Академический Документы
Профессиональный Документы
Культура Документы
AUD
Auditing & Attestation
SECTIONS 3000–3400
2019 (EFFECTIVE OCTOBER 1)
Surgent CPA Review:
Editor‐in‐Chief: Liz Kolar, CPA, CGMA
Director of Accounting and License Preparatory Content: John Castonguay, PhD, CPA
This book contains material copyrighted © 1953 through 2019 by the American Institute of Certified Public
Accountants, Inc., and is used or adapted with permission.
Portions of various FASB and GASB documents, copyrighted by the Financial Accounting Foundation, 401 Merritt 7,
P.O. Box 5116, Norwalk, CT 06856‐5116, are reprinted with permission. Complete copies of these documents are
available from the Financial Accounting Foundation.
Material from Uniform CPA Examination Questions and Unofficial Answers, copyright © 1976 through 2019,
American Institute of Certified Public Accountants, Inc., is used or adapted with permission.
This book is written to provide accurate and authoritative information concerning the covered topics. It is not meant
to take the place of professional advice. The content of this book has been updated to reflect relevant legislative
and governing body modifications as of October 2019.
Content and software copyright © 2019, Surgent CPA Review, LLC.
No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical,
including photocopying and recording, or by any information storage or retrieval system, except as may be expressly
permitted by the 1976 Copyright Act or in writing by the Publisher.
Printed in the United States of America.
Surgent CPA Review was developed by a team of professionals who are experts in the fields of accounting, business
law, and computer science, and are also experienced teachers in CPA Review programs and continuing professional
education courses.
Surgent CPA Review expresses its sincere appreciation to the many individual candidates, as well as accounting
instructors, who took time to write to us about previous editions. The improvements in this edition are attributable
to all of these individuals. Of course, any deficiencies are the responsibilities of the editors and authors. We very
much appreciate and solicit your comments and suggestions about this year’s edition.
The editors and authors are also indebted to the American Institute of Certified Public Accountants, the Financial
Accounting Standards Board, and the Governmental Accounting Standards Board for permission to quote from their
pronouncements. In addition, the AICPA granted us permission to use material from previous Uniform CPA
Examination Questions and Answers. AICPA codification numbers are used throughout the Auditing portion of the
Review to indicate the source of materials.
We recognize the work and dedication of our team of software designers and developers. Their vision has made this
the best product possible. They contributed countless hours to deliver this package and are each fully dedicated to
helping you pass the exam. Our thanks go out to the many individuals who have made contributions to both the
software and textbook portions of the CPA Review. We extend our gratitude to our team of software testers who
ensure that you receive only the highest quality product. Finally, we express appreciation to the editorial teams who
have devoted their time to review this product. They have provided invaluable aid in the writing and production of
the Surgent CPA Review.
Good luck on the exam!
Paul Brown, CPA, is the Director of Technical Services for a large state CPA Society. One of Paul’s main duties is to
serve as the technical reviewer in the state society’s American Institute of Certified Public Accountants (AICPA)
Peer Review Program. The program administers approximately 450 reviews annually and oversees approximately
125 peer reviewers. Paul has previously been an instructor and author of continuing education programs, for
which he had received several outstanding discussion leader and author awards. He also served on the AICPA’s
Technical Reviewers Advisory Task Force to the Peer Review Board and serves as staff liaison to two committees
and one section at the state society level. Prior to joining the state society, Paul was an audit manager with a
regional firm in Florida. He holds a BS degree in Accounting and Finance from Florida State University.
Annhenrie Campbell, PhD, CPA, CMA, CGFM, is a professor of Accounting at California State University, Stanislaus.
A former governmental accountant, her teaching and research interests have included governmental and not‐for‐
profit accounting throughout her career. She completed her MBA at Humboldt State University in California and
her PhD at the University of Colorado in Boulder. After earning a CPA and CMA and starting her university career,
Dr. Campbell became a Certified Government Financial Manager at the start of the CGFM program. In addition to
numerous presentations, Dr. Campbell and her colleagues continue to publish research on accounting education
issues.
John “Jack” Castonguay, PhD, CPA, is an Assistant Professor of Accounting, Taxation, and Legal Studies in Business
at Hofstra University in New York. He has taught financial accounting and auditing at the graduate and
undergraduate levels and is currently focused on emerging technologies and data analytics. Jack holds a BBA in
Accounting and a Master of Science in Accounting from James Madison University and received his PhD in
Accounting from the University of Tennessee. He began his career at PricewaterhouseCoopers as an assurance
associate, where his primary clients were financial service firms and manufacturing firms. Dr. Castonguay is a
member of the American Accounting Association and a volunteer for Big Brothers Big Sisters of New York City.
Joshua Dixon, CPA, is President of J Dixon Accounting Services, PC, a full‐service tax, accounting, and business
consulting firm located in Frisco, Texas. He graduated from Metropolitan State University of Denver with dual
Bachelor of Science degrees in Accounting and Finance. Josh is a CPA licensed in both Colorado and Texas. He is a
member of the American Institute of Certified Public Accountants (AICPA) and the Texas Society of Certified Public
Accountants (TSCPA).
Tim Firch, JD, LLM, is an Adjunct Professor of accounting and business law. A graduate of the University of
California, Davis, King Hall School of Law, he is a member of the California State Bar, taxation section (inactive in
good standing). His research and teaching interests center on writing skills development for upper‐division
accounting students. His writing skills courses include a major research component. He also teaches business law
along with financial, managerial, and tax accounting.
David P. Flanders, MBA, CPA, is an independent technical editor for CPA Examination reviews and tax and
accounting CPE courses. A native of Colorado, he received his MBA and undergraduate degrees from the University
of Colorado at Boulder. He is a CPA in Colorado. For over 20 years he was a corporate accountant and controller
for a variety of corporations, including subsidiaries of NYSE‐listed companies. More recently he spent 14 years as a
senior editor of accounting reviews and CPE courses for some of the largest publishing companies in the United
States.
LaMarion N. Green‐Hughey, CPA, MBA currently serves as Director of Finance for the DeKalb County, Georgia,
Sheriff’s Office. Previously, she served as a Field Auditor for the Office of the Comptroller of the Currency.
LaMarion received both her BBA and MBA from Georgia Southern University and holds an active CPA license in the
state of Georgia.
Janel Greiman is an Assistant Professor at the Monfort College of Business at the University of Northern Colorado.
She teaches tax at the undergraduate level as well as in the Master of Accountancy program. Ms. Greiman earned
her Master of Taxation at the Sturm College of Law at the University of Denver. She is a CPA in Colorado with
recent experience practicing in taxation. She is a member of the AICPA, the Colorado Society of Certified Public
Accountants (CSCPA), the tax section of the CSCPA, and the American Accounting Association. Her research
includes recent publication in Practical Tax Strategies and the American Journal of Business Education.
Jeff Helton, PhD, CMA, CFE, FHFMA, is an Assistant Professor of Health Care Management at Metropolitan State
University of Denver, where he teaches courses in health care finance. He has over 25 years of financial
management experience in hospitals, health plans, and government entities. Jeff is a Certified Management
Accountant, Certified Fraud Examiner, Fellow of the Healthcare Financial Management Association, and a member
of the Board of Examiners for the Healthcare Financial Management Association. He has published articles on
health care accounting and budgeting in Strategic Finance, Healthcare Financial Management, and the American
Journal of Management. Jeff has a PhD in Health Care Management from the University of Texas, an MS in Hospital
Administration from the University of Alabama at Birmingham, and a BBA from Eastern Kentucky University.
Cynthia Hollenbach, BBA, MS, CPA, CGMA, has been teaching at the collegiate level for the last 10 years. She has
also been and is currently a financial consultant to many corporate clients for over 25 years, involved with both
private and public companies. She received her BBA from Baylor University and her MS in Taxation from the
University of North Texas. Cynthia is licensed as a CPA in Texas and recently licensed as a CGMA, a new designation
by the AICPA to recognize skills as a global management accountant.
Tracy Hunt, Esq., is a founding partner of Timby Hunt, LLC. He received his Bachelor of Arts from the University of
North Carolina, Chapel Hill, and his law degree from Widener University School of Law in Wilmington,
Delaware. For the past 15 years, Mr. Hunt has concentrated his legal practice in all areas of civil litigation, including
business‐related contract issues, employment, land use, and personal injury. Mr. Hunt also heads up the Wills and
Estates practice for the firm, and assists his business clients in incorporation, drafting of contracts, trademark
infringement, and personnel matters.
Liz Kolar, CPA, CGMA, has been teaching CPA Review for more than 25 years in the United States, has personally
taught more than 2,500 live sessions, and has helped thousands of candidates pass the CPA Exam. She founded
Pinnacle CPA Review and co‐founded Surgent Kolar CPA Review. She is a recipient of the ASWA Business Woman of
the Year Northeast Region, Distinguished Faculty Member of the Year, and PICPA Outstanding Educator of the
Year. Liz began her career in Public Accounting with a Big Four accounting firm auditing financial service clients
after graduating from Pace University with an MBA in Public Accounting. Liz’s teaching career spans almost 30
years. She has taught at the undergraduate and graduate levels at Pace University and Seton Hall University, and is
currently a professor at Delaware Valley University.
Lola Neudecker is an Internal Auditor employed at the University of New Mexico. Lola has over 20 years of
financial accounting experience in subjects including auditing, fraud investigations, taxation, contracts and grants,
purchasing, budgeting, payroll, and banking. She has worked in public accounting, higher education, and
government. Lola graduated from the University of Texas at El Paso with a Bachelor’s degree in Business
Administration with a major in Accounting and a Master of Accountancy degree. Lola is a Certified Public
Accountant (CPA), Certified Management Accountant (CMA), Certified Financial Manager (CFM), Certified
Government Auditing Professional (CGAP), Certified Internal Auditor (CIA), Certified Fraud Examiner (CFE), and
Chartered Global Management Accountant (CGMA) and is Certified in Financial Forensics (CFF). She is a member of
the American Institute of Certified Public Accountants (AICPA), The Institute of Internal Auditors (IIA), the
Association of Certified Fraud Examiners, and the Institute of Management Accountants (IMA).
E. Lynn Nichols, CPA, is a nationally recognized authority on federal income tax issues. He has written several CPE
texts, speaks at conferences, and serves as an adviser to several CPA firms on matters of federal income taxation,
tax practice quality control, and IRS procedures. Lynn has produced tax update podcasts and webinars, contributes
to tax discussion groups, and monitors sponsored discussion groups for The Ohio Society of CPAs and the South
Carolina Association of CPAs.
Paul E. Pierson, CPA, is Director of Professional Standards and Peer Review for the Illinois CPA Society. In this
capacity, he oversees the administration of the Peer Review Program for approximately 1,500 CPA firms in Illinois
and Iowa. Paul has served as a discussion leader at the AICPA’s Annual Peer Review Conference and Advanced
Reviewer Training Course as well as several state CPA society conferences and chapter events. He is also
responsible for monitoring the continuing professional education and licensing rules in Illinois and Iowa and
responding to member inquiries regarding those matters. Paul has served on the Technical Reviewers Advisory
Task Force to the AICPA Peer Review Board, and currently serves as staff liaison to the Peer Review Report
Acceptance and Employment Benefits Committees of the Illinois CPA Society. He also oversees the Society’s
Accounting Principles, Audit and Assurance Services, Not‐for‐Profit, Governmental, and Ethics Committees. Paul
graduated from Illinois State University with a BS in Accounting and was an audit manager with a large, local CPA
firm in East Peoria, Illinois, prior to joining the Society.
Darlene A. Pulliam, PhD, CPA, joined the faculty of West Texas A&M in 1997. A native of eastern New Mexico, Dr.
Pulliam received a BS in Mathematics in 1976 and an MBA in 1978 from Eastern New Mexico University and joined
the accounting firm of Peat, Marwick, Mitchell and Co. (now KPMG) in Albuquerque. After five years in public
accounting, she completed her PhD at the University of North Texas and joined the faculty of the University of
Tulsa in 1987. As a Regents Professor and McCray Professor of Business at WTAMU, her responsibilities include
teaching tax and financial accounting, and advising the students in the Master of Professional Accounting program.
Her publications include many articles appearing in Tax Advisor; the Journal of Accountancy; Practical Tax
Strategies; Oil, Gas and Energy Quarterly; CPA Journal; and the Journal of Forensic Accounting as an author or
coauthor.
Ellen Rackas, MBA, CPA, has more than 25 years of accounting, auditing, and tax‐related industry experience,
including 10 years as an accounting professor at Delaware Valley University and currently at Muhlenberg College in
Pennsylvania, where she teaches accounting and tax‐related courses. Her career started in Washington, DC, as a
staff accountant for Raffa & Associates, a public accounting firm. After progressing through roles as a senior
accountant and audit supervisor, she joined Harman International Industries, Inc., a designer, manufacturer, and
marketer of audio and infotainment products. Over the course of her career, she has held roles as a finance
manager, audit manager, controller, and CFO. Ellen has 14 years’ independent consulting experience and has
assisted more than 40 corporate clients and 100 individual clients with financial statement preparation, tax return
preparation, and other accounting functions. Ellen received her Bachelor of Science degree in accounting from
Guy Schmitz, JD, LLM, MA, has practiced tax law for over 40 years. He has been a lecturer in tax law at Fontbonne
University and Washington University in St. Louis, Missouri, and is the author of articles for the Journal of the
Missouri Bar and St. Louis Bar Journal. He received his JD from Cornell Law School, where he was editor‐in‐chief of
the Cornell International Law Journal; received his LLM in Taxation from New York University; and served as clerk
to the U.S. Tax Court.
Brian E. Sebak, CPA, is a tax return specialist providing IRS and state tax resolution services. He is a Certified Public
Accountant in the state of New Jersey, representing many of his clients in front of the IRS and State Department of
Treasury. Brian is the President of his family‐based CPA firm.
Ken Smith, PhD, CPA‐Retired, is the President of Accounting Institute Seminars, for which he has written and
presented CPA Review seminars in many locations around the United States since 1972. He received his BS in
Accounting from the University of Montana and his PhD from the University of Texas–Austin. Ken is a professor of
accounting at Idaho State University, where he has taught since 1970. He has served as accounting department
chair, associate dean of the College of Business, and College of Business dean. He is actively involved with the
AICPA and the American Accounting Association.
Strategic Solutions for Business (SSB) is a management consulting firm based in Denver, Colorado, specializing in
accounting and information technology. Bryan Smith, CPA, is a managing partner of SSB with over 12 years of
experience assisting clients with business intelligence, data conversions, revenue/cost assurance, data and process
analytics, internal audit, operational metrics, mergers and acquisitions, and financial and regulatory compliance.
Amy Weisbender, CPA, previously a staff accountant at one of the Big Four, has worked in audit, finance, and
consulting for over 11 years. She has worked in various industries including restaurants, telecommunications,
manufacturing, technology, energy, real estate, and travel management. Amy’s focus is on business analysis and
project management with an emphasis on IT and accounting projects.
John (Jack) M. Surgent, MS in Taxation, CPA, is Chairman of Surgent Professional Education, the largest provider of
tax and financial‐planning seminars to CPAs in the United States. Mr. Surgent has presented over 1,800 live
seminars in the past 25 years and has been named Outstanding Discussion Leader by various professional
organizations. He has worked in the tax department of a Big Four accounting firm and was an assistant professor at
St. Joseph's University in Philadelphia. Mr. Surgent received his Bachelor's degree in Accounting from Villanova
University and a Master's in Taxation from Villanova University School of Law.
Mark M. Ulrich, MBA, CPA, is an Assistant Professor at Queensborough Community College of the City University
of New York. Prior to his career in academia, he worked for KPMG as a Senior Audit Associate and also worked at
St. John's University in Queens, New York, as the Director of Budgets and Compliance for the Peter J. Tobin College
of Business. Professor Ulrich currently serves on the Board of Directors of the New York State Society of Certified
Public Accountants (NYSSCPA), is a Past President and current Treasurer of the Queens/Brooklyn Chapter of the
NYSSCPA, and sits on the NYSSCPA’s Future of Accounting Education Committee. He received his Bachelor of
Science degree in Accounting from St. John’s University in 2006, his MBA in Accounting from St. John’s University
in 2007, and his CPA license from the State of New York in 2008.
Geri B. Wink, BBA, MBA, CPA, joined the faculty at Colorado State University–Pueblo in 2004 after serving over 20
years on the accounting faculty at the University of Texas at Tyler. She received both her BBA and MBA from Sam
Houston State University and holds CPA licenses in both Texas and Colorado. She maintained a tax practice for
over 20 years while in Texas. Her publications include articles and cases appearing in Oil and Gas Quarterly,
Management Accounting, The Business Review, Journal of International Society of Business Disciplines, and Journal
of International Academy of Case Studies. She also has written a book with a coauthor, Intermediate Accounting
DeMystified. She is very active in the Colorado Society of CPAs.
Section 3000 Overview of the Auditing & Attestation Examination ................................................................ 1
Section 3100 Ethics, Professional Responsibilities, and General Principles ..................................................... 7
Section 3200 Assessing Risk and Developing a Planned Response .............................................................. 119
Section 3300 Performing Further Procedures and Obtaining Evidence ....................................................... 189
Section 3400 Forming Conclusions and Reporting ...................................................................................... 279
Skill Levels
The examination or assessment of problems, and use of judgment to
Evaluation draw conclusions.
The examination and study of the interrelationships of separate
Analysis areas in order to identify causes and find evidence to support
inferences.
Application The use or demonstration of knowledge, concepts, or techniques.
3010.05 Blueprint
The Blueprint is organized by content AREA, content GROUP, and content TOPIC. Each topic
includes one or more representative TASKS. The purpose of the Blueprint is to:
a. document the minimum level of knowledge and skills necessary for initial licensure.
b. assist candidates in preparing for the Exam by outlining the knowledge and skills that
may be tested.
c. apprise educators of the knowledge and skills candidates need to function as newly
licensed CPAs.
d. guide the development of Exam questions.
The tasks in the Blueprint are representative; they are not intended to be viewed as an all-
inclusive list of tasks that may be tested. It is important to note that the number of tasks
associated with a particular content group or topic is not indicative of the extent such
content group, topic, or related skill level will be assessed on the Exam.
Source: AICPA
3120 Ethics, Independence, and Professional Conduct
3121 AICPA Code of Professional Conduct
3122 Securities and Exchange Commission and Public Company Accounting Oversight Board: Overview
3123 Government Accountability Office and Department of Labor Requirements
3124 Professional Skepticism and Professional Judgment
3130 Terms of Engagement
3131 Preconditions for an Engagement
3132 Terms of Engagement and Engagement Letter
3140 Requirements for Engagement Documentation
3141 Audit Engagements
3142 Nonaudit Engagements
3150 Communication with Management and Those Charged with Governance
3151 Planned Scope and Timing of an Engagement
3152 Internal Control Related Matters
3153 All Other Matters
3160 Communication with Component Auditors and Other Parties
3170 A Firm’s System of Quality Control
3110 Nature and Scope
3111 Audit Engagements
3111.01 The purpose of the audit is to provide financial statement users with an opinion by the
auditor on whether the financial statements are presented fairly, in all material respects, in
accordance with an applicable financial reporting framework. This enhances the degree of
confidence that intended users can place in the financial statements. An audit conducted in
accordance with relevant professional, regulatory, and ethical requirements enables the
auditor to form that opinion. The form of the opinion will depend on the applicable financial
reporting framework and any applicable law or regulation.
3111.02 An applicable financial reporting framework is one adopted by reporting entity management
with oversight by those charged with governance in the preparation and fair presentation of
the financial statements that is acceptable in view of the nature of the entity and the
financial reporting objective, or that is required by law or regulation.
3111.03 Those charged with governance include the person(s) or organization(s) (e.g., a corporate
trustee) with responsibility for overseeing the strategic direction of the entity, the financial
reporting process, and the obligations related to the accountability of the entity. In some
entities, this is the board of directors or the audit committee. In other entities, “those
charged with governance” have management responsibilities.
3111.04 The financial statements subject to audit are prepared and fairly presented by reporting
entity management with oversight by those charged with governance. Auditing standards of
issuers or nonissuers are based on the premise that management and those charged with
governance have accepted and acknowledged certain responsibilities fundamental to audit
conduct.
3111.05 The auditor may have certain other reporting and communication responsibilities regarding
matters noted during the audit. These responsibilities may be established by relevant audit
standards or applicable law or regulation.
3111.06 Auditors of issuers (e.g., as defined by the SEC, generally including entities that must file or
register financial information with the SEC) must comply with the Public Company
Accounting Oversight Board’s (PCAOB) Auditing Standards. Auditors of nonissuers must
comply with the AICPA’s Auditing Standards Board’s Statements on Auditing Standards
(SASs).
If an auditor conducts an audit in accordance with the standards of the PCAOB, but the audit
itself is not under the jurisdiction of the PCAOB (per SAS 131), the auditor must comply with
GAAS and use the form of reporting specified by the PCAOB Auditing Standards, amended to
indicate that the audit was also conducted in accordance with GAAS.
3111.07 The auditor should consider matters that determine the nature, scope, and objectives of the
engagement. These factors can be determined from conversations with management and
those charged with governance, or from reading documents such as board meeting minutes
and the prior year’s engagement files.
3111.08 Considerations that affect the scope of the audit engagement
a. The financial reporting framework on which the financial information to be audited has
been prepared, including any significant changes in the financial reporting framework
(such as changes in accounting standards) or the need for reconciliations to another
financial reporting framework
b. Industry‐specific reporting requirements (e.g., reports mandated by industry regulators)
and significant industry developments, such as changes in industry regulations and new
reporting requirements
c. The expected audit coverage, including audit areas where there is a higher risk of
material misstatement
d. The nature of the control relationships between a parent and its components that
determine how the group is to be consolidated (e.g., noncontrolling minority interest,
associate company, subsidiary)
e. The extent to which components are audited by other auditors
f. Significant business developments affecting the entity, including changes in information
technology and business processes; changes in key management; changes in the legal
environment affecting the entity; and any acquisitions, mergers, and divestments
g. The reporting currency to be used, including any need for currency translation for the
financial information audited
h. The need for statutory or regulatory audit requirements (e.g., the Office of Management
and Budget (OMB) Uniform Guidance for Federal Awards)
i. The availability of client personnel and the work of internal auditors, including the
extent of the auditor’s potential reliance on such work
j. The entity’s use of service organizations and how the auditor may obtain evidence
concerning the design or operation of controls performed by them
k. Results of previous audits that involved evaluating the operating effectiveness of
internal control, including identified deficiencies and action taken to address them
l. The effect of information technology on the audit procedures, including the availability
of data and the expected use of computer‐assisted audit techniques
m. The coordination or the expected coverage and timing of the audit work with any
reviews of interim financial information and the effect on the audit of the information
obtained during such reviews
n. Management’s commitment to the design, implementation, and maintenance of sound
internal control, including the importance attached to internal control throughout the
entity to the successful operation of the business
3111.09 Considerations that affect the reporting objectives, timing of the audit, and
communications required
a. The entity’s timetable for reporting, including interim periods
b. The organization of meetings with management and those charged with governance to
discuss the nature, extent, and timing of the audit work
c. The discussion with management and those charged with governance regarding the
expected type and timing of reports and communications to be issued
d. The discussion with management regarding the expected communications on the status
of audit work throughout the engagement
e. Communication with auditors of components regarding the expected types and timing
of reports to be issued and other communications in connection with the audit of
components
f. The expected nature and timing of communications among engagement team
members, including the nature and timing of team meetings and timing of the review of
work performed
g. Whether there are any other expected communications with third parties, including any
statutory or contractual reporting responsibilities arising from the audit
3112 Government Auditing Standards Engagements
Reporting Requirements: Yellow Book
3112.01 The generally accepted government auditing standards (GAGAS), also known as the “Yellow
Book,” provide a framework for auditors of government entities, entities that receive
government awards, and other audit organizations conducting governmental audits. GAGAS
requirements are in addition to the requirements contained in the AICPA standards.
a. The Yellow Book outlines the requirements for audit reports, professional qualifications
for auditors, and audit organization quality control. Auditors of federal, state, and local
government programs use these standards to perform their audits and produce their
reports.
b. The Yellow Book was revised in 2018, with an effective date for financial statement
audits, attestation engagements, and reviews of financial statements for periods ending
on or after June 30, 2020. It is effective for performance audits beginning on or after
July 1, 2019. Along with changes to its format and structure, the revision contains
updates on the following topics:
(1) Independence
(2) Competence and continuing professional education
(3) Quality control and peer review
(4) Financial audits
(5) Attestation engagements and reviews of financial statements
(6) Performance audits
c. The more significant changes include the following:
(1) A definition for waste, with specific requirements for reporting or communicating
waste that auditors become aware of during audits
(2) Incorporation of SSAE 18, Attestation Standards: Clarification and Recodification,
and SSARS 21, section 90 (Review of Financial Statements), into GAGAS for auditors
conducting attestation engagements and reviews of financial statements,
respectively
(3) Updated internal control requirements and guidance designed to align with the
revised Standards for Internal Control in the Federal Government and Internal
Control—Integrated Framework
3112.02 The additional items required by Government Auditing Standards relate to:
a. reporting auditor compliance with GAGAS;
b. reporting on internal control and compliance with provisions of laws, regulations,
contracts, and grant agreements;
c. communicating deficiencies in internal control, fraud, noncompliance with provisions of
laws, regulations, contracts, and grant agreements, and abuse;
d. reporting views of responsible officials;
e. reporting confidential or sensitive information;
f. documenting justification of deviations from presumptively mandatory procedures; and
g. distributing reports.
Reporting Requirements: Single Audit Act
3112.03 The Single Audit Act Amendments of 1996 (Single Audit Act) require audits, referred to as
“single audits,” to be conducted by an independent auditor. Single audits have a significant
public interest component as they are relied on by federal agencies as part of their
administrative responsibilities for determining compliance with the requirements of federal
awards by nonfederal entities.
a. Single audits are more extensive than GAAS or GAGAS audits. A single audit
encompasses an examination of a recipient’s financial records, financial statements,
federal award transactions and expenditures, the general management of its
operations, internal control systems, and federal assistance it received during the audit
period (the time period of recipient operations examined in the single audit, which
usually covers a natural or fiscal year).
b. The single audit is divided into two areas: compliance and financial. The compliance
supplement is the document that provides guidance to auditors who are engaged to test
for compliance with program requirements.
3112.04 The Director of the Office of Management and Budget (OMB) has the authority to develop
government‐wide guidelines and policy on performing audits to comply with the Single Audit
Act. The threshold for OMB compliance audits of entities that receive federal award money
is $750,000 per fiscal year.
a. The threshold relates to expenses, not revenues. An organization may receive more
than $750,000 and not be required to undergo a single audit if it does not spend more
than $750,000.
b. The entity may elect to have a program‐specific audit (an audit of a single federal
program, without auditing the entire entity).
3112.05 Before determining which federal programs to examine, the auditor must first evaluate the
recipient itself. The evaluation concludes with the auditor determining, based on the
evaluation, whether the recipient is a high‐risk auditee or a low‐risk auditee. A high‐risk
auditee is a recipient that has a high risk of not complying with federal laws and regulations,
while a low‐risk auditee is the exact opposite. The Office of Management and Budget (OMB)
Uniform Guidance for Federal Awards has set certain requirements a recipient must meet to
be considered a low‐risk recipient. These include the following for each of the preceding two
audit periods:
a. Single audits have been performed on an annual basis in prior years. Also, the data
collection form and reporting package were submitted to the Federal Audit
Clearinghouse within the earlier of 30 calendar days after the receipt of the auditor’s
report or nine months after the end of the audit period.
b. The auditor's opinions on the financial statements and in relation to the opinion on the
Schedule of Expenditure of Federal Awards (SEFA) were unmodified.
c. There are no material weaknesses identified in prior‐year audits related to internal
control over financial reporting.
d. None of the federal programs previously audited had audit findings in the last two years
in which they were classified as Type A programs during the audit period that resulted in
a modified opinion on major program compliance, or known or likely questioned costs
that exceeded 5% of the total federal awards for a Type A program. In addition, the
Type A programs did not have material weaknesses in internal control over compliance
with major programs.
e. The auditor did not report a substantive doubt about the auditee’s ability to continue as
a going concern.
3112.06 Once the need for a single audit is determined, the Office of Management and Budget
(OMB) Uniform Guidance for Federal Awards requires that federal programs be categorized
in two groups: Type A and Type B programs.
1. Type A program: A Type A program is any federal program that exceeds a quantifiable
amount per a fixed formula as outlined below. Type A programs are then evaluated as
to whether they are low risk or not low risk. Type A programs are classified as low risk
only if the program has been audited as a major program in at least one of the two most
recent audit periods; additionally, in the most recent period the program did not have
(a) any material weaknesses in internal control over compliance, (b) a modified opinion
on compliance, or (c) known or likely questioned costs exceeding 5% of the program’s
expenditures. The Uniform Guidance for Federal Awards also contains provisions that in
making the final determination about whether a type A program is low risk, the auditor
will also consider (a) the oversight exercised by federal agencies and pass‐through
entities, (b) the results of audit follow‐up, and (c) whether there have been any changes
in personnel or systems affecting the program that indicate a significantly increased risk
and preclude the program from being low risk. For any Type A programs that are
considered to not be low risk of not complying, the OMB Uniform Guidance for Federal
Awards requires that the auditor perform a compliance audit on that program. For a
Type A program that is considered to be of low risk, the auditor is not required to
perform a compliance audit, although the OMB Uniform Guidance for Federal Awards
allows the auditor to do so if he or she chooses.
Type A programs are defined as follows:
Total Federal Awards Expended Type A/B Threshold
Equal to $750,000 but less than or equal to $750,000
$25 million
Exceed $25 million but less than or equal to Total federal awards expended times 0.03
$100 million
Exceed $100 million but less than or equal to $3 million
$1 billion
Exceed $1 billion but less than or equal to Total federal awards expended times
$10 billion 0.003
Exceed $10 billion but less than or equal to $30 million
$20 billion
Exceed $20 billion Total federal awards expended times
0.0015
2. Type B program: A Type B program is any single program that does not meet the Type A
requirement.
After determining which programs are Type A and Type B, the OMB Uniform Guidance
for Federal Awards requires that the auditor perform and document a risk assessment to
determine whether Type B programs have either a high or low risk of not complying
with laws and regulations. The auditor is only required to perform risk assessments on
Type B programs that exceed 25% of the Type A program calculated threshold. Type B
programs below this threshold are referred to as relatively small federal programs and
the auditor does not need to perform risk assessments on them. The auditor will pull
programs out of the Type B program pool and perform risk assessments on the
programs until the auditor identifies high‐risk Type B programs which equal at least 25%
of the number of low‐risk Type A programs that the auditor previously identified. Once
the 25% threshold has been met, the auditor can stop performing risk assessments on
the Type B programs.
3112.07 Minimum coverage rule. For a non‐low‐risk auditee the auditor is required to audit, as major
programs, federal programs with federal awards expended that, in the aggregate,
encompass at least 40% of the total federal awards expended. For a low‐risk auditee the
auditor is required to audit, as major programs, federal programs with federal awards
expended that, in the aggregate, encompass at least 20% of the total federal awards
expended.
3112.08 The Single Audit Act requires that a recipient prepare financial statements specifically for the
single audit. It also requires that a financial audit be performed on the recipient, which
includes the federal assistance operations as well as the nonfederal assistance operations.
a. Tests of transactions and account balances are performed to ensure that the
information presented in the financial statements, and notes thereof, are reasonably
correct.
b. The recipient must prepare a Schedule of Expenditure of Federal Awards (SEFA), which
is a supplementary financial statement unique to recipients of federal assistance that
details all the federal assistance expended by the recipient during the year, categorized
by federal program. The auditor must then audit and report on this schedule in relation
to the financial statements as a whole.
Reporting Requirements: Nonaudit Services
3112.09 Providing nonaudit services to entities for which audits are performed may create threats to
the independence of the audit organization or members of the audit team. The auditor
should determine if an activity amounts to assuming management responsibility. Examples
of activities that would be considered a management responsibility include:
a. setting policies and strategic direction for the audited entity;
b. directing and accepting responsibility for the actions of the audited entity’s employees
in the performance of their normal recurring activities;
c. having custody of an audited entity’s assets;
d. reporting to those charged with governance on behalf of management;
e. deciding which recommendations of the auditors’ or other third parties to implement;
f. accepting responsibility for the management of an audited entity’s project;
g. accepting responsibility for designing, implementing, or maintaining internal control;
h. providing services that are intended to be used as management’s primary basis for
making decisions that are significant to the subject matter of the audit;
i. developing an audited entity’s performance measurement system when that system is
material or significant to the subject matter of the audit; and
j. serving as a voting member of an audited entity’s management committee or board of
directors.
3112.10 Routine activities performed by the auditors that relate directly to the performance of an
audit are not considered nonaudit services under GAGAS. Activities such as financial
statement preparation, cash to accrual conversions, and reconciliations are considered
nonaudit services under GAGAS. Examples of routine activities directly related to an audit
include:
a. providing advice to the audited entity on an accounting matter as an ancillary part of
the overall financial audit;
b. researching and responding to the audited entity’s technical questions on relevant tax
laws as an ancillary part of providing tax services;
c. providing advice to the audited entity on routine business matters;
d. educating the audited entity on matters within the technical expertise of the auditors;
and
e. providing information to the audited entity that is readily available to the auditors, such
as best practices and benchmarking studies.
3112.11 For all nonaudit services performed for audited entities, the auditor should obtain assurance
that management performs the following functions:
a. Assumes all management responsibilities
b. Oversees the services by designating an individual, preferably within senior
management, who possesses suitable skill, knowledge, and/or experience
c. Evaluates the adequacy and results of the services performed
d. Accepts responsibility for the results of those services
Reporting Requirements: Performance Audits
3112.12 Performance audits provide objective analysis, findings, and conclusions to assist
management and those charged with governance and oversight with, among other things,
improving program performance and operations, reducing costs, facilitating decision making
by parties responsible for overseeing or initiating corrective action, and contributing to
public accountability.
3112.13 Performance audit objectives vary widely and include assessments of program effectiveness,
economy, and efficiency; internal control; compliance; and prospective analyses and include
the following:
a. Program effectiveness and results audit objectives
b. Internal control audit objectives
c. Compliance audit objectives
d. Prospective analysis audit objectives
3112.14 The fieldwork requirements for performance audits conducted in accordance with generally
accepted government auditing standards (GAGAS) relate to planning the audit; conducting
the engagement; supervising staff; obtaining sufficient, appropriate evidence; and preparing
audit documentation.
3112.15 For audit objectives that pertain to the current status or condition of a program, sufficient,
appropriate evidence is gathered to provide reasonable assurance that the description of
the current status or condition of a program is accurate and reliable and does not omit
significant information relevant to the audit objectives.
3112.16 The reporting requirements for performance audits relate to reporting the auditors’
compliance with GAGAS, the form of the report, the report contents, obtaining the views of
responsible officials, report distribution, reporting confidential or sensitive information, and
discovery of insufficient evidence after report release.
3112.17 The full text of Government Auditing Standards can be downloaded for free at
www.gao.gov.
3112.18 To simplify relations between federal grantees and awarding agencies, the Office of
Management and Budget (OMB) established the cognizant agency concept, under which a
single agency represents all others in dealing with grantees in common areas.
a. The cognizant agency is responsible for reviewing, negotiating, and approving cost
allocation plans, indirect cost rates, and similar rates; monitoring nonfederal audit
reports; conducting federal audits as necessary; and resolving cross‐cutting audit
findings.
b. The cognizant agency under the applicable cost principles and under OMB Circular A‐
133 may be different for a given recipient.
c. The cognizant agency for nonprofit organizations is determined by calculating which
federal agency provides the most grant funding. For example, the Department of the
Interior is the cognizant agency for all Indian tribal governments; for hospitals, the
Department of Health and Human Services serves as the main cognizant agency.
3113 Nonaudit Engagements
3113.01 The Statements on Standards for Accounting and Review Services (SSARS) issued by the
Accounting and Review Services Committee (ARSC) describe professional requirements
when a public accountant performs a review, compilation, or an engagement to prepare
financial statements for nonissuers. The SSARS consist of four distinct sections.
SSARS Definitions
3113.02 Defining professional responsibilities: The SSARS list two categories of professional
requirements:
1. Unconditional requirements: indicated by the use of the word “must”
2. Presumptively mandatory requirements: indicated by the use of the word “should”
3113.03 Special purpose framework: a financial reporting framework other than GAAP, including the
cash basis, modified cash basis, tax basis, regulatory basis, contractual basis, and any other
basis that uses a definite set of logical, reasonable criteria that is applied to all material items
in the financial statements.
Section 60: General Principles for SSARS Engagements
3113.04 Section 60 provides general principles for SSARS engagements and provides definitions for
certain terms used within SSARS:
a. A financial reporting framework is defined as a set of criteria used to determine
measurement, recognition, presentation, and disclosure of all material items appearing
in the financial statements. This may include either GAAP or a special‐purpose
framework.
b. A fair presentation framework is defined as a financial reporting framework that
requires compliance with the requirements of the framework and does one of the
following:
(1) Acknowledges explicitly or implicitly that, to achieve fair presentation of the
financial statements, it may be necessary for management to provide disclosures
beyond those specifically required by the framework
(2) Acknowledges explicitly that it may be necessary in rare circumstances for
management to depart from a requirement of the framework to achieve fair
presentation of the financial statements
c. Financial statements subject to a SSARS engagement are the responsibility of those of
the reporting entity management, including selecting the financial reporting framework
to be applied.
d. The accountant should determine whether management’s selected financial reporting
framework is acceptable before accepting the SSARS engagement.
e. The accountant should comply with all relevant ethical requirements, including
exercising professional judgment in performance of the engagement.
f. Management is responsible for preventing and detecting fraud and noncompliance with
laws and regulations.
g. Management is responsible for the design, implementation, and maintenance of
internal control relevant to the preparation and fair presentation of the financial
statements that are free from material misstatement, whether due to fraud or error,
unless the accountant decides to accept responsibility for such internal control (and
consequently impair the ability to accept engagements that require independence).
Section 70: Engagement to Prepare Financial Statements
3113.05 An engagement to prepare financial statements is a nonattest service and does not require
a report to be issued. The determination about whether the accountant has been engaged
to prepare the financial statements (covered by the SSARSs) or merely assist in preparing
financial statements (i.e., bookkeeping nonattest services that are not governed by the
SSARSs) is based on the client’s actual request for services to be performed and the
accountant’s professional judgment.
The objective of the service is to prepare financial statements in accordance with an
applicable financial reporting framework. There is no assurance provided and no report
issued. Since a report is not issued, the accountant:
a. is not required to be independent of the entity.
b. does not need to verify the accuracy or completeness of the information provided by
management.
c. is not required to collect evidence to express an opinion or otherwise report on the
financial statements.
3113.06 Section 70 applies when an accountant in public practice is engaged to prepare financial
statements; it does not apply if the accountant prepares financial statements:
a. and is also engaged to perform an audit, review, or compilation of those statements.
b. solely for submission to taxing authorities.
c. for inclusion in written personal financial plans prepared by the accountant.
d. in conjunction with litigation services.
e. in conjunction with business valuation services.
Section 80: Compilation Engagement
3113.07 A compilation is a service that does result in a report, the objective of which is to assist
management in presenting financial information in the form of financial statements without
undertaking to obtain or provide any assurance that there are no material modifications that
should be made to the financial statements in order for the statements to be in conformity
with the applicable financial reporting framework. Although a compilation is not an
assurance engagement, it is an attest engagement (because a report is issued).
3113.08 A compilation differs significantly from a review or an audit of financial statements. A
compilation does not contemplate performing inquiry, analytical procedures, or other
procedures performed in a review. Additionally, a compilation does not contemplate
obtaining an understanding of the entity’s internal control; assessing fraud risk; testing
accounting records by obtaining sufficient appropriate audit evidence through inspection,
observation, confirmation, or the examination of source documents; or other procedures
ordinarily performed in an audit. Therefore, a compilation does not provide a basis for
obtaining or providing any assurance regarding the financial statements.
Section 90: Review Engagement
3113.09 A review is a service, the objective of which is to obtain limited assurance that there are no
material modifications that should be made to the financial statements in order for the
statements to be in conformity with the applicable financial reporting framework. In a
review engagement, the accountant should accumulate review evidence to obtain a limited
level of assurance. A review engagement is an assurance engagement, as well as an attest
engagement.
3113.10 A review differs significantly from an audit of financial statements in which the auditor
obtains a high level of assurance (expressed in the auditor’s report as obtaining reasonable
assurance) that the financial statements are free of material misstatement. A review does
not contemplate obtaining an understanding of the entity’s internal control; assessing fraud
risk; testing accounting records by obtaining sufficient appropriate audit evidence through
inspection, observation, confirmation, or the examination of source documents; or other
procedures ordinarily performed in an audit. Accordingly, in a review, the accountant does
not obtain reasonable assurance that he or she will become aware of all significant matters
that would be disclosed in an audit. Therefore, a review is designed to obtain only limited
assurance that there are no material modifications that should be made to the financial
statements in order for the statements to be in conformity with the applicable financial
reporting framework.
Other Relevant Professional Standards
3113.11 In addition to SSARSs, AICPA members who perform preparation of financial statements,
compilation, and review engagements of a nonissuer are governed by the AICPA’s Code of
Professional Conduct and Statements on Quality Control Standards (SQCS).
3113.12 The AICPA’s Code of Professional Conduct sets out the fundamental ethical principles that all
AICPA members are required to observe. When performing any engagement for a nonissuer,
the code requires an accountant to maintain objectivity and integrity and comply with all
other applicable provisions.
3113.13 The Statements on Quality Control Standards (SQCS) establish standards and provide
guidance on a firm’s system of quality control. A firm should establish quality control policies
and procedures to provide reasonable assurance that personnel comply with professional
standards when performing any attest engagement for nonissuers.
Reviews of Interim Financial Information
3113.14 Nonissuers: An auditor may conduct, in accordance with generally accepted auditing
standards for nonissuers, a review of the interim financial information when the entity’s
latest annual financial statements have been audited by the auditor or a predecessor
auditor; the auditor has either been engaged to audit the entity’s current‐year financial
statements or audited the entity’s latest annual financial statements; and the entity
prepared its interim financial information in accordance with the same financial reporting
framework as that used to prepare the annual financial statements. The term “interim
financial information” refers to financial information prepared or presented in accordance
with an applicable financial reporting framework that comprises either a complete or
condensed set of financial statements covering a period or periods less than one full year or
covering a 12‐month period ending on a date other than the entity’s fiscal year‐end.
3113.15 Issuers: Public Company Accounting Oversight Board (PCAOB) Auditing Standard (AS) 4105
relates to reviews of interim financial information for issuers. Although the auditor is not
required to issue a written report on a review of interim financial information, the Securities
and Exchange Commission (SEC) requires that the auditor’s review report be filed with the
interim financial information if, in any filing, the entity states that the interim financial
information has been reviewed by an independent public accountant.
PCAOB Standards
3113.16 The Public Company Accounting Oversight Board (PCAOB) has adopted both the AICPA’s
preexisting ethics and independence standards contained in the Code of Professional
Conduct and its preexisting quality control standards as its interim standards. The PCAOB has
made some of these rules and standards more stringent due to public accountability. This
includes the inability to perform certain nonattest services, such as preparation of financial
statements, without impairing independence.
Attestation Engagements
Nonissuers
3113.17 The Statements of Standards for Attestation Engagements (SSAEs) establish requirements
for performing and reporting on examination, review, and agreed‐upon procedures
engagements.
The purpose of an attestation engagement is to provide users of information, generally third
parties, with an opinion, conclusion, or findings regarding the reliability of a subject matter
(or an assertion about the subject matter) as measured against suitable and available
criteria. Examples of attestation engagement include examinations of prospective financial
information, reviews of pro forma financial information, and agreed‐upon procedures
related to compliance with contract provisions.
3113.18 Examination: To express an opinion in an examination, the attest accountant obtains
reasonable assurance about whether the subject matter, or an assertion about the subject
matter, is free from material misstatement, whether due to fraud or error. Reasonable
assurance is high, but not absolute.
3113.19 Review: To express a conclusion in a review, the attest accountant obtains limited assurance
about whether any material modification should be made to the subject matter in order for
it to be in accordance with (or based on) the criteria or to an assertion about the subject
matter in order for it to be fairly stated. The nature and extent of procedures are
substantially less than an examination.
3113.20 Agreed‐upon procedures: To report on the application of agreed‐upon procedures, the
attest accountant applies procedures determined by specified parties who are the intended
users of the attest report and who are responsible for the sufficiency of the procedures for
their purposes. The attest accountant reports on the results of the engagement, but does
not provide an opinion or conclusion on the subject matter or assertion.
Issuers
3113.21 The Public Company Accounting Oversight Board (PCAOB) has adopted the preexisting
attestation standards of the AICPA’s Auditing Standards Board’s Statements on Standards
for Attestation Engagements (SSAEs).
a. In general, the attestation requirements for examinations, reviews, and agreed‐upon
procedures are similar when a public accountant is engaged to perform an attestation
engagement for an issuer or a nonissuer.
b. However, whenever the practitioner is required to make reference in a report to
attestation standards established by the American Institute of Certified Public
Accountants, the practitioner must instead refer to "the standards of the Public
Company Accounting Oversight Board (United States)."
c. A practitioner must also include the city and state (or city and country, in the case of
non‐U.S. practitioners) from which the practitioner's report has been issued. There also
are some additional PCAOB attestation standards related to broker‐dealers.
3120 Ethics, Independence, and Professional Conduct
3121 AICPA Code of Professional Conduct
3121.01 The Code of Professional Conduct of the American Institute of Certified Public Accountants
(AICPA) consists of the principles, rules, and interpretations and other guidance. The
principles provide the framework for the rules, which govern the performance of
professional services by members of the AICPA. The Council of the AICPA is authorized to
designate bodies to promulgate technical standards under the rules, and the bylaws require
adherence to those rules and standards. The full text of the principles and the rules can be
viewed and printed for free at www.aicpa.org.
3121.02 The Code of Professional Conduct was adopted by the membership in 1988 to provide
guidance and rules to all members—those in public practice, industry, government, and
education—in the performance of their professional responsibilities.
3121.03 Compliance with the Code of Professional Conduct, as with all standards in an open society,
depends primarily on members’ understanding and voluntary actions, secondarily on
reinforcement by peers and public opinion, and ultimately on disciplinary proceedings, when
necessary, against members who fail to comply with the rules. The Code of Professional
Conduct contains three parts to include member in public practice, member in business, and
all other members.
3121.04 The term “member” as used in this section refers to members in public practice, members in
business, and other members who formally adopt the Code of Professional Conduct.
3121.05 Application of the AICPA Code (ET 0.200.020)
a. The rules of conduct that follow apply to all professional services performed except:
(1) when the wording of the rule indicates otherwise.
(2) that a member who is practicing outside the United States will not be in violation of
a particular rule for departing from any of the rules stated as long as the member’s
conduct is in accordance with the rules of the organized accounting profession in
the country in which the member is practicing. However, when a member is
associated with financial statements under circumstances that would lead the
reader to assume that U.S. practices were followed, the member must comply with
the “Compliance with Standards Rule” (ET 1.310.001 for members in public practice
and ET 2.310.001 for member in business) and the “Accounting Principles Rule” (ET
1.320.001 for members in public practice and ET 2.320.001 for members in
business).
(3) that a member who is a member of a group engagement team (see AU‐C 600,
Special Considerations—Audits of Group Financial Statements (Including the Work
of Component Auditors)) will not be considered in violation of a particular rule if a
foreign component auditor (accountant) departed from any of the ethics
requirements with respect to the audit or review of group financial statements or
other attest engagement, as long as the foreign component auditor’s (accountant’s)
conduct, at a minimum, is in accord with the ethics and independence
requirements set forth in the International Ethics Standards Board for Accountants’
(IESBA’s) Code of Ethics for Professional Accountants, and the members of the
group engagement team are in compliance with the rules stated herein.
(4) that the independence of the member’s firm will not be considered impaired if
another firm or entity located outside the United States that is within the member
firm's network departed from any of the rules, as long as the other firm or entity's
conduct, at a minimum, is in accordance with the ethics and independence
requirements set forth in the IESBA’s Code of Ethics for Professional Accountants.
b. A member shall not knowingly permit a person, whom the member has the authority or
capacity to control, to carry out on his or her behalf, either with or without
compensation, acts that, if carried out by the member, would place the member in
violation of the rules. Further, a member may be held responsible for the acts of all
persons associated with the member in public practice whom the member has the
authority or capacity to control.
c. A member in public practice or a covered member may be considered to have his or her
independence impaired, with respect to a client, as the result of the actions or
relationships of certain persons or entities, as described in the Independence Rule (ET
1.200.001) and its interpretations, whom the member or covered member does not
have the authority or capacity to control. Therefore, it should not be concluded that the
member’s independence is not impaired solely because of an inability to control the
actions or relationships of such persons or entities.
d. The “Breach of an Independence Interpretation” (ET 1.298.010) of the Independence
Rule contains guidance with which a member should comply if the member identifies a
breach of an independence interpretation of the code. If a member identifies a breach
of any other provision of this code, the member should evaluate the significance of the
breach and its effect on the member’s ability to comply with the rules of the code. The
member should take whatever actions may be available, as soon as practicable, to
satisfactorily address the consequences of the breach. The member should determine
whether to report the breach, for example, to those who may have been affected by the
breach, a professional body, relevant regulator, or oversight authority. In making the
evaluation and in determining what actions should be taken, the member should
exercise professional judgment and take into account whether a reasonable and
informed third party, weighing the significance of the breach, the action to be taken,
and all the specific facts and circumstances available to the member at that time, would
be likely to conclude that the member is able to comply with the rules of the code. A
member’s determination that the member has satisfactorily addressed the
consequences of the breach will not, however, preclude an investigation or
enforcement action concerning the underlying breach of the code and the member
should be prepared to justify such determination.
3121.06 Preamble (ET 0.300.010)
a. Membership in the American Institute of Certified Public Accountants (AICPA) is
voluntary. By accepting membership, a certified public accountant assumes an
obligation of self‐discipline above and beyond the requirements of laws and regulations.
b. The principles of the Code of Professional Conduct of the AICPA express the profession’s
recognition of its responsibilities to the public, to clients, and to colleagues. These
principles guide members in the performance of their professional responsibilities and
basic tenets of ethical and professional conduct. The principles call for an unswerving
commitment to honorable behavior, even at the sacrifice of personal advantage.
3121.07 Responsibilities (ET 0.300.020): “In carrying out their responsibilities as professionals,
members should exercise sensitive professional and moral judgments in all their activities.”
As professionals, certified public accountants perform an essential role in society. Consistent
with that role, members of the American Institute of Certified Public Accountants (AICPA)
have responsibilities to cooperate with each other to improve the art of accounting,
maintain the public’s confidence, and carry out the profession’s special responsibilities for
self‐governance. The collective efforts of all members are required to maintain and enhance
the traditions of the profession.
3121.08 The Public Interest (ET 0.300.030): “Members should accept the obligation to act in a way
that will serve the public interest, honor the public trust, and demonstrate a commitment to
professionalism.”
a. A distinguishing mark of a profession is acceptance of its responsibility to the public. The
accounting profession’s public consists of clients, credit grantors, governments,
investors, the business and financial community, and others who rely on the objectivity
and integrity of certified public accountants to maintain orderly functioning of
commerce. This reliance imposes a public interest responsibility on certified public
accountants. The public interest is defined as the collective well‐being of the community
of people and institutions the profession serves.
b. In discharging their professional responsibilities, members may encounter conflicting
pressures from each of those groups. In resolving those conflicts, members should act
with integrity, guided by the precept that when members fulfill their responsibility to
the public, clients’ and employers’ interests are best served.
c. Those who rely on certified public accountants expect them to discharge their
responsibilities with integrity, objectivity, due professional care, and a genuine interest
in serving the public. Certified public accountants are expected to provide quality
services, enter into fee arrangements, and offer a range of services—all in a manner
that demonstrates a level of professionalism consistent with these principles of the
Code of Professional Conduct.
d. All who accept membership in the American Institute of Certified Public Accountants
(AICPA) commit themselves to honor the public trust. In return for the faith that the
public reposes in them, members should seek continually to demonstrate their
dedication to professional excellence.
3121.09 Integrity (ET 0.300.040): “To maintain and broaden public confidence, members should
perform all professional responsibilities with the highest sense of integrity.”
a. Integrity is an element of character fundamental to professional recognition. It is the
quality from which the public trust derives and the benchmark against which a member
must ultimately test all decisions.
b. Integrity requires a member to be honest and candid within the constraints of client
confidentiality. Service and the public trust should not be subordinated to personal gain
and advantage. Integrity can accommodate the inadvertent error and the honest
difference of opinion; it cannot accommodate deceit or subordination of principle.
c. Integrity is measured in terms of what is right and just. In the absence of specific rules,
standards, or guidance, or in the face of conflicting opinions, a member should test
decisions and deeds by asking: “Am I doing what a person of integrity would do? Have I
retained my integrity?” Integrity requires a member to observe both the form and the
spirit of technical and ethical standards; circumvention of those standards constitutes
subordination of judgment.
d. Integrity also requires a member to observe the principles of objectivity and
independence and of due care.
3121.10 Objectivity and Independence (ET 0.300.050): “A member should maintain objectivity and
be free of conflicts of interest in discharging professional responsibilities. A member in public
practice should be independent in fact and appearance when providing auditing and other
attestation services.”
a. Objectivity is a state of mind, a quality that lends value to a member’s services. It is a
distinguishing feature of the profession. Objectivity imposes the obligation to be
impartial, intellectually honest, and free of conflicts of interest. Independence precludes
relationships that may appear to impair a member’s objectivity in rendering attestation
services.
b. Members often serve multiple interests in many different capacities and must
demonstrate their objectivity in varying circumstances. Members in public practice
render attest, tax, and management advisory services. Other members prepare financial
statements in the employment of others, perform internal auditing services, and serve
in financial and management capacities in industry, education, and government. They
also educate and train those who aspire to admission into the profession. Regardless of
service or capacity, members should protect the integrity of their work, maintain
objectivity, and avoid any subordination of their judgment.
c. For a member in public practice, the maintenance of objectivity and independence
requires a continuing assessment of client relationships and public responsibility. A
member who provides auditing and other attestation services should be independent in
fact and appearance. In providing all other services, a member should maintain
objectivity and avoid conflicts of interest.
d. Although members not in public practice cannot maintain the appearance of
independence, they nevertheless have the responsibility to maintain objectivity in
rendering professional services. Members employed by others to prepare financial
statements or to perform auditing, tax, or consulting services are charged with the same
responsibility for objectivity as members in public practice. They must be scrupulous in
their application of generally accepted accounting principles (or other applicable
financial reporting framework, as relevant) and candid in all their dealings with
members in public practice.
3121.11 Due Care (ET 0.300.060): “A member should observe the profession’s technical and ethical
standards, strive continually to improve competence and the quality of services, and
discharge professional responsibility to the best of the member’s ability.”
a. The quest for excellence is the essence of due care. Due care requires a member to
discharge professional responsibilities with competence and diligence. It imposes the
obligation to perform professional services to the best of a member’s ability, with
concern for the best interest of those for whom the services are performed and
consistent with the profession’s responsibility to the public.
b. Competence is derived from a synthesis of education and experience. It begins with a
mastery of the common body of knowledge required for designation as a certified public
accountant. The maintenance of competence requires a commitment to learning and
professional improvement that must continue throughout a member’s professional life.
It is a member’s individual responsibility. In all engagements and in all responsibilities,
each member should undertake to achieve a level of competence that will assure that
the quality of the member’s services meets the high level of professionalism required by
these principles.
c. Competence represents the attainment and maintenance of a level of understanding
and knowledge that enables a member to render services with facility and acumen. It
also establishes the limitations of a member’s capabilities by dictating that consultation
or referral may be required when a professional engagement exceeds the personal
competence of a member or a member’s firm. Each member is responsible for assessing
his or her own competence—of evaluating whether education, experience, and
judgment are adequate for the responsibility to be assumed.
d. Members should be diligent in discharging responsibilities to clients, employers, and the
public. Diligence imposes the responsibility to render services promptly and carefully, to
be thorough, and to observe applicable technical and ethical standards.
e. Due care requires a member to plan and supervise adequately any professional activity
for which he or she is responsible.
3121.12 Scope and Nature of Services (ET 0.300.070): “A member in public practice should observe
the Principles of the Code of Professional Conduct in determining the scope and nature of
services to be provided.”
a. The public interest aspect of certified public accountants’ services requires that services
be consistent with acceptable professional behavior for certified public accountants.
Integrity requires that service and the public trust not be subordinated to personal gain
and advantage. Objectivity and independence require that members be free from
conflicts of interest in discharging professional responsibilities. Due care requires that
services be provided with competence and diligence.
b. Each of these principles should be considered by members in determining whether or
not to provide specific services in individual circumstances. In some instances, they may
represent an overall constraint on the nonaudit services that might be offered to a
specific client. No hard‐and‐fast rules can be developed to help members reach these
judgments. Members must be satisfied that they are meeting the spirit of the principles
in this regard.
c. In order to accomplish this, members should:
(1) practice in firms that have in place internal quality‐control procedures to ensure
that services are competently delivered and adequately supervised.
(2) determine, in their individual judgments, whether the scope and nature of other
services provided to an audit client would create a conflict of interest in the
performance of the audit function for that client.
(3) assess, in their individual judgments, whether an activity is consistent with their
roles as professionals.
Definitions (ET 0.400)
3121.13 Attest engagement. An attest engagement is an engagement that requires independence as
defined in the AICPA Professional Standards.
3121.14 Attest engagement team. The attest engagement team consists of individuals participating
in the attest engagement, including those who perform concurring and second partner
reviews. The attest engagement team includes all employees and contractors retained by
the firm who participate in the attest engagement, irrespective of their functional
classification (for example, audit, tax, or management consulting services). The attest
engagement team excludes specialists as discussed in AU‐C 620, Using the Work of an
Auditor’s Specialist, and individuals who perform only routine clerical functions, such as
word processing and photocopying.
3121.15 Client. A client is any person or entity, other than the member’s employer, that engages a
member or member’s firm to perform professional services (engaging entity), and also a
person or entity with respect to which a member or member’s firm performs professional
services (subject entity). When the engaging entity and the subject entity are different, while
there is only one engagement, they are separate clients.
3121.16 Confidential client information. Confidential client information is any information obtained
from the client that is not available to the public. Information that is available to the public
includes, but is not limited to, information:
a. in a book, periodical, newspaper, or similar publication;
b. in a client document that has been released by the client to the public or that has
otherwise become a matter of public knowledge;
c. on publicly accessible websites, databases, online discussion forums, or other electronic
media by which members of the public can access the information;
d. released or disclosed by the client or other third parties in media interviews, speeches,
testimony in a public forum, presentations made at seminars or trade association
meetings, panel discussions, earnings press release calls, investor calls, analyst sessions,
investor conference presentations, or a similar public forum;
e. maintained by, or filed with, regulatory or governmental bodies that is available to the
public; or
f. obtained from other public sources.
3121.17 Covered member. A covered member is:
a. an individual on the attest engagement team.
b. an individual in a position to influence the attest engagement.
c. a partner, partner equivalent, or manager who provides nonattest services to the attest
client beginning once he or she provides 10 hours of nonattest services to the client
within any fiscal year and ending on the later of the date:
(1) the firm signs the report on the financial statements for the fiscal year during which
those services were provided or
(2) he or she no longer expects to provide 10 or more hours of nonattest services to
the attest client on a recurring basis.
d. a partner or partner equivalent in the office in which the lead attest engagement
partner primarily practices in connection with the attest engagement.
e. the firm, including the firm’s employee benefit plans.
f. an entity whose operating, financial or accounting policies can be controlled (as defined
by FASB ASC 810, Consolidation) by any of the individuals or entities described in (a)
through (e) or by two or more such individuals or entities if they act together.
3121.18 Firm. A firm is a form of organization permitted by law or regulation whose characteristics
conform to resolutions of the council of the AICPA that is engaged in public practice. Except
for purposes of applying the Independence Rule the firm includes the individual partners
thereof. For purposes of applying the Independence Rule, the firm includes a network firm
when the engagement is either a financial statement audit or review engagement, and the
audit or review report is not restricted, as defined by professional standards.
3121.19 Immediate family. Immediate family is a spouse, spousal equivalent, or dependent (whether
or not related).
Close relative. A close relative is a parent, sibling, or nondependent child.
3121.20 Individual in a position to influence the attest engagement. An individual in a position to
influence the attest engagement is one who:
a. evaluates the performance or recommends the compensation of the attest engagement
partner;
b. directly supervises or manages the attest engagement partner, including all successively
senior levels above that individual through the firm’s chief executive;
c. consults with the attest engagement team regarding technical or industry‐related issues
specific to the attest engagement; or
d. participates in or oversees, at all successively senior levels, quality control activities,
including internal monitoring, with respect to the specific attest engagement.
3121.21 Joint closely held investment. A joint closely held investment is an investment in an entity or
a property by the member and the attest client (or the attest client’s officers or directors, or
any owner who has the ability to exercise significant influence over the attest client) that
enables them to control the entity or property.
3121.22 Key position. A key position is a position in which an individual has:
a. primary responsibility for significant accounting functions that support material
components of the financial statements;
b. primary responsibility for the preparation of the financial statements; or
c. the ability to exercise influence over the contents of the financial statements, including
when the individual is a member of the board of directors or similar governing body,
chief executive officer, president, chief financial officer, chief operating officer, general
counsel, chief accounting officer, controller, director of internal audit, director of
financial reporting, treasurer, or any equivalent position.
For purposes of attest engagements not involving financial statements, a key position is one
in which an individual is primarily responsible for, or able to influence, the subject matter of
the attest engagement.
3121.23 Manager. A manager is a professional employee of the firm who has responsibility for the
planning and supervision of engagements for specified clients.
3121.24 Member(s) in business. A member in business is a member employed or engaged on a
contractual or volunteer basis in an executive, staff, governance, advisory, or administrative
capacity in such areas as industry, the public sector, education, the not‐for‐profit sector, or
regulatory or professional bodies. This does not include a member while engaged in public
practice.
3121.25 Office. An office is a reasonably distinct subgroup within a firm, whether constituted by
formal organization or informal practice, where personnel who make up the subgroup
generally serve the same group of clients or work on the same categories of matters.
Substance should govern the office classification. For example, the expected regular
personnel interactions and assigned reporting channels of an individual may well be more
important than an individual’s physical location.
3121.26 Partner. A partner is a proprietor, shareholder, equity or non‐equity partner, or any
individual who assumes the risks and benefits of firm ownership or who is otherwise held
out by the firm to be the equivalent of any of the aforementioned.
3121.27 Partner equivalent. A partner equivalent is a professional employee who is not a partner of
the firm, but who:
a. has the authority to bind the firm to conduct an attest engagement without partner
approval; or
b. has the ultimate responsibility for the conduct of an attest engagement, including the
authority to sign or affix the firm’s name to an attest report or issue, or authorize others
to issue, an attest report on behalf of the firm without partner approval.
3121.28 Period of the professional engagement. The period of the professional engagement begins
when a member either signs an initial engagement letter or other agreement to perform
attest services or begins to perform an attest engagement, whichever is earlier. The period
lasts for the entire duration of the professional relationship, which could cover many
periods, and ends with the formal or informal notification, either by the member or client, of
the termination of the professional relationship or by the issuance of a report, whichever is
later. Accordingly, the period does not end with the issuance of a report and recommence
with the beginning of the following year’s attest engagement.
3121.29 Public interest entities. Public interest entities are all of the following:
a. All listed entities, including entities that are outside the United States whose shares,
stock, or debt are quoted or listed on a recognized stock exchange or marketed under
the regulations of a recognized stock exchange or other equivalent body
b. Any entity for which an audit is required by regulation or legislation to be conducted in
compliance with the same independence requirements that apply to an audit of listed
entities (for example, requirements of the SEC, the PCAOB, or other similar regulators or
standard setters)
Members may wish to consider whether additional entities should also be treated as public
interest entities because they have a large number and wide range of stakeholders. Factors
to be considered may include the nature of the business, such as the holding of assets in a
fiduciary capacity for a large number of stakeholders; size; and number of employees.
3121.30 Integrity and Objectivity Rule (ET 1.100.001 and 2.100.001): “In the performance of any
professional service, a member shall maintain objectivity and integrity, shall be free of
conflicts of interest, and shall not knowingly misrepresent facts or subordinate his or her
judgment to others.”
a. In the absence of an interpretation of the “Integrity and Objectivity Rule” that addresses
a particular relationship or circumstance, a member should apply the “Conceptual
Framework for Members in Public Practice” (ET 1.000.010 and 2.000.010).
A member would be considered in violation of the “Integrity and Objectivity Rule” if the
member cannot demonstrate that safeguards were applied to eliminate or reduce
significant threats to an acceptable level.
A member should consider the guidance in “Ethical Conflicts” (ET 1.000.020 and
2.000.020) when addressing ethical conflicts that may arise when the member
encounters obstacles to following an appropriate course of action.
b. Conflicts of interest may occur if a member performs a professional service for a client
or employer, and the member or the member’s firm has a relationship with another
person, entity, product, or service that could be viewed as impairing the member’s
objectivity. If the member believes the professional service can be performed with
objectivity, and if the relationship is disclosed to and consent is obtained from the client,
employer, or other appropriate parties, the rule shall not operate to prohibit
performance of the professional service.
c. Before accepting a new client, engagement, or business relationship, a member should
take reasonable steps to identify circumstances that might create a conflict of interest
including identification of the nature of the relevant interests and relationships between
the parties involved and the nature of the service and its implication for relevant
parties.
d. Subordination of judgment by a member (ET 1.130.020 and 2.130.020):
The “Integrity and Objectivity Rule” prohibits a member from knowingly
misrepresenting facts or subordinating his or her judgment when performing
professional services for a client, for an employer or on a volunteer basis.
A member should evaluate the significance of any threats to determine if they are at an
acceptable level. Threats are at an acceptable level if the member concludes that the
position taken does not result in a material misrepresentation of fact or a violation of
applicable laws or regulations.
If threats are not at an acceptable level:
(1) the member should first discuss his or her concerns with the supervisor.
(2) the member should then discuss his or her concerns with the appropriate higher
level of management in the member’s organization.
(3) the member should determine whether the organizations’ internal policies and
procedures have any additional requirements for reporting differences of opinion.
(4) the member should determine whether he or she is responsible for communicating
to third parties.
(5) the member should consult with his or her counsel regarding the member’s
responsibilities.
(6) the member should document his or her understanding of the facts, the accounting
principles, auditing standards, or other relevant professional standards or
applicable laws or regulations and the conversations and parties with whom these
matters were discussed.
If the member concludes that no safeguards can eliminate or reduce the threats to an
acceptable level or appropriate action was not taken, then the member should consider
taking steps to eliminate his or her exposure to subordination of judgment.
e. Professional services regarding client advocacy (ET 1.140.010 and 2.140.010):
An advocacy threat to compliance with the “Integrity and Objectivity Rule” may be
requested by a client to perform tax and consulting services that involve acting as an
advocate for a client, or to support a client’s position on accounting or financial
reporting issues, either within the firm or outside the firm with standard setters,
regulators, or others.
Services provided or actions taken pursuant to such types of client requests are
professional services. There is a possibility that some requested professional services
involving client advocacy may appear to stretch the bounds of performance standards,
go beyond sound and reasonable professional practice, or compromise credibility. The
services may pose an unacceptable risk of impairing the reputation of the member and
the firm with respect to independence and integrity. In such circumstances, the member
and the member’s firm should consider whether it is appropriate to perform the
services.
3121.31 Independence Rule (ET 1.200.001)
A member in public practice shall be independent in the performance of professional
services as required by standards promulgated by bodies designated by the AICPA Council.
a. In the absence of an interpretation of the Independence Rule that addresses a particular
relationship or circumstance, a member should apply the “Conceptual Framework for
Independence” interpretation (ET 1.210.010).
b. A member is considered in violation of the rule if the member cannot demonstrate that
safeguards were applied that eliminated or reduced significant threats to an acceptable
level.
c. A member should consider the guidance in “Ethical Conflicts” (ET 1.000.020) when
addressing ethical conflicts that may arise when the member encounters obstacles to
following an appropriate course of action.
3121.32 It is impossible to enumerate all circumstances in which the appearance of independence
might be questioned. In the absence of an independence interpretation or ruling that
addresses a particular circumstance, a member should evaluate whether that circumstance
would lead a reasonable and informed third party who is aware of all the relevant facts to
conclude that there is a threat to the member’s and the firm’s independence, or both, that is
not at an acceptable level. When making that evaluation, a member should apply the
conceptual framework approach to analyze independence matters and to gain a better
understanding of the conclusions reached in other interpretations.
The code specifies that in some circumstances no safeguards can reduce an independence
threat to an acceptable level.
3121.33 The conceptual framework approach entails identifying threats and evaluating the threat
that the member would not be independent or would be perceived by a reasonable and
informed third party who is aware of the relevant information as not being independent. The
“Conceptual Framework” is for members in public practice and members in business.
Members in both public practice and in business may be involved in various relationships
and circumstances that create threats to the member’s compliance with the rules, not just
independence.
3121.34 When the member applies safeguards to eliminate or reduce significant threats to an
acceptable level, the member should document the identified threats and safeguards
applied. Failure to document the threats and safeguards would be considered a violation of
the “Compliance with Standards Rule” (ET 1.310.001 and 2.310.001).
3121.35 Many different relationships or circumstances can create threats. It is impossible to identify
every relationship or circumstance. Following are examples of threats associated with a
specific relationship or circumstance:
a. Adverse interest threat is a threat that a member will not act with objectivity because
the member’s interests are in opposition to the interests of an attest client. The adverse
interest threat applies to members in public practice and members in business.
b. Advocacy threat is a threat that a member will promote an attest client’s interests or
position to the point that his or her independence is compromised. The advocacy threat
applies to members in public practice and members in business.
c. Familiarity threat is a threat that, because of a long or close relationship with an attest
client, a member will become too sympathetic to the client’s interests or too accepting
of the client’s work or product. The familiarity threat applies to members in public
practice and members in business.
d. Management participation threat is the threat that a member will take on the role of
attest client management or otherwise assume management responsibilities. The
management participation threat is only associated with the members in public practice.
e. Self‐interest threat is the threat that a member could benefit, financially or otherwise,
from an interest in, or relationship with, an attest client or persons associated with the
client. The self‐interest threat applies to members in public practice and members in
business.
f. Self‐review threat is the threat that a member will not appropriately evaluate the
results of a previous judgment made or service performed or supervised by the member
or an individual in the member’s firm, and that the member will rely on that service in
forming a judgment as part of an attest engagement. The self‐review threat applies to
members in public practice and members in business.
g. Undue influence threat is the threat that a member will subordinate his or her
judgment to that of an individual associated with an attest client or any relevant third
party due to that individual’s reputation or expertise, aggressive or dominant
personality, or attempts to coerce or exercise excessive influence over the member. The
undue influence threat applies to members in public practice and members in business.
3121.36 Safeguards may partially or completely eliminate a threat or diminish the potential influence
of a threat. The nature and extent of the safeguards applied will depend on many factors,
including the size of the firm and whether the attest client is a public interest entity. The
safeguards apply to members in public practice and members in business.
3121.37 Family Relationships with Attest Clients (ET 1.270)
Except as stated below, a covered member’s immediate family is subject to the
Independence Rule (ET 1.200.001), and its interpretations and rulings. The exceptions are
that independence would not be considered to be impaired solely as a result of the following
interpretations:
a. “Immediate Family Member Is Employed by the Attest Client” (ET 1.270.020)
b. “Immediate Family Member Participation in an Employee Benefit Plan That Is an Attest
Client or Is Sponsored by an Attest Client (Other Than Certain Share‐Based
Arrangements or Nonqualified Deferred Compensation Plans)” (ET 1.270.030)
c. “Immediate Family Member Participation in an Employee Benefit Plan With Financial
Interests in an Attest Client” (ET 1.270.040)
d. “Immediate Family Member Participation in Share‐Based Compensation Arrangements
Resulting in Beneficially Owned Financial Interests in Attest Clients” (ET 1.270.050)
e. “Immediate Family Member Participation in Share‐Based Compensation Arrangements
Resulting in Rights to Acquire Shares in an Attest Client” (ET 1.270.060)
f. “Immediate Family Member Participation in Share‐Based Compensation Arrangements
Based Upon Stock Appreciation” (ET 1.270.070)
g. “Immediate Family Member Participation in a Nonqualified Deferred Compensation
Plan” (ET 1.270.080)
3121.38 An immediate family member of a covered member may hold a direct financial interest or
material indirect financial interest in an attest client through participation in a plan, provided
that:
a. the covered member neither participates on the attest engagement team nor is in a
position to influence the attest engagement;
b. such investment is an unavoidable consequence of such participation; and
c. in the event that a plan option to invest in a nonattest client becomes available, the
immediate family member selects such option and disposes of any direct or material
indirect financial interests in the attest client as soon as practicable but no later than 30
days after such option becomes available.
3121.39 As a result of his or her permitted employment, an immediate family member of a covered
member may participate in a share‐based compensation arrangement, such as an employee
stock ownership plan (ESOP), that results in his or her holding a beneficial financial interest
in an attest client, provided that:
a. the immediate family member does not serve in a key position for the attest client, as
discussed in the “Immediate Family Member Is Employed by the Attest Client”
interpretation (ET 1.270.020) of the Independence Rule (ET 1.200.001).
b. the covered member neither participates on the attest engagement team nor is in a
position to influence the attest engagement.
c. the immediate family member does not serve as a trustee for the share‐based
compensation arrangement and does not have the ability to supervise or participate in
the selection of the investment options, if any, that are available to plan participants.
d. when the financial interests that are beneficially owned are distributed or the
immediate family member has the right to dispose of the financial interests, the
immediate family member is required to do one of the following:
(1) Dispose of the financial interests as soon as practicable, but no later than 30 days
after he or she has the right to dispose of the financial interests.
(2) Exercise his or her put option to require the employer to repurchase the beneficial
financial interests as soon as permitted by the terms of the share‐based
compensation arrangement. Any repurchase obligation due to the immediate
family member arising from exercise of the put option that is outstanding for more
than 30 days would need to be immaterial to the covered member during the
payout period.
e. Benefits payable from the share‐based compensation arrangement to the immediate
family member upon termination of employment, whether through retirement, death,
disability, or voluntary or involuntary termination, are funded by investment options
other than the employer’s financial interests, and any unfunded benefits payable are
immaterial to the covered member at all times during the payout period.
3121.40 As a result of his or her permitted employment, an immediate family member of a covered
member may participate in a share‐based compensation arrangement resulting in a right to
acquire shares in an attest client, such as an employee stock option plan or restricted stock
rights plan, provided that:
a. the immediate family member does not serve in a key position for the attest client, as
discussed in the “Immediate Family Member Is Employed by the Attest Client”
interpretation (ET 1.270.020) of the Independence Rule (ET 1.200.001).
b. the covered member neither participates on the attest engagement team nor is in a
position to influence the attest engagement.
c. the immediate family member exercises or forfeits these rights once he or she is vested
and the closing market price of the underlying stock equals or exceeds the exercise price
for 10 consecutive days (market period). The exercise or forfeiture should occur as soon
as practicable but no later than 30 days after the end of the market period. In addition,
if the immediate family member exercises his or her right to acquire the shares, he or
she should dispose of the shares as soon as practicable but no later than 30 days after
the exercise date. If the employer repurchases the shares, any employer repurchase
obligation due to the immediate family member that is outstanding for more than 30
days would need to be immaterial to the covered member during the payout period.
3121.41 As a result of his or her permitted employment, an immediate family member of a covered
member may participate in a share‐based compensation arrangement based on the
appreciation of an attest client's underlying shares, provided that:
a. the immediate family member does not serve in a key position for the attest client, as
discussed in the “Immediate Family Member Is Employed by the Attest Client”
interpretation (ET 1.270.020) of the Independence Rule (ET 1.200.001).
b. the share‐based compensation arrangement (for example, a stock appreciation or
phantom stock plan) does not provide for the issuance of rights to acquire the
employer's financial interests.
c. the covered member neither participates on the attest engagement team nor is in a
position to influence the attest engagement.
d. the immediate family member exercises or forfeits his or her vested compensation
rights if the underlying price of the employer's shares equals or exceeds the exercise
price for 10 consecutive days (market period). Exercise or forfeiture should occur as
soon as practicable but no later than 30 days after the end of the market period.
e. any resulting compensation payable to the immediate family member that is
outstanding for more than 30 days is immaterial to the covered member during the
payout period.
3121.42 As a result of his or her permitted employment at an attest client, an immediate family
member of a covered member may participate in a nonqualified deferred compensation
plan, provided that:
a. the immediate family member does not serve in a key position for the attest client, as
discussed in the “Immediate Family Member Is Employed by the Attest Client”
interpretation (ET 1.270.020) of the Independence Rule (ET 1.200.001).
b. the covered member neither participates on the attest engagement team nor is in a
position to influence the attest engagement.
c. the amount of the deferred compensation payable to the immediate family member is
funded through life insurance, an annuity, a trust, or similar vehicle and any unfunded
portion is immaterial to the covered member.
d. any funding of the deferred compensation does not include financial interests in the
attest client.
3121.43 Close Relatives (ET 1.270.100)
Independence would be considered impaired if:
a. an individual participating on the attest engagement team has a close relative who had:
(1) a key position with the client or
(2) a financial interest in the client that:
(a) the individual knows or has reason to believe was material to the close relative
or
(b) enabled the close relative to exercise significant influence over the client.
b. an individual in a position to influence the attest engagement or any partner or partner
equivalent in the office in which the lead attest engagement partner or partner
equivalent primarily practices in connection with the attest engagement has a close
relative who had:
(1) a key position with the client or
(2) a financial interest in the client that:
(a) the individual or partner knows or has reason to believe was material to the
close relative and
(b) enabled the close relative to exercise significant influence over the client.
3121.44 Employment relationships of a covered member’s immediate family and close relatives with
an existing attest client that impair independence under this interpretation and that existed
as of November 2001 will not be deemed to impair independence provided such
relationships were permitted under preexisting requirements, interpretations, and rulings of
the Independence Rule (ET 1.200.001).
3121.45 It is impossible to enumerate all circumstances in which the appearance of independence
might be questioned. In the absence of an independence interpretation that addresses a
particular circumstance, a member should evaluate whether that circumstance would lead a
reasonable person aware of all the relevant facts to conclude that there is an unacceptable
threat to the member’s and the firm’s independence. When making that evaluation,
members should refer to the risk‐based approach described in the Conceptual Framework
for AICPA Independence Standards.
3121.46 If threats to independence are at an unacceptable level, safeguards should be applied to
eliminate the threats or reduce them to an acceptable level. The threats identified and the
safeguards applied to eliminate the threats or reduce them to an acceptable level should be
documented.
3121.47 Simultaneous Employment or Association with Attest Client (ET 1.275.005)
Simultaneous employment or association with an attest client is when an auditor is serving
as a director, an officer, an employee, a promoter, an underwriter, a voting trustee, or a
trustee for any pension or profit‐sharing trust, or serving in any capacity equivalent to that
of a member of management of an attest client during the period covered by the financial
statements or the professional engagement.
If the partner or professional employee of the member’s firm is considered a simultaneous
employee or associated with the attest client, the Independence Rule would not be at an
acceptable level and cannot be reduced to an acceptable level. Therefore, independence
would be impaired.
3121.48 Honorary Director or Trustee of Not‐for‐Profit Organization (ET 1.275.010)
Partners or professional employees of a firm (individual) may be asked to lend the prestige
of their names to not‐for‐profit organizations that limit their activities to those of a
charitable, religious, civic, or similar nature by being named as a director or a trustee. An
individual who permits his or her name to be used in this manner would not be considered
to impair independence under the Independence Rule provided his or her position is clearly
honorary, and he or she cannot vote or otherwise participate in board or management
functions. If the individual is named in letterheads and externally circulated materials, he or
she must be identified as an honorary director or honorary trustee.
3121.49 If the following safeguards are met, independence would not be impaired and threats would
be at an acceptable level:
a. The position is clearly honorary and the individual holds the position in name only.
b. The individual cannot vote or otherwise participate in board or management
responsibilities.
c. If the individual is named in letterheads and externally circulated materials, the
individual is identified as an honorary director or honorary trustee.
3121.50 Nonattest Services (ET 1.295.010)
a. Before the member or his or her firm (“member”) performs nonattest services (for
example, tax or consulting services) for an attest client, the member should determine
that the requirements of the Independence Rule. In cases where the requirements have
not been met during the period of the professional engagement or the period covered
by the financial statements, the member’s independence would be impaired.
b. This interpretation requires compliance with independence regulations of authoritative
regulatory bodies. Failure to comply with the nonattest services provisions contained in
the independence rules of the applicable regulatory body that are more restrictive than
the provisions of this interpretation would constitute a violation of this interpretation.
c. If the following conditions exist, the member’s independence would not be impaired in
a nonattest service during the period covered by the financial statements:
(1) The nonattest services were provided prior to period of the professional
engagement.
(2) The nonattest services related to periods prior to the period covered by the
financial statements.
(3) The financial statements for the period to which the nonattest services relate were
audited by another firm.
d. The following are communications that would involve the member and the client’s
management:
(1) The client’s selection and application of accounting standards or policies and
financial statement disclosure requirements
(2) The appropriateness of the client’s methods used in determining accounting and
financial reporting
(3) Adjusting journal entries that the member has prepared or proposed for client
management consideration
(4) The form or content of the financial statements
These communications are considered a normal part of the attest engagement and are
not considered nonattest services subject to the “General Requirements for Performing
Nonattest Services” (ET 1.295.040) and “Documentation Requirements When Providing
Nonattest Services” (ET 1.295.050) interpretations.
e. Activities such as financial statement preparation, cash to accrual conversions, and
reconciliations are considered outside the scope of the attest engagement. Therefore,
this would be considered a nonattest service. These services would not impair
independence under the interpretations of the “Nonattest Services” subtopic.
3121.51 Appraisal, Valuation, and Actuarial Services (ET 1.295.110)
a. Independence would be impaired if a member performs an appraisal, valuation, or
actuarial service for an attest client where the results of the service, individually or in
the aggregate, would be material to the financial statements and the appraisal,
valuation, or actuarial service involves a significant degree of subjectivity.
b. Threats to compliance with the Independence Rule (ET 1.200.001) would not be at an
acceptable level and could not be reduced to an acceptable level by the application of
safeguards if the member performs an appraisal, a valuation, or an actuarial service for
an attest client when (a) the services involve a significant degree of subjectivity and (b)
the results of the service, individually or when combined with other valuation, appraisal,
or actuarial services, are material to the attest client’s financial statements. Accordingly,
independence would be impaired under these circumstances.
c. Threats would be at an acceptable level if a member provided appraisal, valuation, or
actuarial services solely for nonfinancial statement purposes. Some examples are
appraisal, valuation, and actuarial services performed for tax planning or tax
compliance, estate and gift taxation, and divorce proceedings. Accordingly,
independence would not be impaired.
3121.52 Forensic Accounting (ET 1.295.140)
For purposes of this interpretation, forensic accounting services are nonattest services that
involve the application of special skills in accounting, auditing, finance, quantitative methods
and certain areas of the law, and research, and investigative skills to collect, analyze, and
evaluate evidential matter and to interpret and communicate findings. Forensic services
consist of litigation services and investigative services.
Litigation services recognize the role of the member as an expert or consultant and consist
of providing assistance for actual or potential legal or regulatory proceedings before a trier
of fact in connection with the resolution of disputes between parties. Litigation services
consist of the following services:
a. Expert witness services are those litigation services where a member is engaged to
render an opinion before a trier of fact as to the matter(s) in dispute based on the
member’s expertise, rather than his or her direct knowledge of the disputed facts or
events.
(1) Expert witness services create the appearance that a member is advocating or
promoting a client’s position. Accordingly, if a member conditionally or
unconditionally agrees to provide expert witness testimony for a client,
independence would be considered to be impaired.
(2) However, independence would not be considered impaired if a member provides
expert witness services for a large group of plaintiffs or defendants that includes
one or more attest clients of the firm provided that at the outset of the
engagement (1) the member’s attest clients constitute less than 20% of (i) the
members of the group, (ii) the voting interests of the group, and (iii) the claim; (2)
no attest client within the group is designated as the “lead” plaintiff or defendant of
the group; and (3) no attest client has the sole decision‐making power to select or
approve the expert witness.
(3) While testifying as a fact witness, a member may be questioned by the trier of fact
or counsel as to his or her opinions pertaining to matters within the member’s area
of expertise. Answering such questions would not impair the member’s
independence.
b. Litigation consulting services are those litigation services where a member provides
advice about the facts, issues, and strategy of a matter. The consultant does not testify
as an expert witness before a trier of fact.
The performance of litigation consulting services would not impair independence
provided the member complies with the general requirements set forth under this
interpretation. However, if the member subsequently agrees to serve as an expert
witness, independence would be considered to be impaired.
c. Other services are those litigation services where a member serves as a trier of fact,
special master, court‐appointed expert, or arbitrator (including serving on an arbitration
panel) in a matter involving a client. These other services create the appearance that the
member is not independent. Accordingly, if a member serves in such a role,
independence would be considered to be impaired. However, independence would not
be considered impaired if a member serves as a mediator or any similar role in a matter
involving a client provided the member is not making any decisions on behalf of the
parties, but rather is acting as a facilitator by assisting the parties in reaching their own
agreement.
Investigative services include all forensic services not involving actual or threatened
litigation such as performing analyses or investigations that may require the same skills
as used in litigation services. Such services would not impair independence provided the
member complies with the general requirements set forth under this interpretation.
3121.53 Internal Audit Assistance Services (ET 1.295.150)
a. Internal audit services involve assisting the client in the performance of its internal audit
activities, sometimes referred to as “internal audit outsourcing.” In evaluating whether
independence would be impaired with respect to an attest client, the nature of the
service needs to be considered.
b. The attest client’s management is responsible for directing the internal audit function,
including the management thereof. Such responsibilities include, but are not limited to,
designing, implementing, and maintaining internal control. Threats to compliance with
the Independence Rule would not be at an acceptable level and cannot be reduced to
an acceptable level by the application of safeguards, and independence would be
impaired if the attest client outsources the internal audit function to the member,
whereby the member, in effect, manages the attest client’s internal audit activities.
However, except for the outsourcing services discussed in in this paragraph, threats to
compliance with the Independence Rule would be at an acceptable level and
independence would not be impaired if the member assists the attest client in
performing financial and operational internal audit activities, provided that, in addition
to the “General Requirements for Performing Nonattest Services” interpretation (ET
1.295.040) of the Independence Rule, the member is satisfied that management:
(1) designates an individual or individuals who possess suitable skills, knowledge,
and/or experience, preferably within senior management, to be responsible for the
internal audit function;
(2) determines the scope, risk, and frequency of internal audit activities, including
those to be performed by the member providing internal audit assistance services;
(3) evaluates the findings and results arising from the internal audit activities, including
those performed by the member providing internal audit assistance services; and
(4) evaluates the adequacy of the audit procedures performed and the findings
resulting from the performance of those procedures by, among other things,
obtaining reports from the member.
The member should also be satisfied that the client’s board of directors, audit
committee, or other governing body is informed about the member’s and
management's respective roles and responsibilities in connection with the engagement.
Such information should provide the client's governing body a basis for developing
guidelines for management and the member to follow in carrying out these
responsibilities and monitoring how well the respective responsibilities have been met.
The member is responsible for performing the internal audit procedures in accordance
with the terms of the engagement and reporting thereon. The performance of such
procedures should be directed, reviewed, and supervised by the member. The report
should include information that allows the individual responsible for the internal audit
function to evaluate the adequacy of the audit procedures performed and the findings
resulting from the performance of those procedures. This report may include
recommendations for improvements in systems, processes, and procedures. The
member may assist the individual responsible for the internal audit function in
performing preliminary audit risk assessments, preparing audit plans, and
recommending audit priorities. However, the member should not undertake any
responsibilities that are required, as described above, to be performed by the individual
responsible for the internal audit function.
d. The following are examples of activities that, if performed as part of an internal audit
assistance engagement, would impair independence:
(1) Performing ongoing monitoring activities or control activities (for example,
reviewing loan originations as part of the client’s approval process or reviewing
customer credit information as part of the customer’s sales authorization process)
that affect the execution of transactions or ensure that transactions are properly
executed, accounted for, or both, and performing routine activities in connection
with the client’s operating or production processes that are equivalent to those of
an ongoing compliance or quality control function
(2) Determining which, if any, recommendations for improving the internal control
system should be implemented
(3) Reporting to the board of directors or audit committee on behalf of management or
the individual responsible for the internal audit function
(4) Approving or being responsible for the overall internal audit work plan, including
the determination of the internal audit risk and scope, project priorities, and
frequency of performance of audit procedures
(5) Being connected with the client as an employee or in any capacity equivalent to a
member of client management (for example, being listed as an employee in client
directories or other client publications, permitting himself or herself to be referred
to by title or description as supervising or being in charge of the client’s internal
audit function, or using the client’s letterhead or internal correspondence forms in
communications)
The foregoing list is not intended to be all‐inclusive.
e. Services involving an extension of the procedures that are generally of the type
considered to be extensions of the member’s audit scope applied in the audit of the
client’s financial statements, such as confirming of accounts receivable and analyzing
fluctuations in account balances, are not considered internal audit assistance services
and would not impair independence even if the extent of such testing exceeds that
required by generally accepted auditing standards. In addition, engagements performed
under the attestation standards would not be considered internal audit assistance
services and therefore would not impair independence.
3121.54 Tax Services (ET 1.295.160)
Tax compliance services addressed by this interpretation are preparation of a tax return,
transmittal of a tax return and transmittal of any related tax payment to the taxing authority,
signing and filing a tax return, and authorized representation of clients in administrative
proceedings before a taxing authority.
a. Preparing a tax return and transmitting the tax return and related tax payment to a
taxing authority, in paper or electronic form, would not impair a member’s
independence provided the member does not have custody or control over the client’s
funds and the individual designated by the client to oversee the tax services:
(1) reviews and approves the tax return and related tax payment and
(2) if required for filing, signs the tax return prior to the member transmitting the
return to the taxing authority.
b. Signing and filing a tax return on behalf of client management would impair
independence, unless the member has the legal authority to do so and:
(1) the taxing authority has prescribed procedures in place for a client to permit a
member to sign and file a tax return on behalf of the client (for example, IRS Form
8879 or 8453) and such procedures meet, at the minimum, standards for electronic
return originators and officers outlined in IRS Form 8879; or
(2) an individual in client management who is authorized to sign and file the client’s tax
return provides the member with a signed statement that clearly identifies the
return being filed and represents that:
(a) such individual is authorized to sign and file the tax return;
(b) such individual has reviewed the tax return, including accompanying schedules
and statements, and it is true, correct, and complete to the best of his or her
knowledge and belief; and
(c) such individual authorizes the member or another named individual in the
member’s firm to sign and file the tax return on behalf of the client.
c. Authorized representation of a client in administrative proceedings before a taxing
authority would not impair a member’s independence provided the member obtains
client agreement prior to committing the client to a specific resolution with the taxing
authority. However, representing a client in a court to resolve a tax dispute would
impair a member’s independence.
d. When a member has an attest client’s power of attorney, the self‐review, management
participation, and advocacy threats to the covered member’s compliance with the
Independence Rule may exist. If the member applies the “General Requirements for
Performing Nonattest Services” interpretation (ET 1.295.040) of the Independence Rule,
threats would be at an acceptable level and independence would not be impaired,
provided that the member’s use of the power of attorney is limited strictly to tax
matters and the member does not bind the attest client to any agreement with a taxing
authority or other regulatory agency.
3121.55 General Standards Rule (ET 1.300.001 and 2.300.001): “A member shall comply with the
following standards and with any interpretations thereof by bodies designated by Council.”
a. Professional competence. “Undertake only those professional services that the member
or the member’s firm can reasonably expect to be completed with professional
competence.”
b. Due professional care. “Exercise due professional care in the performance of
professional services.”
c. Planning and supervision. “Adequately plan and supervise the performance of
professional services.”
d. Sufficient relevant data. “Obtain sufficient relevant data to afford a reasonable basis for
conclusions or recommendations in relation to any professional services performed.”
3121.56 Compliance with Standards Rule (ET 1.310.001 and 2.310.001): “A member who performs
auditing, review, compilation, management consulting, tax, or other professional services
shall comply with standards promulgated by bodies designated by Council.”
a. ET Appendix A lists AICPA Council resolutions designating bodies to promulgate
technical standards.
b. In the absence of an interpretation of the “Compliance with Standards Rule” (ET
1.310.001) that addresses a particular relationship or circumstance, a member should
apply the “Conceptual Framework for Members in Public Practice” (ET 1.000.010).
3121.57 Accounting Principles Rule (ET 1.320.001 and 2.320.001): “A member shall not (1) express
an opinion...that financial statements or other financial data are presented in accordance
with generally accepted accounting principles...if such statements contain a departure from
an accounting principle promulgated by bodies designated by Council to establish such
principles that has a material effect on the statement or data taken as a whole.”
a. In the absence of an interpretation of the “Accounting Principles Rule” that addresses a
particular relationship or circumstance, a member should apply the “Conceptual
Framework for Members in Public Practice.”
b. A member would be considered in violation of the “Accounting Principles Rule” if the
member cannot demonstrate that safeguards were applied that eliminated or reduced
significant threats to an acceptable level.
c. A member should consider the guidance in “Ethical Conflicts” when addressing ethical
conflicts that may arise when the member encounters obstacles to following an
appropriate course of action. Such obstacles may be due to internal or external
pressures or to conflicts in applying relevant professional or legal standards, or both.
d. The “Accounting Principles Rule” recognizes that GAAP is presumably correct in nearly
all instances of recording financial statements. There are instances of unusual
circumstances that may make the financial statements misleading when applying GAAP,
and in these instances, the proper accounting treatment that will not render the
financial statements misleading is what should be applied.
e. The “Accounting Principle Rule” does not prevent a member from preparing or
reporting on financial statements that have been prepared pursuant to financial
reporting frameworks other than GAAP, such as:
(1) financial reporting frameworks generally accepted in another country, including
jurisdictional variations of International Financial Reporting Standards (IFRS) such
that the entity’s financial statements do not meet the requirements for full
compliance with IFRS;
(2) financial reporting frameworks prescribed by an agreement or a contract; or
(3) an other comprehensive basis of accounting, including statutory financial reporting
provisions required by law or a U.S. or foreign governmental regulatory body to
whose jurisdiction the entity is subject.
f. The financial statements should not purport that the financial statements are in
accordance with GAAP, and the financial statements should make clear the financial
reporting framework(s) used.
