Which of the following procedures would a CPA most likely perform when reviewing the financial statements of a non issuer?
An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements
Supersedes Auditing Standard No. 2
Effective Date: Fiscal years ending on or after November 15, 2007
Final Rule: PCAOB Release No. 2007-005A
Introduction
1. This standard establishes requirements and provides direction that applies when an auditor is engaged to perform an audit of management's assessment 1/ of the effectiveness of internal control over financial reporting ("the audit of internal control over financial reporting") that is integrated with an audit of the financial statements. 2/
2. Effective internal control over financial reporting provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes. 3/ If one or more material weaknesses exist, the company's internal control over financial reporting cannot be considered effective. 4/
[The following paragraph is effective for audits of fiscal years beginning on or after December 15, 2010. See PCAOB Release No. 2010-004.]
3. The auditor's objective in an audit of internal control over financial reporting is to express an opinion on the effectiveness of the company's internal control over financial reporting. Because a company's internal control cannot be considered effective if one or more material weaknesses exist, to form a basis for expressing an opinion, the auditor must plan and perform the audit to obtain appropriate evidence that is sufficient to obtain reasonable assurance 5/ about whether material weaknesses exist as of the date specified in management's assessment. A material weakness in internal control over financial reporting may exist even when financial statements are not materially misstated.
4. The general standards 6/ are applicable to an audit of internal control over financial reporting. Those standards require technical training and proficiency as an auditor, independence, and the exercise of due professional care, including professional skepticism. This standard establishes the fieldwork and reporting standards applicable to an audit of internal control over financial reporting.
5. The auditor should use the same suitable, recognized control framework to perform his or her audit of internal control over financial reporting as management uses for its annual evaluation of the effectiveness of the company's internal control over financial reporting. 7/
Integrating the Audits
6. The audit of internal control over financial reporting should be integrated with the audit of the financial statements. The objectives of the audits are not identical, however, and the auditor must plan and perform the work to achieve the objectives of both audits.
7. In an integrated audit of internal control over financial reporting and the financial statements, the auditor should design his or her testing of controls to accomplish the objectives of both audits simultaneously -
8. Obtaining sufficient evidence to support control risk assessments of low for purposes of the financial statement audit ordinarily allows the auditor to reduce the amount of audit work that otherwise would have been necessary to opine on the financial statements. (See Appendix B for additional direction on integration.)
Planning the Audit
[The following paragraph is effective for audits of fiscal years beginning on or after December 15, 2010. See PCAOB Release No. 2010-004.]
9. The auditor should properly plan the audit of internal control over financial reporting and properly supervise the engagement team members. When planning an integrated audit, the auditor should evaluate whether the following matters are important to the company's financial statements and internal control over financial reporting and, if so, how they will affect the auditor's procedures -
Note: Many smaller companies have less complex operations. Additionally, some larger, complex companies may have less complex units or processes. Factors that might indicate less complex operations include: fewer business lines; less complex business processes and financial reporting systems; more centralized accounting functions; extensive involvement by senior management in the day-to-day activities of the business; and fewer levels of management, each with a wide span of control.
Role of Risk Assessment
10. Risk assessment underlies the entire audit process described by this standard, including the determination of significant accounts and disclosures and relevant assertions, the selection of controls to test, and the determination of the evidence necessary for a given control.
11. A direct relationship exists between the degree of risk that a material weakness could exist in a particular area of the company's internal control over financial reporting and the amount of audit attention that should be devoted to that area. In addition, the risk that a company's internal control over financial reporting will fail to prevent or detect misstatement caused by fraud usually is higher than the risk of failure to prevent or detect error. The auditor should focus more of his or her attention on the areas of highest risk. On the other hand, it is not necessary to test controls that, even if deficient, would not present a reasonable possibility of material misstatement to the financial statements.
