use tests of controls17 to determine control risk and substantive tests to control detection risk. I will cover substantive testing in detail in a later chapter.

Completing the Audit

Once all the evidence is in, the auditor needs to pull it all together to determine if (s)he has sufficient evidence to support an opinion on the auditee's financial statements. There also are other forms of disclosures that GAAP requires auditee's to include in their footnotes that the auditor needs to review before forming a final opinion. I will cover these items in detail in the chapter on completing the audit. However, the main idea is that audits are a compilation of a lot of tests and other evidence-gathering procedures and before the auditor can decide whether to auditee's financials statements are accurate, which is a holistic concept, (s)he must pull all the evidence together and see how various pieces of evidence relate to each other. Auditors also need to go back through the audit plan that was developed at the beginning of the audit to insure that all the audit team executed, documented, and evaluated the results of all the planned steps.

16 To summarize this "terminology overload," substantive testing, direct testing, tests of balances, and tests of details all mean the same thing. They refer to tests of the auditee's account balances rather than their control procedures.

17 Some older audit texts or professional literature refer to tests of controls as compliance tests because they were used to determine if the firm’s execution of their control procedures complied with the design of those control procedures.

3-14 Reporting

The final step in the audit is to issue the report. As I mentioned above, since Sarbanes-Oxley auditors of all public companies must issue three opinions: one on the financial statements, one on management's assessment of their own internal controls, and one on the controls themselves. Each of these reports can be clean or qualified. A clean opinion states that the financial statements were prepared in accordance with GAAP and accurately report the financial results of the auditee. For the auditor's opinion on management's assessment of internal controls, a clean opinion states that management's assessment was accurate. For the auditor's opinion on the controls themselves, a clean opinion states that the controls are effective.

Generally, a clean opinion means everything is all right. Over 90% of all audit opinions are clean and so qualified opinions are rare. Auditors issue qualified opinions is they find errors in the financial statements; inaccuracies in managements assessment of their own controls; or weaknesses in the auditee’s internal controls. These errors, inaccuracies, or weaknesses must be material, however. If the auditor finds problems, they state as much in their opinions. They also tend to be precise in their opinions as to the source of the problem to inform the reader of the financial statements as to the nature of the problem.

In extreme cases, the auditor may conclude that the problems are so extreme that the financial statements are worthless. In these cases, the auditor will issue an adverse opinion that warns the reader that they should not rely on the financial statements at all. As you might expect, adverse opinions are extremely rare. Normally, management will work with auditors to fix the problems rather than have an auditor essentially state in a formal opinion that their financial statements are worthless. However, sometimes the problems are severe enough that management cannot correct them.

In the above paragraphs, I am using common terms to describe the contents of the auditor's reports. Auditors do not use these terms in practice and have a series of technical terms they use instead. You do need to know the technical terms, but I will present and discuss them in the chapter on the audit report. For now, I want you to understand the intuition behind the auditor's report and believe that I can accomplish that more effectively at this point by using common language even though it is inaccurate and not used by auditors in practice.

Audit Documentation

Nature and Rationale for Audit Documentation

As part of the audit process, auditors need to set up a documentation plan for the audit as well. Auditors need to maintain detailed documentation of:

all the steps they take during the audit to include:  which audit team member executed each step  when the step was completed

3-15  who reviewed the work for each step, and  when the review was done what evidence was gathered for each step, and what conclusions were drawn from that evidence. Thorough and accurate documentation of every audit step is critical to maintain quality control and to demonstrate to outside parties how the audit was executed. Audits are "team sports" and the audit firm and its partners are liable to any user of audited financial statements for the accuracy and completeness of the audit. As I will discuss towards the end of the class, both the audit firm as a whole and the individual audit partner are liable for any damages to third parties (i.e., people other than the auditor or auditee) incurred by relying on a set of audited financial statements that are proven to be inaccurate.18 This liability exposure derives from the auditor's social responsibility to insure that the financial statements they audit are accurate and complete.19

Because of the auditor's social responsibility as well as the liability exposure, auditors need to both be able to insure that the audit is properly executed and be able to demonstrate that fact to third parties. Audits are "team sports" and so auditors need a complete record of what various team members did, when they did it, what they did, and what they concluded from what they did. The final decision on whether to sign off on the audited financial statements rests with the partner in charge of the audit. However, that partner needs to be able to verify that his team members did their jobs and, therefore, needs documentation of what the team did.

In addition, auditors may be subject to several sources of outside review. These include:

The AICPA peer review process where audit firms must be reviewed every three years by other audit firms if the firms want to remain as members of the AICPA. Review by the PCAOB that is required if the audit firm wants to maintain its registration with the PCAOB to perform audits of public companies Lawsuits where a third party sues the audit firm for damages by claiming they relied on an inaccurate set of audited financial statements and incurred a financial loss because of that reliance.

Structure of Audit Documentation

Auditors develop a file for each audit client that includes all the documentation for that client. Since most audits are repeat engagements, the audit files are split into permanent and current components. The permanent component includes information about the client that does not change much from year to year. The annual portion will include the detailed documentation that

18 When I was in private practice, I always reminded myself while signing off on audits that I had just put my house on the line, as well as everything else I owned. 19 The proper terminology is not "accurate and complete," but is "free of material misstatements." We will discuss the formal terminology when we cover the audit report.

3-16 supports the current year's audit. Examples of items that would appear in the permanent portion of an audit file include copies of the auditee's: corporate charter or partnership agreement chart of accounts organization chart policies and procedures manuals, particularly their accounting manual important contracts like pension plans, union contracts, debt instruments and covenants, stock issuances, and leases documentation of internal controls and process flowcharts

Examples of documentation in the current portion of the audit file would include: copies of the financial statements and audit report all the original working papers to include the audit plan itself copies of minutes of important auditee Board of Directors and Committee meetings

The most extensive and detailed portion of the current audit file are the working papers. Audit working papers typically include:

The audit plan and program - Audit plans tend to be higher-level series of steps the auditor plans to take, whereas the audit program is a detailed list of specific procedures the auditor intents to execute. A working trial balance - Typically a spreadsheet file that begins with the auditee's unaudited general ledger balances, records any adjustments the auditors recommend based on their audit, and reports the adjusted general ledger balances used in the final financial statements. Accounting listings and analysis - This is the largest section. It contains listings of items in account balances, listing of items that were tested, the nature of the tests, the results of the tests, and the conclusions the auditor drew based on the tests. Any internal memos related to the audit Adjusting and reclassification entries - The journal entries the auditor recommends to the auditee based on their audit work are also documented in the working trial balance.

3-17 Examples of Audit Documentation20

The following is an example of how a working trail balance is constructed. As described above, it starts on the left-hand side with the auditee's unaudited general ledger account balances and includes columns to post adjusting and reclassification entries and columns to record the adjusted/reclassified account balances that will tie to the final financial statements. In addition, it contains a column for working paper reference.

This column illustrates the role of an audit trail in audit documentation. The auditor must be able to tie every component of the audit documentation to a final general ledger account balance and line item on the audited financial statements. Thus, all components must refer to other components in some logical sequence to provide a complete trail through the audit documentation.

The next example is of a working paper. This example shows information related to the auditee's legal and auditing expense account. In this example, the auditor is listing transactions in the account and indicating what audit procedures were performed on those transactions.

The auditor documents which step was performed on which transaction with tick marks. The working paper always includes a legend that reports what the tick mark means. Most firms establish standard tick marks that always refer to the same type of audit procedure to standardize and simplify their audit documentation.

In the upper right-hand corner of the working paper is the working paper number, the initials of the person who prepared it, and the date it was prepared. Later when audit managers and partners are reviewing the working papers, they will add their initials and dates. Working papers are numbered carefully so that the numbering scheme provides information on where the working paper fits in with the rest of the working papers.

20 All these examples were taken from Auditing & Assurance Services: A Systematic Approach, by William F. Messier, Jr., Steven M. Glover, and Douglas F. Prawitt, McGraw-Hill, 2008.

3-18

This last example illustrates how working papers fit together. They are organized hierarchically with the auditee's financial statements at the top level of the organization scheme. Then working papers that are more detailed are included underneath the higher-level working papers.

The following example shows the auditee's balance sheet at the top of the hierarchy. Beneath, is the working trial balance, as described above. Then comes a cash lead schedule that lists all the auditee's cash accounts that make up the cash balance on the working trial balance. Below, are the bank reconciliations for each cash account followed by supporting documentation for those bank reconciliations like bank confirmations and lists of outstanding checks.

3-19

The above examples should give you a basic idea of how audit working papers are organized and how auditors use numbering schemes and cross references to build a trail through their documentation. They use the audit trail to either drill down into the details behind a line item on the auditee's financial statements or drill up to insure a particularly transaction was properly included in the auditee's financial statements.

3-20 Major Phases of an Audit

Accept Auditee

Select Audit Team

Plan the Audit

Set Materiality and Audit Risk, and Assess Inherent Risk

Assess Control System Design

Test Balances Test Controls and Assess Control Risk

Complete the Audit

Issue Report

3-21 Chapter Four - Materiality Determination and Preliminary Risk Assessment

Summary

The purpose of this chapter is to familiarize students with three steps auditors execute early in the audit: setting materiality, setting audit risk, and assessing inherent risk. Auditors must complete these steps before they can design more detailed tests and procedures to assess control risk and reduce detection risk to acceptable levels.

After completing this chapter, students should be able to:

Describe the factors auditors consider in setting materiality and use those factors in a simple case to set and defend a financial statement materiality level. Discuss how auditors convert financial statement materiality into tolerable error levels for account balances and execute a strategy for doing so that is provided to them. Discuss how auditors set audit risk and why it does not vary much from audit to audit. Describe the factors auditors use to assess inherent risk and the sources of information they use as well as establish an inherent risk level for a simple case.

I have structured this chapter to parallel how auditors begin an audit to execute the audit risk model. That is, auditors start by setting audit risk and then assessing inherent and control risk. Auditors need to set audit risk as a basis for determining how much inherent, control, and detection risk they can tolerate. In addition, auditors set audit risk based on high-level factors that don't require detailed tests to determine that audit risk level. Thus, audit risk can be, and needs to be, set very early in the audit.

Auditors also assess inherent risk early in the audit for very similar reasons. Inherent risk is driven by factors that really don't require detailed testing to assess. In addition, the auditor needs to assess inherent risk early in the audit since his/her inherent risk assessment can influence how much control risk they are willing to tolerate and is needed to for him/her to calculate the detection risk they need to support with detailed tests.

Finally, auditors define the risks in the audit risk model as the risk of material misstatement. Thus, an auditor cannot assess risks before (s)he has set a materiality level. That is, auditors are not concerned with the risk of small errors, only the risk of material errors. Because of these dependencies between risk and materiality, I have structured this chapter to begin with setting materiality and then discuses assessing audit and inherent risk. I will leave the discussion of assessing control risk to the next chapter.

4-1 Setting Materiality

As I stated above, materiality is a quantitative measure of the magnitude of an error in a set of financial statements that would affect the user's perceptions of the firm. As you can imagine, this is a conceptually appealing statement, but this definition is very hard to implement. There are many types of users of financial statements that may be affected by different levels of errors in different accounts. For example, a potential investor in the firm may be more interested in the firm's trend in earnings per share and a potential lender may be more interested in the firm's current debt to equity ratio. I don't want to overstate the case, however. Bankers are also interested in the firm's earnings trends. My point is that different users will be sensitive to different error levels in different statistics and the auditor needs to develop one materiality level for the financial statements.

However, the auditor can't stop there. While the auditor's report covers the financial statements taken as a whole, the auditor actually audits individual financial reporting processes and account balances. Thus, the auditor needs a systematic way to distribute or assign his/her assessment of financial statement materiality to individual accounts. The balance of this chapter discusses tools and considerations auditors use to set financial statement materiality; how they use financial statement materiality as a basis for determining account level materiality (what auditors call tolerable error); and how they use financial statement materiality to assess their audit findings.

Materiality Level for the Financial Statements

Auditors need to determine two factors to set financial statement materiality: the statistic on which to measure materiality and the percentage of that statistic to use. For example, the most common statistic auditors use in setting financial statement materiality is net income, probably because readers of financial statements focus so much on net income and trends in net income when evaluating firms. The most common percentage of net income auditors use to set materiality is 5%.

However, using 5% of net income has several problems. First, it means that the materiality level for the firm will be affected by how well the firm is doing. For example, if the firm is very profitable, then materiality levels will rise and the auditor will assert that larger errors are not material. However, if the firm is just breaking even, then materiality levels will be very small and the auditor will have to test for small errors to assert that the financial statements are free of material misstatement. While a firm that is doing poorly may have a greater inherent risk of error, the auditor should address that issue through inherent risk assessment and not through materiality.

Another problem illustrated by the use of net income is that trends are as critical to users of financial statements as point estimates are. For example, the fact that a firm has a low net income this year will carry a different meaning for the users of the financial statements depending on whether the firm lost money last year or made a higher net income than this year. That is, users will be very sensitive to the trend in the firm's net income as well as what the net income was this year (i.e., a point estimate).

4-2

Because of some of these issues, many firms that use net income to set financial statement materiality will use an average net income over the last few years rather than the net income for the current year. This approach also helps if the current year's net income for the auditee is unusual and doesn't appear to represent a stable measure of the firm's performance over time.

Even though net income is an important statistic for most users of financial statements, many audit firms prefer to base financial statement materiality assessments on statistics that tend to be less volatile, like total sales or total assets. The idea here is that the size of an error that will affect a user will be affected by the overall size of the firm. For example, a $1 million error in New Mexico Highland University's checking account balance would be a major issue while a $1 million error in General Motors checking account probably wouldn't be noticed by anyone. Since the size of the firm is such an important issue, many audit firms will use statistics that measure firm size, like sales and assets that are not affected by how well the firm is performing, like net income.

Finally, an auditor's materiality determination can be affected by the nature of the firm. For example, auditors of banks and other financial institutions commonly use a percentage of net assets to set materiality. Net assets are the same as owner's equity and the level of a bank's net assets is critical to assessing the banks financial health.

Because the issue of how the size and location of an error might affect the judgment of a user of the financial statements, materiality determination is inherently judgmental and based on many qualitative considerations. Some of these include:

Whether a small error will affect a trend in a key statistic (e.g., change an decreasing trend into an increasing one) Whether a small error will trigger a covenant violation or affect a performance-based compensation contract (e.g., if the auditee is very close to a cutoff net income value that will trigger a bonus payment to management). Whether a small error will affect whether the firm meets or exceeds analysts' expectations for earnings per share. For those of you who are not that familiar with how the stock markets work, a firm's stock price can be affected by whether or not the firm's reported earnings per share fails to meet the expectations that financial analysts have developed by as little as a penny. This hypersensitivity to small differences between actual and expected earnings data can make relative small errors very meaningful to a large block of users.

To sum up, the auditor needs to consider a substantial number of contextual factors when setting financial statement materiality levels. An auditor's starting point would always be the materiality used in last year's audits for continuing clients, which most clients are. However, the auditor needs to be very careful to analyze the firm's current situation for changes that might affect the auditor's materiality judgment and not just accept the prior year's value. In addition, audit firms usually set a basic materiality level for all their audits that auditors can use as a starting point and then adjust that base value for qualitative considerations. Finally, since auditors must set a

4-3 materiality level as a basis for planning the audit, auditors frequently refer to the financial statement materiality they set at the beginning of the audit as planning materiality.

Tolerable Error for Each Account

Financial statement materiality is only a beginning point for planning an audit. As I mentioned above, auditors audit information processes to assess control risk and account balances to determine the existence of material misstatements. Thus, they need to have a systematic way to use their planned financial statement materiality to set error thresholds for individual accounts. While many audit textbooks use the term "allocate" to discuss how auditors use financial statement materiality to determine account level materiality (i.e., tolerable error), I have avoided using the term because "allocate" normally means taking an amount and spreading it out over items such that the amounts allocated to the items equals the total. This is not how auditors use financial statement materiality to determine tolerable error.21 Errors in accounts don't normally simply add up to an error in a key statistic. For example, sometimes errors offset each other. However, the auditor may be concerned about the very existence of these individual errors even though the offset each other in a key statistic. In addition, some errors may be additive and a series of small errors in enough accounts might add up to a material error in a key statistic.

Because of the complexities involved in using financial statement materiality to set tolerable error levels for the accounts, most audit firms develop conservative rules of thumb that allocate more than the financial statement materiality to accounts. For example, one firm I worked with assigned 50% of the financial statement materiality to every account balance, but then allowed auditors to adjust individual accounts based on qualitative factors. You can appreciate that if a firms has, say for example, 50 accounts or line items on their balance sheet and income statement and the firm allocates 50% of the financial statement materiality to each account, the total tolerable error for all accounts will be 25 times the financial statement materiality, which will leave the firm with a very large "materiality cushion." However, such highly conservative rules of thumb also could lead to over-auditing and a more expensive than necessary audit.

Using Materiality to Evaluate Audit Findings.

I will discuss this topic in more depth in the chapter on completing the audit. For the purposes of this chapter, I will merely point out that the auditor uses tolerable error to determine if an account balance is materially misstated as the auditor executes tests. However, the auditor also needs to aggregate all the errors (s)he finds while executing his/her tests to determine the overall impact on the financial statements as well. Thus, when evaluating the results of audit tests, the auditor must not only consider an error's effect on an individual account balance, but also that error's effect, in conjunction with other errors, on the overall impression the financial statements leave on the user.

21 I have used “account materiality” to this point because that term captures the conceptual meaning of tolerable error. However, to be consistent with audit practice and literature, I will use “tolerable error” from this point on.

4-4 Setting Audit Risk

Setting audit risk actually is a simple process for most audits. The amount of risk that an audit firm is willing to accept mostly is independent of the nature of a specific client. Note that the audit risk model differentiates between the risk the auditor is willing to accept (i.e., the left hand side of the equation) and the risk the client represents (i.e., the right hand side of the equation). For most audits, the risk the auditor is willing to accept does not differ from audit to audit. However, the risks that the client represents do vary greatly. Thus, most audit firms use a set audit risk for all audits, but do allow auditors to make qualitative adjustments for individual circumstances. For example, a common rule of thumb for audit risk is 5%. That is, auditors on most audits are willing to accept a 5% chance that they will certify that the financial statements are not materially misstated when they are materially misstated.

Assessing Inherent Risk

Inherent risk is the risk that the auditee's information system will create an error (i.e., material misstatement) in their financial statements without regard for the auditee's internal controls. Many factors affect a firm's inherent risk. Auditors classify these factors into three broad categories: factors that affect management's incentives to manipulate the financial statements, factors that affect the complexity of the firm's accounting and reporting, and the quality of the firm's information system.

The factors that affect the management's incentives relate to the firm's business risks. That is, the risks that affect the firm's operating and financial success. Since the financial community judges a firm's management by how well the firm performs, factors that make it more difficult for the firm to succeed increase the incentives on management to improve the firm's apparent success by manipulating their financial statements.

The firm's business risks also affect the complexity of their accounting and reporting. For example, firms that sell to customers in a declining market will have a more difficult time estimating their allowance for doubtful accounts. In addition, firm's whose products or services are inherently complex also face more difficult accounting issues. For example, firms that buy and sell complex investment instruments like securitized mortgages face difficult issues when determining how to classify these instruments on their balance sheets and how to calculate changes in their market value for financial statement presentation.

There also are a variety of factors that affect the quality of a firm's information system. The main factors are those related to the design of the information system and the quality of the people who run it. I am defining "information system" broadly to include the policies and procedures the firm uses to process information as well as the quality of the staff who execute those processes. Thus, a critical issue for inherent risk assessment is the experience, training, and monitoring of an auditee's employees as well as their attitude and incentives to do a good job. For employees to do a good job they need to have the resources, including knowledge, to do the job and the incentive to do it well.

4-5 Business Risk and Management's Incentives

Applying Analytical Procedures

Factors that Create Management Incentives

Auditors assess the degree to which management has an incentive to manipulate the firm's financial statements in a variety of ways. However, they usually start with an analysis of the firm's current operating performance and financial position by applying basic ratio analysis to the firm's unaudited financial statements. Auditors use the term "preliminary analytical procedures" to refer to this sort of analysis.

One problem in determining management's incentives to manipulate financial statements is defining what "look good" means. In most cases, the goal of management is to have the financial statements report stable earnings growth over time and significant excesses of assets over liabilities. These are the key factors that make the operating performance and financial position analyses covered in the beginning of the class lead to a positive assessment of the firm's performance. "Stable earnings" does not mean flat in this context. It means low variability around an increasing trend (i.e., growth). If a firm's reported Net Income increases, on average, over time but changes significantly from year to year, then reported net income is less reliable in predicting future net income. That is, variability in historical trends increases the difficulty of predicting future trends. Reducing the variability in earnings is commonly referred to as income smoothing. Because investors and potential investors are interested in predicting an auditee's future earnings, higher levels of variability in historic earnings will make it more difficult for investors to predict future earnings and, thus, they will not be willing to pay as much for a share of the auditee's stock. Thus, there is an incentive for the auditee's management to manipulate earnings to reduce variability in reported earnings.

Managers benefit in a variety of ways from reporting results that "look good." These include:

• Manager's pay and bonuses often are tied to reported numbers. • Managers frequently are granted stock options that only become valuable to the managers if the stock price goes up. • Better performance increases stock price, which makes raising new funds from the stock markets easier. • Many of the firm's long-term debts come with covenants that set limits on reported numbers. If the reported numbers go outside these limits, the creditor can force the firm to repay the debt immediately.

In some cases, however, managers have an incentive to make the firm's results "look bad," or at least not so "good." The management of not-so-healthy firms may have an incentive to reduce reported earnings even further. As discussed more completely in the next section, many of the

4-6 tools available to management to manage earnings will reverse in future years. Sometimes when a firm obviously is doing poorly in one year, management may increase the loss in that year (i.e., "take a bath") to create "reserves" that can be used to increase future earnings. These "reserves" usually are valuation accounts that management may increase to allow for future losses. However, nearly all the activity that involves the use of these valuation allowances will eventually "settle up" or reverse in the future. If management is overly conservative in setting a valuation allowance, when the transactions involve "settle up" and the expected loss is not incurred, the firm's net income will get a boost as the prior valuation allowance is reversed.

The incentive to reduce reported earnings also can occur in highly successful companies that tend to dominate their markets and risk regulatory intervention or increased competition. For example, the fact that Microsoft dominates the world's personal computer operating system market has lead the U.S. and European Union to attempt to force Microsoft to unbundle some of its software and make the source code for Windows™ open to other firms. If Microsoft were not as profitable or as dominant as it is, this regulatory pressure probably would be lower. In addition, if firms become too successful, they invite other firms to move into their markets, which increases competition. Therefore, sometimes management will attempt to manage their earnings downward to avoid looking too "good."

Factors that affect Management's Ability to Manipulate Financial Statements

GAAP includes several areas where it moves away from historical cost as a basis for valuation or requires interperiod cost allocations and relies on management judgment for both. The main areas covered in this course where management judgment is required are:

• determining the useful lives and depreciation methods for fixed assets; • setting allowances for doubtful accounts; • determining when asset values have been impaired (e.g., available for sale securities, fixed assets, and goodwill); • determining the net realizable value of inventories for the lower of cost or market rule; • setting the income tax asset valuation account; • designating securities as "available for sale" instead of "trading;" • valuing employee stock options, particularly setting the parameters for the Black-Scholes model, or the assumptions management uses for the binomial model; • determining the parameters used to estimate future pension or other post-retirement benefit liabilities; and • structuring transactions to take advantage of the boundaries of accounting rules. Some examples include:  leases to avoid capitalization  special purpose entities to create off-balance sheet liabilities

4-7  resale agreements with distributors and resellers to circumvent revenue recognition rules. Some of these items are harder to use to manipulate earnings than others. For example, items like determining useful lives for fixed assets cannot be changed every year to manipulate earnings. Similarly, classification of securities as available for sale cannot be changed frequently without sending out "red flags." Finally, asset impairment decisions cannot be reversed and are permanent once they have been made. Other items can be changed every year, but changing them too frequently also sends out "red flags." For example, the parameters used for calculating annual pension expense or for valuing stock options may change frequently due to changes in economic conditions. However, changes in these parameters that do not seem to parallel changes in economic conditions also can send out "red flags."

If you did not recognize many of the issues I just raised, most are covered in intermediate accounting classes and so if you have not taken intermediate accounting, they may not be familiar. However, to be a good auditor, you need to have a strong grasp of these sorts of accounting issues. I will not be covering these accounting issues in this class and I referred to the accounting issues above as examples of some of the areas within GAAP were managers are required to make judgments and, therefore, have the ability to use their judgments to manipulate earnings.

Since management typically is biased toward making the firm "look good" by making judgments and choices that increase assets and net income, most GAAP valuation rules tend to be biased in the opposite direction. A good example of this bias is in the lower of cost or market rule for valuing inventory and the requirement to write down the value of fixed assets whose value has been impaired . Both these rules only allow management to reduce asset values if market conditions change, not increase them. This is the main reason for the conservatism principle in accounting.

In summary, auditors use analytical procedures like basic ratio analysis to attempt to determine where the firm stands financially and what management's incentives might be to affect the perception that the firm's financial statements leave on the readers of those financial statements. This assessment not only leads to an assessment of inherent risk, but also helps the auditor create targeted expectations about where, within the financial statements, the incentives on management might come together with areas where management judgment inherently is required and, thus, where management has some ability to manipulate the financial statements. Auditors will use these targeted expectations to help generate specific audit tests and procedures to determine if the financial statements are actually misstated due to management manipulation.

Assessing Fraud Risk

The above discussion addressed management incentives to manipulate the financial statements. Most of the tools I discussed are legal and conform to GAAP but they just "push the envelope" within GAAP and can, if pushed too far, violate GAAP. Auditing standards require that auditors also explicitly look for fraud, which are intentional and illegal activities that affect the financial statements. The factors that help support fraud are very similar to the factors that affect

4-8 management's incentives to manipulate the firm's financial statements legally. However, fraud also can involve theft or misappropriation of assets and not just manipulation of the financial statements. The key factors that can lead to fraud include:

The ability to commit fraud, such as access to assets or the need for a judgment call under GAAP. An incentive to commit fraud, such as improving the image the financial statements present; increasing compensation; or stealing assets. The ability of the individual(s) involved to rationalize the fraud, usually based on weak ethical standards.

All these conditions need to be present for fraud to occur. However, the last condition particularly may be difficult for the auditors to assess. In addition, since fraud is an intention act, audits have a more difficult time detecting it because the perpetrator normally will take steps to cover it up.

As a practical matter, the auditors do not include many tests and procedures in their audit programs that are targeted specifically at fraud detection. Both fraud and unintentional errors create misstatements in the financial statements and audit procedures are designed to detect misstatements, regardless of their source. For example, if, during the auditor's assessment of inherent risk, (s)he identifies an account balance that might be susceptible to misstatement due to fraud, (s)he will target additional audit resources to auditing that account, which is the same approach (s)he would take if (s)he believed the account was susceptible to an unintentional error. However, if the auditor believed that fraud might be involved, (s)he might include tests of procedures that may be more effective in detecting an attempt to cover up the potential misstatement in the financial statements.

Business Risk and Accounting Complexity

Business risk factors also affect the complexity of the types of transactions in which a firm engages and, thus, the complexity required to account for the firm's activities. Here are some examples to illustrate the factors that affect the complexity of a firm's financial reporting.

Nature of the industry

Many industries have idiosyncratic factors that make accounting for the normal transactions within that industry challenging. For example, financial services firms buy and sell a rich variety of investment and insurance products that can be very complex and difficult to account for. The more complex the transaction, the more difficult it is for the firm to get the accounting right. Other industries deal in products that may be difficult to value. For example, oil and gas firms need to value their inventory of oil and gas reserves. However, the value of these reserves changes with the world market prices. In addition, the quantity and quality of these reserves is difficult to estimate because the reserves are unproven and still in the ground.

4-9 Nature of the Firm's Regulatory Environment

All industries are regulated to a degree by such things as financial reporting requirements (e.g., required filings with the SEC and stock exchanges), anti-trust laws, tax laws, employee safety and labor relations laws, and laws that affect international commerce. In addition, some industries are more regulated than others are. For example, utility firms that provide electricity, gas, telephone, and internet services all face specific regulation and, in some cases, price controls. Auditors need to have a deep understanding of all the regulations that an auditee faces to determine how those regulations might affect the inherent risk to the firm's financial statements.

A simple example of how regulation can affect a firm's financial statement is tax laws. Income tax accounting under GAAP can be quite complex because income tax accounting must address both the timing differences that arise between the accounting rules set by the taxing authorities and the accounting rules set by GAAP. In addition, there are permanent differences between items that GAAP recognizes as revenues and expenses and items that are recognized as taxable revenue or deductable expenses under tax law. Thus, the auditor needs to understand the firm's tax position in order to verify their tax accounting for their financial statements.

Characteristics of the Auditee

Finally, firms have idiosyncratic features that can affect the inherent risk of financial statement errors as well. These features can be extensive, but here are some illustrative examples:

The firm's credit and warrantee policies, which can affect allowances for bad debts and future warrantee claims. The types of joint ventures and other long-term relationships in which the firm engages, which can create related-party transactions and future commitments that need to be disclosed in the footnotes. The firm's merger and acquisition activities. Mergers and acquisitions tend to be complex transactions involving substantial management judgment in valuing things like goodwill and purchased in-process research and development. The firm's reorganization plans. Reorganization plans also tend to be complex transactions that involve management judgment dealing with the classification and valuation of expenditures and asset and goodwill impairments. The firm's reliance on a few key customers or suppliers, which can create both pressures on management as well as create problems in valuing the transactions between the customer or vendor and the firm. The firm's use of hedges, off balance sheet financing, and other complex financial instruments, all of which are complex transactions and frequently involved some form of market value estimation by management.

The auditor needs to have a comprehensive understanding of all these factors to assess inherent risk adequately and to target their audit tests and procedures on areas that are at a greater risk

4-10 than others are. Keep in mind that auditing is a for-profit business and auditors do not have unlimited resources to conduct an audit. Thus, a major part of inherent risk assessment in not only coming up with a number to plug into a formula, but also identifying key account balances or control procedures that may create a greater risk of error so that the auditor can target limited resources at the accounts and process most at risk of error.

Assess the Quality of the Auditee's Information System

While inherent risk is defined as the risk of an error independent of the firm's internal controls, assessing the quality of a firm's information system independent of the controls embedded in that system is quite difficult. Thus, auditors evaluate most of the inherent risk factors that affect the quality if a firm's information system as part of their assessment of control risk.

For example, the auditee's employment practices can have a significant effect on the quality of the firm's information system. If the firm does a thorough background screening of all new hires; insures that employees are well trained and have the necessary resources to do their jobs; and regularly monitors employee performance to insure top performers are rewarded and weak performances are counseled, then the inherent risk that the people who make the firm's information system work will make an error, is reduced. However, these same policies and procedures also help insure that the people running the auditee's controls also will be effective in eliminating errors from the information system. Thus, auditors typically assess these types of factors as part of their assessment of the firm's control procedures and control risk.

Sources of Information

I mentioned one main source of information that auditors use to assess inherent risk above, which was an analytical review of the firm's financial position and operating performance. In addition, auditors will use the following sources of information. Note that this is not a complete list:

Asking the firm's management about risk areas. Reviewing the popular business press and trade publications for the auditee's industry. Asking the firm's internal auditors. list. Interviewing other key employees. Observing the auditee's operations. Reviewing the auditee's internal documents and correspondence. Reviewing prior audit's working papers and interviewing audit team members from a prior year's audit. Interviewing audit firm personnel that provide non-audit services to the auditee. Interviewing audit firm experts in the auditee's industry.

4-11 Chapter Five - Inherent Risk Assessment

Summary

This chapter's purpose is to provide students with information on how auditors assess inherent risk and to include a discussion of the sources of inherent risk and sources of information auditors use to assess inherent risk. After completing this chapter, students should be able to:

Discuss the definition of inherent risk and how it relates to a normal financial statement audit. Describe the major sources of inherent risk in most audits and discuss why these sources create inherent risk. Describe the major sources of information auditors use to gather information to assess inherent risk and which risk factors these sources address.

Assessing Inherent Risk

General Sources of Inherent Risk

Assessing inherent risk is inherently judgmental. There is no standard rule or algorithm that can take a listing of relevant factors from those I am going to discuss for an auditee and convert that to an inherent risk assessment. This is probably the major reason why auditors don't try to assess inherent risk in terms of a percentage likelihood that the auditee's information system will produce an error irrespective of the auditee's internal controls. Instead, auditors will classify the firm's inherent risk into a category; usually high, medium, low, or very low. Nor have auditors attempted to assign probability ranges to these categories to facilitate creating a probability to plug into the audit risk formula. However, auditors can look for inherent risk factors for the auditee and build a body of evidence that supports their categorization of the auditee's inherent risk.

Auditors also need to assess inherent risk at two different levels: firm-level and account level. Thus, I have divided this chapter's discussion of inherent risk assessment into two sections: one that presents firm-level inherent risk factors and one that presents revenue process inherent risk factors. Firm-level inherent risk factors have a broad, but indirect, effect on the risk of error in a particular account balance. That is, the presence of firm-level inherent risk factors creates an increased likelihood that several account balances affected by more than one class of business processes may contain an error. For example, if the firm's management is under extensive pressure from the capital markets to meet analysts’ expectations for their year-end earnings per share statistic, this pressure will increase the likelihood of error in any account that would increase earnings per share, which would include things like asset valuation, revenue recognition, and expense recognition. An example of an account-level inherent risk would be an economic collapse in the auditee's customer's markets. Such a collapse would increase the risk of an error

5-1 in the allowance for doubtful accounts balance due to an understatement of the risk that the auditee's customers might not be able to pay their bills.

The line between a firm-level risk and an account-level risk can be fuzzy. While the distinction is useful to help auditors be complete in their consideration of factors that affect inherent risk, it isn't critical to assessing inherent risk. That is, the auditor ultimately will apply the audit risk model to individual accounts or groups of related accounts because they will use their inherent risk assessment to determine detection risk. In turn, auditors achieve their desired level of detection risk by running tests on account balances. Thus, auditors manipulate detection risk at the account level and, therefore, need to assess inherent risk at the account level. However, both firm-level and account-level factors affect an account's inherent risk level.

The following sections present annotated checklists of factors that can create firm-level inherent risk for an auditee. I have tried to produce a list of factors while providing a sentence or two on each one to explain how it can create inherent risk. I have broken the factors into two categories: external and internal. External factors are factors in the auditee's environment that they cannot control that create potential risk of error. Firms can control these factors in the sense that they can alter their activities to adjust to these risk factors. However, they usually can't directly alter the existence or magnitude of the risk factor. Internal factors are factors that the auditee can control because they are based on how the auditee has chosen to do business.

External Environmental Factors

Industrial Factors

Level of competition in the auditee's industry - high levels of competition, either for customers or for suppliers, put pressure on the firm in two ways. First, by increasing pressure on management to manipulate the firm's financial statements to improve the impression they leave on investors and, thus, keep the firm's stock price higher. Second, competitive pressures can alter management's focus on operating issues rather than financial reporting and controls issues. Management may redirect the firm's resources away from accounting and control activities to operating activities in a short-term attempt to boost the firm's performance. Managers may perceive accounting and control issues as "overhead" to be minimized and they may not appreciate the effect inaccurate financial information may have on the firm's longer-term performance. These competitive pressures can come from either the customer side or the supplier side. That is, most firms compete for customers. However, some firms also have to compete for limited supplies of raw materials or labor. For example, high-tech firms, like bioengineering firms, need to complete for highly skilled workers. Competition for supplies of materials and labor places management under pressure in the same way as competition for customers does. Seasonal or cyclical activity - Firms in industries with strong seasonal or business cycles need to adjust their activities accordingly. Failure to do so may increase the risk of error in the financial statements. For example, retailers normally generate 40% of their annual

5-2 revenues in the month between Thanksgiving and Christmas. If the firm doesn't increase staffing to handle the increased need to process these sales transactions, it could face increased risk of error due to understaffing in key financial reporting and transaction processing activities. High tech production processes or products - Complex production processes inherently create complex accounting issues. In addition, new types of production processes require time for the firm's accounting system to develop appropriate accounting procedures and valuation methods. Thus, there are two factors at play here: complexity and change. Both of these factors increase the inherent risk of error.

Regulatory Factors

Complex or judgmental accounting practices - This point is related to the industrial factors I discussed above. Complexity and change in the way an industry functions can create complex accounting procedures and GAAP rules that are specifically targeted at an industry. I also have included here the requirement for management judgment, usually in valuing transactions. The nature of products and other assets employed by some industries makes valuing those products or assets more difficult and can create the need for management judgment. For example, inventory values in an industry that is rapidly changing may be more sensitive to the lower of cost of market rule and may require substantial management judgment to determine if the net realizable value of the inventory is lower than the cost. Again, the level of complexity or the need for judgment both increase the inherent risk of error in the financial statements. Specific governmental regulation in for the industry - Some industries are more heavily regulated by governmental agencies than others are. For example, public accounting is heavily regulated by state governments who determine who may practice as a certified public accountant. The Federal government and state governments also heavily regulate the banking and savings industries to help insure the safety of people's savings and investments. Some of these regulations are straightforward and easy to follow while others are quite complex. Since there are serious penalties associated with violating these regulations and since these penalties frequently are assessed against management personnel, the existence of government regulation can create incentives for managers to circumvent them. Auditing standards do require that auditors insure that their auditees are not violating regulations. The reason is that violating regulations can create financial penalties and potential future liabilities that the auditee should disclose in their financials statements and footnotes. In addition, the more complex and extensive the regulation, the more difficult it is for the auditee to comply with them, thus increasing inherent risk. Governmental fiscal and tax policies - In addition to regulation, governments provide tax incentives, subsidies, and other forms of financial support for selected industries. To the degree that value of these provisions depends on financial information provided by the auditee, the existence of these provisions can create incentives on management to manipulate the firm's financial results. Also, the more complex and extensive these provisions are, the more difficult it is for the firm to comply with them properly, thus increasing the inherent risk of financial statement errors.

5-3 Economic Factors

Health of the general economy - If the economy is strong, then pressure on management to perform is reduced because achieving strong performance is easier. When the economy begins to turn down, managers are under increasing pressure to maintain the firm's performance in spite of the economic downturn. Many of the recent cases where firms have run into accounting problems occurred just as the recession of 2001 was starting. Historically, this is very common. Whenever the economy softens, the incidence of accounting and financial reporting problems tends to increase. Interest rates - Changes in the market rates of interest can have a significant impact on a firm's ability to afford to raise capital by borrowing money. Thus, rising interest rates can put pressure on a firm to maintain performance in the fact of rising costs, which can increase pressure on management and increase inherent risk. Inflation - Low levels of inflation make it much easier for firms to budget and forecast. High levels of inflation create uncertainty and put pressure on managers to insure their prices keep pace with their increased costs. Thus, high levels of inflation can increase pressure on managers and, thus, increase inherent risk. Changes in foreign exchange rates - Today most firms do business internationally. This means that many of their transactions are executed in a foreign currency and must be translated into a local currency to produce financial statements. Rapid changes in exchange rates make it harder to make those conversions correctly. In addition, changes in exchange rates can affect the demand for a firm's products or the costs of their labor and raw materials. For example, the US dollar has dropped consistently over the last few years against just about all the other major currencies in the world due to the US budget and balance of payments deficits. This means that US firms have tended to sell more overseas because their products' prices are stated in US dollars and, thus, become cheaper as the dollar falls. However, the fall of the US dollar also has increased the costs to firms who purchase products from overseas. These changes are outside the control of management and can put pressure on management to maintain the firm's performance in the face of potentially adverse market conditions, which can increase the inherent risk of error.

Firm-specific Factors

Financial condition of the firm - Firms that are successful and profitable tend to have lower inherent risk of error because of the reduced pressure on management than firms that are struggling. Auditors always perform an analysis of an auditee's recent operating, cash management, and financial results to determine if the auditee is struggling or not. History of error - If the auditee has a history of poor audit results where the auditor, either current or prior, has had to ask the auditee to make audit adjustments, this increases the likelihood that there will be errors in the current audit. To be precise, prior audit adjustments could have been caused by weak internal controls, which would be a control risk issue. However, the auditee's control system couldn't have failed to eliminate an error in the auditee's financial records if the error didn't exist in the first place. Thus, prior errors are evidence of both prior inherent and control risk.

5-4 Complex or innovative financial arrangements - The same logic applies to the types of financial arrangements a firm uses to generate cash from outside sources. Modern finance theory has developed a long list of hybrid financial products that have features of both debt and equity and/or whose values are derived from other financial instruments, assets, or liabilities. For example, mandatorily redeemable cumulative preferred stock has many features of debt and, under GAAP, is reported as debt even though it legally is preferred stock, which is equity. Other examples include hedging arrangements that match a financial instrument with an asset, liability, or future cash flow and the use of leases. Again, the complexity of these arrangements and the fact that some of them are hard to classify on a balance sheet increase the risk that the firm will generate an error when accounting for them. In addition, I have found that firms that have a significant amount of these non-traditional financial instruments normally are in financial trouble, which also increases inherent risk of error. Finally, many firms use leases to "purchase" property, plant, and equipment rather than buying it outright. The GAAP rules that determine whether these leases are accounted for as leases or as purchases (i.e., a capital lease) involve management judgment and estimation. Since many firms use lease arrangements not because of any direct economic benefit to doing so but, rather, for the accounting treatment that comes with leases, extensive use of leases can increase inherent risk of error because management may push the boundaries of the GAAP rules to achieve a desired accounting outcome. Debt covenants - Some lenders build covenants into their debt instruments that require that the debtor maintain things like certain levels of working capital, dividend payments, or debt levels or the creditor can call the debt. The existence of these covenants places pressure on managers to maintain the statistics covered in the covenants at levels that do not violate the covenants. This increased pressure on management can increase the inherent risk of error. Management compensation contracts - Some firms reward management if the firm's performance exceeds certain levels as measured by accounting data. For example, a firm's management might receive a bonus if the firm's profit margin increases by a percentage point over the prior year's profit margin. These types of incentive contracts increase the pressure on management to perform and can increase the inherent risk of error. Management strategies - Different firms may adopt different strategies to achieving success in their industry. Differences in these strategies can create increased inherent risk. For example, a firm whose strategy is to rapidly increase market share would be at greater inherent risk because of the additional pressure rapid growth places on both management's incentives and the firm's information systems. Specific customer or supplier arrangements - Firms can differ on how they structure arrangements with their customers and suppliers. Some firms in the same industry may sell directly to the ultimate consumer while others may user resellers. Recall the discussion in the prior chapter on revenue recognition issues that arise when a firm uses resellers. Thus, the use of resellers can increase the inherent risk of error because it complicates the revenue recognition process. In addition, some firms depend on a few, large suppliers or customers while others use a variety of suppliers and sell to a variety of customers. Concentration in the firm's supplier market increases the power the suppliers have over the

5-5 firm and can increase the inherent risk of error if the suppliers change their pricing or other supply arrangements and the auditee's information system isn't flexible enough to adjust. In addition, concentration in the supplier markets can put pressure on the auditee's management to maintain low production costs because of the supplier's market power and ability to raise prices. Thus, inherent risk also can increase due to increased pressure on management to maintain performance. Other special arrangements - There are a variety of other special arrangements firms can engage in that can create additional inherent risk of error. Some examples include joint ventures, partnerships, off-balance sheet financing arrangements, and related party transactions. To the degree that these arrangements create more complex accounting issues or place increased pressure on managers, they can increase inherent risk. Doing business in multiple industries - Some firms focus on one industry (e.g., Home Depot) and other firms do business in a variety of industries (e.g., General Electric). The more different industries in which a firm does business, the more complex their accounting becomes because each industry probably has some industry-specific accounting rules to follow. This increased complexity increases inherent risk of error. Doing business in multiple locations - The more geographically dispersed the auditee's operations are, the greater the difficulty in coordinating the accounting for diverse locations and conforming to local accounting and financial reporting rules. Obviously, the latter point applies mostly to firms that do business in several countries. However, there also are differences in state laws that affect firm's operations as well. The need for increased coordination and the need to comply with all local laws and rules both increase the complexity of the auditee's accounting challenges and, thus, the inherent risk of error.

Summary of Sources of Inherent Risk

In summary, financial statements and account balances can contain errors from two broad sources: unintentional and intentional. Intentional errors can be fraudulent, but also can merely involve overly aggressive management judgments, typically involving valuation decisions. The inherent risk of unintentional errors increases with the complexity of the accounting involved, the volume of activity the firm's information system has to process, and the rate of change in the nature, volume, and complexity of the transactions the firm's information system records and processes. The inherent risk of intentional errors increases with any factor that places increased pressure on management to meet performance expectations that are measured in terms of accounting numbers. All of the sources of inherent risk I discussed above create increased risk by increasing the complexity, volume, or rate of change in the firm's environment or by increasing pressure on management.

Sources of Inherent Risk in Revenue Processes

The purpose of this section is to provide some examples of inherent risks that are specific to revenue processes. However, students should recognize that these are just examples of the basic sources of inherent risk mentioned above. My main point is that students can take the list above and merely refine it by looking for industry, governmental, and economic factors that have an

5-6 effect on revenue recognition and credit collection to identify inherent risk factors for revenue processes.

Revenue Recognition

I discussed the issues involved in revenue in the previous chapter. Some industries have inherently more complex and/or judgmental revenue recognition practices. For example, the construction industry inherently must address recognizing revenue under the percentage of completion method, which involves management judgment. In addition to the revenue recognition practices of the auditee's industry, individual firms can develop various forms of reseller arrangements that can create revenue recognition complexities and, thus, increase inherent risk. Auditors need to review all such arrangements that the auditee has developed to determine the level of inherent risk associated with a specific firm's revenue recognition policies.

Credit Terms

Different firms have different policies on extending credit to customers. The more liberal or complex that these credit terms are, the greater the inherent risk that the auditee will make an error in accounting for credit sales and collections or that their estimates of bad debt expense may be inaccurate.

Economic and Regulatory Factors

Any economic factors that would tend to depress demand for the auditee's products, increase completion for customers, or increase the difficulty in collecting for credit sales would increase the inherent risk of error in the auditee's revenue processes. In addition, any government regulations that affect how the auditee can generate or recognize revenues, or affect their ability to collect for bad debts also increase inherent risk of error in their accounting for their revenue transactions.

Information Sources for Inherent Risk Assessment

This section presents a few major sources of information auditors use to assess inherent risk. As the extensive list of factors that affect inherent list that I presented above illustrates, sources of inherent risk are diverse and extensive. Thus, the auditor needs to look at a variety of sources to insure that their inherent risk assessment process is thorough.

At this point, I should point out that I have avoided using a common term from auditing texts and the auditing literature that authors apply to assessing inherent risk: "obtaining and understanding of the client's business and industry." I have avoided using the term "understanding" because I feel it isn't specific enough to be meaningful. Auditors have a need to identify the sources of inherent risk in an audit so that they can provide assessments for the risk model and, consequently, determine how much work they need to do and where they need to target that work. I have tried to frame my discussion of inherent risk assessment along those lines. I just believe that the term "understanding" is too vague to capture the goals auditors attempt to accomplish in reviewing the types of information sources I discuss next.

5-7 Management and Other Key Personnel

One of the best sources of information about an auditee's inherent risk is interviews with the auditee's management. I have included "other key personnel" because, as an auditor myself, I found that interviewing the "troops in the field" was an invaluable source of information as well. Lower level employees have less of an incentive to "spin" their answers to auditors and can be a valuable source of information. The key point is that the auditee's employees usually know more about the firm specific factors listed above than any other source of information. However, the main drawback of using the auditee's personnel as a source of inherent risk information is that those employees, particularly upper management, have an incentive to "spin" their responses in a way that will lower the auditor's assessment of inherent risk. Thus, auditors need to be careful to gather information from multiple sources within the firm and compare them.

Third Parties

Third parties include vendors, customers, the client's attorneys and consultants, and others who have some ongoing relationship with the auditee. These sorts of third parties may have significant knowledge about the factors that contribute to inherent risk and may have less of an incentive to "spin" their responses to the auditor. The auditor does need to get the auditee's permission to talk to many of these third parties; particularly attorneys who would have to protect their client's confidentiality. However, auditors usually build this sort of permission into their engagement letters and, if the auditee balks; that alone can be a sign of increased inherent risk.

Auditee Documents

Access to the auditee's documents also is something that auditors regularly build into their engagement letters since the auditee's documents are the primary source of data for all audit tests. For inherent risk assessment, the auditor usually focuses on documents that cover broad policy issues and operating procedures. Some examples would include the auditee's policy and procedures manuals, minutes of the Board of Directors meetings, and correspondence with key third parties. Keep in mind that the goal of inherent risk assessment is to indentify characteristics of the auditee and its operating and regulatory environment that might increase the likelihood that the firm's information system would create an error or that would increase the pressure on the firm's management to manipulate the firm's financial results. At this point, the auditor is not executing specific tests of transactions and balances or of the information processes that process those transactions.

Trade Publications

Auditors regularly read the popular and business press for stories about their auditees and their auditee's industry as well as about the economy. For example, if I were auditing an airline, which inherently is heavily affected by crude oil prices, I would be sure I knew how crude oil prices had changed recently and would read articles by oil analysts regarding the future of oil prices (which currently is that they will only go higher from their current record levels). In addition, publications like the Wall Street Journal, Barrons, Inc. Magazine, CFO magazine, and CIO magazine frequently contain articles on individual firms that can be very enlightening. Finally,

5-8 nearly every industry has an industry association designed to support and grow the industry. These associations normally have industry-specific publications that can provide an auditor with valuable information the history and direction of the industry as well as changes in produces and production methods and technologies.

Economic Data

The US government is an excellent source of general economic data for the US. For example, the website of the Federal Reserve Bank of St. Louis has historical data on interest and inflation rates and the Department of Labor's website has a variety of data on the US economy. The US government also publishes some information about the global economy as well. In addition, the United Nations publishes a rich variety of global economic data, as do several international magazines, like the Economist, which is published in London.

5-9 Chapter Six - Revenue Processes

Summary

The purpose of this chapter is to give students an overview of the basic procedures firms use to record and process revenue22 transactions. The specific nature of these procedures will differ depending on the type of firm and the type of good or service the firm produces. However, the basic information processing needs are similar.

After completing this chapter, students should be able to:

Describe GAAP rules for revenue recognition and apply them to simple cases. Describe the basic processes involved in generating and documenting revenue transactions and in collecting for revenue transactions. Describe the documents sellers use to document the details of revenue transactions to include the purpose each document serves and the information it typically contains.

Revenue and collection processes23 contain activities designed to market and sell products and services, as well as collect for those revenues. Therefore, it contains activities involved in marketing and sales, sales transaction processing, delivery of merchandise, and collection of payments. It also includes activities involved in processing returned merchandise, dealing with customer complaints, and managing bad debts and other collection problems. However, because I am using the revenue processes as an example to illustrate auditing internal controls and balances, I am not going to cover the processes and documents associated with sales returns and allowances. This will simplify the example and make it easier for me to focus on the auditing issues. The key economic goals of these activities are to maximize revenues and the cash flow generated by the collection of revenues.

Revenue Recognition

Before I get into the details of how sales and related transactions are processed, I need to cover the GAAP rules on when a sale is recognized. The FASB's Financial Accounting Concepts No. 6 defines revenues as:

22 I sometimes will use the terms "revenue" and "sales" interchangeably in this chapter. This is common in practice because the two terms are virtually identical. Some authors consider "revenue" to be more general, but, in my opinion, all revenue comes from selling something. Even interest income comes from selling the use of money. Thus, I don't see any significant difference between these terms. 23 Auditors used to refer to a group of related processes as a cycle. That is, they would refer to revenue and collection process as the revenue and collection cycle. Thus, if you run across references to "cycles" in the accounting, information systems, or auditing literature, it means the same as "processes."

6-1

"...inflows or other enhancements of assets of an entity or settlements of its liabilities (of a combination of both) from delivery or producing goods, rendering services, or other activities that constitute the entity's major or central operations."

The key aspects of this definition are that the firm has delivered a good or services as a part of its core operations and has received something of economic value in return. The firm receives economic value by either receiving an asset or being relieved of a liability.

However, the definition is incomplete because it doesn't address the certainty associated with the receipt of the asset or relief from the liabilities. Consider a typical credit sale where a firm delivers a product in exchange for a promise to pay (e.g., account receivable). Should the firm recognize the revenue from this transaction if there is only a low probability that the purchaser will actually pay for the goods or services?

To address this issue, the SEC, in Staff Accounting Bulletin (SAB) No. 101, includes the following additional criteria for recognizing revenues:

Persuasive evidence of an arrangement exists. Delivery has occurred or services have been rendered. The seller's price to the buyer is fixed or determinable. Collectability is reasonably assured.

Next, I will work through the major issues involved in recognizing revenues and provide some examples.

Delivery of Goods or Services

This issue is not as simple as it sounds. One key element, particularly for goods, is that legal title to the good has transferred. Since services are not a tangible item, the passage of title is not clear. However, passage of title to services normally means the purchaser has the right to use or apply the results of the service to their operations at their discretion.

For goods, "delivery" may require more than the physical transfer of the good to the purchaser. There are two, common exceptions where physical delivery from the seller to the purchaser does not constitute "delivery" for the purposes of revenue recognition under GAAP: goods on consignment and transactions where an unlimited right of return exists. When a seller delivers goods to a purchaser on consignment this means that title to the goods has not transferred to the purchaser even though physical possession has. Under consignment arrangements, the purchaser intends to resell the good to another purchaser, typically the ultimate consumer. In this case, the initial purchaser is called a reseller because they intend to resell the goods and not consume them themselves.

6-2 In a consignment transaction, the reseller takes possession of, but not title to, the goods and, if the initial purchaser cannot sell the goods, the reseller returns them to the seller without any cost or penalty to the reseller. The key feature of a consignment is that the seller retains title to the goods. This means that the seller retains the risks and rights of ownership. In a consignment arrangement, the seller cannot record any revenue until the reseller sells the good to the consumer.

Sellers can create other forms of agreements with purchasers other than consignment arrangements. In general, sellers and purchasers can negotiate the conditions under which the purchaser can return the merchandise to the seller without cost to the purchaser. In most sales transactions, the purchaser can return defective merchandise without cost. This is a basic warrantee arrangement. The existence of a warrantee normally does not preclude the seller from recognizing revenue when the seller delivers the good. Most firms treat warrantees like accounts receivable. They estimate the cost of delivering on the warrantee at the point of sale to match the warrantee cost against the revenue they recognize from the sale. However, they recognize the revenue when the good is delivered.

There are additional features that sellers and purchasers can build into sales agreements. For example, the purchaser may have the right to return the good if the purchaser cannot resell it within a stated period. If this feature exists in the sales agreement, then the seller may not be able to recognize revenues until the purchaser resells the good.

I believe that SAB No. 101 is referring to these sorts of agreements when it referred to "persuasive evidence that an arrangement exits." An agreement between the seller and purchaser must exist that clearly specifies the conditions under which title will transfer to the purchaser and the conditions under which the purchaser can return the good to the seller without cost to the purchaser.

Receipt of Payment

The seller cannot recognize revenue from a sales transaction until they have been paid. "Paid" means that they have received some economic resource from the purchaser. That economic resource does not have to be cash; it can be a promise to pay (i.e., accounts receivable), some other asset, or a relief of a liability from the seller to the purchaser. This is why SAB No. 101 includes a provision that "collectability is reasonably assured." The seller should not be able to recognize revenue from a sale transaction unless there is a very good chance they will receive some economic benefit from the sale. In addition, the value of that economic benefit should be the selling price of the good. Thus, SAB No. 101 also includes a provision that "the seller's price to the buyer is fixed or determinable."

The term "reasonably assured" is ambiguous. Most firms that sell on credit rather than cash do not receive 100% of the selling price from all their credit sales. Some customers will not pay the full price or not pay at all. However, firms are not required to review each individual sale to determine if they can recognize revenues. They can establish revenue recognition polices for a

6-3 class of sales transactions and address the issue of "reasonable assurance" for that class of transactions.

For example, most firms recognize the revenue from all credit sales at the point they deliver the good and receive a promise to pay from the purchaser. Then, they establish an allowance for doubtful accounts as an estimate of the proportion, on average, of those credit sales that they will not collect to match the potential bad debt expense with the revenue that created the potential bad debt. However, they do recognize the revenue at the point of sale. In extreme cases, where a significant proportion of the revenue may not be collectable, the seller may not be allowed to recognize revenue until they receive payment.

In summary, sellers cannot recognize revenue from a sales transactions if they retain significant rights and risks of ownership to the good or service (i.e., "delivery" isn't complete), or there is a significant chance that they won't be paid. Given the strong incentives for firms to recognize revenue as soon as possible and the rich variety of sales agreements that they can negotiate with purchasers, revenue recognition can be a very tricky issue for an auditor.

Revenue Recognition for Long-term Contracts

The above discussion of revenue recognition assumes a transaction that takes place more or less all at once. However, some long-term construction and service contracts may span several reporting periods (e.g., quarters or years). This raises the issue of how much revenue the seller should record in a single reporting period. Under certain conditions, GAAP allows firms that sell these sorts of goods and services using the percentage of completion method. The idea is simple. The seller recognizes the percentage of total expected revenue that matches the percentage of the total goods or services that were delivered during the reporting period. The complexity arises in determining what percentage of goods or services were delivered during the period. Normally, this requires management judgment, which means that management has an opportunity either to push GAAP to the limit or to engage in fraud. Thus, auditors must review the seller's assumptions for recording revenue under the percentage of completion method to insure they are reasonable.

Description of Revenue and Collection Processes

This section presents the major activities that make up the revenue and collection process and the documents firms use to document the key aspects of a revenue transaction. I have included a diagram of these processes and the way they are document at the end of this chapter but before the Tom's Trailer Case Description.

Major Activities and Documents

Take an order

Revenue transactions normally begin with some form of agreement between the seller and purchaser on the nature of the good or service the seller is selling and the amount and form of the

6-4 payment the purchaser will make. In addition, these agreements also cover who will pay the transportation charges for goods and what right of return the purchaser has.

To help insure the firm accurately and completely understands the customer's desires; the order is usually documented with either a sales order or a customer-generated purchase order. Sales orders should include information about the customer, the products being ordered, and other details about the transaction. A typical sales order would include:

Name, billing address, shipping address, and contact information (e.g., telephone, fax number, and/or e-mail address) for the customer. List of merchandise ordered to include name, quantity, and price. Delivery terms such as expected delivery dates, shipping terms (e.g., who is responsible for delivery and who pays for delivery). Payment terms that specify how long after delivery payment is expected and whether any discounts are allowed for early payment. Date the order was placed and who took the order for the organization.

The customer may take the responsibility for documenting the revenue transaction by generating a purchase order, which would contain the same data elements as a sales order. The main point is that the selling firm should document the sale information listed above in some way. If the customer has done that in the form of a purchase order, then the selling firm may not need to duplicate that documentation with a sales order and just use the customer's purchase order in lieu of a sales order.

Approve Credit

If the organization sells on credit, the seller should establish the creditworthiness of the customer before executing the sale transaction. Accounting or finance departments usually deal with credit approval and document credit approval either through a separate credit approval form or by indicating that the customer's credit has been approved on the sales or purchase order.

Fill Order

Sellers can use the sales order as a checklist to determine what items of merchandise are required to fill the order. The contents of a shipment are frequently documented with a packing slip. A packing slip lists the items that have been included in a specific shipment. Usually a copy of the packing slip is included with the shipment so that the purchaser can use it to make sure the shipment is complete when it arrives. If the seller cannot fill the entire order for some reason, they usually produce backorder document. Backorder documents are very similar to sales order because their main function is, in effect, to reorder the merchandise that was not available. However, backorders should be linked in some way to the original order to document the fact that the merchandise is being reordered because it was not available when the main order was processed.

6-5 Ship Order

Once the seller has filled the order and prepared it for shipment, they need to ship the good. If the firm uses its own employees and equipment to ship merchandise, a copy of the sales order may be sufficient to document shipment since the sales order contains all the information needed to move the goods from the seller's location to the customer's. If the seller uses a shipping firm (sometimes referred to as a common carrier), then they produce a bill of lading. They use the bill of lading to give the shipper the information they need to deliver the goods, but no more than that. For example, the shipper does not need to know the details of what is in the shipment. They do need to know where the shipment is going, when it should arrive, who is paying for the shipment, and general information about the contents of the shipment (e.g., size, weight, number of packages, and general nature of the contents such as whether they need refrigeration or are flammable).