3121.58 Acts Discreditable Rule (ET 1.400.001, 2.400.001, and 3.400.001): “A member shall not
commit an act discreditable to the profession.”
a. Response to requests by clients and former clients for records
(1) The following terms are defined solely for use with this interpretation:
(a) The term “client” includes current and former clients.
(b) Client‐provided records are accounting or other records belonging to the client
that were provided to the member by or on behalf of the client, including
hardcopy or electronic reproductions of such records.
(c) Member‐prepared records are accounting or other records that the member
was not specifically engaged to prepare and that are not in the client’s books
and records or are otherwise not available to the client with the result that the
client’s financial information is incomplete. For example, member‐prepared
records include adjusting, closing, combining, or consolidating journal entries
(including computations supporting such entries) and supporting schedules and
documents that are proposed or prepared by the member as part of an
engagement (for example, an audit).
(d) Member’s work products are deliverables as set forth in the terms of the
engagement, such as tax returns.
(e) Member’s working papers are all other items prepared solely for purposes of
the engagement and include items prepared by:
i. the member, such as audit programs, analytical review schedules, and
statistical sampling results and analyses, and
ii. the client, at the request of the member and reflecting testing or other
work done by the member.
(2) When a client or former client (client) makes a request for member‐prepared
records, or a member’s work products that are in the custody or control of the
member or the member’s firm (member) that have not previously been provided to
the client, the member should respond to the client’s request as follows:
(a) Member‐prepared records relating to a completed and issued work product
should be provided to the client, except that such records may be withheld if
there are fees due to the member for the specific work product.
(b) Member’s work products should be provided to the client, except that such
work products may be withheld if there are fees due, if the work product is
incomplete, for purposes of complying with professional standards, or if
threatened or outstanding litigation exists concerning the engagement or
member’s work.
(3) Once the member has complied with these requirements, he or she is under no
ethical obligation to comply with any subsequent requests to again provide such
records or copies of such records. However, if subsequent to complying with a
request, a client experiences a loss of records due to a natural disaster or an act of
war, the member should comply with an additional request to provide such records.
(4) Member’s working papers are the member’s property and need not be provided to
the client under provisions of this interpretation; however, such requirements may
be imposed by state and federal statutes and regulations, and contractual
agreements.
(5) In connection with any request for client‐provided records, member‐prepared
records, or a member’s work products, the member may:
(a) charge the client a reasonable fee for the time and expense incurred to retrieve
and copy such records and require that such fee be paid prior to the time such
records are provided to the client;
(b) provide the requested records in any format usable by the client; and
(c) make and retain copies of any records returned or provided to the client.
(6) The member is not required to convert records that are not in electronic format to
electronic format or to convert electronic records into a different type of electronic
format. If the client requests records in a specific format and the records are
available in that format, the client’s request should be honored.
(7) Where a member is required to return or provide records to the client, the member
should comply with the client’s request as soon as practicable but, absent
extenuating circumstances, no later than 45 days after the request is made. The fact
that the statutes of the state in which the member practices grant the member a
lien on certain records in his or her custody or control does not relieve the member
of his or her obligation to comply with this interpretation.
b. Violating the antidiscrimination or harassment laws of the United States (or any state or
municipality) in hiring, promotion, or salary practices is an act discreditable to the
profession.
c. Failure to follow standards or procedures set forth in a government audit guide that
goes beyond GAAS is an act discreditable to the profession (unless the member
discloses in his or her report the fact that such requirements were not followed and the
reasons therefor).
d. A member shall be considered to have committed an act discreditable to the violation of
the “Acts Discreditable Rule” when, by virtue of negligence, such member does any of
the following:
(1) Makes or permits or directs another to make materially false and misleading entries
in the financial statements or records of an entity
(2) Fails to correct an entity’s financial statements that are materially false and
misleading when the member has the authority to record an entry
(3) Signs, or permits or directs another to sign, a document containing materially false
and misleading information
e. Failure to follow requirements of governmental bodies, commissions, or other
regulatory agencies (for example, the Securities and Exchange Commission, Federal
Communications Commission, state insurance commissions, and other regulatory
agencies such as the Public Company Accounting Oversight Board) in performing attest
or similar services is an act discreditable to the profession unless the member discloses
in the financial statements or the report, as applicable, that such requirements were not
followed and the reasons therefore.
If a member prepares financial statements or related information (for example,
management’s discussion and analysis) for purposes of reporting to such bodies,
commissions, or regulatory agencies, the member should follow the requirements of
such organizations in addition to generally accepted accounting principles (or other
applicable financial reporting framework, as relevant).
f. A member who solicits or knowingly discloses Uniform CPA Examination questions
and/or answers without the written authorization of the AICPA shall be considered to
have committed an act discreditable to the profession in violation of the “Acts
Discreditable Rule.”
g. A member who fails to comply with applicable federal, state, or local laws or regulations
regarding the timely filing of personal tax returns or tax returns of the member’s firm, or
timely remittance of all payroll and other taxes collected on behalf of others, may be
considered to have committed an act discreditable to the profession in violation of the
“Acts Discreditable Rule.”
h. Certain governmental bodies, commissions, or other regulatory agencies have
established requirements that prohibit entities subject to their regulation from including
certain types of indemnification and limitation of liability provisions in agreements for
the performance of audit or other attest services that are required by such regulators.
Often these requirements provide that the existence of such provisions causes a
member to be disqualified from providing such services to these entities. Examples are
federal banking regulators, state insurance commissions, and the Securities and
Exchange Commission, which have established such requirements.
(1) If a member enters into, directs, or knowingly permits another individual to enter
into a contract for the performance of audit or other attest services that are subject
to the requirements of these regulators, the member should not include, knowingly
permit, or direct another individual to include an indemnification or limitation of
liability provision that would cause the regulated entity of a member to be in
violation of such requirements or that would cause a member to be disqualified
from providing such services to the regulated entity.
(2) A member who enters into, directs, or knowingly permits another individual to
enter into such an agreement for the performance of audit or other attest services
that would cause the regulated entity or a member to be in violation of such
requirements, or that would cause a member to be disqualified from providing such
services to the regulated entity, would be considered to have committed an act
discreditable to the profession.
i. A member should maintain confidentiality of his or her employer’s or firm’s confidential
information and should not use or disclose any confidential employer information
obtained as a result of an employment relationship. This includes, but is not limited to,
any confidential information pertaining to a current or previous employer, subsidiary,
affiliate, or parent.
(1) A member should be alert to the possibility of inadvertent disclosure, particularly to
a close business associate or a close or immediate family member. Reasonable
steps should also be taken to ensure staff under his or her control or others within
the employing organization are aware of the confidential nature of the information.
(2) When a member changes employment, confidential employer information should
not be used for personal advantages or the advantage of a third party. The
requirement to maintain confidentiality of an employer’s confidential information
continues even after the end of the relationship between a member and the
employer. The member is allowed to use experience and expertise acquired
through prior employment.
(3) A member would be considered to have committed an act discreditable to the
profession if the member discloses or uses any confidential employer information
acquired as a result of employment or volunteer relationships without the proper
authority or specific consent of the employer or organization.
(4) A member may wish to consult with his or her legal counsel prior to disclosing, or
determining whether to disclose, confidential employer information.
j. A member in business who promotes or markets his or her abilities to provide
professional services or makes claims about his or her experience or qualifications in a
manner that is false, misleading, or deceptive will be considered to have committed an
act discreditable to the profession in violation of the “Acts Discreditable Rule.”
3121.59 Confidential Client Information Rule (ET 1.700.001): “A member in public practice shall not
disclose any confidential client information without the specific consent of the client.”
The rule does not:
a. relieve a member of his professional obligations under the “Compliance with Standards
Rule” and the “Accounting Principles Rule.”
b. affect in any way the member’s obligation to comply with a validly issued and
enforceable subpoena or summons, or to prohibit a member’s compliance with
applicable laws and government regulations.
c. prohibit review of a member’s professional practice under AICPA or state CPA society or
Board of Accountancy authorization.
d. preclude a member from initiating a complaint with, or responding to any inquiry made
by the professional ethics division or trial board of the AICPA, or a duly constituted
investigative or disciplinary body of a state CPA society or Board of Accountancy.
The confidential information rule allows the review of a practice in connection with a
prospective purchase or merger provided appropriate precautions are taken to ensure
confidentiality. Members reviewing a practice in connection with a prospective purchase or
merger shall not use to their advantage nor disclose any member’s confidential client
information that comes to their attention.
3121.60 Contingent Fees Rule (ET 1.510.001)
a. A member in public practice shall not:
(1) perform for a contingent fee any professional services for, or receive such a fee
from a client for whom the member or the member’s firm performs:
(a) an audit or review of a financial statement;
(b) a compilation of a financial statement when the member expects, or
reasonably might expect, that a third party will use the financial statement and
the member’s compilation report does not disclose a lack of independence; or
(c) an examination of prospective financial information; or
(2) prepare an original or amended tax return or claim for a tax refund for a contingent
fee for any client.
The prohibition in (1) above applies during the period in which the member or
member’s firm is engaged to perform any of the services listed above and the period
covered by any historical financial statements involved in any such listed services.
Except as stated in the next sentence, a contingent fee is a fee established for the
performance of any service pursuant to an arrangement in which no fee will be charged
unless a specific finding or result is attained, or in which the amount of the fee is
otherwise dependent upon the finding or result of such service. Solely for purposes of
this rule, fees are not regarded as being contingent if fixed by courts or other public
authorities, or, in tax matters, if determined based on the results of judicial proceedings
or the findings of governmental agencies.
A member’s fees may vary, for example, on the complexity of services rendered.
b. Definition of terms
(1) Preparation of an original or amended tax return or claim for tax refund includes
giving advice on events which have occurred at the time the advice is given if such
advice is directly relevant to determining the existence, character, or amount of a
schedule, entry, or other portion of a return or claim for refund.
(2) A fee is considered determined based on the findings of governmental agencies if
the member can demonstrate a reasonable expectation, at the time of a fee
arrangement, of substantive consideration by an agency with respect to the
member’s client. Such an expectation is deemed not reasonable in the case of
preparation of original tax returns.
c. Examples
(1) The following are examples, not all‐inclusive, of circumstances where a contingent
fee would be permitted:
(a) Representing a client in an examination by a revenue agent of the client’s
federal or state income tax return
(b) Filing an amended federal or state income tax return claiming a tax refund
based on a tax issue that is either the subject of a test case (involving a
different taxpayer) or with respect to which the taxing authority is developing a
position
(c) Filing an amended federal or state income tax return (or refund claim) claiming
a tax refund in an amount greater than the threshold for review by the Joint
Committee on Internal Revenue Taxation ($1 million at March 1991) or state
taxing authority
(d) Requesting a refund of either overpayments of interest or penalties charged to
a client’s account or deposits of taxes improperly accounted for by the federal
or state taxing authority in circumstances where the taxing authority has
established procedures for the substantive review of such refund requests
(e) Requesting, by means of “protest” or similar document, consideration by the
state or local taxing authority of a reduction in the “assessed value” of property
under an established taxing authority review process for hearing all taxpayer
arguments relating to assessed value
(f) Representing a client in connection with obtaining a private letter ruling or
influencing the drafting of a regulation or statute
(2) The following is an example of a circumstance where a contingent fee would not be
permitted:
Preparing an amended federal or state income tax return for a client claiming a
refund of taxes because a deduction was inadvertently omitted from the return
originally filed. There is no question as to the propriety of the deduction; rather, the
claim is filed to correct an omission.
3121.61 Advertising and Other Forms of Solicitation (ET 1.600.001): “A member in public practice
shall not seek to obtain clients by advertising or other forms of solicitation in a manner that is
false, misleading, or deceptive. Solicitation by the use of coercion, over‐reaching, or
harassing conduct is prohibited.”
a. False, misleading, or deceptive advertising includes activities that:
(1) create false or unjustified expectations of favorable results;
(2) imply the ability to influence a court, regulatory agency, etc.;
(3) contain a representation that specific professional services in current or in future
periods will be performed for a stated fee, estimated fee, or fee range when it was
likely at the time of the representation that such fees would be substantially
increased and the prospective client was not advised of that likelihood; or
(4) contain any other representations that would be likely to cause a reasonable person
to misunderstand or be deceived.
b. A member may render services to customers of a third party (e.g., bank) even if the
third party obtained the customers by advertising provided that such advertising is
within the bounds of the AICPA’s Code of Professional Conduct.
3121.62 Commissions and Referral Fees Rule (ET 1.520.001)
a. A member in public practice shall not for a commission recommend or refer to a client
any product or service, or for a commission recommend or refer any product or service
to be supplied by a client, or receive a commission when the member or the member’s
firm also performs for that client any of the following:
(1) An audit or review of a financial statement
(2) A compilation of a financial statement when the member expects, or reasonably
might expect, that a third party will use the financial statement, and the member’s
compilation report does not disclose a lack of independence
(3) An examination of prospective financial information
This prohibition applies during the period in which the member is engaged to perform
any of the services listed and the period covered by any historical financial statements
involved in such listed services.
b. A member in public practice who is not prohibited by this rule from performing services
for or receiving a commission and who is paid or expects to be paid a commission shall
disclose that fact to any person or entity to whom the member recommends or refers a
product or service to which the commission relates.
c. Any member who accepts a referral fee for recommending or referring any service of a
CPA to any person or entity or who pays a referral fee to obtain a client shall disclose
such acceptance or payment to the client.
3121.63 Form of Organization and Name Rule (ET 1.800.001): “A member may practice public
accounting only in a form of organization permitted by state law or regulation whose
characteristics conform to resolutions of Council.”
a. A member shall not practice public accounting under a firm name that is misleading.
b. Names of one or more past owners may be included in the firm name of a successor
organization.
c. A firm may not designate itself as “Members of the AICPA” unless all of its CPA owners
are members.
d. A member may own an interest in a separate business that performs for clients any
professional services of accounting, tax, personal financial planning, or litigation support
services or other services for which standards are promulgated by bodies designated by
the AICPA Council.
e. If the member, individually or collectively with the firm or with members of the firm,
does not control the separate business, the provisions of the Code of Professional
Conduct would apply to the member for their actions but not apply to the entity, its
other owners, and employees. For example, the entity could enter into a contingent fee
arrangement with an attest client of the member or accept commissions for the referral
of products or services to such attest clients.
3121.64 The AICPA Council Resolution Concerning the Form of Organization and Name Rule (the
Resolution, ET Appendix B) requires, among other things, that a majority (over 50%) of the
financial interests in a firm engaged in attest services (as defined therein) be owned by CPAs.
a. Any non‐CPA owner would have to be actively engaged as a member of the firm or its
affiliates. Ownership by investors or commercial enterprises not actively engaged as
members of the firm or its affiliates is against the public interest and continues to be
prohibited.
b. There must be a CPA who has ultimate responsibility for all the services described in the
Resolution, and non‐CPA owners could not assume ultimate responsibility for any such
services or engagements.
c. Non‐CPA owners would be permitted to use the title “principal,” “owner,” “officer,”
“member,” or “shareholder,” or any other title permitted by state law, but not hold
themselves out to be CPAs.
d. A member shall not knowingly permit a person, whom the member has the authority or
capacity to control, to carry out on his or her behalf, either with or without
compensation, acts which, if carried out by the member, would place the member in
violation of the rules. Further, a member may be held responsible for the acts of all
persons associated with him or her in public practice whom the member has the
authority or capacity to control.
e. Owners shall at all times own their equity in their own right and shall be the beneficial
owners of the equity capital ascribed to them. Provision would have to be made for the
ownership to be transferred, within a reasonable period of time, to the firm or to other
qualified owners if the owner ceases to be actively engaged in the firm or its affiliates.
f. Non‐CPA owners would not be eligible for regular membership in the AICPA.
g. If a member is engaged in public practice in a certified public accounting firm or
organization that does not perform:
(1) any audit or other engagement performed in accordance with the Statements on
Auditing Standards,
(2) any review of a financial statement performed in accordance with the Statements
on Standards for Accounting and Review Services, or
(3) any examination of prospective financial information performed in accordance with
the Statements on Standards for Attestation Engagements,
…but does perform compilations, then:
(a) there must be a CPA who has ultimate responsibility for any financial statement
compilation services provided by the firm and by each business unit performing
such compilation services and non‐CPA owners could not assume ultimate
responsibility for any such services.
(b) any compilation report must be signed individually by a CPA and may not be
signed in the name of the firm or organization.
h. The overriding focus of the Resolution is that CPAs remain responsible, financially and
otherwise, for the attest work performed to protect the public interest. The Resolution
contains many requirements that were developed to ensure that responsibility. In
addition to the provisions of the Resolution, other requirements of the Code of
Professional Conduct bylaws ensure that responsibility:
(1) Compliance with all aspects of applicable state law or regulation
(2) Enrollment in an AICPA‐approved practice monitoring program
(3) Compliance with the Independence Rule
(4) Compliance with applicable standards promulgated by Council‐designated bodies
and all other provisions of the Code of Professional Conduct
3121.65 Conceptual Framework: Overall for Members in Public Practice and Industry
Members in both public practice and in industry can face relationships and circumstances
that create threats to the ability to comply with any of the rules and interpretations in the
Code of Professional Conduct. The code cannot address all scenarios that may arise. A
member should always evaluate whether any relationship or circumstance would lead a
reasonable and informed third party who is aware of the relevant information to conclude
that there is a threat to the member’s compliance that is not at an acceptable level. When
making that evaluation, the member should apply the conceptual framework approach to
ensure (a) threats are identified, (b) threats are evaluated for severity, (c) safeguards are
identified, and (d) safeguards individually or in the aggregate appropriately eliminate or
mitigate risk posed by the threat(s). There are circumstances in which the code specifies that
no safeguards can reduce a threat to an acceptable level.
3122 Securities and Exchange Commission and Public Company Accounting
Oversight Board: Overview
Summary of Securities Act of 1933
3122.01 The objectives of the Securities Act of 1933 are as follows:
a. To provide information on securities offered for public sale
b. To prohibit misrepresentation or fraud in sales of securities generally
3122.02 The U.S. Securities and Exchange Commission (SEC) is interested in full and fair disclosure so
that the investor has an informed choice and that those associated with the registration
statement take responsibility for its accuracy.
3122.03 Firms offering securities for public sale, except those specifically exempted, must file a
registration statement with the SEC and provide the investor with a prospectus. Registration
forms require:
a. a description of the company’s properties and business,
b. a description of the security to be offered for sale,
c. information about the management of the company, and
d. financial statements audited by independent CPAs following GAAS and PCAOB Auditing
Standards.
3122.04 If a company meets an exemption in Regulation D, the securities can be sold without
registering with the SEC. The company must still file a “Form D” with the SEC after the first
sale of the securities.
a. Rule 504 of Regulation D provides an exemption from the registration requirements for
sales of up to $5 million in securities in any 12‐month period. These sales cannot be
advertised to the public, and the securities cannot be resold by the investors without
registration or an applicable exemption.
b. Rule 506 exempts securities if (1) the company does not use general solicitation or
advertising to market the securities; (2) unlimited “accredited investors” and up to 35
“non‐accredited investors” may purchase the securities, but the “non‐accredited
investors” must be sophisticated; (3) the company provides the same information to
“non‐accredited investors” that it provides to “accredited investors,” plus the
documents that would be required in a registered offering; (4) the company must be
available to answer questions by prospective purchasers; and (5) purchasers receive
“restricted” securities.
3122.05 Other exemptions include the following:
a. Private offerings to a limited number of persons or institutions who have access to the
kind of information registration would disclose and who do not propose to redistribute
the securities (sometimes called letter stock)
b. Offerings restricted to the residents of the state in which the issuing company is
organized and doing business
c. Securities of municipal, state, federal, and other governments; charitable institutions;
banks; and interstate commerce carriers
d. Offerings not in excess of a certain amount
e. Offerings of small business investment companies
Summary of Securities Exchange Act of 1934
3122.06 The Securities Exchange Act of 1934 created the Securities and Exchange Commission (SEC),
giving it powers over registering, regulating, oversight, discipline, and reporting for issuers.
The objective of the Securities Exchange Act of 1934 is the regulation of securities registered
on national exchanges plus over‐the‐counter stocks of companies with more than $10
million in assets and 500 or more shareholders.
3122.07 Registration under the 1934 SEC Act is separate from the 1933 Act. The major periodic
reports required are the following:
a. 10‐K annual report
b. 10‐Q quarterly report
c. 8‐K current report
d. Proxy statement
3122.08 The 10‐K must be accompanied by an auditor’s report. The 10‐Q may be subject to a limited
review. The 8‐K is not audited, but must be filed in writing 15 days after a significant event
such as a change in control, sale or purchase of division, start or termination of material
litigation, material default or debt, and/or write‐down or abandonment of assets. A change
in certifying CPA or the resignation of a director must be reported within five business days.
Proxy statements are not audited, but require full disclosure with regard to the proxy
solicitation. Proxy statements may, however, contain audited financial statements.
3122.09 Regulation S‐X is a compilation of reporting regulations required by the SEC. Regulation S‐K
sets forth the instructions for filing forms under both the Securities Act of 1933 and the
Securities Exchange Act of 1934. Regulation S‐T updates these instructions for electronic
filing.
3122.10 The 1934 Securities Exchange Act regulates exchanges and brokers, protects investors
against certain stock manipulations, prohibits insider trading, requires disclosure of tender
offers, and provides for regulation of margin requirements by the Federal Reserve Board.
Section 11(A) of the Securities Act of 1933
3122.11 The Securities Act of 1933 regulates public offerings of securities through the mails or in
interstate commerce.
3122.12 The Securities Act of 1933 requires the filing of a registration statement with the SEC prior to
the sale of securities. The act requires disclosure of all material facts concerning the
securities to be sold.
3122.13 Section 11(A) of the Securities Act of 1933 provides the following:
a. Any person who acquires securities may sue the CPA who audited the statements that
accompanied the registration.
b. The plaintiff may sue if the financial statements contain an untrue statement of a
material fact or omit a material fact.
c. The plaintiff does not have the burden of proving that the CPA was negligent or
fraudulent.
d. The plaintiff does not have to prove reliance on untrue financial statements or that
financial statements were the proximate cause of any loss.
e. The CPA has the burden of proof to establish innocence or that the cause of the
plaintiff’s loss was something other than the untrue financial statement.
3122.14 Section 11(A) of the Securities Act of 1933 expands liability as follows:
a. Privity of contract is not a necessary element.
b. Burden of proof, beyond proving material misstatement, is shifted from the plaintiff to
the CPA.
c. The CPA owes third‐party due diligence standard of care.
d. The plaintiff does not have to prove fraud or deceit—simple negligence is enough.
e. The plaintiff does not have to prove reliance.
3122.15 Defenses under Section 11(A) of the Securities Act of 1933 are the following:
a. The financial statements are true and not misleading.
b. The misstatement is immaterial.
c. The plaintiff purchased securities after issuance of a generally available earnings
statement and did not rely on registration statement (usually a generally available
earnings statement is published 12 months after effective date of registration).
d. The CPA exercised due diligence (i.e., that after a reasonable investigation the CPA had
reason to believe that the representations contained in the financial statements were
true and complete).
e. The damage does not relate to misstatement by the CPA.
f. The plaintiff had prior knowledge of falsity.
g. The statute of limitations (three years from securities sale) has expired.
3122.16 The CPA’s duty under Section 11(A) of the Securities Act of 1933 as to the fairness of the
financial statements contained in the registration statement extends to the time when the
registration statement becomes effective.
Rule 10b‐5 of the Securities Exchange Act of 1934
3122.17 The Securities Exchange Act of 1934 regulates securities exchanges and securities listed and
traded on exchanges.
3122.18 Rule 10b‐5 of the Securities Exchange Act of 1934 makes it unlawful for a person to use any
instrumentality of interstate commerce to do the following:
a. Employ any device, scheme, or artifice to defraud.
b. Make any untrue statement or omit a material fact.
c. Engage in any act, practice, or cause of business that operates or would operate as a
fraud or deceit upon any person in connection with the purchase or sale of any security.
3122.19 Notably absent from Rule 10b‐5 (SEA 1934) are the following:
a. Statement of defenses available to the CPA
b. Definition of to whom liability may run
c. Measures of damages
d. Limitation upon those who may be held liable
3122.20 The U.S. Supreme Court has ruled in Hochfelder that third parties must prove scienter in
order to reach the CPA under Rule 10b‐5 (SEA 1934).
a. Scienter is intent to deceive, manipulate, or defraud on the CPA’s part.
b. Simple negligence is not enough to hold the CPA responsible.
c. Recovery under Rule 10b‐5 (SEA 1934) is limited to the actual losses resulting from the
fraud.
3122.21 Courts have permitted the following defenses under Rule 10b‐5 (SEA 1934):
a. The CPA is not an insurer.
b. The CPA’s conduct does not include scienter.
c. There is a lack of reliance and materiality.
d. The statute of limitations has expired—this defense varies from state to state since Rule
10b‐5 is silent on this point and, therefore, courts look to state statutes of limitations.
Section 18 of the Securities Exchange Act of 1934
3122.22 Under Section 18 of the Securities Exchange Act of 1934, the CPA can incur liability for filing
any false or misleading statement in any document required to be filed under the act.
3122.23 Section 18 (SEA 1934) applies only to documents that are required to be filed (e.g., annual
10K, proxy statements).
3122.24 The third party must prove scienter (intent) in order to hold the CPA liable. Negligence on
the part of the CPA is not enough.
3122.25 Liability extends to any third party who relies on the false statement in purchasing or selling
a covered security.
3122.26 In order to recover, the third party must do the following:
a. Actually know of and rely upon the false statement
b. Show the price of the security was affected by the false statement
c. Show that the reliance caused the damage
3122.27 Section 18 of the Securities Exchange Act of 1934 is much narrower in scope than Rule 10b‐
5.
Dodd‐Frank Act
3122.28 The Dodd‐Frank Wall Street Reform and Consumer Protection Act of 2010 implements
sweeping and wide‐ranging financial regulatory reform. Title IX of this act is “Investor
Protections and Improvements to the Regulation of Securities.” It is referred to as the
Investor Protection and Securities Reform Act of 2010.
3122.29 While the bulk of the information in the Dodd‐Frank Act does not specifically apply to the
professional responsibilities of accountants, it is important for auditors of issuers to
understand the compliance issues applicable to their clients as a result of this new law. Parts
of the new law apply to the PCAOB and amend the Sarbanes‐Oxley Act and are thus relevant
to accountants.
3122.30 Title IX of the Dodd‐Frank Act is broken down into the following subtitles (A through J). The
information presented regarding each subtitle is in summarized highlight format and is not
meant to be representative of all of the changes in the securities laws. In addition,
references to the many studies required as part of the new law have been omitted. The full
text of Title IX can be found online.
3122.31 Dodd‐Frank Act, Title IX, Subtitle A: Increasing Investor Protection
a. This section establishes an Investor Advisory Committee to advise and consult with the
SEC on regulatory priorities of the SEC; issues relating to the regulation of securities
products, trading strategies, and fee structures, and the effectiveness of disclosure;
initiatives to protect investor interest; and initiatives to promote investor confidence
and the integrity of the securities marketplace. (Amends Title I of the Securities
Exchange Act of 1934)
b. The SEC is permitted to gather information from investors, members of the public,
academics, and consultants. It may also engage in investor testing programs. (Amends
Section 19 of the Securities Act of 1933)
c. The SEC is granted the authority to establish a fiduciary duty for brokers and dealers and
to require disclosure of range of products offered to investors. (Amends Section 15 of
the Securities and Exchange Act of 1934)
d. A new department in the SEC called the Office of the Investor Advocate reports directly
to the chairman of the SEC and assists investors in resolving problems, identifies areas in
which investors would benefit from changes in the regulations of the SEC, and reports to
Congress annually on its activities. (Amends Section 4 of the Securities Exchange Act of
1934)
e. The filing procedure for self‐regulatory organizations is streamlined under this section.
(Amends Section 19(b) of the Securities Exchange Act of 1934)
f. The SEC is permitted to issue rules requiring that a broker or dealer provide additional
documents or information to a retail investor prior to the purchase of an investment.
g. The Investor Advocate must appoint an Ombudsman to act as a liaison between the SEC
and any retail investor to resolve problems. (Amends Section 4(g) of the Securities
Exchange Act of 1934)
3122.32 Dodd‐Frank Act, Title IX, Subtitle B: Increasing Regulatory Enforcement and Remedies
a. The SEC is permitted to prohibit or impose conditions or limitations on the use of
arbitration agreements between brokers or dealers and investors. (Amends Section 15
of the Securities Exchange Act of 1934)
b. This section allows for protection of (and payment of monetary incentives to) those who
report information relating to a violation of the securities laws to the SEC
(“whistleblowers”). (Amends the Securities Exchange Act of 1934 by adding Section 21F)
c. The SEC must issue rules for the disqualification of a person convicted of a felony or
misdemeanor in connection with the purchase or sale of any security or involving the
making of any false filing with the SEC.
d. Any civil penalties obtained through a judicial or administrative action brought by the
SEC against a violator of securities laws may, at the direction of the SEC, be awarded to
the victims. (Amends Section 308 of the Sarbanes‐Oxley Act of 2002)
e. The borrowing limit on treasury loans is increased from $1 billion to $2.5 billion.
f. Subpoenas served to compel the attendance of a witness or documents for an SEC
action or proceeding may be served anywhere in the United States. (Amends Section
22(a) of the Securities Act of 1933 and Section 27 of the Securities Exchange Act of
1934)
g. The SEC is exempted from the Freedom of Information Act; it does not have to disclose
information that it obtains from examinations. (Amends Section 24 of the Securities
Exchange Act of 1934)
h. Foreign registered public accounting firms are required to produce audit workpapers at
the request of the SEC or the PCAOB. (Amends Section 106 of the Sarbanes‐Oxley Act of
2002)
i. Any person that knowingly or recklessly provides substantial assistance to another
person in violation of a provision of this act, or of any rule or regulation issued under
this act, is in violation of the same provisions, rules, or regulations as the person to
whom the assistance was provided. (Amends Section 15 of the Securities Act of 1933)
3122.33 Dodd‐Frank Act, Title IX, Subtitle C: Improvements to the Regulation of Credit Rating
Agencies
a. Credit rating agencies play a large, important role in capital formation, investor
confidence, and the efficient performance of the economy. They are the “gatekeepers”
in the debt market (deciding who receives credit based on the information provided),
and they provide ratings on structured financial products. The act sets forth that they
should be subject to the same standards of public oversight and accountability that
apply to auditors, securities analysts, and investment bankers.
b. Credit rating agencies are required to annually submit an internal controls report to the
SEC.
c. The SEC is required to issue rules to prevent the sales and marketing considerations of a
nationally recognized statistical rating organization from influencing the production of
ratings by the nationally recognized statistical rating organization.
d. Credit rating agencies must conduct reviews to determine if any conflicts of interest
exist that may influence a credit rating.
e. The SEC must establish an Office of Credit Ratings to promote accuracy in credit ratings
issued by nationally recognized statistical rating organizations and to ensure that the
ratings are not unduly influenced by conflicts of interest.
f. Each nationally recognized statistical rating organization must be examined annually by
the SEC. The inspection reports will be made available to the public.
g. Ratings information provided to the public must be comparable among nationally
recognized statistical rating organizations, be clear and informative, include certain
disclosures, include performance information over a range of years and for a variety of
types of credit ratings, be published and made freely available on a website, and be
accompanied by an attestation that no part of the rating was influenced by other
business activities (it was an independent evaluation).
h. The SEC must prescribe rules with respect to the procedures and methodologies used by
nationally recognized statistical rating organizations.
i. The SEC must issue rules that are designed to ensure the professional qualifications of
credit rating analysts.
j. Credit rating agencies are no longer exempt from the Fair Disclosure Rule.
3122.34 Dodd‐Frank Act, Title IX, Subtitle D: Improvements to the Asset‐Backed Securitization
Process
a. An asset‐backed security is “a fixed‐income or other security collateralized by any type
of self‐liquidating financial asset (including a loan, a lease, a mortgage, or a secured or
unsecured receivable) that allows the holder of the security to receive payments that
depend primarily on cash flow from the asset, including:
(i) a collateralized mortgage obligation;
(ii) a collateralized debt obligation;
(iii) a collateralized bond obligation;
(iv) a collateralized debt obligation of asset‐based securities;
(v) a collateralized debt obligation of collateralized debt obligations; and
(vi) a security that the Commission…determines to be an asset‐backed security….”
b. The federal banking agencies and the SEC must prescribe regulations to require any
securitizer (issuer of an asset‐backed security) to retain an economic interest in a
portion of the credit risk for any asset that the securitizer, through the issuance of an
asset‐backed security, transfers, sells, or conveys to a third party.
c. The securitizer cannot directly or indirectly hedge or otherwise transfer the credit risk
that is required to be retained and must retain not less than 5% of the credit risk for an
asset that is not a qualified residential mortgage. (For other assets, the required
percentage may be less than 5%.)
d. Separate asset classes are established, including classes for residential mortgages,
commercial mortgages, commercial loans, auto loans, and any other types of assets that
the SEC deems appropriate.
e. Certain institutions and programs are exempt, including farm credit system institutions,
and residential, multifamily, or health care facility mortgage loan assets that are insured
or guaranteed by the United States.
f. Enhanced disclosure requirements are set forth for asset‐backed securities. (Amends
Section 7 of the Securities Act of 1933)
g. Issuers of asset‐backed securities must perform due diligence analysis and disclosure of
the assets underlying the asset‐backed security. (Amends Section 7 of the Securities Act
of 1933)
3122.35 Dodd‐Frank Act, Title IX, Subtitle E: Accountability and Executive Compensation
a. At least every three years, shareholders are asked to vote to approve the compensation
of executives.
b. At the meetings where shareholders are asked to approve an acquisition, merger,
consolidation, or proposed sale or other disposition of all (or substantially all) of the
assets of an issuer, the solicitation must disclose (in clear and simple form) any golden
parachute agreements (compensation that is based on the change in ownership).
Shareholders must be asked to approve this compensation.
c. Issuers are required to have independent compensation committees, or they may not
be listed on the Exchange. (Amends the Securities Exchange Act of 1934 by inserting this
information after Section 10B)
d. Controlled companies are exempt from this subtitle.
e. Each issuer is required to disclose, in any proxy or consent solicitation material for the
annual meeting of the shareholders, information that shows the relationship between
executive compensation actually paid and the financial performance of the issuer.
f. Issuers must also disclose the median of the annual total compensation of all employees
of the issuer (except the CEO), the annual total compensation of the CEO, and the ratio
of the median amount of compensation to the annual total compensation of the CEO.
g. Issuers are required to develop and implement a policy whereby they may recover
erroneously awarded incentive‐based compensation if financial information is restated
due to material noncompliance with any financial reporting requirement under the
securities laws. (Amends the Securities Exchange Act of 1934 by inserting this
information after Section 10C)
h. The issuer must disclose, in any proxy or consent solicitation, if any employee or
member of the board is permitted to purchase financial instruments that are designed
to hedge or offset any decrease in the market value of equity securities granted to that
person as part of compensation or held directly or indirectly by that person.
i. Covered financial institutions are required to disclose the structure of all incentive‐
based compensation arrangements to determine if the compensation is excessive or
could lead to a material financial loss to the institution. The guidelines for disclosure
must be set forth by “appropriate” federal regulators.
3122.36 Dodd‐Frank Act, Title IX, Subtitle F: Improvements to the Management of the Securities
and Exchange Commission
a. The SEC must submit an annual report to Congress regarding its examinations of
registered entities, enforcement investigations, and review of corporate financial
securities filings.
b. Once every three years, the Comptroller General of the United States must submit a
report to Congress regarding the quality of personnel management by the SEC, including
the effectiveness of supervisors in using the skills, talents, and motivation of the
employees of the SEC in order to achieve the goals of the Commission; the criteria for
promoting employees of the SEC to supervisory positions; the fairness of the application
process for promotion; the competence of the professional staff of the SEC; and other
factors such as turnover rates at the SEC.
c. Each year the SEC must publish an internal control assessment and submit it to
Congress.
d. The Inspector General must maintain a hotline for the receipt of suggestions by
employees of the SEC for improvements and allegations of misconduct.
e. The SEC is required to hire an independent consultant to examine the internal
operations, structure, funding, and the need for comprehensive reform of the SEC.
3122.37 Dodd‐Frank Act, Title IX, Subtitle G: Strengthening Corporate Governance
a. Shareholders are permitted to use proxy materials to nominate individuals to
membership on the board of directors of the issuer. (Amends Section 14(a) of the
Securities Exchange Act of 1934)
b. Issuers must inform investors why the issuer has chosen:
(1) the same person to serve as chairman of the board of directors and CEO, or
(2) different individuals to serve as chairman of the board of directors and CEO.
(Amends the Securities Exchange Act of 1934 by inserting this information after Section 14A)
3122.38 Dodd‐Frank Act, Title IX, Subtitle H: Municipal Securities
a. Municipal advisors must be registered in order to provide advice to or on behalf of a
municipal entity or obligated person with respect to municipal financial products or the
issuance of municipal securities. (Amends Section 15B(a) of the Securities Exchange Act
of 1934)
b. The composition of the Municipal Securities Rulemaking Board is changed from the
original law. (Amends Section 15B(b) of the Securities Exchange Act of 1934)
c. A municipal advisor has a fiduciary duty to any municipal entity for whom it acts as an
advisor. Fines collected for violation of the rules are split between the SEC and the
board. (Amends Section 15B(c) of the Securities Exchange Act of 1934)
d. The SEC must establish an Office of Municipal Securities to administer the rules of the
SEC with respect to the practices of municipal securities brokers and dealers and to
coordinate with the Municipal Securities Rulemaking Board.
3122.39 Dodd‐Frank Act, Title IX, Subtitle I: Public Company Accounting Oversight Board, Portfolio
Margining, and Other Matters
a. The PCAOB is permitted to make information relating to a public accounting firm
available to a foreign auditor oversight authority. The foreign auditor oversight
authority must agree to keep the information confidential. (Amends Section 1059(b)(5)
of the Sarbanes‐Oxley Act of 2002)
b. Definitions for “audit,” “audit report,” “broker,” “dealer,” “professional standards,” and
“self‐regulatory organization” are added to the end of Title I of the Sarbanes‐Oxley Act
of 2002. In addition, the term “issuers” is replaced by “issuers, brokers, and dealers” in
certain sections of the text.
c. The PCAOB may conduct and require a program of inspection of registered public
accounting firms that provide audit reports for a broker or dealer. (Amends Section
104(a) of the Sarbanes‐Oxley Act of 2002)
d. This section establishes a Council of Inspectors General on Financial Oversight (known as
“Council of Inspectors General”). It is composed of Inspectors General from nine
different federal agencies.
3122.40 Dodd‐Frank Act, Title IX, Subtitle J: Securities and Exchange Commission Match Funding
This section sets forth the authority of the SEC to collect transaction fees and assessments to
recover the costs to the government of the annual appropriations to the SEC by Congress. It
also describes how the fee rates should be determined.
Sarbanes‐Oxley Act of 2002
3122.41 The Sarbanes‐Oxley Act of 2002 is named after Senator Paul Sarbanes and Representative
Michael Oxley, the chief architects of the act. The law is also referred to as HR 3763. The act
(often referred to in industry jargon as “SOX”) protects investors by improving the accuracy
and reliability of corporate disclosures made pursuant to the securities laws, and for other
purposes. Accordingly, SOX establishes regulations and regulatory oversight for issuers
(public companies) and their auditors.
3122.42 The Sarbanes‐Oxley Act is arranged into 11 titles:
Title I. Public Company Accounting Oversight Board
Title II. Auditor Independence
Title III. Corporate Responsibility
Title IV. Enhanced Financial Disclosures
Title V. Analyst Conflicts of Interest
Title VI. Commission Resources and Authority
Title VII. Studies and Reports
Title VIII. Corporate and Criminal Fraud Accountability
Title IX. White‐Collar Crime Penalty Enhancements
Title X. Corporate Tax Returns
Title XI. Corporate Fraud and Accountability
Title I: Public Company Accounting Oversight Board (PCAOB)
3122.43 SOX Section 101: Establishment; Administrative Provisions
Title I of the Sarbanes‐Oxley Act (SOX) is titled “Public Company Accounting Oversight
Board.” This title sets forth the specifics of the creation and powers of the PCAOB.
3122.44 SOX Section 102: Registration with the Board
Public accounting firms performing audits on issuers must register with the PCAOB. A new,
current registration must include:
a. the names of all issuers for which the firm prepared or issued audit reports during the
immediately preceding calendar year, and for which the firm expects to prepare or issue
audit reports during the current calendar year;
b. the annual fees received by the firm from each issuer for audit services, other
accounting services, and nonaudit services;
c. other current financial information for the most recently completed fiscal year of the
firm that the Board may request;
d. a statement of the firm’s quality control policies for its accounting and auditing
practices;
e. a list of the names and license numbers of all accountants associated with the firm who
participate in or contribute to the preparation of audit reports;
f. information regarding criminal, civil, or administrative actions or disciplinary
proceedings against the firm (or any person in the firm) connected with an audit report;
g. copies of any periodic or annual disclosure filed by an issuer with the SEC during the
immediately preceding calendar year that discloses accounting disagreements between
the issuer and the firm in connection with an audit report furnished or prepared by the
firm for the issuer;
h. consents from the firm to cooperate and comply with any request made by the PCAOB
in furtherance of its authority and responsibilities; and
i. any other information that the Board requests.
3122.45 Each registered public accounting firm must submit an annual report to the PCAOB. The
firms must also pay registration fees and annual fees.
3122.46 SOX Section 103: Auditing, Quality Control, and Independence Standards and Rules
The PCAOB has the authority to set, amend, update, and modify auditing, quality control,
and ethics standards.
3122.47 SOX Section 104: Inspections of Registered Public Accounting Firms
This section gives the PCAOB the mandate and authority to conduct compliance inspections
of each registered public accounting firm.
a. Those firms that audit more than 100 issuers are inspected annually.
b. Those firms that audit 100 or fewer issuers are inspected every three years.
3122.48 The PCAOB will inspect and review selected audit and review engagements of the firm,
evaluate the sufficiency of the firm’s quality control system, perform testing of the audit,
supervisory, and quality control procedures, provide a written report about its findings, and
investigate violations and take disciplinary actions if necessary.
3122.49 SOX Section 105: Investigations and Disciplinary Proceedings
The PCAOB may investigate any act or practice, or omission to act, by a registered public
accounting firm, any associated person of such firm, or both, that may violate any provision
of the Sarbanes‐Oxley Act, the rules of the PCAOB, the provisions of the securities laws
relating to the preparation and issuance of audit reports and the obligations and liabilities of
accountants with respect thereto, including the rules of the SEC issued under the SOX, or
professional standards, regardless of how the act, practice, or omission is brought to the
attention of the PCAOB.
3122.50 Possible disciplinary sanctions may include:
a. temporary suspension or permanent revocation of registration under this SOX Title I;
b. temporary or permanent suspension or bar of a person from further association with
any registered public accounting firm;
c. temporary or permanent limitation on the activities, functions, or operations of such
firm or person (other than in connection with required additional professional education
or training);
d. a civil money penalty for each such violation, in an amount equal to:
(1) not more than $100,000 for a natural person or $2,000,000 for any other person;
and
(2) in any case to which intentional or knowing misconduct applies, not more than
$750,000 for a natural person or $15,000,000 for any other person;
e. censure;
f. required additional professional education or training; or
g. any other appropriate sanction provided for in the rules of the PCAOB.
3122.51 The PCAOB will strictly sanction:
a. intentional, or knowing conduct, including reckless conduct, that results in violation of
the applicable statutory, regulatory, or professional standard.
b. repeated instances of negligent conduct, each resulting in a violation of the applicable
statutory, regulatory, or professional standard.
3122.52 Sanctions addressed in SOX Title I are reported to the SEC, state licensing boards, and the
public.
3122.53 SOX Section 106: Foreign Public Accounting Firms
Any foreign public accounting firm that prepares or furnishes an audit report with respect to
any issuer is subject to these rules, in the same manner as that of a U.S. public accounting
firm. The Dodd‐Frank Act (Title IX) amended this section to require that foreign public
accounting firms must produce the audit workpapers upon request of the Public Company
Accounting Oversight Board (PCAOB).
3122.54 SOX Section 107: Commission Oversight of the Board
The Securities and Exchange Commission (SEC) has oversight over the Public Company
Accounting Oversight Board (PCAOB). No rule of the PCAOB can become effective without
approval of the SEC. While the PCAOB is able to sanction a registered public accounting firm
(or individual in the firm), the SEC will review the sanctions and has the ability to enhance,
modify, cancel, reduce, or require the remission of a sanction.
3122.55 SOX Section 108: Accounting Standards
The SEC is permitted to recognize, as “generally accepted” for purposes of securities laws,
any accounting principles established by a standard‐setting body that meets certain
requirements and submits an annual report to the SEC containing audited financial
statements.
3122.56 SOX Section 109: Funding
This section discusses the PCAOB budget requirements and the method of funding its
operation (fees from registered public accounting firms). Any penalties collected must be
used to fund a merit scholarship program for undergraduate and graduate students enrolled
in accredited accounting degree programs.
Title II: Auditor Independence
3122.57 SOX Section 201: Services Outside the Scope of Practice of Auditors
Registered public accounting firms are prohibited from providing nonaudit services to audit
clients covered under SOX. These nonaudit services include:
a. bookkeeping or other services related to the accounting records or financial statements
of the audit client;
b. financial information systems design and implementation;
c. appraisal or valuation services, fairness opinions, or contribution‐in‐kind reports;
d. actuarial services;
e. internal audit outsourcing services;
f. management functions or human resources;
g. broker or dealer, investment advisor, or investment banking services;
h. legal services and expert services unrelated to the audit; and
i. any other service that the Public Company Accounting Oversight Board (PCAOB)
determines, by regulation, is impermissible.
3122.58 A registered public accounting firm may engage in any nonaudit service, including tax
services, but only if the activity is approved in advance by the audit committee of the issuer.
Preapproval must follow certain requirements (outlined in Section 202 of SOX Title II). The
PCAOB may, on a case‐by‐case basis, exempt any person, issuer, public accounting firm, or
transaction from the prohibition of nonaudit services.
3122.59 SOX Section 202: Preapproval Requirements
All auditing services and nonaudit services must be preapproved by the audit committee of
the issuer. The preapproval requirement for nonaudit services is waived if:
a. the total annual revenues for the nonaudit services are 5% or less of the total revenues
paid to the auditor by the issuer;
b. the services were not recognized to be nonaudit services by the issuer at the time of the
engagement; and
c. the services are promptly brought to the attention of the audit committee of the issuer
and approved prior to the completion of the audit.
3122.60 Audit committee approval of nonaudit services to be performed by the auditor must be
disclosed to investors.
3122.61 SOX Section 203: Audit Partner Rotation
The lead audit partner who has performed audit services for the issuer must rotate out of
that position if they have performed services for that issuer in each of the five previous fiscal
years of that issuer in order for the registered public accounting firm to continue to provide
audit services to the issuer.
3122.62 SOX Section 204: Auditor Reports to Audit Committees
Section 204 of SOX Title II amends Section 10A of the Securities Exchange Act of 1934 by
requiring that each registered public accounting firm that performs an audit of issuer
financial statements timely report to the issuer’s audit committee:
a. all critical accounting policies and practices to be used;
b. all alternative treatments of financial information within GAAP that have been discussed
with management officials of the issuer, ramifications of the use of such alternative
disclosures and treatments, and the treatment preferred by the registered public
accounting firm; and
c. other material written communications between the registered public accounting firm
and the management of the issuer, such as any management letter or schedule of
unadjusted differences.
3122.63 SOX Section 205: Conforming Amendments
This section amends the definition of “audit committee” and inserts “registered public
accounting firm” for “independent public accountants” in the Securities Exchange Act of
1934.
3122.64 SOX Section 206: Conflicts of Interest
Section 206 of SOX Title II amends Section 10A of the Securities Exchange Act of 1934 by
preventing a registered public accounting firm from performing an audit of issuer financial
statements if a CEO, controller, CFO, CAO, or any equivalent position was employed at the
registered public accounting firm and participated in the audit of the entity during the one‐
year period preceding the date of the initiation of the audit.
3122.65 SOX Section 207: Study of Mandatory Rotation of Registered Public Accounting Firms
The Comptroller General of the United States is required to conduct a study and review of
the potential effects of requiring the mandatory rotation of public accounting firms.
3122.66 SOX Section 208: Commission Authority
It is unlawful under Section 208 of SOX Title II for any registered public accounting firm to
prepare or issue any audit report with respect to any issuer, if the firm or associated person
engages in any activity with respect to that issuer that is prohibited by Section 10A of the
Securities Exchange Act of 1934, or any rule or regulation of the SEC or PCAOB.
3122.67 SOX Section 209: Considerations by Appropriate State Regulatory Authorities
State regulatory agencies are required to make an independent determination of the proper
standards applicable in supervising nonregistered public accounting firms.
Title III: Corporate Responsibility
3122.68 Title III, Section 303 of the Sarbanes‐Oxley Act (SOX) is titled “Improper Influence on Conduct
of Audits.”
3122.69 It is prohibited for any issuer’s officer or director (or anyone acting under their direction) to
take any action to fraudulently influence, coerce, manipulate, or mislead any independent
public or certified accountant engaged in the performance of an audit of the financial
statements of that issuer for the purpose of rendering such financial statements materially
misleading.
3122.70 The Securities Exchange Commission has the authority to enforce SOX Title III, Section 303 in
a civil proceeding, and this law is in addition to (not superseding or preempting) any other
provision of law or any rule or regulation thereunder.
Title IV: Enhanced Financial Disclosures
3122.71 SOX Section 401: Disclosures in Periodic Reports
Title IV of the Sarbanes‐Oxley Act (SOX) is titled “Enhanced Financial Disclosures.” This title
amends Section 13 of the Securities Exchange Act of 1934 by requiring that each financial
report that contains financial statements, and that is required to be prepared in accordance
with (or reconciled to) GAAP, shall reflect all material correcting adjustments that have been
identified by a registered public accounting firm.
3122.72 Each annual and quarterly financial report required to be filed with the SEC shall disclose all
material off‐balance‐sheet transactions, arrangements, obligations (including contingent
obligations), and other relationships of the issuer with unconsolidated entities or other
persons, that may have a material current or future effect on financial condition, changes in
financial condition, results of operations, liquidity, capital expenditures, capital resources, or
significant components of revenues or expenses.
3122.73 Pro forma information included in any report filed with the SEC must be presented in a
manner that:
a. does not contain an untrue statement of a material fact or omit to state a material fact
necessary in order to make the pro forma financial information not misleading; and
b. reconciles it with the financial condition and results of operations of the issuer under
GAAP.
3122.74 SOX Section 402: Enhanced Conflict of Interest Provisions
It is unlawful for any issuer, directly or indirectly, including through any subsidiary, to extend
or maintain credit in the form of a personal loan to or for any director or executive officer of
that issuer. Certain loans are exempted from this provision.
3122.75 SOX Section 403: Disclosures of Transactions Involving Management and Principal
Stockholders
Any person who is directly or indirectly the beneficial owner of more than 10% of any class
of any equity security (other than an exempted security) which is registered pursuant to
Section 12 of the Securities Exchange Act of 1934, or who is a director of an officer of the
issuer of such security, must file the statements required by SOX and the SEC. The deadline,
contents, and form of the statements are specified in SOX Title IV, Section 403.
3122.76 SOX Section 404: Management Assessment of Internal Controls
Each annual report filed with the SEC must contain an internal control report. This report
states the responsibility of management for establishing and maintaining an adequate
internal control structure and procedures for financial reporting. It also contains an
assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of
the internal control structure and procedures. Registered public accounting firms are
required to attest to, and report on, the assessment made by management regarding
internal control.
3122.77 SOX Section 405: Exemption
Sections 401, 402, and 404 do not apply to any investment company registered under
Section 8 of the Investment Company Act of 1940.
3122.78 SOX Section 406: Code of Ethics for Senior Financial Officers
Each issuer must disclose whether or not (and if not, why not) the issuer has adopted a code
of ethics for senior financial officers. Any change in or waiver of the code of ethics for senior
financial officers requires immediate disclosure.
3122.79 The term “code of ethics” refers to standards that are reasonably necessary to promote:
a. honest and ethical conduct, including the ethical handling of actual or apparent conflicts
of interest between personal and professional relationships;
b. full, fair, accurate, timely, and understandable disclosure in the periodic reports
required to be filed by the issuer; and
c. compliance with applicable governmental rules and regulations.
3122.80 SOX Section 407: Disclosure of Audit Committee Financial Expert
Each issuer must disclose whether or not (and if not, why not) the audit committee of that
issuer is comprised of at least one member who is a financial expert.
3122.81 “Financial expert” is defined in SOX Title IV as whether a person has, through education and
experience as a public accountant or auditor or a principal financial officer, comptroller, or
principal accounting officer of an issuer:
a. an understanding of GAAP and financial statements;
b. experience in:
(1) the preparation or auditing of financial statements of generally comparable issuers
and
(2) the application of such principles in connection with the accounting for estimates,
accruals, and reserves;
c. experience with internal accounting controls; and
d. an understanding of audit committee functions.
3122.82 SOX Section 408: Enhanced Review of Periodic Disclosures by Issuers
The SEC will review disclosures made by issuers at least once every three years. Special
attention will be paid to the disclosures of issuers:
a. who have issued material restatements of financial results;
b. who experienced significant volatility in their stock price as compared to other issuers;
c. who have the largest market capitalization;
d. who are emerging companies with disparities in price to earnings ratios;
e. with operations that significantly affect any material sector of the economy; and
f. with any other factor the SEC may consider relevant.
3122.83 SOX Section 409: Real Time Issuer Disclosures
Issuers must disclose to the public on a rapid and current basis any additional information
concerning material changes in the financial condition or operations of the issuer. These
disclosures must be in “plain English.”
Purpose and Duties of the PCAOB
3122.84 The Public Company Accounting Oversight Board (PCAOB) is a nonprofit corporation
established by the Sarbanes‐Oxley Act of 2002. The purpose of the PCAOB is to oversee the
audits of issuers (public companies) that are subject to the securities laws in order to protect
the interests of investors and further the public interest in the preparation of informative,
accurate, and independent audit reports. The PCAOB is not an agency or establishment of
the United States government.
3122.85 “Issuer” is defined in Section 2 of the Sarbanes‐Oxley Act. It is a company, the securities of
which are registered under Section 12 of the Securities Exchange Act of 1934, or that is
required to file reports under Section 15(d), or that files or has filed a registration statement
that has not yet become effective under the Securities Act of 1933, and that it has not
withdrawn.
3122.86 The PCAOB Board is composed of five members, with high integrity, who have a
demonstrated commitment to the interests of investors and the public. These members
should have an understanding of the financial reporting process as it exists under the
securities laws as well as the responsibilities of accountants regarding the preparation and
issuance of audit reports. Members of the PCAOB Board are appointed to staggered terms
by the Securities and Exchange Commission.
3122.87 The duties of the PCAOB (Board) include the following:
a. Register public accounting firms that prepare audit reports for issuers.
b. Establish or adopt, or both, by rule, auditing, quality control, ethics, independence, and
other standards relating to the preparation of audit reports for issuers.
c. Conduct inspections of registered public accounting firms.
d. Conduct investigations and disciplinary proceedings concerning, and impose appropriate
sanctions where justified upon, registered public accounting firms and associated
persons of such firms.
e. Perform such other duties or functions as necessary or appropriate to promote high
professional standards among, and improve the quality of audit services offered by,
registered public accounting firms and associated persons thereof, in order to protect
investors or to further the public interest.
f. Enforce compliance with the Sarbanes‐Oxley Act, the rules of the Board, professional
standards, and the securities laws relating to the preparation and issuance of audit
reports and the obligations and liabilities of accountants with respect thereto, by
registered public accounting firms and associated persons thereof.
g. Set the budget and manage the operations of the Board and the staff of the Board.
PCAOB: Registration of Public Accounting Firms
3122.88 All public accounting firms (domestic or foreign) that issue, or participate in the issuance of,
any audit report of an issuer must register with the PCAOB. In addition to the registration
requirement, the public accounting firm must indicate in a consent statement that the firm
understands its responsibility to cooperate with the Board and comply with any request for
testimony or the production of documents made by the Board in the furtherance of its
authority and responsibility.
3122.89 The registration application must be submitted electronically at www.pcaobus.org. The
application fee is based on the number of preceding‐year issuer audit clients.
PCAOB: Currently Applicable Standards
3122.90 A registered public accounting firm and its associated persons shall comply with all
applicable auditing and related professional practice standards (PCAOB Rule 3100). Any such
firm that fails to adhere to applicable PCAOB standards in connection with an audit of the
financial statements of an issuer may be the subject of a PCAOB disciplinary proceeding in
accordance with Section 105 of the Sarbanes‐Oxley Act. In addition, any violation of the
PCAOB’s rules is treated in the same manner as a violation of the Securities Exchange Act of
1934.
3122.91 The AICPA Code of Professional Conduct requires a member who performs auditing and
other professional services to comply with standards promulgated by bodies designated by
the AICPA Council. The AICPA Council has designated the PCAOB as a body with the authority
to promulgate auditing and related attestation standards, quality control, ethics,
independence, and other standards relating to the preparation and issuance of audit reports
for issuers.
3122.92 The AICPA’s Professional Ethics Division is able to hold an AICPA member who performs
audits of the financial statements of issuers accountable under the Code of Professional
Conduct for complying with the PCAOB’s auditing and related professional practice
standards when performing such audits.
3122.93 Rules and standards issued by the PCAOB must be approved by the SEC before they become
effective. In April 2003, the Board adopted certain preexisting standards as interim
standards:
a. Regarding Interim Auditing Standards, a registered public accounting firm and its
associated persons shall comply with generally accepted auditing standards (GAAS) as
described in the AICPA’s AU‐C 200. A registered public accounting firm is required to
follow these standards in the performance of audits of issuers until they are formally
superseded by standards issued by the PCAOB.
b. Interim Quality Control Standards consist of the AICPA’s Auditing Standards Board’s
Statements on Quality Control Standards, as in existence on April 16, 2003, to the extent
not superseded or amended by the Board, and (for those firms that were members of
the AICPA SEC Practice Section (SECPS)) certain AICPA SEC Practice Section’s
membership requirements, as in existence on April 16, 2003, to the extent not
superseded or amended by the Board.
c. Interim Attestation Standards consist of the AICPA’s Auditing Standards Board’s
Statements on Standards for Attestation Engagements, related interpretations, and
statements of position as in existence on April 16, 2003, to the extent not superseded or
amended by the Board.
d. Interim Ethics Standards consist of ethics standards described in the AICPA’s Code of
Professional Conduct Rule 102, and interpretations and rulings thereunder, as in
existence on April 16, 2003, to the extent not superseded or amended by the Board.
e. Interim Independence Standards consist of independence standards described in the
AICPA’s Code of Professional Conduct, and interpretations and rulings thereunder, as in
existence on April 16, 2003, to the extent not superseded or amended by the Board, and
certain standards, and interpretations, of the Independence Standards Board, to the
extent not superseded or amended by the Board.
3122.94 In addition, the PCAOB Board has adopted its own Auditing Standards and Ethics and
Independence Rules.
PCAOB Ethics and Independence Rules
3122.95 The following Ethics and Independence Rules have been adopted by the Public Company
Accounting Oversight Board (PCAOB) and approved by the Securities and Exchange
Commission (SEC). The PCAOB’s rules would be in addition to the AICPA’s Code of
Professional Conduct and interpretations and rulings thereunder, as in existence on April 16,
2003, to the extent not superseded or amended by the PCAOB, and certain standards, and
interpretations, of the Independence Standards Board, to the extent not superseded or
amended by the PCAOB.
3122.96 Rule 3501: Definitions of Terms Employed in Section 3, Part 5 of the Rules
This section defines terms to be used, such as “audit and professional engagement period,”
“audit client,” and “contingent fee.”
3122.97 Rule 3502: Responsibility Not to Knowingly or Recklessly Contribute to Violations
A person associated with a registered public accounting firm shall not take or omit to take an
action knowing, or recklessly not knowing, that the act or omission would directly and
substantially contribute to a violation by that registered public accounting firm of the
Sarbanes‐Oxley Act, the Rules of the PCAOB, the provisions of the securities laws relating to
the preparation and issuance of audit reports and the obligations and liabilities of
accountants with respect thereto, including the rules of the Commission issued under the
Sarbanes‐Oxley Act, or professional standards.
3122.98 Rule 3520: Auditor Independence
A registered public accounting firm and its associated persons must be independent of the
firm's audit client throughout the audit and professional engagement period.
Note 1: Under Rule 3520, a registered public accounting firm or associated person's
independence obligation with respect to an audit client that is an issuer encompasses not
only an obligation to satisfy the independence criteria set out in the rules and standards of
the PCAOB, but also an obligation to satisfy all other independence criteria applicable to the
engagement, including the independence criteria set out in the rules and regulations of the
Commission under the federal securities laws.
Note 2: Rule 3520 applies only to those associated persons of a registered public accounting
firm required to be independent of the firm's audit client by standards, rules, or regulations
of the Securities and Exchange Commission or other applicable independence criteria.
3122.99 Rule 3521: Contingent Fees
A registered public accounting firm is not independent of its audit client if the firm, or any
affiliate of the firm, during the audit and professional engagement period, provides any
service or product to the audit client for a contingent fee or a commission, or receives from
the audit client, directly or indirectly, a contingent fee or commission.
3122.100 Rule 3522: Tax Transactions
A registered public accounting firm is not independent of its audit client if the firm, or any
affiliate of the firm, during the audit and professional engagement period, provides any
nonaudit service to the audit client related to marketing, planning, or opining in favor of the
tax treatment of, a transaction:
a. that is a confidential transaction or
b. that was initially recommended, directly or indirectly, by the registered public
accounting firm and a significant purpose of which is tax avoidance, unless the proposed
tax treatment is at least more likely than not to be allowable under applicable tax laws.
Note 1: With respect to transactions subject to the U.S. tax laws, paragraph (b) above
includes, but is not limited to, any transaction that is a listed transaction within the meaning
of 26 CFR Section 1.6011‐4(b)(2).
Note 2: A registered public accounting firm indirectly recommends a transaction when an
affiliate of the firm or another tax advisor, with which the firm has a formal agreement or
other arrangement related to the promotion of such transactions, recommends engaging in
the transaction.
3122.101 Rule 3523: Tax Services for Persons in Financial Reporting Oversight Roles
A registered public accounting firm is not independent of its audit client if the firm, or any
affiliate of the firm, during the professional engagement period provides any tax service to a
person in a financial reporting oversight role at the audit client, or an immediate family
member of such person, unless:
a. the person is in a financial reporting oversight role at the audit client only because he or
she serves as a member of the board of directors or similar management or governing
body of the audit client;
b. the person is in a financial reporting oversight role at the audit client only because of
the person's relationship to an affiliate of the entity being audited:
(1) whose financial statements are not material to the consolidated financial
statements of the entity being audited; or
(2) whose financial statements are audited by an auditor other than the firm or an
associated person of the firm; or
c. the person was not in a financial reporting oversight role at the audit client before a
hiring, promotion, or other change in employment event and the tax services are:
(1) provided pursuant to an engagement in process before the hiring, promotion, or
other change in employment event; and
(2) completed on or before 180 days after the hiring or promotion event.
Note: In an engagement for an audit client whose financial statements for the first time will
be required to be audited pursuant to the standards of the PCAOB, the provision of tax
services to a person covered by Rule 3523 before the earlier of the date that the firm (1)
signed an initial engagement letter or other agreement to perform an audit pursuant to the
standards of the PCAOB, or (2) began procedures to do so, does not impair a registered
public accounting firm's independence under Rule 3523.
3122.102 Rule 3524: Audit Committee Pre‐approval of Certain Tax Services
In connection with seeking audit committee pre‐approval to perform for an audit client any
permissible tax service, a registered public accounting firm shall:
a. describe, in writing, to the audit committee of the issuer:
(1) the scope of the service, the fee structure for the engagement, and any side letter
or other amendment to the engagement letter, or any other agreement (whether
oral, written, or otherwise) between the firm and the audit client, relating to the
service; and
(2) any compensation arrangement or other agreement, such as a referral agreement,
a referral fee or fee‐sharing arrangement, between the registered public accounting
firm (or an affiliate of the firm) and any person (other than the audit client) with
respect to the promoting, marketing, or recommending of a transaction covered by
the service;
b. discuss with the audit committee of the issuer the potential effects of the services on
the independence of the firm; and
c. document the substance of its discussion with the audit committee of the issuer.
3122.103 Rule 3525: Audit Committee Pre‐approval of Non‐audit Services Related to Internal
Control Over Financial Reporting
In connection with seeking audit committee pre‐approval to perform for an audit client any
permissible nonaudit service related to internal control over financial reporting, a registered
public accounting firm shall:
a. describe, in writing, to the audit committee of the issuer the scope of the service;
b. discuss with the audit committee of the issuer the potential effects of the service on the
independence of the firm; and
c. document the substance of its discussion with the audit committee of the issuer.
Note: Regarding item (b) above, independence requirements provide that an auditor is not
independent of his or her audit client if the auditor is not, or a reasonable investor with
knowledge of all relevant facts and circumstances would conclude that the auditor is not,
capable of exercising objective and impartial judgment on all issues encompassed within the
accountant's engagement. Several principles guide the application of this general standard,
including whether the auditor assumes a management role or audits his or her own work.
Therefore, an auditor would not be independent if, for example, management had delegated
its responsibility for internal control over financial reporting to the auditor or if the auditor
had designed or implemented the audit client's internal control over financial reporting.
3122.104 Rule 3526: Communication with Audit Committees Concerning Independence
A registered public accounting firm must:
a. prior to accepting an initial engagement pursuant to the standards of the PCAOB:
(1) describe, in writing, to the audit committee of the issuer, all relationships between
the registered public accounting firm or any affiliates of the firm and the potential
audit client or persons in financial reporting oversight roles at the potential audit
client that, as of the date of the communication, may reasonably be thought to bear
on independence;
(2) discuss with the audit committee of the issuer the potential effects of the
relationships described above in (1) on the independence of the registered public
accounting firm, should it be appointed the issuer's auditor; and
(3) document the substance of its discussion with the audit committee of the issuer.
b. at least annually with respect to each of its issuer audit clients:
(1) describe, in writing, to the audit committee of the issuer, all relationships between
the registered public accounting firm or any affiliates of the firm and the audit client
or persons in financial reporting oversight roles at the audit client that, as of the
date of the communication, may reasonably be thought to bear on independence;
(2) discuss with the audit committee of the issuer the potential effects of the
relationships described above in (1) on the independence of the registered public
accounting firm;
(3) affirm to the audit committee of the issuer, in writing, that, as of the date of the
communication, the registered public accounting firm is independent in compliance
with Rule 3520; and
(4) document the substance of its discussion with the audit committee of the issuer.
PCAOB Release No. 2015‐008
3122.105 The rules of PCAOB Release No. 2015‐008 are designed to improve the transparency
regarding the engagement partner and other accounting firms that took part in the audit of
issuers. Firms are required to file Form AP, Auditor Reporting of Certain Audit Participants,
which is available to the public on the Public Company Accounting Oversight Board’s
(PCAOB) website.
3122.106 Firms are required to file a new Form AP for each issuer audit, disclosing the following:
a. The name of the engagement partner
b. The name, location, and extent of participation of each other accounting firm
participating in the audit whose work constituted at least 5% of total audit hours
c. The number and aggregate extent of participation of all other accounting firms
participating in the audit whose individual participation was less than 5% of total audit
hours
3122.107 Filing of Form AP with the Public Company Accounting Oversight Board (PCAOB) is required
no more than 35 days after the audit firm files the audit report with the SEC. For initial public
offerings, Form AP is required to be filed no later than 10 days after the auditor’s report is
first included in a document filed with the SEC.
3122.108 Audit firms may voluntarily disclose in the audit report the names of engagement partners
and other firms participating in the audit. To prevent confusion when engagement partners
have the same names or that change their names, firms will assign engagement partners
unique identification numbers for disclosure on Form AP. When partners change firms, they
will be assigned a new partner ID, but their previous ID number also will be reported on any
new Form AP associated with that partner.
3122.109 The full text of all PCAOB rules and standards and interim standards is available at
www.pcaob.org.
3123 Government Accountability Office and Department of Labor
Requirements
Government Accountability Office
3123.01 Government Auditing Standards, Chapter 3, “General Standards,” provides that in all matters
relating to the audit work, the audit organization and the individual auditor, whether
government or public, must be independent.
3123.02 Independence comprises the following:
a. Independence of mind: the state of mind that permits the performance of an audit
without being affected by influences that compromise professional judgment, thereby
allowing an individual to act with integrity and exercise objectivity and professional
skepticism
b. Independence in appearance: the absence of circumstances that would cause a
reasonable and informed third party, having knowledge of the relevant information, to
reasonably conclude that the integrity, objectivity, or professional skepticism of an audit
organization or member of the audit team has been compromised
3123.03 The Government Auditing Standards’ (GAGAS’s) practical consideration of independence
consists of four interrelated sections, providing:
1. a conceptual framework for making independence determinations based on facts and
circumstances that are often unique to specific environments;
2. requirements for and guidance on independence for audit organizations that are
structurally located within the entities they audit;
3. requirements for and guidance on independence for auditors performing nonaudit
services, including indication of specific nonaudit services that always impair
independence and others that would not normally impair independence; and
4. requirements for and guidance on documentation necessary to support adequate
consideration of auditor independence.
3123.04 The conceptual framework for making independence determinations involves:
a. identifying threats to independence,
b. evaluating the significance of the threats identified, both individually and in the
aggregate, and
c. applying safeguards as necessary to eliminate the threats or reduce them to an
acceptable level.
3123.05 Threats to independence (circumstances that could impair independence) may be created by
a wide range of relationships and circumstances. At a minimum, auditors should evaluate
the following broad categories of threats to independence when threats are being identified
and evaluated:
a. Self‐interest threat: the threat that a financial or other interest will inappropriately
influence an auditor’s judgment or behavior
b. Self‐review threat: the threat that an auditor or audit organization that has provided
nonaudit services will not appropriately evaluate the results of previous judgments
made or services performed as part of the nonaudit services when forming a judgment
significant to an audit
c. Bias threat: the threat that an auditor will, as a result of political, ideological, social, or
other convictions, take a position that is not objective
d. Familiarity threat: the threat that aspects of a relationship with management or
personnel of an audited entity, such as a close or long relationship, or that of an
immediate or close family member, will lead an auditor to take a position that is not
objective
e. Undue influence threat: the threat that external influences or pressures will impact an
auditor’s ability to make independent and objective judgments
f. Management participation threat: the threat that results from an auditor’s taking on
the role of management or otherwise performing management functions on behalf of
the entity undergoing an audit
g. Structural threat: the threat that an audit organization’s placement within a
government entity, in combination with the structure of the government entity being
audited, will impact the audit organization’s ability to perform work and report results
objectively
3123.06 The auditor applies safeguards (controls designed to eliminate or reduce threats to
independence to an acceptable level) that address the specific facts and circumstances
under which threats to independence exist. Government Auditing Standards 3.17–.19
provide examples of safeguards.
3123.07 The auditor is required to document the following information related to independence:
a. Threats to independence that require the application of safeguards, along with the
safeguards applied
b. Safeguards required if an audit organization is structurally located within a government
entity and is considered independent based on those safeguards
c. Consideration of audited entity management’s ability to effectively oversee a nonaudit
service to be provided by the auditor
d. The auditor’s understanding with an audited entity for which the auditor will perform a
nonaudit service
Department of Labor
3123.08 While not human resources directors or lawyers, CPAs should be knowledgeable about laws
affecting employment. First, CPAs often serve as consultants for their clients who have
employees and must comply with federal laws regarding hiring and payroll taxes. CPAs can
also be employers. Finally, CPAs often perform audits for compliance with laws and
regulations.
3123.09 The U.S. Department of Labor (DOL) administers and enforces more than 180 federal laws. A
summary of the major laws of the Department of Labor can be found on the department’s
website at www.dol.gov. Only a few of these laws will be outlined in this section.
3123.10 The Fair Labor Standards Act requires employers to pay covered employees who are not
otherwise exempt at least the federal minimum wage and overtime pay of 1‐1/2 times the
regular rate of pay. For nonagricultural operations, it restricts the hours that children under
age 16 can work and forbids the employment of children under age 18 in certain jobs
deemed too dangerous. For agricultural operations, it prohibits the employment of children
under age 16 during school hours and in certain jobs deemed too dangerous.
3123.11 Various workers compensation laws are administered by the Office of Workers
Compensation Programs. They provide compensation for injuries sustained on the job,
including occupational diseases (“black lung”), employment aggravated preexisting diseases,
and psychological injuries. States require that employers purchase coverage and pay the
entire cost of the insurance. The premiums are determined by the amount of payroll, the
number of employees, the type of work performed, and prior claim experience. Employees
accept payment under workers compensation in lieu of suing the employer for injuries
sustained in the workplace. Employers are encouraged to keep a safe and healthy working
environment to keep insurance premiums low.
3123.12 The Occupational Safety and Health Act (referred to as the OSH Act) regulates safety and
health conditions in most private industries. Employers have a general duty under the OSH
Act to provide their employees with work and a workplace free from recognized, serious
hazards. The Occupational Safety and Health Administration (OSHA) enforces the act
through workplace inspections and investigations. The OSH Act prohibits an employer from
discharging an employee for revealing OSH Act violations, and there are civil and criminal
penalties for willful violations of the act.
3123.13 The Employee Retirement Income Security Act (ERISA) regulates employers who offer
pension or welfare benefit plans. Title I of ERISA sets forth disclosure, fiduciary, and
reporting requirements. Title IV requires certain employers to fund the Pension Benefit
Guaranty Corporation (PBGC).
For entities that meet the requirements, IRS Form 5500 is filed annually with the
Department of Labor under the provisions of Title I of ERISA. Federal law requires that
employee benefit plans with 100 or more participants must have an audit annually as part of
their obligation to file Form 5500. Auditors of employee benefit plans must be independent,
in that they should not have any financial interests in the plan or the plan sponsor that
would affect their ability to render an objective, unbiased opinion about the financial
condition of the plan.
Frequently audits are found to be deficient because of the failure of the auditor to conduct
tests in areas unique to employee benefit plans. The AICPA maintains an “Employee Benefit
Plan Audit Quality Center” that firms can join (for a fee) for information and toolkits to help
promote the quality of employee benefit plan audits.
3123.14 The Consolidated Omnibus Budget Reconciliation Act (COBRA) and the Health Insurance
Portability and Accountability Act (HIPAA) are administered by the Employee Benefits
Security Administration (EBSA).
COBRA benefits are those provided to employees after they leave a position. Essentially,
employees are able to keep their health insurance for a specified period of time. HIPAA
protects the privacy of individually identifiable health information and sets national
standards for the security of electronic protected health information.
3123.15 The Family and Medical Leave Act (FMLA) requires employers of 50 or more employees to
give up to 12 weeks of unpaid, job‐protected leave to eligible employees for the birth or
adoption of a child or for the serious illness of the employee, spouse, child, or parent.
Department of Labor (DOL) Auditor Independence Rules
3123.16 The AICPA, DOL (Department of Labor), and SEC all have rules regarding auditor
independence. The DOL rules apply to all employee benefit plan auditors, the AICPA rules
also apply to those employee benefit plan auditors who are members of the AICPA, and the
SEC's rules apply to auditors of employee benefit plans that file on Form 11‐K with the SEC.
The following sections discuss where the DOL independence rules are more stringent than or
otherwise significantly different from those of the AICPA.
3123.17 The DOL defines covered “members” as all partners, partner equivalents, or shareholder
employees of the firm. It includes all professional employees participating in the employee
benefit plan audit or located in an office of the firm participating in a significant portion of
the audit.
3123.18 The DOL extends its independence rules to sponsors of a plan. The sponsor is the entity (or
entities) who establish or maintain the plan. A plan may also be established or maintained by
two or more employers, or with an employee organization.
3123.19 The DOL would consider independence to be impaired if during the period of professional
engagement, at the date of the opinion, or during the period covered by the financial
statements the auditor or other covered member had a direct or material indirect financial
interest in the plan or the plan sponsor.
3123.20 The DOL would consider independence to be impaired if the audit firm, or any of the
employees, maintain the underlying financial records or participant records of the employee
benefit plan or the sponsor of the plan. What constitutes “maintaining” the records is not
clearly defined in the DOL rules.
3124 Professional Skepticism and Professional Judgment
3124.01 External auditors are required to have appropriate competence and capabilities to perform
an audit. They must comply with relevant ethical requirements, apply professional
skepticism, and exercise professional judgment throughout the planning, performance, and
evaluation stages of the engagement, particularly as U.S. GAAP continues to evolve and
become more principles‐oriented.
Professional Skepticism
3124.02 Professional skepticism is required by due professional care standards for each individual
auditor on the engagement team, and includes a questioning mind, being alert to conditions
that may indicate possible misstatement due to fraud or error, and a critical assessment of
audit evidence.
3124.03 The Public Company Accounting Oversight Board (PCAOB) issued Staff Audit Practice Alert 10
(SAPA 10), Maintaining and Applying Professional Skepticism in Audits, in 2012 to address
concerns that auditors may not consistently and diligently apply professional skepticism.
3124.04 SAPA 10 provides the following examples of audit procedures found in various PCAOB
standards that reflect the need for professional skepticism:
a. Resolving inconsistencies in or doubts about the reliability of confirmations
b. Examining journal entries and other adjustments for evidence of possible material
misstatement due to fraud
c. Reviewing accounting estimates for biases that could result in material misstatement
due to fraud
d. Evaluating the business rationale for significant unusual transactions
e. Evaluating whether there is substantial doubt about an entity's ability to continue as a
going concern
3124.05 AU‐C 240 states that professional skepticism is particularly important as it relates to the
auditor's consideration of fraud in the audit.
a. Company management has a unique ability to perpetrate fraud as it is often in a
position to directly or indirectly manipulate accounting records and present fraudulent
financial information.
b. Company personnel who intentionally misstate the financial statements often seek to
conceal the misstatement by attempting to deceive the auditor.
c. Application of professional skepticism in response to the assessed fraud risks may result
in:
(1) modifying the planned audit procedures to obtain more reliable evidence regarding
relevant assertions.
(2) obtaining sufficient appropriate evidence to corroborate management's
explanations or representations concerning important matters, such as through
third‐party confirmation, use of a specialist engaged or employed by the auditor, or
examination of documentation from independent sources.
3124.06 SAPA 10 states that:
a. it is the responsibility of the engagement partner for setting an appropriate tone that
emphasizes the need to maintain a questioning mind throughout the audit and to
exercise professional skepticism in gathering and evaluating evidence such that
engagement team members have the confidence to challenge management
representations.
b. the engagement partner and other senior engagement team members should be
actively involved in planning, directing, and reviewing the work of other engagement
team members so that matters requiring audit attention (e.g., unusual matters or
inconsistencies in audit evidence) are identified and addressed appropriately.
3124.07 It is the responsibility of each individual auditor to appropriately apply professional
skepticism throughout the audit, including in identifying and assessing the risks of material
misstatement, performing tests of controls and substantive procedures to respond to the
risks, and evaluating the results of the audit.
This involves considering what can go wrong with the financial statements, performing audit
procedures to obtain sufficient appropriate audit evidence rather than merely obtaining the
most readily available evidence to corroborate management's assertions, and critically
evaluating all audit evidence regardless of whether it corroborates or contradicts
management's assertions.
3124.08 SAPA 10 provides the following examples of areas in the evaluation of audit results that
require the auditor to apply professional skepticism:
a. Evaluating uncorrected misstatements: The audit team must evaluate whether the
uncorrected misstatements identified during the audit result in material misstatement
of the financial statements, individually or in combination, considering both qualitative
and quantitative factors.
b. Evaluating management bias: This includes evaluating potential bias in accounting
estimates, bias in the selection and application of accounting principles, the selective
correction of misstatements identified during the audit, and identification by
management of additional adjusting entries that offset misstatements accumulated by
the auditor. When evaluating bias, it is important for auditors to consider the incentives
and pressures on management to manipulate the financial statements.
c. Evaluating the presentation of the financial statements: This includes determining
whether the financial statements contain sufficient information essential for a fair
presentation of the financial statements in conformity with the applicable financial
reporting framework.
3124.09 Impediments to applying professional skepticism include:
a. inherent pressures in the audit process itself, such as incentives to maintain client
relationships, keep audit costs down, avoid conflicts with management, or obtain high
client satisfaction ratings.
b. inappropriate levels of trust or confidence in management, particularly in long‐term
client relationships.
c. personal bias on the part of the auditor which may result in the auditor rationalizing
audit findings in a way that is consistent with client preferences rather than in the
interests of external users.
d. lack of auditor training, experience, and expertise.
3124.10 SAPA 10 suggests a number of ways how firms' quality control systems can improve the
application of professional skepticism, including:
a. setting a proper tone at the top that emphasizes the need for professional skepticism,
b. implementing and maintaining appraisal, promotion, and compensation processes that
enhance rather than discourage the application of professional skepticism,
c. assigning personnel with the necessary competencies to engagement teams,
d. establishing policies and procedures to assure appropriate audit documentation,
especially in areas involving significant judgments, and
e. appropriately monitoring the quality control system and taking necessary corrective
actions to address deficiencies, such as instances in which engagement teams do not
apply professional skepticism.
3124.11 Internal auditors: The Institute of Internal Auditors (IIA) has developed its own code of
professional ethics. This code, along with the IIA’s Professional Practices Framework and
other relevant IIA pronouncements, provides guidance to internal auditors related to
professional skepticism.
Professional Judgment
3124.12 Professional judgment is the accumulated knowledge that an auditor gains through
experience and training to make critical judgments in an objective, professionally skeptical
manner. Overlaying professional judgment with guidance from professional and ethical
standards results in the ability to make informed decisions about the courses of action that
are appropriate in specific circumstances. Examples of areas requiring professional judgment
include:
a. appropriateness of depreciation/amortization assumptions and calculations.
b. accounting for long‐term construction projects.
c. application of revenue recognition criteria.
d. lease classification.
e. value determinations (replacement value, net realizable value, fair value, salvage value,
etc.).
3124.13 The Center for Audit Quality (CAQ) states in its Professional Judgment Resource that auditors
are facing increased judgment challenges presented by:
a. the development of principles‐based (or objectives‐based) auditing and accounting
standards and a desire for consistent decisions in similar circumstances.
b. the increasing complexity of business transactions and economic decision‐making in a
global environment.
c. the complexity of accounting standards, including standards that require an auditor to
consider a number of reasonable alternative approaches.
d. the increasing focus on, and disclosure of, critical accounting policies, estimates, and
other highly subjective elements related to financial reporting.
e. inspections and reviews of the auditor’s work.
3124.14 The CAQ suggests that the exercise of professional judgment should be:
a. based on the relevant facts and circumstances known and available at the time the
judgment is made.
b. made after the consideration of reasonable alternatives.
c. sensitive to the degree of uncertainty that may be inherent in the judgment.
d. in compliance with the applicable professional standards.
3124.15 The CAQ states that some of the more common potential judgment tendencies that can lead
to auditor judgment bias include the following:
a. Confirmation: The potential tendency for an auditor to put more weight on information
that is consistent with his or her initial beliefs or preferences. As a result, the auditor
may rely unconsciously on evidence that is biased toward his or her expected or
preferred alternative, rather than objectively evaluating the facts as they exist.
b. Overconfidence: The potential tendency for an auditor to overestimate his or her own
ability to perform tasks or to make accurate assessments of risks or other judgments
and decisions. Overconfidence can affect an auditor’s willingness to involve others who
could provide meaningful perspective to the analysis.
c. Anchoring: The potential tendency to make assessments by starting from an initial
numerical value and then adjusting insufficiently away from that initial value in forming
a final judgment. For example, an auditor may be anchored to management’s
unaudited, current‐period amounts and may not sufficiently adjust from them, leading
to a biased expectation compared to what an auditor might expect in the absence of
anchoring.
d. Availability: The potential tendency for an auditor to consider information that is easily
retrievable as being more likely or more relevant; in other words, the information that is
most available to an auditor’s memory may unduly influence estimates, probability
assessments, and other professional judgments.
3124.16 Suggested strategies from the CAQ to minimize and/or avoid these common judgment
tendencies (in section 3124.15) and mitigate auditor judgment bias include the following:
a. Confirmation: Make the opposing case and consider alternative explanations; consider
potentially disconfirming or conflicting information
b. Overconfidence: Challenge opinions and experts; challenge underlying assumptions
c. Anchoring: Solicit input from others; consider management bias, including the potential
for fraud or material misstatements
d. Availability: Consider why something comes to mind; obtain and consider objective
data; consult with others and make the opposing case
3124.17 AU‐C 230 requires that audit documentation provide a sufficient and appropriate record of
the basis for the auditor’s report. Audit documentation should be prepared that is sufficient
to enable an experienced auditor, having no previous connection with the audit, to
understand, among other things, significant findings or issues arising during the audit, the
conclusions reached thereon, and significant professional judgments made in reaching those
conclusions.
3124.18 When professional judgment is challenged, proper documentation of the decision‐making
process used can show the analysis of the facts, circumstances, and alternatives considered,
and serve as a basis for supporting the conclusions reached by the engagement team.
3124.19 The CAQ’s Professional Judgment Resource provides an example of a decision‐making
process for auditors to use and document, which includes the following actions:
a. Identify and define the issue
b. Gather the facts and information and identify the relevant literature
c. Perform the analysis and identify alternatives
d. Make the decision
e. Review and complete the documentation and rationale for the conclusion
3130 Terms of Engagement
3131 Preconditions for an Engagement
Audit Engagement Acceptance
3131.01 At the beginning of the current audit engagement, the auditor should perform procedures
regarding the continuance of the client relationship and the specific audit engagement.
3131.02 The firm should establish policies and procedures for the acceptance and continuance of
client relationships and specific engagements, designed to provide the firm with reasonable
assurance that it will undertake or continue relationships and engagements only where the
firm:
a. has considered the integrity of the principal owners, key management, and those
charged with governance of the entity;
b. is competent to perform the engagement and has the capabilities and resources to do
so;
c. can comply with legal and ethical requirements (including independence); and
d. has significant findings or issues that have arisen during the current or previous audit
engagement and their implications for continuing the relationship.
3131.03 Matters to consider in accepting or continuing the client engagement include whether firm
personnel have:
a. knowledge of relevant industries or subject matters or the ability to effectively gain the
necessary knowledge;
b. experience with relevant regulatory or reporting requirements, or the ability to
effectively gain the necessary competencies;
c. technical expertise, including expertise with relevant IT and specialized areas of
accounting or auditing;
d. relevant industry knowledge;
e. the ability to apply professional judgment; and
f. an understanding of the firm’s quality control policies and procedures.
Integrity of Client Management
3131.04 Integrity is an element of character that determines if a person can be trusted. Integrity
involves honesty and candor. A person with integrity does what is right and just.
3131.05 During an audit, the auditor will inquire of management regarding many items. While the
auditor will always perform procedures to verify the veracity and reasonableness of
management’s answers, if an auditor does not believe that management is truthful and
honorable, the scope of the audit (the amount of testing required) could be much greater.
3131.06 Management also makes many representations during an audit, such as “We have made
available to you all financial records and related data” and “We have no knowledge of any
fraud affecting the entity.” Placing reliance on these representations becomes difficult (if not
impossible) if the auditor has questions about management’s integrity.
3131.07 The auditor may be unwilling to continue with the engagement if significant issues exist
concerning management’s integrity.
Preconditions for an Audit
3131.08 In order to establish whether the preconditions for an audit are present, the auditor should
determine whether the financial reporting framework to be applied in the preparation of the
financial statements is acceptable. The auditor should also obtain the agreement of
management that it acknowledges and understands its responsibility for the preparation of
the financial statements in accordance with the applicable financial reporting framework.
3131.09 Management must also acknowledge and understand its responsibility for the design,
implementation, and maintenance of internal control relevant to the preparation and fair
presentation of financial statements that are free from material misstatement, whether due
to fraud or error.
3131.10 Management must also acknowledge and understand its responsibility for providing the
auditor with access to all information of which management is aware that is relevant to the
preparation and fair presentation of the financial statements, such as records,
documentation, and other matters. Management must also provide the auditor with
additional information that the auditor may request from management and unrestricted
access to persons from whom the auditor deems necessary to obtain sufficient appropriate
audit evidence.
Appropriateness of the Engagement’s Scope to Meet the Client’s Needs
3131.11 Management may fail to mention, or be unaware of, the need for additional statutory or
regulatory requirements for the audit that would significantly increase the scope of the
necessary procedures and reporting.
3131.12 For example, if a nonprofit entity has received federal funds over a certain threshold, it may
be required to have a single audit in accordance with the Office of Management and Budget
(OMB) Uniform Guidance for Federal Awards. The single audit requires additional schedules
and testing that will increase the scope of the audit.
Management‐Imposed Limitation on Scope of Audit Prior to Audit Acceptance
3131.13 If management or those charged with governance impose a limitation on the scope of the
auditor’s work in the terms of a proposed audit engagement, where the outcome is likely to
result in a disclaimer of opinion, the auditor should not accept the engagement unless the
entity is required by law or regulation to have an audit. An auditor is never required to
accept any engagement.
Communicate with the Predecessor Auditor
3131.14 The successor auditor must communicate with the predecessor auditor before accepting an
engagement, because the predecessor may provide information regarding disagreements
about important accounting and auditing matters that will bear on the decision of whether
or not to accept the engagement. The successor auditor should bear in mind that, among
other things, the predecessor auditor and the client may have disagreed about accounting
principles, auditing procedures, or similarly significant matters.
3131.15 The successor auditor and predecessor auditor are defined as follows:
a. Successor auditor: This term used to refer to the person or persons conducting the
audit, usually the engagement partner or other members of the engagement team, or,
as applicable, the firm.
b. Predecessor auditor: The auditor from a different audit firm who has reported on the
most recent audited financial statements or was engaged to perform but did not
complete an audit of the financial statements
3131.16 Since the AICPA’s Code of Professional Conduct precludes an auditor from disclosing
confidential information obtained in an audit unless the client consents, the successor
auditor must ask the prospective client to authorize the predecessor auditor to respond fully
to the successor’s inquiries. Once the engagement is accepted, a second inquiry may be
made to allow the successor to view the predecessor auditor’s workpapers. If a prospective
client refuses to permit the predecessor auditor to respond or limits the response, the
successor auditor should inquire as to the reasons and consider the implications of that
refusal in deciding whether to accept the engagement.
3131.17 The successor should inquire of the predecessor regarding the following:
a. Information that might bear on the integrity of management
b. Disagreements with management as to accounting principles, auditing procedures, or
other similarly significant matters
c. Communications to those charged with governance regarding fraud and noncompliance
with laws or regulations by the entity
d. Communications to management and those charged with governance regarding
significant deficiencies and material weaknesses in internal control
e. The predecessor’s understanding as to the reasons for the change of auditors
3131.18 When more than one auditor is considering accepting an engagement, the predecessor
auditor should not be expected to be available to respond to inquiries until a successor
auditor has been selected by the client and has accepted the engagement subject to the
evaluation of the communications with the predecessor auditor.
3131.19 An auditor should not finalize formal acceptance of an engagement until the
communications noted are completed. However, an auditor may make a proposal for an
engagement before communicating with the predecessor auditor and can tentatively accept
the engagement as long as the client is aware that acceptance cannot be finalized until the
inquiries of the predecessor have been completed.
3131.20 The predecessor auditor may decide to limit the response due to unusual circumstances
such as pending, threatened, or potential litigation; disciplinary proceedings; or other
unusual circumstances. If the inquiry or response is limited, such limitations should be
considered when deciding to accept the engagement.
3131.21 Once an engagement has been accepted, the successor may do the following:
a. Make specific inquiries of the predecessor as to matters that affect the conduct of the
audit.
b. Review the predecessor’s workpapers, including documentation of planning, internal
control, audit results, and other matters of continuing accounting and auditing
significance, such as the working paper analysis of balance sheet accounts, and those
relating to contingencies.
3131.22 The predecessor auditor should decide which workpapers are available and which may be
copied. Access to the workpapers is a matter of judgment; the predecessor auditor may wish
to obtain a written understanding from the successor auditor regarding the use of the
workpapers. The successor auditor must obtain sufficient appropriate evidential matter to
afford a reasonable basis for expressing an opinion on the financial statements he or she has
been engaged to audit, including evaluating the consistency of the application of accounting
principles.
3131.23 The successor auditor’s review of the predecessor’s workpapers may affect the nature,
extent, and timing of the successor’s procedures with respect to the opening balances and
consistency of accounting principles. However, the nature, extent, and timing of audit work
performed and the conclusions reached in both these areas are the responsibility of the
successor auditor.
3131.24 In reporting on the audit, the successor auditor should not make reference to the report or
work of the predecessor auditor as the basis, in part, of the successor’s own opinion.
3131.25 An auditor may be asked to perform a “reaudit”—an audit of financial statements that have
been audited and reported on previously. In addition to the communications described
previously, the successor auditor should state that the purpose of the inquiries of the
predecessor is to obtain information about whether to accept an engagement to perform a
reaudit.
3131.26 The successor auditor may consider the information obtained from the predecessor auditor
if the successor auditor accepts the reaudit. Information obtained and a review of the
predecessor auditor’s report and workpapers are not sufficient to afford a basis for
expressing an opinion. Nature, extent, and timing of the audit work performed and
conclusions reached in the reaudit are solely the responsibility of the successor auditor
performing the reaudit.
3131.27 The successor auditor should:
a. plan and perform the reaudit in accordance with GAAS,
b. not assume responsibility for the predecessor auditor’s work, and
c. not issue a report that reflects divided responsibility.
3131.28 The results of the audit in the current period performed by the successor auditor may be
considered in planning and performing the reaudit of the preceding period or periods.
3131.29 The successor auditor should qualify or disclaim an opinion if the auditor is:
a. unable to obtain sufficient appropriate audit evidence to express an opinion or
b. unable to perform procedures considered necessary in the circumstances.
3131.30 The successor auditor generally will be unable to observe inventory or make physical counts
at the reaudit date or dates. In such cases, the successor auditor:
a. may consider the knowledge obtained from inquiries of the predecessor auditor and the
review of the predecessor auditor’s workpapers,
b. should, if material, observe or perform some physical counts of inventory at a date
subsequent to the period of the reaudit, or
c. should apply appropriate tests of intervening transactions.
3131.31 The successor auditor should request the client to inform the predecessor auditor when the
successor auditor becomes aware of information that leads them to believe the financial
statements reported on by the predecessor auditor may require revision. If the client refuses
to inform the predecessor auditor, or if the successor auditor is not satisfied with the
resolution of the matter, the successor auditor should evaluate:
a. implications on the current engagement,
b. whether to resign from the engagement, and
c. whether to consult with legal counsel in determining an appropriate course of further
action.