12. The complexity of the organization, business unit, or process, will play an important role in the auditor's risk assessment and the determination of the necessary procedures.
Scaling the Audit
13. The size and complexity of the company, its business processes, and business units, may affect the way in which the company achieves many of its control objectives. The size and complexity of the company also might affect the risks of misstatement and the controls necessary to address those risks. Scaling is most effective as a natural extension of the risk-based approach and applicable to the audits of all companies. Accordingly, a smaller, less complex company, or even a larger, less complex company might achieve its control objectives differently than a more complex company. 9/
Addressing the Risk of Fraud
[The following paragraph is effective for audits of fiscal years beginning on or after December 15, 2014. See PCAOB Release No. 2014-002.]
14. When planning and performing the audit of internal control over financial reporting, the auditor should take into account the results of his or her fraud risk assessment. 10/ As part of identifying and testing entity-level controls, as discussed beginning at paragraph 22, and selecting other controls to test, as discussed beginning at paragraph 39, the auditor should evaluate whether the company's controls sufficiently address identified risks of material misstatement due to fraud and controls intended to address the risk of management override of other controls. Controls that might address these risks include -
[The following paragraph is effective for audits of fiscal years beginning on or after December 15, 2010. See PCAOB Release No. 2010-004.]
15. If the auditor identifies deficiencies in controls designed to prevent or detect fraud during the audit of internal control over financial reporting, the auditor should take into account those deficiencies when developing his or her response to risks of material misstatement during the financial statement audit, as provided in paragraphs 65-69 of Auditing Standard No. 12, Identifying and Assessing Risks of Material Misstatement.
Using the Work of Others
16. The auditor should evaluate the extent to which he or she will use the work of others to reduce the work the auditor might otherwise perform himself or herself. AU sec. 322, The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements, applies in an integrated audit of the financial statements and internal control over financial reporting.
17. For purposes of the audit of internal control, however, the auditor may use the work performed by, or receive direct assistance from, internal auditors, company personnel (in addition to internal auditors), and third parties working under the direction of management or the audit committee that provides evidence about the effectiveness of internal control over financial reporting. In an integrated audit of internal control over financial reporting and the financial statements, the auditor also may use this work to obtain evidence supporting the auditor's assessment of control risk for purposes of the audit of the financial statements.
18. The auditor should assess the competence and objectivity of the persons whose work the auditor plans to use to determine the extent to which the auditor may use their work. The higher the degree of competence and objectivity, the greater use the auditor may make of the work. The auditor should apply paragraphs .09 through .11 of AU sec. 322 to assess the competence and objectivity of internal auditors. The auditor should apply the principles underlying those paragraphs to assess the competence and objectivity of persons other than internal auditors whose work the auditor plans to use.
19. The extent to which the auditor may use the work of others in an audit of internal control also depends on the risk associated with the control being tested. As the risk associated with a control increases, the need for the auditor to perform his or her own work on the control increases.
Materiality
20. In planning the audit of internal control over financial reporting, the auditor should use the same materiality considerations he or she would use in planning the audit of the company's annual financial statements. 11/
Using a Top-Down Approach
21. The auditor should use a top-down approach to the audit of internal control over financial reporting to select the controls to test. A top-down approach begins at the financial statement level and with the auditor's understanding of the overall risks to internal control over financial reporting. The auditor then focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions. This approach directs the auditor's attention to accounts, disclosures, and assertions that present a reasonable possibility of material misstatement to the financial statements and related disclosures. The auditor then verifies his or her understanding of the risks in the company's processes and selects for testing those controls that sufficiently address the assessed risk of misstatement to each relevant assertion.
Identifying Entity-Level Controls
22. The auditor must test those entity-level controls that are important to the auditor's conclusion about whether the company has effective internal control over financial reporting. The auditor's evaluation of entity-level controls can result in increasing or decreasing the testing that the auditor otherwise would have performed on other controls.
