WHAT AUDITORS DO
HOW TO MAKE THEM GO AWAY HAPPY
What Auditors Do and How to Make Them Go Away Happy – Coursebook
After successful completion of this course, participants will understand:
1. What financial audits are and why they are performed.
2. How risk is assessed from an auditing viewpoint.
3. How an audit is conducted.
4. The types and meanings of audit reports that may be issued.
What Auditors Do and How to Make Them Go Away Happy – Coursebook
Section Subject Page
1. Role of an Auditor 1
2. Overview of a Financial Statement Audit 4
3. Professional Standards 7
4. Audit Evidence 11
5. Audit Planning 14
6. Audit Risk and Materiality 16
7. Risk Assessment 20
8. Completing the Audit 25
9. Audit Reports and Communications 28
A. Engagement Letter 39
B. Audit Program for Cash 41
C. Cash Workpaper 45
1. Role of an Auditor
Why Are Audits Performed?
Financial statements are issued on a periodic basis by the full range of entities, including
commercial companies, not-for-profits, and state and local governments. In doing so,
these entities are fulfilling a reporting function to their varied stakeholders which can
include owners of a company, creditors and lenders, employees, taxpayers and other
constituents, and governmental authorities and agencies. For a number of reasons,
however, the financial statements prepared and issued by these entities may actually be or
may be perceived to be inaccurate or misleading.
The first reason is the complexity of today’s transactions and the potential difficulties that
may arise in attempting to correctly identify a transaction and then determine how to
properly record the transaction. New types of transactions seem to appear daily. As a
result, it can be difficult for even an experienced accountant to determine the appropriate
accounting treatment. These complexities result in a need to utilize professional
accountants who are experts in accounting matters.
The second reason is the existence or perceived existence of bias. Management is
responsible for preparing the financial statements. Those financial statements, however,
may also be used to evaluate management’s performance. As a result, an incentive exists
for financial performance to be misstated. The use of professional accountants, in
particular, independent professional accountants, can help ensure the reliability of the
financial statements – that the financial statements accurately, completely, and
appropriately reflect the transactions that occurred during the year and the financial
position as of the end of the year.
A third reason is that the financial statements may contain errors due to careless
mistakes, problems with the financial reporting system, or insufficient knowledge of
accounting requirements. Accounting transactions and the financial statements resulting
from those transactions are the result of a series of processing steps typically performed
by individuals and thus subject to human error. The processing steps also involve internal
controls which can help to ensure that transactions are captured and reported accurately
and completely. Weaknesses in internal controls can result in problems in the financial
reporting system and errors in the financial statements. Errors may also result simply
because the individuals performing the various accounting steps do not fully understand
what they are doing – for example, they may have been trained in how to enter purchase
orders but not in the accounting entries related to those purchase orders. This lack of
understanding can lead to errors in the recording of transactions and in the preparation of
financial statements. Engaging professional accountants to perform an audit of the
financial statements helps to ensure that such errors will be detected and corrected.
A final reason is the possibility of fraud – the deliberate manipulation of the accounting
records and financial statements – for any number of reasons including concealment of
theft, false encouragement of reliance on the financial statements, hiding program
revenue and expense deficiencies. Professional accountants are trained to look for fraud
and material misstatements resulting from fraud in audits of financial statements. An
audit will provide assurance that misstatements resulting from fraud have been detected.
Types of Audits
Audits are typically categorized as: 1) financial audits; 2) compliance audits; and 3)
operational audits. A brief description of each type follows.
Financial audits seek to determine whether the financial statements of an entity are
presented fairly in accordance with generally accepted accounting principles (GAAP). For a
private entity, these rules would be established by the Financial Accounting Standards
Board (FASB). For a state or local governmental entity, these rules are established by the
Governmental Accounting Standards Board (GASB). Financial audits are generally
performed by “independent” auditors such as certified public accountants (CPAs) or federal
audit agencies such as the General Accountability Office (GAO) auditors.
Compliance audits determine whether recognized criteria or standards have been followed,
such as laws and regulations or company policies and procedures. Gross revenues tax,
sales tax, or import tax audits are examples of compliance audits, as are audits of travel
and entertainment expense reports to verify that company policies were followed. In
governmental settings, compliance audits under the Single Audit Act or OMB Circular A-
133 are common. These audits are required of federal assistance recipients, such as
those receiving Department of Education (DOE) or Department of Housing and Urban
Development (HUD) grants.
Operational audits, also known as performance audits, address operational efficiency and
effectiveness. Efficiency audits look at the entity’s success in utilizing resources
economically while effectiveness audits are concerned with whether or not the entity was
able to achieve its stated objectives. Operational audits also include:
• Determination of the effectiveness of internal controls in achieving management’s
• Analysis of alternative proposals and provision of related recommendations.
• Provision of information regarding “best practices.”
Operational audits differ from financial and compliance audits because the nature of the
engagements requires more subjective judgments. In addition, the criteria employed for
each engagement may need to be selected or developed by the auditor.
Types of Auditors
One means of categorizing the different types of auditors that exist is to classify them as:
External, Internal, and Governmental.
External - Certified Public Accountants (CPAs)
External auditors have the primary characteristic of being independent. This characteristic
enables them to render opinions on assertions made by others, i.e., provide attestation
services. External auditors are certified public accountants (CPAs) who belong to the public
accounting profession. CPAs apply to and receive their licenses from the states. In Guam,
for example, the Guam Board of Accountancy licenses and regulates all CPAs practicing in
the Territory of Guam. While CPAs also provide accounting, tax, and consulting services,
they are best known for their audits of financial statements.
Internal auditors are employed by the companies they audit and focus their efforts on
improving company performance, verifying compliance with company policies and
procedures, and maintaining internal controls. Internal auditors are found in almost every
large corporation as well as not-for-profit organizations. A certification for internal auditors
(Certified Internal Auditor – CIA) is available through the Institute of Internal Auditors, an
international organization with over 120,000 members.
Governmental auditors are found at the local, state, and federal levels and perform
functions similar to those of internal auditors. For example, each federal agency has its
own audit staff. One of the best known groups of governmental auditors is the U.S.
General Accounting Office (GAO). The GAO is the audit arm of Congress. Unlike most of
the other governmental auditing groups, the GAO is typically independent of the entities
audited. As a result, GAO auditors are able to perform financial audits of governmental
entities and programs, in addition to operational and compliance audits.
Single Audits and Circular A-133 Audits
Governmental entities that receive federal grants-in-aid are subject to the Single Audit Act
requirements. Each state or local government that receives federal financial assistance
equal to or greater than $500,000 in a fiscal year is required to have an audit for that year
conducted in accordance with the Single Audit Act and OMB Circular A-133 Audits of
States, Local Governments, and Non-Profit Organizations provisions. These provisions
require that an organization-wide audit, i.e., a single audit, be performed (rather than each
grant being audited individually).
Specific requirements include:
• An audit of the financial statements and schedule of expenditures of federal
• An audit of the internal controls relating to the financial statements and major
• An audit of compliance with laws, regulations, and grant provisions that could have
a material effect on the financial statements.
The focus of this course is the financial statement audit performed by external auditors,
2. Overview of a Financial Statement Audit
The definition of auditing provided by the American Accounting Association is a:
systematic process of objectively obtaining and evaluating evidence regarding
assertions about economic actions and events to ascertain the degree of
correspondence between those assertions and established criteria and
communicating the results to interested users. 1
If we consider each piece of this definition, we can gain a better understanding of what an
audit is and how it is conducted.
Audits are carefully planned and conducted. Rules must be followed and specific
requirements met. For example, auditors are required to follow auditing rules known as
generally accepted auditing standards (GAAS). Auditors of governmental entities are
required to also follow governmental auditing standards (GAGAS).
Objectively obtaining and evaluating
Auditors must be independent in order to objectively collect and evaluate evidence
regarding the financial statements. Independence includes both “independence in fact”
and “independence in appearance.” Independence in fact means that the auditors are
unbiased and able to make decisions in an impartial fashion. Independence in
appearance means that the auditors look independent. For example, they cannot work for
the entity they are auditing.
In recent years, auditor independence has come under considerable scrutiny due to widely
publicized audit failures such as Enron and WorldCom. In 2002 the governmental auditing
standards were revised via Amendment No. 3 on Independence to include additional
prohibitions and requirements related to independence. The Amendment specifically
addresses the performance of nonaudit services for audited entities.
In general, auditors CANNOT
• Perform management functions.
• Make management decisions.
• Provide nonaudit services that will significantly affect the audit.
They are specifically prohibited from:
• Providing bookkeeping services.
• Posting transactions to the financial records.
• Recommending an individual for a specific position.
Auditing Concepts Committee, “Report of the Committee on Basic Auditing Concepts,” Accounting Review 47,
Supp. (1972): 18.
• Preparing indirect cost proposals when the amounts are material to the financial
They may still, however, provide “routine” advice or assistance to management. What
would be considered “routine” services?