Nonaudit Engagement Acceptance
SSARS 21, Section 60
3131.32 The accountant should not accept an engagement to be performed in accordance with
SSARSs if:
a. the accountant has reason to believe that relevant ethical requirements will not be
satisfied;
b. the accountant’s preliminary understanding of the engagement circumstances indicates
that information needed to perform the engagement is likely to be unavailable or
unreliable; or
c. the accountant has cause to doubt management’s integrity such that it is likely to affect
the performance of the engagement.
3131.33 As a condition for accepting an engagement to be performed in accordance with SSARS, the
accountant should:
a. determine whether preliminary knowledge of the engagement circumstances indicate
that ethical requirements regarding professional competence will be satisfied.
b. determine whether the financial reporting framework selected by management to be
applied in the preparation of the financial statements is acceptable.
c. obtain the agreement of management that it acknowledges and understands its
responsibility:
(1) for the selection of the financial reporting framework to be applied in the
preparation of financial statements.
(2) for the design, implementation, and maintenance of internal control relevant to the
preparation and fair presentation of the financial statements that are free from
material misstatement, whether due to fraud or error (unless the accountant
decides to accept responsibility for the entity’s internal control, which would
preclude the accountant from providing services requiring independence).
(3) for the preparation and fair presentation of financial statements in accordance with
the applicable financial reporting framework, and the inclusion of all informative
disclosures that are appropriate for the applicable framework.
(4) for preventing and detecting fraud.
(5) for ensuring that the entity complies with laws and regulations applicable to its
activities.
(6) for the accuracy and completeness of the records, documents, explanations, and
other information, including significant judgments provided by management for the
preparation of financial statements.
(7) to provide the accountant with:
(a) access to all information of which management is aware that is relevant to the
preparation and fair presentation of the financial statements, such as records,
documentation, and other matters.
(b) additional information that the accountant may request from management for
the purpose of the engagement.
(c) unrestricted access to persons within the entity of whom the accountant
determines it necessary to make inquiries.
SSARS 23 revises the requirement detailed in c.(2) above so that the requirement does not
apply if the accountant decides to accept responsibility for such internal control.
3131.34 Standards do not prevent an accountant from accepting any engagement for an entity in an
industry with which the accountant has no previous experience. It does, however, place
upon the accountant a responsibility to obtain the required level of knowledge.
3131.35 While a successor accountant is not required to communicate with the predecessor
accountant in connection with acceptance of a preparation of financial statements,
compilation, or review engagement of a nonissuer, under some circumstances it may be
beneficial to obtain information from the predecessor that will assist in determining whether
to accept the engagement:
a. The information obtained about the prospective client is limited or appears to require
special attention.
b. The change in accountants takes place substantially after the end of the accounting
period for which statements are to be compiled or reviewed.
c. Frequent changes in accountants have occurred.
Preparation Engagements
3131.36 If the accountant is not satisfied with any of the items listed in section 3131.33 above, the
accountant should discuss the matter with management or those charged with governance.
If changes cannot be made to satisfy the accountant, the accountant should not accept the
proposed engagement.
Compilation Engagements
3131.37 If the accountant is not satisfied with any of the items listed in section 3131.33 above or
section 3131.38 below, the accountant should discuss the matter with management or those
charged with governance. If changes cannot be made to satisfy the accountant, the
accountant should not accept the proposed engagement.
3131.38 As a condition for accepting an engagement to perform a compilation, the accountant
should obtain the agreement of management that it acknowledges and understands its
responsibility:
a. for the preparation and fair presentation of financial statements in accordance with the
applicable financial reporting framework, and the inclusion of all informative disclosures
that are appropriate for the applicable framework.
b. to include the accountant’s compilation report in any document containing financial
statements that indicates that the entity’s accountant has performed a compilation
engagement on said financial statements unless a different understanding is reached.
3131.39 A compilation engagement on pro forma financial information may be a separate
engagement or may be completed as part of a compilation, review, or audit. The accountant
should agree upon the terms of the engagement with management or those charged with
governance. Those terms should be documented in an engagement letter or other suitable
form of written agreement.
If the accountant is not satisfied with any of the preconditions for accepting a compilation
engagement with respect to pro forma financial information, the accountant should discuss
the matter with management. If changes cannot be made to satisfy the accountant about
those matters, the accountant should not accept the proposed compilation engagement.
Review Engagements
3131.40 The accountant should not accept a review engagement if, in addition to the items listed in
section 3131.33 above or section 3131.41 below, management or those charged with
governance impose a limitation on the scope of the accountant’s work such that the
accountant believes the limitation will result in the accountant being unable to perform the
review procedures to provide an adequate basis for issuing a review report.
3131.41 As a condition for accepting a review engagement, the accountant should obtain the
agreement of management that it acknowledges and understands its responsibility:
a. for the preparation and fair presentation of financial statements in accordance with the
applicable financial reporting framework, and the inclusion of all informative disclosures
that are appropriate for the applicable framework.
b. to provide the accountant, at the conclusion of the engagement, with a letter that
confirms certain representations made during the review.
c. to include the accountant’s review report in any document containing financial
statements that indicates that the entity’s accountant has performed a review
engagement on said financial statements unless a different understanding is reached.
3131.42 The following chart summarizes the important distinctions among compilations, reviews,
and audit engagements.
Comparison of Compilation, Review, and Audit Attest Engagementsa
Comparison of Compilation, Review, and Audit Attest Engagementsa
Alabama, 1978, Accounting Research Convocation. Updated to reflect current standards.
Attestation Engagements
3131.43 Engagement acceptance or continuance decisions for engagements performed under
Statements on Standards for Attestation Engagements (SSAEs) are similar to those of other
attest engagements. For example, the attest accountant must comply with the Code of
Professional Conduct in all attest services.
3131.44 In an attest engagement, the objective is to attest to either a written assertion or subject
matter that is the representation of a responsible party. An attest accountant should obtain
from the responsible party a written assertion about the measurement or evaluation of the
subject matter against applicable criteria. Identifying a responsible party and obtaining a
written acknowledgement of responsibility is a prerequisite for all attest engagements.
3131.45 The subject matter of any attest engagement should be appropriate as a precondition of an
SSAE engagement. An element of appropriateness is the evidence of a reasonable basis for
measuring or evaluating the subject matter of the engagement. Subject matter is
appropriate if it is identifiable and capable of consistent measurement or evaluation.
3131.46 Suitable criteria to evaluate or measure against should be objective, measureable, complete,
and relevant—and should be clearly described in the presentation of financial information.
3132 Terms of Engagement and Engagement Letter
Audit Engagements
3132.01 The auditor or attest accountant should agree on the terms of the engagement with
management and those charged with governance, as appropriate. This should be
documented in an audit engagement letter or other suitable form of written agreement.
3132.02 The engagement letter should include the following elements:
a. The objective and scope of the engagement
b. The responsibilities of the auditor
c. The responsibilities of management
d. A statement that because of inherent limitations of an audit, together with the inherent
limitations of internal control, an unavoidable risk exists that some material
misstatement may not be detected, even though the audit is properly planned and
performed in accordance with generally accepted auditing standards
e. Identification of the applicable financial reporting framework for the preparation of
financial statements
f. Reference to the expected form and content of any reports to be issued by the auditor
and a statement that circumstances may arise in which a report may differ from the
expected form and content
3132.03 On recurring audits, the auditor should assess whether terms of the audit engagement
should be revised. Even if the auditor concludes that the terms need not be revised, the
auditor should remind management of the terms in written documentation.
3132.04 An auditor should not agree to a change in the terms of an engagement when no reasonable
justification for doing so exists. This includes changing to a lower level of assurance
engagement. Any new terms should be documented in an engagement letter or other
suitable written document. If the auditor concludes that there is no reasonable justification
for change, then the auditor should withdraw if not permitted to continue the original
engagement.
Engagement Letter: Audit
3132.05 An understanding with the client regarding an audit of the financial statements generally
includes the following matters:
a. Elaboration of the scope of the audit, including reference to applicable legislation,
regulations, GAAS, and ethical and other pronouncements
b. The form of any other communication of results of the audit engagement
c. Arrangements regarding the planning and performance of the audit, including the
composition of the audit team
d. The expectation that management will provide written representations
e. The agreement of management to make available to the auditor draft financial
statements and any accompanying other information in time to allow the auditor to
complete the audit in accordance with the proposed timetable
f. The agreement of management to inform the auditor of events occurring or facts
discovered subsequent to the date of the financial statements, of which management
may become aware, that may affect the financial statements
g. The basis on which fees are computed and any billing arrangements
h. A request for management to acknowledge receipt of the audit engagement letter and
to agree to the terms of the engagement outline therein, as may be evidenced by their
signature on the engagement letter
3132.06 An understanding with the client also may include other matters, such as the following:
a. Arrangements concerning the involvement of other auditors and specialists
b. Arrangements concerning the involvement of internal auditors and other staff of the
entity
c. Arrangements to be made with the predecessor auditor, if any, in the case of an initial
audit
d. Any restrictions of the auditor’s liability when not prohibited
e. Any obligations of the auditor to provide audit documentation to other parties
f. Additional service to be provided, such as those relating to regulatory requirements
g. A reference to any further agreements between the auditor and the entity
3132.07 The engagement letter is a contract between the CPA and the client, and a copy of it signed
by the client should be requested and retained by the CPA.
3132.08 The engagement letter should be addressed to the client and dated as soon as an
understanding of the engagement is reached.
Engagement Letter: Nonaudit Engagements
Preparation Engagements
3132.09 Terms of the engagement should be documented in an engagement letter or other suitable
form of written agreement. The letter should be signed by the accountant or the
accountant’s firm and management (or those charged with governance), and should include:
a. the objective of the engagement and identification of the applicable financial reporting
framework.
b. the responsibilities of management and the responsibilities of the accountant.
c. the agreement of management that each page of the financial statements will include a
statement that no assurance is provided; if management refuses, the accountant is
required to issue a disclaimer.
d. the limitations of a preparation engagement.
e. whether the financial statements contain a known departure(s) from the applicable
financial reporting framework (including inadequate disclosure) or omit substantially all
required disclosures.
3132.10 The following is a sample engagement letter for an engagement to prepare financial
statements prepared in accordance with accounting principles generally accepted in the
United States of America.
To the appropriate representative of ABC Company:
You have requested that we prepare the financial statements of ABC Company, which
comprise the balance sheet as of December 31, 20XX, and the related statements of
income, changes in stockholders’ equity, and cash flows for the year then ended, and the
related notes to the financial statements. We are pleased to confirm our acceptance and
our understanding of this engagement to prepare the financial statements of ABC
Company by means of this letter.
Our Responsibilities
The objective of our engagement is to prepare financial statements in accordance with
accounting principles generally accepted in the United States of America based on
information provided by you. We will conduct our engagement in accordance with
Statements on Standards for Accounting and Review Services (SSARSs) promulgated by
the Accounting and Review Services Committee of the AICPA and comply with the AICPA’s
Code of Professional Conduct, including the ethical principles of integrity, objectivity,
professional competence, and due care.
We are not required to, and will not, verify the accuracy or completeness of the
information you will provide to us for the engagement or otherwise gather evidence for
the purpose of expressing an opinion or a conclusion. Accordingly, we will not express an
opinion or a conclusion nor provide any assurance on the financial statements.
Our engagement cannot be relied upon to identify or disclose any financial statement
misstatements, including those caused by fraud or error, or to identify or disclose any
wrongdoing within the entity or noncompliance with laws and regulations.
Management Responsibilities
The engagement to be performed is conducted on the basis that management
acknowledges and understands that our role is to prepare financial statements in
accordance with accounting principles generally accepted in the United States of America.
Management has the following overall responsibilities that are fundamental to our
undertaking the engagement in accordance with SSARSs:
a. The prevention and detection of fraud
b. To ensure that the entity complies with the laws and regulations applicable to
its activities
c. The accuracy and completeness of the records, documents, explanations, and
other information, including significant judgments, you provide to us for the
engagement to prepare financial statements
d. To provide us with:
i. Documentation, and other related information that is relevant to the
preparation and presentation of the financial statements.
ii. Additional information that may be requested for the purpose of the
preparation of the financial statements, and
iii. Unrestricted access to persons within ABC Company of whom we determine
necessary to communicate.
The financial statements will not be accompanied by a report. However, you agree that
the financial statements will clearly indicate that no assurance is provided on them.
[If the accountant expects to issue a disclaimer, instead of the preceding paragraph, the
following may be added:
As part of our engagement, we will issue a disclaimer that will state that the financial
statements were not subjected to an audit, review, or compilation engagement by us, and
accordingly, we do not express an opinion, a conclusion, nor provide any assurance on
them.]
Other Relevant Information
Our fees for these services . . . .
[The accountant may include language, such as the following, regarding limitation of or
other arrangements regarding, the liability of the accountant or the entity, such as
indemnification to the accountant for liability arising from knowing misrepresentations to
the accountant by management (regulators may restrict or prohibit such liability limitation
arrangements):
You agree to hold us harmless and to release, indemnify, and defend us from any
liability or costs, including attorney’s fees, resulting from management’s knowing
misrepresentations to us.]
Please sign and return the attached copy of this letter to indicate your acknowledgement
of, and agreement with, the arrangements for our engagement to prepare the financial
statements described herein, and our respective responsibilities.
Sincerely yours,
[Signature of accountant or accountant’s firm]
Acknowledged and agreed on behalf of ABC Company by:
[Signed]
[Name and Title]
[Date]
Compilation Engagements
3132.11 For compilation engagements, the accountant should agree upon the terms of the
engagement with management or those charged with governance, as appropriate. The
agreed‐upon terms of the engagement should be documented in an engagement letter or
other suitable form of written agreement and should include the following:
a. The objectives of the engagement
b. The responsibilities of management
c. The responsibilities of the accountant
d. The limitations of the compilation engagement
e. Identification of the applicable financial reporting framework for the preparation of the
financial statements
f. The expected form and content of the accountant’s compilation report and a statement
that there may be circumstances in which the report may differ from its expected form
and content
The engagement letter or other suitable form of written agreement should be signed by:
a. the accountant or the accountant’s firm and
b. management or those charged with governance, as appropriate.
3132.12 The following is a sample engagement letter for a compilation engagement with respect to
financial statements prepared in accordance with accounting principles generally accepted
in the United States of America. Circumstances include the following:
a. The accountant will prepare, as a nonattest service, the financial statements, including
related notes, subject to the compilation engagement.
b. The financial statements will be prepared in accordance with accounting principles
generally accepted in the United States of America and will include all related notes
required by accounting principles generally accepted in the United States of America.
c. The accountant expects that his or her independence will not be impaired.
To the appropriate representative of management of ABC Company:
You have requested that we prepare the financial statements of ABC Company, which
comprise the balance sheet as of December 31, 20XX, and the related statements of
income, changes in stockholders’ equity, and cash flows for the year then ended, and the
related notes to the financial statements, and perform a compilation engagement with
respect to those financial statements. We are pleased to confirm our acceptance and our
understanding of this engagement by means of this letter.
Our Responsibilities
The objective of our engagement is to:
a. prepare financial statements in accordance with accounting principles generally
accepted in the United States of America based on information provided by you
and
b. apply accounting and financial reporting expertise to assist you in the
presentation of financial statements without undertaking to obtain or provide
any assurance that there are no material modifications that should be made to
the financial statements in order for them to be in accordance with accounting
principles generally accepted in the United States of America.
We will conduct our compilation engagement in accordance with Statements on
Standards for Accounting and Review Services (SSARSs) promulgated by the Accounting
and Review Services Committee of the AICPA and comply with the AICPA’s Code of
Professional Conduct, including the ethical principles of integrity, objectivity, professional
competence, and due care.
We are not required to, and will not, verify the accuracy or completeness of the
information you will provide to us for the engagement or otherwise gather evidence for
the purpose of expressing an opinion or a conclusion. Accordingly, we will not express an
opinion or a conclusion nor provide any assurance on the financial statements.
Our engagement cannot be relied upon to identify or disclose any financial statement
misstatements, including those caused by fraud or error, or to identify or disclose any
wrongdoing within the entity or noncompliance with laws and regulations.
Your Responsibilities
The engagement to be performed is conducted on the basis that you acknowledge and
understand that our role is to prepare financial statements in accordance with accounting
principles generally accepted in the United States of America and assist you in the
presentation of the financial statements in accordance with accounting principles
generally accepted in the United States of America. You have the following overall
responsibilities that are fundamental to our undertaking the engagement in accordance
with SSARSs:
a. The preparation and fair presentation of financial statements in accordance with
accounting principles generally accepted in the United States of America
b. The design, implementation, and maintenance of internal control relevant to the
preparation and fair presentation of the financial statements
c. The prevention and detection of fraud
d. To ensure that the entity complies with the laws and regulations applicable to its
activities
e. To make all financial records and related information available to us
f. The accuracy and completeness of the records, documents, explanations, and
other information, including significant judgments, you provide to us for the
engagement
You are also responsible for all management decisions and responsibilities and for
designating an individual with suitable skills, knowledge, and experience to oversee our
preparation of your financial statements. You are responsible for evaluating the adequacy
and results of the services performed and accepting responsibility for such services.
Our Report
As part of our engagement, we will issue a report that will state that we did not audit or
review the financial statements and that, accordingly, we do not express an opinion, a
conclusion, nor provide any assurance on them.
Other Relevant Information
Our fees for these services . . . .
[The accountant may include language, such as the following, regarding limitation of or
other arrangements regarding the liability of the accountant or the entity, such as
indemnification to the accountant for liability arising from knowing misrepresentations to
the accountant by management (regulators may restrict or prohibit such liability limitation
arrangements):
You agree to hold us harmless and to release, indemnify, and defend us from any
liability or costs, including attorney’s fees, resulting from management’s knowing
misrepresentations to us.]
Please sign and return the attached copy of this letter to indicate your acknowledgement
of, and agreement with, the arrangements for our engagement to prepare the financial
statements described herein and to perform a compilation engagement with respect to
those same financial statements, and our respective responsibilities.
Sincerely yours,
[Signature of accountant or accountant’s firm]
Acknowledged and agreed on behalf of ABC Company by:
[Signed]
[Name and Title]
[Date]
3132.13 The engagement letter should also address the following:
a. Material departures from the applicable financial reporting framework may exist, and
the effects of those departures, if any, on the financial statements may not be disclosed.
b. Whether substantially all disclosures (and statement of cash flows, if applicable)
required by the applicable financial reporting framework will be omitted at the election
of management
c. Reference to supplementary information or required supplementary information, if any
The accountant may be required by law or regulation to, for example:
a. notify a regulatory or enforcement body of certain matters communicated with those
charged with governance.
b. submit copies of certain reports prepared for those charged with governance to
relevant regulatory or funding bodies or, in some cases, make such reports publicly
available.
Unless required by law or regulation to provide a third party with a copy of the accountant’s
written communications with those charged with governance, the accountant may need the
prior consent of management or those charged with governance before doing so.
3132.14 For compilation engagements on pro forma financial information, the engagement letter
should include the following:
a. The objectives of the engagement
b. The responsibilities of management
c. The responsibilities of the accountant
d. The limitations of the compilation engagement
e. Identification of the applicable financial reporting framework for the preparation of the
pro forma financial information
f. The expected form and content of the accountant’s compilation report and a statement
that there may be circumstances in which the report may differ from its expected form
and content.
Review Engagements
3132.15 For review engagements, the accountant should agree upon the terms of the engagement
with management or those charged with governance, as appropriate. The agreed‐upon
terms of the engagement should be documented in an engagement letter or other suitable
form of written agreement and should include the following:
a. The objectives of the engagement
b. The responsibilities of management set forth in AR‐C 60 and AR‐C 90
c. The responsibilities of the accountant
d. The limitations of a review engagement
e. Identification of the applicable financial reporting framework for the preparation of the
financial statements
f. The expected form and content of the accountant’s review report and a statement that
there may be circumstances in which the report may differ from its expected form and
content
The engagement letter or other suitable form of written communication should be signed
by:
a. the accountant or the accountant’s firm and
b. management or those charged with governance, as appropriate.
The following is a sample engagement letter for a review of financial statements prepared in
accordance with accounting principles generally accepted in the United States of America.
Circumstances include the following:
a. The accountant will prepare, as a nonattest service, the financial statements, including
related notes, subject to the review engagement.
b. The financial statements will be prepared in accordance with accounting principles
generally accepted in the United States of America.
To the appropriate representative of management of ABC Company:
You have requested that we prepare the financial statements of ABC Company, which
comprise the balance sheet as of December 31, 20XX, and the related statements of
income, changes in stockholders’ equity, and cash flows for the year then ended, and the
related notes to the financial statements and perform a review engagement with respect
to those financial statements. We are pleased to confirm our acceptance and
understanding of this engagement by means of this letter.
Our Responsibilities
The objective of our engagement is to:
a. prepare financial statements in accordance with accounting principles generally
accepted in the United States of America based on information provided by you
and
b. obtain limited assurance as a basis for reporting whether we are aware of any
material modifications that should be made to the financial statements in order
for the statements to be in accordance with accounting principles generally
accepted in the United States of America.
We will conduct our engagement in accordance with Statements on Standards for
Accounting and Review Services (SSARSs) promulgated by the Accounting and Review
Services Committee of the AICPA and comply with the AICPA’s Code of Professional
Conduct, including ethical principles of integrity, objectivity, professional competence,
and due care.
A review engagement includes primarily applying analytical procedures to your financial
data and making inquiries of company management. A review engagement is substantially
less in scope than an audit engagement, the objective of which is the expression of an
opinion regarding the financial statements as a whole. A review engagement does not
contemplate obtaining an understanding of the entity's internal control; assessing fraud
risk; testing accounting records by obtaining sufficient appropriate audit evidence through
inspection, observation, confirmation, or the examination of source documents; or other
procedures ordinarily performed in an audit engagement. Accordingly, we will not express
an opinion regarding the financial statements.
Our engagement cannot be relied upon to identify or disclose any financial statement
misstatements, including those caused by error or fraud, or to identify or disclose any
wrongdoing within the entity or noncompliance with laws and regulations. However, we
will inform the appropriate level of management of any material errors and any evidence
or information that comes to our attention during the performance of our review
procedures that indicates fraud may have occurred. In addition, we will report to you any
evidence or information that comes to our attention during the performance of our
review procedures regarding noncompliance with laws and regulations that may have
occurred, unless they are clearly inconsequential.
Your Responsibilities
The engagement to be performed is conducted on the basis that you acknowledge and
understand that our role is to prepare financial statements in accordance with accounting
principles generally accepted in the United States of America and to obtain limited
assurance as a basis for reporting whether we are aware of any material modifications
that should be made to the financial statements in order for the statements to be in
accordance with accounting principles generally accepted in the United States of America.
You have the following overall responsibilities that are fundamental to our undertaking
the engagement in accordance with SSARSs:
a. The selection of accounting principles generally accepted in the United States of
America as the financial reporting framework to be applied in the preparation of
the financial statements
b. The preparation and fair presentation of the financial statements in accordance
with accounting principles generally accepted in the United States of America
and the inclusion of all informative disclosures that are appropriate for
accounting principles generally accepted in the United States of America
c. The design, implementation, and maintenance of internal control relevant to the
preparation and fair presentation of the financial statements
d. The prevention and detection of fraud
e. To ensure that the entity complies with the laws and regulations applicable to its
activities
f. To make all financial records and related information available to us
g. The accuracy and completeness of the records, documents, explanations, and
other information, including significant judgments, you provide to us for the
engagement
h. To provide us with unrestricted access to persons within the entity of whom we
determine it necessary to make inquiries
i. To provide us, at the conclusion of the engagement, with a letter that confirms
certain representations made during the review
You are also responsible for all management decisions and responsibilities, and for
designating an individual with suitable skills, knowledge, and experience to oversee our
preparation of your financial statements. You are responsible for evaluating the adequacy
and results of services performed and accepting responsibility for such services.
Our Report
[Insert appropriate reference to the expected form and content of the accountant’s review
report. Example follows.]
We will issue a written report upon completion of our review of ABC Company’s financial
statements. Our report will be addressed to the board of directors of ABC Company. We
cannot provide assurance that an unmodified accountant’s review report will be issued.
Circumstances may arise in which it is necessary for us to report known departures from
accounting principles generally accepted in the United States of America, add an
emphasis‐of‐matter or other‐matter paragraph(s), or withdraw from the engagement. If,
for any reason, we are unable to complete the review of your financial statements, we
will not issue a report on such statements as a result of this engagement.
Other Relevant Information
Our fees for these services . . . .
[The accountant may include language, such as the following, regarding limitation of or
other arrangements regarding the liability of the accountant or the entity, such as
indemnification to the accountant for liability arising from knowing misrepresentations to
the accountant by management (regulators may restrict or prohibit such liability limitation
arrangements):
You agree to hold us harmless and to release, indemnify, and defend us from any
liability or costs, including attorney’s fees, resulting from management’s knowing
misrepresentations to us.]
Please sign and return the attached copy of this letter to indicate your acknowledgement
of, and agreement with, the arrangements for our engagement to prepare the financial
statements described herein and to perform a review of those same financial statements
and our respective responsibilities.
Sincerely yours,
[Signature of accountant or accountant’s firm]
Acknowledged and agreed on behalf of ABC Company by:
[Signed]
[Name and Title]
[Date]
3132.16 SSARS 23, Omnibus Statements on Standards for Accounting and Review Services – 2016,
contains revisions to AR‐C 60, 70, 80, and 90. One revision states that if the accountant takes
responsibility for the design, implementation, and maintenance of internal control relevant
to the preparation and fair presentation of the financial statements that are free from
material misstatements whether due to fraud or error, the engagement letter must be
modified to document such responsibility.
Consider Change to a Lower‐Level Engagement
3132.17 An accountant who has been engaged to audit financial statements of a nonissuer in
accordance with GAAS (or an accountant who has been engaged to review the financial
statements of a nonissuer in accordance with SSARSs) may, before the completion of the
audit or review, be requested to change the engagement to a review or compilation
engagement.
A request to change the engagement may result from:
a. a change in circumstances affecting the entity’s requirement for an audit (review),
b. a misunderstanding as to the nature of an audit, review, or compilation, or
c. a restriction on the scope of the audit (review), whether imposed by the client or caused
by circumstances.
3132.18 Before an accountant agrees to change the engagement, the accountant should consider the
following:
a. The reason given for the client’s request (particularly, the implications of a scope
restriction)
b. The additional audit (review) effort required to complete the audit (review)
c. The estimated additional cost to complete the audit (review)
3132.19 A change in the circumstances that affects the entity’s requirement for an audit (review) or a
misunderstanding concerning the nature of an audit, review, or compilation would normally
be considered a reasonable basis for requesting a change in the engagement.
3132.20 When the accountant has been engaged to audit the financial statements of a nonissuer and
has been prohibited by the client from corresponding with the entity’s legal counsel, the
accountant ordinarily would be precluded from issuing a review report on the financial
statements.
3132.21 The accountant ordinarily would be precluded from issuing a compilation report if, during
the audit or review, the client does not provide the accountant with a signed representation
letter.
3132.22 In all circumstances, if the audit (review) procedures are substantially complete or the cost
to complete such procedures is relatively insignificant, the accountant should consider the
propriety of accepting a change in the engagement.
3132.23 The accountant is permitted to use professional judgment in deciding to change the
engagement. No reference should be made in the report to the original engagement, any
audit or review procedures that may have been performed, or scope limitations that
resulted in the change in engagement.
Engagement Letter: Attestation Engagements
3132.24 The Statements of Standards on Attestation Engagements (SSAEs) require an understanding
to be reached with the client as to the services to be performed. The elements should
include the following:
a. The objective and scope of the engagement
b. The responsibilities of the responsible party and the responsibilities of the engagement
party, if different
c. Identification of the subject matter or the assertion(s) thereon, which will be the subject
of the report. In both cases, the attest accountant should obtain a written assertion
from the responsible party about the measurement or evaluation of the subject matter
against the applicable criteria.
d. Identification of the applicable criteria to be used for measurement, evaluation, or
disclosure of the subject matter. In an agreed‐upon procedures engagement, this is
accomplished by enumerating or referring to the procedures agreed to.
e. If an examination or review, acknowledgment that the engaging party agrees to provide
a representation letter at the end of the engagement
f. Identification of specified parties, if a restricted‐use report or an agreed‐upon
procedures engagement
g. For an agreed‐upon procedures engagement, the procedures to be performed and the
specified parties’ acknowledgement of their responsibility for the sufficiency of the
procedures
h. For an examination, a statement about the inherent limitations of an examination
engagement
i. For a review, a statement that a review is substantially less in scope than an
examination, the objective of which is to obtain reasonable assurance about whether
the subject matter or assertions are free of material misstatement in order to express
an opinion, and that, accordingly, the practitioner will not express such an opinion
j. The CPA’s responsibilities
k. Reference to the attestation standards of the AICPA under which the engagement will
be performed
l. Any inherent limitations in the engagement (e.g., due to inherent limitations in internal
control, an unavoidable risk exists that some material misstatements may not be
detected)
m. Any disclaimers expected to be included in the report
n. Management’s responsibilities for engagement assistance
o. Involvement of a specialist, if applicable
p. Agreed‐upon materiality limits, if applicable
3132.25 The attest accountant should assess whether circumstances require that the terms of a
preceding engagement need to be revised. Regardless, the attest accountant should
document the reminder to the engaging party of the terms of the engagement. Also, a
supplemental written assertion from the responsible party is required.
3140 Requirements for Engagement Documentation
3141 Audit Engagements
3141.01 Audit documentation provides evidence of the auditor’s basis for a conclusion about the
achievement of the overall objectives of the audit, and evidence that the audit was planned
and performed in accordance with relevant audit standards and applicable legal and
regulatory requirements. It provides a sufficient and appropriate record of the basis for the
auditor’s report.
3141.02 The auditor should prepare audit documentation on a timely basis.
3141.03 The auditor should prepare audit documentation that is sufficient to enable an experienced
auditor, who has no previous experience with the specific audit, to understand the nature,
timing, and extent of the audit procedures performed; the results of the procedures
performed and evidence obtained; and significant findings or issues arising during the audit,
conclusions reach, and any significant professional judgments made in reaching those
conclusions.
3141.04 The nature, timing, and extent of documentation of audit procedures performed should
identify the characteristics of the specific items or matters tested; who performed the audit
work and the date it was complete; and who reviewed the work and the date and extent of
such review.
3141.05 The following audit matters require special documentation consideration:
a. Include abstracts or copies of any significant contracts or agreements inspected.
b. Document any significant findings or issues discussed with management, those charged
with governance, or others (including what was discussed, when, and with whom).
c. Resolution of any inconsistencies in audit evidence with final conclusions
d. Justification for any departures from presumption mandatory audit requirements, and
how sufficient appropriate alternative audit evidence was obtained
3141.06 The auditor should document the report release date. The auditor should then assemble and
complete all administrative processes to have a final audit file on a timely basis, no later
than 60 days following the report release. After the document completion date, no
documentation should be deleted or discarded before the end of a specified retention
period (which should not be shorter than five years from the report release date). Audit
documentation can be added after the documentation completion date, assuming that the
reasons for the change, who prepared and reviewed the change, and when the change was
made are all documented.
3141.07 For audits of issuers, PCAOB AS 1215 requires assembly and completion of the final set of
audit documentation no later than 45 days following the report release. In addition, the
workpaper retention period is defined as seven years following the report release.
Retain Audit Documentation as Required
3141.08 Audit documentation is the property of the auditor. The auditor may make the audit
documentation available to the entity at the auditor’s discretion, provided such disclosure
does not undermine the independence or the validity of the audit process.
3141.09 The auditor has an ethical, and sometimes legal, obligation to maintain the confidentiality of
client information.
3141.10 The auditor should apply appropriate and reasonable controls for audit documentation to:
a. clearly determine when and by whom audit documentation was created, changed, or
reviewed;
b. protect the integrity of the information at all stages of the audit, especially when the
information is shared within the audit team or transmitted to other parties via
electronic means;
c. prevent unauthorized changes to the documentation; and
d. allow access to the documentation by the audit team and other authorized parties as
necessary to properly discharge their responsibilities.
3141.11 The auditor should be aware that specific documentation or document retention
requirements may be included in other standards (for example, Government Auditing
Standards), laws, and regulations applicable to the engagement.
3141.12 PCAOB AS 1215 requires auditors of issuers to retain audit documentation for a minimum of
seven years from the date the auditor grants permission to use the auditor’s report in
connection with the issuance of the company’s financial statements (release date), unless a
longer period of time is required by law. If a report was not issued in connection with the
engagement, then the audit documentation must be retained for a period of seven years
after the fieldwork was substantially completed (or the date the engagement ceased, if
fieldwork was not completed).
3142 Nonaudit Engagements
Preparation Engagements
3142.01 The accountant should prepare documentation in connection with each preparation
engagement in sufficient detail to provide a clear understanding of the work performed. At a
minimum, the preparation engagement documentation should include the following:
a. The engagement letter or other suitable written documentation with management
b. A copy of the financial statements that the accountant prepared
c. SSARS 23 includes a requirement for the accountant to document the justification for a
departure from a relevant presumptively mandatory requirement and how the
alternative procedures performed in the circumstances were sufficient to achieve the
intent of the requirement.
Compilation Engagements
3142.02 The accountant should prepare documentation in connection with each compilation
engagement in sufficient detail to provide a clear understanding of the work performed. At a
minimum, the compilation engagement documentation should include the following:
a. The engagement letter or other suitable written documentation with management
b. A copy of the financial statements
c. A copy of the accountant’s report
d. SSARS 23 includes a requirement for the accountant to document the justification for a
departure from a relevant presumptively mandatory requirement and how the
alternative procedures performed in the circumstances were sufficient to achieve the
intent of the requirement.
3142.03 For compilations of pro forma financial information, SSARS 22 requires the accountant to
prepare documentation in sufficient detail to provide a clear understanding of the work
performed, which, at a minimum, includes the following:
a. The engagement letter or other suitable form of written documentation with
management
b. The results of procedures performed
c. A copy of the pro forma financial information
d. A copy of the accountant’s compilation report
Review Engagements
3142.04 The accountant should prepare review documentation that is sufficient to enable an
experienced accountant, having no previous connection to the review, to understand:
a. the nature, timing, and extent of the review procedures performed to comply with
SSARS;
b. the results of the review procedures performed and the review evidence obtained; and
c. significant findings or issues arising during the review, the conclusions reached thereon,
and significant professional judgments made in reaching those conclusions.
3142.05 The accountant’s review documentation should include the following:
a. The engagement letter or other suitable form of written documentation with
management
b. Communications to the appropriate level of management regarding fraud or
noncompliance with laws or regulations
c. Communications with management regarding the accountant’s expectations of
emphasis‐of‐matter or other‐matter paragraphs in the accountant’s review report
d. The written representation letter
e. A copy of the reviewed financial statements and the accountant’s review report
3142.06 The documentation of the analytical procedures performed should include the following:
a. The expectations formed and the factors considered in the development of those
expectations
b. Results of the comparison of the expectations to the recorded amounts or ratios
developed from recorded amounts
c. Management’s responses to the accountant’s inquiries regarding fluctuations or
inconsistent relationships
Review of Interim Financial Information of an Issuer
3142.07 The accountant should prepare documentation in connection with a review of interim
financial information of an issuer, the form and content of which should be designed to
meet the circumstances of the particular engagement. Documentation is the principal
record of the review procedures performed and the conclusions reached by the accountant
in performing the review.
3142.08 The documentation should include any findings or issues that in the accountant's judgment
are significant; for example, the results of review procedures that indicate that the interim
financial information could be materially misstated, including actions taken to address such
findings, and the basis for the final conclusions reached. In addition, the documentation
should (a) enable members of the engagement team with supervision and review
responsibilities to understand the nature, timing, extent, and results of the review
procedures performed; (b) identify the engagement team member(s) who performed and
reviewed the work; and (c) identify the evidence the accountant obtained in support of the
conclusion that the interim financial information being reviewed agreed or reconciled with
the accounting records.
Retain Documentation as Required by Standards
3142.09 Although the SSARSs do not specifically provide a length of time for documentation to be
retained, QC 10.51 states, “The firm should establish policies and procedures for the
retention of engagement documentation for a period sufficient to meet the needs of the
firm, professional standards, laws, and regulations.”
3142.10 In determining the accountant’s needs for retention of engagement documentation, the
accountant should consider:
a. the nature of the engagement and the firm’s circumstances (for example, whether the
engagement documentation is needed to provide a record of matters of continuing
significance to future engagements);
b. whether professional standards, law, or regulation prescribe specific retention periods
for certain types of engagements; and
c. if there are generally accepted retention periods in the absence of specific legal or
regulatory requirements.
3142.11 QC 10.50 requires the accountant to maintain the “confidentiality, safe custody, integrity,
accessibility, and retrievability of engagement documentation.”
3142.12 The accountant should not disclose confidential client information contained in engagement
documentation, unless the client has given permission or the accountant is under a legal
duty to do so.
3142.13 Engagement documentation must not be lost, damaged, or compromised by being added to,
altered, or deleted without the firm’s knowledge.
Prepare Documentation for Attestation Engagements
3142.14 The attest accountant should prepare and retain attest documentation that is appropriate to
the situation and the accountant’s needs. The quantity, type, and content of documentation
will vary with the situation.
3142.15 Documentation should be sufficient to allow the following:
a. Allow members of the engagement team with supervisory and review responsibilities to
understand the nature, timing, extent, and results of attest procedures performed and
the information obtained
b. Identifying characteristics of the specific items or matters tested
c. Indicate which engagement team members performed and reviewed the work, and
when
d. Discussion of significant issues or findings, including when and with whom discussed.
Significance is a matter of professional judgment.
e. Results of procedures performed and any evidence obtained
f. Resolve any inconsistencies in evidence
3142.16 A significant piece of audit evidence in an attestation engagement is a representation letter
from the responsible party (generally senior management or those charged with
governance, but may be a party other than the client). Representation letters are required
for all examinations, reviews, and agreed‐upon procedures engagements related to
compliance. However, a representation letter may be requested in any agreed‐upon
procedures engagement.
3142.17 In any attestation engagement, the accountant should completely assemble documentation
in the engagement file no later than 60 days following the report release. After final file
assembly, the accountant should not delete or discard documentation of any nature before
the end of the retention period specified in the firm’s quality control standards.
3150 Communication with Management and Those Charged with
Governance
Audit Engagements
3150.01 The auditor is required to communicate certain information to those charged with
governance in the engagement letter or in another form of communication. The term “those
charged with governance” usually refers to the person(s) or organization(s) (e.g., a corporate
trustee) with responsibility for overseeing the strategic direction of the entity and the
obligations related to the accountability of the entity. This includes overseeing the financial
reporting process.
3150.02 The auditor should determine the appropriate person(s) within the entity’s governance
structure with whom to communicate. In some entities, “those charged with governance” is
the board of directors or the audit committee. In other entities, “those charged with
governance” have management responsibilities. If management and those charged with
governance are separate, the auditor should consider the appropriateness of discussing all
communications with management. For example, the auditor would not want to include
management in communications regarding management’s integrity.
3150.03 Required communications with those charged with governance include the auditor’s
responsibilities under generally accepted auditing standards:
a. The auditor is responsible for forming and expressing an opinion about whether the
financial statements that have been prepared by management with the oversight of
those charged with governance are presented fairly, in all material respects, in
conformity with the applicable financial reporting framework.
b. The audit of the financial statements does not relieve management or those charged
with governance of their responsibilities.
c. The auditor is responsible for performing the audit in accordance with generally
accepted auditing standards and that the audit is designed to obtain reasonable, rather
than absolute, assurance about whether the financial statements are free of material
misstatement.
d. The auditor should communicate the auditor’s responsibility with respect to other
information prepared by management that accompanies the audited financial
statements.
Nonaudit Engagements
3150.04 An accountant should communicate with management or those charged with governance,
as appropriate, on a timely basis during the course of a review engagement, all matters
concerning the review engagement that, in the accountant’s professional judgment, are of
significant importance to merit the attention of management or those charged with
governance.
3151 Planned Scope and Timing of an Engagement
3151.01 The auditor should communicate to those charged with governance the planned scope and
timing of the audit, without compromising the effectiveness of the audit by revealing the
nature and timing of detailed audit procedures and thereby making them predictable.
Communication of the scope of the audit may assist those charged with governance in
understanding the consequences of the auditor’s work for their oversight activities,
discussing with the auditor issues of risk and materiality, and identifying any areas in which
they may request the auditor to undertake additional procedures.
3151.02 Communicating the audit scope to those charged with governance may assist the auditor in
planning the scope and timing of the audit, but it does not relieve the auditor of the sole
responsibility to determine the overall audit strategy and the audit plan, including the
nature, timing, and extent of procedures necessary to obtain sufficient appropriate audit
evidence.
3151.03 Matters related to the scope and timing of the audit could include the following:
a. How the auditor plans to address the significant risks of material misstatement, whether
due to error or fraud
b. The auditor’s approach to internal control relevant to the audit
c. The concept of materiality in planning and executing the audit
d. The extent to which the auditor will use the work of the internal auditors, where
appropriate
3151.04 The auditor may want to consider discussing the following with those charged with
governance:
a. The views of those charged with governance about the appropriate person with whom
to communicate; the allocation of responsibilities between those charged with
governance and management; the entity’s objectives, strategies, and business risks; and
areas where they request additional procedures to be undertaken
b. The attitudes, awareness, and actions of those charged with governance concerning the
internal control and the detection of fraud
c. Actions taken in response to developments in financial reporting, laws, and accounting
standards
d. The actions of those charged with governance in response to previous communications
with the auditor
3151.05 The auditor may also wish to discuss with those charged with governance any circumstances
or relationships that in the auditor’s professional judgment may reasonably be thought to
bear on independence and that the auditor gave significant consideration to in reaching the
conclusion that independence has not been impaired.
3151.06 In cases of auditing entities receiving funds from federal programs, the auditor must
determine if an audit is required and the percentage‐of‐coverage testing:
a. Audit requirement: An entity must have a single audit in any year when:
(1) the entity spends more than $750,000 in federal awards, grants, or funds; and
(2) the entity spends funds from one or more than one federal program.
b. Percentage of coverage: Under the “percentage‐of‐coverage rule” that is included in the
Single Audit Act Amendments of 2013, the auditor must determine the program type
(major and low risk) and testing coverage:
(1) Major programs must be audited. These are programs that account for at least 40%
of the federal funding spent by that entity.
(2) Low‐risk programs allow for a percentage‐of‐coverage exception. When an entity
qualifies as low risk, the scope of audits under the “percentage of coverage” rule in
the Single Audit Act Amendments of 2013 can be reduced to as low as 20% of the
federal funding spent by the entity.
3152 Internal Control Related Matters
3152.01 In an audit of the financial statements, the auditor is required to determine whether, on the
basis of the audit work performed, the auditor has identified one or more deficiencies in
internal control. During the audit, the auditor may become aware of deficiencies in internal
control while:
a. obtaining an understanding of the entity and its environment, including its internal
control,
b. assessing the risks of material misstatement of the financial statements due to error or
fraud,
c. performing further audit procedures to respond to assessed risks, or
d. communicating with management or others.
The auditor’s awareness of deficiencies in internal control varies with each audit and is
influenced by the nature, timing, and extent of audit procedures performed, as well as other
factors.
3152.02 AU‐C 265 establishes standards and provides guidance on communicating matters related to
an entity’s internal control over financial reporting identified in an audit of financial
statements. It is applicable whenever an auditor expresses an opinion on financial
statements (including a disclaimer of opinion).
3152.03 Control deficiencies identified during the audit that upon evaluation are considered
significant deficiencies or material weaknesses should be communicated in writing to
management and those charged with governance as a part of each audit, including
significant deficiencies and material weaknesses that were communicated to management
and those charged with governance in previous audits and have not yet been remediated.
3152.04 The written communication is best made by the report release date, which is the date the
auditor grants the entity permission to use the auditor’s report in connection with the
financial statements, but should be made no later than 60 days following the report release
date.
3152.05 For some matters, early communication to management or those charged with governance
may be important. Accordingly, the auditor may decide to communicate certain identified
significant deficiencies and material weaknesses during the audit.
3152.06 Nothing precludes the auditor from communicating to management and those charged with
governance other matters that the auditor:
a. believes to be of potential benefit to the entity, such as recommendations for
operational or administrative efficiency, or for improving internal control.
b. has been requested to communicate; for example, control deficiencies that are not
significant deficiencies or material weaknesses.
3152.07 The written communication regarding significant deficiencies and material weaknesses
identified during an audit of financial statements should:
a. state that the purpose of the audit was to express an opinion on the financial
statements, but not to express an opinion on the effectiveness of the entity’s internal
control over financial reporting.
b. state that the auditor is not expressing an opinion on the effectiveness of internal
control.
c. state that the auditor’s consideration of internal control was not designed to identify all
deficiencies in internal control that might be significant deficiencies or material
weaknesses.
d. include the definition of the term material weakness and, where relevant, significant
deficiency.
e. identify the matters that are considered to be significant deficiencies and, if applicable,
those that are considered to be material weaknesses.
f. state that the communication is intended solely for the information and use of
management, those charged with governance, and others within the organization and is
not intended to be and should not be used by anyone other than these specified parties.
If an entity is required to furnish such auditor communications to a governmental
authority, specific reference to such governmental authorities may be made.
3152.08 Following is a sample communication (AU‐C 265.A38, Exhibit A):
To Management and [identify the body or individuals charged with governance, such as
the entity's Board of Directors] of ABC Company.
In planning and performing our audit of the financial statements of ABC Company (the
"Company") as of and for the year ended December 31, 20XX, in accordance with auditing
standards generally accepted in the United States of America, we considered the
Company's internal control over financial reporting (internal control) as a basis for
designing audit procedures that are appropriate in the circumstances for the purpose of
expressing our opinion on the financial statements, but not for the purpose of expressing
an opinion on the effectiveness of the Company's internal control. Accordingly, we do not
express an opinion on the effectiveness of the Company's internal control.
Our consideration of internal control was for the limited purpose described in the
preceding paragraph and was not designed to identify all deficiencies in internal control
that might be [material weaknesses, or material weaknesses or significant deficiencies]
and therefore, [material weaknesses, or material weaknesses or significant deficiencies]
may exist that were not identified. However, as discussed below, we identified certain
deficiencies in internal control that we consider to be [material weaknesses, or significant
deficiencies, or material weaknesses and significant deficiencies].
A deficiency in internal control exists when the design or operation of a control does not
allow management or employees, in the normal course of performing their assigned
functions, to prevent, or detect and correct, misstatements on a timely basis. A material
weakness is a deficiency, or a combination of deficiencies, in internal control, such that
there is a reasonable possibility that a material misstatement of the entity's financial
statements will not be prevented, or detected and corrected, on a timely basis. [We
consider the following deficiencies in the Company's internal control to be material
weaknesses:]
[Describe the material weaknesses that were identified and an explanation of their
potential effects.]
[A significant deficiency is a deficiency, or a combination of deficiencies, in internal control
that is less severe than a material weakness, yet important enough to merit attention by
those charged with governance. We consider the following deficiencies in the Company's
internal control to be significant deficiencies:]
[Describe the significant deficiencies that were identified and an explanation of their
potential effects.]
[If the auditor is communicating significant deficiencies and did not identify any material
weaknesses, the auditor may state that none of the identified significant deficiencies are
considered to be material weaknesses.]
This communication is intended solely for the information and use of management,
[identify the body or individuals charged with governance], others within the organization,
and [identify any governmental authorities to which the auditor is required to report] and
is not intended to be, and should not be, used by anyone other than these specified
parties.
3152.09 If the auditor wishes, he or she may include additional statements in the communication
regarding the general inherent limitations of internal control, including the possibility of
management override of controls, or the specific nature and extent of the auditor’s
consideration of internal control during the audit.
3152.10 The auditor should not issue a written communication stating that no significant deficiencies
were identified during the audit because of the potential for misinterpretation of the limited
degree of assurance provided by such a communication. However, the auditor is permitted
to issue a communication indicating that the auditor has not identified any material
weaknesses if requested to do so by those charged with governance.
3152.11 The auditor should communicate, in writing or orally, only to management other deficiencies
in internal control identified during the audit that have not been communicated to
management by other parties and that, in the auditor’s professional judgment, are of
sufficient importance to merit management’s attention.
3152.12 The auditor should include in the written communication an explanation of the potential
effects of the significant deficiencies and material weaknesses identified.
3153 All Other Matters
Significant Audit Findings
3153.01 Regarding significant findings from the audit, the auditor should communicate with those
charged with governance the following matters:
a. The auditor’s views about qualitative aspects of the entity’s significant accounting
practices, including accounting policies, accounting estimates, and financial statement
disclosures
b. Significant difficulties, if any, encountered during the audit
c. Uncorrected misstatements, other than those the auditor believes are trivial, if any
d. Disagreements with management, if any
e. Other findings or issues, if any, arising from the audit that are, in the auditor’s
professional judgment, significant and relevant to those charged with governance
regarding their oversight of the financial reporting process
3153.02 Unless all of those charged with governance are involved in managing the entity, the auditor
also should communicate:
a. material, corrected misstatements that were brought to the attention of management
as a result of audit procedures.
b. representations the auditor is requesting from management.
c. management’s consultations with other accountants.
d. significant issues, if any, arising from the audit that were discussed, or the subject of
correspondence, with management.
3153.03 The auditor should inform those charged with governance of any significant difficulties
encountered in dealing with management related to the performance of the audit.
Significant difficulties encountered during the audit may include such matters as:
a. significant delays in management providing required information.
b. an unnecessarily brief time within which to complete the audit.
c. extensive unexpected effort required to obtain sufficient appropriate audit evidence.
d. the unavailability of expected information.
e. restrictions imposed on the auditors by management.
f. management’s unwillingness to provide information about management’s plans for
dealing with the adverse effects of the conditions or events that lead the auditor to
believe there is substantial doubt about the entity’s ability to continue as a going
concern.
3153.04 The auditor must accumulate all known and likely misstatements identified during the audit,
other than those that the auditor believes are trivial, and communicate them to appropriate
management. This communication should occur on a timely basis.
3153.05 When communicating details of misstatements, the auditor may distinguish between the
following to aid in evaluating the effect of misstatements accumulated during the audit:
a. Known (factual) misstatements. These are specific misstatements arising from the
incorrect selection or misapplication of accounting principles or misstatements of facts
identified during the audit, including, for example, those arising from mistakes in
gathering or processing data and the overlooking of misinterpretations of facts.
b. Likely (judgmental and projected) misstatements. These are misstatements that:
(1) arise from differences between management’s and the auditor’s judgments
concerning accounting estimates (for example, because an estimate included in the
financial statements by management is outside of the reasonable range of
outcomes the auditor has determined).
(2) the auditor considers likely to exist based on an extrapolation from audit evidence
obtained (for example, the amount obtained by projecting known misstatements
identified in an audit sample to the entire population from which the sample was
drawn).
3153.06 The auditor should request management to correct all known misstatements, including the
effect of prior‐period misstatement. The auditor may request management to further review
the impact of likely misstatements. If management decides not to correct some or all of the
known and likely misstatements communicated to it by the auditor, the auditor should
obtain an understanding of management’s reasons for not making the corrections and
should take that into account when considering the qualitative aspects of the entity’s
accounting practices.
3153.07 The auditor should discuss with those charged with governance the implications of a failure
to correct known and likely misstatements, if any, considering qualitative as well as
quantitative considerations, including possible implications in relation to future financial
statements. The auditor should also communicate with those charged with governance the
effect of uncorrected misstatements related to prior periods on the relevant classes of
transactions, account balances or disclosures, and the financial statements as a whole.
3153.08 The auditor should discuss with those charged with governance any disagreements with
management, whether or not satisfactorily resolved, about matters that individually or in
the aggregate could be significant to the entity’s financial statements or the auditor’s report.
Disagreements with management may occasionally arise over, among other things, the
application of accounting principles, management’s judgments about accounting estimates,
the scope of the audit, disclosures to be included in the entity’s financial statements, or the
wording of the auditor’s report.
3153.09 If the auditor becomes aware that management has consulted with other accountants
regarding auditing and accounting matters, the auditor should discuss his or her views of
such matters with those charged with governance.
3153.10 The auditor should communicate with those charged with governance any significant issues
that were discussed or were the subject of correspondence with management. These items
may include:
a. business conditions affecting the entity, and business plans and strategies that may
affect the risk of material misstatement.
b. any matters that arose in connection with the initial or recurring retention of the
auditor including, among other matters, any discussions or correspondence regarding
the application of accounting principles and auditing standards.
Evidence of Fraud
3153.11 Whenever the auditor has determined that there is evidence that fraud may exist, that
matter should be brought to the attention of an appropriate level of management. This
notification is appropriate even if the matter might be considered inconsequential, such as a
minor defalcation by an employee at a low level in the entity’s organization.
3153.12 Fraud involving senior management and fraud (whether caused by senior management or
other employees) that causes a material misstatement of the financial statements should be
reported directly to those charged with governance.
3153.13 The auditor should assure himself or herself that those charged with governance are
adequately informed with respect to noncompliance with laws and regulations (other than
those that are clearly consequential) that comes to the auditor’s attention. If senior
management is involved in the noncompliance, the auditor should communicate directly
with those charged with governance. The communication may be oral or written. If the
communication is oral, the auditor should document it in the working papers.
Written Communication
3153.14 The auditor should communicate in writing with those charged with governance significant
findings from the audit when, in the auditor’s professional judgment, oral communication
would not be adequate. This communication need not include matters that arose during the
course of the audit that were communicated with those charged with governance and
satisfactorily resolved.
3153.15 Effective communication may involve formal presentations and written reports as well as
less formal communications, including discussions. Written communications may include an
engagement letter that is provided to those charged with governance.
3153.16 The form of communication (written/oral; detailed/summarized; formal/informal) may be
affected by factors such as the following:
a. The significance of a particular matter
b. Whether the matter has been satisfactorily resolved
c. The size, operating structure, control environment, and legal structure of the entity
being audited
d. Legal or regulatory requirements that may require a written communication with those
charged with governance
e. The expectations of those charged with governance, including arrangements made for
periodic meetings or communications with the auditor
f. The amount of ongoing contact and dialogue the auditor has with those charged with
governance
g. Whether there have been significant changes in the membership of a governing body
h. In the case of a special‐purpose financial statement audit, whether the auditor also
audits the entity’s general‐purpose financial statements
3153.17 When an auditor communicates matters in writing, the communication should indicate that
it is intended solely for the use of those charged with governance (and management, if
appropriate), and is not intended to be and should not be used by anyone other than those
specified parties.
3153.18 The auditor should communicate with those charged with governance on a sufficiently
timely basis to enable those charged with governance to take appropriate action.
a. Planning matters should be communicated early in the audit.
b. Significant difficulties encountered should be communicated as soon as practicable.
c. The auditor should consider any legal obligations as well as the expectations of those
charged with governance to communicate matters within a specified time frame.
3153.19 Communication is a two‐way process. Effective communication assists both the auditor and
those charged with governance. Inadequate two‐way communication may indicate an
unsatisfactory control environment, which will influence the auditor’s assessment of the
risks of material misstatements. In this circumstance, the auditor should be concerned that
he or she may not have all obtained all the audit evidence required to form an opinion on
the financial statements.
3153.20 If an inadequate communication cannot be resolved, the auditor may take such actions as
the following:
a. Modifying the auditor’s opinion on the basis of a scope limitation
b. Obtaining legal advice about the consequences of different courses of action
c. Communicating with third parties or the responsible government agency for certain
government entities
d. Withdrawing from the engagement
3153.21 When any matters required to be communicated with those charged with governance have
been communicated orally, the auditor should document them. Documentation of oral
communication may include a copy of minutes prepared by the entity if those minutes are
an appropriate record of the communication. When matters have been communicated in
writing, the auditor should retain a copy of the communication.
Review Engagements
3153.22 An accountant should communicate with management or those charged with governance,
as appropriate, on a timely basis during the course of any engagement, all matters
concerning the engagement that, in the accountant’s professional judgment, are of
significant importance to merit the attention of management or those charged with
governance.
3153.23 When evidence or information comes to the accountant’s attention during the performance
of a review engagement that fraud or noncompliance with laws and regulations may have
occurred, that matter should be brought to the attention of the appropriate level of
management as soon as practicable. When matters involving fraud or noncompliance with
laws and regulations involve senior management or result in a material misstatement of the
financial statements, the accountant should communicate the matter directly to those
charged with governance. If management or, as appropriate, those charged with governance
do not provide sufficient information that supports that:
a. the financial statements are not materially misstated due to fraud or
b. the entity is in compliance with laws and regulations, and in the accountant’s
professional judgment, the effect of the suspected noncompliance may be material to
the financial statements
...the accountant should consider the need to obtain legal advice and take appropriate
action, including potential withdrawal.
3153.24 If the accountant expects to include an emphasis‐of‐matter or other‐matter paragraph in the
accountant’s review report, the accountant should communicate with management
regarding this expectation and the proposed wording of the paragraph.
3153.25 As a result of conducting a review of interim financial information of an issuer, the
accountant may become aware of matters that cause him or her to believe that:
a. material modification should be made to the interim financial information for it to
conform with generally accepted accounting principles,
b. modification to the disclosures about changes in internal control over financial reporting
is necessary for the certifications to be accurate and to comply with SEC requirements,
and
c. the entity filed the SEC Form 10‐Q or Form 10‐QSB before the completion of the review.
In such circumstances, the accountant should communicate the matter(s) to the appropriate
level of management as soon as practicable.
3160 Communication with Component Auditors and Other Parties
3160.01 The group engagement team is required to communicate specific items to the component
auditor and to group management or those charged with governance of the group, or both.
The component auditor must also communicate with the group engagement team about
certain matters. Explicit documentation requirements, including an analysis of the group’s
components indicating the significant components and the type of work performed on the
components, must also be completed.
3160.02 If an auditor suspects that management or those charged with governance are involved in
noncompliance with laws and regulations, then the auditor should communicate the matters
to the next higher level of authority at the entity. If no higher authority exists, or if the
auditor believes that any communications may not be acted on, the auditor should consider
the need to obtain legal advice.
3160.03 If the auditor has identified or suspects fraud, the auditor should determine whether the
auditor has a responsibility to report the occurrence or suspicion to a party outside the
entity. Although the auditor’s professional duty to maintain the confidentiality of client
information may preclude such reporting, the auditor’s legal responsibilities may override
the duty of confidentiality in some circumstances.
3170 A Firm’s System of Quality Control
3170.01 Any audit or nonaudit engagement should implement quality control procedures at the
engagement level to provide reasonable assurance that the engagement complies with
professional standards and applicable legal and regulatory requirements, depending upon
the firm's size, nature of practice, and cost‐benefit considerations.
3170.02 Statement on Quality Control Standards (SQCS) 8, A Firm's System of Quality Control, states
that the quality control policies and procedures applicable to a firm's accounting and
auditing practice (i.e., audit, attestation, compilation, and reviews) should encompass the
following elements:
a. Leadership responsibilities for quality within the firm
b. Relevant ethical requirements
c. Acceptance and continuance of client relationships and specific engagements
d. Human resources
e. Engagement performance
f. Monitoring
3170.03 The engagement partner should be satisfied that appropriate procedures regarding the
acceptance and continuance of client relationships and engagements have been followed,
and should determine that appropriate conclusions are reached in this regard. The
engagement partner should take ultimate responsibility for the overall quality on each
engagement to which he/she is assigned. Throughout the engagement, the engagement
partner and others on the engagement should remain alert for evidence of noncompliance
with relevant ethical requirements. Appropriate actions should be taken if such matters
arise.
3170.04 The engagement partner must consider the appropriate competence and capabilities of the
whole engagement team, including any external auditor’s specialist. A person, no matter
how capable in other fields such as business and finance, cannot meet these requirements
without proper education and experience in the field of auditing or other type of service.
3170.05 The engagement team, to include the engagement partner, must have the practical
experience and complexity from similar engagements or appropriate training. The
accountant must have technical expertise in specialized areas of accounting, auditing, or
other nonaudit service.
3170.06 The engagement partner should be confident that the engagement team has a good
understanding of legal and regulatory requirements and professional standards. In addition,
the engagement team should have knowledge of similar industries. The team must have a
comprehension of quality control policies and procedures.
3170.07 The engagement partner should take responsibility for undertaking consultation on difficult
or contentious matters. This means that the engagement partner should be satisfied that
members of the engagement team have undertaken appropriate consultation with
appropriate parties either inside or outside the CPA firm. The engagement partner should be
satisfied that the nature and scope of any consultations are agreed with, conclusions are
understood, and conclusions have been appropriately implemented.
3170.08 If any engagement is of the nature that an engagement quality control review is required,
the engagement partner should determine that an appropriate engagement quality control
reviewer is appointed. In addition, the engagement partner should discuss significant
findings or issuers with the reviewer, and not release any attest report until the completion
of the engagement quality control review. The engagement quality control reviewer may
review selected engagement documentation relating to significant judgments made and
conclusions reached.
3170.09 If differences of opinion arise within the engagement team, with those consulted, or with
others, the engagement partner is responsible for ensuring that appropriate policies and
procedures are followed to resolve those differences of opinion.
3170.10 The firm’s policies and procedures should provide that personnel selected for advancement
have the qualifications necessary for fulfillment of the responsibilities they will be called on
to assume.
3170.11 Effective performance evaluation, compensation, and advancement procedures give due
recognition and reward to the development and maintenance of competence and
commitment to ethical principles.
3170.12 Appropriate competence includes the capacity to apply professional judgment. In practice,
the competency requirements necessary for the engagement partner are broad and varied
in both their nature and number. Required competencies include the following, as well as
other competencies as necessary in the circumstances:
a. Understanding of the role of a system of quality control and the Code of Professional
Conduct
b. Understanding of the service to be performed
c. Technical proficiency
d. Familiarity with the industry
e. Professional judgment
f. Understanding the organization’s information technology system
3170.13 The continuing competence of the firm’s personnel depends to a significant extent on an
appropriate level of continuing professional development so that personnel maintain their
knowledge and capabilities. Effective policies and procedures emphasize the need for levels
of firm personnel to participate in general and industry‐specific continuing professional
education and other professional development activities that enable them to fulfill
responsibilities assigned, and to satisfy applicable continuing professional education
requirements.
3170.14 Supervision involves directing the efforts of the engagement team that is involved in
accomplishing the objectives of the audit and determining whether those objectives were
accomplished. Elements of supervision include instructing the team, keeping informed of
significant issues encountered, reviewing the work performed, and dealing with differences
of opinion among firm personnel. The engagement partner should take responsibility for
reviews being performed in accordance with the firm’s policies and procedures.
3170.15 The auditor with final responsibility for an audit should communicate with members of the
audit team regarding the susceptibility of the entity’s financial statements to material
misstatement due to error or fraud, with special emphasis on fraud. Each team member
should maintain a questioning mind and exercise professional skepticism in gathering and
evaluating evidence throughout the audit.
3170.16 The team should be informed of their responsibilities and the objectives of the procedures
they are to perform. They should be directed to bring issues that are significant to the
financial statements (or other subject matter of the engagement), as well as any difficulties
encountered while performing the engagement, to the attention of the partner with final
responsibility for the engagement.
3170.17 The work performed by each team member, including the engagement documentation,
should be reviewed to determine whether it was adequately performed and documented
and to evaluate the results, relative to the conclusions to be presented in any accountant’s
report.
3170.18 Each team member has a professional responsibility to bring to the attention of appropriate
individuals in the firm disagreements or concerns with respect to accounting and auditing
issues that the team member believes are of significance to the financial statements or
accountant’s report, however those disagreements or concerns may have arisen.
3170.19 The person with final responsibility for the engagement and team members should be aware
of the procedures to be followed when differences of opinion concerning accounting and
auditing issues exist among firm personnel involved in the engagement. Such procedures
should enable a team member to document his/her disagreement with the conclusions
reached if, after appropriate consultation, he/she believes it necessary to disassociate
him/herself from the resolution of the matter. In this situation, the basis for the final
resolution should also be documented.
3170.20 AU‐C 200.15 states, “The auditor must be independent of the entity when performing an
engagement in accordance with GAAS unless (a) GAAS provides otherwise or (b) the auditor
is required by law or regulation to accept the engagement and report on the financial
statements.” At the beginning of the current audit engagement, the auditor should evaluate
the auditor’s compliance with ethical requirements, including independence.
3170.21 The independent CPA must be without bias with respect to any attest client. The CPA’s
attitude is to be one of judicial impartiality. The CPA recognizes an obligation for fairness not
only to management and owners but also to creditors. The CPA’s attitude should not be the
accusatory attitude of a prosecutor.
3170.22 To be independent, the CPA must in fact be intellectually honest and be recognized in
appearance as independent by third parties. The CPA must be free from any obligation to or
interest in the client, its management, or owners. (For example, an independent auditor
auditing a company of which he was also a director might be intellectually honest, but it is
unlikely that the public would accept him as independent since he would be, in effect,
auditing decisions that he had a part in making.) The accountant should also apply
professional judgment.
3170.23 An effective system of quality control includes a monitoring process designed to provide
reasonable assurance that policies and procedures relevant to quality control are adequate
and operating effectively. The nature and extent of these policies and procedures are
dependent upon the firm's size, nature of practice, and cost‐benefit considerations.
3170.24 The firm's management, the environment in which the firm practices, and the environment
in which the client operates should all be considered as part of the monitoring of a firm's
practice.
Audits of Issuers
3170.25 An engagement quality control review is required for financial statement and integrated
internal control audits of issuers. The engagement quality control reviewer should evaluate
significant judgments made by the engagement team and the related conclusions reached.
Audits Under Generally Accepted Government Auditing Standards
3170.26 Audit organizations seeking to enter into a contract to perform an audit in accordance with
GAGAS (generally accepted government auditing standards) should provide the following to
the party contracting for such services when requested:
a. The audit organization’s most recent peer review report
b. Any subsequent peer review reports received during the period of the contract
3170.27 The auditor is required to have the professional knowledge, skills, and experience to
diligently perform, in good faith and with integrity, the gathering of information and the
objective evaluation of the sufficiency and appropriateness of evidence. Professional
judgment and competence are interrelated because judgments made are dependent upon
the auditor’s competence.
3170.28 Auditors performing work under GAGAS (including planning, directing, performing audit
procedures, or reporting on an audit conducted in accordance with GAGAS) must complete,
every two years, at least 24 hours of CPE that relates directly to government auditing. Those
individuals who charge 20% or more of their time annually to GAGAS assignments must
complete 80 hours every two years in CPE that relates to government auditing.
3170.29 Each audit organization performing audits or attestation engagements in accordance with
GAGAS must:
a. establish and maintain a system of quality control that is designed to provide the audit
organization with reasonable assurance that the organization and its personnel comply
with professional standards and applicable legal and regulatory requirements, and
b. have an external peer review at least once for each three‐year period.
3170.30 The policies and procedures in a firm’s system of quality control should address:
a. leadership responsibilities for quality within the audit organization;
b. independence, legal, and ethical requirements;
c. initiation, acceptance, and continuance of audits;
d. human resources;
e. audit performance, documentation, and reporting; and
f. monitoring of quality.
Nonaudit Engagements
3170.31 For engagements performed in accordance with SSARS 21, section 60, states the following
requirements for engagement‐level quality control:
a. The engagement partner should be competent in financial reporting and possess
sufficient capabilities to perform the engagement.
b. The engagement partner is responsible for:
(1) the overall quality of the engagement, including the direction, supervision,
planning, and performance of the engagement.
(2) the accountant’s report being appropriate under the circumstances.
(3) adherence to the firm’s quality control policies and procedures regarding
acceptance and continuation of client relationships.
(4) determining that appropriate conclusions are reached, including whether there is
information indicating management lacks integrity.
(5) ensuring that the engagement team has the appropriate competence, capabilities,
and expertise needed to complete the engagement.
(6) maintaining appropriate engagement documentation.
c. The firm should have in place a monitoring process designed to provide assurance that
the firm’s quality control policies and procedures are relevant, adequate, and operating
effectively. The engagement partner should determine that these policies and
procedures were adhered to during the engagement.
This page intentionally left blank.
3220 Understanding an Entity and Its Environment
3221 External Factors, Including the Applicable Financial Reporting Framework
3222 Internal Factors, Including Nature of the Entity, Ownership and Governance Structures, and Risk
Strategy
3230 Understanding an Entity’s Internal Control
3231 Control Environment and Entity‐Level Controls
3232 Flow of Transactions and Design of Internal Controls
3233 Implications of an Entity Using a Service Organization
3234 Information Technology (IT) General and Application Controls
3235 Limitations of Controls and Risk of Management Override
3240 Assessing Risks Due to Fraud
3241 Identifying Characteristics of Fraud
3242 Discussions with Audit Team Regarding Fraud
3243 Inquiries with Management Regarding Fraud
3244 Assessing Fraud Risk on Nonaudit Engagements
3250 Identifying and Assessing the Risk of Material Misstatement, Whether Due to Error or Fraud, and
Planning Further Procedures Responsive to Identified Risks
3251 Impact of Risks at the Financial Statement Level
3252 Impact of Risks for Each Relevant Assertion at the Class of Transaction, Account Balance, and
Disclosure Levels
3253 Further Procedures Responsive to Identified Risks
3260 Materiality
3261 For the Financial Statements as a Whole
3262 Performance Materiality and Tolerable Misstatement
3263 Materiality in Nonaudit Engagements
3270 Planning for and Using the Work of Others
3271 Work of Other Independent Auditors
3272 Work of Specialists
3273 Work of Internal Audit
3280 Specific Areas of Engagement Risk
3281 Entity’s Compliance with Laws and Regulations, Including Possible Illegal Acts
3282 Accounting Estimates, Including Fair Value Estimates
3283 Related Parties and Related Party Transactions
3284 Significant Recent Economic, Accounting, or Other Developments
3285 Improper Revenue Recognition
3286 Nonroutine or Complex Transactions
3210 Planning an Engagement
3211 Developing an Overall Engagement Strategy
Audit Engagements
3211.01 The auditor should establish the overall audit strategy. The overall audit strategy involves:
a. determining the characteristics of the engagement that define its scope, such as the
basis for reporting, industry‐specific reporting requirements, and the locations of the
entity.
b. ascertaining the reporting objectives of the engagement to plan the timing of the audit
and the nature of the communications required, such as deadlines for interim and final
reporting, and key dates for expected communications with management and those
charged with governance.
c. considering the important factors that will determine the focus of the audit team’s
efforts, such as determination of appropriate materiality levels, preliminary
identification of areas where there may be higher risks of material misstatement,
financial reporting developments, etc.
d. ascertaining the nature, timing, and extent of resources necessary to perform the
engagement.
3211.02 The process of developing the audit strategy helps the auditor:
a. determine the type and amount of resources to assign to specific audit areas, such as
the use of appropriately experienced team members for high‐risk areas or the number
of team members assigned to observe the inventory count at material locations.
b. plan the timing of resources, such as whether at an interim audit period or at key cutoff
dates.
c. manage, direct, and supervise resources, such as determining when team briefing and
debriefing meetings are expected to be held, how the auditor with final responsibility
and manager reviews are expected to take place (for example, on‐site or off‐site), and
whether to complete engagement quality control reviews.
3211.03 Planning is not a discrete phase of the audit, but rather an iterative process that begins with
engagement acceptance and continues throughout the audit as the auditor performs audit
procedures and accumulates sufficient appropriate audit evidence to support the audit
opinion. The auditor may begin execution of planned procedures before completing the
more detailed audit plan for the remainder of the audit procedures. Any changes to the
original audit plan should be documented.
3211.04 The purpose and objective of planning the audit are the same whether the audit is an initial
or recurring engagement. However, for an initial audit, the auditor may need to expand the
planning activities because the auditor does not ordinarily have the previous experience
with the entity that is considered when planning recurring engagements.
3211.05 For initial audits, additional matters the auditor should consider in developing the overall
audit strategy and audit plan include the following:
a. Arrangements to be made with the previous auditor; for example, to review the
previous auditor’s audit documentation
b. Any major issues discussed with management in connection with the initial selection as
auditors, the communication of these matters to those charged with governance, and
how these matters affect the overall audit strategy and audit plan
c. The planned audit procedures to obtain sufficient appropriate audit evidence regarding
opening balances
d. The assignment of firm personnel with appropriate levels of capabilities and
competence to respond to anticipated significant risks
e. Other personnel required by the firm’s system of quality control for initial audit
engagements
Nonaudit Engagements
3211.06 Engagements to prepare financial statements, compilations, reviews, and attestation
engagements require the Code of Professional Conduct to be considered in engagement
acceptance/continuance (e.g., competence, independence). In addition, a signed written
engagement letter is required to clearly distinguish the accountant’s responsibilities from
management’s responsibilities. In performing these tasks, the accountant defines the scope,
timing, and nature of the engagement.
3211.07 In an examination engagement under attestation standards, the accountant is required to
establish an overall strategy that sets the scope, timing, and direction of the engagement.
3212 Developing a Detailed Engagement Plan
Audit Engagements
3212.01 Once the audit strategy has been established, the auditor is able to start the development of
a more detailed audit plan to address the various matters identified in the audit strategy,
taking into account the need to achieve the audit objectives through the efficient use of the
auditor’s resources.
3212.02 Although the auditor may establish the audit strategy before developing the detailed audit
plan, the two planning activities are not necessarily discrete or sequential processes, but are
closely interrelated since changes in one may result in consequential changes to the other.
The auditor should update and document any significant revisions to the overall audit
strategy to respond to any changes in circumstances.
3212.03 The auditor must develop an audit plan for the audit in order to reduce audit risk to an
acceptably low level. The audit plan is more detailed than the audit strategy and includes the
nature, extent, and timing of audit procedures to be performed by audit team members.
Procedures that an auditor may consider in planning the audit usually involve review of his
or her records relating to the entity and discussion with other firm personnel and personnel
of the entity:
a. Reviewing correspondence files, prior year’s working papers, permanent files, financial
statements, and auditor's reports
b. Discussing matters that may affect the audit with firm personnel responsible for
nonaudit services to the entity
c. Inquiring about current business developments affecting the entity
d. Reading the current year’s interim financial statements
e. Discussing the type, scope, and timing of the audit with management of the entity, the
board of directors, or its audit committee
f. Considering the effects of applicable accounting and auditing pronouncements,
particularly new ones
g. Coordinating the assistance of entity personnel in data preparation
h. Determining the extent of involvement, if any, of consultants, specialists, and internal
auditors
i. Establishing the timing of the audit work
j. Establishing and coordinating staffing requirements
3212.04 The audit plan should include a description of:
a. the nature, extent, and timing of planned risk assessment procedures sufficient to
assess the risks of material misstatement.
b. the nature, extent, and timing of planned further audit procedures at the relevant
assertion level for each material class of transactions, account balance, and disclosure.
c. other audit procedures to be carried out for the engagement in order to comply with
GAAS.
Nonaudit Engagements
3212.05 In all attest engagements, the accountant should prepare and retain documentation that is
appropriate to the situation and meets the accountant’s needs. The goal is to allow
engagement teams, engagement partners, and others to be able to satisfy supervision,
review, and quality control responsibilities. While a detailed engagement plan is not
required for all nonaudit engagements, an adequate documentation trail is important to
satisfying quality control monitoring objectives. Work programs help satisfy that objective.
The accountant should determine the nature, timing, and extent of the planned procedures
to be carried out in order to achieve engagement objectives.
3212.06 In an examination engagement under the attestation standards, the accountant should
create a detailed plan that describes the nature, timing, and extent of any risk assessment
and further procedures to be performed.
3220 Understanding an Entity and Its Environment
3221 External Factors, Including the Applicable Financial Reporting
Framework
Audit Engagements
3221.01 The auditor’s understanding of the entity and its environment consists of an understanding
of the following aspects:
a. Industry, regulatory, and other external factors
b. Nature of the entity
c. Objectives and strategies and the related business risks that may result in a material
misstatement of the entity’s financial statements
d. Measurements and review of the entity’s financial performance
e. Internal control, which includes the selection and application of accounting policies
3221.02 The auditor should obtain an understanding of relevant industry, regulatory, and other
external factors. The industry in which the entity operates may be subject to specific risks of
material misstatement arising from the nature of the business, the degree of regulation, or
other external forces (such as political, economic, social, technical, and competitive).
Examples of matters to be considered follow:
a. Industry conditions
(1) The market and competition, including demand, capacity, and price competition
(2) Cyclical or seasonal activity
(3) Product technology relating to the entity’s products
(4) Supply availability and cost
b. Regulatory environment
(1) Accounting principles and industry‐specific practices
(2) Regulatory framework for a regulated industry
(3) Legislation and regulation that significantly affect the entity’s operations
(4) Taxation
(5) Government policies currently affecting the conduct of the entity’s business
(6) Environmental requirements affecting the industry and the entity’s business
c. Other external factors
(1) General level of economic activity (for example, recession, growth)
(2) Interest rates and availability of financing
(3) Inflation and currency revaluation
Nonaudit Engagements: Accounting and Review Engagements
3221.03 The accountant should obtain an understanding of the applicable financial reporting
framework and the significant accounting policies to be used in a preparation, compilation,
or review engagement.
3222 Internal Factors, Including Nature of the Entity, Ownership and
Governance Structures, and Risk Strategy
Audit Engagements
3222.01 The auditor should obtain an understanding of the nature of the entity. The nature of an
entity refers to the entity’s operations, its ownership and governance, the types of
investments that it is making and plans to make, the way that the entity is structured and
how it is financed. The entity may have a complex structure with subsidiaries or other
components in multiple locations. This understanding enables the auditor to understand the
classes of transactions, account balances, and disclosures to be expected in the financial
statements.
a. Business operations
(1) Nature of revenue sources
(2) Products or services and markets
(3) Conduct and method of operations
(4) Alliances, joint ventures, and outsourcing activities
(5) Involvement in e‐commerce
(6) Geographic dispersion and industry segmentation
(7) Location of production facilities, warehouses, and offices
(8) Key customers
(9) Important suppliers of goods and services
(10) Employment arrangements and matters
(11) Research and development activities and expenditures
(12) Transactions with related parties
b. Investments (including acquisitions, mergers, or disposals of business activities and
investments in nonconsolidated entities)
c. Financing (including the structure of financing, financing with related parties, and use of
derivatives)
d. Financial reporting
(1) Accounting principles and industry‐specific practices
(2) Revenue recognition practices
(3) Accounting for fair values
(4) Inventories
(5) Foreign currency assets, liabilities, and transactions
(6) Industry‐specific significant categories
(7) Accounting for unusual or complex transactions
(8) Financial statement presentation and disclosure
3222.02 The auditor should obtain an understanding of the entity’s objectives and strategies, and the
related business risks that may result in material misstatement of the financial statements.
a. The entity conducts its business in the context of industry, regulatory, and other internal
and external factors. To respond to these factors, the entity’s management or those
charged with governance define objectives, which are the overall plans for the entity.
Strategies are the operational approaches by which management intends to achieve its
objectives.
b. Business risks result from significant conditions, events, circumstances, actions, or
inactions that could adversely affect the entity’s ability to achieve its objectives and
execute its strategies, or through the setting of inappropriate objectives and strategies.
Management’s identification of business risk is part of internal control.
c. Business risk is broader than the risk of material misstatement of the financial
statements, although it includes the latter. Most business risks will eventually have
financial consequences and, therefore, an effect on the financial statements. However,
not all business risks give rise to risks of material misstatement. The auditor’s
consideration of whether a business risk may result in material misstatement is made in
light of the entity’s circumstances. The auditor does not have a responsibility to identify
or assess all business risks.
d. Smaller entities often do not set their objectives and strategies, or manage the related
business risks, through formal plans or processes. In many cases, there may be no
documentation of such matters. In such entities, the auditor’s understanding is
ordinarily obtained through inquiries of management and observation of how the entity
responds to such matters.
e. Some matters that the auditor may consider regarding the existence of objectives (how
the entity addresses industry, regulatory, and other external factors) include the
following:
(1) Industry developments
(2) New products and services
(3) Expansion of the business
(4) New accounting requirements
(5) Regulatory requirements
(6) Current and prospective financing requirements
(7) Use of information technology (IT)
(8) Risk appetite of managers and stakeholders
f. Implementing a new business strategy can have effects that will lead to new accounting
requirements. The auditor should consider this possibility as well.
3222.03 The auditor should obtain an understanding of the measurement and review of the entity’s
financial performance. Performance measures and their review indicate to the auditor
aspects of the entity’s performance that management and others consider to be important.
a. Performance measures, whether external or internal, create pressures on the entity
that, in turn, may motivate management to take action to improve the business
performance or to misstate the financial statements. Obtaining an understanding of the
entity’s performance measures assists the auditor in considering whether such
pressures result in management actions that may have increased the risks of material
misstatement.
b. Much of the information used in performance measurement may be produced by the
entity’s information system. If management assumes that data used for reviewing the
entity’s performance is accurate without having a basis for that assumption, errors may
exist in the information, potentially leading management to incorrect conclusions about
performance.
c. When the auditor intends to make use of the performance measures for the purpose of
the audit (for example, in performing analytical procedures), the auditor should
consider whether the information related to management’s review of the entity’s
performance provides a reliable basis and is sufficiently precise for such a purpose.
d. Smaller entities ordinarily do not have formal processes to measure and review the
entity’s financial performance. Management nevertheless often relies on certain key
indicators which knowledge and experience of the business suggest are reliable bases
for evaluating financial performance and taking appropriate action.
e. Examples of matters an auditor may consider include the following:
(1) Key ratios and operating statistics
(2) Key performance indicators
(3) Employee performance measures
(4) Trends
(5) Use of forecasts, budgets, and variance analysis
(6) Analyst reports and credit rating reports
(7) Competitor analysis
(8) Period‐on‐period financial performance (e.g., profitability or leverage)
3222.04 Obtaining an understanding of the entity and its environment is an essential aspect of
performing an audit in accordance with GAAS. In particular, that understanding establishes a
frame of reference within which the auditor plans the audit and exercises professional
judgment about assessing risks of material misstatement of the financial statements and
responding to those risks throughout the audit. This understanding will help the auditor:
a. establish materiality for planning purposes and evaluate whether that judgment
remains appropriate as the audit progresses.
b. consider the appropriateness of the selection and application of accounting policies and
the adequacy of financial statement disclosures.
c. identify areas where special audit consideration may be necessary.
d. develop expectations for use when performing analytical procedures.
e. design and perform further audit procedures to reduce audit risk to an appropriately
low level.
f. evaluate the sufficiency and appropriateness of audit evidence obtained.
3222.05 The auditor should use professional judgment to determine the extent of the understanding
required of the entity and its environment, including its internal control. The auditor’s
primary consideration is whether the understanding that has been obtained is sufficient to
assess risks of material misstatement of the financial statements and to design and perform
further audit procedures.
3222.06 Obtaining an understanding of the entity and its environment, including its internal control,
is a continuous, dynamic process of gathering, updating, and analyzing information
throughout the audit.
Nonaudit Engagements
Accounting and Review Engagements
3222.07 In a review engagement, the accountant should obtain knowledge about the entity,
including an understanding of the client’s business and the accounting principles and
practices used by the entity (particularly those that are unusual), sufficient to identify areas
in the financial statements where there is a greater likelihood that material misstatements
may arise and to be able to design procedures to address those areas.
Review of Interim Financial Information of Issuers
3222.08 To perform a review of interim financial information of an issuer, the accountant should
have sufficient knowledge of the entity’s business and its internal control related to the
preparation of interim financial information.
3222.09 This knowledge should allow the accountant the ability to:
a. identify the types of potential material misstatements in the interim financial
information and consider the likelihood of their occurrence.
b. select the inquiries and analytical procedures that will provide the accountant with the
basis for communicating whether he or she is aware of any material modifications that
should be made to the interim financial information for it to be in conformity with the
applicable financial reporting framework.
3222.10 In planning a review of interim financial information, the accountant should perform
procedures to update his or her knowledge of the entity’s business and its internal control.
Such procedures should include:
a. reading documentation of the preceding year’s audit and of reviews of prior interim
period(s) of the current year and corresponding quarterly and year‐to‐date interim
period(s) of the prior year.
b. reading the most recent annual and comparable prior interim‐period financial
information.
c. considering the results of any audit procedures performed with respect to the current
year’s financial statements.
d. inquiry of management about changes in the entity’s business activities.
e. inquiry of management about whether significant changes in internal control, related to
the preparation of interim financial information, have been made.
3222.11 The accountant who has audited the entity’s financial statements for one or more annual
periods would have acquired sufficient knowledge of an entity’s internal control as it relates
to the preparation of annual financial information and may have acquired such knowledge
with respect to interim financial information.
3222.12 If the accountant has not audited the most recent annual financial statements, the
accountant should perform procedures to obtain such knowledge.
3222.13 A restriction on the scope of the review may be imposed if the entity’s internal control
appears to contain deficiencies so significant that it would be impracticable for the
accountant, based on his or her judgment, to effectively perform review procedures.
Attestation Engagements
3222.14 In an examination and review engagement, the accountant should consider attestation risk,
which is the risk that the accountant expresses an inappropriate opinion or conclusion, as
applicable, when the subject matter or assertion is materially misstated. Attestation risk
includes the element of inherent risk, which should take into account what the accountant
knows about the entity and its environment as relevant to satisfying engagement objectives.
The degree of relevance of considerations in assessing attestation risk is affected by the
engagement circumstances.
3222.15 Attestation risk is not applicable to an agreed‐upon procedures engagement, as the design
of procedures in that type of engagement is the responsibility of the specified party(ies).
Therefore, the accountant is not responsible for assessing risk and developing a planned
response.
3230 Understanding an Entity’s Internal Control
Overview: Audit Engagements
3230.01 The information on internal control included in AU‐C 315 is quite extensive. The standard
also includes a detailed discussion of the five components of internal control in Appendix B.
The information presented in this outline of the standard includes far less detail than is
found in the final version of the standard. If you need further information on the particulars
of the data presented in this section, you should refer to the actual text of AU‐C 315.
3230.02 Internal control is a process—effected by those charged with governance, management, and
other personnel—designed to provide reasonable assurance about the achievement of the
entity’s objectives with regard to reliability of financial reporting, effectiveness and
efficiency of operations, and compliance with applicable laws and regulations.
3230.03 Internal control consists of five interrelated components:
1. Control environment
2. Risk assessment
3. Information and communication
4. Control activities
5. Monitoring
3230.04 The division of internal control into five components provides a useful framework for
auditors to consider how different aspects of an entity’s internal control may affect the
audit. However, the division does not necessarily reflect how an entity considers and
implements internal control.
3230.05 The design and implementation of an entity’s internal control varies with the entity’s size
and complexity. Many small businesses use simpler processes and procedures, and the
components of internal control may not be as clearly distinguished as they are in larger
entities.
3230.06 The control environment sets the tone of an organization, influencing the control
consciousness of its people. It is the foundation for all other components of internal control,
providing discipline and structure.
3230.07 An entity’s risk assessment process for financial reporting purposes is its identification,
analysis, and management of risks relevant to the preparation of financial statements that
are fairly presented in conformity with the entity’s applicable reporting framework.
3230.08 Information and communication systems support the identification, capture, and exchange
of information in a form and time frame that enable people to carry out their
responsibilities.
a. The information system consists of the procedures and records relevant to financial
reporting objectives (including the accounting system). The quality of system‐generated
information affects management’s ability to make appropriate decisions in controlling
the entity’s activities and to prepare reliable financial reports.
b. An entity’s communication involves providing an understanding of individual roles and
responsibilities pertaining to internal control over financial reporting.
3230.09 Control activities are the policies and procedures that help ensure that management
directives are carried out and necessary actions are taken to address risks that threaten the
achievement of the entity’s objectives. Examples of specific control activities include the
following:
a. Authorization
b. Segregation of duties
c. Safeguarding
d. Asset accountability
e. Performance reviews
3230.10 Monitoring of controls is a process to assess the quality of internal control performance over
time. It involves assessing the design and operation of controls on a timely basis and taking
necessary corrective actions. Monitoring is done to ensure that controls continue to operate
effectively.
Identify Controls Relevant to Reliable Financial Reporting
3230.11 There is a direct relationship between an entity’s objectives and the internal control
components it implements to provide reasonable assurance about their achievement. In
addition, internal control is relevant to the entire entity, or to any of its operating units or
business functions.
3230.12 Although the entity’s objectives, and therefore controls, relate to financial reporting,
operations, and compliance, not all of these objectives and controls are relevant to the
audit. In addition, an understanding of internal control relating to each of the entity’s
operating units and business functions may not be necessary to the performance of the
audit.
3230.13 Ordinarily, controls that are relevant to an audit pertain to the entity’s objective of preparing
financial statements that are fairly presented in conformity with GAAP, including the
management of risk that may give rise to a risk of material misstatement in those financial
statements.
3230.14 It is not necessary to assess all controls in connection with assessing the risks of material
misstatement and designing and performing further audit procedures in response to
assessed risks. It is a matter of the auditor’s professional judgment as to the controls or
combination of controls that should be assessed.
3230.15 In exercising professional judgment about which controls to assess, the auditor should
consider factors such as:
a. materiality,
b. the size of the entity,
c. the nature of the entity’s business,
d. the diversity and complexity of the entity’s operations,
e. applicable legal and regulatory requirements, and
f. the nature and complexity of the systems that are part of the entity’s internal control.
3230.16 Controls over the completeness and accuracy of the information produced by the entity may
be relevant to the audit if the auditor intends to make use of the information in designing
and performing further audit procedures. Controls over operations and compliance
objectives may have a direct and material effect on the financial statements as well. Internal
control over safeguarding assets against unauthorized acquisition, use, or disposition may
include controls relating to financial reporting.
3230.17 The auditor’s previous experience with the entity and its environment and throughout the
audit assist the auditor in identifying controls relevant to the audit.
3230.18 Controls relevant to the audit may exist in any of the components of internal control. The
auditor’s primary consideration is whether, and how, a specific control prevents, or detects
and corrects, material misstatements in classes of transactions, account balances, or
disclosures, and their relevant assertions, rather than its classification into any particular
component.
Audits of Issuers
3230.19 An audit of internal control over financial reporting may be integrated into the financial
statement audit. Public Company Accounting Oversight Board (PCAOB) Auditing Standard
2201 provides guidance on the requirements to express an opinion on the effectiveness of
the company’s internal control over financial reporting as of a point in time and taken as a
whole.
3230.20 Audits of issuers emphasize internal controls, because of the often integrated audit of
internal control over financial reporting. If internal control deficiencies exist, the auditor
should consider whether there should be higher assessed risk of material misstatement due
to fraud or error. Generally, the auditor should obtain more persuasive evidence from
substantive testing in a financial statement audit if a material weakness in internal control is
identified.
Accounting and Review Engagements
3230.21 An engagement to prepare financial statements is a nonattest engagement and does not
require the accountant to be independent. The accountant is not required to verify the
accuracy or completeness of the information provided by management or otherwise gather
evidence to express an opinion or conclusion on the financial statements.
3230.22 A compilation engagement is a no‐assurance engagement. There is no expectation that the
accountant would obtain an understanding of internal control in this type of engagement.
The accountant only needs to be able to have competence and capabilities to read the
financial statements for obvious departures from the applicable financial reporting
framework. This may be based on a very general and broad understanding of the entity and
its environment.
3230.23 A review engagement provides limited assurance. There is an expectation that the
accountant would gain an understanding of the significant accounting principles and
practices used by the entity. The accountant should understand the nature of the client’s
accounting records and transactions, systems, and accounting staff personnel, including any
known changes from the prior period that could impact the current engagement. The
understanding should be appropriate to provide limited assurance, which is substantially less
in scope than an audit. There is no requirement in a review to obtain a specific
understanding of the design of internal controls.
Attestation Engagements
3230.24 In an examination and review engagement, the accountant should consider attestation risk,
which is the risk that the accountant expresses an inappropriate opinion or conclusion, as
applicable, when the subject matter or assertion is materially misstated. Attestation risk
takes into account the elements of inherent risk, control risk, and detection risk. The degree
of relevance of considerations in assessing attestation risk is affected by the engagement
circumstances.
3230.25 Control risk is the risk that a material misstatement could occur in the subject matter and
not be prevented, or detected and corrected, on a timely basis by internal control. Control
risk would be more relevant when the subject matter relates to preparation of financial
information about an entity’s performance, rather than existence of a physical condition.
Control risk is often less relevant to a review engagement compared to an examination
engagement.
3230.26 In an examination engagement, similar concepts to an audit apply. Therefore, risk
assessment includes an understanding of internal control over the subject matter, and a
specific assessment of risks related to the subject matter.
3230.27 Attestation risk is not applicable to an agreed‐upon procedures engagement, as the design
of procedures in that type of engagement is the responsibility of the specified party(ies).
Therefore, the accountant is not responsible for assessing risk and developing a planned
response.
3230.28 AT‐C 320, Reporting on an Examination of Controls at a Service Organization Relevant to
User Entities’ Internal Control Over Financial Reporting, contains performance and reporting
requirements and application guidance for a service auditor examining controls at
organizations that provide services to user entities when those controls are likely to be
relevant to user entities’ internal control over financial reporting. It complements AU‐C 402,
Audit Considerations Relating to an Entity Using a Service Organization, which is relevant
when performing a financial statement audit.
3230.29 AT‐C 315, Compliance Attestation, is applicable if a practitioner is performing agreed‐upon
procedures related to an entity’s internal control over compliance with specified
requirements.
3230.30 AT‐C 215, Agreed‐Upon Procedures Engagements, is applicable when the practitioner is
engaged to report on the results of agreed‐upon procedures related to the controls of a
service organization or to transactions or balances of a user entity maintained by a service
organization.
3231 Control Environment and Entity‐Level Controls
3231.01 The COSO Framework refers to a publication called Internal Control—Integrated Framework
created by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.
The COSO committee consists of five sponsoring organizations whose representatives come
together to work on projects associated with guidance on enterprise risk management,
internal control, and fraud deterrence. The COSO Framework defines internal control and
breaks it down into the five major components.
3231.02 The auditor should obtain an understanding of the five components of internal control
sufficient to assess the risk of material misstatement of the financial statements whether
due to error or fraud, and to design the nature, timing, and extent of further audit
procedures.
3231.03 The auditor obtains this understanding by performing risk assessment procedures to
evaluate the design of controls relevant to an audit of financial statements and determine
whether they have been implemented.
3231.04 Entity‐level controls include, but are not limited to:
a. controls related to the control environment,
b. controls over management override,
c. the company’s risk assessment process,
d. centralized processing and controls, including shared service environments,
e. controls to monitor results of operations,
f. controls to monitor other controls, including activities to monitor the internal audit
function, the audit committee, and self‐assessment programs,
g. controls over the period‐end financial reporting process, and
h. policies that address significant business control and risk management practices.