23. Entity-level controls vary in nature and precision -
24. Entity-level controls include -
25. Control Environment. Because of its importance to effective internal control over financial reporting, the auditor must evaluate the control environment at the company. As part of evaluating the control environment, the auditor should assess -
26. Period-end Financial Reporting Process. Because of its importance to financial reporting and to the auditor's opinions on internal control over financial reporting and the financial statements, the auditor must evaluate the period-end financial reporting process. The period-end financial reporting process includes the following -
Note: Because the annual period-end financial reporting process normally occurs after the "as-of" date of management's assessment, those controls usually cannot be tested until after the as-of date.
27. As part of evaluating the period-end financial reporting process, the auditor should assess -
Note: The auditor should obtain sufficient evidence of the effectiveness of those quarterly controls that are important to determining whether the company's controls sufficiently address the assessed risk of misstatement to each relevant assertion as of the date of management's assessment. However, the auditor is not required to obtain sufficient evidence for each quarter individually.
Identifying Significant Accounts and Disclosures and Their Relevant Assertions
28. The auditor should identify significant accounts and disclosures and their relevant assertions. Relevant assertions are those financial statement assertions that have a reasonable possibility of containing a misstatement that would cause the financial statements to be materially misstated. The financial statement assertions include 12/ -
29. To identify significant accounts and disclosures and their relevant assertions, the auditor should evaluate the qualitative and quantitative risk factors related to the financial statement line items and disclosures. Risk factors relevant to the identification of significant accounts and disclosures and their relevant assertions include -
30. As part of identifying significant accounts and disclosures and their relevant assertions, the auditor also should determine the likely sources of potential misstatements that would cause the financial statements to be materially misstated. The auditor might determine the likely sources of potential misstatements by asking himself or herself "what could go wrong?" within a given significant account or disclosure.
31. The risk factors that the auditor should evaluate in the identification of significant accounts and disclosures and their relevant assertions are the same in the audit of internal control over financial reporting as in the audit of the financial statements; accordingly, significant accounts and disclosures and their relevant assertions are the same for both audits.
32. The components of a potential significant account or disclosure might be subject to significantly differing risks. If so, different controls might be necessary to adequately address those risks.
33. When a company has multiple locations or business units, the auditor should identify significant accounts and disclosures and their relevant assertions based on the consolidated financial statements. Having made those determinations, the auditor should then apply the direction in Appendix B for multiple locations scoping decisions.
Understanding Likely Sources of Misstatement
34. To further understand the likely sources of potential misstatements, and as a part of selecting the controls to test, the auditor should achieve the following objectives -
35. Because of the degree of judgment required, the auditor should either perform the procedures that achieve the objectives in paragraph 34 himself or herself or supervise the work of others who provide direct assistance to the auditor, as described in AU sec. 322.
[The following paragraph is effective for audits of fiscal years beginning on or after December 15, 2010. See PCAOB Release No. 2010-004.]
36. The auditor also should understand how IT affects the company's flow of transactions. The auditor should apply paragraph 29 and Appendix B of Auditing Standard No. 12, Identifying and Assessing Risks of Material Misstatement, which discuss the effect of information technology on internal control over financial reporting and the risks to assess.
37. Performing Walkthroughs. Performing walkthroughs will frequently be the most effective way of achieving the objectives in paragraph 34. In performing a walkthrough, the auditor follows a transaction from origination through the company's processes, including information systems, until it is reflected in the company's financial records, using the same documents and information technology that company personnel use. Walkthrough procedures usually include a combination of inquiry, observation, inspection of relevant documentation, and re-performance of controls.