• Internal control advice and assistance
• Responding to technical questions
• Provision of best practices, benchmarking
• Provision of internal control assessment
• Serving on committees in an advisory
Before providing allowed nonaudit services, the auditors must be able to affirmatively
answer the following questions:
1. Will the personnel providing the nonaudit services be restricted from planning,
conducting, or reviewing audit work related to such services?
2. Has consideration been given to ensure that the provision of the nonaudit services
does not reduce the scope and extent of the audit work more than would be
appropriate if the nonaudit work were performed by another unrelated party?
3. Has the verification that the nonaudit services do not violate the bans against
performance of management functions, the provision of nonaudit services that
significantly affect the audit, and the provision of nonaudit services that would
result in auditors auditing their own work been documented?
4. Have the objectives, scope, and product of the nonaudit services and
management’s responsibilities been established with the entity and documented
before work will begin?
5. Does the quality control system include policies and procedures that ensure
compliance with independence requirements?
6. Has consideration been given to whether or not the nonaudit services impair
independence? If impairment will result, has that been communicated to
7. Will documentation of the nonaudit services engagement be available for peer
If these controls are in place, nonaudit services that are not specifically prohibited may be
performed. Permitted nonaudit services include:
• Preparing a trial balance in accordance with management’s chart of accounts.
• Drafting financial statements from the trial balance or notes based on
• Preparing routine tax filings.
• Maintaining depreciation schedules when management has determined key
components, i.e., depreciation method, rate, and salvage value.
• Proposing adjusting entries that management approves.
• Aiding management in evaluating possible employment candidates, such as serving
on an evaluation panel.
• Providing limited advice on information systems where management has
acknowledged primary responsibility.
• Reviewing specialists’ work related to valuation or appraisal where management
has taken responsibility for significant assumptions and data. 2
Auditors collect evidence of different types and using different methods that will eventually
support the opinion rendered. For example, evidence may be written or verbal. It may be
obtained from management or third parties or based on the auditor’s direct observation or
calculation. To a large degree, the amount and type of evidence collected is a judgmental
matter. The auditor must collect enough evidence to support the opinion.
Assertions about economic actions and events
The auditor collects evidence regarding “assertions about economic actions and events.”
Those assertions are management’s assertions and they appear in the form of the
financial statements. Management is asserting that the financial statements fairly present
the results of the transactions and events that have occurred.
The financial statements are then compared against established criteria. The criteria are
generally accepted accounting principles or GAAP. As noted earlier, GAAP for local and
state governments is set by GASB.
The final piece of the audit is communication of the results. The auditors communicate
the results of their work in the form of an audit report. Because audit reports are widely
used by many different types of users, they follow a fairly standard wording and
appearance. The audit report identifies the entity and financial statements that were
audited, the responsibilities of management and the auditor, provides an overview of the
audit process, and expresses the opinion that was obtained.
Comptroller General of the United States, Government Auditing Standards: 2007 Revision, Washington, D.C.:
U.S. General Accounting Office, 2007, Chapter 3, Section 3.28
3. Professional Standards
Auditors are required to follow professional standards when conducting an audit.
Professional standards applicable to an audit of a governmental entity include both GAAS
and GAGAS. GAAS have been incorporated into GAGAS.
Generally accepted auditing standards (GAAS) are promulgated by the Auditing Standards
Board of the AICPA. These standards are applicable to financial statement audits of private
companies, not-for-profit entities, and governmental entities.
1. The audit must be performed by a person or persons having adequate technical
training and proficiency as an auditor.
2. The auditor must maintain independence in mental attitude in all matters
relating to the audit.
3. The auditor must exercise due professional care in the performance of the audit
and the preparation of the report.
Standards of Field Work
1. The auditor must adequately plan the work and must properly supervise any
2. The auditor must obtain a sufficient understanding of the entity and its
environment, including its internal control, to assess the risk of material
misstatement of the financial statements whether due to error or fraud, and to
design the nature, timing, and extent of further audit procedures.
3. The auditor must obtain sufficient appropriate audit evidence by performing
audit procedures to afford a reasonable basis for an opinion regarding the
financial statements under audit.
Standards of Reporting
1. The auditor must stated in the auditor’s report whether the financial statements
are presented in accordance with generally accepted accounting principles
2. The auditor must identify in the auditor’s report those circumstances in which
such principles have not been consistently observed in the current period in
relation to the preceding period.
3. When the auditor determines that Informative disclosures in the financial
statements are not reasonably adequate, the auditor must so state in the
4. The auditor must either express an opinion regarding the financial statements,
taken as a whole, or state that an opinion cannot be expressed, in the auditor’s
report. When an auditor cannot express an overall opinion, the auditor should
state the reasons therefor in the auditor’s report. In all cases where an auditor’s
name is associated with the financial statements, the auditor should clearly
indicate the character of the auditor’s work, if any, and the degree of
responsibility the auditor is taking, in the auditor’s report. 3
The first three standards are known as the general standards and address the personal
qualifications of the auditor.
Adequate training and proficiency mean that the auditor will have the knowledge and skills
necessary to enable him/her to perform the auditing tasks required. Obviously, the level of
knowledge and skills needed would vary by level. Typically, for an entry level auditor, an
undergraduate degree in accounting is required. In many states and in Guam, the
requirement to sit for the CPA exam is 150 hours (i.e., 150 college credits), so entry level
auditors may have an undergraduate degree plus additional coursework.
Today auditors are expected to have technical knowledge in accounting and auditing. They
must also understand the business environment and their client’s business and industry.
They must be able to identify problems, collect required information, analyze, and develop
solutions. For example, an auditor will be required to review accounting transactions,
determine if they have been accounted for properly, propose adjusting entries to correct
errors, and provide recommendations to help the client avoid the problem in the future.
Note that because accounting and auditing rules are constantly changing, auditors must
continuously update their knowledge.
Independence is often viewed as the “cornerstone” of auditing. The auditor’s opinion is
valued specifically because it is an independent opinion. Auditors are charged with
“maintaining the highest degree of integrity, objectivity, and independence.” They are
required to act “in a way that will serve the public interest, honor the public trust, and
uphold their professionalism.” 4
Auditors must be objective and free from bias in all matters relating to the audit, e.g.,
planning the audit, deciding how much evidence to collect, and evaluating the evidence.
The problem that occurs is that it is difficult to evaluate whether an auditor’s behavior and
judgments are truly independent. Far more time is spent regulating and evaluating
independence in appearance. Auditors must also be viewed as independent; if they do
anything that causes others to doubt their independence, the value of the audit opinion is
diminished or lost completely. Regulations addressing independence in appearance
include prohibitions against owning stock in audit clients, borrowing money from audit
clients, and, most recently, restrictions against taking jobs with audit clients or using
former audit client employees on audit engagements.
AICPA Professional Standards as of June 1, 2007. 2007. New York, NY: AICPA, AU Section 150.
AICPA Professional Standards as of June 1, 2007. 2007. New York, NY: AICPA, ET Section 53.
Due professional care requires that auditors perform the audit with the skill and care
expected of a professional. The legal test employed is whether or not a “reasonably
prudent” auditor would have performed the procedure in the same manner or come to the
same conclusion. Due professional care is interpreted as requiring critical evaluation of
judgments made and careful consideration of all relevant factors in making judgments.
Due professional care requires that all of the other standards be followed.
The next three standards are known as the field work standards and they address how the
audit is to be performed.
Planning and supervision requires that the audit be planned and the staff accountants be
supervised. Audit planning includes obtaining an understanding of the business, assessing
risks related to the financial statements, and determining the audit strategy to be
employed. It requires the preparation of written audit programs that detail the auditing
procedures to be completed.
Supervision is required to ensure that the audit is properly conducted and performed and
to provide proper training for assistants. Much of the training that occurs in auditing is “on-
the-job” training. The assistants should be assigned areas suitable for their level of
experience. Their work should be reviewed and feedback given to enable errors to be
identified and corrected and to ensure the quality of the audit work performed.
Understanding of entity, including internal control, requires that the auditor obtain an
understanding of the entity in order to identify where material misstatements might occur
and to plan the audit accordingly. The auditor is specifically required to obtain an
• External factors such as the industry, regulatory factors, and the economy.
• The nature of the entity and how it selects and applies accounting policies.
• The entity’s objectives, strategies, and related business risks, especially those
affecting the financial statements.
• How the entity measures and reviews its financial performance.
• Internal control.
The knowledge gained is used to identify accounts and assertions and to select specific
auditing procedures to be used.
Evidence governs the support for the opinion. The auditor is directed to gather sufficient
appropriate evidence to support the opinion on the financial statements. Note that this is
a subjective determination. While the auditing standards do require that certain
procedures be performed in certain circumstances, in general, it is the auditor’s choice as
to how many and what type of auditing procedures to perform, how many items to look at
in a sample, and when enough evidence has been collected.
The last four standards are the reporting standards. They address the wording of the report.
GAAP requires that the auditor’s report specifically state whether or not the financial
statements are presented in accordance with GAAP.
Consistency requires that the auditor’s report identify when accounting principles have
changed. Note that if the report is silent, then it is assumed that accounting principles are
Disclosures is similar to the consistency requirement. Only when disclosures are deemed
to be inadequate does the report say anything. Thus, the audit report is silent when
disclosures are adequate.