3231.05 The auditor should obtain sufficient knowledge of the control environment to understand
the attitudes, awareness, and actions of those charged with governance concerning the
entity’s internal control and its importance in achieving reliable financial reporting. In
understanding the control environment, the auditor should concentrate on the
implementation of controls because controls may be established but not acted upon.
3231.06 In evaluating the entity’s control environment, the auditor should consider the following
elements and how they have been incorporated into the entity’s processes:
a. Communication and enforcement of integrity and ethical values
b. Commitment to competence
c. Participation of those charged with governance
d. Management’s philosophy and operating style
e. Organizational structure
f. Assignment of authority and responsibility
g. Human resource policies and practices
3231.07 The design and implementation of fraud prevention and detection programs is part of the
control environment. The auditor should evaluate whether entity programs and controls
that address identified risks of material misstatement due to fraud have been suitably
designed and placed in operation. Missing or inadequate anti‐fraud programs or controls
may constitute a significant deficiency or a material weakness.
3231.08 A satisfactory control environment can help reduce the risk of material misstatement due to
fraud, and it is a positive factor in the auditor’s overall assessment of risk. A weak control
environment may cause the auditor to expand substantive testing; a strong control
environment may give the auditor confidence that allows for testing at an interim date.
However, the control environment is not specific enough to prevent or detect material
misstatements in account balances, classes of transactions, or disclosures and related
assertions.
3231.09 The auditor should obtain sufficient knowledge of the entity’s risk assessment process to
understand how management considers risks relevant to financial reporting objectives and
decides about actions to address those risks.
3231.10 In evaluating the design and implementation of the entity’s risk assessment process, the
auditor should consider how management:
a. identifies business risks relevant to financial reporting,
b. estimates the significance of the risks,
c. assesses the likelihood of their occurrence, and
d. decides upon actions to manage them.
3231.11 A smaller entity may not have a formal risk assessment process. In this case, the auditor
should discuss with management how risks to the business are identified and addressed.
3231.12 The auditor should obtain an understanding of the entity’s information system relevant to
financial reporting. This includes obtaining an understanding of the origination of
transactions within the entity, authorization for transactions, the procedures that process
the transactions, how adjustments are made, and the reporting process.
3231.13 The auditor should obtain sufficient knowledge of the communication component to
understand how the entity communicates financial reporting roles and responsibilities and
significant matters relating to financial reporting. This component of internal control
involves the communication:
a. with personnel regarding their roles and responsibilities in the internal control structure,
b. with personnel about how their activities in the financial reporting system relate to
others,
c. with personnel about how and to whom to report financial reporting exceptions, and
d. between management and those charged with governance, as well as third parties such
as regulatory authorities.
3231.14 The auditor should obtain an understanding of control activities relevant to the audit. An
audit does not require an understanding of all control activities; the auditor would utilize
information regarding the presence or absence of control activities (received from the
understanding of other components of internal control) to determine whether it is necessary
to devote attention to specific control activities.
3231.15 The auditor’s emphasis is on identifying and obtaining an understanding of control activities
that address the areas where the auditor considers that material misstatements are more
likely to occur. The auditor’s primary consideration is whether, and how, a specific control
activity prevents, or detects and corrects, material misstatements in classes of transactions,
account balances, or disclosures.
3231.16 The auditor should obtain an understanding of how IT affects control activities that are
relevant to planning the audit.
3231.17 Management is responsible for establishing and maintaining internal controls. Management
determines if the controls are operating as intended (and that they are modified if
conditions change) by performing monitoring activities such as bank reconciliations and
evaluations of compliance with the entity’s policies.
3231.18 The auditor should obtain an understanding of:
a. the major types of activities that the entity uses to monitor control over financial
reporting and how those activities are used to initiate corrective actions to its controls;
and
b. the sources of the information related to the entity’s monitoring activities, and the basis
upon which management considers the information to be sufficiently reliable for the
purpose.
3231.19 The auditor should obtain an understanding of the entity’s selection and application of
accounting policies, and identify financial reporting standards and regulations that are new
to the entity.
3232 Flow of Transactions and Design of Internal Controls
3232.01 An entity’s business processes are the activities designed to develop, purchase, produce, sell,
and distribute an entity’s products and services; ensure compliance with laws and
regulations; and record information, including accounting and financial reporting
information.
3232.02 The auditor is concerned with business processes that relate to financial reporting, which
include the accounting system and consist of procedures (automated or manual) and records
established to initiate, authorize, record, process, and report entity transactions and to
maintain accountability for the related assets, liabilities, and equity.
3232.03 The auditor should obtain sufficient knowledge of the information system, including the
related business processes relevant to financial reporting, to understand the following:
a. The classes of transactions in the entity’s operations that are significant to the financial
statements
b. The procedures, within both automated and manual systems, by which those
transactions are initiated, authorized, recorded, processed, and reported in the financial
statements
c. The related accounting records, whether electronic or manual, supporting information,
and specific accounts in the financial statements involved in initiating, authorizing,
recording, processing, and reporting transactions
d. How the information system captures events and conditions, other than classes of
transactions, that are significant to the financial statements
e. The financial reporting process used to prepare the entity’s financial statements,
including significant accounting estimates and disclosures
f. Controls surrounding journal entries, including nonstandard journal entries used to
record nonrecurring, unusual transactions, or adjustments
3232.04 The auditor should consider how the entity:
a. identifies and records all valid transactions,
b. describes the transactions in sufficient detail to permit proper classification of
transactions for financial reporting,
c. measures the value of transactions in a manner that permits recording their proper
value in the financial statements,
d. determines the correct time period in which to record the transactions, and
e. presents the transactions (and related disclosures) in the financial statements.
3232.05 The auditor should document key elements of the understanding of the entity’s business
process and information flow. The format of documentation is at the auditor’s discretion.
Perform Risk Assessment Procedures to Evaluate the Design and Implementation of
Internal Controls Relevant to an Audit of Financial Statements
3232.06 The auditor should obtain a sufficient understanding by performing risk assessment
procedures to evaluate the design of controls relevant to an audit of financial statements
and to determine whether they have been implemented. The auditor should use such
knowledge to:
a. identify types of potential misstatements.
b. consider factors that affect the risks of material misstatement.
c. design tests of controls, when applicable, and substantive procedures.
3232.07 The way in which internal control is designed and implemented varies with an entity’s size
and complexity. Specifically, smaller entities may use less formal means and simpler
processes and procedures to achieve their objectives.
3232.08 Obtaining an understanding of internal control involves evaluating the design of a control
and determining whether it has been implemented.
a. Evaluating the design of a control involves considering whether the control, individually
or in combination with other controls, is capable of effectively preventing or detecting
and correcting material misstatements. The auditor should consider the design of a
control in determining whether to consider its implementation. An improperly designed
control may represent a material weakness in the entity’s internal control, and the
auditor should consider whether to communicate this to those charged with governance
and management.
b. Implementation of a control means that the control exists and that the entity is using it.
3232.09 The Public Company Accounting Oversight Board (PCAOB) Auditing Standard 2201, An Audit
of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial
Statements, states:
“The auditor should test the design effectiveness of controls by determining whether the
company's controls, if they are operated as prescribed by persons possessing the necessary
authority and competence to perform the control effectively, satisfy the company's control
objectives and can effectively prevent or detect errors or fraud that could result in material
misstatements in the financial statements.” (PCAOB AS 2201.42)
3232.10 Procedures to obtain audit evidence about the design and implementation of relevant
controls may include:
a. inquiry of entity personnel,
b. observation of the application of specific controls,
c. inspection of documents and reports, and
d. tracing transactions through the information system relevant to financial reporting.
3232.11 It is important to remember that inquiry alone is not sufficient to evaluate the design of a
control relevant to an audit and to determine whether it has been implemented.
3232.12 Generally, obtaining an understanding of an entity’s controls is not sufficient to serve as
testing the operating effectiveness of controls (also known as “tests of controls”). Testing
the operating effectiveness of a control means determining if the control is operating as
designed and whether the person performing the control possesses the necessary authority
and competence to perform the control effectively.
3233 Implications of an Entity Using a Service Organization
3233.01 This section provides guidance on the factors an independent auditor should consider when
auditing the financial statements or internal controls of an entity that uses a service
organization to process certain transactions.
3233.02 For the purposes of this section, the following definitions apply:
a. User entity—an entity that uses a service organization and whose financial statements
or internal controls are being audited
b. User auditor—the auditor who audits and reports on the financial statements of the
user entity or the entity’s internal controls over financial reporting integrated with the
financial statement audit
c. Service organization—the entity or segment of an entity that provides services to user
entities that are relevant to those user entities’ internal control over financial reporting
d. Service auditor—the auditor who reports on controls of a service organization
e. Report on management’s description of a service organization’s system and the
suitability of the design of controls (Type 1 report)—a service auditor’s report on a
service organization’s description of its controls that may be relevant to a user’s
organization’s internal control relating to an audit of financial statements or internal
controls, on whether such controls were suitably designed to achieve specified control
objectives, and on whether they have been in place as of a specific date
f. Report on management’s description of a service organization’s system and the
suitability of the design and operating effectiveness of controls (Type 2 report)—a
service auditor’s report on whether controls were suitably designed to achieve specified
control objectives, on whether they had been placed in operation as of a specific date,
and on whether the controls that were tested were operating with sufficient
effectiveness to provide reasonable, but not absolute, assurance that the related
control objectives were achieved during the period specified
3233.03 A service organization’s services are part of an entity’s information system if they affect any
of the following:
a. The classes of transactions in the entity’s operations that are significant to an entity’s
financial statements
b. How an entity’s transactions are initiated, recorded, processed, and reported
c. The accounting records, supporting information, and specific accounts in the financial
statements involved in the processing and reporting of the entity’s transactions
d. How the entity’s information system captures other events and conditions that are
significant to the financial statements
e. The financial reporting process used to prepare the entity’s financial statements,
including significant accounting estimates and disclosures
f. Controls surrounding journal entries, including nonstandard journal entries used to
record nonrecurring, unusual transactions, or adjustments
3233.04 When a user entity uses a service organization, transactions that affect the user entity’s
financial statements are subjected to controls that are, at least in part, physically and
operationally separate from the user organization.
3233.05 When the user entity initiates transactions and the service organization executes and does
the accounting processing of those transactions, there is a high degree of interaction
between the activities at the user entity and those at the service organization. In these
circumstances, it may be feasible for the user entity to implement effective controls for
those transactions.
3233.06 When the service organization initiates, executes, and does the accounting processing of the
user organization’s transactions, there is a lower degree of interaction and it may not be
practicable for the user organization to implement effective controls for those transactions.
3233.07 Auditing and examination standards require the accountant to obtain an understanding of
each of the five components of an entity’s internal control sufficient to plan the
engagement. This understanding may encompass controls placed in operation by the entity
and by service organizations whose services are part of the entity’s information system.
3233.08 Information about the nature of the services provided by a service organization that are part
of the user entity’s information system and the service organization’s controls over those
services may be available from a variety of sources. Some of those sources would include the
following:
a. User manuals
b. System overviews
c. Technical manuals
d. The contract between the user organization and the service organization
e. Reports by service auditors, internal auditors, or regulatory authorities on the service
organization’s controls
3233.09 If the user auditor concludes that information is not available to obtain a sufficient
understanding to plan the audit, the user auditor may consider contacting the service
organization, through the user entity, to obtain specific information or request that a service
auditor be engaged to perform procedures that will supply the necessary information. The
user auditor may also visit the service organization and perform such procedures.
3233.10 If the user auditor is unable to obtain sufficient evidence to achieve the audit objectives, the
user auditor should qualify the opinion or disclaim an opinion on the financial statements
because of a scope limitation.
3234 Information Technology (IT) General and Application Controls
Overview
3234.01 The use of information technology affects the fundamental manner in which transactions are
initiated, authorized, recorded, processed, and reported. An entity may have information
systems that automate the procedures that would otherwise be performed manually. In
these cases, electronic records may replace paper records such as purchase orders, invoices,
and shipping documents.
3234.02 Controls in systems that use IT consist of a combination of automated controls and manual
controls. This mix varies with the nature and complexity of the entity’s use of IT. While IT
systems and programs may include controls related to the corresponding assertions for
significant accounts, they may also be critical to the effective functioning of manual controls
that depend on IT.
3234.03 Generally, IT provides potential benefits of effectiveness and efficiency for an entity’s
internal control because it enables an entity to:
a. consistently apply predefined business rules and perform complex calculations in
processing large volumes of transactions or data.
b. enhance the timeliness, availability, and accuracy of information.
c. facilitate the additional analysis of information.
d. enhance the ability to monitor the performance of the entity’s activities and its policies
and procedures.
e. reduce the risk that controls will be circumvented.
f. enhance the ability to achieve effective segregation of duties by implementing security
controls in applications, databases, and operating systems.
3234.04 IT also poses specific risks to an entity’s internal control that could impact the completeness
and reliability of an entity’s data, including:
a. reliance on systems or programs that are processing data inaccurately, processing
inaccurate data, or both.
b. unauthorized access to data that may result in destruction of data or improper changes
to data, including the recording of unauthorized or nonexistent transactions or
inaccurate recording of transactions.
c. unauthorized changes to data in master files.
d. unauthorized changes to systems or programs.
e. failure to make necessary changes to systems or programs.
f. inappropriate manual intervention.
g. potential loss of data or inability to access data as required.
h. possibility of IT personnel gaining access privileges beyond those necessary to perform
their assigned duties, thereby breaking down segregation of duties.
3234.05 An entity’s use of IT may affect any of the five components of internal control relevant to the
achievement of the entity’s financial reporting, operations, or compliance objectives, and its
operating units or business functions. The following sections provide an analysis of factors
related to each of the internal control components and examples of control considerations
that should be made by the auditor.
3234.06 Factors related to the control environment that may impact an auditor's consideration of
the effect of IT on internal control are as follows:
a. Assignment of authority and responsibility. Clear lines of authority and responsibility
are important in an IT environment due to the potential access to data by multiple
users. When multiple users have access to a particular database, the potential for
manipulation increases. If manipulation does occur, management may have problems
determining responsibility.
b. Human resource policies and practices. One of the basic concepts of good internal
control is competent and trustworthy employees. In a computerized environment, the
need for skilled employees operating with a high degree of integrity is of great
importance.
c. Management’s philosophy and operating style. Management’s failure to commit
sufficient resources to address security risks presented by IT may adversely affect
internal control by allowing improper changes to be made to computer programs or to
data, or by allowing unauthorized transactions to be processed.
3234.07 Risk assessment requires the inclusion of a strict policy of control over changes in programs
and inappropriate access to data. The greatest risks in an IT environment are that the
programs that process the data will be altered to generate fraudulent results or data will be
manipulated by unauthorized data entry.
3234.08 The following factors related to control activities may impact an auditor's consideration of
the effect of IT on internal control.
a. Information processing. Two areas in which control activities can be affected by
computer processing are authorization of transactions and the maintenance of
adequate documents and records. Authorization procedures in many computer systems
are a part of the computer program. Thus, there is increased potential for unauthorized
individuals to gain access to sensitive accounting information. Concerning the
maintenance of adequate documentary evidence, auditors must be aware that the
traditional audit trail may not be available due to the fact that the IT system does not
provide a hard copy of source documents.
b. Segregation of duties. Adequate controls must be established within the IT department
to compensate for the lack of segregation of duties that would normally be available in a
manual system.
c. Physical controls. In an IT department, access to assets is often possible through the
computer system. As such, the need for enhanced physical controls is of great
importance in an IT environment. It is also important to have adequate backup for
computer files, as their destruction or damage could result in significant problems for a
business entity.
3234.09 The information and communication component of internal control has a direct impact on
the quality of the system‐generated information provided to management. The quality of
the information has a direct relationship to the relevance and appropriateness of the
decision‐making process. Controls embedded in the software and hardware must be utilized
by the system and be acted on by personnel in the IT department. The decisions are only as
good as the information on which those decisions are based. The integrity of the information
used by management is of great concern to the auditor.
3234.10 Management is responsible for establishing and maintaining proper internal controls.
Management must monitor controls to consider whether they are operating as intended
and that they are modified as appropriate for changes in conditions. An important
consideration for the auditor is that the knowledge base and skill level of those responsible
for monitoring the system is adequate to identify problems encountered and seek corrective
action.
3234.11 The auditor also should obtain an understanding of how the incorrect processing of
transactions is resolved. For example, such understanding might include whether there is an
automated suspense file, how it is used by the entity to ensure that suspense items are
cleared out on a timely basis, and how system overrides or bypasses to controls are
processed and accounted for.
3234.12 The identification of risks and controls within IT is not a separate evaluation. Instead, it is an
integral part of the approach used to assess risk and allocate audit effort.
IT General Controls
3234.13 General controls are policies and procedures that relate to many applications and support
the effective functioning of application controls by helping to ensure the continued proper
operation of information systems. These controls often include controls over:
a. data center and network operations;
b. system software acquisition, change, and maintenance;
c. program change;
d. access security; and
e. application system acquisition, development, and maintenance.
3234.14 Examples of general controls are program change controls, controls that restrict access to
programs or data, controls over the implementation of new releases of packaged software
applications, and controls over system software that restrict access to or monitor the use of
system utilities that could change financial data or records without leaving an audit trail.
3234.15 Ineffective general controls, by themselves, do not cause misstatements. They may,
however, permit application controls to operate improperly and allow misstatements to
occur and not be detected.
3234.16 General controls should be assessed in relation to their effect on applications and data that
become part of the financial statements.
IT Application Controls
3234.17 Application controls are designed to achieve specific control objectives related to specific
accounting tasks. They pertain to the processing of individual applications.
3234.18 Accordingly, application controls relate to the use of IT to initiate, authorize, record, process,
and report transactions or other financial data. These controls help ensure that transactions
occurred, are authorized, and are completely and accurately recorded and processed.
Examples include edit checks of input data, numerical sequence checks, and manual follow‐
up of exception reports.
3234.19 Application controls are classified as follows:
a. Input controls
b. Processing controls
c. Output controls
3234.20 Application controls can be performed by IT (automated) or by individuals. When application
controls are performed by people interacting with IT, they may be referred to as user
controls.
3234.21 Computer processing may produce reports and other output used in performing manual
control procedures. An example is an exception report. The effectiveness of the review of
the exception report (a user control) depends on both the effectiveness of the user review
and the accuracy of the information in the report produced by IT.
3234.22 Application controls are often dependent on general controls. It may be more efficient to
review the design of internal control procedures that are essential to the operation of
several specific control procedures before reviewing those specific control procedures. For
example, if an application control procedure, such as matching shipping information with
billing information, were to be performed by a customer‐billing program, the auditor might
review the controls over the access to and changing of computer programs before reviewing
this programmed control procedure.
Assess Whether Designed Controls Mitigate Key Risks
3234.23 The auditor should test the design effectiveness of IT controls by determining whether the
controls, if they are operated as prescribed, satisfy the company's control objectives and can
effectively prevent or detect errors or fraud that could result in material misstatements in
the financial statements.
3234.24 The extent and nature of the risks to internal control associated with IT vary depending on
the nature and characteristics of the entity’s information system. The auditor should
consider whether the entity has responded adequately to the risks arising from IT by
establishing effective controls, including effective general controls upon which application
controls depend. From the auditor’s perspective, controls over IT systems are effective when
they maintain the integrity of information and the security of the data such systems process.
3235 Limitations of Control and Risk of Management Override
Limitations of Internal Controls
3235.01 Internal control, no matter how well designed and operated, can provide an entity with
reasonable, but not absolute, assurance about achieving an entity’s objectives.
3235.02 The likelihood that those objectives will be achieved is affected by limitations inherent to
internal control. These limitations include the following:
a. Human judgment in decision making can be faulty.
b. Breakdowns in internal control can occur because of human failures such as simple
errors or mistakes.
c. Errors may occur in the use of information produced by IT. Individuals may not
understand the purpose of automated controls or the use of information produced by
IT.
3235.03 Any controls, whether automated or manual, can be circumvented by collusion (two or more
people working together) or management override of internal control. The potential for
override of controls by an owner‐manager depends to a great extent on the control
environment and owner‐manager’s attitudes about the importance of internal control.
3235.04 Smaller entities often have fewer employees, which may limit the extent to which
segregation of duties is practicable. However, for key areas, even in a very small entity, it can
be practicable to implement some degree of segregation of duties or other form of
unsophisticated but effective controls.
Management Override of Internal Controls
3235.05 Even if specific risks of material misstatement due to fraud are not identified by the auditor,
there is a possibility that management override of controls could occur and, accordingly, the
auditor should address that risk apart from any conclusions regarding the existence of more
specifically identifiable risks.
3235.06 Management is in a unique position to perpetrate fraud because of its ability to manipulate
accounting records and prepare fraudulent financial statements by overriding established
controls that otherwise appear to be operating effectively.
3235.07 Management override of controls can occur in unpredictable ways. Due to this fact, the
auditor should perform procedures (in addition to the procedures already performed to
address identified risks of material misstatements due to fraud) that include the following:
a. Examining journal entries and other adjustments for evidence of possible material
misstatement due to fraud
b. Reviewing accounting estimates for biases that could result in material misstatement
due to fraud
c. Evaluating the business rationale for significant unusual transactions
3235.08 The auditor should document the results of procedures performed to address the risk of
material misstatement due to management override of controls.
Document Understanding
3235.09 The auditor should document key elements of the understanding obtained regarding each of
the aspects of the entity and its environment, including each of the components of internal
control to assess the risks of material misstatements of the financial statements; sources of
information from which the understanding was obtained; and the risk assessment
procedures.
3235.10 The manner in which these matters are documented is for the auditor to determine using
professional judgment. See AU‐C 230, Audit Documentation, for general guidance.
3240 Assessing Risks Due to Fraud
3240.01 The auditor is required to specifically assess the risk of material misstatement of the
financial statements due to fraud and to consider that assessment in designing audit
procedures to be performed.
3240.02 An identified risk of misstatement that, quantitatively, would not normally be considered a
material risk could still be considered significant due to the fact that the circumstances
surrounding the risk involve implications of fraud.
3240.03 Because fraud is usually concealed, material misstatements due to fraud are difficult to
detect. Nevertheless, the auditor may identify events or conditions that are “fraud risk
factors.” The auditor uses professional judgment in determining whether a risk factor is
present and should be considered in identifying and assessing the risks of material
misstatement due to fraud.
3240.04 The consideration of fraud risk factors provides only a broad initial indication about whether
a material misstatement due to fraud may exist; it does not indicate the existence of fraud.
The auditor should respond to the risk of material misstatement due to fraud by
appropriately modifying audit procedures.
3240.05 In identifying risks of material misstatement due to fraud, it is helpful for the auditor to
consider the information that has been gathered in the context of the three conditions
present when a material misstatement due to fraud occurs; that is, incentive/pressures,
opportunities, and attitudes/rationalizations (AU‐C 240). Brief examples of fraud risk factors
for each condition follow.
3240.06 Incentives to perpetrate fraud could include:
a. pressure for management to meet profitability requirements (which could lead to
intentionally misstated financial statements) or
b. employees with personal financial difficulties (which may push an employee to steal
cash or inventory).
3240.07 Opportunities to commit fraud could include:
a. assets, liabilities, revenues, or expenses based on significant estimates involving
subjective judgments that are difficult to corroborate (which could provide an
opportunity for manipulation of numbers) or
b. inadequate segregation of duties or independent checks (which could provide an
opening for individuals to steal and cover it up).
3240.08 Rationalizations to allow justification of fraud could include:
a. a practice of management regularly committing to creditors or other third parties to
achieve aggressive or unrealistic forecasts (which may drive the thought that fraud is the
only way to accomplish these goals) or
b. behavior indicating that employees are dissatisfied with how they are treated by the
company (which could lead to an attitude that the company deserves what it gets or
that the company owes the employee this money).
3240.09 The auditor’s identification of fraud risks may be influenced by characteristics such as the
size, complexity, and ownership attributes of the entity. Risks may be specific to certain
geographic areas or business segments, or they may relate to the entity as a whole.
3240.10 Certain accounts, classes of transactions, and assertions that have high inherent risk because
they involve a high degree of management judgment and subjectivity may also present risks
of material misstatement due to fraud because they are susceptible to manipulation by
management.
3240.11 The identification of a risk of material misstatement due to fraud involves the application of
professional judgment and includes the consideration of the attributes of the risk, including:
a. the type of risk that may exist, that is, whether it involves fraudulent financial reporting
or misappropriation of assets.
b. the significance of the risk, that is, whether it is of a magnitude that could result in a
possible material misstatement of the financial statements.
c. the likelihood of the risk, that is, the likelihood that it will result in a material
misstatement in the financial statements.
d. the pervasiveness of the risk, that is, whether the potential risk is pervasive to the
financial statements as a whole or specifically related to a particular assertion, account,
or class of transactions.
3240.12 Material misstatements due to fraudulent financial reporting often result from an
overstatement or understatement of revenues. Therefore, the auditor should ordinarily
presume that there is a risk of material misstatement due to fraud relating to revenue
recognition.
3240.13 Even if specific risks of material misstatement due to fraud are not identified by the auditor,
there is a possibility that management override of controls could occur and, accordingly, the
auditor should address that risk apart from any conclusions regarding the existence of more
specifically identifiable risks.
3240.14 The auditor is required to document the specific risks of material misstatement due to fraud
that were identified and a description of the auditor’s response to those risks.
3240.15 An auditor’s assessment of the risks of material misstatement due to fraud should be
ongoing through the audit. Conditions may be identified that could indicate increased risks
of material misstatement due to fraud, such as the following:
a. Discrepancies in the accounting records, including the following:
(1) Transactions that are not recorded in a complete or timely manner or are
improperly recorded as to amount, accounting period, classification, or entity policy
(2) Unsupported or unauthorized balances or transactions
(3) Last‐minute adjustments that significantly affect financial results
(4) Evidence of employees’ access to systems and records inconsistent with that
necessary to perform their authorized duties
(5) Tips of complaints to the auditor about alleged fraud
b. Conflicting or missing audit evidence, including but not limited to the following:
(1) Missing documents
(2) Documents that appear to have been altered
(3) Unavailability of other than photocopied or electronically transmitted documents
when documents in original form are expected to exist
(4) Significant unexplained items on reconciliations
(5) Inconsistent, vague, or implausible responses from management or employees
arising from inquiries or analytical procedures
(6) Unusual discrepancies between the entity’s records and confirmation replies
(7) Missing inventory or physical assets of significant magnitude
(8) Unavailable or missing electronic evidence, inconsistent with the entity’s record
retention practices or policies
(9) Inability to produce evidence of key systems development and program change
testing and implementation activities for current‐year system changes and
deployments
c. Problematic or unusual relationships between the auditor and management, including
the following:
(1) Denial of access to records, facilities, certain employees, customers, vendors, or
others from whom audit evidence might be sought
(2) Undue time pressures imposed by management to resolve complex or contentious
issues
(3) Complaints by management about the conduct of the audit or management
intimidation of audit team members, particularly in connection with the auditor’s
critical assessment of audit evidence or in the resolution of potential disagreements
with management
(4) Unusual delays by the entity in providing requested information
(5) Unwillingness to facilitate auditor access to key electronic files for testing through
the use of computer‐assisted audit techniques
(6) Denial of access to key IT operations staff and facilities, including security,
operations, and systems development personnel
(7) An unwillingness to add or revise disclosures in the financial statements to make
them more complete and transparent
(8) An unwillingness to address identified deficiencies in internal control on a timely
basis
3240.16 Some unusual or unexpected analytical relationships may have been identified and may
indicate a risk of material misstatement due to fraud because management or employees
generally are unable to manipulate certain information to create seemingly normal or
expected relationships. Some examples are as follows:
a. The relationship of net income to cash flows from operations may appear unusual
because management recorded fictitious revenues and receivables but was unable to
manipulate cash.
b. Changes in inventory, accounts payable, sales, or cost of sales from the prior period to
the current period may be inconsistent, indicating a possible employee theft of
inventory, because the employee was unable to manipulate all of the related accounts.
c. A comparison of the entity’s profitability to industry trends, which management cannot
manipulate, may indicate trends or differences for further consideration when
identifying risks of material misstatement due to fraud.
d. A comparison of bad debt write‐offs to comparable industry data, which employees
cannot manipulate, may provide unexplained relationships that could indicate a possible
theft of cash receipts.
e. An unexpected or unexplained relationship between sales volume as determined from
the accounting records and production statistics maintained by operations personnel
(which may be more difficult for management to manipulate) may indicate a possible
misstatement of sales.
3241 Identifying Characteristics of Fraud
3241.01 An auditor has a responsibility to plan and perform the audit to obtain reasonable assurance
about whether the financial statements are free of material misstatements, whether caused
by fraud or error. Although fraud is a broad legal concept, the auditor’s interest specifically
relates to fraudulent acts that cause material misstatements of financial statements.
3241.02 The primary factor that distinguishes fraud from error is whether the underlying action that
results in the misstatement of the financial statements is intentional or unintentional. For
the purposes of AU‐C 240, fraud is “an intentional act…that results in a misstatement in
financial statements that are the subject of an audit.”
The primary responsibility for the prevention and detection of fraud rests with both those
charged with governance of the entity and management. It is important that management
places a strong emphasis on fraud prevention, which may reduce opportunities for fraud to
take place, and fraud deterrence, which could persuade individuals not to commit fraud
because of the likelihood of detection and punishment. This involves a commitment to
creating a culture of honesty and ethical behavior, which can be reinforced by active
oversight by those charged with governance. Oversight by those charged with governance
includes considering the potential for override of controls or other inappropriate influence
over the financial reporting process, such as efforts by management to manage earnings in
order to influence the perceptions of financial statement users regarding the entity’s
performance and profitability.
3241.03 Two types of misstatements are relevant to the auditor’s consideration in a financial
statement audit—misstatements arising from fraudulent financial reporting and
misstatements arising from misappropriation of assets.
3241.04 Fraudulent financial reporting and misappropriation of assets differ in that fraudulent
financial reporting is committed, usually by management, to deceive financial statement
users while misappropriation of assets is committed against an entity, most often by
employees.
3241.05 Fraudulent financial reporting may be accomplished by the following:
a. Manipulation, falsification, or alteration of accounting records or supporting documents
from which financial statements are prepared
b. Misrepresentation in or intentional omission from the financial statements of events,
transactions, or other significant information
c. Intentional misapplication of accounting principles relating to amounts, classification,
manner of presentation, or disclosure
3241.06 Misappropriation of assets involves the theft of assets that result in the financial statements
not being presented in conformity with GAAP. Misappropriation of assets includes acts such
as embezzling receipts, stealing assets, or causing an entity to pay for goods or services that
have not been received.
3241.07 Three conditions are generally present in an organization when fraud occurs:
1. Management or other employees have pressure or incentive to commit fraud.
2. A perceived opportunity to commit fraud exists.
3. Those involved in the fraudulent act are able to rationalize committing the fraud.
3241.08 Although fraud usually is concealed and management’s intent is difficult to determine, the
presence of certain conditions may suggest to the auditor the possibility that fraud may
exist. However, absolute assurance is not attainable and thus even a properly planned and
performed audit may not detect a material misstatement resulting from fraud.
3241.09 Due professional care requires the auditor to exercise professional skepticism. Professional
skepticism is an attitude that includes a questioning mind and a critical assessment of audit
evidence.
3242 Discussions with Audit Team Regarding Fraud
3242.01 The members of the audit team, including the auditor with final responsibility for the audit,
should discuss (i.e., brainstorm) the susceptibility of the entity’s financial statements to
material misstatements due to fraud or error.
3242.02 Although professional judgment should be used in determining which audit team members
should be included in the discussion, the discussion ordinarily should involve the key
members of the audit team, including the auditor with final responsibility for the audit. The
auditor may determine that a specialist should be included in the discussion.
3242.03 The auditor with final responsibility should consider which matters are to be communicated
to members of the engagement not involved in the discussion.
3242.04 The objective of this discussion is for members of the audit team to gain a better
understanding of the potential for material misstatements of the financial statements
resulting from fraud or error and to understand how the results of the audit procedures that
they perform may affect other aspects of the audit, including the decisions about the nature,
timing, and extent of further audit procedures.
3242.05 This discussion provides an opportunity for more experienced team members to share their
insights based on knowledge of the entity and for the team members to exchange
information about business risks to which the entity is subject and how and where the
financial statements might be susceptible to material misstatement.
3242.06 In this meeting, the team should also discuss critical issues, such as areas of significant audit
risk, areas susceptible to management override of controls, unusual accounting procedures
used by the client, important control systems, materiality at the financial statement level
and at the account level, and how materiality will be used to determine the extent of testing.
Specifically, the discussion among the audit team members should:
a. include consideration of the known external and internal factors affecting the entity
that might create incentives, opportunities, and rationalization to commit fraud.
b. emphasize the need to maintain a questioning mind and to exercise professional
skepticism in gathering and evaluating evidence throughout the audit.
c. include a discussion of the risk of management override of controls.
d. include unusual accounting procedures used by the client.
e. include important control systems.
f. include materiality at the financial statement level and at the accounting level, and how
materiality will be used to determine the extent of testing.
g. include how the auditor might respond to the susceptibility of the entity’s financial
statements to material misstatement due to fraud.
3242.07 The discussion among the team members should emphasize the exercise of professional
skepticism, the need to be alert for information or other conditions that indicate that a
material misstatement due to fraud or error may have occurred, and to be rigorous in
following up on such conditions.
3242.08 Communication among the audit team members about the risks of material misstatement
due to fraud or error should continue throughout the audit. Depending on the
circumstances, there may be multiple discussions regarding the susceptibility of the entity’s
financial statements to material misstatements.
3242.09 The auditor should document the discussion among the audit team regarding the
susceptibility of the entity’s financial statements to material misstatement due to error or
fraud, including how and when the discussion occurred, the subject matter discussed, the
audit team members who participated, and significant decisions reached concerning planned
responses at the financial statement and relevant assertion levels.
3243 Inquiries of Management Regarding Fraud
3243.01 Inquiry regarding fraud is important because fraud is often uncovered through information
received in response to inquiries.
3243.02 The auditor should inquire of management about the following:
a. Whether management has knowledge of any fraud or suspected fraud affecting the
entity
b. Whether management is aware of allegations of fraud or suspected fraud affecting the
entity
c. Management’s understanding about the risks of fraud in the entity, including any
specific fraud risks the entity has identified or account balances or classes of
transactions for which a risk of fraud may be likely to exist
d. Programs and controls the entity has established to mitigate specific fraud risks the
entity has identified, or that otherwise help to prevent, deter, and detect fraud, and
how management monitors those programs and controls
e. For an entity with multiple locations:
(1) the nature and extent of monitoring of operating locations or business segments
and
(2) whether there are particular operating locations or business segments for which a
risk of fraud may be more likely to exist
f. Whether and how management communicates to employees its views on business
practices and ethical behavior
g. If applicable, whether management has reported to those charged with governance on
how the entity’s internal control serves to prevent, deter, or detect material
misstatements due to fraud
When evaluating responses from management, the auditor should keep in mind that
management is often in the best position to commit fraud. When responses are inconsistent
among inquiries, the auditor should obtain additional audit evidence to resolve the
inconsistencies.
3243.03 The auditor should obtain an understanding about how the audit committee (those charged
with governance) exercises oversight of mitigating fraud risks. The auditor should also
directly ask those charged with governance their views of fraud and if they have any
knowledge of fraud or suspected fraud.
3243.04 The auditor should ask the internal auditors (if applicable) if they have any knowledge of
fraud or suspected fraud, their views on the risk of fraud, if they have performed any
procedures to detect or deter fraud, and if management has satisfactorily responded to the
findings from any of these procedures.
3243.05 In order to provide a perspective that is different from that of individuals involved in the
financial reporting process, to corroborate responses received from management, to help
uncover any possible instances of management override of internal control, and to evaluate
how effectively management has communicated standards of ethical behavior, the auditor
should inquire of others within the entity about the existence of fraud.
a. Employees interviewed should be of varying levels of authority and include operating
personnel not directly involved in the financial reporting process as well as in‐house
legal counsel.
b. Employees involved in initiating, authorizing, processing, or recording complex or
unusual transactions may help the auditor evaluate the appropriateness of the selection
and application of certain accounting policies.
3244 Assessing Fraud Risk on Nonaudit Engagements
Accounting and Review Engagements
3244.01 Compilation engagements provide no assurance. There is no responsibility on the part of the
practitioner to perform any procedures to identify or respond to fraud risk.
3244.02 Review engagements provide limited assurance. Inquiry, analytics, and other procedures are
designed and performed to provide limited assurance, which is substantially less than the
reasonable assurance expressed in an audit. The accountant is required to inquire of
management who has responsibility for financial and accounting matters about knowledge
of any fraud or suspected fraud involving management, employees with significant internal
controls roles, or others where there could be a material effect on the financial statements.
In addition, the accountant should inquire whether management is aware of fraud allegation
or suspected fraud affecting the entity communicated by employees, former employees,
regulatory bodies, or others. The accountant should consider the reasonableness and
consistency of management’s responses in light of the results of other review procedures
and the accountant’s knowledge. The accountant is not required to corroborate
management’s responses with other evidence.
3244.03 In a review, if the accountant becomes aware that fraud may have occurred, the accountant
should communicate (either written or oral) the matter as soon as practicable to the
appropriate level of management (at a level above those involved with the suspected fraud,
if possible). If the accountant identifies fraud that involves senior management, or fraud that
results in a material misstatement in the financial statements, the review accountant is
required to communicate the matter directly with those charged with governance (either
written or oral).
Attestation Engagements
3244.04 Examination engagements require an assessment of attestation risk, similar to financial
statement audits, to provide reasonable assurance whether any material modifications
should be made to the subject matter in order for it to be in conformity with stated criteria.
3244.05 A review engagement under the attestation standards would require similar fraud
consideration and responsibilities for a review of historical financial information. In a review,
the accountant should accumulate review evidence to obtain limited assurance about
whether any material modifications should be made to the subject matter in order for it to
be in conformity with stated criteria. The accountant should place increased focus in those
areas in which the practitioner believes increased risk of material misstatement exists.
3244.06 In both examination and review engagements, the accountant should make inquiries of
appropriate parties to determine whether they have knowledge of any actual, suspected, or
alleged fraud affecting the subject matter.
3244.07 In an agreed‐upon procedures engagement, the design of procedures is the responsibility of
the specified party(ies). Those procedures may or may not include fraud‐related procedures.
3250 Identifying and Assessing the Risk of Material Misstatement,
Whether Due to Error or Fraud, and Planning Further
Procedures Responsive to Identified Risks
Risk Assessment Procedures on an Audit Engagement
3250.01 The auditor should identify risks of material misstatement by obtaining an understanding of
the entity and its environment, including relevant controls that relate to the risks, and by
considering the classes of transactions, account balances, and disclosures in the financial
statements.
3250.02 Risk assessment procedures are those audit procedures that allow the auditor to obtain an
understanding of the entity and its environment (including its internal control). These
procedures may be used by the auditor as audit evidence to support assessment of the risks
of material misstatement. While performing these procedures, the auditor may also obtain
evidence about the relevant assertions related to classes of transactions, account balances,
or disclosures and about the operating effectiveness of controls, even though these
procedures were not specifically planned as substantive tests or tests of controls.
3250.03 Substantive testing and tests of controls may be performed concurrently with risk
assessment procedures if it is efficient to do so.
3250.04 The auditor should perform the following risk assessment procedures to obtain an
understanding of the entity and its environment, including its internal control:
a. Inquiries of management and others within the entity
b. Analytical procedures
c. Observation and inspection
3250.05 In addition, the auditor might perform other procedures where the information obtained
may be helpful in identifying risks of material misstatement. For example, the auditor may
consider making inquiries of others outside the entity such as the entity’s external legal
counsel or of valuation experts that the entity has used.
3250.06 The auditor is not required to perform all the risk assessment procedures for each aspect of
the understanding to be obtained, but all risk assessment procedures should be performed
by the auditor in the course of obtaining the required understanding.
3250.07 The nature, timing, and extent of the risk assessment procedures performed depend on the
circumstances of the engagement, such as the size and complexity of the entity and the
auditor’s experience with it.
3250.08 The auditor should use information gathered by performing risk assessment procedures,
including the audit evidence obtained in evaluating the design of controls and determining
whether they have been implemented, as audit evidence to support the risk assessment. The
auditor should use the risk assessment to determine the nature, extent, and timing of future
audit procedures to be performed.
3250.09 When the auditor plans to use information about the entity and its environment obtained
from a prior year’s audit, the auditor should determine if any changes have occurred that
may affect the relevance of the information for the current year’s audit.
3250.10 The auditor should document key elements of the understanding obtained regarding each of
the aspects of the entity and its environment, including each of the components of internal
control, to assess the risks of material misstatement of the financial statements, the sources
of information from which the understanding was obtained, and the risk assessment
procedures.
3250.11 The manner in which these matters are documented is for the auditor to determine using
professional judgment. Examples of techniques are narrative descriptions, questionnaires,
checklists, and flowcharts.
Analytical Procedures to Identify and Assess Risk of Material Misstatement
3250.12 Analytical procedures should be applied at two distinct phases in all audits.
1. At the initial planning stages of the audit to assist the auditor in planning the nature,
extent, and timing of other auditing procedures
2. As an overall review of the financial information in the final review stage of the audit
Analytical procedures may also be used by the auditor as substantive procedures to obtain
audit evidence about particular assertions.
3250.13 Analytical procedures used in planning the audit should focus on the following:
a. Enhancing the auditor’s understanding of the client’s business and the transactions and
events that have occurred since the last audit data
b. Identifying areas that may represent specific risks relevant to the audit
3250.14 For example, the auditor may use analytical procedures to identify the existence of unusual
transactions or events, and amounts, ratios, and trends that might indicate matters that
have financial statement and audit implications.
3250.15 In performing analytical procedures as risk assessment procedures, the auditor should
develop expectations about plausible relationships that are reasonably expected to exist.
When comparison of these expectations with recorded amounts or ratios developed from
recorded amounts yields unusual or unexpected relationships, the auditor should consider
those results in identifying risks of material misstatement.
3250.16 Often these analytical procedures use data aggregated at a high level. When this is the case,
the results provide only a broad initial indication about whether a material misstatement
may exist. Accordingly, the auditor should consider the results of such analytical procedures
along with other information gathered in identifying the risks of material misstatement.
Observation and Inspection to Identify and Assess Risk of Material Misstatement
3250.17 Observation and inspection may support (corroborate) inquiries of management and others.
These procedures may also provide information about the entity and its environment.
3250.18 Such audit procedures would normally include the following:
a. Observation of entity activities and operations (e.g., watching an employee perform a
task such as receiving an inventory shipment)
b. Inspection of documents, records, and internal control manuals (e.g., an organizational
chart)
c. Reading reports prepared by management, those charged with governance, and internal
audit (e.g., quarterly management reports, interim financial statements, or minutes of
board of directors’ meetings)
d. Physical observation of the entity’s premises and plant facilities (e.g., visiting the
warehouse)
3251 Impact of Risks at the Financial Statement Level
Financial Statement Level Risk on an Audit Engagement
3251.01 The assessment of the risk of material misstatement can be expressed in quantitative terms,
such as percentages, or qualitative terms, such as high, medium, or low. It should be
assessed, both at the financial statement level and at the relevant assertion level, and
documented in the workpapers.
3251.02 This assessment is important because it affects the amount of detection risk that the auditor
can accept. The higher the risk of material misstatement, the lower the detection risk must
be, and the more substantive procedures the auditor must perform in order to lower the
overall audit risk.
3251.03 Risks of material misstatement at the financial statement level refer to risks that relate
pervasively to the financial statements as a whole and potentially affect many assertions.
They represent circumstances that may increase the risks of material misstatement at the
assertion level. Financial statement risks may be especially relevant to fraud risk or
deficiencies in the control environment. However, these risks may also relate to factors such
as declining economic conditions and other matters.
Conditions and Events
3251.04 The following are examples of conditions and events that may indicate the existence of risks
of material misstatement. The examples provided cover a broad range of conditions and
events; however, not all conditions and events are relevant to every audit engagement and
the list of examples is not necessarily complete.
a. Operations in regions that are economically unstable; for example, countries with
significant currency devaluation or highly inflationary economies
b. Operations exposed to volatile markets; for example, futures trading
c. High degree of complex regulation
d. Going concern and liquidity issues, including loss of significant customers
e. Marginally achieving explicitly stated strategic objectives
f. Constraints on the availability of capital and credit
g. Changes in the industry in which the entity operates
h. Changes in the supply chain
i. Developing or offering new products or services, or moving into new lines of business
j. Expanding into new locations
k. Changes in the entity, such as large acquisitions, reorganizations, or other unusual
events
l. Entities or divisions likely to be sold
m. Complex alliances and joint ventures
n. Use of off‐balance‐sheet finance, special‐purpose entities, and other complex financing
arrangements
o. Significant transactions with related parties
p. Lack of personnel with appropriate accounting and financial reporting skills
q. Changes in key personnel, including departure of key executives
r. Weaknesses in internal control, especially those not addressed by management
s. Inconsistencies between the entity’s IT strategy and its business strategies
t. Changes in the IT environment
u. Installation of significant new IT systems related to financial reporting
v. Inquiries into the entity’s operations or financial results by regulatory or government
bodies
w. Past misstatements, history of errors, or a significant amount of adjustments at period‐
end
x. Significant amount of nonroutine or nonsystematic transactions, including intercompany
transactions and large revenue transactions at period‐end
y. Transactions that are recorded based on management’s intent; for example, debt
refinancing, assets to be sold, and classification of marketable securities
z. Application of new accounting pronouncements
aa. Complex processes related to accounting measurements
ab. Events or transactions that result in significant measurement uncertainty, including
accounting estimates
ac. Pending litigation and contingent liabilities; for example, sales warranties, financial
guarantees, and environmental remediation
3251.05 The auditor should document the risks identified and the related controls evaluated.
3251.06 The manner in which these items are documented is for the auditor to determine using
professional judgment. The form and extent of this documentation are influenced by the
nature, size, and complexity of the entity and its environment, including its internal control,
and the availability of information from the entity and the specific audit methodology and
technology used in the course of the audit.
3252 Impact of Risks for Each Relevant Assertion at the Class of Transaction,
Account Balance, and Disclosure Levels
3252.01 In representing that the financial statements are in accordance with the applicable financial
reporting framework, management implicitly or explicitly makes assertions regarding the
recognition, measurement, presentation, and disclosure of information in the financial
statements and related disclosures.
3252.02 Assertions used by the auditor fall into the following categories:
a. Assertions about classes of transactions and events for the period under audit
(1) Occurrence. Transactions and events that have been recorded have occurred and
pertain to the entity.
(2) Completeness. All transactions and events that should have been recorded have
been recorded.
(3) Accuracy. Amounts and other data relating to recorded transactions and events
have been recorded appropriately.
(4) Cutoff. Transactions and events have been recorded in the correct accounting
period.
(5) Classification. Transactions and events have been recorded in the proper accounts.
b. Assertions about account balances at the period end
(1) Existence. Assets, liabilities, and equity interests exist.
(2) Rights and obligations. The entity holds or controls the rights to assets, and
liabilities are the obligations of the entity.
(3) Completeness. All assets, liabilities, and equity interests that should have been
recorded have been recorded.
(4) Valuation and allocation. Assets, liabilities, and equity interests are included in the
financial statements at appropriate amounts and any resulting valuation or
allocation adjustments are appropriately recorded.
c. Assertions about presentation and disclosure
(1) Occurrence and rights and obligations. Disclosed events and transactions have
occurred and pertain to the entity.
(2) Completeness. All disclosures that should have been included in the financial
statements have been included.
(3) Classification and understandability. Financial information is appropriately
presented and described and information in disclosures is clearly expressed.
(4) Accuracy and valuation. Financial and other information is disclosed fairly and at
appropriate amounts.
3252.03 The auditor may use the assertions or may express them differently provided aspects
described have been covered.
3252.04 As part of the risk assessment process, the auditor should relate the identified risks to what
can go wrong at the relevant assertion level.
3252.05 All assertions are not relevant for all classes of transactions, account balances, and
disclosures. The auditor should determine which assertions have a meaningful bearing on
whether or not the account is fairly stated. For example, valuation may not be relevant to
the cash account unless currency translation is involved; however, existence and
completeness are always relevant.
3252.06 The auditor must identify the relevant assertions by determining the source of likely
potential misstatements in each significant class of transactions, account balance, and
presentation and disclosure. For example, the inventory asset account balance may have a
likely potential misstatement due to shipped items that have not been removed from
inventory. This potential misstatement would relate to the cutoff assertion.
3252.07 To determine whether a particular assertion is relevant to a significant account balance or
disclosure, the auditor should evaluate:
a. the nature of the assertion;
b. the volume of transactions or data related to the assertion; and
c. the nature and complexity of the systems, including the use of information technology,
by which the entity processes and controls information supporting the assertion.
3252.08 The auditor should determine whether the identified risks of material misstatement relate to
specific relevant assertions related to classes of transactions, account balances, and
disclosures, or whether they relate more pervasively to the financial statements taken as a
whole and potentially affect many relevant assertions. The latter risks (risks at the financial
statement level) may derive in particular from a weak control environment.
3252.09 Using professional judgment and the materiality assessment, the auditor should:
a. consider whether the risks are of a magnitude that could result in a material
misstatement of the financial statements and
b. consider the likelihood that the risks could result in a material misstatement of the
financial statements.
3252.10 Expressing the risk of material misstatement at the relevant assertion level (e.g., valuation of
accounts receivable, existence of accounts payable) provides a basis for the auditor to
determine the audit procedures that must be performed in order to lower audit risk.
3252.11 Although the determination of a risk level is based on the auditor’s professional judgment,
the auditor must have a basis for the assessment and must document this basis.
3252.12 The basis is derived from risk assessment procedures performed to obtain an understanding
of the entity and its environment (to address one component of the risk of material
misstatement—inherent risk) and suitable tests of controls (to address the other component
of the risk of material misstatement—control risk). If the auditor, based on the evaluation of
the design and implementation of controls, bases a risk assessment on an expectation that
controls are operating effectively to prevent or detect material misstatement, the auditor
should perform tests of controls to obtain evidence about the operating effectiveness of the
controls.
3252.13 In making risk assessments, the auditor should identify and document the controls that are
likely to prevent or detect and correct material misstatements in specific relevant assertions.
Controls can either be directly or indirectly related to an assertion. The more indirect the
relationship, the less effective that control may be in preventing or detecting and correcting
misstatements in that assertion.
Performing a Walkthrough or Otherwise Verifying Implementation of Internal
Control
3252.14 To further understand the likely sources of potential misstatements, and as part of selecting
the controls to test, performing a walkthrough will frequently be the most effective way of
achieving the following:
a. Understanding the flow of transactions in the entity, including how the transactions are
initiated, authorized, processed, and recorded
b. Verifying that the auditor has identified the points within the entity’s processes at which
a material misstatement could arise (including misstatements due to fraud)
c. Identifying the controls that management has implemented to address potential
misstatements
d. Identifying the controls that management has implemented to prevent or timely detect
unauthorized acquisition, use, or disposition of company assets that could result in a
material misstatement of the financial statements
3252.15 In performing a walkthrough, the auditor follows a transaction from origination through the
company's processes, including information systems, until it is reflected in the company's
financial records, using the same documents and information technology that company
personnel use. Walkthrough procedures usually include a combination of inquiry,
observation, inspection of relevant documentation, and re‐performance of controls.
3252.16 During a walkthrough, the auditor questions the company's personnel about their
understanding of what is required by the company's prescribed procedures and controls.
These probing questions, combined with the other walkthrough procedures, allow the
auditor to gain a sufficient understanding of the process and to be able to identify important
points at which a necessary control is missing or not designed effectively. Additionally,
probing questions that go beyond a narrow focus on the single transaction used as the basis
for the walkthrough allow the auditor to gain an understanding of the different types of
significant transactions handled by the process.
Impact of Risks Requiring Special Audit Attention
3252.17 As part of the risk assessment process, the auditor should determine which of the risks
identified are, in the auditor’s judgment, risks that require special audit consideration (such
risks are defined as “significant risks”). The determination of significant risks, which arise on
most audits, is a matter for the auditor’s professional judgment.
3252.18 Significant risks are often derived from business risks that may result in a material
misstatement. In considering the nature of the risks, the auditor should consider a number
of matters, including the following:
a. Whether the risk is a risk of fraud
b. Whether the risk is related to recent significant economic, accounting, or other
developments and, therefore, requires specific attention
c. The complexity of transactions
d. Whether the risk involves significant transactions with related parties
e. The degree of subjectivity in the measurement of financial information related to the
risks, especially those involving a wide range of measurement uncertainty
f. Whether the risk involves significant nonroutine transactions that are outside the
normal course of business for the entity, or that otherwise appear to be unusual
3252.19 Routine, noncomplex transactions that are subject to systematic processing are less likely to
give rise to significant risks because they have lower inherent risks. Significant risks often
relate to significant nonroutine transactions and judgmental matters.
3252.20 The auditor should document the identified significant risks.
3253 Further Procedures Responsive to Identified Risks
Develop Overall Responses to Identified Risks
3253.01 In order to reduce audit risk to an acceptably low level, the auditor should determine overall
responses to address risks of material misstatement at the financial statement level, and
should design and perform further audit procedures whose nature, extent, and timing are
responsive to the assessed risks of material misstatement at the relevant assertion level.
3253.02 The auditor’s overall responses to address the assessed risks of material misstatement at the
financial statement level may include emphasizing to the audit team the need to maintain
professional skepticism in gathering and evaluating audit evidence, assigning more
experienced staff or those with specialized skills such as specialists, providing more
supervision, or incorporating additional elements of unpredictability in the selection of
further audit procedures to be performed.
3253.03 The auditor may also make general changes to the audit procedures as an overall response;
for example, performing substantive procedures at period‐end instead of at an interim date.
3253.04 The assessment of the risks of material misstatement at the financial statement level is
affected by the auditor’s understanding of the control environment. An effective control
environment may allow the auditor to have more confidence in internal control and the
reliability of audit evidence generated internally within the entity.
3253.05 If there are weaknesses in the control environment, the auditor should consider an
appropriate response such as:
a. performing more audit procedures as of the period end rather than at an interim date,
b. seeking more extensive audit evidence from substantive procedures,
c. modifying the nature of audit procedures to obtain more persuasive audit evidence, or
d. increasing the number of locations to be included in the audit scope.
3253.06 Evaluation of the control environment will also have a significant bearing on the auditor’s
general approach. The auditor may use a substantive approach which emphasizes
substantive procedures or the use of a combined approach which tests controls along with
the performance of substantive procedures.
3253.07 The auditor should design and perform further audit procedures that are responsive to the
assessed risks of material misstatement at the relevant assertion level. In designing further
audit procedures, the auditor should consider such matters as:
a. the significance of the risk.
b. the likelihood that a material misstatement will occur.
c. the characteristics of the class of transactions, account balance, or disclosure involved.
d. the nature of the specific controls used by the entity and whether they are manual or
automated.
e. whether the auditor expects to obtain audit evidence to determine if the entity’s
controls are effective in preventing or detecting material misstatements.
f. results of data analytic outputs (such as reports and visualizations) to determine
relationships among variables and interpret results to provide a basis for developing
planned audit procedures.
3253.08 The auditor’s assessment of the identified risks at the relevant assertion level provides a
basis for considering the appropriate audit approach for designing and performing further
audit procedures. In some cases, the auditor may determine that performing only
substantive procedures is appropriate for specific relevant assertions and risks. In those
situations, the auditor may exclude the effect of controls from the relevant risk assessment.
However, the auditor needs to be satisfied that performing only substantive procedures for
the relevant assertions would be effective in reducing detection risk to an acceptably low
level. The auditor often will determine that a combined approach using both tests of the
operating effectiveness of controls and substantive procedures is an effective audit
approach.
3253.09 Regardless of the audit approach selected, the auditor should design and perform
substantive procedures for all relevant assertions related to each material class of
transactions, account balance, and disclosure.
3253.10 Because effective internal controls generally reduce, but do not eliminate, the risk of
material misstatement, tests of controls reduce, but do not eliminate, the need for
substantive procedures.
3253.11 In the case of very small entities, there may not be many control activities that could be
identified by the auditor. For this reason, the auditor’s further audit procedures are likely to
be primarily substantive procedures.
3253.12 The nature of further audit procedures refers to their purpose (tests of controls or
substantive procedures) and their type, that is, inspection, observation, inquiry,
confirmation, recalculation, reperformance, or analytical procedures.
3253.13 Certain audit procedures may be more appropriate for some assertions than others. For
example, in relation to revenue, tests of controls may be more responsive to the assessed
risk of misstatement of the completeness assertion, whereas substantive procedures may be
more responsive to the assessed risk of misstatement of the occurrence assertion.
3253.14 The higher the auditor’s assessment of risk, the more reliable and relevant is the audit
evidence sought by the auditor from substantive procedures.
3253.15 Timing refers to when audit procedures are performed or the period or date to which the
audit evidence applies. The auditor may perform tests of controls or substantive procedures
at an interim date or at period‐end.
3253.16 The higher the risk of material misstatement, the more likely it is that the auditor may
decide it is more effective to perform substantive procedures nearer to, or at, the period
end rather than at an earlier date, or to perform audit procedures unannounced or at
unpredictable times.
3253.17 A contrary argument is that performing audit procedures before the period end may assist
the auditor in identifying significant matters at an early stage of the audit, and consequently
resolving them with the assistance of management or developing an effective audit
approach to address such matters.
3253.18 If the auditor performs tests of the operating effectiveness of controls or substantive testing
before the period end, the auditor should consider the additional evidence that is necessary
for the remaining period.
3253.19 In considering when to perform audit procedures, the auditor should also consider such
matters as:
a. the effectiveness of the control environment.
b. when relevant information is available.
c. the nature of the risk.
d. the period or date to which the audit evidence relates.
3253.20 Extent refers to the quantity of a specific audit procedure to be performed; for example, a
sample size or the number of observations of a control activity.
3253.21 The extent of an audit procedure is determined by the judgment of the auditor after
considering the materiality, the assessed risk of material misstatement, and the degree of
assurance the auditor plans to obtain. In particular, the auditor ordinarily increases the
extent of audit procedures as the risk of material misstatement increases.
3253.22 Valid conclusions may ordinarily be drawn using sampling approaches that are properly
applied and evaluated. AU‐C 530, Audit Sampling, provides guidance on planning,
performing, and evaluating audit samples.
3253.23 Computer‐assisted audit techniques (CAATs) might enable more extensive testing of
electronic transactions and account files. This may be useful when deciding to modify the
extent of testing.
Document Overall Risk Response
3253.24 For significant risks, to the extent the auditor has not already done so, the auditor should
evaluate the design of the entity’s related controls, including relevant control activities, and
determine whether they have been implemented. An understanding of the entity’s controls
related to significant risks should provide the auditor with adequate information to develop
an effective audit approach.
3253.25 When the auditor has determined that an assessed risk of material misstatement at the
relevant assertion level is a significant risk, and if the auditor plans to rely on the operating
effectiveness of controls intended to mitigate that significant risk, the auditor should obtain
audit evidence about the operating effectiveness of those controls from tests of controls
performed in the current period.
3253.26 If management has not adequately responded by implementing controls over significant
risks and if, as a result, the auditor judges that there is a material weakness in the entity’s
internal control, the auditor should communicate this matter to those charged with
governance. In these circumstances, the auditor also should consider the implications for the
auditor’s risk assessment.
3253.27 When the auditor has determined that an assessed risk of material misstatement at the
relevant assertion level is a significant risk, the auditor should perform substantive
procedures that are specifically responsive to that risk.
3253.28 When the approach to significant risks consists only of substantive procedures, the audit
procedures appropriate to address such significant risks consist of tests of details only, or a
combination of tests of details and substantive analytical procedures. To obtain sufficient
appropriate audit evidence, the substantive procedures related to significant risks are most
often designed to obtain audit evidence with higher reliability.
Responding to the Risk of Material Misstatement Due to Fraud
3253.29 The auditor may determine that certain risks are significant because they indicate a risk of
fraud. The auditor responds to risks of material misstatement due to fraud in the following
three ways:
1. A response that has an overall effect on how the audit is conducted, including (1)
assignment of personnel and supervision, (2) management’s selection of accounting
principles, and (3) using audit procedures that include an element of unpredictability.
2. A response to identified risks involving the nature, extent, and timing of the auditing
procedures to be performed. The auditor should consider changing the nature, extent,
and timing of audit procedures to address specifically identified risks.
3. A response involving the performance of certain procedures to further address the risk
of material misstatement due to fraud involving management override of controls.
Because management override of controls can occur in unpredictable ways, the auditor
must be inventive in developing audit procedures.
3253.30 In modifying the nature, extent, and timing of audit procedures in response to identified
risks of material misstatements due to fraud, the auditor should consider the following:
a. Performing procedures at locations on a surprise or unannounced basis
b. Requesting that inventories be counted at the end of the reporting period or on a date
closer to period‐end to minimize the risk of manipulation of balances in the period
between the date of completion of the count and the end of the reporting period
c. Making oral inquiries of major customers and suppliers in addition to sending written
confirmations, or sending confirmations to a specific party within an organization
d. Performing substantive analytical procedures using disaggregated data, for example,
comparing gross profit or operating margins by location, line of business, or month to
auditor‐developed expectations
e. Interviewing personnel involved in activities in areas where a risk of material
misstatement due to fraud has been identified to obtain their insights about the risk and
how controls address the risk
f. If other independent auditors are used for one or more subsidiaries, divisions, or
branches, discussing with them the extent of work needed to address the risk of
material misstatement due to fraud resulting from transactions and activities among the
components
3253.31 The auditor’s response to a risk of material misstatement due to fraud relating to
misappropriation of assets usually will be directed toward certain account balances, such as
cash or merchandise inventory.
3253.32 The auditor should use professional judgment in determining the nature, extent, and timing
of the testing of journal entries and other adjustments. In determining the appropriate
method of examining the underlying support for such items, the auditor should consider:
a. the auditor’s assessment of the risk of material misstatement due to fraud.
b. the effectiveness of controls that have been implemented over journal entries and other
adjustments.
c. the entity’s financial reporting process and the nature of the evidence that can be
examined.
d. the characteristics of fraudulent entries or adjustments.
e. the nature and complexity of accounts.
f. journal entries or other adjustments processed outside the normal course of business.
3253.33 The auditor may conclude that it would not be practicable to design auditing procedures
that sufficiently address the risks of material misstatement due to fraud. In that case,
withdrawal from the engagement with communication to the appropriate parties may be an
appropriate course of action.
3260 Materiality
3261 For the Financial Statements as a Whole
3261.01 Audit risk is the risk that the auditor may unknowingly fail to appropriately modify his or her
opinion on financial statements that are materially misstated. Audit risk can also be defined
as a function of the risk that the financial statements prepared by management are
materially misstated, and the auditor may not detect such material misstatement. Because
of the nature of audit evidence and the characteristics of fraud, the auditor is able to obtain
reasonable, but not absolute, assurance that material misstatements are detected.
Reasonable assurance is obtained when the auditor has sufficient appropriate audit
evidence to reduce audit risk to an acceptably low level; reasonable assurance is not an
absolute level of assurance.
3261.02 The auditor must consider audit risk and must determine a materiality level for the financial
statements as a whole for the purpose of:
a. determining the extent and nature of risk assessment procedures.
b. identifying and assessing the risks of material misstatement.
c. determining the nature, timing, and extent of further audit procedures.
d. evaluating whether the financial statements as a whole are presented fairly, in all
material respects, in conformity with the applicable reporting framework.
3261.03 Risk may be assessed in quantitative (percentages) or nonquantitative terms (high, medium,
low).
3261.04 The auditor should perform the audit to reduce audit risk to a low level that is, in the
auditor’s judgment, appropriate for expressing an opinion on the financial statements. The
auditor does this by determining overall responses and designing the nature, timing, and
extent of further audit procedures based on risk assessments made at the financial
statement and relevant assertion level.
3261.05 In considering audit risk at the overall financial statement level, the auditor should consider
risks of material misstatement that relate pervasively to the financial statements as a whole
and potentially affect many relevant assertions. Risks of this nature often relate to the
entity’s control environment and are not necessarily identifiable with specific relevant
assertions at the class of transactions, account balance, or disclosure level.
3261.06 At the account balance, class of transactions, or disclosure level, audit risk consists of:
a. the risk (consisting of inherent risk and control risk) that the relevant assertions related
to balances, classes, or disclosures contain misstatements (whether caused by error or
fraud) that could be material to the financial statements when aggregated with
misstatements in other relevant assertions related to balances, classes, or disclosures,
and
b. the risk (detection risk) that the auditor will not detect such misstatements.
3261.07 Inherent risk is the susceptibility of a relevant assertion to a misstatement that could be
material, either individually or when aggregated with other misstatements, assuming that
there are no related controls. For example, cash is more susceptible to theft than other
assets. In addition, external circumstances that give risk to business risks also influence
inherent risk (such as technological developments or a decline in customers). A lack of
working capital would also influence inherent risk for the entity.
3261.08 Control risk is the risk that a misstatement that could occur in a relevant assertion and that
could be material, either individually or when aggregated with other misstatements, will not
be prevented or detected on a timely basis by the entity’s internal control. A lack of
segregation of duties would present a control risk, as would poor physical access controls to
blank check stock.
3261.09 Inherent risk and control risk are the entity’s risks, that is, they exist independently of the
audit of the financial statements. The standards describe the risk of material misstatement
as the auditor’s combined assessment of inherent risk and control risk; however, the auditor
may make separate assessments of inherent risk and control risk.
3261.10 Detection risk is the risk that the auditor will not detect a misstatement that exists in a
relevant assertion that could be material, either individually or when aggregated with other
misstatements. Detection risk is a function of the effectiveness of an audit procedure and its
application by the auditor.
3261.11 Detection risk relates to the substantive audit procedures and is managed by the auditor’s
response to risk of material misstatement. The risk of material misstatement and detection
risk are inversely related; the greater the risk of material misstatement, the less the
detection risk that can be accepted by the auditor.
3261.12 Materiality is a concept that recognizes that some matters, either individually or in the
aggregate, are important for fair presentation of financial statements in accordance with a
financial reporting framework, while other matters are not important.
3261.13 In performing the audit, the auditor is concerned with matters that, either individually or in
the aggregate, could be material to the financial statements. The auditor’s responsibility is to
plan and perform the audit to obtain reasonable assurance that material misstatements,
whether caused by errors or fraud, are detected.
3261.14 The auditor’s consideration of materiality is a matter of professional judgment and is
influenced by the perception of the needs of the financial statement users. Materiality
judgments involve both quantitative and qualitative considerations.
3261.15 The consideration of materiality is affected by the size and complexity of the entity and the
auditor’s experience with and knowledge of the entity and its environment, including its
internal control.
3261.16 The auditor should determine a materiality level for the financial statements as a whole
when establishing the overall audit strategy. The materiality level for the financial
statements as a whole helps guide the auditor’s judgments in identifying and assessing the
risks of material misstatements and in planning the nature, timing, and extent of further
audit procedures. The materiality level does not establish a threshold below which all
misstatements are considered immaterial. Certain characteristics of misstatements may
cause them to be considered material even though they are below this threshold.
3261.17 The determination of what is material to the users is a matter of professional judgment. The
auditor often applies a percentage to a chosen benchmark as a step in determining
materiality for the financial statements as a whole. When identifying an appropriate
benchmark, the auditor considers factors such as:
a. the elements of the financial statements (for example, assets, liabilities, equity, income,
and expenses) and the financial statement measures defined in generally accepted
accounting principles (for example, financial position, financial performance, and cash
flows) or other specific requirements,
b. whether there are financial statement items on which, for the particular entity, users’
attention tends to be focused,
c. the nature of the entity and the industry and economic environment in which it
operates,
d. the size of the entity, nature of its ownership, and the way it is financed, and
e. the relative volatility of the benchmark.
3261.18 When determining materiality, the auditor should consider prior periods’ financial results
and financial positions, the period‐to‐date financial results and financial position, and
budgets or forecasts for the current period, taking into account significant changes in the
entity’s circumstances and any relevant changes of conditions in the economy as a whole or
the industry in which the entity operates.
3261.19 Once materiality is established, the auditor considers materiality when planning and
evaluating the same way regardless of the inherent business characteristics of the entity
being audited. Materiality is determined based on the auditor’s understanding of the user
needs and expectations.
3261.20 When establishing the overall strategy for the audit, the auditor should consider whether
misstatements of lesser amounts than the financial statement materiality level could
reasonably be expected to influence economic decisions of users. In making this judgment,
the auditor should consider factors such as the following:
a. Whether the applicable financial reporting framework, laws, or regulations affect users’
expectations regarding the measurement or disclosure of certain items
b. The key disclosures in relation to the industry and the environment in which the entity
operates
c. Whether attention is focused on the financial performance of a particular business
segment that is separately disclosed in the consolidating financial statements
3261.21 When planning, it is not feasible for the auditor to anticipate all the circumstances that may
affect materiality by the completion of the audit. The auditor may conclude that a lower
level of materiality than that initially determined is appropriate.
3261.22 The auditor should document the levels of materiality, including any changes made to the
materiality level used in the audit and the basis on which those levels were determined.
3261.23 For audits of issuers, materiality is based on the concept of a “reasonable shareholder”
expressed by courts interpreting federal securities law.
3262 Performance Materiality and Tolerable Misstatement
3262.01 Performance materiality is defined in AU‐C 320.09 as “the amount or amounts set by the
auditor at less than materiality for the financial statements as a whole to reduce to an
appropriately low level the probability that the aggregate of uncorrected and undetected
misstatements exceeds materiality for the financial statements as a whole. If applicable,
performance materiality also refers to the amount or amounts set by the auditor at less than
the materiality level or levels for particular classes of transactions, account balances, or
disclosures. Performance materiality is to be distinguished from tolerable misstatement.”
Tolerable misstatement is the application of performance materiality.
3262.02 The auditor should determine one or more levels of performance materiality for classes of
transactions, account balances, and disclosures.
3262.03 Performance materiality is a planning concept and is related to the auditor’s determination
of materiality for planning the financial statement audit in such a way that misstatements,
combined for all of the tests in the entire audit, do not exceed materiality for the financial
statements.
3262.04 This means that the auditor should normally set performance materiality for a specific audit
procedure at less than the financial statement materiality so that when the results of the
audit procedures are aggregated, the required overall assurance is attained.
3262.05 Because it is not feasible for the auditor to anticipate all the circumstances that may
ultimately influence judgments about materiality in evaluating the audit findings at the
completion of the audit, the auditor’s judgment about materiality for planning purposes may
differ from the judgment about materiality used in evaluating the audit findings.
3262.06 If the auditor concludes that a lower materiality level than that initially determined is
appropriate, the auditor should reconsider the related levels of performance materiality and
appropriateness of the nature, timing, and extent of further audit procedures.
3262.07 The auditor should document the levels of materiality for the financial statements as a
whole; the materiality level for particular classes of transactions, account balances, or
disclosures; performance materiality and any revisions as the audit progresses; and the basis
on which those levels were determined.
3263 Materiality in Nonaudit Engagements
Accounting and Review Engagements
3263.01 Compilation engagements provide no assurance. The objective is to read the financial
statements to make sure they are appropriate in form and free from any obvious material
errors. Materiality is not specifically defined as it relates to compilations, which means
materiality is a matter of professional judgment.
3263.02 Review engagements provide limited assurance. The objective is to have a basis for reporting
whether the accountant is aware of any material modifications that should be made to the
financial statements for them to be in compliance with the applicable financial reporting
framework. Materiality is made in the context of the applicable financial reporting
framework. Some financial reporting frameworks discuss the concept of materiality in the
context of the preparation and fair presentation of financial statements. However,
materiality is ultimately a matter of professional judgment.
3263.03 In general, misstatements, including omissions, are considered to be material if they,
individually or in the aggregate, could reasonably be expected to influence the economic
decisions of users taken on the basis of the financial statements. Judgments are made in the
light of surrounding circumstances and are affected by the size or nature of a misstatement
or a combination of both. Judgments are based on a consideration of the common financial
information needs of users as a group. The possible effect of misstatements on specific
individual users, whose needs may vary widely, is not considered.
Attestation Engagements
3263.04 For an examination or review engagement performed in accordance with the attestation
standards, materiality should be considered in the context of qualitative and quantitative
factors. In general, misstatements, including omissions, are considered to be material if,
individually or in the aggregate, they could reasonably be expected to influence relevant
decisions of intended users that are made based on the subject matter. Materiality is a
matter of professional judgment. Materiality judgments should consider the relative size of a
misstatement or omitted fact, rather than the absolute amount.
3263.05 In an agreed‐upon procedures engagement, the accountant and the specified party(ies)
should agree on any applicable materiality limits.
3270 Planning for and Using the Work of Others
3271 Work of Other Independent Auditors
3271.01 A group engagement team must follow procedures in order to be involved with a
component auditor. The requirements include, but are not limited to, the following:
a. Acceptance and continuance of the audit
b. Determining if reference to the component auditor will be used in the audit report
c. Determining the process to assess risk
d. Communicating procedures and findings from the group engagement team to the
component auditor
3271.02 Be aware that the term “principal auditor” has been replaced with “group engagement
partner,” “group engagement team,” or “auditor of the group financial statements.”
3271.03 Group engagement partner: The group engagement partner is the individual responsible
for:
a. the direction, supervision, and performance of the group audit engagement in
compliance with professional standards and regulatory and legal requirements, and
b. determining whether the auditor’s report that is issued is appropriate in the
circumstances.
However, the group engagement partner may be assisted in fulfilling his or her
responsibilities by the group engagement team or, as appropriate in the circumstances, by
the firm. To help distinguish when such assistance is permitted, the audit standard uses the
terms “group engagement partner,” “group engagement team,” and “auditor of the group
financial statements.” Requirements to be undertaken by the group engagement partner are
addressed to the group engagement partner. When the group engagement team may assist
the group engagement partner in fulfilling a requirement, the requirement is addressed to
the group engagement team. When it may be appropriate in the circumstances for the firm
to fulfill a requirement, the requirement is addressed to the auditor of the group financial
statements. The group engagement team is defined as “partners, including the group
engagement partner, and staff who establish the overall group audit strategy, communicate
with component auditors, perform work on the consolidation process, and evaluate the
conclusions drawn from the audit evidence as the basis for forming an opinion on the group
financial statements” (AU‐C 600.11). Note that auditors who do not meet the definition of a
member of the group engagement team are considered to be component auditors.
3271.04 Acceptance and continuance considerations: The requirement is the determination of
whether the auditor believes he or she will be able to obtain sufficient appropriate audit
evidence over the group financial statements, including whether the group engagement
team will have appropriate access to information. The auditor should consider the
sufficiency of the group engagement team’s involvement in the performance of the audit,
including involvement in the work of the component auditors.
3271.05 Sufficient appropriate audit evidence includes, among other things, evidence that the audit
documentation (which includes the audit procedures performed) has been reviewed. Audit
documentation should clearly show who reviewed specific audit documentation and the
date of such review.
3271.06 The determination of whether to make reference to a component auditor in the auditor’s
report on the group financial statements:
a. explicitly permits making reference to the audit of a component auditor in the auditor’s
report on the group financial statements when the component’s financial statements
are prepared using a different financial reporting framework than that used for the
group financial statements, if certain conditions are met.
b. requires, when reference is made to a component auditor’s report on financial
statements prepared using a different financial reporting framework, the auditor’s
report on the group financial statements to disclose that the auditor of the group
financial statements is taking responsibility for evaluating the appropriateness of the
adjustments to convert the component’s financial statements to the financial reporting
framework used by the group.
c. explicitly precludes making reference to the audit of a component auditor in the
auditor’s report on the group financial statements unless the component auditor has
performed an audit that meets the relevant requirements of GAAS and provides
guidance regarding that determination.
d. requires that when the auditor of the group financial statements is making reference to
the audit of a component auditor and has determined that the component auditor
performed additional audit procedures in order to meet the relevant requirements of
GAAS, the auditor’s report on the group financial statements should indicate the set of
auditing standards used by the component auditor and that additional audit procedures
were performed by the component auditor to meet the relevant requirements of GAAS.
3271.07 The group engagement team’s process to assess risk: The requirement is that the auditor
applies the risk assessment standards to the group audit. When a component auditor
performs an audit or other specified audit procedures of the financial information of a
significant component for which the auditor of the group financial statements is assuming
responsibility for the component auditor's work, the group engagement team should be
involved in the risk assessment of the component to identify significant risks of material
misstatement of the group financial statements. The nature, timing, and extent of this
involvement are affected by the group engagement team's understanding of the component
auditor but, at a minimum, should include the following:
a. Discussing with the component auditor or component management the component's
business activities of significance to the group
b. Discussing with the component auditor the susceptibility of the component to material
misstatement of the financial information due to fraud or error
c. Reviewing the component auditor's documentation of identified significant risks of
material misstatement of the group financial statements. Such documentation may take
the form of a memorandum that reflects the component auditor's conclusion with
regard to the identified significant risks.
When significant risks of material misstatement of the group financial statements have been
identified in a component for which the auditor of the group financial statements is
assuming responsibility for the work of a component auditor, the group engagement team
should evaluate the appropriateness of the further audit procedures to be performed to
respond to the identified significant risks of material misstatement of the group financial
statements. Based on its understanding of the component auditor, the group engagement
team should determine whether it is necessary to be involved in the further audit
procedures.
3271.08 The determination of materiality to be used to audit the group financial statements: The
requirement is that the auditor requires the group engagement team to determine
materiality and performance materiality for the group as a whole, as well as component
materiality (that is, the materiality to be used to audit the financial information of a
component for purposes of the group audit) if assuming responsibility for the work of the
component auditor in the group audit report.
3271.09 The determination of materiality to be used to audit components: Component materiality
is determined by the group engagement team if assuming responsibility for the work of the
component auditor in the group audit report. For purposes of the group audit, component
materiality is required to be lower than group materiality in order to reduce the risk that the
aggregate of detected and undetected misstatements in the group financial statements
exceeds the materiality for the group financial statements as a whole.
3271.10 The selection of components and account balances for audit testing: Adapting an audit of
the financial information of a significant component to meet the specific needs of the group
engagement team may include requesting the component auditor to:
a. perform an audit, using component materiality, in accordance with GAAS, with the
exception of performing audit procedures on, for example, tax accounts or litigation,
claims, and assessments because those procedures are performed at the group level.
b. communicate the results of the audit in a form that is responsive to the needs of the
group engagement team.
The group engagement team's determination of the type of work to be performed on the
financial information of a component and its involvement in the work of the component
auditor is affected by the following:
a. The significance of the component
b. The identified significant risks of material misstatement of the group financial
statements
c. The group engagement team's evaluation of the design of group‐wide controls and the
determination of whether they have been implemented
d. The group engagement team's understanding of the component auditor
3271.11 Assessing the adequacy and appropriateness of audit evidence by the group engagement
team in forming an opinion on the financial statements: The parts of the audit
documentation of a component auditor that will be relevant to the group audit may vary
depending on the circumstances. Often, the focus is on audit documentation that is relevant
to the significant risks of material misstatement of the group financial statements. The
extent of the review may be affected by the fact that a component auditor's audit
documentation has been subjected to the review procedures of the component auditor's
firm.
3271.12 The group engagement team should determine whether it is necessary to review other
relevant parts of a component auditor's audit documentation. If the group engagement
team concludes that the work of a component auditor is insufficient, the group engagement
team should determine additional procedures to be performed and whether they are to be
performed by the component auditor or by the group engagement team.
3271.13 Study the following flowchart, which summarizes the procedures and decision points in this
section (from AU‐C 600.A79).
Using the Work of Other Accountants in a Review Engagement
3271.14 A review accountant should read the reports of other accountants who have issued reports
on significant components of the reviewed financial statements (e.g., subsidiaries and
investees). The impact of any modifications to the reports of other accountants should be
considered.
Using the Work of Other Accountants in an Attestation Engagement
3271.15 The attest accountant should clearly communicate with the other practitioner about the
scope and timing of the other practitioner’s work and findings. If assuming responsibility for
the work of the other practitioner, the attest accountant should evaluate whether the work
is adequate for the attest accountant’s purposes.
3271.16 The attest accountant should determine whether to make reference to the work of the other
practitioner’s report in the attest accountant’s report.
3272 Work of Specialists
3272.01 The auditor should consider whether specialized skills are needed in performing the audit. If
specialized skills are needed, the auditor should seek the assistance of a professional
possessing such skills (the “specialist”), who may be either on the auditor’s staff or an
outside professional. This guidance applies whether the specialist was engaged by the
auditor or by management.
3272.02 A specialist is a person or firm possessing special skill or knowledge in a particular field other
than accounting or auditing. Specialists include, but are not limited to, actuaries, appraisers,
engineers, environmental consultants, and geologists.
3272.03 The auditor should determine if the specialist will function as part of the audit team. If so,
the auditor must supervise the specialist in the same manner as other assistants and be able
to:
a. communicate the objectives of the specialist’s work,
b. evaluate whether the specified audit procedures will meet the auditor’s objectives, and
c. evaluate the results of the audit procedures applied.
3272.04 The purpose of using a specialist is to obtain sufficient appropriate evidence about items
material to the financial statements of which the auditor does not have knowledge.
Examples include the following:
a. Valuation—art appraisers, real estate appraisers
b. Physical characteristics relating to quantity on hand or condition—engineers, geologists
c. Amounts derived by special techniques—actuaries
d. Interpretation of technical requirements or documents—attorneys
3272.05 The use of professionals possessing information technology (IT) skills to determine the effect
of IT on the audit, to understand IT controls, or to design and perform tests of IT controls or
substantive procedures is a significant aspect of many audit engagements. In determining
whether such a professional is needed on the audit team, the auditor should consider such
factors as the following:
a. The complexity of the entity’s systems and IT controls and the manner in which they are
used in conducting the entity’s business
b. The significance of changes made to existing systems, or the implementation of new
systems
c. The extent to which data is shared among systems
d. The extent of the entity’s participation in electronic commerce
e. The entity’s use of emerging technologies
f. The significance of audit evidence that is available only in electronic form
3272.06 Audit procedures that the auditor may assign to the IT professional include inquiring of the
entity’s IT personnel about how data and transactions are initiated, recorded, processed,
and reported and how IT controls are designed; inspecting systems documentation;
observing the operation of IT controls; and planning and performing tests of IT controls.
3272.07 Selecting a specialist: The CPA should consider the specialist’s certification, license, degrees,
or other credentials; reputation; and experience.
3272.08 The agreement between the CPA and the specialist should contain the following:
a. Objectives and scope of the work
b. Representations as to the relationship, if any, of the specialist to the client
c. Methods or assumptions to be used this period
d. Comparison of methods or assumptions to be used with those used in the preceding
period
e. The specialist’s understanding as to use of results and the appropriateness of using the
work for the intended purpose
f. Form and content of the specialist’s report
3272.09 When the specialist has a relationship with the client (such as employment or a family
relationship), the auditor might question the control or influence that the client has on the
specialist’s objectivity. Under these circumstances, the auditor should perform additional
procedures with respect to some or all of the specialist’s assumptions, methods, or findings
to determine that the findings are not unreasonable. The auditor may also decide to engage
another specialist.
3272.10 The specialist is responsible for the appropriateness and reasonableness of methods and
assumptions used, as well as their application.
3272.11 The auditor is responsible for:
a. obtaining an understanding of the methods and assumptions used by the specialist;
b. making appropriate tests of data provided to the specialist, taking into account the
auditor’s assessment of control risk; and
c. evaluating whether the specialist’s findings support the related assertions in the
financial statements.
3272.12 Use of findings:
a. The CPA should accept the findings of the specialist unless the auditor’s procedures
determine that the findings are unreasonable.
b. If there is a material difference between the specialist’s findings and the assertions in
the financial statements, the auditor should apply additional procedures.
c. If the auditor is unable to resolve the matter, the auditor should obtain another opinion,
if possible. If the difference cannot be resolved, the auditor should issue a qualified
opinion or disclaimer.
d. If an unmodified opinion is issued, do not mention the use of a specialist. In a qualified
or adverse opinion, mention the use of a specialist only if it will help readers understand
the reason of the qualification.
3272.13 Study the following flowchart, which summarizes the decision steps with regard to the use of
a specialist.
Using the Work of a Specialist in an Attestation Engagement
3272.14 A specialist may be used on any engagement performed under the attestation standards.
The practitioner should have enough knowledge of the subject matter and the specialist to
communicate the objectives of the work to the specialist. The practitioner is responsible for
ensuring that the specialist has the necessary competence, capabilities, and objectivity for
the engagement’s purposes. The practitioner should agree with the nature, scope, and
objectives of the specialist’s work for the practitioner’s purposes, including any
confidentiality considerations. The role and responsibilities of the practitioner and specialist
should be clearly defined.
3272.15 The nature, timing, and extent of communications between the practitioner and the
specialist should be agreed upon, including the form of any report or documentation.
Ultimately, the engagement team partner is responsible for determining that the work of the
specialist satisfies engagement objectives.
3272.16 Reference to a specialist is permitted if relevant to the understanding of a modified report
(but not an unmodified report). However, the report must indicate that such reference does
not reduce the practitioner’s responsibility for that opinion.
3272.17 If the engagement is related to agreed‐upon procedures, the specified party(ies) and the
practitioner should explicitly agree on the involvement of a specialist. The practitioner’s
agreed‐upon procedures report should describe the nature of the assistance provided by the
specialist. The agreed‐upon procedures are to be performed entirely by the practitioner and
any assisting specialists.
3272.18 Internal auditors or other client personnel may prepare schedules or provide other
information for the practitioner’s use in performing the procedures. The CPA should not
agree to merely read the specialist’s report solely to describe or repeat the specialist’s
findings in his/her report.
3273 Work of Internal Audit
3273.01 The auditor will consider the existence of an internal audit function. Internal auditors are
responsible for providing analysis, evaluations, assurances, recommendations, and other
information to the entity’s management and those charged with governance.
3273.02 Internal auditors are responsible for providing analyses, evaluations, assurances,
recommendations, and other information to the entity’s management and those charged
with governance. To fulfill this responsibility, internal auditors maintain objectivity. Internal
auditors also review, assess, and monitor the performance of entity internal controls. In the
process, they obtain evidence regarding the design and effectiveness of controls that relate
to the entity’s ability to initiate, authorize, record, process, and report financial data
consistent with the assertions embodied in the financial statements. Information obtained
by internal audit may provide direct evidence about potential misstatements of financial
data.
3273.03 Independent auditors are required to obtain an understanding of the entity and its
environment, including the internal controls. This understanding includes the monitoring
function of internal control (for which internal audit is responsible) as well as the design of
the control procedures (which internal audit documents). The work done by internal
auditors may reduce or change the work needed to be performed by the independent
auditor. The standards state that the auditor should obtain an understanding of the internal
audit function sufficient to identify those internal audit activities that are relevant to
planning the audit.
3273.04 After obtaining an understanding of the internal audit function, the auditor may determine:
a. that the internal auditors’ work is or is not adequate for purposes of the audit and
b. if so, the effect of the work on the nature, timing, or extent of the external auditor’s
procedures.
3273.05 If the auditor decides to consider the effect of the internal auditors’ work on the audit or to
use internal auditors to provide direct assistance, the next step is to evaluate:
a. the objectivity of the internal audit function,
b. the internal auditors’ technical competence,
c. that the internal auditors’ work is carried out with due professional care,
d. that the communications between the internal and external auditors are effective,
e. the internal auditors’ knowledge of prior‐year audits,
f. how the internal auditors allocate their audit resources, and
g. the scope of internal audit activities.
3273.06 In determining the planned effect of the internal auditor’s work on the nature, timing, and
extent of the audit, the external auditor shall consider:
a. the nature and scope of specific work performed, or to be performed, by the internal
auditors;
b. the assessed risks of material misstatement at the assertion level for particular classes
of transactions, account balances, and disclosures; and
c. the degree of subjectivity involved in the evaluation of the audit evidence.
3273.07 Internal auditors’ work may affect the auditor’s audit plan by altering the procedures the
auditor performs when obtaining an understanding of the entity’s internal control. For
example, internal audit may provide the auditor with a flowchart showing a new
computerized sales and receivables system. The auditor may review the flowchart to obtain
information about the design of the related controls. In addition, the auditor may consider
the results of procedures performed by the internal auditors on related controls to obtain
information about whether the controls have been placed in operation.
3273.08 Certain controls have a pervasive effect on many financial statement assertions. As a result,
the work of the internal auditors (concerning whether the controls are properly designed, in
operation, and effective) can affect the auditor’s overall risk assessment at the financial
statement level.
3273.09 Auditors may use the results of the internal auditors’ tests of controls regarding the
effectiveness of relevant controls to reduce the extent of control testing procedures. For
example, the internal auditors’ scope may include tests of controls for the completeness of
accounts payable. The results of internal auditors’ tests may provide appropriate
information about the effectiveness of controls and reduce the amount of testing necessary.
3273.10 Likewise, substantive tests may be reduced if the auditor considers testing performed by
internal auditors. For example, if the internal auditors have confirmed certain accounts
receivable, the auditor may be able to reduce the number of accounts receivable to be
confirmed or change the timing of the confirmations.
3273.11 Even though the internal auditors’ work may affect the auditor’s procedures, the auditor is
still responsible for obtaining sufficient appropriate audit evidence to support the audit
opinion. Evidence obtained through the auditor’s direct personal knowledge, including
physical examination, observation, computation, and inspection, is generally more
persuasive than information obtained indirectly.
3273.12 The adequacy of the work of the internal auditor must be documented by the external
auditor along with the audit procedures performed by the external auditor on that work.
3273.13 The responsibility on the audit report cannot be shared with internal auditors.
3273.14 If internal auditors’ work is expected to have an effect on the auditor’s procedures, then the
auditor and internal auditor should coordinate by holding periodic meetings, scheduling
audit work, sharing internal auditors’ workpapers, reviewing audit reports, and discussing
possible accounting and auditing issues.
3273.15 The auditor may request direct assistance from the internal auditors. When determining the
nature and extent of the work that may be assigned to internal auditors, the external auditor
shall consider:
a. the amount of judgment involved in:
(1) planning and performing relevant audit procedures and
(2) evaluating the audit evidence gathered;
b. the assessed risk of material misstatement; and
c. the external auditor’s evaluation of the existence and significance of threats to the
objectivity and level of competence of the internal auditors who will be providing such
assistance.
3273.16 The external auditor shall direct, supervise, and review the work performed by the internal
auditors. The external auditor shall:
a. recognize that the internal auditors are not independent and
b. pull some of the underlying audit evidence for some of the work performed by the
internal auditors.
3280 Specific Areas of Engagement Risk
3281 Entity’s Compliance with Laws and Regulations, Including Possible Illegal
Acts
3281.01 The auditor, in conducting an audit of financial statements, takes into account the applicable
legal and regulatory framework. Even if an audit is planned and performed in accordance
with GAAS, an unavoidable risk exists that some material misstatements are not detected.
Inherent limitations on the auditor’s ability to detect material misstatements are greater for
the following reasons:
a. Many laws and regulations relate principally to the operating aspects of an entity, and
therefore do not affect the financial statements and are not captured by the entity’s
information system.
b. Noncompliance may involve conduct designed to conceal it, such as collusion, forgery,
or intentional misrepresentations made to the auditor.
c. A court of law, not the auditor, determines if an act constitutes noncompliance.
3281.02 Examples of laws and regulations that have a direct effect on the determination of material
amounts and disclosures in the financial statements include tax and pension laws and
regulations.
3281.03 Some laws and regulations do not have a direct effect on the determination of the amounts
and disclosures in the financial statements, but compliance with those laws and regulations
may be fundamental to the operating aspects of the business, fundamental to an entity's
ability to continue its business, or necessary for the entity to avoid material penalties.
3281.04 While the audit conducted according to GAAS contains no specific procedures designed to
detect noncompliance of laws and regulations, certain audit procedures may bring
noncompliance of laws and regulations to the auditor’s attention. These procedures include:
a. inquiring of management and those charged with governance about whether the entity
is in compliance with such laws and regulations.
b. inspecting correspondence with the relevant licensing or regulatory authorities.
3281.05 If noncompliance or suspected noncompliance with laws and regulations becomes apparent,
the auditor should:
a. obtain an understanding of the nature of the act and the circumstances in which it has
occurred.
b. obtain further information to evaluate the possible effect on the financial statements.
c. consult with management a level above those involved in order to obtain an
understanding of the nature of the act.
d. consult with the client’s legal counsel or other specialists if management’s response
does not provide satisfactory information. The client must make arrangements for the
conversation with legal counsel.
Procedures an auditor may perform to address the requirements of obtaining an
understanding of an act of identified or suspected noncompliance include:
a. examining supporting documents and comparing them with the accounting records,
b. confirming information with third parties (such as banks),
c. determining whether the transaction has been properly authorized, and
d. considering whether other similar transactions have occurred and applying procedures
to identify them.
3281.06 The matter of suspected noncompliance should be discussed with management and, when
appropriate, those charged with governance. If management or those charged with
governance are unable to provide sufficient information supporting compliance with laws
and regulations, the auditor should evaluate the effect of the lack of sufficient appropriate
audit evidence on the auditor’s opinion. The auditor should also evaluate the implications of
noncompliance in relation to other aspects of the audit and take appropriate action. In the
auditor’s professional judgment, the effect may be material to the financial statements, and
the auditor should consider legal advice.
3281.07 It may be necessary for the auditor to modify the audit opinion based on noncompliance
with laws and regulations.
a. The auditor should issue a qualified or adverse opinion if the auditor determines that
noncompliance with laws and regulations has a material effect on the financial
statements and the act has not been properly accounted for or disclosed. Depending on
materiality, the auditor may decide to issue an adverse opinion on the financial
statements as a whole.
b. The auditor should express a qualified opinion or disclaim an opinion if precluded by the
client from obtaining sufficient appropriate audit evidence to evaluate whether
noncompliance with laws and regulations that could be material to the financial
statements has, or is likely to have, occurred.
c. The auditor should withdraw from the engagement if the client refuses to accept the
auditor’s report as modified for the circumstances described above. The auditor should
indicate the reasons for withdrawal, in writing, to those charged with governance.
3281.08 The auditor should determine if he or she has the responsibility to report the identified or
suspected noncompliance to parties outside the entity if the noncompliance of laws and
regulations is identified or suspected.
3281.09 A description of the identified or suspected noncompliance of laws and regulations should
be included in the audit documentation. Also, the results of the discussion with
management, those charged with governance, and any third parties outside of the entity
should be included in the audit documentation.