38. In performing a walkthrough, at the points at which important processing procedures occur, the auditor questions the company's personnel about their understanding of what is required by the company's prescribed procedures and controls. These probing questions, combined with the other walkthrough procedures, allow the auditor to gain a sufficient understanding of the process and to be able to identify important points at which a necessary control is missing or not designed effectively. Additionally, probing questions that go beyond a narrow focus on the single transaction used as the basis for the walkthrough allow the auditor to gain an understanding of the different types of significant transactions handled by the process.
Selecting Controls to Test
39. The auditor should test those controls that are important to the auditor's conclusion about whether the company's controls sufficiently address the assessed risk of misstatement to each relevant assertion.
40. There might be more than one control that addresses the assessed risk of misstatement to a particular relevant assertion; conversely, one control might address the assessed risk of misstatement to more than one relevant assertion. It is neither necessary to test all controls related to a relevant assertion nor necessary to test redundant controls, unless redundancy is itself a control objective.
41. The decision as to whether a control should be selected for testing depends on which controls, individually or in combination, sufficiently address the assessed risk of misstatement to a given relevant assertion rather than on how the control is labeled (e.g., entity-level control, transaction-level control, control activity, monitoring control, preventive control, detective control).
Testing Controls
Testing Design Effectiveness
42. The auditor should test the design effectiveness of controls by determining whether the company's controls, if they are operated as prescribed by persons possessing the necessary authority and competence to perform the control effectively, satisfy the company's control objectives and can effectively prevent or detect errors or fraud that could result in material misstatements in the financial statements.
43. Procedures the auditor performs to test design effectiveness include a mix of inquiry of appropriate personnel, observation of the company's operations, and inspection of relevant documentation. Walkthroughs that include these procedures ordinarily are sufficient to evaluate design effectiveness.
Testing Operating Effectiveness
44. The auditor should test the operating effectiveness of a control by determining whether the control is operating as designed and whether the person performing the control possesses the necessary authority and competence to perform the control effectively.
45. Procedures the auditor performs to test operating effectiveness include a mix of inquiry of appropriate personnel, observation of the company's operations, inspection of relevant documentation, and re-performance of the control.
Relationship of Risk to the Evidence to be Obtained
46. For each control selected for testing, the evidence necessary to persuade the auditor that the control is effective depends upon the risk associated with the control. The risk associated with a control consists of the risk that the control might not be effective and, if not effective, the risk that a material weakness would result. As the risk associated with the control being tested increases, the evidence that the auditor should obtain also increases.
47. Factors that affect the risk associated with a control include -
48. When the auditor identifies deviations from the company's controls, he or she should determine the effect of the deviations on his or her assessment of the risk associated with the control being tested and the evidence to be obtained, as well as on the operating effectiveness of the control.
49. The evidence provided by the auditor's tests of the effectiveness of controls depends upon the mix of the nature, timing, and extent of the auditor's procedures. Further, for an individual control, different combinations of the nature, timing, and extent of testing may provide sufficient evidence in relation to the risk associated with the control.
50. Nature of Tests of Controls. Some types of tests, by their nature, produce greater evidence of the effectiveness of controls than other tests. The following tests that the auditor might perform are presented in order of the evidence that they ordinarily would produce, from least to most: inquiry, observation, inspection of relevant documentation, and re-performance of a control.
[The following paragraph is effective for audits of fiscal years beginning on or after December 15, 2010. See PCAOB Release No. 2010-004.]
51. The nature of the tests of effectiveness that will provide appropriate evidence depends, to a large degree, on the nature of the control to be tested, including whether the operation of the control results in documentary evidence of its operation. Documentary evidence of the operation of some controls, such as management's philosophy and operating style, might not exist.
52. Timing of Tests of Controls. Testing controls over a greater period of time provides more evidence of the effectiveness of controls than testing over a shorter period of time. Further, testing performed closer to the date of management's assessment provides more evidence than testing performed earlier in the year. The auditor should balance performing the tests of controls closer to the as-of date with the need to test controls over a sufficient period of time to obtain sufficient evidence of operating effectiveness.