Opinion has a multipart requirement. The audit report must:
• Express an opinion as to whether or not the financial statements are fairly
presented in accordance with GAAP or explain why an opinion cannot be given.
• Identify the nature of the work performed.
• Identify the degree of responsibility taken by the auditor.
The 10 GAAS are applicable to all financial statement audits performed by CPAs. They are
supported by additional and more detailed interpretations presented in Statements on
Auditing Standards (SASs) which are issued by the Auditing Standards Board.
Generally accepted governmental auditing standards (GAGAS) are promulgated by the
Comptroller General of the United States. They appear in the publication Government
Auditing Standards, better known as the Yellow Book. They are broader in scope than
GAAS and address financial audits, performance audits, and attestation engagements.
Performance audits include evaluations of program effectiveness and results, economy
and efficiency audits, operational audits, and value-for-money audits. Attestation
engagements include examinations, reviews, or agreed-upon procedures engagements and
report on a subject or assertion against identified criteria.
As noted above, GAGAS expands the requirements for audits of governmental entities,
specifically in the areas relating to field work and reporting.
Additional field work standards address:
• Required auditor communications.
• Consideration of prior audits and attestation engagements.
• Detection of material misstatements resulting from violations of contract
provisions, grant agreements, or abuse.
• Development of findings for financial audits.
• Audit documentation.
Additional reporting standards address:
• Reporting auditors’ compliance with GAGAS.
• Reporting on internal control and on compliance with laws, regulations, and
contract or grant provisions.
• Reporting fraud, illegal acts, violations of contracts or grants, abuse, and internal
• Reporting views of responsible officials.
• Reporting privileged and confidential information.
• Report issuance and distribution. 5
4. Audit Evidence
Audit evidence is “all the information used by the auditor in arriving at the conclusions on
which the audit opinion is based and includes the information contained in the accounting
records underlying the financial statements and other information.” 6 Remember that the
auditor is required by GAAS to accumulate “sufficient appropriate” evidence to support the
opinion. Sufficiency refers to the quantity of evidence obtained while appropriate refers to
the quality of the evidence obtained. The two factors are interrelated. For example, the
higher the quality of the evidence, the less needed. However, the reverse is not necessarily
true. Large quantities of poor quality evidence may not be enough to support the opinion.
Types of Audit Procedures
Audit evidence is obtained through the performance of different types of audit procedures,
described as follows:
1. Inspection of records or documents: The auditor’s examination of records or
documents including paper, electronic, or other media form. For example, during
the audit, the auditor reviews purchase orders and vendor invoices, examines
entries made in the general ledger, and reads loan documents.
2. Inspection of tangible assets: The auditor’s physical examination of assets. For
example, the auditor typically observes the physical inventory taking at year end
and takes test counts to verify that the inventory is complete and accurate. The
auditor might also examine new equipment or vehicles to verify that new property,
plant and asset acquisitions actually exist.
3. Observation: The auditor’s observation of the performance of a process or
procedure. For example, the auditor might observe how cash receipts are handled
from the time the cash is received to the preparation of the bank deposit.
4. Inquiry: The auditor’s collection of information from others based on verbal
responses. Inquiry is heavily used throughout the entire audit as the auditor is
always seeking information and explanations from management, staff, and others.
Comptroller General of the United States, Government Auditing Standards: 2007 Revision, Washington, D.C.:
U.S. General Accounting Office, 2007.
Auditing Standards Board, Statement on Auditing Standards No. 106 Audit Evidence, New York: AICPA, 2006.
5. Confirmation: The receipt by the auditor of a written response to a query. For
example, the auditor may send a confirmation request to the bank so that the bank
can verify the bank account balances as of year end.
6. Recalculation: The auditor’s computation to verify mathematical accuracy. For
example, the auditor might recalculate the depreciation expense for the year or the
accrued vacation pay balance.
7. Reperformance: The auditor’s performance of procedures or controls originally
performed by client staff or client technology. For example, the auditor might
reperform a control procedure such as re-reconciling the bank account at year end
to verify that the reconciliation was completed properly.
8. Analytical procedures: The auditor’s evaluation of financial information based on
identification of data interrelationships, prediction of an amount, and comparison to
actual. Analytical procedures also include the investigation of unusual fluctuations
or variances. For example, a common audit procedure is the comparison of current
year activity to the prior year or to budget and investigation of unusual differences.
Another analytical procedure commonly used is the verification of interest expense
by multiplying an average interest rate times the average principal balance and
then comparing that estimated interest expense to actual.
Audit evidence also includes evidence obtained from prior audits, evidence obtained from
the firm’s quality control procedures, information obtained externally such as industry
analysts’ reports and benchmarking data, and any other information developed by or
available to the auditor.
All evidence is not equal. Evidence may provide support for one assertion, but not for
another. For example, the auditor’s inspection of an asset provides support that the asset
exists. It does not, however, provide support that the asset is valued correctly.
Evidence varies in reliability. Reliability is affected by the source of the evidence, by the
type of evidence, and by the manner in which it is obtained. The following general rules
• Evidence obtained from outside sources (who are knowledgeable and
independent) is more reliable.
• Internally-generated evidence is more reliable when internal controls are
• Evidence obtained directly by the auditor is more reliable than evidence
• Documentary evidence is more reliable than oral evidence.
• Audit evidence obtained from original documents is more reliable than
evidence obtained from photocopies or faxes.
Types of Audit Tests
A distinction needs to be made between three general types of audit tests: risk
assessment procedures, tests of controls, and substantive tests. These audit test
categories differ in terms of their purpose – the reason why they are performed. Risk
assessment procedures are performed by the auditors to obtain an understanding of the
entity and its environment in order to identify areas where material misstatements might
occur, i.e., to assess the risks of material misstatement. For example, the auditor might
review the accounting manual or perform a walk-through of the revenue cycle.
Tests of controls are audit procedures that verify that a control is operating effectively. For
example, a test of payroll time cards could be performed to verify that the supervisor’s
initials were on the time card authorizing payment for the hours worked. Tests of controls
are performed to reduce the amount of substantive testing that will be required.
Remember that internally-generated evidence is more reliable when internal controls are
effective? Tests of controls help verify the effectiveness of internal controls which then
enables the auditor to place more reliance on documents and records generated by the
Substantive tests are audit procedures that look for material misstatements. For example,
sending a confirmation to a customer to verify an account receivable is a substantive test.
It enables the auditor to identify if the account receivable is a valid receivable, i.e., the
customer actually exists and owes the company. It is possible to perform an audit without
tests of controls. It is not possible to perform an audit without substantive tests.
5. Audit Planning
The auditor is required to perform a number of activities, generally classified as “audit
planning.” These include the pre-engagement activities and engagement letter, audit
strategy and audit plan, and planning meeting.
Pre-Engagement Activities and Engagement Letter
Auditors and audit firms do not accept every client that comes their way. Some clients are
riskier than others; some clients may require expertise that the firm does not have. For
these and other reasons, the auditor and firm are required to perform certain procedures
before they accept a new client. They must contact the predecessor auditor and obtain
information about accounting disagreements, problems encountered, why the predecessor
believes that the client has changed auditors, and other matters. This information helps
the auditor and firm evaluate management integrity and aids in the determination of
whether or not to accept the client. The firm must also determine if they are independent
with respect to the potential client.
If the auditor and firm decide to accept the client, the contract for the services to be
performed will be finalized in an engagement letter. The engagement letter will specify the
specific services to be performed, the estimated fees to be charged, the timing of the
engagement, use of the client’s staff, management’s responsibilities, the auditor’s
responsibilities, and limitations of the engagement. An example of an engagement letter
appears in Appendix A.
Remember that the purpose of an audit is to express an opinion as to whether or not the
financial statements are fairly presented in accordance with GAAP and to provide
reasonable assurance that no material misstatements exist. Material misstatements may
occur because of errors or carelessness or because of a deliberate action to misstate the
financial statements. The auditor is responsible for planning the audit to find all material
misstatements of the financial statements arising from errors, fraud, or direct-effect illegal
acts. Direct-effect illegal acts are those violations of laws and regulations that directly
affect the financial statements, such as tax laws. Indirect-effect illegal acts would include
violations of other laws and regulations that may potentially have an economic effect (and
thus affect the financial statements) but whose effects are more indirect, such as
violations of OSHA requirements.
Audit Strategy and Audit Plan
The auditor is required to establish and document an overall audit strategy for the
engagement. The strategy would consider:
• The scope of the engagement, including the basis of reporting, industry-specific
reporting requirements, and entity locations.
• The reporting objectives of the engagement, including timing and communication
deadlines and key dates.
• Key factors that impact the audit such as materiality, high risk areas, planned
reliance on internal control, and recent developments.
Determining the overall audit strategy will enable the auditor to identify:
• The types of and background requirements for audit team members.
• The number of audit personnel to assign to specific tasks, such as the inventory
• The timing of planned audit personnel utilization, e.g., interim versus final.