Bill

Once the shipment has been delivered, the seller normally can recognize the revenue from the sale under GAAP. The most common way to bill the purchaser is by preparing an invoice and sending it to the customer. The generation of the invoice indicates that the selling firm has completed their part of the transaction; can recognize the revenue; and has a right to be paid. The invoice is the seller's way of requesting payment from the purchaser. Invoices usually contain the same information as the sales order with the addition of information about shipping and delivery dates. The seller's accounting department usually handles billing activities.

The seller normally also will provide a periodic statement of account for the purchasers that make repeated purchases from the seller. These statements usually list all the transactions between the seller and the purchaser for a period as well as the balance the purchaser owed the seller at the beginning of the period and the ending balance due.

Most firms recognize revenues when they send an invoice to the purchaser. Technically, the seller can recognize revenues when they deliver the goods. Practically, they tend to calculate the amount of the sale as part of the invoicing process and so it is simpler just to record the sale when they generate the invoice. The sale usually is recorded in the seller's Sales Journal. When the seller is ready to produce a financial statement, they post a summary of the sales activities from the sales journal to the general ledger.

In addition, the seller will make an entry to an accounts receivable subsidiary ledger as the offset24 to the entry to the sales journal. The accounts receivable subsidiary journal maintains a listing of all sales and collection transactions for each customer. It is called a subsidiary ledger

24 This is basic double entry bookkeeping. "Offset" means the account(s) needed to balance the journal entry. In this example, the entry to the Sales Journal is a credit to sales and the offset would be a debit to accounts receivable. The Accounts Receivable Subsidiary Ledger records separate accounts for each customer. The total of the Subsidiary Ledger must total the balance in the Accounts Receivable General Ledger Account.

6-6 because it contains customer-by-customer detail that supports the accounts receivable totals recorded in the accounts receivable ledger.

Collect

The seller's accounting department also usually handles collection activities. Collection activities include: tracking payments as they are received and linking them back to invoices; following up on late payments; possibly turning unpaid bills over to a collection agency; or selling them to a collection agency; and documenting the receipt of payments and depositing the payments in the selling firm's bank account.

A critical feature of the collection process is linking the payments back to invoices to make sure the purchaser ultimately pays all invoices in full. Since the purchaser also has an interest in accurate accounting for payments and since purchasers may split payments for an invoice into several payments or combine several invoices into one payment, purchasers frequently use remittance advices to indicate the invoices for which they are paying. A remittance advice is just a stub attached to a purchaser's check that lists the seller's invoices to which the payment applies.

A key tool sellers use to facilitate collects and support estimates of bad debts is an accounts receivable aging report. An accounts receivable aging merely lists all the past due accounts by their age, i.e. how long they have been outstanding. It is a key report on which sellers base their allowance for doubtful accounts amount. The idea is that the longer an account is overdue, the less likely the seller will be able to collect it at all. Auditors usually get the client's accounts receivable aging report when evaluating the auditee's allowance for doubtful accounts balance.

Another tool sellers use to support their collection activities is a write-off authorization. The person in the firm that management has given the authority to approve the write off of overdue accounts signs this document, which provides proof of the approval.

Application to Services

The above discussion focuses on processing revenue transactions for goods. The processes for services are very similar since the same basic goals apply: documenting the sales agreement, delivering the services, and collecting. Since each sale of a service tends to have several unique characteristics, the seller has a need to develop detailed documentation of the sale agreement. The engagement letter provides this role in an audit. However, not all service providers document the nature of the services they will provide prior to delivery. For example, when you go to a doctor, you don't get a written contract prior to any diagnosis or treatment. There is an implicit contract that the doctor will use his/her expertise to fix whatever is wrong with you.

6-7 Once the sales arrangement is agreed to, either implicitly or explicitly, the seller must deliver (i.e., provide) the agreed upon services before the seller can recognize any revenue. Since sellers tend to deliver most services over time, they tend to raise more percentage of completion issues than goods. Once the seller has performed the services, they need to collect to complete the revenue cycle.

My point here is that the revenue processes for services include the same steps as the revenue processes for goods does. However, there are some differences in emphasis and documentation methods because of the different nature of services compared to goods.

6-8 Diagram of Normal Sales Processes

Use either customer's purchase order or seller's sales order to document: Document Customer contact information (e.g., name, address, phone number) Customer Needs - Price, quantity, and description of items being ordered Customer places Date order was placed an order Delivery date, shipping and payment terms

Approve Customer's Credit Document who approved credit and when. Form may vary with firm.

Generate packing slip that documents: Customer contact information (e.g., name, address, phone number) Quantity and description of items being ordered (note packing slips rarely Fill Customer's contain prices) Order Date order was shipped and who packed the order Delivery date and either customer purchase order number or seller's sales order number

If shipped by common carrier, document shipment with bill of lading that Contains the following. Sale could be recognized at this point. Name of common carrier shipping the products Ship Customer's Count of packages in the shipment Order Customer contact information (e.g., name, address, phone number) Date shipment was sent Shipping terms (e.g., FOB destination or shipping point)

Generate Invoice to document requirement for payment to include the following items. Sale frequently recognized at this point. Customer contact information (e.g., name, address, phone number) Bill Customer Sales or purchase order number and packing slip number Date of invoice and date of shipment Payment due date and terms (e.g., 2/10 net 30) Description, price, and quantities of all items ordered and shipped.

Collect from Customer Engage in follow-up activities to insure payment. Match payment to invoice based on customer's remittance advice or by matching to seller's invoice.

6-9 Tom's Trailer Sales, Inc Case Description

The following case description will be used as the basis for class discussion for most of the term.

Nature of the Trailer Business and Market

Tom Sullivan owns a small recreational trailer business in a suburban community located close to the mountains. Tom sales are mostly trailers for vacationing and camping, and a variety of accessories for those trailers. The community is relatively small but growing fast. Tom's business is growing due to the growth in the local economy and the lack of competition. Tom does not have a very aggressive marketing program because he does not need one. Tom expects an increase in competition in the near future, however, as the community grows.

Recreational trailers are "big ticket" items with prices that range from a few thousand dollars for a simple, collapsible trailer to well over $50,000 for large, fully equipped trailers that can sleep as many as six people. Because trailers are more a luxury than a necessity, people tend to spend quite a bit of time shopping for one. Although Tom has little competition in his community and people prefer to shop locally, trailers are inherently portable and so people are willing to go outside the community to shop for them.

Tom's trailer customers are mainly families, outdoor sports enthusiasts, and retired people. Since these classes of customers tend to evolve into different life styles and because, properly maintained, trailers can last for many years, Tom doesn't get a lot of repeat business from the same customer. Therefore, many of Tom's customers are first time buyers and require substantial help learning about how to use and maintain a trailer properly.

The trailer accessories market is different from the trailer market, but still is tied to trailer sales. Accessories are much less expensive than a trailer and tend to wear out faster. Some examples of accessories include appliances (e.g., small, gas-powered refrigerators, 12 volt lights and electronic equipment, microwaves), sanitary disposal equipment, appearance packages (e.g., sport wheel covers, more stylish curtains), and performance improvements (e.g., larger propane tanks). Auto parts stores sell some basic accessories (e.g., 12 volt lights), but seldom carry an extensive line of recreational trailer merchandise. Some of these accessories require regular replacement while people tend to upgrade others. Therefore, there is a significant amount of repeat business in the accessory market. Because accessories do not cost much compared to the price of the trailer, people do not tend to go outside the community to shop for them. In addition, because many accessories need to be carefully matched with the specific trailer to make sure they fit and work properly, Internet sales have not had a major impact on Tom's business. Tom believes it is important to his business to be able to maintain a balanced inventory that demonstrates the range of options in both trailers and accessories for his customers while minimizing the size and cost of his inventory. Thus, he needs to be able to fill special orders rapidly, particularly for accessories.

6-10 Tom buys trailers and accessories made by only a few, major brand vendors. These vendors tend to have complete product lines that can meet the needs of his customers. Tom does purchase accessories from a wide variety of vendors. However, he uses only one or two vendors for each type of accessory. Occasionally, Tom will special order a trailer or accessory from some other vendor, but this is rare. Tom relies on the vendors to maintain brand name recognition through major advertising campaigns. Tom uses some targeted advertising in the local papers and radio stations, but does not invest a significant amount in advertising due to lack of competition.

Both the trailer and accessory markets tend to be technologically stable (with the exception of increasing demand for electronic options for wireless communication). The basic design and production technology for trailers and accessories has not changed in decades and is not expected to change in the near future. Therefore, Tom tries to find reliable vendors with reasonable prices and high quality products, and stick with them. Even stable, reliable vendors, however, go through management changes, so Tom regularly reviews vendor performance and occasionally places small orders with new vendors to test their products and reliability.

Tom's Basic Operating Procedures

Sales and Marketing

Tom or a salesperson opens up the lot each morning. Tom always has a salesperson assigned to watch the lot so that whenever a customer walks on to the lot, (s)he is greeted by one salesperson. The salesperson tries to get the customer's name, phone number, and address when (s)he arrives, but Tom has told his sales people to be polite and not to push customers for this information if they are reluctant to give it. If a group of people come in together, the salesperson attempts to identify which person will make the purchase decision and focus on that person as the customer. Tom does require that his salespeople record as much information as they can about each visit from a customer or group of customers. However, he only wants them to record the name and contact information from one of the potential customers if there is a group.

The sales people try to help customers decide what type of trailer and set of accessories are right for them. Customers are allowed to look around the lot without a salesperson present if they want, but Tom wants one salesperson greet each customer to make sure they know how the lot is organized and to try to get contact information from the customer and attempt to determine what types of products are of interest to the customer. Tom also wants his salespeople to be aware of who is on the lot at all times to reduce the risk of theft or vandalism.

Since trailers are relatively expensive, customers frequently come back more than once before they decide to purchase a trailer. Tom also wants his salesperson to track these repeat visits as well. If a customer decides to make a purchase, a salesperson writes up a sales invoice that contains information about the customer, the serial number of the trailer (s)he is purchasing, and the list of accessories (s)he wants. Customers can purchase accessories separately, but these orders also are documented with a sales order. A sales order documents the name of the customer, as well as contact information for items that will have to be delivered, and the quantities and prices of the merchandise being sold and the date of the sale. Again, Tom

6-11 encourages his salespeople to get as much contact information as they can on all customers, but does not want them to be too pushy for information not needed to complete the transaction.

If the customer needs to finance the purchase, the salesperson has the customer fill out a credit application and then forwards the application to Tom's local bank for approval. Because of the volume of business Tom's does with the bank, the bank does not charge a fee to process a credit application. Once the bank approves the application, it notifies Tom or the salesperson that the customer's credit has been approved. Tom's does not process credit orders until the customer's credit has been approved. That is, the salesperson does not record the information about the sale until credit has been approved. This information is recorded on the credit application, but Tom does not record anything about the credit application in his records.

If Tom does not have the trailer and/or accessories in stock, the salesperson places an order with the appropriate vendor(s). Tom does require that the customer make a deposit equal to 10% of the purchase price on all special orders to help insure that customers are serious about purchasing the product. For special orders of trailers that are being financed through the bank, the credit application includes a provision that the bank will pay the 10% deposit if the customer fails to take delivery of the trailer and will collect the 10% from the customer.

Tom's is a cash-only business. Tom's does not allow customer to take accessories until they are paid for and does not prepare a trailer for delivery until the customer has paid the full amount due or the bank has accepted the customer's credit application and agreed to pay the amount due.

Tom waits until all items on a trailer order are ready to deliver to the customer before he prepares the order for delivery. That is, if the customer orders a trailer and additional accessories, Tom has his staff wait until both the trailer and accessories in stock before they prep the trailer for delivery. Accessory sales are "off the self" and do not need preparation.

Tom has one employee prepare each order for delivery by inspecting the merchandise and checking it against the sales order, cleaning and washing it, and making sure that all accessories are properly installed on trailer orders. Even though the order preparation process consumes supplies, Tom believes that it would be too costly to try to record the supplies consumed by the preparation of each order. Once the merchandise is ready for delivery, an employee calls the customer and arranges to have the customer pick it up.

To maintain accountability, Tom requires that only one employee prepare and one employee deliver each order. Tom prefers that different employees prepare and deliver the orders, but, because of staffing limits, this is not always possible. If the customer desires it, Tom can also have trailers delivered to the customer.

For all orders, the customer signs a copy of the order form indicating (s)he has received all items in the order. Tom's handles the paper work for registering trailers with the state, but the customers pay those fees directly to the state.

6-12 Purchasing and Inventory Management

Tom regularly reviews sales and inventory levels to try to minimize the amount of inventory on hand without jeopardizing sales. He faces the same, classic inventory management problems that all businesses do. Inventory costs money to purchase and maintain and so the firm wants to keep inventory levels as low as possible. However, customers may not want to wait for Tom to order their trailer or accessory and so he could lose sales if he doesn't have the right products in inventory. Periodically, Tom will review his sales records; review the items he has in inventory; and make a list of items he needs to order for inventory.

Tom rarely pays cash for trailer purchases and uses the same local bank to finance them. Frequently, accessory vendors will give Tom a 2% discount if he pays within 10 days but require that the total balance be paid within 30 days. If the accessory vendor does not extend credit to Tom, Tom can either pay cash or have the bank finance the purchase. The bank has set up a line of credit for Tom to finance accessory purchases and charges Tom 3% above the current prime rate on the outstanding balance of the line of credit. Since trailers are expensive, the bank generates a separate loan for each trailer Tom purchases and keeps the title to the trailer until it has been paid in full for it. Tom's must make monthly payments on trailer financing and pay off the balance due on any trailer when the trailer is sold. It also must pay off a trailer's remaining balance if that trailer is not sold within one year.

Tom does all his own ordering and fills out a purchase order to document each purchase. He has employees assigned to check all trailers and accessory shipments against the purchase order when they are received, and to store trailers on the lot and accessories in the warehouse. The receiving activity is "blind" and the person receiving the shipment does not have the quantity information from the purchase order. Employees fill out a receiving report that documents the results of their check on the shipment. The receiving reports are forward to the bookkeeper to compare against invoices when they come in from vendors. To maintain accountability, Tom only allows one employee to check and store a particular order. Since Tom has little control over how vendors choose to ship orders, periodically he has to accept partial shipments or shipments that combine several orders.

General Administration

Because Tom's Trailer Sales is so small, Tom does most of the administrative tasks himself (e.g., hire, fire, evaluate, and schedule employees; purchase merchandise; plan and budget; develop and execute the marketing strategy). He does have one full-time bookkeeper/secretary who pays bills; writes checks; does the accounting; and performs various clerical tasks. The bookkeeper is responsible for checking all the invoices that Tom's receives against purchase orders and the receiving reports that other employees fill out when merchandise is received. Some items like utilities and other services are not "received" as merchandise is, so there is not always a receiving report for every invoice. Tom personally approves all bills when he signs the check and requires some form of bill or invoice from the vendor.

Tom's only uses one checking account, but keeps a small petty cash fund to handle small expenditures without having to write a check. Tom's Trailer pays for his liability and fire

6-13 insurance policies two years in advance. Tom's Trailer also owns the site on which the business is located. The physical plant consists of a paved display and parking lot, one building that houses the offices and accessory inventory and contains a large garage where trailers are prepared for delivery. Tom's Trailer pays a variety of payroll and business taxes in addition to income taxes on its operations. Tom's Trailer's main debt is the mortgage on the land and buildings. Tom's is a closely held corporation with just Tom and his immediate family as stockholders. Tom has never paid dividends and prefers to leave accumulated earnings in the business to finance growth. Tom's Trailer Sales is located in Oregon, which is one of the few states without a sales tax.

Tom employs 10 salespersons who work varying hours. He keeps at least two salespersons on the lot at all times and has them answer the phones, since most of the calls Tom's Trailer receives are about trailers and accessories. He also has two full-time employees that prepare and deliver trailers and check in shipments.

Tom's Information System

Tom's Trailer does not own a computer, but Tom realizes that he needs one to remain competitive. Tom has done some thinking on the subject and has documented the following information needs that the any new system should accommodate.

• Hardware configuration - Tom will purchase three small personal computers (PCs) and one larger PC. The three small PCs will be located in the salespersons' office, the warehouse, and in Tom's office. The larger PC will be located in the business office and will be primarily used by the bookkeeper. All four will be networked together with the larger PC acting as the central server. The larger PC will also have high-speed internet access.

• Payroll - The system should be integrated and provide reports that support all aspects of payroll process. The major activities involved are calculating the weekly pay for hourly employees; calculating the monthly pay for salaried employees; calculating all withholdings for both employees, preparing payroll reports; and providing information needed to file payroll tax returns.

• Sales processing - Tom wants the MIS to be able to capture as much customer information as possible to use for sales campaigns and follow-up calls even if the customer never buys anything. The system should be able to store any customer information the salespersons can gather when customers come is as well as for customers who place orders. The system will need to store customers' names and contact information (e.g., address, phone number, and possibly e-mail address) for each customer who places an order. The system should be able to report the date, customer, employee, and merchandise items involved at each step of the order and delivery process to help insure the accurate and timely processing of orders and so Tom can evaluate sales processing activities. The MIS also should provide an audit trail for orders as they progress through preparation and delivery. That is, delivery preparation information needs to be linked back to the original order and delivery

6-14 information needs to be linked back to preparation information and as well as the original order.

• Inventory management - The system needs to be able to implement a perpetual inventory system so that all receipt and sale of merchandise are immediately recorded and the system can report the quantity of any item of merchandise on hand at any moment. Tom also needs to keep order and delivery histories for each type of merchandise and for each individual trailer for at least one year for historical analysis of product movements. Finally, Tom will take a physical inventory once per year, reconcile the results with the perpetual inventory system, and adjust the perpetual system to the actual physical inventory.

• Purchasing - Tom will use the system to generate and print purchase orders to vendors. The system needs to be able to record basic vendor contact information (e.g., name of vendor, contact person, address, phone number, e-mail address) as well as maintain historical information about vendor activity. Tom wants to be able to review periodically the transaction history of each vendor and any comments about the quality of a vendor's products or services. Tom especially wants to be able to track when orders are placed and received, how often items are backordered, and how often incorrect or damaged merchandise is received from a vendor. Tom also wants the system to keep information on prospective vendors (i.e., vendors Tom is considering using but from whom he has never ordered) such as information about their product lines, pricing structure, and other information he has gathered on their reliability. Since Tom rarely pays cash to his vendors, the system will need to track accounts payable.

As with sales processing, the MIS needs to maintain an audit trail through the purchasing cycle, but this trail needs to be more detailed. In the sales cycle, each order is processed by itself. In the purchasing cycle, vendors can back-order items and combine shipments, so the audit trail needs to track individual trailers or type of merchandise, not whole orders. For example, when the bookkeeper records information from a vendor's invoice, (s)he will need to link it back to one or more purchase orders on which the invoice is based. Tom has decided to have the bookkeeper enter information from the vendor's invoice, have the system check the math, and compare the billed quantities and prices to purchase orders and receiving reports.

• Cash receipts and disbursements - The MIS needs to maintain a basic "check book." The date, amount, and reference information should be recorded for each cash receipt and disbursements. Reference information will depend on the nature of the transaction. The most common reference for a cash receipt will be the customer order number and for cash payments, the vendor's invoice number. Since all of Tom's sales are on a cash basis, the system need not track accounts receivable. However, since Tom takes deposits on special orders, the system will need to track deposits.

• Accounting functions - The MIS should maintain a standard general ledger, purchases journal, sales journal, cash receipts and disbursements journal, and general journal, and be able to generate standard financial statements on demand. The payroll system will produce

6-15 all necessary payroll reports. Whenever the payroll is processed, they will produce a summary of the payroll activity that can be summarized like a general journal entry. Since all sales are on a cash basis, Tom's does not have any accounts receivable and sales transactions are booked to the cash account. Purchases transactions are booked to accounts payable when the shipment arrives and cleared from accounts payable when the check is written.

6-16

Chapter Seven - Use of Analytical Procedures for Inherent Risk Assessment

Summary

This chapter provides an overview of some of the major analytical procedures that auditors use to assess the inherent risk of an auditee as well as to audit individual account balances. Auditors use these procedures both to assess firm-level inherent risk as well as to assess account-specific inherent risk. This chapter covers both these uses. After completing this chapter, students should be able to:

Evaluate an auditee's operating performance, cash management effectiveness, and financial position. Develop a comprehensive, but high-level, description of how an auditee is raising and spending cash. Use the above evaluations and descriptions to indentify areas of auditee-level inherent risk. Identify specific accounts that show unusual fluctuations for further review during the audit process.

Structure of This Chapter

This chapter contains the following sections and appendices:

• An overview of the uses of analytical procedures in an audit. • Discussion of the tools that auditors use to assess firm-level inherent risk. • Discussion of the three main components of an auditee's operation that a financial analysis targets: operating performance, cash management, and financial position. • Presentation of some general strategies for assessing an auditee's performance. • Figures and tables that provide a high level summary of financial statement analysis. • Appendix A -that presents on outline of a comprehensive financials statement analysis. • Appendix B - that discusses some additional ratios found in the financial literature that are not covered in this chapter. • Appendix C - A listing of bond ratings and their interpretation. • Home Depot Case - financial statement information for the Home Depot company from 1997 through 2006.

7-1

Types of Analytical Procedures

Analytical procedures are procedures that auditors apply to the auditee's financial statements to develop an understanding of the auditee's economic condition; look for specific balances that seem to be unreasonable and warrant further investigation; and to do a high-level review of the audited financial statement balances to determine if they are reasonable.25 The core of analytical procedures is based on basic ratio analysis, which will be covered in depth in this chapter. However, they also include other calculations that auditors use to test account balances.

As the above paragraph implies, auditors classify analytical procedures into three categories depending on the stage of the audit process in which they are used. I discuss each of these categories next.

Preliminary Analytical Procedures

Auditors use preliminary analytical procedures to assess the overall financial health of the auditee during the audit planning process. As I mentioned in the chapter on inherent risk, auditees that are in strong financial shape are less risky than auditees that are not. In addition, auditors can identify specific areas of risk using preliminary analytical procedures. For example, auditors can use preliminary analytical procedures to assess the auditee's financial health within three major categories: operating performance, cash management, and financial position. I will discuss these categories in depth below, but the main issue is that firms need to make a strong profit (i.e., operating performance); turn that profit in to cash flows (i.e., cash management); to be able to pay their long and short-term bills (i.e., financial position).

In addition to the auditee's basic financial statements, auditors use the following tools to execute a preliminary analytical review of an auditee. ratio analysis, common-size and percentage change financial statements, trend analysis, industrial data, and general economic data

The bulk of this chapter discusses each of these tools in depth and presents a strategy for using these tools to perform a preliminary analytical review of an auditee's financial statements.

Substantive Analytical Procedures

Auditors use substantive analytical procedures to help test the auditee's account balances. Thus, they are another form of substantive test available auditors to use to assess the accuracy of

25 Auditors refer to this final overview as the "smell test" because they are using analytical procedures to determine if the final numbers "smell right."

7-2

the auditee's account balances. The main strategy, as illustrated in the figure below,26 auditors use is to develop an independent expectation about what an account balance should be; compare that expectation to the unaudited account balance; and investigate any significant differences.

26 Taken from Auditing & Assurance Services: A Systematic Approach, by William F. Messier, Jr., Steven M. Glover, and Douglas F. Prawitt, McGraw-Hill, 2008.

7-3

Develop an Expectation

Since a rich variety of factors can affect how an account balance will vary over time and because of economic conditions, auditors use a variety of tools to develop an expected account balance. One key issue for developing expectations is to build them independently of the auditee's unaudited account balance. That is, auditors should develop their expectations without peeking at the auditee's current balances. Otherwise, the auditor's expectations will naturally tend towards the auditee's balance and, thus, bias the auditor's expectations in favor of not spotting problems.

The following is a short overview of what different types of information each of the above tools provides auditors when they are performing substantive analytical procedures. Auditors also use all but the last one of these for both preliminary analytical procedures and final analytical procedures, both of which are firm-level analyses as opposed to account-level analyses.

Ratio analysis - Ratio analysis is inherently a cross-sectional analysis is that it compares the results of different types of activity to each other within the same period. Because of double entry bookkeeping, the accounts in any firm's financial statements are inherently linked to other accounts. However, this is not just an artifact of double entry bookkeeping. Double entry bookkeeping just captures the underlying dependencies between accounts. For example, for firms that sell on credit, their level of credit sales plus the effectiveness of their collection activities determine the level of their accounts receivable balance at any point in time. For an auditee with stable credit collection policies, the auditor would expect to see the relationship between the auditee's accounts receivable balance and their sales to remain constant over time. If, for example, the auditee's accounts receivable balance is growing faster than their sales, then the auditor might become suspicious that the auditee's collection policies are becoming less effective and, therefore, increase the inherent risk of the auditee's accounts receivable and allowance for doubtful accounts balances. Common-sized and percentage change financial statements - As firms grow in size, they tend to grow proportionally. For example, as a firm's sells more goods and services, its inventories, accounts receivable, and accounts payable tend to grown at the same rate as sales. Auditors can use common-sized financial statements to determine if different accounts are growing faster or slower than the firm as a whole. To accomplish this, common-sized financial statements restate all account balances in terms of a percentage of some measure of the firm's overall size. The two measures of firm size that common-sized statements use are total assets for the balance sheet and total revenues for the income and cash flow statements. Auditors can use percentage change versions of the financial statements to determine how fast accounts are growing over time. Common-sized financial statements restate every account balance as a percentage change from the prior year's balance. Thus, they calculate rates of change for all the accounts. Common-sized and percentage change financial statements allow auditors to analyze both cross sectional and longitudinal trends in the auditee's account balances. Longitudinal

7-4

analysis refers to analyzing trends over time, as opposed to cross sectional analysis, which analyzes relationships between accounts at a point in time or for a fixed period. Common-sized financial statements do both at once in that auditors use them to determine if cross sectional relationships are changing over time. For example, if an auditee's collection policies are deteriorating, then their accounts receivable as a percentage of total assets should increase, assuming that total assets are increasing with the growth in the auditee's sales, which is typical. The percentage change financial statements highlight longitudinal relationships directly by calculating the rate of growth in all the accounts. Trend analysis - Trend analysis focuses on how the auditee's account balances and ratios are changing over time. Thus, it combines longitudinal and cross sectional analysis in that auditors are interested both in trends in account balances as well as trends in relationships between account balances, which ratios capture. Thus, auditors use both common-sized and percentage change financial statements for trend analysis. Industrial and economic data - Auditors use industrial and economic data to separate out changes in an auditee's financial statements that are the result of the auditee's actions from those that are driven by changes in the auditee's industry and in the general economy. On average, changes in the general economy drive about 50% of the changes in the auditee's financial statements; changes in their industry drive about 30%; and actions of the auditee drive the remaining 20%. These are rough averages, but they make the point. The auditor is concerned about changes due to the auditee's actions because these are what the auditee can control. Thus, they need to try to sort out the effects of these three factors so that they can focus on what the auditee influenced or caused.

Ad hoc calculations - Auditors can apply the calculations I have described thus far to any account in any auditee's financial statements. In addition to these general tools, auditors can do ad hoc calculations that help develop expectations for specific accounts for specific auditees. For example, if an auditor were auditing a cable television company and wanted to verify the cable company’s accounts receivable, they probably would not try to confirm accounts receivable balances with the cable firm's customers because there may be millions of customers, each of whom only owes the cable company a small amount. The auditor could do a reasonability check on the accounts receivable balance by calculating the average monthly bill for the cable firm's customers and multiplying that times the number of customers to determine what the cable firm's accounts receivable balance would be if customers, on average, owed one month's fees to the cable company.

To develop an expectation, the auditor would review all the sources of information mentioned above to try to isolate trends that (s)he believes would lead to the current year's account balance. Developing these expectations is a complex task that requires experience and judgment. Auditors can use more advanced statistical tools, like regression analysis, to help develop expectations, but there is no substitute for auditor judgment based on a rich understanding of how the auditee's business runs to develop good expectations.

7-5

Define a Tolerable Difference

Next the auditor needs to determine how big a difference between the expected balance (s)he has developed and the auditee's actual balance matters. The idea is the same as the concept of material misstatement I mentioned in Chapter 3. Auditors do not have unlimited resources and so they need to focus on errors that are big enough to matter to the users of the financial statements. As I will discuss more later in this text, auditors use the term "material misstatement" to refer to errors in the financial statements that are big enough to matter and "tolerable error" to refer to an error in an individual account that are big enough to matter in an individual account. Thus, the term "tolerable difference" is virtually identical to tolerable error except that auditors use "tolerable difference" when referring to substantive analytical procedures and "tolerable error" to refer to statistical sampling techniques, which is another form of substantive test. Sorry about the "terminology overload," but auditing is full of such semantic "hair splitting" and you will need to know the different terms if you want to pass the CPA exam.

Compare Expectation to Actual and Investigate

Once the auditor has an expectation and a tolerable difference, (s)he needs to compare the expectation to the auditee's unaudited balance and determine if the different is larger than their tolerable difference. If it isn't, they move on to other accounts. If the difference is larger than his/her tolerable difference, (s)he needs to investigate further.

If the difference is larger than the tolerable difference, the auditor needs to determine if his/her expectation is at fault or whether the auditee's balance is at fault. Thus, (s)he would need to review their expected balance and how they built it to determine how much confidence they have in their expectation. If (s)he remains confident in his/her expectation, the auditor would perform some audit procedures on the auditee's balance to determine if it contains a material error. In practice, the auditor's first step would be to ask the auditee about the difference and then perform audit procedures to determine if the auditee's explanation is supported by evidence.

Draw Conclusions

Finally, the auditor needs to pull all the evidence together and decide whether the original expectation was flawed in some way, probably due to lack of evidence, or the auditee's balance is flawed and needs to be adjusted.

As you can see, these types of analytical procedures are imprecise, but cheap and easy to perform. They provide a reasonability check for the auditee's account balances. For example, if the auditor used the ad hoc calculation I described above and found that the cable firm's reported accounts receivable balance was much higher than the auditor estimated, the auditor probably would test some of the individual balances that make up the cable firm's accounts receivable balance to try to determine why the reported balance was much different than the estimated balance the auditor had calculated.

7-6

Final Analytical Procedures

After the auditor has completed his/her tests and gathered all the evidence (s)he feels is necessary to develop an opinion on the auditee's financial statements, (s)he will redo the same type of analytical procedures (s)he did for his/her preliminary review to determine of the financial statements, as adjusted for any audit findings, still makes sense. If there still are accounts that seem out of line, the auditor may go back and gather more evidence.

Preliminary Analytical Procedures

Auditors mainly use preliminary analytical procedures to assess the auditee's firm-level inherent risk. One of the auditor's goals is to produce a high-level assessment of an auditee's operating and financial performance history to determine what pressures may exist for management to manipulate the financial statements as well as to identify areas where the auditee's performance seems out of place with its own history and/or with current economic conditions. Auditors use the same analytical tools for this task that financial analysts do when evaluating an auditee for possible investment and that bankers do for assessing the credit worthiness of the auditee. Thus, the structured financial statement analysis approach I am presenting here commonly is used in a variety of setting.

As I mentioned in the section above on substantive analytical procedures, auditors also use the tools covered in this section (ratio analysis, common-sized and percentage change financial statements, and industrial and economic data) to develop expectations for substantive analytical procedures.

The analysis of financial statements consists of calculating a series of relationships between financial statement line items27 and comparing them to one or more bases of comparison. The reason relationships are calculated and compared to other items is that a financial statement line item by itself communicates very little information by itself because the values in most line items usually are linked to the balances of other lines items.

For example, just knowing what an auditee's ending accounts receivable balance is doesn't tell us much. We need to look at the accounts receivable balance as it relates to the amount of sales recorded during the year or quarter to determine whether collecting accounts receivable is taking more or less time since accounts receivables are generated from credit sales. Thus, if an auditee's accounts receivable balance went up sharply in one year, the auditor would not be very concerned about reduced collectability of accounts receivable balances if the auditee's sales when up proportionally to the increase in accounts receivable. However, the auditor might be concerned about why sales jumped so much.

27 I use the term "financial statement line item" in this chapter. However, another common term that means nearly the same thing is "account balance." Generally, account balance refers to the balance in a general ledger account and several related general ledger accounts can be combined into one financial statement line item. However, for the purpose of this chapter, that distinction is not important.

7-7

In most cases, individual line items need to be related to the size of the auditee in some way to determine how large they are. Additional comparisons are usually required to determine if the balance is suspicious and multiple balances and comparisons need to be made to assess overall firm-level inherent risk.

Effective financial statement analysis also takes into consideration the auditee's strategies for achieving its goals. For example, some auditees may achieve success by selling few items at a high profit per item while others will sell more items at a lower profit per item. Both of these auditees may be well-managed and successful. They just achieve success in different ways. Examples of how strategies affect financial statement analysis will be discussed further below.

Common-sized Financial Statements

One thing the auditor can do to add more meaning to the numbers on a financial statement is to common-size the statement. Statements are common-sized by dividing each item on a given financial statement by a measure of overall auditee size appropriate to that financial statement. In the case of the Balance Sheet, the appropriate measure of overall auditee size is total assets. The best measure of size for the Income Statement is total or net sales or revenues.28 The best measure for the Cash Flow Statement is operating cash receipts or cash received from customers. However, this statistic is only available on cash flow statements prepared using the direct method, which is actually quite rare. Thus, total or net sales or revenues are usually used to common-size cash flow statements prepared with the indirect method.

The main idea behind common-sizing is that, as auditees grow or shrink in size, their assets, liabilities, revenues and expenses tend to grow or shrink proportionally. Auditors can use the common-sized data to determine if changes in any account are out of proportion to changes in the overall size of the auditee. They also can use common-sized data to compare two auditees of differing size on a more equal basis.

The Home Depot case at the end of this chapter includes common-sized balance sheets, income statements, and cash flow statements for the 10-year period from 1997 through 2006. To illustrate one insight that auditors can gain from common-sized financial statements, note that Home Depot's Net Property and Equipment increased from $24,901 million in 2005 to $26,605 in 2006. At first, this looks like a significant growth. However, if you look at their common- sized balance sheet, you will see that Net Property and Equipment declined from 56.1% of total assets to 50.9%. Thus, it appears that Home Depot's Net Property and Equipment is not growing as fast as the overall size of the firm.

28 Different firms and different industries refer to the "top line" of their income statement differently. I will not make a distinction between total sales, net sales, total revenues, and net revenues in this chapter. All this terms usually refer to the top line of an income statement and report the total revenues generate by the firm during the year from their normal operations.

7-8

This observation raises the question of how Home Depot is growing the firm. Net Property and Equipment represent a firm's productive capacity and normally the growth in productive capacity drives the growth of the overall firm. Looking further at the common-sized balance sheet, you will see that goodwill increased from 7.4% of total assets to 12.1%. Thus, we now can conclude that Home Depot is growing by buying other firms and not by expanding internally since goodwill can only be created by buying another firm. This is just a small example of the insights you can gain from common-sized financial statement.

Ratios and Comparisons

Another way to relate different financial statement items to each other is with ratios. Table 1 summarizes the most common ratios used to analyze for-profit financial statements. Figure 1 presents a diagram of these same ratios, along with common-sized financial statements, that highlights the role each plays in a financial statement analysis. This set of ratios has been developed to facilitate analysis of two main aspects of an auditee's performance: operations and finances. The list of ratios in Table 1 is not complete. There are wide varieties of ratios that appear in the professional literature. However, it does contain the most common ratios. Since some of the ratios measure the same concept in slightly different ways, not all the ratios will be used in the analyses present in this text. Table 1 includes a broader range of ratios than is used in the text so that you will be aware that other ratios exist and have a general idea of what they measure. The ratios used in this text are highlighted in bold in Table 1. Only the bold ratios are discussed in the body of this chapter. Appendix B to this chapter contains a brief description of the non-bold ratios included in Table 1.

Another critical aspect of ratios is determining whether a higher or lower value is better. This text divides ratios generally into "two-sided" and "one-sided." For one-sided ratios, a higher value is generally better than a lower value and visa versa. In contrast, two-sided ratios are best if their values are somewhere in the middle of the range of all possible values that they can take. As each ratio is described below, its one-sided or two-sided nature will be discussed, as well as standard benchmarks of good or bad levels for the ratio, when applicable. All ratios need to be interpreted in the context of other information to determine whether they are good or bad. Some ratios, however, do have well-established benchmarks that are somewhat context independent and these will be discussed below.

Finally, some ratios are calculated by comparing items from the Income or Cash Flow Statements with items from the Balance Sheet. When these comparisons are made, the amount used for the Balance Sheet component for a given year's ratio should be the average balance for that year, not the ending balance. The items in the Income and Cash Flow Statements represent the total activity that occurred during the year and so they should be compared to the average asset, liability, or equity levels that existed throughout the year. Sometimes average balances are not available for Balance Sheet items and so ending balances are used. When more than one year's data are available, the auditor can estimate the average balance by averaging the beginning and ending balances. It takes two years of data to calculate an average so no average can be calculated for the first year of data. Therefore, when only a few years of data are available, the auditor may choose to use ending balances to gain an additional data point to evaluate trends.

7-9

Basis of Comparison

Any statistic, by itself, is meaningless. Auditors need to compare statistics (e.g., ratios, percentage changes, and common-size percentages, ad hoc calculations) to something both to help determine the reasonability of the statistic and to evaluate whether it is good or bad. Auditors can use five main bases of comparison: the auditee's own historic performance (history), the average of other similar auditees (industrial averages), generally accepted measures or typical performance for the best auditees that are similar to the one being analyzed (benchmarks), the auditee's budget, and ad hoc calculations relevant to the statistic. Each basis of comparison provides slightly different information. I will only discuss the first three of these in any depth in this chapter. Budget variance analysis normally is covered in depth in managerial accounting classes and ad hoc calculations are specific to a give situation.

Comparing an auditee's data to its own history tells the auditor the direction the auditee is heading, but not how well it is doing compared to others in the industry. The advantages of comparing an auditee to its own history are that the auditor knows she is comparing to a very similar firm (i.e., the auditee itself) and historical data are usually available. One disadvantage is that the auditee's environment or strategies may have changed, thus making historical comparisons less meaningful.

Comparing an auditee to industrial averages tells the auditor how well the auditee is doing compared to other auditees that face similar market and economic conditions. The industrial averages, however, may include firms that are quite different from the auditee. In addition, since management can make different choices in selecting how to present financial data on financial statements, industrial averages may combine auditees that use different accounting methods, thus also reducing their value as a basis of comparison. Industrial average information also may not be available or may contain limited detail, thus further reducing its value for comparative purposes. Finally, industrial averages show what the "middle of the pack" is doing and not what the "best performers" are doing. Thus, they can represent a low standard of excellence. However, even with all these shortcomings, comparisons to industrial data may help auditors determine if changes in the auditee's performance were due to factors that are specific to the auditee or to factors that also are influencing the performance of the auditee's industry.

Above, I referred to two types of benchmarks: accepted standards and best firm performance. With the advent of the Total Quality Management (TQM) movement, more auditees are trying to benchmark their activities against the best firms in their industry. When benchmark information is available, it provides the auditor with more helpful data than industrial averages alone. Industrial averages contain some weak firms against which the auditor may not want to compare the auditee. Benchmark data focuses the auditor's attention on the best possible results, not the average results.

Auditors also can use accepted standards for some ratios as a basis of comparison. However, these types of benchmarks are limited because they assume a high level of commonality among firms. When using these sorts of benchmarks, the auditor is trying to determine if the auditee meets basic standards of performance rather than determining if the auditee is excelling.

7-10

By comparing the auditee's results to its budget, the auditor can determine what the auditee's management expected to happen during the audit period. Comparing to a budget, however, does not tell the auditor whether any difference is due to poor planning or poor management of the auditee's operations. A difference between an actual outcome and a budgeted one could be due to management's failure to anticipate the future or to management's inability to control the operating activities of the auditee. While for-profit auditees do not have to publish their budgets as part of the financial statements, and usually do not, auditors can, and usually do, request copies for the auditee's budget as part of any audit.

Since all these bases of comparisons have both strengths and weaknesses, a thorough financial analysis usually compares the auditee's results to more than one basis. In this way, the auditor can evaluate trends in the auditee's activities, compare that auditee to similar firms or the best firms, and even compare trends in the industry or benchmark data to trends in the auditee's data. The auditor also can evaluate the auditee's planning and control activities by comparing their actual results to the auditee's budget.

Performance Evaluation

This chapter covers how to evaluate whether the auditee is doing well or not using three critical dimensions of any firm's performance: operating performance, cash management, and financial position.

Operating performance analysis focuses on how well the auditee is using its resources to generate return on the owners' investment. For example, several of the operating performance ratios relate the amount of profit generated by the production function to the size of the auditee's investment in productive assets or the amount of inputs used to generate those profits. The most common of these is return on investment, which relates net income to the amount of the owners' investment.

Financial position analysis focuses on how well the auditee is managing its financial function. This usually means how well it is able to meet its financial obligations (i.e., pay its bills) and how it is raising outside capital. Financial position analysis also includes a judgment of the auditee’s effectiveness in generating the cash it needs to finance its operations.

Cash flow analysis is the "bridge" between operating performance and financial position. Over time, auditees must generate profits from operations to generate cash to pay their bills and so a strong financial position ultimately depends on a strong operating performance. Just generating strong profits, however, is not enough. Auditees need to be able to convert those profits to cash in a timely manner to create a strong financial position from a strong operating position. Conversely, auditees can use short-term strategies, like selling off their inventories that will generate positive cash flows in the short term even though they are not making profits. If, however, they reduce their inventory levels too much, they could end up losing sales and making their operating performance even worse, thus eventually leading to a weak financial position.

7-11

Operating Performance

Operating performance analysis focuses on determining how well the auditee is generating returns on the owners' investments. The magnitude of these returns depends on three key factors: leverage, profitability, and utilization. Profitability ratios show the ability of various aspects of the auditee's production function to generate profit on each unit the auditee produces. Utilization ratios show the volume of activity (i.e., how many units it sells) the auditee generates with the assets it has. Leverage ratios show what portion of the total profits the auditee generates were generated with the owners' investments as opposed to the creditors' investments. Higher leverage means that the auditee is generating profits to the owners by using more borrowed money and less of the owners' investment. This generates higher return for the owners. "Return" measures the rate of profits generated as a percentage of the owners' investments.

Overall Performance

All of the overall performance ratios are one-sided because higher values are nearly always better than lower ones. The goal of for-profit auditees is to maximize these measures, and so higher is usually better.

Price to earnings ratio

The price to earnings ratio, or P/E ratio, as it is commonly called, tells the auditor how the stock market perceives the auditee's operating performance. It measures how many years worth of earnings per share (EPS) the stock market is willing to pay for each share of stock. The market will pay a higher premium (i.e., a higher P/E ratio) for stocks in a company that the market expects to become more profitable since it expects earnings to rise and a share of stock is a claim against future earnings. If the market is pessimistic, the P/E ratio will fall because the market anticipates that earnings will fall. In short, you can think of the P/E ratio as the future divided by the past. Thus, a higher P/E means a brighter future compared to the past and a lower P/E means the opposite.

The financial press typically refers to the above definition of the P/E as a "backward looking" P/E because it divides the current market price by the last year's EPS. Financial analysts also use a "forward looking" P/E that divides the current stock price by analysts expected EPS for the next year. I do not use the forward-looking P/E for three reasons. First, it replaces a historical audited number (historical EPS) with a forecast, which creates more uncertainty about the accuracy of the ratio. Second, analysts’ forecasts are not available as part of published financial statements and can be difficult to track down. In addition, different analysts will make different forecasts and selecting which forecast to use injects additional uncertainty into the calculation. Finally, market-wide P/E ratios are regularly published in the financial press that are calculated using the average historical EPS for the market divided by the average market price for stocks traded in the market. The table of economic data in this chapter (Table 2) includes these statistics for the stocks included in Standard and Poors Index. Thus, I have a basis of comparison to use when evaluating an auditee's backward looking P/E that I don't have if I were to use a forward-looking P/E.

7-12

The following two ratios measure how well an auditee is generating profit given the resources at its disposal. They merely use different measures of those resources based on who has claims against the assets. They all measure return on investment (ROI). They just differ in their definition of investment. In the popular press, when the term return on investment or ROI is used, it generally means return on owners’ equity.

Return on assets

Return on assets (ROA) uses the broadest definition of investment. It calculates the rate at which the auditee produces net income based on all its assets, regardless of whom has claims on them. Therefore, it measures how well the auditee is using all the economic resources at its disposal. Frequently in the popular press, after-tax interest expense is added back to net income to calculate this ratio. Thus, it also ignores differences in financing strategy between auditees and focuses directly on the effectiveness of the production function. However, auditors also can calculate the ratio without adjusting for interest expense if they consider an auditee's use of debt as just another operating decision. This chapter calculates ROA as net income over average assets and does not adjust for interest expense because it is simpler; because the interest adjustment usually doesn't change the ROA much; and because industrial averages usually do not adjust for interest expense. The simplified version of ROA looks directly at how effectively the auditee is using its assets to produce profits regardless of how those assets were financed, i.e. purchased with borrowed or invested money.

Return on owners’ equity

Return on owners’ equity (ROE) uses the narrowest, and the most common, definition of investment. It defines investment as the owners' claims against the auditee's assets. Since the owners have the residual claim to all the auditee's earnings, return on owners’ equity is the primary overall measure of an auditee's operating performance.

A crude benchmark for evaluating ROE is the current market rates of interest. People who buy stock in an auditee expect a return on that investment in excess of what they could have gotten by just putting the money in an insured savings account or other safe investment. They expect a higher return because they are taking a greater risk of loss by buying the stock. Therefore, the market rates of interest for relatively safe investments (e.g., insured savings accounts, certificates of deposit, high-grade bonds, US Treasury securities) represent a lower bound on what the owner should expect for a ROE. Because an investment in stock is usually considered a long-term investment, this text uses nominal29 10-year US Federal Treasury Bill rates as a basis benchmark for evaluating ROE (see Table 2)30.

29 "Nominal" means the rates that these securities are currently earning in the open market. The economic data in this chapter also includes a "real" rate, which is the nominal rate less inflation. It is called "real" since it represents the actual return the investor will receive once the reduction in the purchasing power of future dollars due to inflation is factored out of the market return. 30 Since the US government currently is considered the world's best credit risk, US Treasury bill rates are used worldwide as a measure of a risk-free rate of return.

7-13

Leverage

The difference between an auditee's ROA and ROE indicates how effectively the auditee is using leverage to maintain higher returns to their owners. ROE must always be higher than ROA if the auditee has any debt at all. The more debt the auditee has compared to equity, the more ROE exceeds ROA. By using more borrowed funds to finance their assets, an auditee is "making money from other people's money" and, since the owners have the claims against all the net income, the more money the auditee can make from borrowed funds instead of the owners' equity, the higher the owners' return on equity or ROE. Extensive use of leverage, however, means the auditee is heavily in debt, thus increasing its risk of financial problems like failing to pay its bills. An auditee's debt to equity ratio, which is covered below, measures the extent to which an auditee is using leverage.

To make the concepts clearer, consider a simple company with $100 in assets and $10 net income. Their ROA is 10% ($10/$100). If they have no debt, then their equity must be $100 and their ROE also is 10%. What if the same company had a $50 of debt and $50 of equity (or a debt to equity ratio of 1.0)? The ROA is still 10%, but the ROE is now 20% ($10/$50). If they increased their debt to $75 and reduced equity to $25 (debt to equity rises to 3.0), then their ROE becomes 40% ($10/$25). Holding net income constant, ROE goes up relative to ROA as the debt increases in proportion to equity because the owners have the residual claims to all the net income.

Earnings Management

"Earnings management" looks at how management can use accounting standards to manipulate the impression the financial statements present to third parties. The basic point is that many GAAP rules require management judgment. For example, the lower of cost or market rule for valuing inventory requires that management judge the net realizable resale value of items the auditee holds in its inventory. If management has latitude within GAAP to exercise judgment, then auditors need to be aware of the incentives that management has to use that latitude to manipulate the auditor's impression of the auditee. The most common incentive on management is to have the financial results show steadily growing net income and to minimize the auditee's liabilities. The "steady" part of the prior statement means that management, at times, may have an incentive to decrease reporting net income and at other times increase reported net income.

One other factor that is important to earnings management is change. If management consistently applies the same accounting rules over time, then they have very little ability to alter the impression that the financial statements present to auditors. Therefore, a key sign of earnings management is changes in accounting policies and estimates.

Managers also can manage earnings by deferring some expenses. The major deferrable expenses include maintenance, research and development, and marketing. These expenses tend to have longer-term impacts, so reducing them in the short-term will not cause an immediate reduction in profits. However, they either will lead to the need for higher expenses or lost competitive position in the future. Auditees also can inflate current earnings by deferring capital asset purchases. New plant and equipment normally will cost more than old and

7-14

purchasing new plant and equipment will increase depreciation expense. Auditees may be able to use outdated or deteriorating plant and equipment for a short time without seeing an impact on earnings, but delaying purchase of new assets could depress future earnings.

Determining whether an auditee is delaying expenses or capital asset purchases can be difficult. The best method for evaluating expense deferral is to compare against benchmark firms or industrial averages. The auditee's own history also can be used to spot drops in expenses. The section on cash flow statement analysis below discusses a rough analysis that auditors can performed to evaluate the capital asset replacement rate.

Finally, managers can manage earnings by how they structure transactions. For example, some auditees use leases extensively. Some types of leases (i.e., capital leases) are shown in the financial statements as if they were a purchase. That is, the leased asset is shown on the lessee's books and the present value of the future lease payments is shown as a liability. Other leases (operating leases) do not generate assets and liabilities and the full lease payments are reported as expenses of the current period.

The main difference between these three earnings management strategies is that the first involving accounting polices usually has no economic substance. That is, the underlying economic effect of transaction is the same and only the accounting for the transaction varies. Earnings management using accounting choices nearly always reverses. That is, using accounting choices that inflate current earnings will invariably deflate future earnings. However, deferring expenses or restructuring transactions has real economic impact. For example, deferring maintenance expenses can lead to reduced productivity and structuring a lease as a capital lease means that the auditee must make stronger commitments to the lessor (e.g., accept non-cancelability provisions).

The material in this reading periodically makes brief mention of these earnings management tools. Students should consider how things like valuation judgments might affect the analysis that we will perform in this section of the course as we work through basic ratio analyses.

Profitability

Profitability measures also tend to be one-sided because higher profit margins are usually, though not always, considered better than lower ones. Increasing profit margins by raising prices can reduce sales volume. If the higher prices produce a sufficiently large reduction in the number of units sold, then the auditee may be worse off than if they maintained lower profit margins. Therefore, even though higher profit margins are generally better than lower ones, a final determination of the appropriateness of a profit margin cannot be made exclusive of an analysis of the utilization ratios, which measure volume of units sold. Both of the profitability ratios included in Table 1 are very common and both will be used in the analyses in this text.

Gross profit percentage

For manufacturing and distribution (i.e., wholesale and retail) auditees, the gross profit percentage or gross profit margin is a key indicator of operating performance. The gross profit

7-15

margin is an auditee's gross profit divided by its revenues and is stated as a percentage. An auditee's gross profits are its revenues less its cost of goods sold. The gross profit margin measures how well the core production function of the auditee generates profits. These auditees need to make enough gross profits on their sales to cover administrative and other expenses, or they will be in trouble. Service auditees and financial institutions rarely report a cost of goods sold figure in the income statements and so you can't calculate a gross profit margin for these types of auditees.

Profit margin

The profit margin indicates the overall profitability of the auditee. Profit margins can differ significantly among auditees in different industries. As previously mentioned, auditees can follow two broad strategies for attaining high return on investment: high profitability and low utilization or low profitability and high utilization. Distribution auditees tend to rely on low profitability and high utilization, while manufacturing and service auditees tend to make higher profits with lower utilization. Note, however, that there are many auditees that fall somewhere in between these two broad strategies.

For example, fast food outlets do not have waiters and servers and their prices are low compared to a full-service restaurant. Their profit margin on each meal served is lower than in a full- service restaurant, but fast food restaurants can attain a higher return on investment by selling more meals per hour through more rapid turnover of customers. A full service restaurant would serve fewer customers per hour, but would make more profit on each meal by charging a price that leads to a higher gross margin on each meal. The return on investment statistics help auditors compare the relative profitabilities of auditees that use different operating strategies because those statistics relate profit to investment.

Common-sized Income statement

The common-sized Income Statement complements the above profitability ratios by showing the auditor where the auditee incurs most of its expenses. For example, it shows the relative proportion of expenses that are going for operating and for administration. The common-sized Income Statement is a very useful tool for diagnosing how an auditee achieved a particular profit margin because the auditor can see how each line item on the Income Statement contributed to the final profit margin. That is, in a common-sized income statement, every line item is stated as a percentage of revenues. Since the profit margin states net income as a percentage of revenues as well, the common-sized income statement shows how many percentage points of revenue each line item contributed to the profit margin.

Utilization

Like profitability ratios, utilization ratios (or rates) are mostly one-sided measures. Getting more production from the same asset or investment base is usually a good thing. As with profitability measures, this may not always be the case. Auditees can push up their utilization rates by dropping prices, increasing sales, and lowering profit margins. The net effect of these changes may not be higher return on investment. In addition, most assets have natural limits to their

7-16

productivity. For example, an auditee can maintain a high utilization rate by not replacing old equipment in a timely fashion. The key to understanding this statement is realizing that a utilization rate is merely the total sales divided by the book value of the assets. As assets age, their book values decline. In addition, their maintenance costs increase. Therefore, if an auditee held on to its equipment to the point where they were spending large sums in maintenance, the utilization rate would be high because of the assets’ low book value. However, net income could fall because of the high maintenance charges.

Asset Turnover is the key measure of an auditee's utilization. It compares sales volume to the value of all assets of the auditee. The analyses in this text are based on the asset turnover ratio because this is the most common and broadest measure of an auditee's utilization. The total asset turnover ratio can be interpreted as how often the assets of the auditee are capable of generating their own value in sales or revenues.

Cash Management Analysis

Cash Conversion Cycle

All for-profit auditees can be thought of as cash conversion machines. They use cash to purchase the inputs they need to produce goods or services; they produce those goods or services; they inventory goods; sell goods or services; and collect cash from the sale. This process is illustrated in Figure 2. The problem is that they usually have to pay out cash for the purchase of inputs well before they receive cash from the sale of their outputs. This process is called the cash conversion cycle. Firms must have a reservoir of cash available to finance this timing difference.

The amount of economic resources invested in the cash conversion cycle at any point in time is closely approximated by working capital. Formally, working capital is current assets minus current liabilities, so it includes things like cash and short-term investments that are not part of the cash conversion cycle. However, the components of the cash conversion cycle (i.e., inventory, accounts receivable, accounts payable, and expenses payable) make up the bulk of working capital, which is why working capital closely approximates the amount of economic resources tied up in the cash conversion cycle. Financing the cash conversion cycle is a long- term need because it represents a permanent difference in current assets and liabilities that is inherent in the production cycle of the auditee. Therefore, financing it is usually done with long- term debt or equity.

The amount of resources tied up in the cash conversion cycle depends on its length and the volume of activity it contains. Its length is calculated in days. For example, if it takes an auditee, on average, 30 days to produce a good, 30 days to sell it, and 30 days to collect for the sale, then the auditee needs to finance 90 days of activity. Part of this financing comes from accounts and expenses payable. If this same auditee can delay paying its suppliers for 30 days, then its cash conversion cycle has a length of 60 days (i.e., 90 less 30). The total amount of funding needed to finance the cash conversion cycle equals its length in days times the average

7-17

daily volume of activity. If this auditee processes $1,000,000 worth of goods per day, then it would need $60,000,000 to finance its cash conversion cycle.

The lengths of each of the three components of the cash conversion cycle are calculated using a different denominator, as the formulas in Table 1 show. Days Receivable is calculated using average daily sales (i.e., annual sales divided by 365) because both sales and receivables are stated in terms of selling prices, not costs. Days Inventory is calculated using average daily cost of sales (i.e., annual cost of sales divided by 365) because both are stated in terms of the cost of the units sold.

However, both Days Receivable and Days Inventory should be calculated using an auditee's gross accounts receivable and inventory, respectively. Auditees are only required to report their net accounts receivable (i.e., gross accounts receivable less allowances for doubtful accounts) and net inventory (gross inventory less any lower of cost or market adjustment). Since both these valuation accounts are disclosed in an auditee's footnotes, I have calculated the cash conversion cycles in this class's cases using gross accounts receivable and gross inventory.

The problem with using net amounts for these calculations is that the valuation allowances distort the true days receivable and payables. For example, when an auditee records an allowance for doubtful accounts, this reduces the net receivable balance and, thus, shortens the collection period. Thus, if you use the net accounts receivable balance, an auditee with a large allowance for doubtful accounts will look as if they are collecting their receivables as fast as an auditee that has not allowance but does collect their receivables rapidly.

The calculation of Days Payables is more complex. The goal of the days payable statistic is to relate the average current liabilities or payables associated with operating expense with the average daily level of those operating expenses (i.e., operating expenses divided by 365). Both these amounts are stated in terms of costs, and accounts payable and expenses payable are used to directly finance operating expenses. The specific way days payables are calculated may vary from auditee to auditee depending on how detailed the current liability section of the auditee's balance sheet and the operating expense section of the income statement is.

If you have looked at the formulas in Table 1 carefully, you may have noticed that each of these items has a counterpart that is stated in terms of a turnover. These counterparts are the mathematical inverse of the cash conversion cycle ratios, except for the division by 365. For example, days receivables is the inverse of receivable turnover. This relationship makes some sense. Conceptually, the faster something turns over, the less time it will be around. Therefore, the current turnover ratios tell auditors virtually the same thing as the cash conversion cycle analysis except that the cash conversion cycle components can be combined into a more holistic picture of how the auditee is managing its working capital.

Cash Flow Statement

In addition to ratio-based analysis presented above, cash flow statement analysis can provide insights on how the auditee is financing its operations and managing its cash flows. Since

7-18

production activities are an auditee's major source and use of cash, cash flow analysis forms a bridge between operating performance and financial position analysis. Its main focus, however, is tracking the details of where an auditee is generating the cash it needs to finance its activities and how it is spending that cash.

The cash flow statement is divided into three sections for a reason. Most healthy firms finance their operations with a balance of internally generated cash (i.e., cash flow from operations) and externally generated funds (i.e., cash flows from financing). These funds are used to invest in the productive capacity of the firm (i.e., cash flows for investing). Therefore, in a healthy, moderately growing firm, the auditor would expect to see a positive cash flow from operations and financing, and a negative cash flow from investing. Such a firm is generating cash from its operating and financing activities and investing that cash in more plant and equipment to expand the firm.

Not all auditees are healthy and moderately growing. A quick analysis of their cash flow statements can reveal problems. For example, an auditee with a negative cash flow from operations is probably in trouble since operating cash flows must ultimately provide the cash to fund the auditee's activities. That is, an auditee needs positive operating cash flows to invest in new productive assets as the old wear out and pay dividends. In the short run, however, a rapidly growing auditee may experience negative cash flows from operations because of things like inventory buildup without incurring substantial problems.

Table 3 illustrates some patterns from hypothetical cash flow statements and some possible interpretations. Further analysis would be needed to determine the complete explanation for each pattern and some patterns have more than one explanation. Table 3 is presented to illustrate the general approach, not to provide hard rules of interpretation.

One valuable piece of information missing from Table 3 is historical data. One year's cash flows can reflect temporary situations or unusual events. In fact, cash flows generally tend to be more volatile than net income or revenues. For example, the interpretation of Firm A in Table 3 would change significantly if the auditor knew that the firm had been in operation for ten years and had been running a negative cash flow from operations for the last three. This signals some real problems. If, on the other hand, Firm A is in its first year of operations, then its cash flow pattern is normal.

Main Benchmarks

The following are a few simple cash management benchmarks that auditors like to see in a healthy auditee. These are very general rules of thumb and need to be interpreted in the context of an overall analysis of the auditee.

Cash Flows from Operations

Ultimately, an auditee must generate its cash from operations. Since cash flows from operations do not include any cash paid to replace the auditee's fixed assets, an auditee needs to use operating cash to invest in replacement of fixed assets as their fixed assets age. If they don't, they

7-19

are disinvesting in productive capacity, which will eventually lead to drops in revenues and profits. Auditees should not borrow or sell stock to finance the replacement of fixed assets consumed during the year and should limit the use of financing cash flows to expand their productive capacity. That is, healthy auditees should generate enough cash from operations to replace the productive capacity (i.e., property, plant, and equipment) that they have consumed during the year and only borrow or sell stock to expand productive capacity. In addition, investors may expect to get cash back as dividends. Therefore, a healthy auditee needs to have a positive, stable cash flow from operations that is large enough to replace its productive capacity and pay dividends.