53. Prior to the date specified in management's assessment, management might implement changes to the company's controls to make them more effective or efficient or to address control deficiencies. If the auditor determines that the new controls achieve the related objectives of the control criteria and have been in effect for a sufficient period to permit the auditor to assess their design and operating effectiveness by performing tests of controls, he or she will not need to test the design and operating effectiveness of the superseded controls for purposes of expressing an opinion on internal control over financial reporting. If the operating effectiveness of the superseded controls is important to the auditor's control risk assessment, the auditor should test the design and operating effectiveness of those superseded controls, as appropriate. (See additional direction on integration beginning at paragraph B1.)
54. Extent of Tests of Controls. The more extensively a control is tested, the greater the evidence obtained from that test.
55. Roll-Forward Procedures. When the auditor reports on the effectiveness of controls as of a specific date and obtains evidence about the operating effectiveness of controls at an interim date, he or she should determine what additional evidence concerning the operation of the controls for the remaining period is necessary.
56. The additional evidence that is necessary to update the results of testing from an interim date to the company's year-end depends on the following factors -
Special Considerations for Subsequent Years' Audits
57. In subsequent years' audits, the auditor should incorporate knowledge obtained during past audits he or she performed of the company's internal control over financial reporting into the decision-making process for determining the nature, timing, and extent of testing necessary. This decision-making process is described in paragraphs 46 through 56.
58. Factors that affect the risk associated with a control in subsequent years' audits include those in paragraph 47 and the following -
59. After taking into account the risk factors identified in paragraphs 47 and 58, the additional information available in subsequent years' audits might permit the auditor to assess the risk as lower than in the initial year. This, in turn, might permit the auditor to reduce testing in subsequent years.
60. The auditor may also use a benchmarking strategy for automated application controls in subsequent years' audits. Benchmarking is described further beginning at paragraph B28.
61. In addition, the auditor should vary the nature, timing, and extent of testing of controls from year to year to introduce unpredictability into the testing and respond to changes in circumstances. For this reason, each year the auditor might test controls at a different interim period, increase or reduce the number and types of tests performed, or change the combination of procedures used.
Evaluating Identified Deficiencies
62. The auditor must evaluate the severity of each control deficiency that comes to his or her attention to determine whether the deficiencies, individually or in combination, are material weaknesses as of the date of management's assessment. In planning and performing the audit, however, the auditor is not required to search for deficiencies that, individually or in combination, are less severe than a material weakness.
63. The severity of a deficiency depends on -
64. The severity of a deficiency does not depend on whether a misstatement actually has occurred but rather on whether there is a reasonable possibility that the company's controls will fail to prevent or detect a misstatement.
65. Risk factors affect whether there is a reasonable possibility that a deficiency, or a combination of deficiencies, will result in a misstatement of an account balance or disclosure. The factors include, but are not limited to, the following -
66. Factors that affect the magnitude of the misstatement that might result from a deficiency or deficiencies in controls include, but are not limited to, the following -
67. In evaluating the magnitude of the potential misstatement, the maximum amount that an account balance or total of transactions can be overstated is generally the recorded amount, while understatements could be larger. Also, in many cases, the probability of a small misstatement will be greater than the probability of a large misstatement.
68. The auditor should evaluate the effect of compensating controls when determining whether a control deficiency or combination of deficiencies is a material weakness. To have a mitigating effect, the compensating control should operate at a level of precision that would prevent or detect a misstatement that could be material.
Indicators of Material Weaknesses
69. Indicators of material weaknesses in internal control over financial reporting include -
70. When evaluating the severity of a deficiency, or combination of deficiencies, the auditor also should determine the level of detail and degree of assurance that would satisfy prudent officials in the conduct of their own affairs that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles. If the auditor determines that a deficiency, or combination of deficiencies, might prevent prudent officials in the conduct of their own affairs from concluding that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles, then the auditor should treat the deficiency, or combination of deficiencies, as an indicator of a material weakness.