• The required supervision and management of the audit team and planned
debriefings and reviews.
The creation of the audit strategy is then followed by the preparation of a more detailed
audit plan, often referred to as the audit planning memo. The audit plan will generally
• Objectives of the audit.
• Nature and extent of other services to be provided, e.g., tax return preparation.
• Timing and scheduling of audit work including key dates and deadlines.
• Description of the company and its environment.
• Assistance to be provided by the client, e.g., schedules to be prepared.
• How the audit will be staffed.
• Planned dates for completion of major portions of the audit, e.g., interim testing.
• Audit team discussions about significant risk areas, including fraud.
• Preliminary judgments about materiality levels.
An audit program and a time budget will also be prepared. An audit program details the
planned audit procedures while the time budget allocates the total planned time for the
audit to different areas. Audit programs are usually presented for each transaction cycle or
account. The time budget identifies the different levels of staff expected to work on the
audit, how much time each staff person is expected to spend on the audit, and an
allocation of that time to specific audit areas, e.g., 40 hours on the Cash account. A typical
audit team consists of one or more staff accountants, a senior or in-charge accountant, a
manager, and the engagement partner.
An example of an audit program for Cash appears in Appendix B.
The auditors are required to have one or more meetings to discuss the susceptibility of the
entity’s financial statements to material misstatement.
The auditors must specifically consider the
risk of material misstatement arising from
fraud – either fraudulent financial
reporting or asset misappropriation.
Where are material misstatements likely
to occur? What areas are susceptible to
fraud? The discussions are intended to
enable less experienced auditors to
benefit from the shared wisdom and
insights of the more experienced team
members. They are also intended to
increase awareness of the possibility of
fraud and material misstatements and to
help ensure a high degree of professional
6. Audit Risk and Materiality
Recall that the financial statements are management’s assertions about the financial
transactions and events that have occurred during the year. These assertions can be
detailed more specifically in the following manner.
Assertions exist for classes of transactions, account balances, and presentations and
disclosures that appear in the financial statements. The assertions for classes of
1. Occurrence – the transactions and events that have been recorded have occurred
and pertain to the entity.
2. Completeness – all transactions and events that should have been recorded have
3. Accuracy – amounts and other data relating to recorded transactions and events
have been recorded appropriately.
4. Cutoff – transactions and events have been recorded in the correct accounting
5. Classification – transactions and events have been recorded in the proper amounts.
The assertions for account balances are:
1. Existence – assets, liabilities, and equity interests exist.
2. Rights and obligations – the entity holds or controls the rights to assets, and
liabilities are the obligations of the entity.
3. Completeness – all assets, liabilities, and equity interests that should have been
recorded have been recorded.
4. Valuation and allocation – assets, liabilities, and equity interests are included in the
financial statements at appropriate amounts and any resulting valuation or
allocation adjustments are appropriately recorded.
Finally, the assertions that address presentation and disclosure are:
1. Occurrence and rights and obligations – disclosed events and transactions have
occurred and pertain to the entity.
2. Completeness – all disclosures that should have been included in the financial
statements have been included.
3. Classification and understandability – financial information is appropriately
presented and described and information in disclosures is clearly expressed.
4. Accuracy and valuation – financial and other information is disclosed fairly and at
All of these assertions are being made by management in the financial statements. The
auditor’s job is to verify the assertions and thus verify the financial statements.
A few things to remember about the assertions:
• All assertions are not equally important for each transaction class, account or
• As a result, the auditor will not spend the same amount of time verifying each
assertion for each transaction class, account, or disclosure but will instead focus on
the evidence needed to support the more important assertions for the most
important transaction class, account, or disclosure.
• Auditing procedures may address more than one assertion.
The Audit Risk Model
The audit risk model is a theoretical model that provides a framework for planning and
performing an audit. It considers risks at both the overall financial statement level and at
the individual class of transaction, account balance, or disclosure level.
FINANCIAL STATEMENT LEVEL
INDIVIDUAL ACCOUNT BALANCE, CLASS OF TRANSACTIONS, OR DISCLOSURE
AUDIT INHERENT CONTROL DETECTION
RISK RISK RISK RISK
Audit risk is the risk of issuing a “clean” opinion on financial statements that are materially
misstated. At the overall financial statement level, the auditor considers risks that affect
the financial statements as whole; risks that are pervasive and thus can affect many
assertions. For example, if management has a history of being very aggressive in its
accounting treatments, the risk of material misstatement that results can affect many
accounts and many assertions. Or if management does not believe that accounting is very
important and fails to allocate proper resources to the accounting department, again, the
material misstatements that may result can appear in many different accounts and in
many different assertions. Heightened audit risk at the financial statement level is
addressed through such actions as using more experienced audit staff or more closely
supervising the audit team.
Audit risk at the individual account balance, class of transactions, or disclosure level
consists of the risk that material misstatements are present and the risk that the auditor
will fail to find them. The risk that material misstatements are present is a result of
inherent risk (the risk that material misstatements will occur) and control risk (the risk that
the internal control system will not prevent or detect material misstatements). The risk
that the auditor will fail to find the material misstatements is detection risk. The auditor
addresses audit risk at the individual account balance, class of transactions, or disclosure
level through the determination of the “nature, timing, and extent” of audit testing. Nature
refers to the type of audit procedure selected, timing refers to when the audit procedure
will be performed, and extent refers to how many audit procedures will be applied and how
many items will be selected for each procedure.
In performing an audit and expressing an opinion on the financial statements, auditors do
not try to find every misstatement that exists. In fact, the audit opinion provides only
“reasonable assurance” that the financial statements are free of “material” misstatement.
The auditors focus their efforts on trying to find “material” misstatements.
How much is material? It is an amount (or omission) that would potentially affect a
decision made by a user of the financial statements based on his/her use of those
financial statements. Materiality per the Financial Accounting Standards Board (FASB
Statement of Financial Concepts No. 2, “Qualitative Characteristics of Accounting
Concepts”) is defined as:
the magnitude of an omission or misstatement of accounting information that, in
the light of surrounding circumstances, makes it probable that the judgment of a
reasonable person relying on the information would have been changed or
influenced by the omission or misstatements.
Materiality considers more than just dollar amount (the quantitative aspects); it also
considers qualitative factors. For example, a bribe paid to a politician may be small but
could be considered material because of the nature of the item – perhaps the bribe, if
discovered, could result in the loss of a license to do business in a particular jurisdiction or
have some other material effect. Another example would be an amount that is below
materiality but as recorded happens to enable the entity to meet its loan covenants, e.g.,
working capital ratio requirements.
The auditor must consider materiality during planning and in the overall evaluation. During
planning, the auditor will identify an amount to be used as “planning materiality.” This
amount is typically computed as a percentage of some base, e.g., total assets or total
revenues. Once determined, materiality will affect which accounts are audited, the size of
the samples drawn, and the disposition of errors discovered. For example, auditors will
propose audit adjustments for errors found that exceed materiality; they will not propose
audit adjustments for errors below materiality.
At the end of the audit, the auditor will reconsider materiality. Remember that materiality
was computed as a percentage of a base. Because the auditor has proposed audit
adjustments over the course of the audit, the base originally used may have changed. As a
result, materiality may have changed. The auditor must consider the evidence gathered in
light of the new materiality amount and determine if more evidence will be needed. For
example, suppose that materiality was originally 1% of total assets where total assets were
$25,000,000. Planning materiality would have been $250,000 and samples of
transactions pulled for testing would generally be amounts greater than $250,000. Audit
adjustments reduced total assets to $23,700,000 and materiality accordingly would now
be $237,000. The auditor must look at the evidence gathered to determine if sufficient
evidence has been collected in light of the revised materiality amount.
7. Risk Assessment
Obtaining an Understanding
In order to identify areas where material misstatements might occur, the auditors start by
learning about the entity and its environment or “obtaining an understanding.” The
procedures used are called risk assessment procedures. Examples of procedures
employed by the auditors in obtaining an understanding include:
• Asking questions of management, internal auditors, employees who perform
accounting functions, employees who perform other non-accounting functions, and
• Performing analytical procedures to identify unusual balances, transactions, or
• Observing activities and operations.
• Inspecting documents, records, and manuals.
• Reading reports and minutes.
• Touring premises and facilities.
• Tracing transactions through the system.
The Entity and Its Environment
The auditor is required to gain an understanding of specific areas related to the entity and
its environment. These areas are described below.
Industry, regulatory, and other external factors: The auditor must understand the
environment that the entity operates in. He/she would begin by investigating the industry -
What type of industry is the entity involved with? Is it a mature industry or a rapidly
growing industry? Is the industry facing any particular problems in obtaining raw materials
or other needed resources?
The auditor would also consider regulatory factors. If the entity is involved in a regulated
industry, the nature of the regulation may pose additional risks as well as additional
controls. For example, in Nevada, casinos are subject to the requirements of the Gaming
Control Board (GCB). Failure to adhere to GCB requirements could result in the loss of an
entity’s gaming license. On the plus side, however, the GCB maintains its own department
of auditors who audit all gaming entities on a regular basis. Additional oversight is thus
provided by the regulators.