There can be legitimate reasons for an auditee's cash flow from operations to be negative for short periods of time, particularly if it is a new firm. Negative cash flows from operations for more than a few years, however, are a sign of serious trouble. Operating cash flows need to be more than just positive, however. They should be large enough to pay all the dividends and have enough left to replace the productive capacity the firm consumed during the year.

The free cash flow statistic discussed below is an approximation of this measurement. Normally, free cash flows are equal to operating cash flows less net, new investment in fixed assets, which represent the change in the auditee's productive capacity. Thus, free cash normally is not reduced by dividend payouts. A problem with free cash flows is that it cannot differentiate between the cash used to maintain the auditee's current productive capacity and the cash used to expand it. While the cash needed to maintain the auditee's productive capacity (i.e., replaced fixed assets as the wear out) should come from operating cash, the cash needed to expand the auditee should not always come from operating cash or the auditee may not be taking advantage of leverage. That is, growth should normally be financed by a combination of debt and equity financing, where operating cash is one form of equity financing.

Since depreciation is a significant expense for most auditees but is not a cash flow, most auditees will also have cash flows from operations that are larger than net income. When an auditee's cash flows from operations fall below net income it is usually a sign of problems in the cash conversion cycle.

It may be helpful to think of cash flows from operations as the output of the cash conversion cycle. This illustrates the tight linkage between cash flows from operations, the cash conversion cycle, and the current ratio (i.e., current assets divided by current liabilities). In the following discussion on the current and quick ratios, the chapter points out that these ratios were two-sided because having excess current assets could suppress profitability. The relationship between the cash conversion cycle, current ratio, and cash flows from operations reinforces that point. The components of the cash conversion cycle (accounts receivable, inventory, and accounts payable) are also the major components of current assets and current liabilities. Since the "needs" part of the cash conversion cycle (receivables and inventory) is current assets and the sources (accounts payable) are liabilities, the length of the cash conversion cycle is directly related to the current ratio. The fewer needs compared to sources, the lower the current ratio.

7-20

This relationship means that having a short cash conversion cycle, which is good because production and collection activities are generating cash faster, would also mean having a low current ratio, which signals a weak financial position. These seemingly inconsistent statements can be reconciled by realizing that the cash conversion cycle measures how fast assets are turned into cash while the current ratio measures how many assets, relative to liabilities, are still around.

An auditee can pay its short-term liabilities either by liquidating current assets or by drawing on operating cash flows. Therefore, in evaluating whether an auditee will have the cash it needs to pay its bills in the short term (i.e., short-term financial position) the auditor needs to look not only at the level of current assets available to pay current liabilities (i.e., the current ratio) but also the speed (length of the cash conversion cycle) and reliability (historical trends in cash flows from operations) with which the auditee generates cash. An auditee may have a high current ratio merely because they are unable to turn over their inventory or collect their receivables rapidly.

This discussion highlights the fact that, over time, an auditee's cash flow from operations should be roughly equal to its net income plus depreciation. If the length of the cash conversion cycle is stable, then the changes in the current assets and liabilities that are used to adjust net income to get operating cash flows should more or less cancel out, leaving depreciation and amortization as the major difference between net income and operating cash flows. If an auditee is using increases in accounts payable or decreases in inventories and receivables to "prop up" its operating cash flows for more than a year or two, this is a sign the auditee is having trouble stabilizing its cash conversion cycle or making profits.

Cash Flows for Investment and Depreciation

Auditees need to maintain their level of fixed assets over time. The auditor can determine if it is doing this by comparing the amount of depreciation incurred in a given year to the cash invested in new fixed assets in that year (i.e., CAPEX). Depreciation represents a rough approximation of the amount of fixed assets used up in a given year. Therefore, the auditee should reinvest in new assets at the same rate as it depreciates them if it is to maintain its production capacity. Because depreciation is based on historical costs and new fixed assets are purchased at current (probably higher) market prices, the cash invested in new fixed assets should actually be higher than depreciation to account for inflation.

Investment in new fixed assets (i.e., property, plant, and equipment) is usually the major investing cash flow. Some auditees, however, will invest money in temporary investments to earn some income while waiting to use the money to buy new productive assets.31 Therefore, the auditor may find large investment outflows in one year followed by a year or two of inflows as those investments are cashed in to purchase productive assets. If the amounts of the cash used to purchase new investments and the cash used to retire old investments is substantial, this indicates that the auditee is actively managing its investments.

31 I refer to this as "parking cash."

7-21

Free Cash Flows

A very common statistic used by financial analysts to judge the health of an auditee is free cash flows. Free cash flows are operating cash flows less the cash flows needed to replace a firm's productive capacity consumed during the year. That is, it is the cash that is left over after the firm has paid all their operating expense and replaced the productive capacity the firm used during the year. Free cash flows can be calculated in a variety of ways, but the most common is to subtract net cash invested in property, plant, and equipment (also know as capital expenditures or CAPEX) from operating cash flows to get free cash flows. The idea is that free cash flows are the operating cash flows left over after the auditee has reinvested enough cash to maintain its productive capacity. Thus, it is the cash that is free to grow the auditee’s productive capacity, pay dividends, and/or repurchase stock. Depending on the auditee's commitment to maintaining regular dividends, sometime dividends also are subtracted from operating cash flows to calculate free cash flow.

Calculating free cash flows is very difficult because determining how much cash the auditee should have invested in CAPEX to maintain its productive capacity is very difficult. The cash flow statement shows how much cash the auditee actually invested in new CAPEX, but nothing in the cash flow statement states whether that amount of investment in CAPEX was enough to maintain the auditee's productive capacity, grow it, or was insufficient to maintain productive capacity. That is, the theoretical definition of free cash flows focuses on the CAPEX needed to maintain existing capacity in order to determine how much cash is free to grow the auditee's productive capacity. However, financial statements don't separate CAPEX into a "maintenance" component and a "growth" component. They just present the total CAPEX spent in the investing section of the cash flow statement.

Analyzing free cash flows can be tricky because of leverage. If an auditee finances all of its capital expenditures from operations, it may be losing return on investment because it could finance some of those capital expenditures with cheaper borrowed funds instead of more expensive equity investment, which is what operating cash flows represent. Particularly for rapidly growing auditees, management would be unwise to limit CAPEX only to the amount generated by operating cash flows just to maintain free cash flows.

Most auditees use a balance of internally generated funds (i.e., cash flow from operations) and externally generated funds (i.e., cash flows from financing) to finance new investments. This balance reflects the discussion above about leverage and solvency. Internally generated funds come from the profits that belong to the owners. They are expensive in the sense that the owners tend to expect higher returns on this cash than creditors do. Therefore, a healthy auditee usually does not finance all its investment with operating cash flows, but uses some outside financing as well. Thus, a healthy, rapidly growing auditee will normally have a negative free cash flow. An equal balance of debt and equity implies that not all investment in capital assets like property, plant, and equipment will come from operating cash flows that, in turn, implies as negative free cash flow.

7-22

I have added a "free cash flow" line to all the Cash Flow Statements used in this course because it is such a commonly used statistic. However, GAAP does not require that free cash flows be shown on published Cash Flow Statements and so the free cash flow line is rarely presented in published Cash Flow Statements.

Balance Between Short- and Long-term Sources

Auditees also try to balance between short- and long-term sources of financing. They try to match the length of the repayment period on debt with the life of the asset the proceeds of the debt will purchase. For example, they would finance the purchase of a long-lived asset like a building with a 30-year mortgage. Normally if an auditee finances long-term needs with short- term loans or other short-term financing like accounts payable that is a sign of financial trouble. Creditors consider short-term loans less risky because they will be paid back in a shorter period and, therefore, short-term debt normally comes with a lower interest rate. If an auditee is drawing on these short-term sources to finance long-term needs it implies that creditors are unwilling to extend the longer-term credit the auditee really needs.32

One seeming exception to this rule is financing the cash conversion cycle (or working capital). Even though the components of the cash conversion cycle are all short-term assets and liabilities, financing the cash conversion cycle is a long-term need. The timing differences between cash disbursements and cash receipts that create the cash conversion cycle are permanent parts of an auditee's operations and require long-term financing.

Financial Position

The purpose of financial position analysis is to determine how well the auditee is managing its financing function and how well positioned it is to pay its debts. The auditee's financial position is the result of its operating performance and cash management effectiveness.

Auditees get money from two main sources: creditors and owners. Creditors can lend money to an auditee in three ways. Creditors that provide goods and services to an auditee and then wait to be paid are called trade creditors. Creditors also can lend the auditee money directly (e.g., a bank loan) or purchase the auditee's debt securities in an open capital market (e.g., purchase the auditee's bonds in an open bond market). Owners invest in auditees in two ways: by buying shares of stock or by leaving earnings in the auditee. Since owners own the auditee's net income, leaving income in the auditee (i.e., retained earnings) and not taking earnings out as dividends is a form of investment. Owners can buy stock directly from the auditee, but they more commonly purchase those shares in a stock market, which also is referred to as a capital market.

32 The difference between short and long-term interest rates in the debt markets is referred to as the "yield curve." If you follow the financial press, you may have heard recent discussion of how the yield curve became flat in the period between 2001 and 2006. This means that short- term rates rose to closely approximate long-term rates. The major cause of this anomaly is the growing impact of the global capital markets on the US economy. During this period, the US Federal Reserve Board kept raising short-term rates in the US, which is all they control. However, because of a global "capital glut," long-term rates remained low.

7-23

When either an owner buys stock in an auditee or a creditor lends money to it, the creditor or owner is said to have made an investment.

Investment decision, either lending or ownership, are driven by the risk/return tradeoff. The risk/return tradeoff refers to the simple fact that investments that are more risky must yield a higher return to compensate the investor for the risk. Since creditors' claims against the auditee's assets take precedence over the owners' claims, debt investments are usually less risky than equity. Therefore, as mentioned above, an auditee's return on owners' equity usually must be higher than the average interest rate it pays on its debt to compensate the owners for the increased risk they are taking.

The discussion thus far has focused on the investor. Auditees need to be sensitive to some basic rules of finance when developing a financing strategy as well. A financing strategy merely refers to how auditees balance between short-term and long-term sources of money and between debt and equity sources of financing. The issues involved in the balance between debt and equity were introduced above in the section on leverage and are discussed in more detail below in the long-term financial position section. In determining a balance between short and long-term sources, auditees should match the source to the use.

Matching sources to uses means that auditees should not use short-term sources of funds to purchase fixed assets and should not use long-term funds (i.e., long-term debt and equity) to finance current assets or expenses. The major exception to this rule is financing working capital. Working capital is the difference between an auditee's current assets and current liabilities. For most auditees, it is positive. There are two reasons why auditees need a positive amount of working capital (i.e., current assets greater than current liabilities).

First, the valuation of current liabilities is more certain than the valuation of current assets. An auditee must pay its debts at book value, but may not be able to collect its receivables or sell its inventory at their book values. Therefore, a financially sound auditee needs to have an excess of current assets over current liabilities to compensate for the greater uncertainty associated with current asset valuation.

Second, most auditees buy the inputs to their production processes first, then produce the good or service, possibly inventory it, sell it, and finally collect the cash from the sale. This timing difference means that an auditee must have an excess of current assets on hand to finance purchases while they wait for their collections. This timing difference is referred to as the cash conversion cycle and will be discussed in more detail below.

Short term

Short-term financial position analysis focuses on whether an auditee can pay its current liabilities as they fall due. It is also referred to as liquidity analysis since assets that can be readily converted to cash are referred to as liquid assets. These ratios are mostly two-sided. High ratios tend to indicate high liquidity and the ability to pay current debts easily, but, since liquid assets

7-24

also are less risky, they tend to generate lower returns. Therefore, an auditee with too many liquid assets is probably losing profitability.

Current and Quick Ratios

The current ratio, along with its close relative the quick ratio, or acid-test ratio, as it is also called, are the most common measures of an auditee's short-term financial position. The current ratio is total current assets divided by total current liabilities. It measures whether there are sufficient current assets on hand to pay current liabilities. The quick ratio differs from the current ratio because less liquid current assets, like inventory and prepaid expenses, are excluded from the numerator of the ratio. This leaves assets like accounts receivable, cash, and short-term investments that can be converted to cash fairly quickly, thus the name for the ratio. These assets are also called monetary assets because of the relative ease in converting them to cash. This statement may not seem obvious for accounts receivable. Auditees, however, do not have to collect an account receivable to get the cash. They can sell the receivable (commonly referred to as factoring). The auditee will, of course, receive less than full face value for the receivables they factor (i.e. sell), but they can get most of the cash.

A common benchmark for the current ratio is 2.0 and for the quick is 1.0. A current ratio of 2.0 may seem high because it means the auditee has twice as many current assets as current liabilities. A ratio of 2.0 is desirable because of the risk that the inventory and receivables may not generate their book values in cash. The current and quick ratios measure the auditee's ability to pay their short-term or current debts from the auditee's short-term or current assets. If the value of the auditee's short-term assets is overstated because of potential collection and realization problems, then the auditee needs to have extra value in the current assets to compensate for this potential valuation problem. Since the auditee almost always must pay the full value of their current liabilities, the current ratio benchmark of 2.0 builds in a cushion to allow for valuation problems with the current assets.

Auditors like to see that the auditee has sufficient monetary assets on hand to pay all current liabilities, thus a benchmark quick, or acid-test, ratio of 1.0. These benchmarks are more valid for manufacturing and distribution firms (wholesalers and retailers) because these types of firms carry substantial inventories. For service auditees and financial institutions, the current ratio is usually lower than 2.0 because of the lack of substantial inventories.

The current and quick ratios are two-sided because current assets usually do not produce a high return on investment. Therefore, auditees that have too high a level of current or monetary assets compared to their current liabilities may be losing profitability even though the existence of excess current or monetary assets provides greater liquidity. For example, an auditee can increase its current assets by increasing its inventory. Although this means that there are more assets available to pay creditors, inventory needs to be purchased; it costs money to be stored; and it tends to be perishable, due to either physical age or changes in market demand. Therefore, having too high a level of inventory depresses profits and return on investment while increasing the auditee's current ratio.

7-25

The benchmarks for both the current and quick ratios are very conservative in that they are assessing the short-term financial position of the auditee based solely on whether then have enough current assets as of the balance sheet date to pay off their current liabilities. However, auditees generate more cash every day through operations and can use this cash flow to pay their current liabilities as well. Thus, they don't need to have more current assets than liabilities to have a sound short-term financial position. For example, Dell computer, the second largest personal computer manufacturer in the world, has a very low current ratio (around 1.0) and a moderately low quick ratio (around 0.9). However, I would argue that they have a strong current financial position because of their business model. Dell sells on-line and assembles computers as they are ordered. Thus, they don't need to carry much of an inventory, which depresses their current ratio. They also sell a substantial proportion of their computers to consumers and do not extend credit. Thus, they have low accounts receivable. However, they do delay payment to their creditors, which creates a negative cash conversion cycle. That is, they get the money from their sales before they need to pay their creditors. This lack of inventory and quick collection means that they have plenty of cash flow to pay their creditors when those bills come due and, therefore, their low current and quick ratios do not signal a weak short-term financial position.

Dividend yields

Dividend yield and Dividend payout measure the amount of earnings the auditee is returning to its owners as dividends. Dividend yield normally is calculated by dividing dividends by net income and is expressed as a percentage. Dividend payout, which is used in this text, is calculated by dividing dividends by operating cash flows and is expressed as a percentage.

High dividend payouts may be good for owners because it increases the cash they get from the auditee. However, because most dividends are paid in cash, high dividend payouts could indicate that management is draining too much cash from the auditee. In addition, the stockholders may not be able to reinvest the cash they receive as dividends in investments that produce the same return on investment they could have received if they just left the cash in the auditee so it could invest in expanded capacity.

High dividend payouts are a particular concern when management also owns significant stock in the auditee since management usually controls the amount of dividend payout and may be using that power to take large amounts of cash out of the auditee. Therefore, dividend yields and payouts are two-sided measures. A higher dividend yield or payout can mean that the auditee has strong profits and cash flows, or it can mean that the auditee is paying out too much cash to owners. This text includes dividend payout in the short-term financial position analysis because it uses the statistic primarily to determine how much dividends are draining cash flows.

Operating cash flows

As my Dell example above illustrates, auditees can pay their short-term liabilities in two ways: by liquidating current assets or by tapping the auditee's cash flows. That is, they can pay debts with assets or with cash flows. Therefore, a complete assessment of an auditee's current financial position is not complete without a review of the strength of an auditee's operating cash flows,

7-26

their cash conversion cycle, and their overall cash management performance. These issues were discussed in the cash flow section above.

Long term

The purpose of long-term financial position analysis is similar to that of short-term analysis. The auditor also wants to measure the auditee’s ability to pay its bills over a longer period of time or solvency. Another purpose of long-term analysis of an auditee's financial position is to determine what type of long-term financing strategy it is using. Because different long-term financial strategies can equally beneficial to the auditee, long-term financial ratios are all two- sided. These ratios are considered weak if they are either too high or too low. For example, most creditors would like to see a total debt/equity ratio of somewhere around 1.0, meaning that the owners have at least as many claims against the auditee's assets as the creditors. If the owners have more claims against the auditee's assets than the creditors, then the creditors are more certain that the auditee can pay them back if the auditee got into financial trouble. However, a lower ratio might mean that the auditee is not taking advantage of leverage and instead is depending on equity financing, thus reducing return on owners' equity. Therefore, low debt-to- equity ratios are generally good for creditors and high debt-to-equity ratios are generally good for investors.

However, if debt-to-equity ratios become too high, they can be are bad for investors, too. Many credit agreements come with covenants that require the auditee to maintain certain levels in their ratios or restrict the level of dividends they can pay to help protect the creditors. For example, if a debt covenant states that the auditee's debt/equity ratio cannot go above 1.2 and the auditee's debt/equity raises above this level, the creditor could force the auditee to pay the full amount of the debt immediately, which probably would create serious problems for the auditee.

Debt to equity

The main long-term financing strategy decision an auditee has to make is the balance between debt and equity financing. This relationship is known as leverage and was discussed earlier in the chapter. Debt financing tends to be cheaper than equity financing because it is less risky for the investor. The terms "equity financing" and "debt financing" refer to who has claims against the auditee's assets: the creditors or the owners. Since both creditors and owners create claims against the auditee's assets by giving the auditee assets in some form, the liability and equity side of the Balance Sheet also reflects an auditee's sources of financing.

Most long-term debt is secured by claims against specific assets or at least comes with a fixed repayment schedule. Equity investment has neither of these features. The benefit to the investor is that equity usually has a higher return per dollar invested than debt, which is why it costs the auditee more. The advantage of equity financing is that it usually requires a lower cash flow to maintain. Much of the return that investors receive on their dollar comes as higher stock prices, not cash paid out in dividends. In addition, many companies pay dividends as additional stock and not cash, thus further reducing the cash flow requirements associated with equity. Therefore, much of the higher expense associated with equity comes as pressure on management to achieve a high return on investment, not in demands for cash outflows.

7-27

Paying dividends as stock, and not cash, does have an indirect cash flow effect, however. The auditee could have sold that additional stock in the stock markets and received cash instead of giving that stock to its owners. By giving up the ability to sell the stock, the auditee has incurred what economists call an opportunity cost or opportunity cash flow. While an opportunity cash flow isn't "real" because no cash goes out of the auditee, it is really just as "real" as an actual cash flow because the auditee gave up the ability to receive a cash inflow.

An auditee that relies too heavily on debt financing is running an increased risk of insolvency (i.e., the inability to pay its debts). A high debt-to-equity ratio means that an auditee necessarily has a low equity balance compared to total assets since the bulk of the claims against those assets are held by creditors. A low equity balance means that the auditee cannot lose too much money before its equity goes to zero or negative, which means the book value of the assets is not sufficient to cover the auditee's debts. Therefore, an increase in debt-to-equity means that creditors are carrying an increasing risk of losing their money. Under these circumstances, they will demand higher interest rates or force the auditee to pay off the loans because of violations of debt covenants.

If, however, the debt-to-equity ratio is too low, this means that the auditee is not taking full advantage of less expensive borrowed funds. Leverage, then, is the use of lower cost debt to finance the auditee, or making money with other people's money. For example, if an auditee is making a 10% return on total assets and paying 8% interest on long-term debt, then it would increase its return to the owners if it borrowed more money and invested it in more assets, assuming the new assets also would yield a 10% return. The 2% difference between what the auditee pays its creditors for the cash to invest in more assets and the 10% the auditee earns on its assets belongs to the owners. Therefore, they are earning 2% on the creditors' money. However, the owners also are assuming the risk that the auditee's return on the new assets it purchases with the creditors' money may not return 10%, or even the 8% needed to pay interest to the creditors.

The two debt-to-equity ratios measure the relative emphasis the auditee places on debt and equity financing. The Total Debt-to-Equity ratio is the broadest gauge, taking into account both short and long-term debt. The Long-term Debt-to-Equity ratio is a narrower measure because it only considers long-term debt. However, it may represent the tradeoffs between investors more accurately.33 As mentioned earlier, the broad interpretation of the term "investor" includes everyone with some form of long-term stake in the auditee, either creditor or owner.

The common-sized Balance Sheet can be used to analyze an auditee's relative debt and equity position. Auditors can look at the various liability and equity components as percentages of total assets and gain the same insights as looking at debt-to-equity ratios. This text uses both total and long-term debt-to-equity, as well as the common-sized balance sheet, for long-term financial position analyses.

33 The discussion of the return on invested capital statistic in Appendix B provides an alternative view of what constitutes a long-term stakeholder in an auditee.

7-28

Bond ratings

Auditors can use the bond markets to help them assess the long-term financial position of an auditee. This is done by reviewing the auditee's bond rating and the variability in the price of its bonds. Appendix C to this chapter includes the ratings criteria for the two main ratings auditees: Standard and Poors and Moody's. Bond ratings are a very good measure of an auditee's long-term financial position because they are produced by independent firms with high levels of financial analysis expertise. However, an auditee may not always report its bond ratings in its annual financial statements and, thus, these ratings can sometimes be hard to find.

Analysis Strategies

General Approach

Appendix A to this chapter contains an outline of the overall analysis strategy presented in this text. This section reviews that approach. A systematic approach to financial analysis that follows the structure presented in this chapter is usually best, particularly for students who are new to analysis. The trick is to understand what the ratios and other statistics mean about how the auditee is functioning as a whole. Figure 3 organizes the indicators used in this chapter into a causal structure that presents how they fit together. ROE is at the top of the figure because it represents the ultimate goal of a for-profit auditee. ROE is determined, however, by both the auditee's use of leverage and its ROA. ROA measures how effectively it generates profits from its assets and leverage measures the proportion of those assets provided by the owners. ROA is determined by the auditee's profit margin and asset turnover. Profit margin, in turn, is determined by how effective the auditee is in its core production function (Gross Profit) as well as controlling its other expenses (S., G., & A. and Other Stuff).

These operating performance relationships are also mathematical, as the formulas included in the figure indicate. That is, you can directly calculate one statistic given the statistics that determine it. The financial position relationships on the right hand side of the figure are not mathematical, but still represent strong, causal relationships. The arrow from Profit Margin and Asset Turnover to the Cash Conversion Cycle represents the fact that, ultimately, strong cash flows start with strong profits. The Cash Conversion Cycle measures how well profits are converted to cash and flow into operating cash flows. Operating cash flows are a major source of cash, but not the only source or use. Therefore, to determine what drives an auditee's financial position, both short and long-term, the auditor needs to review all of the auditee's major sources and uses of cash. How the auditee manages its cash ultimately determines what its financial position will be, and one major component of that financial position is the extent of leverage, thus the circle is complete.

7-29

Indicators of Strong Auditees

Stability over time

Stability over time in a variety of ratios and statistics indicates that the auditee has reached a balance in its operations and can maintain that balance through good planning and management. This observation is true under two conditions: the balance is at a high level of performance and the industry in which the auditee functions is stable. Stability at a low level of performance indicates failure to rectify poor practices and usually is not observed for more than a few years because the auditee will usually go out of business. Lack of stability in a volatile industry may not indicate bad management because even a well-managed auditee is heavily influenced by what is happening in its industry.

Proportional growth

"Stability," as discussed in the item above, does not mean lack of growth; it means stability in the ratios that relate components of the auditee's financial statements to each other. Since healthy growth is usually proportional, ratios that relate components will be stable. For example, if sales and inventories are both growing rapidly, but proportionally to each other, days inventory will remain the same.

Outperforming the industry

Since industrial averages are averages of all auditees in the industry, not just the good ones, a strong auditee should usually outperform the industry on key indicators for operating performance and financial position. Return on equity is a broad measure of performance and can be compared across industries as well as within an industry. Industrial data needs to be considered in light of several drawbacks. First, auditees in the same industry can adopt different strategies that are equally successful. For example, one auditee may target high profit, low volume business while another targets the opposite. In addition, one auditee may decide to use leverage to a greater extent than another in financing its activities, thus incurring greater risk but also greater returns to its owners. Finally, auditees can organize themselves in other ways that differ. For example, McDonald's does most of its business via franchising arrangements while the bulk of the industry it is in does business through ownership arrangements.

Second, modern auditees tend to be diversified and yet are only classified in one industry. For example, McDonald's is not in the same industry as defined by its SIC code34 as Burger King because Burger King is a wholly own subsidiary of Pepsi and the results of Burger King's

34 SIC stands for Standard Industrial Classification. It is the scheme used by the US Securities and Exchange Commission to classify auditees into different industries. An SIC code is hierarchical and can contain up to four digits. That is, the first digit represents the broadest classification level and the second through fourth digits further refine auditees within the categories represented by the higher level digits. I use four digit SIC codes to select the industrial data presented in the course.

7-30

activities are consolidated with Pepsi's and reported in the same industry with Coca Cola. These problems aside, comparisons to industrial averages can still provide valuable information in assessing the performance of an auditee. These comparisons, however, need to be taken in the context of the rest of a total analysis.

Balanced Management

Profit and utilization

Strong return on assets can be achieved through two opposite strategies: high volume and low profit or low volume and high profit, or somewhere in between. This is why there are no fixed benchmarks for either profit margin or asset turnover statistics. Analysis of these two statistics should be done within the context of the ROA they generate.

Financial position and operating cash flow

Auditees can insure that they have the resources to pay their bills in two general ways: by having sufficient assets on hand to cover their liabilities or by having a strong operating cash flow from which to draw the funds needed to pay their bills. Since the health of their operating cash flows ultimately depends on net income, any analysis of financial position must also include a general assessment of the strength and stability of the auditee's operating cash flows and, ultimately, operating performance.

Although an auditee may not have a strong current or quick ratio, or even debt-to-equity ratio, if they are profitable and have strong operating cash flows, their financial position may be quite strong. Auditees normally try to minimize their current assets because these assets do not produce income. What produces income is using their property, plant, and equipment to produce things that sell at a profit. Having large amounts of assets in cash, short-term investments, accounts receivable, and prepaid expenses may provide resources to pay their bills, but these assets don't generate profits. The one exception is inventory. Most auditees need a certain level of inventory to insure that they have the goods customers want when the customer wants them so too low an inventory level may lead to lost sales.

Leverage and financial risk

Since the owners of the auditee own the net income of the auditee and since net income is generated by producing things at a profit with the auditee's assets, the larger proportion of those assets that can be financed with borrowed money, the greater the amount net income that will be left over for the owners. The example earlier in the chapter illustrated how increasing leverage can increase ROE given the same ROA and net income, but it also illustrated that to do so, the auditee must incur higher levels of debt, thus increasing the risk that that debt may not be paid.

7-31

Diagnosing Change

The causal relationships in Figure 3 also are helpful in diagnosing cause of change in operating performance and financial position indicators. The following discussion illustrates that point.

Profitability

Since one key attribute of a healthy auditee is stability at strong levels of performance, volatility may be a sign of problems. Weak or volatile profit margins (gross and total) are best diagnosed with the common-sized income statement and the percentage change income statement.

The common-sized income statement helps diagnose why profit margins are changing. A scan of the relative percentages of the major expenses should tell you what is causing declines or variations in profit margins. Just look for the expenses that are increasing or fluctuating. That is, auditors can use the common-sized income statement to indentify which income statement components contributed to the any changes in the profit margin and how much they contributed in percentage points.

One key observation from the percentage change income statement is the rate of growth or decline in total revenues, sales, or net sales, whichever number is being used at the top of the statement. Revenue declines are usually a sign of problems.

Cash flows

A key link between operations and financial position is cash flow from operations. Like all components, cash flow from operations should grow in proportion to the size of the auditee. Because the indirect method cash flow statement does not have any good measure of auditee size, the best way to determine how operating cash flows are tracking is to compare them with net income. Operating cash flows should roughly approximate net income plus depreciation. If they do not or there is significant volatility in operating cash flow, then you should scan the adjustments between net income and operating cash flows to determine the source of the variation.

In addition to reviewing operating cash flows, auditors should usually scan for an auditee's major sources and uses of cash over time. The largest source should be operating cash flows. Beyond that, the other major sources tend to come from financing: either stock sales or borrowings. Since stock sales and major borrowings usually do not occur every year, many auditees use short- term investments as a temporary storage location for cash (i.e., parking cash) that is raised from major financing sources (stock or borrowing) until it is needed for investment in property, plant, and equipment. New net investment in productive capacity should be the largest use of cash for a healthy auditee.

Overall Summary

This chapter presents the evaluation of an auditee in a systematic flow. It starts with overall operations, looks at the components of those operations, and then moves on to financial position

7-32

and cash management. The logic is that, over the long term, auditees must be profitable to survive. Profitability, however, is not enough. They must also be able to turn profits into cash to use as a major source of financing for new property, plant, and equipment purchases. Healthy operations and healthy cash management should lead to strong financial position, although as noted in the section about balancing financial position and operating cash flows above, an auditee can have a strong financial position without having strong financial position ratios.

Substantive and Final Analytical Procedures Revisited

The bulk of this chapter has presented analytical tools for assessing an auditee's operating performance, cash management, and financial position. The main focus of this discussion was to uses the tools presented to "tell a story" about how well the auditee was doing on each of these dimensions and why. This sort of analysis is what auditors use to do preliminary and final analytical procedures. These goals of preliminary and final analytical procedures are to assess any high-level risk that the financial statements may be misstated when taken as a whole. Auditors also use the same tools to develop expectations for account balances when performing substantive analytical procedures. Auditors use substantive analytical procedures to develop expected account balances that they use to compare against the auditee's unaudited account balances.

For example, if an auditee's profit margin jumps suddenly from the prior year, an auditor would use the common-sized income statement to determine if the change was caused by a sudden change in one of the line items of the income statement. If one of the line items did change suddenly and that change accounts for a significant portion of the change in the profit margin, then the auditor would probably investigate that line item to determine why it changed so suddenly by asking management for an explanation and/or doing some targeted auditor procedures on that account.

However, auditors also perform ad hoc calculations on individual accounts to establish expectations. I illustrated one of these in my discussion above. I am not going to attempt to provide further examples and discussion of these procedures because they are so specific to the account and auditee's individual circumstances that general rules are hard to develop and present. Auditors develop ad hoc calculations by studying the processes the auditee uses to develop an account balance and determining how to calculate a reasonable expected balance for that account given the auditee's processes.

7-33

Table 1 - Summary of Ratios Name of Ratio Formula Results Benchmark Operating Performance: Overall Performance - Earnings per share Net income/shares outstanding Ratio Higher

Price to earnings ratio Market share price/earnings per share Ratio > Market P/E

Net income - Preferred Dividends + Return on Assets Interest Expense (1-tax rate) Percent Interest Total assets Rates

Return on Assets (limited data) Net income Percent Interest Total assets Rates

Return on invested capital Net income + (interest * (1 - tax rate)) Percent Interest Long-term debt + owners' equity Rates

Return on owners' equity Net income - Preferred Dividends Percent Interest Owners' equity Rates Profitability - Gross profit percentage Gross profit Percent Higher Sales or Revenues

Profit margin Net income Percent Higher Sales or Revenues

Utilization Rates - Asset turnover Sales or Revenues Ratio Two-sided Total assets

Invested capital turnover Sales or Revenues Ratio Two-sided Long-term liabilities + Owners' equity

Equity turnover Sales or Revenues Ratio Two-sided Owners' equity

Capital intensity (Fixed asset turnover) Sales or Revenues Ratio Two-sided Fixed assets

Accounts receivable turnover Sales or Revenues Ratio Two-sided Accounts receivable

Inventory turnover Cost of goods Sold Ratio Two-sided Inventory

Working capital turnover Sales or Revenues Ratio Two-sided Current assets - current liabilities

Items in bold type indicate ratios that are emphasized in the text. A Higher benchmark entry means higher is almost always better. Two-sided means that values that are too high or too low are unfavorable. 7-34

Table 1 Continued Name of Ratio Formula Results Benchmark Cash Flow Analysis: Cash conversion cycle Days cash in receivables Accounts receivable Days Industry Sales/365 Two-sided

Days cash in inventory Inventory Days Industry Cost of goods sold/365 Two-sided

Days cash in payables Accounts and Expenses Payable Days Industry Operating expenses/365 Two-sided

Cash Flow Statement Operating Cash Flows Positive and trend Relationship to Net Income Compare to dividends and fixed assets

Investing Cash Flows Fixed asset investment to depreciation Major sources and uses

Financing Cash Flows Dividend amount and history Major sources and uses over time

Financial Position: Short-term - Current ratio Current assets Ratio 2.00 Current liabilities Two-sided

Quick or Acid-test ratio Current assets - (inventory + prepaids) Ratio 1.00 Current liabilities Two-sided

Operating cash flow to current liabilities Operating cash flow Times or Higher Current Liabilities Percent

Accounts payable turnover Purchases Ratio Two-sided Accounts payable

Days cash Cash Days Two-sided Cash payments to suppliers/365

Dividend payout Dividends Percent Two-sided Cash flows from operations

Dividend yield Dividends Percent Two-sided Net Income

Long-term - Total debt to equity Total liabilities Ratio or 1.00 Owners' equity Percent Two-sided

Long-term debt to equity Long-term liabilities Ratio or 0.8 - 1.0 Owners' equity Percent Two-sided

Long-term debt to capitalization Long-term liabilities Ratio or 50% Long-term liabilities + owners' equity Percent Two-sided

Operating cash flow to total debt Operating cash flow Ratio or Somewhat Total liabilities Percent Higher

Times interest earned Net income before taxes + interest Ratio Somewhat Interest Higher

Item in bold type indicate ratios that are emphasized in the text. A Higher benchmark entry means higher is almost always better. Two-sided means that values that are too high or too low are unfavorable. 7-35

Table 2 - General Economic Data

General Economic Data (all data are percentages except P/E Ratio) 2008 2007 2006 2005 2004 2003 2002 2001 2000 1999 Nominal Prime rate 5.1 8.0 7.9 6.2 4.3 4.1 5.0 6.9 9.2 8.0 Real Prime rate 2.8 5.3 4.8 3.0 1.5 2.0 3.2 4.5 7.1 6.6 Nominal 10-year T Bills 3.7 4.6 4.8 4.3 4.3 4.0 4.6 5.0 6.0 5.6 Real 10-year T Bills 1.4 1.9 1.6 1.1 1.4 1.9 2.9 2.6 3.9 4.2 Inflation rate 2.3 2.7 3.2 3.2 2.9 2.1 1.7 2.4 2.2 1.4 S & P Average P/E Ratio 33.2 18.5 17.3 18.7 20.5 26.2 35.6 35.5 27.7 31.7

7-36

Table 3 - Sample Patterns of Cash Flow Behavior

Cash Flows From: Auditee A Auditee B Auditee C Auditee D Auditee E Operations Negative Positive Positive Negative Positive Investing Negative Negative Negative Positive Small negative Financing Positive Positive Negative Positive Negative Net Cash Flows Zero Zero Zero Negative Positive Interpretation Probably a start-up Probably a healthy, Probably a mature, Probably an auditee Possibly an auditee company. Most growing auditee that stable auditee. It in serious trouble. preparing to new companies can is investing its cash generates enough It is disinvesting in restructure or not generate in growth. operating cash flows fixed assets, beginning a decline. positive operating to both cover its reducing its cash It seems to be cash flows but need investment and pay balance and still has maintaining, but not to invest in fixed dividends. to rely on outside expanding, fixed assets financing to cover assets and negative cash flows accumulating cash. from operations

7-37

Figure 1 - Financial Analysis Overview

Overall Performance

Operating Performance Financial Position • Price Earnings ratio • Common-sized B/S • Return on Assets • Return on Equity • Return on Invested Capital

Profitability Utilization Short-term Long-term (liquidity) (solvency) • Common-sized I/S • Asset Turnover • Current Ratio • Debt/Equity Ratio • Gross Profit Percentage • Cash Conversion Cycle • Quick Ratio • Long-term Debt/ • Profit Margin • Invested Capital Turnover • Cash Conversion Cycle Equity Ratio • Earnings per share (market) • Equity Turnover • Cash Flow Analysis • Cash Flow Analysis • Dividend Payout • Capital Intensity • Operating cash flow • Long-term debt/ • Accounts Receivable turnover to current liabilities capitalization ratio • Inventory Turnover • Accounts Payable Turnover • Operating cash flow to • Working Capital Turnover • Days Cash Total Debt • Dividend Payout • Times Interest Earned

7-38

Figure 2 - Cash Conversion Cycle

Days Inventory Days Receivables

Purchase Convert Store Finished Sell Finished Collect Cash Materials, Materials and Goods in Goods to from Customer supplies, services Labor to Finished Inventory Customer and labor Goods

Pay Cash for Length of Cash Conversion Cycle Materials, (Days Inventory + Days Receivables - Days Payables) Supplies, Services, and Labor

Days Payables

7-39

Figure 3 - Causal Structure Underlying Financial Analysis

ROE Net Income Owners' Equity

ROA Leverage Net Income 1 Total Assets Owners' Equity * Total Assets

Profit Margin Asset Turnover Financial Position Net Income Total Revenues Total Revenues * Total Assets

Short-term Long-term Current Ratio Long-term Debt/Equity Gross Profit S., G., & A. and Quick Ratio Total Debt/Equity Margin Other Stuff Gross Profit S., G., & A. and Total Revenues - Other Stuff Total Revenues Major Sources and Uses of Cash

Direct, mathematical Operating Cash Flows relationship between

Indirect influence Cash Conversion Cycle

7-40

Appendix A - Outline of Analysis Strategy

Overall Analysis

I. Basic ideas A. Overall analysis is decomposed into operating performance, cash management, and financial position because operating performance drives the firm's success, but that "success" also needs to generate cash so the firm can pay its bills. B. All things are relative - statistics need to be compared to history, benchmarks, industry. C. The tools of the trade are common-sized and percentage change financial statements, and ratios. D. Table 1 provides the structure to a systematic analysis E. An organization is an interrelated whole, all things fit together and things tend to change proportionately. Need to "tell a story." II. Operating performance A. Overall is measured by ROE and ROA B. Effect of leverage and difference between ROE and ROA C. ROE can be generated through high profit or high volume, therefore first level of decomposition is into profitability and volume measures D. Production profitability = gross profit, overall = profit margin E. Common-size income statement used for diagnosis F. Volume is asset turnover III. Cash flow analysis is the bridge between operations and finance A. Ultimate source of cash is operations B. How fast you generate case is effected by the cash conversation cycle - Days receivable + days inventory - days payable = length C. There is an inverse relationship between current financial position ratios and the length of the cash conversion cycle. Having assets versus turning them into cash. D. Basic cash flow statement analysis indicates how cash is being managed - Where is cash coming from and where is it going. 1. Operating cash flows a. Strong, positive, growing overtime. Cash flows from operations (CFO) are ultimate source of cash for the organization b. CFO should be higher than NI

7-41

c. Analyze major sources and uses d. Positive free cash flows unless the firm is rapidly growing 2. Investing cash flows a. Capital investment greater than depreciation b. Use of investments for cash management 3. Financing cash flows a. Balance between debt and equity b. Level and trends in dividends, in absolute terms and compared to CFO. IV. Financial Position A. Short-term 1. Current and quick ratio 2. Operating cash flow 3. Cash conversion cycle B. Long-term 1. Total or long-term debt to equity 2. Operating cash flows over time 3. Use of leverage

Summary of Cash Flow Analysis

I. Operating Cash Flows issues A. Are operating cash flows positive and have they been over time? B. What accounts for the major differences between operating cash flows and net income? What are the trends in these differences? These two questions focus on the overall magnitude of operating cash flows, the relationship between operating cash flows and net income, and trends in these items. A healthy, growing company will have a positive operating cash flow that grows over time at about the same rate as sales. Operating cash flows will be greater than net income because of depreciation and amortization. Other than depreciation and amortization, the other main differences between operating cash flows and net income are the changes in the major current asset and liability accounts (accounts receivable, inventory, and accounts payable). Table 3 presents a summary of major patterns to look for in these changes. Patterns to look for- Planned Growth - all ending balances rise proportional to sales increases. Unplanned Growth - accounts receivable and payable balances raise proportional to sales but inventory balances fall relative to sales or cost of sales.

7-42

Planned Reductions - all ending balances fall proportional to sales declines. Unplanned Reductions - accounts receivable and payable balances fall proportional to sales but inventory balances grow relative to sales or cost of sales. Collection Problems - accounts receivable grows faster than sales (i.e., increase in days receivable). Payment Problems - accounts payable grows faster than expenses (i.e., increase in days payables). Inventory Management Problems - inventory increases faster than cost of sales (i.e., increase in days inventory). C. Are operating cash flow large enough to make a significant contribution to capital investment and dividends? Have they been large enough over time? Operating cash flows are the organization’s major source of cash over time and investment in fixed assets is its major use of cash. An organization that can pay its dividends from operating cash flows and still have enough left to finance a major portion of its fixed asset purchases is in a strong cash position. An organization that uses operating cash flows exclusively to finance its fixed asset purchases, however, may not be taking full advantage of leverage II. Investing Cash Flows issues A. Are investments in fixed assets sufficient to cover the depreciation? B. Has this been the case over time? Investment in fixed assets can be compared to depreciation and the value of the fixed assets on hand to determine whether new investment is sufficient to cover use. You can compare new purchases to the asset base (i.e., value of assets on hand), by dividing the asset base by the purchases to calculate a rough replacement rate in years. Whether this replacement rate is sufficient is a matter of judgment and is based on the nature of the assets in the asset base. Both depreciation and the value of the assets on hand, however, are stated at historical cost while new purchases are made at market prices. Therefore, the new investment must be larger than depreciation to allow for inflation. III. Financing Cash Flows issues A. Are financing cash flows positive or negative? B. What has the trend been over time? Financing cash flows can fluctuate between positive and negative overtime in a healthy organization. In general, they should tend to be positive as the organization uses leverage to invest in fixed assets. C. What are the trends in dividend payments? Stockholders usually expect a reliable stream of dividends from a for-profit corporation. Dividends, however, should be paid out of operating cash flows, so, if operating cash flows are too small to pay dividends or are negative, then the corporation should consider reducing or eliminating dividends. Since reducing or eliminating dividends sends a “red flag” to the stock

7-43

markets that the auditee has a cash flow problem, corporations often resist cutting dividends even when operating cash flows are weak or negative. D. What is the balance between debt and equity financing? E. What is the trend in this balance over time? Healthy organizations balance between raising money through debt and equity. Too much of either one can indicate problems.

7-44

Appendix B - Additional Ratios

Operating Performance

Return on invested capital

Return on invested capital narrows the definition of investment from all assets to just the claims of long-term creditors and owners (i.e., long-term debt and equity). The logic behind this ratio is that long-term debtors have made a fairly long-term commitment to the auditee, which is what the concept of investment means. Therefore, this ratio calculates how well the auditee is generating profits for those with a long-term claim to the auditee's assets, the long-term debtors and owners. Return on invested capital also is not sensitive to an auditee's financing strategy while return on equity is. If the auditee chooses to raise most of its long-term capital funds from debt, then its return on equity will be higher than an auditee that raised most of its long-term capital funds from the sale of stock. The former auditee may not be doing a better job of generating profits from its assets than the latter, but will have a higher return on investment, which is all that matters to the owners. If an auditee finances its assets with equity, there is no expense related to that financing activity shown on the income statement. If an auditee finances its assets with debt, then there is a financing expenses (i.e., interest) deducted from revenues to calculate net income. To eliminate these net income differences from the ratio, after-tax interest is added back into net income. This puts auditees with different financing strategies on the same "playing field."

I do not use this ratio because I believe it is based on a flawed premise - that long-term creditors have made a long-term commitment to the auditee. An auditee's debt usually is traded on bond markets and so anyone holding an auditee's bonds does not need to wait for the bonds to be paid to liquidate their investment. In addition, short-term creditors make an equally long-term commitment to the auditee as long-term debt holders. For example, an auditee usually maintains a regular accounts payable to a single vendor that is never paid off because new credit is extended at roughly the rate that old credit is paid off. These vendors typically have a long-term relationship with the auditee. In many cases, their long-term commitment may be stronger than long-term debt holders.

I believe the use of this ratio flows from a misinterpretation of why accountants classify liabilities into long-term and short-term. The purpose of this classification is not to measure the holder of the debt's commitment to the auditee, but to determine when the auditee will need to generate cash to pay off a given liability. Most auditees never pay off their debts in full, but roll them over and replace them from year to year, thus generating longer term relationships with short-term creditors.

7-45

Capital Turnover

The first four utilization ratios in Table 1 all measure the amount of sales dollars generated by various measures of assets and investment. Asset Turnover compares sales volume to the value of all assets of the auditee while the Capital Intensity ratio relates sales volume to fixed assets only. Invested Capital Turnover and Equity Capital Turnover relate sales to the value of different investors’ claims against the auditee's assets. The analyses in this text will be based on the asset turnover ratio because this is the most common and broadest measure of an auditee's utilization. The total asset turnover ratio can be interpreted as how often the assets of the auditee are capable of generating their own value in sales or revenues.

Current Turnovers

Current turnover ratios relate a typical auditee's two main current assets, accounts receivable and inventory, to some measure of sales volume. Unlike capital turnover ratios, current turnover ratios do not use the same numerator (i.e., sales). A better comparison results if the inventory turnover is calculated using cost of sales because inventories are stated at cost. Accounts receivable turnover, however, is calculated using sales because accounts receivable are valued based on the selling price of an item, not its cost.

These ratios also tend to be more two-sided than capital turnover ratios. Accounts receivable turnover is a key statistic that measures how well an auditee is extending credit to its customers. Generally, a low accounts receivable turnover means the auditee is not doing a good job of collecting from its customers. A high accounts receivable turnover, however, can either mean the auditee is doing a good job of collecting from its customers or that it is not extending enough credit. Extending credit to customers can generate profitable sales, particularly if competitors are also extending credit. An auditee with a very high accounts receivable turnover may be extending too little credit to customers and losing sales in the process. Similarly, a very high inventory turnover ratio usually means the auditee is doing a good job of managing its inventory. It also could mean that the auditee is losing sales because it does not have products in inventory when customers want them.

For manufacturing auditees in the last decade or two, pushing inventory levels to a minimum has been a major focus. This idea is known as just-in-time manufacturing, a concept pioneered in Japan. Just-in-time gets its name from the fact that these manufacturers only produce an item just in time to sell it, and they only purchase raw materials just in time to use them, thus reducing inventories to only those items that are in the process of being manufactured. Just-in-time manufacturing requires very good estimation of customer needs and tight coordination on the production line and with suppliers. Since inventory represents idle assets, reducing inventory increases asset turnover and frees the financial resources that would have been invested in inventory.

The analyses in this text do not use current asset turnovers. Instead, this text makes extensive use of the cash conversion cycle (presented above) to analyze how rapidly current assets are being turned into cash. The statistics used in analyzing the cash conversion cycle are the mathematical inverse of the turnover statistics.

7-46

Financial Position

Operating cash flow to current liabilities

The operating cash flow to current liabilities ratio measures the ability of the auditee’s main cash generating activity, its operations, to cover its short-term debts. Operating cash flows also are needed to help finance fixed asset purchases. In addition, it relates a year's worth of cash generation to the balance of current liabilities, which typically represent a few months of activity. While auditees need to pay off an individual short-term liability, they can replace one short-term liability with another and therefore do not have to pay down their current liabilities to zero. For all these reasons, this ratio is difficult to interpret and is not used in this text. It does have a two- sided flavor since a very high ratio can indicate that the auditee is not taking advantage of cheap, short-term debt financing. Some short-term liabilities, because of their short life span, do not charge interest (e.g., accounts payable or wages payable).

Accounts payable turnover

Accounts payable turnover measures how fast the auditee is able to pay its accounts payable. A low ratio indicates trouble paying bills. A very high ratio could indicate underutilization of cheap short-term financing. The inverse of accounts payable turnover is days payables, which is part of the cash conversion cycle analysis. Therefore, this text does not use accounts payable turnover in its analyses.

Days cash

Days Cash measures what its name implies; the number of days the auditee could operate with just its cash on hand. This is the most conservative view of the auditee's short-term financial condition since it assumes that no cash will come in. Most auditees like to keep days cash fairly low because cash, as a risk-less investment, tends to generate very little or no interest income. However, auditees do need some cash on hand to cover short-term differences in daily cash receipts and disbursements. The number of days cash that are sufficient to meet these needs depends on how well the auditee manages its other current assets. An auditee with a high accounts receivable turnover, for example, does not need to maintain as high a cash balance as one that is having trouble collecting its receivables. Because this ratio is so conservative and has no clear benchmark, it is difficult to interpret and is not emphasized in this text.

Long-term Debt to Capitalization

Long-term Debt to Capitalization tells the auditor virtually the same thing as Long-term Debt- to-Equity, although it is used less commonly. This text includes it merely for the sake of completeness. The debt-equity ratios are all two-sided because auditees need to strike a balance between equity and debt financing.

7-47

Operating Cash Flow to Total Debt

Operating Cash Flow to Total Debt is the long-term version of Operating Cash Flow to Current Liabilities. It gives the auditor a rough idea of how well the auditee's main cash generating activity compares to its balance of long-term debt. Because its interpretation is problematic for the same reasons as its short-term cousin, it is not used in this text.

Times Interest Earned

Times Interest Earned measures the burden that interest payments are placing on income. It is directly related to the Long-term Debt-to-Equity ratio since long-term debt is usually the biggest generator of interest expenses. Therefore, it tells the auditor basically the same thing as the Long-term Debt-to-Equity ratio. It does, however, add a measurement of how much of an auditee's net income is going for interest expenses. Note that very similar information can be determined by looking at interest expenses as a percentage of sales on the common-sized Income Statement. For this reason, times interest earned is not used in the analyses in this text.

7-48

Appendix C - Bond Rating Definitions

Standard and Poors

Rating Criteria AAA Highest rating assigned by Standard & Poors. The obligator's capacity to meet its financial commitment on the obligation is extremely strong. AA An obligation rated "A" differs from the highest-rated obligations only in small degree. The obligator's capacity to meet its financial commitment on the obligation is very strong. A An obligation rated "A" is somewhat more susceptible to the adverse effects of changes in circumstances and economic conditions that obligations in higher-rated categories. However, the obligator's capacity to meet its financial commitment on the obligation is still strong. BBB An obligation rated "BBB" exhibits adequate protection parameters. However, adverse economic conditions or change circumstances are more likely to lead to a weakened capacity of the obligator to meet its financial commitment on the obligation. Below BBB Obligations rated "BB" and below are regarded as having significant speculative characteristics. "BB" indicates the least degree of speculation and "C": the highest. While such obligations will likely have some quality and protective characteristics, these may be outweighed by large uncertainties or major exposures to adverse conditions. BB An obligation rated "BB" is less vulnerable to nonpayment than other speculative issues. However, it faces major ongoing uncertainties or exposure to adverse business, financial, or economic conditions, which could lead to the obligator's inadequate capacity to meet its financial commitment on the obligation. B An obligation rated "B" is more vulnerable to nonpayment than obligations rated "BB," but the obligator currently has the capacity to meet its financial commitment on the obligation. Adverse business, financial, or economic conditions will likely impair the obligator's capacity or willingness to meet its financial commitment on the obligation. CCC An obligation rated "CCC" is currently vulnerable to nonpayment and is dependent upon favorable business, financial, and economic conditions for the obligator to meet its financial commitment on the obligation. In the event of adverse business, financial, or economic conditions, the obligator is not likely to have the capacity to meet its financial commitment on the obligation. CC An obligation rated "CC" is currently highly vulnerable to nonpayment. C The "C" rating may be used to cover a situation where a bankruptcy petition has been filed or similar action has been taken, but payments on this obligation are being continued. D An obligation rated "D" is in payment default. +/- The ratings from "AA" to "CCC" may be modified by the addition of a + or - to show relative standing within the major rating categories.

7-49

Moody's

Rating Criteria Aaa Bonds which are rated Aaa are judged to be of the best quality. They carry the smallest degree of investment risk and are generally referred to as "gilt edged." Interest payments are protected by a large or by an exceptionally stable margin and principal is secure. While the various protective elements are likely to change, such changes as can be visualized are most unlikely to impair the fundamentally strong position of such issues. Aa Bonds which are rated Aa are judged to be of high quality by all standards. Together with the Aaa group, they comprise what are generally known as high-grade bonds. They are rated lower than the best bonds because margins of protection may not be as large as in Aaa securities or fluctuation of protective elements may be of greater amplitude or there may be other elements present, which make the long-term risk appear somewhat larger than the Aaa securities A Bonds which are rated A possess many favorable investment attributes and are to be considered as upper-medium-grade obligations. Factors giving security to principal and interest are considered adequate, but elements may be present which suggest a susceptibility to impairment some time in the future. Baa Bonds which are rated Baa are considered as medium-grade obligations (i.e., they are neither highly protected nor poorly secured). Interest payments and principal security appear adequate for the present but certain protective elements may be lacking or may be characteristically unreliable over any great length of time. Such bonds lack outstanding investment characteristics and in fact have speculative characteristics as well. Ba Bonds that are rated Ba are judged to have speculative elements; their future cannot be considered as well assured. Often the protection of interest and principal payments may be very moderate and thereby not well safeguarded during both good and bad times over the future. Uncertainty of position characterizes bonds in this class. B Bonds which are rated B generally lack characteristics of the desirable investment. Assurance of interest and principal payments or of maintenance of other terms of the contract over any long period of time may be small. Caa Bonds which are rated Caa are of poor standing. Such issues may be in default or there may be present elements of danger with respect to principal or interest. Ca Bonds that are rated Ca represent obligations that are speculative in a high degree. Such issues are often in default or have other marked short-comings C Bonds that are rated C are the lowest rated class of bonds, and issues so rated can be regarded as having extremely poor prospects of ever attaining any real investment standing.

7-50

Chapter Eight - Evaluating the Design of a Control System

Summary

• A firm's control system contains several components that range from firm-wide factors that auditors call the control environment to the design and implementation of specific control procedures.

• The major risk that errors in the firm's information system that will flow to the financial statements come from weaknesses in a firm's culture, policies, and procedures, and from firm’s information system's inability to keep information complete, valid, accurate, and secure.

• Controls are policies and procedures firms implement to help mitigate the threats to information assurance.

• Firm-level controls mitigate threats that come from weaknesses in a firm's culture, policies, or procedures. They are based on insuring employees have clear goals and direction, and the resources and the incentive to achieve those goals.

• Transaction-level controls are designed to insure that, whenever information is captured or processed by an information system, the information system maintains the completeness, validity, accuracy, and security of the information.

An information system is only as good as the reliability and security of information that it contains and the ability of a firm's information system to carry out these goals is influenced by both the design of the system as well as the environment in which the system operates. This chapter describes the major threats to an information system's ability to produce accurate data and then describes procedures firms can adopt to mitigate the risks posed by those threats. These procedures are frequently referred to as controls. The chapter concludes with discussion and examples of how controls are paired with the risk that they mitigate. I use the term "mitigate" to emphasize that no control is perfect and a given control only can reduce a risk to a tolerable level. It cannot completely eliminate a risk.

COSO Framework

Because of the risk that a variety of factors can affect the effectiveness of an information system to produce accurate financial data, auditors use various frameworks to help insure their evaluations are complete. By framework, I mean something similar to the structured ratio analysis I presented in the previous chapter. However, evaluation of a control system isn't nearly as well defined as using ratios to evaluate a firm financial health.

The most commonly accepted framework for evaluating the design of a control system is the framework developed by the Committee on Sponsoring Organizations of the Treadway Commission (COSO). Their framework is called "Internal Control - Integrated Framework" or

8-1

the COSO Report. I am not going to go into a lot of detail on the Treadway Commission, COSO, or the Integrated Framework. COSO is co-sponsored by the AICPA, American Accounting Association, Financial Executives Association, Institute of Management Accountants, and Institute of Internal Auditors. You can learn more about COSO at their website: http://www.coso.org/. Bluntly, in my years of auditing I found the Integrated Framework to be too abstract to be of much use in the field. However, it is the dominant model auditors use as a framework around which to build their assessments of control risk and so you need to know it exists.

I believe the key insight that comes from the Integrated Framework is its list of components of a control system: These include:

The control environment - attitudes, awarenesses, policies, and actions of management and the Board of Directors concerning the firm's internal control and its importance to the firm. The firm's risk assessment process - how management identifies risks relevant to the preparation of financial statements that meet GAAP, estimates their significance, assesses the likelihood of their occurrence, and decides on actions to manage them. The firm's information system and related processes related to financial reporting - the firm's information system consists of procedures, automated or manual, and records established to initiate, record, process, and report transactions and to maintain accountability for the firm's assets, liabilities, and equity. Control activities - procedures the firm uses to prevent or detect and correct errors (i.e., eliminate)35 in the information system and to insure the security of assets. Control monitoring - if management does not regularly review the effectiveness of the firm's control system, its effectiveness can deteriorate.

In this chapter I focus on firm-level controls that auditor focus on to assess the effectiveness of a firm's control environment and on transaction-level controls that are the firm's control activities, which are embedded in the firm's information system to eliminate errors (i.e., information assurance)36.

Role of Control Design Evaluation in the Financial Statement Audit

I covered this point in Chapter 3, but it is worth repeating here. Auditors assess control risk in a two-stage process. First, they assess the strength of the design of the firm's control system. If they believe the design is sufficiently strong, then they will proceed to test the controls to insure they are functioning as designed. The point is that if the control system's design is too weak to

35 From this point on, I will use the term "eliminate" to cover both preventing and detecting and correcting errors to simplify my presentation. While there are differences in control design and effectiveness between preventative and detective/corrective controls, these difference are beyond the scope of this text (and, actually, rarely important in practice). 36 From this point on, I will use the term "information assurance" to refer to a control system's ability to eliminate errors.

8-2

function properly, the auditor doesn't want to waste a lot of time testing the controls to see if they are actually working. If, however, the design of the firm's controls system is strong enough to reduce control risk below 100%, the auditor must determine if the control system is actually functioning as designed by testing controls. This chapter focuses on the first step - evaluating the design of the auditee's control system.

Threats of Error

The first step in evaluating the design of the auditee's control system is identifying the specific threats that would prevent the information system from operating reliably and securely. Different threats typically require different controls to mitigate the risk that the threat would compromise the assurance of the information system. While there are a variety of ways these potential threats could be classified, separating them by how general or specific they are can be useful in decomposing the overall problem of identifying all significant threats to information assurance. This section discusses two broad categories of threats: firm-level threats and transaction-level threats. Firm-level threats are broad-based and tend to affect most or all of the processes and subsystems of the information system. Transaction-level threats tend to be more localized and target one, or a few, processes or subsystems of the information system. You may also think of transaction-level risks as transaction risks because they tend to be targeted at specific groups or related transactions.

Firm-level Threats

Firm-level threats to an information system flow from weak corporate culture and/or weak corporate governance. "Corporate culture" refers to the tone and attitude of top management, which usually flows down to the rest of the firm. Corporate culture is determined by what top management chooses to emphasize or de-emphasize in setting the goals for the firm and going about their daily activities. "Corporate governance" generally refers to how the organization's Board of Directors oversees the activities of top management. Nearly all corporations, including not-for-profit corporations, are controlled by a board of directors. These boards should represent the owners, or in the case of not-for-profits, the major stakeholders, of the organization. Their purpose is to set broad guidelines and goals for top management, who run the day-to-day activities of the organization. Boards of Directors set goals and develop or approve strategies for achieving those goals; monitor management's achievement of goals and compensate them accordingly; and oversee the internal and external audit processes.