3281.10 The following examples, if discovered through the application of audit procedures, may raise
a question about the possibility of noncompliance under applicable laws and regulations:
a. Unauthorized transactions or improperly recorded transactions
b. Investigation by a governmental agency, an enforcement proceeding, or payment of
unusual fines and penalties
c. Violations of laws or regulations cited in reports of examinations by regulatory agencies
that have been made available to the auditor
d. Large payments for unspecified services to consultants, affiliates, or employees
e. Sales commissions or agent’s fees that appear excessive
f. Unusual payments in cash or transfers to bank accounts
g. Unexplained payments to government officials
h. Failure to file tax returns or pay government duties or similar fees that are common to
the entity’s industry
i. Adverse media comment
j. Purchases made at prices significantly above or below market price
Nonaudit Engagements
Review Engagements
3281.11 In a review engagement, if the accountant becomes aware of a suspected noncompliance
with laws and regulations whose effects should be considered on the financial statements
(i.e., more than clearly inconsequential), the accountant should communicate such matters
to management (either written or oral). If the accountant identifies noncompliance that
involves senior management or results in a material misstatement in the financial
statements, the accountant should communicate the matter directly with those charged
with governance (either written or oral). The accountant should consider the need to seek
legal advice or other action if sufficient information is not obtained related to known or
potential misstatement due to noncompliance.
Attestation Engagements
3281.12 In an examination or review engagement performed in conformity with attestation
standards, the practitioner should make inquiries of appropriate parties to determine
whether they have knowledge of any actual, suspected, or alleged noncompliance with laws
or regulations affecting the subject matter.
3281.13 In any attestation engagement, the practitioner should consider whether matters, such as
noncompliance with laws and regulations, that come to the attention of the accountant
during the engagement should be communicated to the responsible party, client, or others.
3281.14 An examination or agreed‐upon procedures engagement may be performed related to
compliance with requirements of specified laws, regulations, rules, contracts, or grants.
3281.15 Any compliance engagement associated with a financial statement audit would be
performed in conformity with auditing standards.
3282 Accounting Estimates, Including Fair Value Estimates
3282.01 Risks of material misstatement may be greater for risks relating to significant judgmental
matters that require the development of accounting estimates arising from:
a. differing interpretation of accounting principles,
b. required complex or subjective judgment, or
c. assumptions about the effects of future events.
3282.02 An accounting estimate is an approximation of a financial statement element, item, or
account. Accounting estimates are often included in historical financial statements.
Examples of accounting estimates are net realizable values of inventory and accounts
receivable, property and casualty insurance loss reserves, fair value, revenues from contracts
accounted for by the percentage‐of‐completion method, and pension and warranty
expenses.
3282.03 Management is responsible for making the accounting estimates included in the financial
statements. As estimates are based on subjective as well as objective factors, it may be
difficult for management to establish controls over them.
3282.04 The auditor’s objective is to obtain sufficient appropriate audit evidence about whether:
a. accounting estimates, including fair value accounting estimates, in the financial
statements, whether recognized or disclosed, are reasonable and
b. related disclosures in the financial statement are adequate.
3282.05 The auditor should obtain an understanding of the following to provide a basis for the
identification and assessment of risks for accounting estimates:
a. The requirements of the applicable reporting framework relevant to accounting
estimates
b. How management identifies those transactions, events, and conditions that may give
rise to the need for accounting estimates to be recognized or disclosed in financial
statements
c. How management makes the accounting estimates and the data on which they are
based
3282.06 Management’s process for preparing accounting estimates (although it may not be
documented or formally applied) normally consists of the following:
a. The method used in making the accounting estimate, including, when applicable, the
model
b. Identifying the relevant controls over the accounting estimate
c. Identifying whether management has used a specialist
d. Developing assumptions underlying the accounting estimate
e. Determining whether there has been or ought to have been a change from the prior
period in the method or assumptions for making the estimate and, if so, why
f. Determining whether and, if so, how management has assessed the effect of estimation
uncertainty
3282.07 Based on the assessed risks of material misstatement, the auditor determines whether
management has appropriately applied the requirements of the applicable framework and
whether the methods for making the estimate are appropriate and have been applied
consistently, and whether changes from the prior period, if any, in accounting estimates or
the method for making them are appropriate in the circumstances.
3282.08 Even when management’s estimation process involves competent personnel using relevant
and reliable data, there is potential for bias in the subjective factors associated with the
estimate.
3282.09 The risk of material misstatement normally varies with the:
a. complexity and subjectivity associated with the process,
b. availability and reliability of relevant data,
c. number and significance of assumptions that are made, and
d. degree of uncertainty associated with the assumptions.
Responding to the Risk of Material Misstatement in Significant Accounting Estimates
3282.10 The auditor should perform a retrospective review of significant accounting estimates
reflected in the financial statements of the prior periods to determine whether management
judgments and assumptions relating to the estimates indicate a possible bias on the part of
management.
3282.11 The significant accounting estimates selected for testing should include those that are based
on highly sensitive assumptions or are otherwise significantly affected by judgments made
by management.
3282.12 If the auditor identifies a possible bias on the part of management in making accounting
estimates, the auditor should evaluate whether circumstances producing such a bias
represent a risk of a material misstatement due to fraud.
3283 Related Parties and Related Party Transactions
3283.01 Related parties of a reporting entity consist of the following (per the FASB ASC Glossary):
a. Its affiliates
b. Entities for which investments are accounted for under the equity method
c. Trusts for the benefit of its employees that are managed by entity management
d. Its principal owners and immediate family
e. Its management and immediate family
f. Any other party with which the reporting entity may deal when one party controls or
has the ability to significantly influence the management or operating policies of the
other
g. Any other party that can significantly influence the management or operating policies of
the transacting parties or have ownership interest in one of the transacting parties and
can significantly influence the other where one might be prevented from fully pursuing
its own interests
3283.02 Related party transactions represent significant risks because:
a. related party transactions must be disclosed (FASB ASC 850 provides these
requirements) and
b. the substance of a particular transaction may be significantly different from its form
(financial statements should recognize the substance of a particular transaction rather
than merely its legal form).
3283.03 In order to prevent those risks, the auditor should perform procedures to obtain an
understanding of the company’s relationships and transactions with its related parties, as
follows:
a. Determine the existence of related parties.
b. Identify transactions with related parties.
c. Examine the transactions as to their business purpose, substance, extent, and effect on
financial statements.
d. Be certain the following regarding material related party transactions are disclosed:
(1) The nature of the relationship(s)
(2) Description of transactions
(3) Dollar volume of transactions
(4) Amounts due from or to related parties and terms, if relevant
3283.04 Material misstatements should be assessed at the financial statement level and the assertion
level. This includes identifying and assessing the risks of material misstatement, including
whether the company has properly identified, accounted for, and disclosed the related
parties and relationships and transactions with related parties.
3283.05 The audit responses, designed and implemented by the auditor, that address the identified
and assessed risks of material misstatement include designing and performing audit
procedures in a manner that addresses material misstatements associated with related
parties.
3283.06 The auditor should be aware of the possible existence of material related party transactions
that could affect the financial statements and of common ownership or management control
relationships.
3283.07 The auditor should obtain an understanding of management responsibilities, management
activities, and the relationship of each component to the total entity. In addition, the auditor
should consider the business purpose served by the various components of the entity.
Business structure and operating style are occasionally deliberately designed to obscure
related party transactions.
3283.08 Once the auditor finds undisclosed related parties, relationships, or transactions, the auditor
should perform procedures to distinguish that there are related parties, relationships, or
transactions that do exist, by:
a. inquiring of management about the undisclosed related party and the possible existence
of other transactions not disclosed;
b. evaluating why the discovery was not disclosed;
c. promptly communicating the undisclosed item to appropriate members of the
engagement team;
d. assessing the need for more procedures; and
e. performing the following procedures:
(1) evaluate the implications on the auditor’s assessment of internal control,
(2) reassess the risk of material misstatement and perform additional procedures if
needed, and
(3) evaluate the implications for the audit if the nondisclosure indicates that fraud or
noncompliance with laws or regulations may have occurred.
3283.09 In the absence of evidence to the contrary, transactions with related parties should not be
assumed to be outside the ordinary course of business.
3283.10 Transactions that because of their nature may be indicative of the existence of related
parties include:
a. borrowing or lending on an interest‐free basis or at a rate of interest significantly above
or below current market rates,
b. selling real estate at a price that differs significantly from its appraised value,
c. nonmonetary exchanges, and
d. making loans with no written terms.
3283.11 The auditor should be alert to situations, such as the following, that might result in
questionable related party transactions:
a. Lack of sufficient working capital or credit
b. An urgent desire to improve earnings to bolster the price of stock
c. An overly optimistic earnings forecast
d. Dependence on a few products or customers
e. A declining industry
f. Excess capacity
g. Significant litigation
h. Significant obsolescence in a high‐technology industry
3283.12 The evaluation of the relationships and transactions with related parties should be
communicated to the audit committee. Other significant matters should be communicated
also.
3283.13 If the statements contain a representation that is unsubstantiated (e.g., that a related party
transaction was equivalent to an arm’s‐length transaction) with regard to related party
transactions, the auditor should issue a qualified or adverse opinion.
3284 Significant Recent Economic, Accounting, or Other Developments
3284.01 Risks relevant to financial reporting include external and internal events and circumstances
that may occur and adversely affect an entity’s ability to initiate, authorize, record, process,
and report financial data consistent with the assertions of management in the financial
statements.
3284.02 Risks can arise or change due to circumstances such as the following:
a. Changes in operating environment
b. New personnel
c. New or revamped information systems
d. Rapid growth
e. New technology
f. New business models, products, or activities
g. Corporate restructurings
h. Expanded foreign operations
i. New accounting pronouncements
3284.03 Recent events in the financial markets and the current economic environment may affect
companies’ operations and financial reporting and, in turn, may have implications for audits
of financial statements and internal control over financial reporting. Audit risks that may
have been identified previously may become more significant or new risks may exist due to
current events (e.g., those affecting the economy, credit, and liquidity). Among other things,
uncertainties in the market and economy may create questions about the valuation,
impairment, or recoverability of certain assets and the completeness or valuation of certain
liabilities reflected in financial statements.
3284.04 Circumstances arising from the economic environment may give rise to fraud risk factors
affecting the risk of material misstatement due to fraudulent financial reporting. The auditor
should consider situations such as these when assessing the risk of material misstatement
due to fraud:
a. Financial stability or profitability is threatened by economic, industry, or company
operating conditions.
b. Excessive pressure exists for management to meet the requirements or expectations of
third parties.
c. Information available indicates management or the board of directors’ personal
financial situation is threatened by the company’s financial performance.
d. Excessive pressure is placed on management or operating personnel to meet financial
targets set up by the board of directors or management, including sales or profitability
incentive goals.
3284.05 Internal and external factors that create risks should be identified by management as part of
the risk assessment component of internal control. The auditor should inquire about
business risks that management has identified and should consider whether they may result
in material misstatement of the financial statements and whether they may be “significant
risks” that require special audit consideration.
3284.06 During the audit, the auditor may identify business risks or risks of material misstatements in
the financial statements that management failed to identify. The auditor’s experience and
continuing education allow the auditor to identify economic trends affecting other similar
businesses as well as recent accounting pronouncements that are applicable to the entity;
management may not have been aware of these issues.
3285 Improper Revenue Recognition
3285.01 Due to the significant judgment involved in the interpretation of the accounting principles
surrounding revenue recognition and the accounting estimates often involved, the risk of
material misstatement may be greater for improper revenue recognition.
3285.02 In addition, material misstatements due to fraudulent financial reporting often result from
an overstatement of revenues (for example, through premature revenue recognition or
recording fictitious revenue) or an understatement of revenues (for example, through
improperly shifting revenues to a later period). Therefore, the auditor should ordinarily
presume that there is a risk of material misstatement due to fraud relating to revenue
recognition.
3285.03 The auditor should perform analytical procedures relating to revenue with the objective of
identifying unusual or unexpected relationships involving revenue accounts that may
indicate a material misstatement due to fraudulent financial reporting. Examples of these
procedures would be comparisons of sales volume to production capacity or a trend analysis
of revenues by month and sales returns by month shortly before and after year‐end to
indicate the existence of undisclosed agreements with customers to return merchandise.
3285.04 The auditor should develop auditing procedures based on the auditor’s understanding of the
entity and its environment, including the composition of revenues, specific attributes of the
revenue transactions, and unique industry considerations.
3285.05 If the auditor has not identified improper revenue recognition as a risk of material
misstatement due to fraud, the auditor should document the reasons supporting the
auditor’s conclusion.
Responding to the Risk of Material Misstatement Due to Improper Revenue
Recognition
3285.06 If the auditor identifies a risk of material misstatement due to fraud that involves improper
revenue recognition, the auditor may:
a. perform substantive analytical procedures relating to revenue using disaggregated data
(e.g., comparing revenue reported by month and by product line or business segment
this period with comparable prior periods).
b. confirm contract terms and the absence of side agreements with customers.
c. inquire about sales at the end of the period and the sales/marketing employees’
knowledge of any unusual terms or conditions.
d. physically observe shipment of goods at period‐end and perform sales and inventory
cutoff procedures.
e. test controls for the electronic processing of revenue transactions.
3286 Nonroutine or Complex Transactions
3286.01 Nonroutine transactions are those that are unusual, either due to size or nature, and that
therefore occur infrequently.
3286.02 Examples of nonroutine or nonsystemic transactions that may indicate a risk of material
misstatement would be intercompany transactions and large revenue transactions at period‐
end.
3286.03 Risks of material misstatement may be greater for risks relating to significant nonroutine
transactions arising from matters such as the following:
a. Greater management intervention to specify the accounting treatment
b. Greater manual intervention for data collection and processing
c. Complex calculations or accounting principles
d. The nature of nonroutine transactions, which may make it difficult for the entity to
implement effective controls over the risks
e. Significant related party transactions
This page intentionally left blank.
3310 Understanding Sufficient Appropriate Evidence
3320 Sampling Techniques
3330 Performing Specific Procedures to Obtain Evidence
3331 Analytical Procedures
3332 External Confirmations
3333 Inquiry of Management and Others
3334 Observation and Inspection
3335 Recalculation and Reperformance
3336 All Other Procedures
3340 Specific Matters That Require Special Audit Consideration
3341 Opening Balances
3342 Investments in Securities and Derivative Instruments
3343 Inventory and Inventory Held by Others
3344 Litigation, Claims, and Assessments
3345 An Entity’s Ability to Continue as a Going Concern
3346 Accounting Estimates, Including Fair Value Estimates
3350 Misstatements and Internal Control Deficiencies
3360 Written Representations
3370 Subsequent Events and Subsequently Discovered Facts
3371 Subsequent Events
3372 Subsequently Discovered Facts
3310 Understanding Sufficient Appropriate Evidence
Concept of Audit Evidence
3310.01 Audit evidence is all the information used by the auditor in arriving at the conclusions on
which the audit opinion is based and includes the information contained in the accounting
records underlying the financial statements and other information. Auditors are not
expected to examine all information that may exist.
3310.02 Accounting records generally include the records of initial entries and supporting records,
such as checks and records of electronic fund transfers; invoices; contracts; the general and
subsidiary ledgers, journal entries, and other adjustments to the financial statements that
are not reflected in formal journal entries; and records such as worksheets and spreadsheets
supporting cost allocations, computations, reconciliations, and disclosures.
3310.03 Management is responsible for the preparation of the financial statements based on the
accounting records of the entity. The auditor should obtain audit evidence by testing the
accounting records, for example, through analysis and review, reperforming procedures
followed in the financial reporting process, and reconciling related types and applications of
the same information.
3310.04 The sufficiency of audit evidence is measured by the quantity. Appropriateness is the
measure of the quality of audit evidence, that is, its relevance and its reliability in providing
support for the conclusions on which the auditor's opinion is based.
3310.05 The quantity of audit evidence needed is affected by the risk of misstatement (the greater
the risk, the more audit evidence is likely to be required) and also by the quality of such
audit evidence (the higher the quality, the less the audit evidence that may be required).
3310.06 The reliability of audit evidence is influenced by its source and by its nature and is
dependent on the individual circumstances under which it is obtained. Generalizations about
the reliability of various kinds of audit evidence can be made; however, such generalizations
are subject to important exceptions. While recognizing that exceptions may exist, the
following generalizations about the reliability of audit evidence may be useful:
a. Audit evidence is more reliable when it is obtained from knowledgeable independent
sources outside the entity.
b. Audit evidence that is generated internally is more reliable when the related controls
imposed by the entity are effective.
c. Audit evidence obtained directly by the auditor (for example, observation of the
application of a control) is more reliable than audit evidence obtained indirectly or by
inference (for example, inquiry about the application of a control).
d. Audit evidence is more reliable when it exists in documentary form, whether paper,
electronic, or other medium (written records are superior to oral representations).
e. Audit evidence provided by original documents is more reliable than audit evidence
provided by photocopies or facsimiles.
3310.07 The auditor ordinarily obtains more assurance from consistent audit evidence obtained from
different sources or of a different nature than from items of audit evidence considered
individually.
3310.08 The auditor may consider the relationship between the cost of obtaining audit evidence and
the usefulness of the information obtained. However, the matter of difficulty or expense
involved is not in itself a valid basis for omitting an audit procedure for which there is no
appropriate alternative.
Audit: Assess Risk of Material Misstatement
3310.09 In determining the nature, timing, and extent of audit procedures to be applied to a specific
account balance, class of transactions, or disclosure, the auditor should design audit
procedures to obtain reasonable assurance of detecting misstatements that the auditor
believes, based on the judgment about materiality, could be material, when aggregated with
misstatements in other balances, classes, or disclosures, to the financial statements taken as
a whole.
3310.10 The auditor should obtain audit evidence to draw reasonable conclusions on which to base
the audit by performing audit procedures to:
a. obtain an understanding of the entity and its environment, including its internal control,
to assess the risks of material misstatement at the financial statement and relevant
assertion levels. (Audit procedures performed for this purpose are referred to as risk
assessment procedures.)
b. test the operating effectiveness of controls in preventing or detecting material
misstatements at the relevant assertion level. (Audit procedures performed for this
purpose are referred to as tests of controls.)
c. detect material misstatements at the relevant assertion level. (Audit procedures
performed for this purpose are referred to as substantive procedures and include tests
of details or classes of transactions, account balances, and disclosures, and substantive
analytical procedures.)
3310.11 When the auditor’s risk assessment includes an expectation of the operating effectiveness of
controls, the auditor should identify and test those controls relevant to assertions associated
with substantive procedures to support the risk assessment.
3310.12 When the level of substantive procedures alone does not provide sufficient appropriate
audit evidence, the auditor should perform tests of controls to obtain audit evidence about
their operating effectiveness.
3310.13 The auditor should plan and should perform substantive procedures to be responsive to the
related assessment of the risk of material misstatement, which includes the results of tests
of controls, if any. The auditor’s risk assessment is judgmental, however, and may not be
sufficiently precise to identify all risks of material misstatement.
3310.14 The auditor should use one or more of the types of audit procedures described below. These
audit procedures, or combinations thereof, may be used as risk assessment procedures,
tests of controls, or substantive procedures, depending on the context in which they are
applied by the auditor. When the information is in electronic form, the auditor may carry out
certain of these audit procedures through computer‐assisted audit techniques (CAATs).
a. Inspection of records or documents. Consists of examining records or documents,
whether internal or external, in paper form, electronic form, or other media
b. Inspection of tangible assets. Consists of physical examination of the assets
c. Observation. Consists of looking at a process or procedure being performed by others
d. Inquiry. Consists of seeking information of knowledgeable persons, both financial and
nonfinancial, inside or outside the entity
e. Confirmation. A specific type of inquiry which involves obtaining a representation of
information or of an existing condition directly from a third party
f. Recalculation. Consists of checking the mathematical accuracy of documents or records
g. Reperformance. Involves the independent execution of procedures or controls that
were originally performed as part of the entity’s internal control, either manually or
through the use of CAATs
h. Analytical procedures. Consist of evaluations of financial information made by a study
of plausible relationships among both financial and nonfinancial data
Audit: Integrating Audits
3310.15 An auditor may be engaged to perform an audit of the effectiveness of internal control over
financial reporting that is integrated with an audit of financial statements for an entity that is
an issuer (publicly traded company).
3310.16 Regulation S‐K under the securities laws requires management to provide an annual report
on internal control over financial reporting. In this report, management must make
statements, or assertions, about the entity’s internal control. One of these statements is
whether or not the internal control over financial reporting is effective. Management’s
discussion must include disclosure of any material weaknesses in the entity’s internal
control.
3310.17 Management is not permitted to conclude that the entity’s internal control is effective if
there are one or more material weaknesses.
3310.18 With this report, the entity must include an attestation report from a public accounting firm
registered with the Public Company Accounting Oversight Board (PCAOB) (with certain
specific exceptions, based on the size and nature of the issuer). The attestation report
provides an opinion on the effectiveness of the entity’s internal control over financial
reporting. As issuers are required to have their financial statements audited as well, the
auditor integrates the two audits (audit of internal control over financial reporting and audit
of the financial statements).
3310.19 When planning and performing an audit of internal control over financial reporting, the
auditor should evaluate whether controls sufficiently address risks of material misstatement
due to fraud and controls intended to address risk of management override. Such controls
would include the following:
a. Controls over significant, unusual transactions, particularly late or unusual journal
entries
b. Controls over journal entries made at year‐end
c. Controls over related party transactions
d. Controls related to significant estimates
e. Controls that mitigate incentives for, and pressures on, management to falsify or
manage financial results
3310.20 In an integrated audit of internal control over financial reporting and the financial
statements, the auditor should design the testing of controls to accomplish the objectives of
both audits simultaneously:
a. to obtain sufficient evidence to support the auditor’s opinion on internal control over
financial reporting as of year‐end and
b. to obtain sufficient evidence to support the auditor’s control risk assessments for
purposes of the audit of financial statements.
3310.21 Obtaining sufficient evidence to support control risk assessments of low for purposes of the
financial statement audit ordinarily allows the auditor to reduce the amount of audit work
that otherwise would have been necessary to provide an opinion on the financial
statements.
3310.22 In some circumstances, particularly in audits of smaller and less complex companies, the
auditor might choose not to assess control risk as low for purposes of the audit of the
financial statements. In such circumstances, the auditor’s tests of the operating
effectiveness of controls would be performed principally for the purpose of supporting the
auditor’s opinion on whether the company’s internal control over financial reporting is
effective as of year‐end. The results of the auditor’s financial statement auditing procedures
also should inform the auditor’s risk assessments in determining the testing necessary to
conclude on the effectiveness of a control.
Audit: Evaluate Design and Operating Effectiveness of Controls
3310.23 The auditor should test the design effectiveness of controls by determining whether the
company’s controls, if they are operated as prescribed by persons possessing the necessary
authority and competence to perform the control effectively, satisfy the company’s control
objectives and can effectively prevent or detect errors or fraud that could result in material
misstatements in the financial statements.
3310.24 A smaller, less complex company might achieve its control objectives in a different manner
from a larger, more complex organization. For example, a smaller, less complex company
might have fewer employees in the accounting function, limiting opportunities to segregate
duties and leading the company to implement alternative controls to achieve its control
objectives. In such circumstances, the auditor should evaluate whether those alternative
controls are effective.
3310.25 Procedures the auditor performs to test design effectiveness include a mix of inquiry of
appropriate personnel, observation of the company’s operations, and inspection of relevant
documentation. Walkthroughs that include these procedures ordinarily are sufficient to
evaluate design effectiveness.
3310.26 The auditor should design sufficient tests of controls to obtain sufficient appropriate audit
evidence that the controls are operating effectively throughout the period of reliance.
Factors that the auditor may consider in determining the extent of tests of controls include
the following:
a. The frequency of the performance of the control by the entity during the period
b. The length of time during the audit period that the auditor is relying on the operating
effectiveness of the control
c. The relevance and reliability of the audit evidence to be obtained in supporting that the
control prevents, or detects and corrects, material misstatements at the relevant
assertion level
d. The extent to which audit evidence is obtained from tests of other controls related to
the relevant assertion
e. The extent to which the auditor plans to rely on the operating effectiveness of the
control in the assessment of risk (and thereby reduce substantive procedures based on
the reliance of such control)
f. The expected deviation from the control
3310.27 The auditor should test the operating effectiveness of a control by determining whether the
control is operating as designed and whether the person performing the control possesses
the necessary authority and competence to perform the control effectively.
3310.28 In some situations, particularly in smaller companies, a company might use a third party to
provide assistance with certain financial reporting functions. When assessing the
competence of personnel responsible for a company’s financial reporting and associated
controls, the auditor may take into account the combined competence of company
personnel and other parties that assist with functions related to financial reporting.
3310.29 When the risk assessment is based on an expectation that controls are operating effectively
to prevent or detect material misstatement, individually or when aggregated, at the relevant
assertion level, the auditor should perform tests of the controls that the auditor has
determined to be suitably designed to prevent or detect a material misstatement in the
relevant assertion to obtain audit evidence that the controls are operating effectively.
3310.30 The nature of the risks arising from a weak control environment is such that they are not
likely to be confined to specific individual risks of material misstatement in particular classes
of transactions, account balances, and disclosures. Rather, weaknesses such as
management’s lack of competence may have a more pervasive effect on the financial
statements and may require an overall response by the auditor.
3310.31 When the auditor has determined that it is not possible or practicable to reduce the risks of
material misstatement at the relevant assertion level to an acceptably low level with audit
evidence obtained only from substantive procedures, he or she should perform tests of
controls to obtain audit evidence about their operating effectiveness.
3310.32 Tests of the operating effectiveness of controls are performed only on those controls that
the auditor has determined are suitably designed to prevent or detect a material
misstatement in a relevant assertion.
3310.33 When performing tests of controls, the auditor should obtain audit evidence that controls
operate effectively. This includes obtaining audit evidence about how controls were applied
at relevant times during the period under audit, the consistency with which they were
applied, and by whom or by what means they were applied.
3310.34 Tests of the operating effectiveness of controls ordinarily include the same types of audit
procedures used to evaluate the design and implementation of controls (inquiry,
observation, inspection), and may also include reperformance of the application of the
control by the auditor. Since inquiry alone is not sufficient, the auditor should use a
combination of audit procedures to obtain sufficient appropriate audit evidence regarding
the operating effectiveness of controls.
3310.35 The timing of tests of controls depends on the auditor’s objective and determines the period
of reliance on those controls. If the auditor tests controls at a particular time, the auditor
only obtains audit evidence that the controls operated effectively at that time. However, if
the auditor tests controls throughout a period, the auditor should obtain audit evidence of
the effectiveness of the operation of the controls during that period.
3310.36 Audit evidence pertaining only to a point in time may be sufficient for the auditor’s purpose;
for example, when testing controls over the entity’s physical inventory counting at the
period end. However, if the auditor needs audit evidence of the effectiveness of a control
over a period, audit evidence pertaining only to a point in time may be insufficient and the
auditor should supplement those tests with other tests of controls that would relate to the
entire period.
3310.37 If, based on the understanding of the entity and its environment, the auditor plans to rely on
controls that have not changed since they were last tested, the auditor should test the
operating effectiveness of such controls at least once in every third audit (while a shorter
period of reliance may be necessary).
3310.38 The auditor may not rely on audit evidence about the operating effectiveness of controls
obtained in prior audits for controls that have changed since they were last tested or for
controls that mitigate a significant risk.
3310.39 In considering whether it is appropriate to use audit evidence about the operating
effectiveness of controls obtained in prior audits and, if so, the length of the time period that
may elapse before retesting a control, the auditor should consider:
a. the effectiveness of other elements of internal control, including the control
environment, the entity’s monitoring of controls, and the entity’s risk assessment
process.
b. the risks arising from the characteristics of the control, including whether controls are
manual or automated.
c. the effectiveness of IT general controls.
d. the effectiveness of the control and its application by the entity, including the nature
and extent of deviations in the application of the control from tests of operating
effectiveness in prior audits.
e. whether the lack of a change in a particular control poses a risk due to changing
circumstances.
f. the risk of material misstatement and the extent of reliance on the control.
3310.40 To reduce the extent of substantive procedures in an audit, the tests of controls performed
by the auditor need to be sufficient to determine the operating effectiveness of the controls
at the relevant assertion level and the level of planned reliance.
3310.41 Generally, IT processing is inherently consistent; therefore, the auditor may be able to limit
the testing to one or a few instances of the control operation. An automated control should
function consistently unless the program is changed. Once the auditor determines that an
automated control is functioning as intended, the auditor should perform tests to determine
that the control continues to function effectively.
3310.42 The more the auditor relies on the operating effectiveness of controls in the assessment of
risk, the greater is the extent of the auditor’s tests of controls. In addition, as the rate of
expected deviation from a control increases, the auditor should increase the extent of
testing of the control.
Accounting and Review Services
3310.43 In order to comply with the standards for compilation of financial statements of a nonissuer
(although the accountant expresses no assurance on such statements), the accountant
should:
a. obtain the required level of knowledge about the accounting principles and practices of
the industry in which the entity operates (in order to determine that the financial
statements are appropriate in form) and
b. gain a general understanding of the nature of the entity’s business transactions and
operations (to identify any obvious material errors, including inadequate disclosures).
3310.44 In order to express limited assurance that reviewed financial statements of a nonissuer need
no material modifications to be in conformity with GAAP (or other applicable financial
reporting framework), the accountant should obtain a reasonable basis for this conclusion
by:
a. making inquiries of management and other personnel,
b. performing analytical procedures, and
c. obtaining written representations from management.
3310.45 These review procedures are based on the accountant’s understanding of the industry in
which the client operates and the accountant’s knowledge of the entity. The accountant
should also consider the risk that the accountant may unknowingly fail to modify the review
reports that are materially misstated.
3310.46 The accountant should consider the reasonableness and consistency of management’s
responses to inquiry and other procedures in light of the results of other procedures and the
accountant’s knowledge. If information is deemed incomplete, inaccurate, or otherwise
misleading, the accountant should bring it to the attention of management for consideration
of the effect on the financial statements. The accountant should read the financial
statements and consider whether there are indications of material nonconformities with the
applicable financial reporting framework.
Review of Interim Financial Information of an Issuer
3310.47 To perform a review of interim financial information of an issuer, the accountant should
have sufficient knowledge of the entity's business and its internal control as they relate to
the preparation of both annual and interim financial information to:
a. identify the types of potential material misstatements in the interim financial
information and consider the likelihood of their occurrence.
b. select the inquiries and analytical procedures that will provide the accountant with a
basis for communicating whether he or she is aware of any material modifications that
should be made to the interim financial information for it to conform with the
applicable financial reporting framework.
Attestation Engagements
3310.48 In an examination or review, sufficient appropriate evidence should be obtained to provide a
reasonable basis for the conclusion associated with the nature of the engagement.
Sufficiency is a measure of the quantity of evidence, which is affected by risks and material
misstatement. Appropriateness is a measure of quality of evidence, such as relevance and
reliability.
3310.49 In a review engagement, generally inquiry and analytical procedures will provide a
reasonable basis for obtaining limited assurance. However, it may be appropriate to perform
additional procedures if information obtained differs significantly from that on which
planned procedures were based. In addition, analytical procedures may not be possible
when the subject matter is qualitative, rather than quantitative.
3310.50 In an examination engagement, the accountant may design and perform tests of controls to
obtain sufficient appropriate evidence about the operating effectiveness of relevant controls
in the following situations:
a. The accountant intends to rely on the operating effectiveness of controls to determine
the nature, timing, and extent of other procedures.
b. Procedures other than tests of controls cannot alone provide sufficient appropriate
evidence.
c. The subject matter is internal control.
3310.51 If deviations are noted when performing tests of controls to rely on operating effectiveness,
the accountant should make specific inquiries and perform other procedures as deemed
necessary in the circumstances.
3310.52 An examination will apply evidence concepts and guidelines similar to an audit of historical
financial information.
3320 Sampling Techniques
3320.01 Audit sampling is the application of an audit procedure to less than 100% of the items within
an account balance or class of transactions.
3320.02 There are two general approaches to audit sampling:
1. Nonstatistical
2. Statistical
Either approach, when properly applied, can provide sufficient appropriate audit evidence.
3320.03 The sufficiency of audit evidence is related to the design and size of an audit sample, among
other factors. The size of an audit sample necessary to provide sufficient appropriate audit
evidence depends on both the objectives and the efficiency of the sample. More efficient
samples achieve the same objective with a smaller sample size.
Uncertainty and Audit Sampling
3320.04 Audit risk, or ultimate risk, is a combination of the risk that material error will occur in the
accounting process by which the financial statements are developed, and the risk that any
material errors that occur will not be detected by the auditor.
3320.05 Audit risk includes both uncertainties due to sampling and uncertainties due to factors other
than sampling. These aspects of audit risk are as follows:
a. Sampling risk
b. Nonsampling risk (human error)
3320.06 Sampling risk arises from the possibility that when a test of controls or a substantive test is
restricted to a sample of balances or transactions, the auditor's conclusions about the
account balance or class of transactions may be different from the conclusions reached if the
test were applied in the same way to all items in the account balance or class of
transactions.
3320.07 For a sample of a specific design, sampling risk varies inversely with sample size—the smaller
the sample size, the greater the sampling risk.
3320.08 Nonsampling risk includes all the aspects of audit risk that are not due to sampling.
3320.09 Examples of nonsampling risk include the following:
a. Failure to properly define the audit population
b. Failure to define clearly the nature of an audit exception
c. Failure to recognize an error when one exists in the sample
d. Failure to evaluate sample findings properly
3320.10 Nonsampling risk can be reduced to a negligible level by adequate planning, supervision, and
quality control and review.
3320.11 The auditor should consider sampling risk whether nonstatistical or statistical sampling is
used and should apply professional judgment to assess this risk.
3320.12 There are two types of sampling risks that affect substantive testing:
1. The risk of incorrect acceptance (also called beta risk)
2. The risk of incorrect rejection (also called alpha risk)
3320.13 The risk of incorrect acceptance is the chance that the statistical evidence might support fair
statement of a materially misstated book value. The risk of incorrect acceptance is controlled
by adjusting the ratio of tolerable error (A) to materiality (M).
3320.14 The risk of incorrect rejection is the chance that the statistical evidence might fail to support
fair statement of a correct book value. This type of error usually results in testing additional
sample items. The risk of incorrect rejection is the complement of reliability specified when
calculating sample size—UR factor. The risk of incorrect rejection is controlled by decreasing
or increasing reliability.
Audit Evidence Indicates Client's Book Value is:
Fairly Stated Not Fairly Stated
Accept Risk of incorrect
Correct decision
acceptance
Reject Risk of incorrect
Correct decision
Rejection
3320.15 The auditor is also concerned with two aspects of sampling risk in performing tests of
controls:
1. The risk of assessing control risk too low (also called beta risk)
2. The risk of assessing control risk too high (also called alpha risk)
3320.16 The risk of assessing control risk too low is the risk that the assessed level of control risk
based on the sample is less than the true operating effectiveness of the control.
3320.17 The risk of assessing control risk too high is the risk that the assessed level of control risk
based on the sample is greater than the true operating effectiveness of the control.
Tests of Controls Sample Client's Internal Control Structure is:
Reliable Unreliable
Accept Risk of assessing
Correct decision
control risk too low
Reject Risk of assessing
Correct decision
control risk too high
3320.18 The risk of incorrect rejection and the risk of assessing control risk too high relate to the
efficiency of the audit. If the auditor’s evaluation of an audit sample leads to the initial
erroneous conclusion that a balance is materially misstated when it is not, the application of
additional audit procedures and consideration of other audit evidence would ordinarily lead
the auditor to the correct conclusion. Similarly, if the auditor assesses control risk too high,
additional substantive procedures will be performed to compensate for the high risk.
3320.19 The risk of incorrect acceptance and the risk of assessing control risk too low relate to the
effectiveness of the audit in detecting existing material misstatement.
Sampling in Substantive Tests of Detail
3320.20 When planning a particular sample for a substantive test of details, the auditor should
consider the following:
a. The relationship of the sample to the relevant audit objective
b. Preliminary estimates of materiality levels
c. The auditor's allowable risk of incorrect acceptance
d. Characteristics of items comprising the account balance or class of transactions to be
sampled (the population)
3320.21 The auditor should determine that the population from which the auditor draws the sample
is appropriate for the specific audit objective.
3320.22 The auditor should consider the tolerable error.
3320.23 When planning a sample for a substantive test of details, the auditor uses judgment to
determine which items, if any, in an account balance or transaction class should be
individually examined and which items should be subject to sampling. For those items for
which, in the auditor's judgment, acceptance of some sampling risk is not justified, the
auditor should examine each item.
3320.24 The auditor may be able to reduce the sample size required by separating items subject to
sampling into relatively homogeneous groups.
3320.25 To determine the number of items to be selected in a sample for a particular substantive
test of details, the auditor should consider:
a. the auditor’s assessment of the risk of material misstatement,
b. the assurance obtained from other substantive procedures directed at the same
assertion,
c. the tolerable misstatement,
d. the expected misstatement for the population,
e. the stratification of the population when performed, and
f. for some sampling methods, the number of sampling units in each stratum.
3320.26 Sample items should be selected in such a way that the sample can be expected to be
representative of the population.
3320.27 Auditing procedures that are appropriate to the particular audit objective should be applied
to each sample item.
3320.28 The auditor should project the error results of the sample to the items from which the
sample was selected and add that amount to the errors discovered in any items examined
100%. This total projected error should be compared with the tolerable error for the account
balance or class of transactions and appropriate consideration should be given to possible
sampling risk.
3320.29 In addition to the evaluation of the frequency and amounts of monetary misstatements,
consideration should be given to the qualitative aspects of the errors. These include the
following:
a. The nature and cause of misstatements, such as whether there are differences in
principles or in application, whether there are errors or fraud, or whether the
misstatements are due to misunderstanding of instructions or to carelessness
b. The possible relationship of the misstatements to other phases of the audit
3320.30 Projected error results for all audit sampling applications and all known errors from
nonsampling applications should be considered in the aggregate by the auditor when
evaluating whether the financial statements taken as whole may be materially misstated.
Sampling in Tests of Controls
3320.31 When planning a particular audit sample for a test of controls, the auditor should consider
the following:
a. The relationship of the sample to the objective of the test
b. The maximum rate of deviations from prescribed control procedures that would support
the planned reliance (the tolerable rate)
c. The auditor's allowable risk of assessing control risk too low
d. Characteristics of items comprising the accounting balance or class of transactions to be
sampled
3320.32 Sampling applies when the auditor needs to decide whether the rate of deviation from a
prescribed procedure is no greater than a tolerable rate. Risk assessment procedures
performed to obtain an understanding of internal control do not involve sampling. Sampling
generally is not applicable to tests of controls of the internal control when the tests depend
primarily on appropriate segregation of duties or otherwise provide no documentary
evidence of performance.
3320.33 When designing samples for tests of controls that leave an audit trail of documentary
evidence, the auditor should ordinarily plan to evaluate compliance in terms of deviations
from or compliance with pertinent control procedures.
3320.34 Pertinent control procedures are ones that, had they not been included in the design of the
system, would have affected adversely the auditor's preliminary evaluation of the internal
control.
3320.35 The auditor's overall evaluation of controls for a particular purpose involves combining
judgments about the prescribed controls, the sample results of tests of controls (the
deviations from the controls), and the degree of assurance provided by the sample and
other tests of controls.
3320.36 Because the test of controls is the primary source of evidence as to whether the procedure is
being applied as prescribed, the auditor should allow for a low level of risk of overreliance
(e.g., 5% or 10%) whether the auditor is using nonstatistical or statistical sampling.
3320.37 To determine the number of items to be selected for a particular sample for a test of
controls, the auditor should consider the:
a. tolerable rate of deviation from the controls being tested,
b. likely rate of deviations, and
c. allowable risk of assessing control risk too low.
The auditor applies professional judgment to relate these factors in determining the
appropriate sample size.
3320.38 Sample items should be selected in such a way that the sample can be expected to be
representative of the population. Ideally, the auditor should use a selection method that has
the potential for selecting items from the entire period under audit.
3320.39 Auditing procedures that are appropriate to achieve the objective of assessing control risk
should be applied to each sample item.
3320.40 When evaluating the results of the testing, the auditor should compare the deviation rate
from the sample to the tolerable rate for the population. If the deviation rate is less than the
tolerable rate, the auditor should consider the risk that such a result might be obtained even
though the true deviation rate for the population exceeds the tolerable rate for the
population.
3320.41 In addition to the frequency of deviations, consideration should be given to the qualitative
aspects of the deviations. These include:
a. the nature and cause of the deviations (are they due to fraud) and
b. the possible relationship of the deviations to the other phases of the audit.
3320.42 The auditor may design a sample that will be used for dual purposes—evaluating the design
effectiveness of a control (control testing) and performing a test of details (substantive
testing). The size of a sample designed for both purposes should be the larger of the samples
that would otherwise have been designed for the two separate purposes.
3320.43 The auditor should evaluate deviations from the prescribed control and monetary
misstatements separately. Misstatements that the auditor detects by performing
substantive procedures should be considered by the auditor as a possible indication of a
control failure when assessing the operating effectiveness of related controls.
Selecting a Sampling Approach
3320.44 Statistical sampling helps the auditor to do the following:
a. Design an efficient sample.
b. Measure the sufficiency of the audit evidence obtained.
c. Evaluate the sample results.
3320.45 Statistical sampling involves additional costs of training auditors and designing and selecting
individual samples to meet the statistical requirements.
3320.46 Because either nonstatistical or statistical sampling can provide sufficient appropriate audit
evidence, the auditor chooses between them after considering their relative cost and
effectiveness in the circumstances.
Definition of Statistical Sampling
3320.47 Statistical sampling: The use of a sampling plan in such a manner that the laws of probability
can be used to make statements about a population
3320.48 Nonstatistical sampling: Includes all samples that are not statistical, or any sampling plan
that does not meet all the rigorous requirements of statistical sampling
3320.49 For a sampling plan to be statistical, the following two requirements must be met:
1. The sample must be statistically selected (e.g., random number table selection).
2. Sample results must be mathematically evaluated.
Selected Statistical Terms Defined
3320.50 Mean: A measure of central tendency that is obtained by totaling all the values and dividing
by the number of items. The mean of a population is expressed symbolically as X . The mean
of a sample is expressed symbolically as X . To illustrate a sample mean calculation, assume
that a sample of 10 items was selected. The numeric values are as follows:
3320.51 Standard deviation: A widely used statistic that is employed to measure the extent to which
the values of the items are spread about the mean. To illustrate the calculation of the
standard deviation, the sample items selected to illustrate a sample mean calculation are
used.
(1) Computed in section 3320.50.
3320.52 Normal distribution: The distribution shown following is a normal distribution. An important
feature of this distribution is that the relative frequency of any interval be determined by
knowing only the mean X and the standard deviation (SD). The interval from X SD
contains 68% of the items; from X 1.96 SD contains 95% of the items; and from X 3 SD
contains 99% of the items.
3320.53 Central limit theorem: For large sample sizes (typically, 30 is a reasonable lower bound), the
distribution of sample means tends to be normally distributed, almost independently of the
shape of the original population. The fact that sample means from a lopsided accounting
population converge to a normal distribution is the reason why normal theory is useful in
accounting and auditing.
3320.54 Distribution of sample means: A distribution of sample means (means calculated from
repeated samples of the same size) has three properties:
1. The shape of the distribution is approximately normal if the sample size is large enough.
2. The distribution is centered at the population mean X .
3. The standard of error of the mean equals the estimated population standard deviation
(SD) divided by the square root of the sample size.
Types of Statistical Sampling Models
3320.55 There are two broad categories of statistical sampling—attribute (or proportional) and
variable (or quantitative) sampling.
3320.56 Attribute sampling: A term that is used to refer to two different but related types of
proportional sampling
1. Attribute sampling: A sampling plan that is used to estimate the rate (percentage) of
occurrence of a specific quality (attribute) in a population. Two common types of
attributes for which auditors test are correct account distributions and adequate
supporting documentation (see section 3320.82).
2. Discovery sampling: A sampling plan that is appropriate when the expected occurrence
rate is extremely low (near zero). Discovery sampling is used when the auditor desires a
specific chance of observing at least one example of an occurrence if the true rate of
occurrence is greater than expected (see section 3320.100).
3320.57 Variable or quantitative sampling, in contrast to attribute sampling, is employed when the
auditor wishes to estimate or test a client's book value.
3320.58 Attribute sampling is used primarily for tests of controls, whereas variable sampling is most
useful for substantive testing.
Advantages and Disadvantages of Statistical Sampling
3320.59 Statistical sampling allows the auditor to calculate the risk of reliance on the sample for
assessing control risk.
3320.60 Statistical sampling enables the auditor to make objective statements about the population
on the basis of the sample.
3320.61 In some cases, the cost of performing statistical sampling may exceed the benefits to be
derived—especially variable sampling applications that are not computerized.
3320.62 Whether or not statistical sampling should be used is a question that depends primarily on
professional judgment. The AICPA does not require that statistical sampling be used.
Professional Judgment in Statistical Sampling
3320.63 Statistical sampling does not eliminate professional judgment.
3320.64 The following areas illustrate the kinds of judgmental decisions an auditor must make when
using statistical sampling:
a. Population definition: The auditor must define the population in terms of its size, the
characteristics of significance to the audit, and what constitutes an error.
b. Sampling method: The auditor must determine the type of sampling method to be used
(e.g., attribute sampling, discovery sampling, variable sampling) and the most efficient
means of selecting the sample. In fact, to begin with, the auditor has to decide whether
to use nonstatistical or statistical sampling.
c. Selection technique: The auditor must decide which sampling selection process is to be
used (e.g., random number table selection, systematic selection).
d. Error analysis: Statistical sampling findings must be evaluated both quantitatively and
qualitatively. The primary input into the auditor's qualitative evaluation is professional
judgment and experience.
Random Number Tables
3320.65 A random, as opposed to an arbitrary or judgmental, selection offers the best chance that
the sample will be representative.
3320.66 A random number table is composed of randomly generated digits 0 through 9. Each digit
should appear in the table approximately the same number of times, and the order in which
they appear is random. Columns in the tables are purely arbitrary and otherwise
meaningless.
3320.67 Selected random numbers should be documented in audit workpapers by identifying each of
the following:
a. Correspondence: Relationship between population sampled and random number table
b. Route: Go up or down the columns—left or right. Any route desired can be selected as
long as it is consistently followed until all required numbers are drawn.
c. Starting point: Document row, column, digit starting position, as well as source (book)
and page number of starting point
d. Stopping point: Facilitates adding new sample items, if needed.
Probability‐Proportional‐to‐Size Sampling (Dollar Unit Sampling)
3320.68 In probability‐proportional‐to‐size (PPS) sampling, the strategy is to randomly select
individual dollars from a population and then audit the balances, transactions, or
documents—called logical units—that include the individual dollars selected.
3320.69 PPS sampling gives logical units with larger recorded dollar amounts more opportunity to be
selected than logical units with smaller recorded amounts. For example, if an entity has a
balance of $1.5 million in its accounts receivable account, the population size is 1.5 million
and an individual customer account balance of $90,000 has a 6% chance ($90,000
$1,500,000) of being selected.
3320.70 You must determine sample size in advance to use PPS. Thus, if the auditor has decided to
sample only 100 customer accounts from the accounts receivable balance of $1.5 million
described in section 3320.69 and to use systematic selection, the sampling interval is 15,000
($1,500,000 100). With one random start, you would select every fifteen‐thousandth dollar
in the population. Thus, every customer account with a balance of $15,000 or more will be
selected.
3320.71 In projecting the error rate in a PPS sampling plan to the population, the auditor would take
the ratio of the sampling interval to the recorded amount of the sampling unit and apply
that resulting ratio to the error found to exist in the sample. For example, using the numbers
from section 3320.70, if a sampling unit with a recorded amount of $3,000 was found to
have an audited amount of $2,600, the following projection of that error to the population
would be made. The sampling unit’s recorded amount is $3,000 and the sampling interval is
$15,000. Thus, the sampling unit is 1/5 ($3,000 $15,000) of the sampling interval. In this
case the error discovered by the auditor is $400 ($3,000 sampling unit - $2,600 audited
amount). This error projected to the population would be $2,000 ($400 5).
3320.72 The following advantages are generally associated with PPS sampling:
a. The use of PPS is not dependent on an estimate of the population standard deviation.
b. PPS automatically results in a stratified sample because items are selected in proportion
to their dollar values.
c. PPS systematic sample selection automatically identifies any item that is individually
significant if its value exceeds the sampling interval.
d. If the auditor expects no errors, PPS sampling will usually result in a smaller sample size
than the sample size that results from the use of classical variable sampling.
e. Because larger‐dollar‐value accounts have a higher probability of being selected,
overstatements are more likely to be detected than understatements. Thus, PPS
sampling is most appropriate when an auditor desires testing for material
overstatements.
Difference and Ratio Estimation
3320.73 In many areas of an audit, the auditor is aware of the recorded value and the audit value for
each value in a sample. When this is the case, the use of difference estimation is
appropriate. Difference estimation is an easy sampling method to use and normally results in
a smaller sample size than other methods.
3320.74 An example of the application of difference estimation is as follows. Assume that a sample
of 50 is drawn from a population of 500 items. Further assume that the mean of the
misstatements found in the sample was between $18 and $43 at the 95% confidence level.
Thus, the estimate of the error in the population falls between $9,000 and $21,500 (500
18 and 500 43). The auditor would then compare his or her tolerable error to the range
and if the tolerable error were greater than $21,500, the population would be acceptable.
However, if the tolerable error were less than $21,500, the auditor would conclude that the
population was unacceptable and would most likely expand audit procedures.
3320.75 Ratio estimation is similar to difference estimation except that the auditor determines the
ratio of misstatements in the audited values to recorded values and estimates the audited
balance by multiplying the recorded balance by the computed ratio.
3320.76 As an example of ratio estimation, assume that an auditor samples a population and finds
$24,000 of misstatements in the sample that has a recorded value of $320,000. Thus, the
ratio of misstatements in the sample is 7.5% ($24,000 $320,000). If the population from
which the sample was drawn totals $2,650,000, the projected misstatement in the
population is $198,750 (.075 $2,650,000). The auditor would then apply a calculation of
confidence limits to analyze the sample results and his or her confidence in the recorded
dollar amount of the population.
Stratified Sampling
3320.77 When a population is highly variable (large standard deviation), unstratified sampling may
produce excessively large variable sample sizes. Stratification increases efficiency because
each stratum has a relatively small standard deviation, and the weighted sum of standard
deviations is less than the standard deviation for the whole population.
3320.78 To stratify a variable sampling application, the following three rules must be followed:
1. Every population element (item) must belong to one and only one stratum.
2. There must be a tangible, specifiable difference that defines and distinguishes the
stratum.
3. The exact number of elements in each stratum must be known.
3320.79 In stratifying a population, one rule of thumb is to select stratum boundaries so that each
stratum contains approximately the same total dollars.
Factors Influencing Sample Size
3320.80 The following table, included in the appendix to AU‐C 530, describes certain factors that
influence sample sizes.
3320.81 This table is designed to be used in connection with tests of details in sample planning.
Factors Influencing Sample Size for a Substantive
Test of Details in Sample Planning
Related Factor
for Substantive
Factor Smaller Sample Size Larger Sample Size Sample Planning
a. Assessment of inherent risk Low assessed level of High assessed level of Allowable risk of
inherent risk inherent risk incorrect acceptance
b. Assessment of control risk Low assessed level High assessed level Allowable risk of
control risk control risk incorrect acceptance
c. Assessment of risk for other Low assessment of risk High assessment of risk Allowable risk of
substantive procedures associated with other associated with other incorrect acceptance
related to the same relevant substantive relevant substantive
assertion (including procedures procedures
substantive analytical
procedures and other
relevant substantive
procedures)
d. Measure of tolerable Larger measure of Smaller measure of Tolerable misstatement
misstatement for a specific tolerable misstatement tolerable misstatement
account
e. Expected size and frequency Smaller misstatements Larger misstatements or Assessment of
of misstatements or lower frequency higher frequency population
characteristics
f. Number of items in the Virtually no effect on sample size unless population is very small
population
g. Choice between statistical Sample sizes are comparable.
and nonstatistical sampling
Attribute Sampling
3320.82 Attribute sampling relates to the question of “How many?” Variable sampling relates to the
question, “How much?”
3320.83 Attribute sampling is used primarily by the auditor in testing compliance with the control
where the auditor desires to estimate the extent to which prescribed procedures are being
followed and/or the degree of clerical accuracy in an internal control.
3320.84 An attribute must be carefully defined before an auditor begins attribute sampling
execution. Defining an attribute is difficult and is a matter of professional judgment.
Considerable care must be exercised. For example, if the sampling unit is a check and the
audit test is concerned with whether or not a check is properly supported, one of the
attributes reviewed for proper support may be a receiving report. An error may be defined
as a check not supported by a properly signed receiving report. Disbursements for services
received (such as rent payments) are not typically supported by receiving reports. There are
two ways that the auditor may handle this problem. First, the attribute definition may be
structured so that checks selected relating to service acquisitions are excluded from the
population. A second way to address this problem is to define the attribute broadly as a
properly supported check with identification of what constitutes proper support.
3320.85 In an attribute sampling application, the auditor should make certain that the population
from which the samples are pulled is homogeneous. Homogeneity means that all the items
in the population must have similar characteristics.
Setting Reliability Levels and Tolerable Rates
3320.86 AU‐C 530 uses the concept of risk instead of reliability or confidence level. Risk is the
complement of reliability or confidence level.
The terms reliability level and confidence level are used interchangeably. Reliability refers to
the probability of being right in placing reliance on an effective internal accounting control
system. For example, if an auditor selects a 95% reliability level, the auditor has a 5% risk of
placing reliance on internal accounting control when the system is ineffective given a certain
tolerable rate. If the auditor decides that a 90% reliability level is acceptable, the auditor has
a 10% chance of accepting reliance given a certain tolerable rate when the auditor should
not.
3320.87 The complement of reliability (1.0 - Reliability) is the risk that the auditor will rely on the
control when, in fact, the control should not be relied on. This risk is referred to as the risk of
assessing control risk too low.
3320.88 According to many CPA firms, the minimum reliability level should be 90%. However, at least
95% reliability should be used if an attribute is critical to the scope of the remainder of the
audit. When evaluating internal accounting control attributes to determine the extent to
which audit tests can be limited, a high reliability level or low risk of overreliance should
generally be used.
3320.89 The maximum tolerable rate (MTR) on compliance deviations represents a critical value
established so that the possibility of deviations in excess of that rate would cause the auditor
to place less than full reliance (perhaps no reliance) on the control being evaluated.
According to many CPA firms, MTR should not exceed 10% if some reliance is being placed
on selected internal accounting control procedures. If substantial reliance is to be placed on
internal accounting control, an MTR of 5% or possibly lower would be reasonable.
3320.90 In an attribute sampling application, two deviation rates are generated. The first, the
maximum tolerable rate (MTR), is preset. The second, referred to as the projected rate, is
determined after the selected sample has been audited.
3320.91 If the projected rate is greater than the maximum tolerable rate (i.e., MTR is less than the
projected rate), the statistical evaluation indicates that the control should not be relied
upon. However, the auditor's qualitative error analysis may suggest otherwise.
3320.92 If the projected rate is less than or equal to the maximum tolerable rate (MTR), the
statistical evaluation indicates that the control may be relied on. However, because of the
nature of the few errors or deviations that did occur, the auditor's error analysis may suggest
no reliance on the control.
Attribute Sampling Tables
3320.93 The first table presented, Table 1, is used to determine sample size. Table 2 is used to
evaluate sample findings. These tables should be used if the auditor desires to project
statistically the sample findings. The estimated population occurrence rate is determined by
dividing the sample occurrences by the sample size.
3320.94 To determine sample size, the following four requirements must be predefined:
1. Establish the reliability level (or risk of overreliance).
2. Determine which table should be used based on reliability level desired. (To illustrate
how the tables are used, only one sample size table and one evaluation of results table
are presented.)
3. Estimate population occurrence rate in percentage.
4. Define the maximum tolerable rate.
Table 1
Determination of Sample Size: Reliability, 95%
Tolerable Rate
Expected
Population
Deviation Rate
(%) 2% 3% 4% 5% 6% 7% 8% 9% 10% 15% 20%
0.00 149(0) 99(0) 74(0) 49(0) 59(0) 42(0) 36(0) 32(0) 29(0) 19(0) 14(0)
0.25 236(1) 157(1) 117(1) 93(1) 78(1) 66(1) 58(1) 51(1) 46(1) 30(1) 22(1)
0.50 * 157(1) 117(1) 93(1) 78(1) 66(1) 58(1) 51(1) 46(1) 30(1) 22(1)
0.75 * 208(2) 117(1) 93(1) 78(1) 66(1) 58(1) 51(1) 46(1) 30(1) 22(1)
1.00 * * 156(2) 93(1) 78(1) 66(1) 58(1) 51(1) 46(1) 30(1) 22(1)
1.25 * * 156(2) 124(2) 78(1) 66(1) 58(1) 51(1) 46(1) 30(1) 22(1)
1.50 * * 192(3) 124(2) 103(2) 66(1) 58(1) 51(1) 46(1) 30(1) 22(1)
1.75 * * 227(4) 153(3) 103(2) 88(2) 77(2) 51(1) 46(1) 30(1) 22(1)
2.00 * * * 181(4) 127(3) 88(2) 77(2) 68(2) 46(1) 30(1) 22(1)
2.25 * * * 208(5) 127(3) 88(2) 77(2) 68(2) 61(2) 30(1) 22(1)
2.50 * * * * 150(4) 109(3) 77(2) 68(2) 61(2) 30(1) 22(1)
2.75 * * * * 173(5) 109(3) 95(3) 68(2) 61(2) 30(1) 22(1)
3.00 * * * * 195(6) 129(4) 95(3) 84(3) 61(2) 30(1) 22(1)
3.25 * * * * * 148(5) 112(4) 84(3) 61(2) 30(1) 22(1)
3.50 * * * * * 167(6) 112(4) 84(3) 76(3) 40(2) 22(1)
3.75 * * * * * 185(7) 129(5) 100(4) 76(3) 40(2) 22(1)
4.00 * * * * * * 146(6) 100(4) 89(4) 40(2) 22(1)
5.00 * * * * * * * 158(8) 116(6) 40(2) 30(2)
6.00 * * * * * * * * 179(11) 50(3) 30(2)
7.00 * * * * * * * * * 68(5) 37(3)
* Sample size is too large to be cost‐effective for most audit applications.
Note: This table assumes a large population.
Adapted and used with permission of the American Institute of Certified Public Accountants.
3320.95 To illustrate, assume that an auditor desires to verify the footings of 20,000 sales invoices.
The auditor desires a statistical sample that will give 95% confidence that not more than 5%
of the sales invoices are in error. The auditor estimates from previous experience that about
1.75% of the invoices are in error.
a. Estimated error rate = 1.75%
b. Maximum tolerable rate = 5%
c. Reliability level = 95%
d. The required sample (n) size is 153. This is determined by going down the 5% maximum
tolerable rate column in Table 1 until the expected error rate 1.75% or the next higher
number is located.
3320.96 In situations where the auditor does not know what the estimated error rate is (1.75%),
select a sample of 50 to estimate the population occurrence rate. To illustrate, if a sample of
50 is selected and one error is discovered for a given attribute, the estimated population
occurrence rate is (1/50), or 2%. Assuming the reliability level desired is 95% and the
maximum tolerable rate is 7%, the sample size from Table 1 is equal to 88.
3320.97 To evaluate sample findings, Table 2 is used. (To illustrate, consider the example from
section 3320.95 where the sample size was calculated to be 153.) If four occurrences are
found in the sample of 153, the projected rate is 6%. This is determined by the intersection
of the 150 sample size row with “4” errors.
Table 2
Statistical Sampling Results Evaluation: Reliability, 95%
Table for Compliance Tests
Upper Limits at 5% Risk of Overreliance
Actual Number Of Deviations Found
Sample 0 1 2 3 4 5 6 7 8 9 10
Size
25 11.3 17.6 * * * * * * * * *
30 9.5 14.9 19.6 * * * * * * * *
35 8.3 12.9 17.0 * * * * * * * *
40 7.3 11.4 15.0 18.3 * * * * * * *
45 6.5 10.2 13.4 16.4 19.2 * * * * * *
50 5.9 9.2 12.1 14.8 17.4 19.9 * * * * *
55 5.4 8.4 11.1 13.5 15.9 18.2 * * * * *
60 4.9 7.7 10.2 12.5 14.7 16.8 18.8 * * * *
65 4.6 7.1 9.4 11.5 13.6 15.5 17.4 19.3 * * *
70 4.2 6.6 8.8 10.8 12.6 14.5 16.3 18.0 19.7 * *
75 4.0 6.2 8.2 10.1 11.8 13.6 15.2 16.9 18.5 20.0 *
80 3.7 5.8 7.7 9.5 11.1 12.7 14.3 15.9 17.4 18.9 *
90 3.3 5.2 6.9 8.4 9.9 11.4 12.8 14.2 15.5 16.8 18.2
100 3.0 4.7 6.2 7.6 9.0 10.3 11.5 12.8 14.0 15.2 16.4
125 2.4 3.8 5.0 6.1 7.2 8.3 9.3 10.3 11.3 12.3 13.2
150 2.0 3.2 4.2 5.1 6.0 6.9 7.8 8.6 9.5 10.3 11.1
200 1.5 2.4 3.2 3.9 4.6 5.2 5.9 6.5 7.2 7.8 8.4
* Over 20%
Note: This table presents upper limits as percentages. This table assumes a large population.
Adapted and used with permission of the American Institute of Certified Public Accountants.
3320.98 Other error findings for the sample size of 150 are evaluated as follows:
Errors Discovered Projected Rate
0 = 2%
1 = 3.2%
2 = 4.2%
5 = 6.9%
10 = 11.1%
3320.99 Since the maximum tolerable rate was 5%, three or more errors would probably cause the
auditor to conclude that this aspect of internal accounting control should not be relied on.
Discovery Sampling
3320.100 Discovery sampling is used when the auditor believes that the population occurrence rate is
near zero. In case the occurrence rate is not zero, discovery sampling applications are
designed to yield a large enough sample size so that if the auditor is wrong, at least one
occurrence will be produced. Discovery sampling is a special case of attribute sampling.
3320.101 The following two conditions must exist before discovery sampling should be used:
1. Discovery sampling is used when the auditor's best judgment of the population
occurrence rate is 0% or near 0%.
2. In a discovery sampling application, the auditor is usually looking for a very critical
characteristic (e.g., payroll padding), which if discovered might be indicative of more
widespread fraud or serious errors in the financial statements.
3320.102 To properly frame a discovery sampling application, the following prerequisites must be
defined:
a. Characteristic to be evaluated
b. Reliability desired
c. Maximum tolerable occurrence rate
d. Definition and size of population
3320.103 To determine which table to use in a discovery sampling application, define the population
and its size. The population size determines which sample size table is appropriate.
3320.104 Table 3 is presented to illustrate how discovery sampling tables are used. Note that Table 3
is for population sizes between 2,000 and 5,000.
Table 3
Probability in Percentage of Including at Least One Occurrence
in a Sample for Population Between 2,000 and 5,000
Maximum Tolerable Occurrence Rate
Sample
.3% .4% .5% .6% .8% 1% 1.5% 2%
Size
50 14% 18% 22% 26% 33% 40% 53% 64%
60 17 21 26 30 38 45 60 70
70 19 25 30 35 43 51 66 76
80 22 28 33 38 48 56 70 80
90 24 31 37 42 52 60 75 84
100 26 33 40 46 56 64 78 87
120 31 39 46 52 62 70 84 91
140 35 43 51 57 68 76 88 94
160 39 48 56 62 73 80 91 96
200 46 56 64 71 81 87 95 98
240 52 63 71 77 86 92 98 99
300 61 71 79 84 92 96 99 99+
340 65 76 83 88 94 97 99+ 99+
400 71 81 88 92 96 98 99+ 99+
460 77 86 91 95 98 99 99+ 99+
500 79 88 93 96 99 99 99+ 99+
600 85 92 96 98 99 99+ 99+ 99+
700 90 95 98 99 99+ 99+ 99+ 99+
800 93 97 99 99 99+ 99+ 99+ 99+
900 95 98 99 99+ 99+ 99+ 99+ 99+
1000 97 99 99+ 99+ 99+ 99+ 99+ 99+
Adapted and used with permission of the American Institute of Certified Public Accountants.
3320.105 Assume that the auditor is examining a population of 4,500 payroll checks. The auditor
desires 95% reliability of seeing an example of payroll padding if 1% or more of the checks
are not payable to bona fide employees. To determine sample size, go down the 1% column
of Table 3 until the desired reliability (or the next reliability level if the one you are looking
for is not in the table) is located. The sample size is 300 (located across from 96% reliability).
3320.106 If no errors are discovered in the sample examined, the auditor can immediately state that
the sampling plan criteria has been achieved (i.e., the auditor can state that they are 96%
certain that the worst likely error rate in the population of payroll checks does not exceed
1%).
3320.107 If one or more errors are located, the statistical statement, “If no errors are discovered in
the sample examined, the auditor can immediately state that the sampling plan criteria has
been achieved (i.e., the auditor can state that they are 96% certain that the worst likely error
rate in the population of payroll checks does not exceed 1%),” cannot be made. No statistical
conclusion should be expressed. Expanded audit procedures should be applied. Perhaps
client employees under auditor supervision will examine every one of the remaining
population items.
3330 Performing Specific Procedures to Obtain Evidence
Substantive Procedures
3330.01 Substantive procedures are performed to detect material misstatements at the relevant
assertion level, and include tests of details of classes of transactions, account balances, and
disclosures and substantive analytical procedures. The auditor should plan and perform
substantive procedures to be responsive to the related assessment of the risk of material
misstatement.
3330.02 Regardless of the assessed risk of material misstatement, the auditor should design and
perform substantive procedures for all relevant assertions related to each material class of
transactions, account balance, and disclosure.
3330.03 The auditor’s substantive procedures should include the following audit procedures related
to the financial statement reporting system:
a. Agreeing the financial statements, including their accompanying notes, to the
underlying accounting records
b. Examining material journal entries and other adjustments made during the course of
preparing the financial statements
3330.04 Substantive procedures include tests of details and substantive analytical procedures.
Substantive analytical procedures are generally more applicable to large volumes of
transactions that tend to be predictable over time. Tests of details are ordinarily more
appropriate to obtain audit evidence regarding certain relevant assertions about account
balances, including existence and valuation.
3330.05 The auditor should plan substantive procedures to be responsive to the planned level of
detection risk. In some situations, the auditor may determine that performing only
substantive analytical procedures may be sufficient to reduce the planned level of detection
risk to an acceptably low level.
3330.06 The auditor’s determination as to the substantive procedures that are the most responsive
to the planned level of detection risk is affected by whether the auditor has obtained audit
evidence about the operating effectiveness of controls.
3330.07 The auditor should design tests of details responsive to the assessed risk with the objective
of obtaining sufficient appropriate audit evidence to achieve the planned level of assurance
at the relevant assertion level.
3330.08 The auditor should consider testing the controls, if any, over the entity’s preparation of
information to be used by the auditor in applying analytical procedures. When the controls
are effective, the auditor has greater confidence in the reliability of the information and,
therefore, in the results of analytical procedures.
3330.09 When substantive procedures are performed at an interim date, the auditor should perform
further substantive procedures or substantive procedures combined with tests of controls to
cover the remaining period that provide a reasonable basis for extending the audit
conclusions from the interim date to the period end.
3330.10 In deciding whether to perform substantive procedures at an interim date, the auditor
should consider such factors as:
a. the control environment and other relevant controls.
b. the availability of information at a later date that is necessary for the auditor’s
procedures.
c. the objective of the substantive procedure.
d. the assessed risk of material misstatement.
e. the nature of the class of transactions or account balance and relevant assertions.
f. the ability of the auditor to reduce the risk that misstatements that exist at the period
end are not detected by performing appropriate substantive procedures or substantive
procedures combined with tests of controls to cover the remaining period in order to
reduce the risk that misstatements that exist at the period end are not detected.
3330.11 If the auditor has identified risks of material misstatements due to fraud, the auditor’s
responses to address those risks may include changing the timing of audit procedures.
3330.12 If misstatements are detected in classes of transactions or account balances at an interim
date, the auditor should consider modifying the related assessment of risk and the planned
nature, timing, or extent of the substantive procedures covering the remaining period that
relate to such classes of transactions, or account balances, or the auditor may extend or
repeat such audit procedures at the period end.
3330.13 Regarding the extent of substantive procedures performed, the greater the risk of material
misstatement, the greater the extent of substantive procedures.
3330.14 In designing tests of details, the extent of testing is ordinarily thought of in terms of the
sample size, which is affected by the risk of material misstatement (planned level of
detection risk), tolerable misstatement, expected misstatement, and nature of the
population. AU‐C 530, Audit Sampling, contains guidance on the use of sampling and other
means of selecting items for testing.
3331 Analytical Procedures
Audit Engagements
3331.01 Analytical procedures consist of evaluations of financial information made by a study of
plausible relationships among both financial and nonfinancial data. A basic premise
underlying the application of analytical procedures is that plausible relationships among data
may reasonably be expected to exist and continue in the absence of known conditions to the
contrary. Analytical procedures are required to be applied at the overall review stage of the
audit, as well as at the initial planning stage. Analytical procedures performed in the overall
review stage of an audit may indicate a previously unrecognized risk of material
misstatement due to fraud. When these procedures identify an unusual or unexpected
relationship that may indicate the potential for fraud, the auditor should use judgment in
deciding on the extent of any additional procedures to be performed.
3331.02 The objective of analytical procedures used in the overall review stage of the audit is to
assist the auditor in assessing the conclusions reached and in the evaluation of the overall
financial statement presentation. The results of an overall review may indicate that
additional evidence may be needed. A wide variety of analytical procedures may be useful
for this purpose. The overall review would generally include reading the financial statements
and notes and considering:
a. the adequacy of evidence gathered in response to unusual or unexpected balances
identified in planning the audit or in the course of the audit, and
b. unusual or unexpected balances or relationships that were not previously identified.
3331.03 Analytical procedures involve comparisons of recorded amounts, or ratios developed from
recorded amounts, to expectations developed by the auditor. Examples of sources of
information for developing expectations include the following:
a. Financial information for comparable prior period(s) giving consideration to known
changes
b. Anticipated results (e.g., budgets or forecasts, including extrapolations from interim or
annual data)
c. Relationships among elements of financial information within the period
d. Information regarding the industry in which the client operates (e.g., gross margin
information)
e. Relationships of financial information with relevant nonfinancial information
3331.04 Analytical procedures also encompass the investigation of identified fluctuations and
relationships that are inconsistent with other relevant information or deviate significantly
from predicted amounts. This may include outputs from audit data analytic techniques (such
as reports and other visualizations) to determine relationships among variables and interpret
results.
3331.05 An analytical procedure might be scanning, which is the auditor’s use of professional
judgment to review accounting data to identify significant or unusual items and then to test
those items. This includes the identification of anomalous individual items within account
balances or other data, as well as searching for large or unusual items in the accounting
records (for example, nonstandard journal entries). Since the auditor tests the items
selected by scanning, the auditor obtains audit evidence about those items.
3331.06 In some cases, analytical procedures can be more effective or efficient than tests of details
for achieving particular substantive testing objectives. For some assertions, analytical
procedures are effective in providing the desired level of assurance.
3331.07 The expected effectiveness and efficiency of an analytical procedure in identifying potential
misstatements depends on, among other things:
a. the nature of the assertion,
b. the plausibility and predictability of the relationship,
c. the availability and reliability of the data used to develop the expectation, and
d. the precision of the expectation.
3331.08 Analytical procedures may be effective and efficient tests for assertions in which potential
misstatements would not be apparent from an examination of the detailed evidence or in
which detailed evidence is not readily available.
3331.09 Considerations for the auditor regarding plausibility and predictability of data include the
following:
a. Sometimes data appear to be related when they are not; the auditor should understand
the reasons that make relationships plausible.
b. The presence of an unexpected relationship can provide important evidence when
appropriately scrutinized.
c. As higher levels of assurance are desired from analytical procedures, more predictable
relationships are required to develop the expectation.
d. Relationships in a stable environment are usually more predictable than relationships in
a dynamic or unstable environment.
e. Relationships involving income statement accounts tend to be more predictable than
relationships involving only balance sheet accounts. (Income statement accounts
represent transactions over a period of time, whereas balance sheet accounts represent
amounts as of a point in time.)
f. Relationships involving transactions subject to management discretion are sometimes
less predictable.
3331.10 The reliability of the data used by the auditor to develop expectations should be appropriate
for the desired level of assurance from the analytical procedures. The following factors
influence the auditor’s consideration of the reliability of data for purposes of achieving audit
objectives:
a. Whether the data was obtained from independent sources outside the entity or from
sources within the entity
b. Whether sources within the entity were independent of those who are responsible for
the amount being audited
c. Whether the data was developed under a reliable system with adequate controls
d. Whether the data was subjected to audit testing in the current or prior year
e. Whether the expectations were developed using data from a variety of sources
3331.11 The expectation should be precise enough to provide the desired level of assurance that
differences that may be potential material misstatements, individually or when aggregated
with other misstatements, would be identified for the auditor to investigate. Expectations
developed at a detailed level generally have a greater chance of detecting misstatement of a
given amount than do broad comparisons. For example, monthly amounts will generally be
more effective than annual amounts. Comparisons by location or line of business will usually
be more effective than company‐wide comparisons.
3331.12 In planning the analytical procedures as a substantive test, the auditor should consider the
amount of difference from the expectation that can be accepted without further
investigation. This amount should be developed consistent with materiality levels and with
the consideration that a combination of misstatements in the specific account balances or
class of transactions could aggregate to an unacceptable amount.
3331.13 The auditor should evaluate significant unexpected differences and corroborate
management responses concerning these differences with other audit evidence. If a
difference cannot be explained, the auditor should design other audit procedures to
determine whether the difference is a likely misstatement.
3331.14 The auditor should document the following:
a. The expectation, where that expectation is not otherwise readily determinable from the
documentation of the work performed, and factors considered in its development
b. Results of the comparison of the expectation to the recorded amounts or ratios
developed from recorded amounts
c. Any additional auditing procedures performed in response to significant unexpected
differences arising from the analytical procedure and the results of such additional
procedures
Ratio Analysis
3331.15 Ratio analysis is the comparison of relationships between financial statement accounts
(between two periods or over time), the comparison of an account with nonfinancial data, or
the comparison of relationships between firms in an industry. Ratio analysis is most
appropriate when the relationship between accounts is fairly predictable and stable.
3331.16 Many different ratios are computed and used to analyze the operating characteristics of
enterprises, primarily by investors and creditors, both present and potential. Several of the
frequently encountered ratios are presented in the next paragraph in the illustration of the
Ratio Company, whose income statement (year 20X2) and balance sheets (years 20X1 and
20X2) are presented. The ratios are computed as of December 31, 20X2.
Ratio Company
Comparative Balance Sheets
At December 31, 20X1, and 20X2
12/31/X2 12/31/X1
Assets
Cash and marketable securities $ 250,000 $ 200,000
Net accounts receivable 200,000 100,000
Inventories 100,000 150,000
Total current assets 550,000 450,000
Net plant and equipment 400,000 450,000
Goodwill 100,000 100,000
$1,050,000 $1,000,000
Liabilities and Equities
Accounts payable $ 200,000 $ 150,000
Long‐term debt 450,000 500,000
Preferred stock, $100 par 100,000 100,000
Common stock, $10 par
(market price $17.00) 200,000 200,000
Retained earnings 100,000 50,000
$1,050,000 $1,000,000
Ratio Company Income Statement For Year Ended December 31, 20X2
Net sales (all credit) $1,000,000
Cost of goods sold ($25,000 depreciation) 600,000
Gross profit on sales $ 400,000
Selling and administrative expenses 225,000
Income from operations $ 175,000
Interest on long‐term debt 50,000
Income before taxes $ 125,000
Taxes, 40% 50,000
Net income $ 75,000
Dividends declared on common stock 10,000
Dividends declared on preferred stock 15,000
Net income to retained earnings $ 50,000
Net earnings per common share* $ 3
*(75,000 - 15,000) 20,000 shares = $3
Ratio Company Statement of Cash Flows For Year Ended December 31, 20X2
Cash flows from operating activities:
Cash received from customers $1,100,000
Cash paid to purchase inventory (675,000)
Cash paid for selling and administrative expenses (225,000)
Cash paid for interest (50,000)
Cash paid for taxes (50,000)
Net cash provided by operating activities $100,000
Cash from investing activities:
Cash paid for plant and equipment (75,000)
Cash from financing activities:
Proceeds from long‐term debt $50,000
Cash paid for dividends on common stock (10,000)
Cash paid for dividends on preferred stock (15,000)
Net cash provided by financing activities 25,000
Net increase in cash $ 50,000
Cash, beginning of 20X2 200,000
Cash, end of 20X2 $250,000
3331.17 These ratios should be understood in terms of the following:
a. Definition (i.e., how is the ratio computed?)
b. Significance (i.e., what does the ratio tell you?)
c. Limitations (i.e., what care should be taken in the use of the ratio?)
Ratios Used in Financial Statement Analysis
Ratio Definition Significance Computation Limitations
a. Current Current assets Measures ability to $550,000 = 2.75 Balance sheet account totals
ratio Current liabilities discharge currently $200,000 based on historical cost do not
maturing necessarily represent market
obligations from values. A sizable amount of the
existing current current asset total might be tied
assets up in inventory which is less
liquid. Implies liquidation of
assets and elimination of
liabilities (neither of which is
likely in a “going concern”).
3331.18 For analytical purposes, the ratios presented in this table can be grouped as follows:
a. Measures of liquidity (i.e., ability to meet current debt):
(1) Current ratio
(2) Quick ratio
(3) Inventory turnover
(4) Receivables turnover
(5) Cash from operating activities to current liabilities
b. Measures of return on investment:
(1) Total asset turnover
(2) Rate of return on total assets
(3) Return on common stockholders’ equity
(4) Price‐earnings ratio
(5) Dividend yield
(6) Profit margin on sales
(7) Payout ratio to common shareholders
c. Measures of solvency (i.e., long‐term financing and debt‐paying ability):
(1) Debt to equity ratio
(2) Equity ratio
(3) Times interest earned
(4) Book value per common share
(5) Cash flow per common share
(6) Cash from operating activities to net income
3331.19 Care must be taken in the use of ratios, as can be seen by the specific limitations stated
previously. In summary, several of the critical considerations of which one must be
continually mindful in ratio analysis include the following:
a. Accounting methods used to state assets, liabilities, stockholders’ equity, revenues, and
expenses are not necessarily designed to produce the most useful numbers for the
purposes for which the ratios are intended.
b. Differences in the underlying economic events, the types of enterprises involved, the
stage of development of enterprises, and other factors affect comparability between
enterprises.
c. Several ratios include the use of external market values of stock, which are influenced
by numerous variables over which management has little influence or control.
d. Management policy may influence many ratios.
Nonaudit Engagements
3331.20 No analytical procedures are expected to be performed in a preparation of financial
statements or compilation engagement, as no assurance is provided. Procedures for
conducting a review of financial statements generally are limited to analytical procedures,
inquiries, and other procedures that address significant accounting and disclosure matters
relating to the financial statements to be reported.
3331.21 For a review engagement, the accountant should design and perform analytical procedures
and make inquiries and perform other procedures, as appropriate, to obtain limited
assurance as a basis for reporting whether he or she is aware of any material modifications
that should be made to the financial statements for them to be in accordance with the
applicable financial reporting framework based on the accountant’s:
a. understanding of the industry.
b. knowledge of the entity.
c. awareness of the risk that the accountant may unknowingly fail to modify the
accountant’s review report on financial statements that are materially misstated.
3331.22 The accountant should focus the analytical procedures and inquiries in those areas where
the accountant believes there are increased risks of material misstatements.
3331.23 Analytical procedures involve the use of both financial and nonfinancial data, and include:
a. comparing financial information with statements for comparable prior periods, giving
consideration to known changes,
b. comparing recorded amounts, or ratios developed from recorded amounts, to
expectations developed by the accountant,
c. considering plausible relationships among both financial and, when relevant,
nonfinancial information, and
d. comparing disaggregated revenue data, as applicable.
3331.24 When designing analytical procedures, the accountant should consider the following:
a. Suitability of the analytical procedures
b. Reliability of the data from which the accountant’s expectation of recorded amounts or
ratios are developed, taking into account the source, comparability, nature, and
relevance of information available
c. Precision of the expectation to be appropriate to identify both individually and
aggregated material misstatements
d. Amount of any differences from expected values that are acceptable without further
investigation
3331.25 If analytical procedures performed identify fluctuations or relationships that are inconsistent
with other relevant information or that differ from expected values by a significant amount,
the accountant should investigate these differences by inquiring of management and
performing other procedures as necessary in the circumstances.
Review of Interim Financial Information of an Issuer
3331.26 Analytical procedures in reviewing interim financial information of an issuer should include
the following:
a. Comparing quarterly interim financial information with comparable information for the
immediately preceding interim period and the quarterly and year‐to‐date interim
financial information with the corresponding periods in the previous year, giving
consideration to known changes
b. Comparing plausible relationships among both financial and, where relevant,
nonfinancial information
c. Comparing recorded amounts, or ratios developed from recorded amounts, to
expectations developed by the accountant
d. Comparing disaggregated revenue data; for example, comparing revenue reported by
month and by product line or operating segment during the current interim period with
that of comparable prior periods
Attestation Engagements
3331.27 In either a review or examination in accordance with attestation standards, when designing
and performing analytical procedures in response to assessed risks, the accountant should:
a. determine the suitability of the particular analytic procedure for the subject matter,
taking into account the assessed risk of material misstatement and any related tests of
details.
b. evaluate the reliability of data from which the accountant’s expectation is developed,
taking into account the source comparability, nature, and relevance of information
available and controls over their preparation.
c. develop an expectation which is sufficiently precise to identify possible misstatements.
3331.28 If analytical procedures identify fluctuations or relationships that are inconsistent with other
relevant information or that differ significantly from expected quantities or ratios, the
accountant should investigate by inquiring of responsible parties, obtaining additional
evidence, and/or performing other procedures, as deemed necessary in the circumstance.
3332 External Confirmations
3332.01 Confirmation is a specific type of inquiry (an audit procedure for obtaining audit evidence). It
is the process of obtaining a representation of information or of an existing condition
directly from a third party. Confirmations are also used to obtain audit evidence about the
absence of certain conditions.
3332.02 Confirmations provide audit evidence that has been obtained from knowledgeable
independent sources outside the entity. Therefore, confirmations are generally more reliable
evidence about assertions made by management.
3332.03 Confirmations should be tailored to specific audit objectives. Confirmation requests may
address one or more of the following five assertions: existence/occurrence, completeness,
rights/obligations, valuation/allocation, and presentation/disclosure. However,
confirmations do not address all assertions equally well. When obtaining evidence for
assertions not adequately addressed by confirmations, auditors should consider other
auditing procedures.
3332.04 The auditor should exercise an appropriate level of professional skepticism throughout the
confirmation process. Professional skepticism is important in designing the confirmation
request, performing the confirmation procedures, and evaluating the results of the
confirmation process.
3332.05 The confirmation process involves the following:
a. Selecting the items for which confirmations are to be requested
b. Designing the confirmation request
c. Communicating the confirmation request to the appropriate third party
d. Obtaining the response from the third party
e. Evaluating the information, or lack thereof, provided by the third party about the audit
objectives, including the reliability of that information
3332.06 Confirmations are frequently used in relation to account balances and their components but
need not be restricted to these items. The most common confirmations are for cash and
liability balances (with the bank) and for accounts receivable (with customers).
3332.07 Unusual or complex transactions may be associated with high levels of inherent and control
risk. If the entity has entered into an unusual or complex transaction and the combined
assessed level of inherent and control risk is high, the auditor should consider confirming the
terms of the transaction with the other parties in addition to examining documentation held
by the entity.
3332.08 There are two types of confirmation requests: positive and negative.
3332.09 The positive confirmation requires a response from the recipients. Some positive forms
request that the recipient indicate agreement with an amount; others (blank forms) ask the
recipient to fill in the balance or furnish other information.
3332.10 The risk with positive confirmations that have amounts printed for the recipients to confirm
is that the recipient will merely sign without verifying that the information is correct.
3332.11 Blank positive confirmations provide a greater degree of assurance, but there is a higher
probability that the forms will not be returned because of the additional effort required on
the part of the recipient. Positive confirmations provide audit evidence only when the
responses are received from the recipients.
3332.12 The auditor should generally follow up with a second and sometimes a third request to those
parties from whom replies have not been received.
3332.13 When the auditor has not received replies to positive confirmation requests, the auditor
should apply alternative procedures (see accompanying flowchart in section 3332.23). The
omission of alternative procedures may be acceptable:
a. when the auditor has not identified unusual qualitative factors or systematic
characteristics related to the nonresponses or
b. when testing for overstatement of amounts, the nonresponses in the aggregate, when
projected as 100% misstatements to the population and added to the sum of all other
unadjusted differences, would not affect the auditor’s decision about the
reasonableness of the account.
3332.14 The negative confirmation requests the recipient to respond only if he or she disagrees with
the information stated on the request.
3332.15 Negative confirmation requests should be used to reduce audit risk to an acceptable level
only when:
a. the combined assessed level of inherent and control risk is low,
b. a large number of small balances is involved,
c. the auditor has no reason to believe that the recipients of the requests are unlikely to
give them consideration, and
d. a low exception rate is expected.
3332.16 Returned negative confirmations may provide evidence about the financial statement
assertions; however, unreturned negative confirmations rarely provide significant evidence
concerning financial statement assertions.
3332.17 In determining the effectiveness and efficiency of confirmation requests, the auditor may
consider information from prior years’ audits or audits of similar entities.
3332.18 When designing confirmation requests, the auditor should consider the types of information
respondents will be readily able to confirm. The auditor’s understanding of the client’s
arrangements and transactions with third parties is key to determining the information to be
confirmed.
3332.19 The auditor should direct the confirmation request to a third party the auditor believes is
knowledgeable about the information to be confirmed.
3332.20 During the confirmation process, the auditor should maintain control over the confirmation
requests and responses. Maintaining control means establishing direct communication
between the intended recipient and the auditor. The need to maintain control does not
preclude the use of internal auditors in the confirmation process. All responses should be
sent directly to the auditor and not to the client.
3332.21 Sometimes the auditor will receive a reply that is other than a written communication
mailed directly to the auditor (fax, e‐mail, oral, or other electronic means). The auditor
should take steps to verify the validity of the response (confirmation of the source of the
information). Any oral responses should be noted in the workpapers, but oral responses are
considered alternative evidence to external confirmation (since they are not received in
writing).
3332.22 Confirmation of trade accounts receivable is a generally accepted auditing procedure. Thus,
there is a presumption that the auditor will request the confirmation of accounts receivable
during an audit unless one of the following is true (AU‐C 330.20):
a. Accounts receivable are immaterial.
b. The use of confirmations would be ineffective.
c. The auditor's combined assessed level of inherent and control risk is low, and the
assessed level, in conjunction with the evidence expected to be provided by analytical
procedures or other substantive tests of details, is sufficient to reduce audit risk to an
acceptably low level for the applicable financial statement assertions. In many
situations, both confirmation of accounts receivable and other substantive tests of
details are necessary to reduce audit risk to an acceptably low level for the applicable
financial statement assertions.
3332.23 An auditor who has not requested confirmations of accounts receivable should document
how this presumption was overcome.
3333 Inquiry of Management and Others
Audit Engagements
3333.01 Although much of the information the auditor obtains by inquiry can be obtained from
management and those responsible for financial reporting, inquiries of others within the
entity, such as production and internal audit personnel, and other employees with different
levels of authority, may be useful in providing the auditor with a different perspective in
identifying risks of material misstatement.
3333.02 Those charged with governance may help the auditor understand the environment in which
the financial statements are prepared.
3333.03 Internal auditors may assist the auditor in understanding the design and effectiveness of the
entity’s internal control and whether management has satisfactorily responded to any
findings from these activities.
3333.04 Employees involved in initiating, authorizing, processing, or recording complex or unusual
transactions may help the auditor evaluate the appropriateness of the selection and
application of certain accounting policies.
3333.05 In‐house legal counsel may relay information pertaining to such matters as litigation,
compliance with laws and regulations, knowledge of fraud or suspected fraud affecting the
entity, warranties, post‐sales obligations, arrangements (such as joint ventures) with
business partners, and the meaning of contract terms.
3333.06 Marketing, sales, and production personnel may discuss matters such as changes in the
entity’s marketing strategies, sales trends, production strategies, or contractual
arrangements with the entity’s customers.
3333.07 Auditors should use professional judgment to determine the method of documenting these
discussions.
Nonaudit Engagements (Review Engagements Only)
3333.08 For review engagements, the accountant should inquire of members of management who
have responsibility for the financial statements about:
a. whether the financial statements have been prepared and fairly presented in
accordance with the applicable financial reporting framework consistently applied.
b. unusual or complex situations that may have an effect on the financial statements.
c. significant transactions occurring or recognized during the period, particularly those in
the last several days of the period.
d. the status of uncorrected misstatements identified during the previous review.
e. matters about which questions have arisen in the course of applying the review
procedures.
f. material subsequent events.
g. its knowledge of fraud, suspected fraud, or allegations of fraud.
h. any noncompliance (or suspected noncompliance) with laws and regulations.
i. significant journal entries, other adjustments, and assumptions made by management.
j. communications from regulatory agencies, if any.
k. related party transactions.
l. any litigation, claims, and assessments that existed at the date of the balance sheet up
to the time of management’s response to the accountant’s inquiry.
m. actions taken at board of director or stockholder meetings that may affect the financial
statements.
n. any other relevant matters.
3333.09 The accountant should consider the reasonableness and consistency of management’s
responses in light of the results of other review procedures and the accountant’s knowledge
of the entity’s business. The accountant is not required to corroborate management’s
responses with other evidence.
3334 Observation and Inspection
3334.01 Inspection, or examination, of tangible assets may provide appropriate audit evidence with
respect to the assets’ existence, but not necessarily about the entity’s rights and obligations
or the valuation of the assets.
3334.02 Inspection of individual items ordinarily accompanies the observation of inventory counting.
For example, when observing an inventory count, the auditor may inspect individual
inventory items (such as opening containers included in the inventory count to ensure that
they are not empty) to verify their existence.
3334.03 Observation of inventory is a generally accepted auditing procedure. Unless otherwise
satisfied regarding the inventory through alternate procedures, it will always be necessary
for the auditor to make, or observe, some physical counts of the inventory and apply
appropriate tests of intervening transactions.
3334.04 As of the balance sheet date (or as of a single date within a reasonable time before or after
the balance sheet date), the auditor should be present at the time of count and, by suitable
observation, tests, and inquiries, be satisfied regarding the effectiveness of the methods of
inventory taking and the measure of reliance which may be placed upon the client’s
representations about the quantities and physical condition of the inventories.
3334.05 The observation should be coupled with inspection of the records of any client’s counts and
procedures relating to the physical inventory on which the balance sheet inventory is based.
3334.06 If an auditor is asked to audit financial statements that cover the current period and one or
more periods for which the auditor has not observed or made some physical counts of
inventory, the auditor may be able to become satisfied regarding the inventory through
appropriate procedures such as tests of prior transactions, reviews of the records of prior
counts, or the application of gross profit tests (provided the auditor has been above to
become satisfied as to the current inventory). Otherwise, an audit report modification may
be required.
3335 Recalculation and Reperformance
3335.01 The CPA should perform tests of the accounting records. These tests may be of balances or
of transactions. For example, the CPA may want to verify the beginning and ending inventory
and test a sample of debit entries (purchases and purchase returns) and credit entries
(shipments and sales).
3335.02 Testing of the accounting records can involve vouching to underlying documents or retracing
bookkeeping entries. In making these tests, the direction of the test is important. For
example, to vouch from the source document to the entry in the journal tests the objective
“all transactions are recorded.” To vouch from the journal to the source document tests the
objective “all recorded entries have proper documentation.”
3335.03 Tests may also be directed primarily toward a particular type of error. For example, tests of
receivables are primarily for overstatements, and tests of payables are primarily for
understatements.
3335.04 The accountant should design tests of details responsive to the assessed risk with the
objective of obtaining sufficient appropriate audit evidence to achieve the planned level of
assurance at the relevant assertion level.
3335.05 In designing substantive procedures related to the existence or occurrence assertion, the
accountant should select from items contained in a financial statement amount and should
obtain the relevant evidence.
3335.06 On the other hand, in designing procedures related to the completeness assertion, the
accountant should select from evidence indicating that an item should be included in the
relevant financial statement amount and should investigate whether that item is so
included.
3335.07 This section provides examples of audit procedures that could be performed to provide audit
evidence using inspection, observation, inquiry, confirmation, recalculation, reperformance,
and analytical procedures. The examples are not intended to be all‐inclusive, nor is it
expected that all of the procedures would be applied in an audit. The particular substantive
procedures to be used in each circumstance depend on the auditor’s risk assessments and
tests of controls.
3335.08 Cash
Examples of Substantive Procedures Illustrative Assertions
Test cash transactions as follows: Accuracy
a. Foot cash journals. “Have all entries regarding cash posted
b. Trace postings to ledger accounts. accurately?”
c. Agree details of bank deposits to client Occurrence
records. “Did cash transactions actually occur at the
d. Reconcile bank activity for one or two bank?”
months with cash account activity. Completeness
e. Verify cash transactions in one or more “Have all entries from journals posted to
expense accounts. the general ledger?”
Count all cash on hand with custodian Existence
present. “Does the cash on the balance sheet really
exist?”
Verify cutoff of cash receipts and cash Cutoff
disbursements. “Are transactions recorded in the correct
accounting period?”
Confirm amounts on deposit with banks. Existence
“Do these accounts exist?”
Rights and obligations
“Does the entity have the rights to these
amounts (are they accounts that belong to
them and not to a subsidiary/shareholder,
etc.)?”
Completeness
“Does the bank have any additional
accounts that are not listed on their
financial statements?”
Valuation
“Are the cash accounts stated at the correct
amount?”
Prepare four‐column bank reconciliation as Completeness
follows: “Have all transactions from the bank been
a. Trace checks to cash disbursement. recorded in the financial records?”
b. Account for all checks. Occurrence
c. Review deposits. “Did the transactions in the financial
d. Review outstanding checks beginning records actually occur at the bank?”
and end. Cutoff
e. Investigate NSF checks and other “Are the outstanding checks on the bank
unusual items. reconciliation at period‐end reflected in the
correct accounting period?”
Obtain bank cutoff statements 10 to 15 Existence
days after year‐end. “Were outstanding checks at period‐end for
actual expenses (as evidenced by the
clearing of the check after year‐end on the
bank statement)?”
Trace all bank transfers—be alert for Valuation
kiting.* “Are the cash accounts stated at the correct
amount?”