Other external factors that could impact an entity include the economy, interest rates,
availability of financing, and inflation.
Nature of the entity: Consideration of the nature of the entity itself looks at the entity’s
business operations – What are the sources of the entity’s revenues and expenses? What
types of transactions are involved? Is the entity involved in joint ventures or alliances?
Does the entity outsource certain functions? Where does the entity operate? Who are the
entity’s key customers? Does the entity engage in activities with related parties?
The auditor would also consider the entity’s plans for growth and expansion. Is the entity
planning to acquire or dispose of business activities? Are there plans for increasing
investment in plant and equipment? Does the entity have investments in other entities?
The auditor would need to understand the entity’s financing needs and sources. Does the
entity borrow funds? What requirements result from such borrowings? Is the entity using
derivative financial instruments?
The auditor would learn about the entity’s financial reporting processes. Is the entity
subject to industry-specific accounting requirements? Do revenue recognition issues exist?
Is the entity involved in foreign currency transactions? Are they hedging such transactions?
How does the entity address its fair value reporting requirements? Does the entity
maintain large inventory balances?
Objectives, strategies, and related business risks: An auditor is charged with
understanding the entity’s objectives and strategies and the business risks that result in
order to identify risks of material misstatement in the financial statements. The auditor
begins with the entity’s objectives – these are the entity’s plans. The ways that
management plans to achieve its objectives are the strategies. Business risks result from
conditions, events, factors, or circumstances that can keep the entity from achieving its
objectives. For example, assume that the State of Micronesia collects import taxes on all
goods imported for resale. The State plans to achieve a balanced budget (objective) by
increasing the import tax rates (strategy). A business risk that could keep the State from
achieving its objective is the economy (a weak economy would reduce imports). The
auditor’s job is to understand the objective, strategy, and related business risk and then to
identify if there is a possible financial statement effect. In this case, a weak economy
could also result in nonpayment of import taxes receivable, requiring a larger allowance for
Note that although business risks will generally have financial consequences, not all
business risks present a risk of material misstatement. The auditor focuses on those
business risks that increase the risk of material misstatement.
Measurement and review of financial performance: The auditor must understand how the
entity measures and reviews its financial performance. The auditor’s concern in this area
is two-fold: 1) The auditor needs to know which measures are being used and the
components of those measures. An otherwise immaterial adjustment may become
material if it impacts a financial performance measure. 2) The auditor may be able to
utilize performance measures for audit purposes. If such information is used, the auditor
would need to determine if the information were reliable and sufficiently precise.
The auditor is also required to obtain an understanding of internal control. This
understanding will enable the auditor to assess the risk of material misstatement and to
identify the audit procedures needed to identify any material misstatements that are
present in the financial statements.
Internal control is defined as
a process – effected by those charged with governance, management, and other
personnel – designed to provide reasonable assurance about the achievement of
the entity’s objectives with regard to reliability of financial reporting, effectiveness
and efficiency of operations, and compliance with applicable laws and regulations. 7
It enables those responsible for an entity to maintain control and to show accountability for
the resources of the entity.
Internal control, as outlined in COSO’s Internal Control – Integrated Framework, is
comprised of the following five components:
Control environment: The control environment is often considered THE most critical
element of internal control because of its effects on the other internal control components.
The Report of the National Commission on Fraudulent Financial Reporting considered an
effective control environment an essential requirement for proper financial reporting.
The tone set by top management – the corporate environment or culture within
which financial reporting occurs – is the most important factor contributing to the
integrity of the financial reporting process. Notwithstanding an impressive set of
written rules and procedures, if the tone set by management is lax, fraudulent
financial reporting is more likely to occur. 8
You could think of the control environment as an umbrella that protects the other four
components. Without a strong control environment, the other four components cannot be
The control environment includes the following elements:
• Communication and enforcement of integrity and ethical values – e.g. is there a
code of conduct and is it enforced?
• Commitment to competence – are job positions adequately defined in terms of the
skills and knowledge need to perform the job requirements?
Auditing Standards Board, 2006, “SAS No. 109, Understanding the Entity and Its Environment and Assessing the
Risks of Material Misstatement,” New York: AICPA.
Report of the National Commission on Fraudulent Financial Reporting, Washington, DC, 1987, p. 28.
• Participation of those charged with governance – does the entity have an
independent audit committee? Who oversees management?
• Management’s philosophy and operating style – what is management’s attitude
toward risk-taking? toward financial reporting?
• Organizational structure – how is the entity structured?
• Assignment of authority and responsibility – Are reporting lines and responsibilities
• Human resource policies and practices – how does the entity hire, train, evaluate,
and compensate employees?
Risk and Control Monitoring
Assessment Communi- Activities
Risk assessment for financial reporting relates directly to the business risks discussed
earlier. How does management identify business risks, analyze them, and take action to
reduce such risks when considered necessary? Does this process also incorporate
identification of areas that may affect the financial statements, i.e., risk assessment for
Note that management’s risk assessment process would not necessarily address every risk
identified. Instead, it would evaluate each risk in terms of magnitude and likelihood and
compare the risk to its acceptable risk level. Those risks that exceed the acceptable risk
level would require some action to mitigate or reduce the risk.
Information and communication systems refers to an entity’s accounting system and the
manner in which transactions are initiated, recorded, processed, and reported. Accounting
systems are typically set up to process transactions as groups via subsystems. For
example, sales (or revenues), accounts receivable, accounts payable, cash disbursements,
payroll, fixed assets, inventory, and general ledger.
Control activities are the policies and procedures that are usually identified as “internal
controls.” Control activities can be manual or automated.
They are commonly grouped into five categories:
a) Adequate separation of duties: The key to adequate separation of duties is
the separation of custody, authorization, and recordkeeping responsibilities.
For example, the employee in charge of the warehouse (custody) should not
have sole responsibility for recording inventory shipments and receipts
b) Proper authorization of transactions and activities: Transactions must be
properly authorized via general or specific authorizations. General
authorizations occur via policies established by management. For example,
the use of a rate list identifying different rates for imported goods categories
by the Revenue Department employees who are responsible for assessing
import taxes would demonstrate general authorization. Specific
authorizations occur on a transaction by transaction basis. For example, the
writeoff of import taxes due from a particular company would require
specific approval by the head of the Department of Finance.
c) Adequate documents and records: Proper recordkeeping is impossible
without adequate documents and records. These include purchase orders,
vendor invoices, tax bills, cash receipt forms, and many other documents
that evidence a transaction. These also include the computerized general
ledger and any other computer files in which the records are maintained.
d) Physical control over assets and records: An entity must safeguard both its
assets, such as inventory, property, plant, and equipment, and spare parts,
and its records. Physical controls include restricted access, locks, fireproof
safes and vaults, and video surveillance. It also includes controls over access
to computer records such as passwords and compatibility tests.
e) Independent checks on performance: Independent checks occur when
verification can be made by independent parties. For example, the
reconciliation of the bank account by a person who does not have access to
the cash, who does not record cash receipts or cash disbursements, and who
does not authorize cash transactions provides a check on the individuals
performing those functions and thus over cash transactions.
Internal controls must be monitored over time to ensure that they are operating effectively.
Ineffective operation can occur because of error or carelessness and because of changes in
the way business is conducted. Monitoring includes internal and external activities.
Internal monitoring activities could include the review of activity reports by management
and reviews conducted by internal auditors. External monitoring activities include reviews
by regulatory agencies and the audit by the independent auditors.
Assessing the Risk of Material Misstatement
After obtaining an understanding of the business and its environment, including internal
control, the auditor will assess the risk of material misstatement. Which account
balances, transactions, or disclosures are at risk of being materially misstated? The
auditor must consider which assertion is potentially affected, i.e., could be materially
misstated, what is the likelihood that the material misstatement has occurred, and what
amounts are involved? Based on this assessment, the auditor must then select and
perform the audit procedures that will enable him/her to find any material misstatements
that are present in the financial statements. Both tests of controls and substantive tests
may be used for this purpose. Remember, however, that tests of controls verify only that
controls are operating effectively. They do not provide evidence to directly support an
8. Completing the Audit
At the end of the audit, after the previously identified audit procedures have been
performed, the auditor starts wrapping up. A number of procedures must be performed to
complete the audit.
Search for Contingent Liabilities
First, the auditor must identify any contingent liabilities that exist. A contingent liability is a
possible loss that is the result of some past event that will be resolved in the future. For
example, a lawsuit that is in progress. The accounting rules (FASB 5, Accounting for
Contingencies) require that loss contingencies be accrued if they are likely to occur AND
can be reasonably estimated. If both elements are not present, the loss contingency must
be disclosed in the notes to the financial statements. The auditor is responsible for
identifying any contingent losses up to the date of the auditor’s report. The report is dated
as of the date when the auditor believes that sufficient evidence has been collected to
support the opinion. This usually occurs after the workpapers have been reviewed by the
partner in the office. Although the auditor has been looking for contingent liabilities
throughout the audit, one last search will be made at the end of the audit.