Firm-level threats to corporate culture and governance tend to be abstract and, therefore, developing a framework to use to assess them is challenging. One framework that was initially developed to assess controls over information technology has been adopted for this purpose.37 That framework focuses on five key attributes of an organization's control environment: Perceived Value, Awareness and Understanding, Documentation, Control Procedures, and Monitoring. I will briefly describe and provide some general guidance on evaluation criteria for each of these below.

37 Ramos, M. 2004. Evaluate the Control Environment, Journal of Accountancy, May 2004: pp. 75 - 78.

8-3

Perceived Value

All firms are hierarchical structures with a Board of Directors or owner(s) at the top of the hierarchy and levels of management beneath the Board or owner(s). The Board and top-level managers establish the goals and strategies for a firm and identify its priorities. In doing so, they tend to set the tone or culture for the firm. If top management places little emphasis on information assurance, then the firm cannot expect its employees to place much emphasis on information assurance either. Therefore, the broadest and most pervasive threat to information assurance is ambivalence or lack of concern by the upper levels of the firm's management hierarchy. Management can communicate the priorities concerning information assurance to the firm by how they write policies and procedures, through memos and newsletters, by how they structure job descriptions, and through their daily actions in running the firm.

The lowest level of perceived value would be a total lack of emphasis on any firm-level controls by management. Strong levels of perceived value are achieved as management implements control procedures that are separate from business operations and elevates them to an integral part of the organizations strategy. The highest level of value comes when management adds a commitment to continuous improvement in controls.

Awareness and Understanding

Once top management has determined the emphasis they will place on control within the organization, they need to communicate that to all employees. Two common mechanisms for doing so are through the organization's chain of command or lines of authority and through formal policies and procedures.

Clearly Defined Lines of Authority

Assuming that top management has placed a proper level of emphasis on information assurance, the firm should have a management structure that provides clear lines of authority and responsibility for carrying out top managements intentions for information assurance. The firm's structure should make clear who is responsible for the assurance of various components of the information system. For example, line management (e.g., sales and production managers) tends to oversee the firm's interactions with customers and vendors. Therefore, they must have the primary responsibility for insuring that data entered into the information system is complete, valid, accurate, and timely. However, most firms have information technology (IT) or information processing departments that oversee the design, implementation, and maintenance of the firm's information system. Therefore, IT management should be responsible for maintaining the assurance of the data and information once it has been entered into the information system by the line departments.

Clearly, there is an overlap between assuring the data entered into the information system and assuring the data processed by the information system. One common way to assure the accuracy of processing is to compare input data to processed data to make sure the processing was correct. Firms should clearly specify different responsibilities to insure that someone is responsible for information assurance in all aspects of the firm's information system and that there are no

8-4

overlapping responsibilities (i.e., more than one department responsible for the same thing) that may lead to inefficiencies and firm-level conflicts. However, they also should specify areas of overlap where there may be joint responsibilities for information assurance. Firms structure these responsibilities and relationships through formal organization charts that specify lines of authority and job descriptions that define each employees responsibilities and authority.

Formal Policies and Procedures

Making sure that top management's goals for information assurance are carried out involves more than just specifying who is responsible for achieving those goals. Typically, management also needs to provide guidance on how these goals are to be carried out. Management normally implements this guidance as formal policies and procedures. These policies and procedures are also structured hierarchically. Policies and procedures that govern top management's behavior tend to be general and focused more on goals, policies, and principles than specific procedures. As these policies and procedures are applied to lower levels of the firm, they tend to become more specific and focused on detailed procedures that implement firm policies. Procedures are detailed, often step-by-step, specifications about how a task is to be done.

There is a delicate balance to be struck in formalizing policies and procedures. The more specific they are, the greater the level of control top management can exercise limiting an employee's authority to take independent action. However, the more specific they are, the less room lower-level management has to adapt to changing conditions or to use their own judgment and expertise. Since it is virtually impossible for top management to anticipate every threat to information assurance, policies and procedures need to allow lower-level managers and employees some latitude to use their judgment based on their expertise to fine-tune the policies and procedures to specific circumstances. However, some level of formalization is required to help top management ensure their goals for information assurance are carried out effectively and efficiently.

The right balance is difficult to strike. Overly restrictive controls can lead to rigid firms that are slow to adapt to changing conditions, which can cause them to lose their competitive advantage. Overly loose controls can undermine management's control and cause the firm to lose direction. Generally, the more stable a firm's environment, the tighter controls can be without causing problems. "Stability in the environment" includes such things as the rate of technological change in the firm's industry, the rate of competitive change and level of competition, and the rate of change in the regulatory environment.

Policies and procedures also need to specify both who is responsible for controlling various aspects of information assurance and who is not. My main point here is access to various aspects of an information system needs to be restricted to those who are responsible for that aspect of the system and all other employees should be denied access. The greater the number of people who have access to the information system, the greater the risk that information assurance will be compromised. However, the usefulness of the information system can be compromised severely if employees can't access the information they need when they need it. Again, striking the right balance will depend on the specific needs of the firm.

8-5

Adequate Personnel with Proper Incentives

Assuming a firm's top management has placed appropriate emphasis on information assurance, established clear lines of authority and responsibility, and formalized the policies and procedures needed for implementing that emphasis, the next step is to make sure that the employees who ultimately will be responsible for information assurance have the appropriate training, resources, and incentives to carry out their responsibilities. I am stretching the meaning of "understanding" a bit here to include incentives for an employee to use their understanding to execute the control properly.

Each of these components is critical. Employees need to have the skills to understand and implement controls and the resources (e.g., time and technology) to do so. As noted above, no policy or procedure can ever completely anticipate all possible threats to information assurance. Employees will need to adapt policies and procedures to specific cases and use judgment. Sound judgment is developed through adequate training and experience and so firms need to insure that their employees have the required training and experience to implement the policies and procedures.

In addition, employees need to have a reason to assure information. There is a rich literature on how firms can help insure that employees have the incentive (i.e., are motivated) to carry out top management's goals. In general, employee's incentives are effective by rewards ("carrots") and punishments ("sticks") coupled with the knowledge that their actions will be monitored in some way. My goal in raising this issue is not to summarize all of the research and experience firms have had in trying to manipulate employees' incentives, but merely to point out that if the firm does not implement some form of reward or punishment structure that emphasizes maintaining information assurance and backs it up with some form of monitoring and review process, all of the above mentioned factors probably will be ineffective.

Levels of Awareness and Understanding

The organization's level of awareness and understanding can range from none to highly formalized control procedures for which all employees have received comprehensive training and have strong incentives to execute control activities. Awareness can be achieved through informal and formal communications. The more formal the communication, the greater impact it tends to have on awareness and understanding. However, communication alone is insufficient to achieve understanding. Understanding usually requires training and incentives to carry out the control activities.

Documentation

For controls to be effective, they need to be documented. Part of documentation is having formal policies and procedures. However, the control activities themselves also need to be documented. Documentation includes recording the specifics of what the control activity involves; who is responsible for implementing the control; how often the control should be done; and the results of applying the control.

8-6

Documentation can range from none (highly unusual) or very limited to comprehensive and consistent. "Comprehensive" means that all the attributes of the controls I mentioned in the previous paragraph are covered by the documentation. "Consistent" means that all controls receive the same level of documentation and that things like the format used to document the controls is the same for all controls.

Attributes of Control Procedures

The control procedures themselves need to be effective if they are to support a strong control environment. To be effective, there needs to be sufficient controls to cover the major risks within the control environment and the controls need to be described in a fashion that makes them repeatable by the same person or different people. The attributes of controls can be achieved by developing a standardized approach to describing control activities and formalizing that approach by applying it to all control procedures.

Weak controls tend to be ad hoc and not linked to other control procedures. Strong controls are formalized and standardized so that anyone can read a description of the control activity and execute it. In addition, control activities are often interrelated and the effectiveness of one control may depend on the effectiveness of other related controls. These interdependencies need to be a part of the formal documentation of the controls.

Monitoring

There is an old saying about the "best laid plans of mice and men" going wrong. This rule applies to controls as well. No matter how thoroughly the above issues have been addressed by an organization, things change and mistakes happen. Therefore, the organization needs to have mechanisms in place to monitor the effectiveness of its controls. Two common monitoring mechanisms are internal audit departments and external audits. Section 404 of the Sarbanes- Oxley Act puts heavy pressure on a firm's management and external auditors to monitor and test the effectiveness of controls. Section 404 requires that management formally certify the effectiveness of their controls and that the external auditor sign off on management's certification. I will discuss these reporting issues in more detail in the chapter on audit reports.

Periodic monitoring is usually implemented through regular audits, both by the internal audit department and external auditors. Real-time or continuous monitoring can be implemented through techniques like regular error and exception reports and real-time reporting of key statistics. Error and exception reports need to be produced as errors or exceptions occur, and someone needs to be responsible for reviewing the errors and exceptions to determine if they are random or represent a systematic pattern that indicates a control weakness. Management can use real-time reporting of key statistics to perform analysis on the information coming from an information system to determine if there may be control problems. One common example is regular comparison of actual to budgeted amounts and following up with an investigation of major differences.

Levels of monitoring can range from none to frequent and systematic. Effective monitoring also requires that the results of the monitoring have an impact on employees since employees are

8-7

responsible for executing controls. Therefore, monitoring activities need to be linked in some way to employee incentives, usually through the performance review process.

Transaction Processing Threats

This section uses a simple framework to categorize all transaction-processing threats into three broad categories based on financial statement assertions. Auditors have used a list of assertions that management makes when they produce financial statements as a framework for structuring their tests of financial statement balances. However, only in the last 10 years have they applied these same assertions to their audits of an auditee's information processing systems and systems of controls.

Unlike other categorization schemes presented in this text, this framework has a formal structure that insures that each category is independent of the others and that the four categories cover all possible threats. The four categories are threats to completeness, validity, accuracy, and security38.

The auditing literature refers to these categories as assertions because management, when they produce a financial statement, are asserting that the firm's information system has recorded all valid transactions: the system only has recorded valid transactions; that the information the system has recorded about the transaction is accurate; and that firm's control system has kept the information, and any asset involved, secure. Security is really a supporting concept in that strong security will help prevent completeness, validity, and accuracy violations from arising. However, security also addresses the improper use of information, which goes beyond just assuring the information in the information system is complete, valid, and accurate. Security also refers to keeping assets secure.

The auditing literature has three sets of assertions: one for transactions (which is relevant to control testing), one for balances (which I will discuss in the chapter on substantive testing), and one for reporting (which I will discuss in the chapter on reporting). However, I will use the same four in all three places to emphasize that the concepts are identical in all three places. I will also present the terms as used in the literature as well.

Completeness

Completeness means that the information system has captured information about all transactions that have occurred and that affect the firm. While a firm may, and usually does, design their information to capture information about a variety of events that affect the firm, the auditor is

38 These four categories of threats are identical to the control objectives used by PriceWaterhouseCoopers™, the world's largest accounting firm. They call "security" "restricted access." I use "security" because I think it is a little broader in its meaning, but the difference isn't meaningful. Actually, I think their reason for using restricted access is to create a nice abbreviation (CAVR, pronounced "caviar"). I can't come up with a nice pronunciation of CAVS other than calves, which isn't as sexy as caviar.

8-8

interested only in those events that have an economic impact on the firm. The term "transaction" normally refers to events that have an economic impact on the firm and, thus, affect the firm's financial statements.

For example, Tom in the Tom's Trailer case wanted his information system to track, to the degree possible, customer visits to the lot. Thus, the designer of Tom's information system would need to consider developing controls to assure that Tom's information system captured information about all these events. One such policy is requiring a salesperson to greet every customer that came to the lot. However, not all firms would care about tracking this sort of event. All firms, though, would need to capture information about sales events because sales events involve the transfer of economic resources between the firm and an outside party, i.e., the customer. Information system designers always need to develop controls for economic transfer events (e.g., sales, purchases, cash payments and receipts, and asset consumption such as depreciation). While the designer of the firm's information system must consider controls for any additional information that management wants the information system to capture and process because management will rely on this additional information to make judgments (e.g., developing a sales campaign from the contact information mentioned in the Tom's example), the auditor would ignore controls over non-economic information.

There are two broad types of transactions (i.e., events that affect economic resources): internal and external. External transactions are events that transfer economic resources between the firm and other individuals or firms (e.g., purchases from vendors, sales to customers, tax payments to governments). Internal transactions are events that consume resources within the firm (e.g., depreciation). I am using the term transaction rather broadly here in that the event that triggers most of these internal transactions is the passage of time (e.g., depreciation, writing off prepaid insurance, accruing interest). These economic events are the core of what accounting was designed to record, classify, and report.

Validity

Validity is the opposite concept from completeness. Completeness means that the information system has captured all relevant transactions. Validity means that the information system has captured only transactions that actually have an economic impact on the firm. A major example of invalid transactions is those that never happened. The most common control procedure designed to insure validity is authorization (i.e., making sure the system doesn't record a transaction that hasn't been authorized).

While PwC and I use the term "validity" to cover management asserting that any transaction recorded in their information systems actually occurred and had an economic impact on the firm, the auditing literature uses the term "occurrence," which I find a little limited. In addition, the auditing literature adds another assertion related to transactions for authorization. That is, the auditing literature looks at management's assertion that all transactions have been properly authorized as a separate assertion. PwC and I do not. As I mentioned above, to me authorization is a control procedure management uses to help insure that transactions their firm's information

8-9

system records are valid and is not a separate assertion.39 That is, it is a tool to reach an end and not the end itself.

Accuracy

Conformance with the completeness and validity concepts insures that the information system captures all valid transactions and only valid transactions. Accuracy means that the data the information system captures about valid transactions completely and correctly records the attributes of the transaction. For example, Tom's information system records the price that the vendor actually charged for a trailer, the date the order was actually placed, and the fact that the event was an order, not a sale, usually by making sure the transaction has been coded to the right account. For auditors, the key attribute is the economic value of the transaction. However, other information, like the correct vendor, correct payment terms, or correct date also have implications for the accuracy of the financial statements. Note that the concept of accuracy also has a completeness component. That is, for the information system to record accurately a transaction, it must not only record the right information, it must also record all the relevant information (e.g., vendor name, date).

Security

If a firm avoids the above three threats then their information system will have accurate, complete, and valid information. However, much of that information is confidential and proprietary and should only be made available to users who have a legitimate need for it. It needs to be kept secure. As highly integrated information systems have grown in use, the problem of security is becoming more complex. One main advantage of an integrated information system is that it facilitates information sharing. However, this increases the need to determine who should share what information and to block access to unauthorized information.

The auditing literature does not include the security assertion, while PwC and I do. I believe security is an important assertion that auditors need to test because lack of security of data can lead to financial statement error through things like unauthorized changes to unauthorized use of data to commit fraud.

Other Assertions in the Auditing Literature

In addition to the authorization assertion I mentioned above, the auditing literature includes two other assertions related to transactions that PwC and I do not include: cutoff and classification. The cutoff assertion means that management has recorded the transaction in the correct period. The classification assertion means that management has recorded the transaction in the correct account. I believe these are not separate assertions, but components of accuracy. In addition, a cutoff error creates either a completeness or validity error depending on the period in which the

39 Sorry if it seems that I am "splitting semantic hairs" here, but I believe the auditing literature's approach only obscures the key underlying concept that any transaction the auditee's information system records was valid. Since the world's largest CPA firm agrees with me, I am in good company.

8-10

transaction should have been recorded. For example, if a firm posts a transaction that occurred next year in this year's records, then they have created a validity error because this year's records contain a transaction that didn't occur this year. If the firm records a transaction in next year's records that occurred this year, then this year's records are incomplete.

My main point here is that sticking with the four assertions that PwC and I use simplifies the process of evaluating the design of a auditee's information system because the four assertions create mutually exclusive (all four categories are totally independent of each other with no overlap) and exhaustive (they cover all possible sources of error) category scheme. By including additional assertions, the audit literature has created overlapping categories that, I believe, add confusion to the evaluation process.

Summary of Transaction Processing Threat Types

The concepts of completeness, validity, accuracy, and security provide a complete framework for thinking about information reliability in recording information about transactions. However, the specifics of which transactions are relevant and what attributes about transactions are relevant will vary, to a degree, by firm and transaction. Determining whether all transactions in the auditee's system are free from all four assertion violations is a complex task that requires that the auditor have a thorough understanding of the firm and its operations.

Information Transformation, Transmission, and Reporting

The preceding discussion and examples have focused on what data an information system captures. Making sure that the data an information system captures is complete, valid, and accurate is only the first step. The auditor also needs to insure that the data stay that way, i.e., that nothing is lost, erroneously added, or erroneously changed as the information system processes information, posts it to journals and legers, and produces financial statements. Any time data or information are transformed in any way, things can be lost (completeness violation), invalid things can be added (validity violation), and things that should stay the same can be changed (accuracy violation). Finally, any time information is transformed; it may become available to a different people. Therefore, an information system also must contain controls that help insure that completeness, validity, accuracy, and security aren't violated as information is stored, processed, and reported.

An information system also may transfer data or information from one location to another without actually transforming it in any way. Such information or data transfer also can inject completeness, validity, or accuracy errors. For example, data may need to be transferred from a remote location to a central office for processing. That data may be intercepted or changed by a hacker. Therefore, the auditor also needs to ensure that the auditee's has designed controls that will help insure that information transfers are secure and that information or data cannot be changed in any way during the transfer.

8-11

Controls that Mitigate Threats

Basic Principles of Control

Control Defined

Controls are policies and procedures that firms establish to help assure that the information in an information system is complete, valid, accurate, and secure. This definition is more limited than the COSO definition. The COSO definition, roughly, defines controls as policies and procedures that firms establish to help assure that management directives are carried out. My definition focuses more on the auditor's concern for the accuracy of the financial statements.

A key feature of controls is that they can never be perfect. This is why I use the term "mitigate" when discussing controls. "Mitigate" means reduce, not eliminate, and implies reducing the risk of loss from the threat to tolerable levels. My use of the term "tolerable" raises another feature of controls: they should be cost/benefit justified. As I discussed in Chapter 4, auditors establish materiality levels to determine how big of an error matters to users of financial statements and then uses that materiality level as a guideline to setting tolerable error for each account balance. That tolerable error becomes a basis for the auditor's evaluation of the auditee's control system.

Management Override

I have included management override of controls in this basic principles section to highlight that it is the biggest threat that auditors must assess when evaluating an auditee's control system. A firm's management uses the information from the firm's information system to manage the firm. Thus, management has an incentive to insure that the information system produces accurate information on which they can base decisions, which means that they have an incentive to design, implement, and monitor strong controls over their information systems. Thus, auditors rarely find significant unintentional errors in and auditee's control system, particularly in large firms. In practice, the material errors, either in balances or in the execution of controls, are the result of management intervention into the control system.

To illustrate this point, I have included the Wikipedia articles on the Enron and WorldCom cases from 2001 and 2002 in the Appendix to this chapter. Normally I caution students about using Wikipedia as an authoritative source because its articles are not screen by experts and may contain inaccuracies. However, I have reviewed both these articles and believe them to be accurate.

Both the Enron and WorldCom cases were, to a degree, information assurance failures instituted by top levels of corporate management. In the Enron case, their financial statements did not accurately report liabilities to which the firm was exposed. In the WorldCom case, billions of dollars of expenses were classified as assets, again by top levels of management. You can well imagine that if the boss is "cooking the books," it will be hard to "keep the troops in line."

8-12

These cases illustrate that the ultimate responsibility for control rests with an informed and active Board of Directors. However, Directors, just like employees, need the ability, resources, and incentive to maintain a strong control environment. When top management dominates the Board, the incentive to monitor and control top management's actions is lacking. The "fox" truly runs the "hen house." As of this writing, Congress, the SEC, and the accounting profession are all working on finding ways to make Boards more accountable and insure that auditors are truly independent of the management they audit. Having a truly independent, knowledgeable party (e.g., an auditor) review an information system and the reports it produces is a very powerful control if the auditor has the proper incentives (i.e., is truly independent of management and is paid a reasonable fee for his/her services) and the training and experience to perform the audit.

Classes of Control Procedures

A control is any policy, procedure, or activity that is designed to eliminate an error (i.e., a violation of a management assertion) in the auditee's information system.40 Preventive controls tend to be more efficient than detective/corrective controls because of the fundamental truth that "an ounce of prevention is worth a pound of cure." Detecting and correcting errors after they have occurred usually is more expensive than preventing them in the first place. However, preventive controls tend to be less effective than detective/corrective controls because anticipating all possible errors is usually impossible. Therefore, information assurance can be achieved only with a system of controls that includes both preventive and detective/corrective controls. Typically, information system designers use preventive controls to limit the range of possible errors that detective/corrective controls must detect and correct.

There are rich varieties of possible controls. A complete listing would be far too detailed and tedious to present in an introductory text. The balance of this section describes major classes of controls and gives examples of the most common individual controls. The section is divided into two main groupings, firm level and transaction level, to match the risk classifications discussed in the previous section.

Firm-level Controls

Plans, Policies, and Procedures

The above section on firm-level risks discussed risks as a "lack of" management concern, plans, policies, procedures, and lines of authority. The controls to mitigate these risks merely involve having management develop plans, policies, lines of authority; documenting those items; following those policies themselves; and clearly communicating to the firm their intent to monitor and reward compliance and punish non-compliance.

What may not be obvious to the reader is how plans can be controls. Plans (e.g., a budget) represent management's expectations about what the future should look like. When actual results

40 I use "control" and "control activity," as referenced in the COSO framework, interchangeably and will merely use "control" from now on.

8-13

are compared to plans, management should review the differences and determine why their expectations were not met. Frequently differences from plans occur merely because the future is hard to predict with total accuracy. However, differences between planned and actual results can also occur due to errors in the actual information that the information system is reporting. Therefore, a thorough budget variance analysis can be a useful control for detecting significant errors. A budget variance analysis, however, may not be able to detect smaller, but still meaningful, errors because of the number of possible explanations for any given variance. Management may find that it is not cost-effective to try to reconcile all differences between budgeted and actual results and, therefore, they will not detect small errors. Since the auditor sets their own level of tolerable error, their reliance on management's variance analysis as a control may be limited if management isn't concerned with small enough errors.

Personnel Practices

People are at the heart of any control system. People develop the controls and people implement them. As noted above, people need the skills, the incentives, and the resources to implement controls properly.

Firms can help guarantee that people have the appropriate skills through carefully designed and implemented hiring practices and on-going training programs. A thorough screening of a prospective employee's resume and references is a good preventive control that helps insure that the employee will have the skills to do his/her job properly. The popular press also has contained several stories over the last few years of high-placed people who have lied on, or distorted, their resumes in order to secure employment. As a college professor, I am frequently asked to act as a reference for students and I am concerned by how seldom employers actually check references. One reason for infrequent checks of references in employment situation is that the people giving recommendations must be careful how they respond or they can be sued for defamation of character. For this reason, most major employers only will verify dates of employment and will not make any statements about a former employee's performance or why they left the organization. However, employers can review resumes for signs of problems, such as blocks of time on the resume with no explanation, and can check public information sources like criminal records.

Hiring good employees is a good preventive control, but it is only a start. Information assurance problems frequently arise because an employee is asked to perform tasks for which they do not have the required training and experience. Most firms live in changing environments where the types of risks to information assurance change over time. Therefore, firms need to invest in continuing education and training to help insure that the employees who are executing control procedures have skills that reflect the current environment.

Finally, employees need to have an incentive to execute controls. A firm can give employees incentives in a variety of ways. If management has established a strong culture of control, employees will have an incentive to conform to that culture to help insure their future promotion and advancement in the firm. More directly, employees are periodically evaluated for purposes of pay raises and promotion. Firms should include control issues in those evaluations. Including

8-14

control issues in evaluations indicates to employees that someone is monitoring their actions and emphasizing control issues. Finally, for evaluations to be effective, they need to be linked to consequences, either positive or negative. In summary, if an employee who is responsible for a control knows that the effectiveness with which (s)he executes that control will be monitored and evaluated in a formal performance review and that performance review will affect his/her pay, then the employee has a strong incentive to do a good job in executing that control.

Authorization

In the section on risks, I discussed the need for firms to have an organizational hierarchy (i.e., chain of command) to define clearly areas of authority and responsibility. One control procedure that helps prevent a firm from engaging in inappropriate transactions and, consequently, recording invalid information in an information system is authorization. Most firms require that transactions as well as changes to key information in an information system be authorized by someone who has been delegated the appropriate authority. With authority comes responsibility. Therefore, employees who have been given approval authority usually are held responsible for how they exercise that authority. Because controls need to be cost/benefit justified, most firms require higher-level or more extensive authorization for larger transactions. For example, some firms will require purchase over a certain amount to be approved by a higher-level manager than purchases under that amount.

Authorization controls should extend beyond transactions. In addition to authorizing sales, purchases, and cash transactions that record direct transfer of economic resources into and out of the firm, management needs to authorize the addition, change, or deletion of information that does not arise from a transaction. For example, firms that accept credit sales should confirm a customer's credit rating before entering them into the information system as a valid customer. Management should also screen and approve vendors before the firm makes purchases from them. Employees should have their background checked; their application information reviewed; and their hiring approved before they are added to the information system as a valid employee. These authorization controls don't affect the direct transfer of goods and services into and out of the organization, but they have a powerful indirect effect in that they help assure that the agents and resources with which the firm deals exist and are reliable.

Requiring authorization functions as a control because authority is being matched with accountability. The manager with the authority has an incentive to review things that (s)he approves because (s)he knows that someone will monitor his/her use of that authority and hold him/her accountable if the authority is not used in the best interests of the firm or in conformance with the firm's policies and procedures.

I have included a discussion of authorization as a firm-level control because this discussion has been about whether or not the firm has authorization policies in place that affect all forms of transactions. The auditing literature includes authorization as a transaction assertion in the sense that auditors need to determine if specific transactions are authorized. I believe students need to understand the broader context of authorization as well.

8-15

Segregation of Duties

Operating Duties

Thus far, I have focused on making sure that a firm has a clearly defined structure with clear lines of authority and employees' actions are limited by policies and procedures. However, many controls involve independent checks on transactions and information processes. That is, having two people review things reduces the chance of error or fraud. Firms implement this sort of dual responsibility by segregating different aspects of transactions so that more than one person is involved. The key aspects that should be segregated are authorization, recording, and custody. "Custody" refers to the actual execution of the transaction, which usually means custody of some asset. The power of segregation of duties as a control comes from having more than one person involved in a transaction so that they can check on each other. However, if the parties that are involved in the transaction collude (e.g., get together and agree to falsify records), then segregation of duties fails as a control.

For example, a warehouse staff person has "custody" of the firm's inventory that resides in the warehouse because they have physical access to the asset. A firm should not allow warehouse personnel also to be responsible for making entries involving purchases and sales into the information system. If they did, a warehouse staff person could take items from inventory and either delete the record of that items purchase or create a false sale transaction to cover the fact that the item was missing. The same is true of the accounting personnel who enter purchase and sales data into the information system. The accounting staff should not be allowed in the warehouse where they would have physical access to items in inventory. By segregating recording from access, a firm can check for errors and fraud by comparing the recorded numbers with the actual asset. This is why firms have perpetual inventory systems but still physically count the inventory at least once a year and reconcile any differences. All a perpetual inventory system does is to record every purchase and sale so that the amount left on hand can be calculated at any point (i.e., purchase less sales). Maintaining such a system has little control value unless it is periodically checked against "reality," (i.e., the amount actually on hand) and differences are investigated and reconciled.

In this example, if the accounting clerk and a warehouse employee were to collude, then segregation of duties would fail because the duties really won't be segregated any more. This is why I, as an internal auditor, became concerned if I found out an accounting clerk was dating, married to, or related to a warehouse employee. Normally, person relationships are not an employer's business. However, they can become relevant when they can lead to collusion between segregated duties.

In addition, neither the warehouse nor the accounting staff should be allowed to authorize purchase and sales transactions and the person who authorizes these transactions should not be allowed to either record the information about the transaction or have physical access to the asset involved in the transaction. Segregating authorization adds an additional check on the validity of transactions and information about transactions. Authorization helps insure that a firm does not engage in inappropriate transactions but also means that a third party knows what transactions

8-16

should have occurred. By keeping authorization separate, the authorizing person cannot authorize an inappropriate transaction and the "cover their tracks" by falsifying the recording and misappropriating the asset.

In smaller firms, like Tom's Trailer Sales, managers can have difficulty totally segregating all the duties they need to for maximum effectiveness of controls. Normally the most important duties to segregate are recording and custody. If the person authorizing the transaction either records or has custody, but not both, the firm can still compare recorded numbers to actual amounts to catch errors and fraud. However, reducing the number of people involved increases the chances of collusion.

As with authorization, I have included a discussion of segregation of duties as a firm-level control because this discussion has been about whether or not the firm has job descriptions in place that insure key duties are segregated that affect all forms of transactions. The auditing literature usually discusses segregation of duties as a transaction-level in the sense that auditors need to determine if specific duties that affect a transaction are segregated. I believe students need to understand the broader context of segregation of duties as well.

Electronic Data Processing Duties

The examples of segregation of duties presented above related to traditional accounting systems. Computerized systems create a different set of duties that need to be segregated. The following table lists these major duties and discusses some major segregation issues related to these duties:

8-17

Title Description Systems Analysis Analysis and design function. Designers should never be given live data or access to the running system. They should work with a copy of the system and test data. They should not approve the design or changes to the design. Data control Insure the security, accuracy, and completeness of data used by the information system. This function is quite limited in an on-line environment where users perform most of the data accuracy checks. However, access to data needs to be controlled so that programmers, analysts, and operators cannot alter data. Programming Creating and changing programs. All program designs and changes should be documented and approved before programmers implement them. Programmers should not work with implemented systems or have access to live data. They should work with copies of the system and their work should be approved before it is implemented. Computer operations Responsible for running the programs. This role has largely been replaced in on-line, distributed environments where users run their own programs directly. However, access to application programs should be documented and restricted. Transaction authorization Limit system access to authorized personnel. Password and other access protections together with transaction authorization within the user department are the most common transaction authorization mechanisms in on-line environments. Systems library function Limit and record access to program and data. In on-line environments, original copies of software and data backup files are stored off-line and access is controlled. On-line data must be controlled though access logs and passwords.

The same basic principles of segregating authorization, recording, and custody apply to these electronic data processing (EDP) duties. However, the "assets" now are information and programs. Any changes to programs need to be authorized by someone independent of the people who program the system or design the changes. Designers are analogous to "recorders" in the traditional example. Systems designers develop documentation on how the system should run and what it should produce. They should not have custody of the actual computer code, which is the asset in this case. The reasoning is the same. When design is separated from implementation, two people have knowledge of the system's design and goals, and they can be used to check on each other's work. Neither the designer nor programmer should even have access to "live" data (i.e., data used in the operations of the firm) because they could alter data and then alter the program to cover their tracks.

Both the analysts and the manager who authorizes the development of or change to the information system should be involved in testing the system so that the programmer cannot implement features in the system of which the analyst or authorizing manager are unaware. Once a program has passed the testing phase and is implemented, it should be thoroughly documented

8-18

and a backup copy created. From that point on, the programmer should be required to make all changes to a copy of the program, not the version that is actually being used, so that the analyst and manager can test any changes the programmer makes before they are implemented.

In today's distributed computing environment, the roles of computer operations, computer library, and data control are changing. "Computer operations" normally refers to a centralized computer or server that is operated by an EDP staff member. As systems have become more distributed, individual users become the computer operators because they are entering data directly into data files and producing reports and other documents. Regardless of whether the computer operator is a user or an EDP staff member, they must have access to live data and should not have access to the computer code. Operators also must have access to the computer program to do their jobs, but it must be a version of the program that cannot be changed. Most computer programs are written in computer languages that are intelligible to people so that they are easier to write. However, they are not run in this form. Programs are compiled (i.e., translated) into a machine-readable form that runs much faster and cannot be changed. Actually, a good programmer can change compiled programs, but it is very difficult to do and takes a lot of expertise. Therefore, operators should only have compiled programs that have been documented, tested, and approved with which to work. Otherwise, they could alter live data and modify the program to cover it up.

The systems library function also has changed with technology. Its main function is to control and log access to programs and data so that only authorized personnel can run programs and process data. In older EDP environments, programs were not stored on disk drives where they could be accessed by the computer at any time, they were stored on punch cards, paper tape, or magnetic tape and had to be loaded into the computer before they were run. The same was true of data files. Therefore, the library could control what programs were run and on what data by physically controlling possession of media (i.e., cards, paper tape, and magnetic tape). However, in on-line environments where users enter data directly into the information system and process that data, programs and data must be stored in disk files that are directly connected to the computer so physical access control no longer works. In on-line environments, access control is addressed with passwords and computer accounts. A computer account is a unique identifier that is assigned to each user of the information system. Software can be used to track user's activities and limited their access to data and programs. Systems libraries still play a role in storing and controlling backup copies of software and data, and the documentation for the information system. Firms need to use the library function to control access to system documentation because employees can use the system documentation to, potentially, determine how to by pass controls embedded in the information system.

The data control function also has changed with technology. The main purposes of the data control function were to control access to data, verify the accuracy and completeness of data input into the information system, and the accuracy of information produced by the information system. Data control departments used to be responsible for "key punching41" data (i.e.,

41 The term "key punching" comes from old systems that used punch cards and all data and program had to be punched onto cards using a machine that had a keyboard similar to a

8-19

converting it to machine-readable form). They were also responsible for insuring that the data were transferred properly to machine-readable form. (Recall that a basic principle of threats to information assurance is that any time data or information is transformed, errors can occur). Finally, data control departments were also responsible for checking the output of the information system to insure that the data were processed properly.

These procedures only worked efficiently when data were processed in blocks or batches. They would be very cumbersome if data were processed one transaction at a time. Because data were processed in batches, two common controls data control departments could use were batch and hash totals.

Batch totals were totals that were calculated on one or more key fields in the input data. For example, if the data control department were processing invoices, they would calculate the total amount of all the invoices in a particular batch directly from the invoices. After the data were keypunched, they would recalculate the invoice total from the key punched data to make sure they were the same. Finally, after the information system processed the invoices, they would calculate the invoice total on the information system output to make sure it was the same. Note that this is an imperfect control because it couldn't catch compensating errors (i.e., one invoice was too much and another too little by exactly the same amount). However, such perfectly compensating errors are extremely rare and so batch totals were strong controls.

Hash totals are identical to batch totals except the totals themselves are meaningless. To continue the example, the total amount of the invoices in a batch is meaningful because it represents a total dollar amount of all the invoices in the batch. However, the total of all the invoice numbers would not be meaningful and would be a hash total. The total of the invoice numbers does have control value in that it can be used to check for keypunch errors in the invoice number field.

In an on-line environment where users enter transactions one at a time and the information system processes them immediately, the user must perform the data control function and batch and hash totals are useless. Modern systems depend more on computer-based input controls to control data assurance. I will be discussing this issue in more detail below.

Cross Training and Job Rotation

Firms can increase the effectiveness of segregating duties by training different employees to do each other's jobs (i.e., cross training) and rotating jobs between different employees. Cross training also helps insure that if an employee leaves or is incapacitated for some reason; their role can be covered by another employee, which reduces the disruption to a firm's operations caused by personnel emergencies. Job rotations help reduce the chances that collusion will circumvent segregation of duties because the roles of any colluding employees will periodically change. Like all controls, cross training and job rotation cost money. Training costs include not only the

typewriter or computer keyboard. The term has been replaced with "data entry" in today's on-line environment.

8-20

direct cost of the training program itself, but also the opportunity cost of the time lost while employees are in training and not performing their jobs. Job rotation also creates costs because people usually have to go through a learning curve on a new job to achieve maximum efficiency even if they have been trained to do the job.

Monitoring of Policies and Procedures

Designing and implementing good controls isn't sufficient to insure that those controls work. Management needs to establish policies and procedures to monitor controls to help insure that they are functioning as designed. One monitoring technique that all publicly traded firms are required to implement is an external audit, which is the topic of this text. As I will discuss in the chapter on reporting, under the Sarbanes-Oxley Act, auditors of public firms now are required to attest to both the reliability of the firm's control system as well as attest to management's self- assessment of the reliability of the firm's control system.

Most modern firms augment the independent review performed by external auditors with an internal audit department. Internal auditors perform many of the same tasks as external auditors, but tend to do so more frequently and in greater depth. Internal auditors also consider broader threats to the organization than just inaccurate financial statements. Internal auditors are involved in operational audits whose purpose is to help insure that the organization is operating efficiently and effectively as well as protecting information assurance.

Since internal auditors are employees of the firm, it is harder for them to be independent of the management they are charged with auditing. That same management is responsible for hiring and firing the internal auditors, doing their performance evaluations, and determining pay raises. Internal auditors' independence can be enhanced if they report directly to the audit committee of the Board of Directors and if that audit committee is made up of outside directors. Outside directors are directors that do not work for the firm. Many members of a firm's Board of Directors are also employees of the firm. If the audit committee has these "inside" directors on the committee, it can compromise the committee's independence and objectivity. Even having the internal audit department report to the audit committee is not a complete solution because these committees tend to delegate personnel issues (e.g., hiring and firing, performance evaluations, salary levels) to the firm's management. Outside directors serve on a part time basis and just don't have the time to engage in day-to-day oversight of the internal audit department.

Another common monitoring control is the use of regular reviews and analysis of the firm's operations to spot potential errors. These reviews are very similar to the analytical review procedures I discussed in Chapter 6. I covered one example of these reviews above when I discussed how budgeting and budget variance analysis could be used as a control. Generally, reviews involved developing expectations about what the output of the information system should look like (e.g., a budget) and then comparing the actual output to the expected output and trying to explain major differences. Budgets are one source of expectations. Another source is historical trends. If a firm's gross profit percentage has been stable at about 28% for years and suddenly jumps to 30% or falls to 25%, management should investigate to determine what

8-21

caused the shift. If management knows that they have made a major change in their pricing structure that would account for the change, then an investigation may not be warranted.

Another source of expectations is the performance of competitors. If firm A can maintain a gross profit percentage of 28% and firm B can't, but they use virtually the same pricing structure and production processes, then the management of both firms should make an effort to determine what is causing the difference. Finally, firms also develop standards they can compare to actual performance. These standards usually are developed by doing a detailed analysis of the process used to produce a good or service and calculating what it should cost based on that analysis.

Regular reviews and analyses are relatively cheap controls because they involve numerical analysis that can be automated. However, they also are relatively weak controls because they normally can only catch large or systematic errors42. There usually is just too much "noise" in the data for an analytical procedure to spot minor problems even though those minor problems may be significant to the firm. "Noise" in the data is created because there are so many factors that could cause an expectation to be slightly off from an actual result, no matter what the source of the expectation, that it is usually not cost/benefit justified for managers to try to reconcile small differences.

Contingency Planning

"The best laid plans of mice and men usually go awry." Firms should develop contingency plans to deal with potential threats to information security that their controls might miss.

Most firms today have computerized information systems that depend on equipment and hardware, software, and data files. The first line of defense against the failure of these items is a good maintenance schedule. "An ounce of prevention is worth a pound of cure." Preventive maintenance of hardware and equipment can go a long way to preventing losses due to equipment failure. The same is true for software. The nature of a firm's day-to-day activities changes over time, both in quantity and character. Software systems should be reviewed regularly to insure that they can continue to process the types of data the firm needs and in the quantity the firm requires.

Another way to plan for hardware and software failures is to have excess or redundant capacity. For hardware, this means that the firm buys more hardware than it needs for its daily operations so that if part of the hardware fails, there is excess capacity (i.e., unused hardware) to take up the slack. For hardware items for which the firm usually maintains multiple items (e.g., printers, disk drives, and monitors), replacing or compensating for one lost item usually isn't a problem. However, for things like mainframe computers, for which the firm usually only has a few machines, providing backup capacity is more expensive and difficult. As firms have moved away from having a few, large computers on which to process their data and towards more, smaller, networked computers, they have made it easier to respond to a hardware failure because

42 Systematic errors are errors that are consistently generated by an information process. For example, a systematic would occur when an accounts payable clerk consistently fails to take cash discounts when they are available.

8-22

they do not depend heavily on any one machine. However, if the network relies on a single central server, then networking and distributing the firm's computing capacity to many machines won't help much if the central server crashes.

As an alternative to redundant capacity, firms can contract with outside service providers for backup capacity. The backup capacity can come in a variety of forms. One approach is to use the Internet to connect to a remote location maintained by an outside contractor. If the firm needs backup computer capacity, then they can activate the connection to the remote processing center and use it to run their information system. Another alternative is to physically transfer data and programs to a remote site and then transfer the resulting reports back to where the firm needs them. Since backup hardware capacity is rarely needed and expensive to maintain, contracting out for this capacity can be a cost/effective alternative for maintaining backup capacity for critical hardware. However, contracting for backup capacity is complicated by the need for the backup site to be fully compatible with the organization's systems. The more standardized the programs an organization uses, the easier it is to find backup capacity. Organizations that have specialized software that they have developed will need to provide copies to the backup site and make sure that those copies run on the backup provider's machines.

An information system needs more than hardware to function. It also depends on data and software. Since software and data can be stored in electronic form on machine-readable media, the easiest way to provide backup capacity is just to maintain duplicate copies of all software and data (i.e., backup copies). This is easier to do for software since the software programs the firm uses don't change very often. Data, however, changes constantly as transactions occur, new agents and resources are identified, and old agents and resources are eliminated. Therefore, data files need to be backed up on a regular basis. As an added control, duplicate copies of software and data should be stored in a location separate from where they are used (i.e., remote location). That way if some natural disaster, like a fire, destroys the original copies, it won't destroy the backups as well.

Insurance

All the controls thus far have focused on preventing or detecting/correcting threats to information assurance. One other firm-level control that can mitigate the loss caused by a violation of information assurance is insurance. Insurance can't replace or correct information problems caused by lack of information assurance, but it can compensate the firm for any losses incurred due to violation of information assurance. One example would be carrying liability insurance in case a customer's private information is released because the firm's information security failed and the customer sues the firm. Another would be loss of business insurance that would compensate the firm if they lost business because of a major hardware failure. Insurance, like all controls, costs money. However, firms can use insurance as a fallback position in case of large losses by having insurance policies with large deductibles, which reduces the premiums for the insurance. Using large deductible insurance policies means that the firm will be covered in case of a large loss, but will not be paying high premiums. The strategy is to rely on the firm's controls as much as possible to mitigate threats, but have a "deep pockets" insurance company that will pick up large losses if the controls fail.

8-23

Transaction Processing Controls

This section is structured around the basic processes that an information system performs (i.e., input, process, and output of data and information). In this text, I refer to these types of controls as transaction-level controls. However, these types of controls also are frequently referred to as application controls because they are associated with a specific subsystem or application within the larger information system (e.g., payroll processing, purchasing, sales processing). Unlike the firm-level controls discussed above, these controls also are more specific to the type of data being processed and the type of data being processed tends to vary by application. Therefore, the information system literature frequently uses the term "application controls." My point in using the term "transaction processing" controls is to highlight the fact that these controls really are designed to assure that basic transaction processing (i.e., input, process, and output) is done effectively. While the nature of the data that goes through these processes will vary by application, all applications must support these three types of information processes.

Although transaction-level controls tend to be associated with specific processes within an organization and firm level controls tend to affect all, or at least a significant group, of business processes, there still is some overlap between the two categories. For example, I included segregation of duties as a firm-level control, particularly segregation of data processing duties, because the use of segregation of duties can affect a broad range of processes. However, when talking about specific duties to segregate, the discussion can get quite specific to a business process. In addition, budgetary controls, when applied to the entire budget, have a broad, firm- level impact. However, comparing a specific account to its budgeted amount affects only the business processes involved in generating that account balance.

My point is that the categories are used to break the overall problem of evaluating controls into useful subtasks based on the breadth of impact of the control. However, correctly classifying a control into one category or the other isn't critical to evaluating controls.

Data Entry Controls

An information system's first line of defense is its ability to determine whether data that is entered into the information system is complete, valid, and accurate. Today, most information systems are computerized and so many of the input controls are programmed into the information system itself.

Although I discussed authorization as a firm-level control because it is based on a firm's organizational structure, it also is a form of data entry control. By limiting the people who can authorize transactions and enter data into an information system, firms can help assure the data entered into the information system. Authorization can be used to insure that the people who are performing these tasks are qualified to do so and can improve accountability by limiting the number of people who are responsible for initiating transactions and recording them.

Information systems can be password protected so that only users with the correct password can open the database. In addition, information systems can provide user level password protection that limits the components within the system that a given user can use.

8-24

Not all data entry controls are embedded in the information system itself. For example, the batch and hash controls discussed above in the section on the data control department are data entry controls that are performed manually outside the information system. Another data entry control that is not embedded in the information system is document comparison. Frequently data being entered into an information system comes from documents. There may be more than one document that should contain the same information. For example, the quantity of an item a firm orders from a vendor should be the same on the purchase order, the receiving report, and the vendor's invoice. By manually comparing the information on these documents a firm can help insure that data concerning a purchase transaction that is entered into the information system is valid, accurate, and complete. As more firms move to electronic data interchange (EDI) where paper documents are being replaced with electronic ones, the information system can be programmed to make these comparisons within the information system itself thus reducing the change from human error.

Processing and Output Controls

Reperformance Controls

I have combined processing and output controls because the most common and powerful processing and output controls involved comparing output information to input information. By making this comparison, a control simultaneously can confirm the accuracy, validity, and completeness of the processes that transformed the data and the output that presents the data to the user. Auditors refer to these types of controls as reperformance controls because the processes are reperformed to insure their assurance. If these reperformance controls are performed on the original input data into the information system, then they also act as input controls. Reperformance controls are strong because they can help insure the assurance of input, processes, and outputs. However, they usually can't identify where the error occurred (i.e., in input, process, or output) and, therefore, they may be inefficient because the errors they identify may be hard to correct.

Audit Trails

To be more effective, reperformance controls need to be linked with audit trails. An audit trail is merely a link between every data element on an output report back to the original input data that was used to create it. For example, general ledgers (an output report) should show the beginning balance and list of all transaction postings that lead to the ending balance so that the total for an account can be recalculated as a reperformance control. In addition, each transaction posting should have a reference back to the transactions that created the posting. This reference usually is a record of the journal from which the posting came. The transaction listings or journals, in turn, should have a reference back to the original source of each transaction. For example, every item in a sales journal should have a reference to the sales invoice that created the entry in the sales journal. The general ledger should refer to the date, or other unique identifier, of the sales journal that lead to the total sales amount posted to the sales account in the general

8-25

ledger. Generally, inputs are hard to compare to outputs if there isn't a trail that someone can follow from the output back to the input.

Analytical Procedures

The assurance of output information also can be verified with what auditors call analytical procedures. I covered the general idea of analytical procedures in the firm-level discussion above under the topic of regular reviews and analysis because these procedures can be used to verify firm-wide data as well as application-level data. However, firms can use analytical procedures as both firm-level controls and transaction processing controls. Regardless of which level best describes the control, the basic idea is the same. Analytical procedures can be used as reasonability checks on output data by comparing that data to some form of expected result and research any differences between expected and actual results.

Database Structure

Designers can embed some forms of processing controls in an information system. For example, information systems software can enforce what the information systems literature refers to as referential integrity. Enforcing referential integrity will insure that if a key piece of information is changed in, or deleted from, the database, all related pieces of information will be changed or deleted. If a customer is deleted from the customer table in the database, then all invoices relating to that customer should also be deleted. If these deletions were not made, then the information system would contain invoices without valid customers, which would create an accuracy violation for those invoices.

Error and Exception Reports

Controls won't work unless the results of the procedures are provided to employees who are supposed to eliminate the errors detected by the controls. Most of the data entry controls are preventive and provide immediate feedback to the user that something is wrong with the data the user is attempting to enter. Frequently, however, controls that check on output and processes need to produce explicit error and exception reports to notify the responsible employee that there may be errors in the data.

This example illustrates that most analytical procedures do not explicitly identify errors, but identify data or information elements that may be in error because they appear to be outside of an expected range. A responsible employee must make the final determination of whether these amounts are in error or just the results of unusual activity. Error and exception reporting helps focus that employee's attention on problem areas by screening a large amount of data and information and only reporting potential problem areas. Error and exception reporting also produces a record of problem areas so that management, or responsible employees, can review patterns for problems over time to look for systematic problems in the information system and not just problems with current transactions or processing.

8-26

Report Distribution

Most of the controls discussed so far focus on insuring the information system produces complete, valid, and accurate information. However, because of confidentiality and segregation of duties concerns, firms need to limit the information that is available to any given employee. For example, payroll information is very sensitive and, because of both good management practices and Federal law, must be kept confidential. Therefore, information system designers need to develop report distribution lists that limit which employees get which reports on a regular basis.

Access and Transmission Controls

Finally, most of these controls assume that only authorized persons have access to the information system and the data contained in the information system. Access controls mainly address the security threat listed above. In a manual environment, the main access controls are physical access controls. Physical access controls are things like locks on doors, files, and equipment that physically prevent unauthorized access. Today, firms can use technology to improve on locks by including such features as biometric screening. Biometric screening involves the use of some physical feature of a person's body to identify them uniquely. Movie writers have done a good job of illustrating these techniques. Examples of biometric screening devices include retinal scans and finger or palm print scans.

In an electronic environment, people do not have to access records physically to change them or gain unauthorized access to their contents. Electronic access is called logical access in the information system community. Information system designers can limit logical access using passwords, firewalls, proxy servers, and virus checkers.

Passwords are a very cheap and effective means of access control as long as the passwords are kept secret. Passwords can be revealed by guessing or by the inadvertent release of the password. Picking passwords that are nonsense to anyone other than the person selecting the password can reduce "Guessing." This is why systems security experts encourage users to avoid obvious things like birthdays and encourage them to use a combination of letters and numbers or characters. One thing that many employees fail to appreciate is that passwords don't just protect that employee's data. Once some unauthorized person uses a password to gain access to the information system, they may be able to access other parts of the system outside the individual user's immediate data files. Modern information systems are very complex and tightly integrated, and there can be many paths to data and information that the best access control methods may overlook. To help prevent unauthorized access, most firms require that employees regularly change their passwords even if they have no reason to believe that the passwords have been compromised.

Firewalls and proxy servers provide protection to the information system from unauthorized access by people outside the firm. The need for firewalls and proxy servers arises from the use of the Internet to transmit data to and from an information system.

8-27

Firewalls are software packages that screen all attempts to access a system from a remote location, typically via the Internet. In addition to using accounts and passwords, firewalls can also screen a potential user based on the users IP address. An IP (i.e., Internet protocol) address is a unique identifier assigned to every computer that accesses the Internet. Some IP addresses are permanent and others are temporary. Most computers that are permanently linked to the Internet (e.g., like file servers) have permanent IP addresses that do not change. For example, I use a cable modem at home to access the Internet. Since this modem is linked to the Internet constantly, the modem has a permanent IP address and the computer that uses that modem is identified by the modem's IP address. When a computer accesses the Internet temporarily (e.g., when I use dialup access from my laptop), the access provider assigns the computer a temporary IP address. Firewall software screens the IP address of anyone trying to access the information system from outside the firm and only allow access to recognized IP addresses.

Proxy servers are similar to firewalls, but are designed to screen both incoming and outgoing communications. A proxy server is a special file server designed to handle both incoming and outgoing Internet access. Therefore, firms can use proxy servers to implement firewalls against unauthorized access from outside parties. In addition, when a user inside the firm tries to access a webpage, the request goes to the proxy server before it goes to the Internet server containing the webpage. The proxy server can screen the webpage address and block access to the user. While this use of proxy servers may not seem related to information assurance because it is limiting access to sources of information outside the firm's information system, it does help limit unauthorized use by employees of limited Internet resources and, in doing so, helps insure that adequate resources are available for authorized purposes.

Data encryption and electronic signatures can provide substantial protection against unauthorized access to data while that data are being transmitted over publicly accessible means. Both the Internet and phone lines, either cell phones or landlines, are publicly accessible. Data encryption reduces the threat of data being intercepted in transmission by coding the data into a form that cannot be interpreted without knowing how to decode it. Coding and decoding can use very sophisticated techniques that are virtually impossible to break, but the basic idea is as simple as used by decoder rings in the old Cracker Jack™ boxes I used to buy as a kid. The sending party must code the message in a way that unauthorized parties cannot read and the receiving party must know how to decode the message. The key to any coding scheme is to keep the coding method secret.

Electronic signatures are a particular use of encryption where the sender's identification is encrypted is such a way that unauthorized persons cannot imitate or steal another person's identity. To develop an electronic signature, a person determines what string of characters (s)he will use to identify themselves uniquely (just like a written signature) and then encrypts that signature and attaches it to any data they want to transmit. The receiving party needs to know how to decrypt the signature to verify the sender's identity. Because of the power of modern encryption technology, electronic signatures can be more secure than manual signatures.

Virus checkers are a specific form of access control that attempts to prevent vandalism to the firm's information system and its data. Most students have had personal experiences with worm

8-28

and virus programs that have infected their systems and damaged programs or data. Most of these programs have no purpose other than random destruction of programs and data (i.e. electronic vandalism). All worms and viruses are small programs that trick the host computer into executing the worm or virus. They tend to enter a computer system disguised in things like e-mails, pictures, and webpages. Once these programs are executed, they can erase data and programs, duplicate and transmit copies of themselves to other computers, and disable virus- checking programs. They also can install "back doors" in the infected machine, allowing the hacker to bypass firewalls and gain access to the infected computer.

The best defenses against viruses and worms are use of caution in opening any incoming message from the Internet and the use of virus checking programs. You should never open any e-mail message or attachment that comes from a source you can't identify or is unexpected. For example, a worm that came in an e-mail from my wife's uncle, who is usually a reliable source of e-mail, recently infected my home computer. However, her uncle wasn't even aware that he had sent the e-mail since the worm had done so without his knowledge. My virus checker didn't detect the worm because it was new and I hadn't updated my virus checker's database recently.

Virus checkers are only as good as their databases and screening rules. The main way virus checkers work is to compare incoming data to a database of known worms and viruses. Therefore, it takes time for a virus or worm to be identified and added to the checker's database. Since new worms and viruses are produced every day, firms and users need to update their virus checker's databases frequently to prevent infection from newer threats. In addition, most virus checkers contain screening rules that look for questionable forms of information or code coming into the system. These screening rules are limited in effectiveness because although many virus or worm programs share some common features, each is unique. Screening rules only can look for typical common features and may miss specific programs or flag valid programs as potential viruses.

Matching Controls to Threats

The prior two sections have presented a significant number of concepts and terms within an overall framework of threats to information assurance and controls to mitigate those threats. This section provides a general summary of those two sections that provides better links between controls and threats. The following table summarizes how controls relate to threats, as discussed above. A brief summary of the primary principles that the table summarizes follows the table.

8-29

Threats Controls Firm-level People Skills - training and continuing education Goals - clear policies and direction from management Resources Time - to implement controls Equipment& supplies - needed to implement controls Procedures - clearly defined control procedures to implement Authority - to implement the controls Incentives Management example - top management cares and acts that way Monitoring & evaluation - someone is watching and there are consequences Segregation of Duties Authorization, recording, and physical access should be done by separate people Contingency Planning Backups - data and software & Insurance Excess capacity - for equipment and software Regular maintenance - to prevent problems Insurance - to fill in gaps in controls Transaction level - completeness, validity, and accuracy Input Input edit checks in software - table definitions, relationships, and forms field definitions Authorization - to prevent invalid entries, supported by segregation of duties Process and output Reperformance - double checks, reconciliations, supported by segregation of duties Audit trails - clear links from output back to input Analytical procedures - reasonability comparisons to expectations Database structure - foreign keys and referential integrity Error and exception reports - flag possible errors for review, look for patterns over time Report distribution - limit information to "need to know" Access and Accounts, passwords, firewalls and proxy servers - to limit transmission virtual access Locks and biometrics - to limit physical access Virus checkers - to limit vandalism Data encryption and electronic signatures - to limit transmission threats.

The focus of firm-wide threats and controls is to develop an organizational culture, implemented by management action as well as formal policies, procedures, and personnel practices that give employees clear direction on how to maintain information assurance, the resources they need to carry out that direction, and the incentives to do so. One frequently used principle that helps limit an employee's ability to undermine information assurance is segregation of duties. Segregating key duties insures that more than one person is involved in transactions and/or data

8-30

processing. In this way, the threat to information assurance is reduced because different employees act as cross checks on each other.

The focus on information processing controls is to insure that data and information are complete, valid, accurate, and secure as that data are captured, processed, and reported by the information system. Every time data are captured or transformed, there is a risk that data could be lost, invalid data could be injected into the information system, data could be altered so that it is no longer valid, or data could be accessed by unauthorized personnel. Therefore, transaction processing controls should be in place at any point where information is captured, transformed, transmitted, or reported.

8-31

Enron Scandal

From Wikipedia, the free encyclopedia43

The was a financial scandal that was revealed in late 2001. After a series of revelations involving irregular accounting procedures bordering on fraud, perpetrated throughout the 1990s, involving Enron and its accounting firm Arthur Andersen, it stood at the verge of undergoing the largest bankruptcy in history by mid-November 2001. A white knight rescue attempt by a similar, smaller energy company, Dynegy, was not viable. Enron filed for bankruptcy on December 2, 2001.

As the scandal was revealed, Enron shares dropped from over US$90.00 to just pennies. As Enron had been considered a blue chip stock, this was an unprecedented and disastrous event in the financial world. Enron's plunge occurred after it was revealed that much of its profits and revenue were the result of deals with special purpose entities (limited partnerships that it controlled). The result was that many of Enron's debts and the losses that it suffered were not reported in its financial statements.

In addition, the scandal caused the dissolution of Arthur Andersen, which at the time was one of the world's top five accounting firms.

Contents

. 1 Background . 2 Timeline of Enron's downfall . 2.1 Investors begin to worry . 2.2 The crisis begins to unravel . 3 "There is an appearance that you are hiding something" . 3.1 Credit rating danger . 3.2 Enron seeks help . 3.3 Other shoes drop . 3.4 The deal falls apart . 3.5 Aftermath . 3.6 1998 Cornell University Student research . 4 Fallout . 4.1 Pensions . 4.2 Arthur Andersen . 4.3 Societal and legal impacts . 4.4 Class action lawsuit . 4.5 Trials . 5 Trivia . 6 See also . 7 Notes

43 Downloaded 12/07.

8-32

. 8 Further reading . 9 External links

Background

In the early 1990s the Congress of the United States of America passed legislation deregulating the sale of electricity. It had done the same for natural gas some years earlier. The resulting energy markets made it possible for companies like Enron to thrive, while the resultant price [2] volatility was often bemoaned by producers and local governments. Strong lobbying on the part [3][4] of Enron and others, however, kept the system in place. By the late 1990s Enron's stock was trading for $80-90 per share, and few seemed to concern themselves with the opacity of the company's financial disclosures. In mid July 2001, Enron reported earnings of $50.1 billion, [5] almost triple year-to-date, beating analysts' estimates by 3 cents a share. Despite this, Enron's profit margin had stayed at a modest average of about 2.1%, and its share price had dropped by [6] over 30% since the same quarter of 2000.

However, concerns were mounting. Enron had recently faced several serious operational challenges, namely logistical difficulties in running a new broadband communications trading unit, constructing the Dabhol Power project, a large power plant in India, and criticism of the company for the role it allegedly had played in the power crisis of California in 2000-2001.

Timeline of Enron's downfall

On August 14, 2001, , the chief executive of Enron, a former energy consultant at McKinsey & Company who joined Enron in 1990, announced he was resigning his position after only six months.

"[T]he reasons for leaving the business are personal," said Skilling at the time, "but I'd just as [7] soon keep that private." Observers noted that in the months leading up to his exit, Skilling had sold at minimum 450,000 shares of Enron at a value of around $33 million (though he still [8] owned over a million shares at the date of his departure). Nevertheless, , the chairman at Enron, reassured analysts by affirming that there was "[a]bsolutely no accounting issue, no trading issue, no reserve issue, no previously unknown problem issues" prompting the departure. He further assured stunned market watchers that there would be "no change in the [9] performance or outlook of the company going forward" from Skilling's departure. Lay announced he himself would re-assume the position of chief executive.

The next day, however, Skilling admitted that a very significant reason for his departure was [10] Enron's faltering price in the stock market. The columnist Paul Krugman, writing in the NY Times, asserted that Enron was an illustration of the consequences that occur from the [11] deregulation and commodification of things such as energy. A few days later, in a letter to the editor, Kenneth Lay defended Enron and the philosophy behind the company:

8-33

The broader goal of [Krugman's] latest attack on Enron appears to be to discredit the free-market system, a system that entrusts people to make choices and enjoy the fruits of their labor, skill, intellect and heart. He would apparently rely on a system of monopolies controlled or sponsored by government to make choices for people. We disagree, finding ourselves less trusting of the integrity and good faith of such institutions and their leaders.

