Audit and Assurance ACCT 331, Study notes of Accounting

The core of the ACCT 331 Audit & Assurance course is the systematic process an independent auditor follows to determine if a company's financial statements are presented fairly. It begins with Foundation (ethics and legal responsibility), moves to Planning (understanding the client and assessing high-risk areas using the RMM model), continues with evaluating and **Testing Controls** for efficiency, and culminates in Substantive Procedures where direct evidence (like confirmations and recalculations) is gathered for account balances; the entire process concludes with a final review of Subsequent Events and the issuance of the Audit Opinion (Unmodified, Qualified, or Adverse) which communicates the auditor's final verdict to users.

Typology: Study notes

2024/2025

Available from 11/03/2025

emma-lw9
Module 1: The Audit Foundation - Why We Exist

Forget the textbooks for a second. The core question of this entire course is: Why should anyone trust a company's financial numbers? This module answers that by establishing the Audit Mandate and the Rules of the Game (ethics and law).

1. The Assurance Game:

Think of an audit like a third-party referee checking a high-stakes game.

What Assurance Actually Means

"Assurance" is just a fancy word for "making information better for decision-makers." If a service improves the quality or reliability of some piece of data, it's an assurance service. That data could be anything—from the reported profit on a balance sheet to a company's carbon emissions report.

  • The Vow: The person doing the assurance (the auditor) must be totally independent—no ties, no bias.
  • Two Levels of Confidence:
    o Reasonable Assurance (The Audit Standard): This means we've done a ton of work to give a high level of confidence that the financials are correct. It's not 100% proof (no one is perfect!), but it's close.
    o Limited Assurance (The Review Standard): This is a quick check, providing only a moderate level of comfort. Think of it as a quick glance versus a deep dive.

The Financial Statement Audit (The Core Task)

This is the flagship service. Our job is to give an opinion—a professional judgment—that the financial statements are presented fairly according to the rules (like GAAP or IFRS).

  • The Triangle of Trust:
    1. Management: They make the statements. They're the chef.
    2. Users (Investors/Banks): They eat the statements. They need to trust the meal.
    3. Auditor (You!): You're the independent health inspector verifying the chef followed all the sanitation rules.
  • The Mission: Our value is reducing Information Risk—the chance that the numbers the user relies on are flat-out wrong.

2. Ethics: The Auditor's Non-Negotiables

Our entire profession relies on the public believing we're honest. If that trust breaks, the audit opinion is just paper.

The Five Golden Rules (The AC-COP Framework)

You have to live by these principles every single day:

  • Integrity: Be honest, period. No sugar-coating, no hiding.
  • Confidentiality: What happens in the client's office stays in the client's office, unless the law demands otherwise.
  • Competence (and Due Care): You have to be smart enough and skilled enough to do the job right. And when you do it, you have to be careful, meticulous, and thorough.
  • Objectivity: This is the big one. No bias. Don't let your feelings, friendships, or external pressures cloud your professional judgment.
  • Professional Behavior: Follow the laws and don't do anything that makes the rest of us look bad.

The Danger Zone: Threats to Independence

You have to be paranoid about anything that could compromise your objectivity.

  • You're Grading Your Own Homework (Self-Review): When you check a system your firm built last year. Uh oh.
  • You're Too Chummy (Familiarity): You're best friends with the client's CFO. Can you really be objective when their bonus is on the line?
  • You're an Investor (Self-Interest): You own a few shares of the client's stock. Now your wallet is talking.
  • You're Their PR Agent (Advocacy): You argue for the client in a tax court. You've stopped auditing and started rooting.
  • They're a Bully (Intimidation): The client threatens to fire you if you don't back off that tough inventory finding.

Your job is to put Safeguards in place (like having a different partner review the file) to neutralize these threats.

3. Legal Liability: The Accountability Clause

If you mess up your job (negligence) and someone loses money because they relied on your opinion, you can be sued. This is where "due professional care" becomes a legal requirement.