As part of the search for contingent liabilities, the auditor will send a request to the entity’s
attorney, asking the attorney to respond directly to the auditor about lawsuits in progress
and other matters which may indicate a contingent liability. The auditor will ask the
attorney to describe litigation that is being handled for the entity and to estimate the
amount of loss involved.
Search for Subsequent Events
The auditor is also required to search for subsequent events that occur up to the last day of
fieldwork. Subsequent events are events or transactions that occur after the balance sheet
date but before the report is issued and the audit completed.
There are two types of subsequent events. Type I subsequent events involve estimates
already present in the financial statements. They provide evidence about conditions that
existed at the balance sheet date. As a result, the financial statements must be adjusted.
Type II subsequent events involve conditions that did not exist at the balance sheet date.
These events do not require adjustment, but may be disclosed.
Examples of Type I subsequent events:
• A lawsuit is settled for an amount other than the amount accrued.
• A customer already in poor financial condition at year end files for bankruptcy after
• Investments are sold at a price below recorded values.
Examples of Type II subsequent events:
• Bonds or stock are issued.
• A catastrophic loss occurs as a result of a typhoon.
• The entity acquires a new subsidiary.
Management Representation Letter
The auditor is required to obtain a representation letter from management. The letter
confirms oral statements made to the auditors over the course of the audit. It also
reaffirms management’s responsibility for the financial statements. In practical terms, the
letter is drafted by the auditors but is printed on the entity’s letterhead and signed and
returned by management, usually the president and chief financial officer.
Evaluation of Misstatements
Over the course of the audit, the auditors propose audit adjustments for misstatements
that are discovered. Some misstatements, however, fall below the materiality limit and
adjustments are not proposed. Instead, these “passed AJEs” are accumulated on a
workpaper and considered at the end of the audit.
The auditor must evaluate known and likely misstatements for which audit adjustments
have not been proposed to see if they are now material, either individually or in the
aggregate. Known misstatements are actual errors found. For example, when auditing
cash, the auditor discovered that the bank service fees had not been recorded. The
amounts involved were not material and a passed AJE was identified. Likely
misstatements result from projections of sample error rates to the relevant populations.
For example, the auditor selected a sample of accounts receivable to confirm. The results
of this test indicated that accounts receivable were overstated by 10%. The likely
misstatement is the 10% sample error rate projected to the entire population of accounts
Known and likely misstatements may become material at the end of the audit because of
the size of the amounts or because of their effects. For example, the passed AJEs may add
up to a material amount in total. Or a single misstatement may change a required loan
covenant ratio from acceptable to unacceptable.
After the evaluation of the known and likely misstatements has been completed and any
necessary audit adjustments proposed and accepted, the remaining uncorrected known
and likely misstatements must be considered immaterial to the financial statements. The
auditor will then be able to express an opinion that the financial statements are fairly
presented in accordance with GAAP.
The audit procedures performed by the auditors are documented in the form of audit
workpapers. Each workpaper provides support for one or more account balances,
transaction classes, or disclosures. In total, the complete set of workpapers is the
“sufficient, appropriate evidence” that supports the opinion.
Audit workpapers contain several common elements:
1. A heading with the name of the entity, the year end date for the period being
audited, and a title describing the workpaper.
2. Identification of the auditor who completed the workpaper and the date the
workpaper was completed.
3. Identification of the reviewer (or reviewers) who reviewed the workpapers and the
date(s) the review was completed.
4. A reference number to indicate where it belongs in the set of workpapers.
5. Numbers cross-referenced to the general ledger or trial balance to indicate that the
auditor agreed the balance or transaction to the recorded amounts.
6. Tickmarks and a tickmark legend to describe the procedures performed.
See Appendix C for an example of a workpaper for the Cash account.
The audit firm’s quality control procedures would typically include:
• A review of each workpaper by one or more reviewers.
• Review of the financial statements, audit report, and completed workpapers by the
• Pre-issuance review of the financial statements and audit report by a second
9. Audit Reports and Communications
Standard Unqualified Report
The end product of a financial statement audit is the audit report. A standard unqualified
audit report, also known as a “clean” report, consists of three paragraphs: the introductory
paragraph, the scope paragraph, and the opinion paragraph. The introductory paragraph
describes the financial statements being audited and identifies the responsibilities of
management and the auditors. The scope paragraph indicates the auditing standards
followed by the auditors and provides a general description of how the audit was
conducted. The opinion paragraph reports the auditor’s conclusions regarding the financial
Here is an example of a “clean” audit report:
Independent Auditors’ Report
We have audited the accompanying financial statements of the governmental activities,
the business-type activities, the aggregate discretely presented component units, each
major fund, and the aggregate remaining fund information of the State of Pacific Islands,
as of and for the year ended June 30, 20X1, which collectively comprise the State’s basic
financial statements as listed in the table of contents. These financial statements are the
responsibility of the State of Pacific Islands’ management. Our responsibility is to express
opinions on these financial statements based on our audit.
We conducted our audit in accordance with auditing standards generally accepted in the
United States of America. Those standards require that we plan and perform the audit to
obtain reasonable assurance about whether the financial statements are free of material
misstatement. An audit includes examining, on a test basis, evidence supporting the
amounts and disclosures in the financial statements. An audit also includes assessing the
accounting principles used and significant estimates made by management, as well as
evaluating the overall financial statement presentation. We believe that our audit provides
a reasonable basis for our opinion.
In our opinion, the financial statements referred to above present fairly, in all material
respects, the respective financial statement position of the governmental activities, the
respective financial position of the governmental activities, the business-type activities, the
aggregate discretely presented component units, each major fund, and the aggregate
remaining fund information of the State of Pacific Islands, as of June 30, 20X1, and the
respective changes in financial position and cash flows, where applicable, thereof for the
year ended in conformity with accounting principles generally accepted in the United
States of America.
Governmental entities are also required to provide additional information, “supplemental
information required by the GASB,” that accompanies the basic financial statements but is
not a required part of the financial statements. As a result, audit reports for governmental
entities will typically include two additional paragraphs.
The [required supplementary information] on pages XX through XX are not a
required part of the basic financial statements but are supplementary information
required by accounting principles generally accepted in the United States of
America. We have applied certain limited procedures, which consisted principally of
inquiries of management regarding the methods of measurement and presentation
of the required supplementary information. However, we did not audit the
information and express no opinion on it.
Our audit was conducted for the purpose of forming opinions on the financial
statements that collectively comprise the State of Pacific Islands’ basic financial
statements. The [other supplementary information} are presented for purposes of
additional analysis and are not a required part of the basic financial statements.
The [other supplementary information] have been subjected to the auditing
procedures applied in the audit of the basic financial statements and, in our
opinion, are fairly stated in all material respects in relation to the basic financial
statements taken as a whole. 10
Finally, it is also possible that the auditors will make reference to the reports on internal
control and compliance that are required by the Single Audit Act and Circular A-133. In that
case, an additional paragraph might appear as follows:
In accordance with Government Auditing Standards, we have also issued our report
dated XX, on our consideration of the State of Pacific Islands’ internal control over
financial reporting and our tests of its compliance with certain provisions of laws,
regulations, contracts and grant agreements and other matters. The purpose of
that report is to describe the scope of our testing of internal control over financial
reporting and compliance and the results of that testing, and not to provide an
opinion on the internal control over financial reporting or on compliance. That
report is an integral part of an audit performed in accordance with Government
Auditing Standards and should be read in conjunction with this report in considering
the results of our audit. 11
Other Types of Audit Reports
Adapted from the Example A.1 in Audits of State and Local Governments (GASB 34 Edition), 2003, New York:
Adapted from the Example A.1 in Audits of State and Local Governments (GASB 34 Edition), 2003, New York:
Adapted from the Independent Auditors’ Report on the State of Pohnpei financial statements dated December 19,
2005, issued by Deloitte & Touche LLP.
A clean audit report indicates that the financial statements being reported on are
presented fairly in accordance with applicable GAAP and that the auditors were able to
perform the audit in accordance with applicable GAAS. When either of these two
conditions is violated, a different type of opinion will be issued.
SCOPE LIMITATION GAAP DEPARTURE
QUALIFIED DISCLAIMER QUALIFIED ADVERSE
If the auditor is unable to obtain the evidence needed or is unable to perform auditing
procedures considered necessary, a scope limitation exists – the auditor is unable to
perform the audit in accordance with GAAS. When a scope limitation is present, the
auditor will issue a qualified audit report or a disclaimer. The choice between the two will
depend on the nature of the scope limitation and the accounts affected.
When a qualified report is issued due to a scope limitation, the scope paragraph will be
revised to reference the problem and a new third paragraph will be added to describe the
problem encountered. The opinion paragraph would be modified slightly to refer to the
An example of a report qualified for a scope limitation follows:
Independent Auditors’ Report
[No change in introductory paragraph]
Except as discussed in the following paragraph, … [change to first sentence of scope
[New paragraph] We were unable to obtain audited financial statements supporting the
State’s investment in Micronesian Fisheries Corporation, whose financial activities are
included in the aggregate discretely presented component units and represent 15% and
10%, respectively, of the assets and revenues of the State of Pacific Islands’ discretely
presented component units. Micronesian Fisheries Corporation did not produce audited
financial statements and the effect on the accompanying financial statements of this
matter is unknown.