The example Mr. Krugman cites of "financialization" run amok (the electricity market in California) is the product of exactly his kind of system, with active government intervention at every step. Indeed, the only winners in the California fiasco were the government-owned utilities of Los Angeles, the Pacific Northwest and British Columbia. The disaster that squandered the wealth of [12] California was born of regulation by the few, not by markets of the many.

Investors begin to worry

By the end of August of 2001, his company's stock still falling, Lay named Greg Whalley, 39, president and chief operating officer of Enron Wholesale Services and Mark Frevert, 46, who was previously Mr. Whalley's superior at Enron Wholesale, to positions in the chairman's office. Some observers suggested that Enron's investors were in significant need of reassurance, not [14] least because the company's business was difficult to understand (even "indecipherable" ) and [15] difficult to properly express in a financial statement. "[I]t's really hard for analysts to determine where [Enron] are making money in a given quarter and where they are losing money," said one [16] analyst. Lay accepted that Enron's business was very complex, but asserted that analysts would "never get all the information they want" to satisfy their curiosity. He also explained that the [17] complexity of the business was due largely to tax strategies and position-hedging.

Lay's efforts seemed to meet with limited success; by September 9, 2001, one prominent hedge [18] fund manager noted that "[Enron] stock is trading under a cloud." The sudden departure of Skilling combined with the opacity of Enron's accounting books made proper assessment difficult for Wall Street. In addition, the company admitted to repeatedly using "related-party transactions," which some feared could be too-easily used to transfer losses that might otherwise appear on Enron's own balance sheet. A particularly troubling aspect of this technique is that several of the "related-party" entities were or had been controlled by Enron's CFO, Andrew [19] Fastow.

After the September 11, 2001 attacks, media attention shifted away from the company and its troubles; a little less than a month later Enron announced its intention to begin the process of shearing its lower-margin assets in favor of its core businesses of gas and electricity trading. This move included selling Portland General Electric to another Oregon utility, Northwest Natural Gas, for about $1.9 billion in cash and stock, and possibly selling its 65% stake in the Dabhol [20] project in India.

The crisis begins to unravel

Then, a few days later, on October 17, 2001, Enron announced that its third-quarter results were negative due to one-time charges of over $1 billion. Enron management claimed the losses were

8-34

mostly due to investment losses, along with charges such as about $180 million in money spent restructuring the company's troubled broadband trading unit. "After a thorough review of our businesses, we have decided to take these charges to clear away issues that have clouded the performance and earnings potential of our core energy businesses," said Kenneth Lay in a [21] statement. Some analysts were unnerved. "What's next?," asked David Fleischer at Goldman [22] Sachs, an analyst called previously 'one of the company's strongest supporters' asserting that the Enron "[m]anagement... lost credibility and have to reprove themselves. They need to convince investors these earnings are real, that the company is for real and that growth will be [23] realized".

Additionally Enron asserted that the broadband unit alone was worth $35 billion, a claim also mistrusted. "I don't think anyone knows what the broadband operation is worth," said Todd [24] Shipman, an analyst at Standard & Poor's. On October 22, 2001, the share price of Enron fell to $20.65, down $5.40 in one day, following the Securities and Exchange Commission's announcement that it was investigating several suspicious deals struck by Enron, pronouncing "some of the most opaque transactions with [25] insiders ever seen". Attempting to explain the billion dollar charge and calm investors, Enron's disclosures spoke of "share settled costless collar arrangements," "derivative instruments which eliminated the contingent nature of existing restricted forward contracts," and strategies that served "to hedge certain merchant investments and other assets." Such puzzling phraseology left [26] many analysts feeling ignorant about just how Enron ran its business.

In addition, despite the crisis of confidence felt by many observers and Enron investors, the company refused to elaborate on its unusual investment and accounting practices. Jeffrey Skilling, while still in his capacity as CEO, went as far as to use an expletive against a participant in a conference call who was insistent that Enron release balance sheet numbers along with [27] earnings. Regarding the SEC investigation, chairman and CEO Lay said, "We will cooperate fully with the [28] S.E.C. and look forward to the opportunity to put any concern about these transactions to rest."

"There is an appearance that you are hiding something"

Concerns about Enron's liquidity prompted Lay to participate in a conference call on Oct. 23, in which he attempted to reassure investors that the company's cash resources were ample and no further "one-time charges" loomed. Secondly, Lay adamantly insisted there were no improprieties regarding Enron's transactions with partnerships run by . Lay emphasized his [29] support for Fastow. David Fleischer, the analyst at Goldman, was again skeptical, telling Lay and Fastow, "There is an appearance that you are hiding something." Nevertheless, Fleischer persisted in recommending the stock, arguing that he didn't "think accountants and auditors [30] would have allowed total shenanigans." Lay also attempted to reassure the conferees by stressing that all of Enron's financial and accounting manoeuvres had been scrutinized by their auditor, Arthur Andersen. After several questioners pressed the issue, Lay stated Enron

8-35

management would "look into providing" more detailed statements for the end of better [31] understanding the company's relationship with the special entities as those run by Fastow.

Two days later, on October 25, 2001, despite his reassurances days earlier, Kenneth Lay removed Andrew Fastow from his position. Enron's stock was now trading at $16.41, having lost half its value in a little over a week. "In my continued discussions with the financial community, it became clear to me that restoring investor confidence would require us to replace Andy as [32] C.F.O.," said Lay in the statement announcing Fastow's exit. However, with Skilling and Fastow now both departed, some analysts feared that shedding light on the company's practices [33] would be made all the more difficult.

On October 27 the company began buying back all its commercial paper, valued at around $3.3 billion, in an effort to keep investors from fearing about Enron's supply of cash. Enron financed the re-purchase by depleting its lines of credit at several banks. While the company's debt rating was still considered investment-grade, its bonds were trading at levels slightly below, making [34] future sales problematic.

As October 2001 came to a close, serious concerns were being raised by some observers regarding Enron's possible manipulation of accepted accounting rules; however, some claimed [35] analysis was impossible based on the incomplete information provided by Enron. Some now openly feared that Enron was the new Long-Term Capital Management, the hedge fund whose collapse in 1998 threatened systemic failure in the international financial markets. Enron's tremendous presence worried some about the consequences of Enron's possible [36] [37] collapse. Enron executives were tight-lipped, accepting questions in written form only.

Credit rating danger

The central short-term danger to Enron's survival at the end of October 2001 seemed to be its credit rating. It was reported at the time that Moody's and Fitch Investors Service, two of the [38] three biggest credit-rating agencies, had slated Enron for review for possible downgrade. Such a downgrade would force Enron to issue millions of shares of stock to cover loans it had guaranteed, a move that would dilute the value of existing stock further.

Additionally, all manner of companies began reviewing their existing contracts with Enron, especially in the long term, in the event that Enron's rating were rated below investment grade, a [39] possible hindrance in future transactions.

Analysts and observers continued their chorus of complaints regarding Enron's difficulty or impossibility of properly assessing a company whose financial statements were so mysterious. Some feared that no one at Enron apart from Skilling and Fastow could completely explain years of mysterious transactions. "You're getting way over my head," said Ken Lay in late August 2001 [40] in response to detailed questions about Enron's business, a reaction that worried analysts.

8-36

On October 29, 2001, responding to growing concerns that Enron might in the short-term have insufficient cash on hand, the news spread that Enron was seeking a further $1-2 billion in [41] financing from the banks.

The next day, as feared, Moody's lowered Enron's credit rating, or senior unsecured long-term debt ratings, to Baa2, two levels above so-called junk status, from Baa1. Standard & Poor's also lowered their rating to BBB+, the equivalent of Moody's rating. Moody's also warned that it might downgrade Enron's commercial paper rating, the consequence of which might be [42] preventing the company from finding the further financing it sought to keep solvent.

November began with the disclosure that the SEC was now pursuing a formal investigation, prompted by questions related to Enron's dealings with "related parties". Enron's board also announced that it would commission a special committee to investigate the transactions, headed by William C. Powers, the dean of the University of Texas law school. "We welcome this request" to cooperate with the SEC, said Kenneth Lay in a [43] statement. The next day, an editorial in the New York Times called for an "aggressive" [44] investigation into the matter.

On November 2, 2001 Enron succeeded in securing an additional $1 billion in financing, but the news was not universally admired in that the debt was secured with the company's valuable [45] Northern Natural Gas and Transwestern Pipeline.

Enron seeks help

A few days into November 2001 it became known that the Enron management had been [46] aggressively pursuing new investment or an outright buyout. The efforts were reported to have [47] been largely unsuccessful. Investor Warren Buffett was approached, but declined. Other overtures were made to prominent buyout firms such as Clayton, Dubilier & Rice, the Blackstone Group, and Kohlberg Kravis Roberts, all apparently fruitless efforts. [48]

Sources claimed that Enron was planning to explain its business practices more fully within the [49] coming days, as a confidence-building gesture. Enron's stock was now trading at around $7, as investors worried that the company would not be able to find a buyer.

After it received a wide spectrum of rejections, Enron management apparently found a buyer when the board of Dynegy, another energy trader based in , TX, voted late at night on [50] November 7 to acquire Enron "at a fire-sale price" or about $8 billion in stock. Chevron Texaco, which at the time owned about a quarter of Dynegy, agreed to provide Enron with $2.5 billion in cash, specifically $1 billion up front and the rest when the deal was completed. Dynegy would also be required to assume nearly $13 billion of debt, plus any other debt hitherto occulted [51] by the Enron management's secretive business practices , possibly as much as $10 billion in [52] "hidden" debt. Dynegy and Enron confirmed their deal on November 8, 2001.

8-37

Commentators remarked on the different corporate cultures between Dynegy and Enron, and on [53] the "straight-talking" personality of the CEO of Dynegy, Charles Watson. Some wondered if [54] Enron's troubles hadn't simply been the result of innocent accounting errors. By November, Enron was asserting that the billion-plus "one-time charges" disclosed in October should in reality have been $200 million, with the rest of the amount simply corrections of dormant [55] [56] accounting mistakes. Many feared other "mistakes" and restatements might yet be revealed.

November 9, 2001 brought with it another major correction of Enron's earnings with a reduction of $591 million over the stated revenue of years 1997-2000. The charges were said to come largely from two special purpose partnerships, called "Jedi" and "Chewco". The corrections resulted in the virtual elimination of profit for fiscal year 1997, with significant reductions every other year. Nevertheless Dynegy was reported to have not lost interest in purchasing Enron [57] despite this disclosure. Both companies were said to be anxious to receive an official [58] assessment of the proposed sale from Moody's and S&P (considered by some a "do or die" deal for Enron) presumably to understand the effect on Dynegy and Enron's credit rating the completion of any buyout transaction. In addition, concerns were raised regarding antitrust regulatory hurdles leading to possible divestiture, along with what to some observers were the [59] radically different corporate cultures of Enron and Dynegy.

Nevertheless both companies pushed aggressively for the deal, and some observers were hopeful; Charles Watson was praised for his vision in attempting to create the biggest presence on the [60] energy market in one fell swoop. "We feel [Enron] is a very solid company with plenty of capacity to withstand whatever happens the next few months," said Watson at the time.[61] One analyst called the deal "a whopper [...] a very good deal financially, certainly should be a good [62] deal strategically, and provides some immediate balance-sheet backstop for Enron."

Credit issues were becoming more critical, however. Around the time the buyout was made public, Moody's and S&P both lowered Enron's rating to just one notch above junk status. Were the company's rating to fall below investment-grade, its ability to trade might be severely limited [63] subsequent to a curtailment or elimination of its credit lines with competitors. In a conference call, S&P affirmed that, were Enron not to be taken over, S&P would cut its rating cut to low BB [64] or high B, ratings "not even at the high end of junk". Furthermore many traders had limited their doing business with Enron, or stopped altogether, fearing more bad news. But Watson again attempted to re-assure, affirming during a presentation to investors in New York that there was [65] "nothing wrong with Enron's business." He also acknowledged that remunerative steps (in the form of more stock options) would have to be taken to redress the animosity of many Enron employees for management after it was revealed that Lay and other top officials had sold [66] hundreds of millions of dollars worth of stock in the months leading up to the crisis. The [67] situation was not helped by the disclosure that Kenneth Lay, his "reputation in tatters" , stood to receive a payment of $60 million as a change-of-control fee subsequent to the Dynegy acquisition, and this while many Enron employees had seen their retirement accounts, which were largely based on Enron stock, decimated as the price fell 90% in a year. "We had some

8-38

married couples who both worked who lost as much as $800,000 or $900,000," said an official at [68] a company owned by Enron. "It pretty much wiped out every employee's savings plan."

Watson assured investors that the true nature of Enron's business had been made clear to him: "We have comfort there is not another shoe to drop. If there is no shoe, this is a phenomenally [69] good transaction," he said at the time. Watson further asserted that Enron's energy trading part [70] alone was worth the price Dynegy was paying for the whole company.

Other shoes drop

By mid-November, Enron announced it planned to sell about $8 billion worth of underperforming assets, along with a general plan to reduce its scale for the sake of financial [71] stability.

On November 19, 2001 Enron disclosed to the public further evidence of its critical state of affairs, most pressingly that the company was facing debt repayment obligations in the range of [72] $9 billion by the end of 2002. Such debts were "vastly in excess" of its available cash. Also, the success of measures to preserve its solvency were not guaranteed, specifically as regarded asset sales and debt refinancing. "An adverse outcome with respect to any of these matters would likely have a material adverse impact on Enron's ability to continue as a going concern," said [73] Enron in a statement.

Two days later, on November 21, Wall Street was expressing serious doubts that Dynegy would proceed with its deal at all, or would seek to radically renegotiate. Enron's stock price fell $2 to about $7. Furthermore Enron revealed in a 10Q filing that almost all the money it had recently borrowed for purposes including buying its commercial paper, or about $5 billion, had been exhausted in just 50 days. Analysts were unnerved at the revelation, especially since Dynegy was [74] reported to also have been unaware of Enron's rate of cash use.

In order to walk away from the proposed buyout, Dynegy would need to legally demonstrate a "material change" in the circumstances of the transaction; as late as November 22, sources close [75] to Dynegy were skeptical that the latest revelations constituted sufficient grounds. The SEC announced it had filed civil fraud complaints against Arthur Andersen, Enron's [76] auditor. A few days later, sources claimed Enron and Dynegy were now actively renegotiating [77] the terms of their arrangement. Dynegy now demanded Enron agree to be bought for $4 billion rather than the previous $8 billion. Observers were reporting difficulties in ascertaining whether or which of Enron's operations, if any, were profitable. Reports described an en masse shift of business to Enron's competitors for the sake of risk exposure reduction. Finally, a new report [78] from Moody's made Wall Street nervous.

The deal falls apart

On November 28, 2001, Enron's two worst outcomes came true. Dynegy Inc. unilaterally disengaged from the proposed acquisition of the company and Enron's credit rating fell to junk

8-39

status. The company, having very little cash with which to run its business, let alone satisfy enormous debts, imploded. Its stock price fell to $0.61 at the end of the day's trading. "Enron is [79] now shorthand for the perfect financial storm," wrote one editorial observer.

Systemic consequences were felt, as Enron's creditors and other energy trading companies suffered the loss of several percentage points. Some analysts felt Enron's failure highlighted the risks of the post-September 11 economy, and encouraged traders to lock in profits where they [80] could.

The question now became determining the total exposure of the markets and other traders to Enron's failure. Early figures put the number at $18.7 billion. "We don't really know who is out there exposed to Enron's credit," said one adviser. "I'm telling my clients to prepare for the [81] worst."

Enron was estimated to have about $23 billion in liabilities, both debt outstanding and guaranteed loans. Citigroup and JP Morgan Chase in particular appeared to have significant amounts to lose with Enron's fall. Additionally, many of Enron's major assets were pledged to lenders in order to secure loans, throwing into doubt what if anything unsecured creditors and [82] eventually stockholders might receive in bankruptcy proceedings.

Enron's European operations filed for bankruptcy on November 30, 2001, and it sought Chapter 11 protection in the U.S. two days later on December 2. At the time, it was the biggest [83][84] bankruptcy in U.S. history, and it cost 4,000 employees their jobs.

Aftermath

Kenneth Lay, the former Chairman of the Board and Chief Executive Officer and Jeffrey Skilling, former Chief Executive Officer and Chief Operating Officer, went on trial for their part in the Enron scandal in January 2006. The 53-count, 65-page indictment covers a broad range of financial crimes, including bank fraud, making false statements to banks and auditors, securities fraud, wire fraud, money laundering, conspiracy and insider trading. U.S. District Judge Sim Lake had previously denied motions by the defendants to hold separate trials and to move the case out of Houston, where the defendants argued the negative publicity surrounding Enron's demise would make it impossible to get a fair trial.

Mr. Lay pleaded not guilty to the eleven criminal charges. Lay stated that he was misled by those around him. At the time of his death the U.S. Securities and Exchange Commission (SEC) had been seeking more than $90 million from Lay in addition to civil fines.

The case surrounding Mrs. Linda Lay is a difficult one. Mrs. Lay sold roughly 500,000 shares of Enron ten minutes to thirty minutes before the information that Enron was collapsing went public on November 28, 2001. This was information that Enron executives had known for over a year. Former managing director of investor relations for Enron Paula Rieker pleaded guilty in federal court to a criminal insider trading charge. The one felony charge against Rieker carries a maximum penalty of ten years in prison and a $1 million fine. Rieker agreed never again to serve

8-40

as an officer or director of a public company. If a federal court approves the settlement, Rieker will pay the SEC $499,333, the profit from the sale of 18,380 shares of Enron stock. Rieker has been a valuable witness for the government as she prepared earnings releases and conference calls with Enron analysts.

On December 28, 2005, former CAO Richard Causey pleaded guilty to securities fraud. He will have to serve 7 years in prison and pay $1.25 million to the U.S. Government. Causey has the possibility of only serving 5 years in prison if he cooperates and testifies with Lay and Skilling. On January 13, 2006 lobbyist William "Art" Roberts pleaded guilty to impersonating Senate staff members during the investigation. Roberts was hired by a German bank in June 2004 to get a letter from a Senate subcommittee stating the bank had done their due diligence investigating the [85] Enron collapse, as part of the bank's defense in a suit filed against it by a London bank.

Lay and Skilling were indicted for securities and wire fraud in July 2004, leading to a highly- publicized trial in which Lay was convicted on all six counts and Skilling on 19 of 28 counts on May 25, 2006. On July 5, 2006, Lay died at age 64 while vacationing in Aspen, Colorado, after suffering a heart attack on July 4. Skilling was convicted and sentenced to 24 years, 4 months in a federal prison on October 23, 2006. As well as his sentence of 24 years, 4 months, he was ordered to restore the Enron pension fund with $26 million out-of-pocket. It is expected that he will appeal.

Former Enron executive Paula Rieker has been charged with criminal insider trading. Rieker obtained 18,380 Enron shares for $15.51 a share. She sold that stock for $49.77 a share in July 2001, a week before the public was told what she already knew about the $102 million loss. Enron's bankruptcy took the form of a liquidation, rather than a restructuring, as initially expected, and even announced on the company's website. Assets considered "non-core", such as Enron's energy and bandwidth trading businesses, the Enron Wind energy unit, and the IT consulting businesses, were divested. Also including in the divestiture process were oil field services company Mariner Energy (in which Enron held a 98% controlling interest) and INSELA, a Venezuelan gas valve and electrical equipment manufacturer in which Enron held 50%. Also sold outright were Enron's paper and forest products companies in the U.S. and Canada, consisting of Garden State Paper Company, Papiers Stadacona, and St. Aurelie Timberlands.

Enron's sole electric utility in the United States, Portland General Electric, was spun off as an independent company in 2006, with its shares disbursed to creditors. The remainder of Enron's operations were reorganized under two major subsidiaries formed in 2003: CrossCountry Energy, consisting of Enron's domestic gas pipeline interests; and Prisma Energy International, formed from most of Enron's global electricity generation and distribution businesses, formerly referred to as "". CrossCountry Energy was sold to CCE Holdings, a joint venture of Southern Union and a unit of General Electric, in 2004. The spin-off of Portland General Electric in 2005 left Prisma Energy as Enron's last major business asset. Prisma Energy itself was ultimately sold to Ashmore Energy International in 2006, leaving Enron Corp. as a non-trading "shell" company, now in the final stage of its bankruptcy liquidation. Between the initial proposal of the reorganization plan in 2002, and the formal creation of Prisma Energy International and

8-41

CrossCountry Energy in 2003, the two proposed companies were referred to within Enron as "InternationalCo" and "PipeCo" respectively.

To reflect its new status as a largely asset-less shell existing solely to manage final payouts to creditors, Enron changed its legal, corporate name to "Enron Creditors Recovery Corporation", d/b/a Enron Corporation, in early 2007. Perhaps one of Enron's few remaining assets is DealBench, an online transaction and divestiture service, once part of the now defunct EnronOnline.

1998 Cornell University Student research

In May 1998 six students of Cornell University released a report about Enron. In page 12 they wrote: "As shown in Table 2, the 8-variable Beneish model shows that that Enron may be manipulating its earnings." You can read the report here: http://www.johnson.cornell.edu/parkercenter/docs/studentresearch/1998_spring/ene.pdf

Fallout

The long-term trials and implications of Enron's collapse are somewhat unclear, but there is considerable political fallout both in the U.S. and in the UK relating to the money Enron gave to political figures (around US$7 million since 1990). During Clinton's eight years in office, the company and Lay contributed about $900,000 to the Democratic Party. In 1999 and 2000, the company gave $362,000 in soft-money donations to Democrats. Since 1996, between 72% and 94% of yearly American contributions went to the Republican Party, including heavy contributions to George W. Bush's presidential campaign.

Fallout from the scandal quickly extended beyond Enron and all those formerly associated with it. The trial of Arthur Andersen LLP on charges of obstruction of justice related to Enron helped to expose accounting fraud at WorldCom. The subsequent bankruptcy of that telecommunications firm quickly set off a wave of other accounting scandals. This wave engulfed many companies, exposing high-level corruption, accounting errors, and insider trading. Though at the time of its collapse, Enron was the largest bankruptcy in history, this has been eclipsed by the collapse of WorldCom.

Former Enron CFO Andrew Fastow, the mastermind behind Enron's complex network of offshore partnerships and questionable accounting practices, was indicted on November 1, 2002, by a federal grand jury in Houston on 78 counts including fraud, money laundering, and conspiracy. He and his wife Lea Fastow, former assistant treasurer, accepted a plea agreement on January 14, 2004. Andrew Fastow will serve a ten-year prison sentence and forfeit US $23.8 million, while Lea Fastow will serve a five-month prison sentence and a year of supervised release, including five months of house arrest; in return, both will provide testimony against other Enron corporate officers.

Ben Glisan Jr., a former Enron treasurer, was the first man to be sent to prison in the Enron scandal. He pleaded guilty to one count of conspiracy to commit security and wire fraud. John Forney, a former energy trader who invented various strategies such as the "Death Star," was

8-42

indicted in December 2002, on 11 counts of conspiracy and wire fraud. His trial was scheduled for October 12, 2004. His supervisors, Timothy Belden and Jeffrey Richter, have both pled guilty to conspiring to commit wire fraud and currently are aiding prosecutors in investigating this scandal.

Jeffrey Skilling was arrested on February 11, 2004, by the FBI. Kenneth Lay was indicted by a federal grand jury on July 7, 2004 for his involvement in the scandal. He pleaded not guilty on July 9.

On May 25, 2006, the jury in the Lay and Skilling trial returned its verdicts. Skilling was convicted of 19 of 28 counts of securities fraud and wire fraud and acquitted on the remaining nine, including charges of insider trading. He was sentenced to 24 years, 4 months in prison. Lay was convicted of all six counts of securities and wire fraud for which he had been tried, and he [86] faced a total sentence of up to 45 years in prison. Lay died on July 5, 2006, before sentencing was scheduled. On July 12, 2006, a potential Enron witness scheduled to be extradicted to the US, Neil Coulbeck, was found dead in a park in north-east London.[1] The US case alleges that Coulbeck and others conspired with former Enron CFO Andrew Fastow.[2] All told, sixteen people pleaded guilty for crimes committed at the company, and five others, including four former Merrill Lynch employees, were found guilty at trial. Eight former Enron executives [87] testified, the star witness being Fastow, against Lay and Skilling, his former bosses. Another was Kenneth Rice, the former chief of Enron Corp.'s high-speed Internet unit, who cooperated and whose testimony helped convict Skilling and Lay. In June 2007, he received a 27 month [88] sentence.

Pensions

Thousands of Enron employees and investors lost all their savings, children's college funds, and pensions when Enron collapsed. A lawsuit on the behalf of a group of Enron's shareholders has been filed against Enron executives and directors. This lawsuit accuses twenty-nine of these executives and directors of insider trading and misleading the public. Because the 401(k) plan is a defined contribution plan, there was no PBGC insurance and employees lost the money they invested in Enron stock. They could only sue those considered a fiduciary for breach of their duty of care based on ERISA Section 404. The Pension Benefit Guaranty Corporation is attempting to cover some and possibly all of this.

Arthur Andersen

On June 15, 2002, Arthur Andersen was convicted of obstruction of justice for shredding documents related to its audit of Enron. Since the U.S. Securities and Exchange Commission does not allow convicted felons to audit public companies, the firm agreed to surrender its licenses and its right to practice before the SEC on August 31. On May 31, 2005, the Supreme Court of the United States unanimously overturned Andersen's conviction due to flaws in the jury instructions. Despite this ruling, it is highly unlikely Andersen will ever return as a viable business. The firm lost nearly all of its clients when it was indicted, and there are over 100 civil suits pending against the firm related to its audits of Enron and other companies. It began

8-43

winding down its American operations after the indictment. From a high of 28,000 employees in the U.S. and 85,000 worldwide, the firm is now down to around 200 based primarily in Chicago. Most of their attention is on handling the lawsuits.

Andersen was one of the "Big Five" large international accounting firms. Its demise left only four big international accounting firms (the Big Four accounting firms as now called). This concentration of the industry is still causing difficulty for large corporations that need to use more than one accounting firm for auditing and non-auditing services. In addition, the pricing of accounting services is less elastic as large corporations feel that they must use a Big Four firm.

Societal and legal impacts

Enron's collapse also contributed to the creation of the U.S. Sarbanes-Oxley Act (SOX), signed into law on July 30, 2002. It is considered the most significant change to federal securities laws since FDR's New Deal in the 1930s. Other countries have also adopted new corporate governance legislations. This law provides stronger penalties for fraud and, among other things, requires public companies to avoid making loans to management, to report more information to the public, to maintain stronger independence from their auditors, and most controversially, to report on and have audited, their financial internal control procedures. However, certain provisions in the legislation are currently under review in Congress.

Securities law historian Joel S. Seligman was quoted in The Washington Post saying, "[t]his was the most important corporate scandal of our lifetimes. It was one of the immediate causes of the Sarbanes-Oxley Act, the governance reforms of the New York Stock Exchange and NASD, and the most consequential reorientation of corporate behavior in living memory." [3] In California, widespread public anger over the power crisis and its financial impact on the state were a major factor contributing to the recall of Governor Gray Davis and the election of Arnold Schwarzenegger.

Class action lawsuit

On April 8, 2002, Lerach Coughlin Stoia Geller Rudman & Robbins, LLP attorneys led by William Lerach filed a consolidated class action lawsuit against Enron Corp. in the U.S. District Court in Houston. On behalf of its clients, Lerach Coughlin seeks relief for purchasers of Enron publicly traded equity and debt securities between October 19, 1998 and November 27, 2001. Lerach Coughlin attorneys moved swiftly to freeze over $1.1 billion in illicit insider trading proceeds. Lerach Coughlin attorneys and investigators interviewed more than 100 witnesses concerning the numerous organizations within Enron, including over 3,000 related entities and partnerships. Lerach Coughlin attorneys sought expedited discovery from both Enron and Enron's auditor, Andersen. Just 24 hours after Andersen revealed it destroyed an untold number of relevant documents concerning the Enron fraud, the attorneys went back to court seeking to preserve all evidence. Lerach Coughlin attorneys' factual investigation also uncovered Enron's extensive document destruction at its Houston headquarters.

8-44

The U.S. District Court in Houston has denied a number of motions to dismiss the litigation. The parties are currently engaged in discovery and motion practice; depositions began in the summer of 2004.

Lead Plaintiff, The U.C. Regents, has reached settlements with Lehman Brothers, Bank of America, the Outside Directors, Citigroup, JP Morgan Chase and CIBC totaling over $7 billion for investors. Those settlements are subject to approval by the Court.

Trials

. Arthur Andersen LLP v. United States . Enron Broadband trial . The NatWest Three - three former UK NatWest bankers, recently extradited to the United States in a case that has generated considerable controversy about UK/US laws. . Lay and Skilling trial . Regents of the University of California v. Credit Suisse First Boston (USA), Inc. . Nigerian barge trial

Trivia

. The baseball stadium Enron Field in Houston, Texas, named after the company, was opened on April 7, 2000, at game where Kenneth Lay threw out the first pitch. That game was attended by George W. Bush, who was then governor of Texas. The field was renamed to Astros Field after the collapse of Enron, to avoid negative publicity, with the Houston Astros having to pay Enron $5 million to get out of the deal. The park's name was later changed to Minute Maid Park. . Enron's iconic Houston headquarters, a 50-story oval glass tower at 1400 Smith Street[4], was sold for $55.5 million, far below its $93 million local tax valuation. The current sellers had bought the property for $285 million in the 1990s.[5] Enron relocated to 4 Houston Center.[6][7][8] . In 2002 the book , written by Brian Cruver, is released as the first insider account of events surrounding Enron's collapse. The book and Cruver's experience were turned into the CBS television movie The Crooked E: The Unshredded Truth About Enron, starring Brian Dennehy. In 2007, The Wall Street Journal listed the book as one of the five best books about life on Wall Street, along with The Predators Ball, Liar's Poker, Bonfire of the Vanities, and Barbarians at the Gate.[9][10][11] . The 2003 non-fiction book Enron: The Smartest Guys in the Room, written by Bethany McLean and Peter Elkind, was a bestseller. The book was turned into a film that was nominated for the 2005 Academy Award for Documentary Feature.[12] [13] . As a result of their investigation the FERC made a large portion of Enron's email database available to the public. This database comprises roughly 500,000 email messages and has become a standard dataset in email research.[14] [89] . Playboy devoted photo spreads to the women of Enron, and released a movie with the [90] name Playboy: Women of Enron (2002). . Following the collapse of Enron many ex-

8-45

Enron employee bloggers (such as Thomas Duff and Ted Barlow) commentated on the ongoing scandal even while looking for new positions. . There is an untitled film about the fall of Enron that is being developed as a starring vehicle for Leonardo DiCaprio, who will produce the film through his production company, Appian Way. It's been stated that DiCaprio will not play one of the Enron executives, but a company accountant who exposes the company's financial mismanagement. The film may be based on Kurt Eichenwald's book .[15]

See also

. Timeline of the Enron scandal Enron companies . EnronOnline . . Dabhol Power Company . Enron International . LJM

Enron fallout . Arthur Andersen LLP v. United States . California electricity crisis . Conspiracy of Fools

. The Enron Three . J. Clifford Baxter, Enron executive . Enron: The Smartest Guys in the Room

Corporation-related . Definition of "Cook the books" from Wiktionary . Corporate abuse . Corporate crime . Corporate governance . Creative accounting . Mark to market . Vitality curve - Management construct, where the least performing 10% are fired each year. . List of corporate executives charged with crimes . List of notable business failures

Notes 1 ^ "Once-mighty Enron strains under scrutiny." The New York Times (Oct 28, 2001 pBU1(N) pBU1(L) col 2 (25 col): BU1(L). 2 ^ Gerth, Jeff, Marko, and Richard A. Oppel Jr. "Regulators struggle with a marketplace created by Enron.(Statistical Data Included)." The New York Times (Nov 10, 2001 pC1(N) pC1(L) col 2 (40 col): C1(L). 3 ^ Gerth, Jeff, and Richard A. Oppel Jr. "Regulators struggle with a marketplace created by Enron.(Statistical Data Included)." The New York Times (Nov 10, 2001 pC1(N) pC1(L) col 2 (40 col): C1(L).

8-46

4 ^ Banerjee, Neela. "Surest steps, not the swiftest, are propelling Dynegy past Enron." The New York Times (Nov 9, 2001 pC5(N) pC5(L) col 1 (14 col): C5(L). 5 ^ "Enron net rose 40% in quarter." The New York Times (July 13, 2001 pC12(L) col 4 (6 col): C12(L). 6 ^ "Enron net rose 40% in quarter." The New York Times (July 13, 2001 pC12(L) col 4 (6 col): C12(L). 7 ^ Oppel, Richard A., Jr, and Alex Berenson. "Enron's chief executive quits after only 6 months in job.(Jeffrey Skilling)." The New York Times (August 15, 2001 s0 pC1(N) pC1(L) col 2 (25 col): C1(L) 8 ^ Oppel, Richard A., Jr, and Alex Berenson. "Enron's chief executive quits after only 6 months in job.(Jeffrey Skilling)." The New York Times (August 15, 2001 s0 pC1(N) pC1(L) col 2 (25 col): C1(L)

9 ^ Oppel, Richard A., Jr, and Alex Berenson. "Enron's chief executive quits after only 6 months in job.(Jeffrey Skilling)." The New York Times (August 15, 2001 s0 pC1(N) pC1(L) col 2 (25 col): C1(L) 10 ^ Krugman, Paul. "Enron goes overboard.(Jeffrey Skilling leaves Enron to Kenneth Lay who plans to transform the company)(Column)." The New York Times (August 17, 2001 pA21(N) pA19(L) col 6 (18 col): A19(L). 11 ^ Krugman, Paul. "Enron goes overboard.(Jeffrey Skilling leaves Enron to Kenneth Lay who plans to transform the company)(Column)." The New York Times (August 17, 2001 pA21(N) pA19(L) col 6 (18 col): A19(L). 12 ^ Lay, Ken. "Defending free markets.(response to August 17, 2001 article)(Letter to the Editor)." The New York Times (August 22, 2001 pA22(N) pA18(L) col 4 (4 col): A18(L). 13 ^ Berenson, Alex. "A self-inflicted wound aggravates angst over Enron.(Statistical Data Included)." The New York Times (Sept 9, 2001 pBU1(N) pBU1(L) col 1 (15 col): BU1(L). 14 ^ Berenson, Alex. "A self-inflicted wound aggravates angst over Enron.(Statistical Data Included)." The New York Times (Sept 9, 2001 pBU1(N) pBU1(L) col 1 (15 col): BU1(L). 15 ^ Oppel, Richard A., Jr. "Two are promoted as Enron seeks executive stability." The New York Times (August 29, 2001 pC2(N) pC2(L) col 1 (35 col): C2(L). 16 ^ Oppel, Richard A., Jr. "Two are promoted as Enron seeks executive stability." The New York Times (August 29, 2001 pC2(N) pC2(L) col 1 (35 col): C2(L). 17 ^ Oppel, Richard A., Jr. "Two are promoted as Enron seeks executive stability." The New York Times (August 29, 2001 pC2(N) pC2(L) col 1 (35 col): C2(L). 18 ^ Berenson, Alex. "A self-inflicted wound aggravates angst over Enron.(Statistical Data Included)." The New York Times (Sept 9, 2001 pBU1(N) pBU1(L) col 1 (15 col): BU1(L). 19 ^ Berenson, Alex. "A self-inflicted wound aggravates angst over Enron.(Statistical Data Included)." The New York Times (Sept 9, 2001 pBU1(N) pBU1(L) col 1 (15 col): BU1(L). 20. ^ "Enron reaches a deal to sell Oregon utility for $1.9 billion.(Portland General Electric to Northwest Natural Gas)." The New York Times (Oct 6, 2001 pC4(N) pC4(L) col 5 (8 col): C4(L). 20 ^ Gilpin, Kenneth N. "Enron reports $1 billion in charges and a loss." The New York Times (Oct 17, 2001 pC5(N) pC5(L) col 1 (13 col): C5(L).

8-47

21 ^ Norris, Floyd. "Enron tries to dismiss finance doubts.(chief brushes off conflict-or-interest doubts)". The New York Times (Oct 24, 2001 pC1(N) pC1(L) col 5 (25 col): C1(L). 22 ^ Gilpin, Kenneth N. "Enron reports $1 billion in charges and a loss". The New York Times (Oct 17, 2001 pC5(N) pC5(L) col 1 (13 col): C5(L). 23 ^ Gilpin, Kenneth N. "Enron reports $1 billion in charges and a loss." The New York Times (Oct 17, 2001 pC5(N) pC5(L) col 1 (13 col): C5(L). 24 ^ Norris, Floyd. "Where did the value go at Enron. (sharp drop in stock price)." The New York Times (Oct 23, 2001 pC1(N) pC1(L) col 5 (25 col): C1(L). 25 ^ Norris, Floyd. "Where did the value go at Enron. (sharp drop in stock price)." The New York Times (Oct 23, 2001 pC1(N) pC1(L) col 5 (25 col): C1(L). 26 ^ Norris, Floyd. "Where did the value go at Enron. (sharp drop in stock price)." The New York Times (Oct 23, 2001 pC1(N) pC1(L) col 5 (25 col): C1(L). 27 ^ Norris, Floyd. "Where did the value go at Enron. (sharp drop in stock price)." The New York Times (Oct 23, 2001 pC1(N) pC1(L) col 5 (25 col): C1(L). 28 ^ Norris, Floyd. "Enron tries to dismiss finance doubts.(chief brushes off conflict-or-interest doubts)." The New York Times (Oct 24, 2001 pC1(N) pC1(L) col 5 (25 col): C1(L). 29 ^ Norris, Floyd. "Enron tries to dismiss finance doubts.(chief brushes off conflict-or-interest doubts)." The New York Times (Oct 24, 2001 pC1(N) pC1(L) col 5 (25 col): C1(L). 30 ^ Norris, Floyd. "Enron tries to dismiss finance doubts.(chief brushes off conflict-or-interest doubts)." The New York Times (Oct 24, 2001 pC1(N) pC1(L) col 5 (25 col): C1(L). 31 ^ Norris, Floyd. "Enron ousts finance chief as S.E.C. looks at dealings." The New York Times (Oct 25, 2001 pC2(N) pC2(L) col 5 (30 col): C2(L). 32 ^ Norris, Floyd. "Enron ousts finance chief as S.E.C. looks at dealings." The New York Times (Oct 25, 2001 pC2(N) pC2(L) col 5 (30 col): C2(L). 33 ^ Norris, Floyd. "Enron taps all its credit lines to buy back $3.3 billion of debt." The New York Times (Oct 27, 2001 pC2(N) pC2(L) col 5 (7 col): C2(L). 34 ^ Norris, Floyd. "Plumbing mystery of deals by Enron. (questions and answers).(Interview)." The New York Times (Oct 28, 2001 pBU13(N) pBU13(L) col 6 (18 col): BU13(L). 35 ^ Berenson, Alex, and Richard A. Oppel Jr. "Once-mighty Enron strains under scrutiny." The New York Times (Oct 28, 2001 pBU1(N) pBU1(L) col 2 (25 col): BU1(L). 36 ^ Berenson, Alex, and Richard A. Oppel Jr. "Once-mighty Enron strains under scrutiny." The New York Times (Oct 28, 2001 pBU1(N) pBU1(L) col 2 (25 col): BU1(L). 37 ^ Berenson, Alex, and Richard A. Oppel Jr. "Once-mighty Enron strains under scrutiny." The New York Times (Oct 28, 2001 pBU1(N) pBU1(L) col 2 (25 col): BU1(L). 38 ^ Berenson, Alex, and Richard A. Oppel Jr. "Once-mighty Enron strains under scrutiny." The New York Times (Oct 28, 2001 pBU1(N) pBU1(L) col 2 (25 col): BU1(L). 39 ^ Berenson, Alex, and Richard A. Oppel Jr. "Once-mighty Enron strains under scrutiny." The New York Times (Oct 28, 2001 pBU1(N) pBU1(L) col 2 (25 col): BU1(L). 40 ^ Oppel, Richard A., Jr. "Enron seeks additional financing.($1 to $2 billion)(National Pages)." The New York Times (Oct 29, 2001 pA8(N) pA9(L) col 6 (15 col): A9(L).

8-48

41 ^ "Enron credit rating is cut, and its share price suffers; concern increases on borrowing capacity.(Moody's Investors Service lowers credit rating)." The New York Times (Oct 30, 2001 pC2(N) pC2(L) col 5 (10 col): C2(L). 42 ^ Berenson, Alex. "S.E.C. opens investigation into Enron; a company fails to explain dealings." The New York Times (Nov 1, 2001 pC4(N) pC4(L) col 6 (13 col): C4(L). 43 ^ "The rise and fall of Enron.(Editorial)." The New York Times (Nov 2, 2001 pA20(N) pA24(L) col 1 (12 col): A24 (L). 44 ^ Oppel, Richard A., Jr. "Enron's shares fall and debt rating is cut." The New York Times (Nov 2, 2001 pC11(N) pC11(L) col 1 (16 col): C11(L). 45 ^ Oppel, Richard A., Jr, and Andrew Ross Sorkin. "Enron looks for investors, but finds them skittish; concern grows on energy trader's future." The New York Times (Nov 7, 2001 pC2(N) pC2(L) col 5 (20 col): C2(L). 46 ^ Oppel, Richard A., Jr, and Andrew Ross Sorkin. "Enron looks for investors, but finds them skittish; concern grows on energy trader's future." The New York Times (Nov 7, 2001 pC2(N) pC2(L) col 5 (20 col): C2(L). 47 ^ Oppel, Richard A., Jr, and Andrew Ross Sorkin. "Enron looks for investors, but finds them skittish; concern grows on energy trader's future." The New York Times (Nov 7, 2001 pC2(N) pC2(L) col 5 (20 col): C2(L). 49. ^ Oppel, Richard A., Jr, and Andrew Ross Sorkin. "Enron looks for investors, but finds them skittish; concern grows on energy trader's future." The New York Times (Nov 7, 2001 pC2(N) pC2(L) col 5 (20 col): C2(L). 48 ^ Oppel, Richard A., Jr, and Andrew Ross Sorkin. "Dynegy is said to be near to acquiring Enron for $8 billion." The New York Times (Nov 8, 2001 s0 pC1(N) pC1(L) col 2 (25 col): C1(L). 49 ^ Oppel, Richard A., Jr, and Andrew Ross Sorkin. "Dynegy is said to be near to acquiring Enron for $8 billion." The New York Times (Nov 8, 2001 s0 pC1(N) pC1(L) col 2 (25 col): C1(L). 50 ^ Berenson, Alex, and Andrew Ross Sorkin. "Rival to buy enron, top energy trader, after financial fall.(Dynegy) (Statistical Data Included)." The New York Times (Nov 10, 2001 pA1(N) pA1(L) col 2 (50 col): A1(L). 51 ^ Banerjee, Neela. "Surest steps, not the swiftest, are propelling Dynegy past Enron." The New York Times (Nov 9, 2001 pC5(N) pC5(L) col 1 (14 col): C5(L). 52 ^ Norris, Floyd. "Does Enron trust its new numbers? It doesn't act like it.(Statistical Data Included)." The New York Times (Nov 9, 2001 pC1(N) pC1(L) col 2 (10 col): C1(L). 53 ^ Oppel, Richard A., Jr, and Andrew Ross Sorkin. "Enron admits to overstating profits by about $600 million.(over last 5 years)." The New York Times (Nov 9, 2001 pC1(N) pC1(L) col 2 (35 col): C1(L). 54 ^ Berenson, Alex, and Richard A. Oppel Jr. "Dynegy's rushed gamble on Enron carries some big risks." The New York Times (Nov 12, 2001 pC1(N) pC1(L) col 2 (35 col): C1(L). 55 ^ Oppel, Richard A., Jr, and Andrew Ross Sorkin. "Enron admits to overstating profits by about $600 million.(over last 5 years)." The New York Times (Nov 9, 2001 pC1(N) pC1(L) col 2 (35 col): C1(L). 56 ^ Oppel, Richard A., Jr, and Andrew Ross Sorkin. "Enron admits to overstating profits by about $600 million.(over last 5 years)." The New York Times (Nov 9, 2001 pC1(N) pC1(L) col 2 (35 col): C1(L). 57 ^ Berenson, Alex, and Andrew Ross Sorkin. "Rival to buy enron, top energy trader, after financial fall.(Dynegy) (Statistical Data Included)." The New York Times (Nov 10, 2001 pA1(N) pA1(L) col 2 (50 col): A1(L).

8-49

58 ^ Berenson, Alex, and Richard A. Oppel Jr. "Dynegy's rushed gamble on Enron carries some big risks." The New York Times (Nov 12, 2001 pC1(N) pC1(L) col 2 (35 col): C1(L). 59 ^ Berenson, Alex, and Richard A. Oppel Jr. "Dynegy's rushed gamble on Enron carries some big risks." The New York Times (Nov 12, 2001 pC1(N) pC1(L) col 2 (35 col): C1(L). 60 ^ Berenson, Alex. "Suitor for Enron receives approval from Wall St.(Dynegy Inc.)." The New York Times (Nov 13, 2001 pC11(N) pC13(L) col 1 (10 col): C13(L). 61 ^ Berenson, Alex, and Richard A. Oppel Jr. "Dynegy's rushed gamble on Enron carries some big risks." The New York Times (Nov 12, 2001 pC1(N) pC1(L) col 2 (35 col): C1(L). 62 ^ Norris, Floyd. "Gas pipeline is prominent as Dynegy seeks Enron." The New York Times (Nov 13, 2001 s0 pC1(N) pC1(L) col 5 (25 col): C1(L). 63 ^ Berenson, Alex. "Suitor for Enron receives approval from Wall St.(Dynegy Inc.)." The New York Times (Nov 13, 2001 pC11(N) pC13(L) col 1 (10 col): C13(L). 64 ^ Berenson, Alex. "Suitor for Enron receives approval from Wall St.(Dynegy Inc.)." The New York Times (Nov 13, 2001 pC11(N) pC13(L) col 1 (10 col): C13(L). 65 ^ Oppel, Richard A., Jr, and Floyd Norris. "Enron chief will give up severance.(Kenneth L. Lay to give up $60.6 million in severance to show he will not profit from merger with Dynegy Inc.)." The New York Times (Nov 14, 2001 pC1(N) pC1(L) col 5 (35 col): C1(L). 66 ^ Oppel, Richard A., Jr. "Employees' retirement plan is a victim as Enron tumbles." The New York Times (Nov 22, 2001 s0 pA1(N) pA1(L) col 2 (35 col): A1(L). 67 ^ Norris, Floyd. "Gas pipeline is prominent as Dynegy seeks Enron." The New York Times (Nov 13, 2001 s0 pC1(N) pC1(L) col 5 (25 col): C1(L). 70. ^ Norris, Floyd. "Did Ken Lay understand what was happening at Enron?." The New York Times (Nov 16, 2001 pC1 (N) pC1(L) col 2 (15 col): C1(L). New York Times and New York Post (2000-present). 68 ^ Oppel, Richard A., Jr. "Enron will sell some assets in hope of raising billions; shrinking to try to bolster shaky finances." The New York Times (Nov 15, 2001 pC3(N) pC3(L) col 5 (20 col): C3(L). 69 ^ Oppel, Richard A., Jr, and Floyd Norris. "In new filing, Enron reports debt squeeze.(belated third- quarter results filing with Securities and Exchange Commission)." The New York Times (Nov 20, 2001 pC1(N) pC1(L) col 2 (25 col): C1(L). 70 ^ Oppel, Richard A., Jr, and Floyd Norris. "In new filing, Enron reports debt squeeze.(belated third- quarter results filing with Securities and Exchange Commission)." The New York Times (Nov 20, 2001 pC1(N) pC1(L) col 2 (25 col): C1(L). 71 ^ Oppel, Richard A., Jr. "Enron's growing financial crisis raises doubts about merger deal." The New York Times (Nov 21, 2001 s0 pA1(N) pA1(L) col 1 (20 col): A1(L). 72 ^ Sorkin, Andrew Ross, and Riva D. Atlas. "Risks Too Great To Let Trader Just Die.(Business/Financial Desk)." The New York Times (Nov 22, 2001 pC1(L) col 02 (25 col): C1(L). 73 ^ Norris, Floyd. "From Sunbeam to Enron, Andersen's reputation suffers.(Arthur Andersen accounting firm) (Column)." The New York Times (Nov 23, 2001 pC1(N) pC1(L) col 2 (10 col): C1(L). 74 ^ Oppel, Richard A., Jr. "Trying to restore confidence in Enron to salvage a merger. (with Dynegy)." The New York Times (Nov 28, 2001 pC1(N) pC1(L) col 2 (25 col): C1(L). 75 ^ Oppel, Richard A., Jr. "Trying to restore confidence in Enron to salvage a merger. (with Dynegy)." The New York Times (Nov 28, 2001 pC1(N) pC1(L) col 2 (25 col): C1(L).

8-50

76 ^ "An implosion on Wall Street. (the collapse of Enron Corp.).(Editorial)." The New York Times (Nov 29, 2001 pA30(N) pA34(L) col 1 (11 col): A34(L). 77 ^ "Investors pull back as Enron drags down key indexes; doubts are raised about the strength of the recent rally.(Statistical Data Included)." The New York Times (Nov 29, 2001 pC8(N) pC10(L) col 1 (10 col): C10(L). 78 ^ Henriques, Diana B. "Market that deals in risks faces a novel one; a jolt to the freewheeling trading of energy contracts.(Enron's Collapse)(Statistical Data Included)." The New York Times (Nov 29, 2001 pC7(N) pC7(L) col 1 (20 col): C7(L). 79 ^ Glater, Jonathan D. "A bankruptcy filing might be the best remaining choice.(Enron's Collapse)(Statistical Data Included)." The New York Times (Nov 29, 2001 pC6(N) pC6(L) col 1 (20 col): C6(L). 80 ^ Lay and Skilling's day of reckoning. CNN. May 25, 2006. Last accessed November 22, 2006. 81 ^ The 15 Largest Bankruptcies 1980 - Present. BankruptcyData.com, Last accessed November 22, 2006. 82 ^ http://www.bloomberg.com/apps/news?pid=10000103&sid=aKHHN.3en36I&refer=us 83 ^ http://today.reuters.com/news/newsArticle.aspx?type=businessNews&storyID=2006-05- 25T180046Z_01_N25441446_RTRUKOC_0_US-ENRON-TRIAL.xml 84 ^ Shaheen Pasha; Jessica Seid. "Lay and Skilling's day of reckoning: Enron ex-CEO and founder convicted on fraud and conspiracy charges; sentencing slated for September", CNNMoney.com, May 25, 2006. 85 ^ John Porretto. "Ex-Enron broadband head sentenced", AP, June 18, 2007. 86 ^ Enron Workers Reveal More, CBS News, June 27, 2002. Last accessed January 2007. 87 ^ Playboy: Women of Enron, IMDb. Last accessed January 2007.

Further reading

. Mimi Swartz, Sherron Watkins (2004) Power Failure: The Inside Story of the Collapse of Enron, Currency, ISBN 076791368X

External links

. Forbes' list of corporate scandals . BBC overview and links to information on the Enron collapse

Retrieved from "http://en.wikipedia.org/wiki/Enron_scandal" Categories: All articles with unsourced statements | Articles with unsourced statements since April 2007 | Articles with trivia sections from December 2007 | Defunct media companies of the United States | Corporate crime | Corporate scandals

. This page was last modified 17:57, 8 January 2008. . All text is available under the terms of the GNU Free Documentation License. (See Copyrights for details.) Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc., a U.S. registered 501(c)(3) tax-deductible nonprofit charity.

8-51

MCI Inc.

From Wikipedia, the free encyclopedia44

MCI, Inc. was an American telecommunications company that was headquartered in Ashburn, Virginia. The corporation was the result of the merger of WorldCom (formerly known as LDDS followed by LDDS WorldCom) and MCI Communications, and used the name MCI WorldCom followed by WorldCom before taking its final name on April 14, 2003 as part of the corporation's emergence from bankruptcy. The company formerly traded on NASDAQ under the symbols "WCOM" (pre-bankruptcy) and "MCIP" (post-bankruptcy). The corporation was purchased by Verizon Communications with the deal closing on January 6, 2006, and is now identified as that company's Verizon Business division with the local residential divisions slowly integrated into local Verizon subsidiaries.

MCI's history, combined with the histories of companies it has acquired, echoes most of the trends that have swept American telecommunications in the past half-century: It was instrumental in pushing legal and regulatory changes that led to the breakup of the AT&T monopoly that dominated American telephony; its purchase by WorldCom and subsequent bankruptcy in the face of accounting scandals was symptomatic of the Internet excesses of the late 1990s. It accepted a proposed purchase by Verizon for US$7.6 billion. For a time, WorldCom (WCOM) was the United States' second largest long distance phone company (AT&T was the largest). WorldCom grew largely by acquiring other telecommunications companies, most notably MCI Communications. It also owned the Tier 1 ISP UUNET, a major part of the Internet backbone. It was based in Clinton, Mississippi before moving to Ashburn, Virginia.

Contents

44 Downloaded 12/07

8-52

History

Corporate founding

Long Distance Discount Services, Inc. (LDDS) began in Clinton, Mississippi in 1983. In 1985 LDDS selected Bernard Ebbers to be its CEO. The company went public in August 1989 when it merged with Advantage Companies Inc. The company name was changed to LDDS WorldCom in 1995, and later just WorldCom.

The company’s growth under WorldCom was fueled primarily through acquisitions during the 1990s and reached its apex with the acquisition of MCI in 1998. Among the companies that were bought or merged with WorldCom were Advanced Communications Corp. (1992), Metromedia Communication Corp.(1993), Reurgens Communications Group(1993), IDB Communications Group, Inc (1994), Williams Technology Group, Inc. (1995), and MFS Communications Company (1996). The acquisition of MFS included UUNet Technologies, Inc., which had been acquired by MFS shortly before the merger with WorldCom. In February 1998, a complex transaction saw WorldCom purchase online pioneer CompuServe from its parent company H&R Block. WorldCom then retained the CompuServe Network Services Division, sold its online service to America Online, and received AOL's network division, ANS. The acquisition of Digex (DIGX) in June 2001 was also complex; WorldCom acquired Digex's corporate parent, Intermedia Communications, and then sold all of Intermedia's non-Digex assets to Allegiance Telecom.

MCI acquisition

On November 10, 1997, WorldCom and MCI Communications announced their US$37 billion merger to form MCI WorldCom, making it the largest merger in US history. On September 15, 1998 the new company, MCI WorldCom, opened for business.

Sprint merger

On October 5, 1999 Sprint Corporation and MCI WorldCom announced a $129 billion merger agreement between the two companies. The deal would have been the largest corporate merger in history up to that time. The new company was to have been WorldCom and would have been the largest communications company in the United States. The merger would have put AT&T in the number two spot of the largest communications companies in the US for the first time in history. However the deal did not go through because of pressure from the US Department of Justice and the EU on concerns of it creating a monopoly. On July 13, 2000, the Board of Directors of both companies acted to terminate the merger. Later, in 2000, MCI WorldCom renamed itself 'WorldCom' without Sprint being part of the company.

Accounting scandals

Bernard Ebbers became very wealthy from the rising price of his holdings in WorldCom’s stock.[1] However, shortly after the MCI acquisition in 1998, the telecommunications industry

8-53

entered a downturn and WorldCom’s growth strategy suffered a serious blow when it was forced to abandon its proposed merger with Sprint in late 2000. By that time, WorldCom’s stock was declining and Ebbers came under increasing pressure from banks to cover margin calls on his WorldCom stock that was used to finance his other businesses (timber and yachting, among others).[2] During 2001, Ebbers persuaded WorldCom’s board of directors to provide him corporate loans and guarantees in excess of $400 million to cover his margin calls,.[3] but this strategy ultimately failed and Ebbers was ousted as CEO in April 2002 and replaced by John Sidgmore, former executive of UUNet Technologies, Inc.

Beginning in 1999 and continuing through May 2002, the company (under the direction of Scott Sullivan (CFO), David Myers (Controller) and Buford “Buddy” Yates (Director of General Accounting) used fraudulent accounting methods to mask its declining financial condition by painting a false picture of financial growth and profitability to prop up the price of WorldCom’s stock.[4]

The fraud was accomplished primarily in two ways:

1 Underreporting ‘line costs’ (interconnection expenses with other telecommunication companies) by capitalizing these costs on the balance sheet rather than properly expensing them. 2 Inflating revenues with bogus accounting entries from ‘corporate unallocated revenue accounts’.

WorldCom’s internal audit department uncovered approximately $3.8 billion of the fraud in June 2002 during a routine examination of capital expenditures and alerted the company’s new auditors, KPMG (who had replaced Arthur Andersen, WorldCom’s external auditors during the fraud). Shortly thereafter, the company’s audit committee and board of directors were notified of the fraud and acted swiftly: Sullivan was fired, Myers resigned, Arthur Andersen withdrew its audit opinion for 2001, and the U.S. Securities and Exchange Commission (SEC) launched an investigation into these matters on June 26, 2002 (see accounting scandals). By the end of 2003, it was estimated that the company's total assets had been inflated by around $11 billion. [5]

Bankruptcy

On July 21, 2002, WorldCom filed for Chapter 11 bankruptcy protection in the largest such filing in United States history. WorldCom changed its name to MCI, and moved the corporate headquarters from Clinton, Mississippi to Dulles, Virginia, on April 14, 2003. Under the bankruptcy reorganization agreement, the company paid $750 million to the SEC in cash and stock in the new MCI, which was intended to be paid to wronged investors. In May 2003, the company was given a no-bid contract by the United States Department of Defense to build a cellular telephone network in Iraq. The deal has been criticized by competitors and others who cite the company's lack of experience in the area.

8-54

Post-bankruptcy

The company emerged from Chapter 11 bankruptcy in 2004 with about $5.7 billion in debt and $6 billion in cash. About half of the cash was intended to pay various claims and settlements. Previous bondholders ended up being paid 35.7 cents on the dollar, in bonds and stock in the new MCI company. The previous stockholders' stock was valueless.

It has yet to pay many of its creditors, who have waited for two years for a portion of the money owed. Many of the small creditors include former employees, primarily those who were laid off in June 2002 and whose severance and benefits were withheld when WCOM filed for bankruptcy.

On August 7, 2002, the exWorldCom 5100 group was launched. It was composed from former WorldCom employees with a common goal of seeking full payment of severance pay and benefits based on the WorldCom Severance Plan. The '5100' stands for the number of WorldCom employees laid off on June 28, 2002 before WorldCom filed for bankruptcy.[6] On February 14, 2005, Verizon Communications agreed to acquire MCI for $7.6 billion.

On March 15, 2005 Bernard Ebbers was found guilty of all charges and convicted of fraud, conspiracy and filing false documents with regulators — all related to the $11 billion accounting scandal at the telecommunications company he founded. He was sentenced to 25 years in prison. Other former WorldCom officials charged with criminal penalties in relation to the company's financial misstatements include former CFO Scott Sullivan (entered a guilty plea on March 2, 2004 to one count each of securities fraud, conspiracy to commit securities fraud, and filing false statements [7]), former controller David Myers (pleaded guilty to securities fraud, conspiracy to commit securities fraud, and filing false statements on September 27, 2002 [8]), former accounting director Buford Yates (pleaded guilty to conspiracy and fraud charges on October 7, 2002 [9]), and former accounting managers Betty Vinson and Troy Normand (both pleading guilty to conspiracy and securities fraud on October 10, 2002 [10]).

On July 13, 2005 Bernard Ebbers received a sentence that would keep him in prison for 25 years. At time of sentencing, Ebbers was 63 years old. On September 26, 2006, Ebbers self-surrendered to the Bureau of Prisons facility at Oakdale, Louisiana, the Oakdale Federal Corrections Institution ("Oakdale FCI") to begin serving his sentence. This prison facility is 35 miles south of Alexandria, LA, and 58 miles north of Lake Charles, LA. His projected release date is July 4, 2028.

In March 2005, 16 of WorldCom's 17 former underwriters reached settlements with the investors ([11]). Citigroup settled for $2.65 billion on May 10, 2004 ([12]). In December 2005, Microsoft announced that MCI will join them by providing Windows Live Messenger customers voip service to make calls around the world. This was MCI's last totally new product called "MCI Web Calling". After the merge, this product was renamed "Verizon Web Calling".