Getting Sued by the Client (Breach of Contract)

Module 2: The Audit War Room - Your Mission Briefing

Welcome, Agent. Your mission, should you choose to accept it, is to verify a company's financial statements. But before you charge in, you need a plan. This module is your mission briefing. We're moving from basic accounting ("What happened?") to strategic auditing ("Where is this mission most likely to go wrong?").

1. The Reconnaissance Phase: Profiling the Target

You can't audit a company you don't understand. Your first job is to be a detective and build a profile.

Your Mission Dossier: Gather intel like a spy. You need to know everything about your "target."

  • The Battlefield (External Environment): Is this a wild, fast-moving tech startup (risky estimates everywhere)? Or a stable, old-school utility (pressure to fake growth)? These are Inherent Risks—the natural dangers of the terrain.
  • The Command Structure (Internal Players): Who's in charge? Is the CEO a "growth-at-any-cost" type? Is the board strong, or just a rubber stamp? A weak control environment here means Control Risk is high—the guards might be asleep.
  • The Motive: Look for the pressure points. Is the company about to get a loan? Is management's bonus on the line? Where there's pressure, there's often a reason to cheat.

The Briefing Deck: From all this intel, you create a hit list. Which accounts are the most vulnerable? Which transactions are most likely to be faked? No hit list, no mission.

2. The Threat Assessment: Identifying the Bombs

Now, put on your cynical glasses. It's time to rate the dangers on your hit list. We call this the Risk of Material Misstatement (RMM)—the chance a big error is hiding in the financials.

Setting the "Big Enough to Matter" Bar: First, we define "material." If a mistake would change an investor's mind, it's a problem. We set two thresholds:

  • Planning Materiality: The overall error limit for the entire financial statement. (e.g., "No single error over $1 million.")
  • Performance Materiality: A smaller, secret buffer for testing. This ensures a bunch of tiny, undetected errors don't add up to a big one.

The Two Ingredients of Risk: The RMM for any account comes from two sources:

  1. Inherent Risk (IR): The account is just naturally dangerous. Think "cash" (easy to steal) or "complex tax calculations" (easy to mess up).
  2. Control Risk (CR): The company's own security systems (internal controls) are weak or broken.

The Formula:

Total Risk (RMM) = Natural Danger (IR) × Weak Security (CR)

Code Red Threats: Some risks are so severe—like potential fraud or a huge, one-time deal—they get labeled Significant Risks. These are your top-priority targets that require your best weapons.

3. The Battle Plan: Choosing Your Weapons

Here's where we connect the threats to our action plan. We use the Audit Risk Model to make sure our overall chance of failure is tiny.



Module 3: Internal Controls - Cracking the Client's Security Code

Forget just checking numbers. The smart auditor's first move is to crack the client's security system. Internal Controls are the company's own antivirus software—the rules and tools management installs to stop errors and hackers (including fraudulent employees) before they cause a disaster. Our mission: See if this "software" is actually running, or if it's just unused bloatware.


Phase 1: The System Scan - Understanding the Blueprint

Before we test anything, we need the system architecture. We use the industry-standard COSO Framework, which is like the five core components of any security suite.

  1. The Firewall (Control Environment): This is the core security protocol set by the CEO and board. Is the company culture paranoid about accuracy and ethics, or is it "move fast and break things"?
    • Auditor Verdict: A weak firewall = Maximum Danger. We assume Control Risk is High from the start.
  2. The Threat Detector (Risk Assessment): Is the company aware of its own vulnerabilities? Do they know they're a target for inventory theft or cyberattacks? A system that doesn't know its threats can't defend against them.
  3. The Active Shields (Control Activities): These are the specific security rules in action. This is where we get hands-on.
    • The "No One-Man Army" Rule (Segregation of Duties): The single most important shield. The person who authorizes a payment should not be the one who records it or has the cash. This prevents a single point of failure—and fraud.
    • The "Approval Matrix" (Authorization): Requiring a manager's digital signature for big purchases.
    • The "System Audit" (Independent Checks): The nightly virus scan—like the system automatically reconciling cash or a manager reviewing expense reports.
  4. The Network (Information & Communication): How do warnings and data flow? Are procedures documented, or is everything a secret handshake? A broken network means security updates never get installed.
  5. The Auto-Updater (Monitoring): Does the system check its own health? Are there internal auditors running penetration tests? A static system is a vulnerable system.