Examples of Substantive Procedures Illustrative Assertions
* Kiting involves manipulating the float time between banks. If money shows up in one
bank account but has not yet come out of another, the cash is technically available in two
bank accounts. The cash accounts would be overstated. Current electronic clearing of
checks serves to make this float time negligible.
Determine balance sheet presentation Valuation‐disclosures
(restrictions, cash in foreign or closed “Is cash presented correctly with any
banks). necessary disclosures?”
3335.09 Marketable Securities and Investment Revenue
Examples of Substantive Procedures Illustrative Assertions
Examine securities on hand with custodian Existence
present (simultaneously with cash, “Do the securities on the balance sheet
compare serial numbers with records). really exist?”
Confirm securities in possession of others. Existence
“Do these securities exist?”
Rights and obligations
“Does the entity have the rights to these
securities (do they truly own them)?”
Completeness
“Are there any other securities that are not
listed on the financial statements?”
Verify purchases and sales of securities Occurrence
during the year. “Did purchases and sales actually occur?”
Perform cutoff review. Cutoff
“Are securities and investment revenue
reflected in the correct accounting period?”
Verify gain or loss on security transactions. Occurrence
“Did the gain or loss in the financial
statements actually occur?”
Accuracy
“Were the gain or loss transactions
recorded accurately?”
Valuation
“Does the value of the securities reflect any
gain or loss during the year (if applicable)?”
Recalculate dividend and interest income. Valuation
“Is the value of the dividend and interest
income in the financial statements
reasonable?”
Determine proper accounting methods. Valuation
“Are the securities recorded at the proper
value, based on the correct accounting
treatment?”
Classification
“Are the securities classified correctly on
the financial statements?”
Investigate investments in related parties. Completeness—disclosure
“Are all of the required disclosures
regarding related parties present?”
Examples of Substantive Procedures Illustrative Assertions
Determine market value. Valuation
“Are the securities recorded at market
value (if applicable)?”
Determine financial statement Valuation—disclosure
presentation (at fair value, pledged). “Are the securities recorded at their proper
value?”
Classification—disclosure
“Are the securities classified correctly on
the financial statements?”
3335.10 Accounts Receivable and Revenues
Examples of Substantive Procedures Illustrative Assertions
Test revenue and receivables transactions Accuracy
as follows: “Have all entries regarding sales and
a. Examine a sample of sales transactions. accounts receivable posted accurately?”
b. Compare a sample of sales invoices and Rights and obligations
shipping documents. “Are postings supported by
c. Test a sample of sales invoices for documentation?”
clerical accuracy. “Does the entity have rights to these
d. Examine a sample of credit memoranda. receivables?”
e. Examine a sample of cash discounts. Occurrence
f. Vouch a sample of cash register tapes “Did sales and returns actually occur?”
and sales invoices to the sales journal. Completeness
g. Foot the sales journal. “Have all entries from journals posted to
h. Trace a sample of postings from the the general ledger?”
sales journal to the accounts receivable
ledger.
Prepare aging of accounts receivable. Valuation
“Is accounts receivable recorded at its net
realizable value?”
Occurrence
“Does an unusually large amount of sales at
year‐end indicate that the sales may be
fictitious?”
Review adequacy of allowance for bad Valuation
debts and bad debt expense. “Is accounts receivable recorded at its net
realizable value?”
Reconcile subsidiary ledger to control Completeness
accounts. “Is all information in the individual
customer accounts reflected in the control
accounts?”
Accuracy
“Do the control accounts accurately reflect
individual customer balances?”
Existence
“Are there any entries in the control
accounts that did not come from a
customer subsidiary ledger (and therefore
may not exist)?”
Examples of Substantive Procedures Illustrative Assertions
Confirm accounts receivable—positive and Existence
negative. “Do these receivables exist?”
Rights and obligations
“Does the entity have the rights to these
receivables (does the customer
acknowledge they are owed)?”
Completeness
“Are there any other receivables that are
not listed on their financial statements?”
(positive, blank confirmations)
Valuation
“Are the receivables valued at the correct
amount?”
Review collections subsequent to year‐end. Existence
“Did the receivables at year‐end exist (as
reflected by their payment after year‐
end)?”
Valuation
“Were the receivables at year‐end valued
correctly (as evidenced by the collection of
the same amount)?”
Perform cutoff review—vouch sales Cutoff
transactions before and after year‐end and “Are sales and receivables recorded in the
examine sales returns. correct accounting period?”
Review receivables from related parties. Completeness—disclosure
“Are all of the required disclosures
regarding related parties present?”
Inquire as to restrictions. Completeness—disclosure
“Are all of the required disclosures
regarding restrictions present?”
Review write‐offs of accounts receivable. Valuation
“Were the write‐off amounts
substantiated?”
Perform analytical review—gross profit. Valuation
“Is the amount reasonable, based on other
known factors?”
Determine financial statement Completeness and Accuracy—disclosure
presentation (current, nontrade, pledged, “Are all disclosures present that should be?
or assigned, repaid loans to insiders, Are the disclosures fair and at appropriate
installment). amounts?”
Classification—disclosure
“Are the accounts classified correctly?”
3335.11 Notes Receivable and Interest Income
Examples of Substantive Procedures Illustrative Assertions
Perform account analysis. Valuation
“Do the amounts seem reasonable, based
on known facts?”
Confirm notes receivable. Existence
“Do these notes exist?”
Rights and obligations
“Does the entity have the rights to collect
these notes (does the debtor acknowledge
they are owed)?”
Valuation
“Are the notes valued at the correct
amount?”
Inspect notes. Existence
“Does the entity have documentation that
supports the existence of these notes?”
Rights and obligations
“Does the documentation show that the
entity is owed this money?”
Valuation
“Is the amount on the physical note (and
corresponding amortization schedule)
reflected correctly in the financial
statements?”
Evaluate collectability. Valuation
“Is the note recorded at realizable value?”
“Should all or part of the note be written
off?”
Review subsequent collections. Existence
“Did the note amounts at year‐end exist (as
reflected by their payment after year‐
end)?”
Valuation
“Were the notes at year‐end valued
correctly (as evidenced by the collection of
the same amount)?”
Inquire as to discounted notes and other Completeness—disclosure
restrictions leading to contingent liabilities. “Are all of the required disclosures
regarding restrictions present? Are there
any contingent liabilities that need to be
disclosed?”
Recalculate interest income. Valuation
“Is the value of the interest income in the
financial statements reasonable?”
Determine financial statement Completeness and Accuracy—disclosure
presentation (restrictions, insiders, “Are all disclosures present that should be?
contingent liabilities). Are the disclosures fair and at appropriate
amounts?”
3335.12 Inventories and Cost of Goods Sold
Examples of Substantive Procedures Illustrative Assertions
Test a sample of transactions as follows: Completeness
a. Compare a sample of purchase “Are the inventory listings accurately
requisitions, purchase orders, receiving compiled, and are the totals properly
reports, and vendors’ invoices. included in the inventory accounts?”
b. Test and evaluate cost accounting Rights and obligations
system. “Do the inventories exclude items billed to
customers or owned by others?”
Valuation and allocation
“Are inventories properly stated at cost?”
Participate in planning of physical Existence
inventory. “Do the inventories included in the balance
sheet physically exist?”
Observe the taking of physical inventory as Existence
follows: “Do the inventories included in the balance
a. Make test counts. sheet physically exist?”
b. Trace test counts to inventory sheets.
c. Trace test counts to perpetual inventory
records.
d. Verify all inventory tagged.
e. Test clerical accuracy of inventory
sheets and perpetual records.
Review cutoff receiving reports and Completeness
invoices, look for F.O.B. shipping point. “Do inventory listings include the proper
amounts?”
Cutoff
“Are transactions recorded in the proper
accounting period?”
Determine quality and condition. Valuation
“Are defective items included in inventory
value?”
“Have inventories been reduced, where
appropriate, to net realizable value?”
Inquire about goods held on consignment. Rights and obligations
“Does the entity have legal title or similar
rights of ownership to the inventories?”
Confirm goods held in public warehouses. Completeness
“Do inventory quantities include all
products, materials, and supplies owned by
the company that are stored at outside
locations?”
Review basis and methods for inventory Valuation
pricing. “Are inventories (and therefore cost of
goods sold) properly stated at cost?”
Review analysis of cost of sales. Valuation
“Is the cost of goods sold amount
reasonable?”
Examples of Substantive Procedures Illustrative Assertions
Determine financial statement Rights and obligations—disclosure
presentation (classification, pledged). “Are the pledges or assignments of
inventory appropriately disclosed?”
Completeness—disclosure
“Do the financial statements include all of
the disclosures related to inventories
specified by GAAP?”
Understandability—disclosure
“Are inventories properly classified in the
balance sheet as current assets?”
Accuracy and valuation—disclosure
“Are the major categories of inventories
and their bases of valuation accurately
disclosed in the financial statements?”
3335.13 Property, Plant, and Equipment—Depreciation and Depletion
Examples of Substantive Procedures Illustrative Assertions
Reconcile subsidiary ledgers to control Completeness
accounts. “Is all information in the individual
subsidiary ledgers reflected in the control
accounts?”
Accuracy
“Do the control accounts accurately reflect
subsidiary ledger balances?”
Verify legal ownership. Rights and obligations
“Does the entity have legal title or similar
right to the equipment?”
Verify additions. Valuation
“Are the addition amounts supported by
documentation?”
Verify disposals. Valuation
“Are there any assets that need to be
removed from the accounts (is the account
valued correctly with additions removed)?”
Review scrap sales for unrecorded Valuation
disposals. “Do any assets need to be removed from
the account?”
Recalculate gains and losses. Valuation
“Are gains and losses reasonable?”
Accuracy
“Have gains and losses been recorded at
the correct amount?”
Make physical inspections of additions. Existence
“Do the added assets exist?”
Completeness
“Have all new assets been added to the
financial records?”
Examples of Substantive Procedures Illustrative Assertions
Perform analysis of repairs and Completeness
maintenance. “Are there any transactions posted to the
repairs and maintenance account that
should have been posted to a fixed asset
account?”
Recalculate depreciation and depletion. Valuation
“Have depreciation and depletion been
recorded at the correct amount?”
Perform analytical review. Valuation
“Are the amounts reasonable based on
known facts and relationships?”
Review lease agreements. Rights and obligations—disclosure
“Do lease agreements indicate rights to an
asset and obligations under a capital
lease?”
Accuracy and valuation—disclosure
“Are capital leases recorded correctly in the
financial statements, and are the terms of
any leases disclosed as required?”
Determine financial statement Completeness—disclosure
presentation (major classes, depreciation “Have all disclosures related to property,
methods, basis of valuation, estimated plant, and equipment and depreciation and
lines restrictions, leases). depletion been made as required by
GAAP?”
Valuation—disclosure
“Are the bases of valuation for fixed assets
accurately disclosed in the financial
statements?”
3335.14 Long‐Term Investments
Examples of Substantive Procedures Illustrative Assertions
Verify all transactions by reference to Existence
authorization and documentary evidence. “Do these assets exist?”
Occurrence
“Have the transactions in the accounting
records with respect to these assets
actually occurred?”
Accuracy
“Are the transactions recorded accurately
in the financial statements?”
Inspect and count securities and records. Existence
“Do these assets exist?”
Completeness and valuation
“Are all assets owned reflected in the
financial statements at the correct value?”
Examples of Substantive Procedures Illustrative Assertions
Confirm securities with independent Existence
custodian. “Do these securities exist?”
Rights and obligations
“Does the entity have the rights to these
securities (do they truly own them)?”
Completeness
“Are there any other securities that are not
listed on their financial statements?”
Obtain evidence for carrying value and Valuation
earnings therefrom: “Are assets and earnings properly valued in
a. Obtain audited statements, if available. the financial statements?”
b. If audited statements are not available,
extend unit tests depending on
materiality of investment. May rely on
investee’s auditor.
c. Use market quotations when based on
broad and active market.
d. Use personal valuations only if available
and reasonable.
e. If collateral is important with regard to
collectability, ascertain existence,
market value, and transferability.
Inquire of management with regard to Rights and obligations
status of long‐term investments.* “Does the entity have legal title or rights of
ownership for these assets?”
Valuation
“Does the asset account accurately reflect
the value of the total assets owned?”
* Management’s responses should be verified by other audit procedures.
Verify income related to investments. Valuation
“Is the income from the investments
recorded at the correct amount in the
financial statements?”
Determine financial statement Valuation—disclosure
presentation (cost or equity methods). “Is the financial information regarding the
assets disclosed fairly and at appropriate
amounts?”
Classification—disclosure
“Are the assets appropriately presented
and described?”
3335.15 Accounts Payable
Examples of Substantive Procedures Illustrative Assertions
Test accounts payable transactions as Accuracy
follows: “Have all entries regarding accounts
a. Vouch to postings a sample of payable posted accurately?”
transactions in accounts payable Rights and obligations
subsidiary ledger. “Are postings for the accounts payable
b. Trace postings from accounts payable obligations supported by documentation?”
control to subsidiary ledger. Occurrence
c. Verify sample of cash discount and “Did purchases and returns actually occur?”
purchase returns. Completeness
“Have all entries from the subsidiary
ledgers posted to the general ledger?”
Examine subsequent cash payments to Completeness
search for unrecorded liabilities. “Are all of the accounts payable recorded at
year‐end?”
Confirm certain accounts, if appropriate. Existence
“Do these payables exist?”
Rights and obligations
“Does the entity have the obligations
related to these payables (does the vendor
acknowledge they are owed)?”
Valuation
“Are the payables valued at the correct
amount?”
Review payables to related parties. Completeness—disclosure
“Have all related party payables been
disclosed as required?”
Investigate debit balances. Valuation
“Has the company overpaid its payables, or
are there payables that are missing?”
Vouch selected balances payable to Valuation
supporting documents. “Is the correct payables balance recorded?”
Rights and obligations
“Does the entity have the obligation for
these payables?”
Existence
“Do these payables exist?”
Occurrence
“Did the payables transactions actually
happen?”
Inquire as to unrecorded liabilities. Completeness
“Are all of the payables recorded?”
Determine financial statement Completeness—disclosure
presentation (non‐trade, related parties, “Have all disclosures related to accounts
debit balances, consignments). payable been made as required by GAAP?”
3335.16 Other Current Liabilities—Examples: Accrued Payroll and Payroll Expense
Examples of Substantive Procedures Illustrative Assertions
Test payroll transactions as follows:* Valuation
a. Trace names and wage or salary rates to “Are the payroll expense and accrual for
records in personnel department. payroll recorded at the correct amount?”
b. Trace time shown on payable timecards. Accuracy
c. Verify payroll deductions to legal “Have transactions related to payroll been
requirements and employee requests. recorded accurately?”
d. Test extensions and footings of payroll.
e. Compare totals of payroll to totals of
payroll checks.
f. Examine paid checks for endorsements
and compare with payroll.
g. Review treatment of unclaimed checks.
* These audit procedures are also testing for a risk of fraud (ghost employees,
overstatement of time worked, manipulation of pay rates).
Review authorization for all payrolls. Rights and obligations
“Does proper approval exist to show that
the entity owes these wages?”
Conduct analytical review. Valuation
“Are amounts recorded for payroll
reasonable based on other known facts
(such as plant hours and number of
employees)?”
Recalculate accrued payroll. Valuation/Accuracy
“Is the amount of the accrual correct (is the
journal entry accurate)?”
Recalculate payroll taxes and other Valuation
withholdings, inspect payroll tax returns. “Is payroll tax expense recorded at the
correct amount?”
Accuracy
“Is payroll being calculated accurately?”
Test subsequent payment of accrued Valuation
payroll and payroll taxes and other “Are the accruals at year‐end recorded at
withholdings. the correct amount, based on payment
after the period end?”
Determine financial statement Accuracy and valuation—disclosure
presentation. “Are transactions related to payroll valued
correctly and presented accurately in the
financial statements?”
3335.17 Interest‐Bearing Debt and Related Expense
Examples of Substantive Procedures Illustrative Assertions
Verify additions and retirements during the Accuracy
year by vouching to supporting documents. “Are the transactions recorded accurate?”
Existence
“Do the new loans exist?”
“Were the retired loans satisfied?”
Search for unrecorded liabilities. Completeness
“Are all liabilities recorded that should be?”
Recalculate interest expense, interest Valuation
payable, and amortization. “Are amounts recorded for interest
expense, interest payable, and amortization
correct?”
Trace interest to debt for completeness. Completeness
“Has all interest been accrued based on
interest rates and debt balances?”
Examine subsequent payments of notes Valuation
and interest. “Are interest accruals at year‐end correct,
based on actual payments in the new
year?”
Confirm interest‐bearing debt. Existence
“Do these debts exist?”
Valuation
“Is the correct amount of debt recorded?”
Rights and obligations
“Does the entity have obligations for these
debts?”
Examine notes, mortgages, and bond Existence
indenture. “Does this indebtedness exist?”
Rights and obligations
“Is the entity responsible for these debts?”
Valuation
“Have the debts been recorded at the
correct amount?”
Verify authorization by reading minutes of Rights and obligations
meetings. “Has the debt been approved by those
charged with governance (indicating an
obligation)?”
Determine that all provisions of indentures Classification
have been met. “Has the entity fulfilled its obligations as
stated in the notes, or will the notes be
reclassified due to noncompliance?”
Determine financial statement Completeness/Valuation/Classification—
presentation (interest rate, maturity, disclosure
pledged assets, current portion, “Has all information regarding interest‐
covenants). bearing debt and related expense been
disclosed correctly and accurately in the
financial statements?”
3335.18 Contingent Liabilities
Types:
a. Pending litigation
b. Income tax disputes
c. Notes receivable discounted
d. Accounts sold at recourse
e. Accommodation endorsement of rates
f. Renegotiation of U.S. government contracts
Examples of Substantive Procedures Illustrative Assertions
Read minutes of meetings of board of Completeness
directors. “Has the board divulged the existence of
any contingent liabilities?”
Read contracts. Completeness
“Could any contingent liabilities exist based
on possible contract default?”
Review confirmations (banks and others). Completeness
“Are there any undisclosed contingent
liabilities?”
Obtain a letter from client’s lawyer. Completeness
“Are there any undisclosed contingent
liabilities?”
Valuation
“What is the value of the contingent
liability?”
Inquire of client. Completeness
“Are there any undisclosed contingent
liabilities?”
Determine financial statement Completeness—disclosure
presentation. “Have all contingent liabilities been
reported that are required to be reported?”
Valuation—disclosure
“Have all contingent liabilities been
reported at the correct value as required by
GAAP?”
3335.19 Stockholders’ Equity and Dividends
Examples of Substantive Procedures Illustrative Assertions
Verify all transactions as to computation Accuracy
and authorization. “Have amounts been recorded accurately?”
Read minutes of meetings of board of Completeness
directors and officers. “Are all transactions affecting stockholders’
equity reflected in the financial
statements?”
Account for proceeds of stock issues. Valuation
“Is the amount of proceeds from stock issue
correct?”
Examples of Substantive Procedures Illustrative Assertions
Confirm shares outstanding with registrar Valuation—disclosure
and transfer agent. “Is the outstanding stock valued correctly in
the financial statements?”
Inspect treasury stock or confirm with Existence
broker. “Does treasury stock exist?”
Verify treasury stock transactions. Valuation
“Have transactions with treasury stock
been recorded at the correct value?”
Analyze retained earnings and Classification
appropriations of retained earnings. “Is retained earnings classified properly in
the financial statements as appropriated?”
Examine and verify all retained earnings Valuation
transactions. “Are retained earnings reported at the
correct amount on the balance sheet?”
Recalculate dividends and verify Valuation
authorization of dividends transactions. “Is the amount recorded for dividends
reasonable?”
Classification
“Is the payment properly recorded as a
dividend (or does the lack of approval
indicate that the payment was for
something else)?”
Determine financial statement Classification—disclosure
presentation (capital stock described, stock “Is stockholders’ equity properly classified
options, appropriations, retained earnings and disclosed in the financial statements as
statement, treasury stock). required by GAAP?”
3336 All Other Procedures
Audit Engagements
Unusual Year‐End Transactions
3336.01 During the course of an audit, an auditor may become aware of business transactions that
are outside the normal course of business for the entity. The auditor should gain an
understanding of the business rationale for such transactions and whether that rationale
suggests that the transactions may have been entered into to engage in fraudulent financial
reporting or conceal misappropriation of assets.
3336.02 In understanding the business rationale for an entity’s transactions, the auditor should
consider:
a. whether the form of such transactions is overly complex.
b. whether management has discussed the nature of and accounting for such transactions
with those charged with governance.
c. whether management is placing more emphasis on the need for a particular accounting
treatment than on the underlying economics of the transaction.
d. whether transactions that involve unconsolidated related parties, including special
purpose entities, have been properly reviewed and approved by those charged with
governance.
e. whether the transactions involve previously unidentified related parties or parties that
do not have the substance or the financial strength to support the transaction without
assistance from the entity under audit.
3336.03 The audit engagement team might consult with individuals having appropriate levels of
knowledge, competence, and judgment regarding significant unusual transactions. In
addition, the auditor may use audit data analytic outputs (such as reports and other
visualizations) to determine relationships among variables and interpret results to meet
objectives of planned procedures.
3336.04 If the company has entered into a significant unusual transaction and the risk of material
misstatement is high, in addition to examining documentation held by the company, the
auditor should consider confirming the terms and amounts of the transaction with the other
parties. The auditor should also obtain an understanding of the substance of the transaction
to determine the appropriate information to include on the confirmation request.
Consider Departures from Applicable Financial Reporting Framework
3336.05 The standards refer to “an applicable financial reporting framework” instead of GAAP.
Management is responsible for the selection of the entity’s applicable financial reporting
framework, as well as the individual accounting policies when the financial reporting
framework contains acceptable alternatives. The financial reporting framework
encompasses financial accounting standards established by an authorized or recognized
standards‐setting organization.
3336.06 The requirements of the applicable financial reporting framework determine the form and
content of the financial statements. Although the framework may not specify how to
account for or disclose all transactions or events, it ordinarily embodies sufficiently broad
principles that can serve as a basis for developing and applying accounting policies that are
consistent with the concepts underlying the requirements of the framework.
3336.07 Examples of financial reporting frameworks include:
a. U.S. generally accepted accounting principles (GAAP) as promulgated by the FASB, the
GASB, or the FASAB;
b. IFRSs issued by the International Accounting Standards Board; and
c. financial statements presented on a special‐purpose framework.
3336.08 Examples of special‐purpose framework financial statements include:
a. a basis of accounting that the reporting entity uses to comply with the requirements or
financial reporting provisions of a governmental regulatory agency;
b. a basis of accounting that the reporting entity uses or expects to use to file its income
tax return for the period covered by the financial statements; or
c. the cash basis of accounting and modifications of the cash basis having substantial
support.
3336.09 An accountant who is engaged to perform any services on financial statements may become
aware of a departure from the applicable financial reporting framework (which includes
adequate disclosure) that is material to the financial statements.
3336.10 An entity may request an accountant to compile financial statements that omit substantially
all the required disclosures. This type of departure from the applicable financial reporting
framework follows different rules than other departures from the applicable financial
reporting framework.
The accountant may compile statements that omit substantially all disclosures, provided the
omission of substantially all disclosures is clearly indicated in the report and is not
undertaken with the intention of misleading those who might reasonably be expected to use
such financial statements.
3336.11 For all other departures, if the financial statements are not revised, the accountant should
consider whether modification of the standard report is adequate to disclose the departure.
3336.12 If the accountant believes that modification of the standard report is not adequate to
indicate the deficiencies in the financial statements taken as a whole, the accountant should
consider withdrawing from the engagement and provide no further services with respect to
those financial statements. The accountant may also wish to consult with legal counsel
under these circumstances.
3336.13 If the accountant feels that management’s disclosure of the uncertainty regarding the
entity’s ability to continue as a going concern is not adequate, the accountant should follow
these procedures as well.
Nonaudit Engagements: Review Engagements
3336.14 For a review engagement, the accountant should read the financial statements and consider
whether any information has come to the accountant’s attention to indicate that such
financial statements do not conform to the applicable financial reporting framework. The
accountant should also obtain evidence that the financial statements agree or reconcile with
the accounting records.
3336.15 For a review engagement, if other accountants have issued a report on the financial
statements of significant components (such as a subsidiary), the accountant should obtain
and read reports from such other accountants.
3340 Specific Matters That Require Special Audit Consideration
3341 Opening Balances
3341.01 An initial audit engagement is one on which either the financial statements for the prior
period were not audited, or the financial statements for the prior period were audited by a
predecessor auditor.
3341.02 Opening balances are those account balances that exist at the beginning of the period.
Opening balances are based upon the closing balances of the prior period and reflect the
effects of transactions and events of prior periods and accounting policies applied in the
prior period. They also include disclosures, such as contingencies and commitments.
3341.03 The auditor should obtain sufficient appropriate evidence about whether the opening
balances contain misstatements that materially affect the current period’s financial
statements. This includes determining whether the prior period’s closing balances have been
correctly brought forward to the current period, or restated when appropriate. These
opening balances should reflect the application of appropriate accounting balances. The
auditor may have to perform specific procedures to obtain evidence regarding the opening
balances.
3341.04 The auditor should obtain sufficient appropriate evidence about whether the accounting
policies reflected in the opening balances have been consistently applied in the current
period’s financial statements. Any changes should be appropriately accounted for and
adequately presented and disclosed in accordance with the applicable financial reporting
framework. If there is a material lack of consistency or a change is not appropriately
accounted for and disclosed, then the auditor should express a qualified or adverse opinion.
3341.05 When the prior‐year financial statements were audited, the auditor should read the most
recent financial statements and auditor’s report. If a modification was made to the prior
period’s auditor’s report, the current‐period auditor should evaluate the effect of the
modification in assessing risk of material misstatement. If the modification remains relevant
and material to the current period’s financial statements, the auditor should appropriately
modify the current‐period auditor’s report.
3341.06 The auditor should also ask management to authorize the predecessor auditor to allow the
successor auditor to have access to the predecessor auditor’s documentation. The auditor
should review the predecessor auditor’s audit documentation to obtain evidence regarding
the opening balances and other information with continuing audit relevance.
3341.07 If evidence indicates that opening balances may contain a material misstatement that affects
the current period’s financial statements, the auditor should perform additional appropriate
audit procedures to evaluate the effect. The auditor should communicate the misstatement
to the appropriate level of management and those charged with governance.
3341.08 If the financial statements reported on by the predecessor auditor require revision, the
successor auditor should request client management to inform the predecessor auditor and
arrange for cooperation in resolution of the matter. If management refuses, or the current‐
period auditor is not satisfied with the resolution of the matter, the current‐period auditor
should evaluate the impact on the current‐period engagement. The auditor should consider
whether withdrawal or a disclaimer of opinion is warranted.
3341.09 The auditor should not make reference to the report or work of the predecessor auditor as a
basis, in part, for the auditor’s own opinion.
3341.10 The auditor should express a qualified opinion or disclaim an opinion if unable to obtain
sufficient appropriate evidence regarding the opening balances. In addition, if the opening
balances contain a misstatement that materially affects the current period’s financial
statements and necessary corrections are not made, the auditor should qualify or give an
adverse opinion.
3342 Investments in Securities and Derivative Instruments
Investments in Securities When Valuations Are Based on the Investee’s Financial
Results
3342.01 When investments in securities are valued based on an investee’s financial results, such as
investments accounted for using the equity method of accounting or consolidated entities,
the auditor should obtain sufficient appropriate audit evidence in support of the investee’s
financial results.
3342.02 The auditor should obtain and read available financial statements of the investee and the
accompanying audit report, if any, including determining whether the report of the other
auditor is satisfactory for this purpose. If the financial statements are not audited, or the
audit report is not satisfactory, the auditor should apply (or request that another auditor
apply) appropriate procedures, considering the materiality of the investment in relation to
the financial statements of the investor entity.
3342.03 If the carrying amount of the investment reflects factors that are not recognized in the
investee’s financial statements or fair values of assets that are materially different from the
investee’s carrying amounts, the auditor should obtain appropriate evidence in support of
such amounts.
3342.04 If the difference between the financial statement period of the entity and the investee has
or could have a material effect, the auditor should determine whether the entity’s
management has properly considered the lack of comparability and any effect on the
auditor’s report.
3342.05 Subsequent events and transactions occurring after the date of the investee’s financial
statements, but before the date of the auditor’s report, should be considered. The auditor
should obtain and read available interim financial statements of the investee and make
appropriate inquiries to identify such transactions and events that may be material to the
investor’s financial statements. Investee subsequent transactions and events may need to
be recognized or disclosed in the investor’s financial statements.
Investments in Derivative Instruments and Securities Measured or Disclosed at Fair
Value
3342.06 An entity may have investments in securities and derivative instruments measured or
disclosed at fair value. The auditor should determine whether the applicable financial
reporting framework specifies the method to be used to determine the fair value, and
evaluate whether the fair value determination is consistent with that specified method.
3342.07 If fair value is obtained from broker‐dealers or other third‐party sources based on valuation
models, the auditor should understand the method used in developing the estimate. Any
valuation model should be evaluated to support management’s assertion about fair value
determined using the model.
Change in Value, Including Impairment Losses
3342.08 The auditor should evaluate management’s conclusions about the need to recognize an
impairment loss for a decline in a security’s fair value below its cost or carrying amount. In
addition, the auditor should obtain sufficient appropriate audit evidence supporting the
amount of any impairment adjustments recorded, including whether applicable financial
reporting framework requirements were complied with.
3342.09 The auditor should obtain sufficient appropriate evidence about the amount of unrealized
appreciation or depreciation in the fair value of a derivative that is recognized (or disclosed
because of the ineffectiveness of a hedge), including whether the requirements of the
applicable financial reporting framework are complied with.
3343 Inventory and Inventory Held by Others
3343.01 The auditor should obtain sufficient appropriate audit evidence regarding the existence and
condition of material inventory. This includes attending the physical inventory counting,
unless impracticable. The purpose is to evaluate management’s instructions and procedures
for recording and controlling the results of the entity’s physical count. The auditor should
observe count procedures, inspect inventory, and perform test counts. Procedures should
then be performed over the final inventory records to determine whether they accurately
reflect actual inventory count results.
3343.02 If the physical count is conducted at a date other than the financial statement date, the
auditor should obtain evidence about whether changes in inventory between the count date
and the financial statement date are properly recorded.
3343.03 If the auditor is unable to attend the physical count due to unforeseen circumstances, an
observation of a count at an alternative date is acceptable, with procedures performed on
intervening transactions.
3343.04 If attendance at the inventory count is impracticable, and it is not possible to obtain
sufficient appropriate alternative evidence of existence and condition, the auditor should
modify the auditor’s report opinion appropriately.
3343.05 If material inventory is held by a third‐party custodian, the auditor should request
confirmation regarding quantities and condition of inventory held by the custodian, or
perform inspection or other appropriate audit procedures.
3344 Litigation, Claims, and Assessments
Contingencies
3344.01 A contingency is “an existing condition, situation, or set of circumstances involving
uncertainty as to possible gain…or loss (loss contingency) to an entity that will ultimately be
resolved when one or more future events occur or fail to occur.” (FASB ASC Glossary)
a. A contingency may be probable, reasonably possible, or remote.
b. A loss contingency should be accrued if the loss:
(1) is probable and
(2) can be reasonably estimated.
c. Disclosure of contingencies not accrued is required under the following conditions:
(1) No amount can be reasonably estimated for a probable contingency.
(2) The contingency is reasonably possible.
d. Unasserted claims are disclosed if:
(1) assertion is probable and
(2) a loss is reasonably possible.
e. When possible, disclosure should include the range of the estimated loss.
3344.02 Management is responsible for adopting all procedures to identify and account for asserted
and unasserted litigation, claims, and assessments (LCA), and management is the primary
source of information.
3344.03 With regard to litigation, claims, and assessments (LCA) and in accordance with FASB ASC
450, the auditor must obtain audit evidence relevant to:
a. its existence,
b. the accounting period in which its underlying cause occurred,
c. the degree of probability of an unfavorable outcome, and
d. the range of potential loss.
3344.04 The auditor should design and perform audit procedures to identify litigation, claims, and
assessments involving the entity that may give rise to a risk of material misstatement. The
auditor should perform the following:
a. Inquire of management and other appropriate parties, such as in‐house legal counsel.
b. Obtain from management a description and evaluation of litigation, claims, and
assessments that existed at the date of the financial statements reported on and during
the period from the date of the financial statements to the date the information is
furnished.
c. Review minutes of meetings of those charged with governance and other relevant
documents, such as correspondence with legal counsel.
d. Review legal expense accounts and invoices from external legal counsel.
Communication with Entity’s Legal Counsel
3344.05 In addition to normal procedures of inquiry, examining documents, and other procedures, a
letter of inquiry may be addressed, with the client’s permission, to the client’s lawyer as a
means of obtaining corroborating evidence of litigation, claims, and assessments. Such direct
communication with external legal counsel is necessary when there is a risk of material
misstatement that exists related to actual or potential litigation, claims, or assessments. If
there is no external legal counsel in such cases, direct communication with in‐house legal
counsel may be performed. However, communication with in‐house legal counsel is not a
substitute for external legal counsel communication, when warranted.
3344.06 The auditor should document the basis for any determination not to seek direct
communication with the entity’s external legal counsel. A letter of inquiry to external legal
counsel is presumed in an audit of an issuer. However, for audits of both issuers and
nonissuers, inquiry need not be made concerning matters that are not considered material,
provided the client and the auditor have reached an understanding on the limits of
materiality for this purpose.
3344.07 The direct communication with external legal counsel, if deemed necessary, should obtain
evidence about any litigation, claims, assessments, and unasserted claims that counsel is
aware of, together with an assessment of the outcome of the litigation, claims, and
assessments, and an estimate of the financial implications, including costs involved.
3344.08 In addition to identifying the company and relevant dates, the letter contains management’s
list of asserted and unasserted claims. With regard to these items, the lawyer is asked to
indicate:
a. a description of the nature of the matter, the progress of the case to date, and action
the company intends to take,
b. an evaluation of an unfavorable outcome, and
c. an estimated range (if estimable) of potential loss.
3344.09 If any material litigation, claims, and assessments (LCA) are omitted from management’s list,
the lawyer is expected to advise the client of the client’s need to disclose any unasserted
claims under the provisions of FASB ASC 450. In some cases, a client’s failure to do so may
require that the attorney resign.
3344.10 A lawyer may limit a response to matters to which the lawyer has given substantive
attention and to matters which individually or collectively are material to the financial
statements.
3344.11 If the auditor becomes aware that an entity has changed legal counsel, or that legal counsel
has resigned, the auditor should consider making inquiries of management or others about
the underlying reasons.
3344.12 If management refuses to give the auditor permission to communicate with or meet with the
external legal counsel, the auditor should modify the auditor’s report appropriately.
3344.13 A lawyer’s refusal to cooperate is a limitation of scope which may be sufficient to preclude
an unmodified opinion. For issuers, other methods, such as relying on an internal legal
department, do not provide evidence of equal quality. For nonissuers, an unmodified
opinion can still be given if sufficient appropriate audit evidence can be obtained from other
sources.
3344.14 If the lawyer is unable to respond in estimating the likelihood of loss and/or the estimated
amount, the uncertainty should be disclosed (e.g., probable of negative outcome, yet not
reasonably estimated). The auditor should consider if an unmodified opinion is appropriate
under the given circumstances.
3344.15 Special audit procedures include the following:
a. Evaluate management policies for identifying and accounting for litigation, claims, and
assessments (LCA).
b. Obtain a listing of LCA through the date of the report.
c. Obtain a representation letter from the client.
d. Examine documents in the client’s possession, including invoices from lawyers.
e. Obtain assurance from the client regarding unasserted claims for which the lawyer has
recommended disclosures (it may be desirable to confirm with the lawyer).
f. Consider evidence from other standard audit procedures (review of minutes, contracts,
etc.) in terms of LCA.
g. Obtain a letter of audit inquiry, if there is risk of material misstatement:
(1) List all asserted LCA and unasserted LCA (list prepared by the client with the
lawyer’s comment as to completeness or list prepared by the lawyer).
(2) Obtain a description, evaluation of likelihood, and estimation of amount.
(3) Include a client statement that indicates the client’s reliance on the lawyer to advise
disclosure with regard to unasserted LCA. Request the lawyer’s confirmation.
h. If the lawyer has resigned, then investigate.
3344.16 Study the following flowchart, which summarizes the procedures and decision points with
regard to inquiries of the client’s lawyers. (Note that the SASs discuss sending legal inquiry
letters when there is a risk of material misstatement. The PCAOB standards were not
modified with that same language, but also discuss a concept of materiality. This graphic
assumes that there is a risk of material misstatement to obtain information from external
legal counsel.)
Is
accounting
in accordance with
FASB ASC
450?
Will client
revise financials
in accordance with
FASB ASC
450?
Section 3300 © 2019 Surgent CPA Review, LLC
255
3345 An Entity’s Ability to Continue as a Going Concern
3345.01 Under the going concern basis of accounting, financial statements are prepared on the
assumption that the entity is a going concern and will continue its operations for a
reasonable period of time, unless there is substantial doubt about an entity’s ability to
continue as a going concern for a reasonable period of time.
a. FASB ASC 205‐40 provides the following guidance as a result of the issuance of ASU
2014‐15 by defining substantial doubt about an entity’s ability to continue as a going
concern as follows: "Substantial doubt about an entity’s ability to continue as a going
concern exists when conditions and events, considered in the aggregate, indicate that it
is probable that the entity will be unable to meet its obligations as they become due
within one year after the date that the financial statements are issued (or within one
year after the date that the financial statements are available to be issued, when
applicable)."
b. Other financial reporting frameworks may use different terms that are similar to the
concept of substantial doubt. For example, International Financial Reporting Standards
(IFRS) use the terms material uncertainty and significant doubt.
c. A “reasonable period of time” is the period of time required by the applicable financial
reporting framework, or within one year after the date that the financial statements are
issued or available to be issued.
3345.02 The objectives of the auditor, relating to an entity’s ability to continue as a going concern
and the implications for the auditor’s report, are to:
a. obtain and conclude on sufficient appropriate audit evidence regarding the
reasonableness of management’s use of the going concern basis of accounting, when
relevant, in the preparation of the financial statements.
b. conclude, based on the audit evidence obtained, whether substantial doubt about an
entity’s ability to continue as a going concern for a reasonable period of time exists.
c. evaluate and report on the possible financial statement effects, including the adequacy
of disclosure regarding the entity’s ability to continue as a going concern for a
reasonable period of time.
Risk Assessment Procedures
3345.03 When performing risk assessment procedures as required by AU‐C 315, Understanding the
Entity and Its Environment and Assessing the Risks of Material Misstatement, the auditor
should determine if management has performed a preliminary evaluation of whether there
are conditions or events, considered in the aggregate, that raise substantial doubt about the
entity’s ability to continue as a going concern for a reasonable period of time.
3345.04 Management’s evaluation involves making a judgment, at a particular point in time, about
inherently uncertain future outcomes of conditions or events.
a. The degree of uncertainty increases significantly the further into the future a condition
or event or the outcome occurs. It should be noted that subsequent events after the
date of the financial statements may result in outcomes that are inconsistent with
judgments that were reasonable at the time that they were made.
b. That judgment may be affected by the size and complexity of the entity, the nature and
condition of its business, and the degree to which it is affected by external factors.
3345.05 If management has performed an evaluation, the auditor should discuss the evaluation with
management and determine whether management has identified specific conditions or
events and understand management’s plans to address them. The auditor’s evaluation
should:
a. cover the same period as that used by management, as required by the applicable
financial reporting framework.
b. include consideration of whether management’s evaluation includes all relevant
information of which the auditor is aware as a result of the audit.
3345.06 The auditor should inquire of management regarding its knowledge of conditions or events
beyond the period of management’s evaluation that may have an effect on the entity’s
ability to continue as a going concern. Additionally, the auditor should remain alert
throughout the audit for audit evidence of conditions or events that raise substantial doubt
about an entity’s ability to continue as a going concern for a reasonable period of time.
Additional Audit Procedures
3345.07 If management has not performed an evaluation, the auditor should discuss with
management the intended use of the going concern basis of accounting and inquire of
management whether conditions or events exist that raise substantial doubt about an
entity’s ability to continue as a going concern for a reasonable period of time.
3345.08 Under these circumstances, the auditor is required to obtain sufficient appropriate audit
evidence regarding, and to conclude on, the appropriateness of management’s continued
use of the going concern basis of accounting in the preparation of the financial statements.
Suggested audit procedures include the following:
a. Requesting management to make an evaluation when management has not yet
performed an evaluation
b. Evaluating management’s plans in relation to its going concern evaluation, with regard
to whether it is probable that:
(1) management’s plans can be effectively implemented and
(2) the plans would mitigate the relevant conditions or events that raised substantial
doubt about the entity’s ability to continue as a going concern for a reasonable
period of time
c. When the entity has prepared a cash flow forecast, and analysis of the forecast is a
significant factor in evaluating management’s plans, the auditor should:
(1) evaluate the reliability of the underlying data generated to prepare the forecast and
(2) determine whether there is adequate support for the assumptions underlying the
forecast, which includes considering contradictory audit evidence.
d. Considering whether any additional facts or information have become available since
the date on which management made its evaluation
3345.09 When management’s plans include financial support by third parties, or the entity’s owner‐
manager, SAS 132 requires the auditor to obtain sufficient appropriate audit evidence about
the intent and ability of those parties to provide the necessary financial support, provided
that such evidence is necessary in order to support management’s assertions.
a. Failure to obtain the written evidence constitutes a lack of sufficient appropriate audit
evidence regarding the intent of the supporting parties to provide financial support.
b. In this situation, the auditor should conclude that management’s plans are insufficient
to alleviate the determination that substantial doubt exists about the entity’s ability to
continue as a going concern for a reasonable period of time.
3345.10 If the auditor believes that substantial doubt exists about the entity’s ability to continue as a
going concern for a reasonable period of time, the auditor should request the following
written representations from management:
a. A description of management’s plans that are intended to mitigate the adverse effects
of conditions or events that indicate there is substantial doubt about the entity’s ability
to continue as a going concern for a reasonable period of time and the probability that
those plans can be effectively implemented
b. That the financial statements disclose all the matters of which management is aware
that are relevant to the entity’s ability to continue as a going concern for a reasonable
period of time, including principal conditions or events and management’s plans
Auditor Conclusions and Implications for Auditor’s Report
3345.11 SAS 132 states that the issues of the appropriateness of management’s use of the going
concern basis of accounting and whether substantial doubt exists are to be considered
separately.
a. Accordingly, the auditor is not required to obtain sufficient appropriate audit evidence
regarding the appropriateness of management’s use of the going concern basis of
accounting when the going concern issue is not relevant.
b. The auditor is required to conclude whether substantial doubt exists and to evaluate the
possible financial statement effects.
3345.12 The auditor should evaluate the adequacy of the financial statement disclosures, as required
by the applicable financial reporting framework, if conditions or events have been identified
that raise substantial doubt about an entity’s ability to continue as a going concern for a
reasonable period of time, regardless of whether that doubt has been alleviated by
management’s plans. If adequate disclosure is not made in the financial statements, the
auditor should express a qualified opinion or adverse opinion, as appropriate.
3345.13 If the auditor concludes that management’s use of the going concern basis of accounting is
inappropriate, the auditor should express an adverse opinion.
3345.14 If the auditor concludes that management’s use of the going concern basis of accounting is
appropriate, and that substantial doubt about the entity’s ability to continue as a going
concern for a reasonable period of time remains, the auditor should include an emphasis‐of‐
matter paragraph in the auditor’s report.
a. The auditor should use wording and terminology for the emphasis‐of‐matter paragraph
that is consistent with those included in the applicable financial reporting framework.
b. The auditor should not use conditional language concerning the existence of substantial
doubt about the entity’s ability to continue as a going concern for a reasonable period
of time.
Communication with Those Charged with Governance
3345.15 The auditor should communicate the following with those charged with governance:
a. The nature of the events or conditions, considered in the aggregate, identified that
raised substantial doubt about the entity’s ability to continue as a going concern for a
reasonable period of time
b. The auditor’s consideration of management’s plan
c. Whether management’s use of the going concern basis is appropriate, under the
circumstances
d. The adequacy of related disclosures in the financial statements
e. The implications, if any, for the auditor’s report
Documentation
3345.16 The auditor should document all of the following:
a. The conditions or events that led to the belief that a going concern issue exists
b. The elements of management’s plans that the auditor considered to be particularly
significant to overcoming the adverse effects
c. The auditing procedures performed and evidence obtained to evaluate management’s
plans
d. The auditor’s conclusion as to whether substantial doubt about the entity’s ability to
continue as a going concern for a reasonable period of time is alleviated
(1) If substantial doubt remains, the auditor should document the possible effects of
the conditions or events on the financial statements and the adequacy of the
related disclosures.
(2) If substantial doubt is alleviated, the auditor should document the auditor’s
conclusion regarding the need for and adequacy of disclosure of the principal
conditions or events that initially caused the auditor to believe there was
substantial doubt and management’s plans that alleviated the substantial doubt.
e. The auditor’s conclusion as to whether or not an emphasis‐of‐matter paragraph should
be included in the auditor’s report
3346 Accounting Estimates, Including Fair Value Estimates
3346.01 Some financial statement items cannot be measured precisely, but can only be estimated.
The nature and reliability of information available to management to support the making of
estimates varies widely, which also impacts the degree of estimation uncertainty and
associated risk of material misstatement. The auditor is responsible for evaluating the
reasonableness of accounting estimates made by management. When planning and
performing procedures to evaluate accounting estimates, the auditor should consider, with
an attitude of professional skepticism, both the subjective and objective factors.
3346.02 The auditor’s objective when evaluating accounting estimates is to obtain sufficient
appropriate audit evidence to provide reasonable assurance that:
a. all accounting estimates that could be material to the financial statements have been
developed,
b. those accounting estimates are reasonable in the circumstances, and
c. the accounting estimates are presented in conformity with applicable accounting
principles and are properly disclosed.
3346.03 The auditor should:
a. identify the circumstances that require accounting estimates and
b. evaluate whether the methods for making the estimate are appropriate and have been
applied consistently, and determine if changes from the prior period are appropriate in
the circumstances.
3346.04 In evaluating whether management has identified all accounting estimates that could be
material to the financial statements, the auditor considers the circumstances of the industry
or industries in which the entity operates, its methods of conducting business, new
accounting pronouncements, and other external factors. The auditor should consider
performing the following procedures:
a. Consider assertions embodied in the financial statements to determine the need for
estimates. Examples of these estimates are uncollectible receivables, valuation of
securities, warranty claims, subscription income, and percent of completion income.
(See AU‐C 540.A136 for more examples.) The measurement objective of some
accounting estimates is to forecast the outcome of one or more transactions, events, or
conditions. For other accountant estimates, such as fair value, the measurement
objective is expressed in terms of the value of a current transaction or financial
statement item based on prevalent conditions at the measurement date. The applicable
financial reporting framework may require fair value measurement based on an
assessed hypothetical current transaction between knowledgeable, willing parties in an
arm’s‐length transaction.
b. Evaluate information obtained in performing other procedures, such as changes made
or planned in the entity’s business, changes in methods of accumulating information,
and information contained in regulatory reports.
c. Inquire of management about the existence of circumstances that may indicate the
need to make an accounting estimate.
3346.05 In evaluating the reasonableness of an estimate, the auditor normally concentrates on key
factors and assumptions that are significant to the accounting estimate. The auditor should
consider the historical experience of the entity in making past estimates as well as the
auditor’s experience in the industry.
3346.06 The auditor should obtain an understanding of how management developed the estimate
by:
a. reviewing and testing the process used by management.
b. developing an independent expectation of the estimate to corroborate the
reasonableness of management’s estimate.
c. reviewing subsequent events or transactions occurring prior to the date of the auditor’s
report.
3346.07 Because no one accounting estimate can be considered accurate with certainty, the auditor
may determine that a difference between an estimated amount best supported by the audit
evidence and the estimated amount included in the financial statements may not be
significant, and such difference would not be considered to be a likely misstatement.
However, if the auditor believes the estimated amount included in the financial statements
is unreasonable, the auditor should treat the difference between that estimate and the
closest reasonable estimate as a likely misstatement.
Fair Value Measurements and Disclosures
3346.08 The auditor should obtain sufficient appropriate audit evidence to provide reasonable
assurance that fair value measurements and disclosures are in conformity with the
applicable reporting framework.
3346.09 Although U.S. GAAP may not prescribe the method for measuring the fair value of an item, it
expresses a preference for the use of observable market prices to make that determination.
In the absence of observable market prices, U.S. GAAP requires fair value to be based on the
best information available in the circumstances.
3346.10 Assumptions used in fair value measurements are similar in nature to those required when
developing other accounting estimates. However, if observable market prices are not
available, U.S. GAAP requires that valuation methods incorporate assumptions that
marketplace participants would use in their estimates of fair value whenever that
information is available without undue cost and effort.
3346.11 Management is responsible for making the fair value measurements and disclosures
included in the financial statements. The auditor should obtain an understanding of the
entity’s process for determining fair value measurements and disclosures and of the relevant
controls sufficient to develop an effective audit approach.
3346.12 The auditor should evaluate whether the fair value measurements and disclosures in the
financial statements are in conformity with the applicable reporting framework. The
evaluation of the entity’s fair value measurements and of the audit evidence depends, in
part, on the auditor’s knowledge of the nature of the business.
3346.13 When there are no observable market prices and the entity estimates fair value using a
valuation method, the auditor should evaluate whether the entity’s method of
measurement is appropriate in the circumstances. That evaluation requires the use of
professional judgment and the auditor should consider whether:
a. management has sufficiently evaluated and appropriately applied the criteria, if any,
provided by the financial reporting framework to support the selected method.
b. the valuation method is appropriate in the circumstances given the nature of the item
being valued.
c. the valuation method is appropriate in relation to the business, industry, and
environment.
3346.14 The auditor should consider whether to engage a specialist and use the work of that
specialist as audit evidence in performing substantive tests to evaluate material financial
statement assertions. The auditor may have the necessary skill and knowledge to plan and
perform audit procedures related to fair values or may decide to use the work of a specialist.
3346.15 Because of the wide range of possible fair value measurements, from relatively simple to
complex, and the varying levels of risk of material misstatement associated with the process
for determining fair values, the auditor’s planned audit procedures can vary significantly in
nature, timing, and extent.
3346.16 The auditor’s understanding of the reliability of the process used by management to
determine fair value is an important element in support of the resulting amounts and
therefore affects the nature, timing, and extent of audit procedures. When testing the
entity’s fair value measurements and disclosures, the auditor evaluates whether:
a. management’s assumptions are reasonable and reflect, or are not inconsistent with,
market information.
b. the fair value measurement was determined using an appropriate model, if applicable.
c. management used relevant information that was reasonably available at the time.
3346.17 The auditor considers the sensitivity of the valuation to changes in significant assumptions,
including market conditions that may affect the value. Where applicable, the auditor
encourages management to use techniques such as sensitivity analysis to help identify
particularly sensitive assumptions.
3346.18 To be reasonable, the assumptions on which the fair value measurements are based,
individually and taken as a whole, need to be realistic and consistent with:
a. the general economic environment, the economic environment of the specific industry,
and the entity’s economic circumstances.
b. existing market information.
c. the plans of the entity, including what management expects will be the outcome of
specific objectives and strategies.
d. assumptions made in prior periods, if appropriate.
e. past experience of, or previous conditions experienced by, the entity to the extent
currently applicable.
f. other matters, relating to the financial statements. For example, assumptions used by
management in accounting estimates for financial statement accounts other than those
relating to fair value measurements and disclosures.
g. the risk associated with cash flows, if applicable, including the potential variability in the
amount and timing of the cash flows and the related effect on the discount rate.
3346.19 The auditor should evaluate whether the disclosures about fair values made by the entity
are in conformity with GAAP. Disclosure of fair value information is an important aspect of
financial statements. Often, fair value disclosure is required because of the relevance to
users in the evaluation of an entity’s performance and financial position.
3346.20 When disclosure of fair value information under GAAP is omitted because it is not
practicable to determine fair value with sufficient reliability, the auditor evaluates the
adequacy of disclosures required in these circumstances. If the entity has not appropriately
disclosed fair value information required by GAAP, the auditor evaluates whether the
financial statements are materially misstated.
3346.21 The auditor ordinarily should obtain written representations from management regarding
the reasonableness of significant assumptions, including whether they appropriately reflect
management’s intent and ability to carry out specific courses of action on behalf of the
entity where relevant to the use of fair value measurements and disclosures.
3346.22 Depending on the nature, materiality, and complexity of fair values, management
representations about fair value measurements and disclosures contained in the financial
statements also may include representations about:
a. the appropriateness of the measurement methods, including related assumptions, used
by management in determining fair value and the consistency in application of the
methods.
b. the completeness and adequacy of disclosures related to fair values.
c. whether subsequent events require adjustment to the fair value measurement and
disclosures included in the financial statements.
3346.23 The auditor should determine that those charged with governance are informed about the
process used by management in formulating particularly sensitive accounting estimates,
including fair value estimates, and about the basis for the auditor’s conclusions regarding the
reasonableness of those estimates.
3350 Misstatements and Internal Control Deficiencies
Misstatements
3350.01 Misstatements can result from errors or fraud and may consist of any of the following:
a. An inaccuracy in gathering or processing data from which financial statements are
prepared
b. A difference between the amount, classification, or presentation of a reported financial
statement element, account, or item and the amount, classification, or presentation
that would have been reported under the applicable reporting framework
c. The omission of a financial statement element, account, or item
d. A financial statement disclosure that is not presented in conformity with the applicable
financial reporting framework
e. The omission of information required to be disclosed in conformity with the applicable
reporting framework
f. An incorrect accounting estimate arising, for example, from an oversight or
misinterpretation of facts
g. Differences between management’s and the auditor’s judgments concerning accounting
estimates, or the selection and application of accounting policies that the auditor
considers inappropriate
3350.02 The term errors refers to unintentional misstatements of amounts or disclosures in financial
statements. The term fraud refers to an intentional act by one or more individuals among
management, those charged with governance, employees, or third parties, involving the use
of deception to obtain an unjust or illegal advantage. The two types of misstatements
resulting from fraud that are relevant to an auditor are (1) fraudulent financial reporting and
(2) misappropriation of assets.
3350.03 Misstatements may be of two types: known (or factual) and likely (or judgmental and
projected). Known misstatements consist of the amount, classification, presentation, or
disclosure that are different than that required by the applicable financial reporting
framework. These are factual misstatements about which there is no doubt. Likely
misstatements represent the auditor’s best estimate of the total misstatements in the
account balances, classes of transactions, presentations, or disclosures that the auditor has
examined, applying professional judgment. These include judgmental misstatements arising
from the judgments of management concerning accounting estimates that the auditor
considers unreasonable or the selection or application of accounting policies that the
auditor considers inappropriate. Likely misstatements also include projected misstatements,
which are the auditor’s best estimate of misstatements in populations.
3350.04 Although the auditor has no responsibility to plan and perform the audit to detect
immaterial misstatements, there is a distinction in the auditor’s response to detected
misstatements depending on whether those misstatements are caused by error or fraud.
When the auditor encounters evidence of potential fraud, regardless of its materiality, the
auditor should consider the implications for the integrity of management or employees and
the possible effect on other aspects of the audit.
Audit Engagements: Summary of Uncorrected Misstatements
3350.05 In evaluating whether the financial statements are presented fairly in conformity with an
applicable financial reporting framework, the auditor must consider the effects, both
individually and in the aggregate, of misstatements (known and likely) that are not corrected
by the entity, other than those that are clearly trivial.
3350.06 The auditor should determine whether the overall audit strategy and audit plan need to be
revised if the nature of identified misstatements and the circumstances of their occurrence
indicate that other misstatements may exist that, when aggregated with other
misstatements accumulated during the audit, could be material. In addition, the aggregate
of misstatements accumulated during the audit may approach materiality alone.
3350.07 Before considering the aggregate effect of identified uncorrected misstatements, the auditor
should consider each misstatement separately to evaluate:
a. its effect in relation to the relevant individual classes of transactions, account balances,
presentations, or disclosures, including whether materiality levels for particular items of
lesser amounts than the materiality level for the financial statements taken as a whole
have been exceeded.
b. whether, in considering the effect of the individual misstatement on the financial
statements taken as a whole, it is appropriate to offset misstatements.
c. the effect of misstatements related to prior periods.
3350.08 When an auditor uses audit sampling to test a relevant assertion for an account balance or a
class of transactions, he or she should project the amount of known misstatements
identified in the sample to the items in the balance or class from which the sample was
selected. That projected misstatement, along with the results of other substantive
procedures, contributes to the auditor’s assessment of likely misstatement in the balance or
class.
3350.09 Qualitative considerations also influence the auditor in reaching a conclusion about whether
misstatements are material. Qualitative factors that the auditor may consider relevant to the
consideration of whether misstatements are material include the following:
a. The potential effect of the misstatement on trends, especially trends in profitability
b. A misstatement that changes a loss into income or vice versa
c. The potential effect of the misstatement on the entity’s compliance with loan
covenants, other contractual agreements, and regulatory provisions
d. The existence of statutory or regulatory reporting requirements that affect materiality
thresholds
e. The misstatement that masks a change in earnings or other trends, especially in the
context of general economic and industry conditions
f. A misstatement that has the effect of increasing management’s compensation; for
example, by satisfying the requirements for the award of bonuses or other forms of
incentive compensation
g. The sensitivity of the circumstances surrounding the misstatement; for example, the
implications of misstatements involving fraud and possible noncompliance with laws
and regulations, violations of contractual provisions, and conflicts of interest
h. The significance of the financial statement elements affected by the misstatement
i. The effects of misclassifications
j. The significance of the misstatement relative to reasonable user needs; for example,
earnings to investors and the equity amounts to creditors
k. The definitive character of the misstatement; for example, the precision of an error that
is objectively determinable as contrasted with a misstatement that unavoidably involves
a degree of subjectivity through estimation, allocation, or uncertainty
l. The motivation of management with respect to the misstatement; for example, (1) an
indication of a possible pattern of basis by management when developing and
accumulating accounting estimates, (2) a misstatement precipitated by management’s
continued unwillingness to correct weaknesses in the financial reporting process, or (3)
an intentional decision not to follow an applicable financial reporting framework
m. The existence of offsetting effects of individually significant but different misstatements
n. The likelihood that a misstatement that is currently immaterial may have a material
effect in future periods because of a cumulative effect; for example, that builds over
several periods
o. The cost of making the correction; it may not be cost beneficial for the client to develop
a system to calculate a basis to record the effect of an immaterial misstatement
p. The risk that possible additional undetected misstatements would affect the auditor’s
evaluation
3350.10 If the aggregate of the misstatements (known and likely) that the auditor has identified
approaches the materiality level, the auditor should consider whether there is a greater than
acceptably low level of risk that undetected misstatements, when taken with the aggregate
identified misstatements, could exceed the materiality level and, if so, the auditor should
reconsider the nature and extent of further audit procedures.
3350.11 The auditor should document:
a. the levels of materiality and tolerable misstatement, including any changes thereto,
used in the audit and the basis on which those levels were determined;
b. a summary of uncorrected misstatements, other than those that are trivial, related to
known and likely misstatements;
c. the auditor’s conclusion as to whether uncorrected misstatements, individually or in the
aggregate, do or do not cause the financial statements to be materially misstated, and
the basis for that conclusion; and
d. all known and likely misstatements identified by the auditor during the audit, other than
those that are trivial, that have been corrected by management.
3350.12 Uncorrected misstatements should be documented in a manner that allows the auditor to:
a. separately consider the effects of known and likely misstatements, including
uncorrected misstatements identified in prior periods;
b. consider the aggregate effect of misstatements on the financial statements; and
c. consider the qualitative factors that are relevant to the auditor’s consideration of
whether misstatements are material.
3350.13 The auditor should communicate on a timely basis with the appropriate level of
management all misstatements accumulated during the audit. The auditor should request
management to correct those misstatements. If management has reexamined items at the
auditor’s request to make corrections for misstatements detected in the audit process, the
auditor should perform additional procedures to determine whether misstatements remain
after management’s corrections.
3350.14 The auditor should obtain an understanding of management’s reasons for not making
corrections, and take that understanding into account when forming an opinion on the
financial statements as a whole.
3350.15 The auditor should document the amount below which misstatements would be regarded as
clearly trivial. Documentation should also include all misstatements accumulated during the
audit, whether they have been corrected, and the auditor’s conclusion about whether
uncorrected misstatements are material individually or in the aggregate, and the basis for
that conclusion.
Internal Control Deficiencies
3350.16 A deficiency in internal control exists when the design or operation of a control does not
allow management or employees, in the normal course of performing their duties, to
prevent, or detect and correct misstatements on a timely basis.
3350.17 A deficiency in design exists when:
a. a control necessary to meet the control objective is missing or
b. an existing control is not properly designed so that, even if the control operates as
designed, the control objective would not be met.
3350.18 A deficiency in operation exists when:
a. a properly designed control does not operate as designed or
b. the person performing the control does not possess the necessary authority or
competence to perform the control effectively.
3350.19 A material weakness is a deficiency, or combination of deficiencies, in internal control, such
that there is a reasonable possibility that a material misstatement of the entity’s financial
statements will not be prevented, or detected and corrected on a timely basis.
3350.20 A significant deficiency is a deficiency, or combination of deficiencies, in internal control that
is less severe than a material weakness, yet important enough to merit attention by those
charged with governance. (Note: All material weaknesses are significant deficiencies.)
3350.21 The severity of a deficiency in internal control depends upon:
a. the magnitude of the potential misstatement and
b. whether there is a reasonable possibility that the entity’s controls will fail to prevent, or
detect and correct a misstatement of an account balance or disclosure.
3350.22 The severity of a deficiency does not depend on whether a misstatement actually occurred.
3350.23 The magnitude of a possible misstatement depends on the total transactions exposed to the
deficiency and the volume of activity in the account exposed to the deficiency.
3350.24 The auditor must evaluate identified control deficiencies and determine whether these
deficiencies, individually or in combination, are significant deficiencies or material
weaknesses.
3350.25 Evaluating whether a significant deficiency is also a material weakness is a subjective process
that depends on factors such as the nature of the accounting system and any financial
statement amounts exposed to the significant deficiency.
3350.26 Indicators of material weaknesses in internal control include the following:
a. Identification of fraud, whether or not material, on the part of senior management
b. Restatement of previously issued financial statements to reflect the correction of a
material misstatement due to error or fraud
c. Identification by the auditor of a material misstatement of the financial statements
under audit in circumstances that indicate that the misstatement would not have been
detected by the entity’s internal control
d. Ineffective oversight of the entity’s financial reporting and internal control by those
charged with governance
3350.27 AU‐C 265.A37 states that the absence of or inadequacy of programs and controls to address
the risk of fraud may constitute a significant deficiency or a material weakness.
3350.28 When evaluating whether control deficiencies, individually or in combination, are significant
deficiencies or material weaknesses, the auditor should consider the likelihood and
magnitude of misstatement. The following are examples of factors that may affect the
likelihood that a control, or combination of controls, could fail to prevent or detect a
misstatement:
a. The nature of the financial statement accounts, disclosures, and assertions
b. The susceptibility of the related assets or liabilities to loss or fraud
c. The subjectivity or complexity of the amount involved, and the extent of judgment
needed to determine that amount
d. The cause and frequency of any known or detected exceptions related to the operating
effectiveness of a control
e. The interaction or relationship of the control with other controls
f. The possible future consequences of the deficiency
3350.29 Control deficiencies identified during the audit that upon evaluation are considered
significant deficiencies or material weaknesses must be communicated in writing to
management and those charged with governance (which includes the audit committee) as a
part of each audit, including significant deficiencies and material weaknesses that were
communicated to management and those charged with governance in previous audits and
have not yet been remediated.
Nonaudit Engagements
3350.30 The accountant in a review engagement should accumulate identified misstatements,
including inadequate disclosure, and evaluate whether, individually and in the aggregate,
material modifications are necessary to the financial statements to be in accordance with
the applicable financial reporting framework.
3350.31 If, during the review, the accountant becomes aware that information may be incorrect or
incomplete, the accountant should request that management consider the effect on the
financial statements and communicate the results of its consideration to the accountant.
The accountant should then consider whether the results communicated by management
indicate that the financial statements may be materially misstated.
3350.32 If the accountant believes that the financial statements may be materially misstated, he/she
should perform additional procedures deemed necessary to obtain limited assurance that
there are no material modifications that should be made to the statements in order for them
to be in accordance with the applicable financial reporting framework.
3350.33 The accountant should evaluate whether sufficient appropriate review evidence has been
obtained from the procedures performed and, if not, additional procedures judged by the
accountant to be necessary in the circumstances should be performed to form a conclusion
on the statements.
3360 Written Representations
Audit Engagements
3360.01 During an audit, management makes many representations to the auditor, both oral and
written, in response to the specific inquiries or through the financial statements. Such
representations from management are part of the audit evidence the independent auditor
obtains, but they are not a substitute for the application of those auditing procedures
necessary to afford a reasonable basis for an opinion on the financial statements under
audit.
3360.02 If management makes a representation that is contradicted by other audit evidence, the
auditor should investigate the circumstances and consider the reliability of the
representations made. Based on the circumstances, the auditor should consider whether
reliance on management’s representations relating to other aspects of the financial
statements is appropriate and justified.
3360.03 Written representations from management should be obtained for all financial statements
and periods covered by the auditor’s report. Written representations ordinarily confirm
representations explicitly or implicitly given to the auditor, indicate and document the
continuing appropriateness of such representations, and reduce the possibility of
misunderstanding concerning the matters that are the subject of the representations. In
practice, these representations are often referred to as the “management rep letter” or the
“client rep letter.”
In connection with an audit of financial statements, presented in accordance with GAAP or
other financial reporting framework, specific representations should be made. These specific
representations should be related to the following matters:
a. Financial statements:
(1) Management’s acknowledgment of its responsibility for the preparation and fair
presentation of the financial statements in accordance with the applicable reporting
framework
(2) Management’s belief that the financial statements are fairly presented in
conformity with the applicable reporting framework
b. Completeness of information:
(1) Availability of all financial records and related data
(2) Completeness and availability of all minutes of stockholders, directors, and
committees of directors
(3) Communications from regulatory agencies concerning noncompliance with or
deficiencies in financial reporting practices
(4) Absence of unrecorded transactions
c. Recognition, measurement, and disclosure:
(1) Management’s belief that the effects of any uncorrected financial statement
misstatements aggregated by the auditor during the current engagement and
pertaining to the latest period presented are immaterial, both individually and in
the aggregate, to the financial statements taken as a whole
(2) Management's acknowledgment of its responsibility for the design and
implementation of programs and controls to prevent and detect fraud
(3) Knowledge of fraud or suspected fraud involving (a) management, (b) employees
who have significant roles in internal control, or (c) others where the fraud could
have a material effect on the financial statements
(4) Knowledge of any allegations of fraud or suspected fraud affecting the entity
received in communications from employees, former employees, analysts,
regulators, short sellers, or others
(5) Plans or intentions that may affect the carrying value or classification of assets or
liabilities
(6) Information concerning related party transactions and amounts receivable from or
payable to related parties
(7) Guarantees, whether written or oral, under which the entity is contingently liable
(8) Significant estimates and material concentrations known to management that are
required to be disclosed in accordance with FASB ASC 275, Risks and Uncertainties
(9) Violations or possible violations of laws or regulations whose effects should be
considered for disclosure in the financial statements or as a basis for recording a
loss contingency
(10) Unasserted claims or assessments that the entity’s lawyer has advised are probable
of assertion and must be disclosed in accordance with FASB ASC 450, Contingencies
(11) Other liabilities and gain or loss contingencies that are required to be accrued or
disclosed by FASB ASC 450
(12) Satisfactory title to assets, liens, or encumbrances on assets, and assets pledged as
collateral
(13) Compliance with aspects of contractual agreements that may affect the financial
statements
d. Information concerning subsequent events
3360.04 Management’s representations may be limited to matters that are considered either
individually or collectively material to the financial statements, provided management and
the auditor have reached an understanding on materiality for this purpose. Materiality may
be different for different representations. If necessary, a discussion of materiality may be
included in the representation letter.
3360.05 Materiality considerations would not apply to those representations that are not directly
related to amounts included in the financial statements, such as management’s
acknowledgment of its responsibility for the financial statements, the availability of all
financial records, and management’s acknowledgment of its responsibility for the design and
implementation of programs and controls to prevent and detect fraud.
3360.06 The management representation letter should be addressed to the auditor and should be
dated the date of the auditor’s report.
3360.07 The management representation letter should be signed by those members of management
with overall responsibility for financial and operating matters whom the auditor believes are
responsible for and knowledgeable about the matters covered by the representations. Such
members of management normally include the chief executive officer and chief financial
officer or others with equivalent positions in the entity.
3360.08 If current management was not present during all periods covered by the auditor’s report,
the auditor should nevertheless obtain written representations from current management
on all such periods. The auditor may also want to obtain written representations from other
individuals. For example, representations that the board minutes are complete might
warrant representation from the person responsible for keeping the minutes.
3360.09 If a predecessor auditor is requested by a former client to reissue the report on prior‐period
financial statements, and those statements are to be presented on a comparative basis with
audited financial statements of a subsequent period, the predecessor auditor should obtain
an updating representation letter from the management of the former client. The updating
representation letter should state (a) whether any information has come to management’s
attention that would cause them to believe that any of the previous representations should
be modified and (b) whether any events have occurred subsequent to the balance sheet
date of the latest financial statements that would require adjustment of or disclosure in
those financial statements.
3360.10 If management refuses to furnish a written representation, this is a scope limitation that is
sufficient to preclude an unmodified opinion and is ordinarily sufficient to cause an auditor
to disclaim an opinion or withdraw from the engagement. However, based on the nature of
the representations not obtained or the circumstances of the refusal, the auditor may
conclude that a qualified opinion is appropriate. The auditor should consider the effects of
the refusal on the ability to rely on other management representations.
3360.11 If the auditor is precluded from performing procedures considered necessary in the
circumstances, even though management has given representations concerning the matter,
this is a scope limitation and the auditor should issue a qualified opinion or disclaim an
opinion on the financial statements.
Review Engagements
3360.12 Written representations are required from management for all financial statements and
periods covered by the accountant’s review report. Written representations are not required
for a compilation engagement but may be requested at the discretion of the accountant.
3360.13 The specific written representations from management obtained by the accountant will
depend on the circumstances of the engagement and the nature and basis of presentation of
the financial statements.
3360.14 Specific written representations from management should relate to the following matters:
a. Management has fulfilled its responsibility for the preparation and fair presentation of
the financial statements in accordance with the applicable financial reporting
framework.
b. Management’s acknowledgement of its responsibility for designing, implementing, and
maintaining internal control relevant to the preparation and fair presentation of the
financial statements
c. Management has provided the accountant with all relevant information and access, as
agreed upon in the terms of the engagement.
d. Management’s full and truthful response to all inquiries
e. All transactions have been recorded and are reflected in the financial statements.
f. Management has disclosed its knowledge of any fraud or suspected fraud affecting the
entity involving management or others where the fraud could have a material effect on
the financial statements, including any communications received from employees,
former employees, or others.
g. Management has disclosed all known instances of actual or suspected noncompliance
with laws and regulations whose effects should be considered when preparing the
financial statements.
h. Management has disclosed to the accountant whether it believes that the effects of
uncorrected misstatements are immaterial, individually and in the aggregate, to the
financial statements as a whole. A summary of such items should be included in the
written representation.
i. Management has disclosed all known actual or possible litigation and claims whose
effects should be considered when preparing the financial statements; such litigation
and claims have been appropriately accounted for and disclosed in accordance with the
applicable financial reporting framework.
j. Management has disclosed to the accountant whether it believes that significant
assumptions used by it in making accounting estimates are reasonable.
k. Management has disclosed the identity of the entity’s related parties and all of the
related party relationships and transactions of which it is aware. It has appropriately
accounted for and disclosed such relationships and transactions.
l. Management has disclosed to the accountant all information relevant to use of the
going concern assumption in the financial statements.
m. Management has properly accounted for all events occurring subsequent to the date of
the financial statements and for which the applicable financial reporting framework
requires adjustment or disclosure.
3360.15 If management does not provide the written representations, or the accountant concludes
that there is cause to doubt management’s integrity such that the written representations
are not reliable, the accountant should discuss the matter with management and those
charged with governance. After said discussion, if the accountant continues to doubt
management’s integrity, the accountant should withdraw from the engagement.
3360.16 Because the accountant is concerned with events occurring through the date of the report
that may require adjustment to or disclosure in the financial statements, the management
representation letter should be made as of the date of the accountant’s review report.
3360.17 The management’s representation letter should be signed by those members of
management whom the accountant believes are responsible for and knowledgeable about
the matters covered in the representation letter (normally, the CEO and CFO).
Engagements Performed Under the Attestation Standards
3360.18 Statements on Standards for Attestation Engagements (SSAEs) include examinations,
reviews, and agreed‐upon procedures on subject matter or an assertion that is the
responsibility of another party. The accountant must obtain written acknowledgement or
other evidence of the responsible party’s responsibility for the subject matter or any
attestation engagement (or written assertion thereon in an examination or review
engagement). An assertion is any declaration about whether subject matter is based on, or
in conformity with, selected criteria. This responsibility may be obtained through a
representation letter or other appropriate means.
3360.19 A written representation letter should be obtained in review and examination engagements.
3360.20 Matters covered may include the following:
a. A statement that the subject matter is based on or in conformity with the applicable
criteria and that all relevant matters are reflected in the measurement or evaluation of
the subject matter or assertion
b. A statement that all known matters contradicting the subject matter or assertion and
any communication from regulatory agencies affecting the subject matter or the
assertion have been disclosed to the accountant
c. The assertion about the subject matter based on the selected criteria, if applicable
d. A statement acknowledging responsibility for the subject matter and the assertion
e. A statement acknowledging responsibility for selecting the criteria, if applicable
f. A statement acknowledging responsibility for determining that such criteria are
appropriate for the purpose
g. A statement that all records and information relevant to the subject matter of assertion
have been provided
h. A statement that any material known events subsequent to the period (or point in time)
of the subject matter have been disclosed to the accountant
i. A statement that the responsible party has disclosed all relevant significant deficiencies
in internal control; knowledge of any actual, suspected, or alleged fraud or relevant
noncompliance with laws or regulations; or other appropriate matters
j. A statement that the effects of uncorrected misstatements are immaterial, individually
or in the aggregate
k. A statement that significant assumptions used in making any material estimates are
reasonable, if applicable
3360.21 If the client is not the responsible party in an examination or review engagement, the
accountant should obtain a representation letter from the client.
3360.22 The standards do not require the accountant to obtain a representation letter in an agreed‐
upon procedures engagement, unless related to compliance attestation. However, an
accountant may find a representation letter to be useful and practical.
3360.23 Any written representation letter from the responsible party and/or client should be dated
the same day as the attest report, and should cover the subject matter and periods referred
to in the report.
3360.24 If a responsible party who is not the client refuses to provide a written representation letter
in an examination, the accountant may be able to obtain satisfactory oral responses from
the responsible party and issue a restricted‐use report. Otherwise, a qualified opinion, a
disclaimer of opinion, or withdrawal from the examination engagement is necessary.
3360.25 If the client or responsible party refuses to furnish appropriate written representations in a
review, a scope limitation exists that would require the accountant to withdraw from the
review engagement.
3360.26 If the responsible party in an agreed‐upon procedures engagement refuses to provide
requested written representations, the accountant may do either of the following: a)
disclose the inability to obtain such representations in the agreed‐upon procedures report,
b) withdraw (which is required if it is an agreed‐upon procedures engagement related to
compliance), or c) change to another form of engagement.
3370 Subsequent Events and Subsequently Discovered Facts
3371 Subsequent Events
3371.01 A subsequent event is an event or transaction that occurs after the balance sheet date, but
before the date of the auditor’s report, that has a material effect on the financial
statements.
3371.02 The CPA must review subsequent events—of which there are two types—up to the date of
the report.
3371.03 Adjustment type (the first type), which requires adjustment of the financial statements,
consists of those events that provide additional evidence as to conditions that existed at the
date of the balance sheet and affect the estimates inherent in the process of preparing
financial statements. Examples of this type of event include the following:
a. Losses on receivables resulting from the bankruptcy of a major customer that was in a
weak financial position
b. Settlement of litigation or other uncertainty
c. Final determination of an amount that was estimated at the balance sheet date
In these cases, the financial statements should be adjusted (e.g., a journal entry should be
booked).
3371.04 Disclosure type (the second type), which requires disclosure only, consists of those events
that provide evidence with respect to conditions that did not exist at the date the balance
sheet was reported on but arose after that date. Examples include the following:
a. Sale of a bond or capital stock issue
b. Purchase of a business
c. Settlement of litigation when the event giving rise to the claim took place subsequent to
the balance sheet date
d. Fire or flood loss
e. Loss on receivable due to a post‐balance sheet date (customer’s major casualty)
In these cases, disclose in a note to the financial statements or, in extreme cases, provide
pro forma financial statements.
3371.05 The following are examples of events that would not normally be considered subsequent
events requiring disclosure:
a. Product changes
b. Changes in management
c. Loss of customer
d. Strikes
e. Proxy fights
Notice that none of these examples would normally result in a journal entry when the event
occurred.
3371.06 The CPA is required to perform some detailed audit procedures after the balance date. Such
procedures may reveal subsequent events. Examples of these procedures include the
following:
a. Cutoff procedures
b. Evaluation of assets and liabilities at the balance sheet dates (e.g., subsequent collection
of receivables)
3371.07 In addition, the CPA is required to perform the following procedures related to subsequent
events:
a. Read and review interim financial statements.
b. Inquire of officers:
(1) whether any substantial contingent liabilities or commitments existed at the date of
the balance sheet being reported on or at the date of inquiry.
(2) whether there was any significant change in the capital stock, long‐term debt, or
working capital to the date of inquiry.
(3) the current status of items, in the financial statements being reported on, that were
accounted for on the basis of tentative, preliminary, or inconclusive data.
(4) whether any unusual adjustments had been made during the period from the
balance sheet date to the date of inquiry.
c. Read minutes of stockholders’, directors’, and officers’ meetings.
d. Inquire of legal counsel.
e. Observe events in subsequent period.
f. Scan records for unusual transactions.
g. Obtain letter of representation on subsequent events.
3372 Subsequently Discovered Facts
Audit Engagement
3372.01 A subsequent discovery is the discovery of facts that existed at the date of the audit report
but that were not known at that time. It is not an event that occurs after the report date or
the resolution of a contingency that existed at that date.
3372.02 The auditor has no obligation to perform any further audit procedures after the report date,
but new information may come to the auditor’s attention. If this happens, the auditor should
(1) consult with an attorney and (2) determine if the subsequently discovered information:
a. is reliable,
b. existed at the date of the report,
c. is material to the report (would or might change opinion), and
d. is applicable to the report that is still being relied on.
3372.03 If the four conditions in section 3372.02 exist, the auditor should do the following:
a. Advise the client to revise and reissue the statements and auditor’s report.
b. Make disclosure in financial statements of a subsequent period if the date of issue is
imminent.
c. Notify persons relying on statements of the facts that are known to the auditor, if the
effect cannot be promptly determined and it appears the financial statements will be
revised after investigation.
d. Discuss with the SEC or other regulatory body, if appropriate.
3372.04 If the client refuses to cooperate in disclosing the facts, the auditor should notify the
following:
a. The client (management and board of directors) that the auditor’s report cannot be
associated with statements
b. Regulatory bodies
c. Each person known by the auditor to be relying on the statements
3372.05 When the auditor makes a satisfactory investigation, disclosure should consist of precise and
factual statements of:
a. facts as known by the auditor and
b. effects on financial statements and the auditor’s report.
3372.06 If the client refuses to cooperate, disclosure by the auditor cannot be as precise and should
contain a statement that the client has not cooperated.
Review Engagement Performed in Accordance with SSARS
3372.07 The accountant is not required to perform any review procedures regarding the financial
statements after the date of the accountant’s review report. However, if a subsequently
discovered fact becomes known to the accountant before the report release date, the
accountant should:
a. discuss the matter with management and, when appropriate, those charged with
governance and
b. determine whether the financial statements need revision and, if so, inquire how
management intends to address the matter in the financial statements.
If management revises the financial statements, the accountant should perform the review
procedures necessary in the circumstances on the revision. The accountant also should
either:
a. date the accountant’s review report as of a later date or
b. include an additional date in the accountant’s review report on the revised financial
statements that is limited to the revision (that is, dual‐date the accountant’s review
report for that revision), thereby indicating that the accountant’s review procedures
subsequent to the original date of the accountant’s review report are limited solely to
the revision of the financial statements described in the relevant note to the financial
statements.
If management does not revise the financial statements in circumstances when the
accountant believes they need to be revised, the accountant should modify the accountant’s
review report, as appropriate.
3372.08 If a subsequently discovered fact becomes known to the accountant after the report release
date, the accountant should:
a. discuss the matter with management and, when appropriate, those charged with
governance and
b. determine whether the financial statements need revision and, if so, inquire how
management intends to address the matter in the financial statements.
If management revises the financial statements, the accountant should:
a. apply the requirements of AR‐C 90.72.
b. if the reviewed financial statements (before revision) have been made available to third
parties, assess whether the steps taken by management are timely and appropriate to
ensure that anyone in receipt of those financial statements is informed of the situation,
including that the reviewed financial statements are not to be used. If management
does not take the necessary steps, the accountant should apply the requirements of AR‐
C 90.76.
c. if the accountant’s conclusion on the revised financial statements differs from the
accountant’s conclusion on the original financial statements, disclose in an emphasis‐of‐
matter paragraph:
(1) the date of the accountant’s previous report,
(2) a description of the revisions, and
(3) the substantive reasons for the revisions.
If management does not revise the financial statements in circumstances when the
accountant believes they need to be revised, then:
a. if the reviewed financial statements have not been made available to third parties, the
accountant should notify management and those charged with governance, unless all of
those charged with governance are involved in managing the entity, not to make the
reviewed financial statements available to third parties before the necessary revisions
have been made and a new accountant’s review report on the revised financial
statements has been provided. If the reviewed financial statements are, nevertheless,
subsequently made available to third parties without the necessary revisions, the
accountant should apply the requirements of AR‐C 90.76(b).
b. if the reviewed financial statements have been made available to third parties, the
accountant should assess whether the steps taken by management are timely and
appropriate to ensure that anyone in receipt of the reviewed financial statements is
informed of the situation, including that the reviewed financial statements are not to be
used. If management does not take the necessary steps, the accountant should apply
the requirements of paragraph AR‐C 90.77.
If management does not take the necessary steps to ensure that anyone in receipt of the
financial statements is informed of the situation, as provided by paragraph AR‐C 90.75(b) or
90.76(b), the accountant should notify management and those charged with governance,
unless all of those charged with governance are involved in managing the entity, that the
accountant will seek to prevent future use of the accountant’s review report. If, despite such
notification, management or those charged with governance do not take the necessary
steps, the accountant should take appropriate action to seek to prevent use of the
accountant’s review report.
Engagements Performed Under Attestation Standards
3372.09 While the accountant has no responsibility to detect subsequent events, the accountant
should inquire of the responsible party (and the client, if different) as to whether they are
aware of any subsequent events through the report date. The written representation letter
ordinarily contains a representation about subsequent events.
3372.10 If the accountant becomes aware of an event(s) where disclosure is necessary to prevent
users of the report from being misled, and information about that event is not adequately
disclosed by the responsible party in the subject matter or in its assertion, the accountant
should take appropriate action.
This page intentionally left blank.
3420 Reports on Attestation Engagements
3421 General Standards for Attestation Reports
3422 Agreed‐Upon Procedures Reports
3423 Reporting on Controls at a Service Organization
3430 Accounting and Review Service Engagements
3431 Preparation Engagements
3432 Compilation Reports
3433 Review Reports
3440 Reporting on Compliance
3450 Other Reporting Considerations
3451 Comparative Statements and Consistency Between Periods
3452 Other Information in Documents with Audited Statements
3453 Review of Interim Financial Information
3454 Supplementary Information
3455 Single Statements
3456 Special‐Purpose and Other Country Frameworks
3457 Letters for Underwriters and Filings with the SEC and Auditor Involvement with Exempt Offering
Documents
3458 Alerts That Restrict the Use of Written Communication
3459 Government Auditing Standards Reporting Requirements
3460 Miscellaneous Topics
3410 Reports on Auditing Engagements
3411 Forming an Audit Opinion, Including Modifications
Evaluating Audit Evidence Obtained
3411.01 An audit of financial statements is a cumulative and iterative process. As the auditor
performs planned audit procedures, the audit evidence obtained may cause the auditor to
modify the nature, timing, or extent of other planned audit procedures.
3411.02 Based on the audit procedures performed and the audit evidence obtained, the auditor
should evaluate whether the assessments of the risks of material misstatement at the
relevant assertion level remain appropriate.
3411.03 The auditor should not assume that an instance of fraud or error is an isolated occurrence,
and therefore should consider how the detection of such misstatement affects the assessed
risks of material misstatement.
3411.04 In developing an opinion, the auditor should consider all relevant audit evidence, regardless
of whether it appears to corroborate or to contradict the relevant assertions in the financial
statements.
3411.05 The sufficiency and appropriateness of audit evidence to support the auditor’s conclusions
throughout the audit are a matter of professional judgment. The auditor’s judgment as to
what constitutes sufficient appropriate audit evidence is influenced by such factors as:
a. the significance of the potential misstatement in the relevant assertion and the
likelihood of its having a material effect, individually or aggregated with other potential
misstatements, on the financial statements.
b. the effectiveness of management’s responses and controls to address the risks.
c. the experience gained during previous audits with respect to similar potential
misstatements.
d. the results of audit procedures performed, including whether such audit procedures
identified specific instances of fraud or error.
e. the sources and reliability of available information.
f. the persuasiveness of the audit evidence.
g. the understanding of the entity and its environment, including its internal control.
3411.06 If the auditor has not obtained sufficient appropriate audit evidence as to a material
financial statement assertion, the auditor should attempt to obtain further audit evidence. If
the auditor is unable to obtain sufficient appropriate audit evidence, the auditor should
express a qualified opinion or a disclaimer of opinion.
3411.07 The auditor should document:
a. the overall responses to address the assessed risk of misstatements at the financial
statement level.
b. the nature, timing, and extent of the further audit procedures.
c. the linkage of those procedures with the assessed risks at the relevant assertion level.
d. the results of the audit procedures.
e. the conclusions reached with regard to the use in the current audit of audit evidence
about the operating effectiveness of controls that was obtained in a prior audit.
3411.08 The manner in which these matters are documented is based on the auditor’s professional
judgment.
Evaluate Audit Documentation
3411.09 Audit documentation is the record of:
a. the audit procedures performed (including the nature, timing, and extent of the
procedures),
b. the relevant audit evidence obtained,
c. the conclusions the auditor reached, and
d. the agreement of the accounting records with the audited financial statements or other
the audited information.
3411.10 The audit documentation should enable an experienced auditor, having no previous
connection with the audit, to understand section 3411.09.
3411.11 Sufficient and appropriate documentation is essential to a quality audit.
3411.12 Audit documentation, known as working papers or workpapers, may be recorded on paper
or on electronic or other media. The form, content, and extent of audit documentation
depends on the circumstances of the engagement and the audit methodology and tools
used. Working papers are owned by the CPA firm that performed the engagement.
3411.13 The auditor should document significant findings or issues, actions taken to address them,
and the basis for the final conclusions reached.
3411.14 The auditor should document who performed the work, the date the work was completed,
who reviewed the work, and the date the work was reviewed.
3411.15 Documentation of the procedures performed should include identifying characteristics of
the specific items tested. For example, for a test of details, the auditor may identify the
documents selected for testing by their dates and unique purchase order numbers.
3411.16 If the auditor departs from a requirement under GAAS, the auditor must document the
justification for the departure and how the alternative procedures performed were sufficient
to achieve the objectives.
3411.17 Completion of the audit file under auditing standards generally accepted in the United
States of America is required within 60 days following the report release date. Completion of
the audit file under Public Company Accounting Oversight Board (PCAOB) standards is
required within 45 days following the report release date.
Evaluate Whether Financial Statements Are Free of Material Misstatements
3411.18 At or near the completion of fieldwork, the auditor should evaluate whether the
accumulated results of auditing procedures and other observations affect the assessment of
the risks of material misstatement due to fraud made earlier in the audit. This evaluation
primarily is a qualitative matter based on the auditor’s judgment.
3411.19 When audit test results identify misstatements in the financial statements, the auditor
should consider whether such misstatements may be indicative of fraud.
3411.20 If the auditor believes that the misstatement is or may be the result of fraud, and either has
determined that the effect could be material to the financial statements or has been unable
to evaluate whether the effect is material, the auditor should:
a. attempt to obtain additional audit evidence to determine whether material fraud has
occurred or is likely to have occurred and, if so, its effect on the financial statements
and the auditor’s report thereon.
b. consider the implications for other aspects of the audit.
c. discuss the matter and the approach for further investigation with an appropriate level
of management that is at least one level above those involved, and with senior
management and those charged with governance.
d. if appropriate, suggest that the client consult with legal counsel.
3411.21 The auditor must evaluate whether the financial statements as a whole are free of material
misstatement. In making this evaluation, the auditor should consider both the evaluation of
the uncorrected (known and likely) misstatements and qualitative considerations.
3411.22 When concluding as to whether the effect of misstatements, individually or in the aggregate,
is material, an auditor should consider the nature and amount of the misstatements in
relation to the nature and amount of items in the financial statements under audit.
3411.23 If the auditor believes that the financial statements as a whole are materially misstated, the
auditor should request management to make the necessary corrections. If management
refuses to make the corrections, the auditor must determine the implications for the
auditor’s report.
3411.24 Even if the auditor concludes that the effects of the uncorrected misstatements, individually
or in the aggregate, do not cause the financial statements to be materially misstated, the
financial statements could be materially misstated due to further misstatements remaining
undetected. The auditor should consider the effect of undetected misstatements when
concluding whether or not the financial statements are fairly stated.
3411.25 The auditor can reduce audit risk by modifying the nature, timing, and extent of planned
audit procedures in performing the audit. If the auditor believes that such risk is
unacceptably high, the auditor should perform additional audit procedures or be satisfied
that the entity has adjusted the financial statements to reduce the risk of material
misstatement to an appropriate level.
Modified Opinions: Qualified Opinions
3411.26 A qualified opinion should be expressed when sufficient appropriate audit evidence
concludes that misstatements are material but not universal to the financial statements, or
the auditor is unable to obtain sufficient appropriate audit evidence but concludes the
possible effects could be material but not universal.
3411.27 A qualified opinion is necessary when a matter is material enough to mention but not
sufficiently material to require an adverse opinion or a disclaimer of opinion.
3411.28 The auditor is not required to prepare a basic financial statement (such as the statement of
cash flows) and include it in the report if the company’s management declines to present the
statement. Accordingly, in these cases, the auditor should ordinarily qualify the report.
3411.29 The auditor should evaluate a change in accounting principle by management. The auditor
should evaluate a material change in financial statement classification and the related
disclosure to determine whether such a change is also either a change in accounting
principle or an adjustment to correct a material misstatement in previously issued financial
statements. If a newly adopted accounting principle is not in accordance with an applicable
financial reporting framework, the method of accounting for the effect of the change is not
in conformity with an applicable financial reporting framework, or management has not
provided reasonable justification for the change, the auditor should express a qualified
opinion or an adverse opinion depending on the materiality of the item.
Modified Opinions: Adverse Opinions
3411.30 An adverse opinion is expressed when sufficient appropriate audit evidence is acquired, but
misstatements are both material and universal to the financial statements.
3411.31 Typically, the test for an adverse opinion is whether or not the CPA can provide a correcting
entry or a note to the financial statements that would provide a fair representation. If the
CPA cannot do this, a disclaimer may be appropriate.
Modified Opinions: Disclaimer of Opinion
3411.32 A disclaimer of opinion is expressed when the auditor is unable to obtain sufficient
appropriate audit evidence and concludes the possible effects of undetected misstatements
may be both universal and material.
3411.33 When disclaiming an opinion because of a scope limitation, the auditor should not identify
the procedures that were performed.
3411.34 If the auditor has made an audit sufficient to reveal material departures from an applicable
financial reporting framework, a disclaimer should not be issued. A disclaimer of opinion is
not a substitute for an adverse opinion.
Summary of Audit Report Forms
3411.35 The following summary chart reflects the alternative forms of audit reports and the
circumstances under which they should be issued:
Auditor’s Professional Judgment About the
Pervasiveness of the Effects or Possible
Effects on the Financial Statements
Nature of Matter Giving
Rise to the Modification Material but Not Pervasive Material and Pervasive
3412 Form and Content of an Audit Report
The Auditor’s Standard Report in Audit of a Nonissuer
3412.01 The auditor should either express an opinion regarding the financial statements, taken as a
whole, or state that an opinion cannot be expressed and the reasons why it cannot be
expressed.
3412.02 Whenever an auditor is associated with financial statements, a clear‐cut indication should be
given of the character of the auditor’s work and the degree of responsibility the auditor is
taking.
3412.03 The objective is to prevent misunderstanding of the degree of responsibility the auditor is
assuming when his or her name is associated with financial statements.
3412.04 The basis for the auditor’s opinion lies with:
a. the conformity of the audit with generally accepted auditing standards and
b. the audit findings.
3412.05 The audit report may be addressed to:
a. the company whose financial statements are being audited,
b. its board of directors,
c. its stockholders, or
d. a third party who engaged the auditor.
3412.06 This standard of reporting applies to all audits of nonpublic companies.
3412.07 “Taken as a whole” applies equally to a complete set of financial statements and to an
individual financial statement (e.g., to a balance sheet) for one or more periods presented.
3412.08 When an auditor has audited the financial statements of a company, the auditor must issue
one of the following:
a. Unmodified opinion
b. Qualified opinion (modified opinion)
c. Adverse opinion (modified opinion)
d. Disclaimer of opinion (modified opinion)
AU‐C 705.07 requires, “The auditor should modify the opinion in the auditor's report [in
accordance with section 705] when the auditor concludes that, based on the audit evidence
obtained, the financial statements as a whole are materially misstated or…the auditor is
unable to obtain sufficient appropriate audit evidence to conclude that the financial
statements as a whole are free from material misstatement.”
3412.09 When not independent, an auditor may issue only a compilation report.
3412.10 The auditor’s standard report states that the financial statements present fairly, in all
material respects, an entity’s financial position, results of operations, and cash flows in
conformity with U.S. generally accepted accounting principles (or modified for the applicable
financial reporting framework, as relevant).