In our opinion, except for the effects on the respective financial statements of such
adjustments, if any, as might have been determined to be necessary had Micronesian
Fisheries Corporation been audited, as discussed in the third paragraph above, … [change
to first sentence of opinion paragraph]
When a disclaimer is issued, the auditor believes that regardless of the amount and types
of auditing procedures that were completed, the work is insufficient to support any type of
opinion. As a result, the auditor expresses no opinion.
A disclaimer report includes a modified introductory paragraph, deletes the scope
paragraph completely, includes a new paragraph explaining the problems encountered,
and adds a disclaimer paragraph in lieu of the opinion paragraph.
An example of a disclaimer report follows:
Independent Auditors’ Report
We were engaged to audit the accompanying financial statements of the governmental
activities, the business-type activities, the aggregate discretely presented component units,
each major fund, and the aggregate remaining fund information of the State of Pacific
Islands, as of and for the year ended June 30, 20X1, which collectively comprise the
State’s basic financial statements as listed in the table of contents. These financial
statements are the responsibility of the State of Pacific Islands’ management.
The State did not make a count of its physical inventory in 2010, stated in the
accompanying financial statements at $750,000 as of September 30, 2010. Further,
evidence supporting the cost of property and equipment acquired prior to September 30,
2010, is not longer available. The State’s records do not permit the application of other
auditing procedures to inventories or property and equipment.
Since the State did not take physical inventories and we were not able to apply other
auditing procedures to satisfy ourselves as to inventory quantities and the cost of property
and equipment, the scope of our work was not sufficient to enable us to express, and we
do not express, an opinion on these financial statements.
A GAAP departure exists when the financial statements contain a GAAP misstatement or
omission that has been identified but not corrected. Management may be unwilling or
unable to correct the item creating the GAAP departure. For example, the auditors have
proposed adjustments to capitalize leases as required by GAAP and management refuses
to record the adjustments in the financial statements. Alternatively, the time required to
obtain the information needed to identify the adjustments needed is considerable and due
to deadlines on issuance of the financial statements, management is unable to provide the
information or record the adjustments.
Depending on the severity of the problem and its effects on the financial statements, either
a qualified or adverse opinion would be issued. In choosing between a qualified or adverse
opinion, the auditor would consider the dollar magnitude of the amounts involved, the
significance of the item to users of the financial statements, and the pervasiveness of the
A qualified report would include a new explanatory paragraph following the scope
paragraph describing the GAAP departure. The opinion paragraph would also be modified
An example of an audit report qualified for a GAAP departure follows:
Independent Auditors’ Report
[No change in introductory paragraph]
[No change in scope paragraph]
[New paragraph] As more fully described in Note 25 to the financial statements, the State
has excluded certain lease obligations from property and debt in the accompanying
balance sheet. In our opinion, accounting principles generally accepted in the United
States of America require that such obligations be included in the balance sheet.
In our opinion, except for the effects of not capitalizing certain lease obligations as
discussed in the preceding paragraph, … [change to first sentence of opinion paragraph]
The auditor may believe, however, that the GAAP departure is so pervasive or so
detrimental to the fair presentation of the financial statements that an adverse opinion
must be issued. An adverse opinion states that the financial statements are NOT fairly
presented in accordance with GAAP.
An adverse report includes a new third paragraph describing the GAAP departure and
modifies the opinion paragraph as follows:
Independent Auditors’ Report
[No change in introductory paragraph]
[No change in scope paragraph]
[New paragraph] As more fully described in Note 25 to the financial statements, the State
has excluded certain lease obligations from property and debt in the accompanying
balance sheet. In our opinion, accounting principles generally accepted in the United
States of America require that such obligations be included in the balance sheet.
In our opinion, because of the matters discussed in the preceding paragraph, the financial
statements referred to above do not present fairly, … [change to first sentence of opinion
Other Modifications to Standard Report
Under certain circumstances, an auditor may issue an unqualified report but believe that it
is important to bring specific matters to the reader’s attention. The standard report is thus
modified to reflect these additional concerns BUT the opinion is not changed.
Going Concern: An auditor is required to evaluate whether an entity can remain in
operation for an operating period, usually one year. The auditor would consider such
factors as recurring deficits, violations of regulations or loan covenants, catastrophic
losses, or legal proceedings. If based on that evaluation, the auditor believes that
“substantial doubt” exists regarding the entity’s ability to continue as a going concern, the
auditor adds an additional paragraph to the audit report. The paragraph must contain the
words “substantial doubt” and “going concern” and provide an explanation as to the
reasons for the auditor’s concern.
Change in Accounting Principles: Recall that the second reporting standard required that
the audit report indicate when accounting principles are changed. The reason for the
requirement is because financial statements are difficult to compare in a meaningful
fashion if the accounting rules used to prepare the accounting rules are changed. When
accounting principles are changed in an acceptable fashion, the audit report must contain
an additional paragraph describing the change.
Rule 203: Under very unusual circumstances, it is possible that following GAAP could
result in misleading financial statements. The Rule 203 exception provides that when
these circumstances exist, the financial statements can utilize the non-GAAP method that
is more appropriate. Ordinarily, this would result in a qualified or adverse report. The Rule
203 exception allows the auditor to issue an unqualified opinion but requires that the audit
report contain an additional paragraph explaining the departure.
Emphasis of a Matter: The auditor is allowed to add an additional explanatory paragraph
to the audit report whenever he/she believes that attention should be brought to a
particular matter. Examples include:
• Significant related party transactions.
• Material uncertainties and contingent liabilities.
• Key subsequent events.
Shared Responsibility: In the United States, it is possible to share responsibility for an
audit with another auditor. For example, another CPA firm may be used to audit the
operations of a division or subsidiary, while the principal CPA firm audits the parent
company. When the CPA firm decides to share responsibility, modifications to the audit
report appear in all three paragraphs – the introductory paragraph, the scope paragraph,
and the opinion paragraph – that reference the work done by the other CPA firm.
An example of a shared responsibility report follows:
Independent Auditors’ Report
[No change in introductory paragraph except for the following sentences added at the end
of the paragraph] … We did not audit the financial statements of the Pacific Islands
Housing Authority, a discretely presented component unit, which statements reflect total
assets of $15,035,000 as of June 30, 20X1, and total revenues of $4,372,000, for the
year then ended. Those statements were audited by other auditors whose report has been
furnished to us, and our opinion, insofar as it relates to the amounts included for Pacific
Islands Housing Authority, is based solely on the report of the other auditors.
[No change in scope paragraph except for modification of the last sentence] … We believe
that our audit and the report of other auditors provide a reasonable basis for our opinion.
In our opinion, based on our audit and the report of other auditors, the financial
statements referred to above present fairly … [change to first sentence of opinion
The auditor has other reporting requirements related to an audit. These include
communicating significant deficiencies and discussions with the audit committee.
Significant Deficiencies: Significant deficiencies are control weaknesses in the design or
operation of internal control that could adverse affect the entity’s ability to initiate, record,
process, and report financial information. The auditor is not required to look for significant
deficiencies but must report them to management if any are discovered. The report must
Examples of significant deficiencies conditions include:
• Inadequate provisions for safeguarding assets.
• Lack of appropriate reviews and transaction approvals.
• Intentional override of internal controls.
• Failure to correct previously identified internal control deficiencies.
Audit Committee: The auditor is required to meet with the audit committee (or comparable
body such as a finance committee or budget committee) to provide additional information
regarding the audit. The communication may be verbal or written.
The matters to be communicated include:
• The auditor’s responsibility under GAAS.
• Significant accounting policies.
• Management judgments and accounting estimates.
• Audit adjustments – corrected and uncorrected.
• Auditor’s judgments about the quality of the entity’s accounting principles.
• Other information in documents containing audited financial statements.
• Disagreements with management.
• Management’s consultations with other accountants.
• Major issues discussed with management prior to retention.
• Difficulties encountered in performing the audit.
This completes the review of the requirements for a financial statement audit.
Key points to remember:
1. The purpose of a financial statement audit is to render an opinion on the financial
statements’ presentation in accordance with GAAP and to provide reasonable
assurance that no material misstatements exist. Audits are performed to add
credibility to the financial statements.
2. An audit is conducted in accordance with GAAS (and GAGAS). GAAS require that:
a. The audit be planned and carefully executed,.
b. The auditors obtain an understanding of the entity and its environment,
including internal control.
c. The understanding obtained be used to identify the risks of material
d. The auditors perform auditing procedures selected to find material
misstatements that are present.
e. The auditors collect sufficient appropriate evidence to support the opinion.
f. The auditors issue an audit report providing the opinion reached.