Our Hacking Tools for the Scan:

  • Social Engineering (Inquiry): "So, walk me through how you process an invoice..."
  • Source Code Review (Inspection): Reading the company's security manual (if one exists!).
  • Live Surveillance (Observation): Watching an employee run a security procedure.
  • The Dry Run (Walkthrough): We pick one transaction—one "packet of data"—and follow its path from start to finish through the entire system. This proves the blueprint matches reality.

Our Finding: Control Risk (CR) is Low. The client's security is strong.

Our Move: We can accept a Higher Detection Risk (DR).

Translation: We can be more efficient. We do LESS of our own tedious number-checking later because we trust their system. This is the efficiency win we were hoping for.

SYSTEM COMPROMISED (Controls Are Weak):

Our Finding: Control Risk (CR) is High. The client's security is full of holes.

Our Move: We must achieve a Very Low Detection Risk (DR).

Translation: It's all on us. We must do **MORE, DEEPER, and MORE EXTENSIVE** substantive testing. We have to check almost everything ourselves. This is the expensive, hard-work scenario.

The Bottom Line: We test controls for one reason: **to see if we can trust the client enough to do less work.** It's a strategic gamble for efficiency. If we win the bet, we save time. If we lose, we roll up our sleeves.

Module 4: Audit Evidence & Testing - Show Me The Proof

9. Performing Substantive Procedures (The Core Tools)

A substantive procedure is any test designed to detect a material misstatement at the assertion level. These procedures are performed whether we rely on controls or not, though the extent (how many transactions we check) depends entirely on our RMM assessment.

The Auditor's Toolkit (The 9 Types of Evidence)

Auditors use a toolkit of procedures to gather evidence. We must select the best tool to test the specific assertion we're worried about:

| Procedure | What It Means | Why We Use It |
|---|---|---|
| Inspection of Records/Documents | Examining client documents (internal or external). | To check Existence (Did this sale really happen?) or Completeness (Did they record all liabilities?). |
| Inspection of Tangible Assets | Physically counting inventory, cash, or fixed assets. | The best way to test the Existence and Valuation of physical assets. |
| Observation | Watching client personnel performing their duties. | Helps with understanding controls, but weak for substantive testing. |

| Financial Statement Assertion | What We are Testing | Example Substantive Procedure |
|---|---|---|
| Existence (Overstatement Risk) | Did the sale/A/R actually occur? | Confirmation: Send requests to a sample of customers asking them to confirm the outstanding balance. |
| Completeness (Understatement Risk) | Were all sales that occurred actually recorded? | Tracing: Trace a sample of shipping documents (evidence of shipment) forward to the sales journal and accounts receivable ledger. |
| Cutoff (Timing Risk) | Were sales recorded in the correct period? | Review sales recorded near year-end (a few days before and after) to ensure the shipment date matches the recognition date. |
| Valuation | Is Accounts Receivable stated at the net realizable value (A/R less the allowance for doubtful accounts)? | Testing Estimates: Scrutinize the client's allowance for doubtful accounts calculation, focusing on old, past-due balances and general economic conditions. |

11. Auditing Key Cycles: Purchases & Payables (The Understatement Risk)

For liabilities and expenses, the primary risk is usually understatement (management wanting to look more profitable). The challenge here is finding transactions that should have been recorded but weren't.

| Financial Statement Assertion | What We are Testing | Example Substantive Procedure |
|---|---|---|
| Completeness (Understatement Risk) | Were all purchases and resulting liabilities recorded? | Search for Unrecorded Liabilities: Examine cash disbursements made after year-end (e.g., the first 30 days of the new year) and trace them backward to see if the liability existed at year-end but was omitted. |
| Existence | Do these recorded liabilities actually exist? | Confirmation: Confirm balances with major vendors (especially vendors with zero or unusually small balances—testing for omissions). |
| Accuracy | Were purchases and accounts payable correctly calculated? | Recalculation: Check the mathematical accuracy of a sample of vendor invoices and compare them to the general ledger recording. |
| Cutoff | Were purchases recorded in the correct period? | Review receiving reports for inventory received near year-end and match the receipt date to the liability recording date. |

Module 5: The Final Lap and The Verdict

Module 5 focuses on stepping back from individual transactions to view the entire picture, which includes the financial statements as a whole. We finish the fieldwork and deliver the most anticipated document in business: the Audit Opinion.