See also

. Corporate abuse

8-55

. Corporate governance References . Lynne W. Jeter (2003). Disconnected: Deceit and Betrayal at WorldCom. Wiley. ISBN 0-471- 42997-X. . Om Malik (2003). Broadbandits. Wiley. ISBN 0-471-43405-1. . First Interim Report of Dick Thornburgh, Bankruptcy Court Examiner, United States Bankruptcy Court for the Southern District of New York, In re WorldCom, Inc., Case No. 02-15533 (AJG) (November 4, 2002)

Citations

Report of Investigation by The Special Investigative Committee of the Board of Directors of WorldCom, Inc.. SEC. Retrieved on 2008-01-04.

External links

. Verizon Business corporate website . MCI website, mostly redirects to Verizon

Credit risk . Moody's KMV Default Case Studies

Third party

. MCI Investor Starts Petition - Denver Business Journal / mcipetition.com . WorldCom Securities Litigation - Official WorldCom class action suit / settlement update site . HavenWorks' WorldCom News . Forbes article on WorldCom scandal . BBC News - WorldCom files for bankruptcy . Analyst Coached WorldCom Chief on His Script, The New York Times, February 27, 2003 . CFO Magazine, April 21, 2004, "MCI Emerges from Bankruptcy" . cnn.com 07-13-2005 "Ebbers gets 25 years" . Largest US Corporate Bankruptcies (1980-present) . Cybertelecom :: MCI / WCOM Regulatory History . Qwest Withdraws from Bidding - Denver Business Journal / MCIpetition.com

Retrieved from "http://en.wikipedia.org/wiki/MCI_Inc." Categories: Companies established in 1983 | 2006 disestablishments | Corporate scandals | Defunct telecommunications companies of the United States | Verizon | Corporate crime.

This page was last modified 17:54, 8 January 2008. . All text is available under the terms of the GNU Free Documentation License. (See Copyrights for details.)

8-56

Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc., a U.S. registered 501(c)(3) tax-deductible nonprofit charity.

8-57

Chapter Nine - Testing Controls

Summary

The purpose of this chapter is to walk you through the process auditors might use to test controls. There are many alternative approaches to testing controls. This chapter presents one approach that highlights the core goals of control testing and the major issues that auditors face. After completing this chapter, students should be able to:

Describe the concept of key controls and identify a possible set of key controls for a simplified audit case. Describe the steps auditors use to test controls. Within each testing step, describe the key issues and concepts, and apply them to a simplified audit case such that you can plan, execute, and interpret a test of a given control. Differentiate between statistical and non-statistical sampling techniques and describe the strengths and weaknesses of each approach.

Overview of Testing Process

Timing of Testing

Chapter 8 covered the basic concepts behind how auditees design and implement internal controls. This chapter builds on those concepts and covers how auditors evaluate the effectiveness of the auditee's internal controls and assess control risk. In terms of the audit process presented in Chapter 3, Chapter 8 ended with the "Assess Control System Design" step. Once auditors have completed this step, they should have developed a preliminary assessment of control risk based on the design of the auditee's controls. To finalize that assessment, they need to test the auditee's controls to determine if they are working as designed.

What the diagram doesn't cover is where we are in the auditee's financial reporting cycle. Auditors normally reach this point in the audit process during the auditee's fiscal year and do not wait until the auditee's financial statements have been prepared. Auditors also execute some of both their tests of controls and tests of balances before the auditee has closed their books for the year. Auditors need to perform many of the audit steps prior to when the auditee has closed their books to shorten the time it takes to complete the audit after the auditee has closed their books. They also need to spread the audit work out over the year to even out the workload and to avoid too much overtime for their staff.

9-1

Finally, as the diagram illustrates the audit process branches at this point, some control testing, and some balance testing45 goes on simultaneously. This may seem a bit strange given the description of how auditors use the audit risk model. That is, the audit risk model implies that auditors don't determine the extent of their tests of balances, which are designed to address detection risk, until they have finalized their assessment of control risk so that they know how much detection risk they need to address. However, this is impractical for reasons I will discuss next.

Dual Tests

The audit process branches at the point of testing for two reasons. First, some tests that auditors use are dual tests. A dual test is a test that tests the effectiveness of a control at the same time it tests an account balance. For example, auditors could pull a sample of purchase invoices to determine if those invoices had been properly processed, which would be a test of controls. While the auditor was reviewing the invoices to determine if they were properly processed, (s)he also could trace the balance from the invoice into the purchases journal to insure that the amount of the invoice had been included the accounts payable balance.

The second reason that the audit process branches at this point is to shorten it. If an audit team can carry out control tests and balance tests at the same time, they can shorten the overall time it takes to complete the audit. Since Sarbanes-Oxley also shortened the time firms have to report their annual results to the SEC and since the annual results must be audited before they can be submitted to the SEC, auditors are under increased pressure to complete audits rapidly. If auditors waited until the auditee had completed closing their books for the year before they started testing the auditee's balances, they would have a difficult time completing the audit rapidly and might hold up the auditee's filing with the SEC. Since the auditor audits the auditee's ending balances, they should base their audit on the ending balances and then how controls work throughout the year. However, if they waited until after the auditee's year-end to begin testing controls, this delay would confound the auditor's ability to issue an audit report in time for the auditee to meet their filing deadline with the SEC.

Dual Goals of Testing

Before I begin a more detailed discussion of the control testing process, I need to point out that auditors have two, closely related goals when evaluating controls: setting control risk for the financial statement audit and determining whether the auditee's controls contain significant weaknesses.46 I have covered how the auditor uses an assessment of the firm's control risk within the audit risk model to determine detection risk in a previous chapter. An issue I have not

45 From this point on, I am going to refer to tests of balances to cover all tests that auditors use to determine directly if the auditee's account balances are accurate. The auditor literature also calls these tests tests of details, direct tests, or substantive tests. I use the term because I believe it clearly highlights that these tests are designed to test an account balance directly. 46 Auditors don't use the term "significant weakness" and I will define the terms they do use below. However, I believe the concept of "weakness" is a little easier for students to understand at this point.

9-2

discussed is the second goal I mentioned above - determination whether the auditee's controls contain a significant weakness. Sarbanes-Oxley requires that all financial statement audits include two additional reports by auditors: one that provides an opinion on management's self- assessment of their controls and one that provides the auditor's independent assessment of the auditee's controls. Both these reports address the presence, if any, of control weaknesses in the auditee's control system. I will discuss these two additional reports later in the chapter on reports. For now, just be aware of the auditor's two related goals in evaluating an auditee's internal controls. The goal of setting control risk requires not only that the auditor identify any weaknesses in the client's control system, but also that they link those weaknesses to account balances so that they can adjust their detection risk and balance tests. The new reports they need to make because of Sarbanes-Oxley only require that they identify the existence and extent of any weaknesses. Thus, while the two goals are tightly related, they lead to different reports.

Prior to the passage of Sarbanes-Oxley, auditors could make a determination at this point in the financial statement audit that the design of the auditee's controls was too weak to test; set control risk to 100%; and cover all their audit risk with tests of balances. In effect, they would assume the auditee had no controls and go from there. For developing a report on the auditee's financial statements, they can still do this. However, since now they have to develop the two reports on the auditee's controls and since developing these reports requires testing anyway, auditors now will include some assessment of control risk in determining their balance testing procedures. However, recall that Sarbanes-Oxley only applies to publicly traded companies. Thus, audits of private companies can still set control risk to 100% based on the design of the auditee's control system and execute an audit that only tests balances and not controls.

How Controls are Tested

After the auditor has a complete description and understanding of the auditee's internal controls, (s)he needs to determine which controls (s)he needs to test to achieve his/her target control risk. That is, auditors develop a preliminary control risk assessment based on their review of the design of the auditee's internal controls. This preliminary control risk assessment becomes the auditor's target control risk assessment because they use this preliminary control risk assessment to develop the direct tests they are going to apply to the account balances. Thus, they set design control tests to determine if their preliminary control risk assessment was accurate and, if not, they adjust their balance-testing plan accordingly.

This chapter talks about testing controls to determine if they are working as designed. By far the most common way to test a control is to determine whether the control has processed a group of transactions correctly. For information processing controls, this statement may seem obvious. Information processes initiate, capture, process, and summarize and report information about transactions. However, even many firm-level controls involve discreet events similar to transactions. For example, screening all applicants for criminal records would be a firm-level control. However, these screenings are done on an applicant-by-applicant basis and so the screening of one applicant would be a discreet event similar to a transaction.

9-3

My point is that most, but not all, controls process discrete events or transactions47 and auditors test the effectiveness of a control by testing how effectively that control has processed a group of transactions. The problem is that auditors rarely have the time and resources to test all the transactions that a control has processed. Therefore, the auditor must select a subset or sample of those transactions to test and then draw conclusions about the control's effectiveness based on that sample. Selecting a sample, rather than testing all the transactions, raises the possibility that the test results for the sample may not be representative of the control's actual effectiveness because the sample was not representative of all the transactions the control processes. If auditors use statistical sampling techniques, then they can quantify the risk that the sample results are not representative of all the transactions the control processed (i.e., the population). I will discuss statistical and non-statistical sampling techniques in detail below. At this point, I am just trying to provide you with context on the auditor's decision-making processes.

In addition to determining how may transactions to test, auditors also need to determine which controls to test. Most control systems contain redundant or overlapping controls that cover the same assertions about the same transaction. One reason for this redundancy is that auditees develop control systems independently of the auditor's goals. Auditees may have lower control risk thresholds than auditors do. They also may have goals other than just producing accurate financial statements. Therefore, auditors usually do not need to test all the controls in the auditee’s control system to reach their targeted control risk. Auditors call the controls they need to test as key controls.

The balance of this chapter will walk you through the control testing process. That process begins with identifying key controls; proceeds to determining which transactions to test; and then covers the execution and interpretation of the test results.

Identifying Key Controls

Auditors use their preliminary assessment of control risk, which they base on the design of the auditee's internal controls, to set a target level of risk they want their tests of controls to achieve. That is, they are using their preliminary control risk to begin direct testing and, therefore, they would like their final assessment of control risk to be close to their preliminary assessment of control risk so that they don't have to modify their direct testing strategy.

At this point in the process, auditors need to select which of the auditee's controls they need to test to reach their preliminary control risk assessment. Since they ultimately are testing account balances, which involves testing management's assertions about those balances, auditors develop their preliminary control risk assessment at the account and assertion level. They also do this because, as illustrated in our exercises from the prior chapter, different processes can create different risks for different accounts and assertions, and different controls can mitigate different amounts of risk for different accounts and assertions.

47 From this point on, I will use transaction to mean all forms of discreet events even though normally the term transaction is limited to describing discreet events that involve the exchange of economic resources. This distinction isn't important for testing controls.

9-4

The auditor's goal in selecting key controls is to find a set of controls to test that, if the controls are functioning properly, their existence will insure that the auditors preliminary control risk assessment is met. That is, the auditor to test a set of controls that by themselves, exclusive of any other controls in the auditee's system, could mitigate all assertion violation risks in the auditee's processes the auditor is evaluating.

Identify Information Processes

A typical information system contains multiple information processes and the nature of these processes can vary from firm to firm. Auditors decompose a firm's information processes into groups of processes that have common goals. Auditors refer to these groups as processes or cycles. I reviewed the revenue processes in Chapter 5. I have included a brief description of other key processes in Appendix 1. To focus on the tools auditors use to identify key controls, this chapter will focus on the revenue cycle.

Auditors refer to the groups of process as cycles because these processes normally form a sequential chain of events that begins with a transaction and ends with a financial statement line item. The major steps in most cycles are:

Initiating Transactions - Either firms or outside parties can initiate a transaction. The firm initiates transactions purchases and payments (including payroll) production and conversion, pay employees; and administration. Outsiders initiate sales transactions. The most important control involved in initiating transactions is authorization. Firms should establish policies and procedures that insure the firm does not engage in unauthorized transactions regardless of who initiates them. Capturing Transaction Information at the Boundary - Firms are single entities that have boundaries between the firm's internal activities and the outside world. The majority of the transactions in which a firm engages occur across that boundary with outsiders. You probably have heard the old adage "garbage in, garbage out." This applies to internal control. Firms need to insure that whenever they engage in a transaction, its information system captures all relevant information accurately (accuracy) about all those transactions (completeness) and that the system does not capture information about invalid transactions (validity). Controls over these boundary spanning transactions (boundary controls) are some of the most difficult to implement because the firm needs verify the information that is captured by the information system with sources outside the firm. Information Transformation Points - Once a firm's MIS48 captures information about a transaction, the MIS transforms that information in a variety of ways. Some examples of information transformations include calculations (e.g., pricing and extending an invoice), summations (e.g., totally the line items on an invoice), transfers (e.g., posting the sales journal to the general ledger), and classifications (e.g., posting a sale to a specific sales account or splitting an employee's wages to different jobs).

48 I will refer to a firm's information system from this point on as their MIS, which stands for management information system, to simplify things a bit.

9-5

Reporting - Once the MIS has transformed the information to some final state, firms combine different types of information into reports. The most basic of these is combining and organizing general ledger account balances into financial statements.

The auditor's first step in selecting key controls is to document the auditee's information processes within a cycle. Appendix 2 contains a diagram and some explanation of the revenue processes of a lumber yard. I will be using this example below to illustrate how auditors might select key controls.49 In the example, transactions are initiated at the bottom of the diagram. Information is transformed and new information added through several processes and, in the example, processing terminates in the general ledger account balances. The table following the diagram provides some explanation of the activities contained within each process.

In addition, the diagram shows the control procedures the auditee has implemented for each process. One feature of the diagram that may be hard to recognize is that the controls are listed next to each process for which they can mitigate some risk. The diagram lists the risks that any control can mitigate next to the control. Some controls are listed next to more than one process. This is not because the control is duplicated at multiple processes, but because the nature of the control's design allows a single control to mitigate risks that might arise from several processes. I will discuss this feature in more detail in the next section on a defining a control's coverage.

Once the auditor has documented the auditee's information processes and controls, (s)he needs to determine which assertions a process might violate (i.e., risk of error). This step is pretty simple because all information processes can inject all the three basic types of assertion violations or errors. Anytime information is captured or transformed in anyway, something can be missed or get lost (completeness violation); something invalid can be included or added (validity violation); or an amount can be entered incorrectly or changed (accuracy violation).

Determining a Control's Coverage

A more difficult task for auditors is determining which risks a control might mitigate and for which processes. For simplicity, and to mimic audit practice, I am going to avoid discussing how strong different controls are in any depth. Most auditors map controls to risks but do not go to the next level and make judgments as to how strong different controls might be in mitigating risks.50

49 There is no standard approach to selecting key controls, or even for defining key controls, in the audit literature and different audit firms use different methods. The approach I am teaching you actually is one that a couple of colleagues and I invented. I believe it is the most systematic and logical approach available. However, I also believe that it helps me identify the key issues in key control selection for students. The methods that most auditors use are more judgmental and ad hoc. 50 A colleague and I built an auditing decision aid in Access™ that allows auditors to enter the information represented in the diagram into the aid, along with an assessment of each control’s strength as well as testing costs, and the aid will select the best set of key controls. Testing costs are the estimated cost the auditor expects to incur in testing the control. "Best" means that the set of key controls will cover all possible risks in the cycle, but at the lowest testing cost. "Cover all

9-6

The following are some basic rules for determining which assertion-violation risks a control can mitigate. I will refer to this property of a control as its coverage.

Controls that reconcile information coming into a process to the information leaving the process can eliminate completeness, validity, and valuation errors. The same is true for reperformance controls since, to reperform an activity, you must have access to both input information and you are recreating the output information. That is, they can detect when something has been dropped or been added, or the value changed. This applies to controls at the boundary as well. However, boundary controls must have access to information outside the firm to eliminate these errors. Generally, authorization controls cannot ensure completeness, but can ensure validity and accuracy depending on the information available to the person authorizing the transaction. Analytical procedures and error and exception reports generally can detect all three types of assertion violations. However, analytical procedures function at a relatively high level and only can detect relatively large errors. In addition, both error and exception reports and analytical procedure controls only flag suspicious amounts. For them to be effective, the auditee must have follow-up procedures in place to investigate those suspicious numbers. Software access controls are similar to reconciliation controls. They prevent things from being added or deleted, or changes being make, which are completeness, validity, and accuracy violations.

Multiple Locations

As I mentioned above, a control may mitigate risks within multiple processes. The key feature of controls that creates this property is that they have access to input information coming into processes that are nearer to the boundary and can compare that input information to the output information of processes that are nearer the general ledger. The idea is that if a control has access to all the information coming into a process and the information coming out of a process, it can mitigate all risks that that process might generate. Since information flows through a series of sequential processes, if a control has access to input information for a process near the beginning of the sequence and access to output information near the end of the sequence, it can mitigate any risks for all processes in between.

The "Driver obtains signature on sales invoice" control in the appendix is an example. This control requires that the lumberyard's truck driver who is delivering the goods to the customer has the customer sign the extended sales invoice at delivery. Since the customer knows what they ordered and what price they were promised, this control has access to information entering the cycle from the boundary as well as information exiting the "Extended Sales Invoice" process.

possible risks" is a probability in the aid and means that, if the controls are functioning properly, the ultimate risk of error for all assertions in the general ledger accounts will not exceed the auditor's preliminary control risk estimate.

9-7

Therefore, it can mitigate validity and accuracy errors that any intervening process might have injected into the information. However, it cannot detect completeness errors because, if an order were lost, it would not have triggered a delivery and, consequently, there would be nothing to verify and no extended sales order for the customer to sign.

Example Company's Key Controls

The bolded controls in the Example Company diagram in Appendix 1 are the controls my decision aid selected as key controls. The bolded controls at each process mitigate all three risks. However, other controls and combinations of controls also would cover all risks at all processes. Thus, there usually is more than one possible set of key controls for a given transactions cycle for an auditee. The decision aid's choices in the example also were informed by testing cost and control strength data not shown in the example. My point here is not that you understand exactly how the aid selected key controls, but the general goal auditors used in doing so. In fact, the aid in this case developed more than one set of key controls and the diagram only illustrates one of them.

Testing a Control

Once the auditor has selected key controls (i.e., the controls (s)he will test), the next decisions they need to make is what tests to perform and the number of transactions for each control to test. For most controls, testing all the transactions processed by the control is far too costly and unnecessary. One exception would be for account balances that result from a few, large transactions like long-term debt. When an account balance results from a few large transactions, the auditor may decide to test all the transactions for the audit period (usually one year).

However, there are very few accounts like this. Thus, the auditor needs to determine the number of transactions to test; which transactions to test (i.e., the sample); and what tests to run. (S)he wants to select his/her sample, both the number and set of specific transactions, so that (s)he can be confident that the results (s)he obtains from his/her test of the sample transactions will represent the results (s)he would have observed if (s)he had tested all the transactions (i.e., the population). The risk that the sample results won't be representative of the population is called sampling risk.

The following subsections present the steps auditors use in developing and executing tests of controls. The steps are similar regardless whether the auditor chooses to use statistical sampling or non-statistical, usually referred to as judgmental, sampling techniques. The main advantage of statistical sampling techniques over non-statistical is that, with statistical sampling techniques, the auditor can quantify the level of sampling risk for each test but with non- statistical sampling (s)he cannot. The main advantage of non-statistical sampling techniques over statistical is that they are cheaper and easier to perform.

To design and execute a test of a control, the auditor must go through the following steps. Recall that GAAS fieldwork standards (see Chapter 2) require that auditors plan audits so that they obtain sufficient appropriate evidence to support their opinion on the auditee's financial statements. The following steps are necessary to help insure that the results of an auditor's tests

9-8

of controls provide sufficient appropriate evidence to support the auditor's control risk assessment: determine the objective of the test and select a testing procedure, define key characteristics of the transaction in the population (s)he is testing, determine the sampling procedure and sample size, select the sample, execute the test, calculate the results of the test, and draw conclusions about the population from the sample results.

I will discuss each of these steps in more detail next. In that discussion I will introduce formal statistical terms and concepts as they relate to each step and, where appropriate, discuss the tradeoffs between statistical and non-statistical sampling methods. Throughout my discussion, I will use the "Driver obtains signature on sales invoice" control (referred to from now on as Driver Control) the Example Company as an example.

Determine the Objective and Nature of the Test

The object of the auditor's test normally is to insure that the control being tested is working as designed. Since the auditor determined which controls mitigate which types of risks when documenting the auditee's control system to select key controls, they know which risks each control mitigates. Thus, their main goal is to select testing procedures that focus on the risks (i.e., assertion violations) the control being tested is designed to mitigate. For example, tests of the Driver Control would focus on insuring that the customer's signature is present, that the customer was a valid customer, and that the information on the extended sales order was accurate (i.e., that the customers aren't signing off without checking the invoice). They would not, and could not, focus on whether all of the original sales invoices made it to this step. Auditors would need to test different controls to determine the likelihood of a completeness error. In the example, the "Checking invoice to Packing Slip 2" control provides coverage of completeness and the auditor would focus their tests of that control on completeness violations.

In addition, auditors need to select the types of tests to run. The table in the "Matching Controls to Threats" section of Chapter 8 illustrates some alternatives that auditors consider in selecting testing procedures.

Define the Population Characteristics

The next step for auditors is to define the characteristics of the transactions being sampled (i.e., the characteristics of the population). The auditors work through three steps to define the critical characteristics of the population: defining the population, defining the sampling unit, and defining errors.

9-9

Define the Population

This step involves the auditor defining the set of all transactions that will make up the population from which they draw their sample. In many cases, this step is straightforward and the population would include all transactions processed by the control being tested. However, the auditor needs to be clear about how that population fits into their overall testing plan. For example, the population for a test of the Driver Control would include all extended sales invoices. However, while this population is fine for testing the Driver Control, it isn't adequate for testing for completeness errors in accounting for the extended sales invoices. In addition, auditors need to define the time period for the population. Ideally, the time period should be the fiscal year being audited. However, frequently it isn't since the auditor may run their control tests prior to the end of the auditee's fiscal year. Thus, the population of transactions may be all transactions that have occurred from the beginning of the fiscal year to the date of the test. Here, the auditor would have to assume that nothing that affects the execution of the control changed between the date (s)he tested and the end of the fiscal year.

However, defining the population isn't sufficient. The auditor needs to determine the physical representation (referred to as the frame) for the items in the population. That is, the auditor needs some form of listing that includes all the elements of the population from which (s)he will select their sample. For example, to test the Drive Control, the auditor will need to get a complete listing of all extended sales invoices. The accuracy of the auditor's tests depends on the completeness and accuracy of the frame or listing. Thus, the auditor needs to insure that the frame is complete and accurate because they will need to select their transactions from the frame.

Determine the Sampling Unit

In most cases, the sampling unit is a transaction or document that records the information about a transaction. In the Driver control example, the sampling unit would be one extended sale invoice. A sampling defines what "one of" is for the sample.

Define an Error

In the auditing literature, an error in a test of controls is called a control deviation, or just deviation. I will continue to use "error" for simplicity, but periodically will link errors back to deviations to help you remember the more formal terminology.

For most tests of controls, the auditor will define more than one deviation. Drawing samples and reviewing documents is costly and the auditor wants to get the most from the process. Therefore, they will define deviations that cover, to the degree possible, all types of errors that can occur. For example, in testing the Driver Control, the auditor would consider either the absence of a customer signature or any incompleteness or inaccuracy on the extended sales invoice that the customer didn't detect when they signed off as a deviation.

9-10

Determining Sample Size

Sample size selection for statistical sampling techniques is a systematic, rigorous process that is based on three parameters the auditor must determine: the auditor's desired confidence level, the level of error the auditor can tolerate (i.e., tolerable deviation rate), and the expected population deviation rate. I will discuss the intuition behind each of these parameters and the techniques auditors use to set them next.

These parameters are used for attribute sampling. Attribute sampling is a form of statistical sampling where the goal is to determine whether the sampling unit has some attribute and not to determine what value the sampling unit has. The term used for statistical sampling techniques that focus on the value of a transaction is variable sampling and I will discuss that approach when we talk about testing balances. The two sampling approaches differ in that attribute sampling is based on mathematics appropriate for a population that either has an attribute or doesn't and variable sampling is based on mathematics appropriate for sampling units whose values vary continuously. Since we are testing whether the control contains our define error or not, auditors apply attribute sampling to tests of controls.

Desired Confidence Level

Keep in mind that the goal of control testing is to assess control risk, which is the likelihood that the auditee's controls missed an error that would be material to the financial statements. However, the auditor at this point is not assessing control risk for the financial statements taken as a whole, but the control risk for a specific assertion or assertions within a specific account or accounts. The auditor's desired confidence level is the degree to which they want to be sure that, if their tests are successful, they can conclude that the control is functioning appropriately. Thus, the complement of the desired confidence level (1 - confidence level) is the risk that the sample results will indicate that the control is functioning when it isn't. The intuition here is that the auditor needs to determine how confident they want to be in the results of their sample tests.

In setting the desired confidence level, the auditor will consider how important the account and assertion involved in the test is to the overall audit. Factors that they consider include the size or other measure of significance of the account, the importance of the assertion, as well as the degree they plan to rely on the control when concluding about the financial statement balances. Given that the auditor plans to rely on the control (i.e., use the results of testing controls to lower their control risk below 100%), they will set their desired confidence level at 90% or 95%. Since the confidence level is the complement of the risk of drawing an incorrect conclusion from the sample that the control is functioning, these confidence levels mean the auditor is willing to accept a 10% to 5%, respectively, risk that their tests will indicate the control is working when it isn't.

When setting their confidence level, the auditor needs to consider the practical tradeoffs involved. The higher the confidence level they want to achieve, the larger the sample size must be. That is, the greater the number of items you sample, the lower the risk that the sample results won't reflect the control's actual effectiveness.

9-11

Tolerable Deviation Rate

The tolerable deviation rate refers to the maximum rate of error they are willing to find in their tests and still conclude the control is working. No control is perfect and auditors will nearly always find errors in the tests of controls. Thus, they need to decide how many errors, given their sample size, they are willing to accept and still rely on the control to mitigate risks. The difference between their desired confidence level and their tolerable error is that the confidence level refers to how confident they want to be that the results of their tests accurately reflect the control's accuracy, the tolerable deviation rate refers to how many errors the control can have, and the auditor will still conclude that it is working. In other words, confidence refers to how effectively the tests reflect reality and tolerable deviation refers to how bad a control can be and still be considered to be working.

Again, there are practical tradeoffs here. The fewer errors the auditor is willing to accept and still concluded the control is working, the larger the sample size. The intuition is if the auditor is not willing to accept many errors, they have to look harder for errors (i.e., increase their sample size).

Note that statistical sampling is all about percentages and other quantitative concepts. Recall that I presented the audit risk model as a quantitative model, but also pointed out that auditors rarely use it that way. Finally, the auditor's goal in testing controls is to assess control risk. Thus, there seems to be a disconnect between using quantitative methods to arrive at a qualitative conclusion (i.e., assessing control risk as high, medium, or low). To bridge this gap, auditors use ranges of percentages to define qualitative categories. In the case of tolerable deviation rate, auditors commonly define a low deviation rate as between 3% and 5% error, a medium rate between 6% and 10%, and a high deviation rate between 11% and 20%. Normally, if auditors are willing to accept over 20% error in a control, there really isn't any reason to test it. Their willingness to accept such a high error rate and still assume the control is working implies that they do not intend to rely on the control to assess control risk or they do not plan to relay on lowering their control risk below 100% to reduce their tests of balances.

Expected Population Deviation Rate

This parameter may seem a bit strange to students. The expected population deviation rate is the level of error the auditor expects from the control before they test it. Students sometimes ask why auditors need to guess at an error rate when they are about to find out what it is with their tests. Recall that these parameters will determine the sample size for the test. Thus, the intuition is that the size of the sample that the auditor would use to satisfy their desired confidence level and their tolerable deviation rate depends on how error prone the population really is. The higher the expected error rate, the more testing they will need to do to achieve their target confidence and tolerable deviation.

Auditors can develop estimates of the expected population deviation rate using several methods. The most common is to use the actual deviation rate they observed in the prior year's audit since most audits are continuing engagements. For new auditees, or when the auditee has made significant changes to the controls, the auditor might take an initial sample just to estimate the

9-12

population deviation rate and then take a second sample to use to support their control risk conclusions. Auditors also can use judgment. For example, if the auditor feels that the firm's control environment (e.g., training and supervision for the employees executing the control is high) is strong, they might use error rates they experienced with other clients that also had strong control environments.

If the auditor's expected population deviation rate is higher than their tolerable deviation rate, then they shouldn't perform the test. If they expect to find more errors than they are willing to tolerate, they should find alternative controls to test that would meet their testing goals.

Again, there are practical consequences to estimating the population's deviation rate. The greater the expected error, the larger the sample size. That is, the messier the population, the more work the auditor will need to do to insure that it isn't messier than they can tolerate.

Calculating Sample Size

Once the auditor has determined values for the three parameters, all they need to do is look up their sample size in a standard statistical table. The following is a table for a 95% confidence level. Auditors have access to a variety of tables like this for different confidence levels. However, as I noted above, 95% and 90% are the most common levels.

Note that as the expected population rate increases, so does the sample size. Also, as the tolerable deviation rate increases, the sample size goes down. In addition, the numbers in parentheses next to the sample sizes indicate how many errors (deviations) the auditor can find in a sample of that size.

9-13

Statistical Sample Sizes for Attribute Sampling - 95% Confidence Level

Non-statistical Applications

All of the above describe how auditors determine the sample size for a statistical sample. Many auditors do not use statistical samples and, instead, choose judgmental sampling techniques. With judgmental sampling techniques, there are no formal tools for developing sample sizes. Most firms develop guidelines for non-statistical sample selection based on statistical approaches. For example, firms can develop categories (high, medium, and low) for each parameter; map those categories onto ranges of confidence levels, tolerable deviation levels, and expected error rates and then provide a suggested sample size.

Select Sample Items

For statistical sampling techniques, the process that auditors must use to select sampling units from the population must be random. Random sampling is the only way to guarantee that the items selected in the sample represent the items in the population. Pure random sampling requires numbering every unit in the population such that the auditor can use a random number table or random number generator51 to select a random number and use that number to select a unique sampling unit from the population.

Systematic sampling is a quasi-random sampling technique that closely approximates random sampling and is easier to apply. In systematic sampling, the auditor uses his/her frame (list of all items in the population) and choose a random starting point in the frame. They then select every Nth item in the frame from that starting point. The calculate N by dividing the population count by the sample size. For example, assume that an auditor wanted to take a sample of 100 from a

51 Excel has a RAND function that creates random numbers, for example.

9-14

population of 1,000,000 items. (S)he would select a random starting point in the first 10,000 in a list of the 1,000,000 items and then move sequentially through the list selecting every 10,000th item for their sample.

I referred to systematic sampling as quasi-random because it is close to random, but not quite perfectly random. There could circumstances, usually highly unusual, where there is a sequential pattern in the items in the frame. For example, if, because of the way the frame was built, the same person processed every 10,000th item, then the sample would not be random since it would only test how that one person processed the transactions through the control. I said it was highly unusual, but still possible, and auditors need to be aware of the limitation.

As you might have realized, systematic sampling is a lot easier than random sampling if you are selecting samples manually. However, most auditors today use software packages that allow them to access the auditee's client files directly and select truly random samples electronically. These software packages eliminate benefits of systematic sampling.

If the auditor is using non-statistical sampling, they don't need to take random samples. However, the accuracy of their sampling usually would benefit if they did so. One non-random sampling technique auditors use in non-statistical sampling is called haphazard sampling. Haphazard sampling can approximate random. Haphazard sampling is self-explanatory to a degree. To take a haphazard sample, auditors select items from the frame in a haphazard manner. The more haphazard they are, the more random the sample. For example (and this is a bit extreme), auditors could take a listing of the items in the population, tape them to the wall, and through darts at the listing. Assuming they didn't aim at the same part of the list each time, the results would be close to random.

However, one benefit of using non-statistical sampling techniques is that auditors can use judgment in selecting items to sample. With statistical sampling techniques, sample selection is very mechanical and the auditor has no say in what sampling unit is selected. With judgmental sampling, auditors have the ability to use their experience and judgment is selecting items to sample. For example, they may target large transactions, problematic transactions, or transactions processed by new personnel to test. In effect, they are loading their sample in favor of finding errors using their judgment as to where the errors might be. This way, they may be able to justify a smaller sample size since the sample is biased toward finding errors. However, they also risk overstating the error rate in the population and ending up doing more tests of balances to achieve their target audit risk.

Perform Tests

This step may seem simple. Just execute the tests you have decided to do on the items in your sample and count the errors. However, there are complications the auditor needs to consider. For example, what if the sample item isn't available because it was voided, destroyed, or lost, or is inappropriate for the test selected? Whenever the auditor encounters a situation where they cannot examine a sampling unit in their sample, they need to evaluate the reason for the problem and consider how they should respond. For example, if the item was just voided, this is a normal

9-15

situation and the auditor might just select another unit to sample. If the item is unavailable, lost, destroyed, or inappropriate, the auditor may just count the item as an error and move on.

Another complication can arise if the auditor is partially through their sample and already has accumulated more than the tolerable number of errors. The auditor can just terminate the sampling process and conclude the control isn't working. However, depending on how close they are to finishing their sample and other factors, they may elect to increase their sample size to compensate. The risk of increasing their sample size is that they may end up doing more work and still having to conclude that the control isn't working. Thus, usually auditors won't extend their sample sizes unless they believe there is a reasonable chance that the results they have observed thus far are not representative of the population. Obviously, this is a judgment call and a gamble.

One major flaw with statistical sampling is a side effect of its major strength. Its strength is that it is systematic, mechanical, and quantifiable, sort of like a black box. However, this is its greatest weakness as well and the reason why many audit firms have abandoned statistical sampling. Auditors substitute the precision and rigor of statistical sampling for good judgment. Specifically, auditors should not just count errors and plug results into formulas to decide whether a control is working or not. They should analyze the nature of the errors and use that information to develop a richer understanding of what is going wrong with the auditee's control and why. When auditors use judgmental approaches, making these sorts of judgment calls comes more naturally. When auditors use statistical sampling techniques, they need to take more care not to just plug numbers into the formula and move on. My personal preference and belief is that training auditors to use statistical sampling is easy and that the audit firms shouldn't have "thrown the baby out with the bath water." Statistical sampling brings with it the ability to make much more precise conclusions about control risk and, with more precision, the auditors can be more efficient and effective in developing audit plans.

Calculate Results

For statistical sampling, calculating the result is easy. Auditors just take the number of errors they find and look up the upper deviation rate52 in a table (or software package). The upper deviation rate is the maximum error rate the auditor can expect in the population given the errors they found in their sample and the sample size they used. The upper deviation rate is stated as a percentage and auditors can compare their upper deviation rate to their tolerable deviation rate. If the upper deviation rate is higher than the tolerable deviation rate, the auditor should conclude the control isn't working.

The table below is a companion to the sample size table I presented earlier. It computes the upper deviation rates, at a 95% confidence level, given the number of errors the auditor found in the sample and the sample size. The cell entries are percentages. For example, if an auditor found 1 error in a sample of 100, the upper deviation rate would be 4.7%. However, the sample

52 The complete term is "computed upper deviation rate." I dropped the "computed" because it is obvious and it makes my writing simpler.

9-16

deviation rate was only 1% (or 1 / 100). The reason the upper deviation rate, which is for the population, is always higher than the sample deviation rate is due to sampling risk. Sampling risk is the risk that the sample results aren't representative of the population. This risk arises because the auditor is drawing conclusions about the population, but only tested a small part of that population. You may have noticed that the column for zero errors contains upper deviation rates. That is, the auditor cannot conclude the population is error-free just because his/her sample was.

Notice that as the sample size increases, the difference between the sample deviation rate and the upper deviation rate declines. For example, with a sample size of 100 and 1 error, the difference was 3.7 percentage points (4.7% - 1.0%). For a sample size of 200 and 1 error, the difference is 1.9 percentage points (2.4% - 0.5%). This makes sense since the larger the sample, the greater the likelihood that the sample accurately represents the population and the lower the sampling risk. Thus, the difference between the sample deviation rate and the upper deviation rate as calculated in the table measures the sampling risk for that sample size, sample deviation rate, and confidence level.

Upper Deviation Rates for Attribute Samples - 95% Confidence Level

Draw Conclusions

Drawing conclusions can be very mechanical with statistical sampling techniques. The auditor calculates their upper deviation rate and compares it to their tolerable deviation rate. If the upper deviation rate is lower than or equal to their tolerable deviation rate, they can conclude the control works. If the control works as designed, then the auditor has a basis for stating that their preliminary assessment of control risk for the account and assertion affected by the control is valid. If the auditor finds a lower than expected error rate, they may have a reason to lower their control risk and, subsequently, the magnitude of their tests of balances. However, since auditors are pretty conservative and don't want to risk audit failure, they usually don't reduce their preliminary assessment of control risk.

9-17

If their upper deviation rate is higher than their tolerable error, then the auditor will need to increase their preliminary assessment of control risk. To compensate, they may test additional controls or expand their tests of the existing control. These steps would allow them to use alternative tests of other controls, or more extensive tests of the current control, to verify their preliminary assessment of control risk. Alternatively, they could just increase the amount of direct tests of balances they do to lower detection risk to compensate and, thus, achieve their target audit risk.

Defining Levels of Control Weakness

Since the passage of Sarbanes-Oxley, auditors also have had to conclude in separate audit opinions on the adequacy of the auditee's controls and on the adequacy of the auditee management's assessment of their own controls. I will discuss these reporting requirements more in the chapter on audit reports. In this chapter, I want to introduce the categories that auditors use to classify the effectiveness of the auditee's controls. These categories classify the level of control deficiencies the auditor found in the auditee's control system. The categories are control deficiency, significant deficiency, and material deficiency. The PCAOB developed definitions of these three levels. The levels are determined by two factors: the magnitude of the deficiency and the likelihood that the deficiency would cause a material misstatement in the financial statements and the potential magnitude of that material misstatement. All three levels of deficiencies can be caused by either poor design (e.g., there were not controls in place to eliminate a particular potential assertion violation) or poor operation (i.e., the control wasn't functioning as designed).

A control deficiency exists when either the design or operating of the controls does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis. A significant deficiency exists when a control deficiency, or combination of control deficiencies, create more than a remote likelihood that a misstatement of the auditee's financial statements that is more than inconsequential will not be prevented or detected and corrected. A material deficiency exists when a significant deficiency, or combination of significant deficiencies, creates more than a remote likelihood that a material misstatement will not be prevented or detected and corrected.

The following table summarizes the these categories and their relationship to measures of likelihood and magnitude

9-18

53

53 All three of the figures in this chapter were taken from W. F. Messier, Jr., S. M. Glover, and D. F. Prawitt (2008), Auditing & Assurance Services: A Systematic Approach, McGraw-Hill Irwin.

9-19

Appendix 1 - Fundamental Transaction Cycles

Sales and Collection or Revenue

Description

The sales and collection cycle contains activities designed to market and sell products, as well as collect for those sales. Therefore, it contains activities involved in marketing and sales, sales transaction processing activities, delivery of merchandise, and collection of payments. It also includes activities involved in processing returned merchandise, dealing with customer complaints, and managing bad debts and other collection problems. The key economic goals of these activities are to maximize sales revenues and the cash flow generated by the collection of sales revenues.

Major Activities and Documents

• Generated an order - By "generate" I am including all the firm's marketing and promotion activities such as advertising campaigns, salesperson contacts, and promotional activities like use of coupons and special sales. I differ from most accounting texts on this issue because most accounting texts consider marketing an administrative function and not a sales function.

There are very few standard documents for recording marketing activities. However, when the marketing process involves isolatable events, like sales calls, these events can be recorded in things like sales logs.

• Take an order - The purpose of marketing activities is to generate orders for goods and services that the organization then fills. To help insure the firm accurately and completely understands the customer's desires; the order is usually documented with either a sales order or a customer-generated purchase order. Sales orders should include information about the customer, the products being ordered, and other details about the transaction. A typical sales order would include:

 Name, billing address, shipping address, and contact information (e.g., telephone, fax number, and/or e-mail address) for the customer.

 List of merchandise ordered to include name, quantity, and price.

 Delivery terms such as expected delivery dates, shipping terms (e.g., who is responsible for delivery and who pays for delivery).

 Payment terms that specify how long after delivery payment is expected and whether any discounts are allowed for early payment.

9-20

 Date the order was placed and who took the order for the organization.

The customer may take the responsibility for documenting the sales transaction by generating a purchase order, which would contain the same data elements as a sales order. Purchase orders are discussed below in the purchase and payment cycle where the firm is acting as a customer. The main point is that the sale information listed above should be documented by the selling firm in some way. If the customer has done that in the form of a purchase order, then the selling firm may not need to duplicate that documentation with a sales order and just use the customer's purchase order in lieu of a sales order.

• Approve Credit - If the organization sells on credit, the creditworthiness of the customer should be established before executing the sale transaction. Credit approval usually is performed by the accounting or finance departments of the organization and is documented either through a separate credit approval form or by indicating that the customer's credit has been approved on the sales or purchase order.

• Fill Order - The sales order can be used as a checklist to determine what items of merchandise are required to fill the order. The contents of a shipment are frequently documented with a packing slip. A packing slip lists the items that have been included in a specific shipment. Usually a copy of the packing slip is included with the shipment so that the customer can use it to make sure the shipment is complete when it arrives. If the organization cannot fill the entire order for some reason, a backorder document is usually produced. Backorder documents are very similar to sales order because their main function is, in effect, to reorder the merchandise that was not available. However, backorders should be linked in some way to the original order to document the fact that the merchandise is being reordered because it was not available when the main order was processed.

• Ship Order - Once the order has been filled and prepared for shipment, it needs to be shipped. If the firm uses its own employees and equipment to ship merchandise, a copy of the sales order may be sufficient to document shipment since the sales order contains all the information needed to move the goods from the seller's location to the customer's. If a shipping firm is used (sometimes referred to as a common carrier), then a bill of lading is produced. The bill of lading is used to give the shipper the information they need to deliver the goods, but no more than that. For example, the shipper does not need to know the details of what is in the shipment. They do need to know where the shipment is going, when it should arrive, who is paying for the shipment, and general information about the contents of the shipment (e.g., size, weight, number of packages, and general nature of the contents such as whether they need refrigeration or are flammable).

• Bill - Once the shipment has been delivered, the selling firm can recognize the revenue from the sale under GAAP. The most common way to document this transaction is by preparing an invoice and sending it to the customer. The generation of the invoice indicates that the selling firm has completed their part of the transaction; can recognize the revenue; and has a right to be paid. The invoice is their way of requesting payment from the customer. Invoices usually contain the same information as the sales order with the

9-21

addition of information about shipping and delivery dates. The selling firm's accounting department usually handles billing activities.

• Collect - The collection activities usually also are handled by the selling firm's accounting department. Collection activities include:

 tracking payments as they are received and linking them back to invoices;

 following up on late payments, possibly turning unpaid bills over to a collection agency or selling them to a collection agency; and

 documenting the receipt of payments and depositing the payments in the selling firm's bank account.

A critical feature of the collection process is linking the payments back to invoices to make sure all invoices are ultimately paid in full. Since the customer also has an interest in accurate accounting for payments and, since the customers may split payments for an invoice into several payments or combine several invoices into one payment, customers frequently use remittance advices to indicate the invoices for which they are paying. A remittance advice is just a stub attached to a purchaser's check that lists the seller's invoices to which the payment applies.

• Forecast sales and cash receipts - The historical information recorded during the day-to- day sales and collection process discussed thus far are used as a basis for forecasting or budgeting future sales and cash inflows.

Relationship to Accounting

The major accounting issues involved in the Sales and Collection processing are determining when to record a sale; physically recording the sale; and recording the payment for the sale. Sales are recognized when goods and services being sold have been transferred to the customer and the customer has provided the selling firm with an asset to pay for the items sold. Assets can be cash, other physical assets (i.e., trade-in of an old trailer), or a promise to pay cash or other asset in the future (i.e., accounts receivable). Detailed information about the sale or collection transaction is recorded in the documents listed above. Accounting systems usually produce a listing of those sales transactions call a Sales Journal. Listing of the collection transactions are usually recorded in a Cash Receipts and Disbursements Journal, which is very similar to the register you use to record your checks and deposits in for your checking account. Therefore, the accounting functions of the Sales and Collection Process would focus on a subset of the data that management would need to record about each sale or collection transaction. Accounting focus on recording how much and what was sold while an REA analysis would lead to a system that also recorded other details of the sale transaction (e.g., demographic information about the customer).

9-22

Purchases and Payment

I have divided the purchase and payment cycle into subcomponents: personnel and everything else. An employee's time is just another economic resource that an organization has to purchase. However, purchasing people's time has some unique features that warrant separating those activities from the purchase of supplies, raw materials, outside services, and capital assets.

Supplies, Outside Services, and Materials

Description

The purpose of the purchase and payment cycle is to secure economic resources that the firm uses to produce goods and services. These economic resources include things like raw materials directly used in the production process, supplies that are indirectly used in the production process or for administration, outside services (e.g., accounting, legal, utilities, telephone, rental of space), and capital assets (e.g., buildings, machinery, and equipment). The purchase of capital assets also has some unique features that may warrant separating those activities into a separate cycle as well, but I have chosen not to do so here.

The main goal of the purchase and payment cycle is to secure economic resources of sufficient quality and quantity to meet the needs of the organization at the lowest possible cost and to pay for them on time. "Quality" is rarely a single dimensional concept. Most economic resources have many qualities that are important to the organization (e.g., reliability of the resource as well as the reliability of the delivery of the resource). Therefore, the MIS may need to be designed to track several aspects of the resources being acquired, such as time to deliver and performance reliability. The major activities of the purchase and acquisition cycle parallel those of the sales and collection cycle because they present the view of the sales transaction from the standpoint of the purchaser instead of the seller.

Major Activities and Documents

• Recognize Need - The purchase and payment cycle is triggered when the firm recognizes a need for some goods or services. Need recognition can be based on periodic monitoring such as taking a physical inventory, continuous monitoring such as maintaining a perpetual inventory, or systematic monitoring such as renewing an insurance policy every year. Need recognition often involves forecasting future needs rather than identifying needs after they arise. Since purchasing and receiving goods and services take time, most firms try to anticipate their needs ahead of time to help insure that their production operations are not interrupted because of lack of needed resources. Maintaining significant inventories, however, is costly for the firm. The real goal is to have needed goods and services arriving at the firm just in time to be put to use in the production process, thus eliminating the need for inventories.

Needs are documented with purchase requisitions. For control purposes, most firms separate purchasing activities from production activities. Production personnel usually

9-23

identify the need, document it with a purchase requisition, and sent that requisition to the purchasing department to actually purchase the good or service. Therefore, the purchase requisition should include all the information the purchasing department needs to purchase the right good or service in the right quality and quantity. Purchase requisitions usually include the list of goods or services needed and the quantity, specific characteristics of those goods and services (e.g., size, color, and quality specifications), the name of the person or department making the request, and the date by which the goods or services are needed. For control purposes, most purchase requisitions need to be approved by management to help insure that goods and services are really needed, and the correct resources are being requested.

• Purchase Goods or Services - Purchasing activities usually include selecting a vendor or supplier for the requested goods or services, determining the best price, documenting the details of the purchase transaction, and, possibly, obtaining additional approval to actually place the order. Purchase transactions are documented with purchase orders or, if the resource being purchased is large and complex, a purchase contract. Purchase orders contain the very similar information to a sales order because they merely represent the other side of the transaction. This information includes:

 Name, billing address, shipping address, and contact information (e.g., telephone, fax number, and/or e-mail address) of purchaser.

 List of merchandise ordered to include name, quantity, and price.

 Delivery terms such as delivery dates, shipping terms (e.g., who is responsible for delivery and who pays for delivery).

 Payment terms that specify how long after delivery payment is expected and whether any discounts are allowed for early payment.

 Date the order was placed and who took the order for the organization.

Included in the "select vendor" step is a rich set of activities that accountants usually ignore but need to be supported by an MIS. Most firms carefully evaluate potential vendors and continuously evaluate the records of their existing vendors. Therefore, to support the "purchase goods and services" step, the MIS needs to capture data about the quality of the vendor's goods and services as well as the reliability of the vendor in delivering those goods and services on time.

• Receive Goods and Services - When merchandise that has been ordered is received, it needs to be checked against the order to make sure what was received was the same as what was ordered. This check is usually preformed by a receiving department that stores the merchandise in the purchasing firm's inventory once the check is complete. Receiving personnel use the packing slip, as well as a bill of lading if a common carrier was used, to verify what the selling firm intended to ship and a copy of the purchase order to verify what

9-24

the purchasing firm intended to order. Any discrepancies are noted and usually turned over to the accounting department to reconcile.

The receiving event is documented with a receiving report that documents what was actually received. Firms may require that these reports be filled out in a blind receiving process. A blind receiving process occurs when the receiving department knows what items should be in the shipment, but not the quantity of each item. The goal of a blind receiving is to force the receiving department to count the items in the shipment in order to record the amount received. If the receiving department knows the quantity of each item that should be in the shipment, they might get lazy and not count the items in the shipment to see what was actually there. If they don't know what to expect, they are forced to develop a complete listing of what was in the shipment to fill out the receiving report.

• Make Payment - Once the firm has documented what was received, they need to pay for it. The ordering firm's accounting department usually makes payments after an invoice has been received from the selling firm. The accounting department's job is to compare the purchase order, packing slips, receiving reports, and invoices to make sure that everything matches up. That is, what was ordered was received and the selling firm hasn't changed the shipping and payment terms. Once the accounting department has determined that everything matches, they generate a check to make the payment. Usually, the check must be approved and signed by someone outside the accounting department, or by some higher level manager within the accounting department, before it is sent to the vendor. The payment is documented with the check itself as well as with a remittance advice attached to the check, as discussed above.

Personnel and Human Resource Management

Description and Activities

Purchasing people's time, typically by hiring them as employees, follows the same sorts of steps as purchasing goods and services. The "vendor," in this case the employee, needs to be selected and, as part of that process, existing employee's performance needs to be monitored to determine if continued employment is warranted. The firm needs to "purchase" the employee's services by hiring them and giving them a job to do. This includes setting work hours and assigning tasks. Periodically, the employee needs to be paid for their services.

Major Documents

Some employees are paid based on the hours they work; others based on larger measures of time such as bi-weekly or monthly. Hourly employees usually document their time with time cards or time sheets. These documents specify the exact hours worked on each day. They may also list the tasks on which the employee worked, particularly if the firm uses a job costing system. Monthly and bi-weekly employees usually don't document the hours they work in any detail and are merely paid based on the passage of time. However, all employees usually are required to

9-25

submit some sort of performance report at least annually to justify continued employment, salary or wages increases, and promotions. The nature of these performance reports tends to vary significantly from firm to firm. In addition, employees who work for service organizations that bill customers for the time employees work on those customers' projects (e.g., CPA firms) will require all employees to accounting for their billable hours, i.e., the hours the firm can legitimately charge to the customer or client.

Relationship to Accounting

The relationship between the above discussion and accounting functions is very similar to that of the Sales and Collection Process. Accountants need to determine when a purchase has taken place and the purchaser is liable to pay for the goods or services purchased, and need to record purchase events. The above mentioned documents record information about purchase and payment events. Accounting systems usually produce two detailed listings of purchase transactions: one for the purchase of goods and services (Purchases Journal) and one for the purchase of employees' time (Payroll Journal). Collection activity is normally listed in the Cash Receipts and Disbursements Journal. As with the Sales and Collection Processes, accounting functions are interested in only a subset of the information about purchase and payment transactions.

Production and Conversion

Description and Major Activities

Production and conversion activities are the activities a firm uses to convert raw resources coming into the firm into goods and services that they sell or provide to customers. "Provide" applies to government and not-for-profit organizations that don't sell things to customers but provide social services to them, which are paid for from other revenue sources. The nature of these conversion activities will vary significantly by the type of firm. Manufacturers, for example, tend to have very complex conversion activities that use raw materials, employee's time, and the use of buildings and equipment to produce products. Distributors (i.e., retailers and wholesalers) have somewhat simpler conversion activities that break down large shipments into smaller lots for distribution to their customers. Service providers also have relatively simple conversion processes that use their employee's time, as supported by some minor supplies, equipment, and buildings, to produce services that they sell to customers or clients.

Major Documents

Since the nature of the conversion activities of firms can vary significantly, the documentation also varies. Generally, conversion activities need to be documented by recording the nature, timing, and quantity of resources that enter the conversion process and the nature, timing, and quantity of the products that exit the conversion process.

9-26

Relation to Accounting

Accounting systems normally only record details of the conversion and production activities for manufacturing firms since these firms have extensive conversion activities. The main focus of accounting for conversion activities is recording the raw materials used, labor, and overhead used to produce a good or service so that the accounting system can calculate a production cost for each good or services. The other conversion related activity within accounting is maintaining a record of current inventory of raw materials, work in progress, and finished goods. For all but manufacturing operations, the current inventory can be calculated from purchase and sale records. In manufacturing, the accounting system also needs to track movement from raw materials to work in progress to finished goods.

Administration

Description and Major Activities

Administration involves executing the basic management functions of a firm. These can be characterized as planning, executing, evaluating, and re-planning or Plan, Do, Check, Act. The operating activities described in the cycles above make up the bulk of the "Do" step. General management's main role is planning and evaluating these operating activities (i.e., "Plan" and "Check") and then using the results of the evaluation to revise the plan (i.e., "Act"). General management also has a role to play in the "Do" step because they need to monitor operating activities to insure that, on a day-to-day basis, they are being properly executed. Note, however, that these activities, like those above, have a natural cycle that is nicely captured by the "Plan, Do, Check, Act" framework.

The boundaries between the Administration cycle and other operating cycles can be a little fuzzy. For example, some MIS designers might consider making and receiving payments as administrative functions because they tend to occur in the accounting departments and usually are centralized for the entire firm. Similarly, the personnel cycle might be considered as part of the administration cycle. The structure I have provided above is the most common one I have found in practice, however.

9-27

Major Documents

The most common documents that I would consider part of the administrative cycle are the traditional external financial statements accountants produce. Other than financial statements, there are few standardized documents for the administrative cycle. However, most firms develop formal strategic plans and budgets. Budgets have been around for centuries and have been regularly captured by MISs. Increasingly, however, MISs are being called on to capture and report key elements of strategic plans and other data that can be used for performance evaluation. A common example is non-financial performance measures, such as market share, customer analysis, vendor analysis, and competitor analysis. These types of data frequently require having the MIS capture information not associated with transactions in which the organization engages. Examples would be changes in interest rates, laws, competitor marketing strategies, and technologies available for marketing and production activities.

9-28

Appendix 2 - Example Company Process Flow

Sales Accounts Receivable

Treasurer reconciles A/R and Sales (C, V, A)

Compare A/R batch totals (C, V, A) A/R Posting

Compare Sales Register to Accounts Receivable Cards (C, V, A)

Compare invoice to packing slip 2 (C, A)

Driver obtains signature on sales Extended Sales invoice (V, A) Invoice

Matching control copy to signed copy of Sales Order (C, V, A) Key: Solid boxes are processes Check Extended Sales Invoice (A) Dashed boxes contain controls associated with processes Compare invoice to packing slip 2 (C, A) Letters after controls are the Packing Slip assertions they cover. Numbers are Compare invoice to packing slip 1 costs. (C, A) Italic letters after controls indicate Driver obtains signature on sales assertion violations that controls invoice (V, A) address

C = Completeness Matching to authorized list (A) V = Validity Sales Invoice A = Accuracy Compare invoice to packing slip 1 (C, A) Key controls are in bold while nonkey controls shown in normal Driver obtains signature on sales font. invoice (V, A)

9-29

Documentation Process Control Description Sales Invoice – Sales clerk prepares a 4-part sales invoice based on phone order from customer Packing Slip – Yard manager’s secretary adjusts Matching to authorized list – Yard manager sales invoice for out-of-stock items, forwards the checks customer name against approved customer adjusted sales invoice to yardmen who fill the list adjusted order and prepare a packing slip. Compare Invoice to Packing Slip 1 – Yard manager compares packing slip to adjusted sales invoice. Extended Sales Invoice – The truck is loaded and Driver Obtains Signature – Truck driver has merchandise delivered to customer. The yard customer sign adjusted sales invoice. manager’s secretary prices the merchandise on the Matching Control copy to signed copy of Adjusted adjusted sales invoice and totals it. Sales Invoice – Yard manager’s secretary matches a signed copy of the adjusted sales invoice to a control copy. Checking Extended Sales Invoice – V.P. checks accuracy of extended sales invoice and initials it. Compare Invoice to Packing Slip 2 - Accounting staff compare the information on the Packing Slip to the extended sales invoice and correct any differences. Accounts Receivable Posting – Yard manager’s Comparing Batch Totals - Accounting staff secretary batches extended sales invoices and compares yard manager secretary’s batch total to computes a batch total. Accounting enters the post-processing batch total. invoices into the accounting system and posts Compare Sales Register to Accounts Receivable transactions to the Accounts Receivable Ledger Cards – VP compares sales register information to and the Sales Register. The monthly statements Accounts Receivable Cards and aged trial balance are prepared from the data in the AR ledger. Accounts Receivable and Sales General Ledger The treasurer reconciles the account receivable Accounts The batch total from extended sales and sales general ledger balances to the accounts invoices is posted to Accounts Receivable and receivable ledger and sales register weekly. Sales general ledger accounts.

9-30 Chapter Ten - Testing Balances

Summary

This chapter presents the statistical approach that auditors use to test account balances and briefly discusses some non-statistical alternatives. After completing this chapter, student should be able to: describe monetary unit sampling (MUS) and discuss its strengths and weaknesses; execute an MUS on a simplified example; discuss how to evaluate the results of an MUS and issues that auditors should address before concluding that the auditee's balances is misstated; and describe the options auditors have in responding to sample results that indicate that auditee's balances are misstated.

Purpose of Balance Testing

Recall from our discussion of the audit risk model that auditors have some choices as to how they reduce their audit risk. For example, they can set higher tolerable deviation rates for their tests of controls, which would lead to a higher control risk assessment, and make up the difference with a lower detection risk. A lower detection risk means they have to do more substantive testing54 of account balances (e.g., larger sample sizes for their substantive tests). The basic idea is that control risk measures the strength of the system that generated the account balances, and substantive tests measure the accuracy of the account balance directly. Auditors sometimes refer to control tests as indirect tests because they are testing the accuracy of the account balance indirectly. That is, they are testing the accuracy of the account balance by testing the strength of the system that produced that balance rather than directly testing the balance itself. Chapter 9 covered how auditors indirectly test account balances by testing controls. This chapter covers how auditors directly test account balances.

When auditors test controls, they are doing "either/or" testing. That is, either the control generated an error or it didn't. When auditors test account balances, they are trying to determine if the account balance is in error, in which direction, and by how much. Mathematically, these two concepts are not that different. Auditors do express control errors as rates (i.e., percent of items reviewed that had errors). They also express errors in balances as rates (e.g., the account balance is overstated by 10%). Thus, the underlying statistics for the two types of tests is similar.

54 The audit literature uses several terms that apply to testing account balances to include substantive tests, test of details, tests of balances, or direct tests of balances. I am going to use substantive tests in this chapter.

10-1

The approach that a statistician would apply to substantive testing is called classical variable sampling. In classical variable sampling, you are trying to estimate the mean of a population by taking a sample from the population, calculating the sample mean and standard deviation, and estimating the mean of the population based on the sample mean and standard deviation. The sample mean is an estimate of the population mean. That is, the statistician's best estimate of the population's mean is the sample's mean. However, the statistician has to address sampling risk (i.e., the risk that the sample isn't representative of the population). As with attribute sampling, statisticians use some estimate of the variation in the population and the sample size to determine the level sampling risk. For example, if the items in the population are very close to each other (i.e., low variance or low standard deviation), then any sample would most likely yield a mean that was close to the population mean. However, if the items in the population vary over a wide range (i.e., they have high variance or standard deviation), then the risk that the sample mean is not close to the population mean goes up.

However, auditors rarely use classical variable sampling to test account balances. Auditors have invented their own statistical method for testing balances called monetary unit sampling. The remainder of this chapter will present the monetary unit sampling method and walk you through how auditors use it to test account balances. I will not cover classical variable sampling because it is so rarely used in practice.

Monetary Unit Sampling

Relationship to Attribute Sampling

Monetary unit sampling (MUS) is a modification of the attribute sampling method auditors use to test controls that is designed to test account balances. Auditors modify attribute sampling by treating each dollar in the account balance as the sampling unit. That is, they use underlying statistic formulae designed to test yes or no questions to test balances by treating a dollar as a sampling unit and ask whether that dollar is correct or not. However, since the auditor is interested in not only whether the dollar is correct or not, but by how much, they have to make modifications to the sampling procedures used for control testing.