3. Auditors search for material misstatements in the financial statements. A material
misstatement is one that could affect a decision made by a user of the financial
statements based on the information contained in the financial statements. In
searching for material misstatements, the auditors consider inherent risk (the risk
that the material misstatements will occur) and control risk (the risk that the
internal control system will not prevent or detect material misstatements that
4. The end product of the audit is an audit report. The type of audit report can vary
depending on whether or not the auditor was able to perform all necessary auditing
procedures and whether the financial statements contain uncorrected GAAP
departures. The auditor is also required to communicate certain other matters
relating to the audit to the audit committee or a comparable body.
A. Engagement Letter
MAJURO & KOSRAE, LTD.
Certified Public Accountants
May 31, 2006
Mr. Ephraim Tico, President
Micronesian Business Corp.
P.O. Box 885
Dear Mr. Tico:
This letter is to confirm our arrangements for the audit of the financial statements of Micronesian Business Corp.
for the year ended December 31, 2006.
We will audit the Corporation’s balance sheet as of December 31, 2006, and the related statements of income,
retained earnings, and cash flows for the year then ended. The objective of our audit is the expression of an
opinion on the financial statements in conformity with accounting principles generally accepted in the United
States of America.
Our examination will be conducted in accordance with auditing standards generally accepted in the United States
of America. Those standards require that we obtain reasonable, rather than absolute, assurance about whether
the financial statements are free of material misstatement, whether caused by error or fraud. Accordingly, an
audit cannot be relied upon to identify all material errors, fraud, or illegal acts that may exist. Also an audit is not
designed to detect error or fraud that is immaterial to the financial statements. If, for any reason, we are unable
to complete the audit or have not formed an opinion, we may decline to express an opinion or decline to issue a
report as a result of the engagement.
Our audit will include such tests of the company records as we consider necessary. It will include examining, on
a test basis, evidence supporting the amounts and disclosures in the financial statements. The examination will
also include a review of the internal control structure and tests of controls as we deem necessary to assess the
impact of the control structure on the nature, timing, and extent of our evidence. In conjunction with our review of
the control structure, we will provide you with specific suggestions as to how the internal control structure may be
improved. Our audit will also include assessing the accounting principles used and the significant estimates
made by management, as well as evaluating the overall financial statement presentations.
The financial statements are the responsibility of the Company’s management. Management is also responsible
for (1) establishing and maintaining effective internal control over financial reporting; (2) establishing systems and
procedures for the prevention and detection of fraud; (3) identifying and ensuring that the Company complies with
the laws and regulations applicable to its activities; (4) making all financial records and related information
available to us; and (5) at the conclusion of the engagement providing us with a representation letter that, among
other things, confirms management’s responsibility for the preparation of the financial statements in accordance
with generally accepted accounting principles, the completeness and availability of all minutes of the board and
committee meetings, the effects of any uncorrected misstatements that we bring to your attention are immaterial
to the financial statements taken as a whole, and to the best of its knowledge and belief, the absence of fraud
involving management or those employees who have a significant role in the entity’s internal control.
As in prior years, we will require assistance from your personnel, including the preparation of schedules and
analyses of accounts. The expected date of completion of the audit is March 27, 2007. Our fees for this audit
will be based on the estimates of time to be expended by our staff at our regular rates, plus direct expenses. It
should be recognized that these estimates could be affected by unusual circumstances. We will notify you
immediately of any circumstances we encounter that could significantly affect our initial fee estimate of $125,000.
If these arrangements are in accordance with your understanding, please sign this letter in the space provided
and return a copy to us at your earliest convenience.
Very truly yours,
Frank Majuro, CPA
Accepted by: ________________________________________
B. Audit Program for Cash
Sample Audit Program 12
SUBSTANTIVE TESTS FOR CASH
A. Cash physically exists and is owned by the entity as of the balance sheet date.
B. Cash receipts and cash disbursements are recorded correctly as to account, amount, and
C. Cash balances include funds at all locations, funds with custodians, and deposits in
D. Cash is properly classified and presented in the financial statements and adequate
disclosures are made with respect to restricted cash.
1. Prepare or obtain from the client a listing of all
cash accounts open as of the balance sheet date
or opened and closed during the period under
audit, showing the following: (a) account number
and type, (b) custodian, and (c) balance per the
2. Request that the client prepare bank confirmation
forms for all bank/custodian accounts used during
the period under audit. Maintain control of the bank
confirmation forms and mail directly to the bank.
3. Ask the client to request cut-off bank statements
(including cancelled checks, deposit tickets, and
related bank advices) for a period of 10-15 days
subsequent to the balance sheet date to be mailed
directly to the auditor.
4. Obtain copies of client-prepared bank reconciliations
and perform the following:
a. Trace balance per bank to cut-off bank
statement and returned bank confirmation.
b. Trace balance per books to the general ledger.
c. Test the arithmetical accuracy of the bank
d. Trace deposits in transit amounts to cut-off
bank statement and determine that they were
recorded in the proper period.
e. Examine all cancelled checks over $_____
that were returned with the cut-off bank state-
ments and determine that they were properly in-
cluded in (drawn prior to the balance sheet date)
or excluded from (drawn subsequent to the
balance sheet date) the list of outstanding checks.
f. Investigate checks over $_____ on the list
of outstanding checks that did not clear on the
cut-off bank statements. Note name of payee
g. Investigate other reconciling items over
$ and determine propriety and
5. Prepare or obtain an analysis of savings accounts,
certificates of deposit, or interest-bearing accounts
showing (a) name of institution, (b) interest rate,
(c) maturity date, (d) balances at the beginning of the
period, activity during the period, and balances at the
end of the period, and (e) interest income and related
accruals, and perform the following:
a. Trace book balances, interest income, and interest
accrued to the general ledger.
b. Compare balances and interest rate per passbooks
and certificates of deposit to returned confirmation
c. Test the arithmetical accuracy of the analysis.
d. Recalculate interest earned and evaluate results
6. Prepare or obtain a bank transfer schedule showing the
following information: (a) name of disbursing bank,
(b) check or transfer number, (c) amount of transfer,
(d) date transferred out per books, (e) date transferred
out per bank, (f) name of receiving bank, (g) date
transferred in per books, and (h) date transferred in
per bank, and perform the following:
a. Review the cash receipts and cash disbursements
disbursements journal, bank statements, cut-off
bank statements, and journal entries for days before
and after the balance sheet date and for all amounts
over $ and determine that they are all
included in the bank transfer schedule.
b. Determine that all receipts and disbursements
per books are recorded in the same month.
For receipts and disbursements with bank
statement dates that differ from the dates per
books, trace such transfers to proper inclusion
in the list of outstanding checks and/or deposits
in transit shown in the bank reconciliations.
c. Investigate any disbursements with bank
statement dates that precede the dates per books.
d. Determine that the number of days lag between
bank statement dates and dates per books appear
reasonable and investigate any unusual delays.
7. If cut-off bank statements are not requested and/or
received by the auditor, obtain the bank statement for
the month subsequent to the balance sheet date and
perform the following:
a. Test the arithmetical accuracy of the bank
b. Compare all cancelled checks listed in the bank
statement and foot the total of all checks paid to
the total indicated per the bank statement.
c. Examine and investigate all debit and credit
memos over $
8. Ascertain that all requests for bank confirmations
and confirmations with other custodians have been
received, signed, and all questions have been
answered. Follow up on all comments and missing
9. Determine all petty cash funds that should be
counted and perform the following:
a. Count petty cash funds in the presence of a
b. Summarize cash counted by denomination.
Include other items such as vouchers, stamps, etc.
c. Reconcile the balance per the custodian
to the general ledger.
d. At the conclusion of the count, return all items
to the custodian and ask for a signed receipt.
Based on the procedures performed and the results obtained,
it is my opinion that the objectives listed in this audit program
have been achieved.
Prepared by Date
Reviewed and approved by Date
C. Cash Workpaper
STATE OF PACIFIC ISLANDS Prepared by: RG
BANK RECONCILIATION – GENERAL ACCOUNT – PBC Date: 11/5/10
SEPTEMBER 30, 2010 Reviewed by: HS
Per bank statement $57,896.50 √
Deposits in transit:
9/30/10 $ 3,000.00 ¥ µ
9/30/10 875.00 ¥ µ 3,875.00
#571 8/25/10 $ 320.00 ≠ ≈
#583 8/31/10 250.00 ≠ ≈
#590 9/30/10 1,582.25 ≠ ∩
#591 9/30/10 10,382.00 ≠ ∩
#592 9/30/10 2,700.00 ≠ ∩
#593 9/30/10 163.00 ≠ ∩ (15,397.25)
Adjusted balance per bank $46,374.25 ₣
Per general ledger $46,431.17 ∂
Bank service charges (57.45) √
Adjusted balance per books $46,374.25 ₣
√ Traced to client’s 9/30/10 bank statement.
∞ Agreed to bank confirmation.
¥ Traced to cash receipts journal before year end.
µ Traced to cutoff bank statement.
≠ Traced to cash disbursements journal before year end.
∩ Examined cancelled check returned with cutoff bank statement – no exceptions
≈ Traced to check requisition and vendor invoice.
∂ Agreed to general ledger