  1. Wrapping Up the Audit Engagement (Tying Up Loose Ends)

This phase includes mandatory checks to ensure the financial statements are finalized and that nothing critical is overlooked during year-end closing.

Review of Subsequent Events (The Look-Ahead)

The balance sheet gives a snapshot as of December 31st. However, we issue our final report much later. We must verify that nothing occurring between the balance sheet date and the report date makes the December 31st statements misleading.

  • Type 1 Events (Adjust!): These events confirm conditions that existed at the balance sheet date. They show that the estimate we used on December 31st was incorrect.
    • Real-World Example: A major customer files for bankruptcy in January due to problems they faced before December 31st. We need to adjust the Allowance for Doubtful Accounts on the December 31st statement.
  • Type 2 Events (Disclose!): These events arise after the balance sheet date. The December 31st numbers were accurate at that time, but the event is too important to ignore.
    • Real-World Example: A major, uninsured factory burns down in February. The company was stable on December 31st, but now its future is at risk. We must disclose the fire and its financial impact in the footnotes.

Final Analytical Procedures (The Sanity Check)

Once we finish detailed testing, we take a step back and perform one final round of high-level ratio analysis, similar to what we did in the planning stage.

Purpose: To ensure the final, adjusted financial statements look reasonable and align with our overall understanding of the client.

  • For Example: If we significantly raised the inventory balance during the audit, we must check that the final Inventory Turnover Ratio doesn't appear abnormally low, which could indicate a new issue.

Management Representation Letter (The Legal Shield)

This is a formal letter from the client to the auditor, signed by the CEO and CFO.

  • What it says: Management formally asserts they have met their responsibilities, such as preparing the statements, and have provided all relevant information, including disclosure of all known frauds, unrecorded liabilities, and subsequent events.
  • Crucial Note: It serves as evidence but does not replace other evidence. We can't use it to excuse ourselves from testing cash, but it does provide legal backing and requires management to formally take responsibility.

  2. Forming and Issuing the Final Audit Report (The Official Verdict)

This wraps up the entire ACCT 331 course. Here, we present our opinion to the world.

The Unmodified Opinion (The "Clean" Report)

This is our goal. It means the financial statements are fairly presented in all material respects according to GAAP.

Key Message: Users can rely on these numbers. The auditor found no material misstatements that required changes.

The Modified Opinions (When Things Go Wrong)

When the audit evidence requires us to communicate material issues, the opinion must change.

| Opinion Type | The Problem | The Scope/Pervasiveness |
|---|---|---|
| 1. Qualified Opinion | A material misstatement exists OR a scope limitation occurred (we couldn't obtain evidence). | The issue is NOT pervasive. Meaning: The statements are fine except for this one specific part. Example: We know the Inventory valuation is off, but the rest of the accounts are accurate. |
| 2. Adverse Opinion | A material misstatement exists. | It is so significant it is pervasive (it affects the entire set of statements). Meaning: The statements are fundamentally misleading and should NOT be relied upon. This is the strongest condemnation an auditor can issue. |
| 3. Disclaimer of Opinion | A scope limitation exists. | It is so significant it is pervasive. Meaning: The auditor could not gather enough evidence to form any opinion. Essentially, they are saying, "We don't know," which severely harms the company's credibility. |

Emphasis-of-Matter (EOM) Paragraphs

These are added to a Clean (Unmodified) report to draw attention to something already properly disclosed in the financial statements.

The Big Reason: To highlight Going Concern Uncertainty. The auditor believes the company might not survive the next year. This is a clean opinion, but it comes with a caution flag.