3412.11 The auditor’s standard report identifies the financial statements audited in an opening
(introductory) paragraph, describes management’s responsibility for an audit in a
management’s responsibility paragraph, describes the auditor’s responsibility in an auditor’s
responsibility paragraph, and expresses the auditor’s opinion in a separate opinion
paragraph. For an unmodified opinion, each item listed must be satisfied:
Title:
The title must include the word independent.
Addressee:
The auditor’s report must be addressed to the entity or to those charged with governance.
Introductory paragraph:
AU‐C 700.25 requires the following:
a. Identify the entity whose financial statements have been audited.
b. State that the financial statements have been audited.
c. Identify the title of each statement that the financial statements comprise.
d. Specify the date or period covered by each financial statement that the financial
statements comprise.
Management’s Responsibility for the Financial Statements:
This paragraph should describe management’s responsibility for the preparation and fair
presentation of financial statements that are free from material misstatement, whether due
to fraud or error, in accordance with the applicable financial reporting framework. The
design, implementation, and maintenance of internal control must also be included.
Auditor’s Responsibility:
The auditor’s responsibility is to express an opinion on the financial statements. The report
should also state the audit was conducted in accordance with generally accepted auditing
standards and should identify the United States of America as the country of origin of these
auditing standards. The report should state whether the auditor believes that the evidence is
sufficient and appropriate to provide a basis for the opinion.
The auditor’s report describes an audit by stating the following:
a. An audit involves performing procedures to obtain audit evidence about the amounts
and disclosures in the financial statements.
b. The procedures selected depend on the auditor’s judgment, including the assessment of
the risks of material misstatement of the financial statements, whether due to fraud or
error. In making those risk assessments, the auditor considers internal control relevant
to the entity’s preparation and fair presentation of the financial statements in order to
design audit procedures that are appropriate in the circumstances but not for the
purpose of expressing an opinion on the effectiveness of the entity’s internal control
and, accordingly, no such opinion is expressed. (The phrase “the auditor’s consideration
of internal control is not for the purpose of expressing an opinion…” should be omitted
if the auditor is going to express an opinion.)
c. An audit also includes evaluating the appropriateness of the accounting policies used
and the reasonableness of significant accounting estimates made by management, as
well as the overall presentation of the financial statements.
Opinion paragraph:
a. For an unmodified opinion, the auditor’s opinion should state that the financial
statements present fairly, in all material respects, the financial position of the entity as
of the balance sheet date and the results of its operations and its cash flows for the
period then ended, in accordance with the applicable financial reporting framework.
b. The paragraph should identify the applicable financial reporting framework and its
origin.
The manual or printed signature of the auditor’s firm
The name of the city and state where the auditor practices
The date of the audit report
3412.12 The following is the wording of the standard auditor’s report issued for comparative
financial statements prepared in accordance with accounting principles generally accepted
in the United States of America when the audit has been conducted in accordance with both
auditing standards generally accepted in the United States and International Standards on
Auditing (AU‐C 700.A58, Illustration 3):
Independent Auditor’s Report
[Appropriate Addressee]
Report on the Financial Statements
We have audited the accompanying financial statements of ABC Company, which
comprise the balance sheets as of December 31, 20X1 and 20X0, and the related
statements of income, changes in stockholders' equity, and cash flows for the years then
ended, and the related notes to the financial statements.
Management’s Responsibility for the Financial Statements
Management is responsible for the preparation and fair presentation of these financial
statements in accordance with accounting principles generally accepted in the United
States of America; this includes the design, implementation, and maintenance of internal
control relevant to the preparation and fair presentation of financial statements that are
free from material misstatement, whether due to fraud or error.
Auditor’s Responsibility
Our responsibility is to express an opinion on these financial statements based on our
audits. We conducted our audits in accordance with auditing standards generally
accepted in the United States of America and in accordance with International Standards
on Auditing. Those standards require that we plan and perform the audit to obtain
reasonable assurance about whether the financial statements are free from material
misstatement.
An audit involves performing procedures to obtain audit evidence about the amounts
and disclosures in the financial statements. The procedures selected depend on the
auditor's judgment, including the assessment of the risks of material misstatement of the
financial statements, whether due to fraud or error. In making those risk assessments,
the auditor considers internal control relevant to the entity's preparation and fair
presentation of the financial statements in order to design audit procedures that are
appropriate in the circumstances, but not for the purpose of expressing an opinion on
the effectiveness of the entity's internal control. Accordingly, we express no such
opinion. An audit also includes evaluating the appropriateness of accounting policies
used and the reasonableness of significant accounting estimates made by management,
as well as evaluating the overall presentation of the financial statements.
We believe that the audit evidence we have obtained is sufficient and appropriate to
provide a basis for our audit opinion.
Opinion
In our opinion, the financial statements referred to above present fairly, in all material
respects, the financial position of ABC Company as of December 31, 20X1 and 20X0, and
the results of its operations and its cash flows for the years then ended in accordance
with accounting principles generally accepted in the United States of America.
Report on Other Legal and Regulatory Requirements
[Form and content of this section of the auditor's report will vary depending on the
nature of the auditor's other reporting responsibilities.]
[Auditor's signature]
[Auditor's city and state]
[Date of the auditor's report]
Modified Opinions: Qualified Opinions
3412.13 When the auditor expresses a qualified opinion, the auditor should disclose all of the
substantive reasons in one or more separate emphasis‐of‐matter or other‐matter
paragraph(s) in the report. The auditor should also include, in the opinion paragraph, the
appropriate qualifying language and a reference to the emphasis‐of‐matter or other‐matter
paragraph.
3412.14 A qualified opinion should include the word except or exception in a phrase such as “except
for” or “with the exception of.”
3412.15 When the qualified opinion results from a scope limitation, the auditor should mention the
scope limitation in the opinion paragraph and should only refer to an emphasis‐of‐matter
paragraph; the scope limitation should not be explained in a note to the financial
statements.
3412.16 An example of a qualified opinion due to a scope limitation concerning an investment in a
foreign subsidiary is shown as follows (AU‐C 705.A32, Illustration 4):
Independent Auditor’s Report
[Appropriate Addressee]
Report on the Financial Statements
We have audited the accompanying financial statements of ABC Company, which
comprise the balance sheets as of December 31, 20X1 and 20X0, and the related
statements of income, changes in stockholders' equity, and cash flows for the years then
ended, and the related notes to the financial statements.
Management’s Responsibility for the Financial Statements
Management is responsible for the preparation and fair presentation of these financial
statements in accordance with accounting principles generally accepted in the United
States of America; this includes the design, implementation, and maintenance of internal
control relevant to the preparation and fair presentation of financial statements that are
free from material misstatement, whether due to fraud or error.
Auditor’s Responsibility
Our responsibility is to express an opinion on these financial statements based on our
audits. We conducted our audits in accordance with auditing standards generally
accepted in the United States of America. Those standards require that we plan and
perform the audit to obtain reasonable assurance about whether the financial statements
are free from material misstatement.
An audit involves performing procedures to obtain audit evidence about the amounts and
disclosures in the financial statements. The procedures selected depend on the auditor's
judgment, including the assessment of the risks of material misstatement of the financial
statements, whether due to fraud or error. In making those risk assessments, the auditor
considers internal control relevant to the entity's preparation and fair presentation of the
financial statements in order to design audit procedures that are appropriate in the
circumstances, but not for the purpose of expressing an opinion on the effectiveness of
the entity's internal control. Accordingly, we express no such opinion. An audit also
includes evaluating the appropriateness of accounting policies used and the
reasonableness of significant accounting estimates made by management, as well as
evaluating the overall presentation of the financial statements.
We believe that the audit evidence we have obtained is sufficient and appropriate to
provide a basis for our qualified audit opinion.
Basis for Qualified Opinion
The Company has stated inventories at cost in the accompanying balance sheets.
Accounting principles generally accepted in the United States of America require
inventories to be stated at the lower of cost or market. If the Company stated inventories
at the lower of cost or market, a write‐down of $XXX and $XXX would have been required
as of December 31, 20X1 and 20X0, respectively. Accordingly, cost of sales would have
been increased by $XXX and $XXX, and net income, income taxes, and stockholders'
equity would have been reduced by $XXX, $XXX, and $XXX, and $XXX, $XXX, and $XXX, as
of and for the years ended December 31, 20X1 and 20X0, respectively.
Qualified Opinion
In our opinion, except for the effects of the matter described in the Basis for Qualified
Opinion paragraph, the financial statements referred to above present fairly, in all
material respects, the financial position of ABC Company as of December 31, 20X1 and
20X0, and the results of its operations and its cash flows for the years then ended in
accordance with accounting principles generally accepted in the United States of America.
Report on Other Legal and Regulatory Requirements
(Same as the standard report)
3412.17 When the qualified opinion results from a material departure from an applicable financial
reporting framework, the emphasis‐of‐matter paragraph should disclose the principal effects
of the qualification, if reasonably determinable, or refer to a footnote in the financial
statements disclosing the effect.
3412.18 An example of a qualified opinion due to the use of an accounting principle at variance with
an applicable financial reporting framework is shown as follows (AU‐C 705.A32, Illustration
7):
Independent Auditor’s Report
(Same first, second, and third paragraphs as the standard report)
Basis for Qualified Opinion
The Company has excluded, from property and debt in the accompanying 20X1 balance
sheet, certain lease obligations that were entered into in 20X1 which, in our opinion,
should be capitalized in accordance with accounting principles generally accepted in the
United States of America. If these lease obligations were capitalized, property would be
increased by $XXX, long‐term debt by $XXX, and retained earnings by $XXX as of
December 31, 20X1, and net income and earnings per share would be increased
(decreased) by $XXX and $XXX, respectively, for the year then ended.
Qualified Opinion
In our opinion, except for the effects on the 20X1 financial statements of not capitalizing
certain lease obligations as described in the Basis for Qualified Opinion paragraph, the
financial statements referred to above present fairly, in all material respects, the financial
position of ABC Company as of December 31, 20X1 and 20X0, and the results of its
operations and its cash flows for the years then ended in accordance with accounting
principles generally accepted in the United States of America.
3412.19 An example of a qualified opinion as a result of inadequate disclosure is shown as follows
(AU‐C 705.A32, Illustration 2):
Independent Auditor’s Report
(Same first, second, and third paragraphs as the standard report)
Basis for Qualified Opinion
The Company’s financial statements do not disclose [describe the nature of the omitted
information that is not practicable to present in the auditor's report]. In our opinion,
disclosure of this information is required by accounting principles generally accepted in
the United States of America.
Qualified Opinion
In our opinion, except for the omission of the information described in the Basis for
Qualified Opinion paragraph, the financial statements referred to above present fairly, in
all material respects, the financial position of ABC Company as of December 31, 20X1 and
20X0, and the results of its operations and its cash flows for the years then ended in
accordance with accounting principles generally accepted in the United States of America.
Modified Opinions: Adverse Opinions
3412.20 When the auditor expresses an adverse opinion, the auditor should disclose in a separate
emphasis‐of‐matter paragraph(s) in the report (a) all the substantive reasons for the adverse
opinion and (b) the principal effects of the subject matter of the adverse opinion on the
financial statements, if possible.
3412.21 An example of an adverse opinion is shown as follows (AU‐C 705.A32, Illustration 3):
Independent Auditor’s Report
(Same first, second, and third paragraphs as the standard report)
Basis for Adverse Opinion
As described in Note X, the Company has not consolidated the financial statements of
subsidiary XYZ Company that it acquired during 20X1 because it has not yet been able to
ascertain the fair values of certain of the subsidiary's material assets and liabilities at the
acquisition date. This investment is therefore accounted for on a cost basis by the
Company. Under accounting principles generally accepted in the United States of
America, the subsidiary should have been consolidated because it is controlled by the
Company. Had XYZ Company been consolidated, many elements in the accompanying
consolidated financial statements would have been materially affected. The effects on the
consolidated financial statements of the failure to consolidate have not been determined.
Adverse Opinion
In our opinion, because of the significance of the matter discussed in the Basis for Adverse
Opinion paragraph, the consolidated financial statements referred to above do not
present fairly the financial position of ABC Company and its subsidiaries as of December
31, 20X1, or the results of their operations or their cash flows for the year then ended in
accordance with accounting principles generally accepted in the United States of America.
Modified Opinions: Disclaimer of Opinion
3412.22 When the auditor disclaims an opinion, the auditor should disclose in a separate emphasis‐
of‐matter paragraph(s) in the report all the substantive reasons for the disclaimer of an
opinion.
3412.23 An example of a report disclaiming an opinion resulting from an inability to obtain sufficient
appropriate audit evidence because of the scope limitation is shown as follows (AU‐C
705.A32, Illustration 5):
Independent Auditor’s Report
[Appropriate Addressee]
Report on the Financial Statements
We were engaged to audit the accompanying financial statements of ABC Company,
which comprise the balance sheet as of December 31, 20X1, and the related statements
of income, changes in stockholders' equity, and cash flows for the year then ended, and
the related notes to the financial statements.
Management’s Responsibility for the Financial Statements
Management is responsible for the preparation and fair presentation of these financial
statements in accordance with accounting principles generally accepted in the United
States of America; this includes the design, implementation, and maintenance of internal
control relevant to the preparation and fair presentation of financial statements that are
free from material misstatement, whether due to fraud or error.
Auditor’s Responsibility
Our responsibility is to express an opinion on these financial statements based on
conducting the audit in accordance with auditing standards generally accepted in the
United States of America. Because of the matter described in the Basis for Disclaimer of
Opinion paragraph, however, we were not able to obtain sufficient appropriate audit
evidence to provide a basis for an audit opinion.
Basis for Disclaimer of Opinion
The Company's investment in XYZ Company, a joint venture, is carried at $XXX on the
Company's balance sheet, which represents over 90 percent of the Company's net assets
as of December 31, 20X1. We were not allowed access to the management and the
auditors of XYZ Company. As a result, we were unable to determine whether any
adjustments were necessary relating to the Company's proportional share of XYZ
Company's assets that it controls jointly, its proportional share of XYZ Company's liabilities
for which it is jointly responsible, its proportional share of XYZ Company's income and
expenses for the year, and the elements making up the statements of changes in
stockholders' equity and cash flows.
Disclaimer of Opinion
Because of the significance of the matter described in the Basis for Disclaimer of Opinion
paragraph, we have not been able to obtain sufficient appropriate audit evidence to
provide a basis for an audit opinion. Accordingly, we do not express an opinion on these
financial statements.
Report on Other Legal and Regulatory Requirements
(Same as the standard report)
Uncertainties, Scope Limitations, and Departures from an Applicable Financial
Reporting Framework Involving Risks or Uncertainties
3412.24 A matter involving an uncertainty is one that is expected to be resolved at a future date, at
which time conclusive audit evidence concerning its outcome would be expected to become
available.
3412.25 Conclusive audit evidence concerning the ultimate outcome of uncertainties cannot be
expected to exist at the time of the audit because the outcome and related audit evidence
are prospective. Management is responsible for appropriate estimates or required
disclosures in accordance with an applicable financial reporting framework.
3412.26 If the auditor is unable to obtain sufficient appropriate audit evidence to support
management’s assertions about the nature of a matter involving an uncertainty and its
presentation or disclosure in the financial statements, the auditor should consider the need
to express a qualified opinion or to disclaim an opinion because of a scope limitation.
3412.27 If the auditor concludes that a matter involving a risk or an uncertainty is not adequately
disclosed in the financial statements in conformity with an applicable financial reporting
framework, the auditor should express a qualified or an adverse opinion.
3412.28 In preparing financial statements, management estimates the outcome of certain types of
future events. In some cases, the inability to make a reasonable estimate may raise
questions about the appropriateness of the accounting principles used. If the auditor
concludes that the accounting principles used cause the financial statements to be materially
misstated, the auditor should express a qualified or adverse opinion.
3412.29 Usually, the auditor is able to be satisfied regarding the reasonableness of management’s
estimate of the effects of future events by considering various types of audit evidence,
including the historical experience of the entity. If the auditor concludes that management’s
estimate is unreasonable and that its effect is to cause the financial statements to be
materially misstated, the auditor should express a qualified or an adverse opinion.
Going Concern
3412.30 If the auditor concludes that substantial doubt remains regarding the entity’s ability to
continue as a going concern for a reasonable period of time (see section 3345), the audit
report should include an emphasis‐of‐matter paragraph that reflects that conclusion.
Adequate disclosure of the circumstances relating to the conditions surrounding the
substantial doubt should be provided in the financial statements. If such disclosure is not
provided or is considered inadequate by the auditor, either a qualified or adverse opinion
may be issued as a result of the inadequate disclosure.
3412.31 The addition of a going concern emphasis‐of‐matter paragraph does not result in a qualified
opinion.
Emphasis‐of‐Matter Paragraphs
3412.32 The auditor may deem it necessary to draw the users’ attention to a matter or matters
presented or disclosed in the financial statements that are of such importance that they are
fundamental to the users’ understanding of the financial statements. These are called
emphasis‐of‐matter paragraphs.
3412.33 An emphasis‐of‐matter paragraph may be required by GAAS, or may be included at the
auditor’s discretion. An emphasis‐of‐matter paragraph is required when there is substantial
doubt about the entity’s ability to continue as a going concern, when there is a lack of
consistency in the financial statements, and when financial statements are prepared in
accordance with a special‐purpose framework. Examples of matters that the auditor may
emphasize at his or her discretion include uncertainty related to the future outcome of
important litigation, impact of a major catastrophe, significant related party transactions, or
an unusually important subsequent event.
3412.34 When adding an emphasis‐of‐matter paragraph, the auditor should include it immediately
after the auditor’s opinion, using the heading “Emphasis of Matter.” The paragraph should
include a clear reference to the matter being emphasized and to where relevant disclosures
that fully describe the matter can be found in the financial statements. The paragraph
should indicate that the auditor’s opinion is not modified with respect to the matter
emphasized.
Other‐Matter Paragraphs
3412.35 The auditor may deem it necessary to draw the users’ attention to any matter or matters
other than those presented or disclosed in the financial statements that are relevant to the
users’ understanding of the audit, the auditor’s responsibilities, or the auditor’s report.
These are called other‐matter paragraphs.
3412.36 The paragraph should use the heading “Other Matter” or another appropriate heading. It
should immediately follow the opinion paragraph and any emphasis‐of‐matter paragraph. It
may also be in another area of the report if it is relevant to other reporting responsibilities.
3412.37 Examples of when an other‐matter paragraph may be necessary include reporting on more
than one set of financial statements, responsibilities for supplementary information,
responsibilities for required supplementary information, responsibilities for other
information in documents containing audited financial statements, or compliance in
conjunction with audited financial statements.
Restricting the Use of an Auditor’s Report (AU‐C 905)
3412.38 The term “general use” applies to auditor’s reports that are not restricted to specified
parties. The term “restricted use” applies to auditor’s reports intended only for specified
parties.
3412.39 An auditor should restrict the use of a report in the following circumstances:
a. The subject matter of the auditor’s report or the presentation being reported on is
based on measurement or disclosure criteria contained in contractual agreements or
regulatory provisions that are not in conformity with generally accepted accounting
principles (GAAP) or another comprehensive basis of accounting (special‐purpose
framework).
b. The auditor’s report is issued as a byproduct of a financial statement audit and is based
on the results of procedures designed to enable the auditor to express an opinion on
the financial statements taken as a whole, not to provide assurance on the specific
subject matter of the report.
3412.40 From time to time, an auditor is required to issue “byproduct” reports based on matters that
arise during an audit engagement. These reports result from Communicating Internal Control
Related Matters Identified in an Audit (AU‐C 265) and The Auditor’s Communication With
Those Charged With Governance (AU‐C 260), to name a couple of instances. Reports that
result from such circumstances are based on the results of procedures designed to enable an
auditor to express an opinion on the financial statements taken as a whole, not to provide
assurance on the specific subject matter of the report.
3412.41 Because the issuance of the byproduct report is not the primary objective of the
engagement, an audit generally includes only limited procedures directed toward the
subject matter of the byproduct report.
3412.42 Accordingly, because of the potential for misunderstanding or misinterpretation of the
limited degree of assurance associated with a byproduct report, the use of such reports
should be restricted.
3412.43 Auditors should inform their clients that restricted‐use reports should not be distributed to
nonspecified parties. However, an auditor is not responsible for controlling a client’s
distribution of restricted‐use reports.
3412.44 An auditor’s report that is restricted as to use should contain a separate paragraph at the
end of the report that includes the following elements:
a. A statement that the report is intended solely for the information and use of the
specified parties
b. An identification of the specified parties to whom use is restricted
c. A statement that the report is not intended to be and should not be used by anyone
other than the specified parties
Dating the Report (AU‐C 700.41)
3412.45 The auditor’s report should not be dated earlier than the date on which the auditor has
obtained sufficient appropriate audit evidence to support the opinion. Among other things,
sufficient appropriate audit evidence includes evidence that the audit documentation has
been reviewed and that the entity’s financial statements, including disclosures, have been
prepared and that management has asserted that they have taken responsibility for them.
3412.46 The auditor is primarily responsible for subsequent events up to this date.
3412.47 The auditor has no responsibility to make any inquiry or carry out any auditing procedure for
the period after the date of the auditor’s report, except in SEC filings.
3412.48 The auditor has two methods available for dating the report when a subsequent event
disclosed in the financial statements occurs after the original date of the auditor’s report but
before issuance of the related financial statements. The auditor may use “dual dating” (e.g.,
February 16, 20__, except for Note __, as to which the date is March 1, 20__) or may date
the report as of the later date. In the former instance, the auditor’s responsibility for events
occurring subsequent to the original report date is limited to the specific event referred to in
the note. In the latter instance, the auditor’s responsibility for subsequent events extends to
the date of the report.
3412.49 The auditor should use headings throughout the auditor’s report to clearly distinguish each
section of the report.
Form and Content of Audit Reports in Audits of Issuers
3412.50 The auditor’s report in the audit of the financial statement of an issuer must reference that it
was conducted in accordance with Public Company Accounting Oversight Board (PCAOB)
standards.
3412.51 The following is an example of a standard report for an audit of an issuer per PCAOB AS
3101, The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses
an Unqualified Opinion. The “Critical Audit Matters” paragraph and related content is
testable July 1, 2019; all other content is testable July 1, 2018.
To the shareholders and the board of directors of X Company
Opinion on the Financial Statements
We have audited the accompanying balance sheets of X Company (the "Company") as of
December 31, 20X2 and 20X1, the related statements of [titles of the financial
statements, e.g., income, comprehensive income, stockholders' equity, and cash flows],
for each of the three years in the period ended December 31, 20X2, and the related notes
[and schedules] (collectively referred to as the "financial statements"). In our opinion, the
financial statements present fairly, in all material respects, the financial position of the
Company as of [at] December 31, 20X2 and 20X1, and the results of its operations and its
cash flows for each of the three years in the period ended December 31, 20X2, in
conformity with [the applicable financial reporting framework].
Basis for Opinion
These financial statements are the responsibility of the Company's management. Our
responsibility is to express an opinion on the Company's financial statements based on
our audits. We are a public accounting firm registered with the Public Company
Accounting Oversight Board (United States) ("PCAOB") and are required to be
independent with respect to the Company in accordance with the U.S. federal securities
laws and the applicable rules and regulations of the Securities and Exchange Commission
and the PCAOB.
We conducted our audits in accordance with the standards of the PCAOB. Those
standards require that we plan and perform the audit to obtain reasonable assurance
about whether the financial statements are free of material misstatement, whether due
to error or fraud. Our audits included performing procedures to assess the risks of
material misstatement of the financial statements, whether due to error or fraud, and
performing procedures that respond to those risks. Such procedures included examining,
on a test basis, evidence regarding the amounts and disclosures in the financial
statements. Our audits also included evaluating the accounting principles used and
significant estimates made by management, as well as evaluating the overall
presentation of the financial statements. We believe that our audits provide a reasonable
basis for our opinion.
Critical Audit Matters [if applicable]
The critical audit matters communicated below are matters arising from the current‐
period audit of the financial statements that were communicated or required to be
communicated to the audit committee and that (1) relate to accounts or disclosures that
are material to the financial statements and (2) involved our especially challenging,
subjective, or complex judgments. The communication of critical audit matters does not
alter in any way our opinion on the financial statements, taken as a whole, and we are
not, by communicating the critical audit matters below, providing separate opinions on
the critical audit matters or on the accounts or disclosures to which they relate.
[Include critical audit matters]
[Signature]
We have served as the Company's auditor since [year].
[City and State or Country]
[Date]
3412.52 Form of the auditor's report: PCAOB AS 3101.08-.09 requires that the “Opinion on the
Financial Statements” section be the first section, immediately followed by the “Basis for
Opinion” section. In general, the order of the remaining sections of the auditor's report is
not specified. In addition, section titles have been added to the auditor's report to guide the
reader.
3412.53 Addressee: PCAOB AS 3101.07 requires the auditor's report to be addressed to the
shareholders and the board of directors, or equivalents for companies not organized as
corporations. For example, the auditor's report could be addressed to, in addition to other
addressees:
a. the plan administrator and plan participants for benefit plans;
b. the directors (or equivalent) and equity owners for brokers or dealers; or
c. the trustees and unit holders or other investors for investment companies organized as
trusts.
3412.54 Auditor independence: PCAOB AS 3101.09 requires a statement in the “Basis for Opinion”
section that the auditor is a public accounting firm registered with the PCAOB (United States)
and is required to be independent with respect to the company in accordance with the U.S.
federal securities laws and the applicable rules and regulations of the SEC and the PCAOB.
3412.55 Auditor tenure: PCAOB AS 3101.10 requires a statement in the auditor's report containing
the year the auditor began serving consecutively as the company's auditor. The disclosure of
tenure should reflect the entire relationship between the company and the auditor,
including the tenure of predecessor accounting firms and engagement by predecessors of
the company under audit. In determining the year the auditor began serving consecutively
as the company's auditor, the auditor would look to the year when the firm signs an initial
engagement letter to audit a company's financial statements or when the firm begins
performing audit procedures, whichever is earlier. For example, if the auditor signs the
engagement letter in December 20X8 to audit a company's financial statements for the years
ended December 31, 20X6, 20X7, and 20X8, the auditor would state 20X8 as the year the
auditor began serving consecutively as the company's auditor.
3412.56 Management reports on internal control over financial reporting (ICFR): In some
circumstances, management is required to report on the company's internal control over
financial reporting (ICFR) but such report is not required to be audited and the auditor is not
engaged to perform an audit of management's assessment of the effectiveness of ICFR. In
such cases, under PCAOB AS 3105.59, the auditor is required to include explanatory
language to that effect in the “Basis for Opinion” section. Alternatively, if the auditor issues
separate reports on ICFR and the financial statements, under PCAOB AS 2201.88 the
required paragraph referencing the separate report should appear in the “Opinion on the
Financial Statements” section, immediately following the opinion paragraph. If an auditor is
issuing an integrated report, then the reporting requirements of PCAOB AS 2201, An Audit of
Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial
Statements, should be followed.
3412.57 Explanatory paragraphs: Various standards of the PCAOB require that, in certain
circumstances, the auditor include explanatory language (or an explanatory paragraph) in
the auditor's report, while not affecting the auditor's opinion on the financial statements.
These standards specify the location of required explanatory paragraphs within the auditor's
report and may also have a requirement for an appropriate section title. These
circumstances include when:
a. there is substantial doubt about the company's ability to continue as a going concern;
b. the auditor decides to refer to the report of other auditors as the basis, in part, for the
auditor's own report;
c. there has been a change between periods in accounting principles or in the method of
their application that has a material effect on the financial statements;
d. there has been a change in a reporting entity, unless the change in the reporting entity
results from a transaction or event, such as the creation, cessation, or complete or
partial purchase or disposition of a subsidiary or other business unit;
e. a material misstatement in previously issued financial statements has been corrected;
f. the auditor performs an integrated audit and issues separate reports on the company's
financial statements and internal control over financial reporting;
g. management is required to report on the company's internal controls over financial
reporting but such report is not required to be audited, and the auditor has not been
engaged to perform an audit of management's assessment of the effectiveness of the
company's internal control over financial reporting;
h. certain circumstances relating to reports on comparative financial statements exist;
i. selected quarterly financial data required by Item 302(a) of Regulation S‐K is not
appropriately presented, has been omitted, or has not been reviewed;
j. supplementary information required by the applicable financial reporting framework
has been omitted, the presentation of such information departs materially from the
requirements of the applicable financial reporting framework, the auditor is unable to
complete prescribed procedures with respect to such information, or the auditor is
unable to remove substantial doubts about whether the supplementary information
conforms to the requirements of the applicable financial reporting framework;
k. there has been a change in an investee year‐end that has a material effect on the
company's financial statements; and
l. other information in a document containing audited financial statements is materially
inconsistent with information appearing in the financial statements.
3412.58 Emphasis paragraphs: The auditor may add a paragraph to the auditor's report to emphasize
a matter regarding the financial statements ("emphasis paragraph"). Emphasis paragraphs
are not required, but may be used by auditors to draw the reader's attention to matters such
as significant transactions with related parties and unusually important subsequent events.
If the auditor adds an emphasis paragraph in the auditor's report, the auditor should use an
appropriate section title.
3412.59 Information about certain audit participants: The auditor may include in the auditor's
report information regarding the engagement partner and/or other accounting firms
participating in the audit that is required to be reported on PCAOB Form AP, Auditor
Reporting of Certain Audit Participants. If the auditor decides to provide information about
certain audit participants in the auditor’s report, the auditor should use an appropriate
section title.
3412.60 Critical audit matters (CAMs): Requirements related to CAMs are testable on the CPA exam
July 1, 2019. When the relevant requirements take effect, auditors of certain issuers will be
required to include in the auditor's report a communication regarding CAMs. The
communication of CAMs is not required for audits of emerging growth companies; brokers
and dealers; investment companies other than business development companies; and
employee stock purchase, savings, and similar plans.
CAMs are defined as matters arising from the audit of the financial statements that have
been communicated (or were required to be communicated) to the audit committee and
that (1) relate to accounts or disclosures that are material to the financial statements and (2)
involved especially challenging, subjective, or complex auditor judgment.
3412.61 Identifying a CAM will require the auditor to consider their risk assessment, areas that
involved the use of significant judgment or estimation by management, any significant
unusual transactions, and the nature and extent of audit evidence and effort required to
address the CAM.
3412.62 The auditor’s report must (1) identify the CAM, (2) describe the principal considerations that
led the auditor to determine the matter is a CAM, (3) describe how it was addressed in the
audit, and (4) make reference to the relevant financial statement accounts and disclosures. If
the auditor determines there are no CAMs, the auditor must state so in the auditor’s report.
3413 Audit of Internal Control Integrated with an Audit of Financial
Statements
Applicability
3413.01 The standard for reporting on internal control (PCAOB AS 2201, An Audit of Internal Control
Over Financial Reporting That is Integrated with an Audit of Financial Statements)
establishes requirements and provides guidance when a practitioner is engaged to perform
an audit of the design and operating effectiveness of an entity’s internal control over
financial reporting that is integrated with an audit of financial statements of issuers. SAS
130, An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of
Financial Statements, provides similar guidance for integrated audits of nonissuers.
3413.02 An entity’s internal control over financial reporting includes those policies and procedures
that:
a. pertain to the maintenance of records that, in reasonable detail, accurately and fairly
reflect the transactions and dispositions of the assets of the entity;
b. provide reasonable assurance that transactions are recorded as necessary to permit
preparation of financial statements in accordance with the applicable financial reporting
framework, and that receipts and expenditures of the entity are being made only in
accordance with authorizations of management and those charged with governance;
and
c. provide reasonable assurance regarding prevention, or timely detection and correction
of unauthorized acquisition, use, or disposition of the entity’s assets that could have a
material effect on the financial statements.
Conditions for Engagement Performance
3413.03 An auditor may perform an audit of internal control only if the following conditions are met:
a. Management accepts responsibility for the effectiveness of the entity’s internal control
over financial reporting.
b. Management evaluates the effectiveness of the entity’s internal control using suitable
and available criteria.
c. Management supports its assessment of the effectiveness of the entity’s internal
control with sufficient appropriate evidence.
d. Management provides its assessment of the effectiveness of the entity’s internal control
in a report that accompanies the auditor’s report.
e. Management determines that the “as of” date corresponds to the balance sheet date
(or period ending date) of the period covered by the financial statements.
3413.04 Management’s refusal to furnish a written assessment of the effectiveness of the entity’s
internal control over financial reporting as part of an audit engagement should cause the
auditor to withdraw from the engagement, or disclaim an opinion and consider the impact
on the financial statement audit if not able to withdraw.
3413.05 The auditor may be requested to perform certain nonattest services related to the entity’s
internal control in addition to the audit of internal control. The auditor should determine
whether to perform such nonattest services after considering relevant ethical requirements.
3413.06 An auditor should not accept an engagement to review an entity’s internal control or a
written assessment thereon.
3413.07 The auditor’s objective in an audit of internal control is to form an opinion on the
effectiveness of the entity’s internal control. Because a company's internal control cannot be
considered effective if one or more material weaknesses exist, the auditor must plan and
perform the audit to obtain appropriate evidence that is sufficient to obtain reasonable
assurance about whether material weaknesses exist as of the date specified in
management's assessment to form a basis for expressing an opinion. A material weakness in
internal control over financial reporting may exist even when financial statements are not
materially misstated.
3413.08 The auditor’s opinion relates to the effectiveness of the entity’s internal control taken as a
whole and not to the effectiveness of each individual component of the entity’s internal
control. The auditor should use the same suitable, recognized control framework to perform
his or her audit of internal control over financial reporting as management uses for its
annual evaluation of the effectiveness of the company's internal control over financial
reporting. Just as in a financial statement audit, there is a direct relationship between risk of
material weakness and the level of evidence needed to satisfy detection risk. Only controls
that present a risk of material misstatement to the financial statements are necessary to test
in an integrated audit.
3413.09 The audit of internal control should be integrated with an audit of the financial statements.
Although the objectives of the engagements are not the same, the auditor should plan and
perform the integrated audit to achieve the objectives of both engagements simultaneously.
The objectives of an integrated audit should include obtaining sufficient evidence to support
the audit opinion on internal control over financial reporting, but also to support the
auditor’s control risk assessments for the purpose of the audit of the financial statements.
3413.10 Performing an audit of internal control involves the following:
a. Planning the engagement
b. Obtaining an understanding of internal control
c. Evaluating the design effectiveness of the controls
d. Testing and evaluating the operating effectiveness of the controls
e. Forming an opinion on the effectiveness of the entity’s internal control
3413.11 In planning an audit of internal control, the auditor should consider the following factors:
a. Knowledge of the entity’s internal control obtained during other professional
engagements
b. Matters affecting the industry in which the entity operates, such as financial reporting
practices, economic considerations, laws and regulations, and technology changes
c. Matters relating to the entity’s business, including its organization, operating
characteristics and capital structure
d. The extent of recent changes, if any, in the entity, its operations, or its internal control
e. Preliminary judgments about materiality, risk, and other factors relating to the
determination of material weaknesses
f. Deficiencies previously communicated to those charged with governance or
management
g. Legal or regulatory matters of which the entity is aware
h. The type and extent of available evidence related to the effectiveness of the entity’s
internal control
i. Preliminary judgments about the effectiveness of internal control
j. Public information about the entity relevant to the evaluation of the likelihood of
material misstatements and the effectiveness of the entity’s internal control
k. Knowledge about risks related to the entity evaluated as part of the auditor’s client
acceptance and retention evaluations
l. The relative complexity of the entity’s operations
3413.12 Risk assessment underlies the entire audit process. When performing an audit of internal
control that is integrated with an audit of financial statements, the same risk assessment
process supports both engagements. For instance, the auditor should incorporate the results
of fraud risk assessment performed in the financial statement audit when identifying and
testing entity‐level controls and selecting other controls for testing.
3413.13 The auditor should obtain written representations from management. Such representations
should include the following related to internal control over financial reporting:
a. Acknowledgment of management’s responsibility for establishing and maintaining
effective internal control
b. A statement that management has performed an evaluation of the effectiveness of the
entity’s internal control and specifying the control criteria
c. A statement that management did not use the auditor’s procedures performed during
the integrated audit as part of the basis for their assertions
d. Management’s assertion about the effectiveness of the entity’s internal control based
on the control criteria as of a specified date
e. A statement that management has disclosed to the auditor all deficiencies in the design
or operation of internal control, including separate disclosures regarding which
deficiencies management believes to be significant deficiencies or material weaknesses
in internal control
f. A description of any material fraud and any other fraud that, although not material,
involve management or other employees who have a significant role in the entity’s
internal control
g. A statement indicating whether any significant deficiencies and material weaknesses
identified and communicated to management and those charged with governance
during previous engagements have been resolved and specifically identifying any that
have not
h. A statement indicating whether there were, subsequent to the date being reported on,
any changes in internal control or other factors that might significantly affect internal
control, including any corrective actions taken by management with regard to significant
deficiencies and material weaknesses
3413.14 The auditor must audit and report directly on the effectiveness of an entity’s internal control
over financial reporting. There is not an option to report on management’s written assertion
about the effectiveness of internal control over financial reporting. However, there is an
option to combine the audit report on internal control with the financial statement audit
report. These reports may be either issued separate or combined.
3413.15 The auditor’s report on the audit of internal control of an issuer should include the
following:
a. The auditor's report must include the title "Report of Independent Registered Public
Accounting Firm."
b. The auditor's report must be addressed to the shareholders and the board of directors,
or equivalents for companies not organized as corporations. The auditor's report may
include additional addressees.
c. The first section of the auditor's report on the audit of internal control over financial
reporting must include the section title "Opinion on Internal Control Over Financial
Reporting" and the following elements:
(1) The name of the company whose internal control over financial reporting was
audited
(2) The auditor's opinion on whether the company maintained, in all material respects,
effective internal control over financial reporting as of the specified date, based on
the control criteria
d. The second section of the auditor's report on the audit of internal control over financial
reporting must include the section title "Basis for Opinion" and the following elements:
(1) A statement that management is responsible for maintaining effective internal
control and for evaluating the effectiveness of internal control over financial
reporting
(2) An identification of management's report on internal control
(3) A statement that the auditor’s responsibility is to express an opinion on the entity’s
internal control (or on management’s assertion) based on the audit
(4) A statement that the auditor is a public accounting firm registered with the Public
Company Accounting Oversight Board (United States) ("PCAOB") and is required to
be independent with respect to the company in accordance with the U.S. federal
securities laws and the applicable rules and regulations of the Securities and
Exchange Commission (SEC) and the PCAOB
(5) A statement that the audit was conducted in accordance with the standards of the
PCAOB
(6) A statement that such standards require that the auditor plan and perform the
audit to obtain reasonable assurance about whether effective internal control was
maintained in all material respects
(7) A statement that an audit included obtaining an understanding of internal control,
assessing the risk that a material weakness exists, testing and evaluating the design
and operating effectiveness of internal control based on the assessed risk, and
performing such other procedures as the auditor considered necessary in the
circumstances
(8) A statement that the auditor believes the audit provides a reasonable basis for the
opinion
e. The third section of the auditor's report on the audit of internal control over financial
reporting must include the section title "Definition and Limitations of Internal Control
Over Financial Reporting" and the following elements:
(1) A definition of internal control (The auditor should use the same definition of the
entity’s internal control as management uses in its report.)
(2) A paragraph stating that, because of inherent limitations, internal control may not
prevent, or detect and correct, misstatements and that projections of any
evaluation of effectiveness to future periods are subject to the risk that controls
may become inadequate because of changes in conditions, or that the degree of
compliance with the policies or procedures may deteriorate
f. The auditor's report must include the following elements related to signature, location,
and date:
(1) The signature of the practitioner’s firm
(2) The city and state (or city and country, in the case of non‐U.S. auditors) from which
the auditor's report has been issued
(3) The date of the report
3413.16 The following is an example of a standard report for combined reporting of an integrated
audit of financial statements and audit of internal control over financial reporting. The
elements in bold are the elements required for the audit of internal controls as a separate
report.
Report of Independent Registered Public Accounting Firm
To the shareholders and the board of directors of W Company
Opinions on the Financial Statements and Internal Control Over Financial Reporting
We have audited the accompanying balance sheets of W Company (the "Company") as of
December 31, 20X8 and 20X7, and the related statements of [titles of the financial
statements, e.g., income, comprehensive income, stockholders' equity, and cash flows] for
each of the years in the three‐year period ended December 31, 20X8, and the related
notes [and schedules] (collectively referred to as the "financial statements"). We also
have audited the Company's internal control over financial reporting as of December 31,
20X8, based on [Identify control criteria, for example, "criteria established in Internal
Control—Integrated Framework: (20XX) issued by the Committee of Sponsoring
Organizations of the Treadway Commission (COSO)."].
In our opinion, the financial statements referred to above present fairly, in all material
respects, the financial position of the Company as of December 31, 20X8 and 20X7, and
the results of its operations and its cash flows for each of the years in the three‐year
period ended December 31, 20X8, in conformity with accounting principles generally
accepted in the United States of America. Also in our opinion, the Company maintained,
in all material respects, effective internal control over financial reporting as of
December 31, 20X8, based on [Identify control criteria, for example, "criteria established
in Internal Control—Integrated Framework: (20XX) issued by (COSO)."].
Basis for Opinion:
The Company's management is responsible for these financial statements, for
maintaining effective internal control over financial reporting, and for its assessment of
the effectiveness of internal control over financial reporting, included in the
accompanying [title of management's report]. Our responsibility is to express an opinion
on the Company's financial statements and an opinion on the Company's internal control
over financial reporting based on our audits. We are a public accounting firm registered
with the Public Company Accounting Oversight Board (United States) ("PCAOB") and are
required to be independent with respect to the Company in accordance with the U.S.
federal securities laws and the applicable rules and regulations of the Securities and
Exchange Commission and the PCAOB.
We conducted our audits in accordance with the standards of the PCAOB. Those
standards require that we plan and perform the audits to obtain reasonable assurance
about whether the financial statements are free of material misstatement, whether due
to error or fraud, and whether effective internal control over financial reporting was
maintained in all material respects.
Our audits of the financial statements included performing procedures to assess the risks
of material misstatement of the financial statements, whether due to error or fraud, and
performing procedures that respond to those risks. Such procedures included examining,
on a test basis, evidence regarding the amounts and disclosures in the financial
statements. Our audits also included evaluating the accounting principles used and
significant estimates made by management, as well as evaluating the overall presentation
of the financial statements. Our audit of internal control over financial reporting
included obtaining an understanding of internal control over financial reporting,
assessing the risk that a material weakness exists, and testing and evaluating the design
and operating effectiveness of internal control based on the assessed risk. Our audits
also included performing such other procedures as we considered necessary in the
circumstances. We believe that our audits provide a reasonable basis for our opinions.
Definition and Limitations of Internal Control Over Financial Reporting:
A company's internal control over financial reporting is a process designed to provide
reasonable assurance regarding the reliability of financial reporting and the preparation
of financial statements for external purposes in accordance with generally accepted
accounting principles. A company's internal control over financial reporting includes
those policies and procedures that (1) pertain to the maintenance of records that, in
reasonable detail, accurately and fairly reflect the transactions and dispositions of the
assets of the company; (2) provide reasonable assurance that transactions are recorded
as necessary to permit preparation of financial statements in accordance with generally
accepted accounting principles, and that receipts and expenditures of the company are
being made only in accordance with authorizations of management and directors of the
company; and (3) provide reasonable assurance regarding prevention or timely
detection of unauthorized acquisition, use, or disposition of the company's assets that
could have a material effect on the financial statements.
Because of its inherent limitations, internal control over financial reporting may not
prevent or detect misstatements. Also, projections of any evaluation of effectiveness to
future periods are subject to the risk that controls may become inadequate because of
changes in conditions, or that the degree of compliance with the policies or procedures
may deteriorate.
Critical Audit Matters [if applicable]:
[Include critical audit matters or a statement that no critical audit matters were noted]
[Signature]
We have served as the Company's auditor since [year].
[City and State or Country]
[Date]
3413.17 If the auditor chooses to issue a separate report on internal control over financial reporting,
he or she should add the following paragraph (immediately following the opinion paragraph)
to the auditor's report on the financial statements:
We also have audited, in accordance with the standards of the Public Company
Accounting Oversight Board (United States) ("PCAOB"), the Company's internal control
over financial reporting as of December 31, 20X8, based on [identify control criteria] and
our report dated [date of report, which should be the same as the date of the report on
the financial statements] expressed [include nature of opinion].
The auditor also should add the following paragraph (immediately following the opinion
paragraph) to the report on internal control over financial reporting:
We also have audited, in accordance with the standards of the Public Company
Accounting Oversight Board (United States) ("PCAOB"), the [identify financial statements]
of the Company and our report dated [date of report, which should be the same as the
date of the report on the effectiveness of internal control over financial reporting]
expressed [include nature of opinion].
SAS 130 Codified Under AU‐C 940
3413.18 The Auditing Standards Board (ASB) determined that the content of AT 501, An Examination
of an Entity’s Internal Control Over Financial Reporting That Is Integrated with an Audit of Its
Financial Statements, should be moved from the attestation standards into generally
accepted auditing standards (GAAS) for nonissuers. Accordingly, SAS 130, An Audit of
Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial
Statements, replaces AT 501 and adheres closely to PCAOB AS 2201. An examination of
internal controls that is not integrated with a financial statement audit is still performed in
accordance with the attestation standards.
3413.19 SAS 130 includes the following changes as a result of the transition of the guidance related
to integrated audits of nonissuers to all be included within generally accepted auditing
standards:
a. The auditor will be required to audit and report directly on the effectiveness of internal
control over financial reporting; there is no longer an option to examine and report on
management’s assertion about the effectiveness of internal control over financial
reporting.
b. The term significant account or disclosure used in AT 501 has been changed to
significant class of transactions, account balance, or disclosure to align with terminology
used in existing GAAS. This change also helps to clarify the risk factors the auditor is
required to evaluate in the identification of significant classes of transactions, account
balances, and disclosures and their relevant assertions are the same in the audit of
internal control over financial reporting as in the audit of the financial statements.
c. SAS 130 permits the auditor to use the work of internal auditors and others in obtaining
evidence about the effectiveness of internal control over financial reporting. The auditor
planning to use the work of others in the audit of internal control over financial
reporting is required to adapt and apply, as necessary, the requirements of AU‐C 610,
including the need for others to apply a systematic and disciplined approach.
3413.20 Generally accepted auditing standards (GAAS) are written in the context of an audit of
financial statements but are to be adapted as necessary in the circumstances when applied
to an audit of internal control over financial reporting (ICFR) that is integrated with an audit
of financial statements. The concept of risk assessment applies to both audit objectives, with
the goal of obtaining reasonable assurance to support the auditor’s opinion. The objectives
of the auditor in an audit of ICFR are to (a) obtain reasonable assurance about whether
material weaknesses exist as of the date specified in management’s assessment about the
effectiveness of ICFR (as of date) and (b) express an opinion on the effectiveness of ICFR in a
written report, and communicate with management and those charged with governance as
required, based on the auditor’s findings.
3413.21 The auditor should focus more attention on areas of higher risk. A direct relationship exists
between the degree of risk that a material weakness could exist in a particular area of the
entity’s ICFR and the amount of attention that would be devoted to that area. In addition, an
entity’s ICFR is less likely to prevent, or detect and correct, a misstatement caused by fraud
than a misstatement caused by error. It is not necessary to test controls that, even if
deficient, would not present a reasonable possibility of material misstatement to the
financial statements.
3413.22 The auditor should evaluate the severity of each deficiency in ICFR to determine whether the
deficiency, individually or in combination, is a significant deficiency. In performing such
evaluation, the auditor should determine whether deficiencies that affect the same
significant class of transactions, account balance, or disclosure; relevant assertion; or
component of ICFR collectively result in a significant deficiency. The auditor should
communicate in writing to management and those charged with governance significant
deficiencies and material weaknesses identified during the integrated audit, including those
that were remediated during the integrated audit and those that were previously
communicated but have not yet been remediated.
3413.23 The auditor should modify the report on ICFR if any of the following conditions exist:
a. One or more material weaknesses exist. Elements of management’s report are
incomplete or improperly presented.
b. There is a limitation on the scope of the engagement.
c. The auditor decides to refer to the report of a component auditor as the basis, in part,
for the auditor’s own opinion.
d. There is other information contained in management’s report.
3413.24 If there are deficiencies that, individually or in combination, result in one or more material
weaknesses as of the date specified in management’s assessment about ICFR, the auditor
should express an adverse opinion on the entity’s ICFR, unless there is a limitation on the
scope of the engagement that may result in a disclaimer of opinion.
3413.25 The auditor’s report on the audit of internal control over financial reporting (ICFR) of a
nonissuer should include the following elements:
a. A title that includes the word independent to clearly indicate that it is the report of an
independent auditor
b. An addressee as required by the circumstances of the engagement
c. An introductory paragraph that includes the following:
(1) Identification of the entity whose ICFR has been audited
(2) A statement that the entity's ICFR has been audited
(3) Identification of the “as of” date
(4) Identification of the criteria against which ICFR is measured
d. A section with the heading "Management's Responsibility for Internal Control Over
Financial Reporting" that includes the following:
(1) A statement that management is responsible for designing, implementing, and
maintaining effective ICFR
(2) A statement that management is responsible for its assessment about the
effectiveness of ICFR
(3) A reference to management's report on ICFR
e. A section with the heading "Auditor's Responsibility" that includes the following:
(1) A statement that the auditor's responsibility is to express an opinion on the entity's
ICFR based on the audit
(2) A statement that the audit was conducted in accordance with auditing standards
generally accepted in the United States of America
(3) A statement that such standards require that the auditor plan and perform the
audit to obtain reasonable assurance about whether effective ICFR was maintained
in all material respects
(4) A description of the audit by stating that:
(a) an audit of ICFR involves performing procedures to obtain audit evidence about
whether a material weakness exists
(b) the procedures selected depend on the auditor's judgment, including the
assessment of the risks that a material weakness exists
(c) an audit includes obtaining an understanding of ICFR and testing and evaluating
the design and operating effectiveness of ICFR based on the assessed risk
(5) A statement about whether the auditor believes that the audit evidence the auditor
has obtained is sufficient and appropriate to provide a basis for the audit opinion
f. A section with the heading "Definition and Inherent Limitations of Internal Control Over
Financial Reporting" or other appropriate heading that includes the following:
(1) A definition of ICFR (the auditor should use the same description of the entity's ICFR
as management uses in its report)
(2) A paragraph stating that because of inherent limitations, ICFR may not prevent, or
detect and correct, misstatements and that projections of any assessment of
effectiveness to future periods are subject to the risk that controls may become
inadequate because of changes in conditions, or that the degree of compliance with
the policies or procedures may deteriorate
g. A section with the heading "Opinion" that includes the auditor's opinion on whether the
entity maintained, in all material respects, effective ICFR as of the specified date, based
on the criteria
h. The manual or printed signature of the auditor's firm
i. The city and state where the auditor practices
j. The date of the auditor's report
3413.26 If the auditor issues a separate report on ICFR, the auditor should add the following
paragraph, in an other‐matter paragraph with an appropriate heading, to the auditor's
report on the financial statements:
We also have audited, in accordance with auditing standards generally accepted in the
United States of America, [entity name]'s internal control over financial reporting as of
December 31, 20X8, based on [identify criteria] and our report dated [date of report,
which should be the same as the date of the report on the financial statements] expressed
[include nature of opinion].
The auditor also should add the following other‐matter paragraph to the report on ICFR:
We also have audited, in accordance with auditing standards generally accepted in the
United States of America, the [identify financial statements] of [entity name] and our
report dated [date of report, which should be the same as the date of the report on ICFR]
expressed [include nature of opinion].
3420 Reports on Attestation Engagements
3421 General Standards for Attestation Reports
3421.01 Statements on Standards for Attestation Engagements (SSAEs) engagements include
examinations, reviews, and agreed‐upon procedures on subject matter or an assertion that
is the responsibility of another party. An examination results in an opinion, a review results
in a conclusion, and agreed‐upon procedures result in findings.
3421.02 In an examination engagement, the CPA obtains reasonable assurance, which is a high, but
not absolute, level of assurance, about the measurement or evaluation of subject matter
against criteria. The objective is to obtain sufficient appropriate evidence in order to express
an opinion about whether the subject matter is in conformity with the criteria, or whether
the assertion is fairly stated. The practitioner should request from the responsible party a
written assertion about the measurement or evaluation of the subject matter against the
criteria.
3421.03 In a review engagement, the objective is to obtain sufficient appropriate review evidence by
performing limited procedures in order to express a conclusion about whether any material
modification should be made to the subject matter in order for it to be in conformity with
the criteria, or the assertion, in order for it to be fairly stated. Procedures are generally
limited to inquiry and analytical procedures.
3421.04 In an agreed‐upon procedures engagement, the objective is to perform specific procedures
on subject matter or an assertion and report the findings without providing an opinion or
conclusion. A specified party (or parties) agree upon and are responsible for the sufficiency
of the procedures for their purposes.
Financial Forecasts and Projections
3421.05 The information in AT‐C 305 applies to the guidance practitioners should use when engaged
to issue examination or agreed‐upon procedures reports on prospective financial
statements. A practitioner should not be named as an outside attest provider if he or she
actively assisted in the preparation of the prospective financial statements without
appropriate independence safeguards.
3421.06 Prospective financial statements refer to either financial forecasts or financial projections,
including the summaries of significant assumptions and accounting policies.
3421.07 A financial forecast is a prospective financial statement that presents, to the best of the
responsible party’s knowledge and belief, an entity’s expected financial position, results of
operations, and cash flows. A financial forecast is based on the responsible party’s
assumptions reflecting the conditions it expects to exist and the course of action it expects
to take.
3421.08 A financial projection is a prospective financial statement that presents, to the best of the
responsible party’s knowledge and belief, given one or more hypothetical assumptions, an
entity’s expected financial position, results of operations, and cash flows.
3421.09 A hypothetical assumption is an assumption used in a financial projection to present a
condition or course of action that is not necessarily expected to occur but is consistent with
the purpose of the projection.
3421.10 Prospective financial statements are for either general use or limited use.
a. General use of prospective financial statements refers to the use of the statements by
persons with whom the responsible party is not negotiating directly (e.g., in an offering
statement of an entity’s debt or equity securities). Only a financial forecast is
appropriate for general use.
b. Limited use of prospective financial statements refers to the use of prospective financial
statements by the responsible party alone or by the responsible party and third parties
with whom the responsible party is negotiating directly. Either financial forecasts or
financial projections are appropriate for limited use.
3421.11 Because a financial projection is not appropriate for general use, a practitioner should not
consent to the use of his or her name in conjunction with a financial projection that it is
believed will be distributed to those who will not be negotiating directly with the responsible
party (unless the projection is used to supplement a financial forecast).
3421.12 Guidance related to performing a compilation of prospective financial statements has been
moved from the attestation standards (SSAEs) to the Statements on Standards for
Accounting and Review Services (SSARSs).
3421.13 A practitioner should not attest on prospective financial statements that exclude disclosure
of the summary of significant assumptions. A practitioner should not attest on a financial
projection that excludes either (1) an identification of the hypothetical assumptions or (2) a
description of the limitations on the usefulness of the presentation.
3421.14 The following standards apply to an attestation of prospective financial statements and the
resulting report:
a. The attest engagement should be performed by a person or persons having adequate
technical training and proficiency to report on the prospective financial statements.
b. Due professional care should be exercised in the performance of the attest engagement
and the preparation of the report.
c. The work should be adequately planned and assistants, if any, should be properly
supervised.
d. Applicable procedures should be performed as a basis for reporting on prospective
financial statements.
e. The report based on the practitioner’s attestation engagement on prospective financial
statements should conform to the applicable guidance.
3421.15 The practitioner’s standard report on a compilation of prospective financial statements
prepared in accordance with the Statements on Standards for Accounting and Review
Services (SSARSs) should include the following elements:
a. An identification of the prospective financial statements presented by the responsible
party
b. A statement that the practitioner has compiled the prospective financial statements in
accordance with the Statements on Standards for Accounting and Review Services
established by the AICPA
c. A statement that a compilation is limited in scope and does not enable the practitioner
to express an opinion or any other form of assurance on the prospective financial
statements or the assumptions
d. A caveat that the prospective results may not be achieved
e. A statement that the practitioner assumes no responsibility to update the report for
events and circumstances occurring after the date of the report
f. The manual or printed signature of the practitioner or the practitioner’s firm
g. The city and state of the accountant or accountant’s firm
h. The date of the compilation report
3421.16 An examination of prospective financial statements is a professional service that involves the
following:
a. Evaluating the preparation of the prospective financial statements
b. Evaluating the support underlying the assumptions
c. Evaluating the presentation of the prospective financial statements for conformity with
AICPA presentation guidelines
d. Issuing an examination report
3421.17 The practitioner’s standard report on an examination of prospective financial statements
should include the following:
a. A title that includes the word independent
b. An identification of the prospective financial statements presented, including the period
of time to which the prospective financial information relates
c. An indication that the criteria against which the prospective financial information was
measured or evaluated are the guidelines for the presentation of a forecast (or
projection) established by the American Institute of Certified Public Accountants (AICPA)
d. An identification of the responsible party and a statement that the preparation and
presentation of the prospective financial statements in accordance with the guidelines
established by the AICPA are the responsibility of the responsible party
e. A statement that the practitioner’s responsibility is to express an opinion on the
prospective financial statements based on the examination
f. A statement that the examination of the prospective financial statements was
conducted in accordance with attestation standards established by the AICPA
g. A statement that standards require that the practitioner plan and perform the
examination to obtain reasonable assurance about whether the forecast (or projection)
is presented in accordance with the guidelines for the presentation of a forecast (or
projection) established by the AICPA, in all material respects
h. A statement that the practitioner believes that the examination provides a reasonable
basis for an opinion
i. A description of the nature of an examination engagement
j. The practitioner’s opinion that the prospective financial statements are presented in
conformity with AICPA presentation guidelines and whether the underlying assumptions
are suitably supported and provide a reasonable basis for the forecast or a reasonable
basis for the projection given the hypothetical assumptions
k. A caveat that the prospective results may not be achieved
l. A statement that the practitioner assumes no responsibility to update the report for
events and circumstances occurring after the date of the report
m. The manual or printed signature of the practitioner’s firm
n. The city and state of the practitioner’s firm
o. The date of the examination report
3421.18 A practitioner who accepts an engagement to apply agreed‐upon procedures to prospective
financial statements should follow the standards for attest engagements. They should also
consult the guidance presented in AT‐C 215.
3421.19 A practitioner may perform an agreed‐upon procedure attest engagement on prospective
financial statements provided the following conditions are met:
a. The practitioner is independent.
b. The practitioner and the specified parties agree on the procedures performed by the
practitioner.
c. The specified parties take responsibility for the sufficiency of the agreed‐upon
procedures for their purposes.
d. The prospective financial statements include a summary of significant assumptions.
e. The prospective financial statements to which the procedures are to be applied are
subject to reasonably consistent evaluation against criteria that are suitable and
available to the specified parties.
f. Criteria to be used in the determination of findings are agreed on between the
practitioner and the specified parties.
g. The procedures to be applied to the prospective financial statements are expected to
result in reasonably consistent findings using the criteria.
h. Evidential matter related to the prospective financial statements to which the
procedures are applied is expected to exist to provide a reasonable basis for expressing
the findings in the practitioner’s report.
i. Where applicable, the practitioner and the specified users agree on any agreed‐upon
materiality limits for reporting purposes.
j. Use of the report is to be restricted to the specified parties.
Reports on Pro Forma Financial Information
3421.20 The objective of pro forma financial information is to show what the significant effects on
historical financial information might have been had a consummated or proposed
transaction (or event) occurred at an earlier date.
3421.21 Pro forma financial information is commonly used to show the effects of transactions such
as (1) business combinations, (2) changes in capitalization, (3) disposition of a significant
portion of the business, (4) changes in the form of business organization or status as an
autonomous entity, and (5) proposed sale of securities and the application of the proceeds.
3421.22 The objective of pro forma financial information is achieved primarily by applying pro forma
adjustments to historical financial information. Pro forma adjustments should be based on
management’s assumptions and give effect to all significant effects directly attributable to
the transaction (or event).
3421.23 Pro forma financial information should be labeled as such to distinguish it from historical
financial information.
3421.24 The presentation of pro forma information should describe the transaction that is reflected
in the pro forma data, the source of the historical financial information on which it is based,
the significant assumptions used in developing the pro forma adjustments, and any
significant uncertainties about those assumptions. The presentation also should indicate
that the pro forma financial information should be read in conjunction with related historical
financial information and that the pro forma financial information is not necessarily
indicative of the results that would have been attained had the transaction (or event)
actually taken place earlier.
3421.25 The objective of the practitioner’s examination procedures applied to pro forma financial
information is to provide reasonable assurance as to whether:
a. management’s assumptions provide a reasonable basis for presenting the significant
effects directly attributable to the underlying transaction,
b. the related pro forma adjustments are mathematically correct and give appropriate
effect to those assumptions, and
c. the pro forma column reflects the proper application of those adjustments to the
historical financial statements.
3421.26 The objective of the practitioner’s review procedures applied to pro forma financial
information is to provide negative assurance as to whether any information came to the
practitioner’s attention to cause the practitioner to believe that:
a. management’s assumptions do not provide a reasonable basis for presenting the
significant effects directly attributed to the underlying transaction,
b. the related pro forma adjustments do not give appropriate effect to those assumptions,
or
c. the pro forma column does not reflect the proper application of those adjustments to
the historical financial statements.
3421.27 Other than the procedures applied to historical financial statements, the procedures the
practitioner should apply to the assumptions and pro forma adjustments for either an
examination or a review engagement are as follows:
a. Obtain an understanding of the underlying transaction (for example, by reading relevant
contracts and board meeting minutes and by making inquiries of appropriate officials of
the entity)
b. Obtain a level of knowledge of each constituent part of the combined entity in a
business combination that will enable the practitioner to perform the required
procedures
c. Discuss with management their assumptions regarding the effects of the transaction or
event
d. Evaluate whether pro forma adjustments are included for all significant effects directly
attributable to the transaction
e. Obtain sufficient evidence in support of such adjustments
f. Evaluate whether management’s assumptions that underlie the pro forma adjustments
are presented in a sufficiently clear and comprehensive manner
g. Determine that computations of pro forma adjustments are mathematically correct and
that the pro forma column reflects the proper application of those adjustments to the
historical financial statements
h. Obtain written representations from management concerning their:
(1) responsibility for the assumptions used in determining the pro forma adjustments,
(2) assertion that the assumptions provide a reasonable basis for presenting all of the
significant effects directly attributable to the transaction, that the related pro forma
adjustments give appropriate effect to those assumptions, and that the pro forma
column reflects the proper application of those adjustments to the historical
financial statements, and
(3) assertion that the significant effects directly attributable to the transaction are
appropriately disclosed in the pro forma financial information.
i. Read the pro forma financial information and evaluate whether:
(1) the underlying transaction, the pro forma adjustments, the significant assumptions,
and the significant uncertainties, if any, about those assumptions have been
appropriately described; and
(2) the source of the historical information on which the pro forma financial
information is based has been appropriately identified.
3421.28 An accountant is required to comply with AR‐C 60, General Principles for Engagements
Performed in Accordance With Statements on Standards for Accounting and Review Services,
and AR‐C 80, Compilation Engagements, in addition to SSARS 22, Compilation of Pro Forma
Financial Information.
a. The accountant must be independent of the entity in a compilation of pro forma
financial information engagement.
b. The accountant should obtain an understanding of the applicable financial reporting
framework and the significant accounting policies intended to be used in the
preparation of the pro forma financial information, including those of the significant
constituent part of the combined entity, if applicable.
c. The accountant applies accounting and financial reporting expertise to assist
management in the presentation of pro forma financial information and reports that
information in accordance with SSARS 22, without undertaking to obtain or provide any
assurance on the pro forma financial information.
d. The accountant should obtain the agreement of management that it acknowledges and
understands its additional responsibilities for the preparation and fair presentation of
the pro forma financial information in accordance with the applicable financial reporting
framework. Management must also agree to include the following in any document
containing the pro forma financial information:
(1) The financial statements of the entity for the most recent year
(2) Interim‐period historical financial information, if interim‐period pro forma financial
information is presented
(3) In the case of a business combination, the relevant historical financial information
for the significant constituent parts of the combined entity
e. Pro forma financial information must be based on historical financial statements that
have been compiled, reviewed, or audited. Management must include (or make readily
available) those historical financial statements, as well as a summary of significant
assumptions, with any document containing the pro forma financial information.
f. Management must obtain the accountant’s permission before including the compilation
report in any document containing the pro forma financial information which indicates
that a compilation has been performed on such information.
3421.29 A practitioner’s examination report on pro forma financial information should include the
following:
a. A title that includes the word independent
b. Identification of the pro forma financial information, including the point in time or
period of time to which the measurement or evaluation of the pro forma financial
information relates
c. A reference to the pro forma adjustments included in the pro forma financial
information, and a reference to management’s description of the transaction (or event)
to which the pro forma adjustments give effect
d. An identification of the criteria against which the pro forma financial information was
measured or evaluated
e. A reference to the financial statements from which the historical financial information is
derived and a statement that such financial statements were audited (and whether
audited by another auditor, if applicable)
f. Identification of the responsible party and a statement that the responsible party is
responsible for the pro forma information and that the pro forma adjustments are
based on management’s assumptions
g. A statement that the practitioner’s responsibility is to express an opinion on the pro
forma information based on his or her examination
h. A statement that the examination of the pro forma financial information was conducted
in accordance with attestation standards established by the American Institute of
Certified Public Accountants (AICPA)
i. A statement that standards require the practitioner plan and perform the examination
to obtain reasonable assurance about whether, in accordance with (or based on) the
criteria, (a) management’s assumptions provide a reasonable basis for presenting the
significant effects directly attributable to the underlying transaction (or event), and (b)
in all material respects, the related pro forma adjustments give appropriate effect to
those assumptions, and the pro forma amounts reflect the proper application of those
adjustments to the historical financial statement amounts
j. A statement that an examination involves performing procedures to obtain evidence
about management’s assumptions, the related pro forma adjustments, and the pro
forma amounts
k. A statement that the practitioner believes the examination provides a reasonable basis
for his or her opinion
l. A separate paragraph explaining the objective of pro forma financial information and its
limitations
m. The practitioner’s opinion as to whether management’s assumptions provide a
reasonable basis for presenting the significant effects directly attributable to the
transaction, whether the related pro forma adjustments give appropriate effect to those
assumptions, and whether the pro forma column reflects the proper application of
those adjustments to the historical financial statements
n. The manual or printed signature of the practitioner’s firm
o. The city and state of the practitioner’s firm
p. The date of the examination report
3421.30 The practitioner’s review report on pro forma financial information should include the
following:
a. A title that includes the word independent
b. Identification of the pro forma financial information, including the point in time or
period of time to which the measurement or evaluation of the pro forma financial
information relates
c. A reference to the pro forma adjustments included in the pro forma financial
information, and a reference to management’s description of the transaction (or event)
to which the pro forma adjustments give effect
d. An identification of the criteria against which the pro forma financial information was
measured or evaluated
e. A reference to the financial statements from which the historical financial information is
derived and a statement that such financial statements were audited or reviewed
f. If the practitioner issued a review report on the historical financial statements, a
statement that a review report was issued, or a statement that the financial statements
were reviewed by another accountant, if applicable
g. Identification of the responsible party and a statement that the responsible party is
responsible for the pro forma information and that the pro forma adjustments are
based on management’s assumptions
h. A statement that the review of the pro forma financial information was conducted in
accordance with attestation standards established by the American Institute of Certified
Public Accountants (AICPA)
i. A statement that standards require the practitioner plan and perform the review to
obtain limited assurance about whether, in accordance with (or based on) the criteria,
(a) management’s assumptions provide a reasonable basis for presenting the significant
effects directly attributable to the underlying transaction (or event), and (b) in all
material respects, the related pro forma adjustments give appropriate effect to those
assumptions, and the pro forma amounts reflect the proper application of those
adjustments to the historical financial statement amounts
j. A statement that the practitioner’s responsibility is to express a conclusion on the pro
forma financial information based on the practitioner’s review, and that the practitioner
believes that the review provides a reasonable basis for a conclusion
k. A statement that a review is substantially less in scope than an examination, the
objective of which is the expression of an opinion on the pro forma financial information
and, accordingly, the practitioner does not express such an opinion
l. A separate paragraph explaining the objective of pro forma financial information and its
limitations
m. The practitioner’s conclusion as to whether any information came to the practitioner’s
attention to cause him or her to believe that management’s assumptions do not provide
a reasonable basis for presenting the significant effects directly attributable to the
transaction, or that the related pro forma adjustments do not give appropriate effect to
those assumptions, or that the pro forma column does not reflect the proper application
of those adjustments to the historical financial statements
n. The manual or printed signature of the practitioner’s firm
o. The city and state of the practitioner’s firm
p. The date of the examination report
3421.31 In addition to the requirements of AR‐C 80, the practitioner’s compilation report on pro
forma financial information should include the following:
a. A reference to the financial statements from which the historical financial information is
derived and a statement as to whether such financial statements were subjected to an
audit, a review, or a compilation engagement
b. A reference to any modification of the audit, review, or compilation report on the
historical financial information
c. A description of the nature and limitations of pro forma financial information
3422 Agreed‐Upon Procedures Reports
3422.01 An agreed‐upon procedures engagement is one in which a practitioner is engaged to issue a
report of findings based on specific procedures performed on subject matter. The client
engages the practitioner to assist specified parties in evaluating subject matter or an
assertion as a result of a need or needs of the specified parties.
3422.02 The specified parties and the practitioner agree upon the procedures to be performed by the
practitioner that the specified parties believe are appropriate.
3422.03 Because the needs of the specified parties may vary widely, the nature, timing, and extent of
the agreed‐upon procedures may vary as well; consequently, the specified parties assume
responsibility for the sufficiency of the procedures since they best understand their own
needs.
3422.04 The practitioner does not perform an examination or a review and does not provide an
opinion or negative assurance. Instead, the practitioner’s report on agreed‐upon procedures
should be in the form of procedures and findings.
3422.05 The practitioner may perform an agreed‐upon procedures engagement provided that:
a. the practitioner is independent.
b. one of the following conditions is met:
(1) The party wishing to engage the practitioner is responsible for the subject matter,
or has a reasonable basis for providing a written assertion about the subject matter
when the nature of the subject matter is such that a responsible party does not
otherwise exist.
(2) The party wishing to engage the practitioner is not responsible for the subject
matter but is able to provide the practitioner, or have a third party who is
responsible for the subject matter provide the practitioner with evidence of the
third party’s responsibility for the subject matter.
c. the practitioner and the specified parties agree on the procedures performed or to be
performed by the practitioner.
d. the specified parties take responsibility for the sufficiency of the agreed‐upon
procedures for their purposes.
e. the specific subject matter to which the procedures are to be applied is subject to
reasonably consistent measurement.
f. criteria to be used in the determination of findings are agreed on between the
practitioner and the specified parties.
g. the procedures to be applied to the specific subject matter are expected to result in
reasonably consistent findings using the criteria.
h. evidential matter related to the specific subject matter to which the procedures are
applied is expected to exist to provide a reasonable basis for expressing the findings in
the practitioner’s report.
i. where applicable, the practitioner and the specified parties agree on any materiality
limits for reporting purposes.
j. use of the report is restricted to the specified parties.
k. for agreed‐upon procedures engagements on prospective financial information, the
prospective financial statements include a summary of significant assumptions.
3422.06 To satisfy the requirements that the practitioner and the specified parties agree on the
procedures performed or to be performed and that the specified parties take responsibility
for the sufficiency of the agreed‐upon procedures for their purposes, ordinarily the
practitioner should communicate directly with and obtain affirmative acknowledgment from
each of the specified parties.
3422.07 The practitioner should establish an understanding with the client regarding the services to
be performed. When the practitioner documents the understanding through a written
communication with the client, such communication should be addressed to the client, and
in some circumstances also to all specified parties.
3422.08 The procedures that the practitioner and specified parties agree on may be as limited or as
extensive as the specified parties desire. However, mere reading of an assertion or specified
information about the subject matter does not constitute sufficient procedures to permit a
practitioner to report on the results of applying agreed‐upon procedures.
3422.09 The practitioner should not agree to perform procedures that are overly subjective and thus
possibly open to varying interpretations. Terms of uncertain meaning (such as general
review, limited review, check, or test) should not be used in describing the procedures
unless such terms are defined within the agreed‐upon procedures.
3422.10 The practitioner’s report on agreed‐upon procedures should be in the form of procedures
and findings. The report should contain the following elements:
a. A title that includes the word independent
b. Identification of the specified parties
c. Identification of the subject matter or assertion and the character of the engagement
d. Identification of the responsible party
e. A statement that the subject matter is the responsibility of the responsible party
f. A statement that the procedures performed were those agreed to by the specified
parties identified in the report
g. A statement that the agreed‐upon procedures engagement was conducted in
accordance with attestation standards established by the AICPA
h. A statement that the sufficiency of the procedures is solely the responsibility of the
specified parties and a disclaimer of responsibility for the sufficiency of those
procedures
i. A list of the procedures performed and related findings
j. Where applicable, a description of any agreed‐upon materiality limits
k. A statement that the practitioner was not engaged to and did not conduct an
examination or review of the subject matter, the objective of which would be the
expression of an opinion or conclusion, a disclaimer of opinion on the subject matter,
and a statement that if the practitioner had performed additional procedures, other
matters might have come to the practitioner’s attention that would have been reported
l. A statement of restriction on the use of the report because it is intended to be used
solely by the specified parties
m. Where applicable, reservations or restrictions concerning procedures or findings
n. Where applicable, a description of the nature of the assistance provided by a specialist
o. The manual or printed signature of the practitioner’s firm and the firm’s city and state
p. The date of the report
3422.11 A practitioner may find a representation letter to be a useful and practical means of
obtaining representation from the responsible party. The need for such a letter may depend
on the nature of the engagement and the specified parties.
3422.12 Before a practitioner who was engaged to perform another form of engagement agrees to
change the engagement to an agreed‐upon procedures engagement, the practitioner should
consider the following:
a. The possibility that certain procedures performed as part of another type of
engagement are not appropriate for inclusion in an agreed‐upon procedures
engagement
b. The reason given for the request, particularly the implications of a restriction on the
scope of the original engagement or the matters to be reported
c. The additional effort required to complete the original engagement
d. If applicable, the reasons for changing from a general‐use report to a restricted‐use
report
3422.13 If the specified parties acknowledge agreement to the procedures performed or to be
performed and assume responsibility for the sufficiency of the procedures to be included in
the agreed‐upon procedures engagement, either of the following would be considered a
reasonable basis for requesting a change in the engagement:
a. A change in circumstances that requires another form of engagement
b. A misunderstanding concerning the nature of the original engagement or the available
alternative
3423 Reporting on Controls at a Service Organization
3423.01 The service organization is an organization or segment of an organization that provides
services to user entities, which are likely to be relevant to those user entities’ internal
control over financial reporting (for example, processing of payments through a lockbox or
processing payroll for multiple entities).
3423.02 The service auditor is the practitioner who reports on controls of a service organization.
3423.03 The report on management’s description of a service organization’s system and the
suitability of the design and operating effectiveness of controls (also referred to as a type 2
report) is the service auditor’s report on a service organization’s description of its controls
that may be relevant to a user entity’s internal control over financial reporting, whether such
controls were suitably designed and operated effectively throughout the specified period to
achieve specified control objectives, and whether the controls that were tested were
operating with sufficient effectiveness to provide reasonable, but not absolute, assurance
that the related control objectives were achieved during the period specified.
3423.04 The service auditor may also just report on management’s description of a service
organization’s system and the suitability of the design of controls (also referred to as a type
1 report).
3423.05 The service auditor is responsible for the representations in the report and for exercising due
care in the application of procedures that support those representations.
3423.06 The service auditor must be independent from the service organization.
Reports on Management’s Description of a Service Organization’s System and
Suitability of the Design of Controls
3423.07 The information necessary for a report on management’s description of a service
organization’s system and suitability of the design of controls is generally obtained through
discussions with various service organization personnel and through reference to various
forms of documentation, such as system flowcharts and narratives. Evidence of whether
controls have been placed in operation is generally obtained through previous experience
with the organization and through inquiry, inspection of organization documents and
records, and observation of organization activities.
3423.08 The service auditor should:
a. obtain an understanding of the service organization’s system, including controls that are
included in the scope of the engagement;
b. obtain and read management’s description of the service organization’s system and
evaluate that such controls are presented fairly;
c. determine through inquiries, observation, and inspection of documents and records
whether the service organization’s system has been implemented; and
d. determine which of the controls are necessary to achieve the control objectives stated
in management’s description and assess whether those controls were suitably designed
to achieve the control objectives.
3423.09 A service auditor’s report on management’s description of a service organization’s system
and the suitability of the design of controls should contain the following:
a. A title that includes the word independent
b. An addressee
c. Identification of:
(1) management’s description of the service organization’s system and the function
performed by the system
(2) any parts of management’s description of the service organization’s system that are
not covered by the service auditor’s report
(3) any information included in a document containing the service auditor report that is
not covered by the service auditor’s report
(4) the criteria
(5) any services performed by a subservice organization and whether the carve‐out
method or the inclusive method was used in relation to them
d. A statement that the service auditor has not evaluated the suitability of the design or
operating effectiveness of complementary user entity controls, if applicable
e. A reference to management’s assertion and a statement that management is
responsible for:
(1) preparing the description of the service organization’s system and the assertion,
including the completeness, accuracy, and method of presentation of the
description and assertion;
(2) providing the services covered by the description of the service organization’s
system;
(3) specifying the control objectives, unless the control objectives are specified by law,
regulation, or another party, and stating them in the description of the service
organization’s system;
(4) identifying the risks that threaten the achievement of the control objective;
(5) selecting the criteria; and
(6) designing, implementing, and documenting controls that are suitably designed and
operating effectively to achieve the related control objectives stated in the
description of the service organization’s system
f. A statement that the service auditor’s responsibility is to express an opinion on the
fairness of the presentation of management’s description of the service organization’s
system and on the suitability of the design of the controls to achieve the related control
objectives stated in the description based on the service auditor’s examination
g. A statement that the examination was conducted in accordance with attestation
standards established by the American Institute of Certified Public Accountants (AICPA),
and that those standards require the service auditor to plan and perform the
examination to obtain reasonable assurance about whether management’s description
of the service organization’s system is fairly presented and the controls are suitably
designed as of the specified date to achieve the related control objectives
h. A statement that the service auditor has not performed any procedures regarding the
operating effectiveness of controls and, therefore, expresses no opinion thereon
i. A statement that an examination of management’s description of a service
organization’s system and the suitability of the design of the service organization’s
controls to achieve the related control objectives stated in the description involves
performing procedures to obtain evidence about the fairness of the presentation of the
description and the suitability of the design of those controls to achieve the related
control objectives stated in the description
j. A statement that the examination included assessing the risks that management’s
description of the service organization’s system is not fairly presented and that the
controls were not suitably designed to achieve the related control objectives
k. A statement that an examination engagement of this type also includes evaluating the
overall presentation of management’s description of the service organization’s system
and suitability of the control objectives stated in the description
l. A statement that the service auditor believes the examination provides a reasonable
basis for his or her opinion
m. A statement about the inherent limitations of controls, including the risk of projecting to
future periods any evaluation of the fairness of the presentation of management’s
description of the service organization’s system or conclusions about the suitability of
the design of controls to achieve the related control objectives
n. The service auditor’s opinion on whether, in all material respects, based on the criteria
described in management’s assertion:
(1) management’s description of the service organization’s system fairly presents the
service organization’s system that was designed and implemented as of the
specified date
(2) the controls related to the control objectives stated in management’s description of
the service organization’s system were suitably designed to provide reasonable
assurance that those control objectives would be achieved if the controls operated
effectively as of the specified date
(3) if the application of complementary user entity controls is necessary to achieve the
related control objectives stated in management’s description of the service
organization’s system, a reference to this condition
o. A statement restricting the use of the service auditor’s report to management of the
service organization, user entities of the service organization’s system as of the end of
the period covered by the service auditor’s report, and the independent auditors of such
user entities
p. The date of the service auditor’s report
q. The name of the service auditor and the city and state where the service auditor
maintains the office that has responsibility for the engagement
3423.10 For the service auditor to express an opinion on whether the controls were suitably designed
to achieve the specified control objectives, it is necessary that the service auditor:
a. identify the risks that threaten the achievement of the control objectives stated in
management’s description of the service organization’s system and
b. evaluate the linkage of the controls identified in management’s description of the
service organization’s system with those risks.
Reports on Management’s Description of a Service Organization’s System and the
Suitability of the Design and Operating Effectiveness of Controls
3423.11 The information necessary for a report on management’s description of a service
organization’s system and the suitability of the design and operating effectiveness of
controls is generally obtained through discussions with various service organization
personnel, through reference to various forms of documentation, such as system flowcharts
and narratives, and through the performance of tests of controls. Evidence of whether
controls have been placed in operation is generally obtained through previous experience
with the organization and through inquiry, inspection of organization documents and
records, and observation of organization activities.
3423.12 The service auditor should:
a. obtain an understanding of the service organization’s system, including controls that are
included in the scope of the engagement,
b. obtain and read management’s description of the service organization’s system and
evaluate that such controls are presented fairly,
c. determine through inquiries, observation, and inspection of documents and records
whether the service organization’s system has been implemented,
d. determine which of the controls are necessary to achieve the control objectives stated
in management’s description and assess whether those controls were suitably designed
to achieve the control objectives,
e. test specific controls to assess their operating effectiveness throughout the period, and
f. inquire about changes in controls that were implemented during the period covered by
the service auditor’s report.
3423.13 The service auditor’s report on management’s description of a service organization’s system
and the suitability of the design of operating effectiveness of controls should contain the
following:
a. A title that includes the word independent
b. An addressee
c. Identification of:
(1) management’s description of the service organization’s system and the function
performed by the system
(2) any parts of management’s description of the service organization’s system that are
not covered by the service auditor’s report
(3) any information included in a document containing the service auditor report that is
not covered by the service auditor’s report
(4) the criteria
(5) any services performed by a subservice organization and whether the carve‐out
method or the inclusive method was used in relation to them
d. A statement that the service auditor has not evaluated the suitability of the design or
operating effectiveness of complementary user entity controls, if applicable
e. A reference to management’s assertion and a statement that management is
responsible for:
(1) preparing the description of the service organization’s system and the assertion,
including the completeness, accuracy, and method of presentation of the
description and assertion;
(2) providing the services covered by the description of the service organization’s
system;
(3) specifying the control objectives, unless the control objectives are specified by law,
regulation, or another party, and stating them in the description of the service
organization’s system;
(4) identifying the risks that threaten the achievement of the control objective;
(5) selecting the criteria; and
(6) designing, implementing, and documenting controls that are suitably designed and
operating effectively to achieve the related control objectives stated in the
description of the service organization’s system
f. A statement that the service auditor’s responsibility is to express an opinion on the
fairness of the presentation of management’s description of the service organization’s
system and on the suitability of the design and operating effectiveness of the controls to
achieve the related control objectives stated in the description based on the service
auditor’s examination
g. A statement that the examination was conducted in accordance with attestation
standards established by the American Institute of Certified Public Accountants (AICPA),
and that those standards require the service auditor to plan and perform the
examination to obtain reasonable assurance about whether management’s description
of the service organization’s system is fairly presented and the controls are suitably
designed and operating effectively throughout the specified period to achieve the
related control objectives
h. A statement that an examination of management’s description of a service
organization’s system and the suitability of the design and operating effectiveness of the
service organization’s controls to achieve the control objectives stated in the description
involves performing procedures to obtain evidence about the fairness of the
presentation of the description and the suitability of the design and operating
effectiveness of those controls to achieve the related control objectives stated in the
description
i. A statement that the examination included assessing the risks that management’s
description of the service organization’s system is not fairly presented and that the
controls were not suitably designed to achieve the related control objectives
j. A statement that the examination also included testing the operating effectiveness of
those controls that the service auditor considers necessary to provide reasonable
assurance that the related control objectives stated in management’s description of the
service organization’s system were achieved
k. A statement that an examination engagement of this type also includes evaluating the
overall presentation of management’s description of the service organization’s system
and suitability of the control objectives stated in the description
l. A statement that the service auditor believes the examination provides a reasonable
basis for his or her opinion
m. A statement about the inherent limitations of controls, including the risk of projecting to
future periods any evaluation of the fairness of the presentation of management’s
description of the service organization’s system or conclusions about the suitability of
the design or operating effectiveness of controls
n. The service auditor’s opinion on whether, in all material respects, based on the criteria
described in management’s assertion:
(1) management’s description of the service organization’s system fairly presents the
service organization’s system that was designed and implemented throughout the
specified period
(2) the controls related to the control objectives stated in management’s description of
the service organization’s system were suitably designed to provide reasonable
assurance that those control objectives would be achieved if the controls operated
effectively throughout the specified period
(3) the controls the service auditor tested, which were those necessary to provide
reasonable assurance that the control objectives stated in the management’s
description of the service organization’s system were achieved, operated effectively
throughout the period
(4) if the application of complementary user entity controls is necessary to achieve the
related control objectives stated in management’s description of the service
organization’s system, a reference to this condition
o. A reference to a description of the service auditor’s tests of controls, and the results
thereof, that includes:
(1) identification of the controls that were tested, whether the items tested represent
all of a selection of the items in the population, and the nature of the tests in
sufficient detail to enable user auditors to determine the effect of such tests on
their risk assessments
(2) if deviations have been identified in the operation of controls included in the
description, the extent of testing performed by the service auditor that led to the
identification of deviations (including the number of items tested), and the number
and nature of the deviations noted (even if, on the basis of tests performed, the
service auditor concludes that the related control objective was achieved)
p. A statement restricting the use of the service auditor’s report to management of the
service organization, user entities of the service organization’s system during some or all
of the period covered by the service auditor’s report, and the independent auditors of
such user entities
q. The date of the service auditor’s report
r. The name of the service auditor and the city and state where the service auditor
maintains the office that has responsibility for the engagement
3430 Accounting and Review Service Engagements
Overview
3430.01 Rule 201, General Standards (ET 1.300.001 of the Code of Professional Conduct), states that
the accountant must “adequately plan and supervise the performance of professional
services.” This rule applies to accountants who undertake compilation and review
engagements.
3430.02 In addition, an accounting firm’s quality control system should establish policies and
procedures to address review responsibility for engagements. A qualified accountant should
review work performed by other team members and consider items such as if:
a. the work has been performed in accordance with professional standards and regulatory
and legal requirements;
b. significant findings and issues have been raised for further consideration;
c. appropriate consultations have taken place and the resulting conclusions have been
documented and implemented;
d. the nature, timing, and extent of work performed is appropriate and without need for
revision;
e. the work performed supports the conclusions reached and is appropriately
documented;
f. the evidence obtained is sufficient and appropriate to support the report; and
g. the objectives of the engagement procedures have been achieved.
3430.03 The accountant should review the work performed to provide reasonable assurance that the
objectives of the compilation (to assist management in presenting financial information in
the form of financial statements) and review (to obtain limited assurance that there are no
material modifications that should be made to the financial statements in order for the
statements to be in conformity with the applicable financial reporting framework) are
achieved.
3431 Preparation Engagements
3431.01 The accountant should prepare the financial statements using the records, documents,
explanations, and other information provided by management.
3431.02 The accountant is required to ensure that management acknowledges the responsibility to
include a statement on each page of the financial statements (including notes) indicating, at
a minimum, that no assurance is provided on the financial statements. If an adequate
statement is not able to be included on each page of the financial statements, the
accountant is required to either (i) issue a disclaimer to management that makes clear that
no assurance is provided on the financial statements or (ii) perform a compilation
engagement.
3431.03 If the accountant assists management with significant judgments regarding amounts or
disclosures to be reflected in the financial statements, the accountant should ensure that
management understands those significant judgments reflected in the financial statements
and accepts responsibility for those judgments.
3431.04 If the accountant becomes aware that the information used to prepare the financial
statements (including significant judgments) is incomplete, inaccurate, or otherwise
unsatisfactory, the accountant should bring that to the attention of management and
request additional or corrected information.
3431.05 If the accountant prepares financial statements that contain a known departure(s) from the
applicable financial reporting framework (including inadequate disclosure), the accountant
should disclose the material misstatement(s) in the financial statements.
3431.06 If the accountant prepares financial statements that omit substantially all disclosures
required by the applicable financial reporting framework, the accountant should disclose
such omission in the financial statements. The accountant should not prepare financial
statements that omit substantially all disclosures required by the applicable financial
reporting framework if the accountant becomes aware that the omission was undertaken
with the intention of misleading users of the financial statements.
Preparation of Prospective Financial Information
3431.07 SSARS 23 clarifies that the AICPA Guide Prospective Financial Information provides
comprehensive guidance regarding prospective financial information, including criteria for
the preparation and presentation of prospective financial information, and clarifies that the
accountant is not prohibited from preparing prospective financial information prepared and
presented in accordance with other suitable criteria.
3431.08 Because the summary of significant assumptions is essential to the user’s understanding of
prospective financial information, the accountant should not prepare prospective financial
information that excludes disclosure of said assumptions or a financial projection that
excludes either the identification of hypothetical assumptions or a description of the
limitations on the usefulness of the presentation.
3432 Compilation Reports
Standard Compilation Report
3432.01 When the accountant performs more than one service (e.g., preparation of financial
statement, compilation, review, or audit), the accountant should issue the report that is
appropriate for the highest level of service rendered.
3432.02 The accountant’s compilation report should be in writing and:
a. include a statement that management (owners) is (are) responsible for the financial
statements.
b. identify the financial statements that have been subjected to the compilation
engagement.
c. identify the entity whose financial statements have been subjected to the compilation
engagement.
d. specify the date or period covered by the financial statements.
e. include a statement that the accountant performed the compilation engagement in
accordance with SSARSs promulgated by the Accounting and Review Services
Committee of the AICPA.
f. include a statement that the accountant did not audit or review the financial statements
nor was the accountant required to perform any procedures to verify the accuracy or
completeness of the information provided by management and, accordingly, does not
express an opinion or a conclusion, nor provide any assurance on the financial
statements.
g. include the signature of the accountant or the accountant’s firm.
h. include the city and state where the accountant practices.
i. include the date of the report, which should be the date that the accountant has
completed the procedures required.
j. each page of the financial statements compiled by the accountant may include a
reference such as “See Accountant’s Compilation Report” at the accountant’s discretion.
3432.03 SSARS 23 amends AR‐C 80 as follows:
a. Expands subject matter to include prospective financial information, pro forma financial
information, and other historical financial information
b. Clarifies that the AICPA Guide Prospective Financial Information provides
comprehensive guidance regarding prospective financial information, including criteria
for the preparation and presentation of prospective financial information, and clarifies
that the accountant is not prohibited from performing a compilation engagement on
prospective financial information prepared and presented in accordance with other
suitable criteria
c. Clarifies the nature of an engagement letter and makes clear that an oral understanding
of the terms of the engagement is not sufficient
d. Includes additional requirements when the accountant is issuing a compilation report on
prospective financial information
e. Clarifies that the accountant is required to disclose known departures from the
applicable financial reporting framework in the accountant’s compilation report
f. If the accountant becomes aware of a departure from the applicable financial reporting
framework that is material to the financial statements and the financial statements are
not revised, the accountant is required to consider whether modification of the
standard report is adequate to disclose the departure.
3432.04 The following form of standard report is used for a compilation prepared in accordance with
accounting principles generally accepted in the United States of America:
Management is responsible for the accompanying financial statements of XYZ Company,
which comprise the balance sheets as of December 31, 20X2 and 20X1 and the related
statements of income, changes in stockholders’ equity, and cash flows for the years then
ended, and the related notes to the financial statements in accordance with accounting
principles generally accepted in the United States of America. I (We) have performed
compilation engagements in accordance with Statements on Standards for Accounting
and Review Services promulgated by the Accounting and Review Services Committee of
the AICPA. I (We) did not audit or review the financial statements nor was (were) I (we)
required to perform any procedures to verify the accuracy or completeness of the
information provided by management. Accordingly, I (we) do not express an opinion, a
conclusion, nor provide any form of assurance on these financial statements.
[Signature of accounting firm or accountant, as appropriate]
[Accountant’s city and state]
[Date of the accountant’s report]
3432.05 An accountant may be asked to issue a compilation report on one financial statement, such
as a balance sheet, and not on other related financial statements. The accountant is
permitted to do so.
3432.06 Financial statements prepared in accordance with a special‐purpose framework are not
considered appropriate in form unless the financial statements include:
a. a description of the special‐purpose framework, including a summary of significant
accounting policies and a description of the primary differences from GAAP. The effects
of the differences need not be quantified.
b. informative disclosures similar to those required by GAAP if the financial statements
contain items that are the same as, or similar to, those in financial statements prepared
in accordance with GAAP.
Report for a Compilation That Has Omitted Substantially All Disclosures
3432.07 The accountant should not issue an accountant’s compilation report on financial statements
that omit substantially all disclosures required by the applicable financial reporting
framework unless the omission of substantially all disclosures is not, to the accountant’s
knowledge, undertaken with the intention of misleading those who might reasonably be
expected to use such financial statements.
When financial statements that the accountant has compiled omit substantially all
disclosures but are otherwise in conformity with the applicable financial reporting
framework, the accountant should include a separate paragraph in the accountant’s
compilation report that includes the following elements:
a. A statement that management has elected to omit substantially all the disclosures (and
the statement of cash flows, if applicable) required by the applicable financial reporting
framework (or ordinarily included in the financial statements if the financial statements
are prepared in accordance with a special‐purpose framework)
b. A statement that if the omitted disclosures (and the statement of cash flows, if
applicable) were included in the financial statements, they might influence the user's
conclusions about the entity's financial position, results of operations, and cash flows
(or the equivalent for presentations other than GAAP)
c. A statement that, accordingly, the financial statements are not designed for those who
are not informed about such matters
Reporting When the Accountant Is Not Independent
3432.08 If the accountant is not independent, the lack of independence should be disclosed following
the last paragraph of the report:
I am (we are) not independent with respect to XYZ Company.
3432.09 The accountant is not precluded from disclosing a description about the reason(s) that his or
her independence is impaired. If the accountant elects to disclose a description about the
reasons for lack of independence, the accountant should ensure that all reasons are included
in the description.
Emphasis Paragraph
3432.10 At the accountant’s discretion, an emphasis paragraph may be added to the standard
compilation report. Examples of matters accountants may wish to emphasize are:
a. uncertainties,
b. that the entity is a component of a larger business enterprise,
c. that the entity has had significant transactions with related parties,
d. unusually important subsequent events, and
e. accounting matters, other than those involving a change or changes in accounting
principles, affecting the comparability of the financial statements with those of the
preceding period.
3432.11 An emphasis paragraph is not a substitute for disclosure. Therefore, the accountant should
not include an emphasis paragraph in a compilation report on financial statements that omit
substantially all disclosures unless the matter is disclosed in the financial statements.