The most obvious problem is that auditors can't test whether an individual dollar is misstated or not; they can only test whether an individual item (e.g., customer's account receivable, item of inventory) is misstated and by how much. Thus, auditors must make some assumptions to convert statistical tests designed for yes/no answers to generate estimates of the dollar amount an account is misstated. I will cover these assumptions as they arise in the sample process that I describe next.

One other challenge in teaching MUS is that there is no one generally accepted approach to making the adjustments necessary to apply attribute sampling techniques to dollar balances. The approach that I present in this chapter is based on the approach presented in A.A. Arens, R.J.

10-2

Elder, and M.S. Beasley, Auditing and Assurance Services: An Integrated Approach.55 and in one of the original classics on the topic, D. A. Leslie, A. D. Teitlebaum, and R. J. Anderson, Dollar Unit Sampling: A Practical Guide for Auditors.56 However, I also will point out some alternatives where different approaches are used as well.

Key Parameters

Since MUS is based on attribute sampling, the key parameters are the same. However, since the purpose of the test is different, auditors use different terms. Here is the mapping:

55 A.A. Arens, R.J. Elder, and M.S. Beasley (2008), Auditing and Assurance Services: An Integrated Approach, Pearson Prentice Hall.

56 D. A. Leslie, A. D. Teitlebaum, and R. J. Anderson (1979), Dollar Unit Sampling: A Practical Guide for Auditors, Toronto, Copp, Clark, and Pitman.

10-3

Mapping of Attribute Sampling Terms to MUS Attribute Parameter MUS Parameter Concept Confidence level = 1 - Confidence level or ARIA is sampling risk and equals 1 - Acceptable Risk of Acceptable Risk of confidence level. That is, the amount of Assessing Control Risk Incorrect Acceptance sampling risk the auditor is willing to Too Low (ARACR) (ARIA) accept is 1 - the confidence level the auditor wants to achieve. Tolerable deviation rate Tolerable The error rate that the auditor can tolerate misstatement rate 57 in the population and still conclude either the control is working or the balance is accurate. Expected deviation rate Expected population The level of error the auditor expects in the misstatement transactions process by the control or in the account balance. N/A Population size Attribute sampling approach tells that auditors do not consider population size when calculating sample size but MUS does. The reason for this difference is rather technical. The basic intuition is that MUS focuses on estimating and account balance and, in MUS, the population size is the number of dollars in that account balance. Thus, in MUS, population size is the account balance and the size of the account balance is relevant to selecting a sample size. Upper deviation rate Upper misstatement The upper deviation rate and the upper bound and lower misstatement bound are conceptually misstatement bound identical. They are the maximum error the auditor can expect in the population given their tolerable error or deviation rate and confidence level. Auditors also calculate a lower misstatement bound for MUS samples, which will be explained below. Finally, auditors use the term "bound" and not limit because calculation of the bounds requires assumptions.

57 I will be using the term "error" interchangeably with "misstatement" and will remind you of that periodically. Auditors use "misstatement" to refer to an error in an account balance and "deviation" to refer to an error in a control. I tend to use "error" for both because it is the same concept and simplifies my writing style.

10-4

Steps in the Testing Process

The steps auditors follow to execute an MUS are the same as they use for attribute sampling. I am going to illustrate my discussion of how these steps apply to substantive testing using the following example.58

I am auditing the accounts receivable balance of a firm by sending confirmations to the customers. This test can detect accuracy and validity assertion violations, but not completeness. A test for completeness would focus on determining whether the firm had recorded all valid accounts receivable balances. Since we must draw our sample from the firm's accounts receivable listing, the test cannot determine if that list is missing an account. If the auditor were concerned about completeness errors in the accounts receivable balance, (s)he would need to draw the sample from sales data or from accounts receivable balances with zero or negative balances. I will expand on this last point below when I discuss how to draw a sample with MUS show why zero and negative balances cannot be sampled with MUS.

I have established the following statistics about the firm's accounts receivable balance.

The book or reported value of their accounts receivable is $2,500,000 I have established a tolerable misstatement for this account of $125,000 I desire a 95% confidence level I expect a misstatement of $25,000

Determine the Test Objectives

The primary goal of MUS is to determine if an account balance is misstated and, if so, by how much. However, since my test cannot test for completeness errors, the objective of my test is to determine whether the accounts receivable balance is misstated due to validity and accuracy errors.

Determine the Population Characteristics

Define the Population

Auditors need to insure that the population fits the goals of their tests. Tests can have more general goals (e.g., in my example, I am testing for the amount of misstatement due to validity and accuracy errors). However, auditors also can focus tests on different assertions. For example, if the auditor were testing to make sure that all the goods that my example firm shipped were billed to a customer (completeness assertion), then the population for his/her sample would be the shipping documents and not the accounts receivable balances. In my example, I want to

58 This example was adapted from W. F. Messier, Jr., S. M. Glover, and D. F. Prawitt (2008), Auditing & Assurance Services: A Systematic Approach, McGraw-Hill Irwin.

10-5

test the balance itself and I am going to confirm those balances with the customer. For MUS, the population is all the individual dollars in the accounts receivable balance.

Part of the definition of the population also must include a frame or mechanism for identifying all the dollars in the balance. Since all the dollars in the accounts receivable balance must belong to some customer, my frame will be a list of each individual customer's account balance. Since the conclusions I can draw from any sample based on this frame only can be extended to the frame, I need to make sure that the frame captures all the items in my target population, which is the accounts receivable balance. In this example, I can verify that the frame and the population match merely by totaling the individual customer accounts in my customer listing and comparing it to the accounts receivable balance. If the two numbers are the same, I know my frame includes all the items in the balance.

Define the Sampling Unit

Defining the sampling unit in MUS is complex and can be confusing. The sampling unit is a dollar. However, all dollars in the sample belong to an item in the account balance and auditors review the items, not the individual dollars. For example, my running example involves auditing an accounts receivable balance, which is the total of individual account balances. With MUS, the auditor selects individual dollars to sample, but then determines which account those individual dollars belong to and then audits that account balance. I appreciate this process is hard to "get your brain around," but I am going to defer providing a concrete example until I discuss "selecting sample items" below.

Define a Misstatement

For an MUS, a misstatement is a difference between the recorded or book amount for an individual item in the account balance and the amount the auditor, based on their audit evidence, believes that amount should be. Again, note the auditor is auditing an individual item from the account balance and not an individual dollar. An MUS just uses individual dollars to as a tool to select the individual customer account to audit.

Auditors need to be careful about their definitions of misstatement because differences can arise from circumstances that do not constitute a misstatement. For example, I am illustrating MUS in this chapter with an example that involves confirming accounts receivable with customers. The customer's response would be the auditor's best evidence of the correct balance amount. However, the customer's response could be different from the book amount because a check from the customer was in the mail and hadn't been received by the auditee yet. Thus, auditors need to review carefully their audit evidence to determine if any differences are truly misstatements.

Calculate the Sample Size

Auditors calculate sample sizes for MUS in the same manner that they do for attribute sampling, with one exception. For MUS, they also need to calculate or estimate the population size. They set or estimate the same three parameters needed by attribute sampling and look up the sample

10-6

size in a table.59 However, they need to use the population size to determine tolerable misstatement and expected misstatement rates, usually stated as percentages.

Next, I will walk you through the process of calculating a sample size for the example data listed above by discussing each of the three parameters you need to estimate as well as population amount. Since MUS is merely a modification of attributes sampling, calculating the sample size for an MUS sample is identical to calculating the sample size for an attribute sample. However, auditors use different terms for the three parameters used to calculate sample size. You should refer to the "Mapping of Attribute Sampling Terms to MUS" table above to determine which MUS parameter used to calculate sample size is equivalent to which attribute sampling term used in the "Statistical Sample Sizes for Attribute Sampling" table used below to calculate an MUS sample size.

Acceptable Risk of Incorrect Acceptance

In MUS, the term "Acceptable Risk of Incorrect Acceptance" really refers to sampling risk. Thus, acceptable risk of incorrect acceptance is the complement of the confidence level. As auditors increase their desired confidence level, the sample size increases. The intuition is that if they want to be more confident that their sample is representative of the population, they need to do more work. In addition, you can think of the acceptable risk of incorrect acceptance as the detection risk for the accounting and assertion the auditor is testing. That is, detection risk is the risk that the auditor's tests will not detect a material error in the balance. Since the auditor will know whether their sample has a material error in it, detection risk boils down to whether the sample is representative of the population, or sampling risk.

Tolerable Misstatement

Tolerable misstatement is the maximum misstatement the account balance can contain and the auditor will still be willing to certify it as accurate. Recall our discussion of planning materiality. One step in the auditing process is to allocate the materiality level the auditor has set to each account balance. One refinement I didn't mention at that time is that auditors may make that allocation not only to the account balance, but also to different assertions about that account balances. Thus, auditors may allocate materiality to tolerable misstatement on an account balance and assertion level. Thus, tolerable misstatement is the materiality level for the account and, possibly, assertion about an account.

Expected Misstatement Rate

This is the level of error, stated as a percentage of the population amount, that the auditor expects in the account balance and, again, possibly in a specific assertion about an account balance. Auditors set expected misstatement using the same sorts of tools they use to set expected deviation rates for attribute sampling because these two concepts are virtually identical.

59 Actually, the tables are calculated with formulas and so auditors can use formulas to calculate sample sizes. In addition, most audit firms now have audit software they use for sampling and that software calculates their sample sizes for them.

10-7

The key observation here is that the expected misstatement rate must be below the tolerable misstatement amount or auditors cannot test the balance. One reason is that auditors need to allow for sampling risk. For example, if the auditor expects the account balance to be off by 10%, then, assuming their sampling was representative of the population, they should end up with 10% error in their sample. However, when they project the sample results to the population, they need to add sampling risk, which would drive their maximum calculated misstatement level for the population above their tolerable misstatement level.

Finally, the higher the expected misstatement rate, the higher the sample size. Actually, this is a slight oversimplification. The more their tolerable misstatement level exceeds their expected misstatement level; the lower will be the sample size. The intuition here is that, as I just discussed, auditors need to allow some room between their tolerable misstatement level and expected misstatement level to allow for sampling risk. Thus, the greater this difference, the more sampling risk they can tolerable and the lower their sample size.

Population Size

Intuitively, you would expect population size to be directly related to the sample size in that the larger the population, the larger the sample needs to be to insure that it is representative of the population. This is true to a point. Note that MUS and attribute sampling are based on the same statistical theory and mathematics. However, the attribute sampling chapter I did not include population in my discussion of sample size calculations. In addition, many approaches to MUS also exclude population from the sample size calculation. The reason for the seeming inconsistency is that, when the population becomes large, differences in population size no longer matter for sample size calculations.

The intuition is that the population has some error rate in it. That error rate is an average of all the items in the population. If you add more items to the population that were generated by the same information system and control structure, the likelihood is that these new items would also have the same error rate. Thus, the increasing size of the population doesn't have a significant effect on the population's error rate. Using the same logic, you can see why increasing the sample size beyond a certain point will no longer reduce sampling risk by much. In general, regardless of the population size, samples sizes above about 200 no longer reduce sampling risk by a significant amount over a sample of around 200.

The sample size for the example I presented above is 93. I used the same table I used in Chapter 9 to calculate the sample size because the confidence level in my example also is 95%. I have duplicated the table below. However, I need to make some calculations to fit the example into the table's requirements. First, I need to state my tolerable misstatement as a percentage of the account balance. Thus, my tolerable misstatement rate (which is the same as the tolerable deviation rate in the table) is $125,000 / $2,500,000 or 5%. I need to do the same thing for the expected misstatement rate (which is the same as the expected population deviation rate in the table). My expected misstatement rate is $25,000 / $2,500,000 or 1%. Then all I had to do was look up the sample size, which is 93.

10-8

Statistical Sample Sizes for Attribute Sampling - 95% Confidence Level

Select Sample Items

Now life gets interesting. Since my sampling unit for MUS is an individual dollar, I need to find a way to select 93 individual dollars from a balance of $2,500,000. However, I won't be auditing an individual dollar, so I need to associate the individual dollars I select with a specific customers accounts receivable balance. Auditors refer to the item they actually will audit as the logical unit. Thus, in my example, an individual dollar in the accounts receivable balance (my population) is the sampling unit, but an individual customer account balance is my logical unit. I will use the sampling unit to select logical units, but will audit the logical units.

Mechanically, I need to create a list of all the individual dollars in the account balance that keeps the link between an individual dollar and a customer's account balance. I do this by listing all the customer's account balances, in any order, and running a cumulative total within the listing. The following figure presents this listing for the accounts in my example company. Note that this example is still based on a sample size of 93. However, all that means is that the same process used in the example would merely be extended to include an additional seven items.

10-9

60 Now I can randomly select any dollar between 1 and 2,500,000; go to this listing; and associate that dollar with a specific customer's balance. For example, if I selected the 40,000th dollar in the balance, that dollar would belong to Good Hospital Corp. because their balance accounts for the 18,790th dollar through the 40,683rd dollar.

Now I need a mechanism to select a sample of 93 dollars from the 2,500,000 dollars in the balance. Auditors can use either form of random sampling here. That is, they can draw a random sample using random numbers to select the 93 dollars or they can use systematic sampling. Because I illustrated random sampling in the prior chapter, I will use systematic sampling in this chapter.

Recall from Chapter 9 that auditors take a systematic sample by finding a random starting point and then sampling every nth item from that starting point on. They calculate the number to use for n by dividing the population by the sample size. The approach is the same for MUS but the term for "nth" is the sampling interval. In my example, the sampling interval is $26,882 ($2,500,000 / 93, rounded up to the even dollar).

Now I am ready to draw my sample. I use a random number generator or random number table to find a random number between 1 and 26,882 for my starting point. Then I sample every 26,882th dollar from then on. In this case, my random number table yielded 3,997 as a starting point and my sampling procedure selected the accounts that are bolded in the figure above. Thus, Admington Hospital was the first item I selected because its account balance contained the 3,977th dollar in the accounts receivable balance. To select the next item, I added the sampling interval (26,882) to the starting number (3,977) and got 30,859. Since Good Hospital Corporation's balance contained the 30,859th dollar, I selected it as my second sample item. Then, I just kept adding the sampling interval to the prior number and selected 93 items for my sample.

60 All three of the figures in this chapter were taken from W. F. Messier, Jr., S. M. Glover, and D. F. Prawitt (2008), Auditing & Assurance Services: A Systematic Approach, McGraw-Hill Irwin.

10-10

Auditors call this sample selection process probability proportionate to size (PPS) because the likelihood that a customer balance will be included in the sample is proportional to the size of the customer's balance. Since my sampling unit is a dollar and since larger balances have more dollars, larger balances are more likely to be included in my sample. Auditors like this feature because it weights their sample toward larger items that will increase the power of their tests because larger items have a greater impact on the account balance.

This approach has some other features as well. Any item in the population that has an amount that is greater than the sampling interval must be included in the sample. In addition, items with balances larger than the sampling interval may also be included twice in the sample. In the figure above, Axa Corporation's balance ($32,549) exceeds the sampling interval ($26,882). Thus, it must be in the sample. However, its balance also is associated with more than one sampling unit. Good Hospital Corp. was included as the second logical unit because the second sampling unit ($30,859 = $3,977 + $26,882) was contained in its balance. The third sampling unit would be $57,741 ($30,859 + $26,882). However, this sampling unit also is contained within the Axa Corporation's balance. Although Axa can only be audited once, the results of the test of its balance will be included twice in the sample.

Another feature of MUS sampling that flows from the sampling procedure is that accounts with zero balances cannot be selected using MUS sampling techniques because they cannot contain any sampling units. In addition, any customers with negative balances would be excluded from the sample. In my example, these would be customers with credit balances in accounts receivable. The reason for this is not quite as obvious. Consider what effect a negative balance would have on the cumulative total the auditors were using to select their MUS. It would lower the cumulative balance to a level that was less than the cumulative balance at the end of the logical unit that preceded the credit balance and, in effect, create a sort of loop in the sample selection procedure.

Here is a summary of the key features of MUS, or probability proportionate to size, sampling:

The likelihood of an individual item being selected in an MUS sample is proportionate to the size of the balance Items whose amount is greater than the sampling internal always will be selected in the sample. Items whose amount is greater than the sampling internal may be included more than once. Zero and negative balances cannot be included in an MUS sample.

Perform the Tests

This step is straightforward. The auditors merely execute their planned test, which is confirming the accounts receivable in this case.

10-11

Calculate Results

Calculating the sample results is quite complex. The first step, which is calculating the error rate in the sample, is simple. However, the auditor needs to project the sample results to the population and calculate the upper and lower misstatement bounds to conclude on the account balance. The upper misstatement bound is the likely maximum overstatement error in the population given the sample size and sampling results. The lower misstatement bound is the likely maximum understatement error in the population given the sample size and sampling results.

Assuming the sample finds overstatement errors, the upper misstatement bound is the overstatement level of the sample plus an amount that captures the sampling risk. Note that the auditor is not trying to estimate the error rate in the population, but the maximum level of error in the population based on the sample results and sampling error. There always will be uncertainty in any account balance that the auditor projects from the sample results and (s)he wants to insure that the error in the population balance does not exceed the tolerable misstatement. (S)he is not concerned with what the balance should be, just that it isn't too far off from the balance reported in the auditee's books. Assuming the sample finds understatement errors, the lower misstatement bound is the understatement level of the sample plus the same amount that captures sampling risk. However, to calculate the final upper and lower misstatement bounds, the auditor will need to offset understatement errors against overstatement errors and visa versa, which I will illustrate below.

Calculate Basic Precision

As I just mentioned, auditors calculate the misstatement bounds by adding a sampling risk factor to the error rate detected in the sample. They call this sampling risk factor the basic precision because it is the result of the basic assumptions they used to calculate the sample size. The basic precision is the misstatement bound, upper or lower, that would result from a sample that found no errors. For this example, I will use the 95% confidence table from Chapter 9 that calculates the upper deviation rate. Note that the upper deviation rate and the misstatement rate are the same thing. Auditors just use the term "deviations" when testing controls and "misstatement" when testing balances. Both represent the maximum error rate in the population given the sample results and the sampling risk.

10-12

Upper Deviation Rates for Attribute Samples - 95% Confidence Level61

Keep in mind that the entries in this table are the estimated number of deviations in the population. Since the table has no entry for a sample size of 93, I rounded the sample size down to 90 to be conservative and calculated my basic precision. This approach yields a basic precision for my sample of 3.3 percent, which estimates the sample risk for a sample of 90 items given a confidence level of 95%. A confidence level of 95% is identical to a tolerable misstatement rate of 5% (e.g., 1 - 5% = 95%).

Calculate the Effect of Misstatements in the Sample

The following table contains the results from my sample of my example company's customer accounts receivable balances.

Example Sample Results Customer Book Value Audited Value Difference Sample Unit Error Rate (Difference / Book Value) Good Hospital $21,893 $18,609 $3,284 0.15 Marva Medical Supply 6,705 4,023 2,682 0.40 Learn Heart Centers 15,000 0 15,000 1.00 Axa Corp. 32,549 30,049 2,500 0.08 Wayne County Medical 2,000 2,200 -200 -0.10

My goal at this point is to calculate a sample error rate to which I will add the 3.3% basic precision, which will yield my upper misstatement bound. In addition, since the sample also found an understatement error, I will need to calculate a lower misstatement bound as well. Then

61 Recall that this table was developed for attribute sampling where the sampling unit is either right or wrong and not for MUS. For MUS, "deviations" are "misstatements."

10-13

I will need to adjust the upper misstatement bound for understatement errors and adjust the lower misstatement bound for overstatement errors.

MUS requires that I calculated the upper and lower bounds separately and not combine over and understatements into one calculation. Recall that the upper bound is based on overstatements and the lower bound is based on understatements. Once I have calculated these two bounds, I will combine the results by using the overstatement results to adjust the lower bound and the understatement results to adjust the upper bound. That is, I will offset overstatements and understatements.

Compute the Upper Misstatement Bound

To compute the upper misstatement bound, I need to project the errors from the sample to the population and I need to add sampling risk using the basic precision percentage I calculated above. The following table presents the calculations for my sample, which I will explain in detail right after the table.

10-14

Calculation of Initial Upper and Lower Misstatement Bounds Misstatements Upper Precision Recorded Sample Unit Misstatement Bound Portion Population Error Rate Bound Portion Value 1 2 3 4 (2 * 3 * 4) Overstatements Basic Precision 0.033 $2,500,000 1.00 $82,500 Learn Heart Centers 0.019 $2,500,000 1.00 47,500 (0.052 - 0.033)

Marva Medical 0.017 $2,500,000 0.40 17,000 (0.069 - 0.052)

Good Hospital 0.015 $2,500,000 0.15 5,625 (0.084 - 0.069)

Axa Corp. 0.015 $2,500,000 0.08 3,000 (0.099 - 0.084)

Axa Corp. 0.015 $2,500,000 0.08 3,000 (0.114 - 0.099)

Initial Upper $158,625 Misstatement Bound Understatements Basic Precision 0.033 $2,500,000 1.00 $82,500 Wayne County 0.019 $2,500,000 0.10 4,750 Medical (0.052 - 0.033) Initial Lower $87,250 Misstatement Bound

The first step is to calculate the basic precision, which represents the sampling risk. That is, we need to calculate the upper misstatement bound given that we found no errors in the sample. I looked up this percentage in the "Upper Deviation Rates" table above. I have highlighted the 3.3% (0.033) rate in the "0 Deviation" column and "90 sample size" row. The "basic precision" error rate means that, due to sampling error, you can only be 95% sure (the confidence level for the table) that the population contains no more than 3.3% misstatements, either over or under, even if you found no errors in your sample.

However, to complete the basic precision calculation, I need to make an assumption about how badly misstated a misstatement is. That is, the 3.3% upper misstatement rate is saying that up to

10-15

3.3% of the customer account balances can be misstated in the population even in our sample of 90 found no misstatements but it doesn't say by how much each account can be misstated. This is one modification that MUS makes that requires an assumption. The tables we are using are based on yes/no errors and not the size of the error. Thus, the basic precision is stated in terms of the proportion of account balances that are misstated, but not by how much.

My example assumes a 100% error rate for each misstated account. That is, if an account is misstated in the population, it is misstated by 100%. This is what the Sample Unit Error column reports. For items in my sample, I know what the error rate was. But basic precision is about error rates that would occur in account balances not in the sample and is measuring sampling risk. Thus, I need to make an assumption about the rate of error in items in the population that may be misstated but were not in the sample.

100% is the most common assumption used by auditors. It is conservative because most account balances that are misstated are probably misstated by less than 100% of their balance. However, auditors who use lower error rate assumptions for basic precision have to justify these lower levels and that is hard to do. One alternative to making such a general assumption would be to use the average error rate in the sample. That is, the assumption auditors are making is how much an account is misstated given it is misstated. They could average the misstatement rates for their sample and use that average in their basic precision calculations, which would give their assumption some empirical basis. It still is an assumption since the auditor would be assuming that the error rates in the misstated items in the sample were the same as the error rates for any misstated customer accounts in the population. However, the assumption would at least be based on observed data and not just a general assumption as the 100% assumption is.

In my example if I averaged the error rates, both over and understatement, from the sample, I would get 30% [(1.00 + 0.40 + 0.15 + 0.10 + 0.08 + 0.08) / 6 =0.30]. However, the auditor also could calculate the average error rates for over and understatements separately if (s)he believed that the error rates for these two types of misstatements differed.

While using the error rates from the sample appears to have some logical appeal, I couldn't find examples in the audit literature where is was used in practice. Thus, for my example, I will use the most common assumption of 100%.

The second step is to rank order the errors that I found from largest error rate to smallest. The "Example Sample Results" table calculates the error rate from each logical unit in my sample for which I found an error. I entered the error rates for each item in this table into the "Calculation of Initial Upper and Lower Misstatement Bounds" table from top to bottom in with the highest error rate first. Since Learn Heart Centers had the highest error rate of 100%, it is listed first. I also list the overstatement errors separately from the understatement errors.62 Finally, the table

62 I am using "error" and "misstatement" interchangeably here. They mean the same thing, but auditors tend to use "misstatement" for errors in account balances and "deviations" for errors in the execution of controls. I just find "error" to be easier to read. However, "misstatement" is the preferred term for errors in account balances.

10-16

includes the results from Axa Corp. twice because its accounts receivable balance was larger than the sampling interval, which means is was selected twice in the sample. However, the account can only be audited once and only has one error rate.

The next step is to assign each error with an "Upper Precision Limit Portion." This is the increase to our upper and lower precision limits that we need to add because we found an error in the sample.

To calculate this amount, I need to go to the "Upper Deviation Rate" table above to calculate the incremental percentage points I need to add based on finding one more error in the sample. This is the calculation shown in Column 2 of the "Calculation of Initial Upper and Lower Misstatement Bounds" above. Since Learn Heart Centers is the first misstatement in my table, I subtracted my basic precision from the error rate I would expect given one error in the sample, which is 4.7%. This yields an increment of 1.7 percentage points63.

Since the amount of the increment declines as the number of errors increases, this approach also is conservative. Since Learn Heart Centers error rate was the highest, it is assigned the first upper precision limit increment of 1.9 percentage points. The next highest error rate was found in the Marva Medical account and its increment is only 1.7 percentage points. The increment continues to decline for each additional error. The last three are the same due to rounding. Thus, larger error rates are assigned larger upper precision limit portions or increments, which is a conservative assumption.

Next, I need to project the error rate from the sample item to the population. I do this by multiplying the incremental contribution to sampling risk (i.e., Upper Precision Limit Portion in Column 2) times the population amount (i.e., account balance) in Column 3 times the error rate in the sampled item (Column 4). Thus the error found in an individual account from my sample contributes to the misstatement bound because an error existed (contribution to sampling risk), the size of the population, and the error rate in the sampled item.

I proceed with the same process for each misstated logical unit in my sample. Once I have completed that process, I sum all the contributions to the misstatement bound to get an initial misstatement bound. I perform the same calculations for all over- and understatement errors separately. For my example, the Initial Upper Misstatement Bound is $158,625 and the Initial Lower Misstatement Bound is $87,250. What the Upper Misstatement Bound mean is that if I only consider the overstatement errors in my sample, I can be 95% confident that the auditee's accounts receivable balance will overstated by no more than $158,625. The Lower Misstatement Bound means that if I only consider the understatement errors in my sample, I can be 95% confident that the auditee's accounts receivable balance will be understated by no more than $87,250.

63 Students frequently get "percentage" and "percentage points" confused. The correct concept here is "percentage points."

10-17

Finally, I need to combine my over and understatement errors into one set of upper and lower misstatement bounds. Since these errors came from the same account, I need to conclude on the account balance. The following table presents these calculations for my sample.

Adjusted Misstatement Bounds Calculations Misstatements Sample Sample Recorded Point Adjustments Unit Size Population Estimate to Bounds Error Value 1 2 3 4 5 6 (2 / 3 * 4) Adjustments to Upper Misstatement Bound Initial Upper $ 158,625 Misstatement Bound Wayne County Medical 0.10 90 $2,500,000 $ 2,778 (2,778) Adjusted Upper $ 155,847 Misstatement Bound Adjustments to Lower Misstatement Bound Initial Lower $ 87,250 Misstatement Bound Learn Heart Centers 1.00 Marva Medical 0.40 Good Hospital 0.15 Axa Corp. 0.08 Axa Corp. 0.08 Total Error Rates 1.71 90 $2,500,000 $ 47,500 (47,500) Adjusted Lower $ 39,750 Misstatement Bound

The first step in combining the over and understatement errors is to calculate a point estimate of how the errors would affect the population balance. The point estimate is a different concept than the contribution of each item to the misstatement bounds (i.e., misstatement bound portion) because the misstatement bounds consider sampling error and the point estimate does not. In addition, auditors calculate the point estimate for the entire sample, not each logical unit in the sample. That is, the point estimate is an estimate of how the population balance would change assuming all items in the population were in error at the average error rate of all the items in the sample.

Auditors calculate the point estimate for the over and understatement errors separately and then adjust the opposite bound by that point estimate. That is, they would calculate a point estimate for overstatement error and use that point estimate to adjust the lower misstatement bound. They also would calculate a point estimate for the understatement errors and use that point estimate to adjust the upper misstatement bound.

10-18

In the above example, I only found one understatement error and so I use the error rate for that item to calculate an average understatement error rate for the sample. Since I only had one understatement error of 10% in a sample of 90 items, the average understatement error rate for the sample is 0.11111% (10% / 90 = 0.11%). I estimate the population understatement error rate by multiplying the average sample error rate times the population balance (0.11111% * $2,500,000 = $2,778). Note that this calculation assumes that all items in the population are understated by the same percentage as the average understatement percentage in the sample and there is no consideration for sampling error.

I make the final adjustment to the upper misstatement bound by lowering it by the point estimate for understatement errors. I know this is a very complex calculation, but the intuition is that the upper misstatement bound was calculated only using the overstatement errors (i.e., the auditee's book value was higher than the confirmed value for an account) in the sample and the sample also found understatement errors (i.e., the auditee's recorded book value was lower than the confirmed value for the account). Thus, we need to lower the upper misstatement bound to account for the understatement errors before we use that bound to determine if the account balances is misstated. Thus, the adjusted upper misstatement bound for my sample is $155,847.

Since the sample produced five overstatement errors and I need to calculate an average overstatement error rate for the sample, I need to total the error rates for the overstatement errors and divide by the sample size to get an average error rate for the sample. In the above example, the total error rates for the overstatement errors was 171% (or 1.71). Dividing this total by the 90 items in the sample yields an average error rate for the 90 items of 1.71% or 0.019. Multiplying this average error rate times the population yields and adjustment to the lower misstatement bound of $42,750 (1.9% * $2,500,000 = $47,500). Finally, I lower the lower misstatement bound by the adjustment to get an adjusted lower misstatement bound of $39,750.

Again, the intuition is that my initial lower misstatement bounds were calculated using only the understatement errors from my sample and the sample also found overstatement errors. Thus, the lower statement bound needs to be reduced to consider those overstatement errors.

Draw Conclusions

Execute the Decision Rule

The decision rule auditors use to conclude on the account balances includes both upper and lower misstatement bounds. The rule is "If both the lower misstatement bound and upper misstatement bound fall between the under misstatement and over misstatement tolerable misstatement amounts, accept the account balance." That is, based on my sample results, I can conclude with 95% confidence (i.e., with a sampling risk of 5%) that the accounts receivable balance is overstated by no more than $155,847 and understated by no more than $39,750. Stated another way, I can conclude with 95% confidence that the actual account balance lies between $2,344,153 (the $2,500,000 recorded or book value less my adjusted upper misstatement bound or $2,500,000 - $155,847) and $2,539,750 (the $2,500,000 recorded or book value plus my

10-19

adjusted lower misstatement bound or $2,500,000 + $39,750). Thus, for my example, I must reject the balance since my upper misstatement bound is larger than the tolerable misstatement amount I set for the example.

However, the MUS process contains several simplifying assumptions and so auditors rarely just rigidly execute the decision rule and move on. Rejecting an account balance creates problems for both the auditor and the auditee and so auditors usually want to do additional work before rejecting a balance. The next section discusses the simplifying assumptions that MUS uses to help you appreciate why the results should be reviewed before the auditor concludes on the account. The section after that discusses the options available to the auditor if their sample results indicate that the account balance should be rejected.

Summary of MUS Assumptions

The above discussion of MUS has only made very limited references to the assumptions auditors use in executing an MUS sample and interpreting the results as well as other biases and problems that arise from using MUS. MUS is a modification of attribution sampling and all those modifications involve some assumptions about the sample errors and the population being sampled. The mathematics behind attribute sampling, and the tables used in the above MUS example, assume that the sampled item can be either right or wrong and do not consider how right or how wrong. This assumption fits the types of errors that occur when auditors audit controls because either the control eliminated an error or it didn't. However, the misstatement errors that auditors detect when testing account balances vary in size. Thus, the math for attribute sampling doesn't fit the population auditors sample when testing account balances. MUS has made a series of assumptions to compensate for this mismatch between the math used to calculate sample sizes and interpret results for attribute samples and MUS samples. The main assumption and issues are;

MUS is biased towards overstatement errors, not understatement errors. The reason is the probability proportion to size feature of MUS sampling. Since an overstatement raises the book balance of an account and an understatement lowers the balance, overstated balances are more likely to be sampled than understatement errors. Thus, MUS is rarely applied to accounts where auditors are more concerned about understatement (e.g., liabilities) than overstatements (e.g., assets). MUS requires that auditors make an assumption about the error rate for misstated items in a balance when calculation basic precision because the statistical techniques used by MUS are built on yes/no errors and not the amount of an error. The results of an MUS can vary dramatically depending on what assumption the auditor makes. Because of the way auditors select sampling units with MUS, accounts with zero and negative balances are never selected and must be audited separately.

Auditors must rank order the errors they find in an MUS sample and normally assume that the largest errors also are the most likely to impact the population. This is the ultimate effect of assigning the item with the largest error rate in the sample to the highest incremental increase in the upper or lower precision bound.

10-20

Because of these issues, there are some differences between classical variables sampling and MUS. The main ones include:

Compared to classical variable sampling, MUS yields lower sample sizes for populations with low expected error rates. The precision of the results between the two methods is the same, but MUS is able to achieve the same level of precision with a smaller sample than classical variable sampling, but just for low error-rate populations. The same feature that creates the above advantage leads to interpretation problems for samples with more than one or two errors. If there are more than a few errors in the sample, the MUS results overstate the amount of error in the population. In general, auditors tend to make conservative assumptions with MUS when MUS requires assumptions. Thus, MUS tends to overstate the actual amount of error in most populations.

Auditor's Options is Sample Results Indicate Rejection of the Account

Based on the results of my sample, I would conclude that the auditee's accounts receivable were overstated because the upper limit of misstatement was higher than my tolerable misstatement. However, my options at this point are all costly to some degree and so I would want to review the misstated accounts once more before I decided what follow-up actions to take. I don't want to press forward blindly just based on the math, but would want to make sure that I understood what caused the errors in the customer accounts.

I have three follow-up actions that I can take when my sample indicates a misstatement in the auditee's account:

Take no action until the audit is completed and then determine if the error in the accounts receivable balance would create a material misstatement if the financial statements taken as a whole when combined with other errors the auditor found in other accounts. The auditor's goal is to certify that the financial statements are not materially misstated, not to certify each account balance individually. Thus, the auditor could just wait until the end of the audit and see how the misstatement in accounts receivable affected the financial statements when any other account misstatements were considered before deciding whether to do anything about the accounts receivable misstatement amount. Expand the sample size and hope that the reduction in sampling risk offsets any additional errors that I might find. This option will add cost to the audit with no guarantee that the additional items won't just confirm my prior findings. Do other audit work using other types of substantive testing procedures to confirm the balance. In my example, I relied on confirmations to verify the accounts receivable balance. Since customers' records can be faulty, this option probably would be the best one for my example. I could do a detailed review of the auditee's supporting documents for the account balances that weren't confirmed to try to determine if the auditee’s or the customers' balances were correct.

10-21

Ask the auditee to restate their balance to bring it in line with my sample projections. This is a difficult option for the auditee because, other than the three errors I found in my sample, they would have no way of knowing which customer's balances were in error. Thus, they would have to make some sort of general adjustment to accounts receivable that wouldn't tie to their accounts receivable subsidiary ledger. Recall that the accounts receivable balance is just a total of individual customer's accounts. If I ask the auditee to adjust the total, they face a dilemma of how to do that and still keep the total accounts receivable balance equal to the sum of the individual customer account balances when they don't know which customer's balances are in error. Ask the auditee to adjust the population. This is an extreme request for account balances that have a significant number of items in them. Typically, accounts receivable balances consist of many individual accounts, none of which is very large. If this is the case, having the auditee review every individual balance in accounts receivable and correct them would probably be too costly for the auditee. However, for account balances that contain a few, large individual items, this option may be reasonable. The last, and most extreme, option is to qualify my audit opinion. We will cover the types of qualifications I could make in the chapter on the audit reports. At this point you need to understand that this option is extreme in that very few audit reports are every qualified in any manner. Roughly 97% of all audit reports are "clean." Thus, giving an auditee a qualified audit opinion is a very strong signal to the capital markets that the auditee has some serious problems.

Non-statistical Sampling

I am not going to cover non-statistical sampling in much detail in this chapter because I discussed the main issues in Chapter 9 and the issues are the same for substantive testing as they are for control testing.

The distinction between non-statistical and statistical sampling rests with the procedure the auditor uses to select the sample. If it is random, or closely approximates random (e.g., the systematic approach MUS uses), then the auditor is using statistical sampling and can use attribute sampling mathematics to make precise estimates of sampling risk to use to project the sample results to the population. However, as I mentioned in the discussion of MUS assumptions above, the precision of the auditor's conclusions for MUS are lower than for attribute sampling because of the assumption auditors have to make to execute an MUS. If auditors do not use some form of random sampling approach, then they cannot make precise estimates of sampling risk because they cannot assume their sample is representative of the population.

However, auditors frequently want to target large or problem accounts or transactions when auditing account balances and, therefore, do not use random sampling procedures. Most audit firms finesse this issue by building specific guidelines for estimating sampling risk for non- statistical samples. Nearly all these guidelines assume that the sample is close to random and draw on statistical tables to provide specific adjustments for sampling risk. However, some

10-22

auditors also use stratified sampling techniques where they audit all, or a higher proportion of, individual items in the account balance over a certain amount and then randomly sample the rest. If they sample all items for a subset of the population, they would project sample results to the population by including any errors found in those accounts without a sampling risk factor. Then they would project any errors found in the smaller accounts using some estimate of sampling risk.

Finally, some auditors may not feel comfortable with sampling dollars and testing accounts. That is, some auditors may not feel comfortable with a separate between sampling and logical units. Therefore, they may prefer to use account balances as both the sampling and logical unit. This is the approach that classical variable sampling uses, but auditors may not want to go through the classical variable sampling procedure for estimating sample size and might just take a haphazard sample of customer accounts. Again, this approach is non-statistical and the auditor cannot quantify sampling risk.

10-23

Chapter Eleven - Completing the Audit

Summary

This chapter covers a list of activities that auditors perform after their fieldwork, which includes all their tests of controls and balances as well as inherent risk and control risk reviews, has been completed. After completing this chapter, students should be able to:

Define contingent liabilities; describe the types of events that might create a contingent liability; and describe some places auditors look for contingent liabilities. Describe how auditors treat events that occur after the end of the fiscal year being audited, but before the audit opinion has been issued and that have a material impact on the audited financial statements, and describe steps auditors use to identify these events. Describe other steps the audit takes at the end of the audit to ensure that the audit is complete. Describe the going concern issue and how auditors address it in an audit report. Describe the communications, in addition to the audit reports, auditors are required to make to the auditee's governing body and the communications they normally make to management at the end of the audit.

Overview of Topics in this Chapter

This chapter presents a description of audit activities that typically occur after the auditor has completed their testing of controls and account balances. These activities normally do not lead to any changes in the financial statements, but do related to footnote disclosures as well as potential qualifications of the audit opinion. They also include communications the auditor is required to make to the auditee's management and Board of Directors regarding audit findings. These communications are in addition to the reports the auditor issues on the auditee's financial statements, internal controls, and management's assessment of internal controls that I will cover in the next chapter.

Contingencies

Definition and Classification Rules

GAAP defines a contingency as an existing condition, situation, or set of circumstances involving uncertainty as to possible loss or gain to an entity that will ultimately be resolved when some future event occurs or fails to occur. Basically, a contingency is an incomplete transaction where part of the transaction has occurred, but the transaction won't be complete until some future event, or lack of event. Conceptually, GAAP is concerned with how complete the transaction is and whether it will lead to a gain or loss for the firm. The literature refers to

11-1

contingent liabilities and losses as well as contingent gains and assets. Losses create a liability the firm needs to pay and gains create assets the firm can claim.

GAAP looks at two criteria for determining whether a contingency is recorded on the balance sheet, disclosed in the footnotes, or ignored: likelihood that the transaction will ultimate be completed and measurability of the value of the transaction when it is completed. GAAP applies conservatism and uses different criteria for a potential gain versus a potential loss.

The probability categories GAAP to the likelihood criteria are:

Probable - the event that will close the transaction is likely to occur Reasonably possible - the chance the transaction will close is more than remote but less than probable Remote - the chance that the transaction will close is slight

GAAP also considers whether the value of the transaction, should it close, is estimable or not. I have included a summary of the classification rules in the diagram below. There are three possible outcomes: the contingency is accrued in the balance sheet, it is disclosed in the footnotes, or it is ignored (as far as the financial statements are concerned).64

Event Contingent Contingent Loss/liability Gain/asset

Probability of Probable Reasonable Remote Probable Reasonable Occurrence or Remote Estimable?

Yes No

Accounting Accrue Disclose Disclose Ignore Disclose Ignore Treatment Here is a short statement of the classification rules:

For contingent losses or liabilities -

64 I have included a discussion of both gains and losses for contingencies because GAAP includes rules for both. I believe I am the only auditing author to include gains in my discussion because auditors are heavily prejudiced towards conservatism and do not look for missing assets nearly as rigorously as missing liabilities. However, an auditor's responsibility is to determine if the financial statements are fairly stated, not conservatively stated.

11-2

If the event is probably and the value is estimable - accrue it as a liability on the balance sheet. If the event is probable but the value is not estimable or the event is reasonably possible and the value is estimable, then disclose information about the event in the footnotes. Note that since the value is not estimable, or the event is only reasonably probable, the amount for the potential loss is not disclosed. If the probability is remote, then the auditee doesn't accrue or disclose anything.

For contingent gains or assets -

Disclose probably events Ignore all others

Examples

Contingent liabilities can be created by any of the following types of activities:

Pending or threatened lawsuits Other types of actual or possible claims or assessments (e.g., property tax valuation disputes) Income tax disputes Product warranties or defects Guarantees or obligations to others (e.g., co-signing on a note for another party) Agreements repurchase receivables that have been paid.

Some of these events systematically lead to different types of classifications. For example, lawsuits tend not to lead to accruals because each case is unique and the uncertainties of litigation are substantial. However, product warrantee claims usually lead to accrual because they are an ongoing part of business and firms usually have substantial experience on which to base determine the probability that claims, on average, will occur and when they do, how much they will cost.

The above list assumes that third parties have potential claims against the auditee. However, when the auditee has similar claims against others (i.e., are on the other side of the potential transaction), then a potential contingent gain or asset can occur.

Audit Procedures

The auditor's goal concerning contingencies is to insure that the auditee has indentified all of them (completeness); has properly classified them into their reporting category (validity); and has properly valued them if required by GAAP (accuracy). Auditors use a variety of procedures to look for contingencies. Some of the more common include:

Reading Board of Directors and Committee minutes

11-3

Review contracts and other such agreements Review income, sales, property, and payroll tax returns. Reviewing and confirming letters of credit, loan guarantees, and other such documents Reviewing the general correspondence files of key corporate officers Interviewing the members of the Board of Directors and key corporate officers Obtaining attorney representation letters and reviewing expense accounts containing attorney's fees. Obtaining a written statement from management concerning pending legal and other types of claims.

Legal Representation Letters

Two of the above bullets require additional explanation. The first is the legal representation letter. Auditors ask the auditee's management to request certain information from their attorneys. Because of attorney client privilege, the auditee's attorney cannot directly respond to the auditor's requests for information. The request must come from the auditee. The auditor will review the auditee's payments to attorneys to identify the attorneys with which the auditee has done business and then ask the auditee's management to request legal representation letters from those attorneys. In addition, the auditor will ask the auditee's management for a list of attorneys as well. However, they will confirm the list by checking payments to attorneys.

The legal representation letters ask attorneys to provide the following information:

List and description of any pending or threatened lawsuits or other claims against the auditee along with the attorney's assessment of the likely outcome of each. If management has provided the auditor with a list of the types of items mentioned above, then the letter will ask the attorney for any additions that (s)he may be aware of. A statement from the attorney about whether his/her response has been limited in anyway and, if so, how and why. A statement about any materiality levels that the attorney and auditee have agreed upon for the purposes of responding to the auditor's inquiries.

Attorneys are required to provide information about items to which they have devoted substantial attention. They also are informed of the GAAP disclosure requirements and are not required to provide estimates of the outcome of events that are either inestimable or remote. However, they are required to respond to the letter. If the attorney doesn't respond, the auditor may have to qualify their opinion on the auditee's financial statements.

11-4

Management Representation Letters

In addition to the legal representation letters, auditors ask management to confirm, in writing, that statements they have made to the auditors during the audit have been accurate and complete. While legal representation letters focus mainly on contingencies, management representation letters are much broader. I am including my discussion of management representation letters in this section because it is one of the tools auditors use to detect contingencies. However, the letter covers all statements management has made to the auditors during the audit.

Management representation letters are very important to the audit because the audit is so heavily dependent on information provided by management. Recall our discussion at the beginning of the class on moral hazard and the need for auditing. The audit in essence is an assessment of management's performance. However, management controls the bulk of the information on which the audit is based. Thus, there is a moral hazard problem. Auditors do many tests of records and gather information from third parties while conducting an audit. However, they still are heavily dependent on the accuracy and completeness of the information that management provides. Thus, auditors require management to sign a statement that management has been complete and accurate in making statements to the auditors.

Some specific items included in a typical management representation letter include:

The financial statements are fairly stated under GAAP and all required footnote disclosures have been included That all financial records, Board of Directors meeting minutes, and other key documents and correspondence have been supplied to the auditor That all communications with regulatory agencies regarding financial reporting have been disclosed All material transactions have been reported and/or disclosed The effects of uncorrected audit findings are immaterial Management recognizes their responsibility to establish and maintain an effect system of internal control and that they monitor the effectiveness of that control system They have no knowledge of any fraud They are not aware of any violations of the law They have no plans for future events that would affect the current valuation of liabilities and assets The firm is in compliance with all contracts and commitments Regulatory filings are complete and accurate

This is a highly condensed list and most management representation letters contain a lot more detail. For example, I included one bullet for "compliance with GAAP." Most management representation letters would include detailed statements about accounts receivable, inventory, and

11-5

other asset and liability valuations even those are contained within GAAP. Basically, you can consider this letter "butt covering" on the part of the auditor. If there is a problem with the financial statements that auditors don't catch, they want to be able to document that management misrepresented something to them to limit their liability.

Commitments

Commitments are similar to contingencies in that they involve incomplete transactions and, if material, they need to be disclosed or, in come cases, accrued. Firms engage in a variety of long- term, non-cancellable contracts that create commitments for the firm. In most cases, these commitments do not rise to the level of a liability because the transaction isn't complete. However, they may be significant in size and GAAP requires that they be disclosed.

The two most common classes of commitments are long-term, non-cancellable leases and purchase contracts. I am not going to go into the details of lease accounting in this course. It is covered in intermediate accounting. However, the auditor needs to review the auditee's leases and insure that they have been capitalized where required by GAAP. For operating leases that are not required to be capitalized, auditors need to insure that the required disclosures are included in the footnotes.

Long-term, non-cancellable purchase contracts are similar to long-term non-cancellable leases in that a lease is a commitment to purchase the use of an asset over time at a predetermined price while a purchase contract is a commitment to purchase an asset at a pre-determined price. If the size of these purchase commitments is material, the details of the purchase contract must be disclosed in the footnotes. Under certain circumstances, these purchase contracts may require that the auditee record a loss on their financial statements. For example, if the auditee has signed a non-cancellable purchase contract to purchase a raw material that is traded openly at a price that is higher than the market price as of the balance sheet date, the auditee would need to record a loss.

Subsequent Events and Discovery of Facts

While the auditor is certifying financial statements for a specific time period and as of a specific date, they also are required to look for major events or facts that occur after the fiscal year close and balance sheet date that might have a significant impact on how the reader of the financial statement would view the audited financial statements. In addition, the auditor may discover facts relevant to their audit opinion after they issue the opinion. This section discusses the rules auditors apply for determining whether these subsequent events and subsequent discovery of facts require either an alteration to the audit report. The following figure presents the time line involved.

Financial Audit Report Date Financial Statement Date - 2/15 Statements are Date - 12/31 Issued - 3/15

Subsequent Discovery of 11-6 Facts Subsequent Event Period

As the figure illustrates, generating an audit report and publishing financial statements takes time. Auditors have work they must do after the close of the fiscal year because they are certifying ending balances. However, once the auditor issues his/her report to the auditee, it takes time for the auditee to actually make the financial statements public and file them with the SEC. The auditor's responsibility for those financial statements doesn't end after the end of the fiscal year, nor after they issue their audit report. They are required to monitor the auditee even after the financial statements and audit reports are issued to determine if something happened that is relevant to those financial statements. There are two classes of "things" that the auditor must watch for: events that happen after the fiscal year end that have an effect on the financial statements and facts about events that occurred during the auditee's fiscal year that the auditor finds after the statements have been issued. I will discuss each of these in turn next.

Subsequent Events

Subsequent events are events that occur after the end of the fiscal year but that have a material effect on the financial statements for the fiscal year. There are two types of subsequent events: type 1 and type 2. The definition of these two types of events, and the auditor's responsibility for them, is very similar for both the auditor's responsibility for the financial statements as well as for the reports they now are required to issue on the auditee's internal controls. Thus, although my examples focus on matters that effect the financial statements and footnotes, the same logic and procedures apply to subsequent events that might affect the auditor's assessment of the auditee's internal controls as well.

Type 1 subsequent event - events that occur after the fiscal year end but that provide evidence about conditions that existed at or before the balance sheet date that materially affect the financial statements. An example would be the bankruptcy of a customer who owed the auditee money. In this case, the bankruptcy is considered evidence that the customer's account, at the balance sheet date, might be uncollectable even though the bankruptcy occurred after the balance sheet date. Another example would be settling a lawsuit where the amount of the settlement is different from the estimate shown in the auditee's footnotes or that was accrued as a liability. Type 1 subsequent events, if material, require that the auditee restate the financial statements before issuing them. Type 2 subsequent event - events that occur after the end of the fiscal year but might alter the fairness of the presentation of the financial statements as of the end of the fiscal year. These events tend to be large transactions, like the sale of subsidiary, merger with another firm, large stock or bond issuance, and major casualty loss (e.g., fire or flood). These events, if material, must be disclosed in the auditee's footnotes before the financial statements are issued.

11-7

If either of these two types of events occur after the auditor has issued his/her report but before the financial statements are issued, the auditor may need to dual date the audit report. Dual dating means that the audit report will have two dates, one for the bulk of the financial statement information and one strictly for the subsequent event.

Refer to the dates in the figure above to follow this example. Assume that the auditee involved in the figure purchased a subsidiary on 3/1. This would qualify as a type 2 subsequent event and would need to be included in the auditee's footnotes. The auditor would need to audit the information in that footnote and modify his/her report to include that information. However, if (s)he re-dated their entire audit report to 3/1 to indicate the date on which (s)he completed his/her audit work, (s)he now would be liable for all activity affecting the financial statements up to 3/1, not just for activity that occurred up to 2/15. To limit his/her liability, the auditor would leave the audit report date at 2/15, but include a statement in the report that they had audited the information in the new footnote discloser as of 3/1. By dual dating the audit report, auditors are limiting their liability for other activity that might have occurred between 2/15 and 3/1.

Subsequent Discovery of Facts

A subsequent event is one that occurred after the balance sheet date but before the financial statements were issued. Thus, information about these events can be included in the financial statements and audit reports before they are issued. While auditors are not required to conduct any auditor procedures after the financial statements have been issued, they are required to take some action if they obtain information after the financial statements have been issued that would have altered the financial statements or their audit report if they had know the information before the auditor issued his/her report. Note that if the facts relate to events that occurred after the audit report was issued but before the financial statements were issued; the auditor is not required to do anything.

This event is called a subsequent discovery of fact. An example would be that the client notifies the auditor after the financial statement were issued that they had discovered a major bug in their inventory software and that their ending inventory was materially misstated.

If the misstatement that is indicated by the subsequent discovery of fact is material, the audit needs to work with the client to reissue the financial statements and audit report. They also need to attempt to contact all parties whom they believe might be relying on the original financial statements and notify them of the error.

Obviously, the client and auditor cannot personally contact every person or institution that might be using the auditee's original financial statements. However, for publicly traded companies, they are required to contact the SEC, the stock exchanges on which the auditee's stock trades, and any other regulatory agency with which the auditee filed the original financial statements. In addition, if the audit used the financial statements to apply for a loan, for example, they would have to notify the lending institution.

11-8

Finally, the auditor would need to reissue their report after the client corrected the financial statements. In addition, the auditor would have to insure that the circumstances surrounding the re-issuances of the financial statements and the details of the reason for the re-issuances were disclosed in the footnotes of the re-issued financials statement.

If the client refuses to restate their financial statements, the auditor is required, if possible, to: notify the auditee to remove the auditors report from their financial statements; notify regulatory agencies that the auditor's report is no long valid; and notify any persons the auditor knows are relying on the financial statements that the audit report is no long valid (e.g., the auditee's bank).

The auditor should include in each of these notifications the details of the error and how it would have affected the financial statements and the auditor's report.

Audit Procedures

Auditors are not required to execute any audit procedures to detect subsequent discovery of facts. However, they are required to execute some audit procedures to detect subsequent events. Some examples include:

Asking management Reviewing any interim financial statements, usually quarterly, that might have been issued for the subsequent fiscal year Examining the auditee’s records for transaction that occurred after the fiscal year end that might qualify as a subsequent event Review Board of Directors minutes and other documents after the fiscal year end Reviewing the management representation letter and legal representation letters for any evidence of subsequent events

Going Concern Evaluation

An audit is essentially an historical exercise since the auditor is certifying the accuracy of historical information. However, they have one major forward-looking responsibility, which is to assess the auditee's viability for the immediate future. Auditing standards define "immediate future" as up to one year past the date of the financial statements being audited. That is, the auditor must consider whether the auditee will still be a going concern up to a year after the balance sheet date of the financial statements they are auditing. The reason for this requirement is that most of the valuation rules GAAP applies to assets assume that those assets are part of a viable business and not just a group of un-related assets. Consider what the assets of a firm would be worth if they were sold off individually, possibly because of a bankruptcy, versus how much they would be worth as part of a profitable firm. Thus, if the auditor believes that the

11-9

auditee might not be viable over the next year, then the financial statements might not fairly present the value of the firm's assets.

Auditors use the following steps to determine whether the auditee will be a going concern for the next year:

• Determine whether the audit evidence indicates a substantial doubt that the auditee will be a going concern. • If the audit evidence creates a substantial doubt, review management’s plan to mitigate the factors that are creating the doubt. That is, the auditee might be struggling at the end of the year, but the auditee's management would be aware of the problems and have a plan to correct. Auditors need to assess the viability of those plans before they conclude that there is substantial risk of a going concern problem. • Evaluate the evidence and management's plans and conclude whether the factors creating the risk are adequately disclosed in the financial statements. In addition, auditors are required to include an explanatory paragraph in their audit opinion that refers to the issues that create the risk of a going concern problem. I will discuss this modification in more detail in the chapter on the audit reports.

Final Evidence Evaluation

After the auditors have completed their fieldwork but before they issue their final report, they are required to step back and look holistically at the audit evidence. The vast majority of the procedures that auditors use is focused on assertion and account balance issues. However, they must certify that the financial statements, taken as a whole, are fairly stated. They also have to certify that the auditee's controls, taken as a whole, are effective. Thus, they need to consider the interactions between all the audit procedures they have run and the results they have obtained. The following subsections discuss a few of the major steps auditors execute to provide this level of overview.

Final Analytical Procedures

Earlier in this text, I discussed analytical procedures that auditors perform as part of their inherent risk assessment process. Auditors perform these procedures on the auditee's unaudited balances. Once the auditors have completed their fieldwork and the client has made any required adjustments to their account balances, the auditors rerun their analytical procedures to assess the overall fairness of the adjusted financial statements. Old auditors call this the "smell test" because they step back and try to determine if the final product "smells right."

Working Paper Review

Everything auditors do must be thoroughly documented in their working papers, which have been prepared by all members of the audit team. However, the partner in charge of the audit ultimately is responsible for signing off on the auditee's financial statements and internal controls. Thus, the partner in charge would perform a detailed review of the audit working

11-10

papers to insure him/herself that the audit reports (s)he intends to issue are supported by the evidence gather during the audit. In fact, working papers are reviewed as several levels. For example, audit seniors would review the working papers prepared by audit juniors under their supervision and audit managers would review the working papers of the audit seniors under their supervision. Thus, the audit partner may not review every working paper before signing off on the audit.

A part of this working paper review is to review the results of all the audit tests to determine how the results of those tests interact to affect the financial statements taken as a whole. For example, different audit procedures executed by different team members might contain information about a misstatement. These results might complement each other (add to the misstatement) or they might contradict each other (reduce the amount of the misstatement). Thus, auditors need to pull all the evidence together and organize it by assertion and account balance to develop their final conclusions on the financial statements and controls.

Evaluate Financial Statement Presentation and Disclosure

The above discussion focuses on making sure the account balances are correct or that the auditor's conclusions about controls are supported. In addition, the auditor needs to review the financial statements in their final form to insure that they are presented properly (e.g., current assets are properly shown in the right place on the balance sheet and labeled) and that all the disclosures required by GAAP are included in the footnotes.

Obtain Independent Review

Because of the risks involved in auditing, most firms require that a partner not associated with the audit review the audit results before the firm issues the audit reports. Note that above I referred to the engagement partner "signing off" on the audit. This really is a colloquialism because individual auditors don't sign audit reports, the firm does. While the engagement partner does have legal liability for the audit, the firm has the primary responsibility and would be the first entity sued in case of an audit failure. Thus, to protect the firm, most audit firms required an independent review of the audit results before the firm issues the audit report. This process also is referred to as second partner review or concurring partner review.

Required Communications

In addition to the audit report, auditors generate two additional types of reports or communications. The first is to the auditee's board of directors and/or audit committee and the second is to management. The first is required; the second is normally done but not required.

Communications to the Board of Directors

Actually, the auditing standards require communications to "those individuals responsible for oversight of the entity's strategic direction and its financial reporting process, sometimes referred

11-11

to as 'those charged with governance.'"65 Since that was a mouthful and since, for corporations and non-profit organizations, those charged with governance is the Board of Directors, I will refer to the Board of Directors in this subsection. However, the Boards of Directors for most corporations include an Audit Committee. In that case, the auditors most likely would communicate these matters to the Audit Committee.

The purpose of these communications is to insure that the Board of Directors is informed fully about the conduct of the audit and the results of the audit. The items that auditors are required to communicate include:

The auditor's responsibility under GAAS The auditee's significant account policies and the auditor's judgment about the quality of those policies The existence of management judgments and estimates Any significant audit adjustments Any disagreements with management Any consultations with other accounting firms Any discussions with management prior to the auditor accepting the engagement Any difficulties encountered during the audit. Any evidence of fraud by senior management or that has a material affect on the financial statements. Any significant deficiencies and material weaknesses in the auditee's internal controls (I will discuss these terms in more detail in the chapter on audit reports)

As you might expect, all these communications must be in writing so that they are properly documented.

Management Letter

This communication isn't required, but auditors almost always generate a management letter at the end of the audit. This letter is a private communication between the auditor and the auditee's senior management and it may contain issues that are not included in the auditor's communications with the Board of Directors. Auditors use the management letter to communicate advice to senior management on how to improve their controls and financial reporting process. In addition, they may make operating recommendations on how the auditee can improve its profitability and financial position. Thus, it may not be limited to just financial reporting issues. Note that the auditee pays a significant fee for the audit and would like to get a little more for their money that just three opinions attached to their financial statements. In addition, auditors work with a variety of firms over time and gain a substantial amount of solid

65 W. F. Messier, Jr., S. M. Glover, and D. F. Prawitt (2008), Auditing & Assurance Services: A Systematic Approach, McGraw-Hill Irwin, page 607.

11-12

business management knowledge. By sharing their opinions and knowledge with the auditee, they help insure that they will be rehired in the future. They may also pick up some consulting work. However, they types of consulting work they can do for the auditee is limited by the Sarbanes-Oxley Act.

11-13

Chapter Twelve - Audit Reports

Summary

The purpose of this chapter is to describe to students the types of audit reports auditors issue and the decision rules that auditing standards require auditors to use when selecting the type of report to issue. After completing this chapter, students should be able to:

Describe the components of an auditor's report on an auditee's financial statements; Describe the components of an auditor's report on an auditee's internal controls; Given a case scenario, determine what type of audit report an auditor should issue on the auditee's financial statements; and Given a case scenario, determine what type of audit report an auditor should issue on the auditee management's assessment of controls as well as on the controls themselves.