Wrapping-Up
Forming an Opinion
71. The auditor should form an opinion on the effectiveness of internal control over financial reporting by evaluating evidence obtained from all sources, including the auditor's testing of controls, misstatements detected during the financial statement audit, and any identified control deficiencies.
72. After forming an opinion on the effectiveness of the company's internal control over financial reporting, the auditor should evaluate the presentation of the elements that management is required, under the SEC's rules, to present in its annual report on internal control over financial reporting. 16/
73. If the auditor determines that any required elements of management's annual report on internal control over financial reporting are incomplete or improperly presented, the auditor should follow the direction in paragraph C2.
74. The auditor may form an opinion on the effectiveness of internal control over financial reporting only when there have been no restrictions on the scope of the auditor's work. A scope limitation requires the auditor to disclaim an opinion or withdraw from the engagement (see paragraphs C3 through C7).
Obtaining Written Representations
75. In an audit of internal control over financial reporting, the auditor should obtain written representations from management -
76. The failure to obtain written representations from management, including management's refusal to furnish them, constitutes a limitation on the scope of the audit. As discussed further in paragraph C3, when the scope of the audit is limited, the auditor should either withdraw from the engagement or disclaim an opinion. Further, the auditor should evaluate the effects of management's refusal on his or her ability to rely on other representations, including those obtained in the audit of the company's financial statements.
77. AU sec. 333, Management Representations, explains matters such as who should sign the letter, the period to be covered by the letter, and when to obtain an updated letter.
Communicating Certain Matters
78. The auditor must communicate, in writing, to management and the audit committee all material weaknesses identified during the audit. The written communication should be made prior to the issuance of the auditor's report on internal control over financial reporting.
79. If the auditor concludes that the oversight of the company's external financial reporting and internal control over financial reporting by the company's audit committee is ineffective, the auditor must communicate that conclusion in writing to the board of directors.
[The following paragraph is effective for audits of fiscal years beginning on or after December 15, 2012. See PCAOB Release No. 2012-004.]
80. The auditor also should consider whether there are any deficiencies, or combinations of deficiencies, that have been identified during the audit that are significant deficiencies and must communicate such deficiencies, in writing, to the audit committee. This communication should be made in a timely manner and prior to the issuance of the auditor's report on internal control over financial reporting.
[The following paragraph is effective for audits of fiscal years beginning on or after December 15, 2012. See PCAOB Release No. 2012-004.]
81. The auditor also should communicate to management, in writing, all deficiencies in internal control over financial reporting (i.e., those deficiencies in internal control over financial reporting that are of a lesser magnitude than material weaknesses) identified during the audit and inform the audit committee when such a communication has been made. The auditor should communicate this information to the audit committee in a timely manner and prior to the issuance of the auditor's report on internal control over financial reporting. When making this communication, it is not necessary for the auditor to repeat information about such deficiencies that has been included in previously issued written communications, whether those communications were made by the auditor, internal auditors, or others within the organization.
82. The auditor is not required to perform procedures that are sufficient to identify all control deficiencies; rather, the auditor communicates deficiencies in internal control over financial reporting of which he or she is aware.
83. Because the audit of internal control over financial reporting does not provide the auditor with assurance that he or she has identified all deficiencies less severe than a material weakness, the auditor should not issue a report stating that no such deficiencies were noted during the audit.
84. When auditing internal control over financial reporting, the auditor may become aware of fraud or possible illegal acts. In such circumstances, the auditor must determine his or her responsibilities under AU sec. 316, Consideration of Fraud in a Financial Statement Audit, AU sec. 317, Illegal Acts by Clients, and Section 10A of the Securities Exchange Act of 1934. 17/
Reporting on Internal Control
85. The auditor's report on the audit of internal control over financial reporting must include the following elements 18/ -
Separate or Combined Reports