Known Departure from Applicable Financial Reporting Framework
3432.12 When the accountant has concluded that modification of the standard report is appropriate
to disclose a departure from GAAP (or applicable financial reporting framework), the
departure should be disclosed in a separate paragraph of the report, including disclosure of
the effects of the departure on the financial statements if such effects have been
determined by management or are known as the result of the accountant’s procedures. The
accountant is not required to determine the effects of a departure if management has not
done so, provided the accountant states in the report that such determination has not been
made.
I (we) have compiled the accompanying balance sheet of XYZ Company as of December
31, 20XX, and the related statements of income, retained earnings, and cash flows for the
year then ended. I (we) have not audited or reviewed the accompanying financial
statements and, accordingly, do not express an opinion or provide any assurance about
whether the financial statements are in accordance with accounting principles generally
accepted in the United States of America.
Management (owners) is (are) responsible for the preparation and fair presentation of the
financial statements in accordance with accounting principles generally accepted in the
United States of America and for designing, implementing, and maintaining internal
control relevant to the preparation and fair presentation of the financial statements.
My (our) responsibility is to conduct the compilation in accordance with Statements on
Standards for Accounting and Review Services issued by the American Institute of
Certified Public Accountants. The objective of a compilation is to assist management in
presenting financial information in the form of financial statements without undertaking
to obtain or provide any assurance that there are no material modifications that should
be made to the financial statements. During my (our) compilation, I (we) did become
aware of a departure (certain departures) from accounting principles generally accepted
in the United States of American that is (are) described in the following paragraph.
As disclosed in Note X to the financial statements, accounting principles generally
accepted in the United States of America require that land be stated at cost. Management
has informed me (us) that the company has stated its land at appraised value and that, if
accounting principles generally accepted in the United States of America had been
followed, the land account and stockholders’ equity would have been decreased by
$500,000.
Predecessor’s Compilation or Review Report
3432.13 A predecessor may reissue his or her report at the client's request if he or she is able to
make satisfactory arrangements with his or her former client and if he or she complies with
the provisions of sections 3432.15–.19. However, a predecessor is not required to reissue his
or her compilation or review report on the financial statements of a prior period. If he or she
does not reissue his or her compilation or review report on the financial statements of a
prior period, a successor should either (a) make reference to the report of the predecessor
in accordance with the provisions of section 3432.14 or (b) perform a compilation or review
of the financial statements of the prior period and report on them accordingly.
Predecessor’s Compilation or Review Report Not Presented
3432.14 When the financial statements of a prior period have been compiled or reviewed by a
predecessor whose report is not presented and the successor has not compiled or reviewed
those financial statements, the successor should make reference in an additional
paragraph(s) of his or her report on the current‐period financial statements to the
predecessor's report on the prior‐period financial statements. This reference should include
the following matters:
a. A statement that the financial statements of the prior period were compiled or
reviewed by another accountant (other accountants)
b. The date of his or her (their) report
c. If the financial statements of the prior period were compiled, a statement that the other
accountant(s) did not audit or review the financial statements and, accordingly, did not
express an opinion or provide any assurance about whether the financial statements are
in accordance with the applicable financial reporting framework
d. If the financial statements of the prior period were reviewed, a statement that, based
on his or her review, the other accountant(s) are not aware of any material
modifications that should be made to the financial statements in order for them to be in
conformity with the applicable financial reporting framework, other than those
modifications, if any, indicated in the report
e. A description or a quotation of any modifications of the standard report and of any
paragraphs emphasizing a matter regarding the financial statements
Predecessor’s Compilation or Review Report Reissued
3432.15 Before reissuing a compilation or review report on the financial statements of a prior period,
a predecessor should consider whether his or her report is still appropriate. In making this
determination, the predecessor should consider (a) the current form and manner of
presentation of the prior‐period financial statements, (b) subsequent events not previously
known, and (c) changes in the financial statements that require the addition or deletion of
modifications to the standard report.
3432.16 A predecessor should perform the following procedures before reissuing his or her
compilation or review report on the financial statements of a prior period:
a. Read the financial statements of the current period and the successor's report.
b. Compare the prior‐period financial statements with those previously issued and with
those of the current period.
c. Obtain a letter from the successor that indicates whether he or she is aware of any
matter that, in his or her opinion, might have a material effect on the financial
statements, including disclosures, reported on by the predecessor. The predecessor
should not refer in his or her reissued report to this letter or to the report of the
successor.
3432.17 If a predecessor becomes aware of information, including information about events or
transactions occurring subsequent to the date of his or her previous report, that he or she
believes may affect the prior‐period financial statements or his or her report on them, he or
she should (a) make inquiries or perform analytical procedures similar to those he or she
would have performed if he or she had been aware of such information at the date of his or
her report on the prior‐period financial statements and (b) perform any other procedures he
or she considers necessary in the circumstances. For example, the predecessor may wish to
discuss this information with the successor or to review the engagement documentation of
the successor as it relates to the matters affecting the prior‐period financial statements. If
the predecessor decides, based on the information obtained, that his or her report on the
prior‐period financial statements should be revised, he or she should follow the guidance in
sections 3432.18–.19.
3432.18 A predecessor's knowledge of the current affairs of his or her former client is obviously
limited in the absence of a continuing relationship. Consequently, when reissuing his or her
report on the prior‐period financial statements, a predecessor should use the date of his or
her previous report to avoid any implication that he or she has performed procedures after
that date other than those described in sections 3432.15–.17. If the predecessor revises his
or her report or if the financial statements are restated, he or she should dual‐date his or
her report (for example, “March 1, 20X1, except for note X, as to which the date is March 15,
20X2”). The predecessor's responsibility for events occurring subsequent to the completion
of his or her engagement is limited to the specific event referred to in the note or otherwise
disclosed. He or she should also obtain a written statement from the former client setting
forth the information currently acquired and its effect on the prior‐period financial
statements and, if applicable, expressing an understanding of its effect on the predecessor's
reissued report.
3432.19 If a predecessor is unable to complete the procedures described in sections 3432.15–.18, he
or she should not reissue his or her report and may wish to consult with his or her attorney
regarding the appropriate course of action.
Compilation Reports on Financial Statements Included in Certain Prescribed Forms
3432.20 The requirements of AU‐C 800, Special Considerations—Audits of Financial Statements
Prepared in Accordance with Special‐Purpose Frameworks, are applicable when the
unaudited financial statements of a nonissuer are included in a prescribed form.
a. A prescribed form is any standard preprinted form designed or adopted by the body to
which it is to be submitted, such as forms used by industry trade associations, credit
agencies, banks, and governmental and regulatory bodies.
b. A form designed or adopted by the entity whose financial statements are to be
compiled is not considered to be a prescribed form.
c. There is a presumption that the information required by a prescribed form is sufficient
to meet the needs of the body that designed or adopted the form and that there is no
need for that body to be advised of departures from the applicable financial reporting
framework required by the prescribed form or related instructions.
d. If the accountant becomes aware of a departure from the requirements of the
prescribed form or related instructions, he or she should consider that departure as the
equivalent of a departure from an applicable financial reporting framework in
determining its effect on his or her report.
3433 Review Reports
Standard Review Report
3433.01 The written review report should include the following:
a. A title that includes the word independent to clearly indicate that it is the report of an
independent accountant
b. An addressee, as appropriate for the circumstances of the engagement
c. An introductory paragraph that identifies the entity whose financial statements have
been reviewed:
(1) states that the financial statements identified in the report were reviewed,
(2) identifies the financial statements,
(3) specifies the date or period covered by each financial statement,
(4) includes a statement that a review includes primarily applying analytical procedures
to management’s (owner’s) financial data and making inquiries of company
management (owners), and
(5) includes a statement that a review is substantially less in scope than an audit, the
objective of which is the expression of an opinion regarding the financial
statements as a whole, and that, accordingly, the accountant does not express such
an opinion
d. A section with the heading “Management’s Responsibility for the Financial Statements”
that includes an explanation that management is responsible for the preparation of the
financial statements in accordance with the applicable financial reporting framework;
this responsibility includes the design, implementation, and maintenance of internal
control sufficient to provide a reasonable basis for the preparation and fair presentation
of financial statements in accordance with the applicable financial reporting framework
e. A section with the heading "Accountant’s Responsibility" that includes the following
statements:
(1) The accountant’s responsibility is to conduct the review engagement in accordance
with SSARSs promulgated by the Accounting and Review Services Committee of the
AICPA. The accountant’s review report should also explain that those standards
require that the accountant perform the procedures to obtain limited assurance as
a basis for reporting whether the accountant is aware of any material modifications
that should be made to the financial statements for them to be in accordance with
the applicable financial reporting framework.
(2) The accountant believes that the review evidence the accountant has obtained is
sufficient and appropriate to provide a basis for the accountant’s conclusion.
f. A concluding section with an appropriate heading that includes a statement about
whether the accountant is aware of any material modifications that should be made to
the accompanying financial statements for them to be in accordance with the applicable
financial reporting framework and that identifies the country of origin of those
accounting principles, if applicable
g. The manual or printed signature of the accountant’s firm
h. The city and state where the accountant practices
i. The date of the review report, which should be dated no earlier than the date on which
the accountant completed procedures sufficient to obtain limited assurance as a basis
for reporting whether the accountant is aware of any material modifications that should
be made to the financial statements for them to be in accordance with the applicable
financial reporting framework, including evidence that:
(1) all the statements that the financial statements comprise, including the related
notes, have been prepared and
(2) management has asserted that they have taken responsibility for those financial
statements (AR‐C 90.39)
j. Each page of the financial statements reviewed by the accountant may include a
reference such as “See Independent Accountant’s Review Report” at the accountant’s
discretion.
3433.02 SSARS 23 clarifies:
a. that AR‐C 90 applies to reviews of all historical financial information, excluding pro
forma financial information.
b. the nature of the engagement letter and makes clear that an oral understanding of the
terms of the engagement is not sufficient.
c. the requirement that the accountant’s review report include the signature of the
accountant or the accountant’s firm with that included in AR‐C 80 for an accountant’s
compilation report.
d. the accountant’s reporting responsibilities when supplemental information
accompanies reviewed financial statements and the accountant’s review report
thereon.
3433.03 The following form is an accountant’s review report on single‐year financial statements
prepared in accordance with accounting principles generally accepted in the United States of
America.
Circumstances include the following:
a. Review of a complete set of financial statements (single year).
b. The financial statements are prepared in accordance with accounting principles
generally accepted in the United States of America.
Independent Accountant’s Review Report
[Appropriate Addressee]
I (We) have reviewed the accompanying financial statements of XYZ Company, which
comprise the balance sheet as of December 31, 20XX, and the related statements of
income, changes in stockholders’ equity, and cash flows for the year then ended, and the
related notes to the financial statements. A review includes primarily applying analytical
procedures to management’s (owners’) financial data and making inquiries of company
management (owners). A review is substantially less in scope than an audit, the objective
of which is the expression of an opinion regarding the financial statements as a whole.
Accordingly, I (we) do not express such an opinion.
Management’s Responsibility for the Financial Statements
Management (Owners) is (are) responsible for the preparation and fair presentation of
these financial statements in accordance with accounting principles generally accepted in
the United States of America; this includes the design, implementation, and maintenance
of internal control relevant to the preparation and fair presentation of financial
statements that are free from material misstatement whether due to fraud or error.
Accountant’s Responsibility
My (Our) responsibility is to conduct the review engagement in accordance with
Statements on Standards for Accounting and Review Services promulgated by the
Accounting and Review Services Committee of the AICPA. Those standards require me (us)
to perform procedures to obtain limited assurance as a basis for reporting whether I am
(we are) aware of any material modifications that should be made to the financial
statements for them to be in accordance with accounting principles generally accepted in
the United States of America. I (We) believe that the results of my (our) procedures
provide a reasonable basis for our conclusion.
Accountant’s Conclusion
Based on my (our) review, I am (we are) not aware of any material modifications that
should be made to the accompanying financial statements in order for them to be in
accordance with accounting principles generally accepted in the United States of America.
[Signature of accounting firm or accountant, as appropriate]
[Accountant’s city and state]
[Date of the accountant’s review report]
3433.04 An accountant may, if requested, issue a review report on one financial statement and not
on the other related financial statements if the scope of inquiry and analytical procedures
has not been restricted.
When a Review Report May Not Be Issued
3433.05 When an accountant is unable to perform the inquiry and analytical procedures necessary to
achieve the limited assurance contemplated by a review, or the client does not provide the
accountant with a representation letter, the accountant cannot issue a review report. Under
these circumstances, the accountant should consider if it is appropriate to issue a
compilation report.
3433.06 An accountant may not issue a review report on the financial statements of an entity with
respect to which he or she is not independent. The accountant may issue a compilation
report.
Review Report for Special‐Purpose Framework
3433.07 Financial statements prepared in accordance with a special‐purpose framework are not
considered appropriate in form unless the financial statements include:
a. a description of the special‐purpose framework, including a summary of significant
accounting policies and a description of the primary differences from GAAP. The effects
of the differences need not be quantified.
b. informative disclosures similar to those required by GAAP if the financial statements
contain items that are the same as, or similar to, those in financial statements prepared
in accordance with GAAP.
3433.08 For financial statements prepared in accordance with a special‐purpose framework, the
accountant’s review report should:
a. make reference to management’s responsibility for determining that the applicable
financial reporting framework is acceptable in the circumstances.
b. describe the purpose for which the financial statements are prepared (i.e., regulatory,
contractual, etc.).
c. include an emphasis‐of‐matter paragraph indicating that the financial statements are
prepared in accordance with the special‐purpose framework, refer to the note in the
statements that describes said framework, and state that the framework is a basis of
accounting other than GAAP.
d. include an other‐matter paragraph that restricts the use of the review report when
financial statements are prepared in accordance with a contractual basis, regulatory
basis, or other basis of accounting.
3433.09 For financial statements prepared in accordance with a contractual basis of accounting, the
accountant should modify the review report if the financial statements do not adequately
describe any significant interpretations of the contract.
Comparative Financial Statements
3433.10 When comparative financial statements are issued, either as a result of requirements under
the applicable financial reporting framework or because management elects to issue them,
the review report should refer to each period for which the financial statements are
presented.
3433.11 When reporting on all periods presented, the accountant should update the report on one
or more prior periods presented with those of the current period. The report should not be
dated earlier than the date that the accountant completed procedures sufficient to obtain
limited assurance as a basis for reporting whether the accountant is aware of any material
modifications that should be made for the statements to be in accordance with the
applicable financial reporting framework with respect to the current period.
3433.12 When issuing an updated review report, the accountant should consider information that
he/she has become aware of during the review of the current‐period financial statements
and any effect it may have on either the prior‐period financial statements presented or the
review report.
3433.13 When the accountant’s review report on the financial statements of a prior period contains
a changed reference to a departure from the applicable financial reporting framework, the
report should include an other‐matter paragraph indicating the date of the previous review
report; the circumstances that caused the changed reference; and if, in fact, the prior‐period
statements have been changed.
3433.14 When the prior‐period financial statements were audited and the audit report is not
reissued, the review report on the current financial statements should include an other‐
matter paragraph indicating:
a. the financial statements of the prior period were previously audited.
b. the date of the prior‐period auditor’s report.
c. the opinion issued on the prior‐period financial statements; if the opinion was modified,
the substantive reasons for the modification.
d. that no auditing procedures were performed after the date of the previous report.
Emphasis‐of‐Matter and Other‐Matter Paragraphs
3433.15 At the accountant’s discretion, an emphasis‐of‐matter paragraph may be added to the
standard review report, provided that the accountant does not believe that the financial
statements may be materially misstated. Such paragraph should only refer to information
presented or disclosed in the financial statements.
3433.16 The emphasis‐of‐matter paragraph, if any, should:
a. be included immediately after the accountant’s conclusion paragraph.
b. use the heading “Emphasis of a Matter.”
c. include a clear reference to the matter being emphasized and to where relevant
disclosures that fully describe the matter can be found in the financial statements.
d. indicate that the accountant’s conclusion is not modified with respect to the matter
emphasized.
3433.17 The other‐matter paragraph, if any, should:
a. be included immediately after the accountant’s conclusion paragraph and any
emphasis‐of‐matter paragraph.
b. use the heading “Other Matter.”
Known Departure from Applicable Financial Reporting Framework
3433.18 When the accountant becomes aware of a material departure from the applicable financial
reporting framework (including inadequate disclosure), the accountant should consider
whether modification of the standard review report is adequate to disclose the departure.
a. If the disclosure is adequate, it should be disclosed in a separate paragraph under the
heading “Known Departure from the [identify the applicable financial reporting
framework],” including the effects on the financial statements of said departure. The
accountant is not required to determine the effects of the departure.
b. If the modification of the standard report is not adequate to indicate the deficiencies in
the financial statements as a whole, the accountant should withdraw from the review
engagement. The accountant should not modify the standard report to include a
statement that the financial statements are not in accordance with the applicable
financial reporting framework.
Report Restrictions
3433.19 The review report should include an alert, in a separate paragraph, that restricts its use
when the report’s subject matter is based on measurement or disclosure criteria that are:
a. determined by the accountant to be suitable only for a limited number of users who can
be presumed to have an adequate understanding of the criteria, or
b. available only to the specified parties.
3433.20 The alert that restricts use of the review report should:
a. identify the specified parties for whom the use is intended.
b. state that the accountant’s review report is intended solely for the information and use
of the specified parties, and is not intended to be, and should not be, used by anyone
other than the specified parties.
Going Concern Considerations
3433.21 If evidence or information comes to the accountant’s attention that there could be an
uncertainty about the entity’s ability to continue as a going concern for a reasonable period
of time, the accountant should request that management consider the possible effects of
the uncertainty on the financial statements, including the need for related disclosure.
a. A reasonable period of time is the same period of time required of management to
assess going concern when specified by the applicable financial reporting framework. If
not specified by the framework, a reasonable period is one year after the date the
financial statements are issued or are available to be issued.
b. For all financial statements presented and all periods covered by the review, the
accountant should request management to provide written representations that are
dated as of the date of the review report stating that management has disclosed to the
accountant all information relevant to use of the going concern assumption in the
financial statements.
c. The accountant should perform review procedures to evaluate whether the going
concern basis of accounting is appropriate and if there are conditions or events that
raise substantial doubt about the entity’s ability to continue as a going concern (and
management’s plans to mitigate those matters).
d. If, after considering conditions or events and management’s plans, the accountant
concludes that substantial doubt about the entity’s ability to continue as a going
concern for a reasonable period of time remains, the accountant should include an
emphasis‐of‐matter paragraph, as discussed in section 3433.15.
e. If the accountant determines that the going concern disclosures are inadequate, then a
departure from the applicable financial reporting framework exists, and the accountant
should follow the guidance discussed in section 3433.18.
Subsequent Events and Subsequently Discovered Facts
3433.22 If evidence or information comes to the accountant’s attention that there could be
subsequent events that require adjustment of, or disclosure in, the financial statements, the
accountant should request that management consider whether each such event is
appropriately reflected in the financial statements in accordance with the applicable
financial reporting framework. If the accountant determines that the subsequent event is
not adequately accounted for, then a departure from the applicable financial reporting
framework exists, and the accountant should follow the guidance discussed in section
3433.18.
3433.23 The accountant is not required to perform any review procedures regarding the financial
statements after the date of the review report. However, if a subsequently discovered fact
becomes known to the accountant before the report release date, the accountant should:
a. discuss the matter with management and/or those charged with governance.
b. determine whether the financial statements need revision; if so, determine how
management intends to address the matter.
3433.24 If management revises the financial statements, the accountant should:
a. date the accountant’s report as of a later date, or
b. include an additional date in the review report on the revised financial statements that
is limited to the revision (i.e., dual‐date the report).
3433.25 If management does not revise the financial statements, the accountant should modify the
review report as appropriate.
3433.26 If a subsequently discovered fact becomes known to the accountant after the report release
date, the accountant should:
a. discuss the matter with management and/or those charged with governance.
b. determine whether the financial statements need revision; if so, determine how
management intends to address the matter.
3433.27 If management revises the financial statements:
a. the accountant should date the accountant’s report as of a later date, or include an
additional date in the review report on the revised financial statements that is limited to
the revision (i.e., dual‐date the report).
b. if the reviewed financial statements (before revision) have been made available to third
parties, the accountant should assess whether management has taken timely and
appropriate steps to ensure that anyone in receipt of those financial statements is
informed of the situation.
c. if the accountant’s conclusion on the revised statements differs from the accountant’s
original conclusion, an emphasis‐of‐matter paragraph should be added, disclosing the
date of the accountant’s previous report, a description of the revisions, and the
substantive reasons for the revisions.
3433.28 If management does not revise the financial statements, then:
a. if the reviewed statements have not been made available to third parties, the
accountant should notify management not to make the statements available before the
necessary revisions have been made and a new accountant’s review report on the
revised financial statements has been provided.
b. if the reviewed statements have been made available to third parties, the accountant
should assess whether the steps taken by management are timely and appropriate to
ensure that anyone in receipt of the reviewed statements is informed of the situation.
c. if management does not take the appropriate steps, the accountant should notify
management that the accountant will seek to prevent future use of the accountant’s
review report.
Reference to the Work of Other Accountants
3433.29 If other accountants audited or reviewed the financial statements of significant components,
and the reporting entity’s accountant does not assume responsibility for the audit or review
performed by others, the accountant should make reference to the audit or review of such
other accountants in the review report, clearly indicating that the accountant used the work
of other accountants, and should include the magnitude of the portion of the statements
audited or reviewed by others.
a. Reference to the work of other accountants should not be made if the other
accountants issued a report that includes a restriction on use alert.
b. If the component’s financial statements are prepared using a different financial
reporting framework from that used by the reporting entity, procedures similar to an
audit are required to convert the financial statements to that used by the reporting
entity.
3433.30 The accountant of the reporting entity should communicate with the other accountants and
ascertain that:
a. the other accountants are aware that the financial statements of the component that
the other accountants audited or reviewed are to be included in the financial
statements on which the reporting entity’s accountant will report on and that the other
accountants’ report thereon will be relied upon by the reporting entity’s accountant.
b. the other accountants are familiar with the applicable financial reporting framework
and with SSARS or auditing standards generally accepted in the United States, and will
conduct the review or audit in accordance therewith.
c. the other accountants understand the relevant ethical requirements, particularly
independence.
d. a review will be made of matters affecting elimination of intercompany transactions and
accounts and, if appropriate, the uniformity of accounting practices among the
components included in the financial statements.
Supplementary Information
3433.31 The accountant should clearly indicate the degree of responsibility, if any, that the
accountant is taking with respect to any supplementary information that will accompany the
reviewed financial statements in either an other‐matter paragraph or in a separate report on
the supplementary information.
3433.32 The other‐matter paragraph or separate report should state that:
a. the information is presented for purposes of additional analysis and is not a required
part of the statements.
b. the information is the representation of management.
c. the accountant has reviewed the information and, based on the review, whether the
accountant is aware of any material modifications that should be made to the
information in order for it to be in accordance with the applicable financial reporting
framework.
d. the accountant has not audited the information and, accordingly, does not express an
opinion on such information.
3433.33 If the accountant has not reviewed the supplementary information, the other‐matter
paragraph or separate report should state that:
a. the information is presented for purposes of additional analysis and is not a required
part of the statements.
b. the information is the representation of management.
c. the accountant has not audited or reviewed the information and, accordingly, does not
express an opinion or a conclusion, nor provide any assurance on such information.
Required Supplementary Information
3433.34 With respect to required supplementary information (RSI), the accountant should include an
other‐matter paragraph in the review report that explains the following:
a. The RSI is included, and the accountant performed either a compilation engagement or
a review on the RSI.
b. The RSI is included, and the accountant did not perform a compilation, review, or audit
on the RSI.
c. The RSI is omitted.
d. Some RSI is missing, and some is presented in accordance with the prescribed
guidelines.
e. The accountant has identified departures from the prescribed guidelines.
f. The accountant has unresolved doubts about whether the RSI is presented in
accordance with prescribed guidelines.
3433.35 If the entity has presented all or some of the required supplementary information (RSI), and
the accountant did not perform a compilation, review, or audit on the RSI, the other‐matter
paragraph should include:
a. a statement that [identify the applicable financial reporting framework] requires that
the [identify the required supplementary information] be presented to supplement the
basic financial statements.
b. a statement that such information, although not a part of the basic financial statements,
is required by [identify designated accounting standards‐setter], who considers it to be
an essential part of financial reporting for placing the basic financial statements in an
appropriate operational, economic, or historical context.
c. a statement that the accountant did not perform a compilation, review, or audit on the
RSI and, accordingly, does not express an opinion or provide any assurance on the
information.
3433.36 If the entity has omitted all of the required supplementary information (RSI), the other‐
matter paragraph should include:
a. a statement that management has omitted [description of the missing RSI] that [identify
the applicable financial reporting framework] requires to be presented to supplement
the basic financial statements.
b. a statement that such missing information, although not a part of the basic financial
statements, is required by [identify designated accounting standards‐setter], who
considers it to be an essential part of financial reporting for placing the basic financial
statements in an appropriate operational, economic, or historical context.
Change in Engagement from Audit to Review
3433.37 If an accountant has been requested to change from an audit engagement to a review
engagement, and the accountant concludes, based upon their professional judgment, that
reasonable justification exists to change the engagement, and if the accountant complies
with the standards applicable to a review engagement, then the accountant should issue an
appropriate review report. The report should not include any reference to the original
engagement, any audit procedures that may have been performed, or any scope limitations
that resulted in the changed engagement.
International Reporting Issues
3433.38 Section 100 of the Statements on Standards for Accounting and Review Services (SSARS)
relates to the following circumstances:
a. The financial statements have been prepared in accordance with a financial reporting
framework generally accepted in another country not adopted by a body designated to
establish GAAP (such as a national variant of the International Financial Reporting
Standards (IFRS)).
b. The compilation or review engagement is performed in accordance with SSARS and
another set of standards (such as International Standard on Related Services (ISRS)
4410, Engagements to Compile Financial Statements, or International Standard on
Review Engagements (ISRE) 2400, Engagements to Review Historical Financial
Statements).
3433.39 In accepting a SSARS engagement related to financial statements prepared in accordance
with a financial reporting framework generally accepted in another country, the accountant
should obtain an understanding of the purpose for which the financial statements are
prepared and whether the financial reporting framework applied in the preparation of the
financial statements is a fair presentation framework.
a. The accountant should also understand the intended users of the financial statements
and the steps taken by management to determine that the applicable financial reporting
framework is acceptable in the circumstances.
b. Any SSARS report should include a statement that refers to a note to the financial
statements that describes the basis of presentation, including identification of the
country of origin of the accounting principles.
3433.40 In accepting an engagement in accordance with both the SSARS and another set of
standards, the accountant should obtain an understanding of applicable legal responsibilities
when the financial statements are intended for use only outside of the United States and the
accountant plans to use the form and content of the non‐SSARS standards.
a. When the financial statements are intended for use only outside the United States, the
accountant may use the report form and content of the other country’s standards.
Alternatively, the SSARS report format may be applied with a statement that refers to a
note to the financial statements that describes the basis of presentation, including
identification of the country of origin of the accounting principles.
b. If the financial statements will be used in the United States, the accountant should
report in accordance with the SSARS, including the requirements related to financial
statements prepared in accordance with a special‐purpose framework if the financial
statements are prepared in accordance with a financial reporting framework generally
accepted in another country.
c. When a SSARS refers to both SSARS and another set of standards, the report should
identify the other set of compilation or review standards (as well as its origin).
3440 Reporting on Compliance
Compliance with Aspects of Contractual Agreements or Regulatory Requirements
Related to Audited Financial Statements (AU‐C 806)
3440.01 Entities may be required by contractual agreements, such as certain bond indentures and
loan agreements, or by regulatory agencies to furnish compliance reports by independent
auditors. The independent auditor may satisfy this request by giving negative assurance
relative to the applicable covenants based on the audit of the financial statements.
3440.02 Such assurance should not be given unless the auditor has audited the financial statements
to which the contractual agreements or regulatory requirements relate. In addition, such
assurance should not be given if the auditor has expressed an adverse opinion or disclaimed
an opinion on the financial statements to which these covenants relate.
3440.03 An example report on compliance with contractual provisions given in a separate report is
illustrated as follows (AU‐C 806.A8, Illustration 1):
Independent Auditor’s Report
[Appropriate Addressee]
We have audited, in accordance with auditing standards generally accepted in the United
States of America, the financial statements of XYZ Company, which comprise the balance
sheet as of December 31, 20X2, and the related statements of income, changes in
stockholders' equity, and cash flows for the year then ended, and the related notes to the
financial statements, and have issued our report thereon dated February 16, 20X3.
In connection with our audit, nothing came to our attention that caused us to believe that
XYZ Company failed to comply with the terms, covenants, provisions, or conditions of
sections XX to YY, inclusive, of the Indenture dated July 21, 20X0, with ABC Bank, insofar
as they relate to accounting matters. However, our audit was not directed primarily
toward obtaining knowledge of such noncompliance.
Accordingly, had we performed additional procedures, other matters may have come to
our attention regarding the Company's noncompliance with the above‐referenced terms,
covenants, provisions, or conditions of the Indenture, insofar as they relate to accounting
matters.
This report is intended solely for the information and use of the board of directors and
management of XYZ Company and ABC Bank and is not intended to be and should not be
used by anyone other than these specified parties.
[Auditor's signature]
[Auditor's city and state]
[Date of the auditor's report]
Nonaudit Compliance Engagements
3440.04 Compliance engagements are either used to determine (1) an entity’s compliance with
requirements of specified laws, regulations, rules, contracts, or grants or (2) the
effectiveness of an entity’s internal control over compliance with specified requirements.
3440.05 Compliance requirements may be either financial or nonfinancial in nature. Compliance
engagements should be conducted in accordance with attestation standards.
3440.06 A practitioner may be engaged to perform an agreed‐upon procedures engagement or an
examination engagement in the area of compliance attestation.
3440.07 An important consideration in determining the type of engagement to be performed is
expectations by users of the practitioner’s report.
3440.08 A practitioner should not accept an engagement to perform a review of an entity’s
compliance with specified requirements or about the effectiveness of an entity’s internal
control over compliance or an assertion thereon.
3440.09 As a part of engagement performance, the practitioner should obtain from the responsible
party a written assertion about compliance with specified requirements or internal control
over compliance.
3440.10 In an examination engagement or an agreed‐upon procedures engagement, the practitioner
should obtain a written representation letter from the responsible party.
Agreed‐Upon Procedures Compliance Engagement
3440.11 A practitioner may be engaged to perform agreed‐upon procedures to assist users in
evaluating the following subject matter:
a. The entity’s compliance with specified requirements
b. The effectiveness of the entity’s internal control over compliance
c. Both the entity’s compliance with specified requirements and the effectiveness of the
entity’s internal control over compliance
3440.12 A practitioner may perform an agreed‐upon procedures engagement related to an entity’s
compliance with specified requirements or the effectiveness of internal control over
compliance if the following conditions are met:
a. The responsible party accepts responsibility for the entity’s compliance with specified
requirements and the effectiveness of the entity’s internal control over compliance.
b. The responsible party evaluates the entity’s compliance with specified requirements or
the effectiveness of the entity’s internal control over compliance.
3440.13 The objective of the practitioner’s agreed‐upon procedures engagement is to present
specific findings to assist users in evaluating an entity’s compliance with specified
requirements or the effectiveness of internal control over compliance based on procedures
agreed upon by the users of the report.
3440.14 In an engagement to perform agreed‐upon procedures on an entity’s compliance with
specified requirements or about the effectiveness of an entity’s internal control over
compliance, the practitioner is required to perform only the procedures that have been
agreed to by the users.
3440.15 The practitioner’s report on agreed‐upon procedures on an entity’s compliance with
specified requirements (or the effectiveness of an entity’s internal control over compliance)
should be in the form of procedures and findings. The report contains the following:
a. A title that includes the word independent
b. Identification of the specified parties
c. Identification of the subject matter of the engagement, including the period or point in
time addressed
d. An identification of the specified requirements against which the entity’s compliance
was measured or evaluated
e. An indication that management of the entity is responsible for the entity’s compliance
with the specified requirements
f. A statement that the sufficiency of the procedures is solely the responsibility of the
specified parties, and that the practitioner makes no representation regarding the
sufficiency of the procedures either for the purpose for which the report has been
requested or for any other purpose
g. A statement that the agreed‐upon procedures engagement was conducted in
accordance with attestation standards established by the American Institute of Certified
Public Accountants (AICPA)
h. A list of the procedures performed (or reference thereto) and related findings. The
practitioner should not provide negative assurance.
i. Where applicable, a description of any agreed‐upon materiality limits
j. A statement that the practitioner was not engaged to and did not conduct an
examination or review, the objective of which would be the expression of an opinion or
conclusion, respectively, on compliance with specified requirements (or the
effectiveness of an entity’s internal control over compliance), a disclaimer of opinion
thereon, and a statement that if the practitioner had performed additional procedures,
other matters might have come to his or her attention that would have been reported
k. A statement restricting the use of the report to the specified parties
l. Where applicable, reservations or restrictions concerning procedures or findings
m. Where applicable, a description or the nature of the assistance provided by a specialist
n. The manual or printed signature of the practitioner’s firm
o. The city and state of the issuing office of the practitioner’s firm
p. The date of the report
Examination Compliance Engagement
3440.16 A practitioner may perform an examination engagement related to an entity’s compliance
with specified requirements if the following conditions are met:
a. The responsible party accepts responsibility for the entity’s compliance with specified
requirements and the effectiveness of the entity’s internal control over compliance.
b. The responsible party evaluates the entity’s compliance with specified requirements.
c. Sufficient evidential matter exists or could be developed to support management’s
evaluation.
3440.17 The objective of a practitioner’s examination procedures applied to an entity’s compliance
with specified requirements is to express an opinion on the entity’s compliance based on the
specified criteria.
3440.18 In a compliance examination engagement, attestation risk is defined as the risk that the
practitioner may unknowingly fail to modify appropriately the opinion. It is composed of
inherent risk, control risk, and detection risk. For the purposes of a compliance examination,
these components are defined as follows:
a. Inherent risk: The risk that material noncompliance with specified requirements could
occur, assuming there are no related controls
b. Control risk: The risk that material noncompliance that could occur will not be
prevented or detected on a timely basis by the entity’s controls
c. Detection risk: The risk that the practitioner’s procedures will lead the practitioner to
conclude that material noncompliance does not exist when, in fact, such noncompliance
does exist
3440.19 In an examination of the entity’s compliance with specified requirements, the practitioner
should do the following:
a. Obtain an understanding of the specified compliance requirements.
b. Plan the engagement.
c. Consider relevant portions of the entity’s internal control over compliance.
d. Obtain sufficient evidence including testing compliance with specified requirements.
e. Consider subsequent events.
f. Form an opinion about whether the entity complied, in all material respects, with
specified requirements (or whether the responsible party’s assertion about such
compliance is fairly stated in all material respects) based on the specified criteria.
3440.20 The practitioner’s examination report on compliance, which is ordinarily addressed to the
entity, contains the following:
a. A title that includes the word independent
b. Identification of the specified compliance requirements, including the point in time or
period covered
c. An identification of the specified requirements against which compliance was measured
or evaluated
d. A statement that compliance with the specified requirements is the responsibility of the
entity’s management
e. A statement that the practitioner’s responsibility is to express an opinion on the entity’s
compliance with those requirements based on his or her examination
f. A statement that the examination was conducted in accordance with attestation
standards established by the American Institute of Certified Public Accountants (AICPA),
which require the practitioner to plan and perform the examination to obtain
reasonable assurance about whether the entity complied with the specified
requirements, in all material respects, or management’s assertion about compliance
with the specified requirements is fairly stated, in all material respects
g. A statement that the practitioner believes the examination provides a reasonable basis
for his or her opinion
h. A description of the nature of an examination engagement, and a description of
significant inherent limitations, if any, associated with the measurement or evaluation
of the entity’s compliance with specified requirements or its assertion thereon
i. A statement that the examination does not provide a legal determination on the entity’s
compliance
j. The practitioner’s opinion on whether the entity complied, in all material respects, with
specified requirements based on the specified criteria (or management’s assertion
about the entity’s compliance with specified requirements is fairly stated)
k. A statement restricting the use of the report to the specified parties under the following
circumstances:
(1) When the criteria used to evaluate compliance are determined by the practitioner
to be appropriate only for a limited number of parties who either participated in
their establishment or can be presumed to have an adequate understanding of the
criteria
(2) When the criteria used to evaluate compliance are available only to the specified
parties
l. The manual or printed signature of the practitioner’s firm
m. The city and state of the issuing office of the practitioner’s firm
n. The date of the examination report
3450 Other Reporting Considerations
3451 Comparative Statements and Consistency Between Periods
Reports on Comparative Financial Statements (AU‐C 700)
3451.01 A continuing auditor should update the report on the individual financial statements of the
one or more prior periods presented on a comparative basis with those of the current
period. The auditor's report on comparative financial statements should not be dated earlier
than the date on which the auditor has obtained sufficient appropriate audit evidence on
which to support the opinion for the most recent audit.
3451.02 If comparative information is presented but not covered by the auditor's opinion, the
auditor should clearly indicate in the auditor's report the character of the auditor's work, if
any, and the degree of responsibility the auditor is taking.
3451.03 If comparative information is presented and the entity requests the auditor to express an
opinion on all periods presented, the auditor should consider whether the information
included for the prior period(s) contains sufficient detail to constitute a fair presentation in
accordance with the applicable financial reporting framework.
3451.04 When reporting on prior‐period financial statements in connection with the current period's
audit, if the auditor's opinion on the prior‐period financial statements differs from the
opinion the auditor previously expressed, the auditor should disclose the following matters
in an emphasis‐of‐matter or other‐matter paragraph: the date of the auditor's previous
report; the type of opinion previously expressed; the substantive reasons for the different
opinion; and that the auditor's opinion on the amended financial statements is different
from the auditor's previous opinion.
3451.05 If the financial statements of the prior period were audited by a predecessor auditor, and
the predecessor auditor's report on the prior period's financial statements is not reissued, in
addition to expressing an opinion on the current period's financial statements, the auditor
should state the following in an other‐matter paragraph:
a. That the financial statements of the prior period were audited by a predecessor auditor
b. The type of opinion expressed by the predecessor auditor and, if the opinion was
modified, the reasons therefore
c. The nature of an emphasis‐of‐matter paragraph or other‐matter paragraph included in
the predecessor auditor's report, if any
d. The date of the report
3451.06 If the auditor concludes that a material misstatement exists that affects the prior‐period
financial statements on which the predecessor auditor had previously reported without
modification, the auditor should follow the communication requirements in AU‐C 510. If the
prior‐period financial statements are restated, and the predecessor auditor agrees to issue a
new auditor's report on the restated financial statements of the prior period, the auditor
should express an opinion only on the current period.
Reporting on Consistency (AU‐C 708)
Change in Accounting Principle
3451.07 The auditor should evaluate a change in accounting principle to determine whether:
a. the newly adopted accounting principle is in accordance with the applicable financial
reporting framework.
b. the method of accounting for the effect of the change is in accordance with the
applicable financial reporting framework.
c. the disclosures related to the accounting change are appropriate and adequate.
d. the entity has justified that the alternative accounting principle is preferable.
3451.08 If the auditor concludes that the criteria listed above (in section 3451.07) have been met,
and that the change in accounting principle has a material effect on the financial
statements, the auditor should include an emphasis‐of‐matter paragraph in the auditor's
report that describes the change in accounting principle and provides a reference to the
entity's disclosure. If the criteria are not met, the auditor should evaluate whether the
accounting change results in a material misstatement and whether the auditor should
modify the opinion accordingly.
The following is an example of an emphasis‐of‐matter paragraph when the entity has made a
voluntary change in accounting principle (that is, other than a change due to the adoption of
a new accounting pronouncement):
As discussed in Note X to the financial statements, the entity has elected to change its
method of accounting for [describe accounting method change] in [insert year(s) of financial
statements that reflect the accounting method change]. Our opinion is not modified with
respect to this matter. (AU‐C 708.A8)
Change in Accounting Estimate
3451.09 The auditor should evaluate and report on a change in accounting estimate that is
inseparable from the effect of a related change in accounting principle like other changes in
accounting principle. When a change in the reporting entity results in financial statements
that, in effect, are those of a different reporting entity, the auditor should include an
emphasis‐of‐matter paragraph in the auditor's report that describes the change in the
reporting entity and provides a reference to the entity's disclosure, unless the change in
reporting entity results from a transaction or event.
3451.10 When financial statements are restated to correct a prior material misstatement, the auditor
should include an emphasis‐of‐matter paragraph in the auditor's report. The emphasis‐of‐
matter paragraph should include a statement that the previously issued financial statements
have been restated for the correction of a material misstatement in the respective period
and a reference to the entity's disclosure of the correction of the material misstatement.
Change in Classification
3451.11 The auditor should evaluate a material change in financial statement classification and the
related disclosure to determine whether such a change is also either a change in accounting
principle or an adjustment to correct a material misstatement in previously issued financial
statements. If so, the relevant requirements apply.
3451.12 Changes in classification in previously issued financial statements do not require recognition
in the auditor's report unless the change represents the correction of a material
misstatement or a change in accounting principle. For example, certain reclassifications in
previously issued financial statements, such as reclassifications of debt from long‐term to
short‐term or reclassifications of cash flows from the operating activities category to the
financing activities category, might occur because those items were classified incorrectly in
the previously issued financial statements. In such situations, the reclassification also is the
correction of a misstatement.
Change in Reporting Entity
3451.13 A change in the reporting entity resulting from a transaction or event (such as the creation,
cessation, or complete or partial purchase or disposition of a subsidiary or other business
unit) does not require that an emphasis‐of‐matter paragraph about consistency be included
in the auditor’s report.
3451.14 A change in the reporting entity that does not result from a transaction or event requires
recognition in the auditor’s report through inclusion of an emphasis‐of‐matter paragraph.
3451.15 If prior‐year financial statements, presented in comparison with current‐year financial
statements, are not restated, a departure from an applicable financial reporting framework
has occurred which necessitates that the auditor express a qualified or adverse opinion.
3452 Other Information in Documents with Audited Statements
Consider Other Information in Documents Containing Audited Financial Statements
3452.01 In the absence of any separate requirement in the particular circumstances of the
engagement, the auditor’s opinion on the financial statements does not cover other
information, and the auditor has no responsibility for determining whether such information
is properly stated.
3452.02 “Documents containing audited financial statements” refers to annual reports or similar
documents that are issued to owners and annual reports of governments and organizations
for charitable purposes that are available to the public that contain the audited financial
statements and the auditor’s report.
3452.03 The auditor must respond appropriately when the auditor becomes aware that documents
containing audited financial statements and the auditor’s report include other information
that could undermine the credibility of those financial statements and the auditor’s report.
3452.04 The auditor should read the other information and identify any material inconsistencies with
the audited financial statements. The auditor should do so, if possible, before the report
release date.
3452.05 If the auditor identifies a material inconsistency, the auditor should determine whether the
audited financial statements or the other information needs to be revised.
3452.06 If the material inconsistency is discovered prior to the report release date that requires
revision of the audited financial statements and management refuses to make the revision,
the auditor should modify the auditor’s opinion.
3452.07 If the other information contains a material inconsistency, and management refuses to
modify the other information, the auditor should inform those charged with governance
and:
a. include an other‐matter paragraph in the auditor’s report,
b. withhold the auditor’s report, or
c. withdraw from the engagement if possible.
3452.08 If the auditor discovers that revision of the audited financial statements is necessary and the
financial statements have already been released, the auditor should apply the relevant
requirements in AU‐C 560, Subsequent Events and Subsequently Discovered Facts.
Management’s Discussion and Analysis
3452.09 The information in this section is applicable to the following levels of service when a
practitioner is engaged by (1) a public entity that prepares management’s discussion and
analysis (MD&A) in accordance with the rules and regulations adopted by the SEC, or (2) a
nonpublic entity that prepares an MD&A presentation and whose management provides a
written assertion that the presentation has been prepared using the rules and regulations
adopted by the SEC:
a. An examination of an MD&A presentation
b. A review of an MD&A presentation for an annual period, an interim period, or a
combined annual and interim period
3452.10 A practitioner engaged to examine or review management’s discussion and analysis (MD&A)
and report thereon should comply with the general, fieldwork, and reporting standards for
attestation engagements.
3452.11 The practitioner’s objective in an engagement to examine management’s discussion and
analysis (MD&A) is to express an opinion on the MD&A presentation taken as a whole by
reporting whether:
a. the presentation includes, in all material respects, the required elements of the rules
and regulations adopted by the Securities and Exchange Commission (SEC),
b. the historical financial amounts have been accurately derived, in all material respects,
from the entity’s financial statements, and
c. the underlying information, determinations, estimates, and assumptions of the entity
provide a reasonable basis for the disclosures contained therein.
3452.12 A practitioner may accept an engagement to examine management’s discussion and analysis
(MD&A) of a public or nonpublic entity, provided the practitioner audits, in accordance with
GAAS, the financial statements for at least the latest period to which the MD&A
presentation relates and the financial statements for the other periods covered by the
MD&A presentation have been audited by the practitioner or a predecessor auditor.
3452.13 The objective of a review of management’s discussion and analysis (MD&A) is to report
whether any information came to the practitioner’s attention to cause the practitioner to
believe that:
a. the MD&A presentation does not include, in all material respects, the required elements
of the rules and regulations adopted by the Securities and Exchange Commission (SEC).
b. the historical financial amounts included therein have not been accurately derived, in all
material respects, from the entity’s financial statements.
c. the underlying information, determinations, estimates, and assumptions of the entity do
not provide a reasonable basis for the disclosures contained therein.
3452.14 A practitioner may accept an engagement to review the management’s discussion and
analysis (MD&A) presentation of a public entity for an annual period provided the
practitioner has audited, in accordance with GAAS, the financial statements for at least the
latest annual period to which the MD&A presentation relates and the financial statements
for the other periods covered by the MD&A presentation have been audited by the
practitioner or a predecessor auditor.
3452.15 A practitioner may accept an engagement to review the management’s discussion and
analysis (MD&A) presentation of a nonpublic entity for an interim period provided that all of
the following conditions are met:
a. The practitioner performs one of the following:
(1) A review of the historical financial statements for the related interim period under
the guidance provided by SSARS and issues a review report
(2) A review of the condensed interim financial information for the related interim
periods and issues a review report thereon, and such interim financial information
is accompanied by complete annual financial statements for the most recent fiscal
year that have been audited
(3) An audit of the interim financial statements
b. The MD&A presentation for the most recent fiscal year has been or will be examined or
reviewed.
c. Management will provide a written assertion stating that the presentation has been
prepared using the rules and regulations adopted by the Securities and Exchange
Commission (SEC) as the criteria.
3452.16 Management is responsible for the preparation of the entity’s MD&A (management’s
discussion and analysis) pursuant to the rules and regulations adopted by the SEC.
3452.17 Factors to be considered by the practitioner in planning an examination of management’s
discussion and analysis (MD&A) include (1) the anticipated level of attestation risk related to
assertions embodied in the MD&A presentation, (2) preliminary judgments about materiality
for attest purposes, (3) the items within the MD&A presentation that are likely to require
revision or adjustment, and (4) conditions that may require extension or modification of
attest procedures.
3452.18 In an examination of management’s discussion and analysis (MD&A), the practitioner should
perform the following:
a. Obtain an understanding of the rules and regulations adopted by the SEC for MD&A and
management’s method of preparing MD&A.
b. Plan the engagement.
c. Consider relevant portions of the entity’s internal control applicable to the preparation
of MD&A.
d. Obtain sufficient evidence, including testing completeness.
e. Consider the effect of events subsequent to the balance sheet date.
f. Obtain written representation from management concerning its responsibility for
MD&A, completeness of minutes, events subsequent to the balance sheet date, and
other matters about which the practitioner believes written representations are
appropriate.
g. Form an opinion about whether the MD&A presentation includes, in all material
respects, the required elements of the rules and regulations adopted by the SEC,
whether the historical financial amounts included therein have been accurately derived,
in all material respects, from the entity’s financial statements, and whether the
underlying information, determinations, estimates, and assumptions of the entity
provide a reasonable basis for the disclosures contained in the MD&A.
3452.19 In a review engagement of management’s discussion and analysis (MD&A), the practitioner
should do the following:
a. Obtain an understanding of the rules and regulations adopted by the SEC for MD&A and
management’s method of preparing MD&A.
b. Plan the engagement.
c. Consider relevant portions of the entity’s internal control applicable to the preparation
of the MD&A.
d. Apply analytical procedures and make inquiries of management and others.
e. Consider the effect of events subsequent to the balance sheet date.
f. Obtain written representations from management concerning its responsibility for
MD&A, completeness of minutes, events subsequent to the balance sheet date, and
other matters about which the practitioner believes written representations are
appropriate.
g. Form a conclusion as to whether any information came to the practitioner’s attention
that causes the practitioner to believe any of the following:
(1) The MD&A presentation does not include, in all material respects, the required
elements of the rules and regulations of the SEC.
(2) The historical financial amounts included therein have not been accurately derived,
in all material respects, from the entity’s financial statements.
(3) The underlying information, determinations, estimates, and assumptions of the
entity do not provide a reasonable basis for the disclosures contained therein.
3452.20 If a practitioner concludes that the management’s discussion and analysis (MD&A)
presentation contains material inconsistencies with other information included in the
document containing the MD&A presentation or with the historical financial statements,
material omissions, or material misstatements of fact and management refuses to take
corrective action, the practitioner should inform the audit committee or others with
equivalent authority and responsibility.
3453 Review of Interim Financial Information
Review Conducted in Accordance with Statements on Standards for Accounting and
Review Services
3453.01 The accountant’s review report accompanying interim financial information should consist
of:
a. a title that includes the word independent.
b. a statement that the interim financial information identified in the report was reviewed.
c. a statement that the interim financial information is the responsibility of the entity’s
management.
d. a statement that the review of interim financial information was conducted in
accordance with the standards established by the AICPA.
e. a description of the procedures for a review of interim financial information.
f. a statement that a review of interim financial information is substantially less in scope
than an audit conducted in accordance with generally accepted auditing standards, the
objective of which is an expression of an opinion regarding the financial statements
taken as a whole, and accordingly, no such opinion is expressed.
g. a statement about whether the accountant is aware of any material modifications that
should be made to the accompanying interim financial information for it to be in
accordance with the applicable financial reporting framework and that identifies the
country of origin of those accounting principles.
h. the manual or printed signature of the accountant's firm.
i. the city and state of the issuing office of the accountant’s firm.
j. the date of the review report. (Generally, the report should be dated as of the date of
completion of the review procedures.)
In addition, each page of the interim financial information should be clearly marked as
unaudited.
3453.02 The following form of standard report is used for a review prepared on interim financial
statements prepared in accordance with accounting principles generally accepted in the
United States of America.
Circumstances include the following:
a. Review of a complete set of financial statements for the period ended September 30,
20XX, and for the three and nine months then ended.
b. The financial statements are prepared in accordance with accounting principles
generally accepted in the United States of America.
c. The accountant appropriately performs the engagement in accordance with SSARSs
(that is, AU‐C 930, Interim Financial Information [AICPA Professional Standards], is not
applicable).
Independent Accountant’s Review Report
[Appropriate Addressee]
I (We) have reviewed the accompanying financial statements of XYZ Company, which
comprise the balance sheet as of September 30, 20XX, and the related statements of
income, changes in stockholders’ equity, and cash flows for the three and nine months
then ended, and the related notes to the financial statements. A review includes primarily
applying analytical procedures to management’s (owners’) financial data and making
inquiries of company management (owners). A review is substantially less in scope than
an audit, the objective of which is the expression of an opinion regarding the financial
statements as a whole. Accordingly, I (we) do not express such an opinion.
Management’s Responsibility for the Financial Statements
Management (Owners) is (are) responsible for the preparation and fair presentation of
these financial statements in accordance with accounting principles generally accepted in
the United States of America; this includes the design, implementation, and maintenance
of internal control relevant to the preparation and fair presentation of financial
statements that are free from material misstatement whether due to fraud or error.
Accountant’s Responsibility
My (Our) responsibility is to conduct the review engagements in accordance with
Statements on Standards for Accounting and Review Services promulgated by the
Accounting and Review Services Committee of the AICPA. Those standards require me (us)
to perform procedures to obtain limited assurance as a basis for reporting whether I am
(we are) aware of any material modifications that should be made to the financial
statements for them to be in accordance with accounting standards generally accepted in
the United States of America. I (We) believe that the results of my (our) procedures
provide a reasonable basis for our conclusion.
Accountant’s Conclusion
Based on my (our) review, I am (we are) not aware of any material modifications that
should be made to the accompanying financial statements in order for them to be in
accordance with accounting principles generally accepted in the United States of America.
[Signature of accounting firm or accountant, as appropriate]
[Accountant’s city and state]
[Date of the accountant’s review report]
Review Conducted in Accordance with Statements on Auditing Standards
3453.03 If the entity’s latest annual financial statements have been audited by the auditor or a
predecessor auditor, and the auditor has either (i) been engaged to audit the entity’s
current‐year financial statements or (ii) audited the entity’s latest annual financial
statements and is expected to be engaged to perform the current period, then AU‐C 930
may apply. The reporting entity must prepare its interim financial information in accordance
with the same financial reporting framework as that used to prepare the annual financial
statements.
3453.04 The auditor’s report on a review of interim financial information should include a section
headed “Auditor’s Responsibility” that includes a statement that the auditor’s responsibility
is to conduct the review of interim financial information in accordance with auditing
standards generally accepted in the United States of America applicable to reviews of
interim financial information. A review of interim financial information consists principally of
applying analytical procedures and making inquiries of persons responsible for financial and
accounting matters. A review of interim financial information is substantially less in scope
than an audit conducted in accordance with auditing standards generally accepted in the
United States of America, the objective of which is an expression of an opinion regarding the
financial information as a whole, and accordingly, no such opinion in expressed.
3453.04 The conclusion in a review of interim financial information performed in accordance with
auditing standards should include a statement about whether the auditor is aware of any
material modifications that should be made to the accompanying interim financial
information for it to be in accordance with the applicable financial reporting framework and
that identifies the country of origin of those standards, if applicable.
Review Conducted in Conformance with PCAOB Auditing Standards
3453.05 The following is an illustrative report on a review of interim financial information:
Report of Independent Registered Public Accounting Firm
We have reviewed the accompanying [describe the interim financial information or
statements reviewed] of X Company as of September 30, 20X3 and 20X2, and for the
three‐month and nine‐month periods then ended. This (these) interim financial
information (statements) is (are) the responsibility of the Company's management.
We conducted our review in accordance with the standards of the Public Company
Accounting Oversight Board (United States). A review of interim financial information
consists principally of applying analytical procedures and making inquiries of persons
responsible for financial and accounting matters. It is substantially less in scope than an
audit conducted in accordance with the standards of the Public Company Accounting
Oversight Board, the objective of which is the expression of an opinion regarding the
financial statements taken as a whole. Accordingly, we do not express such an opinion.
Based on our review, we are not aware of any material modifications that should be made
to the accompanying interim financial (statements) for it (them) to be in conformity with
U.S. generally accepted accounting principles.
[Signature]
[City and State or Country]
[Date]
3454 Supplementary Information
Supplementary Information in Audited Financial Statements (AU‐C 725)
3454.01 The auditor may be engaged to obtain sufficient appropriate audit evidence to report on
whether supplementary information is fairly stated, in all material respects, in relation to the
financial statements as a whole.
3454.02 “Supplementary information” is defined by AU‐C 725.04 as “information presented outside
the basic financial statements, excluding required supplementary information that is not
considered necessary for the financial statements to be fairly presented in accordance with
the applicable financial reporting framework. Such information may be presented in a
document containing the audited financial statements or separate from the financial
statements.”
3454.03 In order to form an opinion on whether supplementary information is fairly stated, the
auditor should determine that all of the following conditions are met:
a. The supplementary information was derived from the same accounting records used to
prepare the financial statements.
b. The supplementary information relates to the same period as the financial statements.
c. The auditor issued an audit report on the financial statements that contained neither an
adverse opinion nor a disclaimer of opinion.
d. The supplementary information will accompany the entity's audited financial
statements, or such audited financial statements will be made readily available by the
entity.
3454.04 The auditor should obtain the agreement of management that it acknowledges and
understands its responsibility:
a. for the preparation of the supplementary information in accordance with the applicable
criteria.
b. to provide the auditor with certain written representations (see section 3454.05.g).
c. to include the auditor's report on the supplementary information in any document that
contains the supplementary information and that indicates that the auditor has
reported on such supplementary information.
d. to present the supplementary information with the audited financial statements, or to
make the audited financial statements readily available to the intended users, no later
than the date of issuance of the supplementary information and the auditor's report
thereon.
3454.05 In addition to the procedures performed in conjunction with the audit of the financial
statements, the auditor should perform the following additional procedures using the same
materiality level used in the audit of the financial statements:
a. Inquire of management about the purpose of the supplementary information, the
criteria used by management to prepare the information, and any significant
assumptions or interpretations underlying the measurement or presentation of the
information
b. Determine whether the form and content of the supplementary information complies
with the applicable criteria
c. Obtain an understanding about the methods of preparing the supplementary
information and determine whether the methods of preparing the supplementary
information have changed from those used in the prior period and, if the methods have
changed, the reasons for such changes
d. Compare and reconcile the supplementary information to the underlying accounting
and other records used in preparing the financial statements (or to the financial
statements themselves)
e. Inquire of management about any significant assumptions or interpretations underlying
the measurement or presentation of the supplementary information
f. Evaluate the appropriateness and completeness of the supplementary information,
considering the results of the procedures performed and other knowledge obtained
during the audit of the financial statements
g. Obtain written representations from management:
(1) that it acknowledges its responsibility for the presentation of the supplemental
information in accordance with the applicable criteria;
(2) that it believes the supplemental information, including its form and content, is
fairly presented, in accordance with the applicable criteria;
(3) that the methods of measurement or presentation have not changed from those
used in prior periods or, if the methods have changed, the reasons for such
changes;
(4) about any significant assumptions or interpretations underlying the measurement
or presentation of the supplemental information; and
(5) that when the supplementary information is not presented with the audited
financial statements, management will make the audited financial statements
readily available to the intended users of the supplementary information no later
than the date of issuance by the entity of the supplementary information and the
auditor's report thereon.
3454.06 The auditor has no responsibility for the consideration of subsequent events with respect to
the supplementary information. However, if such information comes to the auditor's
attention, the auditor should apply the relevant requirements in AU‐C 560, Subsequent
Events and Subsequently Discovered Facts.
3454.07 The auditor should report on supplementary information either:
a. in an other‐matter paragraph in the auditor’s report on the financial statements or
b. in a separate report on the supplementary information.
3454.08 The other‐matter paragraph or separate report should include the following:
a. A statement that the audit was conducted for the purpose of forming an opinion on the
financial statements as a whole
b. A statement that the supplementary information is presented for purposes of additional
analysis and is not a required part of the financial statements
c. A statement that the supplementary information is the responsibility of management
and was derived from, and relates directly to, the underlying accounting and other
records used to prepare the financial statements
d. A statement that the supplementary information has been subjected to the auditing
procedures applied in the audit of the financial statements and certain additional
procedures, including comparing and reconciling such information directly to the
underlying accounting and other records used to prepare the financial statements or to
the financial statements themselves and other additional procedures, in accordance
with auditing standards generally accepted in the United States
e. If the auditor issues an unmodified opinion on the financial statements and the auditor
has concluded that the supplementary information is fairly stated, in all material
respects, in relation to the financial statements as a whole, a statement that, in the
auditor's opinion, the supplementary information is fairly stated, in all material respects,
in relation to the financial statements as a whole
f. If the auditor issues a qualified opinion on the financial statements and the qualification
has an effect on the supplementary information, a statement that, in the auditor's
opinion, except for the effects on the supplementary information of (refer to the
paragraph in the auditor's report explaining the qualification), such information is fairly
stated, in all material respects, in relation to the financial statements as a whole
3454.09 When reporting separately on the supplementary information, the report should include, in
addition to the items listed in section 3454.08, a reference to the report on the financial
statements, the date of that report, the nature of the opinion expressed on the financial
statements, and any report modifications.
3454.10 When the auditor's report on the audited financial statements contains an adverse opinion
or a disclaimer of opinion and the auditor has been engaged to report on whether
supplementary information is fairly stated, in all material respects, in relation to such
financial statements as a whole, the auditor is precluded from expressing an opinion on the
supplementary information.
a. When permitted by law or regulation, the auditor may withdraw from the engagement
to report on the supplementary information.
b. If the auditor does not withdraw, the auditor's report on the supplementary information
should state that because of the significance of the matter disclosed in the auditor's
report, it is inappropriate to, and the auditor does not, express an opinion on the
supplementary information.
3454.11 The date of the auditor’s report on the supplemental information should not be earlier than
the date on which the auditor completed the procedures required in section 3454.08.
3454.12 If the auditor concludes that the supplementary information is materially misstated in
relation to the financial statements as a whole, the auditor should discuss the matter with
management and propose appropriate revision of the supplementary information. If
management does not revise the supplementary information, the auditor should either:
a. modify the auditor's opinion on the supplementary information and describe the
misstatement in the auditor's report or
b. if a separate report is being issued on the supplementary information, withhold the
auditor's report on the supplementary information.
3454.13 The following is an example of a report on supplemental information:
Our audit was conducted for the purpose of forming an opinion on the financial
statements as a whole. The [identify accompanying supplementary information] is
presented for purposes of additional analysis and is not a required part of the financial
statements. Such information is the responsibility of management and was derived from
and relates directly to the underlying accounting and other records used to prepare the
financial statements. The information has been subjected to the auditing procedures
applied in the audit of the financial statements and certain additional procedures,
including comparing and reconciling such information directly to the underlying
accounting and other records used to prepare the financial statements or to the financial
statements themselves, and other additional procedures in accordance with auditing
standards generally accepted in the United States of America. In our opinion, the
information is fairly stated in all material respects in relation to the financial statements
as a whole.
Required Supplementary Information (AU‐C 730)
3454.14 AU‐C 730, Required Supplementary Information, provides the following definition:
Required supplementary information (RSI) is “information that a designated accounting
standards setter requires to accompany an entity's basic financial statements. Required
supplementary information is not part of the basic financial statements; however, a
designated accounting standards setter considers the information to be an essential part of
financial reporting for placing the basic financial statements in an appropriate operational,
economic, or historical context. In addition, authoritative guidelines for the methods of
measurement and presentation of the information have been established.”
3454.15 The auditor should apply the following procedures to RSI (required supplementary
information):
a. Inquire of management about the methods of preparing the information, including
whether:
(1) it has been measured and presented in accordance with prescribed guidelines;
(2) methods of measurement or presentation have been changed from those used in
the prior period and the reasons for any such changes; and
(3) there were any significant assumptions or interpretations underlying the
measurement or presentation of the information.
b. Compare the information for consistency with:
(1) management’s responses to the above listed inquiries,
(2) the basic financial statements, and
(3) other knowledge obtained during the audit of the basic financial statements.
c. Obtain written representation from management acknowledging its responsibility for
the RSI and regarding the responses to inquiries listed in a. above regarding the RSI.
d. If the auditor is unable to complete the procedures listed above, and the auditor
concludes that the inability to complete the procedures was due to significant
difficulties encountered in dealing with management, the auditor should inform those
charged with governance.
3454.16 The auditor should include an other‐matter paragraph in the auditor’s report on the financial
statements which includes language to explain the following, as applicable:
a. The required supplementary information is included, and the auditor has applied the
procedures in section 3454.15.
b. The required supplementary information is omitted.
c. Some required supplementary information is missing and some is presented in
accordance with the prescribed guidelines.
d. The auditor has identified material departures from the prescribed guidelines.
e. The auditor is unable to complete the procedures in section 3454.15.
f. The auditor has unresolved doubts about whether the required supplementary
information is presented in accordance with prescribed guidelines.
Unaudited Interim Financial Information
3454.17 Interim financial information may be presented as supplementary information outside
audited financial statements. In such circumstances, each page of the interim financial
information should be clearly marked as unaudited. If management chooses or is required to
present interim financial information in a note to the audited financial statements, the
information also should be clearly marked as unaudited.
Accounting and Review Services Engagements: Responsibility for Supplementary
Information (SSARS 23)
3454.18 When the basic financial statements are accompanied by information presented for
supplementary analysis purposes, the accountant should clearly indicate the degree of
responsibility with respect to the information.
3454.19 Supplementary information is defined by SSARS 23 as “information presented outside the
basic financial statements, excluding required supplementary information, that is not
considered necessary for the financial statements to be fairly presented in accordance with
the applicable financial reporting framework. Such information may be presented in a
document containing the financial statements…or separate from the financial statements….”
3454.20 When supplementary information accompanies financial statements and the accountant’s
compilation or review report thereon, the accountant should clearly indicate the degree of
responsibility, if any, the accountant is taking with respect to such information in either:
a. a separate paragraph in the accountant’s compilation or review report on the financial
statements or
b. a separate report on the supplementary information.
3454.21 If a separate report is issued, the report should state that the other data accompanying the
financial statements are presented only for supplementary analysis purposes and is the
representation of management. The accountant should indicate the degree of responsibility,
if any, being taken on such information.
3454.22 For example, a review report may state one of the following:
a. The other data accompanying the financial statements are presented only for
supplementary analysis purposes and have been subjected to the inquiry and analytical
procedures applied in the review of the basic financial statements, and the accountant
did not become aware of any material modifications that should be made to such data,
or
b. The other data accompanying the financial statements are presented only for
supplementary analysis purposes and have not been subjected to the inquiry and
analytical procedures applied in the review of the basic financial statements, but were
compiled from the information that is the representation of management, without audit
or review, and the accountant does not express any opinion, conclusion, or any other
form of assurance on such data.
3455 Single Statements
3455.01 A single financial statement or a specific element of a financial statement includes the
related notes. The related notes ordinarily include a summary of significant accounting
policies and other explanatory information relevant to the financial statement or the specific
element.
3455.02 In the case of an audit of a single financial statement or a specific element of a financial
statement, the requirement to comply with all relevant AU‐C sections applies, irrespective of
whether the auditor is also engaged to audit the entity’s complete set of financial
statements. If the auditor is not also engaged to audit the entity’s complete set of financial
statements, the auditor should determine whether the audit of a single financial statement
or a specific element of those financial statements in accordance with GAAS is practicable.
3455.03 The auditor should obtain an understanding of the purpose for which the single financial
statement or specific element is prepared, the intended users, and the steps taken by
management to determine that the application of the financial reporting framework is
acceptable in the circumstances.
3455.04 In the case of an audit of a single financial statement, the auditor should determine
materiality for the single financial statement being reported on, rather than for the complete
set of financial statements. In the case of an audit of one or more specific elements of a
financial statement, the auditor should determine materiality for each individual element
reported on, rather than the aggregate of all elements or the complete set of financial
statements.
3455.05 If, in conjunction with an engagement to audit the entity’s complete set of financial
statements, the auditor undertakes an engagement to audit a single financial statement or a
specific element of a financial statement, the auditor should issue a separate auditor’s
report and express a separate opinion for each engagement. The auditor should indicate in
the report on a specific element of a financial statement the date of the auditor’s report on
the complete set of financial statements and the nature of the opinion expressed on those
financial statements under an appropriate heading.
3455.06 If the opinion in the auditor’s report on an entity’s complete set of financial statements is
modified, the auditor should determine the effect that this may have on the auditor’s
opinion on a single financial statement or a specific element of those financial statements. A
single financial statement is deemed to constitute a major portion of a complete set of
financial statements. Therefore, the auditor should not express an unmodified opinion on a
single statement if the auditor has expressed an adverse or disclaimed opinion on the
complete set of financial statements even if the auditor’s report on the single financial
statement is neither published together with nor otherwise accompanies the auditor’s
report containing the adverse opinion or disclaimer of opinion.
3456 Special‐Purpose and Other Country Frameworks
Special Considerations—Audits of Financial Statements Prepared in Accordance
With Special‐Purpose Frameworks (AU‐C 800)
3456.01 A special‐purpose framework (commonly referred to as other comprehensive bases of
accounting) is a financial reporting framework other than GAAP that is one of the following
bases of accounting:
a. Regulatory basis: A basis of accounting that the entity uses to comply with the
requirements or financial reporting provisions of a regulatory agency to whose
jurisdiction the entity is subject (for example, a basis of accounting that insurance
companies use pursuant to the accounting practices prescribed or permitted by a state
insurance commission)
b. Tax basis: A basis of accounting that the reporting entity uses or expects to use to file its
income tax return for the period covered by the financial statements
c. Cash basis: A basis of accounting that the entity uses to record cash receipts and
disbursements and modifications of the cash basis having substantial support (for
example, recording depreciation on fixed assets)
d. Contractual basis: A basis of accounting that the entity uses to comply with an
agreement between the entity and one or more third parties other than the auditor
e. Other basis: A basis of accounting that uses a definite set of logical, reasonable criteria
that is applied to all material items appearing in financial statements
3456.02 In an audit of special‐purpose financial statements, the auditor should evaluate whether the
financial statements are suitably titled, include a summary of significant accounting policies,
and adequately describe how the special‐purpose framework differs from GAAP. The effects
of these differences need not be quantified.
3456.03 In the case of special‐purpose financial statements prepared in accordance with a
contractual basis of accounting, the auditor should also evaluate whether the financial
statements adequately describe any significant interpretations of the contract on which the
financial statements are based.
3456.04 In an audit of special‐purpose financial statements when the special‐purpose financial
statements contain items that are the same as, or similar to, those in financial statements
prepared in accordance with GAAP, the auditor should evaluate whether the financial
statements include informative disclosures similar to those required by GAAP. The auditor
should also evaluate whether additional disclosures, beyond those specifically required by
the framework, related to matters that are not specifically identified on the face of the
financial statements or other disclosures are necessary for the financial statements to
achieve fair presentation.
3456.05 In the case of an auditor's report on special‐purpose financial statements, the explanation of
management's responsibility for the financial statements should also make reference to its
responsibility for determining that the applicable financial reporting framework is
acceptable in the circumstances, when management has a choice of financial reporting
frameworks in the preparation of such financial statements.
3456.06 The auditor's report should also describe the purpose for which the financial statements are
prepared or refer to a note in the special‐purpose financial statements that contains that
information, when the financial statements are prepared in accordance with a regulatory or
contractual basis of accounting, or an other basis of accounting (and the auditor is required
to restrict use of the auditor's report).
3456.07 The auditor's report should include an emphasis‐of‐matter paragraph, under an appropriate
heading, that indicates that the financial statements are prepared in accordance with the
applicable special‐purpose framework, refers to the note to the financial statements that
describes that framework, and states that the special‐purpose framework is a basis of
accounting other than GAAP.
3456.08 The auditor's report should include an other‐matter paragraph, under an appropriate
heading, that restricts the use of the auditor's report when the special‐purpose financial
statements are prepared in accordance with a contractual basis of accounting, a regulatory
basis of accounting, or an other basis of accounting.
3456.09 If the special‐purpose financial statements are prepared in accordance with a regulatory
basis of accounting, and the special‐purpose financial statements together with the auditor's
report are intended for general use, the auditor should not include the emphasis‐of‐matter
or other‐matter paragraphs discussed above (sections 3456.07 and 3456.08).
a. Instead, the auditor should express an opinion about whether the special‐purpose
financial statements are presented fairly, in all material respects, in accordance with
GAAP.
b. The auditor should also, in a separate paragraph, express an opinion about whether the
financial statements are prepared in accordance with the special‐purpose framework.
3456.10 An independent auditor’s report on financial statements prepared in conformity with a
comprehensive basis of accounting other than generally accepted accounting principles
should include the following in the report (AU‐C 800.22):
a. A title
b. An addressee
c. An introductory paragraph that identifies the special‐purpose financial statements
audited
d. A description of the responsibility of management for the preparation and fair
presentation of the special‐purpose financial statements
e. A reference to management's responsibility for determining that the applicable financial
reporting framework is acceptable in the circumstances when required
f. A description of the purpose for which the financial statements are prepared when
required
g. A description of the auditor's responsibility to express an opinion on the special‐purpose
financial statements and the scope of the audit that includes:
(1) a reference to GAAS and, if applicable, the law or regulation
(2) a description of an audit in accordance with those standards
h. An opinion paragraph containing an expression of opinion on the special‐purpose
financial statements and a reference to the special‐purpose framework used to prepare
the financial statements (including identifying the origin of the framework) and, if
applicable, an opinion on whether the special‐purpose financial statements are
presented fairly, in all material respects, in accordance with GAAP when required
i. An emphasis‐of‐matter paragraph that indicates that the financial statements are
prepared in accordance with a special‐purpose framework
j. An other‐matter paragraph that restricts the use of the auditor's report when required
k. The auditor's signature
l. The auditor's city and state
m. The date of the auditor's report
Financial Statements Prepared in Accordance With a Financial Reporting Framework
Generally Accepted in Another Country (AU‐C 910)
3456.11 If the auditor is reporting on financial statements prepared in accordance with a financial
reporting framework generally accepted in another country that are intended for use only
outside the United States, the auditor should report using the following:
a. A U.S. form of report that reflects that the financial statements being reported on have
been prepared in accordance with a financial reporting framework generally accepted in
another country.
b. The report form and content of the other country, provided that such a report would be
issued by auditors in the other country in similar circumstances, the auditor understands
and has obtained sufficient appropriate audit evidence to support the statements
contained in such a report, and the auditor has complied with the reporting standards of
that country and identifies the other country in the report.
3456.12 If financial statements prepared in accordance with a financial reporting framework
generally accepted in another country also are intended for use in the United States, the
auditor should report using the U.S. form of report. The auditor should include in the
auditor's report an emphasis‐of‐matter paragraph that identifies the financial reporting
framework used in the preparation of the financial statements, refers to the note to the
financial statements that describes that framework, and indicates that such framework
differs from accounting principles generally acceptable in the United States.
3457 Letters for Underwriters and Filings with the SEC and Auditor
Involvement with Exempt Offering Documents
Letters for Underwriters and Filings with the SEC
3457.01 Accountants are often requested to provide a letter for underwriters and other parties in
connection with financial statements and financial statement schedules contained in
registration statements filed with the Securities and Exchange Commission (SEC) under the
Securities Act of 1933 and other securities offerings. Such letters are commonly referred to
as “comfort letters.”
3457.02 The service of accountants providing letters for underwriters developed following
enactment of the Securities Act of 1933. Section 11 of the act provides that underwriters,
among others, could be liable if any part of a registration statement contains material
omissions or misstatements. The act also provides for an affirmative defense for
underwriters if it can be demonstrated that, after a reasonable investigation, the
underwriter has reasonable grounds to believe that there were not material omissions or
misstatements. Consequently, underwriters request accountants to assist them in
developing a record of reasonable investigation. An accountant issuing a comfort letter is
one of a number of procedures that may be used to establish that an underwriter has
conducted a reasonable investigation.
3457.03 A typical comfort letter includes the following:
a. A statement regarding the independence of the accountants
b. An opinion regarding whether the audited financial statements and financial statement
schedules included (incorporated by reference) in the registration statement comply as
to form in all material respects with the applicable accounting requirements of the
Securities Act of 1933 and related rules and regulations adopted by the SEC
c. Negative assurance on whether:
(1) the unaudited summary interim financial information included (incorporated by
reference) in the registration statement complies as to form in all material respects
with the applicable accounting requirements of the act and related rules and
regulations adopted by the SEC
(2) any material modifications should be made to the unaudited summary consolidated
financial statements included (incorporated by reference) in the registration
statement for them to be in conformity with generally accepted accounting
principles
d. Negative assurance on whether, during a specified period following the date of the
latest financial statements in the registration statement and prospectus, there has been
any change in capital stock, increase in long‐term debt, or any decrease in other
specified financial statement items
3457.04 When a party other than an underwriter requests a comfort letter but does not provide the
accountant with the required representation letter, the accountant should not provide a
comfort letter but may provide another form of letter. In such a letter, the accountant
should not provide negative assurance on the financial statements as a whole, or on any of
the specified elements, accounts, or items thereof.
Auditor Involvement with Exempt Offering Documents
3457.05 AU‐C 945 explicitly details auditors’ responsibilities with regard to exempt offerings. Exempt
offerings differ from registered offerings, as typically there are no laws or regulations
requiring auditors to undertake procedures related to an exempt offering document or
prohibiting the issuer from including the auditor’s report without obtaining the auditor’s
permission. Examples of exempt offerings include private placement offerings; exempt
public offerings; municipal securities; securities issued by nonprofit religious, education, or
charitable organizations; crowdfunding; small issues of securities (Regulation A offerings);
and franchise offerings.
3457.06 An auditor’s involvement with an exempt offering is applicable when both of the following
two conditions are met:
1. The auditor’s report on either interim or annual financial statements is included or
incorporated by reference in an offering document related to securities which are
exempt from the Securities Act of 1933, or franchise offerings regulated by the Federal
Trade Commission or applicable state law.
2. The auditor performs one or more of the activities listed in the auditing standard.
3457.07 Activities listed in SAS 133 that trigger an auditor’s responsibilities include when both (a) the
auditor’s report is included in the exempt offering document and (b) when the auditor
performs one or more of the following activities with respect to that exempt offering
document:
a. Assisting the entity in preparing information included in the exempt offering document
b. Reading a draft of the exempt offering document at the entity’s request
c. Issuing a comfort or similar letter in accordance with AU‐C 920, Letters for Underwriters
and Certain Other Requesting Parties, or an agreed‐upon procedures report in
accordance with AT‐C 215, Agreed‐Upon Procedures Engagements, in lieu of a comfort
or similar letter on information included in the exempt offering document
d. Participating in due diligence discussions with underwriters, placement agents, broker
dealers, or other financial intermediaries in connection with the exempt offering
e. Issuing a practitioner’s attestation report on information relating to the exempt offering
f. Providing written agreement for the use of the auditor’s report in the exempt offering
document
g. Updating an auditor’s report for inclusion in the exempt offering document
3457.08 The objectives of the auditor when involved with an exempt offering document are to
perform procedures and respond appropriately:
a. when the auditor determines that information included or incorporated by reference in
the exempt offering document could undermine the credibility of the financial
statements and the related auditor’s report, and/or
b. to facts that become known to the auditor after the date of the auditor’s report that,
had they been known to the auditor at that date, may have caused the auditor to revise
the auditor’s report.
3457.09 The auditor must perform a subsequent events review, as well as perform the procedures
described in paragraphs .06-.18 of AU‐C 720, Other Information in Documents Containing
Audited Financial Statements. The auditor should perform the procedures at or shortly
before the date of distribution, circulation, or submission of the exempt offering document,
and as appropriate upon any subsequent distribution, circulation, or submission of the
exempt offering document. When performing those procedures, the auditor should
determine that the auditor’s role is not described in the exempt offering document in a way
that indicates that the auditor’s responsibility is greater than the auditor intends.
3458 Alerts That Restrict the Use of Written Communication
3458.01 The term general use applies to accountant’s reports that are not restricted to specified
parties. Accountant’s reports on financial statements prepared in conformity with an
applicable financial reporting framework ordinarily are not restricted regarding use.
3458.02 The term restricted use applies to accountant’s reports intended only for one or more
specified third parties. The need for restriction on the use of a report may result from a
number of circumstances, including, but not limited to, the purpose of the report and the
potential for the report to be misunderstood when taken out of the context in which it was
intended to be used.
3458.03 An accountant should restrict the use of a report when the subject matter of the
accountant’s report or the presentation being reported on is based on measurement or
disclosure criteria contained in contractual agreements or regulatory provisions that are not
in conformity with an applicable financial reporting framework.
3458.04 If an accountant issues a single combined report covering both (a) subject matter or
presentations that require a restriction on use to specified parties and (b) subject matter or
presentations that ordinarily do not require such a restriction, the use of such a single
combined report should be restricted to the specified parties.
3458.05 The accountant should include a reference on each page of the financial statements
restricting their use, such as “Restricted for Management’s Use Only.”
3458.06 An accountant’s report that is restricted as to use should contain a separate paragraph at
the end of the report as follows:
This report is intended solely for the information and use of (the specified parties) and
is not intended to be and should not be used by anyone other than these specified
parties.
3458.07 Although an accountant is not responsible for controlling the distribution of restricted‐use
reports, an accountant should consider obtaining the client’s agreement that the client and
specified parties will not distribute the report to parties other than those identified in the
report.
3458.08 When use of the accountant’s review report is restricted, the intended users are the
specified parties. The restriction on use of the accountant’s review report is necessary due
to the nature of the report and the potential for the report to be misunderstood when taken
out of the context in which it was intended to be used. For example, special‐purpose
financial statements prepared in accordance with a contractual basis of accounting are
developed for and directed only to the parties to the contract or agreement.
3459 Government Auditing Standards Reporting Requirements
3459.01 Auditors should include a statement in the audit report that the audit was performed
accordance with GAGAS (generally accepted government auditing standards). GAGAS
incorporates the AICPA performance and reporting standards; the auditor is not required to
state compliance with the AICPA standards as well.
3459.02 When providing an opinion or a disclaimer on financial statements, the auditor should also
report on internal control over financial reporting and on compliance with laws, regulations,
and provisions of contracts or grant agreements.
a. This information may be in the same or in separate reports.
b. The auditor should also state in the report(s) whether the tests performed provided
sufficient appropriate evidence to support an opinion on the effectiveness of internal
control and on compliance with provisions of laws, regulations, contracts, and grant
agreements.
c. The report should state that compliance with laws and regulations is the responsibility
of the entity's management.
3459.03 The auditor should report, based on the work performed:
a. significant deficiencies or material weaknesses in internal control;
b. instances of fraud and noncompliance with provisions of laws and regulations that have
a material effect on the audit and any other instances that warrant the attention of
those charged with governance; and
c. noncompliance with provisions of contracts and grant agreements and abuse that could
have a material effect on the audit.
3459.04 The internal control reporting requirement under GAGAS differs from the objective of an
audit of internal control over financial reporting in accordance with SAS 130, which is to
express an opinion on the design or the design and operating effectiveness of an entity’s
internal control over financial reporting integrated with a financial statement audit, as
applicable. To form a basis for expressing such an opinion, the auditor would need to plan
and perform the audit to provide a high level of assurance about whether the entity
maintained, in all material respects, effective internal control as of a point in time or for a
specified period of time. If auditors issue an opinion on internal control, the opinion would
satisfy the GAGAS requirement for reporting on internal control.
3459.05 When auditors report separately on internal control and on compliance with provisions of
laws, regulations, contracts, and grant agreements, the audit report should state that the
separate report is being issued.
3459.06 The auditor should include a reference to the separate reports and also state that the
reports on internal control and compliance with provisions of laws, regulations, contracts,
and grant agreements are an integral part of a GAGAS audit and important for assessing the
results of the audit.
3459.07 If the auditor issued a management letter (separate communication of internal controls to
management that are not significant deficiencies or material weaknesses), he or she should
apply judgment when deciding whether to refer to the management letter in the reports.
3459.08 The auditor should place the findings in perspective by describing the nature and extent of
the issues being reported and the extent of the work performed that resulted in the finding.
To give the reader a basis for judging the prevalence and consequences of the findings, the
auditor should relate the instances identified to the population or the number of cases
examined and quantify the results in terms of dollar value or other measures, as
appropriate.
3459.09 Known or likely fraud; noncompliance with provisions of laws, regulations, contracts, and
grant agreements; and abuse should be reported to third parties outside the entity:
a. when entity management fails to satisfy legal or regulatory requirements to report such
information to external parties as required by law or regulation. The auditor should
communicate management’s failure to report the information to those charged with
governance.
b. when entity management fails to take timely and appropriate steps to respond to
known or likely fraud; noncompliance with provisions of laws, regulations, contracts,
and grant agreements; and abuse that is:
(1) likely to have a material effect on the financial statements and
(2) involves funding received directly or indirectly from a government agency.
3459.10 The written responses and perspectives of responsible officials, along with the planned
corrective action, should be included in the report along with the auditor’s findings,
conclusions, and recommendations. If entity management provides only oral responses, the
auditor should prepare a summary of the oral comments, confirm that they are accurately
stated, and include the summary in the report.
3459.11 The auditor should include in the report an evaluation of management’s comments. If the
entity does not provide any comments, the auditor should state in the report that the entity
did not provide comments.
3459.12 If certain confidential or sensitive information is prohibited from public exposure or
excluded from the report, the auditor should disclose in the report that certain information
has been omitted and the reason or other circumstances that make the omission necessary.
The auditor may issue a separate, classified, or limited‐use report containing the confidential
information and distribute it only to persons authorized by law or regulation to receive it.
3459.13 When audit organizations are subject to public records laws, the auditor should determine
whether public records laws could impact the availability of classified or limited‐use reports
and determine whether other means of communicating with management and those
charged with governance would be more appropriate.
Single Audit Act Reporting Requirements
3459.14 Audits in accordance with the Single Audit Act of 1984 (as amended in 1996) are more
extensive than GAAS or GAGAS audits. The auditor’s report should include the following:
a. Opinion (or disclaimer) on whether the financial statements conform to GAAP
b. Opinion on the Schedule of Federal Expenditures that includes an opinion as to whether
the information is presented fairly, in all material respects, in relation to the financial
statements presented as a whole
c. Report on internal control related to the financial statements and major programs. The
Single Audit Act requires auditors to plan to test internal controls over federal programs
to determine whether they are effective as part of planning the compliance audit, but
not to report on the design or operating effectiveness of internal control over major
federal programs.
d. Report on compliance with laws, regulations, and the provision of contracts or
agreements pertaining to federal awards that may have a direct and material effect on
each major program
3459.15 Government auditing standards require that auditors have policies and procedures for the
safe custody and retention of audit documentation for a time sufficient to satisfy legal,
regulatory, and administrative requirements for record retention.
3460 Miscellaneous Topics
Specified Elements, Accounts, or Items of a Financial Statement
3460.01 An independent auditor may be requested to express an opinion on one or more specified
elements, accounts, or items of a financial statement. In such an engagement, the specified
element(s), account(s), or item(s) may be presented in the report or in a document
accompanying the report.
3460.02 Examples of these engagements include reports on rentals, royalties, a profit participation,
or a provision for income taxes.
3460.03 An audit of specified elements, accounts, or items is usually more extensive than if the same
information was being considered in conjunction with an audit of financial statements taken
as a whole.
3460.04 A special report should not be a piecemeal opinion (i.e., it should not be issued on an
element of financial statements that carries an adverse or disclaimer opinion).
3460.05 An opinion on a report relating to accounts receivable is illustrated as follows (AU‐C 805.A25,
Illustration 3):
Independent Auditor’s Report
[Appropriate Addressee]
Report on the Schedule
We have audited the accompanying schedule of accounts receivable of ABC Company as
of December 31, 20X1, and the related notes (the schedule).
Management’s Responsibility for the Schedule
Management is responsible for the preparation and fair presentation of this schedule in
accordance with accounting principles generally accepted in the United States of America;
this includes the design, implementation, and maintenance of internal control relevant to
the preparation and fair presentation of the schedule that is free from material
misstatement, whether due to fraud or error.
Auditor’s Responsibility
Our responsibility is to express an opinion on the schedule based on our audit. We
conducted our audit in accordance with auditing standards generally accepted in the
United States of America. Those standards require that we plan and perform the audit to
obtain reasonable assurance about whether the schedule is free from material
misstatement.
An audit involves performing procedures to obtain audit evidence about the amounts and
disclosures in the schedule. The procedures selected depend on the auditor's judgment,
including the assessment of the risks of material misstatement of the schedule, whether
due to fraud or error. In making those risk assessments, the auditor considers internal
control relevant to the entity's preparation and fair presentation of the schedule in order
to design audit procedures that are appropriate in the circumstances, but not for the
purpose of expressing an opinion on the effectiveness of the entity's internal control.
Accordingly, we express no such opinion. An audit also includes evaluating the
appropriateness of accounting policies used and the reasonableness of significant
accounting estimates made by management, as well as evaluating the overall
presentation of the schedule.
We believe that the audit evidence we have obtained is sufficient and appropriate to
provide a basis for our audit opinion.
Opinion
In our opinion, the schedule referred to above presents fairly, in all material respects, the
accounts receivable of ABC Company as of December 31, 20X1, in accordance with
accounting principles generally accepted in the United States of America.
Other Matter
We have audited, in accordance with auditing standards generally accepted in the United
States of America, the financial statements of ABC Company as of and for the year ended
December 31, 20X1, and our report thereon, dated March 15, 20X2, expressed an
unmodified opinion on those financial statements.
Report on Other Legal and Regulatory Requirements
(Same as the standard report)
Financial Information Presented in Prescribed Forms
3460.06 Printed forms or schedules designed or adopted by the bodies with which they are to be
filed often prescribe the wording of an auditor’s report, which does not conform to the
applicable professional reporting standards.
3460.07 Some report forms can be made acceptable by inserting additional wording; others can be
made acceptable only by complete revision. Any form that calls upon the auditor to make a
statement that the auditor is not justified in making should be reworded. Alternately, the
auditor may attach a separate report using the appropriate language.
Reports on Summary Financial Statements and Selected Financial Data
3460.08 An auditor may be engaged to report on summary financial statements that are derived
from audited financial statements.
3460.09 Because summary financial statements do not constitute a fair presentation of financial
position, results of operations, and cash flows in conformity with generally accepted
accounting principles (or other applicable financial reporting framework, as relevant), an
auditor should not report on the summary financial statements in the same manner as he or
she reported on the complete financial statements from which they are derived. To do so
might lead users to assume, erroneously, that the summary financial statements include all
of the disclosures necessary for complete financial statements.
3460.10 The auditor’s report on summary financial statements that are derived from financial
statements that he or she has audited should indicate (a) that the auditor has audited and
expressed an opinion on the complete financial statements, (b) the date of the auditor’s
report on the complete financial statements, (c) the type of opinion expressed, and (d)
whether, in the auditor’s opinion, the information set forth in the summary financial
statements is fairly stated in all material respects in relation to the complete financial
statements from which it has been derived.
3460.11 An auditor may also be engaged to report on selected financial data that are included in a
client‐prepared document that contains audited financial statements (or with respect to a
public entity, a document that incorporates such statements by reference to information
filed with a regulatory agency).
3460.12 Selected financial data are not a required part of the basic financial statements, and the
entity’s management is responsible for determining the specific selected financial data to be
presented.
3460.13 If the auditor is engaged to report on the selected financial data, the auditor’s report should
be limited to data that are derived from audited financial statements (which may include
data that are calculated from amounts presented in the financial statements, such as
working capital).
3460.14 The auditor’s report on selected financial data should indicate (a) that the auditor has
audited and expressed an opinion on the complete financial statements, (b) the type of
opinion expressed, and (c) whether, in the auditor’s opinion, the information set forth in the
selected financial data is fairly stated in all material respects in relation to the complete
financial statements from which it has been derived.
Reports on the Application of Accounting Principles
3460.15 Management and others often consult with accountants on the application of accounting
principles to new transactions or financial products where there may be differing
interpretations as to whether and, if so, how existing accounting principles apply to such
transactions or products.
3460.16 Before accepting such an engagement, the reporting accountant should consider the
circumstances under which the written report or oral advice is requested, the purpose of the
request, and the intended use of the written report or oral advice.
3460.17 To aid in forming a judgment, the reporting accountant should perform the following
procedures:
a. Obtain an understanding of the form and substance of the transaction(s)
b. Review generally accepted accounting principles (or other applicable financial reporting
framework, as relevant)
c. If appropriate, consult with other professionals or experts
d. If appropriate, perform research or other procedures to ascertain and consider the
existence of creditable precedents or analogies
3460.18 The reporting accountant’s written report should be addressed to the requesting entity (for
example, management or the board of directors of the entity) and should ordinarily include
the following:
a. A brief description of the nature of the engagement and a statement that the
engagement was performed in accordance with applicable AICPA standards
b. Identification of the specific entity, a description of the transaction(s); a statement of
the relevant facts, circumstances, and assumptions; and a statement about the source
of the information
c. A statement describing the appropriate accounting principle(s) (including the country of
origin) to be applied or type of opinion that may be rendered on the entity’s financial
statements and, if appropriate, a description of the reasons for the reporting
accountant’s conclusion
d. A statement that the responsibility for the proper accounting treatment rests with the
preparers of the financial statements, who should consult with their continuing
accountant
e. A statement that any difference in the facts, circumstances, or assumptions presented
may change the report
f. A separate paragraph at the end of the report that includes the following elements:
(1) A statement indicating that the report is intended solely for the information and
use of the specified parties
(2) An identification of the specified parties to whom use is restricted
(3) A statement that the report is not intended to be and should not be used by anyone
other than the specified parties
Reissued Reports
3460.19 An auditor may reissue an audit report. Examples of reissue would be:
a. a reissue of the report on financial statements contained in annual reports filed with the
Securities and Exchange Commission or other regulatory agencies or in a document
submitted to the client or to others that contains information in addition to the client’s
basic financial statements subsequent to the date of the original report.
b. furnishing additional copies of a previously issued report.
3460.20 The use of the original report date on the reissued report implies no further examination,
and the auditor has no responsibility for any events which may have occurred during the
period between the original report date and the date of the release of additional reports.
3460.21 However, the auditor may have become aware of an event that occurred subsequent to the
date of the original report that requires adjustment or disclosure in the financial statements.
In this case, the auditor can make the adjustment or disclosure and choose the method of
dating the reissued report:
a. “Dual dating” allows for the disclosure of subsequent events. Dual dating states, for
example, “February 16, 20__, except for Note __, as to which the date is March 1,
20__.” With dual dating, the auditor’s responsibility is limited to the specific event
referred to in the note.
b. The auditor may date the report for a later date. In this case, the auditor’s responsibility
for subsequent events extends to the date of the report, and subsequent event
procedures should be extended to that date.
Disclaimer of Opinion on Unaudited Financial Statements
3460.22 When an accountant is associated with the financial statements of an issuer, but has not
audited or reviewed such statements, he or she should issue a disclaimer of opinion in
accordance with PCAOB audit standards. The disclaimer may accompany the unaudited
financial statements or it may be placed directly on them. In addition, each page of the
financial statements should be clearly and conspicuously marked as unaudited. When an
accountant issues this form of disclaimer of opinion, he or she has no responsibility to apply
any procedures beyond reading the financial statements for obvious material
misstatements.
3460.23 If the accountant is aware that his name is to be included in a client‐prepared written
communication of an issuer containing financial statements that have not been audited or
reviewed, he should request (a) that his name not be included in the communication or (b)
that the financial statements be marked as unaudited and that there be a notation that he
does not express an opinion on them. If the client does not comply, the accountant should
advise the client that he has not consented to the use of his name and should consider what
other actions might be appropriate.
This page intentionally left blank.