Overview of Audit Reports

The ultimate result of an external audit of a firm's financial statements is the auditor's report. This chapter discusses the types of audit reports auditors issue for publicly traded firms. The reports for privately held firms are very similar.

Prior to Sarbanes-Oxley auditors issued one report on the auditee's financial statements that stated: what financial statements the auditor was auditing; that they were the responsibility of management; that the auditor had followed GAAS; and auditor's opinion on whether the financial statements were fairly stated.

The above list is an over-simplified description of the four main points in the standard audit report, but I will discuss the details of each point below.

For publicly traded firms, Sarbanes-Oxley added a requirement for one additional audit report and two additional audit opinions. In the second report, the auditor is required to issue an opinion on management's self-assessment of their controls as well as the auditor's independent opinion of the effectiveness of those controls. The contents of this report are similar to the financial statement report and it contains the following basic information: the date to which the auditor's report applies; that they were the responsibility of management; the framework used to assess controls;

12-1

that the auditor had followed PCAOB rules; and some definitions and limitations of controls; and auditor's opinion on whether management's assessment of the controls was fairly stated as well as the auditor's opinion as to whether those controls were effective as of the date of the report.

The wording of both these reports66 is standard and highly scripted. Auditors rarely change any wording from the standard format except to indicate the dates of the financial statements being audited. Thus, the main goal for students is not to memorize the specific wording of the reports, but to be able to describe the major points the reports cover and to determine when auditors should alter the wording of the reports because of findings from the audit.

Standard Unqualified Report on Financial Statements

The following diagram contains an overview the options auditors have for developing auditor reports on financial statements. I cover the rules and issues behind the diagram below.

66 Although these are not official terms, I will be referring to the auditor's report on the auditee's financial statements as the financial statement report and the auditor's report on the auditee's controls as the control report.

12-2

67 Figure 12-1 - Financial Statement Report Modification Rules

By far the most common type of report that auditors issue on an auditee's financial statements is a standard, unqualified, unmodified report. Well over 90% of all audit reports fit this model. However, auditors do issue reports that are either qualified or modified in some way. Qualified audit reports arise when the auditor does not believe the firm's financial statements are fairly presented for some reason. Auditors issue modified audit reports when the auditor believes the financial statements are fairly presented, but the auditor wants to bring some feature of the financial statements to the reader's attention. This section walks you through the sections of a standard, unqualified, unmodified report on a set of financial statements. In subsequent sections, I will discuss the conditions that cause an auditor to qualify their report or fail to issue any report at all as well as the conditions that cause the auditor to modify, but not qualify, their report.

67 Taken from W. F. Messier, Jr., S. M. Glover, and D. F. Prawitt (2008), Auditing & Assurance Services: A Systematic Approach, McGraw-Hill Irwin.

12-3

Major Sections of Standard Report

The following is a copy of Home Depot's audit report on the financial statements they included in their annual report for their fiscal year ended January 28, 2007. It contains a modification that I will discuss in more detail in the section on modifications. Title

Addressee

Introduction

Scope

Opinion

Explanation

Reference to internal control report

Signature

Date

Each of the elements or paragraphs of the report that I have highlighted above, except for the explanation paragraph, contain:

Title - The title indicates that the report is being issued by an "independent registered public accounting firm." This terminology was created by the PCAOB and indicates that the firm doing the audit has registered with the PCAOB and, therefore, can legally perform audits of publicly traded companies. Addressee - This is always the Board of Directors of the auditee.

12-4

Introduction - This paragraph contains the dates and names of the financial statements being audited and a statement of the responsibility of management to produce them and the responsibility of the auditor to audit them. Note that all four financial statements are included and that the dates of the balance statements (i.e., Balance Sheet and Statement of Stockholders' Equity) are as of the fiscal year end date. The dates for the flow statements (i.e., Income Statement and Cash Flow Statement) are for the periods ending as of the fiscal year end date. In addition, since Home Depot's Annual Report merely reprinted their 10-K filing, the report covers two years for the balance statements and three years for the flow statements. This is an SEC requirement. Scope - The scope paragraph states that the audit was conducted according to standards set by the PCAOB. Recall that these include GAAS, the former SAS's, as well as the new PCAOB rules. This paragraph also include a brief statement of what an audit entails and a statement that the auditor believes their work constitutes a reasonable basis for their opinion on the financial statements. Finally, this paragraph contains a reminder to the reader that an audit can only provide reasonable assurance that the financial statements do not contain a material misstatement. Opinion - The opinion paragraph is the "meat" of the report and contains a statement that the financial statements, in the auditor's opinion, are fairly presented in all material aspects. It also contains a restatement of the financial statements being audit and a short statement of what those financial statements report. The wording used in Home Depot's report indicates that the auditor believes the financial statements are fairly stated. Auditor's call this a clean opinion. Reference to Internal Control Report - This paragraph states that the auditor also has audited the auditee's internal controls and states what the opinion the auditor issued on the auditee's controls was. Signature and Date - Finally, the audit firm signs and dates the report. Note that the partner in charge does not personally sign the report. It is signed by the firm. The main reason is to recognize that audit quality is a firm responsibility, not just an individual audit partner responsibility. I also believe that the firm signs the report to try to isolate the individual partner from personal liability in case of a lawsuit. However, I am not sure how effective that move is in court. As a partner, the auditor is potentially personally liable for the results of the audit.

Modifications to Provide Additional Explanations

Auditors may add additional explanations to their audit report to bring key issues to the attention of the reader. They only do so when the matter needing explanation has a material impact on the financial statements. These additional explanations do not affect the opinion that the financial statements are fairly stated. They just flag key issues. These additional explanations may be in separate paragraphs, as in the Home Depot example, or may just be included as additional sentences in other paragraphs. In addition, auditors nearly always require that the auditee include a footnote that discusses the reasons for, and in impact of, the item being explained in more detail. The explanations auditors provide in the audit report tend to be very brief (a couple of

12-5

sentences) and usually refer the reader to the explanatory footnote for a more detailed explanation.

The following subsections discuss the conditions under which an auditor might add explanatory language to their audit reports.

Reliance on Other Auditors

Sometimes auditors rely on the audit opinions and audit work of other audit firms in issuing their reports. The most common example is when the auditee owns subsidiary firms whose results are being consolidated into their financial statements. These subsidiary firms may have their own auditors and the auditor for the parent firm (referred to as the principal auditor) will not re-audit the subsidiary, but will rely on the subsidiary's auditor for accuracy of the financial results of the subsidiary. Here is an example of wording that an auditor might include in the introductory paragraph when they have relied on a subsidiary firm's auditors"

"We did not audit the financial statements of Furillo Company, a wholly owned subsidiary, whose statements reflect total assets of $25,450,000 and $23,750,000 as of December 31, 2006 and 2005, respectively, and total revenues of $42,781,000 and $40,553,000 for the years then ended. Those statements were audited by other auditors whose report has been furnished to us, and our opinion, insofar as it relates to the amounts included for Furillo Company, is based solely on the report of the other auditors."68

By including this language, the principal auditor is sharing responsibility for the audit with the subsidiary's audit firm. Auditors do not share this responsibility lightly because they could be held liable for the work of the subsidiary auditor. Thus, auditors will check out the reputation of the subsidiary's auditor before deciding to rely on their work and may even review portions of their working papers.

Going Concern Issues

I discussed how and why auditors are concerned about the future financial health of the auditee beyond the years being audited in Chapter 11 in the section on "Going Concern Evaluation." Years ago, if the auditor believed that the auditee was at risk of bankruptcy and would not be a going concern a year from the audit report date, they had to qualify the audit opinion under the logic that the financial statements might not fairly present the firm's financial position. However, the ASB recognized that qualifying the audit opinion might be extreme and changed the rules so that now the auditor merely includes an explanatory paragraph that describes the auditor's concerns about the auditee's future viability. The following is an example of such an explanatory paragraph:

68 All examples of language from modified or qualified audit reports were taken from W. F. Messier, Jr., S. M. Glover, and D. F. Prawitt (2008), Auditing & Assurance Services: A Systematic Approach, McGraw-Hill Irwin. The Home Depot auditor's opinion was copied from their annual report.

12-6

"The accompanying financial statements have been prepared assuming that the Company will continue as a going concern. As discussed in Note 6 to the financial statements, the Company has suffered recurring losses from operations and has a net capital deficiency that raises substantial doubt about its ability to continue as a going concern. Management's plans concerning these matters are also described in Note 6. The financial statements do not include any adjustments that might result from the outcome of this uncertainty."

Auditors normally include this paragraph after the opinion paragraph, which is also common for other explanatory paragraphs as well. This explanatory paragraph also refers the reader to a footnote that describes the going concern issues and the management's plans to address them in more detail.

Agreed Upon Departures from GAAP

Occasionally, but very rarely, the auditor may believe that strict use of GAAP in the auditee's financial statements would be misleading and agrees with the auditee to allow them to use some non-GAAP methods in their financial statements. If so, the auditor will include an explanatory paragraph disclosing the departure from GAAP and the reasons for it. In addition, they also will require that the auditee include a footnote providing a more detailed explanation. This situation is so rare that I don' have a wording example.

Inconsistencies between Years

Auditor reports nearly always cover more than one-year's financial statements. As I discussed above, the SEC requires all publicly traded companies to file to balance and three flow statements in their 10-K filings. This means that there may have been changes in the auditee's situation or use of GAAP between the different years thus creating an inconsistency between those years. These changes can be legitimate and do not mean that the differences have led to a material misstatement of any of the years being audited. However, the auditor must include an explanatory paragraph, referring to an explanatory footnote, that discloses the nature and impact of these changes.

There are three basic reasons that a firm might make a change between the years being audited that would require an explanatory paragraph. These include:

Change in accounting principal - Firms have choices under GAAP and are free to alter those choices. If they do, they have to disclose the change and the impact on the financial statements. An example would be changing from LIFO to FIFO or changing from straight- line to declining balance depreciation. The Home Depot paragraph above is an example of this type of change. Home Depot adopted a new accounting standard in 2006 and this fact is both disclosed in the auditor's report as well as in the footnotes. Note that this type of change is very common and does not signal anything wrong with the auditee. Accounting principles change all the time. However, in most cases, firms are given a time window in which to adopt the new standards. Thus, they need to disclose when they adopted the change so that the reader of the financial statements is aware of the change.

12-7

Change in the reporting entity - The main change that can occur in the reporting entity is because of change in the status of a subsidiary firm. If the auditee increases or decreases their holdings in a subsidiary such that the subsidiary either needs to be consolidate or is no longer consolidated, the auditor needs to add an explanatory paragraph, referring to a footnote disclosure, of the change and its impact on the financial statements. Correction of an error in principle - If the auditee misapplied a GAAP principle in one of the prior year's financial statements covered by the auditor's report but corrects the error by changing to an acceptable principle; this change needs to be disclosed in an explanatory paragraph that refers to a footnote explanation.

Special Emphasis

Occasionally auditors may want to bring a significant matter to the attention of the reader of the financial statements. Some examples include a significant subsequent event or a significant related party transaction. Auditors will use an explanatory paragraph to do so. However, the SAS's also caution auditors about overuse of this type of explanatory paragraph since including explanatory paragraphs might overemphasize the importance of the event or matter.

Departures from Unqualified Reports on Financial Statements

Explanatory paragraphs do not lead to qualifications of the auditor's opinion. The audit qualifies their opinion when they believe that the financial statements are not fairly presented under GAAP. This is extremely rare since the auditor would first work with the auditee to try to resolve the matter and would consider qualifying the opinion as a last resort.

There are three types of qualified audit reports that auditors can use, which I will discuss next. Following that discussion, I will present the major reasons that lead auditors to qualify their opinions. The reasons discussed are the circumstances that cause auditors to qualify their opinions. The magnitude of the problem determines which type of qualified opinion the auditor issues.

Types of Opinions

Auditors have three choices concerning the types of opinions they can issue, other than clean: qualified, disclaimer, or adverse. I will discuss each in turn. Note that auditing texts and the auditing literature refer to both qualifying or disclaiming the report, or issuing an adverse report as apposed to the opinion. In fact, the only thing that can be qualified, declaimed, or adverse is the auditor's opinion. However, since the opinion is the key component of the audit report, the literature frequently refers to qualified reports rather than opinion.

Qualified Opinions

Auditors issue qualified opinions when the financials statements are mostly fairly stated except for some isolated condition that is material. Then they will express an unqualified opinion on the

12-8

financial statements, but will include an explicit exception for the item that isn't fairly stated or disclosed. Normally, they also will refer to a footnote where the issued is discussed further.

If the item(s) that are not fairly stated were not just material, but pervasively material, the auditor would have to either disclaim an opinion or issue an adverse opinion. I discuss these types of reports below. The main point here is that, for the auditor to issue a qualified opinion as apposed to the more severe disclaimer or adverse opinion, the auditor would have to be able to isolate the effect of the departure from GAAP or scope limitation to a section of the financials statements. In addition, the magnitude of the impact of the GAAP departure or scope limitation was not large enough to make the financial statements deceiving. If the problem is so pervasive that it affects large sections of the financial statements, then the auditor must "go to the next level" and either disclaim an opinion or issue an adverse opinion.

The following is an example of a qualification based on a scope limitation. As I discuss below, scope limitations arise when the auditor can't gather all the evidence (s)he believes is necessary to form an opinion on the financial statements.

"[Standard wording for the introductory paragraph]

Except as discussed in the following paragraph, we conducted our audits in accordance with auditing standards generally accepted in the United States of America. Those standards require that ... [same wording as for the remainder of the standard scope paragraph].

We were unable to obtain audited financial statements supporting the Company's investment in a foreign affiliate stated at $12,500,000 and $11 ,700,000 at December 31, 2006 and 2005, respectively, or its equity in earnings of that affiliate of $1,200,000 and $1,050,000, which is included in net income for the years then ended as described in Note 10 to the financial statements; nor were we able to satisfy ourselves as to the carrying value of the investment in the foreign affiliate or the equity in its earnings by other auditing procedures.

In our opinion, except for the effects of such adjustments, if any, as might have been determined to be necessary had we been able to examine evidence regarding the foreign affiliate and earnings, the financial statements referred to ... [same wording as for the remainder of the standard opinion paragraph]."

When issuing a qualified opinion, the auditor must provide an explanatory paragraph that discusses the reason for the qualification and refer to the footnote that covers the issue in more detail. Then state the specific nature and extent of the qualification in their opinion paragraph. The scope paragraph in the above example also contains a reference to the exception because this example illustrates a qualification due to a scope limitation. If the qualification was due to a departure from GAAP, the auditor would not have to modify the scope paragraph.

12-9

Disclaimer

If the scope limitation on the audit raises above material to pervasively material, then the auditor must disclaim an opinion on the financial statements. Essentially, the auditor is saying that the limitation to their work was so extensive that they cannot express an opinion on the financial statements at all. This situation occurs when the auditor cannot limit the effect of the scope limitation to an identifiable, and therefore isolated, section of the financial statements or footnotes, or the magnitude of the problem is sufficiently large to effect the overall impression the financial statements would present to the user. The following is an example of a disclaimer:

"We were engaged to audit the accompanying balance sheet of Kosar Company as of December31, 2003 and 2005, and the related statements of income, retained earnings, and cash flows for the years then ended. These financial statements are the responsibility of the Company's management.

[Scope paragraph of standard report should be omitted]

We were unable to observe the taking of physical inventories stated in the accompanying financial statements at $4,550,000 as of December 31, 2006, and at $4,275,000 as of December 31, 2005, since those dates were prior to the time we were engaged as auditors for the Company. The Company's records do not permit the application of other auditing procedures regarding the existence of inventories.

Since we did not observe physical inventories and we were not able to apply other auditing procedures to satisfy ourselves as to inventory quantities, the scope of our work was not sufficient to enable us to express, and we do not express, an opinion on these financial statements."

Since disclaimers only arise from scope limitations that are pervasive, the scope paragraph is omitted altogether. As with other alterations to the clean opinion, the auditor is required to provide an explanatory paragraph that describes the nature and extent of the scope limitation. Since this is a disclaimer, the opinion paragraph states that the auditor cannot express an opinion on the financial statements.

Adverse Opinion

Auditors issue adverse opinions when the financial statements, due to GAAP departures, do not fairly presents the results of the firms operations, cash flows, and/or financial position. The following in an example of an adverse opinion:

"[Standard wording for the introductory and scope paragraphs]

As discussed in Note 6 to the financial statements, the Company carries its property, plant, and equipment accounts at appraisal values and determines depreciation based on such values. Generally accepted accounting principles require that property, plant, and equipment be stated at an amount not in excess of cost, reduced by depreciation based on

12-10

such amount. Because of the departures from generally accepted accounting principles identified above, as of December 31, 2006 and 2005, respectively, inventories have been increased $1,500,000 and $1,340,000 by inclusion in manufacturing overhead of depreciation in excess of that based on cost, property, plant, and equipment, less accumulated depreciation, is carried at $13,475,000 and $12,950,000 in excess of an amount based on the cost to the Company. For the years ended December 31, 2006 and 2005, cost of goods sold has been increased $4,200,000 and $3,600,000, respectively, because of the effects of the depreciation accounting referred to above, resulting in a decrease in net income of $2,520,000 and $2,160,000, respectively.

In our opinion, because of the effects of the matters discussed in the preceding paragraph, the financial statements referred to above do not present fairly, in conformity with accounting principles generally accepted in the United States of America, the financial position of Morton Company as of December 31, 2006 and 2005, or the results of its operation or its cash flows for the years then ended."

Again, the auditor explains the reason for the departure from a clean opinion and then states that the financial statements do not fairly present the firm's results. Adverse opinions are the most severe departure from a clean opinion because they, in essence, state that the financial statements are wrong. A disclaimer, the next more severe departure from a clean opinion, states that, in essence, the auditor doesn't know if the financial statements are wrong or not.

Reasons for Qualifying Reports

As I mentioned above, this section addresses the conditions that might cause an auditor to quality their opinion. The items mentioned below can all lead to qualifications if they are material or if the auditor believes that their effect on the financial statements would be material. Since each of these items can vary in terms of the magnitude and importance to the overall presentation of the financial statements, each item could lead to a different level of qualification that I just discussed.

Scope Limitations

Conditions either under the control of the auditee or outside the control of the auditee can lead to a scope limitation for the audit. A scope limitation merely means that the auditor could not perform all the tests and procedures that they felt were necessary. For example, the SAS's require that auditors physically observe the auditee's year-end inventory. However, if the auditor is not hired until after year-end, this would be impossible. If the auditor cannot develop alternative audit procedures to take the place of the physical inventory observation, then they would need to qualify their opinion or disclaim an opinion depending on the size of the auditee's inventory and its importance to the overall financial statements. In addition, whenever a scope limitation requires a modification of the opinion, the auditor needs to modify the scope paragraph of the audit report to describe the nature and extent of the scope limitation.

The inventory example was outside the auditee's control and merely an artifact of the timing of hiring the auditor. However, auditees also may request that they audit not perform an audit procedure that the auditor believes is necessary. For example, some auditees do not want the

12-11

auditors confirming accounts receivables with their customers because they fear the customers might misinterpret the confirmation request and it might hurt customer relations. The auditor needs to consider the auditee's reasoning and the availability of alternative audit procedures before deciding whether to qualify the opinion or disclaim an opinion. If the auditee's reasoning seems sound and the auditor can satisfy him/herself through alternative procedures, no qualification may be needed.

Statements Violate GAAP

If the auditee's financial statements materially violate GAAP and the auditee is unwilling or unable to correct the violation, the auditor must either qualify the audit opinion or issue an adverse opinion, depending on the size of the GAAP violation's affect on the financial statements. GAAP violations can include failure to use GAAP in developing the balances on the financial statements or failure to include required disclosures in the footnotes.

If the auditor issues an adverse opinion, then they must include an explanatory paragraph prior to their opinion paragraph explaining the reasons for the adverse opinion and the effects of the GAAP departure on the financial statements.

Auditor is not Independent

This final condition is extremely rare, but auditing standards cover it anyway. As we discussed earlier in the class, independence is at the heart of auditing. Audits must be done by auditors who are independent of the auditee to help assure that the auditor is objective in assessing the auditee's financial statements and controls. If the auditor is not independent, then they must disclaim any opinion on the financial statements.

One situation that could arise that would lead to this type of disclaimer is if the auditor completed the audit and then learned that a member of the audit team was not independent of the auditee. In such a case, the auditor would issue a very short disclaimer as illustrated below. Note that auditing standards prohibit the auditor from adding any explanations for why they were not independent or that describe any of the audit work they performed. The reason is to prevent the auditor from attempting to minimize the impact of their lack of independence.

"We are not independent with respect to Jordan Company, Inc., and the accompanying balance sheet as of December 31, 2006, and the related statements of earnings, retained earnings, and cash flows for the year then ended were not audited by us; accordingly, we do not express an opinion on them."

Obviously, the auditee would need to engage another auditor to redo the audit in order to obtain a clean opinion in this case. Thus, I am not sure what purpose is served by having the first auditor even issuing a report in the first place. However, the auditor would insist on having their report attached to the financial statements until the audit was redone by another auditor to prevent the auditee from misrepresenting them.

12-12

Reports on Internal Controls

This section covers the audit report that auditors issue on the auditee's internal controls. They are required to express two opinions within one report. The first opinion is on management's self- assessment of their controls and the second is the auditor's independent opinion on those controls. Obviously, the two opinions are related. For example, if the auditee stated that their controls were effective and the auditor stated that they weren't, the auditor would be hard pressed to provide an opinion that agreed with management's assessment in one opinion and then disagreed, by qualifying their own opinion of the controls, in the other.

Elements of the Internal Control Report

I will cover all these choices in more detail below. First, I will describe the basic sections of the auditor's internal control report and then I will cover the conditions that lead to a departure from clean opinions on management’s internal control report and/or the auditor’s own assessment of internal controls. The following is a copy of Home Depot's internal control report:

12-13

Title

Addressee

Introduction

Scope

Definitions

Inherent Limitations

Opinion

Signature

Date

Each of the elements or paragraphs of the report that I have highlighted above contain:

Title - The title is identical to the title of the auditor's report on the financial statements. Addressee - The addressee is identical to the title of the auditor's report on the financial statements.

12-14

Introduction - This paragraph is similar to the introductory paragraph of the financial statement report. It differs by stating that the auditor is auditing management's report on the controls and not the auditee's financial statements. It also mentions the Committee of Sponsoring Organizations (COSO) framework as a basis for that audit. PCAOB rules require that audits of controls be based on some comprehensive framework that describes controls. The most commonly used framework is the COSO framework. Similar to the introductory paragraph for the financial statement report, this paragraph describes management's and the auditor's responsibilities for controls. Scope - The scope paragraph also is similar to the financial statement report paragraph. However, since the internal control audit was created by Sarbanes-Oxley, there were no standards for such an audit prior to the creation of the PCAOB. Thus, the scope paragraph only refers to PCAOB rules. Definition - The definition paragraph presents definitions of key concepts and terms used to describe internal controls. My guess is that this paragraph is included because this type of audit is new and the PCAOB believed that the readers of this report might benefit from some definitions of terms and concepts. Inherent limitations - This presents a short paragraph that informs the reader that controls are inherently imperfect. It also points out that conditions can change and controls that were effective for the current period might not continue to be so. Opinion - The opinion paragraph, again, is the "meat" of the report. The opinion paragraph in the control report states two opinions. First, the auditor states what management's conclusions were in their report on controls and then states the auditor's opinion on their conclusions. In Home Depot's case, management concluded that their controls were effective and the auditors concluded that that conclusion was fairly stated. The auditor's second opinion states that they auditor's also believe that Home Depot's controls were effective. Both these opinions are as of the end of the fiscal year. The report and opinions do not state that the controls were effective during the fiscal year, just as of the end of the fiscal year.69

I have included a copy of Home Depot's management assessment of internal controls in the Appendix for your reference. I am not going to devote time to it in this chapter. However, I included it because the auditor's opinion on management's assessment is based on that report.

Signature and Date - These are the same as the report on the financial statements.

69 Certifying the controls as of the end of the year seems a bit strange to me since auditors, as well as management, would be reviewing control activity throughout the year. In addition, the reader of the financial statements would probably want to know if the controls were effective all year since all the year's activity is included in the financial statements. However, I didn't write the rules.

12-15

Modifications to the Standard Report on the Auditee's Controls

The choices and decisions that auditors make in determining whether to issue a clean, qualified, or adverse opinion, or disclaim an opinion, are similar for controls compared to financial statements. The auditor's core focus is on material weaknesses in controls or scope limitations in both cases. However, material control weaknesses are deficiencies in controls that could lead to material misstatements in the financial statements rather than the material misstatements themselves. The following diagram summarizes these choices for internal control reports:

Figure 12-2 - Control Report Modification Rules70

Levels of Deficiencies

Auditors determine whether to depart from a clean opinion in their control report based on either the severity of any control deficiencies impact on the financial statements or the severity of any scope limitations. The severity of the impact of any deficiency depends on the magnitude of the deficiency and the likelihood that the deficiency will have a material impact on the financial statements. These two concepts are related in that the larger the magnitude of the control deficiency, the greater the likelihood that the deficiency will lead to a material misstatement in

70 Taken from W. F. Messier, Jr., S. M. Glover, and D. F. Prawitt (2008), Auditing & Assurance Services: A Systematic Approach, McGraw-Hill Irwin.

12-16

the financial statements. However, they do address two different dimensions of a control's potential effect on the financial statements. Magnitude issues address the effects of the control deficiency on the firm's ability to process information while likelihood addresses the chance that those limitations on the firm's abilities will affect the financial statements.

PCAOB standards define three levels of control deficiencies: deficiency (usually called control deficiency), significant deficiency, and material weakness. Here are my simplifications of the PCAOB's definitions of each:

Control deficiency - A control deficiency is a weakness in a control(s), either in its design or in its operation, that does not allow the firm to eliminate71 material misstatements from the financial statements in a timely manner. Note that this definition does not address the likelihood that the deficiency would create a material error in the financial statements. Thus, the concept of a control deficiency is general and includes both significant and material deficiencies. That is, control deficiencies come in three degrees of severity: inconsequential, significant, and material. Inconsequential deficiency - An inconsequential control deficiency is one that would only create an inconsequential misstatement in the financial statements. That is, there is only a remote likelihood that the control deficiency would create a material misstatement in the financial statements. Significant deficiency - A significant deficiency is a control deficiency that is severe enough to create more than a remote likelihood that a consequential misstatement will occur in the financial statements. Material weakness - A material weakness is a control deficiency that is severe enough to create more than a remote likelihood that a material misstatement will occur in the financial statements.

These definitions include qualifiers for likelihood (remote and more than remote) and magnitude (inconsequential, consequential, and material). "Remote" is defined as only a slight chance that the event will occur, where the event here is the misstatement in the financial statements. Obviously, more than remote is any likelihood greater than remote. Inconsequential misstatements are ones that are clearly immaterial even after considering the possibility of additional undetected misstatements. Consequential misstatements are all misstatements that are more severe than inconsequential and, therefore, may be material. Material misstatements are misstatements that are material by the same definition of materiality we applied earlier in the course.

As you can see, there is some ambiguity in these definitions, particularly between consequential misstatements and material misstatements. The problem is that the auditor needs to consider the impact of a control deficiency on the financial statements and is not just considering a direct misstatement that (s)he has detected in the financial statements. Basically, inconsequential

71 I am going to continue to use the term "eliminate" to mean both prevent and detect and correct material misstatements.

12-17

misstatements are clearly immaterial and material misstatements are clearly material. Consequential misstatements fall in the middle such that they may be material, but the auditor isn't sure.

The following figure summarizes the above issues and how they relate to determine whether a control deficiency is a material weakness, significant deficiency, or just an inconsequential deficiency. Keep in mind that both magnitude and likelihood refer to the potential misstatement the control deficiency might cause in the financial statements.

72 Figure 12-3 - Levels of Control Deficiencies

Modifications due to Control Deficiencies

Once the auditor has determined the level of the control deficiency, (s)he needs to determine how to alter their report because of those control deficiencies. As you can see from Figure 12-2, auditors only have one choice to make if a control deficiency exists - issue an unqualified opinion or an adverse opinion. There is no qualified opinion and auditors only issue adverse opinions if a material deficiency exists.

The following is an example73 of how the auditor would modify their control report if they found a material deficiency and if management's assessment reported a material deficiency74:

72 Taken from W. F. Messier, Jr., S. M. Glover, and D. F. Prawitt (2008), Auditing & Assurance Services: A Systematic Approach, McGraw-Hill Irwin.

12-18

"Report of Independent Registered Public Accounting Firm

[Standard Wording for the Introductory, Scope, Definition, and Inherent Limitations Paragraphs]

[Explanatory Paragraph] A material weakness is a control deficiency, or combination of control deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected. The following material weakness has been identified and included in management's assessment. Treadron had an inadequate system for recording cash receipts, which could have prevented the Company from recording cash receipts on accounts receivable completely and properly. Therefore, cash received could have been diverted for unauthorized use, lost, or otherwise not properly recorded to accounts receivable. This material weakness was considered in determining the nature, timing, and extent of audit tests applied in our audit of the 2006 financial statements, and this report does not affect our report dated February 15, 2007, on those financial statements.

[Opinion Paragraph] In our opinion, management's assessment that Treadron Company did not maintain effective internal control over financial reporting as of December 31, 2006, is fairly stated, in all material respects, based on criteria established in Internal Control-Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Also, in our opinion, because of the effect of the material weakness described above on the achievement of the objectives of the control criteria, Treadron Company has not maintained effective internal control over financial reporting as of December 31, 2006, based on criteria established in Internal Control-Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

Mortensen & Mortensen Houston, Texas February 15, 2007"

As with nearly all alterations to audit reports, auditors are required to include an explanatory paragraph describing the nature of the material weakness. Then, they modify their report accordingly. In this case, management's assess also included a recognition of the material weakness. Thus, the auditor has issued a clean opinion on management's assessment. However,

73 Taken from W. F. Messier, Jr., S. M. Glover, and D. F. Prawitt (2008), Auditing & Assurance Services: A Systematic Approach, McGraw-Hill Irwin. 74 The preferred term is control deficiency, but it means the same as control weakness. Forgive me if I slip and use weakness occasionally because it is more common in non-technical writing.

12-19

they have issued an adverse opinion on the auditee's controls. An adverse opinion on controls merely states that the auditee's controls aren't effective.

If, in the above example, management's assessment had claimed that their controls were effective, the auditor also would have issued an adverse opinion on management's assessment. The following is an example of the wording they would have used:

"In our opinion, because of the effect of the material weakness described above on the achievement of the objectives of the control criteria, management's assessment that Treadron Company maintained effective internal control over financial reporting as of December 31, 2006, is not fairly stated, in all material respects, based on criteria established in Internal Control-Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)."

Modifications due to Scope Limits

Auditors have three choices in deciding whether to modify their control reports because of scope limitations: unqualified or qualified opinion, or disclaimer of an opinion. I defined scope limitations above in my discussion of financial statement reports and the same definition applies to control reports.

PCAOB rules define two levels of scope limitations for control reports. These rules are based on two dimensions that describe scope limitations - whether the limitation was imposed by management and how extensive the limitation was.

Not intentional or minor - If the scope limitations are not due to intentional intervention by management or are minor, then the auditor can issue an unqualified opinion. An example of an unintentional scope limitation would be the existence of a new control procedure the auditee added at the end of the fiscal year. If the auditor believes that the control has not been in operation long enough to provide enough evidence on which to base an opinion on its effectiveness, the auditor would face a scope limitation in that (s)he could not test that control. However, this would not be a management imposed control limitation. Management imposed and/or more than minor effect - If the scope limitation was imposed by management and/or the effect of the scope limitation is more than minor, then the auditor may either qualify their opinion, disclaim an opinion, or withdraw from the engagement. The difference between these options depends on the magnitude of the scope limitation and whether it was imposed or not. Auditors treat imposed scope limitations much more seriously than unimposed limitations because imposed limitations may signal management's intention to keep key information from the auditor. The following is an example of a control report that has been qualified due to a scope limitation:75

75 Taken from W. F. Messier, Jr., S. M. Glover, and D. F. Prawitt (2008), Auditing & Assurance Services: A Systematic Approach, McGraw-Hill Irwin.

12-20

" Report of Independent Registered Public Accounting Firm

[Standard wording for introductory paragraph]

[Scope paragraph] Except as described below, we conducted our audit in accordance with the standards of the Public Company Accounting Oversight Board (United States). Those standards [standard wording for the remainder of the scope paragraph].

[Explanatory paragraph that describes scope limitation] A material weakness is a control deficiency, or combination of control deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected. The following material weakness has been identified and included in management's assessment. Prior to December 20, 2006, Conquest Communications, Inc. had an inadequate system for recording cash receipts, which could have prevented the company from recording cash receipts on accounts receivable completely and properly. Therefore, cash received could have been diverted for unauthorized use, lost, or otherwise not properly recorded to accounts receivable. We believe this condition was a material weakness in the design or operation of the internal control of Conquest Communications, Inc., in effect prior to December 20, 2006. Although the company implemented a new cash receipts system on December 20, 2006, the system has not been in operation for a sufficient period of time to enable us to obtain sufficient evidence about its operating effectiveness.

[Standard wording for definition and inherent limitations paragraphs]

[Opinion paragraph] In our opinion, except for the effect of matters we might have discovered had we been able to examine evidence about the effectiveness of the new cash receipts system, management's assessment that Conquest Communications, Inc., maintained effective internal control over financial reporting as of December 31 , 2006, is fairly stated, in all material respects, based on criteria established in Internal Control Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Also, in our opinion, except for the effect of matters we might have discovered had we been able to examine evidence about the effectiveness of the new cash receipts system, Conquest Communications, Inc., maintained, in all material respects, effective internal control over financial reporting as of December 31, 2006, based on criteria established in Internal Control-Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

[Explanatory paragraph] We have also audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States), the consolidated financial statements of Conquest Communications, Inc., and our report dated February 15, 2007, expressed an unqualified opinion.

12-21

D'Knote, Slikk & Associates Denver, CO February 15, 2007

The auditor in the above example found a material weakness that the auditee had corrected by year end. However, the correction was not implemented in time, in the auditor's opinion, for the auditor to test the new control adequately. This constitutes an unintentional scope limitation. The qualified opinion also implies that the severity of the impact on the financial statements was more than minor, but not severe enough to either disclaim an opinion or withdraw from the engagement.

The auditor alters the scope paragraph to indicate a scope limitation, but includes an explanatory paragraph to explain the scope limitation. Then the auditor qualifies their opinion by stating that except for the effect of the controls they could not test, that management's assessment of the controls are fairly stated and that the controls are effective.

Modifications to the Standard Report on the Management's Control Assessment

The auditor's opinion on management's assessment of controls is straightforward. The auditor must state whether management's assessment if fairly stated or not. Auditors would give management a clean opinion (i.e., they are "fairly stated") for their own assessment of the auditee's control effectiveness if the auditor agreed with them. If the auditor did not agree with management, then the auditor's opinion would state that management's assessment was not fairly stated.

Other Modifications to Control Reports

An auditor would modify their report on an auditee's controls or the auditee's management assessment of those controls under a few conditions. These include:

If they rely on another auditor as part of their audit - They modify their report in the same way as they would for a report on the auditee's financial statements Material, subsequent event - I discussed these issues in Chapter 11 on completing the audit. If the auditor discovers a subsequent that (s)he believes might have a consequential impact on the auditee controls' ability to eliminate material errors in the auditee's financial statements, the auditor has a responsibility to report these issues in their report. As with most modifications, the auditor would require the auditee to include an explanation in the footnotes and the auditor would refer to that footnote in his/her report. Management's report contains additional information - Management may include information beyond that required to present their assessment of their controls. In this case, the auditors must modify their opinion to disclaim any information that management may include beyond what is required to present assessment of their controls. In this case, the auditors must modify their opinion to disclaim any opinion on that additional information. For example, if the management provides cost and benefit information about

12-22

improvements they have made to their controls (i.e., does a little bragging), this information is not relevant to their assertion that the controls work. Thus, the auditor would disclaim any opinion on that information. Some example wording in his/her opinion paragraph for this case might be:

"We do not express an opinion or any other form of assurance on management's statement referring to the costs and related benefits of implementing new controls."

12-23

Appendix - Home Depot's Management Assessment of Internal Controls

12-24

Chapter Thirteen - Professionalism in Auditing

Summary

The main goal of this chapter is to present students with a discussion of the importance of integrity in public accounting and to discuss the AICPA's Code of Professional Conduct, which is the major statement of ethical principles that guides auditors. After completing this chapter, students should be able to:

Describe the primary reasons why the AICPA, SEC, and PCAOB have created written codes of conduct for auditors. Describe the rules and principles included in the AICPA's Code of Professional Conduct and discuss the rationale behind those rules and principles. Briefly describe other efforts by the AICPA and PCAOB to help insure the quality if audits.

AICPA Code of Professional Conduct

Overview of the Role of the Code in Enforcing Professional Behavior

One of the most important documents that helps define professionalism and ethical behavior for the auditing profession is the AICPA's Code of Professional Conduct. Recall that state laws determine who can perform external audits and that Sarbanes-Oxley added to state laws the requirement that external auditors for publicly traded firms also be registered with the PCAOB. I believe all states require that external auditors be CPAs, and that CPAs follow the AICPA's code of professional conduct.

In addition, the PCAOB adopted the AICPA's Code of Professional Conduct and requires auditors of publicly traded companies to follow it. The PCAOB and the SEC have added additional restrictions on auditors of public companies, particularly regarding issues that affect auditor independence. Thus, although the only power the AICPA has to enforce their Code of Conduct is to deny the CPA violating the code membership in the AICPA, state and federal agencies insist that external auditors follow the code. Note that this situation is very similar to how auditing standards are set and enforced. As with auditing standards, auditors of private companies only need to conform to AICPA rules while auditors of publicly-traded companies need to conform to both AICPA rules and PCAOB and SEC rules regarding professional conduct. As with auditing standards, the PCAOB has the ultimate authority to set standards for professional conduct for auditors of publicly traded firms and so the rules for professional conduct for auditors of private versus public companies may diverge in the future. Finally, auditors of international firms also need to conform to the international standards of professional conduct.

13-1

While this text focuses on external audits of public company's financial statements and controls, the AICPA's Code of Professional Conduct applies to all CPAs regardless of whether they audit firms, public or private, or not. For example, I am a member of the AICPA and, thus, the Code applies to my actions as a professor as well.

Structure of the Code

This section provides a brief overview of the AICPA's Code of Professional Conduct (the Code). I have included major portions of the Code from the AICPA's website in the Appendix to this chapter. While the Code is written in formal language that contains specialized terms and may be difficult for students to read, I believe it is important for auditing students to be familiar with the actual text of the Code.

The Appendix to this chapter only includes major extracts from the rules in the Code of Professional Conduct because the rules are what are enforceable and what contain the detailed prohibitions to which auditors must attend. However, the Code also includes a statement of Principles of Professional Conduct as well as interpretations and rulings by the AICPA's Professional Ethics Executive Committee (PEEC). The following figure presents the structure of the Code.

76

76 Taken from W. F. Messier, Jr., S. M. Glover, and D. F. Prawitt (2008), Auditing & Assurance Services: A Systematic Approach, McGraw-Hill Irwin.

13-2

Statement of Principles

The Code is based on six principles of professional behavior that guide the rules that actually are enforceable. This structure is similar to GAAS, which lays out broad principles for executing an audit. However, broad principles are rarely specific enough to be enforceable and, therefore, the AICPA added specific rules to provide enforceable specifics. The six principles are:77

Responsibilities - In carrying out their responsibilities as professionals, members should exercise sensitive professional and moral judgments in all their activities. The Public Interest - Members should accept the obligation to act in a way that will serve the public interest, honor the public trust, and demonstrate commitment to professionalism. Integrity - To maintain and broaden public confidence, members should perform all professional responsibilities with the highest sense of integrity. Objectivity and Independence - A member should maintain objectivity and be free of conflicts of interest in discharging professional responsibilities. A member in public practice should be independent in fact and appearance when providing auditing and other attestation services. Due Care - A member should observe the profession's technical and ethical standards, strive continually to improve competence and the quality of services, and discharge professional responsibility to the best of the member's ability. Scope and Nature of Services - A member in public practice should observe the Principles of the Code of Professional Conduct in determining the scope and nature of services to be provided.

Rules

The rules that the AICPA created to flesh out the above principles are extensive, as are the interpretations and rulings. I have elected to include only some of the rulings and interpretations in the Appendix to avoid overwhelming students. In this section, I will provide you with an overview of the rules in the following figure and highlight some key issues they raise. However, students will need to review the Appendix to review the specific content of each rule.

77 Copied from http://www.aicpa.org/about/code, published by the AICPA. Downloaded 4/13/2008.

13-3

78 Note that there is no section 400 in the rules. This section used to regulate a CPA's interactions with other CPAs. Most of the rules in section 400 prohibited CPAs from advertising or soliciting clients from other CPAs. However, the US Supreme Court ruled in the 70's that such rules were a restraint of trade and anti-competitive and so the AICPA had to drop them.

In addition, I have dropped the most content from the independence rules. Independence is critical to auditing and has become a very complex issue, thus leading to a lot of rules and interpretations. My personal believe is that independence is very hard for CPAs to maintain when they are being paid by their clients and when they want to maximize their profits as a private, for-profit organization. Thus, there is a constant tension between providing more non-

78 Taken from W. F. Messier, Jr., S. M. Glover, and D. F. Prawitt (2008), Auditing & Assurance Services: A Systematic Approach, McGraw-Hill Irwin.

13-4

audit services to audit clients in order to boost fees and profits and limiting non-audit revenues from clients to maintain independence. This dynamic tension has led to the need to constantly define and redefine the boundary between these two forces that affect an auditor's independence.

The rules also contain terms that I have not address in this class to date. The main term is "attest engagement." An audit is an attest engagement because auditors are being hired to attest to the accuracy of a firm's financial statements independently. However, auditors can be hired to provide independent opinions on other issues as well. In this case, these other services that rely on auditor independence to maintain their objectivity are also called attest engagements.

Rule Differences with SEC and PCAOB

As I mentioned above, the PCAOB and SEC have more stringent rules in some areas than the AICPA does. In these cases, auditors of public companies must follow the PCAOB and SEC rules as well as the AICPA rules. The following subsections discuss some of the major areas where PCAOB and SEC rules differ.

Non-audit services

The AICPA code allows auditors to provide a variety of non-audit services to their audit clients, to include:

bookkeeping, systems implementation (but not design), internal audit outsourcing, tax preparation, and general consulting. The AICPA does put some limitations on these services when the provision of these services might affect the financial statements being audited. For example, under general consulting, the auditor cannot provide valuation services if those valuations involve judgment and would affect the values the auditee used on their financial statements.

However, SEC rules are more stringent and based on three principles:

auditors should not audit their own work; auditors should not act in a management capacity for the auditee; and auditors should not be advocates for their auditees.

Under these principles, the SEC has specified nine types of services that auditor of public companies are not allowed to perform for auditees:

bookkeeping and other financial statement preparation, financial information systems design and implementation,

13-5

appraisals and valuation services, actuarial services, internal audit outsourcing, management or human resource functions, broker or dealer, investment advisor, or investment banking, legal services, and expert services. This above list comes with a caveat that auditors may be allowed to perform some of these services if the results of these services will not be subject to audit procedures during the audit of the client's financial statements or controls.

Human resource issues

In additional to prohibiting certain services to help insure that auditors remain independent of their auditees, the SEC also prohibits certain interactions between the auditee and auditor personnel and places some restrictions on auditor personnel. The core theme behind these additional restrictions is to keep the auditor and auditee from becoming to close to each other. These include:

Partner rotation - The lead audit partner and the quality review partner cannot serve on the auditee of the same client for more than five years before they must rotate off the engagement and wait five years before they can return to that client. Former employment - An audit firm cannot audit a client if any members of the audit team have been employed by the auditee within one year of when the audit engagement starts. Contingent fees - Partners, not just the lead audit and quality review partner, cannot receive compensation from selling non-audit services to the auditee.

Additional Communications

Finally, the SEC requires more extensive communications between the auditor and the auditee's Board of Directors, particularly the auditee's Audit Committee. These include:

The auditor must report to the Audit Committee and consider the Auditee Committee their client. Since Sarbanes-Oxley also requires that the Audit Committee be composed totally of outside directors and be headed by a Board member with financial background, having the auditor report to the Audit Committee enhances their independence of management. They must summarize the auditee's accounting policies, and GAAP alternatives to those policies, with the Audit Committee for all accounting policies that the auditor has discussed with the auditee's management and that might have a material impact on the financial statements.

13-6

The auditee must disclose all audit and non-audit fees paid to their auditor and describe the nature of the work performed for all non-audit fees for the last two fiscal years.

Other Quality Controls

The AICPA also provides quality control standards for CPAs. I have elected not to cover them in detail in this text. However, I will provide you with a brief overview of both AICPA and PCAOB quality control standards.

The AICPA has had a peer review program in place since 1988. First, I need to point out that the AICPA not only has individual memberships, but firm memberships. Their peer review program applies to firms who were members of the AICPA. I provided that firms had to have a review by another AICPA member firm every three years. That review covered the firm's auditing practices and procedures and, particularly, focused on the firm's internal quality control practices. Such a peer review program is unprecedented in that no other major profession in the US has such a program.

Sarbanes-Oxley transferred the responsibility for reviewing the audit practices to the PCAOB. However, as with other issues, the PCAOB has delegated to the AICPA some of that responsibility. For example, the AICPA created two organizations to execute peer reviews: the AICPA Center for Public Company Audit Firms Peer Review Program and the AICPA Peer Review Program. The PCAOB requires all audit firms that register with the PCAOB to do audits of public companies must join the first Center. However, the PCAOB carries out its own peer auditor review program as well and so the requirements established by the AICPA's Center are in addition to the PCAOB's own requirements. Audit firms that don't audit public companies can join either organization, but the AICPA does require them to join one or the other to remain AICPA members.

13-7

Appendix - AICPA Code of Professional Conduct

The following is the text of the AICPA's Code of Professional Conduct.79

79 http://www.aicpa.org/about/code, published by the AICPA. Downloaded 4/13/2008.

13-8

Index bill of lading ...... 6-6, 9-21 billable hours ...... 9-26 A biometric screening ...... 8-27 blind receiving ...... 9-25 Accounting Principles Board ...... 2-8 bond price variability ...... 7-29 accounts payable turnover ...... 7-47 bond rating ...... 7-29 Accounts receivable ...... 7-46 budget variance analysis ...... 8-14 accounts receivable aging ...... 6-7 accounts receivable subsidiary ledger ...... 6-6 accuracy ...... 8-8 C Accuracy...... 8-10 acid-test ratio ...... 7-25 CAP ...... 2-8 ad hoc calculations ...... 7-10 CAPEX ...... 7-21, 7-22 Ad hoc calculations ...... 7-5 capital expenditures ...... 7-22 addressee ...... 12-4, 12-14 Capital Intensity ...... 7-46 adjusting and reclassification entries ...... 3-17 capital market ...... 7-23 adverse opinion ...... 3-15 Capturing Transaction Information at the Boundary ...... 9-5 AICPA ...... 2-3, 2-8 cash conversion cycle ...... 7-17, 7-24, 7-46 AICPA's Code of Professional Conduct ...... 2-13, 13-1 Cash flow analysis...... 7-11 American Institute of Certified Public Accountants ...... 2-3 Cash Receipts and Disbursements Journal ...... 9-22, 9-26 analytical procedures ...... 8-26 chain of command ...... 8-4 Analytical procedures ...... 7-2 change in accounting principal ...... 12-7 APB ...... 2-8 change in the reporting entity ...... 12-8 application controls ...... 8-24 classical variable sampling ...... 10-2 AR 3-3 classification assertion ...... 8-10 ASB ...... 2-8, 2-10 clean opinion ...... 3-15, 12-5 asset impairment ...... 4-8 Code of Professional Conduct ...... 2-13 Asset Turnover ...... 7-17, 7-46 Committee on Accounting Procedure ...... 2-8 assurance services ...... 2-3 common carrier ...... 6-6, 9-21 attest engagement ...... 13-5 common-size ...... 7-8 attribute sampling ...... 9-11 Common-sized financial statements ...... 7-4 audit committee ...... 8-21, 13-6 compiled ...... 8-19 audit juniors ...... 3-10 completeness ...... 8-8 audit managers ...... 3-10 Completeness ...... 8-8 audit plan ...... 3-17 computer accounts...... 8-19 audit program ...... 3-11, 3-17 computer operations ...... 8-19 Audit risk ...... 3-3 concurring partner review ...... 11-11 audit risk model ...... 3-2 conduct rules summary ...... 13-4 audit seniors ...... 3-10 Confidence level ...... 10-4 audit trail ...... 3-18 consequential ...... 12-17 audit trails ...... 8-25 conservatism principle ...... 4-8 auditing ...... 2-1 consignment ...... 6-2 Auditing Standards Board ...... 2-8, 2-10 contingency ...... 11-1 authorization ...... 8-9, 8-15, 8-16, 8-24 contingent assets...... 11-2 contingent fees ...... 13-6 contingent gains ...... 11-2 B contingent liabilities ...... 11-2 contingent losses ...... 11-2 backorder ...... 6-5, 9-21 continuing education ...... 8-14 backup copies ...... 8-23 control ...... 8-13 backward looking ...... 7-12 control coverage rules ...... 9-7 basic precision ...... 10-12, 10-15 control deficiencies ...... 9-18 basis of comparison ...... 7-7 control deficiency ...... 9-18, 12-17 batch controls ...... 8-25 control deviation ...... 9-10 batch processing ...... 8-20 control risk ...... 3-4 batch totals ...... 8-20 controls ...... 8-1

i

Control's coverage ...... 9-6 F corporate culture ...... 8-3 corporate governance...... 8-3 factoring ...... 7-25 correction of an error in principle ...... 12-8 FAF ...... 2-9 credit sales ...... 6-3 FASAB ...... 2-9 cross sectional analysis ...... 7-4 FASB ...... 2-9 cross training...... 8-20 Financial Accounting Foundation ...... 2-9 cross-sectional analysis ...... 7-4 Financial Accounting Standard Board ...... 2-9 current audit file ...... 3-17 Financial Accounting Standards Advisory Board...... 2-9 current ratio ...... 7-25 financial position ...... 7-11 custody ...... 8-16 financial statement assertions...... 8-8 customer statement ...... 6-6 financing strategy ...... 7-24 cutoff assertion ...... 8-10 firewalls ...... 8-27 Firewalls ...... 8-28 Firm-level threats ...... 8-3 D Formal Policies and Procedures ...... 8-5 former employment ...... 13-6 data control ...... 8-19 forward looking ...... 7-12 data encryption ...... 8-28 frame ...... 9-10 data entry controls ...... 8-24 free cash flows ...... 7-20, 7-22 Days Cash ...... 7-47 Days Inventory ...... 7-18 Days Payables ...... 7-18 G Days Receivable ...... 7-18 debt covenants ...... 7-27 GAAS ...... 2-10, 2-11 deductive reasoning ...... 1-1 GASB ...... 2-9 definition...... 12-15 generally accepted auditing standards ...... 2-10, 2-11 desired confidence level ...... 9-11 going concern ...... 11-9 detection risk ...... 3-4, 10-7 Governmental Accounting Standards Board ...... 2-9 detective/corrective controls ...... 8-13 gross profit margin ...... 7-15 Dividend payout ...... 7-26 gross profit percentage ...... 7-15 Dividend Yield ...... 7-26 document comparison ...... 8-25 dual date ...... 11-8 H dual tests...... 9-2 due care ...... 13-3 haphazard sampling ...... 9-15 hash controls ...... 8-25 E hash totals ...... 8-20 hiring practices ...... 8-14 earnings management ...... 7-14 economic data ...... 7-5 I EDI ...... 8-25 EDP...... 8-18 electronic signatures ...... 8-28 IASB ...... 2-9, 2-12 employees incentives ...... 8-14 IFA 2-12 EPS ...... 7-12 IFRS ...... 2-9, 2-12 Equity Capital Turnover ...... 7-46 inadequate personnel...... 8-6 error and exception reports ...... 8-7, 8-26 incentives ...... 8-6 excess ...... 8-22 income smoothing ...... 4-6 executive summary ...... 1-9 inconsequential ...... 12-17 expected population deviation rate ...... 9-11, 9-12 Inconsequential deficiency ...... 12-17 Expected population misstatement ...... 10-4 independent review ...... 11-11 external audit ...... 8-21 Industrial data ...... 7-5 external auditors ...... 2-6 information transformation ...... 8-11 Information Transformation Points ...... 9-5 inherent limitations ...... 12-15 inherent risk ...... 3-3

ii

Initiating Transactions ...... 9-5 insolvency ...... 7-28 M insurance ...... 8-23 integrity...... 13-3 management ambivalence ...... 8-4 internal auditors ...... 8-21 management imposed and/or more than minor scope Internal auditors ...... 2-6 limitation ...... 12-20 internal controls ...... 3-4 management letter ...... 11-12 internal memos ...... 3-17 management override ...... 8-12 International Accounting Standards Board ...... 2-9 management representation letters ...... 11-5 International Federation of Accountants ...... 2-12 mandatorily redeemable, cumulative preferred stock .... 5-5 International Financial Reporting Standards ...... 2-9 matching sources to uses ...... 7-24 International Standards on Auditing ...... 2-12 material ...... 12-17 Internet protocol ...... 8-28 material deficiency ...... 9-18 introduction ...... 12-5, 12-15 material misstatement ...... 3-3, 7-6 inventory turnover ...... 7-46 material weakness ...... 12-17 Invested Capital Turnover ...... 7-46 modified audit reports ...... 12-3 invoice ...... 6-6, 9-21 monetary assets ...... 7-25 IP address ...... 8-28 monetary unit sampling ...... 10-2 ISA 2-12 Monetary unit sampling ...... 10-2 moral hazard ...... 2-4, 11-5 more than remote ...... 12-17 J MUS ...... 10-2 job descriptions...... 8-5 job rotation ...... 8-20 N judgmental sampling ...... 9-15 just-in-time ...... 7-46 non-audit fees ...... 13-7 non-statistical sampling ...... 9-8 not intentional or minor scope limitations ...... 12-20 K key controls ...... 9-4 O key punching ...... 8-19 objectivity and independence ...... 13-3 one-sided ratios ...... 7-9 L operating cash flow to current liabilities ...... 7-47 Operating Cash Flow to Total Debt ...... 7-48 operating performance ...... 7-11 learning ...... 1-2 operational audits ...... 8-21 learning triangle ...... 1-2 opinion ...... 12-5, 12-15 leases ...... 11-6 opportunity cash flow ...... 7-28 legal representation letter ...... 11-4 opportunity cost ...... 7-28 leverage ...... 7-14, 7-27, 7-28 organization charts ...... 8-5 limited liability partnerships ...... 3-10 output controls ...... 8-25 lines of authority ...... 8-4 outside directors ...... 8-21 liquid assets ...... 7-24 liquidity ...... 7-24 LLP...... 3-10 logical access ...... 8-27 P logical unit...... 10-9 longitudinal analysis ...... 7-4 P/E ratio ...... 7-12 Long-term Debt to Capitalization ...... 7-47 packing slip ...... 6-5, 9-21 Long-term Debt to Equity ...... 7-28 parking cash ...... 7-32 lower misstatement bound ...... 10-4, 10-12 partner in charge ...... 3-9 lower of cost or market rule ...... 4-8 partner rotation ...... 13-6 password protection ...... 8-24 passwords...... 8-19, 8-27 Payroll Journal ...... 9-26 PCAOB ...... 2-5, 2-7, 2-10

iii

peer review ...... 13-7 reperformance controls ...... 8-25 Perceived Value ...... 8-4 report distribution ...... 8-27 percentage change financial statements ...... 7-4 Reporting ...... 9-6 percentage of completion method ...... 6-4 responsibilities...... 13-3 performance report ...... 9-26 retained earnings ...... 7-23 permanent audit file ...... 3-17 Return on assets ...... 7-13 perpetual inventory systems...... 8-16 Return on invested capital...... 7-45 personnel practices ...... 8-14 return on investment ...... 7-13 pervasively material ...... 12-9 Return on owner's equity ...... 7-13 physical access controls ...... 8-27 revenue and collection cycle ...... 6-1 physical representation ...... 9-10 risk of incorrect acceptance ...... 10-4 Plan, Do, Check, Act ...... 9-27 risk of material misstatement ...... 3-4 planning materiality ...... 4-4 risk/return tradeoff ...... 7-24 plans, policies, and procedures ...... 8-13 RMM...... 3-4 point estimate of population error ...... 10-18 ROA ...... 7-13 population...... 9-10 ROE ...... 7-13 Population size ...... 10-4 ROI ...... 7-13 PPS ...... 10-11 preliminary analytical procedures...... 4-6, 7-2 Preventive controls ...... 8-13 S price to earnings ratio ...... 7-12 principal auditor ...... 12-6 sales and collection cycle ...... 9-20 probability proportionate to size ...... 10-11 Sales Journal ...... 6-6, 9-22 processing ...... 8-25 sales order ...... 6-5, 9-20 profit margin ...... 7-16 sampling interval ...... 10-10 profitability ...... 7-12 sampling risk ...... 9-8, 9-17 proxy servers ...... 8-27, 8-28 sampling unit ...... 9-10 Public Companies Accounting Oversight Board ..... 2-5, 2-10 SAS ...... 2-10, 2-12 public interest ...... 13-3 scope ...... 12-5, 12-15 purchase contract ...... 9-24 scope and nature of services ...... 13-3 purchase contracts...... 11-6 scope limitation ...... 12-11 purchase order ...... 6-5, 9-20, 9-24 SEC ...... 2-8 purchase requisitions ...... 9-23 second partner review ...... 11-11 Purchases Journal ...... 9-26 Securities and Exchange Commission ...... 2-8 Securities Exchange Act of 1934 ...... 2-8 security ...... 8-8 Q Security ...... 8-10 segregation of duties ...... 8-16 qualified audit reports ...... 12-3 SIC code ...... 7-30 qualified opinions ...... 3-15 signature and date...... 12-5, 12-15 quick ratio ...... 7-25 significant deficiency ...... 9-18, 12-17 solvency ...... 7-27 SQRRR...... 1-3 R Statements of Auditing Standards ...... 2-10 Statements on Auditing Standards ...... 2-12 random sampling ...... 9-14 statistical sampling ...... 9-8 Ratio analysis ...... 7-4 subsequent discovery of fact ...... 11-8 ratios ...... 7-9 Subsequent events ...... 11-7 real-time reporting ...... 8-7 substantive analytical procedures ...... 7-2, 7-7 receiving report ...... 9-25 substantive testing ...... 3-14 recording ...... 8-16 systematic sampling ...... 9-14 redundant capacity ...... 8-22 systems library ...... 8-19 referential integrity ...... 8-26 regular reviews and analysis ...... 8-21, 8-26 remittance advice ...... 9-25 T remittance advices ...... 6-7, 9-22 remote likelihood ...... 12-17 tests of details ...... 3-14 remote location ...... 8-23 time cards ...... 9-25

iv

time sheets ...... 9-25 Times Interest Earned ...... 7-48 V title ...... 12-4, 12-14 tolerable deviation rate ...... 9-11 validity ...... 8-8 tolerable difference ...... 7-6 Validity ...... 8-9 tolerable error ...... 4-2, 4-4, 7-6, 8-12 variable sampling ...... 9-11 Tolerable misstatement rate...... 10-4 vendor ...... 9-24 Total Debt to Equity ...... 7-28 virus checkers ...... 8-27, 8-28 Total Quality Management ...... 7-10 TQM ...... 7-10 trade creditors ...... 7-23 W training ...... 8-14 training programs ...... 8-14 warrantee ...... 6-3 transaction processing controls ...... 8-24 working capital ...... 7-17, 7-24 Trend analysis ...... 7-5 working paper ...... 3-18 two-sided ratios ...... 7-9 working papers ...... 3-17 Type 1 subsequent event ...... 11-7 working trail balance ...... 3-18 Type 2 subsequent event ...... 11-7 working trial balance ...... 3-17 write-off authorization ...... 6-7 written policies and procedures ...... 8-4 U Y understanding the auditee ...... 5-7 unlimited right of return ...... 6-2 upper deviation rate ...... 9-16 yield curve ...... 7-23 upper misstatement bound ...... 10-4 upper misstatement bound ...... 10-12 utilization ...... 7-12

v