86. The auditor may choose to issue a combined report (i.e., one report containing both an opinion on the financial statements and an opinion on internal control over financial reporting) or separate reports on the company's financial statements and on internal control over financial reporting.

87. The following example combined report expressing an unqualified opinion on financial statements and an unqualified opinion on internal control over financial reporting illustrates the report elements described in this section.
88. If the auditor chooses to issue a separate report on internal control over financial reporting, he or she should add the following paragraph to the auditor's report on the financial statements -
The auditor also should add the following paragraph to the report on internal control over financial reporting -
Report Date

[The following paragraph is effective for audits of fiscal years beginning on or after December 15, 2010. See PCAOB Release No. 2010-004.]

89. The auditor should date the audit report no earlier than the date on which the auditor has obtained sufficient appropriate evidence to support the auditor's opinion. Because the auditor cannot audit internal control over financial reporting without also auditing the financial statements, the reports should be dated the same.

Material Weaknesses

90. Paragraphs 62 through 70 describe the evaluation of deficiencies. If there are deficiencies that, individually or in combination, result in one or more material weaknesses, the auditor must express an adverse opinion on the company's internal control over financial reporting, unless there is a restriction on the scope of the engagement. 19/

91. When expressing an adverse opinion on internal control over financial reporting because of a material weakness, the auditor's report must include -
Note: If the material weakness has not been included in management's assessment, the report should be modified to state that a material weakness has been identified but not included in management's assessment. Additionally, the auditor's report should include a description of the material weakness, which should provide the users of the audit report with specific information about the nature of the material weakness and its actual and potential effect on the presentation of the company's financial statements issued during the existence of the weakness. In this case, the auditor also should communicate in writing to the audit committee that the material weakness was not disclosed or identified as a material weakness in management's assessment. If the material weakness has been included in management's assessment but the auditor concludes that the disclosure of the material weakness is not fairly presented in all material respects, the auditor's report should describe this conclusion as well as the information necessary to fairly describe the material weakness.

92. The auditor should determine the effect his or her adverse opinion on internal control has on his or her opinion on the financial statements. Additionally, the auditor should disclose whether his or her opinion on the financial statements was affected by the adverse opinion on internal control over financial reporting.
Subsequent Events

93. Changes in internal control over financial reporting or other factors that might significantly affect internal control over financial reporting might occur subsequent to the date as of which internal control over financial reporting is being audited but before the date of the auditor's report. The auditor should inquire of management whether there were any such changes or factors and obtain written representations from management relating to such matters, as described in paragraph 75h.

94. To obtain additional information about whether changes have occurred that might affect the effectiveness of the company's internal control over financial reporting and, therefore, the auditor's report, the auditor should inquire about and examine, for this subsequent period, the following -
95. The auditor might inquire about and examine other documents for the subsequent period. Paragraphs .01 through .09 of AU sec. 560, Subsequent Events, provide direction on subsequent events for a financial statement audit that also may be helpful to the auditor performing an audit of internal control over financial reporting.

96. If the auditor obtains knowledge about subsequent events that materially and adversely affect the effectiveness of the company's internal control over financial reporting as of the date specified in the assessment, the auditor should issue an adverse opinion on internal control over financial reporting (and follow the direction in paragraph C2 if management's assessment states that internal control over financial reporting is effective). If the auditor is unable to determine the effect of the subsequent event on the effectiveness of the company's internal control over financial reporting, the auditor should disclaim an opinion. As described in paragraph C13, the auditor should disclaim an opinion on management's disclosures about corrective actions taken by the company after the date of management's assessment, if any.

97. The auditor may obtain knowledge about subsequent events with respect to conditions that did not exist at the date specified in the assessment but arose subsequent to that date and before issuance of the auditor's report. If a subsequent event of this type has a material effect on the company's internal control over financial reporting, the auditor should include in his or her report an explanatory paragraph describing the event and its effects or directing the reader's attention to the event and its effects as disclosed in management's report.

98. After the issuance of the report on internal control over financial reporting, the auditor may become aware of conditions that existed at the report date that might have affected the auditor's opinion had he or she been aware of them. The auditor's evaluation of such subsequent information is similar to the auditor's evaluation of information discovered subsequent to the date of the report on an audit of financial statements, as described in AU sec. 561, Subsequent Discovery of Facts Existing at the Date of the Auditor's Report.

Which of the following procedures does a CPA usually perform when reviewing the financial statements of a non issuer?

Which of the following procedures would an accountant most likely perform when reviewing the financial statements of a nonissuer? Ask management about the entity's procedures for recording transactions.
Which of the following procedures would a CPA least likely perform when reviewing the financial statements of a client?

Answer and Explanation: Obtaining confirmation of cash balances is least likely to be performed as a part of obtaining an understanding during an audit engagement of a new audit client previously audited by another CPA.
When performing a review on financial statements the CPA is required to?

Reviewed Financial Statements must be performed by an independent licensed CPA firm. The accountant must obtain evidence that will provide a reasonable basis for obtaining the limited assurance needed that there are no material modifications that should be made to the financial statements.
What is the first step for reviewing financial statement data for a nonpublic company?

- Assess the risks of material misstatements.
- Make preliminary judgments about risk and materiality.
- Perform an assessment of internal control activities.